pwntools 0.1.0 → 1.0.0

data/lib/pwnlib/shellcraft/generators/x86/common/common.rb

@@ -0,0 +1,26 @@
+require 'pwnlib/shellcraft/generators/helper'
+
+module Pwnlib
+  module Shellcraft
+    module Generators
+      module X86
+        # For non os-related methods.
+        module Common
+          class << self
+            def define_arch_dependent_method(method)
+              define_method(method) do |*args|
+                if context.arch == 'amd64'
+                  cat Amd64::Common.public_send(method, *args)
+                elsif context.arch == 'i386'
+                  cat I386::Common.public_send(method, *args)
+                end
+              end
+            end
+          end
+
+          extend ::Pwnlib::Shellcraft::Generators::Helper
+        end
+      end
+    end
+  end
+end

data/lib/pwnlib/shellcraft/generators/x86/common/infloop.rb

@@ -0,0 +1,22 @@
+require 'pwnlib/shellcraft/generators/x86/common/common'
+
+module Pwnlib
+  module Shellcraft
+    module Generators
+      module X86
+        module Common
+          # Infinite loop.
+          #
+          # @example
+          #   shellcraft.infloop
+          #   #=> "infloop_1:\n  jmp infloop_1"
+          def infloop
+            label = get_label('infloop')
+            cat "#{label}:"
+            cat "jmp #{label}"
+          end
+        end
+      end
+    end
+  end
+end

data/lib/pwnlib/shellcraft/generators/x86/common/mov.rb

@@ -0,0 +1,15 @@
+require 'pwnlib/shellcraft/generators/amd64/common/mov'
+require 'pwnlib/shellcraft/generators/i386/common/mov'
+require 'pwnlib/shellcraft/generators/x86/common/common'
+
+module Pwnlib
+  module Shellcraft
+    module Generators
+      module X86
+        module Common
+          define_arch_dependent_method :mov
+        end
+      end
+    end
+  end
+end

data/lib/pwnlib/shellcraft/generators/x86/common/pushstr.rb

@@ -0,0 +1,15 @@
+require 'pwnlib/shellcraft/generators/amd64/common/pushstr'
+require 'pwnlib/shellcraft/generators/i386/common/pushstr'
+require 'pwnlib/shellcraft/generators/x86/common/common'
+
+module Pwnlib
+  module Shellcraft
+    module Generators
+      module X86
+        module Common
+          define_arch_dependent_method :pushstr
+        end
+      end
+    end
+  end
+end

