The following Python script creates a bare-bones executable, out.exe, that does nothing but return. It's extremely useful when you need to debug shellcode or an application stub. Load out.exe into Immunity Debugger, allocate a buffer and paste the shellcode into it via the hex dump window, or simply paste the shellcode below the return at an address such as 0x00401010 in the hex dump window. Finally, change the RETN into a JMP to the address of the shellcode you want to execute.
out.exe loaded into Immunity Debugger.
For example, change the RETN to JMP 00401010 and paste your shellcode at that address in the hex window. Then press F7 to step into your stub or shellcode.
miniexe.py
import binascii

# Hex for a 1024-byte PE32 image: DOS header and stub, Rich header, PE signature
# and headers, then one .text section whose first byte (file offset 0x200,
# RVA 0x1000, i.e. 0x00401000 once loaded at ImageBase 0x400000) is a lone
# RET (0xC3). The pieces below are nibble strings, so one hex digit (e.g. the
# "B" of the 0xB0 e_lfanew) may straddle two pieces; total length is even.
exe_str = "4D5A9" + ("0" * 4) + "3" + ("0" * 7) + "4" + ("0" * 6) + "FFFF" + ("0" * 4) + \
"B8" + ("0" * 14) + "4" + ("0" * 71) + "B" + ("0" * 8) + \
"E1FBA0E00B409CD21B8014CCD21546869732070726F6772616D2063616E6E6F742062652072756E20696E20444F53206D6F64652E0D0D0A24" + \
("0" * 14) + "BB41E4DAFF208A89FF208A89FF208A89FF208A89FE208A8990561789FE208A8952696368FF208A89" + \
("0" * 16) + "5045" + ("0" * 4) + "4C0101004C9AF85" + ("0" * 17) + "E" + ("0" * 4) + \
"2010B010A" + ("0" * 5) + "2" + ("0" * 22) + "1" + ("0" * 7) + "1" + ("0" * 7) + \
"2" + ("0" * 9) + "4" + ("0" * 5) + "1" + ("0" * 8) + "2" + ("0" * 5) + "5" + ("0" * 3) + \
"1" + ("0" * 11) + "5" + ("0" * 3) + "1" + ("0" * 12) + "2" + ("0" * 8) + "2" + ("0" * 13) + \
"3004085" + ("0" * 4) + "1" + ("0" * 5) + "1" + ("0" * 9) + "1" + ("0" * 5) + "1" + ("0" * 13) + \
"1" + ("0" * 263) + "2E74657874" + ("0" * 7) + "1" + ("0" * 8) + "1" + ("0" * 8) + \
"2" + ("0" * 7) + "2" + ("0" * 28) + "2" + ("0" * 5) + "6" + ("0" * 97) + "C3" + ("0" * 1022)

# Decode the nibble string and write the raw image to disk.
with open("out.exe", "wb") as f:
    f.write(binascii.unhexlify(exe_str))
hexdump of out.exe
hexdump -C out.exe
00000000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 |MZ..............|
00000010 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 |........@.......|
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000030 00 00 00 00 00 00 00 00 00 00 00 00 b0 00 00 00 |................|
00000040 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 |........!..L.!Th|
00000050 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f |is program canno|
00000060 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 |t be run in DOS |
00000070 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 |mode....$.......|
00000080 bb 41 e4 da ff 20 8a 89 ff 20 8a 89 ff 20 8a 89 |.A... ... ... ..|
00000090 ff 20 8a 89 fe 20 8a 89 90 56 17 89 fe 20 8a 89 |. ... ...V... ..|
000000a0 52 69 63 68 ff 20 8a 89 00 00 00 00 00 00 00 00 |Rich. ..........|
000000b0 50 45 00 00 4c 01 01 00 4c 9a f8 50 00 00 00 00 |PE..L...L..P....|
000000c0 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 02 00 00 |................|
000000d0 00 00 00 00 00 00 00 00 00 10 00 00 00 10 00 00 |................|
000000e0 00 20 00 00 00 00 40 00 00 10 00 00 00 02 00 00 |. ....@.........|
000000f0 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 |................|
00000100 00 20 00 00 00 02 00 00 00 00 00 00 03 00 40 85 |. ............@.|
00000110 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 |................|
00000120 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 |................|
00000130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
000001a0 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 |.........text...|
000001b0 01 00 00 00 00 10 00 00 00 02 00 00 00 02 00 00 |................|
000001c0 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 |............ ..`|
000001d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000200 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000210 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000400
EOF
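As an added example (not the page's script), here is the same one-section PE32 layout rebuilt field by field with struct.pack, so each header value seen in the hexdump has a name, plus a small parser that maps the entry point to its file offset and applies the RETN-to-JMP edit in the file rather than by hand in Immunity. The function names and the omission of the DOS stub and Rich header are my choices; the header values are those visible in the hexdump above.

```python
import struct

# Constructed example: the page's one-section PE32 layout rebuilt with struct.pack
# so each header field is named (DOS stub and Rich header omitted on purpose).
IMAGE_BASE, ENTRY_RVA, FILE_ALIGN, SECT_ALIGN = 0x400000, 0x1000, 0x200, 0x1000

def build_mini_exe(code=b"\xc3"):
    """Return a PE32 console image whose entry point (IMAGE_BASE+ENTRY_RVA) runs `code`."""
    assert len(code) <= FILE_ALIGN, "code must fit in the single 0x200-byte section"
    # IMAGE_DOS_HEADER: the loader only needs e_magic and e_lfanew (PE header at 0x40).
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)
    # IMAGE_FILE_HEADER: i386, one section, 0xE0-byte optional header,
    # Characteristics 0x0102 = EXECUTABLE_IMAGE | 32BIT_MACHINE (as in the hexdump).
    file_hdr = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, 0x0102)
    # IMAGE_OPTIONAL_HEADER32 with the hexdump's values, then 16 empty data directories.
    opt = struct.pack("<HBB9I6H4I2H6I",
        0x10B, 10, 0, FILE_ALIGN, 0, 0, ENTRY_RVA, ENTRY_RVA, 0x2000, IMAGE_BASE,
        SECT_ALIGN, FILE_ALIGN, 5, 1, 0, 0, 5, 1, 0, 0x2000, 0x200, 0,
        3, 0x8540, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\x00" * 128
    # IMAGE_SECTION_HEADER ".text": 0x200 raw bytes at file offset 0x200 map to RVA 0x1000,
    # Characteristics 0x60000020 = CNT_CODE | MEM_EXECUTE | MEM_READ.
    sect = struct.pack("<8s6I2HI", b".text", len(code), ENTRY_RVA, FILE_ALIGN,
                       FILE_ALIGN, 0, 0, 0, 0, 0x60000020)
    hdr = dos + b"PE\x00\x00" + file_hdr + opt + sect
    return hdr.ljust(FILE_ALIGN, b"\x00") + code.ljust(FILE_ALIGN, b"\x00")

def entry_file_offset(pe):
    """Map AddressOfEntryPoint through the section table to a file offset."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    nsect = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    entry_rva = struct.unpack_from("<I", pe, e_lfanew + 0x28)[0]
    for i in range(nsect):
        vsize, va, rawsize, rawptr = struct.unpack_from(
            "<4I", pe, e_lfanew + 24 + opt_size + i * 40 + 8)
        if va <= entry_rva < va + max(vsize, rawsize):
            return rawptr + (entry_rva - va)
    raise ValueError("entry point is not inside any section")

def patch_entry_jmp(pe, target_va):
    """Replace the RET at the entry point with 'jmp rel32' to target_va (the edit made by hand above)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    entry_rva, _, _, image_base = struct.unpack_from("<4I", pe, e_lfanew + 0x28)
    off = entry_file_offset(pe)
    rel32 = target_va - (image_base + entry_rva + 5)   # relative to the next instruction
    return pe[:off] + b"\xe9" + struct.pack("<i", rel32) + pe[off + 5:]

if __name__ == "__main__":
    with open("out.exe", "wb") as f:
        f.write(patch_entry_jmp(build_mini_exe(), IMAGE_BASE + 0x10))
```

Run as a script it writes an out.exe whose entry point jumps to 0x00401010, the spot the text uses for pasted shellcode; open it in Immunity and the first instruction shown is the JMP rather than the RETN.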