Sickle

Sickle is a shellcode development tool created to speed up the various steps needed to create functioning shellcode.

Sickle can aid in the following:

  • Identifying instructions resulting in bad characters.
  • Formatting output in various languages (Python, Perl, Javascript, etc).
  • Accepting shellcode via STDIN and formatting it.
  • Executing shellcode in both Windows and Linux environments.
  • Comparing reversed shellcode to the original.
  • Dissembling shellcode into assembly language (ARM, x86, etc).
Quick failure checkA task I found myself doing repetitively was compiling the ASM -> extracting shellcode -> placing it into a wrapper, and testing it. If it was a bad go, the process would be repeated until successful. Sickle takes care of placing the shellcode into a wrapper for quick testing (Works on Windows and Unix systems):Recreating shellcode

Sometimes you find a piece of shellcode that is fluent in its execution and you want to recreate it yourself to understand its underlying mechanisms. Sickle can help you compare the original shellcode to your “recreated” version.

Bad character identification

It’s important to note that currently bad character identification is best used within a Linux based OS. When dumping shellcode on Windows bad characters will not be highlighted. Below is an example of usage in a Unix environment:

Disassembly

Sickle can also take a binary file and convert the extracted opcodes (shellcode) to machine instructions (-obj). Keep in mind this works with raw opcodes (-r) and STDIN (-s) as well. In the following example, I am converting a reverse shell designed by Stephen Fewer to assembly.

Changelog

v2.0.2

  • Windows coloring now supported
  • Diff module improved
  • Improved module layout
  • Formatting is now a module, and other modules can thus call formats
  • Documentation updated
  • Badchar module added

Installation

It is written in Python3 and to have full functionality I recommend installing capstone, however, at the moment the only “function” that requires capstone is disassembly. If you don’t need the disassembly function, Sickle should work out of the box. Installation of Capstone is as easy as 1,2,3:

  • apt-get install python3-pip
  • pip3 install capstone

If you don’t compile your shellcode in NASM I have added an “objdump2shellcode” like function. Although I recommend using NASM for a streamline experience. For ease of access I prefer to add Sickle to the /usr/bin/ directory however if you use Black Arch Linux Sickle comes pre-installed. (previously known as objdump2shellcode):

 

Use

root@kali:~# sickle 

usage: sickle [-h] [-r READ] [-s] [-obj OBJDUMP] [-a ARCH] [-f FORMAT]

              [-b BADCHAR] [-c] [-v VARNAME] [-l] [-e EXAMINE] [-d] [-rs]



Sickle - Shellcode development tool



optional arguments:

  -h, --help            show this help message and exit

  -r READ, --read READ  read byte array from the binary file

  -s, --stdin           read ops from stdin (EX: echo -ne "\xde\xad\xbe\xef" |

                        sickle -s -f <format> -b '\x00')

  -obj OBJDUMP, --objdump OBJDUMP

                        binary to use for shellcode extraction (via objdump

                        method)

  -a ARCH, --arch ARCH  select architecture for disassembly

  -f FORMAT, --format FORMAT

                        output format (use --list for a list)

  -b BADCHAR, --badchar BADCHAR

                        bad characters to avoid in shellcode

  -c, --comment         comments the shellcode output

  -v VARNAME, --varname VARNAME

                        alternative variable name

  -l, --list            list all available formats and arguments

  -e EXAMINE, --examine EXAMINE

                        examine a separate file containing original shellcode.

                        mainly used to see if shellcode was recreated

                        successfully

  -d, --disassemble     disassemble the binary file

  -rs, --run-shellcode  run the shellcode (use at your own risk)

Copyright (c) 2017 Milton Valencia

Source: https://github.com/wetw0rk