pwntools 0.1.0 → 1.0.0

data/test/shellcraft/linux/syscalls/syscall_test.rb

@@ -0,0 +1,83 @@
+# encoding: ASCII-8BIT
+
+require 'test_helper'
+
+require 'pwnlib/context'
+require 'pwnlib/shellcraft/shellcraft'
+
+class SyscallTest < MiniTest::Test
+  include ::Pwnlib::Context
+
+  def setup
+    @shellcraft = ::Pwnlib::Shellcraft::Shellcraft.instance
+  end
+
+  def test_amd64
+    context.local(arch: 'amd64') do
+      assert_equal(<<-'EOS', @shellcraft.syscall('SYS_execve', 1, 'rsp', 2, 0))
+  /* call execve(1, "rsp", 2, 0) */
+  push 0x3b /* (SYS_execve) */
+  pop rax
+  push 1
+  pop rdi
+  mov rsi, rsp
+  push 2
+  pop rdx
+  xor r10d, r10d /* 0 */
+  syscall
+      EOS
+      assert_equal(<<-'EOS', @shellcraft.syscall)
+  /* call syscall() */
+  syscall
+      EOS
+      assert_equal(<<-'EOS', @shellcraft.syscall('rax', 'rdi', 'rsi'))
+  /* call syscall("rax", "rdi", "rsi") */
+  /* setregs noop */
+  syscall
+      EOS
+      assert_equal(<<-'EOS', @shellcraft.syscall('rbp', nil, nil, 1))
+  /* call syscall("rbp", ?, ?, 1) */
+  mov rax, rbp
+  push 1
+  pop rdx
+  syscall
+      EOS
+      mmap = @shellcraft.syscall('SYS_mmap', 0, 4096,
+                                 'PROT_READ | PROT_WRITE | PROT_EXEC',
+                                 'MAP_PRIVATE | MAP_ANONYMOUS', -1, 0)
+      assert_equal(<<-'EOS', mmap)
+  /* call mmap(0, 4096, "PROT_READ | PROT_WRITE | PROT_EXEC", "MAP_PRIVATE | MAP_ANONYMOUS", -1, 0) */
+  push 9 /* (SYS_mmap) */
+  pop rax
+  xor edi, edi /* 0 */
+  mov esi, 0x1010101
+  xor esi, 0x1011101 /* 0x1000 == 0x1010101 ^ 0x1011101 */
+  push 7 /* (PROT_READ | PROT_WRITE | PROT_EXEC) */
+  pop rdx
+  push 0x22 /* (MAP_PRIVATE | MAP_ANONYMOUS) */
+  pop r10
+  push -1
+  pop r8
+  xor r9d, r9d /* 0 */
+  syscall
+      EOS
+    end
+  end
+
+  def test_i386
+    context.local(arch: 'i386') do
+      assert_equal(<<-'EOS', @shellcraft.syscall('ebp', nil, nil, 1))
+  /* call syscall("ebp", ?, ?, 1) */
+  mov eax, ebp
+  push 1
+  pop edx
+  int 0x80
+      EOS
+      assert_equal(<<-'EOS', @shellcraft.syscall('eax', 'ebx', 'ecx'))
+  /* call syscall("eax", "ebx", "ecx") */
+  /* setregs noop */
+  int 0x80
+      EOS
+    end
+  end
+end

data/test/shellcraft/memcpy_test.rb

@@ -0,0 +1,35 @@
+# encoding: ASCII-8BIT
+
+require 'test_helper'
+
+require 'pwnlib/context'
+require 'pwnlib/shellcraft/shellcraft'
+
+class MemcpyTest < MiniTest::Test
+  include ::Pwnlib::Context
+
+  def setup
+    @shellcraft = ::Pwnlib::Shellcraft::Shellcraft.instance
+  end
+
+  def test_amd64
+    context.local(arch: 'amd64') do
+      assert_equal(<<-'EOS', @shellcraft.memcpy('rdi', 'rbx', 255))
+  /* memcpy("rdi", "rbx", 0xff) */
+  cld
+  mov rsi, rbx
+  xor ecx, ecx
+  mov cl, 0xff
+  rep movsb
+      EOS
+      assert_equal(<<-'EOS', @shellcraft.memcpy('rdi', 'rbx', 255))
+  /* memcpy("rdi", "rbx", 0xff) */
+  cld
+  mov rsi, rbx
+  xor ecx, ecx
+  mov cl, 0xff
+  rep movsb
+      EOS
+    end
+  end
+end

