<%
from pwnlib.util import lists, packing, fiddling
from pwnlib.shellcraft import pretty, okay
%>
<%page args="string, append_null = True"/>
<%docstring>
Pushes a string onto the stack; the emitted machine code contains
no null bytes or newline characters.
Example:
>>> print shellcraft.i386.pushstr('').rstrip()
/* push '\x00' */
push 1
dec byte ptr [esp]
>>> print shellcraft.i386.pushstr('a').rstrip()
/* push 'a\x00' */
push 0x61
>>> print shellcraft.i386.pushstr('aa').rstrip()
/* push 'aa\x00' */
push 0x1010101
xor dword ptr [esp], 0x1016060
>>> print shellcraft.i386.pushstr('aaa').rstrip()
/* push 'aaa\x00' */
push 0x1010101
xor dword ptr [esp], 0x1606060
>>> print shellcraft.i386.pushstr('aaaa').rstrip()
/* push 'aaaa\x00' */
push 1
dec byte ptr [esp]
push 0x61616161
>>> print shellcraft.i386.pushstr('aaaaa').rstrip()
/* push 'aaaaa\x00' */
push 0x61
push 0x61616161
>>> print shellcraft.i386.pushstr('aaaa', append_null = False).rstrip()
/* push 'aaaa' */
push 0x61616161
>>> print shellcraft.i386.pushstr('\xc3').rstrip()
/* push '\xc3\x00' */
push 0x1010101
xor dword ptr [esp], 0x10101c2
>>> print shellcraft.i386.pushstr('\xc3', append_null = False).rstrip()
/* push '\xc3' */
push -0x3d
>>> with context.local():
... context.arch = 'i386'
... print enhex(asm(shellcraft.pushstr("/bin/sh")))
68010101018134242e726901682f62696e
>>> with context.local():
... context.arch = 'i386'
... print enhex(asm(shellcraft.pushstr("")))
6a01fe0c24
>>> with context.local():
... context.arch = 'i386'
... print enhex(asm(shellcraft.pushstr("\x00", False)))
6a01fe0c24
Args:
string (str): The string to push.
append_null (bool): Whether to append a single NULL-byte before pushing.
</%docstring>
<%
    # Keep the caller's value for the human-readable comment emitted below;
    # the data actually pushed is the packed byte form (the isinstance check
    # suggests packing.flat() also accepts non-str inputs - verify there).
    original = string
    string = packing.flat(string)

    # Terminate the pushed data so it is a C string on the stack.
    if append_null:
        string += '\x00'
        if isinstance(original, str):
            original += '\x00'

    # Nothing to emit: only reachable with an empty string and
    # append_null = False.
    if not string:
        return

    # The last (top-most) word is padded to 4 bytes with `extend`. Padding
    # with 0xff when the final byte is >= 0x80 lets that word be emitted as
    # a one-byte sign-extended `push imm8` (see the '\xc3' doctest:
    # `push -0x3d`).
    # NOTE(review): with append_null = False the padding that lands on the
    # stack is therefore 0xff, not 0x00 - callers relying on a terminator
    # must keep append_null.
    if ord(string[-1]) >= 128:
        extend = '\xff'
    else:
        extend = '\x00'
%>\
/* push ${pretty(original, False)} */
## Split into 4-byte words and push them last-first so the string ends up
## in byte order with its start at the top of the stack.
% for word in lists.group(4, string, 'fill', extend)[::-1]:
<%
    sign = packing.u32(word, endian='little', sign='signed')
%>\
## `push 0` / `push 0xa` would encode a null / newline byte in the immediate;
## push the successor and decrement the low byte in place instead.
% if sign in [0, 0xa]:
push ${pretty(sign + 1)}
dec byte ptr [esp]
## Fits a sign-extended imm8 and the single encoded byte passes okay()
## (presumably the null/newline check - only word[0] reaches the encoding).
% elif -0x80 <= sign <= 0x7f and okay(word[0]):
push ${pretty(sign)}
## All four encoded bytes are acceptable: plain imm32 push.
% elif okay(word):
push ${pretty(sign)}
## Otherwise push a and xor in b, where a ^ b == word and neither operand
## contains a null or newline byte (see the 'aa' doctest).
% else:
<%
    a,b = fiddling.xor_pair(word, avoid = '\x00\n')
    a = packing.u32(a, endian='little', sign='unsigned')
    b = packing.u32(b, endian='little', sign='unsigned')
%>\
push ${pretty(a)}
xor dword ptr [esp], ${pretty(b)}
% endif
% endfor