Anyone who writes shellcode has used the method of pushing a string onto the stack with a series of instructions; once you understand how arguments are pushed onto the stack when a program calls a function, it is easy to follow. But if you want to execute a statement such as "net user user password /add&&net localgroup administrators user /add", pushing it onto the stack letter by letter takes a big bite out of your efficiency. There is nothing technical about that process, it is pure drudgery, and work like that should be handed to an automated tool...
So I wrote a script that does exactly this. There is nothing clever in the script either; it is purely for learning...
#!/usr/bin/env python
# -*- coding: UTF-8 -*-
'''
Generator for the stack-push instructions used when writing shellcode
2013-2-26
By Terry
'''
import binascii

if __name__ == '__main__':
    while True:
        string = input("\nInput a String:")
        string_len = len(string)
        if string_len > 0:
            break
    # Pad with spaces so that the string plus its NUL terminator fills whole dwords
    if (string_len + 1) % 4 != 0:
        string = string + (4 - (string_len + 1) % 4) * ' '
        string_len = len(string)

    # Convert the characters to hex (latin-1 keeps one byte per character)
    string_hex = binascii.hexlify(string.encode('latin-1')).decode().upper()

    print("\nchar & hex")
    print(' '.join(string))
    print(string_hex)
    print(u"\n*******************万恶的分隔线*******************\n")
    print("xor\teax,eax;")
    print("push\teax;")          # four zero bytes; the highest one becomes the NUL terminator
    # MASM hex literals must start with a digit, so a value of 0-Fh needs a leading 0
    if string_len < 19:
        print("sub\tesp,0" + hex(string_len - 3)[2:].upper() + "h;")
    else:
        print("sub\tesp," + hex(string_len - 3)[2:].upper() + "h;")

    for i_ in range(string_len):
        if string_len - i_ < 15:    # offset of 0-Fh needs a leading 0
            print("mov\tbyte ptr [ebp-0" + hex(string_len + 1 - i_)[2:].upper() + "h]," + string_hex[i_*2:i_*2+2] + "h;\t//" + string[i_])
        else:
            print("mov\tbyte ptr [ebp-" + hex(string_len + 1 - i_)[2:].upper() + "h]," + string_hex[i_*2:i_*2+2] + "h;\t//" + string[i_])

    print()
    if string_len < 15:         # offset of 0-Fh needs a leading 0
        print("lea\teax,[ebp-0" + hex(string_len + 1)[2:].upper() + "h];")
    else:
        print("lea\teax,[ebp-" + hex(string_len + 1)[2:].upper() + "h];")
    print("push\teax;")
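As an added example (not part of the script above), here is the reverse operation an analyst needs when a sequence like this turns up in a disassembly: collect the `mov byte ptr [ebp-XXh],YYh` stores and reassemble the string by address, so the "stack string" is readable even when the stores appear out of order. The listing embedded below is a constructed sample of what the script prints for the input `calc.exe`.

```python
import re

# Matches the byte stores this generator emits: "mov byte ptr [ebp-0Ch],63h; //c"
MOV_RE = re.compile(
    r'mov\s+byte\s+ptr\s+\[ebp-([0-9A-F]+)h\]\s*,\s*([0-9A-F]{1,2})h', re.IGNORECASE)

# Constructed sample: the script's output for "calc.exe" (padded with 3 spaces)
SAMPLE_LISTING = """\
xor\teax,eax;
push\teax;
sub\tesp,08h;
mov\tbyte ptr [ebp-0Ch],63h;\t//c
mov\tbyte ptr [ebp-0Bh],61h;\t//a
mov\tbyte ptr [ebp-0Ah],6Ch;\t//l
mov\tbyte ptr [ebp-09h],63h;\t//c
mov\tbyte ptr [ebp-08h],2Eh;\t//.
mov\tbyte ptr [ebp-07h],65h;\t//e
mov\tbyte ptr [ebp-06h],78h;\t//x
mov\tbyte ptr [ebp-05h],65h;\t//e
mov\tbyte ptr [ebp-04h],20h;\t//
mov\tbyte ptr [ebp-03h],20h;\t//
mov\tbyte ptr [ebp-02h],20h;\t//
lea\teax,[ebp-0Ch];
push\teax;
"""


def recover_stack_string(listing):
    """Reassemble a string that a listing builds byte by byte below ebp.

    Stores are keyed by offset, so mov order does not matter and a later store
    to the same slot wins, as at run time.  The largest offset is the lowest
    address, i.e. the first character; reading stops at the first unwritten
    slot, where the generator's NUL (from the earlier "push eax") sits.
    """
    stores = {}
    for line in listing.splitlines():
        m = MOV_RE.search(line)
        if m:
            stores[int(m.group(1), 16)] = int(m.group(2), 16)
    if not stores:
        return ''
    out = []
    off = max(stores)
    while off in stores:
        out.append(stores[off])
        off -= 1
    # latin-1 maps every byte to one character, so no byte is lost or rejected
    return bytes(out).decode('latin-1')
```

The padding spaces the generator appends come back as trailing spaces; `rstrip(' ')` the result when you only want the command itself.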