Breaking Code

January 18, 2010

Quickpost: Converting shellcode to executable files using InlineEgg

Filed under: Tools — Tags: , , , , , — Mario Vilas @ 7:42 pm

Today I found this through Twitter: a web service to convert shellcode to executable files. Here’s the link to it: http://sandsprite.com/shellcode_2_exe.php.

Then I thought: hey, why do we have to send our beautiful shellcodes to someone else on the Internet when we can do it all locally? :)

So I whipped up this quick Python script using CORE’s InlineEgg package. It was coded in a few minutes so don’t blame me if it’s got bugs ;) instead let me know about it and I’ll try to fix it.

Enjoy! :)

Updates

  • Anand Sastry has tweaked the script to accept not only shellcode in binary form, but also shellcode encoded as a ‘\x’ ASCII string. Check it out!
  • Moved the source code to Github

Download

shellcode2exe.py

Source code

#!/usr/bin/env python 

# Shellcode to executable converter
# Copyright (c) 2009, Mario Vilas
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
#     * Redistributions of source code must retain the above copyright notice,
#       this list of conditions and the following disclaimer.
#     * Redistributions in binary form must reproduce the above copyright
#       notice,this list of conditions and the following disclaimer in the
#       documentation and/or other materials provided with the distribution.
#     * Neither the name of the copyright holder nor the names of its
#       contributors may be used to endorse or promote products derived from
#       this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE. 

# Requires InlineEgg by CORE Security Technologies
# http://oss.coresecurity.com/projects/inlineegg.html
try:
    from inlineegg import exelib
except ImportError:
    exelib = None 

# Shellcode to executable converter
class ShellcodeToExecutable(object): 

    # List of supported OS
    os_list = (
        'windows',
        'linux',
        'freebsd',
        'openbsd',
        'solaris',
    ) 

    # List of supported ARCH
    arch_list = (
        'i386',
        'powerpc',
        'sparc',
        'arm',
    ) 

    def __init__(self, shellcode, os='windows', arch='i386'):
        method = getattr(self, 'build_%s_%s' % (os, arch), None)
        if method is None:
            raise NotImplementedError, "unsupported platform: %s on %s" % (os, arch)
        method(shellcode) 

    def __str__(self):
        return self.bytes() 

    def bytes(self):
        return self.__program.bytes() 

    def build_windows_i386(self, shellcode):
        self.__program = exelib.PEProgram()
        self.__program.addCode(shellcode) 

    def build_linux_i386(self, shellcode):
        self.__program = exelib.Elf32Program()
        self.__program.arch = self.__program.ARCH_I386
        self.__program.addCode(shellcode) 

    def build_linux_sparc(self, shellcode):
        self.__program = exelib.Elf32Program()
        self.__program.arch = self.__program.ARCH_SPARC
        self.__program.addCode(shellcode) 

    def build_linux_powerpc(self, shellcode):
        self.__program = exelib.AOutProgram()
        self.__program.arch = self.__program.MID_POWERPC
        self.__program.setCode(shellcode) 

    def build_linux_arm(self, shellcode):
        self.__program = exelib.AOutProgram()
        self.__program.arch = self.__program.MID_ARM6
        self.__program.setCode(shellcode) 

    def build_solaris_i386(self, shellcode):
        self.__program = exelib.Elf32Program()
        self.__program.arch = self.__program.ARCH_I386
        self.__program.addCode(shellcode) 

    def build_solaris_sparc(self, shellcode):
        self.__program = exelib.Elf32Program()
        self.__program.arch = self.__program.ARCH_SPARC
        self.__program.addCode(shellcode) 

    def build_freebsd_i386(self, shellcode):
        self.__program = exelib.Elf32Program()
        self.__program.arch = self.__program.ARCH_I386
        self.__program.header.ei_osabi = exelib.ELFOSABI_FREEBSD
        self.__program.addCode(shellcode) 

    def build_freebsd_sparc(self, shellcode):
        self.__program = exelib.Elf32Program()
        self.__program.arch = self.__program.ARCH_SPARC
        self.__program.header.ei_osabi = exelib.ELFOSABI_FREEBSD
        self.__program.addCode(shellcode) 

    def build_freebsd_arm(self, shellcode):
        self.__program = exelib.AOutProgram()
        self.__program.arch = self.__program.MID_ARM6
        self.__program.setCode(shellcode) 

    def build_openbsd_i386(self, shellcode):
        self.__program = exelib.AOutProgram()
        self.__program.arch = self.__program.ARCH_I386
        self.__program.setCode(shellcode) 

    def build_openbsd_sparc(self, shellcode):
        self.__program = exelib.AOutProgram()
        self.__program.arch = self.__program.MID_SPARC
        self.__program.setCode(shellcode) 

    def build_openbsd_powerpc(self, shellcode):
        self.__program = exelib.AOutProgram()
        self.__program.arch = self.__program.MID_POWERPC
        self.__program.setCode(shellcode) 

    def build_openbsd_arm(self, shellcode):
        self.__program = exelib.AOutProgram()
        self.__program.arch = self.__program.MID_ARM6
        self.__program.setCode(shellcode) 

