Sickle is a shellcode development tool, created to speed up the various steps needed to create functioning shellcode.
Sickle can aid in the following:
- Identifying instructions resulting in bad characters
- Format output in various languages (python, perl, javascript, etc)
- Accept shellcode via stdin and format it / detect bad characters
- Execute shellcode in both Windows and Linux environments
- Compare reversed shellcode to original
- Disassemble shellcode into assembly language (ARM, x86, etc)
A task I found myself doing repetitively was compiling the ASM -> extracting shellcode -> placing it into a wrapper, and testing it. If it was a bad go, the process would be repeated until successful. Sickle takes care of placing the shellcode into a wrapper for quick testing (Works on Windows and Unix systems):
Sometimes you find a piece of shellcode that's fluent in its execution and you want to recreate it yourself to understand its underlying mechanisms. Sickle can help you compare the original shellcode to your "recreated" version.
It's important to note that currently bad character identification is best used within a Linux based OS. When dumping shellcode on a Windows host bad characters will not be highlighted. Below is a usage example in a Unix environment:
Sickle can also take a binary file and convert the opcodes to machine instructions:
Sickle is written in Python3 and to have full functionality I recommend installing capstone, however at the moment the only "function" that requires capstone is disassembly. If you don't need the disassembly function, Sickle should work out of the box. Installation of Capstone is as easy as 1,2,3:
- apt-get install python3-pip
- pip3 install capstone
Another thing to note is that if you do not compile your shellcode in NASM I have added an "objdump2shellcode like" function. Although I recommend using NASM for a streamline experience. For ease of access I prefer to add it to the /usr/bin/ directory, however if you use Black Arch Linux Sickle comes pre-installed (previously known as objdump2shellcode). :
root@wetw0rk:~# chmod +x sickle.py
root@wetw0rk:~# cp sickle.py /usr/bin/sickle
root@wetw0rk:~# sickle
usage: sickle [-h] [-r READ] [-s] [-obj OBJDUMP] [-f FORMAT] [-b BADCHAR] [-c]
[-v VARNAME] [-l] [-e EXAMINE] [-d] [-a ARCH] [-m MODE] [-rs]
Sickle - a shellcode development tool
optional arguments:
-h, --help show this help message and exit
-r READ, --read READ read byte array from the binary file
-s, --stdin read ops from stdin (EX: echo -ne "\xde\xad\xbe\xef" |
sickle -s -f <format> -b '\x00')
-obj OBJDUMP, --objdump OBJDUMP
binary to use for shellcode extraction (via objdump
method)
-f FORMAT, --format FORMAT
output format (use --list for a list)
-b BADCHAR, --badchar BADCHAR
bad characters to avoid in shellcode
-c, --comment comments the shellcode output
-v VARNAME, --varname VARNAME
alternative variable name
-l, --list list all available formats and arguments
-e EXAMINE, --examine EXAMINE
examine a separate file containing original shellcode.
mainly used to see if shellcode was recreated
successfully
-d, --disassemble disassemble the binary file
-a ARCH, --arch ARCH select architecture for disassembly
-m MODE, --mode MODE select mode for disassembly
-rs, --run-shellcode run the shellcode (use at your own risk)