`shellcodes.arm64` — Shellcodes for ARM64 mode¶

`shellcodes.arm64`¶

`acceptloop`¶

shellcodes.arm64.acceptloop.generate(port=31337)¶

accept loop shellcode

Args:: port(int/str): specific port
Returns:: x6 reg indicates socket descriptor will be mapped with dup()

`appendwrite`¶

shellcodes.arm64.appendwrite.generate(filepath, sock)¶

write with append option a file with user’s data

Args:

filepath(str) : file name to open

sock(int/str/reg): read a sock to write data

`bindshell`¶

shellcodes.arm64.bindshell.generate(port=31337, sock=4, once=True)¶

bind shell on specific port

Args:

port(int): specific port

sock(int/str/reg): connection sock will be mapped with shell

once(boolean): binds on port infinity if true: binds on port once if false

`cat`¶

shellcodes.arm64.cat.generate(filepath, in_fd='auto', out_fd='4')¶

cat a file like UNIX Command

Args:

filepath (str) : target file name

in_fd (int/str): in file descriptor (default: ‘x6’ indicates a file descriptor)

out_fd (int/str): out file descriptor (default: 4)

`connect`¶

shellcodes.arm64.connect.binary_ip(host)¶

shellcodes.arm64.connect.generate(host='127.0.0.1', port=31337)¶

Connects to remote machine on specific port

Args:

host(str): hostname or IP address

port(int/str): specific port

shellcodes.arm64.connect.u32(u)¶

`connectback`¶

shellcodes.arm64.connectback.binary_ip(host)¶

shellcodes.arm64.connectback.generate(host='127.0.0.1', port=31337, sock='x6')¶

connection back to attacker with pwn shell on specific port

argument:: host (str) : specific IP address or hostname port (int/str): specific port sock (int/str): sock descriptor for dupsh()

shellcodes.arm64.connectback.u32(u)¶

`dup`¶

shellcodes.arm64.dup.generate(sock=4)¶

Duplicates sock to stdin, stdout and stderr

Args:: sock(int/str/reg): sock descriptor

`dupsh`¶

shellcodes.arm64.dupsh.generate(sock=4, cmd='/bin/sh')¶

Duplicates sock to stdin, stdout and stderr and spawns a shell

Args:

sock(int/str/reg): sock descriptor

cmd(str): executes a cmd (default: /bin/sh)

`exit`¶

shellcodes.arm64.exit.generate(n=0)¶

exit with return code

Args:: n(int/str/reg): return code

`findpeer`¶

shellcodes.arm64.findpeer.generate()¶

find a socket, which is connected to the specified port Leaves socket in x6 regs.

x6: indicates found socket/file descriptor for backup

`findpeersh`¶

shellcodes.arm64.findpeersh.generate()¶: find a socket, which is connected to the specified port Leaves socket in x6 reg.

`fsync`¶

shellcodes.arm64.fsync.generate(out_fd)¶

fsync with file descriptor

Args:: out_fd (int/str/reg) = file descriptor

`getdents`¶

shellcodes.arm64.getdents.generate(in_fd)¶

getdents - lists specific directory

argument:: in_fd - (int/str/reg): in file descriptor

`infinityloop`¶

shellcodes.arm64.infinityloop.generate()¶: Loop infinity to check whether pwned or not

`listen`¶

shellcodes.arm64.listen.generate(port=31337)¶

listens on specific port

Args:: port(int): specific prot
Returns:: x6 reg indicates socket descriptor

`ls`¶

shellcodes.arm64.ls.generate(filepath, out_fd)¶

ls a directory list like UNIX Command in thumb mode

arguments:: filepath (str) : target directory name out_fd (int/str): out file descriptor
backup:: x6 reg indicates to file descriptor

`lseek`¶

shellcodes.arm64.lseek.generate(out_fd, offset=0, whence=2)¶

lseek3264 with file descriptor

Args:

out_fd (int/str/reg) = file descriptor

offset (int/str/reg) = offset

whence (int/enum) = position depends on offset

`open_file`¶

shellcodes.arm64.open_file.generate(filepath='./secret', flags=0, mode=None)¶

open a file for reading/writing/sending to you

Args:: filepath(str): filename to read with flags/mode flags(int/str): The argument flags must include one of the following access modes: O_RDONLY, O_WRONLY, or O_RDWR . These request opening the file read-only, write-only, or read/write, respectively. mode(int/str): modes
backup:: x6: opened file descriptor

`overwrite`¶

shellcodes.arm64.overwrite.generate(filepath, sock, isNewFile=False)¶

overwrites a file with user’s data

argument:: filepath (str) : file name to open sock (int/str/reg): read a sock to write data
Examples:: sending a big file to remote to write

>>> HOST = 'hostname'
>>> PORT = 31337
>>> MAXSIZE = 128
>>> sc  = scgen.overwrite('./binary', 4)
>>> sc += scgen.exit(0)
>>> xsc = CompileSC( (sc), isThumb=True)
>>> s = socket(AF_INET, SOCK_STREAM)
>>> s.connect( (HOST, PORT) )
>>> f = s.makefile('rw', bufsize=0)
>>> f.write(xsc + '\n')
>>> data = open('/path/to/binary', 'rb').read()
>>> size = len(data)
>>> mod  = size % MAXSIZE
>>> div  = size / MAXSIZE
>>> for i in range(0, div):
>>>    f.write(data[i*128:(i+1)*MAXSIZE])
>>> if div:
>>>    f.write(data[mod*MAXSIZE:])

`read_from_stack`¶

shellcodes.arm64.read_from_stack.generate(out_fd, size)¶

Writes a file from stack

Args:

out_fd (int/str/reg) = file descriptor

size (int/str/reg) = size to read

`sendfile`¶

shellcodes.arm64.sendfile.generate(in_fd, out_fd)¶

sends a file to user

Args:: in_fd (str/int): in file descriptor out_fd (str/int): out file descriptor

`setregid`¶

shellcodes.arm64.setregid.generate(gid=0)¶

setregid(gid, gid) to get egid’s privilige

argument:: gid (int/str/reg) - effective gid number

`setreuid`¶

shellcodes.arm64.setreuid.generate(uid=0)¶

setreuid(uid, uid) to get euid’s privilige

Args:: uid (int/str/reg) - effective uid number

`sh`¶

shellcodes.arm64.sh.generate(cmd='/bin/sh')¶

Executes cmd

Args:: cmd(str): executes cmd (default: /bin/sh)

`write_to_stack`¶

shellcodes.arm64.write_to_stack.align4(n)¶

shellcodes.arm64.write_to_stack.align8(n)¶

shellcodes.arm64.write_to_stack.generate(in_fd, size)¶

Writes data to stack

Args:

in_fd (int/str/reg) = file descriptor

size (int/str/reg) = size to write

shellcodes.arm64 — Shellcodes for ARM64 mode¶