pwnlib.shellcraft.aarch64 — Shellcode for AArch64

pwnlib.shellcraft.aarch64

pwnlib.shellcraft.aarch64.infloop()[source]

An infinite loop.

pwnlib.shellcraft.aarch64.mov(dst, src)[source]

Move src into dest.

Support for automatically avoiding newline and null bytes has to be done.

If src is a string that is not a register, then it will locally set context.arch to ‘arm’ and use pwnlib.constants.eval() to evaluate the string. Note that this means that this shellcode can change behavior depending on the value of context.os.

Examples

>>> print shellcraft.aarch64.mov('x0','x1').rstrip()
    mov  x0, x1
>>> print shellcraft.aarch64.mov('x0','0').rstrip()
    mov  x0, xzr
>>> print shellcraft.aarch64.mov('x0', 5).rstrip()
    mov  x0, #5
>>> print shellcraft.aarch64.mov('x0', 0x34532).rstrip()
    /* Set x0 = 214322 = 0x34532 */
    mov  x0, #17714
    movk x0, #3, lsl #16
Parameters:
  • dest (str) – The destination register.
  • src (str) – Either the input register, or an immediate value.
pwnlib.shellcraft.aarch64.pushstr(string, append_null=True, register='r12')[source]

Pushes a string onto the stack.

r12 is defined as the inter-procedural scratch register ($ip), so this should not interfere with most usage.

Parameters:
  • string (str) – The string to push.
  • append_null (bool) – Whether to append a single NULL-byte before pushing.
  • register (str) – Temporary register to use. By default, R7 is used.

Examples

>>> print shellcraft.aarch64.pushstr("Hello!").rstrip()
    /* push 'Hello!\x00\x00' */
    sub sp, sp, #16
    /* Set x0 = 36762444129608 = 0x216f6c6c6548 */
    mov  x0, #25928
    movk x0, #27756, lsl #16
    movk x0, #8559, lsl #0x20
    stur x0, [sp, #16 * 0]
pwnlib.shellcraft.aarch64.setregs(reg_context, stack_allowed=True)[source]

Sets multiple registers, taking any register dependencies into account (i.e., given eax=1,ebx=eax, set ebx first).

Parameters:
  • reg_context (dict) – Desired register context
  • stack_allowed (bool) – Can the stack be used?

Example

>>> print shellcraft.setregs({'x0':1, 'x2':'x3'}).rstrip()
    mov  x0, #1
    mov  x2, x3
>>> print shellcraft.setregs({'x0':'x1', 'x1':'x0', 'x2':'x3'}).rstrip()
    mov  x2, x3
    eor  x0, x0, x1 /* xchg x0, x1 */
    eor  x1, x0, x1
    eor  x0, x0, x1
pwnlib.shellcraft.aarch64.xor(key, address, count)[source]

XORs data a constant value.

Parameters:
  • key (int,str) – XOR key either as a 4-byte integer, If a string, length must be a power of two, and not longer than 4 bytes.
  • address (int) – Address of the data (e.g. 0xdead0000, ‘rsp’)
  • count (int) – Number of bytes to XOR.

Example

>>> sc  = shellcraft.read(0, 'sp', 32)
>>> sc += shellcraft.xor(0xdeadbeef, 'sp', 32)
>>> sc += shellcraft.write(1, 'sp', 32)
>>> io = run_assembly(sc)
>>> io.send(cyclic(32))
>>> result = io.recvn(32)
>>> expected = xor(cyclic(32), p32(0xdeadbeef))
>>> result == expected
True

pwnlib.shellcraft.aarch64.linux

pwnlib.shellcraft.aarch64.linux.cat(filename, fd=1)[source]

Opens a file and writes its contents to the specified file descriptor.

Example

>>> write('flag', 'This is the flag\n')
>>> shellcode = shellcraft.cat('flag') + shellcraft.exit(0)
>>> print disasm(asm(shellcode))
   0:   d10043ff        sub     sp, sp, #0x10
   4:   d28d8cc0        mov     x0, #0x6c66                     // #27750
   8:   f2acec20        movk    x0, #0x6761, lsl #16
   c:   f80003e0        stur    x0, [sp]
  10:   910003e0        mov     x0, sp
  14:   aa1f03e1        mov     x1, xzr
  18:   aa1f03e2        mov     x2, xzr
  1c:   d2808008        mov     x8, #0x400                      // #1024
  20:   d4000001        svc     #0x0
  24:   aa0003e1        mov     x1, x0
  28:   d2800020        mov     x0, #0x1                        // #1
  2c:   aa1f03e2        mov     x2, xzr
  30:   d29fffe3        mov     x3, #0xffff                     // #65535
  34:   f2afffe3        movk    x3, #0x7fff, lsl #16
  38:   d28008e8        mov     x8, #0x47                       // #71
  3c:   d4000001        svc     #0x0
  40:   aa1f03e0        mov     x0, xzr
  44:   d2800ba8        mov     x8, #0x5d                       // #93
  48:   d4000001        svc     #0x0
>>> run_assembly(shellcode).recvline()
'This is the flag\n'
pwnlib.shellcraft.aarch64.linux.connect(host, port, network='ipv4')[source]

