2011-04-24 22:03:43 +00:00
|
|
|
/* radare - LGPL - Copyright 2007-2011 pancake <@nopcode.org> */
|
2010-10-04 17:43:40 +00:00
|
|
|
|
|
|
|
#include "rasc.h"
|
|
|
|
#include "r_types.h"
|
|
|
|
#include "r_userconf.h"
|
|
|
|
#include <stdio.h>
|
|
|
|
#include <string.h>
|
|
|
|
#include <getopt.h>
|
|
|
|
#include <stdlib.h>
|
|
|
|
#include <sys/types.h>
|
|
|
|
#include <unistd.h>
|
2011-09-19 11:54:57 +00:00
|
|
|
#include <r_util.h>
|
2010-10-04 17:43:40 +00:00
|
|
|
|
|
|
|
#if __UNIX__
|
2011-08-03 19:01:56 +00:00
|
|
|
#include <sys/mman.h>
|
2010-10-04 17:43:40 +00:00
|
|
|
#include <sys/socket.h>
|
|
|
|
#include <netinet/in.h>
|
|
|
|
#endif
|
|
|
|
|
|
|
|
#if __WINDOWS__
|
|
|
|
#include <windows.h>
|
|
|
|
#endif
|
|
|
|
|
2011-07-02 21:15:40 +00:00
|
|
|
// TODO: remove this limit
|
|
|
|
#define BLOCK 32768
|
2011-07-26 07:34:10 +00:00
|
|
|
static const char *ofile = NULL;
|
|
|
|
static const char *encoder = NULL;
|
|
|
|
static int scidx = -1;
|
|
|
|
static int hexa_print = 0;
|
|
|
|
static ut32 off = 0, addr = 0;
|
|
|
|
static ut8 shellcode[BLOCK];
|
|
|
|
static ut8 output[BLOCK];
|
2010-10-04 17:43:40 +00:00
|
|
|
|
|
|
|
/* sizes */
|
2011-07-26 07:34:10 +00:00
|
|
|
static int A=0, N=0;
|
|
|
|
static int C=0, E=0;
|
|
|
|
static int scsize = 0;
|
2010-10-04 17:43:40 +00:00
|
|
|
#define SCSIZE N+A+C+E+scsize
|
|
|
|
|
|
|
|
static int show_helpline() {
|
|
|
|
printf( "Usage: rasc2 [-cCexXtLV] [-l port] [-a addr@off] [-[A|N|C|E] N]\n"
|
|
|
|
" [-s hexpair] [-i name] [-S file] [-h]\n");
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int show_help() {
|
2011-04-24 22:03:43 +00:00
|
|
|
show_helpline ();
|
|
|
|
printf (
|
2010-10-04 17:43:40 +00:00
|
|
|
" -l [port] starts a syscall proxy server\n"
|
|
|
|
" -A [n] prefix shellcode with N A's (0x41)\n"
|
|
|
|
" -N [n] prefix shellcode with N nops (0x90)\n"
|
|
|
|
" -C [n] suffix shellcode with N traps\n"
|
|
|
|
" -E [n] prefix with enumeration 01 02 03..\n"
|
|
|
|
" -a addr@off set the return address at a specified offset\n"
|
|
|
|
" -s 'sc' set shellcode in hexpairs (cc cd 80)\n"
|
|
|
|
" -S 'file' load shellcode from file\n"
|
|
|
|
" -i 'scdb' hardcoded shellcode (-L to list)\n"
|
|
|
|
" -L list hardcoded shellcodes\n"
|
|
|
|
" -c output in C format\n"
|
|
|
|
" -e output in escapped string\n"
|
|
|
|
" -x output in hexpairs format\n"
|
2011-07-26 07:34:10 +00:00
|
|
|
" -O [encoder] select output encoder (fmi: -O help)\n"
|
|
|
|