data/lib/pwnlib/shellcraft/generators/x86/common/pushstr_array.rb

@@ -0,0 +1,85 @@
+# encoding: ASCII-8BIT
+
+require 'pwnlib/shellcraft/generators/x86/common/common'
+require 'pwnlib/shellcraft/generators/x86/common/mov'
+require 'pwnlib/shellcraft/generators/x86/common/pushstr'
+
+module Pwnlib
+  module Shellcraft
+    module Generators
+      module X86
+        module Common
+          # Push an array of pointers onto the stack.
+          #
+          # @param [String] reg
+          #   Destination register to hold the result pointer.
+          # @param [Array<String>] array
+          #   List of arguments to push.
+          #   NULL termination is normalized so that each argument ends with exactly one NULL byte.
+          #
+          # @example
+          #   context.arch = 'i386'
+          #   puts shellcraft.pushstr_array('eax', ['push', 'een'])
+          #   # /* push argument array ["push\x00", "een\x00"] */
+          #   # /* push "push\x00een\x00" */
+          #   # push 1
+          #   # dec byte ptr [esp]
+          #   # push 0x1010101
+          #   # xor dword ptr [esp], 0x1010101 ^ 0x6e656500
+          #   # push 0x68737570
+          #   # xor eax, eax /* 0 */
+          #   # push eax /* null terminate */
+          #   # push 9
+          #   # pop eax
+          #   # add eax, esp
+          #   # push eax /* "een\x00" */
+          #   # push 8
+          #   # pop eax
+          #   # add eax, esp
+          #   # push eax /* "push\x00" */
+          #   # mov eax, esp
+          #   #=> nil
+          # @example
+          #   context.arch = 'amd64'
+          #   puts shellcraft.pushstr_array('rax', ['meow', 'oh'])
+          #   #   /* push argument array ["meow\x00", "oh\x00"] */
+          #   #   /* push "meow\x00oh\x00" */
+          #   #   mov rax, 0x101010101010101
+          #   #   push rax
+          #   #   mov rax, 0x101010101010101 ^ 0x686f00776f656d
+          #   #   xor [rsp], rax
+          #   #   xor eax, eax /* 0 */
+          #   #   push rax /* null terminate */
+          #   #   push 0xd
+          #   #   pop rax
+          #   #   add rax, rsp
+          #   #   push rax /* "oh\x00" */
+          #   #   push 0x10
+          #   #   pop rax
+          #   #   add rax, rsp
+          #   #   push rax /* "meow\x00" */
+          #   #   mov rax, rsp
+          #   #=> nil
+          def pushstr_array(reg, array)
+            abi = ::Pwnlib::ABI::ABI.default
+            array = array.map { |a| a.gsub(/\x00+\Z/, '') + "\x00" }
+            array_str = array.join
+            word_size = abi.arg_alignment
+            offset = array_str.size + word_size
+            cat "/* push argument array #{array.inspect} */"
+            cat Common.pushstr(array_str)
+            cat Common.mov(reg, 0)
+            cat "push #{reg} /* null terminate */"
+            array.reverse.each_with_index do |arg, i|
+              cat Common.mov(reg, offset + word_size * i - arg.size)
+              cat "add #{reg}, #{abi.stack_pointer}"
+              cat "push #{reg} /* #{arg.inspect} */"
+              offset -= arg.size
+            end
+            cat Common.mov(reg, abi.stack_pointer)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/pwnlib/shellcraft/generators/x86/common/setregs.rb

@@ -0,0 +1,82 @@
+# encoding: ASCII-8BIT
+
+require 'pwnlib/shellcraft/generators/x86/common/common'
+
+module Pwnlib
+  module Shellcraft
+    module Generators
+      module X86
+        module Common
+          # Set registers to given values. See example for clearly usage.
+          #
+          # @param [Hash{Symbol => String, Symbol, Numeric}] reg_context
+          #   The values of each registers to be set, see examples.
+          # @param [Boolean] stack_allowed
+          #   If we can use stack for setting values.
+          #   With +stack_allowd+ equals +true+, shellcode would be shorter.
+          #
+          # @example
+          #   context.arch = 'i386'
+          #   puts shellcraft.setregs(rax: 'ebx', ebx: 'ecx', ecx: 0x123)
+          #   #  mov rax, rbx
+          #   #  mov ebx, ecx
+          #   #  xor ecx, ecx
+          #   #  mov cx, 0x123
+          # @example
+          #   context.arch = 'amd64'
+          #   puts shellcraft.setregs(rdi: 'rsi', rsi: 'rdi')
+          #   #  xchg rdi, rsi
+          #
+          #   puts shellcraft.setregs(rax: -1)
+          #   #  push -1
+          #   #  pop rax
+          #
+          #   puts shellcraft.setregs({rax: -1}, stack_allowed: false)
+          #   #  mov rax, -1
+          def setregs(reg_context, stack_allowed: true)
+            abi = ::Pwnlib::ABI::ABI.default
+            reg_context = reg_context.reject { |_, v| v.nil? }
+            # convert all registers to string
+            reg_context = reg_context.map do |k, v|
+              v = register?(v) ? v.to_s : v
+              [k.to_s, v]
+            end
+            reg_context = reg_context.to_h
+            ax_str, dx_str = abi.cdq_pair
+            eax = reg_context[ax_str]
+            edx = reg_context[dx_str]
+            cdq = false
+            ev = lambda do |reg|
+              return reg unless reg.is_a?(String)
+              evaluate(reg)
+            end
+            eax = ev[eax]
+            edx = ev[edx]
+
+            if eax.is_a?(Numeric) && edx.is_a?(Numeric) && edx.zero? && (eax & (1 << 31)).zero?
+              # @diff
+              #   The condition is wrong in python-pwntools, and here we don't care the case of edx==0xffffffff.
+              cdq = true
+              reg_context.delete(dx_str)
+            end
+            sorted_regs = regsort(reg_context, registers)
+            if sorted_regs.empty?
+              cat '/* setregs noop */'
+            else
+              sorted_regs.each do |how, src, dst|
+                if how == 'xchg'
+                  cat "xchg #{src}, #{dst}"
+                else
+                  # Bug in python-pwntools, which is missing `stack_allowed`.
+                  # Proof of bug: pwnlib.shellcraft.setregs({'rax': 1}, stack_allowed=False)
+                  cat Common.mov(src, dst, stack_allowed: stack_allowed)
+                end
+              end
+            end
+            cat "cdq /* #{dx_str}=0 */" if cdq
+          end
+        end
+      end
+    end
+  end
+end

