/
syscall.asm
115 lines (110 loc) · 3.71 KB
/
syscall.asm
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
<%
from pwnlib.shellcraft import i386, pretty
from pwnlib.constants import Constant
from pwnlib.abi import linux_i386_syscall as abi
from six import text_type
%>
<%page args="syscall = None, arg0 = None, arg1 = None, arg2 = None, arg3 = None, arg4 = None, arg5 = None"/>
<%docstring>
Args: [syscall_number, \*args]
Does a syscall
Any of the arguments can be expressions to be evaluated by :func:`pwnlib.constants.eval`.
Example:
>>> print(pwnlib.shellcraft.i386.linux.syscall('SYS_execve', 1, 'esp', 2, 0).rstrip())
/* call execve(1, 'esp', 2, 0) */
push SYS_execve /* 0xb */
pop eax
push 1
pop ebx
mov ecx, esp
push 2
pop edx
xor esi, esi
int 0x80
>>> print(pwnlib.shellcraft.i386.linux.syscall('SYS_execve', 2, 1, 0, 20).rstrip())
/* call execve(2, 1, 0, 0x14) */
push SYS_execve /* 0xb */
pop eax
push 2
pop ebx
push 1
pop ecx
push 0x14
pop esi
cdq /* edx=0 */
int 0x80
>>> print(pwnlib.shellcraft.i386.linux.syscall().rstrip())
/* call syscall() */
int 0x80
>>> print(pwnlib.shellcraft.i386.linux.syscall('eax', 'ebx', 'ecx').rstrip())
/* call syscall('eax', 'ebx', 'ecx') */
/* setregs noop */
int 0x80
>>> print(pwnlib.shellcraft.i386.linux.syscall('ebp', None, None, 1).rstrip())
/* call syscall('ebp', ?, ?, 1) */
mov eax, ebp
push 1
pop edx
int 0x80
>>> print(pwnlib.shellcraft.i386.linux.syscall(
... 'SYS_mmap2', 0, 0x1000,
... 'PROT_READ | PROT_WRITE | PROT_EXEC',
... 'MAP_PRIVATE | MAP_ANONYMOUS',
... -1, 0).rstrip())
/* call mmap2(0, 0x1000, 'PROT_READ | PROT_WRITE | PROT_EXEC', 'MAP_PRIVATE | MAP_ANONYMOUS', -1, 0) */
xor eax, eax
mov al, 0xc0
xor ebp, ebp
xor ebx, ebx
xor ecx, ecx
mov ch, 0x1000 >> 8
push -1
pop edi
push (PROT_READ | PROT_WRITE | PROT_EXEC) /* 7 */
pop edx
push (MAP_PRIVATE | MAP_ANONYMOUS) /* 0x22 */
pop esi
int 0x80
>>> print(pwnlib.shellcraft.open('/home/pwn/flag').rstrip())
/* open(file='/home/pwn/flag', oflag=0, mode=0) */
/* push b'/home/pwn/flag\x00' */
push 0x1010101
xor dword ptr [esp], 0x1016660
push 0x6c662f6e
push 0x77702f65
push 0x6d6f682f
mov ebx, esp
xor ecx, ecx
xor edx, edx
/* call open() */
push SYS_open /* 5 */
pop eax
int 0x80
</%docstring>
<%
if isinstance(syscall, (str, text_type, Constant)) and str(syscall).startswith('SYS_'):
syscall_repr = str(syscall)[4:] + "(%s)"
args = []
else:
syscall_repr = 'syscall(%s)'
if syscall is None:
args = ['?']
else:
args = [pretty(syscall, False)]
for arg in [arg0, arg1, arg2, arg3, arg4, arg5]:
if arg is None:
args.append('?')
else:
args.append(pretty(arg, False))
while args and args[-1] == '?':
args.pop()
syscall_repr = syscall_repr % ', '.join(args)
registers = abi.register_arguments
arguments = [syscall, arg0, arg1, arg2, arg3, arg4, arg5]
regctx = dict(zip(registers, arguments))
%>\
/* call ${syscall_repr} */
%if any(a is not None for a in arguments):
${i386.setregs(regctx)}
%endif
int 0x80