137 lines
3.9 KiB
Bash
137 lines
3.9 KiB
Bash
|
#!/usr/bin/env sh
|
||
|
#
|
||
|
# USAGE
|
||
|
# ./make.sh [Egg-Mark]
|
||
|
#
|
||
|
# NOTE
|
||
|
# Egg-Mark must be a plaintext with 8 bytes in length
|
||
|
# If Egg-Mark was not specified, the default one will be used.
|
||
|
#
|
||
|
# To specify a custom payload, simply modify the code of payload.nasm file.
|
||
|
# Alternativly, you can modify PAYLOADCODE= variable down below the code.
|
||
|
#
|
||
|
|
||
|
ARG1=$1
|
||
|
|
||
|
if [ -z "$ARG1" ]; then
|
||
|
echo " [I] Argument not specified. Using default EGG mark."
|
||
|
ARG1="Egg-Mark";
|
||
|
elif ! [[ `expr length $ARG1` -ge 8 && `expr length $ARG1` -le 8 ]]; then
|
||
|
echo " [E] Custom EGG mark must be 8 bytes in length! Exiting."
|
||
|
exit 1;
|
||
|
else
|
||
|
echo " [I] Using custom EGG mark: "$ARG1
|
||
|
fi
|
||
|
|
||
|
|
||
|
DEFAULTEGG=($(echo -n "Egg-Mark" | sed -e 's/\(....\)/\1\n/g')) # set in hunter.nasm
|
||
|
EGGMARK=$ARG1
|
||
|
NEWEGG=($(echo -n $EGGMARK | sed -e 's/\(....\)/\1\n/g'))
|
||
|
|
||
|
# Uncomment to save EGGMARK in HEX
|
||
|
EGGMARK=$(echo -n $ARG1 | od -A n -t x1 |sed 's/ /\\x/g')
|
||
|
|
||
|
# Cleanup
|
||
|
rm -f shellcode payload.o payload egg.o egg hunter.o hunter
|
||
|
|
||
|
echo " [+] Compiling payload.nasm ..."
|
||
|
nasm -f elf32 -o payload.o payload.nasm
|
||
|
ld -m elf_i386 -o payload payload.o
|
||
|
|
||
|
echo " [+] Compiling egg.nasm ..."
|
||
|
nasm -f elf32 -o egg.o egg.nasm
|
||
|
ld -m elf_i386 -o egg egg.o
|
||
|
|
||
|
echo " [+] Compiling hunter.nasm ..."
|
||
|
nasm -f elf32 -o hunter.o hunter.nasm
|
||
|
ld -m elf_i386 -o hunter hunter.o
|
||
|
|
||
|
echo " [+] Extracting EGG code from egg ..."
|
||
|
EGGCODE=$(objdump -d ./egg |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s)
|
||
|
|
||
|
echo " [+] Extracting PAYLOAD code from payload ..."
|
||
|
PAYLOADCODE=$(objdump -d ./payload |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s)
|
||
|
|
||
|
FULL_PAYLOADCODE=$(echo -n ${EGGMARK}${EGGCODE}${PAYLOADCODE}|sed 's/^/"/' |sed 's/$/"/g')
|
||
|
|
||
|
echo " [+] Checking PAYLOAD code for NULLs ..."
|
||
|
if [[ $FULL_PAYLOADCODE == *00* ]]; then
|
||
|
echo " [E] Your PAYLOAD code contains 00 (NULL) ! Exiting."
|
||
|
exit 1
|
||
|
fi
|
||
|
|
||
|
|
||
|
echo " [+] Extracting HUNTER code from hunter ..."
|
||
|
HUNTERCODE=$(objdump -d ./hunter |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s|sed 's/^/"/' |sed 's/$/"/g')
|
||
|
|
||
|
# For debugging only
|
||
|
#echo ${DEFAULTEGG[0]}
|
||
|
#echo ${DEFAULTEGG[1]}
|
||
|
#echo ${NEWEGG[0]}
|
||
|
#echo ${NEWEGG[1]}
|
||
|
|
||
|
# Preparing Default egg to HEX form in order to replace it with a New egg
|
||
|
DEFEGG1=$(echo -n ${DEFAULTEGG[0]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
|
||
|
DEFEGG2=$(echo -n ${DEFAULTEGG[1]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
|
||
|
|
||
|
# Uncomment to save new EGGMARK in HEX format
|
||
|
NEWEGG1=$(echo -n ${NEWEGG[0]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
|
||
|
NEWEGG2=$(echo -n ${NEWEGG[1]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
|
||
|
|
||
|
# Uncomment to save new EGGMARK in Plaintext format
|
||
|
#NEWEGG1=$(echo -n ${NEWEGG[0]})
|
||
|
#NEWEGG2=$(echo -n ${NEWEGG[1]})
|
||
|
|
||
|
|
||
|
FULL_HUNTERCODE=$(echo -n $HUNTERCODE |sed 's/'$DEFEGG1'/'$NEWEGG1'/g'| sed 's/'$DEFEGG2'/'$NEWEGG2'/g')
|
||
|
|
||
|
echo " [+] Checking HUNTER code for NULLs ..."
|
||
|
if [[ $FULL_HUNTERCODE == *00* ]]; then
|
||
|
echo " [E] Your HUNTER code contains 00 (NULL) ! Exiting."
|
||
|
exit 1
|
||
|
fi
|
||
|
|
||
|
|
||
|
# Uncomment to see what will is replaced (default egg with a new one)
|
||
|
#echo $DEFEGG1
|
||
|
#echo $DEFEGG2
|
||
|
#echo $NEWEGG1
|
||
|
#echo $NEWEGG2
|
||
|
#echo $HUNTERCODE
|
||
|
#echo $FULL_HUNTERCODE
|
||
|
|
||
|
cat > shellcode.c << EOF
|
||
|
#include <stdio.h>
|
||
|
#include <string.h>
|
||
|
|
||
|
unsigned char hunter[] = \
|
||
|
$FULL_HUNTERCODE;
|
||
|
|
||
|
unsigned char garbage1[] = \
|
||
|
"Just some garbage here...";
|
||
|
|
||
|
unsigned char payload[] = \
|
||
|
$FULL_PAYLOADCODE;
|
||
|
|
||
|
unsigned char garbage2[] = \
|
||
|
"And some garbage there...";
|
||
|
|
||
|
main()
|
||
|
{
|
||
|
printf("Hunter Length: %d\n", strlen(hunter));
|
||
|
printf("Payload Length: %d\n", strlen(payload));
|
||
|
int (*ret)() = (int(*)())hunter;
|
||
|
ret();
|
||
|
}
|
||
|
EOF
|
||
|
|
||
|
echo " [+] Compiling shellcode.c ..."
|
||
|
gcc -m32 -fno-stack-protector -z execstack shellcode.c -o shellcode
|
||
|
|
||
|
# Cleanup
|
||
|
rm -f payload.o payload egg.o egg hunter.o hunter
|
||
|
|
||
|
ls -la ./shellcode
|
||
|
|
||
|
echo " [+] All done!"
|