Taking some output from xxd and turning it into usable shellcode by hand is no fun, so your job is to automate the process.
Rules
Your submission can be a function, lambda, script, or any reasonable equivalent of those. You may print the result, or if your submission is a function/lambda then you may also return it.
Your program must take three arguments, the first being a string containing the output of xxd, run with no arguments other than a filename, like this: xxd some_file. Here's an example of what the first argument will look like:
00000000: 31c0 b046 31db 31c9 cd80 eb16 5b31 c088 1..F1.1.....[1..
00000010: 4307 895b 0889 430c b00b 8d4b 088d 530c C..[..C....K..S.
00000020: cd80 e8e5 ffff ff2f 6269 6e2f 7368 4e58 ......./bin/shNX
00000030: 5858 5859 5959 59 XXXYYYY
You need to take that middle section containing the bytes (the first 8 columns after the :) and turn it into shellcode by removing any whitespace, then putting a \x before each byte.
Here's what the output should be for the input above (ignoring any other arguments):
\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x4e\x58\x58\x58\x58\x59\x59\x59\x59
You can assume the first argument will always be a valid xxd output, run with no arguments other than the filename.
Your output should also be a string where the backslashes are literal backslashes, not used as escape characters. So when I say "\x65", I'm not talking about the byte 0x65, or even the letter "A". In code, it would be the string "\x65".
The second argument specifies where in the xxd output the shellcode should start, and the third specifies where it should end. If the third argument is -1, it will end at the end of xxd output. The second and third argument will also always be non negative, except for when the third is -1.
Here are some test cases:
Argument 1:
00000000: 31c0 b046 31db 31c9 cd80 eb16 5b31 c088 1..F1.1.....[1..
00000010: 4307 895b 0889 430c b00b 8d4b 088d 530c C..[..C....K..S.
00000020: cd80 e8e5 ffff ff2f 6269 6e2f 7368 4e58 ......./bin/shNX
00000030: 5858 5859 5959 59 XXXYYYY
Argument 2: 7, Argument 3: e (these are both strings representing hexadecimal numbers)
Output: \xc9\xcd\x80\xeb\x16\x5b\x31\xc0
Argument 1:
00000000: 31c0 b046 31db 31c9 cd80 eb16 5b31 c088 1..F1.1.....[1..
00000010: 4307 895b 0889 430c b00b 8d4b 088d 530c C..[..C....K..S.
00000020: cd80 e8e5 ffff ff2f 6269 6e2f 7368 4e58 ......./bin/shNX
00000030: 5858 5859 5959 59 XXXYYYY
Argument 2: 0, Argument 3: 2e
Output: \x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x4e
Argument 1:
00000000: 31c0 b046 31db 31c9 cd80 eb16 5b31 c088 1..F1.1.....[1..
00000010: 4307 895b 0889 430c b00b 8d4b 088d 530c C..[..C....K..S.
00000020: cd80 e8e5 ffff ff2f 6269 6e2f 7368 4e58 ......./bin/shNX
00000030: 5858 5859 5959 59 XXXYYYY
Argument 2: a, Argument 3: -1
Output: \xeb\x16\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x4e\x58\x58\x58\x58\x59\x59\x59\x59
The code with the least bytes wins. The winner will be announced in seven days, on August 15, 2016 (but submissions after then are still appreciated).
Update
Congrats to @Adnan for winning the challenge!
Just to clarify, can entries return a string or must they print it? – Jordan – 2016-08-08T15:24:53.213
Returning a string is fine as long as it's a function, lambda, or something like that (I updated the rules to specify that after you asked). – addison – 2016-08-08T15:26:04.640
Can we also return the regular ASCII codes when the code is printable? E.g. ~ instead of \x7e. And can we return \t instead of \x09? – orlp – 2016-08-08T15:38:00.673
@orlp Sorry no, it needs to be in a consistent format. – addison – 2016-08-08T16:05:34.533
Are the arguments required to be in hex? Also, the way you've given the second example, 7 looks like a zero-based index and e is a one-based index (e-7=7 but there are 8 hex codes in your output), or am I overlooking something? – Neil – 2016-08-08T18:22:21.097
@Neil e-7 doesn't account for the beginning byte of the range. The formula should be e-7+1. It's an inclusive range, so the beginning and ending indexes are both included. – addison – 2016-08-08T19:26:28.347
@addison make sure you explain all the components of your question in the question itself. For example, many golfers may not know what xxd code and shell code are – MayorMonty – 2016-08-09T00:40:03.240
You mention that start and end arguments in your examples are hexadecimal strings, but that isn't mentioned in the specification. If we submit a function, do we really have to parse two strings for the arguments? – Dennis – 2016-08-09T04:42:25.877
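An ungolfed reference for the conversion the challenge specifies, added here as an example and not taken from the question or any submitted answer. The names `parse_xxd` and `escape_range` are hypothetical; the sample is the question's dump with xxd's two-space gap before the ASCII column restored, and the range is inclusive with hexadecimal string bounds, as the comments above clarify.

```python
import re

# Constructed sample: the dump from the challenge, with the two-space gap
# that default xxd output puts before the ASCII column.
SAMPLE = """\
00000000: 31c0 b046 31db 31c9 cd80 eb16 5b31 c088  1..F1.1.....[1..
00000010: 4307 895b 0889 430c b00b 8d4b 088d 530c  C..[..C....K..S.
00000020: cd80 e8e5 ffff ff2f 6269 6e2f 7368 4e58  ......./bin/shNX
00000030: 5858 5859 5959 59  XXXYYYY
"""

def parse_xxd(dump: str) -> bytes:
    """Recover the raw bytes from default-format xxd output."""
    data = bytearray()
    for line in dump.splitlines():
        if not line.strip():
            continue
        offset, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"no offset column: {line!r}")
        # Two or more spaces end the hex column; hex groups inside it are
        # single-spaced, so ASCII text such as "ab" is never read as bytes.
        hex_field = re.split(r"\s{2,}", rest.strip(), maxsplit=1)[0]
        chunk = bytes.fromhex(hex_field)  # fromhex ignores the single spaces
        # The offset column must match the bytes seen so far, which catches
        # dropped or reordered lines in a pasted dump.
        if int(offset, 16) != len(data):
            raise ValueError(f"offset {offset} does not follow {len(data):#x}")
        data += chunk
    return bytes(data)

def escape_range(dump: str, start: str, end: str) -> str:
    """Format bytes start..end (hex strings, inclusive; end "-1" = to the end)."""
    data = parse_xxd(dump)
    first = int(start, 16)
    last = len(data) - 1 if end == "-1" else int(end, 16)
    if not 0 <= first <= last < len(data):
        raise ValueError("range outside the dump")
    # Literal backslash, 'x', then two lowercase hex digits per byte.
    return "".join(f"\\x{b:02x}" for b in data[first:last + 1])
```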