shellme.py

1. from commands import getoutput
2. from argparse import ArgumentParser
3. from os import system
4. import sys
5.  
6. """Lazy mans shellcode maker.  Wraps nasm/objdump stuff.
7. """
8.  
9. def check():
10.     """i need nasm/objdump"""
11.     found = True
12.     if getoutput("which nasm") == '':
13.         found = False
14.     elif getoutput("which objdump") == '':
15.         found = False
16.     return found
17.  
18. def get_output(inf,arch='elf'):
19.     """format into a string of bytes"""
20.     output = ''
21.     if '.nasm' in inf:
22.         tmp = getoutput("nasm -f %s %s"%(arch,inf))
23.         if 'error' in tmp:
24.             print '[-] Error in your asm: ', tmp
25.             sys.exit(1)
26.         inf = inf.replace(".nasm", ".o")
27.     tmp = getoutput("objdump -d %s"%inf)
28.    
29.     opcodes = ''
30.     for line in tmp.split('\n')[7:]:
31.         tmp = line.split(':',1)
32.         if len(tmp) > 1 and len(tmp[1]) > 0: tmp = tmp[1]
33.         else: continue
34.  
35.         # split on tab to get opcodes
36.         tmp = ''.join(tmp).split('\t')
37.         if len(tmp) > 1: tmp = tmp[1].strip().replace(' ','')
38.         if '<' in tmp: continue
39.         opcodes += tmp
40.     return opcodes
41.  
42. def encode(lbyte):
43.     """Take the opcode string and insert \\x's.  
44.        I'll add in fancy encoding and output
45.        formatting eventually.
46.     """
47.     formatted_lbyte = ''.join(["\\x"+lbyte[idx]+lbyte[idx+1] for idx in range(0,len(lbyte)-1,2)])
48.     return formatted_lbyte
49.  
50. def format_output(dmp,width=8):
51.     """Input should just be a stream of formatted hex bytes
52.        i.e. \\x05\\x06\\x07...
53.        Returns this truncated into columns with a width of width
54.     """
55.     dmp = dmp.split('\\x')[1:]
56.     return '\\x'+'\n\\x'.join(['\\x'.join(dmp[i:i+width]) for i in range(0,len(dmp),width)])
57.  
58. def compile_instruction(instruction,arch='elf'):
59.     """Compile a single instruction and return opcodes"""
60.     with open('/tmp/tmp-me.nasm', 'w+') as f:
61.         f.write(instruction.decode('string-escape')+'\n')
62.     ops = encode(get_output('/tmp/tmp-me.nasm',arch))
63.     system('rm -f /tmp/tmp-me.nasm /tmp/tmp-me.o')
64.     return ops
65.  
66. def run(options):
67.     """encode/dump"""
68.     if options.inf:
69.         dmp = encode(get_output(options.inf,options.arch))
70.     elif options.instruction:
71.         dmp = compile_instruction(options.instruction,options.arch)
72.  
73.     print '[+] Encoded:\n', format_output(dmp)
74.     if options.output:
75.         with open(options.output, 'w') as f:
76.             f.write(format_output(dmp))
77.  
78. def arguments():
79.     """Handle cli"""
80.     parser = ArgumentParser()
81.     parser.add_argument('-n',help='nasm or object file',metavar='FILE',action='store',dest='inf')
82.     parser.add_argument('-o',help='output file',action='store',dest='output')
83.     parser.add_argument('-i',help='instruction',action='store',dest='instruction')
84.     parser.add_argument('-a',help='architecture [elf/elf64]',action='store',dest='arch',default='elf')
85.  
86.     if len(sys.argv) < 2:
87.         parser.print_help()
88.         sys.exit(1)
89.  
90.     return parser.parse_args() 
91.  
92. if __name__=="__main__":   
93.     if not check():
94.         print '[-] I need objdump and nasm'
95.         sys.exit(1)
96.     run(arguments())