pwnlib.shellcraft.amd64 — Shellcode for AMD64

pwnlib.shellcraft.amd64

Shellcraft module containing generic Intel x86_64 shellcodes.

pwnlib.shellcraft.amd64.crash()[source]

Crash.

Example

>>> run_assembly(shellcraft.crash()).poll(True)
-11
pwnlib.shellcraft.amd64.infloop()[source]

A two-byte infinite loop.

pwnlib.shellcraft.amd64.itoa(v, buffer='rsp', allocate_stack=True)[source]

Converts an integer into its string representation, and pushes it onto the stack.

Parameters
  • v (str, int) – Integer constant or register that contains the value to convert.

  • alloca

Example

>>> sc = shellcraft.amd64.mov('rax', 0xdeadbeef)
>>> sc += shellcraft.amd64.itoa('rax')
>>> sc += shellcraft.amd64.linux.write(1, 'rsp', 32)
>>> run_assembly(sc).recvuntil(b'\x00')
b'3735928559\x00'
pwnlib.shellcraft.amd64.memcpy(dest, src, n)[source]

Copies memory.

Parameters
  • dest – Destination address

  • src – Source address

  • n – Number of bytes

pwnlib.shellcraft.amd64.mov(dest, src, stack_allowed=True)[source]

Move src into dest without newlines and null bytes.

If the src is a register smaller than the dest, then it will be zero-extended to fit inside the larger register.

If the src is a register larger than the dest, then only some of the bits will be used.

If src is a string that is not a register, then it will locally set context.arch to ‘amd64’ and use pwnlib.constants.eval() to evaluate the string. Note that this means that this shellcode can change behavior depending on the value of context.os.

Example

>>> print(shellcraft.amd64.mov('eax','ebx').rstrip())
    mov eax, ebx
>>> print(shellcraft.amd64.mov('eax', 0).rstrip())
    xor eax, eax /* 0 */
>>> print(shellcraft.amd64.mov('ax', 0).rstrip())
    xor ax, ax /* 0 */
>>> print(shellcraft.amd64.mov('rax', 0).rstrip())
    xor eax, eax /* 0 */
>>> print(shellcraft.amd64.mov('rdi', 'ax').rstrip())
    movzx edi, ax
>>> print(shellcraft.amd64.mov('al', 'ax').rstrip())
    /* moving ax into al, but this is a no-op */
>>> print(shellcraft.amd64.mov('ax', 'bl').rstrip())
    movzx ax, bl
>>> print(shellcraft.amd64.mov('eax', 1).rstrip())
    push 1
    pop rax
>>> print(shellcraft.amd64.mov('rax', 0xc0).rstrip())
    xor eax, eax
    mov al, 0xc0
>>> print(shellcraft.amd64.mov('rax', 0xc000).rstrip())
    xor eax, eax
    mov ah, 0xc000 >> 8
>>> print(shellcraft.amd64.mov('rax', 0xc0c0).rstrip())
    xor eax, eax
    mov ax, 0xc0c0
>>> print(shellcraft.amd64.mov('rdi', 0xff).rstrip())
    mov edi, 0x1010101 /* 255 == 0xff */
    xor edi, 0x10101fe
>>> print(shellcraft.amd64.mov('rax', 0xdead00ff).rstrip())
    mov eax, 0x1010101 /* 3735879935 == 0xdead00ff */
    xor eax, 0xdfac01fe
>>> print(shellcraft.amd64.mov('rax', 0x11dead00ff).rstrip())
    mov rax, 0x101010101010101 /* 76750323967 == 0x11dead00ff */
    push rax
    mov rax, 0x1010110dfac01fe
    xor [rsp], rax
    pop rax
>>> print(shellcraft.amd64.mov('rax', 0xffffffff).rstrip())
    mov eax, 0xffffffff
>>> print(shellcraft.amd64.mov('rax', 0x7fffffff).rstrip())
    mov eax, 0x7fffffff
>>> print(shellcraft.amd64.mov('rax', 0x80010101).rstrip())
    mov eax, 0x80010101
>>> print(shellcraft.amd64.mov('rax', 0x80000000).rstrip())
    mov eax, 0x1010101 /* 2147483648 == 0x80000000 */
    xor eax, 0x81010101
>>> print(shellcraft.amd64.mov('rax', 0xffffffffffffffff).rstrip())
    push 0xffffffffffffffff
    pop rax
>>> with context.local(os = 'linux'):
...     print(shellcraft.amd64.mov('eax', 'SYS_read').rstrip())
    xor eax, eax /* SYS_read */
>>> with context.local(os = 'freebsd'):
...     print(shellcraft.amd64.mov('eax', 'SYS_read').rstrip())
    push SYS_read /* 3 */
    pop rax
>>> with context.local(os = 'linux'):
...     print(shellcraft.amd64.mov('eax', 'PROT_READ | PROT_WRITE | PROT_EXEC').rstrip())
    push (PROT_READ | PROT_WRITE | PROT_EXEC) /* 7 */
    pop rax
Parameters
  • dest (str) – The destination register.

