Shellcraft stackargs (#2219)

From: Peace-Maker <[email protected]> * Shellcraft: Fix spilling syscall args to the stack There was a typo in the generated syscall template causing only the last stack argument to be generated. $ shellcraft -f asm mips.linux.sendto 3 0x123456 0x100 0 0xabcdefff 0x10 The 0xabcdefff argument was missing. * Shellcraft: Generate 6 syscall arguments for unknown functions There are syscalls with 6 arguments like mmap and sendto which couldn't be called with all 6 arguments set. $ shellcraft -f asm mips.linux.mmap2 0 0x1000 'PROT_READ | PROT_WRITE | PROT_EXEC' 'MAP_PRIVATE | MAP_ANONYMOUS' -1 0 * Shellcraft: Fix typo in error message The `syscalls` variable is only present in the generate.py, not the generated template. * Regenerate syscall templates * MIPS shellcraft: Push last two syscall arguments to the stack The mips.linux.syscall template was only handling 4 syscall arguments and silently discarded the remaining ones. Push the arguments to the stack instead. $ shellcraft -f asm mips.linux.syscall SYS_sendto 3 0x123456 0x100 0 0xabcdefff 0x10 Fixes #2153 * Fix mips syscall doctest * Update CHANGELOG Co-authored-by: Peace-Maker <[email protected]>
Gallopsled · Jul 9, 2023 · 1399c7a · 1399c7a
1 parent 8d10485
commit 1399c7a
Show file tree

Hide file tree

Showing 475 changed files with 1,976 additions and 1,959 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -70,10 +70,12 @@ The table below shows which release corresponds to each branch, and what date th
 - [#2202][2202] Fix `remote` and `listen` in sagemath
 - [#2117][2117] Add -p (--prefix) and -s (--separator) arguments to `hex` command
 - [#2221][2221] Add shellcraft.sleep template wrapping SYS_nanosleep
+- [#2219][2219] Fix passing arguments on the stack in shellcraft syscall template
 
 [2202]: https://github.com/Gallopsled/pwntools/pull/2202
 [2117]: https://github.com/Gallopsled/pwntools/pull/2117
 [2221]: https://github.com/Gallopsled/pwntools/pull/2221
+[2219]: https://github.com/Gallopsled/pwntools/pull/2219
 
 ## 4.11.0 (`beta`)
 

diff --git a/pwnlib/data/syscalls/generate.py b/pwnlib/data/syscalls/generate.py
@@ -72,7 +72,7 @@
                 target = regs[index]
                 register_arguments[target] = arg
             elif arg is not None:
-                stack_arguments[index] = arg
+                stack_arguments[name] = arg
 
         # The argument is not a register.  It is a string value, and we
         # are expecting a string value
@@ -100,15 +100,15 @@
                 target = regs[index]
                 register_arguments[target] = arg
             elif arg is not None:
-                stack_arguments[target] = arg
+                stack_arguments[name] = arg
 
     # Some syscalls have different names on various architectures.
     # Determine which syscall number to use for the current architecture.
     for syscall in {syscalls!r}:
         if hasattr(pwnlib.constants, syscall):
             break
     else:
-        raise Exception("Could not locate any syscalls: %r" % syscalls)
+        raise Exception("Could not locate any syscalls: %r" % {syscalls!r})
 %>
     /* {name}(${{', '.join(syscall_repr)}}) */
 %for name, arg in string_arguments.items():
@@ -249,7 +249,7 @@ def generate_one(target):
             # Mako is unable to use *vararg and *kwarg, so we just stub in
             # a whole bunch of additional arguments.
             if argname == 'vararg':
-                for j in range(5):
+                for j in range(6):
                     argname = 'vararg_%i' % j
                     argument_names.append(argname)
                     argument_names_.append(argname)

diff --git a/pwnlib/shellcraft/templates/common/linux/syscalls/_llseek.asm b/pwnlib/shellcraft/templates/common/linux/syscalls/_llseek.asm
@@ -5,7 +5,7 @@ import pwnlib.constants
 import pwnlib.shellcraft
 import six
 %>
-<%docstring>_llseek(vararg_0, vararg_1, vararg_2, vararg_3, vararg_4) -> str
+<%docstring>_llseek(vararg_0, vararg_1, vararg_2, vararg_3, vararg_4, vararg_5) -> str
 
 Invokes the syscall _llseek.
 
