Jump to content
Nytro

Sickle

Recommended Posts

Sickle

Sickle is a payload development tool originally created to aid me in crafting shellcode, however it can be used in crafting payloads for other exploit types as well (non-binary). Although the current modules are mostly aimed towards assembly this tool is not limited to shellcode.

Sickle can aid in the following:

  • Identifying instructions resulting in bad characters when crafting shellcode
  • Formatting output in various languages (python, perl, javascript, etc).
  • Accepting bytecode via STDIN and formatting it.
  • Executing shellcode in both Windows and Linux environments.
  • Diffing for two binaries (hexdump, raw, asm, byte)
  • Dissembling shellcode into assembly language (ARM, x86, etc).
  • Shellcode extraction from raw bins (nasm sc.asm -o sc)

Quick failure check

A task I found myself doing repetitively was compiling assembler source code then extracting the shellcode, placing it into a wrapper, and testing it. If it was a bad run, the process would be repeated until successful. Sickle takes care of placing the shellcode into a wrapper for quick testing. (Works on Windows and Unix systems):

alt text

Recreating shellcode

Sometimes you find a piece of shellcode that's fluent in its execution and you want to recreate it yourself to understand its underlying mechanisms. Sickle can help you compare the original shellcode to your "recreated" version.

alt text

If you're not crafting shellcode and just need 2 binfiles to be the same this feature can also help verifying files are the same byte by byte (multiple modes).

alt text

Disassembly

Sickle can also take a binary file and convert the extracted opcodes (shellcode) to machine instructions. Keep in mind this works with raw opcodes (-r) and STDIN (-r -) as well. In the following example I am converting a reverse shell designed by Stephen Fewer to assembly.

alt text

Bad character identification

asciicast

Module Based Design

This tool was originally designed as a one big script, however recently when a change needed to be done to the script I had to relearn my own code... In order to avoid this in the future I've decided to keep all modules under the "modules" directory (default module: format). If you prefer the old design, I have kept a copy under the Documentation directory.

~# sickle.py -l

  Name                Description
  ----                -----------
  diff                Compare two binaries / shellcode(s). Supports hexdump, byte, raw, and asm modes
  run                 Execute shellcode on either windows or unix
  format              Format bytecode into desired format / language
  badchar             Generate bad characters in respective format
  disassemble         Disassemble bytecode in respective architecture
  pinpoint            Pinpoint where in shellcode bad characters occur

~# sickle -i -m diff
Options for diff

Options:

  Name        Required    Description
  ----        --------    -----------
  BINFILE     yes         Additional binary file needed to perform diff
  MODE        yes         hexdump, byte, raw, or asm

Description:

  Compare two binaries / shellcode(s). Supports hexdump, byte, raw, and asm modes

Sursa: https://github.com/wetw0rk/Sickle

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...