  • src (str) – Either the input register, or an immediate value.

  • stack_allowed (bool) – Can the stack be used?

pwnlib.shellcraft.amd64.nop()[source]

A single-byte nop instruction.

pwnlib.shellcraft.amd64.popad()[source]

Pop all of the registers onto the stack which i386 popad does, in the same order.

pwnlib.shellcraft.amd64.push(value)[source]

Pushes a value onto the stack without using null bytes or newline characters.

If src is a string, then we try to evaluate with context.arch = ‘amd64’ using pwnlib.constants.eval() before determining how to push it. Note that this means that this shellcode can change behavior depending on the value of context.os.

Parameters

value (int,str) – The value or register to push

Example

>>> print(pwnlib.shellcraft.amd64.push(0).rstrip())
    /* push 0 */
    push 1
    dec byte ptr [rsp]
>>> print(pwnlib.shellcraft.amd64.push(1).rstrip())
    /* push 1 */
    push 1
>>> print(pwnlib.shellcraft.amd64.push(256).rstrip())
    /* push 0x100 */
    push 0x1010201 ^ 0x100
    xor dword ptr [rsp], 0x1010201
>>> with context.local(os = 'linux'):
...     print(pwnlib.shellcraft.amd64.push('SYS_write').rstrip())
    /* push 'SYS_write' */
    push 1
>>> with context.local(os = 'freebsd'):
...     print(pwnlib.shellcraft.amd64.push('SYS_write').rstrip())
    /* push 'SYS_write' */
    push 4
pwnlib.shellcraft.amd64.pushad()[source]

Push all of the registers onto the stack which i386 pushad does, in the same order.

pwnlib.shellcraft.amd64.pushstr(string, append_null=True)[source]

Pushes a string onto the stack without using null bytes or newline characters.

Example

>>> print(shellcraft.amd64.pushstr('').rstrip())
    /* push b'\x00' */
    push 1
    dec byte ptr [rsp]
>>> print(shellcraft.amd64.pushstr('a').rstrip())
    /* push b'a\x00' */
    push 0x61
>>> print(shellcraft.amd64.pushstr('aa').rstrip())
    /* push b'aa\x00' */
    push 0x1010101 ^ 0x6161
    xor dword ptr [rsp], 0x1010101
>>> print(shellcraft.amd64.pushstr('aaa').rstrip())
    /* push b'aaa\x00' */
    push 0x1010101 ^ 0x616161
    xor dword ptr [rsp], 0x1010101
>>> print(shellcraft.amd64.pushstr('aaaa').rstrip())
    /* push b'aaaa\x00' */
    push 0x61616161
>>> print(shellcraft.amd64.pushstr(b'aaa\xc3').rstrip())
    /* push b'aaa\xc3\x00' */
    mov rax, 0x101010101010101
    push rax
    mov rax, 0x101010101010101 ^ 0xc3616161
    xor [rsp], rax
>>> print(shellcraft.amd64.pushstr(b'aaa\xc3', append_null = False).rstrip())
    /* push b'aaa\xc3' */
    push -0x3c9e9e9f
>>> print(shellcraft.amd64.pushstr(b'\xc3').rstrip())
    /* push b'\xc3\x00' */
    push 0x1010101 ^ 0xc3
    xor dword ptr [rsp], 0x1010101
>>> print(shellcraft.amd64.pushstr(b'\xc3', append_null = False).rstrip())
    /* push b'\xc3' */
    push -0x3d
>>> with context.local():
...    context.arch = 'amd64'
...    print(enhex(asm(shellcraft.pushstr("/bin/sh"))))
48b801010101010101015048b82e63686f2e72690148310424
>>> with context.local():
...    context.arch = 'amd64'
...    print(enhex(asm(shellcraft.pushstr(""))))
6a01fe0c24
>>> with context.local():
...    context.arch = 'amd64'
...    print(enhex(asm(shellcraft.pushstr("\x00", False))))
6a01fe0c24
Parameters
  • string (str) – The string to push.

