pwnlib.shellcraft.mips
— Shellcode for MIPS
pwnlib.shellcraft.mips
Shellcraft module containing generic MIPS shellcodes.
pwnlib.shellcraft.mips.
mov
(dst, src)[source] Moves src into dst using an instruction sequence that contains no newline (0x0a) and no null (0x00) bytes.
Registers $t8 and $t9 are not guaranteed to be preserved: the generated code uses them as scratch (see the examples below), so do not keep live values in them across a mov.
If src is a string that is not a register name, the generator temporarily sets context.arch to 'mips' and evaluates the string with
pwnlib.constants.eval()
. Because constant lookup depends on context.os, the same call can emit different code depending on the value of context.os at generation time. Parameters: dst – destination register; src – source register, immediate, or expression string. Example
>>> print shellcraft.mips.mov('$t0', 0).rstrip() slti $t0, $zero, 0xFFFF /* $t0 = 0 */ >>> print shellcraft.mips.mov('$t2', 0).rstrip() xor $t2, $t2, $t2 /* $t2 = 0 */ >>> print shellcraft.mips.mov('$t0', 0xcafebabe).rstrip() li $t0, 0xcafebabe >>> print shellcraft.mips.mov('$t2', 0xcafebabe).rstrip() li $t9, 0xcafebabe add $t2, $t9, $zero >>> print shellcraft.mips.mov('$s0', 0xca0000be).rstrip() li $t9, ~0xca0000be not $s0, $t9 >>> print shellcraft.mips.mov('$s0', 0xca0000ff).rstrip() li $t9, 0x1010101 ^ 0xca0000ff li $s0, 0x1010101 xor $s0, $t9, $s0 >>> print shellcraft.mips.mov('$t9', 0xca0000be).rstrip() li $t9, ~0xca0000be not $t9, $t9 >>> print shellcraft.mips.mov('$t2', 0xca0000be).rstrip() li $t9, ~0xca0000be not $t9, $t9 add $t2, $t9, $0 /* mov $t2, $t9 */ >>> print shellcraft.mips.mov('$t2', 0xca0000ff).rstrip() li $t8, 0x1010101 ^ 0xca0000ff li $t9, 0x1010101 xor $t9, $t8, $t9 add $t2, $t9, $0 /* mov $t2, $t9 */ >>> print shellcraft.mips.mov('$a0', '$t2').rstrip() add $a0, $t2, $0 /* mov $a0, $t2 */ >>> print shellcraft.mips.mov('$a0', '$t8').rstrip() sw $t8, -4($sp) /* mov $a0, $t8 */ lw $a0, -4($sp)
pwnlib.shellcraft.mips.
pushstr
(string, append_null=True)[source] Pushes a string onto the stack using only instructions that contain no null bytes or newline characters. With append_null=True (the default) a terminating null byte is pushed after the string; with append_null=False the bytes are pushed exactly as given (see the 'aaaa' examples below: the stack is padded to a 4-byte multiple either way).
Example
>>> print shellcraft.mips.pushstr('').rstrip() /* push '\x00' */ sw $zero, -4($sp) addiu $sp, $sp, -4 >>> print shellcraft.mips.pushstr('a').rstrip() /* push 'a\x00' */ li $t9, ~0x61 not $t1, $t9 sw $t1, -4($sp) addiu $sp, $sp, -4 >>> print shellcraft.mips.pushstr('aa').rstrip() /* push 'aa\x00' */ ori $t1, $zero, 24929 sw $t1, -4($sp) addiu $sp, $sp, -4 >>> print shellcraft.mips.pushstr('aaa').rstrip() /* push 'aaa\x00' */ li $t9, ~0x616161 not $t1, $t9 sw $t1, -4($sp) addiu $sp, $sp, -4 >>> print shellcraft.mips.pushstr('aaaa').rstrip() /* push 'aaaa\x00' */ li $t1, 0x61616161 sw $t1, -8($sp) sw $zero, -4($sp) addiu $sp, $sp, -8 >>> print shellcraft.mips.pushstr('aaaaa').rstrip() /* push 'aaaaa\x00' */ li $t1, 0x61616161 sw $t1, -8($sp) li $t9, ~0x61 not $t1, $t9 sw $t1, -4($sp) addiu $sp, $sp, -8 >>> print shellcraft.mips.pushstr('aaaa', append_null = False).rstrip() /* push 'aaaa' */ li $t1, 0x61616161 sw $t1, -4($sp) addiu $sp, $sp, -4 >>> print shellcraft.mips.pushstr('\xc3').rstrip() /* push '\xc3\x00' */ li $t9, ~0xc3 not $t1, $t9 sw $t1, -4($sp) addiu $sp, $sp, -4 >>> print shellcraft.mips.pushstr('\xc3', append_null = False).rstrip() /* push '\xc3' */ li $t9, ~0xc3 not $t1, $t9 sw $t1, -4($sp) addiu $sp, $sp, -4 >>> print enhex(asm(shellcraft.mips.pushstr("/bin/sh"))) 696e093c2f622935f8ffa9af97ff193cd08c393727482003fcffa9aff8ffbd27 >>> print enhex(asm(shellcraft.mips.pushstr(""))) fcffa0affcffbd27 >>> print enhex(asm(shellcraft.mips.pushstr("\x00", False))) fcffa0affcffbd27
Parameters: string – the bytes to push; append_null – whether to append a terminating null byte (default True).
pwnlib.shellcraft.mips.
pushstr_array
(reg, array)[source] Pushes an argv/envp-style array of pointers onto the stack; reg names the register that will hold the pointer to the array.
Parameters: reg – register that receives the pointer to the array; array – the list of strings to push.
pwnlib.shellcraft.mips.
setregs
(reg_context, stack_allowed=True)[source] Sets multiple registers at once, ordering the moves so that register dependencies are honoured (e.g., given $t0=1 and $a3=$t0, $a3 is assigned first so that it receives the old value of $t0). Cyclic dependencies such as $a0=$a1, $a1=$a0 are resolved with an exchange (the xor-swap in the example below).
Parameters: reg_context – mapping of destination register to value (an immediate or a register name); stack_allowed – whether the generated code may spill through the stack (the example below does so with sw/lw). Example
>>> print shellcraft.setregs({'$t0':1, '$a3':'0'}).rstrip() slti $a3, $zero, 0xFFFF /* $a3 = 0 */ li $t9, ~1 not $t0, $t9 >>> print shellcraft.setregs({'$a0':'$a1', '$a1':'$a0', '$a2':'$a1'}).rstrip() sw $a1, -4($sp) /* mov $a2, $a1 */ lw $a2, -4($sp) xor $a1, $a1, $a0 /* xchg $a1, $a0 */ xor $a0, $a1, $a0 xor $a1, $a1, $a0
pwnlib.shellcraft.mips.linux
Shellcraft module containing MIPS shellcodes for Linux.
pwnlib.shellcraft.mips.linux.
bindsh
(port, network)[source] Listens on a TCP port and spawns a shell for the first client that connects. port is the TCP port to listen on; network is either 'ipv4' or 'ipv6'. Note that nothing authenticates the peer: whoever connects first gets the shell.
pwnlib.shellcraft.mips.linux.
cat
(filename, fd=1)[source] Opens filename and writes its contents to file descriptor fd (default 1, stdout).
Example (tempfile.mktemp() is used here only for doctest brevity; it is subject to a filename race and should not be used in real code — prefer tempfile.mkstemp() or tempfile.NamedTemporaryFile)
>>> f = tempfile.mktemp() >>> write(f, 'FLAG') >>> asm = shellcraft.mips.linux.cat(f) >>> asm += shellcraft.mips.linux.exit(0) >>> run_assembly(asm).recvall() 'FLAG'
pwnlib.shellcraft.mips.linux.
connect
(host, port, network='ipv4')[source] Connects to host on the given port. network is either 'ipv4' or 'ipv6'. Leaves the connected socket in $s0.
pwnlib.shellcraft.mips.linux.
dupsh
(sock='$s0')[source] Args: [sock (imm/reg) = $s0] Duplicates sock onto stdin, stdout and stderr and spawns a shell.
pwnlib.shellcraft.mips.linux.
findpeer
(port)[source] Finds a connected socket. If port is given, only a socket whose peer port matches is accepted. The resulting socket is left in $s0.
pwnlib.shellcraft.mips.linux.
findpeersh
(port)[source] Finds a connected socket. If port is given, only a socket whose peer port matches is accepted. A dup2 shell is spawned on it (as with dupsh).
pwnlib.shellcraft.mips.linux.
forkexit
()[source] Attempts to fork. If the fork succeeds, the parent exits and the child continues.
pwnlib.shellcraft.mips.linux.
killparent
()[source] Repeatedly kills its parent process until the parent is one that cannot be killed (probably init).
pwnlib.shellcraft.mips.linux.
