Sickle: a recommended high-quality shellcode development tool
Sickle is a shellcode development tool that speeds up the routine steps of producing working shellcode.
Sickle provides the following functions:
- Identifies bad characters that would stop the shellcode from running correctly.
- Supports multiple output formats (Python, Perl, JavaScript, and so on).
- Reads shellcode from STDIN and formats it.
- Executes shellcode in both Windows and Linux environments.
- Compares two shellcodes and reports the differences.
- Disassembles shellcode into assembly for several architectures (such as ARM and x86).
- Quick error check
In real testing, a tester often has to run the same tedious checks on a piece of shellcode over and over to find out whether it works at all, which costs a lot of time and effort. Sickle can quickly check the shellcode for likely errors (applicable to Windows and Unix systems):
Shellcode Reconstruction
Sometimes you want to rebuild a shellcode in order to understand how a working shellcode segment operates under the hood. Sickle helps you compare the original shellcode with the "rebuilt" version and shows where they differ.
Bad Character Recognition
Note that bad characters are best identified on a Linux-based operating system: when the shellcode is dumped on a Windows host, the bad characters are not highlighted. The following is an example of use in a Unix environment:
Disassembly
It also supports converting a binary file and its extracted opcodes (shellcode) into machine instructions (-obj). Note that this must be used together with the raw opcodes (-r) and STDIN (-s). In the following example, I disassemble a reverse shell.
Windows Installation
If you do not need the disassembly feature and only use Sickle as a wrapper/dump tool, any Python version works (including 2.7). Note that I ran into problems when writing/testing 64-bit shellcode on Windows 10; to avoid the same problem, I recommend installing Python 3.4.4 (amd64). This problem does not occur on other versions of Windows. Also, if the shellcode you write is x86, any Python version is fine, such as Python 3.7.0a3. The following is an example of testing the shellcode ("windows/x64/shell_reverse_tcp") generated by msfvenom on a Windows 10 host.
Linux Installation
Sickle is written in Python 3 and is fully functional there. We recommend installing capstone as well; installation is straightforward:
apt-get install python3-pip
pip3 install capstone
If you do not compile your shellcode with NASM, I have added an "objdump2shellcode" feature. For easy access, I prefer to copy Sickle into the /usr/bin/ directory. On BlackArch Linux, Sickle comes pre-installed (it was previously called objdump2shellcode):
root@wetw0rk:~# git clone https://github.com/wetw0rk/Sickle.git
root@wetw0rk:~# cd Sickle/
root@wetw0rk:~# chmod +x sickle.py
root@wetw0rk:~# cp sickle.py /usr/bin/sickle
root@wetw0rk:~# sickle
usage: sickle [-h] [-r READ] [-s] [-obj OBJDUMP] [-f FORMAT] [-B BADCHAR] [-c]
              [-V VARNAME] [-l] [-e EXAMINE] [-d] [-a ARCH] [-m MODE] [-rs]

Sickle - a shellcode development tool

optional arguments:
  -h, --help            show this help message and exit
  -r READ, --read READ  read byte array from the binary file
  -s, --stdin           read ops from stdin (EX: echo -ne "\xde\xad\xbe\xef" |
                        sickle -s -f <format> -B '\x00')
  -obj OBJDUMP, --objdump OBJDUMP
                        binary to use for shellcode extraction (via objdump
                        method)
  -f FORMAT, --format FORMAT
                        output format (use --list for a list)
  -B BADCHAR, --badchar BADCHAR
                        bad characters to avoid in shellcode
  -c, --comment         comments the shellcode output
  -V VARNAME, --varname VARNAME
                        alternative variable name
  -l, --list            list all available formats and arguments
  -e EXAMINE, --examine EXAMINE
                        examine a separate file containing original shellcode.
                        mainly used to see if shellcode was recreated
                        successfully
  -d, --disassemble     disassemble the binary file
  -a ARCH, --arch ARCH  select architecture for disassembly
  -m MODE, --mode MODE  select mode for disassembly
  -rs, --run-shellcode  run the shellcode (use at your own risk)
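To show what the three checks described above actually do (the bad-character scan behind -B, the language-formatted output behind -f, and the original-versus-rebuilt comparison behind -e), here is a small reimplementation in plain Python 3. It is an added example, not Sickle's own code; the sample bytes (the page's \xde\xad\xbe\xef with a NUL and a newline spliced in) and all function names are constructed for illustration.

```python
from typing import Dict, List, Tuple

# Constructed sample input: the page's \xde\xad\xbe\xef example plus a NUL
# (0x00) and a newline (0x0a), so the bad-character scan has something to flag.
SAMPLE = b"\xde\xad\xbe\xef\x00\x41\x0a\xcc"


def parse_badchars(spec: str) -> bytes:
    """Turn a shell-style spec such as '\\x00\\x0a' into raw bytes."""
    return bytes(int(h, 16) for h in spec.split("\\x") if h)


def find_badchars(shellcode: bytes, bad: bytes) -> List[Tuple[int, int]]:
    """Return (offset, value) pairs for every byte that appears in `bad`."""
    return [(i, b) for i, b in enumerate(shellcode) if b in bad]


# format name -> (prefix, per-line template, suffix); 16 bytes per output line
TEMPLATES: Dict[str, Tuple[str, str, str]] = {
    "python": ("{var} = b\"\"\n", "{var} += b\"{hexstr}\"\n", ""),
    "c":      ("unsigned char {var}[] =\n", "\"{hexstr}\"\n", ";\n"),
    "perl":   ("my ${var} =\n", "\"{hexstr}\" .\n", "\"\";\n"),
}


def format_shellcode(shellcode: bytes, fmt: str, var: str = "buf") -> str:
    """Emit the byte array as source in the requested language."""
    prefix, line, suffix = TEMPLATES[fmt]
    out = prefix.format(var=var)
    for i in range(0, len(shellcode), 16):
        hexstr = "".join(f"\\x{b:02x}" for b in shellcode[i:i + 16])
        out += line.format(var=var, hexstr=hexstr)
    return out + suffix.format(var=var)


def diff_shellcode(original: bytes, rebuilt: bytes) -> List[int]:
    """Offsets where a rebuilt shellcode diverges from the original; when the
    lengths differ, every offset beyond the shorter input is reported too."""
    shortest = min(len(original), len(rebuilt))
    return [i for i in range(max(len(original), len(rebuilt)))
            if i >= shortest or original[i] != rebuilt[i]]


if __name__ == "__main__":
    bad = parse_badchars("\\x00\\x0a")
    for off, val in find_badchars(SAMPLE, bad):
        print(f"bad byte 0x{val:02x} at offset {off}")
    print(format_shellcode(SAMPLE, "c"))
    rebuilt = SAMPLE[:4] + b"\xff" + SAMPLE[5:]   # one byte changed
    print("rebuilt differs at offsets", diff_shellcode(SAMPLE, rebuilt))
```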
* Reference source: GitHub (https://github.com/wetw0rk/Sickle)
Permanent link to this article: https://www.bkjia.com/Linux/2018-02/150998tm