  • append_null (bool) – Whether to append a single NULL-byte before pushing.

pwnlib.shellcraft.amd64.pushstr_array(reg, array)[source]

Pushes an array/envp-style array of pointers onto the stack.

Parameters
  • reg (str) – Destination register to hold the pointer.

  • array (str,list) – Single argument or list of arguments to push. NULL termination is normalized so that each argument ends with exactly one NULL byte.

pwnlib.shellcraft.amd64.ret(return_value=None)[source]

A single-byte RET instruction.

Parameters

return_value – Value to return

pwnlib.shellcraft.amd64.setregs(reg_context, stack_allowed=True)[source]

Sets multiple registers, taking any register dependencies into account (i.e., given eax=1,ebx=eax, set ebx first).

Parameters
  • reg_context (dict) – Desired register context

  • stack_allowed (bool) – Can the stack be used?

Example

>>> print(shellcraft.setregs({'rax':1, 'rbx':'rax'}).rstrip())
    mov rbx, rax
    push 1
    pop rax
>>> print(shellcraft.setregs({'rax': 'SYS_write', 'rbx':'rax'}).rstrip())
    mov rbx, rax
    push SYS_write /* 1 */
    pop rax
>>> print(shellcraft.setregs({'rax':'rbx', 'rbx':'rax', 'rcx':'rbx'}).rstrip())
    mov rcx, rbx
    xchg rax, rbx
>>> print(shellcraft.setregs({'rax':1, 'rdx':0}).rstrip())
    push 1
    pop rax
    cdq /* rdx=0 */
pwnlib.shellcraft.amd64.strcpy(dst, src)[source]

Copies a string

Example

>>> sc  = 'jmp get_str\n'
>>> sc += 'pop_str: pop rax\n'
>>> sc += shellcraft.amd64.strcpy('rsp', 'rax')
>>> sc += shellcraft.amd64.linux.write(1, 'rsp', 32)
>>> sc += shellcraft.amd64.linux.exit(0)
>>> sc += 'get_str: call pop_str\n'
>>> sc += '.asciz "Hello, world\\n"'
>>> run_assembly(sc).recvline()
b'Hello, world\n'
pwnlib.shellcraft.amd64.strlen(string, reg='rcx')[source]

Calculate the length of the specified string.

Parameters
  • string (str) – Register or address with the string

  • reg (str) – Named register to return the value in, rcx is the default.

Example

>>> sc  = 'jmp get_str\n'
>>> sc += 'pop_str: pop rdi\n'
>>> sc += shellcraft.amd64.strlen('rdi', 'rax')
>>> sc += 'push rax;'
>>> sc += shellcraft.amd64.linux.write(1, 'rsp', 8)
>>> sc += shellcraft.amd64.linux.exit(0)
>>> sc += 'get_str: call pop_str\n'
>>> sc += '.asciz "Hello, world\\n"'
>>> run_assembly(sc).unpack() == len('Hello, world\n')
True
pwnlib.shellcraft.amd64.trap()[source]

A trap instruction.

pwnlib.shellcraft.amd64.xor(key, address, count)[source]

XORs data a constant value.

