pwntools 1.0.1 → 1.1.0

data/lib/pwnlib/shellcraft/generators/x86/linux/cat.rb

@@ -0,0 +1,53 @@
+# encoding: ASCII-8BIT
+
+require 'pwnlib/shellcraft/generators/x86/common/pushstr'
+require 'pwnlib/shellcraft/generators/x86/linux/linux'
+require 'pwnlib/shellcraft/generators/x86/linux/syscall'
+
+module Pwnlib
+  module Shellcraft
+    module Generators
+      module X86
+        module Linux
+          # Opens a file and writes its contents to the specified file descriptor.
+          #
+          # @param [String] filename
+          #   The filename.
+          # @param [Integer] fd
+          #   The file descriptor to write the file contents.
+          #
+          # @example
+          #  context.arch = 'amd64'
+          #  puts shellcraft.cat('/etc/passwd')
+          #  #  /* push "/etc/passwd\x00" */
+          #  #  push 0x1010101 ^ 0x647773
+          #  #  xor dword ptr [rsp], 0x1010101
+          #  #  mov rax, 0x7361702f6374652f
+          #  #  push rax
+          #  #  /* call open("rsp", 0, "O_RDONLY") */
+          #  #  push 2 /* (SYS_open) */
+          #  #  pop rax
+          #  #  mov rdi, rsp
+          #  #  xor esi, esi /* 0 */
+          #  #  cdq /* rdx=0 */
+          #  #  syscall
+          #  #  /* call sendfile(1, "rax", 0, 2147483647) */
+          #  #  push 1
+          #  #  pop rdi
+          #  #  mov rsi, rax
+          #  #  push 0x28 /* (SYS_sendfile) */
+          #  #  pop rax
+          #  #  mov r10d, 0x7fffffff
+          #  #  cdq /* rdx=0 */
+          #  #  syscall
+          #  #=> nil
+          def cat(filename, fd: 1)
+            abi = ::Pwnlib::ABI::ABI.syscall
+            cat Linux.open(filename, 'O_RDONLY')
+            cat Linux.syscall('SYS_sendfile', fd, abi.register_arguments.first, 0, 0x7fffffff)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/pwnlib/shellcraft/generators/x86/linux/exit.rb

@@ -0,0 +1,33 @@
+# encoding: ASCII-8BIT
+
+require 'pwnlib/shellcraft/generators/x86/linux/linux'
+
+module Pwnlib
+  module Shellcraft
+    module Generators
+      module X86
+        module Linux
+          # Exit syscall.
+          #
+          # @param [Integer] status
+          #   Status code.
+          #
+          # @return [String]
+          #   Assembly for invoking exit syscall.
+          #
+          # @example
+          #   puts shellcraft.exit(1)
+          #   #   /* call exit(1) */
+          #   #   push 1 /* (SYS_exit) */
+          #   #   pop eax
+          #   #   push 1
+          #   #   pop ebx
+          #   #   int 0x80
+          def exit(status = 0)
+            cat Linux.syscall('SYS_exit', status)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/pwnlib/shellcraft/generators/x86/linux/open.rb

@@ -0,0 +1,46 @@
+# encoding: ASCII-8BIT
+
+require 'pwnlib/shellcraft/generators/x86/linux/linux'
+
+module Pwnlib
+  module Shellcraft
+    module Generators
+      module X86
+        module Linux
+          # Push filename onto stack and perform open syscall.
+          #
+          # @param [String] filename
+          #   The file to be opened.
+          # @param [String, Integer] flags
+          #   Flags for opening a file.
+          # @param [Integer] mode
+          #   If +filename+ doesn't exist and 'O_CREAT' is specified in +flags+,
+          #   +mode+ will be used as the file permission for creating the file.
+          #
+          # @return [String]
+          #   Assembly for syscall open.
+          #
+          # @example
+          #   puts shellcraft.open('/etc/passwd', 'O_RDONLY')
+          #   #   /* push "/etc/passwd\x00" */
+          #   #   push 0x1010101
+          #   #   xor dword ptr [esp], 0x1657672 /* 0x1010101 ^ 0x647773 */
+          #   #   push 0x7361702f
+          #   #   push 0x6374652f
+          #   #   /* call open("esp", "O_RDONLY", 0) */
+          #   #   push 5 /* (SYS_open) */
+          #   #   pop eax
+          #   #   mov ebx, esp
+          #   #   xor ecx, ecx /* (O_RDONLY) */
+          #   #   cdq /* edx=0 */
+          #   #   int 0x80
+          def open(filename, flags = 'O_RDONLY', mode = 0)
+            abi = ::Pwnlib::ABI::ABI.syscall
+            cat Common.pushstr(filename)
+            cat Linux.syscall('SYS_open', abi.stack_pointer, flags, mode)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/pwnlib/shellcraft/shellcraft.rb

