Merge branch 'stable' into beta

Gallopsled · Jun 30, 2020 · fcfce6c · fcfce6c
2 parents 21c7864 + 4c2fba6
commit fcfce6c
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 101 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -66,7 +66,13 @@ To be released on Jun 5, 2020.
 [fecf9f]: http://github.com/Gallopsled/pwntools/commit/fecf9f
 [1454]: https://github.com/Gallopsled/pwntools/pull/1454
 
-## 4.1.5 (`stable`)
+## 4.1.6 (`stable`)
+
+- [#1615][1615] Fix aarch64 pushstr and pushstr_array
+
+[1615]: https://github.com/Gallopsled/pwntools/pull/1454
+
+## 4.1.5
 
 - [#1517][1517] flat(..., filler=) is fixed for `str` values and Python2 `bytes`
 

diff --git a/pwnlib/shellcraft/templates/aarch64/pushstr.asm b/pwnlib/shellcraft/templates/aarch64/pushstr.asm
@@ -15,64 +15,19 @@ Args:
 
 Examples:
 
-    >>> print(shellcraft.pushstr("Hello!").rstrip())
-        /* push b'Hello!\x00' */
-        /* Set x14 = 36762444129608 = 0x216f6c6c6548 */
-        mov  x14, #25928
-        movk x14, #27756, lsl #16
-        movk x14, #8559, lsl #0x20
-        str x14, [sp, #-16]!
-    >>> print(shellcraft.pushstr("Hello, world!").rstrip())
-        /* push b'Hello, world!\x00' */
-        /* Set x14 = 8583909746840200520 = 0x77202c6f6c6c6548 */
-        mov  x14, #25928
-        movk x14, #27756, lsl #16
-        movk x14, #11375, lsl #0x20
-        movk x14, #30496, lsl #0x30
-        /* Set x15 = 143418749551 = 0x21646c726f */
-        mov  x15, #29295
-        movk x15, #25708, lsl #16
-        movk x15, #33, lsl #0x20
-        stp x14, x15, [sp, #-16]!
-    >>> print(shellcraft.pushstr("Hello, world, bienvenue").rstrip())
-        /* push b'Hello, world, bienvenue\x00' */
-        /* Set x14 = 8583909746840200520 = 0x77202c6f6c6c6548 */
-        mov  x14, #25928
-        movk x14, #27756, lsl #16
-        movk x14, #11375, lsl #0x20
-        movk x14, #30496, lsl #0x30
-        /* Set x15 = 7593667296735556207 = 0x6962202c646c726f */
-        mov  x15, #29295
-        movk x15, #25708, lsl #16
-        movk x15, #8236, lsl #0x20
-        movk x15, #26978, lsl #0x30
-        stp x14, x15, [sp, #-16]!
-        /* Set x14 = 28558089656888933 = 0x65756e65766e65 */
-        mov  x14, #28261
-        movk x14, #25974, lsl #16
-        movk x14, #30062, lsl #0x20
-        movk x14, #101, lsl #0x30
-        str x14, [sp, #-16]!
-    >>> print(shellcraft.pushstr("Hello, world, bienvenue!").rstrip())
-        /* push b'Hello, world, bienvenue!\x00' */
-        /* Set x14 = 8583909746840200520 = 0x77202c6f6c6c6548 */
-        mov  x14, #25928
-        movk x14, #27756, lsl #16
-        movk x14, #11375, lsl #0x20
-        movk x14, #30496, lsl #0x30
-        /* Set x15 = 7593667296735556207 = 0x6962202c646c726f */
-        mov  x15, #29295
-        movk x15, #25708, lsl #16
-        movk x15, #8236, lsl #0x20
-        movk x15, #26978, lsl #0x30
-        stp x14, x15, [sp, #-16]!
-        /* Set x14 = 2406458692908510821 = 0x2165756e65766e65 */
-        mov  x14, #28261
-        movk x14, #25974, lsl #16
-        movk x14, #30062, lsl #0x20
-        movk x14, #8549, lsl #0x30
-        mov  x15, xzr
-        stp x14, x15, [sp, #-16]!
+    >>> string = "Hello, world!"
+    >>> assembly = shellcraft.pushstr(string)
+    >>> assembly += shellcraft.write(1, 'sp', len(string))
+    >>> assembly += shellcraft.exit()
+    >>> ELF.from_assembly(assembly).process().recvall()
+    b'Hello, world!'
+
+    >>> string = "Hello, world! This is a long string! Wow!"
+    >>> assembly = shellcraft.pushstr(string)
+    >>> assembly += shellcraft.write(1, 'sp', len(string))
+    >>> assembly += shellcraft.exit()
+    >>> ELF.from_assembly(assembly).process().recvall()
+    b'Hello, world! This is a long string! Wow!'
 </%docstring>
 <%
 if isinstance(string, six.text_type):
@@ -91,6 +46,8 @@ while len(string) % 8:
 words = packing.unpack_many(string)
 pairs = lists.group(2, words)
 