" -o [file] select output file\n"
|
2010-10-04 17:43:40 +00:00
|
|
|
" -X execute shellcode\n"
|
|
|
|
" -t test current platform\n"
|
|
|
|
" -V show version information\n"
|
|
|
|
" Environment variables to compile shellcodes:\n"
|
|
|
|
" CMD Command to execute on execves\n"
|
|
|
|
" HOST Host to connect\n"
|
|
|
|
" PORT Port to listen or connect\n");
|
|
|
|
//#warning TODO: prefix shellcode with setuid() fun
|
|
|
|
//printf(" -p attach \n");
|
|
|
|
//printf(" -P push file and remote execute\n");
|
|
|
|
//printf(" -u use UDP\n");
|
|
|
|
return 0;
|
2011-07-26 23:16:18 +00:00
|
|
|
}
|
2010-10-04 17:43:40 +00:00
|
|
|
|
2011-07-26 23:16:18 +00:00
|
|
|
int encode (const char *encoder, ut8 *dst, int dstlen, ut8 *src, int srclen) {
|
2011-08-03 19:01:56 +00:00
|
|
|
int xordeclen, i;
|
2011-07-26 23:16:18 +00:00
|
|
|
if (!strcmp (encoder, "xor")) {
|
2011-08-03 19:01:56 +00:00
|
|
|
//ut8 key = 33;
|
2011-07-27 08:30:23 +00:00
|
|
|
// Find valid xor key
|
|
|
|
// length is key here
|
2011-08-03 19:01:56 +00:00
|
|
|
const ut8 *xordec = (const ut8*)
|
2011-07-27 08:30:23 +00:00
|
|
|
// TODO: setup ecx here
|
|
|
|
"\xe8\xff\xff\xff\xff" // call $$+4
|
|
|
|
"\xc1" // ffc1 = inc ecx
|
|
|
|
"\x5e" // pop esi
|
|
|
|
"\x30\x4c\x0e\x07" // xor [esi+ecx+7], cl
|
|
|
|
"\xe2\xfa"; // loop xoresi
|
2011-08-03 19:01:56 +00:00
|
|
|
xordeclen = strlen ((const char *)xordec);
|
2011-07-27 08:30:23 +00:00
|
|
|
if (srclen+xordeclen>=dstlen) {
|
|
|
|
eprintf ("encode: too long");
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
memcpy (dst, xordec, xordeclen);
|
|
|
|
for (i=0;i<srclen; i++) {
|
|
|
|
dst[xordeclen+i] = src[i] ^ i; // XXX
|
|
|
|
}
|
|
|
|
memcpy (dst+xordeclen, src, srclen);
|
|
|
|
return srclen + xordeclen;
|
2011-07-26 23:16:18 +00:00
|
|
|
} else {
|
|
|
|
eprintf ("Encoders: xor\n");
|
|
|
|
exit (0);
|
|
|
|
}
|
2011-07-26 23:41:35 +00:00
|
|
|
return 0;
|
2010-10-04 17:43:40 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
char *filetostr(char *file) {
|
2011-07-27 08:30:23 +00:00
|
|
|
FILE *fd = fopen (file,"r");
|
2010-10-04 17:43:40 +00:00
|
|
|
char *buf;
|
|
|
|
int i, size = BLOCK;
|
|
|
|
|
|
|
|
if (fd == NULL)
|
|
|
|
return NULL;
|
|
|
|
|
2011-04-24 22:03:43 +00:00
|
|
|
buf = (char *)malloc (size);
|
2010-10-04 17:43:40 +00:00
|
|
|
buf[0]='\0';
|
2011-07-27 08:30:23 +00:00
|
|
|
for (i=0; !feof (fd); i++) {
|
2010-10-04 17:43:40 +00:00
|
|
|
if (i==size) {
|
|
|
|
size = size + BLOCK;
