shellcode factory: create and test shellcodes from custom assembly sources

Shellcode Factory tool

A tool to print and test shellcodes from assembly code.

It supports both GAS (AT&T) and Intel syntax (.s and .asm extensions respectively), as well as x86 and x64 architectures.

Download

git clone https://github.com/danielhenrymantilla/shellcode-factory.git

Usage:

make targets [parameters]

targets:

  • build / assembly – will compile the assembly code from shellcode.s
  • debug – debugs the assembly binary
  • print / xxd / p – will print the shellcode in hex
  • x / auto / a – will run the shellcode using a smashed stack
  • sc_debug – will debug the shellcode called from a smashed stack
  • set – will let you edit the source assembly code
  • neg – will negate the shellcode, and prepend to it a 12-byte decoder. It assumes the shellcode is reached right after a ret instruction
  • xor_byte – will xor the shellcode with a random byte, and prepend to it an appropriate decoder (the decoder is 21-26 bytes long). It will try to avoid the bytes from the NO parameter.
  • xor – will xor the shellcode with a random rotating word, and prepend to it an appropriate decoder (the decoder is 27-34 bytes long). It will try to avoid the bytes from the NO parameter.
  • alphanumeric – will transform the shellcode into one using alphanumeric chars only (it needs to be reached right after a ret instruction for it to work)
  • clean / c – removes generated files

parameters:

  • ARCH=XX (default=32) XX-bit binaries (32 / 64)
  • S=filename (default=shellcode.s) Source assembly filename.
  • SC="\x31\xc0..." (ignored by default) Raw Input shellcode (overrides S parameter).
  • NO="[0x...]" (default="[0x00, 0x20, 0x9, 0xa]") List of byte values to avoid when xor-ing
  • PAUSE=NO Disables the pause before execution (a safety measure: by default the tool waits before running the shellcode)
  • LANG=C Changes the formatting of the print command to use a C-style array of bytes
  • SYNTAX=INTEL Changes the syntax used to display assembly source code

Examples:

  • make print S=foo.asm SYNTAX=INTEL will print the shellcode from foo.asm with INTEL syntax
  • make S=foo.s set c p x ARCH=64 will let you edit foo.s and will then hexdump it and attempt to run it (x64)
  • make c print SC="\x31\xc0\x40\xcd\x80" will parse input shellcode into assembly instructions
  • make c p sc_debug SC="\x31\xc0\x40\xcd\x80" will clean (recommended) then print and debug input shellcode
  • make p S=foo.asm | grep -e x00 -e x20 is a useful trick to check for forbidden bytes (bytes 0x00 and 0x20 for instance)
  • make p xor S=foo.asm NO="[0x00, 0x20]" xors the shellcode to avoid forbidden bytes
  • make p alphanumeric S=foo.s generates an alphanumeric version of the shellcode

Copyright (c) 2017-2018 Daniel Henry-Mantilla

Source: https://github.com/danielhenrymantilla/