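;hello.asm
; Linux/x86 (32-bit, int 0x80 ABI) "hello" shellcode in NASM syntax.
;
; Null-free by construction: registers are zeroed with xor (no immediates)
; and syscall numbers/arguments are loaded through 8-bit registers
; (al/bl/dl), so the byte string survives strcpy-style copies.
; Position independent via the jmp/call/pop trick: CALL pushes the address
; of the bytes that follow it (the string) and the callee pops that as the
; write() buffer, so no absolute address is ever encoded.
; Syscall ABI used: eax = number, ebx/ecx/edx = args 1..3, int 0x80 enters.
; This is an i386 payload; on an x86-64 host it only runs where the kernel
; still provides 32-bit syscall emulation.
[BITS 32]
[SECTION .text]

SYS_EXIT    equ 1
SYS_WRITE   equ 4
STDOUT      equ 1

global _start
_start:
        jmp short ender             ; forward jump = short rel8, no null bytes

starter:
        xor eax, eax                ; clear without using 0x00 immediates
        xor ebx, ebx
        xor edx, edx
        mov al, SYS_WRITE           ; write(STDOUT, msg, msg_len)
        mov bl, STDOUT
        pop ecx                     ; return address pushed by CALL == &msg (no clear needed)
        mov dl, msg_len             ; must stay < 256 so the imm8 form keeps it null-free
        int 0x80

        xor eax, eax                ; eax holds write()'s return; rebuild it for exit(0)
        mov al, SYS_EXIT
        xor ebx, ebx                ; ebx was STDOUT; status must be 0
        int 0x80

ender:
        call starter                ; backward call = negative rel32, no null bytes
msg:    db 'hello'                  ; data lives in .text so it ships inside the payload
msg_len equ $ - msg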
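# nasm -f elf emits a 32-bit ELF object; on an x86-64 host ld must be told so (-m elf_i386).
$ nasm -f elf hello.asm
$ ld -m elf_i386 -o hello hello.o
# Collect the byte column of every objdump instruction line into one "\x.."-escaped C string.
# Caveats: cut -f1-6 keeps at most six bytes of each objdump line, so longer instructions
# would be truncated (all instructions in hello.asm are shorter); check the output for \x00,
# which terminates strcpy-style delivery of the payload.
$ objdump -d ./hello|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'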
Or, equivalently, extract the bytes with the following Python script:
import re
import sys
from subprocess import Popen, PIPE
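# objdump instruction lines start with an address column: "  8048060:" (whitespace, hex, colon)
_ADDR_COL = re.compile(r'^\s*[0-9a-fA-F]+:$')


def _bytes_from_listing(listing):
    """Turn an ``objdump -d`` listing into a ``\\xNN`` escape string.

    Every line whose first tab-separated column is an address (including the
    continuation lines objdump emits for long instructions, which carry no
    mnemonic column) contributes its byte column, in file order.  Section
    headers, symbol labels and the "file format" line have no tab and are
    skipped.

    :param listing: objdump output as ``str`` (or ``bytes``, decoded as ASCII)
    :return: ``str`` of ``\\x``-escaped bytes, possibly empty
    """
    if isinstance(listing, bytes) and not isinstance(listing, str):
        listing = listing.decode('ascii', 'replace')
    escaped = []
    for line in listing.splitlines():
        cols = line.split('\t')
        if len(cols) < 2 or not _ADDR_COL.match(cols[0]):
            continue
        escaped.extend('\\x' + b for b in cols[1].split())
    return ''.join(escaped)


def shellcode_from_objdump(obj):
    """Return the machine code of ``obj`` as a ``"\\xNN..."`` escape string.

    Runs ``objdump -d`` on the object file or linked binary and concatenates
    the bytes of every disassembled instruction, so everything objdump treats
    as executable ends up in the string (for the statically linked hello
    binary that is just .text).  The result is not checked for NUL bytes;
    callers delivering it through C string functions should do so.

    :param obj: path of the object file or executable to disassemble
    :return: ``str`` of ``\\x``-escaped bytes (empty if nothing was disassembled)
    :raises ValueError: when objdump exits non-zero; its stderr is the message
    """
    proc = Popen(['objdump', '-d', obj], stdout=PIPE, stderr=PIPE)
    out, err = proc.communicate()
    if proc.returncode != 0:
        raise ValueError(err)
    return _bytes_from_listing(out)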
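if __name__ == '__main__':
    # CLI: <script> <obj_file> -> prints the escaped byte string; exit 2 on usage error.
    # print(...) with a single argument runs unchanged under Python 2 and 3.
    if len(sys.argv) < 2:
        print('Usage: %s <obj_file>' % sys.argv[0])
        sys.exit(2)
    print('Shellcode for %s:' % sys.argv[1])
    shellcode = shellcode_from_objdump(sys.argv[1])
    print(shellcode)
    if '\\x00' in shellcode:
        # A NUL byte terminates strcpy-style copies, so such a payload is
        # usually unusable as-is; warn on stderr so stdout stays pasteable.
        sys.stderr.write('WARNING: shellcode contains NUL (\\x00) bytes\n')
    sys.exit(0)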