#!/usr/bin/perl
######################################################################
+#######
#
+ #
# mksc.pl v0.1 - ShellCode creator - written for Perlmonks.org
+ #
# Copyright (c) 2004 X-3mE'89 <exxtreme@altervista.org>
+ #
#
+ #
# This program is free software; you can redistribute it and/or modify
+ #
# it under the terms of the GNU General Public License as published by
+ #
# the Free Software Foundation; either version 2 of the License, or
+ #
# (at your option) any later version.
+ #
#
+ #
# This program is distributed in the hope that it will be useful,
+ #
# but WITHOUT ANY WARRANTY; without even the implied warranty of
+ #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ #
# GNU General Public License for more details.
+ #
#
+ #
# You should have received a copy of the GNU General Public License
+ #
# along with this program; if not, write to the Free Software
+ #
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
+ USA #
#
+ #
######################################################################
+#######
#
+ #
# Usage example:
+ #
# $ mksc.pl stupid_program main 16 72
+ #
# ,_______/ ,__/ / \_,
+ #
# program containing function ,_/ stop address (e.g main+72
+) #
# our shellcode start address
+ #
# (e.g main+16)
+ #
######################################################################
+#######
use strict;
if($ARGV[2] eq '')
{
die "Usage: $0 <executable> <function> <start_address> <stop_addre
+ss>\n".
"start_address and stop_address must be in numeric form\n".
"Example:\n $0 a.out main 16 73\nextracts bytes from main+16 t
+o main+73\n";
}
#
# Our variables
#
my $toexec = $ARGV[0];
my $func = $ARGV[1];
my $addr = $ARGV[2];
my $saddr = $ARGV[3];
my $sc;
my $i;
my $x;
my @data;
#
# Open a file and write instructions
# for gdb to it.
#
open(TEMP,">/tmp/sc.tmp") or die "Couldn't open /tmp/sc.tmp\n";
#
# Start extracting shellcode.
#
print TEMP "x/bx $func+$addr\n";
#
# Continue extracting shellcode
#
for($i=$addr;$i<$saddr;$i++)
{
print TEMP "\n"
}
#
# Quit gdb.
#
print TEMP "q\n";
#
# Close gdb "script" file.
#
close TEMP;
#
# Run gdb.
#
system("gdb -q $toexec </tmp/sc.tmp>/tmp/scresult.tmp");
#
# Initialize $sc and $i
# ($i is set to -1 so that
# the shellcode will appear
# "regular" if you don't
# understand try changing $i's
# value...)
#
$sc="char ".$func."[]=\n\t\"";
$i=-1;
#
# Read gdb's output.
#
open(ITEMP,"/tmp/scresult.tmp");
@data=<ITEMP>;
close ITEMP;
#
# Get the shellcodes from gdb's
# output using regexps.
#
foreach $x(@data)
{
if($x=~/^\(gdb\)/)
{
$x=~s/\(gdb\) 0x.+ <.+>:\s+//g;
$x=~s/0x/\\x/g;
$x=~s/\n//g;
$x=~s/\(gdb\)//g;
$x=~s/\s+//g;
$sc.=$x;
}
$i++;
#
# "Indent" the shellcode
# ($i exists only for this)
#
if(($i%12)==0)
{
$sc.="\"\n\t\""
}
}
$sc.="\";\n";
#
# Save our shellcode.
#
open(SHELLCODE,">shellcoded.c") or die "Couldn't open shellcoded.c\n";
print SHELLCODE $sc;
close SHELLCODE;
#
# Disk clean-up.
#
system("rm -rf /tmp/sc.tmp /tmp/scresult.tmp");
#
# End.
#
In reply to mksc.pl
by X-3mE
Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
Read Where should I post X? if you're not absolutely sure you're posting in the right place.
Please read these before you post! —
Posts may use any of the Perl Monks Approved HTML tags:
- a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
| |
For: |
|
Use: |
| & | | & |
| < | | < |
| > | | > |
| [ | | [ |
| ] | | ] |
Link using PerlMonks shortcuts! What shortcuts can I use for linking?
See Writeup Formatting Tips and other pages linked from there for more info.