|
2011-07-27 08:30:23 +00:00
|
|
|
buf = realloc (buf, size);
|
2010-10-04 17:43:40 +00:00
|
|
|
}
|
2011-04-24 22:03:43 +00:00
|
|
|
fread (buf+i, 1, 1, fd);
|
2010-10-04 17:43:40 +00:00
|
|
|
}
|
2011-04-24 22:03:43 +00:00
|
|
|
fclose (fd);
|
2010-10-04 17:43:40 +00:00
|
|
|
if (buf[0]=='\0') {
|
2011-04-24 22:03:43 +00:00
|
|
|
free (buf);
|
2010-10-04 17:43:40 +00:00
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
return buf;
|
|
|
|
}
|
|
|
|
|
|
|
|
int otf_patch() {
|
|
|
|
char *ptr;
|
|
|
|
/* on the fly patching */
|
|
|
|
if (scidx != -1) {
|
|
|
|
if (shellcodes[scidx].cmd) {
|
2011-07-02 21:15:40 +00:00
|
|
|
// XXX: This is broken
|
2011-04-24 22:03:43 +00:00
|
|
|
ptr = getenv ("CMD");
|
2010-10-04 17:43:40 +00:00
|
|
|
if (ptr) {
|
2011-07-02 21:15:40 +00:00
|
|
|
int srclen = strlen (ptr);
|
|
|
|
char *dst = (char*) (shellcode+shellcodes[scidx].cmd);
|
|
|
|
memcpy (dst, ptr, srclen);
|
|
|
|
shellcode[shellcodes[scidx].cmd+srclen]='\0';
|
|
|
|
if (strlen (ptr)>7)
|
|
|
|
scsize += strlen (ptr)-7;
|
2010-10-04 17:43:40 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
if (shellcodes[scidx].host) {
|
2011-04-24 22:03:43 +00:00
|
|
|
ptr = getenv ("HOST");
|
2010-10-04 17:43:40 +00:00
|
|
|
if (ptr) {
|
|
|
|
int x,y,z,w;
|
2011-07-27 08:30:23 +00:00
|
|
|
sscanf (ptr,"%d.%d.%d.%d", &x,&y,&z,&w);
|
2010-10-04 17:43:40 +00:00
|
|
|
shellcode[shellcodes[scidx].host+3]=x;
|
|
|
|
shellcode[shellcodes[scidx].host+2]=y;
|
|
|
|
shellcode[shellcodes[scidx].host+1]=z;
|
|
|
|
shellcode[shellcodes[scidx].host+0]=w;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if (shellcodes[scidx].port) {
|
2011-04-24 22:03:43 +00:00
|
|
|
ptr = getenv ("PORT");
|
2010-10-04 17:43:40 +00:00
|
|
|
if (ptr) {
|
|
|
|
unsigned short port = atoi(ptr);
|
2011-08-08 00:07:26 +00:00
|
|
|
memcpy (shellcode+shellcodes[scidx].port, &port, 2);
|
2010-10-04 17:43:40 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
/* patch return address */
|
|
|
|
if (addr != 0) {
|
|
|
|
/* TODO: swapping endian for addr (-e) */
|
2011-07-26 07:34:10 +00:00
|
|
|
ut8 *foo = (ut8 *)&addr;
|
2010-10-04 17:43:40 +00:00
|
|
|
if (off<0) off = 0;
|
|
|
|
if (off>SCSIZE) off = SCSIZE-4;
|
|
|
|
output[off+0] = foo[0];
|
|
|
|
output[off+1] = foo[1];
|
|
|
|
output[off+2] = foo[2];
|
|
|
|
output[off+3] = foo[3];
|
|
|
|
}
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
int print_shellcode() {
|
2011-04-24 22:03:43 +00:00
|
|
|
int j=0, i=0;
