Vulnerability Development mailing list archives

RE: Generating shellcode


From: "Sinan Eren" <SEren () entercept com>
Date: Mon, 20 May 2002 18:47:46 -0700

Hi,

Well I guess the right answer to your question is this shell script which I have been using to dump C string array style shellcodes.

shellac# cat shellsc.sh
#!/bin/sh
# Dump the bytes of main() in the binary $1 as a C string array, one
# instruction (four hex bytes) per line, using the Solaris dis(1) listing.
dis -F main $1 | cut -b10-20 > ./hex.out
# Wrap each line's four bytes as "\xNN\xNN\xNN\xNN".  The backslash is
# doubled so that every awk (nawk, gawk, mawk) prints a literal \x.
cat ./hex.out | awk '{ print "\"\\x"$1"\\x"$2"\\x"$3"\\x"$4"\"" }' > hex.out2
LINEC=`wc -l hex.out2 | awk '{print $1}'`
TAILC=`expr $LINEC - 7`
tail -n $TAILC hex.out2 > hex.out3    # drop the first 7 lines
TAILC=`expr $TAILC - 1`
printf "char shellcode[] = \n"
head -n $TAILC hex.out3               # drop the last line
printf ";\n"
echo
echo
echo int
echo "main(void)"
echo {
echo        "void (*f)();"
echo
echo        "f = (void (*)())shellcode;"
echo
echo        "printf(\"shellcode %d\", sizeof(shellcode));"
echo
echo        "f();"
echo }
rm -f hex.out*

shellac#

chmod 755 ./shellsc.sh
and then hit ./shellsc.sh connectback_shellcode ....
eg:
shellac# ./shellsc.sh connectback
char shellcode[] =
"\x20\xbf\xff\xff"
"\x20\xbf\xff\ ....

....


int
main(void)
{
void (*f)();

f = (void (*)())shellcode;

printf("shellcode %d", sizeof(shellcode));

f();
}

-----Original Message-----
From: Ryn [mailto:mattyml () daemons net]
Sent: Sunday, May 19, 2002 7:29 AM
To: vuln-dev () securityfocus com
Subject: Generating shellcode


Howdy,

Do any documents exist explaining how to convert assembly op codes and
operands to hex? I can use "gdb" or "dis" on Solaris to get:

bc 10 20 00        clr          %fp
e0 03 a0 40        ld           [%sp + 64], %l0
a2 03 a0 44        add          %sp, 68, %l1
9c 23 a0 20        sub          %sp, 32, %sp
80 90 00 01        orcc         %g0, %g1, %g0

I want to see how to get column 1 - 4 by hand.

Thanks for any info,
Ryan


