January 31, 2018

How to create a shellcode with pwntools


It is easy to create shellcode with pwntools that is a python library. Just set the environment and call some functions what you want.


Before you can generate shellcode, you need to install bintutils according to your CPU architecture.

$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo apt-add-repository ppa:pwntools/binutils

# In the case of ARM architecture.
$ sudo apt-get install binutils-arm-linux-gnueabi



Python 3.5 and pwntools 2.2.1 is used

$ python3 --version
Python 3.5.2

$ pip3 show pwntools
Name: pwntools
Version: 2.2.1



<shellcode.py>
from pwn import *

# Set environment
context(arch="amd64", os="linux")
code = b''

# [CASE 1] Just shell.
code += asm(shellcraft.sh())

# [CASE 2] Read and write a directory file.
code += asm(shellcraft.pushstr(".\x00"))
code += asm(shellcraft.open("rsp", "O_RDONLY", 0))
code += asm(shellcraft.syscall("SYS_getdents", 3, "rsp", 200))
code += asm(shellcraft.write(1, "rsp", 200))

# [CASE 3] Read and write a regular file.
code += asm(shellcraft.cat("/root/test/flag"))

# [CASE 4] Read and write a regular file.
code += asm(shellcraft.pushstr("/root/flag\x00"))
code += asm(shellcraft.open("rsp", "O_RDONLY", 0))
code += asm(shellcraft.read(3, "rsp", 100))
code += asm(shellcraft.write(1, "rsp", 100))

# Print the shellcode
print("\n[Shellcode]")
print(code)

# Execute the shellcode
print("\n[Run]")
# run_assembly(disasm(code)).interactive()
run_shellcode(code).interactive()

"run_assembly(code)" makes child process.

※ For more information, refer pwntools documentation about shellcode.