Skip to content
Permalink
Browse files

Fix encoder support for python3 (#1458)

  • Loading branch information
bet4it committed Mar 21, 2020
1 parent c517846 commit 5ddd0f4ba377a6edb0e1229a0e2dc9a7a2373802
@@ -5,21 +5,20 @@
:mod:`pwnlib.encoders` --- Encoding Shellcode
===============================================

.. automodule:: pwnlib.encoders
:members:

.. automodule:: pwnlib.encoders.encoder
:members:

.. automodule:: pwnlib.encoders.i386.xor
:members:

.. automodule:: pwnlib.encoders.amd64
.. automodule:: pwnlib.encoders.i386.delta
:members:

.. automodule:: pwnlib.encoders.arm
.. automodule:: pwnlib.encoders.amd64.delta
:members:

.. automodule:: pwnlib.encoders.i386
.. automodule:: pwnlib.encoders.arm.xor
:members:

.. automodule:: pwnlib.encoders.i386.xor
.. automodule:: pwnlib.encoders.mips.xor
:members:
@@ -80,8 +80,8 @@ def main(args):
parser.print_usage()
sys.exit(0)

data = sys.stdin.read()
output = data
stdin_buffer = getattr(sys.stdin, 'buffer', sys.stdin)
output = stdin_buffer.read()
fmt = args.format or ('hex' if tty else 'raw')
formatters = {'r':bytes, 'h':enhex, 's':repr}

@@ -5,19 +5,20 @@


class amd64DeltaEncoder(i386DeltaEncoder):
"""
r"""
amd64 encoder built on delta-encoding.
In addition to the loader stub, doubles the size of the shellcode.
>>> context.clear(arch='amd64')
>>> shellcode = asm(shellcraft.sh())
>>> avoid = '/bin/sh\x00'
>>> avoid = b'/bin/sh\x00'
>>> encoded = pwnlib.encoders.amd64.delta.encode(shellcode, avoid)
>>> assert not any(c in encoded for c in avoid)
>>> p = run_shellcode(encoded)
>>> p.sendline(b'echo hello; exit')
>>> p.recvline()
b'hello\n'
"""
assembly = '''
base:
@@ -39,7 +40,7 @@ class amd64DeltaEncoder(i386DeltaEncoder):
data:
'''
arch = 'amd64'
raw = 'H\x8d5\xf9\xff\xff\xffH\x83\xc6\x1a\xfcH\x89\xf7\xac\x93\xac(\xd8\xaa\x80\xeb\xacu\xf5'
raw = b'H\x8d5\xf9\xff\xff\xffH\x83\xc6\x1a\xfcH\x89\xf7\xac\x93\xac(\xd8\xaa\x80\xeb\xacu\xf5'
blacklist = set(raw)

encode = amd64DeltaEncoder()
@@ -15,7 +15,7 @@ class ArmXorEncoder(Encoder):
>>> context.clear(arch='arm')
>>> shellcode = asm(shellcraft.sh())
>>> avoid = 'binsh\x00\n'
>>> avoid = b'binsh\x00\n'
>>> encoded = pwnlib.encoders.arm.xor.encode(shellcode, avoid)
>>> assert not any(c in encoded for c in avoid)
>>> p = run_shellcode(encoded)
@@ -1,6 +1,7 @@
from __future__ import absolute_import
from __future__ import division

import six
import collections
from random import choice
from random import randint
@@ -41,7 +42,7 @@ class i386DeltaEncoder(Encoder):
Example:
>>> sc = pwnlib.encoders.i386.delta.encode('\xcc', '\x00\xcc')
>>> sc = pwnlib.encoders.i386.delta.encode(b'\xcc', b'\x00\xcc')
>>> e = ELF.from_bytes(sc)
>>> e.process().poll(True)
-5
@@ -50,36 +51,35 @@ class i386DeltaEncoder(Encoder):
arch = 'i386'
stub = None
terminator = 0xac
raw = '\xd9\xd0\xfc\xd9t$\xf4^\x83\xc6\x18\x89\xf7\xac\x93\xac(\xd8\xaa\x80\xeb\xacu\xf5'
raw = b'\xd9\xd0\xfc\xd9t$\xf4^\x83\xc6\x18\x89\xf7\xac\x93\xac(\xd8\xaa\x80\xeb\xacu\xf5'

blacklist = set(raw)

def __call__(self, bytes, avoid, pcreg=''):
def __call__(self, raw_bytes, avoid, pcreg=''):
table = collections.defaultdict(lambda: [])
endchar = ''
endchar = bytearray()

not_bad = lambda x: chr(x) not in avoid
not_bad = lambda x: six.int2byte(x) not in avoid
not_bad_or_term = lambda x: not_bad(x) and x != self.terminator

for i in filter(not_bad_or_term, range(0, 256)):
endchar += chr(i)
endchar.append(i)
for j in filter(not_bad, range(0, 256)):
table[(j - i) & 0xff].append(chr(i) + chr(j))
table[(j - i) & 0xff].append(bytearray([i, j]))

res = self.raw
res = bytearray(self.raw)

for c in bytes:
a = ord(c)
l = len(table[a])
for c in bytearray(raw_bytes):
l = len(table[c])
if l == 0:
print('No encodings for character %02x' % a)
print('No encodings for character %02x' % c)
return None

res += table[a][randint(0, l - 1)]
res += table[c][randint(0, l - 1)]

res += chr(self.terminator)
res += choice(endchar)
res.append(self.terminator)
res.append(choice(endchar))

return res
return bytes(res)

encode = i386DeltaEncoder()
@@ -26,74 +26,75 @@
from __future__ import absolute_import
from __future__ import division

import six
from pwnlib import asm
from pwnlib import shellcraft
from pwnlib.context import context
from pwnlib.encoders.encoder import Encoder
from pwnlib.util.fiddling import xor_key

