Shellcode-Extractor

Hi guys, I’m new to this blog, my nick is neetx. I hope you will enjoy my articles and you will learn new things.

Today I introduce a little tool called shellcode-extractor.

There are a lot of ways (and other tools) to do this, but I wrote this tool for personal use and to share it.

This is not an assembly or C course, so I will use some terms and concepts you should already know; for more explanation I recommend the Shellfl0w course posted on this blog too.

Opcodes and operands, the elements used to write a program in assembly language, have a hexadecimal representation.

Putting together the hexadecimal codes representing a program forms a string called shellcode:

\x48\x31\xd2\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7\x50\x57\x48\x89\xe6\xb0\x3b\x0f\x05

\x means that the number which follows is hexadecimal.

Each block “\xnn” is the hexadecimal representation of an opcode or operand (n is a hexadecimal digit).

Shellcode can be executed directly, or it can be used to craft payloads; these payloads are used in exploit writing.

So we can write programs using the hexadecimal representation directly, or obtain it after writing the assembly version. We choose the second method for obvious reasons.

I will work from Debian 9.

This is the assembly code to spawn a shell locally (x64 architecture):

Assemble it with NASM:

Use linker:

Try it:

It works. Our job now is to obtain the shellcode. But first, a little demonstration:

You can see the hexadecimal numbers on the left; these are what we need! (same output with: objdump -D ./a.out)

Now we use my tool to obtain shellcode: https://github.com/Neetx/Shellcode-Extractor

It works in a pipe with the objdump program, so it needs the objdump output as its input.

The first string is our shellcode; the integer on the second line is the length of the shellcode.

Note: a shellcode must avoid null bytes (\x00), which is achieved with some assembly tricks. This is necessary for correct execution (otherwise the null byte terminates the string).
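As an added example (my own illustration here, not the code of the Shellcode-Extractor tool), this Python snippet does the same job as the tool on objdump -d text and also reports the offsets of any null bytes. The objdump text below is constructed to match the article's x64 program, and the objdump line layout (address, colon, tab, bytes, tab, mnemonic) is assumed.

```python
import re
from typing import List, Tuple

# Matches one 'objdump -d' code line, including the continuation line of a long
# instruction ("  40008a:\t2f 73 68 "); header and symbol lines do not match.
_CODE_LINE = re.compile(r"^\s*[0-9a-fA-F]+:\t([0-9a-fA-F]{2}(?: [0-9a-fA-F]{2})*)")

def extract_bytes(objdump_output: str) -> bytes:
    """Collect the machine-code bytes from 'objdump -d' text, in address order."""
    out = bytearray()
    for line in objdump_output.splitlines():
        m = _CODE_LINE.match(line)
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)

def to_shellcode_string(code: bytes) -> str:
    """Render the bytes in the \\xNN form shown in the article."""
    return "".join(f"\\x{b:02x}" for b in code)

def null_byte_offsets(code: bytes) -> List[int]:
    """Offsets of \\x00 bytes, which would terminate a C string holding the shellcode."""
    return [i for i, b in enumerate(code) if b == 0]

def extract(objdump_output: str) -> Tuple[str, int, List[int]]:
    """Return (shellcode string, length, null-byte offsets)."""
    code = extract_bytes(objdump_output)
    return to_shellcode_string(code), len(code), null_byte_offsets(code)

# Constructed sample: 'objdump -d' output for the article's x64 execve("/bin/sh")
# program; the bytes are the ones in the article's shellcode string.
SAMPLE_OBJDUMP = """\
a.out:     file format elf64-x86-64
0000000000400080 <_start>:
  400080:\t48 31 d2             \txor    %rdx,%rdx
  400083:\t48 bb 2f 2f 62 69 6e \tmovabs $0x68732f6e69622f2f,%rbx
  40008a:\t2f 73 68 
  40008d:\t48 c1 eb 08          \tshr    $0x8,%rbx
  400091:\t53                   \tpush   %rbx
  400092:\t48 89 e7             \tmov    %rsp,%rdi
  400095:\t50                   \tpush   %rax
  400096:\t57                   \tpush   %rdi
  400097:\t48 89 e6             \tmov    %rsp,%rsi
  40009a:\tb0 3b                \tmov    $0x3b,%al
  40009c:\t0f 05                \tsyscall
"""
# Constructed sample: 'mov $0x3b,%eax' encodes a 32-bit immediate containing three
# null bytes, which the check flags (the article's 'mov $0x3b,%al' avoids them).
SAMPLE_WITH_NULLS = "  400000:\tb8 3b 00 00 00       \tmov    $0x3b,%eax\n"
```

Calling extract(SAMPLE_OBJDUMP) gives the article's 30-byte string with no null bytes, while extract(SAMPLE_WITH_NULLS) reports nulls at offsets 2, 3 and 4.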

Now we will test whether this shellcode can be executed like the assembly program; the C language helps us do this.

This is C code that uses a string to contain our shellcode; the function mprotect then sets the string's memory as executable.

A function pointer points at our string (the shellcode) and executes it.

Compile this code and try it:

It works!

I hope that this article has been useful to you and that you liked it. Bye!