@@ -16,7 +16,7 @@ Arguments:
 Returns:
     long
 </%docstring>
-<%page args="vararg_0=None, vararg_1=None, vararg_2=None, vararg_3=None, vararg_4=None"/>
+<%page args="vararg_0=None, vararg_1=None, vararg_2=None, vararg_3=None, vararg_4=None, vararg_5=None"/>
 <%
     abi = pwnlib.abi.ABI.syscall()
     stack = abi.stack
@@ -26,8 +26,8 @@ Returns:
     can_pushstr = []
     can_pushstr_array = []
 
-    argument_names = ['vararg_0', 'vararg_1', 'vararg_2', 'vararg_3', 'vararg_4']
-    argument_values = [vararg_0, vararg_1, vararg_2, vararg_3, vararg_4]
+    argument_names = ['vararg_0', 'vararg_1', 'vararg_2', 'vararg_3', 'vararg_4', 'vararg_5']
+    argument_values = [vararg_0, vararg_1, vararg_2, vararg_3, vararg_4, vararg_5]
 
     # Load all of the arguments into their destination registers / stack slots.
     register_arguments = dict()
@@ -48,7 +48,7 @@ Returns:
                 target = regs[index]
                 register_arguments[target] = arg
             elif arg is not None:
-                stack_arguments[index] = arg
+                stack_arguments[name] = arg
 
         # The argument is not a register.  It is a string value, and we
         # are expecting a string value
@@ -76,15 +76,15 @@ Returns:
                 target = regs[index]
                 register_arguments[target] = arg
             elif arg is not None:
-                stack_arguments[target] = arg
+                stack_arguments[name] = arg
 
     # Some syscalls have different names on various architectures.
     # Determine which syscall number to use for the current architecture.
     for syscall in ['SYS__llseek']:
         if hasattr(pwnlib.constants, syscall):
             break
     else:
-        raise Exception("Could not locate any syscalls: %r" % syscalls)
+        raise Exception("Could not locate any syscalls: %r" % ['SYS__llseek'])
 %>
     /* _llseek(${', '.join(syscall_repr)}) */
 %for name, arg in string_arguments.items():

diff --git a/pwnlib/shellcraft/templates/common/linux/syscalls/_newselect.asm b/pwnlib/shellcraft/templates/common/linux/syscalls/_newselect.asm
@@ -5,7 +5,7 @@ import pwnlib.constants
 import pwnlib.shellcraft
 import six
 %>
-<%docstring>_newselect(vararg_0, vararg_1, vararg_2, vararg_3, vararg_4) -> str
+<%docstring>_newselect(vararg_0, vararg_1, vararg_2, vararg_3, vararg_4, vararg_5) -> str
 
 Invokes the syscall _newselect.
 
@@ -16,7 +16,7 @@ Arguments:
 Returns:
     long
 </%docstring>
-<%page args="vararg_0=None, vararg_1=None, vararg_2=None, vararg_3=None, vararg_4=None"/>
+<%page args="vararg_0=None, vararg_1=None, vararg_2=None, vararg_3=None, vararg_4=None, vararg_5=None"/>
 <%
     abi = pwnlib.abi.ABI.syscall()
     stack = abi.stack
@@ -26,8 +26,8 @@ Returns:
     can_pushstr = []
     can_pushstr_array = []
 
-    argument_names = ['vararg_0', 'vararg_1', 'vararg_2', 'vararg_3', 'vararg_4']
-    argument_values = [vararg_0, vararg_1, vararg_2, vararg_3, vararg_4]
+    argument_names = ['vararg_0', 'vararg_1', 'vararg_2', 'vararg_3', 'vararg_4', 'vararg_5']
+    argument_values = [vararg_0, vararg_1, vararg_2, vararg_3, vararg_4, vararg_5]
 
     # Load all of the arguments into their destination registers / stack slots.
     register_arguments = dict()
@@ -48,7 +48,7 @@ Returns:
                 target = regs[index]
                 register_arguments[target] = arg
             elif arg is not None:
-                stack_arguments[index] = arg
+                stack_arguments[name] = arg
 
         # The argument is not a register.  It is a string value, and we
         # are expecting a string value
@@ -76,15 +76,15 @@ Returns:
                 target = regs[index]
                 register_arguments[target] = arg
             elif arg is not None:
-                stack_arguments[target] = arg
+                stack_arguments[name] = arg
 
     # Some syscalls have different names on various architectures.
     # Determine which syscall number to use for the current architecture.
     for syscall in ['SYS__newselect']:
         if hasattr(pwnlib.constants, syscall):
             break
     else:
-        raise Exception("Could not locate any syscalls: %r" % syscalls)
+        raise Exception("Could not locate any syscalls: %r" % ['SYS__newselect'])
 %>
     /* _newselect(${', '.join(syscall_repr)}) */
 %for name, arg in string_arguments.items():

diff --git a/pwnlib/shellcraft/templates/common/linux/syscalls/_sysctl.asm b/pwnlib/shellcraft/templates/common/linux/syscalls/_sysctl.asm
@@ -5,7 +5,7 @@ import pwnlib.constants
 import pwnlib.shellcraft
 import six
 %>
-<%docstring>_sysctl(vararg_0, vararg_1, vararg_2, vararg_3, vararg_4) -> str
+<%docstring>_sysctl(vararg_0, vararg_1, vararg_2, vararg_3, vararg_4, vararg_5) -> str
 
 Invokes the syscall _sysctl.
 
@@ -16,7 +16,7 @@ Arguments:
 Returns:
     long
 </%docstring>
-<%page args="vararg_0=None, vararg_1=None, vararg_2=None, vararg_3=None, vararg_4=None"/>
+<%page args="vararg_0=None, vararg_1=None, vararg_2=None, vararg_3=None, vararg_4=None, vararg_5=None"/>
 <%
     abi = pwnlib.abi.ABI.syscall()
     stack = abi.stack
@@ -26,8 +26,8 @@ Returns:
     can_pushstr = []
     can_pushstr_array = []
 
-    argument_names = ['vararg_0', 'vararg_1', 'vararg_2', 'vararg_3', 'vararg_4']
-    argument_values = [vararg_0, vararg_1, vararg_2, vararg_3, vararg_4]
+    argument_names = ['vararg_0', 'vararg_1', 'vararg_2', 'vararg_3', 'vararg_4', 'vararg_5']
+    argument_values = [vararg_0, vararg_1, vararg_2, vararg_3, vararg_4, vararg_5]
 
     # Load all of the arguments into their destination registers / stack slots.
     register_arguments = dict()
@@ -48,7 +48,7 @@ Returns:
                 target = regs[index]
                 register_arguments[target] = arg
             elif arg is not None:
-                stack_arguments[index] = arg
+                stack_arguments[name] = arg
 
         # The argument is not a register.  It is a string value, and we
         # are expecting a string value
@@ -76,15 +76,15 @@ Returns:
                 target = regs[index]
                 register_arguments[target] = arg
             elif arg is not None:
-                stack_arguments[target] = arg
+                stack_arguments[name] = arg
 
     # Some syscalls have different names on various architectures.
     # Determine which syscall number to use for the current architecture.
     for syscall in ['SYS__sysctl']:
         if hasattr(pwnlib.constants, syscall):
             break
     else:
-        raise Exception("Could not locate any syscalls: %r" % syscalls)
+        raise Exception("Could not locate any syscalls: %r" % ['SYS__sysctl'])
 %>
     /* _sysctl(${', '.join(syscall_repr)}) */
 %for name, arg in string_arguments.items():

diff --git a/pwnlib/shellcraft/templates/common/linux/syscalls/accept.asm b/pwnlib/shellcraft/templates/common/linux/syscalls/accept.asm
@@ -50,7 +50,7 @@ Returns:
                 target = regs[index]
                 register_arguments[target] = arg
             elif arg is not None:
-                stack_arguments[index] = arg
+                stack_arguments[name] = arg
 
         # The argument is not a register.  It is a string value, and we
         # are expecting a string value
@@ -78,15 +78,15 @@ Returns:
                 target = regs[index]
                 register_arguments[target] = arg
             elif arg is not None:
-                stack_arguments[target] = arg
+                stack_arguments[name] = arg
 
     # Some syscalls have different names on various architectures.
     # Determine which syscall number to use for the current architecture.
     for syscall in ['SYS_accept']:
         if hasattr(pwnlib.constants, syscall):
             break
     else:
-        raise Exception("Could not locate any syscalls: %r" % syscalls)
+        raise Exception("Could not locate any syscalls: %r" % ['SYS_accept'])
 %>
     /* accept(${', '.join(syscall_repr)}) */
 %for name, arg in string_arguments.items():

diff --git a/pwnlib/shellcraft/templates/common/linux/syscalls/accept4.asm b/pwnlib/shellcraft/templates/common/linux/syscalls/accept4.asm
@@ -51,7 +51,7 @@ Returns:
                 target = regs[index]
                 register_arguments[target] = arg
             elif arg is not None:
-                stack_arguments[index] = arg
+                stack_arguments[name] = arg
 
         # The argument is not a register.  It is a string value, and we
         # are expecting a string value
@@ -79,15 +79,15 @@ Returns:
                 target = regs[index]
                 register_arguments[target] = arg
             elif arg is not None:
-                stack_arguments[target] = arg
+                stack_arguments[name] = arg
 
