pwnlib.shellcraft.thumb
— Shellcode for Thumb Mode¶
pwnlib.shellcraft.thumb
¶
Shellcraft module containing generic thumb little endian shellcodes.
-
pwnlib.shellcraft.thumb.
crash
()[source]¶ Crash.
Example
>>> run_assembly(shellcraft.crash()).poll(True) < 0 True
-
pwnlib.shellcraft.thumb.
itoa
(v, buffer='sp', allocate_stack=True)[source]¶ Converts an integer into its string representation, and pushes it onto the stack. Uses registers r0-r5.
Parameters: Example
>>> sc = shellcraft.thumb.mov('r0', 0xdeadbeef) >>> sc += shellcraft.thumb.itoa('r0') >>> sc += shellcraft.thumb.linux.write(1, 'sp', 32) >>> run_assembly(sc).recvuntil('\x00') '3735928559\x00'
-
pwnlib.shellcraft.thumb.
memcpy
(dest, src, n)[source]¶ Copies memory.
Parameters: - dest – Destination address
- src – Source address
- n – Number of bytes
-
pwnlib.shellcraft.thumb.
mov
(dst, src)[source]¶ Returns THUMB code for moving the specified source value into the specified destination register.
If src is a string that is not a register, then it will locally set context.arch to ‘thumb’ and use
pwnlib.constants.eval()
to evaluate the string. Note that this means that this shellcode can change behavior depending on the value of context.os.Example
>>> print shellcraft.thumb.mov('r1','r2').rstrip() mov r1, r2 >>> print shellcraft.thumb.mov('r1', 0).rstrip() eor r1, r1 >>> print shellcraft.thumb.mov('r1', 10).rstrip() mov r1, #0xa + 1 sub r1, r1, 1 >>> print shellcraft.thumb.mov('r1', 17).rstrip() mov r1, #0x11 >>> print shellcraft.thumb.mov('r1', 'r1').rstrip() /* moving r1 into r1, but this is a no-op */ >>> print shellcraft.thumb.mov('r1', 512).rstrip() mov r1, #0x200 >>> print shellcraft.thumb.mov('r1', 0x10000001).rstrip() mov r1, #(0x10000001 >> 28) lsl r1, #28 add r1, #(0x10000001 & 0xff) >>> print shellcraft.thumb.mov('r1', 0xdead0000).rstrip() mov r1, #(0xdead0000 >> 25) lsl r1, #(25 - 16) add r1, #((0xdead0000 >> 16) & 0xff) lsl r1, #16 >>> print shellcraft.thumb.mov('r1', 0xdead00ff).rstrip() ldr r1, value_... b value_..._after value_...: .word 0xdead00ff value_..._after: >>> with context.local(os = 'linux'): ... print shellcraft.thumb.mov('r1', 'SYS_execve').rstrip() mov r1, #SYS_execve /* 0xb */ >>> with context.local(os = 'freebsd'): ... print shellcraft.thumb.mov('r1', 'SYS_execve').rstrip() mov r1, #SYS_execve /* 0x3b */ >>> with context.local(os = 'linux'): ... print shellcraft.thumb.mov('r1', 'PROT_READ | PROT_WRITE | PROT_EXEC').rstrip() mov r1, #(PROT_READ | PROT_WRITE | PROT_EXEC) /* 7 */
-
pwnlib.shellcraft.thumb.
popad
()[source]¶ Pop all of the registers onto the stack which i386 popad does, in the same order.
-
pwnlib.shellcraft.thumb.
push
(value)[source]¶ Pushes a value onto the stack without using null bytes or newline characters.
If src is a string, then we try to evaluate with context.arch = ‘thumb’ using
pwnlib.constants.eval()
before determining how to push it. Note that this means that this shellcode can change behavior depending on the value of context.os.Parameters: value (int,str) – The value or register to push Example
>>> print pwnlib.shellcraft.thumb.push('r0').rstrip() push {r0} >>> print pwnlib.shellcraft.thumb.push(0).rstrip() /* push 0 */ eor r7, r7 push {r7} >>> print pwnlib.shellcraft.thumb.push(1).rstrip() /* push 1 */ mov r7, #1 push {r7} >>> print pwnlib.shellcraft.thumb.push(256).rstrip() /* push 256 */ mov r7, #0x100 push {r7} >>> print pwnlib.shellcraft.thumb.push('SYS_execve').rstrip() /* push 'SYS_execve' */ mov r7, #0xb push {r7} >>> with context.local(os = 'freebsd'): ... print pwnlib.shellcraft.thumb.push('SYS_execve').rstrip() /* push 'SYS_execve' */ mov r7, #0x3b push {r7}
-
pwnlib.shellcraft.thumb.
pushad
()[source]¶ Push all of the registers onto the stack which i386 pushad does, in the same order.
-
pwnlib.shellcraft.thumb.
pushstr
(string, append_null=True, register='r7')[source]¶ Pushes a string onto the stack without using null bytes or newline characters.
