Shellcraft generation fails with strings that contain end of multiline comment #1427

Closed
disconnect3d opened this issue Feb 8, 2020 · 1 comment

@disconnect3d
Contributor

PoC||GTFO:

In [161]: print(shellcraft.amd64.write(0, '*/', 2))
    /* write(fd=0, buf='*/', n=2) */
    /* push '*/\x00' */
    push 0x1010101 ^ 0x2f2a
    xor dword ptr [rsp], 0x1010101
    mov rsi, rsp
    xor edi, edi /* 0 */
    push 2
    pop rdx
    /* call write() */
    push SYS_write /* 1 */
    pop rax
    syscall


In [162]: asm(shellcraft.amd64.write(0, '*/', 2))
[DEBUG] cpp -C -nostdinc -undef -P -I/usr/local/lib/python2.7/dist-packages/pwnlib/data/includes /dev/stdin
[ERROR] There was an error running ['cpp', '-C', '-nostdinc', '-undef', '-P', '-I/usr/local/lib/python2.7/dist-packages/pwnlib/data/includes', '/dev/stdin']:
    It had this on stdout:
    /dev/stdin:2:27: warning: missing terminating ' character
    /dev/stdin:3:20: warning: missing terminating ' character

The bug is in /* write(fd=0, buf='*/', n=2) */: the input string ends the multi-line comment, so cpp fails to compile our assembly.

This happens for me on 3.12.0:

In [168]: pwnlib.__version__
Out[168]: '3.12.0'

But was also reproduced on 4.2.0dev (commit id: ed3c30a).
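
The failure reported above, reproduced offline as an added example (not part of the issue and not pwntools code): a small lexer applies the C block-comment rule to the two generated comment lines and reports the column of the stray quote that results, next to one possible mitigation. `stray_quote_column`, `comment_safe` and `annotate` are hypothetical names, and rewriting `*/` as `* /` is an assumed fix, not necessarily the one the project adopted.

```python
# Added illustration; helper names are hypothetical, not pwntools APIs.
def stray_quote_column(line):
    """Lex one line the way a C preprocessor does: the first "*/" closes a
    block comment, and a "'" outside a comment must be closed on the same
    line. Returns the 1-based column of an unterminated "'", else None."""
    i, in_comment = 0, False
    while i < len(line):
        if in_comment:
            if line.startswith("*/", i):
                in_comment = False
                i += 2
            else:
                i += 1
        elif line.startswith("/*", i):
            in_comment = True
            i += 2
        elif line[i] == "'":
            j = i + 1
            while j < len(line) and line[j] != "'":
                j += 2 if line[j] == "\\" else 1  # skip escaped characters
            if j >= len(line):
                return i + 1
            i = j + 1
        else:
            i += 1
    return None


def comment_safe(text):
    """Break up every "*/" so the text cannot close the enclosing comment."""
    return text.replace("*/", "* /")


def annotate(template, value):
    """Build a /* ... */ annotation from the repr of a caller-supplied value."""
    return "    /* " + comment_safe(template % repr(value)) + " */"


# The two comment lines from the listing above, copied with their indentation.
PAGE_LINES = [
    "    /* write(fd=0, buf='*/', n=2) */",
    r"    /* push '*/\x00' */",
]

if __name__ == "__main__":
    for line in PAGE_LINES:
        print(stray_quote_column(line), line)
    print(stray_quote_column(annotate("write(fd=0, buf=%s, n=2)", "*/")))
```

The columns reported for the two lines, 27 and 20, are the ones cpp names in its warnings above.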

@zachriggle
Member

zachriggle commented Feb 9, 2020 via email
