ragg2

ragg2 stands for radare2 egg, this is the basic block to construct relocatable snippets of code to be used for injection in target processes when doing exploiting.

ragg2 compiles programs written in a simple high-level language into tiny binaries for x86, x86-64, and ARM.

By default it will compile it’s own ragg2 language, but you can also compile C code using GCC or Clang shellcodes depending on the file extension. Lets create C file called a.c:

  1. int main() {
  2.     write(1, "Hello World\n", 13);
  3.     return 0;
  4. }
  1. $ ragg2 -a x86 -b32 a.c
  2. e900000000488d3516000000bf01000000b80400000248c7c20d0000000f0531c0c348656c6c6f20576f726c640a00
  4. $ rasm2 -a x86 -b 32 -D e900000000488d3516000000bf01000000b80400000248c7c20d0000000f0531c0c348656c6c6f20576f726c640a00
  5. 0x00000000   5               e900000000  jmp 5
  6. 0x00000005   1                       48  dec eax
  7. 0x00000006   6             8d3516000000  lea esi, [0x16]
  8. 0x0000000c   5               bf01000000  mov edi, 1
  9. 0x00000011   5               b804000002  mov eax, 0x2000004
  10. 0x00000016   1                       48  dec eax
  11. 0x00000017   6             c7c20d000000  mov edx, 0xd
  12. 0x0000001d   2                     0f05  syscall
  13. 0x0000001f   2                     31c0  xor eax, eax
  14. 0x00000021   1                       c3  ret
  15. 0x00000022   1                       48  dec eax
  16. 0x00000023   2                     656c  insb byte es:[edi], dx
  17. 0x00000025   1                       6c  insb byte es:[edi], dx
  18. 0x00000026   1                       6f  outsd dx, dword [esi]
  19. 0x00000027   3                   20576f  and byte [edi + 0x6f], dl
  20. 0x0000002a   2                     726c  jb 0x98
  21. 0x0000002c   3                   640a00  or al, byte fs:[eax]

Compiling ragg2 example

  1. $ cat hello.r
  2. exit@syscall(1);
  4. main@global() {
  5.     exit(2);
  6. }
  8. $ ragg2 -a x86 -b 64 hello.r
  9. 48c7c00200000050488b3c2448c7c0010000000f054883c408c3
  10. 0x00000000   1                       48  dec eax
  11. 0x00000001   6             c7c002000000  mov eax, 2
  12. 0x00000007   1                       50  push eax
  13. 0x00000008   1                       48  dec eax
  14. 0x00000009   3                   8b3c24  mov edi, dword [esp]
  15. 0x0000000c   1                       48  dec eax
  16. 0x0000000d   6             c7c001000000  mov eax, 1
  17. 0x00000013   2                     0f05  syscall
  18. 0x00000015   1                       48  dec eax
  19. 0x00000016   3                   83c408  add esp, 8
  20. 0x00000019   1                       c3  ret
  22. $ rasm2 -a x86 -b 64 -D 48c7c00200000050488b3c2448c7c0010000000f054883c408c3
  23. 0x00000000   7           48c7c002000000  mov rax, 2
  24. 0x00000007   1                       50  push rax
  25. 0x00000008   4                 488b3c24  mov rdi, qword [rsp]
  26. 0x0000000c   7           48c7c001000000  mov rax, 1
  27. 0x00000013   2                     0f05  syscall
  28. 0x00000015   4                 4883c408  add rsp, 8
  29. 0x00000019   1                       c3  ret

Tiny binaries

You can create them using the -F flag in ragg2, or the -C in rabin2.