pwnlib.encoders — Encoding Shellcode

pwnlib.encoders.encoder.alphanumeric(raw_bytes) → str

Encode the shellcode raw_bytes such that it does not contain any bytes except for [A-Za-z0-9].

Accepts the same arguments as encode().

pwnlib.encoders.encoder.encode(raw_bytes, avoid, expr, force) → str

Encode shellcode raw_bytes such that it does not contain any bytes in avoid or expr.

Parameters:
  • raw_bytes (str) – Sequence of shellcode bytes to encode.
  • avoid (str) – Bytes to avoid.
  • expr (str) – Regular expression which matches bad characters.
  • force (bool) – Force re-encoding of the shellcode, even if it doesn’t contain any bytes in avoid.

pwnlib.encoders.encoder.line(raw_bytes) → str

Encode the shellcode raw_bytes such that it does not contain any NULL bytes or whitespace.

Accepts the same arguments as encode().

pwnlib.encoders.encoder.null(raw_bytes) → str

Encode the shellcode raw_bytes such that it does not contain any NULL bytes.

Accepts the same arguments as encode().

pwnlib.encoders.encoder.printable(raw_bytes) → str

Encode the shellcode raw_bytes such that it only contains non-space printable bytes.

Accepts the same arguments as encode().

pwnlib.encoders.encoder.scramble(raw_bytes) → str

Encodes the input data with a random encoder.

Accepts the same arguments as encode().
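
A checker for the byte constraints that encode(), null(), line(), printable() and alphanumeric() describe above, as an added example that is not pwntools code: it reports the offset of every byte that falls in an avoid set or matches an expr pattern, so an encoder's output can be asserted on, or a captured buffer tested against these restricted alphabets. The profile byte sets and the names find_violations, check_profile and satisfied_profiles are assumptions of this example, and the sample buffers are constructed.

```python
import re
import string

# Byte sets per helper, as read from the descriptions on this page.
# These are this example's assumptions, not values taken from pwntools.
WHITESPACE = string.whitespace.encode("ascii")
ALNUM = (string.ascii_letters + string.digits).encode("ascii")
PRINTABLE = bytes(range(0x21, 0x7F))  # printable ASCII without space

def _complement(allowed):
    """All byte values that are NOT in the allowed set."""
    return bytes(b for b in range(256) if b not in allowed)

# Each profile maps to the set of bytes that must not appear.
PROFILES = {
    "null": b"\x00",
    "line": b"\x00" + WHITESPACE,
    "printable": _complement(PRINTABLE),
    "alphanumeric": _complement(ALNUM),
}

def find_violations(data, avoid=b"", expr=None):
    """Return [(offset, byte)] for each byte of data in avoid or matched by expr."""
    bad = set(avoid)
    if expr is not None:
        raw = expr if isinstance(expr, bytes) else expr.encode("latin-1")
        pattern = re.compile(raw, re.DOTALL)
        # expr describes bad characters, so test every byte value once.
        bad.update(b for b in range(256) if pattern.fullmatch(bytes([b])))
    return [(i, b) for i, b in enumerate(data) if b in bad]

def check_profile(data, profile):
    """Violations of one named profile (null, line, printable, alphanumeric)."""
    return find_violations(data, avoid=PROFILES[profile])

def satisfied_profiles(data):
    """Names of every profile the buffer already satisfies."""
    return sorted(name for name in PROFILES if not check_profile(data, name))

# Constructed sample buffers (plain data, not the output of any encoder).
SAMPLES = {
    "with_nul": b"AAAA\x00BBBB",
    "with_newline": b"GET /a\nHost",
    "alnum": b"abcXYZ0189",
    "punct": b"%!ab~",
}

if __name__ == "__main__":
    for name, buf in SAMPLES.items():
        print(name, satisfied_profiles(buf), find_violations(buf, b"\x00", r"[\n/]"))
```
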

class pwnlib.encoders.i386.xor.i386XorEncoder

Generates an XOR decoder for i386.

>>> context.clear(arch='i386')
>>> shellcode = asm(shellcraft.sh())
>>> avoid = b'/bin/sh\xcc\xcd\x80'
>>> encoded = pwnlib.encoders.i386.xor.encode(shellcode, avoid)
>>> assert not any(c in encoded for c in avoid)
>>> p = run_shellcode(encoded)
>>> p.sendline(b'echo hello; exit')
>>> p.recvline()
b'hello\n'

Shellcode encoder class

Implements an architecture-specific shellcode encoder

class pwnlib.encoders.i386.delta.i386DeltaEncoder

i386 encoder built on delta-encoding.

In addition to the loader stub, doubles the size of the shellcode.

Example

>>> sc = pwnlib.encoders.i386.delta.encode(b'\xcc', b'\x00\xcc')
>>> e  = ELF.from_bytes(sc)
>>> e.process().poll(True)
-5

class pwnlib.encoders.amd64.delta.amd64DeltaEncoder

amd64 encoder built on delta-encoding.

In addition to the loader stub, doubles the size of the shellcode.

>>> context.clear(arch='amd64')
>>> shellcode = asm(shellcraft.sh())
>>> avoid = b'/bin/sh\x00'
>>> encoded = pwnlib.encoders.amd64.delta.encode(shellcode, avoid)
>>> assert not any(c in encoded for c in avoid)
>>> p = run_shellcode(encoded)
>>> p.sendline(b'echo hello; exit')
>>> p.recvline()
b'hello\n'

class pwnlib.encoders.arm.xor.ArmXorEncoder

Generates an XOR decoder for ARM.

>>> context.clear(arch='arm')
>>> shellcode = asm(shellcraft.sh())
>>> avoid = b'binsh\x00\n'
>>> encoded = pwnlib.encoders.arm.xor.encode(shellcode, avoid)
>>> assert not any(c in encoded for c in avoid)
>>> p = run_shellcode(encoded)
>>> p.sendline(b'echo hello; exit')
>>> p.recvline()
b'hello\n'

class pwnlib.encoders.mips.xor.MipsXorEncoder

Generates an XOR decoder for MIPS.

>>> context.clear(arch='mips')
>>> shellcode = asm(shellcraft.sh())
>>> avoid = b'/bin/sh\x00'
>>> encoded = pwnlib.encoders.mips.xor.encode(shellcode, avoid)
>>> assert not any(c in encoded for c in avoid)
>>> p = run_shellcode(encoded)
>>> p.sendline(b'echo hello; exit')
>>> p.recvline()
b'hello\n'