Parameters: Examples:
Note that this doctest has two possibilities for the first result, depending on your version of binutils.
>>> enhex(asm(shellcraft.pushstr('Hello\nWorld!', True))) in [ ... '87ea070780b4dff8047001e0726c642180b4dff8047001e06f0a576f80b4dff8047001e048656c6c80b4', ... '87ea070780b4dff8067000f002b8726c642180b4dff8047000f002b86f0a576f80b4014f00f002b848656c6c80b4'] True >>> print shellcraft.pushstr('abc').rstrip() /* push 'abc\x00' */ ldr r7, value_... b value_..._after value_...: .word 0xff636261 value_..._after: lsl r7, #8 lsr r7, #8 push {r7} >>> print enhex(asm(shellcraft.pushstr('\x00', False))) 87ea070780b4
-
pwnlib.shellcraft.thumb.
pushstr_array
(reg, array)[source]¶ Pushes an array/envp-style array of pointers onto the stack.
Parameters:
-
pwnlib.shellcraft.thumb.
ret
(return_value=None)[source]¶ A single-byte RET instruction.
Parameters: return_value – Value to return
-
pwnlib.shellcraft.thumb.
setregs
(reg_context, stack_allowed=True)[source]¶ Sets multiple registers, taking any register dependencies into account (i.e., given eax=1,ebx=eax, set ebx first).
Parameters: Example
>>> print shellcraft.setregs({'r0':1, 'r2':'r3'}).rstrip() mov r0, #1 mov r2, r3 >>> print shellcraft.setregs({'r0':'r1', 'r1':'r0', 'r2':'r3'}).rstrip() mov r2, r3 eor r0, r0, r1 /* xchg r0, r1 */ eor r1, r0, r1 eor r0, r0, r1
-
pwnlib.shellcraft.thumb.
udiv_10
(N)[source]¶ Divides r0 by 10. Result is stored in r0, N and Z flags are updated.
- Code is from generated from here:
- https://raw.githubusercontent.com/rofirrim/raspberry-pi-assembler/master/chapter15/magic.py
- With code:
- python magic.py 10 code_for_unsigned
pwnlib.shellcraft.thumb.linux
¶
Shellcraft module containing THUMB shellcodes for Linux.
-
pwnlib.shellcraft.thumb.linux.
bindsh
(port, network)[source]¶ Listens on a TCP port and spawns a shell for the first to connect. Port is the TCP port to listen on, network is either ‘ipv4’ or ‘ipv6’.
-
pwnlib.shellcraft.thumb.linux.
cat
(filename, fd=1)[source]¶ Opens a file and writes its contents to the specified file descriptor.
Example
>>> f = tempfile.mktemp() >>> write(f, 'FLAG\n') >>> run_assembly(shellcraft.arm.to_thumb()+shellcraft.thumb.linux.cat(f)).recvline() 'FLAG\n'
-
pwnlib.shellcraft.thumb.linux.
connect
(host, port, network='ipv4')[source]¶ Connects to the host on the specified port. Network is either ‘ipv4’ or ‘ipv6’. Leaves the connected socket in R6.
-
pwnlib.shellcraft.thumb.linux.
connectstager
(host, port, network='ipv4')[source]¶ connect recvsize stager :param host, where to connect to: :param port, which port to connect to: :param network, ipv4 or ipv6? (default: ipv4)
-
pwnlib.shellcraft.thumb.linux.
dup
(sock='r6')[source]¶ Args: [sock (imm/reg) = r6] Duplicates sock to stdin, stdout and stderr
-
pwnlib.shellcraft.thumb.linux.
dupsh
(sock='r6')[source]¶ Args: [sock (imm/reg) = ebp] Duplicates sock to stdin, stdout and stderr and spawns a shell.
-
pwnlib.shellcraft.thumb.linux.
echo
(string, sock='1')[source]¶ Writes a string to a file descriptor
Example
>>> run_assembly(shellcraft.echo('hello\n', 1)).recvline() 'hello\n'
-
pwnlib.shellcraft.thumb.linux.
findpeer
(port)[source]¶ Finds a connected socket. If port is specified it is checked against the peer port. Resulting socket is left in r6.
-
pwnlib.shellcraft.thumb.linux.
findpeersh
(port)[source]¶ Finds a connected socket. If port is specified it is checked against the peer port. A dup2 shell is spawned on it.
-
pwnlib.shellcraft.thumb.linux.
findpeerstager
(port=None)[source]¶ Findpeer recvsize stager :param port, the port given to findpeer: :type port, the port given to findpeer: defaults to any
-
pwnlib.shellcraft.thumb.linux.
forkexit
()[source]¶ Attempts to fork. If the fork is successful, the parent exits.
-
pwnlib.shellcraft.thumb.linux.
killparent
()[source]¶ Kills its parent process until whatever the parent is (probably init) cannot be killed any longer.