     # Some syscalls have different names on various architectures.
     # Determine which syscall number to use for the current architecture.
     for syscall in ['SYS_accept4']:
         if hasattr(pwnlib.constants, syscall):
             break
     else:
-        raise Exception("Could not locate any syscalls: %r" % syscalls)
+        raise Exception("Could not locate any syscalls: %r" % ['SYS_accept4'])
 %>
     /* accept4(${', '.join(syscall_repr)}) */
 %for name, arg in string_arguments.items():

diff --git a/pwnlib/shellcraft/templates/common/linux/syscalls/access.asm b/pwnlib/shellcraft/templates/common/linux/syscalls/access.asm
@@ -49,7 +49,7 @@ Returns:
                 target = regs[index]
                 register_arguments[target] = arg
             elif arg is not None:
-                stack_arguments[index] = arg
+                stack_arguments[name] = arg
 
         # The argument is not a register.  It is a string value, and we
         # are expecting a string value
@@ -77,15 +77,15 @@ Returns:
                 target = regs[index]
                 register_arguments[target] = arg
             elif arg is not None:
-                stack_arguments[target] = arg
+                stack_arguments[name] = arg
 
     # Some syscalls have different names on various architectures.
     # Determine which syscall number to use for the current architecture.
     for syscall in ['SYS_access']:
         if hasattr(pwnlib.constants, syscall):
             break
     else:
-        raise Exception("Could not locate any syscalls: %r" % syscalls)
+        raise Exception("Could not locate any syscalls: %r" % ['SYS_access'])
 %>
     /* access(${', '.join(syscall_repr)}) */
 %for name, arg in string_arguments.items():

diff --git a/pwnlib/shellcraft/templates/common/linux/syscalls/acct.asm b/pwnlib/shellcraft/templates/common/linux/syscalls/acct.asm
@@ -48,7 +48,7 @@ Returns:
                 target = regs[index]
                 register_arguments[target] = arg
             elif arg is not None:
-                stack_arguments[index] = arg
+                stack_arguments[name] = arg
 
         # The argument is not a register.  It is a string value, and we
         # are expecting a string value
@@ -76,15 +76,15 @@ Returns:
                 target = regs[index]
                 register_arguments[target] = arg
             elif arg is not None:
-                stack_arguments[target] = arg
+                stack_arguments[name] = arg
 
     # Some syscalls have different names on various architectures.
     # Determine which syscall number to use for the current architecture.
     for syscall in ['SYS_acct']:
         if hasattr(pwnlib.constants, syscall):
             break
     else:
-        raise Exception("Could not locate any syscalls: %r" % syscalls)
+        raise Exception("Could not locate any syscalls: %r" % ['SYS_acct'])
 %>
     /* acct(${', '.join(syscall_repr)}) */
 %for name, arg in string_arguments.items():

diff --git a/pwnlib/shellcraft/templates/common/linux/syscalls/add_key.asm b/pwnlib/shellcraft/templates/common/linux/syscalls/add_key.asm
@@ -52,7 +52,7 @@ Returns:
                 target = regs[index]
                 register_arguments[target] = arg
             elif arg is not None:
-                stack_arguments[index] = arg
+                stack_arguments[name] = arg
 
         # The argument is not a register.  It is a string value, and we
         # are expecting a string value
@@ -80,15 +80,15 @@ Returns:
                 target = regs[index]
                 register_arguments[target] = arg
             elif arg is not None:
-                stack_arguments[target] = arg
+                stack_arguments[name] = arg
 
     # Some syscalls have different names on various architectures.
     # Determine which syscall number to use for the current architecture.
     for syscall in ['SYS_add_key']:
         if hasattr(pwnlib.constants, syscall):
             break
     else:
-        raise Exception("Could not locate any syscalls: %r" % syscalls)
+        raise Exception("Could not locate any syscalls: %r" % ['SYS_add_key'])
 %>
     /* add_key(${', '.join(syscall_repr)}) */
 %for name, arg in string_arguments.items():

diff --git a/pwnlib/shellcraft/templates/common/linux/syscalls/adjtimex.asm b/pwnlib/shellcraft/templates/common/linux/syscalls/adjtimex.asm
@@ -48,7 +48,7 @@ Returns:
                 target = regs[index]
                 register_arguments[target] = arg
             elif arg is not None:
-                stack_arguments[index] = arg
+                stack_arguments[name] = arg
 
         # The argument is not a register.  It is a string value, and we
         # are expecting a string value
@@ -76,15 +76,15 @@ Returns:
                 target = regs[index]
                 register_arguments[target] = arg
             elif arg is not None:
-                stack_arguments[target] = arg
+                stack_arguments[name] = arg
 
     # Some syscalls have different names on various architectures.
     # Determine which syscall number to use for the current architecture.
     for syscall in ['SYS_adjtimex']:
         if hasattr(pwnlib.constants, syscall):
             break
     else:
-        raise Exception("Could not locate any syscalls: %r" % syscalls)
+        raise Exception("Could not locate any syscalls: %r" % ['SYS_adjtimex'])
 %>
     /* adjtimex(${', '.join(syscall_repr)}) */
 %for name, arg in string_arguments.items():