data/lib/pwnlib/shellcraft/generators/x86/linux/execve.rb

@@ -0,0 +1,69 @@
+# encoding: ASCII-8BIT
+
+require 'pwnlib/shellcraft/generators/x86/common/pushstr'
+require 'pwnlib/shellcraft/generators/x86/common/pushstr_array'
+require 'pwnlib/shellcraft/generators/x86/linux/linux'
+
+module Pwnlib
+  module Shellcraft
+    module Generators
+      module X86
+        module Linux
+          # Execute a different process.
+          #
+          # @param [String] path
+          #   Can be either an absolute path or a register's name.
+          # @param [String, Array<String>, Integer, nil] argv
+          #   If +argv+ is a +String+, it would be seen as a register.
+          #   If +Array<String>+, works like normal arguments array.
+          #   If +Integer+, take it as a pointer adrress. (same as +nil+ if zero is given.)
+          #   If +nil+, use NULL pointer.
+          # @param [String, Hash{#to_s => #to_s}, Integer, nil] envp
+          #   +String+ for register name.
+          #   If +envp+ is a +Hash+, it will be converted into the environ form (i.e. key=value).
+          #   If +Integer+, take it as a pointer address (same as +nil+ if zero is given).
+          #   If +nil+ is given, use NULL pointer.
+          #
+          # @example
+          #   shellcraft.execve('/bin/sh', ['sh'], {PWD: '.'})
+          #
+          # @diff
+          #   Parameters have no default values since this is a basic function.
+          def execve(path, argv, envp)
+            abi = ::Pwnlib::ABI::ABI.syscall
+            argv = case argv
+                   when String
+                     raise ArgumentError, "#{argv.inspect} is not a valid register name" unless register?(argv)
+                     argv
+                   when Array
+                     cat Common.pushstr_array(abi.register_arguments[2], argv)
+                     cat ''
+                     abi.register_arguments[2]
+                   when Integer, nil
+                     argv.to_i
+                   end
+
+            envp = case envp
+                   when String
+                     raise ArgumentError, "#{envp.inspect} is not a valid register name" unless register?(envp)
+                     envp
+                   when Hash
+                     cat Common.pushstr_array(abi.register_arguments[3], envp.map { |k, v| "#{k}=#{v}" })
+                     cat ''
+                     abi.register_arguments[3]
+                   when Integer, nil
+                     envp.to_i
+                   end
+
+            unless register?(path)
+              cat Common.pushstr(path)
+              cat ''
+              path = abi.stack_pointer
+            end
+            cat Linux.syscall('SYS_execve', path, argv, envp)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/pwnlib/shellcraft/generators/x86/linux/linux.rb