Connects to the host on the specified port. Network is either ‘ipv4’ or ‘ipv6’. Leaves the connected socket in x12.

pwnlib.shellcraft.aarch64.linux.echo(string, sock='1')[source]

Writes a string to a file descriptor

Example

>>> run_assembly(shellcraft.echo('hello\n', 1)).recvline()
'hello\n'
pwnlib.shellcraft.aarch64.linux.forkexit()[source]

Attempts to fork. If the fork is successful, the parent exits.

pwnlib.shellcraft.aarch64.linux.loader(address)[source]

Loads a statically-linked ELF into memory and transfers control.

Parameters:address (int) – Address of the ELF as a register or integer.
pwnlib.shellcraft.aarch64.linux.loader_append(data=None)[source]

Loads a statically-linked ELF into memory and transfers control.

Similar to loader.asm but loads an appended ELF.

Parameters:data (str) – If a valid filename, the data is loaded from the named file. Otherwise, this is treated as raw ELF data to append. If None, it is ignored.

Example:

The following doctest is commented out because it doesn’t work on Travis for reasons I cannot diagnose. However, it should work just fine :-)

# >>> gcc = process([‘aarch64-linux-gnu-gcc’,’-xc’,’-static’,’-Wl,-Ttext-segment=0x20000000’,’-‘]) # >>> gcc.write(‘’’ # ... int main() { # ... printf(“Hello, %s!\n”, “world”); # ... } # ... ‘’‘) # >>> gcc.shutdown(‘send’) # >>> gcc.poll(True) # 0 # >>> sc = shellcraft.loader_append(‘a.out’) # >>> run_assembly(sc).recvline() # ‘Hello, world!n’
pwnlib.shellcraft.aarch64.linux.readn(fd, buf, nbytes)[source]

Reads exactly nbytes bytes from file descriptor fd into the buffer buf.

Parameters:
  • fd (int) – fd
  • buf (void) – buf
  • nbytes (size_t) – nbytes
pwnlib.shellcraft.aarch64.linux.sh()[source]

Execute a different process.

>>> p = run_assembly(shellcraft.aarch64.linux.sh())
>>> p.sendline('echo Hello')
>>> p.recv()
'Hello\n'
pwnlib.shellcraft.aarch64.linux.socket(network='ipv4', proto='tcp')[source]

Creates a new socket

pwnlib.shellcraft.aarch64.linux.stage(fd=0, length=None)[source]

Migrates shellcode to a new buffer.

Parameters:
  • fd (int) – Integer file descriptor to recv data from. Default is stdin (0).
  • length (int) – Optional buffer length. If None, the first pointer-width of data received is the length.

Example

>>> p = run_assembly(shellcraft.stage())
>>> sc = asm(shellcraft.echo("Hello\n", constants.STDOUT_FILENO))
>>> p.pack(len(sc))
>>> p.send(sc)
>>> p.recvline()
'Hello\n'
pwnlib.shellcraft.aarch64.linux.syscall(syscall=None, arg0=None, arg1=None, arg2=None, arg3=None, arg4=None, arg5=None, arg6=None)[source]
Args: [syscall_number, *args]
Does a syscall

Any of the arguments can be expressions to be evaluated by pwnlib.constants.eval().

Example

>>> print shellcraft.aarch64.linux.syscall(11, 1, 'sp', 2, 0).rstrip()
    /* call syscall(11, 1, 'sp', 2, 0) */
    mov  x0, #1
    mov  x1, sp
    mov  x2, #2
    mov  x3, xzr
    mov  x8, #11
    svc 0
>>> print shellcraft.aarch64.linux.syscall('SYS_exit', 0).rstrip()
    /* call exit(0) */
    mov  x0, xzr
    mov  x8, #SYS_exit
    svc 0
>>> print pwnlib.shellcraft.open('/home/pwn/flag').rstrip()
    /* open(file='/home/pwn/flag', oflag=0, mode=0) */
    /* push '/home/pwn/flag\x00\x00' */
    sub sp, sp, #16
    /* Set x0 = 8606431000579237935 = 0x77702f656d6f682f */
    mov  x0, #26671
    movk x0, #28015, lsl #16
    movk x0, #12133, lsl #0x20
    movk x0, #30576, lsl #0x30
    /* Set x1 = 113668128124782 = 0x67616c662f6e */
    mov  x1, #12142
    movk x1, #27750, lsl #16
    movk x1, #26465, lsl #0x20
    stp x0, x1, [sp, #16 * 0]
    mov  x0, sp
    mov  x1, xzr
    mov  x2, xzr
    /* call open() */
    mov  x8, #SYS_open
    svc 0