|
2010-10-04 17:43:40 +00:00
|
|
|
|
|
|
|
if (!(SCSIZE)) {
|
2011-04-24 22:03:43 +00:00
|
|
|
printf ("No shellcode defined\n");
|
2010-10-04 17:43:40 +00:00
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
2011-07-02 23:51:20 +00:00
|
|
|
if (SCSIZE+A+N+4>=BLOCK) {
|
|
|
|
eprintf ("TODO: add support for unlimitted buffers.\n");
|
2010-10-04 17:43:40 +00:00
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* prepare output buffer */
|
2011-04-24 22:03:43 +00:00
|
|
|
for (i=0;i<A;i++)
|
2010-10-04 17:43:40 +00:00
|
|
|
output[i] = 'A';
|
|
|
|
if (N%2) {
|
2011-07-26 07:34:10 +00:00
|
|
|
for (i=0; i<N; i++)
|
2010-10-04 17:43:40 +00:00
|
|
|
output[i+A] = '\x90';
|
|
|
|
} else {
|
2011-07-26 07:34:10 +00:00
|
|
|
for (i=0; i<N; i+=2) {
|
2010-10-04 17:43:40 +00:00
|
|
|
output[i+A] = '\x40'; // inc eax
|
|
|
|
output[i+A+1] = '\x48'; // dec eax
|
|
|
|
}
|
|
|
|
}
|
2011-07-02 21:15:40 +00:00
|
|
|
for (i=0,j='A'; i<E; i++,j++) {
|
|
|
|
int idx = i*4;
|
2010-10-04 17:43:40 +00:00
|
|
|
if (j=='\n'||j=='\r')
|
|
|
|
j++;
|
2011-07-02 21:15:40 +00:00
|
|
|
output[idx+A+N] = (ut8)(j%256);
|
|
|
|
output[idx+A+N+1] = (ut8)(j%256);
|
|
|
|
output[idx+A+N+2] = (ut8)(j%256);
|
|
|
|
output[idx+A+N+3] = (ut8)(j%256);
|
2010-10-04 17:43:40 +00:00
|
|
|
}
|
2011-05-03 21:43:16 +00:00
|
|
|
/* patch addr and env */
|
|
|
|
otf_patch ();
|
|
|
|
|
2011-07-26 23:16:18 +00:00
|
|
|
if (encoder) {
|
2011-07-26 23:41:35 +00:00
|
|
|
ut8 blob[BLOCK];
|
2011-07-26 23:16:18 +00:00
|
|
|
scsize = encode (encoder, blob, sizeof (blob), shellcode, scsize);
|
|
|
|
memcpy (output+A+N+E, blob, scsize);
|
|
|
|
} else memcpy (output+A+N+E, shellcode, scsize);
|
2011-07-26 07:34:10 +00:00
|
|
|
for (i=0; i<C; i++)
|
2010-10-04 17:43:40 +00:00
|
|
|
output[i+A+E+N+scsize] = '\xCC';
|
|
|
|
|
2011-07-26 07:34:10 +00:00
|
|
|
if (ofile) {
|
|
|
|
int fd;
|
|
|
|
unlink (ofile);
|
|
|
|
fd = open (ofile, O_RDWR | O_CREAT, 0755);
|
|
|
|
dup2 (fd, 1);
|
|
|
|
}
|
2011-04-24 22:03:43 +00:00
|
|
|
switch (hexa_print) {
|
2010-10-04 17:43:40 +00:00
|
|
|
case 0: // raw
|
2011-04-24 22:03:43 +00:00
|
|
|
write (1, output, SCSIZE);
|
2010-10-04 17:43:40 +00:00
|
|
|
break;
|
|
|
|
case 1: // hexpairs
|
2011-07-26 07:34:10 +00:00
|
|
|
for (i=0; i<SCSIZE; i++)
|
|
|
|
printf ("%02x", output[i]);
|
2011-04-24 22:03:43 +00:00
|
|
|
printf ("\n");
|
2010-10-04 17:43:40 +00:00
|
|
|
break;
|
|
|
|
case 2: // C
|
2011-07-26 07:34:10 +00:00
|
|
|