# Main function to run when invoked from the command line
def main(argv):
    from os import path
    import optparse 

    # Banner
    print "Shellcode to executable converter"
    print "by Mario Vilas (mvilas at gmail dot com)"
    print 

    # Configure the command line parser
    usage  = "\n\t%%prog payload.bin [payload.exe]\n\t\t[--arch=%s]\n\t\t[--os=%s]"
    usage  = usage % ( '|'.join(ShellcodeToExecutable.arch_list), '|'.join(ShellcodeToExecutable.os_list) )
    parser = optparse.OptionParser(usage=usage)
    parser.add_option("-a", "--arch", metavar="ARCH",
                      help="target architecture [default: i386]")
    parser.add_option("-o", "--os", metavar="OS",
                      help="target operating system [default: windows]")
    parser.set_defaults(arch='i386', os='windows') 

    # Parse the command line arguments
    if len(argv) == 1:
        argv = argv + ['-h']
    options, parameters = parser.parse_args(argv)
    parameters = parameters[1:] 

    # Now's a good time to show an error if InlineEgg is missing
    if exelib is None:
        parser.error("missing module: InlineEgg (http://oss.coresecurity.com/projects/inlineegg.html)") 

    # Validate the command line arguments
    if len(parameters) < 1:
        parser.error("missing parameter: input file")
    options.arch = options.arch.strip().lower()
    options.os   = options.os.strip().lower()
    if options.arch not in ShellcodeToExecutable.arch_list:
        parser.error("unknown architecture: %s" % options.arch)
    if options.os not in ShellcodeToExecutable.os_list:
        parser.error("unknown operating system: %s" % options.os)
    if len(parameters) < 2:
        if options.os == 'windows':
            parameters.append('%s%s%s' % (path.splitext(parameters[0])[0], path.extsep, 'exe'))
        else:
            parameters.append(path.splitext(parameters[0])[0])
        if parameters[1] == parameters[0]:
            parameters[1] = '%s_executable%s' % path.splitext(parameters[0]) 

    # Convert the shellcode to an executable file
    try:
        print "Reading file %s" % parameters[0]
        shellcode  = open(parameters[0], 'rb').read()
        print "Generating executable file"
        executable = ShellcodeToExecutable(shellcode, options.os, options.arch)
        print "Writing file %s" % parameters[1]
        open(parameters[1], 'w+b').write(executable.bytes())
        print "Done."
    except Exception, e:
##        raise   # XXX DEBUG
        parser.error(str(e)) 

# Run main() when invoked from the command line
if __name__ == "__main__":
    import sys
    main(sys.argv) 
About these ads

5 Comments »

  1. Thanks Brother for your share, nice info, and so usefull for me..
    script mlm,script binary

    Comment by script binary — January 30, 2010 @ 4:20 am

  2. [...] files using InlineEgg I like small utils, gadget ones, this article can be found at Breaking Code blog does not have that important functionality but it’s really [...]

    Pingback by Converting shellcode to executable files using InlineEgg « c0llateral Blog — February 9, 2010 @ 6:20 pm

  3. the source for shellcode_2_exe.php is provided in the iDefense Malcode Analyst Pack

    http://labs.idefense.com/software/malcode.php#more_malcode+analysis+pack

    Comment by joe — March 28, 2010 @ 2:26 pm

  4. [...] in python, Tools Tagged: inlineegg, LinkedIn, open source, python, shellcode, tool Breaking Code This entry was posted in Breaking Code and tagged Converting, executable, files, InlineEgg, [...]

    Pingback by Quickpost: Converting shellcode to executable files using InlineEgg | Linux-backtrack.com — January 25, 2011 @ 2:56 pm

  5. Thx bro, this is so helpful!

    Comment by Ming — February 15, 2011 @ 6:11 am


RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

The Silver is the New Black Theme Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 2,479 other followers

%d bloggers like this: