A Python script to work with shellcode on Windows

Technology description

If you work with exploits and shellcode, you already know what shellcode is and how to deal with it. Sometimes it comes with exploits in C, Perl, Python… It usually looks like:

payload = (b"\xbf\xab\xd0\x9a\x5b\xda\xc7\xd9\x74\x24\xf4\x5a\x2b\xc9" + "\xb1\x45\x83\xc2\x04\x31\x7a\x11\x03\x7a\x11\xe2\x5e\x2c" + "\x72\xd2\xa0\xcd\x83\x85\x29\x28\xb2\x97\x4d\x38\xe7\x27" + ...

But sometimes you need a binary file representation of this shellcode, so you can inject it into some file, debug it, or use it for whatever other reason. There are all kinds of scripts out there to deal with shellcode and accomplish different tasks: binary to shellcode, shellcode to binary (only for bash)… But I was not able to find a simple script to do it under Windows. Even finding the “xxd” command (which makes a hexdump) ported to Windows is possible but not easy (it seems to come bundled with Vim for Windows, but it used to be available with unixtools…).

Anyhow, here is a simple script in Python that works for Windows and will do the job. It will tolerate dirty shellcode (spaces, returns, concatenation commands…) and will only keep hex characters. Then it uses “write” with “wb” so you get a binary file. Quick and dirty.

Functionalities

Here is the tiny code. Just copy it and save it as a .py file. Tested with 2.7 branch.

import binascii
import re
import sys


def shell2bin(args):
    # Expect: script name, input text file with shellcode, output binary file
    if len(args) < 3:
        print("Usage: %s shellcodefile binfile" % args[0])
        return
    try:
        with open(args[1], "r") as fileshell:
            flux = fileshell.read()
        # Drop everything that is not a hex digit (quotes, "\x", "+", whitespace...)
        flux = re.sub("[^0-9a-fA-F]", "", flux)
        # "wb" avoids newline translation on Windows
        with open(args[2], "wb") as filebin:
            filebin.write(binascii.unhexlify(flux))
        print("Done!")
    except IOError as e:
        print("I/O error({0}): {1}".format(e.errno, e.strerror))
    except Exception:
        # For example, an odd number of hex digits makes unhexlify fail
        print("Unexpected error: {0}".format(sys.exc_info()[0]))


if __name__ == "__main__":
    shell2bin(sys.argv)
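Because the script keeps every hex digit in the input, letters a-f and digits in variable names or comments also end up in the output. The following added example (not the original author's code) extracts only the `\xNN` escapes instead and records the length and SHA-256 of the result; the function names and the sample fragment are constructed for illustration.

```python
import hashlib
import re

# One escaped byte as written in C, Perl or Python source: backslash, x, two hex digits
ESCAPED_BYTE = re.compile(r"\\x([0-9a-fA-F]{2})")


def extract_escaped_bytes(text):
    """Return the bytes written as escaped hex pairs in text, ignoring everything else."""
    return bytes(bytearray(int(pair, 16) for pair in ESCAPED_BYTE.findall(text)))


def strip_non_hex(text):
    """The filter approach for comparison: keep every hex digit, wherever it appears."""
    return re.sub(r"[^0-9a-fA-F]", "", text)


def describe(blob):
    """Length and hash to note down before passing the file to a debugger or scanner."""
    return {"length": len(blob), "sha256": hashlib.sha256(blob).hexdigest()}


# Constructed sample: harmless bytes (ASCII letters and one NUL) laid out like a
# fragment pasted from a C source file, with a variable name and a comment around it.
SAMPLE = r'''
unsigned char buf[] =      /* 8 bytes */
"\x41\x42\x43\x44"
"\x45\x46\x00\x47";
'''

if __name__ == "__main__":
    blob = extract_escaped_bytes(SAMPLE)
    print(describe(blob))
    # The digit filter also collects "ed", "ca", "bf", "8", "be" from the first line,
    # which leaves an odd number of digits and would make unhexlify fail.
    print(strip_non_hex(SAMPLE))
```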