http://qs1969.pair.com?node_id=406786
Category: Miscellaneous
Author/Contact Info X-3mE'89 - <exxtreme(a)altervista.org> http://exxtreme.altervista.org
Description: Extract a byte range from a compiled program, via gdb, and write it out as a C `char[]` string (shellcode style). You specify the binary, the function symbol, and the start/stop byte offsets relative to that function (both inclusive).
#!/usr/bin/perl
#########################################################################
#                                                                       #
# mksc.pl v0.1 - ShellCode creator - written for Perlmonks.org          #
# Copyright (c) 2004 X-3mE'89 <exxtreme@altervista.org>                 #
#                                                                       #
# This program is free software; you can redistribute it and/or modify  #
# it under the terms of the GNU General Public License as published by  #
# the Free Software Foundation; either version 2 of the License, or     #
# (at your option) any later version.                                   #
#                                                                       #
# This program is distributed in the hope that it will be useful,       #
# but WITHOUT ANY WARRANTY; without even the implied warranty of        #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the         #
# GNU General Public License for more details.                          #
#                                                                       #
# You should have received a copy of the GNU General Public License     #
# along with this program; if not, write to the Free Software           #
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  #
# USA                                                                   #
#                                                                       #
#########################################################################
#                                                                       #
# Usage example:                                                        #
#                                                                       #
# $ mksc.pl   stupid_program   main   16 72                             #
#        ,_______/           ,__/      /  \_,                           #
#   program containing    function  ,_/      stop address (e.g main+72) #
#     our shellcode         start address                               #
#                           (e.g main+16)                               #
#                                                                       #
# Both offsets are inclusive (main+16 .. main+72 are all extracted),    #
# gdb must be on PATH, and the result is written to ./shellcoded.c.     #
#                                                                       #
#########################################################################

use strict;
use warnings;
use File::Temp qw(tempfile);

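#
# Argument check.  All four positional arguments are required; the
# original only tested the third one, so a missing stop address slipped
# through as an empty string and produced an empty loop.
#
if (@ARGV < 4) {
    die "Usage: $0 <executable> <function> <start_address> <stop_address>\n".
        "start_address and stop_address must be in numeric form\n".
        "Example:\n $0 a.out main 16 73\nextracts bytes from main+16 to main+73\n";
}

#
# Our variables
#

my ($toexec, $func, $addr, $saddr) = @ARGV;

#
# Validate what we are about to hand to gdb and to the C output.
#
# $toexec becomes a gdb argument: it must be an existing, readable file,
# and a name starting with '-' is prefixed with './' so gdb cannot take
# it for an option.
#
die "$toexec: not a readable file\n" unless -f $toexec && -r _;
$toexec = "./$toexec" if $toexec =~ /\A-/;

# $func is used both inside a gdb expression ("x/bx $func+$addr") and as
# the name of the generated C array, so it has to be a plain C identifier.
die "function name '$func' is not a valid C identifier\n"
    unless $func =~ /\A[A-Za-z_]\w*\z/;

# The usage text promises decimal offsets; the loop below does numeric
# arithmetic on them, so enforce that instead of letting "abc" become 0.
for my $off ($addr, $saddr) {
    die "offset '$off' must be a non-negative decimal integer\n"
        unless $off =~ /\A\d+\z/;
}
die "stop_address ($saddr) must not be smaller than start_address ($addr)\n"
    if $saddr < $addr;

#
# Write the gdb command script to a private temporary file.
#
# One "x/bx" for the first byte, then one empty line per remaining byte
# (an empty line makes gdb repeat the last x command, advancing by one
# byte), then quit.  File::Temp picks an unpredictable name and removes
# the file at exit; the old fixed /tmp/sc.tmp could be pre-created or
# symlinked by any local user and was then fed to gdb as commands.
#
my ($cmd_fh, $cmd_file) = tempfile('mksc-XXXXXXXX', TMPDIR => 1, UNLINK => 1);

print {$cmd_fh} "x/bx $func+$addr\n";
print {$cmd_fh} "\n" for $addr + 1 .. $saddr;   # $saddr - $addr repeats: inclusive range
print {$cmd_fh} "q\n";

close $cmd_fh or die "close $cmd_file: $!\n";

#
# Run gdb.
#
# Fork/exec form: gdb reads the script on stdin and we collect its stdout
# through a pipe.  No /bin/sh is involved, so a binary path containing
# spaces, quotes or $(...) is just a path and not a shell command (the
# old system("gdb -q $toexec ...") interpolated argv straight into one).
#
my $gdb_pid = open(my $gdb_out, '-|');
die "fork: $!\n" unless defined $gdb_pid;
if ($gdb_pid == 0) {
    open(STDIN, '<', $cmd_file) or die "open $cmd_file: $!\n";
    exec('gdb', '-q', $toexec) or die "exec gdb: $!\n";
}
my @data = <$gdb_out>;
close $gdb_out;
warn "gdb exited with status " . ($? >> 8) . "\n" if $?;

#
# Pick the bytes out of gdb's output.
#
# Each x/bx result is echoed on a prompt line as
#     (gdb) 0xADDR <sym+off>:\t0xNN
# Only lines of exactly that shape carry data.  Anything else on a
# prompt line (e.g. 'No symbol "foo" in current context.') is an error
# message, and the old unanchored substitutions would have squashed it
# into the middle of the C string.
#
my @bytes;
for my $line (@data) {
    next unless $line =~ /\A\(gdb\)\s+0x[0-9a-fA-F]+\s+<[^>]*>:\s+0x([0-9a-fA-F]{1,2})\s*\z/;
    push @bytes, sprintf('\\x%02x', hex $1);
}

my $expected = $saddr - $addr + 1;
die "no bytes extracted for $func+$addr in $toexec (see gdb's messages above)\n"
    unless @bytes;
warn "expected $expected bytes but gdb returned " . scalar(@bytes) . "\n"
    if @bytes != $expected;

#
# Format the C array: 12 bytes per line.  The old line-break counter
# ticked on every gdb output line, data or not, so breaks landed at
# arbitrary positions.
#
my @rows;
push @rows, join('', splice(@bytes, 0, 12)) while @bytes;
my $sc = "char ${func}[]=\n\t\"" . join("\"\n\t\"", @rows) . "\";\n";

#
# Save our shellcode.
#
open(my $out, '>', 'shellcoded.c') or die "Couldn't open shellcoded.c: $!\n";
print {$out} $sc;
close $out or die "close shellcoded.c: $!\n";

#
# Disk clean-up happens automatically: the File::Temp script file is
# unlinked at exit, and no shell "rm -rf" on fixed /tmp names is needed.
#

#
# End.
#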