@@ -3,6 +3,7 @@
 require 'singleton'
 
 require 'pwnlib/context'
+require 'pwnlib/errors'
 require 'pwnlib/logger'
 
 module Pwnlib
@@ -48,8 +49,8 @@ module Pwnlib
         begin
           arch_module = ::Pwnlib::Shellcraft::Generators.const_get(context.arch.capitalize)
         rescue NameError
-          log.error("Can't use shellcraft under architecture #{context.arch.inspect}.")
-          return nil
+          raise ::Pwnlib::Errors::UnsupportedArchError,
+                "Can't use shellcraft under architecture #{context.arch.inspect}."
         end
         # try search in Common module
         common_module = arch_module.const_get(:Common)

data/lib/pwnlib/timer.rb

@@ -3,6 +3,7 @@
 require 'time'
 
 require 'pwnlib/context'
+require 'pwnlib/errors'
 
 module Pwnlib
   # A simple timer class.
@@ -27,7 +28,7 @@ module Pwnlib
     end
 
     def timeout
-      return @timeout || Pwnlib::Context.context.timeout unless started?
+      return @timeout || ::Pwnlib::Context.context.timeout unless started?
       @deadline == :forever ? :forever : [@deadline - Time.now, 0].max
     end
 
@@ -46,14 +47,16 @@ module Pwnlib
       end
 
       timeout ||= @timeout
-      timeout ||= Pwnlib::Context.context.timeout
+      timeout ||= ::Pwnlib::Context.context.timeout
 
       @deadline = timeout == :forever ? :forever : Time.now + timeout
 
       begin
         yield
       ensure
+        was_active = active?
         @deadline = nil
+        raise ::Pwnlib::Errors::TimeoutError unless was_active
       end
     end
   end