printf ("ut8 shellcode[] = { ");
|
2010-10-04 17:43:40 +00:00
|
|
|
j = 0;
|
2011-07-26 07:34:10 +00:00
|
|
|
for (i=0; i<SCSIZE; i++) {
|
2011-04-24 22:03:43 +00:00
|
|
|
if (!(i%12)) printf ("\n ");
|
|
|
|
printf ("0x%02x", output[i]);
|
2010-10-04 17:43:40 +00:00
|
|
|
if (i+1!=SCSIZE+scsize)
|
2011-04-24 22:03:43 +00:00
|
|
|
printf (", ");
|
2010-10-04 17:43:40 +00:00
|
|
|
}
|
2011-04-24 22:03:43 +00:00
|
|
|
printf ("\n};\n");
|
2010-10-04 17:43:40 +00:00
|
|
|
break;
|
|
|
|
case 3:
|
|
|
|
if (scsize == 0) {
|
|
|
|
printf("No shellcode defined\n");
|
|
|
|
return 1;
|
|
|
|
} else {
|
2011-11-14 00:17:13 +00:00
|
|
|
ut8 *ptr, *p = malloc (4096<<1);
|
2011-07-26 07:34:10 +00:00
|
|
|
void (*cb)() = (void *)&shellcode;
|
2011-11-14 00:17:13 +00:00
|
|
|
ptr = R_MEM_ALIGN (p);
|
2011-08-08 00:07:26 +00:00
|
|
|
memcpy (ptr, shellcode, SCSIZE);
|
2011-09-19 11:54:57 +00:00
|
|
|
r_mem_protect (ptr, 4096, "rx");
|
|
|
|
r_mem_protect (ptr, 4096, "rwx"); // try, ignore if fail
|
2011-08-03 19:01:56 +00:00
|
|
|
cb = (void*)ptr;
|
2011-09-19 11:54:57 +00:00
|
|
|
cb ();
|
2011-11-14 00:17:13 +00:00
|
|
|
free (p);
|
2010-10-04 17:43:40 +00:00
|
|
|
}
|
|
|
|
break;
|
|
|
|
case 4:
|
2011-07-26 07:34:10 +00:00
|
|
|
printf ("\"");
|
2010-10-04 17:43:40 +00:00
|
|
|
j = 0;
|
2011-09-19 11:54:57 +00:00
|
|
|
for (i=0;i<SCSIZE;i++)
|
2011-07-26 07:34:10 +00:00
|
|
|
printf ("\\x%02x", output[i]);
|
|
|
|
printf ("\"\n");
|
2010-10-04 17:43:40 +00:00
|
|
|
break;
|
|
|
|
}
|
2011-07-26 07:34:10 +00:00
|
|
|
fflush (stdout);
|
|
|
|
if (ofile)
|
|
|
|
close (1);
|
2010-10-04 17:43:40 +00:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2011-07-26 07:34:10 +00:00
|
|
|
int hex2int (ut8 *val, ut8 c) {
|
|
|
|
if ('0' <= c && c <= '9') *val = (ut8)(*val) * 16 + ( c - '0');
|
|
|
|
else if (c >= 'A' && c <= 'F') *val = (ut8)(*val) * 16 + ( c - 'A' + 10);
|
|
|
|
else if (c >= 'a' && c <= 'f') *val = (ut8)(*val) * 16 + ( c - 'a' + 10);
|
2010-10-04 17:43:40 +00:00
|
|
|
else return 0;
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
2011-04-24 22:03:43 +00:00
|
|
|
int hexpair2bin(const char *arg) { // (0A) => 10 || -1 (on error)
|
2011-07-26 07:34:10 +00:00
|
|
|
ut8 *ptr;
|
|
|
|
ut8 c = '\0';
|
|
|
|
ut8 d = '\0';
|
|
|
|
unsigned int j = 0;
|
2010-10-04 17:43:40 +00:00
|
|
|
|
2011-07-26 07:34:10 +00:00
|
|
|
for (ptr = (ut8 *)arg; ; ptr++) {
|
2010-10-04 17:43:40 +00:00
|
|
|
if (ptr[0]==' '||ptr[0]=='\t'||ptr[0]=='\n'||ptr[0]=='\r')
