;hello.asm
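[SECTION .text]
;-----------------------------------------------------------------------
; _start: write(1, "hello", 5); exit(0)
; Target: Linux, 32-bit x86, system calls through int 0x80
;         eax = syscall number, ebx/ecx/edx = 1st/2nd/3rd argument
; The jmp -> call -> pop sequence obtains the address of the string that
; follows the call, so no absolute address is needed and the .text bytes
; work unchanged wherever they are placed.
; Arguments are loaded with byte-sized moves (al/bl/dl) after zeroing the
; full register: 'mov al, 4' encodes as B0 04, whereas 'mov eax, 4' would
; be B8 04 00 00 00, so the encoding stays free of 0x00 bytes.
;-----------------------------------------------------------------------
SYS_EXIT  equ 1
SYS_WRITE equ 4
STDOUT    equ 1
MSG_LEN   equ 5                         ; strlen('hello') below

global _start
_start:
        jmp     short ender             ; first push the string address
starter:
        xor     eax, eax                ; clear eax/ebx/edx so the byte-sized
        xor     ebx, ebx                ;   moves below yield full 32-bit values
        xor     edx, edx                ;   (ecx is fully overwritten by pop)
        mov     al, SYS_WRITE           ; eax = 4
        mov     bl, STDOUT              ; ebx = 1
        pop     ecx                     ; ecx = return address pushed by call = &'hello'
        mov     dl, MSG_LEN             ; edx = 5
        int     0x80                    ; write(1, "hello", 5)
        xor     eax, eax                ; eax holds write's return value; clear it
        mov     al, SYS_EXIT            ; eax = 1
        xor     ebx, ebx                ; ebx = 0 (exit status)
        int     0x80                    ; exit(0)
ender:
        call    starter                 ; pushes the address of the byte after
        db      'hello'                 ;   the call, i.e. of this string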
$ nasm -f elf hello.asm    # assemble as a 32-bit ELF object (hello.o)
$ ld -o hello hello.o      # link it into the executable ./hello
# ./PROGRAM below stands for the linked binary (./hello here); the pipeline
# keeps the hex-byte column of each objdump line and prints it as one "\x.." string.
$ objdump -d ./PROGRAM|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'
or, using the Python script below:
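from subprocess import Popen, PIPE
import sys


def shellcode_from_objdump(obj):
    """Return the opcode bytes of ``obj`` as a C-style "\\xNN" escape string.

    Runs ``objdump -d`` on the file and concatenates the hex bytes from
    every output line that has an address column and a byte column.

    :param obj: path of an object file or executable readable by objdump
    :returns: str such as '\\xeb\\x18...'; '' if objdump printed no code lines
    :raises ValueError: with objdump's stderr text when objdump exits non-zero
    """
    # universal_newlines=True makes communicate() return str on Python 3 too.
    p = Popen(['objdump', '-d', obj], stdout=PIPE, stderr=PIPE,
              universal_newlines=True)
    stdoutdata, stderrdata = p.communicate()
    if p.returncode != 0:
        raise ValueError(stderrdata)
    res = ''
    for line in stdoutdata.splitlines():
        cols = line.split('\t')
        # Code lines look like "addr:\tbytes[\tmnemonic]".  Instructions longer
        # than objdump's per-line byte width are continued on lines that carry
        # only the first two columns, so requiring three columns (the original
        # "> 2") silently dropped those bytes.  Header lines contain no tab.
        if len(cols) >= 2:
            for b in cols[1].split():
                res += '\\x%s' % b
    return res


if __name__ == '__main__':
    if len(sys.argv) < 2:
        print('Usage: %s <obj_file>' % sys.argv[0])
        sys.exit(2)
    print('Shellcode for %s:' % sys.argv[1])
    print(shellcode_from_objdump(sys.argv[1]))
    sys.exit(0)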