Converts c
programs that only use syscalls to 64 bit assembly
file.
It works with 64 bit syscalls
python3 c2shellcode.py [d] input.c output.s
Using -d
deletes input_temp.s
which created with gcc
.
input.c
must only contains syscalls.
#define _GNU_SOURCE 1
#include <sys/sendfile.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <string.h>
#include <stdlib.h>
#include <stdint.h>
#include <assert.h>
#include <unistd.h>
#include <stdio.h>
#include <errno.h>
#include <fcntl.h>
#include <time.h>
#include <dirent.h>
int main(int argc, char **argv)
{
char* args[3] = {"/bin/cat", "/flag", NULL};
execve("/bin/cat", args, NULL);
}
python3 -d input.c output.s
.global _start
.intel_syntax noprefix
_start:
endbr64
push rbp
mov rbp, rsp
sub rsp, 32
lea rax, .LC0[rip]
mov QWORD PTR -32[rbp], rax
lea rax, .LC1[rip]
mov QWORD PTR -24[rbp], rax
mov QWORD PTR -16[rbp], 0
lea rax, -32[rbp]
mov edx, 0
mov rsi, rax
lea rdi, .LC0[rip]
# call execve@PLT
mov rax, 59
syscall
mov eax, 0
leave
ret
.LC0:
.string "/bin/cat"
.LC1:
.string "/flag"
Also you can use my runner.sh script to get raw-bytes from shellcode and analyse it.
I created syscalls.csv
with getSyscalsFromWebsite.py
which gets syscall numbers, syscall names and argument length from the awesome site Searchable Linux Syscall Table, filippo.io