|
|
|
|
continue;
|
|
|
|
if (!IS_PRINTABLE(ptr[0]))
|
|
|
|
continue;
|
|
|
|
if (ptr[0]=='\0'||ptr[0]==' ' || j==2)
|
|
|
|
break;
|
|
|
|
d = c;
|
|
|
|
if (hex2int(&c, ptr[0]) == 0) {
|
|
|
|
fprintf(stderr, "Invalid hexa string at char '%c'.\n", ptr[0]);
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
c |= d;
|
|
|
|
if (j++ == 0) c <<= 4;
|
|
|
|
}
|
|
|
|
|
|
|
|
return (int)c;
|
|
|
|
}
|
|
|
|
|
2011-05-15 01:33:31 +00:00
|
|
|
void cipher_memcpy(ut8 *dst, ut8 *src, int len) {
|
|
|
|
int i, n;
|
|
|
|
for (i=0; i<len; i++) {
|
|
|
|
n = src[i] & 0xf;
|
|
|
|
n = n==0xf?0:n+1;
|
|
|
|
dst[i] = n;
|
|
|
|
n = src[i] & 0xf0;
|
|
|
|
n>>=4;
|
|
|
|
n = n==0xf?0:n+1;
|
|
|
|
dst[i] |= n<<4;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2010-10-04 17:43:40 +00:00
|
|
|
int load_shellcode_from_me(char *str) {
|
|
|
|
int i;
|
2011-05-15 01:33:31 +00:00
|
|
|
for (i=0; shellcodes[i].name; i++) {
|
2011-04-24 22:03:43 +00:00
|
|
|
if (!strcmp (shellcodes[i].name, str)) {
|
2011-05-15 01:33:31 +00:00
|
|
|
//memcpy (shellcode, shellcodes[i].data, shellcodes[i].len);
|
|
|
|
/* cipher shit */
|
|
|
|
cipher_memcpy (shellcode, shellcodes[i].data, shellcodes[i].len);
|
2010-10-04 17:43:40 +00:00
|
|
|
scsize = shellcodes[i].len;
|
|
|
|
scidx = i;
|
|
|
|
//printf("Using %d bytes shellcode (%s) %02x %02x\n", shellcodes[i].len, shellcodes[i].desc,
|
|
|
|
//shellcodes[i].data[0], shellcodes[i].data[1], shellcodes[i].data[2]);
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2011-04-24 22:03:43 +00:00
|
|
|
// XXX: return value is always 0??
|
2010-10-04 17:43:40 +00:00
|
|
|
int load_shellcode_from_string(char *str) {
|
2011-04-24 22:03:43 +00:00
|
|
|
int i, j=1, ch, len;
|
|
|
|
char input2[BLOCK];
|
|
|
|
strncpy (input2, str, BLOCK-1);
|
|
|
|
len = strlen (input2);
|
2010-10-04 17:43:40 +00:00
|
|
|
input2[0] = '\0';
|
2011-04-24 22:03:43 +00:00
|
|
|
for (i=0;i<len;i+=j) {
|
2010-10-04 17:43:40 +00:00
|
|
|
if (str[i]==' '||str[i]=='\t'||str[i]=='\n'||str[i]=='\r')
|
|
|
|
continue;
|
2011-04-24 22:03:43 +00:00
|
|
|
ch = hexpair2bin (str+i);
|
2010-10-04 17:43:40 +00:00
|
|
|
if (str[i+2]==' ')
|
|
|
|
j = 3;
|
|
|
|
else j = 2;
|
|
|
|
if (ch == -1)
|
|
|
|
break;
|
|
|
|
shellcode[scsize++]=ch;
|
|
|
|
}
|
|
|
|
shellcode[scsize] = '\0';
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2011-05-15 01:33:31 +00:00
|
|
|
static int file_type(char *str) {
|
2010-10-04 17:43:40 +00:00
|
|
|
