Shellcraft Templates

[zachriggle]

For each architecture, all of the following non-syscall shellcodes should be defined:

• breakpoint
• crash
• infloop
• mov
• nop
• push
• pushstr
• pushstr_array
• setregs
• trap (alias of breakpoint)

For each operating system, for each architecture, the following set should be defined:

• accept (accepts a connection)
• bind (binds a socket to a port)
• cat (must not use SYS_sendfile)
• connect (creates a socket and a connection)
• dup (duplicates a file descriptor to all stdio handles)
• echo
• listen (creates a listening socket and accepts a connection)
• sendfile (like cat, but does use SYS_sendfile)
• socket (creates a socket)
• sh
• syscall

With these building blocks, it should be trivial to build entirely architecture-agnostic versions (i.e. living in shellcraft/templates/common/linux) of the following:

• bindsh
• dupsh

Things which are excluded because they are syscalls:

• setreuid / setresuid
• setregid / setresgid
• socketcall

Are there any others that are missing that we expect to work?

[zachriggle]

We are currently missing the following architecture-specific shellcodes:

[!] aarch64/breakpoint.asm
[!] aarch64/crash.asm
[!] aarch64/nop.asm
[!] aarch64/push.asm
[!] aarch64/pushstr_array.asm
[!] aarch64/trap.asm
[!] amd64/breakpoint.asm
[!] arm/breakpoint.asm
[!] mips/breakpoint.asm
[!] mips/crash.asm
[!] mips/infloop.asm
[!] powerpc/breakpoint.asm
[!] powerpc/crash.asm
[!] powerpc/infloop.asm
[!] powerpc/mov.asm
[!] powerpc/nop.asm
[!] powerpc/push.asm
[!] powerpc/pushstr.asm
[!] powerpc/pushstr_array.asm
[!] powerpc/setregs.asm
[!] powerpc/trap.asm
[!] thumb/breakpoint.asm

[zachriggle]

One caveat that's important to note is that aarch64 cannot have a push which is similar to the other architectures, since the stack must be 16-byte aligned.

See: https://community.arm.com/processors/b/blog/posts/using-the-stack-in-aarch64-implementing-push-and-pop

[heapcrash]

Most of these are done, and they can be added ad-hoc where needed