Parameters
  • key (int,str) – XOR key either as a 8-byte integer, If a string, length must be a power of two, and not longer than 8 bytes. Alternately, may be a register.

  • address (int) – Address of the data (e.g. 0xdead0000, ‘esp’)

  • count (int) – Number of bytes to XOR, or a register containing the number of bytes to XOR.

Example

>>> sc  = shellcraft.read(0, 'rsp', 32)
>>> sc += shellcraft.xor(0xdeadbeef, 'rsp', 32)
>>> sc += shellcraft.write(1, 'rsp', 32)
>>> io = run_assembly(sc)
>>> io.send(cyclic(32))
>>> result = io.recvn(32)
>>> expected = xor(cyclic(32), p32(0xdeadbeef))
>>> result == expected
True

pwnlib.shellcraft.amd64.linux

Shellcraft module containing Intel x86_64 shellcodes for Linux.

pwnlib.shellcraft.amd64.linux.amd64_to_i386()[source]

Returns code to switch from amd64 to i386 mode. Trashes eax, ecx, edx.

Note that you most surely want to set up some stack (and place this code) in low address space before (or afterwards).

pwnlib.shellcraft.amd64.linux.bindsh(port, network)[source]

Listens on a TCP port and spawns a shell for the first to connect. Port is the TCP port to listen on, network is either ‘ipv4’ or ‘ipv6’.

pwnlib.shellcraft.amd64.linux.cat(filename, fd=1)[source]

Opens a file and writes its contents to the specified file descriptor.

pwnlib.shellcraft.amd64.linux.cat2(filename, fd=1, length=16384)[source]

Opens a file and writes its contents to the specified file descriptor. Uses an extra stack buffer and must know the length.

pwnlib.shellcraft.amd64.linux.connect(host, port, network='ipv4')[source]

Connects to the host on the specified port. Network is either ‘ipv4’ or ‘ipv6’. Leaves the connected socket in rbp.

pwnlib.shellcraft.amd64.linux.connectstager(host, port, network='ipv4')[source]

connect recvsize stager :param host: :param where to connect to: :param port: :param which port to connect to: :param network: ipv4) :param ipv4 or ipv6? (default: ipv4)

pwnlib.shellcraft.amd64.linux.dupio(sock='rbp')[source]

Args: [sock (imm/reg) = rbp] Duplicates sock to stdin, stdout and stderr

pwnlib.shellcraft.amd64.linux.dupsh(sock='rbp')[source]

Args: [sock (imm/reg) = rbp] Duplicates sock to stdin, stdout and stderr and spawns a shell.

pwnlib.shellcraft.amd64.linux.echo(string, sock='1')[source]

Writes a string to a file descriptor

pwnlib.shellcraft.amd64.linux.egghunter(egg, start_address=0)[source]

Searches memory for the byte sequence ‘egg’.

Return value is the address immediately following the match, stored in RDI.

Parameters
  • egg (str, int) – String of bytes, or word-size integer to search for

  • start_address (int) – Where to start the search

pwnlib.shellcraft.amd64.linux.findpeer(port=None)[source]

Args: port (defaults to any port) Finds a socket, which is connected to the specified port. Leaves socket in RDI.

pwnlib.shellcraft.amd64.linux.findpeersh(port=None)[source]

Args: port (defaults to any) Finds an open socket which connects to a specified port, and then opens a dup2 shell on it.

pwnlib.shellcraft.amd64.linux.findpeerstager(port=None)[source]

Findpeer recvsize stager :param port: :type port: defaults to any :param the port given to findpeer: :type the port given to findpeer: defaults to any

pwnlib.shellcraft.amd64.linux.forkbomb()[source]

Performs a forkbomb attack.

pwnlib.shellcraft.amd64.linux.forkexit()[source]

Attempts to fork. If the fork is successful, the parent exits.

pwnlib.shellcraft.amd64.linux.getpid()[source]

Retrieve the current PID

pwnlib.shellcraft.amd64.linux.kill(pid, sig) str[source]

Invokes the syscall kill.

