#!/usr/bin/env bash
#
# Copyright 2015 Gu Zhengxiong <[email protected]>
#
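#######################################
# Dump the code bytes of an object file and print them in the format
# selected by the second argument: a \x-escaped string (default), bare
# hex, or a C program that embeds the bytes (see show_help for options).
# Globals:   none written; flag, regex, dumper, hex and status are local
# Arguments: $1   - object file to disassemble
#            $2   - output-mode option, interpreted by parse_args
#            $3.. - passed through verbatim as extra objdump options
# Outputs:   the generated text on stdout
# Returns:   exits 233 when the arguments are bad (after printing the
#            synopsis) or when the objdump listing yields no hex bytes
#######################################
main()
{
  local flag regex dumper hex
  local status=0
  flag=$(parse_args "$@") || status=$?
  if [[ $status -eq 233 ]]; then
    show_help
    exit 233
  fi
  # Keep only the tab-prefixed hex byte columns of the objdump listing.
  # Every byte has to match [0-9a-f]{2}, so $hex can never hold anything
  # but hex digits whatever the input file contains; the quotes keep the
  # brackets from being treated as a shell glob.
  regex='\t([0-9a-f]{2}\s)+'
  # Prefer the MinGW cross objdump when it is installed.
  if command -v x86_64-w64-mingw32-objdump > /dev/null 2>&1; then
    dumper=x86_64-w64-mingw32-objdump
  else
    dumper=objdump
  fi
  hex=$("$dumper" -z -d "$1" "${@:3}" | grep -oP "$regex") || exit 233
  # Squash the columns into one string, then strip any run of trailing
  # 0x90 bytes (presumably NOP alignment padding).
  hex=${hex//[[:space:]]/}
  while [[ $hex == *90 ]]; do
    hex=${hex%90}
  done
  if [[ $flag -ge 2 ]]; then
    # C modes: file banner plus the headers every variant needs.
    cat <<EOF
/*
* This file was automatically generated by mkhex.sh,
* which, together with the complete
* and heavily commented assembly source code
* for this shellcode, is available at
* https://github.com/NoviceLive/shellcoding.
*
* For those curious heads
* striving to figure out what's under the hood.
*/
# include <stdlib.h>
# include <stdio.h>
EOF
    if [[ $flag -eq 3 ]]; then
      cat <<EOF
# include <stdint.h>
# include <sys/mman.h>
EOF
    fi
    if [[ $flag -eq 4 ]]; then
      cat <<EOF
# include <windows.h>
EOF
    fi
    cat <<EOF
# define COUNTOF(a) (sizeof(a) / sizeof(a[0]))
int
main(void)
{
EOF
    printf ' char shellcode[] = "'
  fi
  # Both arguments are quoted on purpose: an empty $hex must not shift
  # $flag into the hex position.
  format_hex "$hex" "$flag"
  if [[ $flag -ge 2 ]]; then
    printf '";\n\n'
    if [[ $flag -eq 3 ]]; then
      cat <<EOF
int failure = mprotect((void *)((uintptr_t)shellcode & ~4095),
4096, PROT_READ | PROT_WRITE | PROT_EXEC);
if (failure) {
printf ("mprotect\n");
return EXIT_FAILURE;
}
EOF
    fi
    if [[ $flag -eq 4 ]]; then
      cat <<EOF
DWORD why_must_this_variable;
BOOL success = VirtualProtect(shellcode, COUNTOF(shellcode),
PAGE_EXECUTE_READWRITE, &why_must_this_variable);
if (!success) {
printf ("VirtualProtect\n");
return EXIT_FAILURE;
}
EOF
    fi
    cat <<EOF
printf("strlen(shellcode)=%d\n", COUNTOF(shellcode));
((void (*)(void))shellcode)();
return EXIT_SUCCESS;
}
EOF
  fi
}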
format_hex()
{
local i=0
local c=0
if [[ $2 -eq 1 ]]
then
fmt='%s'
else
fmt='\\x%s'
fi
while [[ $i -lt ${#1} ]]
do
if [[ $2 -ge 2 && $c -eq 10 ]]
then
c=0
printf '"\n "'
fi
printf $fmt ${1:$i:2}
i=$(($i+2))
c=$(($c+1))
done
}
#######################################
# Print the one-line usage synopsis to stdout.
# Globals:   $0 (read) - the script name shown in the synopsis
#######################################
show_help()
{
  printf 'Synopsis: %s file -e|--escape -r|--raw -c|--c -l|--linux -w|--windows\n' "$0"
}
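#######################################
# Validate the command line and map the output-mode option to a number.
# Arguments: $1 - input file; must exist as a regular file
#            $2 - output-mode option (optional; anything unknown means 0)
# Outputs:   the mode number on stdout: 0 escape (default), 1 raw,
#            2 C, 3 Linux harness, 4 Windows harness
# Returns:   233 when no file was given or $1 is not a regular file
#######################################
parse_args()
{
  if [[ $# -lt 1 || ! -f "$1" ]]; then
    return 233
  fi
  # local keeps the mode out of the caller's namespace; ${2-} tolerates a
  # missing option even under set -u.
  local flag
  case "${2-}" in
    -e|--escape) flag=0 ;;
    -r|--raw) flag=1 ;;
    -c|--c) flag=2 ;;
    -l|--linux) flag=3 ;;
    -w|--windows) flag=4 ;;
    *) flag=0 ;;
  esac
  printf '%s' "$flag"
}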
# Entry point: hand every command-line argument to main unchanged.
main "$@"