data/lib/pwnlib/tubes/process.rb

@@ -0,0 +1,153 @@
+# encoding: ASCII-8BIT
+
+require 'pwnlib/errors'
+require 'pwnlib/tubes/tube'
+
+module Pwnlib
+  module Tubes
+    # Launch a process.
+    class Process < Tube
+      # Default options for {#initialize}.
+      DEFAULT_OPTIONS = {
+        env: ENV,
+        in: :pipe,
+        out: :pipe,
+        raw: true,
+        aslr: true
+      }.freeze
+
+      # Instantiate a {Pwnlib::Tubes::Process} object.
+      #
+      # @param [Array<String>, String] argv
+      #   List of arguments to pass to the spawned process.
+      #
+      # @option opts [Hash{String => String}] env (ENV)
+      #   Environment variables. By default, inherits from Ruby's environment.
+      # @option opts [Symbol] in (:pipe)
+      #   What kind of io should be used for +stdin+.
+      #   Candidates are: +:pipe+, +:pty+.
+      # @option opts [Symbol] out (:pipe)
+      #   What kind of io should be used for +stdout+.
+      #   Candidates are: +:pipe+, +:pty+.
+      #   See examples for more details.
+      # @option opts [Boolean] raw (true)
+      #   Set the created PTY to raw mode. i.e. disable echo and control characters.
+      #   If no pty is created, this has no effect.
+      # @option opts [Boolean] aslr (true)
+      #   If +false+ is given, the ASLR of the target process will be disabled via +setarch -R+.
+      # @option opts [Float?] timeout (nil)
+      #   See {Pwnlib::Tubes::Tube#initialize}.
+      #
+      # @example
+      #   io = Tubes::Process.new('ls')
+      #   io.gets
+      #   #=> "Gemfile\n"
+      #
+      #   io = Tubes::Process.new('ls', out: :pty)
+      #   io.gets
+      #   #=> "Gemfile       LICENSE\t\t\t   README.md  STYLE.md\t    git-hooks  pwntools.gemspec  test\n"
+      # @example
+      #   io = Tubes::Process.new('cat /proc/self/maps')
+      #   io.gets
+      #   #=> "55f8b8a10000-55f8b8a18000 r-xp 00000000 fd:00 9044035                    /bin/cat\n"
+      #   io.close
+      #
+      #   io = Tubes::Process.new('cat /proc/self/maps', aslr: false)
+      #   io.gets
+      #   #=> "555555554000-55555555c000 r-xp 00000000 fd:00 9044035                    /bin/cat\n"
+      #   io.close
+      # @example
+      #   io = Tubes::Process.new('env', env: { 'FOO' => 'BAR' })
+      #   io.gets
+      #   #=> "FOO=BAR\n"
+      def initialize(argv, **opts)
+        opts = DEFAULT_OPTIONS.merge(opts)
+        super(timeout: opts[:timeout])
+        argv = normalize_argv(argv, opts)
+        slave_i, slave_o = create_pipe(opts)
+        @pid = ::Process.spawn(opts[:env], *argv, in: slave_i, out: slave_o, unsetenv_others: true)
+        slave_i.close
+        slave_o.close unless slave_i == slave_o
+      end
+
+      # Close the IO.
+      #
+      # @param [:both, :recv, :read, :send, :write] direction
+      #   Disallow further read/write of the process.
+      #
+      # @return [void]
+      def shutdown(direction = :both)
+        close_io(normalize_direction(direction))
+      end
+
+      # Kill the process.
+      #
+      # @return [void]
+      def kill
+        shutdown
+        ::Process.kill('KILL', @pid)
+        ::Process.wait(@pid)
+      end
+      alias close kill
+
+      private
+
+      def io_out
+        @o
+      end
+
+      def close_io(dirs)
+        @o.close if dirs.include?(:read) && !@o.closed?
+        @i.close if dirs.include?(:write) && !@i.closed?
+      end
+
+      def normalize_argv(argv, opts)
+        # XXX(david942j): Set personality on child process will be better than using setarch
+        pre_cmd = opts[:aslr] ? '' : "setarch #{`uname -m`.strip} -R "
+        pre_cmd = pre_cmd.split if argv.is_a?(Array)
+        Array(pre_cmd + argv)
+      end
+
+      def create_pipe(opts)
+        if [opts[:in], opts[:out]].include?(:pty)
+          # Require only when we need it.
+          # This prevents broken on Windows, which has no pty support.
+          require 'io/console'
+          require 'pty'
+          mpty, spty = PTY.open
+          mpty.raw! if opts[:raw]
+        end
+        @o, slave_o = pipe(opts[:out], mpty, spty)
+        slave_i, @i = pipe(opts[:in], spty, mpty)
+        [slave_i, slave_o]
+      end
+
+      # @return [(IO, IO)]
+      #   IO pair.
+      def pipe(type, mst, slv)
+        case type
+        when :pipe then IO.pipe
+        when :pty then [mst, slv]
+        end
+      end
+
+      def send_raw(data)
+        @i.write(data)
+      rescue Errno::EIO, Errno::EPIPE, IOError
+        raise ::Pwnlib::Errors::EndOfTubeError
+      end
+
+      def recv_raw(size)
+        o, = IO.select([@o], [], [], @timeout)
+        return if o.nil?
+        @o.readpartial(size)
+      rescue Errno::EIO, Errno::EPIPE, IOError
+        raise ::Pwnlib::Errors::EndOfTubeError
+      end
+
+      def timeout_raw=(timeout)
+        @timeout = timeout
+      end
+    end
+  end
+end

