thesp0nge OSCP guy. I break code and rebuild it with security in mind, taekwon-do, husband, dad. Chaotic good drow ranger. I blog @codiceinsicuro and @the_armoredcode.

The shellerate project: yet another framework for shellcode generation


Last summer, as I wrote on Codice Insicuro, my Italian blog about cybersecurity and related topics, I took the x86 Assembly Language and Shellcoding on Linux course and its related certification.

The idea was to train myself for the advanced shellcode programming and anti-virus evasion challenges I will now face in the Cracking the Perimeter course.

From the assignments I did in order to obtain the SLAE32 certification, I created the shellerate project. The term shellerate is a pun on ‘shell’ and ‘scellerato’, the Italian word for ‘wicked’, so I apologise to English native speakers out there for having invented a new ‘word’ in your language. The intended pronunciation is “shell” followed by “rate”.

Back to the techie part: shellerate is a shellcode generation framework. There are tons of excellent frameworks out there; I started a new project in order to learn Python better and to have a DIY tool for customizing my exploits.

shellerate is a standard Python package; you can install it using pip.

$ pip3 install shellerate --user

Installing shellerate (0.3.0 is the latest version at the time I’m writing this) gives you a very alpha shellcode generation framework that lets you create a bind shell shellcode for the x86 platform and the Linux operating system only.

You can encode the shellcode with the custom encoding schema I developed.

from shellerate.bind_shellcode import *

# TCP bind shell listening on port 4444, for 32-bit Linux
b = BindShellcode(4444, 'x86', 'linux')
b.encode()    # apply the custom encoding schema
b.generate()
print("Shellcode: %s" % b.shellcode())

As you can see, I’m trying to create a clean API around the type of shellcode you want to create:

  • a TCP bind shell
  • a TCP reverse shell

You can also create an egg hunter version in a very similar way:

b = BindShellcode(4444, 'x86', 'linux')
b.egg_hunter()    # request the egg hunter version
b.generate()
# with the egg hunter enabled, shellcode() returns both parts in a dict
sc = b.shellcode()

print("Egg Hunter: %s" % sc["egg_hunter_code"])
print("Shellcode: %s" % sc["egg_hunter_shellcode"])

Next steps

Tons of future features are on my personal roadmap. First of all, I have to add a polymorphic engine and to replicate all features in the reverse shell shellcode generator.

Then I have to extend the support to other operating systems and to the x86-64 architecture.

Since most of this is for my OSCE exam, I think that Win32 will be the next platform I support in the coming months.

Off by one

I don’t know if any of you reading this post will find shellerate useful. I created it just for fun, and I had a lot of it during those months of work. I hope the fun part will last for a long time.

Please feel free to spread the word about the project, and if you have suggestions or criticisms about shellerate, please comment on this post and share your opinions with me.

Enjoy it!
