;hello.asm
[SECTION .text]
global _start
_start:
jmp short ender
starter:
xor eax, eax ;clean up the registers
xor ebx, ebx
xor edx, edx
xor ecx, ecx
mov al, 4 ;syscall write
mov bl, 1 ;stdout is 1
pop ecx ;get the address of the string from the stack
mov dl, 5 ;length of the string
int 0x80
xor eax, eax
mov al, 1 ;exit the shellcode
xor ebx,ebx
int 0x80
ender:
call starter ;put the address of the string on the stack
db 'hello'
$ nasm -f elf hello.asm
$ ld -o hello hello.o
$ objdump -d ./PROGRAM|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'
or
by python
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
|
from subprocess import Popen, PIPEimport sysdef shellcode_from_objdump(obj): res = '' p = Popen(['objdump', '-d', obj], stdout=PIPE, stderr=PIPE) (stdoutdata, stderrdata) = p.communicate() if p.returncode == 0: for line in stdoutdata.splitlines(): cols = line.split('\t') if len(cols) > 2: for b in [b for b in cols[1].split(' ') if b != '']: res = res + ('\\x%s' % b) else: raise ValueError(stderrdata) return resif __name__ == '__main__': if len(sys.argv) < 2: print 'Usage: %s <obj_file>' % sys.argv[0] sys.exit(2) else: print 'Shellcode for %s:' % sys.argv[1] print shellcode_from_objdump(sys.argv[1]) sys.exit(0) |