data/lib/pwnlib/tubes/serialtube.rb

@@ -0,0 +1,112 @@
+# encoding: ASCII-8BIT
+
+require 'rubyserial'
+
+require 'pwnlib/tubes/tube'
+
+module Pwnlib
+  module Tubes
+    # @!macro [new] raise_eof
+    #   @raise [Pwnlib::Errors::EndOfTubeError]
+    #     If the request is not satisfied when all data is received.
+
+    # Serial Connections
+    class SerialTube < Tube
+      # Instantiate a {Pwnlib::Tubes::SerialTube} object.
+      #
+      # @param [String] port
+      #   A device name for rubyserial to open, e.g. /dev/ttypUSB0
+      # @param [Integer] baudrate
+      #   Baud rate.
+      # @param [Boolean] convert_newlines
+      #   If +true+, convert any +context.newline+s to +"\\r\\n"+ before
+      #   sending to remote. Has no effect on bytes received.
+      # @param [Integer] bytesize
+      #   Serial character byte size. The '8' in '8N1'.
+      # @param [Symbol] parity
+      #   Serial character parity. The 'N' in '8N1'.
+      def initialize(port = nil, baudrate: 115_200,
+                     convert_newlines: true,
+                     bytesize: 8, parity: :none)
+        super()
+
+        # go hunting for a port
+        port ||= Dir.glob('/dev/tty.usbserial*').first
+        port ||= '/dev/ttyUSB0'
+
+        @convert_newlines = convert_newlines
+        @conn = Serial.new(port, baudrate, bytesize, parity)
+        @serial_timer = Timer.new
+      end
+
+      # Closes the active connection
+      def close
+        @conn.close if @conn && !@conn.closed?
+        @conn = nil
+      end
+
+      # Implementation of the methods required for tube
+      private
+
+      # Gets bytes over the serial connection until some bytes are received, or
+      # +@timeout+ has passed. It is an error for it to return no data in less
+      # than +@timeout+ seconds. It is ok for it to return some data in less
+      # time.
+      #
+      # @param [Integer] numbytes
+      #   An upper limit on the number of bytes to get.
+      #
+      # @return [String]
+      #   A string containing read bytes.
+      #
+      # @!macro raise_eof
+      def recv_raw(numbytes)
+        raise ::Pwnlib::Errors::EndOfTubeError if @conn.nil?
+
+        @serial_timer.countdown do
+          data = ''
+          begin
+            while @serial_timer.active?
+              data += @conn.read(numbytes - data.length)
+              break unless data.empty?
+              sleep 0.1
+            end
+            # XXX(JonathanBeverley): should we reverse @convert_newlines here?
+            return data
+          rescue RubySerial::Error
+            close
+            raise ::Pwnlib::Errors::EndOfTubeError
+          end
+        end
+      end
+
+      # Sends bytes over the serial connection. This call will block until all the bytes are sent or an error occurs.
+      #
+      # @param [String] data
+      #   A string of the bytes to send.
+      #
+      # @return [Integer]
+      #   The number of bytes successfully written.
+      #
+      # @!macro raise_eof
+      def send_raw(data)
+        raise ::Pwnlib::Errors::EndOfTubeError if @conn.nil?
+
+        data.gsub!(context.newline, "\r\n") if @convert_newlines
+        begin
+          return @conn.write(data)
+        rescue RubySerial::Error
+          close
+          raise ::Pwnlib::Errors::EndOfTubeError
+        end
+      end
+
+      # Sets the +timeout+ to use for subsequent +recv_raw+ calls.
+      #
+      # @param [Float] timeout
+      def timeout_raw=(timeout)
+        @serial_timer.timeout = timeout
+      end
+    end
+  end
+end