Today I found this through Twitter: a web service to convert shellcode to executable files. Here’s the link to it: http://sandsprite.com/shellcode_2_exe.php.
Then I thought: hey, why do we have to send our beautiful shellcodes to someone else on the Internet when we can do it all locally? 
So I whipped up this quick Python script using CORE’s InlineEgg package. It was coded in a few minutes so don’t blame me if it’s got bugs 
instead let me know about it and I’ll try to fix it.
Enjoy!
Updates
- Anand Sastry has tweaked the script to accept not only shellcode in binary form, but also shellcode encoded as a ‘\x’ ASCII string. Check it out!
Download
shellcode2exe.py
Source code
#!/usr/bin/env python
# Shellcode to executable converter
# Copyright (c) 2009, Mario Vilas
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice,
# this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above copyright
# notice,this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
# * Neither the name of the copyright holder nor the names of its
# contributors may be used to endorse or promote products derived from
# this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
# Requires InlineEgg by CORE Security Technologies
# http://oss.coresecurity.com/projects/inlineegg.html
try:
from inlineegg import exelib
except ImportError:
exelib = None
# Shellcode to executable converter
class ShellcodeToExecutable(object):
# List of supported OS
os_list = (
'windows',
'linux',
'freebsd',
'openbsd',
'solaris',
)
# List of supported ARCH
arch_list = (
'i386',
'powerpc',
'sparc',
'arm',
)
def __init__(self, shellcode, os='windows', arch='i386'):
method = getattr(self, 'build_%s_%s' % (os, arch), None)
if method is None:
raise NotImplementedError, "unsupported platform: %s on %s" % (os, arch)
method(shellcode)
def __str__(self):
return self.bytes()
def bytes(self):
return self.__program.bytes()
def build_windows_i386(self, shellcode):
self.__program = exelib.PEProgram()
self.__program.addCode(shellcode)
def build_linux_i386(self, shellcode):
self.__program = exelib.Elf32Program()
self.__program.arch = self.__program.ARCH_I386
self.__program.addCode(shellcode)
def build_linux_sparc(self, shellcode):
self.__program = exelib.Elf32Program()
self.__program.arch = self.__program.ARCH_SPARC
self.__program.addCode(shellcode)
def build_linux_powerpc(self, shellcode):
self.__program = exelib.AOutProgram()
self.__program.arch = self.__program.MID_POWERPC
self.__program.setCode(shellcode)
def build_linux_arm(self, shellcode):
self.__program = exelib.AOutProgram()
self.__program.arch = self.__program.MID_ARM6
self.__program.setCode(shellcode)
def build_solaris_i386(self, shellcode):
self.__program = exelib.Elf32Program()
self.__program.arch = self.__program.ARCH_I386
self.__program.addCode(shellcode)
def build_solaris_sparc(self, shellcode):
self.__program = exelib.Elf32Program()
self.__program.arch = self.__program.ARCH_SPARC
self.__program.addCode(shellcode)
def build_freebsd_i386(self, shellcode):
self.__program = exelib.Elf32Program()
self.__program.arch = self.__program.ARCH_I386
self.__program.header.ei_osabi = exelib.ELFOSABI_FREEBSD
self.__program.addCode(shellcode)
def build_freebsd_sparc(self, shellcode):
self.__program = exelib.Elf32Program()
self.__program.arch = self.__program.ARCH_SPARC
self.__program.header.ei_osabi = exelib.ELFOSABI_FREEBSD
self.__program.addCode(shellcode)
def build_freebsd_arm(self, shellcode):
self.__program = exelib.AOutProgram()
self.__program.arch = self.__program.MID_ARM6
self.__program.setCode(shellcode)
def build_openbsd_i386(self, shellcode):
self.__program = exelib.AOutProgram()
self.__program.arch = self.__program.ARCH_I386
self.__program.setCode(shellcode)
def build_openbsd_sparc(self, shellcode):
