balzebub/tool/execshellcode.cpp

/*
 * Name: execshellcode
 * Version: 0.1.1
 * Description: A simple utility to test shellcode
 * This program runs shellcode using the mmap function.
 * In modern systems with varying protections
 * it may not work properly.
 * Dependencies: 
 */

#include "bzbio.h"
#include <string.h>
#include <sys/mman.h>
#include <iostream>
#include <cstdlib>
#include <sstream>

using namespace bzbio;

constexpr int VERSION_MAJOR = 0;
constexpr int VERSION_MINOR = 1;
constexpr int VERSION_PATCH = 1;

unsigned char hex_to_char(std::string str) {

	if(str.size() != 2) {
		println("ERROR Wrong format in hex_to_char()");
		exit(1);
	}

	char high_nibble = 0;
	char low_nibble = 0;

	unsigned char h = str[0];
	unsigned char l = str[1];


	if(h < '0' && h > '9' && h < 'A' && h > 'F' && h < 'a' && h > 'f') {
		println("ERROR Wrong format in hex_to_char()");
		exit(1);
	}
	if(l < '0' && l > '9' && l < 'A' && l > 'F' && l < 'a' && l > 'f') {
		println("ERROR Wrong format in hex_to_char()");
		exit(1);
	}


	if(h >= 'A' && h <= 'F')
		h += 32;

	if(l >= 'A' && l <= 'F')
		l += 32;


	if(h >= '0' && h <= '9') {
		high_nibble = (h - '0') << 4;
	} else {
		high_nibble = (h - 'a' + 10) << 4;
	}

	if(l >= '0' && l <= '9') {
		low_nibble = l - '0';
	} else {
		low_nibble = l - 'a' + 10;
	}


	return high_nibble | low_nibble;
}


void print_help() {
	println("\nUsage: execshellcode [ --backslash | --nobackslash ] <shellcode>");
	println("\t--backslash\tRead shellcode with backslashes in it (\\\\YZ format)");
	println("\t--nobackslash\tRead shellcode with no backslashes in it (YX format)\n");
	println("\tIf you try to execute normally formatted shellcode e.g. \\x03");
	println("\tyou don't need to use --backslash. If you enter shellcode");
	println("\tforcing a backslash in your terminal like \\\\x03, use --backslash.\n");
	exit(0);
}


void print_version_exit() {
	print("execshellcode v");
	println(VERSION_MAJOR, "." ,VERSION_MINOR , ".", VERSION_PATCH);
	println("This program is part of the Balzebub project.");
	exit(0);
}


int main(int argc, char const *argv[]) {

	if(argc < 2) {
		print_help();
	}

	std::string shellcode = argv[1];
	unsigned char* buffer = nullptr;
	size_t buffer_size = 0;
	size_t byte_size = 3;

	if(shellcode == "--help" || shellcode == "-h") {
		print_help();
	} else if(shellcode == "--version" || shellcode == "-v") {
		print_version_exit();
	}

	if(argc == 3) {
		if(shellcode == "--backslash") {
			shellcode = argv[2];
			byte_size = 4;
		} else if(shellcode == "--nobackslash") {
			shellcode = argv[2];
			byte_size = 2;
		}
	}

	if(shellcode.size() % byte_size != 0) {
		println("ERROR Wrong format\nUse \\xYZ format or"
					"\\\\xYZ format with --backslash option or"
					"YZ with --nobackslash option.");
		exit(-3);
	}

	buffer = new unsigned char[shellcode.size() / byte_size];
	buffer_size = shellcode.size() / byte_size;

	if(!buffer) {
		println("ERROR Cannot allocate buffer...");
		exit(-4);
	}

	// Convert the shellcode string to char

	for (size_t i = 0, l = 0; i < shellcode.size(); i += byte_size, l++) {

		if(byte_size == 3) {

			if(shellcode[i] == 'x') {
				std::string str = shellcode.substr(i + 1, 2);
				buffer[l] = hex_to_char(str);
			}

		} else if(byte_size == 4) {

			if(shellcode[i] == '\\' && shellcode[i + 1] == 'x') {
				std::string str = shellcode.substr(i + 2, 2);
				buffer[l] = hex_to_char(str);
			}
		} else if(byte_size == 2) {
			std::string str = shellcode.substr(i, 2);
			buffer[l] = hex_to_char(str);
		}
	}

	// Create an anonymous executable mapped buffer and write the shellcode in it

	void* executable = mmap(nullptr, buffer_size,
							PROT_WRITE | PROT_EXEC | PROT_READ,
							MAP_ANONYMOUS | MAP_PRIVATE,
							-1, 0);

	if(executable == MAP_FAILED) {
		perror("mmap");
		exit(-1);
	}

	memcpy(executable, (void*) buffer, buffer_size);

	println("Executing", buffer_size, "bytes shellcode using mmap...\n");

	((int(*)()) executable)();

	munmap(executable, buffer_size);
	return 0;
}