
Cannot put 0xaabbccdd00112233 into 'rax' without using stack #1221

Closed
Arusekk opened this Issue Oct 30, 2018 · 3 comments

@Arusekk
Contributor

Arusekk commented Oct 30, 2018

% else:
<% log.error("Cannot put %s into '%s' without using stack." % (pretty(src), dest_orig)) %>\

>>> from pwn import *
>>> shellcraft.amd64.mov('rax', 0xaabbccdd00112233, stack_allowed=False)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "<string>", line 8, in mov
  File "/usr/lib/python2.7/site-packages/mako/template.py", line 445, in render
    return runtime._render(self, self.callable_, args, data)
  File "/usr/lib/python2.7/site-packages/mako/runtime.py", line 829, in _render
    **_kwargs_for_callable(callable_, data))
  File "/usr/lib/python2.7/site-packages/mako/runtime.py", line 864, in _render_context
    _exec_template(inherit, lclcontext, args=args, kwargs=kwargs)
  File "/usr/lib/python2.7/site-packages/mako/runtime.py", line 890, in _exec_template
    callable_(context, *args, **kwargs)
  File "/home/are/.pwntools-cache-2.7/mako/amd64/mov.asm.py", line 239, in render_body
    log.error("Cannot put %s into '%s' without using stack." % (pretty(src), dest_orig)) 
  File "/usr/lib/python2.7/site-packages/mako/runtime.py", line 226, in __str__
    raise NameError("Undefined")
NameError: Undefined

And the error is wrong, possibly because there is no dest_orig in the template's namespace (a typo?).

I agree that such a case is extremely rare (normally the stack is usable).
But apparently, it is possible to put such values into rax.
It is achievable by using:

from pwn import *

val = 0xaabbccdd00112233
# load the high 32 bits (mov eax zero-extends into rax), shift them up, then xor in the low half
shellcraft.mov('rax', val >> 32) + '''\
    shl rax, 0x20
''' + shellcraft.mov('rax', val & 0xffffffff).replace('eax', 'rax').replace('mov', 'xor')

In this example:

    mov eax, 0xaabbccdd
    shl rax, 0x20
    xor rax, 0x1010101 /* 1122867 == 0x112233 */
    xor rax, 0x1102332

I think such a solution would not make the code much more complex, but would instead enable doing what was previously impossible.

@zachriggle


Contributor

zachriggle commented Nov 23, 2018

Yes, this is correct, as Pwntools makes a best-effort to exclude NULL bytes in any generated shellcode.

0xaabbccdd00112233 contains an embedded null, so it cannot be used as a literal.

If you'd like to extend shellcraft.mov to support this optimization, I recommend opening a pull request.

@zachriggle


Contributor

zachriggle commented Nov 23, 2018

Ah, I see now that the issue is that an exception is thrown when an error message is being raised.

@zachriggle


Contributor

zachriggle commented Nov 23, 2018

In any case, if you'd like to add the optimization to mov.asm, go for it! It's probably best to check at the beginning with okay() and try both directions of bit-shifting. Since the search space is at most 8 bits (otherwise shifting would itself introduce a NULL byte) this doesn't sound too expensive.
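The shift-and-xor construction from the first post, combined with the null-byte check suggested in the last comment, as an added stand-alone example (not pwntools code and not written by either commenter): it emits the same four instructions for 0xaabbccdd00112233 without depending on pwntools, generalizes to an upper half that itself contains a null byte, and simulates the sequence with x86-64 register semantics to confirm the value. The function names, the `xor_pair` byte-selection rule and the handling of `xor rax, imm32` sign-extension are this example's own assumptions, not part of the issue.

```python
MASK32 = 0xffffffff
MASK64 = 0xffffffffffffffff

def has_null_byte(value, width=4):
    """True if any of the low `width` bytes of value is 0x00."""
    return any(((value >> (8 * i)) & 0xff) == 0 for i in range(width))

def xor_pair(imm):
    """Split a 32-bit imm into a ^ b such that neither a nor b contains a zero byte."""
    a = 0
    for i in range(4):
        byte = (imm >> (8 * i)) & 0xff
        a |= (0x02 if byte == 0x01 else 0x01) << (8 * i)  # a_i != 0 and a_i != byte
    return a, a ^ imm

def null_free_ops(op, reg, imm):
    """`op reg, imm` if imm has no null byte, else the same op with a null-free xor pair."""
    if not has_null_byte(imm):
        return ["%s %s, %#x" % (op, reg, imm)]
    a, b = xor_pair(imm)
    return ["%s %s, %#x" % (op, reg, a), "xor %s, %#x" % (reg, b)]

def mov_rax_no_stack(val):
    """Instructions loading a 64-bit val into rax without the stack or null bytes."""
    hi, lo = val >> 32, val & MASK32
    # `xor rax, imm32` sign-extends the immediate: when bit 31 of lo is set the
    # final xor also flips the upper half, so load the inverted upper half first.
    if lo & 0x80000000:
        hi ^= MASK32
    return null_free_ops("mov", "eax", hi) + ["shl rax, 0x20"] + null_free_ops("xor", "rax", lo)

def simulate(lines):
    """Execute the emitted lines with x86-64 register semantics and return rax."""
    rax = 0
    for line in lines:
        op, reg, imm = line.replace(",", "").split()
        imm = int(imm, 16)
        if reg == "eax":                # 32-bit write zero-extends into rax
            rax = imm if op == "mov" else (rax & MASK32) ^ imm
        elif op == "shl":
            rax = (rax << imm) & MASK64
        else:                           # xor rax, imm32: imm32 is sign-extended
            rax ^= (imm | (MASK64 ^ MASK32)) if imm & 0x80000000 else imm
    return rax

def check(val):
    """True if every immediate is null-free and the sequence yields exactly val."""
    lines = mov_rax_no_stack(val)
    imms = [int(l.split()[-1], 16) for l in lines if not l.startswith("shl")]
    return not any(has_null_byte(i) for i in imms) and simulate(lines) == val
```

For the value from the issue, `mov_rax_no_stack(0xaabbccdd00112233)` returns exactly the four instructions shown in the first post; `check` also passes for values whose low half has bit 31 set or whose upper half contains a null, which the one-off snippet above does not handle.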