@@ -0,0 +1,14 @@
+require 'pwnlib/shellcraft/generators/helper'
+
+module Pwnlib
+  module Shellcraft
+    module Generators
+      module X86
+        # For os-related methods.
+        module Linux
+          extend ::Pwnlib::Shellcraft::Generators::Helper
+        end
+      end
+    end
+  end
+end

data/lib/pwnlib/shellcraft/generators/x86/linux/ls.rb

@@ -0,0 +1,66 @@
+# encoding: ASCII-8BIT
+
+require 'pwnlib/shellcraft/generators/x86/common/pushstr'
+require 'pwnlib/shellcraft/generators/x86/linux/linux'
+require 'pwnlib/shellcraft/generators/x86/linux/syscall'
+
+module Pwnlib
+  module Shellcraft
+    module Generators
+      module X86
+        module Linux
+          # List files.
+          #
+          # @param [String] dir
+          #   The relative path to be listed.
+          #
+          # @example
+          #  context.arch = 'amd64'
+          #  puts shellcraft.ls
+          #  #   /* push ".\x00" */
+          #  #   push 0x2e
+          #  #   /* call open("rsp", 0, 0) */
+          #  #   push 2 /* (SYS_open) */
+          #  #   pop rax
+          #  #   mov rdi, rsp
+          #  #   xor esi, esi /* 0 */
+          #  #   cdq /* rdx=0 */
+          #  #   syscall
+          #  #   /* call getdents("rax", "rsp", 4096) */
+          #  #   mov rdi, rax
+          #  #   push 0x4e /* (SYS_getdents) */
+          #  #   pop rax
+          #  #   mov rsi, rsp
+          #  #   xor edx, edx
+          #  #   mov dh, 0x1000 >> 8
+          #  #   syscall
+          #  #   /* call write(1, "rsp", "rax") */
+          #  #   push 1
+          #  #   pop rdi
+          #  #   mov rsi, rsp
+          #  #   mov rdx, rax
+          #  #   push 1 /* (SYS_write) */
+          #  #   pop rax
+          #  #   syscall
+          #  #=> nil
+          #
+          # @note
+          #   This shellcode will output the binary data returned by syscall +getdents+.
+          #   Use {Pwnlib::Util::Getdents.parse} to parse the output.
+          def ls(dir = '.')
+            abi = ::Pwnlib::ABI::ABI.syscall
+            cat Common.pushstr(dir)
+            cat Linux.syscall('SYS_open', abi.stack_pointer, 0, 0)
+            # In x86, return value register is same as sysnr register.
+            ret = abi.register_arguments.first
+            # XXX(david942j): Will fixed size 0x1000 be an issue?
+            cat Linux.syscall('SYS_getdents', ret, abi.stack_pointer, 0x1000) # getdents(fd, buf, sz)
+
+            # Just write all the shits out
+            cat Linux.syscall('SYS_write', 1, abi.stack_pointer, ret)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/pwnlib/shellcraft/generators/x86/linux/sh.rb

@@ -0,0 +1,52 @@
+# encoding: ASCII-8BIT
+
+require 'pwnlib/shellcraft/generators/x86/linux/execve'
+require 'pwnlib/shellcraft/generators/x86/linux/linux'
+
+module Pwnlib
+  module Shellcraft
+    module Generators
+      module X86
+        module Linux
+          # Get shell!
+          #
+          # @param [Boolean, Array<String>] argv
+          #   Arguments of +argv+ when calling +execve+.
+          #   If +true+ is given, use +['sh']+.
+          #   If +Array<String>+ is given, use it as arguments array.
+          #
+          # @example
+          #   context.arch = 'i386'
+          #   puts shellcraft.sh
+          #   # /* push "/bin///sh\x00" */
+          #   # push 0x68
+          #   # push 0x732f2f2f
+          #   # push 0x6e69622f
+          #   #
+          #   # /* call execve("esp", 0, 0) */
+          #   # push 0xb /* (SYS_execve) */
+          #   # pop eax
+          #   # mov ebx, esp
+          #   # xor ecx, ecx /* 0 */
+          #   # cdq /* edx=0 */
+          #   # int 0x80
+          #   #=> nil
+          #
+          # @note Null pointer is always used as +envp+.
+          #
+          # @diff
+          #   By default, this method calls +execve('/bin///sh', 0, 0)+, which is different from pwntools-python:
+          #   +execve('/bin///sh', ['sh'], 0)+.
+          def sh(argv: false)
+            argv = case argv
+                   when true then ['sh']
+                   when false then 0
+                   else argv
+                   end
+            cat Linux.execve('/bin///sh', argv, 0)
+          end
+        end
+      end
+    end
+  end
+end