if (!strcmp(str,"-"))
|
|
|
|
return 0; // stdin
|
|
|
|
if (!strcmp(str+strlen(str)-2,".s"))
|
|
|
|
return 1; // stdin
|
|
|
|
return 2;
|
|
|
|
}
|
|
|
|
|
2011-05-15 01:33:31 +00:00
|
|
|
static int load_shellcode_from_file(char *str) {
|
2010-10-04 17:43:40 +00:00
|
|
|
char buf[1024];
|
|
|
|
char *ptr = NULL;
|
|
|
|
|
2011-05-15 01:33:31 +00:00
|
|
|
eprintf ("TODO: This is r1-dependant.. ugly . must dump all disasm\n");
|
2010-10-04 17:43:40 +00:00
|
|
|
str[1024]='\0';
|
2011-04-24 22:03:43 +00:00
|
|
|
switch (file_type (str)) {
|
2010-10-04 17:43:40 +00:00
|
|
|
case 0: // stdin
|
2011-04-24 22:03:43 +00:00
|
|
|
fprintf (stderr, "TODO\n");
|
2010-10-04 17:43:40 +00:00
|
|
|
break;
|
|
|
|
case 1: // .s file (assembly
|
2011-07-02 21:15:40 +00:00
|
|
|
snprintf (buf, sizeof (buf), "gcc -nostdlib -o .x %s", str);
|
2011-05-15 01:33:31 +00:00
|
|
|
system (buf);
|
|
|
|
system ("rsc syms-dump .x | grep _start | cut -d : -f 2 | tee .y");
|
|
|
|
unlink (".x");
|
|
|
|
ptr = filetostr (".y");
|
|
|
|
unlink (".y");
|
2010-10-04 17:43:40 +00:00
|
|
|
if (ptr) {
|
|
|
|
load_shellcode_from_string(ptr);
|
|
|
|
free(ptr);
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
default:
|
2011-05-15 01:33:31 +00:00
|
|
|
eprintf ("File format not supported\n");
|
|
|
|
exit (1);
|
2010-10-04 17:43:40 +00:00
|
|
|
}
|
2011-05-03 21:43:16 +00:00
|
|
|
|
2010-10-04 17:43:40 +00:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
int main(int argc, char **argv) {
|
2011-10-20 13:05:30 +00:00
|
|
|
int c; //, listen = 0;
|
2010-10-04 17:43:40 +00:00
|
|
|
|
|
|
|
if (argc<2)
|
2011-04-24 22:03:43 +00:00
|
|
|
return show_helpline ();
|
2010-10-04 17:43:40 +00:00
|
|
|
|
2011-07-26 07:34:10 +00:00
|
|
|
while ((c = getopt (argc, argv, "a:VcC:ts:S:i:Ll:uhN:A:XxE:eo:O:")) != -1) {
|
|
|
|
switch (c) {
|
|
|
|
case 'o':
|
|
|
|
// output file
|
|
|
|
ofile = optarg;
|
|
|
|
break;
|
|
|
|
case 'O':
|
|
|
|
// output encoder
|
|
|
|
eprintf ("TODO: no encoders implemented yet\n");
|
|
|
|
encoder = optarg;
|
|
|
|
break;
|
2010-10-04 17:43:40 +00:00
|
|
|
case 't':
|
2011-04-24 22:03:43 +00:00
|
|
|
return test ();
|
2010-10-04 17:43:40 +00:00
|
|
|
case 'x':
|
|
|
|
// dump shellcode in hexa
|
|
|
|
hexa_print = 1;
|
|
|
|
break;
|
|
|
|
case 'X':
|
|
|
|
// execute
|
|
|
|
hexa_print = 3;
|
|
|
|
break;
|
|
|
|
case 'C':
|
2011-04-24 22:03:43 +00:00
|
|
|
C = atoi (optarg);
|
2010-10-04 17:43:40 +00:00
|
|
|
break;
|
|
|
|
case 'E':
|
