#!/usr/bin/env python
"""
# StackString encoder
Usage: ./stackstring.py -s <string> [options]
Options:
-s <string> The string to encode
-0 No null byte in the shellcode
-x <xorkey> XOR Key (1 byte) to use to encode the last 4 bytes of the string
eg: '0x11' or 'e'
Example:
./stackstring.py -s "Hello world"
./stackstring.py -s "Hello world" -0
./stackstring.py -s "Hello world" -0 -x 0x21
Ref: https://www.exploit-db.com/docs/english/17065-manual-shellcode.pdf
"""
# Module metadata. The module docstring above doubles as the docopt usage
# spec that main() parses, so its "Usage:"/"Options:" layout is load-bearing.
__description__ = 'Generates x86 shellcode that produces a StackString'
__author__ = 'Benjamin Evrard'
import struct
import binascii
import pwn
import docopt
# Single-byte x86 opcodes the encoder emits, keyed by mnemonic. Each value is
# the raw opcode byte (its printable ASCII form is in the trailing comment);
# the PUSH and XOR_EAX opcodes are followed by a 4-byte little-endian
# immediate where they are used below.
OC = dict(
    XOR_EAX="\x35",   # '5'
    PUSH_EAX="\x50",  # 'P'
    POP_EAX="\x58",   # 'X'
    PUSH="\x68",      # 'h'
)
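def pad(str, int, chr):
    """Right-pad ``str`` with ``chr`` until its length is a multiple of ``int``.

    The parameter names shadow builtins; they are kept as-is so existing
    callers are unaffected. ``chr`` is expected to be a single element (the
    encoder passes a NUL byte). The amount of padding is computed up front
    instead of appending in a loop, so an empty ``chr`` returns ``str``
    unchanged rather than never terminating.

    Args:
        str: The sequence to pad (a ``str``; ``bytes`` also works on Python 3).
        int: The alignment; must be positive (``ZeroDivisionError`` for 0).
        chr: The single-character padding element.

    Returns:
        ``str`` followed by as many copies of ``chr`` as needed to reach the
        next multiple of ``int`` (unchanged when already aligned).
    """
    missing = (-len(str)) % int
    return str + chr * missing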
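def encode_stack_string(string, nb, xorkey=0x11111111):
    """Encode ``string`` as x86 instructions that push it onto the stack.

    Written for Python 2: ``string`` is a byte string (``str``) and so are the
    returned chunks (``struct`` output is concatenated to the opcode bytes).

    Args:
        string: The text to encode. A trailing NUL is appended when missing,
            then the text is NUL-padded to a multiple of 4 bytes. An empty
            string therefore encodes as a single all-NUL dword.
        nb: Truthy when NUL bytes are acceptable in the output (a plain
            ``push imm32`` per dword). Falsy selects the XOR form for the
            first pushed dword, the one that holds the terminator and
            padding, so that dword's NULs do not appear literally.
        xorkey: 32-bit value XORed into that dword and emitted as the
            ``xor eax, imm32`` immediate when ``nb`` is falsy.

    Returns:
        A list of byte strings, one per emitted instruction, in execution
        order. Dwords are pushed last-first so the string lies forward in
        memory once all pushes have run.

    Note:
        Only the NULs introduced by termination/padding are handled. A NUL
        inside ``string`` itself, or a character of the final dword equal to
        the matching key byte, still yields a NUL in the output; the function
        does not check for that.
    """
    # Terminate and pad to whole dwords so every chunk is exactly 4 bytes.
    if not string or string[-1] != "\x00":
        string += "\x00"
    string = pad(string, 4, "\x00")
    # Split into little-endian dwords, last dword first: every push lowers
    # ESP, so the tail of the string must be pushed before its head.
    string_words = [
        struct.unpack("<I", string[i:i + 4])[0]
        for i in range(len(string) - 4, -1, -4)
    ]
    if nb:
        # NUL bytes allowed: one push imm32 per dword.
        return [OC["PUSH"] + struct.pack("<I", w) for w in string_words]
    # The first pushed dword carries the terminator (hence NULs): push its
    # XORed form, pop it into EAX, undo the XOR in-register, push EAX.
    sc = [
        OC["PUSH"] + struct.pack("<I", string_words[0] ^ xorkey),
        OC["POP_EAX"],
        OC["XOR_EAX"] + struct.pack("<I", xorkey),
        OC["PUSH_EAX"],
    ]
    # The remaining dwords hold only string characters and are pushed as-is.
    sc.extend(OC["PUSH"] + struct.pack("<I", w) for w in string_words[1:])
    return sc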
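def _parse_xor_byte(text):
    """Turn the ``-x`` argument into an integer in ``0..255``.

    Accepts a ``0x``-prefixed hexadecimal number or a single literal
    character. Anything else exits with a message instead of silently
    falling back to the default key, which is what the old inline parsing
    did; values wider than one byte are rejected for the same reason.
    """
    if text[0:2] == "0x":
        try:
            value = int(text, 16)
        except ValueError:
            raise SystemExit("Invalid XOR key %r: not a hexadecimal number" % text)
    elif len(text) == 1:
        value = ord(text)
    else:
        raise SystemExit("Invalid XOR key %r: use '0x..' or a single character" % text)
    if not 0 <= value <= 0xff:
        raise SystemExit("Invalid XOR key %r: must fit in one byte" % text)
    return value


def main():
    """Command-line entry point: parse options, encode, print the result.

    The module docstring is the docopt usage spec. The XOR byte from ``-x``
    (default ``0x11``) is replicated into all four bytes of the 32-bit key;
    ``-0`` enables the XOR form and reports the key that was used.
    """
    args = docopt.docopt(__doc__)
    string = args["-s"]
    xorbyte = 0x11
    if args["-x"]:
        xorbyte = _parse_xor_byte(args["-x"])
    # Same byte in every position of the dword key.
    xorkey = xorbyte + (xorbyte << 8) + (xorbyte << 16) + (xorbyte << 24)
    # nb: NUL bytes are acceptable in the output unless -0 was given.
    nb = 1
    if args["-0"]:
        print("XOR Key: 0x%08x" % xorkey)
        nb = 0
    print("Encoding \"%s\" into a stackstring: " % string)
    stackstring = encode_stack_string(string, nb, xorkey)
    # One line per instruction: disassembly (first 8 columns dropped,
    # presumably the address field) padded to 60 columns, then raw bytes.
    for w in stackstring:
        listing = pwn.disasm(w)
        print("%s%s%s" % (listing[8:], " " * (60 - len(listing)), w))
    print("\n" + binascii.hexlify("".join(stackstring)))
    print("".join(stackstring))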
# Script entry point; importing the module for encode_stack_string() does
# not run the CLI.
if __name__ == "__main__":
    main()