2011-12-05 01:42:06 +00:00
|
|
|
.Dd Dec 5, 2011
|
|
|
|
.Dt RAGG2-CC 1
|
|
|
|
.Os
|
|
|
|
.Sh NAME
|
|
|
|
.Nm ragg2-cc
|
|
|
|
.Nd CC frontend for compiling shellcodes
|
|
|
|
.Sh SYNOPSIS
|
|
|
|
.Nm ragg2-cc
|
|
|
|
.Op Fl a Ar arch
|
|
|
|
.Op Fl b Ar bits
|
|
|
|
.Op Fl k Ar kernel
|
|
|
|
.Op Fl o Ar file
|
|
|
|
.Op Fl dscxvh
|
|
|
|
.Sh DESCRIPTION
|
2011-12-05 23:27:57 +00:00
|
|
|
ragg2-cc is a frontend of CC. It is used to creates tiny binaries (1KB) or shellcodes in binary or hexpairs from a C source.
|
2011-12-05 01:42:06 +00:00
|
|
|
.Pp
|
|
|
|
The compiler used is the one configured by the CC environment. This has been tested with gcc, llvm-gcc and clang.
|
|
|
|
.Pp
|
|
|
|
Uses sflib (shellforge4) includes to get the syscall definitions.
|
|
|
|
.Pp
|
|
|
|
Only linux/darwin x86-32/64 is supported at the moment. Planned support for more architectures.
|
|
|
|
.Sh OPTIONS
|
|
|
|
.Pp
|
|
|
|
.Bl -tag -width Fl
|
|
|
|
.It Fl a Ar arch
|
|
|
|
set architecture x86, arm
|
|
|
|
.It Fl b Ar bits
|
|
|
|
32 or 64
|
|
|
|
.It Fl k Ar kernel
|
|
|
|
windows, linux or osx
|
|
|
|
.It Fl o Ar file
|
|
|
|
output file to write result of compilation
|
|
|
|
.It Fl h
|
|
|
|
show help message
|
|
|
|
.It Fl v
|
|
|
|
show version
|
|
|
|
.It Fl d
|
|
|
|
show assembler code
|
|
|
|
.It Fl s
|
|
|
|
generate assembly file
|
|
|
|
.It Fl c
|
|
|
|
generate compiled shellcode
|
|
|
|
.It Fl x
|
|
|
|
show hexpair bytes
|
|
|
|
.El
|
|
|
|
.Sh EXAMPLE
|
|
|
|
.Pp
|
|
|
|
$ cat hi.c
|
|
|
|
int main() {
|
|
|
|
write (1, "Hello World\\n", 12);
|
|
|
|
exit (0);
|
|
|
|
}
|
|
|
|
.Pp
|
|
|
|
$ ragg2-cc hi.c
|
|
|
|
hi.c.bin
|
|
|
|
.Pp
|
|
|
|
# Linked into a tiny binary. This is 294 bytes
|
2011-12-05 07:27:16 +00:00
|
|
|
$ wc \-c < hi.c.bin
|
2011-12-05 01:42:06 +00:00
|
|
|
294
|
|
|
|
.Pp
|
|
|
|
$ ./hi.c.bin
|
|
|
|
Hello World
|
|
|
|
.Pp
|
|
|
|
# The compiled shellcode has zeroes
|
2011-12-05 07:27:16 +00:00
|
|
|
$ ragg2-cc \-x hi.c
|
2011-12-05 01:42:06 +00:00
|
|
|
e90000000083ec0ce800000000588d882a000000b804000000606a0651
|
|
|
|
6a0150cd8083c41061b8010000006a0050cd8083c40883c40cc368656c
|
|
|
|
6c6f0a00
|
|
|
|
.Pp
|
|
|
|
# Use a xor encoder with key 32 to bypass
|
2011-12-05 07:27:16 +00:00
|
|
|
$ ragg2 \-e xor \-c key=32 \-B `ragg2-cc \-x hi.c`
|
2011-12-05 01:42:06 +00:00
|
|
|
6a3e596a205be8ffffffffc15e4883c60d301e48ffc6e2f9c920202020
|
|
|
|
a3cc2cc82020202078ada80a2020209824202020404a26714a2170eda0
|
|
|
|
a3e4304198212020204a2070eda0a3e428a3e42ce348454c4c4f2a20
|
|
|
|
.Sh SEE ALSO
|
|
|
|
.Pp
|
|
|
|
.Xr radare2(1) ,
|
|
|
|
.Xr rahash2(1) ,
|
|
|
|
.Xr rafind2(1) ,
|
|
|
|
.Xr rabin2(1) ,
|
|
|
|
.Xr rafind2(1) ,
|
|
|
|
.Xr ranal2(1) ,
|
|
|
|
.Xr radiff2(1) ,
|
|
|
|
.Xr rasm2(1) ,
|
|
|
|
.Xr ragg2cc(1) ,
|
|
|
|
.Sh AUTHORS
|
|
|
|
.Pp
|
|
|
|
pancake <pancake@nopcode.org>
|