Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/0xvpr/vpr-shell-shock

A C99/C++17 compatible header only library capable of creating position independent shellcode.
https://github.com/0xvpr/vpr-shell-shock

binary exploit-development header-only header-only-library pe32 pe32plus position-independent-code shellcode shellcode-development windows

Last synced: 6 days ago
JSON representation

A C99/C++17 compatible header only library capable of creating position independent shellcode.

Host: GitHub
URL: https://github.com/0xvpr/vpr-shell-shock
Owner: 0xvpr
License: mit
Created: 2023-01-03T21:59:03.000Z (about 2 years ago)
Default Branch: main
Last Pushed: 2024-04-01T20:21:45.000Z (9 months ago)
Last Synced: 2024-11-09T01:54:04.122Z (2 months ago)
Topics: binary, exploit-development, header-only, header-only-library, pe32, pe32plus, position-independent-code, shellcode, shellcode-development, windows
Language: C++
Homepage:
Size: 407 KB
Stars: 4
Watchers: 1
Forks: 1
Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

        
Shellshock



  

  

  

  

  

    

  

  


  
Inspired by: Dark VortEx from bruteratel.com

  


### How to use

One way to use the shellshock.h header is to:

- Create a 'Shellshock' object

- Resolve functions that you intend to use with the 'load_' member functions

- Utilize a singular function and make sure that all variables are created  

  on the stack

Once something like this is achieved, you can compile the binary to an object  

file and dump the `.text` section out to a whatever you like. That dump **should**  

be position independent.

### Quick Example

```cpp

#include "shellshock/shellshock.h"

typedef int (WINAPI * MessageBoxA_t)(HWND, LPCSTR, LPCSTR, UINT);

extern "C" int payload_cpp(void) {

    auto ss = ss::shellshock();

    // Load target function into a temporary variable.

    char szMessageBoxA[] = "MessageBoxA";

    auto fMessageBoxA = ss.find_user32_func(szMessageBoxA);

    

    // Perform function call

    char szTitle[] = "Shellshock";

    char szMessage[] = "Success.";

    fMessageBoxA && fMessageBoxA(nullptr, szMessage, szTitle, 0);

    return 0;

}

```

If you want the payload to be immediately exported to a file,  

you can do the following:

```cpp

// Payload that will be exported to shellcode

extern "C" auto payload() noexcept -> void { (...) }

// Immediately after the function ends

void stub() {

    return;

}

int main() {

    auto pd = ss::payload_data::build_from_payload(payload, stub);

    pd.extract_to_file("shellcode.bin");

}

```

### Compilation

Compiling this code to an executable **should** export the code to the specified  

file location.

Compiling this code to an object **should** mean that the `payload` function of  

the `.text` section is out new position independent executable.

NOTE: Compilation may fail if position-independent-code is not enabled AND/OR if function sections are enabled.