shellcodes.arm64 — Shellcodes for ARM64 mode

shellcodes.arm64

acceptloop

shellcodes.arm64.acceptloop.generate(port=31337)[source]

accept loop shellcode

Args:
port(int/str): specific port
Returns:
x6 reg indicates socket descriptor will be mapped with dup()

appendwrite

shellcodes.arm64.appendwrite.generate(filepath, sock)[source]

write with append option a file with user’s data

Args:

filepath(str) : file name to open

sock(int/str/reg): read a sock to write data

bindshell

shellcodes.arm64.bindshell.generate(port=31337, sock=4, once=True)[source]

bind shell on specific port

Args:

port(int): specific port

sock(int/str/reg): connection sock will be mapped with shell

once(boolean): binds on port infinity if true
binds on port once if false

cat

shellcodes.arm64.cat.generate(filepath, in_fd='auto', out_fd='4')[source]

cat a file like UNIX Command

Args:

filepath (str) : target file name

in_fd (int/str): in file descriptor (default: ‘x6’ indicates a file descriptor)

out_fd (int/str): out file descriptor (default: 4)

connect

shellcodes.arm64.connect.binary_ip(host)[source]
shellcodes.arm64.connect.generate(host='127.0.0.1', port=31337)[source]

Connects to remote machine on specific port

Args:

host(str): hostname or IP address

port(int/str): specific port

shellcodes.arm64.connect.u32(u)[source]

connectback

shellcodes.arm64.connectback.binary_ip(host)[source]
shellcodes.arm64.connectback.generate(host='127.0.0.1', port=31337, sock='x6')[source]

connection back to attacker with pwn shell on specific port

argument:
host (str) : specific IP address or hostname port (int/str): specific port sock (int/str): sock descriptor for dupsh()
shellcodes.arm64.connectback.u32(u)[source]

dup

shellcodes.arm64.dup.generate(sock=4)[source]

Duplicates sock to stdin, stdout and stderr

Args:
sock(int/str/reg): sock descriptor

dupsh

shellcodes.arm64.dupsh.generate(sock=4, cmd='/bin/sh')[source]

Duplicates sock to stdin, stdout and stderr and spawns a shell

Args:

sock(int/str/reg): sock descriptor

cmd(str): executes a cmd (default: /bin/sh)

exit

shellcodes.arm64.exit.generate(n=0)[source]

exit with return code

Args:
n(int/str/reg): return code

findpeer

shellcodes.arm64.findpeer.generate()[source]

find a socket, which is connected to the specified port Leaves socket in x6 regs.

x6: indicates found socket/file descriptor for backup

findpeersh

shellcodes.arm64.findpeersh.generate()[source]

find a socket, which is connected to the specified port Leaves socket in x6 reg.

fsync

shellcodes.arm64.fsync.generate(out_fd)[source]

fsync with file descriptor

Args:
out_fd (int/str/reg) = file descriptor

getdents

shellcodes.arm64.getdents.generate(in_fd)[source]

getdents - lists specific directory

argument:
in_fd - (int/str/reg): in file descriptor

infinityloop

shellcodes.arm64.infinityloop.generate()[source]

Loop infinity to check whether pwned or not

listen

shellcodes.arm64.listen.generate(port=31337)[source]

listens on specific port

Args:
port(int): specific prot
Returns:
x6 reg indicates socket descriptor

ls

shellcodes.arm64.ls.generate(filepath, out_fd)[source]

ls a directory list like UNIX Command in thumb mode

arguments:
filepath (str) : target directory name out_fd (int/str): out file descriptor
backup:
x6 reg indicates to file descriptor

lseek

shellcodes.arm64.lseek.generate(out_fd, offset=0, whence=2)[source]

lseek3264 with file descriptor

Args:

out_fd (int/str/reg) = file descriptor

offset (int/str/reg) = offset

whence (int/enum) = position depends on offset

open_file

shellcodes.arm64.open_file.generate(filepath='./secret', flags=0, mode=None)[source]

open a file for reading/writing/sending to you

Args:
filepath(str): filename to read with flags/mode flags(int/str): The argument flags must include one of the following access modes: O_RDONLY, O_WRONLY, or O_RDWR . These request opening the file read-only, write-only, or read/write, respectively. mode(int/str): modes
backup:
x6: opened file descriptor

overwrite

shellcodes.arm64.overwrite.generate(filepath, sock, isNewFile=False)[source]

overwrites a file with user’s data

argument:
filepath (str) : file name to open sock (int/str/reg): read a sock to write data
Examples:
sending a big file to remote to write
>>> HOST = 'hostname'
>>> PORT = 31337
>>> MAXSIZE = 128
>>> sc  = scgen.overwrite('./binary', 4)
>>> sc += scgen.exit(0)
>>> xsc = CompileSC( (sc), isThumb=True)
>>> s = socket(AF_INET, SOCK_STREAM)
>>> s.connect( (HOST, PORT) )
>>> f = s.makefile('rw', bufsize=0)
>>> f.write(xsc + '\n')
>>> data = open('/path/to/binary', 'rb').read()
>>> size = len(data)
>>> mod  = size % MAXSIZE
>>> div  = size / MAXSIZE
>>> for i in range(0, div):
>>>    f.write(data[i*128:(i+1)*MAXSIZE])
>>> if div:
>>>    f.write(data[mod*MAXSIZE:])

read_from_stack

shellcodes.arm64.read_from_stack.generate(out_fd, size)[source]

Writes a file from stack

Args:

out_fd (int/str/reg) = file descriptor

size (int/str/reg) = size to read

sendfile

shellcodes.arm64.sendfile.generate(in_fd, out_fd)[source]

sends a file to user

Args:
in_fd (str/int): in file descriptor out_fd (str/int): out file descriptor

setregid

shellcodes.arm64.setregid.generate(gid=0)[source]

setregid(gid, gid) to get egid’s privilige

argument:
gid (int/str/reg) - effective gid number

setreuid

shellcodes.arm64.setreuid.generate(uid=0)[source]

setreuid(uid, uid) to get euid’s privilige

argument:
uid (int/str/reg) - effective uid number

sh

shellcodes.arm64.sh.generate(cmd='/bin/sh')[source]

Executes cmd

Args:
cmd(str): executes cmd (default: /bin/sh)

write_to_stack

shellcodes.arm64.write_to_stack.align4(n)[source]
shellcodes.arm64.write_to_stack.align8(n)[source]
shellcodes.arm64.write_to_stack.generate(in_fd, size)[source]

Writes data to stack

Args:

in_fd (int/str/reg) = file descriptor

size (int/str/reg) = size to write