By Hаdrien Ваrrаl and Georges-Axel Jaloyan
This work has been presented at DEFCON30 (slides)
This tool ⚒️ helps design RISC-V (both 32-bit and 64-bit) shellcodes capable of running arbitrary code, whose ASCII binary representation use only Unicode UTF-8 emojis 🤯.
It consists of an emoji unpacker. For any target shellcode (non-emoji), the tool will produce an emoji shellcode with the unpacker and the packed version of your shellcode. Run it on a RISC-V simulator/cpu and enjoy!
For a general introduction on RISC-V shellcoding, you may read the blog post by Thomas Karpiniec.
You can find our previous work on RISC-V alphanumeric shellcoding here: https://github.com/RischardV/riscv-alphanumeric-shellcoding.
Folder contents:
qemu
: Full source code and prebuilt binary for the baremetal QEMU demoqemu_short
: Same asqemu
, but a shorter versionesp32
: Demos running on the Espressif ESP32-C3 boardhifiveu
: Demos running on the HiFive-Unleashed boardpayload
: Source code of the payloads usedblock
: How we generated the available instructionsnopsled
: The source code of our ⛔🛷 nopsled
Building the shellcodes requires a RISC-V toolchain. We only provide easy-to-test pre-built QEMU baremetal shellcodes.
The only prerequisite is having a RISC-V QEMU v6.0.0 or newer https://www.qemu.org/.
On Ubuntu 22.04, you can install it using apt install qemu-system-misc
.
Then:
cd emoji-shellcoding/paper_hello_world
cat qemu_miniclog_small.bin
(optional, to print the shellcode. Open it in your favorite editor if your console does not support emojis)./launch_prebuilt
use Ctrl+C to exit
You can modify launch_prebuilt
to run qemu_miniclog_medium.bin
or qemu_miniclog_large.bin
instead.
Start by cloning the repository:
git clone https://github.com/RischardV/emoji-shellcoding.git
cd emoji-shellcoding
- Python 3.10 or later https://www.python.org/
- RISC-V toolchain
- RISC-V QEMU: install QEMU v6.0 or newer https://www.qemu.org/
- GNU m4
On Ubuntu 22.04:
apt install build-essential gcc-riscv64-linux-gnu gcc-riscv64-unknown-elf qemu-system-misc m4
- Build the instructions lists (takes some time)
cd emoji-shellcoding/block
make
- Build the shellcodes
cd emoji-shellcoding/qemu
make
- Run the shellcodes
cd emoji-shellcoding/qemu
cat out/shellcode.bin
(optional, to print the shellcode)./l
use Ctrl+C to exit Expected results: The string "Hello, world!" should print on the screen.
Prerequisites:
-
An Espressif ESP32-C3 board: https://www.espressif.com/en/products/socs/esp32-c3 (esp32-c3-devkitm-1 or esp32-c3-devkitc-02 are easily available for <10$)
-
The ESP-IDF SDK: https://docs.espressif.com/projects/esp-idf/en/latest/esp32c3/get-started/index.html
-
Build the shellcodes
cd emoji-shellcoding/esp32
make -j
Running instructions are very similar to QEMU Linux shellcodes above. Refer to them.
Prerequisites:
-
A HiFive-Unleashed board: https://www.sifive.com/boards/hifive-unleashed (note: this board is not sold anymore)
-
Build the shellcodes
cd emoji-shellcoding/hifiveu
make -j
Running instructions are very similar to QEMU Linux shellcodes above. Refer to them.
This tool is released under Apache license. See LICENSE
file.