data/test/shellcraft/mov_test.rb

@@ -0,0 +1,98 @@
+# encoding: ASCII-8BIT
+
+require 'test_helper'
+
+require 'pwnlib/context'
+require 'pwnlib/shellcraft/shellcraft'
+
+class MovTest < MiniTest::Test
+  include ::Pwnlib::Context
+
+  def setup
+    @shellcraft = ::Pwnlib::Shellcraft::Shellcraft.instance
+  end
+
+  def test_amd64
+    context.local(arch: 'amd64') do
+      assert_equal("  xor eax, eax /* 0 */\n", @shellcraft.mov('rax', 0))
+      assert_equal("  /* moving rax into rax, but this is a no-op */\n", @shellcraft.mov('rax', 'rax'))
+      assert_equal("  push 9 /* mov eax, '\\n' */\n  pop rax\n  inc eax\n", @shellcraft.mov('rax', 10))
+      assert_equal("  xor eax, eax\n  mov al, 0xc0\n", @shellcraft.mov('rax', 0xc0))
+      assert_equal("  xor eax, eax\n  mov ax, 0xc0c0\n", @shellcraft.mov('rax', 0xc0c0))
+      assert_equal("  xor ebx, ebx\n  mov bh, 0x100 >> 8\n", @shellcraft.mov('ebx', 0x100))
+      assert_equal(<<-'EOS', @shellcraft.mov('rdi', 0x100))
+  mov edi, 0x1010201
+  xor edi, 0x1010301 /* 0x100 == 0x1010201 ^ 0x1010301 */
+      EOS
+      assert_equal("  mov r15d, 0xffffffff\n", @shellcraft.mov('r15', 0xffffffff))
+      assert_equal("  push -1\n  pop rsi\n", @shellcraft.mov('rsi', -1))
+      assert_equal("  mov esi, -1\n", @shellcraft.mov('rsi', -1, stack_allowed: false))
+      assert_equal("  movzx edi, ax\n", @shellcraft.mov('rdi', 'ax'))
+      assert_equal("  mov rdx, rbx\n", @shellcraft.mov('rdx', 'rbx'))
+      assert_equal("  xor eax, eax /* (SYS_read) */\n", @shellcraft.mov('rax', 'SYS_read'))
+      assert_equal("  push 1 /* (SYS_write) */\n  pop rax\n", @shellcraft.mov('eax', 'SYS_write'))
+      assert_equal("  xor ax, ax\n  mov al, 1 /* (SYS_write) */\n", @shellcraft.mov('ax', 'SYS_write'))
+      assert_equal("  /* moving ax into al, but this is a no-op */\n", @shellcraft.mov('al', 'ax'))
+      assert_equal(<<-'EOS', @shellcraft.mov('rax', 0x11dead00ff))
+  mov rax, 0x101010101010101
+  push rax
+  mov rax, 0x1010110dfac01fe
+  xor [rsp], rax /* 0x11dead00ff == 0x101010101010101 ^ 0x1010110dfac01fe */
+  pop rax
+      EOS
+      # raises
+      err = assert_raises(ArgumentError) { @shellcraft.mov('eax', 'rdx') }
+      assert_equal('cannot mov eax, rdx: dst is smaller than src', err.message)
+      err = assert_raises(ArgumentError) { @shellcraft.mov('rcx', 0x7f00000000, stack_allowed: false) }
