#!/usr/bin/perl
######################################################################
+#######
#
+ #
# mksc.pl v0.1 - ShellCode creator - written for Perlmonks.org
+ #
# Copyright (c) 2004 X-3mE'89 <exxtreme@altervista.org>
+ #
#
+ #
# This program is free software; you can redistribute it and/or modify
+ #
# it under the terms of the GNU General Public License as published by
+ #
# the Free Software Foundation; either version 2 of the License, or
+ #
# (at your option) any later version.
+ #
#
+ #
# This program is distributed in the hope that it will be useful,
+ #
# but WITHOUT ANY WARRANTY; without even the implied warranty of
+ #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ #
# GNU General Public License for more details.
+ #
#
+ #
# You should have received a copy of the GNU General Public License
+ #
# along with this program; if not, write to the Free Software
+ #
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
+ USA #
#
+ #
######################################################################
+#######
#
+ #
# Usage example:
+ #
# $ mksc.pl stupid_program main 16 72
+ #
# ,_______/ ,__/ / \_,
+ #
# program containing function ,_/ stop address (e.g main+72
+) #
# our shellcode start address
+ #
# (e.g main+16)
+ #
######################################################################
+#######
use strict;
if($ARGV[2] eq '')
{
die "Usage: $0 <executable> <function> <start_address> <stop_addre
+ss>\n".
"start_address and stop_address must be in numeric form\n".
"Example:\n $0 a.out main 16 73\nextracts bytes from main+16 t
+o main+73\n";
}
#
# Our variables
#
my $toexec = $ARGV[0];
my $func = $ARGV[1];
my $addr = $ARGV[2];
my $saddr = $ARGV[3];
my $sc;
my $i;
my $x;
my @data;
#
# Open a file and write instructions
# for gdb to it.
#
open(TEMP,">/tmp/sc.tmp") or die "Couldn't open /tmp/sc.tmp\n";
#
# Start extracting shellcode.
#
print TEMP "x/bx $func+$addr\n";
#
# Continue extracting shellcode
#
for($i=$addr;$i<$saddr;$i++)
{
print TEMP "\n"
}
#
# Quit gdb.
#
print TEMP "q\n";
#
# Close gdb "script" file.
#
close TEMP;
#
# Run gdb.
#
system("gdb -q $toexec </tmp/sc.tmp>/tmp/scresult.tmp");
#
# Initialize $sc and $i
# ($i is set to -1 so that
# the shellcode will appear
# "regular" if you don't
# understand try changing $i's
# value...)
#
$sc="char ".$func."[]=\n\t\"";
$i=-1;
#
# Read gdb's output.
#
open(ITEMP,"/tmp/scresult.tmp");
@data=<ITEMP>;
close ITEMP;
#
# Get the shellcodes from gdb's
# output using regexps.
#
foreach $x(@data)
{
if($x=~/^\(gdb\)/)
{
$x=~s/\(gdb\) 0x.+ <.+>:\s+//g;
$x=~s/0x/\\x/g;
$x=~s/\n//g;
$x=~s/\(gdb\)//g;
$x=~s/\s+//g;
$sc.=$x;
}
$i++;
#
# "Indent" the shellcode
# ($i exists only for this)
#
if(($i%12)==0)
{
$sc.="\"\n\t\""
}
}
$sc.="\";\n";
#
# Save our shellcode.
#
open(SHELLCODE,">shellcoded.c") or die "Couldn't open shellcoded.c\n";
print SHELLCODE $sc;
close SHELLCODE;
#
# Disk clean-up.
#
system("rm -rf /tmp/sc.tmp /tmp/scresult.tmp");
#
# End.
#
In reply to mksc.pl
by X-3mE
-
Are you posting in the right place? Check out Where do I post X? to know for sure.
-
Posts may use any of the Perl Monks Approved HTML tags. Currently these include the following:
<code> <a> <b> <big>
<blockquote> <br /> <dd>
<dl> <dt> <em> <font>
<h1> <h2> <h3> <h4>
<h5> <h6> <hr /> <i>
<li> <nbsp> <ol> <p>
<small> <strike> <strong>
<sub> <sup> <table>
<td> <th> <tr> <tt>
<u> <ul>
-
Snippets of code should be wrapped in
<code> tags not
<pre> tags. In fact, <pre>
tags should generally be avoided. If they must
be used, extreme care should be
taken to ensure that their contents do not
have long lines (<70 chars), in order to prevent
horizontal scrolling (and possible janitor
intervention).
-
Want more info? How to link
or How to display code and escape characters
are good places to start.
|