+pairs = pairs[::-1]
+
 # The stack must be 16-byte aligned
 total = len(pairs) * 16
 

diff --git a/pwnlib/shellcraft/templates/aarch64/pushstr_array.asm b/pwnlib/shellcraft/templates/aarch64/pushstr_array.asm
@@ -14,64 +14,41 @@ Arguments:
         Single argument or list of arguments to push.
         NULL termination is normalized so that each argument
         ends with exactly one NULL byte.
+
+Example:
+
+    >>> assembly = shellcraft.execve("/bin/sh", ["sh", "-c", "echo Hello $WORLD"], {"WORLD": "World!"})
+    >>> ELF.from_assembly(assembly).process().recvall()
+    b'Hello, World!''
 </%docstring>
 <%page args="reg, array, register1='x14', register2='x15'"/>
 <%
 if isinstance(array, (binary_type, text_type)):
     array = [array]
 
-# Normalize all of the arguments' endings
+# Normalize line endings for each item
 array = [arg.rstrip(b'\x00') + b'\x00' for arg in array]
 
+# Join everything in the string-to-be-pushed
+string = b''.join(array)
+
 # Maximum amount that we can adjust SP by at once is 4095,
 # which seems like a safe maximum.
 if len(array) * 8 > 4095:
     raise Exception("Array size is too large (%i), max=4095" % len(array))
-
-# Join them into one big string that can be pushed
-array_str = b''.join(array)
-
-# Create a listing of offsets from what will be the "top" of the stack.
-num_pointers = len(array)
-
-# Account for the NULL terminator
-num_pointers += 1
-
-while num_pointers % 2 != 0:
-    num_pointers += 1
-
-# Offset from the 'top' of the stack, to the data pointed at
-sp_to_data = num_pointers * ctx.bytes
-
-# List of amounts to subtract from $SP
-offsets = {}
-for i,arg in enumerate(reversed(array)):
-    offsets[i] = sp_to_data + len(array_str) - len(arg)
-
-# If the array length is ODD we can sneak in our null terminator at the end
-if len(array) % 2 == 1:
-    offsets[len(offsets)] = 'sp'
-
-sorted_offsets = []
-for key in sorted(offsets):
-    sorted_offsets.append(offsets[key])
-
-# Load the offsets into pairs
-pairwise_offsets = group(2, sorted_offsets)
 %>\
     /* push argument array ${repr(array)} */
-    ${shellcraft.pushstr(array_str, register1=register1, register2=register2)}
+    ${shellcraft.pushstr(string, register1=register1, register2=register2)}
 
-    /* adjust the stack pointer to account for the array of pointers */
-    sub sp, sp, ${num_pointers * ctx.bytes}
+    /* push null terminator */
+    ${shellcraft.mov(register1, 0)}
+    str ${register1}, [sp, #-8]!
 
-    /* push pointers onto the stack in pairs */
-%for i, (a, b) in enumerate(pairwise_offsets):
-    ${shellcraft.mov(register1, a)}
-    ${shellcraft.mov(register2, b)}
-    sub  ${register1}, sp, ${register1}
-    sub  ${register2}, sp, ${register2}
-    stp  ${register1}, ${register2}, [sp], ${i * 16}
+    /* push pointers onto the stack */
+%for i, value in enumerate(reversed(array)):
+   ${shellcraft.mov(register1, (i+1)*8 + string.index(value))}
+   add ${register1}, sp, ${register1}
+   str ${register1}, [sp, #-8]! /* ${array[-i]} */
 %endfor
 %if len(array[-1] != 'sp')