 def __init__(self, name, target, args, abi=None):
     """Record one call to be emitted into a ROP chain.

     Arguments:
         name(str): label for this call; must be a ``str``.
         target: value the call jumps to. Its type is intentionally not
             checked (the assertion is left commented out).
         args(list, tuple): call arguments. Plain ``int``/``long`` values
             and ``Unresolved`` placeholders are kept as-is; anything else
             is wrapped in ``AppendedArgument`` (presumably so its data is
             emitted elsewhere in the chain and referenced by address).
         abi(ABI): calling convention; a falsy value selects
             ``ABI.default()``.

     Raises:
         AssertionError: if ``name`` is not a ``str`` or ``args`` is not a
             list or tuple.
     """
     assert isinstance(name, str)
     # assert isinstance(target, int)
     assert isinstance(args, (list, tuple))
     self.abi = abi or ABI.default()
     self.name = name
     self.target = target
     # Build a fresh list so the caller's sequence is never mutated; the
     # type tuple is evaluated per element, exactly as the original loop did.
     self.args = [
         arg if isinstance(arg, (int, long, Unresolved)) else AppendedArgument(arg)
         for arg in args
     ]
 def __init__(self, name, target, args, abi=None):
     """Record one call to be emitted into a ROP chain.

     Arguments:
         name(str): label for this call; must be a ``str``.
         target: value the call jumps to. Its type is intentionally not
             checked (the assertion is left commented out).
         args(list, tuple): call arguments. Integers (any of
             ``six.integer_types``) and ``Unresolved`` placeholders are kept
             as-is; anything else is wrapped in ``AppendedArgument``
             (presumably so its data is emitted elsewhere in the chain and
             referenced by address).
         abi(ABI): calling convention; a falsy value selects
             ``ABI.default()``.

     Raises:
         AssertionError: if ``name`` is not a ``str`` or ``args`` is not a
             list or tuple.
     """
     assert isinstance(name, str)
     # assert isinstance(target, six.integer_types)
     assert isinstance(args, (list, tuple))
     self.abi = abi or ABI.default()
     self.name = name
     self.target = target

     def wrap(arg):
         # Literal integers and unresolved symbols pass straight through.
         if isinstance(arg, six.integer_types + (Unresolved,)):
             return arg
         return AppendedArgument(arg)

     # A new list is built so the caller's sequence is never mutated.
     self.args = list(map(wrap, args))
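        def __call__(self,
                     id: Union[int, str],
                     args: list,
                     ret: bool = False) -> None:
            '''Making system calls without the massive overhead of SIGROP
            >>> context.arch = 'amd64'
            >>> r = ROP('./binary')
            >>> r.system_call(0x3b, ['/bin/sh', 0, 0])
            >>> print(r.dump())
            0x0000:         0x41e4af pop rax; ret
            0x0008:             0x3b
            0x0010:         0x44a309 pop rdx; pop rsi; ret
            0x0018:              0x0 [arg2] rdx = 0
            0x0020:              0x0 [arg1] rsi = 0
            0x0028:         0x401696 pop rdi; ret
            0x0030:             0x40 [arg0] rdi = AppendedArgument(['/bin/sh'], 0x0)
            0x0038:         0x4022b4 syscall
            0x0040:   b'/bin/sh\x00'

            Arguments:
                `id`: integer syscall number OR string identifier for the syscall
                    if int: integer is used directly as register value for syscall
                    if str: The syscall number will be resolved with `pwnlib.constants`.
                `args`: arguments to the syscall. Any list or tuple is accepted;
                    the resolved syscall number is prepended as argument 0.
                `ret`: Specifically use a 'syscall; ret' gadget for syscalls (instead of 'syscall')
                    `ret` WILL NOT WORK unless you have the dev version of pwntools installed.

            Returns:
                Nothing. Will raise errors if things go wrong.

            Raises:
                NotImplementedError: `ret` was requested but the installed
                    pwntools is older than 4.4.0dev0.
                AttributeError: no syscall gadget could be located.
            '''
            # get the syscall gadget
            if ret:
                # The 'syscall; ret' lookup below is only meaningful on
                # pwntools >= 4.4.0dev0, so refuse early on older releases.
                if parse_version(PWNLIB_VER) < parse_version('4.4.0dev0'):
                    raise NotImplementedError(
                        '"syscall; ret" gadgets are only available on the '
                        'latest version of pwntools.')
                # pwnlib.rop.srop.syscall_instructions == {'amd64': ['syscall'], 'arm': ['svc 0'], ...}
                syscall = self.rop.find_gadget(
                    [rop.srop.syscall_instructions[context.arch][0], 'ret'])
            else:  # Can lazily use ROP's __getattr__ here
                syscall = self.rop.syscall
            if syscall is None:
                raise AttributeError("ROP unable to find syscall gadget")

            # write the syscall
            # self.label() returns the numeric syscall id and the label shown
            # in dump(); a separate name avoids rebinding the `id` parameter.
            number, label = self.label(id)
            # list(args) lets callers pass a tuple, which is what Call.__init__
            # itself accepts (it asserts list-or-tuple); a list input is
            # handled exactly as before.
            self.rop.raw(
                Call(label, syscall.address, [number] + list(args), ABI.syscall()))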
 def syscall_register(self):
     """Name of the register that carries the system-call number.

     Taken from the syscall ABI selected by ``self.arch``.
     """
     syscall_abi = ABI.syscall(arch=self.arch)
     return syscall_abi.syscall_register
 def arguments(self):
     """Registers that carry system-call arguments, in positional order.

     The first register of the syscall ABI holds the call number, so it is
     dropped from the returned sequence.
     """
     regs = ABI.syscall(arch=self.arch).register_arguments
     return regs[1:]
 def syscall_register(self):
     """Return the register that holds the system-call number for ``self.arch``."""
     # The syscall ABI knows which register receives the call number.
     abi = ABI.syscall(arch=self.arch)
     reg = abi.syscall_register
     return reg
 def arguments(self):
     """Return the argument registers of the syscall ABI for ``self.arch``.

     The ABI lists the syscall-number register first; only the registers
     after it are returned.
     """
     abi = ABI.syscall(arch=self.arch)
     _number_reg, *arg_regs = abi.register_arguments
     return arg_regs