/*
 * Name: execshellcode
 * Version: 0.1.1
 * Description: A simple utility to test shellcode.
 * This program runs shellcode from an anonymous memory region
 * created with the mmap function.
 * On modern systems with varying memory protections
 * it may not work properly.
 * Dependencies:
 */
- #include "bzbio.h"
- #include <string.h>
- #include <sys/mman.h>
- #include <iostream>
- #include <cstdlib>
- #include <sstream>
- using namespace bzbio;
// Program version, printed by print_version_exit() as MAJOR.MINOR.PATCH.
constexpr int VERSION_MAJOR{0};
constexpr int VERSION_MINOR{1};
constexpr int VERSION_PATCH{1};
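/**
 * Decode a two-character hexadecimal string (for example "3f" or "3F")
 * into the byte it represents, high digit first.
 *
 * Anything other than exactly two hexadecimal digits is reported with
 * println() and terminates the process with exit status 1. Each digit is
 * checked explicitly so that a non-hex character is rejected instead of
 * being turned into an arbitrary byte value.
 *
 * @param str  two hex digits, upper or lower case
 * @return the decoded byte
 */
unsigned char hex_to_char(std::string str) {
    // Value of one hex digit, or -1 for a character outside [0-9A-Fa-f].
    const auto nibble = [](unsigned char c) -> int {
        if (c >= '0' && c <= '9') return c - '0';
        if (c >= 'a' && c <= 'f') return c - 'a' + 10;
        if (c >= 'A' && c <= 'F') return c - 'A' + 10;
        return -1;
    };

    if (str.size() != 2) {
        println("ERROR Wrong format in hex_to_char()");
        exit(1);
    }

    const int high = nibble(static_cast<unsigned char>(str[0]));
    const int low = nibble(static_cast<unsigned char>(str[1]));
    if (high < 0 || low < 0) {
        println("ERROR Wrong format in hex_to_char()");
        exit(1);
    }

    // Combine in int and narrow once; both values are in 0..15 here.
    return static_cast<unsigned char>((high << 4) | low);
}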
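/**
 * Print the command-line usage text and terminate with exit status 0.
 *
 * The format hints match what main() parses: `\\xYZ` as typed for
 * --backslash and bare `YZ` hex pairs for --nobackslash.
 */
[[noreturn]] void print_help() {
    println("\nUsage: execshellcode [ --backslash | --nobackslash ] <shellcode>");
    println("\t--backslash\tRead shellcode with backslashes in it (\\\\xYZ format)");
    println("\t--nobackslash\tRead shellcode with no backslashes in it (YZ format)\n");
    println("\tIf you try to execute normally formatted shellcode e.g. \\x03");
    println("\tyou don't need to use --backslash. If you enter shellcode");
    println("\tforcing a backslash in your terminal like \\\\x03, use --backslash.\n");
    exit(0);
}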
/**
 * Print the program name, its MAJOR.MINOR.PATCH version and the project
 * line, then terminate with exit status 0.
 */
void print_version_exit() {
    print("execshellcode v");
    println(VERSION_MAJOR, ".", VERSION_MINOR, ".", VERSION_PATCH);
    println("This program is part of the Balzebub project.");
    std::exit(EXIT_SUCCESS);
}
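/**
 * Entry point: decode the hex-encoded bytes given on the command line, copy
 * them into an anonymous read/write/execute mapping and call that mapping
 * as a function.
 *
 * Input forms, selected by the first argument:
 *   (none)          xYZ per byte  (3 characters; what arrives when \xYZ is
 *                                  typed unquoted, per the help text)
 *   --backslash     \xYZ per byte (4 characters)
 *   --nobackslash   YZ per byte   (2 characters)
 *
 * The decoded bytes run inside this process; no sandboxing or privilege
 * reduction is applied here.
 *
 * Exit status: -3 for malformed or empty input, 1 for a bad hex pair
 * (from hex_to_char), -1 when mmap fails, otherwise 0 if the called code
 * returns.
 */
int main(int argc, char const *argv[]) {
    if (argc < 2) {
        print_help();  // does not return
    }

    std::string shellcode = argv[1];
    size_t byte_size = 3;

    if (shellcode == "--help" || shellcode == "-h") {
        print_help();
    } else if (shellcode == "--version" || shellcode == "-v") {
        print_version_exit();
    }

    if (argc == 3) {
        if (shellcode == "--backslash") {
            shellcode = argv[2];
            byte_size = 4;
        } else if (shellcode == "--nobackslash") {
            shellcode = argv[2];
            byte_size = 2;
        }
    }

    // Shared failure path for every input-shape problem.
    const auto format_error = [] {
        println("ERROR Wrong format\nUse \\xYZ format or "
                "\\\\xYZ format with --backslash option or "
                "YZ with --nobackslash option.");
        exit(-3);
    };

    // An empty string would ask mmap for a zero-length mapping; report it
    // as a format problem instead.
    if (shellcode.empty() || shellcode.size() % byte_size != 0) {
        format_error();
    }

    const size_t buffer_size = shellcode.size() / byte_size;

    // std::string is used as a plain byte buffer so the storage is released
    // automatically on every path.
    std::string decoded;
    decoded.reserve(buffer_size);

    // Number of marker characters ("x" or "\x") in front of each hex pair.
    const size_t prefix_len = byte_size - 2;
    for (size_t i = 0; i < shellcode.size(); i += byte_size) {
        const bool prefix_ok =
            (byte_size == 2) ||
            (byte_size == 3 && shellcode[i] == 'x') ||
            (byte_size == 4 && shellcode[i] == '\\' && shellcode[i + 1] == 'x');
        // A group with the wrong marker must stop the run: skipping it would
        // leave an undefined byte in the buffer that is executed below.
        if (!prefix_ok) {
            format_error();
        }
        decoded.push_back(static_cast<char>(
            hex_to_char(shellcode.substr(i + prefix_len, 2))));
    }

    // Anonymous private mapping requested readable, writable and executable
    // in one call. Systems that enforce W^X can refuse this, in which case
    // mmap returns MAP_FAILED and the error is reported here.
    void* executable = mmap(nullptr, buffer_size,
                            PROT_WRITE | PROT_EXEC | PROT_READ,
                            MAP_ANONYMOUS | MAP_PRIVATE,
                            -1, 0);
    if (executable == MAP_FAILED) {
        perror("mmap");
        exit(-1);
    }

    memcpy(executable, decoded.data(), buffer_size);
    println("Executing", buffer_size, "bytes shellcode using mmap...\n");

    // Control only comes back if the called bytes return like a function.
    reinterpret_cast<int (*)()>(executable)();

    munmap(executable, buffer_size);
    return 0;
}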