Quick and dirty shellcode to binary python script

Wednesday, September 11, 2013


If you work with exploits and shellcode, you already know what shellcode is and how to deal with it. Sometimes it comes with exploits in C, Perl, Python... It usually looks like:
payload = (b"\xbf\xab\xd0\x9a\x5b\xda\xc7\xd9\x74\x24\xf4\x5a\x2b\xc9" +
"\xb1\x45\x83\xc2\x04\x31\x7a\x11\x03\x7a\x11\xe2\x5e\x2c" +
"\x72\xd2\xa0\xcd\x83\x85\x29\x28\xb2\x97\x4d\x38\xe7\x27" + ...
But sometimes you need a binary file representation of this shellcode, so you can inject it into some file, debug it or for whatever reason. There are all kinds of scripts out there to deal with shellcode and accomplish different tasks. Binary to shellcode, shellcode to binary (only for bash)... But I was not able to find a simple script to get it under Windows. Even finding "xxd" command (make a hexdump) ported to Windows is possible but not easy (it seems to come bundled with Vim for Windows, but it used to be available with unixtools...).

Anyhow, here is a simple script in Python that works for Windows and will do the job. It will tolerate dirty shellcode (spaces, returns, concatenation commands...) and will only keep hex characters. Then it uses "write" with "wb" so you get a binary file. Quick and dirty.

Here's the tiny code. Just copy it and save it as a .py file. Tested with 2.7 branch.
import binascii
import fileinput
import os
import re
import sys

def shell2bin(args):
if len(args) < 2:
print "Usage: %s shellcodefile binfile" % args[0]
return
else:
try:
with open(sys.argv[1], "r") as fileshell:
flux = fileshell.read()
flux = re.sub("[^0-9,^a-f,^A-F]", "",flux)
with open(sys.argv[2], "wb") as filebin:
filebin.write(binascii.unhexlify(flux))
print "Done!"
except IOError as e:
print "I/O error({0}): {1}".format(e.errno, e.strerror)
except:
print "Unexpected error:", sys.exc_info()[0]
if __name__=='__main__':
shell2bin(sys.argv)

Sergio de los Santos 
ssantos@11paths.com 

No comments:

Post a Comment