See ‘man 2 kill’ for more information.

Parameters
  • pid (pid_t) – pid

  • sig (int) – sig

Returns

int

pwnlib.shellcraft.amd64.linux.killparent()[source]

Kills its parent process until whatever the parent is (probably init) cannot be killed any longer.

pwnlib.shellcraft.amd64.linux.listen(port, network)[source]

Listens on a TCP port, accept a client and leave his socket in RAX. Port is the TCP port to listen on, network is either ‘ipv4’ or ‘ipv6’.

pwnlib.shellcraft.amd64.linux.loader(address)[source]

Loads a statically-linked ELF into memory and transfers control.

Parameters

address (int) – Address of the ELF as a register or integer.

pwnlib.shellcraft.amd64.linux.loader_append(data=None)[source]

Loads a statically-linked ELF into memory and transfers control.

Similar to loader.asm but loads an appended ELF.

Parameters

data (str) – If a valid filename, the data is loaded from the named file. Otherwise, this is treated as raw ELF data to append. If None, it is ignored.

Example

>>> payload = shellcraft.echo(b'Hello, world!\n') + shellcraft.exit(0)
>>> payloadELF = ELF.from_assembly(payload)
>>> payloadELF.arch
'amd64'
>>> loader = shellcraft.loader_append(payloadELF.data)
>>> loaderELF = ELF.from_assembly(loader, vma=0, shared=True)
>>> loaderELF.process().recvall()
b'Hello, world!\n'
pwnlib.shellcraft.amd64.linux.membot(readsock=0, writesock=1)[source]

Read-write access to a remote process’ memory.

Provide a single pointer-width value to determine the operation to perform:

  • 0: Exit the loop

  • 1: Read data

  • 2: Write data

pwnlib.shellcraft.amd64.linux.migrate_stack(size=1048576, fd=0)[source]

Migrates to a new stack.

pwnlib.shellcraft.amd64.linux.mmap_rwx(size=4096, protection=7, address=None)[source]

Maps some memory

pwnlib.shellcraft.amd64.linux.read(fd=0, buffer='rsp', count=8)[source]

Reads data from the file descriptor into the provided buffer. This is a one-shot and does not fill the request.

pwnlib.shellcraft.amd64.linux.read_upto(fd=0, buffer='rsp', sizereg='rdx')[source]

Reads up to N bytes 8 bytes into the specified register

pwnlib.shellcraft.amd64.linux.readfile(path, dst='rdi')[source]

Args: [path, dst (imm/reg) = rdi ] Opens the specified file path and sends its content to the specified file descriptor.

pwnlib.shellcraft.amd64.linux.readinto(sock=0)[source]

Reads into a buffer of a size and location determined at runtime. When the shellcode is executing, it should send a pointer and pointer-width size to determine the location and size of buffer.

pwnlib.shellcraft.amd64.linux.readloop(sock=0)[source]

Reads into a buffer of a size and location determined at runtime. When the shellcode is executing, it should send a pointer and pointer-width size to determine the location and size of buffer.

pwnlib.shellcraft.amd64.linux.readn(fd, buf, nbytes)[source]

Reads exactly nbytes bytes from file descriptor fd into the buffer buf.

Parameters
  • fd (int) – fd

  • buf (void) – buf

  • nbytes (size_t) – nbytes

pwnlib.shellcraft.amd64.linux.readptr(fd=0, target_reg='rdx')[source]

Reads 8 bytes into the specified register

pwnlib.shellcraft.amd64.linux.recvsize(sock, reg='rcx')[source]

Recives 4 bytes size field Useful in conjuncion with findpeer and stager :param sock: :param the socket to read the payload from.: :param reg: :type reg: default ecx :param the place to put the size: :type the place to put the size: default ecx

Leaves socket in ebx

pwnlib.shellcraft.amd64.linux.setregid(gid='egid')[source]

Args: [gid (imm/reg) = egid] Sets the real and effective group id.

pwnlib.shellcraft.amd64.linux.setresuid(ruid=None, euid=None, suid=None)[source]

Args: [ruid = geteuid(), euid = ruid, suid = ruid] Sets real, effective and saved user ids to given values

pwnlib.shellcraft.amd64.linux.setreuid(uid='euid')[source]

Args: [uid (imm/reg) = euid] Sets the real and effective user id.

pwnlib.shellcraft.amd64.linux.sh()[source]

Execute a different process.