+      assert_equal('Cannot put 0x7f00000000 into \'rcx\' without using stack.', err.message)
+    end
+  end
+
+  def test_i386
+    context.local(arch: 'i386') do
+      assert_equal("  mov eax, ebx\n", @shellcraft.mov('eax', 'ebx'))
+      assert_equal("  xor eax, eax /* 0 */\n", @shellcraft.mov('eax', 0))
+      assert_equal("  xor ax, ax /* 0 */\n", @shellcraft.mov('ax', 0))
+      assert_equal("  xor ax, ax\n  mov al, 0x11\n", @shellcraft.mov('ax', 17))
+      assert_equal(<<-EOS, @shellcraft.mov('edi', 10))
+  push 9 /* mov edi, '\\n' */
+  pop edi
+  inc edi
+      EOS
+      assert_equal("  /* moving ax into al, but this is a no-op */\n", @shellcraft.mov('al', 'ax'))
+      assert_equal("  /* moving esp into esp, but this is a no-op */\n", @shellcraft.mov('esp', 'esp'))
+      assert_equal("  movzx ax, bl\n", @shellcraft.mov('ax', 'bl'))
+      assert_equal("  push 1\n  pop eax\n", @shellcraft.mov('eax', 1))
+      assert_equal("  xor eax, eax\n  mov al, 1\n", @shellcraft.mov('eax', 1, stack_allowed: false))
+      assert_equal("  mov eax, 0xdeadbeaf\n", @shellcraft.mov('eax', 0xdeadbeaf))
+      assert_equal("  mov eax, -0xdead00ff\n  neg eax\n", @shellcraft.mov('eax', 0xdead00ff))
+      assert_equal("  xor eax, eax\n  mov al, 0xc0\n", @shellcraft.mov('eax', 0xc0))
+      assert_equal("  mov edi, -0xc0\n  neg edi\n", @shellcraft.mov('edi', 0xc0))
+      assert_equal("  xor eax, eax\n  mov ah, 0xc000 >> 8\n", @shellcraft.mov('eax', 0xc000))
+      assert_equal(<<-EOS, @shellcraft.mov('eax', 0xffc000))
+  mov eax, 0x1010101
+  xor eax, 0x1fec101 /* 0xffc000 == 0x1010101 ^ 0x1fec101 */
+      EOS
+      assert_equal(<<-EOS, @shellcraft.mov('edi', 0xc000))
+  mov edi, (-1) ^ 0xc000
+  not edi
+      EOS
+      assert_equal(<<-EOS, @shellcraft.mov('edi', 0xf500))
+  mov edi, 0x1010101
+  xor edi, 0x101f401 /* 0xf500 == 0x1010101 ^ 0x101f401 */
+      EOS
+      assert_equal("  xor eax, eax\n  mov ax, 0xc0c0\n", @shellcraft.mov('eax', 0xc0c0))
+      assert_equal(<<-EOS, @shellcraft.mov('eax', 'SYS_execve'))
+  push 0xb /* (SYS_execve) */
+  pop eax
+      EOS
+      assert_equal(<<-EOS, @shellcraft.mov('eax', 'PROT_READ | PROT_WRITE | PROT_EXEC'))
+  push 7 /* (PROT_READ | PROT_WRITE | PROT_EXEC) */
+  pop eax
+      EOS
+      # raises
+      err = assert_raises(ArgumentError) { @shellcraft.mov('ax', 'ebx') }
+      assert_equal('cannot mov ax, ebx: dst is smaller than src', err.message)
+    end
+  end
+end