listen
(port, network)[source] Listens on a TCP port, accepts one client and leaves the accepted socket in $s0. port is the TCP port to listen on; network is either 'ipv4' or 'ipv6'. No authentication of the client is performed.
pwnlib.shellcraft.mips.linux.
readfile
(path, dst='$s0')[source] Args: [path, dst (imm/reg) = $s0] Opens the file at path and writes its contents to the file descriptor dst.
pwnlib.shellcraft.mips.linux.
stager
(sock, size)[source] Reads size bytes from sock into an executable buffer and jumps to it; the socket is left in $s0. The received bytes are executed as-is with no integrity or origin check, so anything able to write to sock controls execution from that point on.
pwnlib.shellcraft.mips.linux.
syscall
(syscall=None, arg0=None, arg1=None, arg2=None, arg3=None, arg4=None, arg5=None)[source] Args: [syscall_number, *args]
Emits a system call: syscall is the syscall number (or a SYS_* constant name) and arg0..arg5 are its arguments. Arguments left as None are not set and appear as '?' in the generated comment (see the example below); with no arguments at all only the bare syscall instruction is emitted.
Any of the arguments can be an expression string evaluated by
pwnlib.constants.eval()
, so the emitted code depends on context.os at generation time (see mov). Example
>>> print pwnlib.shellcraft.mips.linux.syscall('SYS_execve', 1, '$sp', 2, 0).rstrip() /* call execve(1, '$sp', 2, 0) */ li $t9, ~1 not $a0, $t9 add $a1, $sp, $0 /* mov $a1, $sp */ li $t9, ~2 not $a2, $t9 slti $a3, $zero, 0xFFFF /* $a3 = 0 */ ori $v0, $zero, SYS_execve syscall 0x40404 >>> print pwnlib.shellcraft.mips.linux.syscall('SYS_execve', 2, 1, 0, 20).rstrip() /* call execve(2, 1, 0, 0x14) */ li $t9, ~2 not $a0, $t9 li $t9, ~1 not $a1, $t9 slti $a2, $zero, 0xFFFF /* $a2 = 0 */ li $t9, ~0x14 not $a3, $t9 ori $v0, $zero, SYS_execve syscall 0x40404 >>> print pwnlib.shellcraft.mips.linux.syscall().rstrip() /* call syscall() */ syscall 0x40404 >>> print pwnlib.shellcraft.mips.linux.syscall('$v0', '$a0', '$a1').rstrip() /* call syscall('$v0', '$a0', '$a1') */ /* setregs noop */ syscall 0x40404 >>> print pwnlib.shellcraft.mips.linux.syscall('$a3', None, None, 1).rstrip() /* call syscall('$a3', ?, ?, 1) */ li $t9, ~1 not $a2, $t9 sw $a3, -4($sp) /* mov $v0, $a3 */ lw $v0, -4($sp) syscall 0x40404 >>> print pwnlib.shellcraft.mips.linux.syscall( ... 'SYS_mmap2', 0, 0x1000, ... 'PROT_READ | PROT_WRITE | PROT_EXEC', ... 'MAP_PRIVATE | MAP_ANONYMOUS', ... -1, 0).rstrip() /* call mmap2(0, 0x1000, 'PROT_READ | PROT_WRITE | PROT_EXEC', 'MAP_PRIVATE | MAP_ANONYMOUS', -1, 0) */ slti $a0, $zero, 0xFFFF /* $a0 = 0 */ li $t9, ~0x1000 not $a1, $t9 li $t9, ~(PROT_READ | PROT_WRITE | PROT_EXEC) /* 7 */ not $a2, $t9 ori $a3, $zero, (MAP_PRIVATE | MAP_ANONYMOUS) ori $v0, $zero, SYS_mmap2 syscall 0x40404 >>> print pwnlib.shellcraft.open('/home/pwn/flag').rstrip() /* open(file='/home/pwn/flag', oflag=0, mode=0) */ /* push '/home/pwn/flag\x00' */ li $t1, 0x6d6f682f sw $t1, -16($sp) li $t1, 0x77702f65 sw $t1, -12($sp) li $t1, 0x6c662f6e sw $t1, -8($sp) ori $t1, $zero, 26465 sw $t1, -4($sp) addiu $sp, $sp, -16 add $a0, $sp, $0 /* mov $a0, $sp */ slti $a1, $zero, 0xFFFF /* $a1 = 0 */ slti $a2, $zero, 0xFFFF /* $a2 = 0 */ /* call open() */ ori $v0, $zero, SYS_open syscall 0x40404