RE: Generating shellcode

From: Sinan Eren (SEren@entercept.com)
Date: 05/21/02


Date: Mon, 20 May 2002 18:47:46 -0700
From: "Sinan Eren" <SEren@entercept.com>
To: "Ryn" <mattyml@daemons.net>, <vuln-dev@securityfocus.com>

Hi,

Well I guess the right answer to your question is this shell script which I have been using to dump C string array style shellcodes.

shellac# cat shellsc.sh
# Disassemble main() from the given object and keep only the four hex byte
# columns (in the Solaris 'dis -F' layout they sit at characters 10-20).
dis -F main "$1" | cut -b10-20 > ./hex.out
# Turn "bc 10 20 00" into "\xbc\x10\x20\x00". The backslash is doubled so
# every awk prints it literally (gawk would otherwise read \x as a hex escape).
cat ./hex.out | awk '{ print "\"\\x"$1"\\x"$2"\\x"$3"\\x"$4"\"" }' > hex.out2
# Skip the first 7 lines and the last line of the listing (dis header and
# trailing instruction that are not part of the shellcode); adjust if your
# dis output has a different prologue.
LINEC=`wc -l hex.out2 | awk '{print $1}'`
TAILC=`expr $LINEC - 7`
tail -n $TAILC hex.out2 > hex.out3
TAILC=`expr $TAILC - 1`
printf "char shellcode[] = \n"
head -n $TAILC hex.out3
printf ";\n"
echo
# Emit a small test harness that jumps into the array.
echo "#include <stdio.h>"
echo
echo int
echo "main(void)"
echo {
echo "void (*f)();"
echo
echo "f = (void (*)())shellcode;"
echo
echo "printf(\"shellcode %d\", sizeof(shellcode));"
echo
echo "f();"
echo }
rm -f hex.out*

shellac#

chmod 755 ./shellsc.sh
and then hit ./shellsc.sh connectback_shellcode ....
eg:
shellac# ./shellsc.sh connectback
char shellcode[] =
"\x20\xbf\xff\xff"
"\x20\xbf\xff\ ....

....

#include <stdio.h>

int
main(void)
{
void (*f)();

f = (void (*)())shellcode;

printf("shellcode %d", sizeof(shellcode));

f();
}

-----Original Message-----
From: Ryn [mailto:mattyml@daemons.net]
Sent: Sunday, May 19, 2002 7:29 AM
To: vuln-dev@securityfocus.com
Subject: Generating shellcode

Howdy,

Do any documents exist explaining how to convert assembly op codes and
operands to hex? I can use "gdb" or "dis" on Solaris to get:

bc 10 20 00 clr %fp
e0 03 a0 40 ld [%sp + 64], %l0
a2 03 a0 44 add %sp, 68, %l1
9c 23 a0 20 sub %sp, 32, %sp
80 90 00 01 orcc %g0, %g1, %g0

I want to see how to get column 1 - 4 by hand.

Thanks for any info,
Ryan