decoders = {
'little': ''.join([
"SIZ2SIZ1\x0e\x24", # li t6,-5
"\x27\x70\xc0\x01", # nor t6,t6,zero
"\xa3\xff\x0b\x24", # li t3,-93
"\x26\x40\xce\x01", # xor t0,t6,t6
"\xff\xff\x08\x21", # addi t0,t0,-1
"\xff\xff\x10\x05", # bltzal t0,14 <next>
"\x82\x82\x08\x28", # slti t0,zero,-32126
"\xe2\xff\xfd\x23", # addi sp,ra,-30
"\x27\x58\x60\x01", # nor t3,t3,zero
"\x21\xc8\xeb\x03", # addu t9,ra,t3
"\x82\x82\x17\x28", # slti s7,zero,-32126
"\xfc\xff\x31\x8f", # lw s1,-4(t9)
"\xfb\xff\x0c\x24", # li t4,-5
"\x27\x60\x80\x01", # nor t4,t4,zero
"\xfd\xff\x8f\x21", # addi t7,t4,-3
"\xfc\xff\x28\x8f", # lw t0,-4(t9)
"\x21\xb8\xef\x02", # addu s7,s7,t7
"\x26\x18\x11\x01", # xor v1,t0,s1
"\x2b\xf0\xee\x02", # sltu s8,s7,t6
"\xfc\xff\x23\xaf", # sw v1,-4(t9)
"\xfa\xff\x1e\x14", # bne zero,s8,3c <loop>
"\x21\xc8\x2c\x03", # addu t9,t9,t4
"\xfd\xff\x86\x21", # addi a2,t4,-3
"\xf8\xff\xa6\xaf", # sw a2,-8(sp)
"\x26\x28\xce\x01", # xor a1,t6,t6
"\xfc\xff\xa5\xaf", # sw a1,-4(sp)
"\xf8\xff\xa4\x27", # addiu a0,sp,-8
"\x46\x10\x02\x24", # li v0,4166
"\x0c\x54\x4a\x01" # syscall 0x52950
'little': b''.join([
b'SIZ2SIZ1\x0e\x24', # li t6,-5
b'\x27\x70\xc0\x01', # nor t6,t6,zero
b'\xa3\xff\x0b\x24', # li t3,-93
b'\x26\x40\xce\x01', # xor t0,t6,t6
b'\xff\xff\x08\x21', # addi t0,t0,-1
b'\xff\xff\x10\x05', # bltzal t0,14 <next>
b'\x82\x82\x08\x28', # slti t0,zero,-32126
b'\xe2\xff\xfd\x23', # addi sp,ra,-30
b'\x27\x58\x60\x01', # nor t3,t3,zero
b'\x21\xc8\xeb\x03', # addu t9,ra,t3
b'\x82\x82\x17\x28', # slti s7,zero,-32126
b'\xfc\xff\x31\x8f', # lw s1,-4(t9)
b'\xfb\xff\x0c\x24', # li t4,-5
b'\x27\x60\x80\x01', # nor t4,t4,zero
b'\xfd\xff\x8f\x21', # addi t7,t4,-3
b'\xfc\xff\x28\x8f', # lw t0,-4(t9)
b'\x21\xb8\xef\x02', # addu s7,s7,t7
b'\x26\x18\x11\x01', # xor v1,t0,s1
b'\x2b\xf0\xee\x02', # sltu s8,s7,t6
b'\xfc\xff\x23\xaf', # sw v1,-4(t9)
b'\xfa\xff\x1e\x14', # bne zero,s8,3c <loop>
b'\x21\xc8\x2c\x03', # addu t9,t9,t4
b'\xfd\xff\x86\x21', # addi a2,t4,-3
b'\xf8\xff\xa6\xaf', # sw a2,-8(sp)
b'\x26\x28\xce\x01', # xor a1,t6,t6
b'\xfc\xff\xa5\xaf', # sw a1,-4(sp)
b'\xf8\xff\xa4\x27', # addiu a0,sp,-8
b'\x46\x10\x02\x24', # li v0,4166
b'\x0c\x54\x4a\x01' # syscall 0x52950
]),
'big': ''.join([
"\x24\x0eSIZ1SIZ2", # li t6,-5
"\x01\xc0\x70\x27", # nor t6,t6,zero
"\x24\x0b\xff\xa3", # li t3,-93
"\x01\xce\x40\x26", # xor t0,t6,t6
"\x21\x08\xff\xff", # addi t0,t0,-1
"\x05\x10\xff\xff", # bltzal t0,14 <next>
"\x28\x08\x82\x82", # slti t0,zero,-32126
"\x23\xfd\xff\xe2", # addi sp,ra,-30
"\x01\x60\x58\x27", # nor t3,t3,zero
"\x03\xeb\xc8\x21", # addu t9,ra,t3
"\x28\x17\x82\x82", # slti s7,zero,-32126
"\x8f\x31\xff\xfc", # lw s1,-4(t9)
"\x24\x0c\xff\xfb", # li t4,-5
"\x01\x80\x60\x27", # nor t4,t4,zero
"\x21\x8f\xff\xfd", # addi t7,t4,-3
"\x8f\x28\xff\xfc", # lw t0,-4(t9)
"\x02\xef\xb8\x21", # addu s7,s7,t7
"\x01\x11\x18\x26", # xor v1,t0,s1
"\x02\xee\xf0\x2b", # sltu s8,s7,t6
"\xaf\x23\xff\xfc", # sw v1,-4(t9)
"\x14\x1e\xff\xfa", # bne zero,s8,3c <loop>
"\x03\x2c\xc8\x21", # addu t9,t9,t4
"\x21\x86\xff\xfd", # addi a2,t4,-3
"\xaf\xa6\xff\xf8", # sw a2,-8(sp)
"\x01\xce\x28\x26", # xor a1,t6,t6
"\xaf\xa5\xff\xfc", # sw a1,-4(sp)
"\x27\xa4\xff\xf8", # addiu a0,sp,-8
"\x24\x02\x10\x46", # li v0,4166
"\x01\x4a\x54\x0c" # syscall 0x52950
'big': b''.join([
b'\x24\x0eSIZ1SIZ2', # li t6,-5
b'\x01\xc0\x70\x27', # nor t6,t6,zero
b'\x24\x0b\xff\xa3', # li t3,-93
b'\x01\xce\x40\x26', # xor t0,t6,t6
b'\x21\x08\xff\xff', # addi t0,t0,-1
b'\x05\x10\xff\xff', # bltzal t0,14 <next>
b'\x28\x08\x82\x82', # slti t0,zero,-32126
b'\x23\xfd\xff\xe2', # addi sp,ra,-30
b'\x01\x60\x58\x27', # nor t3,t3,zero
b'\x03\xeb\xc8\x21', # addu t9,ra,t3
b'\x28\x17\x82\x82', # slti s7,zero,-32126
b'\x8f\x31\xff\xfc', # lw s1,-4(t9)
b'\x24\x0c\xff\xfb', # li t4,-5
b'\x01\x80\x60\x27', # nor t4,t4,zero
b'\x21\x8f\xff\xfd', # addi t7,t4,-3
b'\x8f\x28\xff\xfc', # lw t0,-4(t9)
b'\x02\xef\xb8\x21', # addu s7,s7,t7
b'\x01\x11\x18\x26', # xor v1,t0,s1
b'\x02\xee\xf0\x2b', # sltu s8,s7,t6
b'\xaf\x23\xff\xfc', # sw v1,-4(t9)
b'\x14\x1e\xff\xfa', # bne zero,s8,3c <loop>
b'\x03\x2c\xc8\x21', # addu t9,t9,t4
b'\x21\x86\xff\xfd', # addi a2,t4,-3
b'\xaf\xa6\xff\xf8', # sw a2,-8(sp)
b'\x01\xce\x28\x26', # xor a1,t6,t6
b'\xaf\xa5\xff\xfc', # sw a1,-4(sp)
b'\x27\xa4\xff\xf8', # addiu a0,sp,-8
b'\x24\x02\x10\x46', # li v0,4166
b'\x01\x4a\x54\x0c' # syscall 0x52950
])
}

