GitHub Repository: rapid7/metasploit-framework
Path: blob/master/external/source/shellcode/windows/build.sh
#!/usr/bin/perl
###############
##
# Name: build
# Author: H D Moore <hdm [at] metasploit.com>
# Description: Perl command-line tool (despite the .sh name) that assembles <name>.asm with nasm, prints the payload as an escaped byte-string buffer with the offsets of known marker values, and writes a C harness plus PE/ELF wrappers built from templates/
# License: GPL / Perl Artistic
##
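# The payload name comes from argv and is interpolated into nasm command
# lines and output file paths below, so it is restricted to a plain
# identifier: letters, digits, '_' and '-', not starting with '-' (which
# nasm would read as an option).  This still rejects the '.' the original
# check rejected, and additionally rejects path separators, whitespace and
# shell metacharacters.  A usage error exits non-zero so a calling
# Makefile notices it (the original exited 0).
my $name = shift();

if (! defined $name || $name !~ /\A[A-Za-z0-9_][A-Za-z0-9_-]*\z/) {
    print STDERR "Usage: $0 <name>\n";
    exit(1);
}

# "clean" removes every build product from the current directory.  unlink
# on a Perl glob replaces "rm -f" via the shell: same files, no shell.
if ($name eq 'clean') {
    unlink(glob("*.bin *.exe *.c *.elf"));
    exit(0);
}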
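# Assemble $name.asm into a flat binary.  List-form system() passes the
# arguments straight to nasm with no shell in between.  The stale .bin is
# removed first so a failed assembly cannot leave an old payload behind to
# be picked up.  A non-zero nasm status or a missing .bin afterwards is a
# build failure and exits non-zero (the original exited 0 here).
unlink("$name.bin");
my $nasm_rc = system("nasm", "-f", "bin", "-O3", "-o", "$name.bin", "$name.asm");

if ($nasm_rc != 0 || ! -f "$name.bin") {
    print STDERR "nasm failed to build $name.bin\n";
    exit(1);
}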
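# Slurp the assembled payload into $bindata.  Three-argument open on a
# lexical handle, binmode so no newline or encoding translation touches
# the bytes, and a single read with $/ undefined instead of joining lines.
# The original exited 0 when the open failed; that is a build error.
my $bindata;
{
    open(my $bin_fh, '<', "$name.bin") or do {
        print STDERR "open $name.bin: $!\n";
        exit(1);
    };
    binmode($bin_fh);
    local $/;
    $bindata = <$bin_fh>;
    close($bin_fh);
}
$bindata = '' unless defined $bindata;

print "# Length: " . length($bindata) . " bytes\n";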
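# Report the offset of each well-known marker value found in the payload,
# in the same order and format as before ("# Label: offset").  The 32-bit
# markers are packed with "V" (explicit little-endian) rather than "L"
# (host byte order): identical bytes on the little-endian hosts this ran
# on, but the scan no longer depends on the build host's endianness.  The
# port marker stays in network byte order ("n").  The loopback address is
# built with pack() instead of gethostbyname(): no resolver call, and no
# undef needle (which would have matched at offset 0) if resolution failed.
# A marker that is not present is simply not reported.
my @markers = (
    # label          bytes searched for             offset adjustment
    [ 'Port',        pack('n', 8721),               0 ],
    [ 'Host',        pack('C4', 127, 0, 0, 1),      0 ],   # 127.0.0.1
    [ 'Size',        pack('V', 0x12345678),         0 ],
    [ 'Start',       pack('V', 0x13370000),         0 ],
    [ 'Alloc',       pack('V', 0x11223344),         0 ],
    [ 'ExitProcess', pack('V', 0x73e2d87e),         0 ],
    [ 'PayloadLen',  pack('V', 0x4cf079fa),         0 ],
    # Three-byte instruction patterns (presumably lea esi,[edi+0x15] and
    # mov [edi+0x1a],cl); the reported offset is the third byte, the
    # displacement, hence +2.
    [ 'FileStart',   "\x8d\x77\x15",                2 ],
    [ 'FileEnd',     "\x88\x4f\x1a",                2 ],
    [ 'URL Start',   'http',                        0 ],
);

foreach my $marker (@markers) {
    my ($label, $needle, $adjust) = @$marker;
    my $pos = index($bindata, $needle);
    next if $pos == -1;
    print "# $label: " . ($pos + $adjust) . "\n";
}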
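# Print the payload as a quoted, \x-escaped byte-string buffer on stdout,
# then write the same bytes into the C harness (the template after
# __DATA__) and into PE/ELF wrappers assembled from templates/.
my $perl_buffer = BufferPerl($bindata);
print $perl_buffer if defined $perl_buffer;

# The harness template is everything after __DATA__; its ::SHELLCODE::
# placeholder is replaced with the buffer returned by BufferC.  The buffer
# is a plain variable on the replacement side, so the backslashes it
# contains are inserted literally, not reinterpreted as escapes.
my $c_buffer = BufferC($bindata);
$c_buffer = '' unless defined $c_buffer;
my $cfile = do { local $/; <DATA> };
$cfile = '' unless defined $cfile;
$cfile =~ s/::SHELLCODE::/$c_buffer/g;

open(my $c_fh, '>', "$name.c") or die "$name.c: $!";
print {$c_fh} $cfile;
close($c_fh) or die "$name.c: $!";

# Build PE: the template is assembled with the raw payload bytes placed
# beside it as templates/payload.bin.  binmode keeps the bytes exact on
# platforms that would otherwise translate newlines.
open(my $payload_fh, '>', "templates/payload.bin") or die "payload.bin: $!";
binmode($payload_fh);
print {$payload_fh} $bindata;
close($payload_fh) or die "payload.bin: $!";

# From here on the working directory is templates/ and the outputs go to
# the parent directory.  List-form system() passes arguments with no shell.
chdir("templates") or die "chdir(templates): $!";
unlink("../$name.exe");
if (system("nasm", "-I", "inc/", "-f", "bin", "-o", "../$name.exe", "win32_template.asm") != 0) {
    print STDERR "nasm failed to build $name.exe\n";
}

# Build ELF: best effort, as before -- a failed assembly or link simply
# leaves no .elf behind, but the failure is now reported rather than silent.
unlink("linux_template.o");
system("nasm", "-f", "elf", "-o", "linux_template.o", "linux_template.asm");
if (-f "linux_template.o") {
    if (system("ld", "-o", "../$name.elf", "linux_template.o") != 0) {
        print STDERR "ld failed to build $name.elf\n";
    }
    unlink("linux_template.o");
}

unlink("payload.bin");

# Mark the wrappers executable.  The original ran "chmod 755 *.exe *.elf"
# through the shell with templates/ as the working directory, so it never
# reached the files just written to the parent directory; chmod them by
# name, skipping any that were not produced.
chmod(0755, grep { -f $_ } ("../$name.exe", "../$name.elf"));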
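# Format a byte string as a double-quoted, \x-escaped buffer broken into
# lines of $width bytes (default 16).  Each full line is closed with
# '" + ' and the next line opens with a new quote; the last line is closed
# with a quote and a newline.  Despite the sub's name the joiner is '+',
# not Perl's '.' -- the output format is kept exactly as it was.
#
# Returns an empty list (undef in scalar context) when $data is undefined
# or empty.  The original tested truthiness, so a buffer consisting of the
# single byte "0" was also dropped; this tests length instead.  A $width
# that is not a positive number falls back to the default of 16.
sub BufferPerl
{
    my ($data, $width) = @_;

    return if ! defined $data || ! length $data;
    $width = 16 unless $width && $width > 0;

    # Escape each byte, then cut the escapes into lines of $width bytes.
    my @bytes = unpack("C*", $data);
    my @lines;
    while (@bytes) {
        my @chunk = splice(@bytes, 0, $width);
        push @lines, join('', map { sprintf("\\x%.2x", $_) } @chunk);
    }

    return '"' . join('" + ' . "\n" . '"', @lines) . '"' . "\n";
}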
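# Format a byte string as a C string-literal initializer: the same
# \x-escaped lines BufferPerl produces, but with the ' + ' line joiner
# removed so consecutive lines are adjacent string literals, which C
# concatenates at compile time.  The original stripped '.' characters --
# which BufferPerl's output never contains -- and left the '+' in place,
# and "..." + "..." is not a valid C initializer.
#
# Returns an empty list, like BufferPerl, when there is no data.
sub BufferC
{
    my ($data, $width) = @_;
    my $buffer = BufferPerl($data, $width);
    return if ! defined $buffer || ! length $buffer;

    # BufferPerl ends each full line with '" + ', a newline and the next
    # line's opening quote; keep the quotes and the newline, drop the '+'.
    $buffer =~ s/" \+ \n"/"\n"/g;
    return $buffer;
}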
__DATA__
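/*
 * Harness that runs the assembled payload in-process.  The build script
 * replaces the placeholder on the line after "char code[] =" with the
 * payload as adjacent string literals; the terminating ';' lives here in
 * the template (it was missing, so the generated file did not compile).
 *
 * NOTE(review): the payload is executed straight out of the data segment.
 * That only works where that segment is executable at run time; with
 * NX/DEP enforced the call faults unless the page is made executable
 * first (not done here).
 */
char code[] =
::SHELLCODE::;

int main(int argc, char **argv)
{
    int (*funct)();
    (void)argc;
    (void)argv;
    funct = (int (*)()) code;
    (*funct)();
    return 0;
}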