August 21, 2012
New tool PyInjector Released - Python Shellcode Injection
Written by
David Kennedy
Penetration Testing
Security Testing & Analysis
A while back Bernardo Damele showed a cool method for using an executable to deliver alphanumeric shellcode straight into memory. This was an awesome attack vector and allowed AV and other security mechanisms such as HIPS to be circumvented extremely easily. You can download shellcodeexec here. Since then, Matthew Graeber came out with a technique for injecting shellcode straight into memory through PowerShell. This technique eventually made it into the Social-Engineer Toolkit (SET) as a Java Applet payload method that never touches disk. You can read the blog post here.
One day on Twitter, Justin Elze and David Kennedy were talking about the usefulness of having the same thing in Python. With the Python ctypes module this is absolutely possible. Justin had written a version, as had TrustedSec, and both quickly ran into compatibility issues between x64 and x86. Looking around, TrustedSec stumbled across the blog post here, which details exactly how to inject native shellcode into memory from Python.
Today we are releasing PyInjector, a Python tool that, like shellcodeexec, takes the shellcode as a command line argument: paste native shellcode into the application and it executes the shellcode for you. In addition, we released a small script to help you create the proper format with msfvenom (Metasploit). If Python is not installed on the victim machine, simply compile the Python code into a standalone executable with pyinstaller and pybuild (detailed in earlier blog posts).
To download pyinjector along with the shellcode creation script and a tutorial, download the zipfile here: https://www.trustedsec.com/files/pyinjector.zip
Also head over to the tools and exploits download section for more research like this.
Note that these techniques will be in the next release of the Social-Engineer Toolkit (SET), version 3.7, which is slated for release in the next few days.
Credit to Justin Elze for the idea and research as well as Debasish Mandal for the wicked blog post.