@@ -104,7 +105,7 @@ class MipsXorEncoder(Encoder):
>>> context.clear(arch='mips')
>>> shellcode = asm(shellcraft.sh())
>>> avoid = '/bin/sh\x00'
>>> avoid = b'/bin/sh\x00'
>>> encoded = pwnlib.encoders.mips.xor.encode(shellcode, avoid)
>>> assert not any(c in encoded for c in avoid)
>>> p = run_shellcode(encoded)
@@ -114,7 +115,7 @@ class MipsXorEncoder(Encoder):
"""

arch = 'mips'
blacklist = cannot_avoid = set(''.join(v for v in decoders.values()))
blacklist = cannot_avoid = set(b''.join(v for v in decoders.values()))

def __call__(self, raw_bytes, avoid, pcreg=''):

@@ -127,9 +128,9 @@ def __call__(self, raw_bytes, avoid, pcreg=''):
sizelo = size & 0xff
sizehi = size >> 8

decoder = str(decoders[context.endian])
decoder = decoder.replace('SIZ1', chr(sizehi))
decoder = decoder.replace('SIZ2', chr(sizelo))
decoder = decoders[context.endian]
decoder = decoder.replace(b'SIZ1', six.int2byte(sizehi))
decoder = decoder.replace(b'SIZ2', six.int2byte(sizelo))

key, data = xor_key(raw_bytes, avoid=avoid)

0 comments on commit 5ddd0f4

Please sign in to comment.
You can’t perform that action at this time.