|
1 | 1 | #![feature(asm)] |
| 2 | +#![feature(pattern)] |
| 3 | + |
2 | 4 | // #![windows_subsystem = "windows"] |
3 | 5 | use bindings::windows::win32::system_services::VirtualAlloc; |
| 6 | +use clap::{App, Arg}; |
4 | 7 | pub const PAGE_EXECUTE_READWRITE: u32 = 0x40; |
5 | 8 | pub const MEM_COMMIT: u32 = 0x1000; |
6 | 9 | pub const MEM_RESERVE: u32 = 0x2000; |
7 | 10 |
|
8 | 11 | fn main() { |
9 | | - let args: Vec<String> = std::env::args().collect(); |
10 | | - if args.len() < 2 { |
11 | | - println!("Usage: ./rs_shellcode \"C:\\Users\\Admin\\Desktop\\calc64.raw\" [-b]"); |
12 | | - return; |
13 | | - } |
14 | | - let mut set_breakpoint = false; |
15 | | - if args.len() == 3 { |
16 | | - set_breakpoint = &args[2] == "-b"; |
17 | | - println!("[*] Set breakpoint in debugger"); |
| 12 | + let matches = App::new("rs_shellcode") |
| 13 | + .arg( |
| 14 | + Arg::new("file") |
| 15 | + .short('f') |
| 16 | + .about("shellcode path") |
| 17 | + .takes_value(true) |
| 18 | + .required(true), |
| 19 | + ) |
| 20 | + .arg( |
| 21 | + Arg::new("breakpoint") |
| 22 | + .short('b') |
| 23 | + .about("set breakpoint in debugger"), |
| 24 | + ) |
| 25 | + .arg( |
| 26 | + Arg::new("offset") |
| 27 | + .short('o') |
| 28 | + .about("shellcode offset") |
| 29 | + .takes_value(true), |
| 30 | + ) |
| 31 | + .get_matches(); |
| 32 | + |
| 33 | + let set_breakpoint = matches.is_present("breakpoint"); |
| 34 | + if set_breakpoint { |
| 35 | + println!("[*] Breakpoint flag set!"); |
18 | 36 | } |
19 | | - let fp = &args[1]; |
20 | | - // let fp = "C:\\Users\\Admin\\Desktop\\calc64.raw".to_owned(); |
| 37 | + let fp: String = matches.value_of_t("file").unwrap_or_else(|e| e.exit()); |
| 38 | + let offset: u64 = match matches.value_of("offset") { |
| 39 | + Some(offset) => { |
| 40 | + if offset.find("0x") == Some(0) { |
| 41 | + let without_prefix = offset.trim_start_matches("0x"); |
| 42 | + u64::from_str_radix(without_prefix, 16).unwrap_or(0) |
| 43 | + } else { |
| 44 | + u64::from_str_radix(offset, 10).unwrap_or(0) |
| 45 | + } |
| 46 | + } |
| 47 | + _ => 0, |
| 48 | + }; |
21 | 49 | println!("[*] Reading shellcode from path: {:?}", fp.clone()); |
22 | 50 | let contents = std::fs::read(fp).unwrap(); |
23 | 51 | let flen = contents.len(); |
24 | 52 |
|
25 | | - let test_buf = unsafe { |
| 53 | + if flen as u64 <= offset { |
| 54 | + println!( |
| 55 | + "[*] Offset too big, offset: {}, file length: {}", |
| 56 | + offset, flen |
| 57 | + ); |
| 58 | + return; |
| 59 | + } |
| 60 | + let new_buf = unsafe { |
26 | 61 | VirtualAlloc( |
27 | 62 | std::ptr::null_mut(), |
28 | 63 | flen, |
29 | 64 | MEM_COMMIT | MEM_RESERVE, |
30 | 65 | PAGE_EXECUTE_READWRITE, |
31 | 66 | ) |
32 | 67 | }; |
33 | | - if test_buf == std::ptr::null_mut() { |
| 68 | + if new_buf == std::ptr::null_mut() { |
34 | 69 | println!("[*] Failed to allocate memory"); |
35 | 70 | return; |
36 | 71 | } |
37 | | - let test_buf_ptr: *mut u8 = test_buf as *mut u8 as _; |
38 | | - unsafe { std::ptr::copy_nonoverlapping(contents.as_ptr(), test_buf_ptr, flen) }; |
39 | | - println!("[*] Before jmp to shellcode"); |
40 | | - |
| 72 | + let new_buf_ptr: *mut u8 = new_buf as *mut u8 as _; |
| 73 | + unsafe { std::ptr::copy_nonoverlapping(contents.as_ptr(), new_buf_ptr, flen) }; |
| 74 | + println!("[*] Starting jmp to shellcode at offset 0x{:x}", offset); |
41 | 75 | unsafe { |
42 | 76 | if set_breakpoint { |
43 | 77 | asm!("int 3"); |
44 | 78 | } |
45 | | - asm!("jmp {}",in(reg) test_buf) |
| 79 | + asm!("jmp {}",in(reg) new_buf.offset(offset as isize)) |
46 | 80 | }; |
47 | 81 | } |
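Review bot: The new offset parsing (new lines 38–48) maps any unparsable `-o` value to 0 via `unwrap_or(0)`, so a typo such as `-o 0x1g` or `-o 12a` silently runs from the start of the buffer instead of being reported; the later length check only catches offsets that are too large, not ones that were never parsed. `offset.find("0x") == Some(0)` followed by `trim_start_matches("0x")` is also the manual form of `str::strip_prefix`, which both selects the radix and yields the digits in one step. I would report the parse error and return, as the allocation-failure path below already does. The added `#![feature(pattern)]` does not appear to be needed by anything visible in this hunk — `str::find` with a `&str` pattern is stable — so it may be worth confirming it is used elsewhere before keeping it.
```rust
    let offset: u64 = match matches.value_of("offset") {
        Some(raw) => {
            let (digits, radix) = match raw.strip_prefix("0x") {
                Some(hex) => (hex, 16),
                None => (raw, 10),
            };
            match u64::from_str_radix(digits, radix) {
                Ok(v) => v,
                Err(e) => {
                    println!("[*] Invalid offset {:?}: {}", raw, e);
                    return;
                }
            }
        }
        None => 0,
    };
    // … unchanged: read file, length check, allocation, copy …
```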