pwnlib.rop.call — Return Oriented Programming Function Calling

Abstracting ROP calls

class pwnlib.rop.call.AppendedArgument(value, address=0)[source]

Encapsulates information about a pointer argument, and the data which is pointed to, where the absolute address of the data must be known, and the data can be appended to the ROP chain.

Examples

>>> context.clear()
>>> context.arch = 'amd64'
>>> u = AppendedArgument([1,2,b'hello',3])
>>> len(u)
32
>>> u.resolve()
[1, 2, b'hello\x00$$', 3]
>>> u = AppendedArgument([1,2,[b'hello'],3])
>>> u.resolve()
[1, 2, 32, 3, b'hello\x00$$']
>>> u.resolve(10000)
[1, 2, 10032, 3, b'hello\x00$$']
>>> u.address = 20000
>>> u.resolve()
[1, 2, 20032, 3, b'hello\x00$$']
>>> u = AppendedArgument([[[[[[[[[b'pointers!']]]]]]]]], 1000)
>>> u.resolve()
[1008, 1016, 1024, 1032, 1040, 1048, 1056, 1064, b'pointers!\x00$$$$$$']
__init__(value, address=0)[source]

x.__init__(…) initializes x; see help(type(x)) for signature

__repr__() <==> repr(x)[source]
resolve(addr=None)[source]

Return a flat list of int or bytes objects which can be passed to flat().

Parameters:addr (int) – Address at which the data starts in memory. If None, self.addr is used.
address[source]

Absolute address of the target data in memory. When modified, updates recursively.

name = None[source]

Symbolic name of the value.

size = 0[source]

The size of the fully-resolved argument, in bytes

values = [][source]

The values to be placed at a known location

A list of any of the following types: - int - str - UnresolvedArgument (allows nesting)

class pwnlib.rop.call.Call(name, target, args, abi=None, before=())[source]

Encapsulates ABI-agnostic information about a function call, which is to be executed with ROP.

All non-integer arguments are assumed to be pointer arguments. The raw data is placed at the end of the ROP chain, and the argument is replaced with an exact pointer to the argument.

Example

>>> Call('system', 0xdeadbeef, [1, 2, b'/bin/sh'])
Call('system', 0xdeadbeef, [1, 2, AppendedArgument([b'/bin/sh'], 0x0)])
__init__(name, target, args, abi=None, before=())[source]

x.__init__(…) initializes x; see help(type(x)) for signature

__repr__() <==> repr(x)[source]
__str__() <==> str(x)[source]
__weakref__[source]

list of weak references to the object (if defined)

args = [][source]

Arguments to the call

name = None[source]

Pretty name of the call target, e.g. ‘system’

target = 0[source]

Address of the call target

class pwnlib.rop.call.CurrentStackPointer[source]

Unresolved argument which will be replaced with the address of itself.

class pwnlib.rop.call.NextGadgetAddress[source]

Unresolved argument which will be replaced with the address of the next gadget on the stack.

This is useful for gadgets which set the stack pointer to an absolute value, when we wish to continue “execution” of the ROP stack at the next gadget. In particular, SROP needs this.

class pwnlib.rop.call.StackAdjustment[source]

Placeholder for a ROP gadget which will adjust the stack pointer such that “execution” continues at the next ROP gadget.

This is necessary for ABIs which place arguments on the stack.

If no stack adjustment is necessary (e.g. a call with no stack-based arguments), no data is emitted and the ROP will fall-through to the next gadget.

class pwnlib.rop.call.Unresolved[source]

Encapsulates logic for deferring evaluation of a value used in a ROP chain which is in some way self-referential.

For example, it may be necessary to point to arbitrary data appended to the ROP chain, but whose address is not known until the full ROP chain is complete (because the data is appended after all of the gadgets).

__weakref__[source]

list of weak references to the object (if defined)