data/test/shellcraft/nop_test.rb

@@ -0,0 +1,26 @@
+# encoding: ASCII-8BIT
+
+require 'test_helper'
+
+require 'pwnlib/context'
+require 'pwnlib/shellcraft/shellcraft'
+
+class NopTest < MiniTest::Test
+  include ::Pwnlib::Context
+
+  def setup
+    @shellcraft = ::Pwnlib::Shellcraft::Shellcraft.instance
+  end
+
+  def test_amd64
+    context.local(arch: 'amd64') do
+      assert_equal("  nop\n", @shellcraft.nop)
+    end
+  end
+
+  def test_i386
+    context.local(arch: 'i386') do
+      assert_equal("  nop\n", @shellcraft.nop)
+    end
+  end
+end

data/test/shellcraft/popad_test.rb

@@ -0,0 +1,29 @@
+# encoding: ASCII-8BIT
+
+require 'test_helper'
+
+require 'pwnlib/context'
+require 'pwnlib/shellcraft/shellcraft'
+
+class PopadTest < MiniTest::Test
+  include ::Pwnlib::Context
+
+  def setup
+    @shellcraft = ::Pwnlib::Shellcraft::Shellcraft.instance
+  end
+
+  def test_amd64
+    context.local(arch: 'amd64') do
+      assert_equal(<<-'EOS', @shellcraft.popad)
+  pop rdi
+  pop rsi
+  pop rbp
+  pop rbx /* add rsp, 8 */
+  pop rbx
+  pop rdx
+  pop rcx
+  pop rax
+      EOS
+    end
+  end
+end

data/test/shellcraft/pushstr_array_test.rb

@@ -0,0 +1,91 @@
+# encoding: ASCII-8BIT
+
+require 'test_helper'
+
+require 'pwnlib/context'
+require 'pwnlib/shellcraft/shellcraft'
+
+class PushstrArrayTest < MiniTest::Test
+  include ::Pwnlib::Context
+
+  def setup
+    @shellcraft = ::Pwnlib::Shellcraft::Shellcraft.instance
+  end
+
+  def test_amd64
+    context.local(arch: 'amd64') do
+      assert_equal(<<-'EOS', @shellcraft.pushstr_array('rcx', ['A']))
+  /* push argument array ["A\x00"] */
+  /* push "A\x00" */
+  push 0x41
+  xor ecx, ecx /* 0 */
+  push rcx /* null terminate */
+  push 8
+  pop rcx
+  add rcx, rsp
+  push rcx /* "A\x00" */
+  mov rcx, rsp
+      EOS
+      assert_equal(<<-'EOS', @shellcraft.pushstr_array('rsp', ['sh', '-c', 'echo pusheen']))
+  /* push argument array ["sh\x00", "-c\x00", "echo pusheen\x00"] */
+  /* push "sh\x00-c\x00echo pusheen\x00" */
+  push 0x1010101 ^ 0x6e65
+  xor dword ptr [rsp], 0x1010101
+  mov rax, 0x6568737570206f68
+  push rax
+  mov rax, 0x101010101010101
+  push rax
+  mov rax, 0x626401622c016972 /* 0x101010101010101 ^ 0x636500632d006873 */
+  xor [rsp], rax
+  xor esp, esp /* 0 */
+  push rsp /* null terminate */
+  push 0xe
+  pop rsp
+  add rsp, rsp
+  push rsp /* "echo pusheen\x00" */
+  push 0x13
+  pop rsp
+  add rsp, rsp
+  push rsp /* "-c\x00" */
+  push 0x18
+  pop rsp
+  add rsp, rsp
+  push rsp /* "sh\x00" */
+  /* moving rsp into rsp, but this is a no-op */
+      EOS
+    end
+  end
+
+  def test_i386
+    context.local(arch: 'i386') do
+      assert_equal(<<-'EOS', @shellcraft.pushstr_array('esp', ['sh', '-c', 'echo pusheen']))
+  /* push argument array ["sh\x00", "-c\x00", "echo pusheen\x00"] */
+  /* push "sh\x00-c\x00echo pusheen\x00" */
+  push 0x1010101
+  xor dword ptr [esp], 0x1016f64 /* 0x1010101 ^ 0x6e65 */
+  push 0x65687375
+  push 0x70206f68
+  push 0x1010101
+  xor dword ptr [esp], 0x62640162 /* 0x1010101 ^ 0x63650063 */
+  push 0x1010101
+  xor dword ptr [esp], 0x2c016972 /* 0x1010101 ^ 0x2d006873 */
+  xor esp, esp /* 0 */
+  push esp /* null terminate */
+  push 9 /* mov esp, '\n' */
+  pop esp
+  inc esp
+  add esp, esp
+  push esp /* "echo pusheen\x00" */
+  push 0xb
+  pop esp
+  add esp, esp
+  push esp /* "-c\x00" */
+  push 0xc
+  pop esp
+  add esp, esp
+  push esp /* "sh\x00" */
+  /* moving esp into esp, but this is a no-op */
+      EOS
+    end
+  end
+end