self.__program = exelib.AOutProgram()
self.__program.arch = self.__program.MID_SPARC
self.__program.setCode(shellcode)
def build_openbsd_powerpc(self, shellcode):
self.__program = exelib.AOutProgram()
self.__program.arch = self.__program.MID_POWERPC
self.__program.setCode(shellcode)
def build_openbsd_arm(self, shellcode):
self.__program = exelib.AOutProgram()
self.__program.arch = self.__program.MID_ARM6
self.__program.setCode(shellcode)
# Main function to run when invoked from the command line
def main(argv):
from os import path
import optparse
# Banner
print "Shellcode to executable converter"
print "by Mario Vilas (mvilas at gmail dot com)"
print
# Configure the command line parser
usage = "\n\t%%prog payload.bin [payload.exe]\n\t\t[--arch=%s]\n\t\t[--os=%s]"
usage = usage % ( '|'.join(ShellcodeToExecutable.arch_list), '|'.join(ShellcodeToExecutable.os_list) )
parser = optparse.OptionParser(usage=usage)
parser.add_option("-a", "--arch", metavar="ARCH",
help="target architecture [default: i386]")
parser.add_option("-o", "--os", metavar="OS",
help="target operating system [default: windows]")
parser.set_defaults(arch='i386', os='windows')
# Parse the command line arguments
if len(argv) == 1:
argv = argv + ['-h']
options, parameters = parser.parse_args(argv)
parameters = parameters[1:]
# Now's a good time to show an error if InlineEgg is missing
if exelib is None:
parser.error("missing module: InlineEgg (http://oss.coresecurity.com/projects/inlineegg.html)")
# Validate the command line arguments
if len(parameters) < 1:
parser.error("missing parameter: input file")
options.arch = options.arch.strip().lower()
options.os = options.os.strip().lower()
if options.arch not in ShellcodeToExecutable.arch_list:
parser.error("unknown architecture: %s" % options.arch)
if options.os not in ShellcodeToExecutable.os_list:
parser.error("unknown operating system: %s" % options.os)
if len(parameters) < 2:
if options.os == 'windows':
parameters.append('%s%s%s' % (path.splitext(parameters[0])[0], path.extsep, 'exe'))
else:
parameters.append(path.splitext(parameters[0])[0])
if parameters[1] == parameters[0]:
parameters[1] = '%s_executable%s' % path.splitext(parameters[0])
# Convert the shellcode to an executable file
try:
print "Reading file %s" % parameters[0]
shellcode = open(parameters[0], 'rb').read()
print "Generating executable file"
executable = ShellcodeToExecutable(shellcode, options.os, options.arch)
print "Writing file %s" % parameters[1]
open(parameters[1], 'w+b').write(executable.bytes())
print "Done."
except Exception, e:
## raise # XXX DEBUG
parser.error(str(e))
# Run main() when invoked from the command line
if __name__ == "__main__":
import sys
main(sys.argv)
Advertisement
Thanks Brother for your share, nice info, and so usefull for me..
script mlm,script binary
Comment by script binary — January 30, 2010 @ 4:20 am
[...] files using InlineEgg I like small utils, gadget ones, this article can be found at Breaking Code blog does not have that important functionality but it’s really [...]
Pingback by Converting shellcode to executable files using InlineEgg « c0llateral Blog — February 9, 2010 @ 6:20 pm
the source for shellcode_2_exe.php is provided in the iDefense Malcode Analyst Pack
http://labs.idefense.com/software/malcode.php#more_malcode+analysis+pack
Comment by joe — March 28, 2010 @ 2:26 pm
[...] in python, Tools Tagged: inlineegg, LinkedIn, open source, python, shellcode, tool Breaking Code This entry was posted in Breaking Code and tagged Converting, executable, files, InlineEgg, [...]
Pingback by Quickpost: Converting shellcode to executable files using InlineEgg | Linux-backtrack.com — January 25, 2011 @ 2:56 pm
Thx bro, this is so helpful!
Comment by Ming — February 15, 2011 @ 6:11 am