Merge branch 'beta' into dev

docs/source/intro.rst

@@ -27,7 +27,7 @@ This exposes a standard interface to talk to processes, sockets, serial ports,
 and all manner of things, along with some nifty helpers for common tasks.
 For example, remote connections via :mod:`pwnlib.tubes.remote`.
 
-    >>> conn = remote('ftp.ubuntu.org',21)
+    >>> conn = remote('ftp.ubuntu.com',21)
     >>> conn.recvline() # doctest: +ELLIPSIS
     '220 ...'
     >>> conn.send('USER anonymous\r\n')

pwnlib/gdb.py

@@ -424,7 +424,7 @@ def debug(args, gdbscript=None, exe=None, ssh=None, env=None, sysroot=None, **kw
     else:
         qemu_port = random.randint(1024, 65535)
         qemu_user = qemu.user_path()
-        sysroot = sysroot or qemu.ld_prefix(env)
+        sysroot = sysroot or qemu.ld_prefix(env=env)
         if not qemu_user:
             log.error("Cannot debug %s binaries without appropriate QEMU binaries" % context.arch)
         args = [qemu_user, '-g', str(qemu_port)] + args

pwnlib/rop/rop.py

@@ -168,6 +168,21 @@
     0x0078:       'faabgaab' <pad 0x8>
     0x0080:       0x10000008 target
 
+Pwntools will also filter out some bad instructions while setting the registers
+( e.g. syscall, int 0x80... )
+
+    >>> assembly = 'syscall; pop rdx; pop rsi; ret ; pop rdi ; int 0x80; pop rsi; pop rdx; ret ; pop rdi ; ret'
+    >>> binary = ELF.from_assembly(assembly)
+    >>> rop = ROP(binary)
+    >>> rop.call(0xdeadbeef, [1, 2, 3])
+    >>> print rop.dump()
+    0x0000:       0x1000000b pop rdi; ret
+    0x0008:              0x1 [arg0] rdi = 1
+    0x0010:       0x10000008 pop rsi; pop rdx; ret
+    0x0018:              0x2 [arg1] rsi = 2
+    0x0020:              0x3 [arg2] rdx = 3
+    0x0028:       0xdeadbeef
+
 ROP + Sigreturn
 -----------------------
 
@@ -496,15 +511,20 @@ def setRegisters(self, registers):
 
         regset = set(registers)
 
+        bad_instructions = set(('syscall', 'sysenter', 'int 0x80'))
+
         # Collect all gadgets which use these registers
         # Also collect the "best" gadget for each combination of registers
         gadgets = []
         best_gadgets = {}
 
         for gadget in self.gadgets.values():
-            # Do not use gadgets which end in e.g. "int 0x80"
+            # Do not use gadgets which doesn't end with 'ret'
             if gadget.insns[-1] != 'ret':
                 continue
+            # Do not use gadgets which contain 'syscall' or 'int'
+            if set(gadget.insns) & bad_instructions:
+                continue
 
             touched = tuple(regset & set(gadget.regs))
 
@@ -513,10 +533,14 @@ def setRegisters(self, registers):
 
             old = best_gadgets.get(touched, gadget)
 
-            if old is gadget or old.move > gadget.move:
+            # if we have a new gadget for the touched registers, choose it
+            # if the new gadget requires less stack space, choose it
+            # if both gadgets require same stack space, choose the one with less instructions
+            if (old is gadget) \
+              or (old.move > gadget.move) \
+              or (old.move == gadget.move and len(old.insns) > len(gadget.insns)):
                 best_gadgets[touched] = gadget
 
-
         winner = None
         budget = 999999999
 

pwnlib/tubes/ssh.py

@@ -1995,7 +1995,7 @@ def _checksec_cache(self, value=None):
         if value is not None:
             with open(path, 'w+') as f:
                 f.write(value)
-        else:
+        elif os.path.exists(path):
             with open(path, 'r+') as f:
                 return f.read()
 

pwnlib/util/proc.py

@@ -246,6 +246,8 @@ def status(pid):
     try:
         with open('/proc/%d/status' % pid) as fd:
             for line in fd:
+                if ':' not in line:
+                    continue
                 i = line.index(':')
                 key = line[:i]
                 val = line[i + 2:-1] # initial :\t and trailing \n

setup.py

@@ -46,7 +46,7 @@
 install_requires     = ['paramiko>=1.15.2',
                         'mako>=1.0.0',
                         'pyelftools>=0.2.4',
-                        'capstone',
+                        'capstone>=3.0.5rc2', # See Gallopsled/pwntools#971, Gallopsled/pwntools#1160
                         'ropgadget>=5.3',
                         'pyserial>=2.7',
                         'requests>=2.0',
@@ -58,6 +58,7 @@
                         'packaging',
                         'psutil>=3.3.0',
                         'intervaltree',
+                        'sortedcontainers<2.0', # See Gallopsled/pwntools#1154
                         'unicorn']
 
 # Check that the user has installed the Python development headers