2011-04-24 22:03:43 +00:00
|
|
|
E = atoi (optarg);
|
2010-10-04 17:43:40 +00:00
|
|
|
break;
|
|
|
|
// dump shellcode in C
|
|
|
|
case 'e':
|
|
|
|
hexa_print = 4;
|
|
|
|
break;
|
|
|
|
case 'c':
|
|
|
|
hexa_print = 2;
|
|
|
|
break;
|
|
|
|
case 'a':
|
2011-04-24 22:03:43 +00:00
|
|
|
sscanf (optarg, "%x@%x", (int*) &addr, (int*) &off);
|
2010-10-04 17:43:40 +00:00
|
|
|
if (!addr||!off)
|
2011-04-24 22:03:43 +00:00
|
|
|
sscanf (optarg, "0%x@%x", (int*) &addr, (int*) &off);
|
2010-10-04 17:43:40 +00:00
|
|
|
|
|
|
|
if (!addr||!off) {
|
2011-04-24 22:03:43 +00:00
|
|
|
printf ("Invalid argument for -a\n");
|
2010-10-04 17:43:40 +00:00
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
case 'A':
|
2011-04-24 22:03:43 +00:00
|
|
|
A = atoi (optarg);
|
2010-10-04 17:43:40 +00:00
|
|
|
break;
|
|
|
|
case 's':
|
2011-04-24 22:03:43 +00:00
|
|
|
load_shellcode_from_string (optarg);
|
2010-10-04 17:43:40 +00:00
|
|
|
break;
|
|
|
|
case 'S':
|
2011-04-24 22:03:43 +00:00
|
|
|
load_shellcode_from_file (optarg);
|
2010-10-04 17:43:40 +00:00
|
|
|
break;
|
|
|
|
case 'i':
|
2011-04-24 22:03:43 +00:00
|
|
|
if (!load_shellcode_from_me (optarg)) {
|
|
|
|
printf ("Cannot find shellcode '%s'\n", optarg);
|
2010-10-04 17:43:40 +00:00
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
case 'N':
|
2011-04-24 22:03:43 +00:00
|
|
|
N = atoi (optarg);
|
2010-10-04 17:43:40 +00:00
|
|
|
break;
|
|
|
|
case 'V':
|
2011-04-24 22:03:43 +00:00
|
|
|
printf ("rasc2 "R2_VERSION"\n");
|
2010-10-04 17:43:40 +00:00
|
|
|
return 0;
|
|
|
|
case 'p':
|
|
|
|
// prefix the contents of this file
|
|
|
|
break;
|
|
|
|
case 'h':
|
2011-04-24 22:03:43 +00:00
|
|
|
return show_help ();
|
2011-10-20 13:05:30 +00:00
|
|
|
/*
|
2010-10-04 17:43:40 +00:00
|
|
|
case 'l':
|
2011-04-24 22:03:43 +00:00
|
|
|
listen = atoi (optarg);
|
2010-10-04 17:43:40 +00:00
|
|
|
break;
|
2011-10-20 13:05:30 +00:00
|
|
|
*/
|
2010-10-04 17:43:40 +00:00
|
|
|
case 'u':
|
2011-04-24 22:03:43 +00:00
|
|
|
printf ("TODO: UDP support\n");
|
2010-10-04 17:43:40 +00:00
|
|
|
break;
|
|
|
|
case 'L':
|
2011-04-24 22:03:43 +00:00
|
|
|
for (c=0;shellcodes[c].name;c++) {
|
|
|
|
printf ("%-20s %3d %s\n",
|
2010-10-04 17:43:40 +00:00
|
|
|
shellcodes[c].name,
|
|
|
|
shellcodes[c].len,
|
|
|
|
shellcodes[c].desc);
|
|
|
|
}
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
}
|
2011-04-24 22:03:43 +00:00
|
|
|
print_shellcode ();
|
2010-10-04 17:43:40 +00:00
|
|
|
return 0;
|
|
|
|
}
|