>>> p = run_assembly(shellcraft.amd64.linux.sh())
>>> p.sendline(b'echo Hello')
>>> p.recv()
b'Hello\n'
pwnlib.shellcraft.amd64.linux.sleep(seconds)[source]

Sleeps for the specified amount of seconds.

Uses SYS_nanosleep under the hood. Doesn’t check for interrupts and doesn’t retry with the remaining time.

Parameters

seconds (int,float) – The time to sleep in seconds.

pwnlib.shellcraft.amd64.linux.socket(network='ipv4', proto='tcp')[source]

Creates a new socket

pwnlib.shellcraft.amd64.linux.stage(fd=0, length=None)[source]

Migrates shellcode to a new buffer.

Parameters
  • fd (int) – Integer file descriptor to recv data from. Default is stdin (0).

  • length (int) – Optional buffer length. If None, the first pointer-width of data received is the length.

Example

>>> p = run_assembly(shellcraft.stage())
>>> sc = asm(shellcraft.echo("Hello\n", constants.STDOUT_FILENO))
>>> p.pack(len(sc))
>>> p.send(sc)
>>> p.recvline()
b'Hello\n'
pwnlib.shellcraft.amd64.linux.stager(sock, size, handle_error=False)[source]

Recives a fixed sized payload into a mmaped buffer Useful in conjuncion with findpeer. After running the socket will be left in RDI. :param sock: :param the socket to read the payload from.: :param size: :param the size of the payload:

pwnlib.shellcraft.amd64.linux.strace_dos()[source]

Kills strace

pwnlib.shellcraft.amd64.linux.syscall(syscall=None, arg0=None, arg1=None, arg2=None, arg3=None, arg4=None, arg5=None)[source]
Args: [syscall_number, *args]

Does a syscall

Any of the arguments can be expressions to be evaluated by pwnlib.constants.eval().

