`shellcodes.arm` — Shellcodes for ARM32 mode¶

`shellcodes.arm`¶

shellcodes.arm.acceptloop.generate(port=31337)¶

accept loop shellcode

Args:: port(int/str): specific port
Returns:: r6 reg indicates socket descriptor will be mapped with dup()

`arm_to_arm`¶

shellcodes.arm.thumb_to_arm.generate()¶: switchs Thumb to ARM mode

`appendwrite`¶

`bindshell`¶

shellcodes.arm.bindshell.generate(port=31337, sock=4, once=True)¶

bind shell on specific port

Args:

port(int): specific port

sock(int/str/reg): connection sock will be mapped with shell

once(boolean): binds on port infinity if true: binds on port once if false

`cat`¶

shellcodes.arm.cat.generate(filepath, in_fd='auto', out_fd=4)¶

cat a file like UNIX Command

Args:: filepath (str) : target file name in_fd (int/str): in file descriptor (default: ‘r6’ indicates a file descriptor) out_fd (int/str): out file descriptor (default: 4)

`chmod`¶

shellcodes.arm.chmod.generate(fname='/etc/passwd')¶

chmod like a UNIX command with mask 0777

Args:: fname(str): file name

`connect`¶

shellcodes.arm.connect.binary_ip(host)¶

shellcodes.arm.connect.generate(host='127.0.0.1', port=31337)¶

Connects to remote machine on specific port

Args:

host(str): hostname or IP address

port(int/str): specific port

shellcodes.arm.connect.u32(u)¶

`connectback`¶

shellcodes.arm.connectback.binary_ip(host)¶

shellcodes.arm.connectback.generate(host='127.0.0.1', port=31337, sock='r6')¶

connection back to attacker with pwn shell on specific port

argument:: host (str) : specific IP address or hostname port (int/str): specific port sock (int/str): sock descriptor for dupsh()

shellcodes.arm.connectback.u32(u)¶

`dup`¶

shellcodes.arm.dup.generate(sock=4)¶

Duplicates sock to stdin, stdout and stderr

Args:: sock(int/str/reg): sock descriptor

`dupsh`¶

shellcodes.arm.dupsh.generate(sock=4, cmd='/bin/sh')¶

Duplicates sock to stdin, stdout and stderr and spawns a shell

Args:

sock(int/str/reg): sock descriptor

cmd(str): executes a cmd (default: /bin/sh)

`exit`¶

shellcodes.arm.exit.generate(n=0)¶

`findpeer`¶

shellcodes.arm.findpeer.generate()¶

find a socket, which is connected to the specified port Leaves socket in r0 reg.

argument:: port (int/str): specific port
backup:: r6: indicates found socket/file descriptor

`findpeersh`¶

shellcodes.arm.findpeersh.generate()¶: find a socket, which is connected to the specified port Leaves socket in r6 reg.

`getdents`¶

shellcodes.arm.getdents.generate(in_fd)¶

getdents - lists specific directory

Args:: in_fd - (int/str/reg): in file descriptor

`infinityloop`¶

shellcodes.arm.infinityloop.generate()¶: Loop infinity to check whether pwned or not

`listen`¶

shellcodes.arm.listen.generate(port=31337)¶

listens on specific port

Args:: port(int): specific prot
Returns:: r6 reg indicates socket descriptor

`ls`¶

shellcodes.arm.ls.generate(filepath, out_fd)¶

ls a directory list like UNIX Command

arguments:: filepath (str) : target directory name out_fd (int/str): out file descriptor
backup:: r6 reg indicates to file descriptor

`open_file`¶

shellcodes.arm.open_file.generate(filepath='./secret', flags=0, mode=None)¶

open a file for reading/writing/sending to you

Args:

filepath(str): filename to read with flags/mode

flags(int/str): The argument flags must include one of the following access modes:: O_RDONLY, O_WRONLY, or O_RDWR These request opening the file read-only, write-only, or read/write, respectively.

mode(int/str): modes

backup:

r6: opened file descriptor

`overwrite`¶

shellcodes.arm.overwrite.generate(filepath, sock, isNewFile=False)¶

overwrites a file with user’s data

argument:: filepath (str) : file name to open sock (int/str/reg): read a sock to write data
Examples:: sending a big file to remote to write

>>> HOST = 'hostname'
>>> PORT = 31337
>>> MAXSIZE = 128
>>> sc  = scgen.overwrite('./binary', 4)
>>> sc += scgen.exit(0)
>>> xsc = CompileSC( (sc), isThumb=True)
>>> s = socket(AF_INET, SOCK_STREAM)
>>> s.connect( (HOST, PORT) )
>>> f = s.makefile('rw', bufsize=0)
>>> f.write(xsc + '\n')
>>> data = open('/path/to/binary', 'rb').read()
>>> size = len(data)
>>> mod  = size % MAXSIZE
>>> div  = size / MAXSIZE
>>> for i in range(0, div):
>>>    f.write(data[i*128:(i+1)*MAXSIZE])
>>> if div:
>>>    f.write(data[div*MAXSIZE:])

`read_from_stack`¶

shellcodes.arm.read_from_stack.generate(out_fd, size)¶

Writes a file from stack

Args:

out_fd (int/str/reg) = file descriptor

size (int/str/reg) = size to read

`sendfile`¶

shellcodes.arm.sendfile.generate(in_fd, out_fd)¶

sends a file to user

Args:: in_fd (str/int): in file descriptor out_fd (str/int): out file descriptor

`setregid`¶

shellcodes.arm.setregid.generate(gid=0)¶

setregid(gid, gid) to get egid’s privilige

argument:: gid (int/str/reg) - effective gid number

`setreuid`¶

shellcodes.arm.setreuid.generate(uid=0)¶

setreuid(uid, uid) to get euid’s privilige

argument:: uid (int/str/reg) - effective uid number

`sh`¶

shellcodes.arm.sh.generate(cmd='/bin/sh')¶

Executes cmd

Args:: cmd(str): executes cmd (default: /bin/sh)

`write_to_stack`¶

shellcodes.arm.write_to_stack.align4(n)¶

shellcodes.arm.write_to_stack.generate(in_fd, size)¶

Writes data to stack

Args:: in_fd (int/str/reg) = file descriptor size (int/str/reg) = size to write

shellcodes.arm — Shellcodes for ARM32 mode¶

shellcodes.arm¶

arm_to_arm¶

appendwrite¶

bindshell¶

cat¶

chmod¶

connect¶

connectback¶

dup¶

dupsh¶

exit¶

findpeer¶

findpeersh¶

getdents¶

infinityloop¶

listen¶

ls¶

open_file¶

overwrite¶

read_from_stack¶

sendfile¶

setregid¶

setreuid¶

sh¶

write_to_stack¶

`shellcodes.arm` — Shellcodes for ARM32 mode¶

`shellcodes.arm`¶

`arm_to_arm`¶

`appendwrite`¶

`bindshell`¶

`cat`¶

`chmod`¶

`connect`¶

`connectback`¶

`dup`¶

`dupsh`¶

`exit`¶

`findpeer`¶

`findpeersh`¶

`getdents`¶

`infinityloop`¶

`listen`¶

`ls`¶

`open_file`¶

`overwrite`¶

`read_from_stack`¶

`sendfile`¶

`setregid`¶

`setreuid`¶

`sh`¶

`write_to_stack`¶