-
pwnlib.shellcraft.thumb.linux.
listen
(port, network)[source]¶ Listens on a TCP port, accept a client and leave his socket in r6. Port is the TCP port to listen on, network is either ‘ipv4’ or ‘ipv6’.
-
pwnlib.shellcraft.thumb.linux.
loader
(address)[source]¶ Loads a statically-linked ELF into memory and transfers control.
Parameters: address (int) – Address of the ELF as a register or integer.
-
pwnlib.shellcraft.thumb.linux.
loader_append
(data=None)[source]¶ Loads a statically-linked ELF into memory and transfers control.
Similar to loader.asm but loads an appended ELF.
Parameters: data (str) – If a valid filename, the data is loaded from the named file. Otherwise, this is treated as raw ELF data to append. If None
, it is ignored.Example:
The following doctest is commented out because it doesn’t work on Travis for reasons I cannot diagnose. However, it should work just fine :-)
# >>> gcc = process([‘arm-linux-gnueabihf-gcc’,’-xc’,’-static’,’-Wl,-Ttext-segment=0x20000000’,’-‘]) # >>> gcc.write(‘’’ # … int main() { # … printf(“Hello, %s!\n”, “world”); # … } # … ‘’‘) # >>> gcc.shutdown(‘send’) # >>> gcc.poll(True) # 0 # >>> sc = shellcraft.loader_append(‘a.out’) # >>> run_assembly(sc).recvline() # ‘Hello, world!n’
-
pwnlib.shellcraft.thumb.linux.
readfile
(path, dst='r6')[source]¶ Args: [path, dst (imm/reg) = r6 ] Opens the specified file path and sends its content to the specified file descriptor. Leaves the destination file descriptor in r6 and the input file descriptor in r5.
-
pwnlib.shellcraft.thumb.linux.
readn
(fd, buf, nbytes)[source]¶ Reads exactly nbytes bytes from file descriptor fd into the buffer buf.
Parameters: - fd (int) – fd
- buf (void) – buf
- nbytes (size_t) – nbytes
-
pwnlib.shellcraft.thumb.linux.
recvsize
(sock, reg='r1')[source]¶ Recives 4 bytes size field Useful in conjuncion with findpeer and stager :param sock, the socket to read the payload from.: :param reg, the place to put the size: :type reg, the place to put the size: default ecx
Leaves socket in ebx
-
pwnlib.shellcraft.thumb.linux.
sh
()[source]¶ Execute a different process.
>>> p = run_assembly(shellcraft.thumb.linux.sh()) >>> p.sendline('echo Hello') >>> p.recv() 'Hello\n'
-
pwnlib.shellcraft.thumb.linux.
stage
(fd=0, length=None)[source]¶ Migrates shellcode to a new buffer.
Parameters: Example
>>> p = run_assembly(shellcraft.stage()) >>> sc = asm(shellcraft.echo("Hello\n", constants.STDOUT_FILENO)) >>> p.pack(len(sc)) >>> p.send(sc) >>> p.recvline() 'Hello\n'
-
pwnlib.shellcraft.thumb.linux.
stager
(sock, size)[source]¶ Read ‘size’ bytes from ‘sock’ and place them in an executable buffer and jump to it. The socket will be left in r6.
-
pwnlib.shellcraft.thumb.linux.
syscall
(syscall=None, arg0=None, arg1=None, arg2=None, arg3=None, arg4=None, arg5=None, arg6=None)[source]¶ - Args: [syscall_number, *args]
- Does a syscall
Any of the arguments can be expressions to be evaluated by
pwnlib.constants.eval()
.Example
>>> print shellcraft.thumb.linux.syscall(11, 1, 'sp', 2, 0).rstrip() /* call syscall(11, 1, 'sp', 2, 0) */ mov r0, #1 mov r1, sp mov r2, #2 eor r3, r3 mov r7, #0xb svc 0x41 >>> print shellcraft.thumb.linux.syscall('SYS_exit', 0).rstrip() /* call exit(0) */ eor r0, r0 mov r7, #SYS_exit /* 1 */ svc 0x41 >>> print pwnlib.shellcraft.open('/home/pwn/flag').rstrip() /* open(file='/home/pwn/flag', oflag=0, mode=0) */ /* push '/home/pwn/flag\x00' */ mov r7, #(0x6761 >> 8) lsl r7, #8 add r7, #(0x6761 & 0xff) push {r7} ldr r7, value_... b value_..._after value_...: .word 0x6c662f6e value_..._after: push {r7} ldr r7, value_... b value_..._after value_...: .word 0x77702f65 value_..._after: push {r7} ldr r7, value_... b value_..._after value_...: .word 0x6d6f682f value_..._after: push {r7} mov r0, sp eor r1, r1 eor r2, r2 /* call open() */ mov r7, #SYS_open /* 5 */ svc 0x41