Example

>>> print(pwnlib.shellcraft.amd64.linux.syscall('SYS_execve', 1, 'rsp', 2, 0).rstrip())
    /* call execve(1, 'rsp', 2, 0) */
    xor r10d, r10d /* 0 */
    push SYS_execve /* 0x3b */
    pop rax
    push 1
    pop rdi
    push 2
    pop rdx
    mov rsi, rsp
    syscall
>>> print(pwnlib.shellcraft.amd64.linux.syscall('SYS_execve', 2, 1, 0, -1).rstrip())
    /* call execve(2, 1, 0, -1) */
    push -1
    pop r10
    push SYS_execve /* 0x3b */
    pop rax
    push 2
    pop rdi
    push 1
    pop rsi
    cdq /* rdx=0 */
    syscall
>>> print(pwnlib.shellcraft.amd64.linux.syscall().rstrip())
    /* call syscall() */
    syscall
>>> print(pwnlib.shellcraft.amd64.linux.syscall('rax', 'rdi', 'rsi').rstrip())
    /* call syscall('rax', 'rdi', 'rsi') */
    /* setregs noop */
    syscall
>>> print(pwnlib.shellcraft.amd64.linux.syscall('rbp', None, None, 1).rstrip())
    /* call syscall('rbp', ?, ?, 1) */
    mov rax, rbp
    push 1
    pop rdx
    syscall
>>> print(pwnlib.shellcraft.amd64.linux.syscall(
...               'SYS_mmap', 0, 0x1000,
...               'PROT_READ | PROT_WRITE | PROT_EXEC',
...               'MAP_PRIVATE | MAP_ANONYMOUS',
...               -1, 0).rstrip())
    /* call mmap(0, 0x1000, 'PROT_READ | PROT_WRITE | PROT_EXEC', 'MAP_PRIVATE | MAP_ANONYMOUS', -1, 0) */
    push (MAP_PRIVATE | MAP_ANONYMOUS) /* 0x22 */
    pop r10
    push -1
    pop r8
    xor r9d, r9d /* 0 */
    push SYS_mmap /* 9 */
    pop rax
    xor edi, edi /* 0 */
    push (PROT_READ | PROT_WRITE | PROT_EXEC) /* 7 */
    pop rdx
    mov esi, 0x1010101 /* 4096 == 0x1000 */
    xor esi, 0x1011101
    syscall
>>> print(pwnlib.shellcraft.open('/home/pwn/flag').rstrip())
    /* open(file='/home/pwn/flag', oflag=0, mode=0) */
    /* push b'/home/pwn/flag\x00' */
    mov rax, 0x101010101010101
    push rax
    mov rax, 0x101010101010101 ^ 0x67616c662f6e
    xor [rsp], rax
    mov rax, 0x77702f656d6f682f
    push rax
    mov rdi, rsp
    xor edx, edx /* 0 */
    xor esi, esi /* 0 */
    /* call open() */
    push SYS_open /* 2 */
    pop rax
    syscall
>>> print(shellcraft.amd64.write(0, '*/', 2).rstrip())
    /* write(fd=0, buf='\x2a/', n=2) */
    /* push b'\x2a/\x00' */
    push 0x1010101 ^ 0x2f2a
    xor dword ptr [rsp], 0x1010101
    mov rsi, rsp
    xor edi, edi /* 0 */
    push 2
    pop rdx
    /* call write() */
    push SYS_write /* 1 */
    pop rax
    syscall
pwnlib.shellcraft.amd64.linux.writeloop(readsock=0, writesock=1)[source]

Reads from a buffer of a size and location determined at runtime. When the shellcode is executing, it should send a pointer and pointer-width size to determine the location and size of buffer.

pwnlib.shellcraft.amd64.windows

Shellcraft module containing Intel x86_64 shellcodes for Windows.

pwnlib.shellcraft.amd64.windows.cmd()[source]

Execute cmd.exe and keep the parent process in an infinite loop.

pwnlib.shellcraft.amd64.windows.getexport(function_name, dll='kernel32.dll', dest='rax')[source]

Find the address of an exported function in a dll by manually iterating through the PE export table.

Parameters
  • function_name (str) – The name of the function to find.

  • dll (str) – The name of the DLL to find the function in.

  • dest (str) – The register to load the function address into.

pwnlib.shellcraft.amd64.windows.getprocaddress(function_name, dll='kernel32.dll', dest='rax')[source]

Find the address of an exported function by calling kernel32::GetProcAddress.

Parameters
  • function_name (str) – The name of the function to find.

  • dll (str) – The name of the DLL to find the function in.

  • dest (str) – The register to load the function address into.

pwnlib.shellcraft.amd64.windows.kernel32base(dest='rax')[source]

Find the base address of kernel32.dll in memory.

Parameters

dest (str) – The register to load the kernel32.dll base address into.

pwnlib.shellcraft.amd64.windows.ntdllbase(dest='rax')[source]

Find the base address of ntdll.dll in memory.

Parameters

dest (str) – The register to load the ntdll.dll base address into.

pwnlib.shellcraft.amd64.windows.peb(dest='rax')[source]

Loads the Process Environment Block (PEB) into the target register.

Parameters

dest (str) – The register to load the PEB into.

pwnlib.shellcraft.amd64.windows.teb(dest='rax', offset=0)[source]

Loads the Thread Environment Block (TEB) into the target register.

Parameters
  • dest (str) – The register to load the TEB into.

  • offset (int) – The offset from the TEB to load.

pwnlib.shellcraft.amd64.windows.winexec(cmd, cmd_show=0)[source]

Execute a program using WinExec.

Parameters
  • cmd (str) – The program to execute.

  • cmd_show (int) – nCmdShow parameter.