Python package to create shellcdoes from elfs supported arch (mips, i386 32bit, i386 64bit)
Project description
Elf to shellcode
Convert standard elf files to standalone shellcodes. Please read the following documentation view the examples for this project to work
How does this work ?
The python library parses the elf and create a simple relocatable file format Then the mini loader is inserted as the entry point of the elf the mini loader will load the relocatable format and execute it. There are no special requirements, the library contain the compiled mini loaders
Project links
Supported architectures
mips
i386 (32bit)
i386 (64bit)
Installation:
# Unfortunately only python2 is supported for now
python2 -m pip install elf_to_shellcodeCreating a shellcode
Some compilation flags are required for this to work properly. You must compile the binary with -fPIE and -static take a look at the provided examples below (makefile).
shellcode is a stripped binary with no symbols and no elf information only opcodes, in order to make the shellcode this library require a binary with elf information. so make sure you are not stripping the binary before using this library #### Examples:
Compiling with libc
Libc has destructors and constructors this project doesn’t fully support libc. take a look at the provided example (which uses libc) and note that some function won’t work properly.
eg…
printf is using fwrite which uses the FILE * struct for stdout. this file is opened post libc initialization (in one of the libc constructors). __start is responsible for calling libc constructors and we don’t use __start (for other reasons). therefor you can’t use printf in the shellcode, but you can implement it using snprintf and write
Converting the elf to shellcode:
from elf_to_shellcode.relocate import make_shellcode
shellcode = make_shellcode(
binary_path="/tmp/binary.out",
arch="mips",
endian="big"
)
with open("myshellcode.out", 'wb') as fp:
fp.write(shellcode)Testing your shellcode
You can use the provided shellcode Loader to test you shellcodes
qemu-mips ./shellcode_loader ./myshellcode.outOutput example
Shellcode size = 66620
Allocating shellcode buffer, size = 69632
Mapping new memory, size = 69632
Jumping to shellcode, address = 0x7f7ee000
Hello from shellcode !Optimizations
some Compiler optimization (like -o3) may produce un-shellcodeable output. #### Example of compiler optimization (intel x32):
void * func1() {
// ... function code
}
void * func2() {
// ... function code
}
void * funcs[2] = {
func1,
func2
};
void main(int argc) {
if(argc == 1) {
funcs[0]();
}
else {
funcs[1]();
}
}This example actually fools -fPIE and the provided output is
cmp eax, 1 ; argc
je call_func_zero
; address is incorrect here because we are in PIC mode
call <address_of_func_one>
call_func_zero:
call <address_of_func_zero>Address is incorrect and should be calculated as:
get_pc:
mov eax, [esp]
ret
call get_pc
lea eax, [eax+relative_address_of_func_1]
; then
call eaxRelease history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
File details
Details for the file elf_to_shellcode-1.6.tar.gz.
File metadata
- Download URL: elf_to_shellcode-1.6.tar.gz
- Upload date:
- Size: 6.7 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.0 CPython/3.9.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
bc0f0b56020a3014666cfe5f93b056f8e63587ba9e16483e33b4dd196c13d4f1
|
|
| MD5 |
6ee0306e0ee93a4f7daebe055608d700
|
|
| BLAKE2b-256 |
952746b975922a2763028a778a142e9ca7c8f6024a4370fa6c41f917799b8248
|
