cshc - C Shellcode Compiler

This program allows you to build raw binary shellcode for Linux from C source.

Command Line Usage

$ make  # build the shellcode runners (scrun-*)
$ vim hello.c
void main() {
    // write shellcode in C using the sys_* wrappers
    sys_write(1, "hello\n", 6);
    sys__exit(0);
}

$ cshc -o /tmp/hello_x86 hello.c
$ scrun-x86 /tmp/hello_x86
hello
$ cshc -a x86_64 -o /tmp/hello_x86_64 hello.c
$ scrun-x86_64 /tmp/hello_x86_64
hello
$ cshc -a armel -o /tmp/hello_armel hello.c
$ scrun-armel /tmp/hello_armel  # needs QEMU
hello
$ cshc -a aarch64 -o /tmp/hello_aarch64 hello.c
$ scrun-aarch64 /tmp/hello_aarch64  # needs QEMU
hello

Python 2/3 Library Usage

>>> import cshc

>>> cshc.VERSION
'0.1.0'

>>> cshc.archlist()
['aarch64', 'x86_64', 'armel', 'x86']

# Compile a C string
>>> cshc.arch("x86").compile('int main() { const char *a[] = {"/bin/sh", 0}; sys_execve(*a, a, 0); }')
'VS\xe89\x00\x00\x00\x81 ...' # raw shellcode bytes

# Compile a C file
>>> cshc.arch("x86").compile_file("examples/shellcode.c")

How to write C shellcode

  • cshc doesn't link the standard libraries into your shellcode, so you can't call libc functions from the code. You can still use macros defined in libc headers.
  • cshc includes linux-syscall-support implicitly, so you can make system calls through its sys_* wrappers (sys_write, sys_execve, sys__exit, and so on).
  • An errno produced by a failing linux-syscall-support call is stored in the _errno variable, not in libc's errno.
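An added example (not from the cshc project) of shellcode written under these three rules: no libc calls, only the sys_* wrappers that linux-syscall-support provides, and _errno checked after every failing call. Because cshc includes that header implicitly, the same file also builds as an ordinary program for testing: the stand-ins at the top are compiled only when the header is absent, which assumes its include guard is SYS_LINUX_SYSCALL_SUPPORT_H; the path /etc/hostname in main is just a sample input.

```c
#include <errno.h>   /* libc macros such as ENOENT and O_RDONLY are allowed, libc functions are not */
#include <fcntl.h>
#include <stddef.h>

/* Stand-ins for testing outside cshc only (assumed guard name); under cshc the
 * real sys_* come from the implicitly included linux-syscall-support header. */
#ifndef SYS_LINUX_SYSCALL_SUPPORT_H
#include <unistd.h>
static int _errno;
static long sys_open(const char *p, int f, int m) { long r = open(p, f, m); if (r < 0) _errno = errno; return r; }
static long sys_read(int fd, void *b, size_t n) { long r = read(fd, b, n); if (r < 0) _errno = errno; return r; }
static long sys_write(int fd, const void *b, size_t n) { long r = write(fd, b, n); if (r < 0) _errno = errno; return r; }
static long sys_close(int fd) { long r = close(fd); if (r < 0) _errno = errno; return r; }
static void sys__exit(int c) { _exit(c); }
#endif

/* Copy the file at path to descriptor out through a fixed stack buffer.
 * Returns the number of bytes copied, or -_errno from the first failing call.
 * No heap and no libc: the buffer and all state live on the stack. */
static long dump_file(const char *path, int out)
{
    char buf[256];
    long total = 0;
    long fd = sys_open(path, O_RDONLY, 0);
    if (fd < 0)
        return -_errno;
    for (;;) {
        long n = sys_read((int)fd, buf, sizeof buf);
        if (n < 0) { sys_close((int)fd); return -_errno; }
        if (n == 0) break;                      /* end of file */
        long off = 0;
        while (off < n) {                       /* sys_write may write less than asked */
            long w = sys_write(out, buf + off, (size_t)(n - off));
            if (w < 0) { sys_close((int)fd); return -_errno; }
            off += w;
        }
        total += n;
    }
    sys_close((int)fd);
    return total;
}

int main(void)
{
    long r = dump_file("/etc/hostname", 1);   /* sample input path; exit status 1 on failure */
    sys__exit(r < 0 ? 1 : 0);
    return 0;
}
```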

TODO

  • (armel/aarch64) invalidate instruction cache after relocation
  • libc
  • ARM floating point support
  • 32-bit PowerPC support
  • MIPS o32 ABI support
  • MIPS n32 ABI support
  • MIPS n64 ABI support
  • expose symbols of injectee to shellcode
  • optimize output code
  • shared object loading
  • ARM OABI support
  • 64-bit PowerPC support
  • Windows support