#!/bin/sh
# ragg2-cc : a shellcode compiler -- pancake - 2011-2016
#
# Compiles a C file into position-independent code using the sflib headers
# shipped with radare2, extracts the raw .text bytes of the result and, by
# default, wraps them into a runnable binary with ragg2 (or prints them as
# hexpairs with -x).
#
# Supported operating systems:
# - GNU/Linux
# - OSX
# - BSD
# Supported compilers:
# - gcc
# - clang
# TODO
# - add support for arm
# - add support for nested shellcodes
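# Find which compiler is installed.
# CC is honoured when already set in the environment; it may legitimately hold
# a whole command line with flags (e.g. "xcrun --sdk iphoneos gcc"), which is
# why it is not re-validated here. Otherwise the first candidate found on PATH
# wins. command -v is used so that no compiler has to be executed just to
# detect it.
if [ -z "${CC}" ]; then
	for candidate in llvm-gcc clang gcc ; do
		if command -v "${candidate}" >/dev/null 2>&1; then
			CC="${candidate}"
			break
		fi
	done
	if [ -z "${CC}" ]; then
		# Diagnostics go to stderr: stdout is reserved for the result
		# (output path or hexpairs) so callers can capture it.
		echo "Cannot find CC" >&2
		echo "Install llvm-gcc, clang or gcc, or set the CC env var" >&2
		exit 1
	fi
fi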
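# Get path for sflib, the headers that are force-included into every compile
# as ${SFLIBPATH}/<kernel>-<arch>-<bits>/sflib.h.
# SFLIBPATH from the environment wins; otherwise it is derived from the
# include directory that `r2 -hh` reports.
if [ -z "${SFLIBPATH}" ]; then
	R2_INCDIR="$(r2 -hh | grep INCDIR | awk '{print $2}')"
	SFLIBPATH="${R2_INCDIR}/sflib"
fi
if [ ! -d "${SFLIBPATH}" ]; then
	# Errors go to stderr so they cannot be mistaken for the output path.
	echo "Cannot find ${SFLIBPATH}" >&2
	echo "Define SFLIBPATH env var or fix the r2 installation" >&2
	exit 1
fi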
# Get local architecture: pick the default register width (B) from the host
# machine type. -b overrides this later.
host_machine="$(uname -m)"
B=32
case "${host_machine}" in
	arm64|aarch64|x86_64)
		B=64
		;;
esac
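# Print the usage text on stdout.
# Used both for -h (caller exits 0) and when no input file was given (caller
# exits 1), so this function does not exit by itself.
dohelp() {
	cat <<EOF
Usage: ragg2-cc [-cdhsvx] [-a arch] [-b bits] [-k kernel] [-o output] [file.c]
 -a x86    set arch (x86, arm)
 -b 32     bits (32, 64)
 -c        generate compiled shellcode (raw .text bytes, no ragg2 wrapping)
 -d        enable debug mode (print each command, keep temporary files)
 -h        show this help
 -k linux  set kernel (darwin, linux)
 -o file   set output file
 -s        generate assembly (stops after writing file.c.s)
 -v        show version
 -x        show hexpair bytes
Environment:
 CC         compiler to use (default: first of llvm-gcc, clang, gcc in PATH)
 SFLIBPATH  directory with the sflib headers (default: r2 INCDIR/sflib)
EOF
}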
# Default target kernel (K) from the host OS; -k overrides it later.
host_os="$(uname)"
if [ "${host_os}" = Darwin ]; then
	K=darwin
else
	K=linux
fi
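# Option parsing. The variables set here drive the rest of the script:
#   X   1 -> print the shellcode as hexpairs instead of building a binary (-x)
#   C   1 -> stop after extracting the raw .text bytes (-c)
#   D   1 -> debug: echo every command and keep temporary files (-d)
#   O   output file (-o); defaults are chosen at the end
#   F   the input C file (the last non-option argument)
#   ASM 1 -> stop after generating assembly (-s)
#   A   target arch (-a), B target bits (-b), K target kernel (-k)
# Previously every argument, options included, overwrote F, so
# "ragg2-cc file.c -x" tried to compile "-x"; now only non-option
# arguments become the input file and unknown options are rejected.
X=0
C=""
D=""
O=""
F=""
ASM=0
A=x86
while [ $# -gt 0 ]; do
	case "$1" in
	-a) # architecture (x86, arm; mips names only change the jump mnemonic)
		shift
		A=$1
		[ -z "$A" ] && { echo "Missing argument for -a" >&2 ; exit 1; }
		;;
	-b) # register size (32, 64)
		shift
		B=$1
		[ -z "$B" ] && { echo "Missing argument for -b" >&2 ; exit 1; }
		;;
	-k) # target kernel (linux, darwin)
		shift
		K=$1
		[ -z "$K" ] && { echo "Missing argument for -k" >&2 ; exit 1; }
		;;
	-x) # print the shellcode as hexpairs
		X=1
		;;
	-c) # emit only the raw compiled .text bytes
		C=1
		;;
	-d) # debug mode: verbose, keep temporaries
		D=1
		;;
	-s) # stop after generating the assembly
		ASM=1
		;;
	-o) # output file
		shift
		O=$1
		if [ -z "$O" ]; then
			echo "Missing argument for -o" >&2
			exit 1
		fi
		;;
	-h) # help
		dohelp
		exit 0
		;;
	-v) # version
		ragg2 -v | sed -e 's,2,2-cc,'
		exit 0
		;;
	-*) # anything else that looks like an option is a typo, not a file
		echo "Unknown option: $1" >&2
		exit 1
		;;
	*) # input file
		F=$1
		;;
	esac
	shift
done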
# No input file given: show the usage and fail, so scripts notice the misuse.
[ -n "$F" ] || {
	dohelp
	exit 1
}
# Mnemonic of the unconditional branch used in the assembly prologue that is
# prepended to the compiler output: ARM and MIPS families use "b", everything
# else (x86) uses "jmp".
case "$A" in
	arm|aarch64|arm64|thumb|arm32|mips|mips32|mips64)
		JMP=b
		;;
	*)
		JMP=jmp
		;;
esac
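# Per-kernel/arch toolchain setup.
#   FMT      container format for ragg2 (refined again by the $K case below)
#   OBJCOPY  objcopy binary used as a fallback when rabin2 extracts nothing
#   SHDR     assembly prologue prepended to the compiler output: a jump to
#            main, so the first byte of the extracted .text is the entry point
#   CFLAGS   flags for the C -> assembly step
#   LDFLAGS  flags for the assembly -> object step (darwin passes -c, so it
#            only assembles; linux has no -c and links a PIE with -nostdlib)
# CFLAGS and LDFLAGS are reset first so values inherited from the environment
# cannot leak into the build (previously possible on the darwin non-x86 path).
# TRIPLET (the sflib header directory) is derived from $K-$A-$B further down,
# so it is not computed here.
CFLAGS=""
LDFLAGS=""
FMT=elf
if [ "$K" = darwin ]; then
	OBJCOPY=gobjcopy
	FMT=mach0
	if [ "$A" = x86 ]; then
		# the Apple toolchain wants the concrete arch name, not "x86"
		if [ "${B}" = 32 ]; then
			ARCH=i386
		else
			ARCH=x86_64
		fi
		CFLAGS="-arch $ARCH"
		LDFLAGS="-arch $ARCH -shared -c"
	else
		ARCH="$A"
		LDFLAGS="-shared -c"
	fi
	# Mach-O C symbols carry a leading underscore
	SHDR="
.text
${JMP} _main"
else
	OBJCOPY=objcopy
	SHDR="
.section .text
.globl main
// .type main, @function
${JMP} main
"
	# Position independent and without start files: the bytes must run from
	# any address with nothing but what ends up in .text.
	if [ "$A" = x86 ]; then
		case "$B" in
		64)
			CFLAGS="-fPIC -fPIE -pie -fpic -m64"
			;;
		*)
			CFLAGS="-fPIC -fPIE -pie -fpic -m32"
			;;
		esac
	else
		CFLAGS="-fPIC -fPIE -pie -fpic -nostartfiles"
	fi
	LDFLAGS="${CFLAGS}"
fi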
# Name of the sflib header directory: <kernel>-<arch>-<bits>. K and A always
# hold a value by this point, so in practice this is unconditional.
if [ -n "$A$K" ]; then
	TRIPLET="$K-$A-$B"
fi
# Section to extract with rabin2 (-O d/S/<TEXT>) and the container format
# ragg2 should produce. On darwin the section name is qualified by its
# segment.
case "$K" in
	windows)
		TEXT=".text"
		FMT=pe
		;;
	darwin)
		TEXT=0.__TEXT.__text
		FMT=mach0
		;;
	*)
		# linux and anything unrecognised
		TEXT=".text"
		FMT=elf
		;;
esac
# iOS targets build with the iphoneos SDK toolchain through xcrun. This
# replaces whatever CC was chosen earlier. USE_CLANG=1 makes the flag
# assembly below skip the gcc-only options.
USE_CLANG=0
target_key="$K-$A-$B"
if [ "${target_key}" = darwin-arm-64 ]; then
	USE_CLANG=1
	CC="xcrun --sdk iphoneos gcc -arch arm64"
	TEXT=0.__TEXT.__text
elif [ "${target_key}" = darwin-arm-32 ]; then
	USE_CLANG=1
	CC="xcrun --sdk iphoneos gcc -arch armv7"
	TEXT=0.__TEXT.__text
fi
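# Final compiler flags.
#   -Os                         optimise for size: shellcode length matters
#   -nostdinc -include sflib.h  no system headers at all; only the sflib
#                               header for the target triplet is visible
#   -fomit-frame-pointer, -fno-zero-initialized-in-bss
#                               keep data out of .bss so everything lands in
#                               the single .text section that is extracted
#   -finline-functions          gcc path only
#   -z execstack                gcc path only; a linker option, passed here at
#                               the compile-only (-S) step where nothing is
#                               linked, so it is probably a leftover that the
#                               compiler ignores -- kept for compatibility
#   -nostdlib                   no libc / crt objects
OPT=-Os
SFLIB_HDR="${SFLIBPATH}/${TRIPLET}/sflib.h"
if [ ! -f "${SFLIB_HDR}" ]; then
	# The compiler will fail on the -include; say why up front so the user
	# knows to adjust -a/-b/-k or SFLIBPATH rather than the C source.
	echo "WARNING: ${SFLIB_HDR} not found (triplet ${TRIPLET}); check -a/-b/-k and SFLIBPATH" >&2
fi
CFLAGS="${CFLAGS} -nostdinc -include ${SFLIB_HDR}"
if [ 1 = "${USE_CLANG}" ]; then
	CFLAGS="${CFLAGS} -fomit-frame-pointer -fno-zero-initialized-in-bss"
else
	CFLAGS="${CFLAGS} -z execstack -fomit-frame-pointer -finline-functions -fno-zero-initialized-in-bss"
fi
LDFLAGS="${LDFLAGS} -nostdlib"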
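# Remove the intermediate files created next to the input file, unless -d
# (debug) asked to keep them. Paths are quoted so input names containing
# spaces or glob characters are handled, and "--" protects names that start
# with "-". Reads the globals D and F.
rmtemps() {
	if [ -z "$D" ]; then
		rm -f -- "$F.tmp" "$F.text" "$F.s" "$F.o"
	fi
}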
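# Report an error, remove temporaries and exit 1.
# Arguments: the message words, joined with spaces. The message goes to
# stderr so that stdout stays reserved for the result (output path/hexpairs).
fail() {
	echo "ERROR: $*" >&2
	rmtemps
	exit 1
}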
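# Build pipeline. stdout carries only the result (the output path, or the
# hexpairs with -x); progress and debug chatter go to stderr so callers can
# capture the result. The unconditional echoes of the command lines and the
# "====" separator that used to pollute stdout are now debug-only.
# Intermediate files live next to the input:
#   F.tmp  raw compiler assembly      F.s     assembly with our prologue
#   F.o    assembled/linked object    F.text  extracted raw bytes
# NOTE(review): these names are predictable and are created in the input
# file's directory; run this on sources in a directory you control.

# Echo a command line to stderr in debug mode only.
dbg_cmd() {
	[ -n "$D" ] && echo "$*" >&2
}

# --- Step 1: C -> assembly ---------------------------------------------
[ -n "$D" ] && echo "==> Compile" >&2
rm -f -- "$F.bin"
# CC, CFLAGS and OPT are intentionally unquoted: they hold whitespace
# separated command words and flags.
dbg_cmd ${CC} ${CFLAGS} -o "$F.tmp" -S ${OPT} "$F"
${CC} ${CFLAGS} -o "$F.tmp" -S ${OPT} "$F" || fail 'compile'
# Prepend the prologue (jump to main) and rewrite the compiler output so it
# collapses into one section: rodata/rdata are folded into text, the i386
# PIC thunk is renamed to __getesp__ (presumably supplied by sflib -- confirm)
# and directives for other sections, symbol sizes, CFI, alloca and the
# ___main glue are dropped. These are plain substring filters: any line
# mentioning e.g. "size" or "zero" (a symbol name included) is dropped too.
echo "${SHDR}" > "$F.s"
sed -e s,rdata,text, -e s,rodata,text, -e 's,get_pc_thunk.bx,__getesp__,g' "$F.tmp" \
	| grep -v .cstring | grep -v size | grep -v ___main | grep -v section \
	| grep -v __alloca | grep -v zero | grep -v cfi >> "$F.s"
rm -f -- "$F.tmp"
if [ "$ASM" = 1 ]; then
	# -s: the assembly is the deliverable, so it is kept and its path printed
	echo "$F.s"
	exit 0
fi

# --- Step 2: assembly -> object (darwin) / linked PIE (linux) ----------
[ -n "$D" ] && echo "==> Assemble" >&2
dbg_cmd ${CC} ${LDFLAGS} ${OPT} -o "$F.o" "$F.s"
${CC} ${LDFLAGS} ${OPT} -o "$F.o" "$F.s" || fail 'compile object'
# Checked before rabin2 runs (it used to be checked afterwards) and routed
# through fail so temporaries are cleaned up.
[ -f "$F.o" ] || fail "Cannot find $F.o"

# --- Step 3: extract the raw .text bytes --------------------------------
[ -n "$D" ] && echo "==> Link" >&2
dbg_cmd rabin2 -o "$F.text" -O "d/S/${TEXT}" "$F.o"
rabin2 -o "$F.text" -O "d/S/${TEXT}" "$F.o"
# -s also covers the case where rabin2 created no file at all; the old
# "du == 0" test silently skipped the fallback then.
if [ ! -s "$F.text" ]; then
	echo "FALLBACK: Using objcopy instead of rabin2" >&2
	${OBJCOPY} -j .text -O binary "$F.o" "$F.text" || fail 'objcopy'
fi

# --- Step 4: deliver ----------------------------------------------------
if [ "$C" = 1 ]; then
	# -c: raw bytes only. Without -o the .text file itself is the output and
	# must survive, so only the other intermediates are removed here.
	if [ -n "$O" ]; then
		mv -- "$F.text" "$O"
	else
		O="$F.text"
	fi
	[ -z "$D" ] && rm -f -- "$F.s" "$F.o"
	echo "$O"
	exit 0
fi
if [ "$X" = 1 ]; then
	# -x: hexpairs on stdout. No exec here, so the temporaries still get
	# removed (the old exec skipped rmtemps and left F.s/F.o/F.text behind).
	rax2 -S < "$F.text"
	rc=$?
	rmtemps
	exit $rc
fi
if [ -n "$D" ]; then
	rax2 -S - < "$F.text" >&2
	ls -l "$F.text" >&2
fi
[ -z "$O" ] && O="$F.bin"
# Wrap the bytes into a runnable container so the shellcode can be tested.
ragg2 -b "$B" -C "$F.text" -f "${FMT}" -a "$A" -o "$O" || fail "ragg2 cannot generate executable. Use -x"
echo "$O"
rmtemps
exit 0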