Extracting a Payload

shellcode
malware

#1

as @0x00pf explained in his ELF injection tutorial, you can extract the .text (actualy code) from an ELF (binary) file to get the payload.
There are many ways to do this and picoflamingo showed us one way.
Today I will share a shell script I wrote that does the same thing and prints it in ascii on your terminal, or wherever you redirect / pipe it.

#!/bin/bash
xxd -g 1 -s `h2d $(objdump -h $1 | grep .text | awk -e '{print $6}')` $1

That’s all, it’s pretty short, but can be very functional for shellcode development.
You can check man xxd for more options to change it’s output format.

Hope it’s of any use to you !

I forgot to include h2d, it’s a C program I wrote :slight_smile:

#include <stdio.h>
#include <string.h>

int main(int argc, char *argv[])
{
    int indx = strlen(argv[1]) - 1;
    int i,j=1, sum = 0;
    for(i=indx;i>=0;i--,j*=16) {
        if(argv[1][i] >= '0' && argv[1][i] <= '9')
            sum += ((argv[1][i] - '0') * j);
        else
            sum += ((argv[1][i] - 'a' + 10) * j);
    }
    printf("%d\n", sum);

    return 0;
}

After compiling you need to put it in your path, you can do this by moving it to /usr/bin, or make your own path folder, put the program in there and then update your PATH variable.
The best way to do this, is to add the addition in ~/.bashrc

export PATH="$PATH:$HOME/.rvm/bin:$HOME/.path/" # Add RVM to PATH for scripting
You will find this liine in your .bashrc probably if you have RVM installed. As you can see I added the folder .path to it
Else put in the line:
export PATH="$PATH:$HOME/.path (if your folder is at ~/.path.)
After doing that, either restart your terminal or use:
source ~/.bashrc


Over The Wire: Narnia1 - Environment variables and Shellcode
(Command-Line Ninja) #2

OH MAN! YES! I have been forever trying to find a decent way to do this. Well, not forever, but I spent a hard 15 minutes of googling before I gave up xD

Thanks a tonne, going straight in my ~/Bin/ :wink:

I’ve named it shellstract!


(Command-Line Ninja) #3

This however I have found works much nicer IMO.

#!/bin/bash
objdump -d ./$1|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'

Actually gives you the shellcode.


(oaktree) #4

That has so many pipes, we should call you The Plumber.


(Command-Line Ninja) #5

Haha! I do like a good pipe xD


#7

You can also add it in .bashrc, ofcourse h2d needs to be in your path
(I use ~/.path/)


#8

This topic was automatically closed after 30 days. New replies are no longer allowed.