`shellcodes.thumb` — Shellcodes for Thumb mode¶

`shellcodes.thumb`¶

`acceptloop`¶

shellcodes.thumb.acceptloop.generate(port=31337)¶

accept loop shellcode in Thumb Mode

Args:: port(int/str): specific port
Returns:: r6 reg indicates socket descriptor will be mapped with dup()

`arm_to_thumb`¶

shellcodes.thumb.arm_to_thumb.generate()¶: switchs ARM to Thumb mode

`appendwrite`¶

shellcodes.thumb.appendwrite.generate(filepath, sock)¶

write with append option a file with user’s data

argument:

filepath(str) : file name to open

sock(int/str/reg): read a sock to write data

`bindshell`¶

shellcodes.thumb.bindshell.generate(port=31337, sock=4, once=True)¶

bind shell on specific port in Thumb Mode

Args:

port(int): specific port

sock(int/str/reg): connection sock will be mapped with shell

once(boolean): binds on port infinity if true: binds on port once if false

`cat`¶

shellcodes.thumb.cat.generate(filepath, in_fd='auto', out_fd=4)¶

cat a file like UNIX Command

Args:: filepath (str) : target file name in_fd (int/str): in file descriptor (default: ‘r6’ indicates a file descriptor) out_fd (int/str): out file descriptor (default: 4)

`chmod`¶

shellcodes.thumb.chmod.generate(fname='/etc/passwd')¶

chmod like a UNIX command with mask 0777

Args:: fname(str): file name

`connect`¶

shellcodes.thumb.connect.binary_ip(host)¶

shellcodes.thumb.connect.generate(host='127.0.0.1', port=31337)¶

Connects to remote machine on specific port

Args:

host(str): hostname or IP address

port(int/str): specific port

shellcodes.thumb.connect.u32(u)¶

`connectback`¶

shellcodes.thumb.connectback.binary_ip(host)¶

shellcodes.thumb.connectback.generate(host='127.0.0.1', port=31337, sock='r6')¶

connection back to attacker with pwn shell on specific port in Thumb Mode

argument:: host (str) : specific IP address or hostname port (int/str): specific port sock (int/str): sock descriptor for dupsh()

shellcodes.thumb.connectback.u32(u)¶

`dup`¶

shellcodes.thumb.dup.generate(sock=4)¶

Duplicates sock to stdin, stdout and stderr

Args:: sock(int/str/reg): sock descriptor

`dupsh`¶

shellcodes.thumb.dupsh.generate(sock=4, cmd='/bin/sh')¶

Duplicates sock to stdin, stdout and stderr and spawns a shell

Args:

sock(int/str/reg): sock descriptor

cmd(str): executes a cmd (default: /bin/sh)

`exit`¶

shellcodes.thumb.exit.generate(n=0)¶

`findpeer`¶

shellcodes.thumb.findpeer.generate()¶

find a socket, which is connected to the specified port in thumb mode Leaves socket in r0 reg.

argument:: port (int/str): specific port
backup:: r6: indicates found socket/file descriptor

`findpeersh`¶

shellcodes.thumb.findpeersh.generate()¶: find a socket, which is connected to the specified port in thumb mode Leaves socket in r6 reg.

`getdents`¶

shellcodes.thumb.getdents.generate(in_fd)¶

getdents - lists specific directory in thumb mode

Args:: in_fd - (int/str/reg): in file descriptor

`infinityloop`¶

shellcodes.thumb.infinityloop.generate()¶: Loop infinity to check whether pwned or not

`listen`¶

shellcodes.thumb.listen.generate(port=31337)¶

listens on specific port

Args:: port(int): specific prot
Returns:: r6 reg indicates socket descriptor

`ls`¶

shellcodes.thumb.ls.generate(filepath, out_fd)¶

ls a directory list like UNIX Command in thumb mode

arguments:: filepath (str) : target directory name out_fd (int/str): out file descriptor
backup:: r6 reg indicates to file descriptor

`open_file`¶

shellcodes.thumb.open_file.generate(filepath='./secret', flags=0, mode=None)¶

open a file for reading/writing/sending to you in thumb mode

Args:

filepath(str): filename to read with flags/mode

flags(int/str): The argument flags must include one of the following access modes:: O_RDONLY, O_WRONLY, or O_RDWR These request opening the file read-only, write-only, or read/write, respectively.

mode(int/str): modes

backup:

r6: opened file descriptor

`overwrite`¶

shellcodes.thumb.overwrite.generate(filepath, sock, isNewFile=False)¶

overwrites a file with user’s data

argument:: filepath (str) : file name to open sock (int/str/reg): read a sock to write data
Examples:: sending a big file to remote to write

>>> HOST = 'hostname'
>>> PORT = 31337
>>> MAXSIZE = 128
>>> sc  = scgen.overwrite('./binary', 4)
>>> sc += scgen.exit(0)
>>> xsc = CompileSC( (sc), isThumb=True)
>>> s = socket(AF_INET, SOCK_STREAM)
>>> s.connect( (HOST, PORT) )
>>> f = s.makefile('rw', bufsize=0)
>>> f.write(xsc + '\n')
>>> data = open('/path/to/binary', 'rb').read()
>>> size = len(data)
>>> mod  = size % MAXSIZE
>>> div  = size / MAXSIZE
>>> for i in range(0, div):
>>>    f.write(data[i*128:(i+1)*MAXSIZE])
>>> if div:
>>>    f.write(data[div*MAXSIZE:])

`read_from_stack`¶

shellcodes.thumb.read_from_stack.generate(out_fd, size)¶

Writes a file from stack in thumb mode

Args:

out_fd (int/str/reg) = file descriptor

size (int/str/reg) = size to read

`sendfile`¶

shellcodes.thumb.sendfile.generate(in_fd, out_fd)¶

sends a file to user in thumb mode

Args:: in_fd (str/int): in file descriptor out_fd (str/int): out file descriptor

`setregid`¶

shellcodes.thumb.setregid.generate(gid=0)¶

setregid(gid, gid) to get egid’s privilige

argument:: gid (int/str/reg) - effective gid number

`setreuid`¶

shellcodes.thumb.setreuid.generate(uid=0)¶

setreuid(uid, uid) to get euid’s privilige

argument:: uid (int/str/reg) - effective uid number

`sh`¶

shellcodes.thumb.sh.generate(cmd='/bin/sh')¶

Executes cmd

Args:: cmd(str): executes cmd (default: /bin/sh)

`write_to_stack`¶

shellcodes.thumb.write_to_stack.align4(n)¶

shellcodes.thumb.write_to_stack.generate(in_fd, size)¶

Writes data to stack in thumb mode

Args:: in_fd (int/str/reg) = file descriptor size (int/str/reg) = size to write

shellcodes.thumb — Shellcodes for Thumb mode¶