data/test/shellcraft/pushstr_test.rb

@@ -0,0 +1,108 @@
+# encoding: ASCII-8BIT
+
+require 'test_helper'
+
+require 'pwnlib/context'
+require 'pwnlib/shellcraft/shellcraft'
+
+class PushstrTest < MiniTest::Test
+  include ::Pwnlib::Context
+
+  def setup
+    @shellcraft = ::Pwnlib::Shellcraft::Shellcraft.instance
+  end
+
+  def test_amd64
+    context.local(arch: 'amd64') do
+      assert_equal(<<-'EOS', @shellcraft.pushstr('A'))
+  /* push "A\x00" */
+  push 0x41
+      EOS
+      assert_equal(<<-'EOS', @shellcraft.pushstr("\n"))
+  /* push "\n\x00" */
+  push 0xb
+  dec byte ptr [rsp]
+      EOS
+      assert_equal(<<-'EOS', @shellcraft.pushstr('A' * 4))
+  /* push "AAAA\x00" */
+  push 0x41414141
+      EOS
+      assert_equal(<<-'EOS', @shellcraft.pushstr('A' * 8))
+  /* push "AAAAAAAA\x00" */
+  push 1
+  dec byte ptr [rsp]
+  mov rax, 0x4141414141414141
+  push rax
+      EOS
+      assert_equal(<<-'EOS', @shellcraft.pushstr('A' * 8, append_null: false))
+  /* push "AAAAAAAA" */
+  mov rax, 0x4141414141414141
+  push rax
+      EOS
+      assert_equal(<<-'EOS', @shellcraft.pushstr("\n" * 4))
+  /* push "\n\n\n\n\x00" */
+  push 0x1010101 ^ 0xa0a0a0a
+  xor dword ptr [rsp], 0x1010101
+      EOS
+      assert_equal(<<-'EOS', @shellcraft.pushstr('/bin/sh'))
+  /* push "/bin/sh\x00" */
+  mov rax, 0x101010101010101
+  push rax
+  mov rax, 0x169722e6f68632e /* 0x101010101010101 ^ 0x68732f6e69622f */
+  xor [rsp], rax
+      EOS
+      assert_equal(<<-'EOS', @shellcraft.pushstr("\x00\xff\xff\xff\xff\xff\xff\xff", append_null: false))
+  /* push "\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF" */
+  mov rax, 0x101010101010101
+  push rax
+  mov rax, -0x1010101010101ff /* 0x101010101010101 ^ -0x100 */
+  xor [rsp], rax
+      EOS
+    end
+  end
+
+  def test_i386
+    context.local(arch: 'i386') do
+      assert_equal(<<-'EOS', @shellcraft.pushstr('A'))
+  /* push "A\x00" */
+  push 0x41
+      EOS
+      assert_equal(<<-'EOS', @shellcraft.pushstr("\n"))
+  /* push "\n\x00" */
+  push 0xb
+  dec byte ptr [esp]
+      EOS
+      assert_equal(<<-'EOS', @shellcraft.pushstr('A' * 4))
+  /* push "AAAA\x00" */
+  push 1
+  dec byte ptr [esp]
+  push 0x41414141
+      EOS
+      assert_equal(<<-'EOS', @shellcraft.pushstr('A' * 8))
+  /* push "AAAAAAAA\x00" */
+  push 1
+  dec byte ptr [esp]
+  push 0x41414141
+  push 0x41414141
+      EOS
+      assert_equal(<<-'EOS', @shellcraft.pushstr('A' * 8, append_null: false))
+  /* push "AAAAAAAA" */
+  push 0x41414141
+  push 0x41414141
+      EOS
+      assert_equal(<<-'EOS', @shellcraft.pushstr("\n" * 4))
+  /* push "\n\n\n\n\x00" */
+  push 1
+  dec byte ptr [esp]
+  push 0x1010101
+  xor dword ptr [esp], 0xb0b0b0b /* 0x1010101 ^ 0xa0a0a0a */
+      EOS
+      assert_equal(<<-'EOS', @shellcraft.pushstr('/bin/sh'))
+  /* push "/bin/sh\x00" */
+  push 0x1010101
+  xor dword ptr [esp], 0x169722e /* 0x1010101 ^ 0x68732f */
+  push 0x6e69622f
+      EOS
+    end
+  end
+end