pwnlib.shellcraft.i386
— Shellcode for Intel 80386
pwnlib.shellcraft.i386
Shellcraft module containing generic Intel i386 shellcodes.
- pwnlib.shellcraft.i386.crash()[source]
Crash.
Example
>>> run_assembly(shellcraft.crash()).poll(True) -11
- pwnlib.shellcraft.i386.epilog(nargs=0)[source]
Function epilogue.
- Parameters
nargs (int) – Number of arguments to pop off the stack.
- pwnlib.shellcraft.i386.function(name, template_function, *registers)[source]
Converts a shellcraft template into a callable function.
- Parameters
>>> shellcode = '' >>> shellcode += shellcraft.function('write', shellcraft.i386.linux.write, ) >>> hello = shellcraft.i386.linux.echo("Hello!", 'eax') >>> hello_fn = shellcraft.i386.function(hello, 'eax').strip() >>> exit = shellcraft.i386.linux.exit('edi') >>> exit_fn = shellcraft.i386.function(exit, 'edi').strip() >>> shellcode = ''' ... push STDOUT_FILENO ... call hello ... push 33 ... call exit ... hello: ... %(hello_fn)s ... exit: ... %(exit_fn)s ... ''' % (locals()) >>> p = run_assembly(shellcode) >>> p.recvall() b'Hello!' >>> p.wait_for_close() >>> p.poll() 33
Notes
Can only be used on a shellcraft template which takes all of its arguments as registers. For example, the pushstr
- pwnlib.shellcraft.i386.getpc(register='ecx')[source]
Retrieves the value of EIP, stores it in the desired register.
- Parameters
return_value – Value to return
- pwnlib.shellcraft.i386.itoa(v, buffer='esp', allocate_stack=True)[source]
Converts an integer into its string representation, and pushes it onto the stack.
Example
>>> sc = shellcraft.i386.mov('eax', 0xdeadbeef) >>> sc += shellcraft.i386.itoa('eax') >>> sc += shellcraft.i386.linux.write(1, 'esp', 32) >>> run_assembly(sc).recvuntil(b'\x00') b'3735928559\x00'
- pwnlib.shellcraft.i386.memcpy(dest, src, n)[source]
Copies memory.
- Parameters
dest – Destination address
src – Source address
n – Number of bytes
- pwnlib.shellcraft.i386.mov(dest, src, stack_allowed=True)[source]
Move src into dest without newlines and null bytes.
If the src is a register smaller than the dest, then it will be zero-extended to fit inside the larger register.
If the src is a register larger than the dest, then only some of the bits will be used.
If src is a string that is not a register, then it will locally set context.arch to ‘i386’ and use
pwnlib.constants.eval()
to evaluate the string. Note that this means that this shellcode can change behavior depending on the value of context.os.- Parameters
Example
>>> print(shellcraft.i386.mov('eax','ebx').rstrip()) mov eax, ebx >>> print(shellcraft.i386.mov('eax', 0).rstrip()) xor eax, eax >>> print(shellcraft.i386.mov('ax', 0).rstrip()) xor ax, ax >>> print(shellcraft.i386.mov('ax', 17).rstrip()) xor ax, ax mov al, 0x11 >>> print(shellcraft.i386.mov('edi', ord('\n')).rstrip()) push 9 /* mov edi, '\n' */ pop edi inc edi >>> print(shellcraft.i386.mov('al', 'ax').rstrip()) /* moving ax into al, but this is a no-op */ >>> print(shellcraft.i386.mov('al','ax').rstrip()) /* moving ax into al, but this is a no-op */ >>> print(shellcraft.i386.mov('esp', 'esp').rstrip()) /* moving esp into esp, but this is a no-op */ >>> print(shellcraft.i386.mov('ax', 'bl').rstrip()) movzx ax, bl >>> print(shellcraft.i386.mov('eax', 1).rstrip()) push 1 pop eax >>> print(shellcraft.i386.mov('eax', 1, stack_allowed=False).rstrip()) xor eax, eax mov al, 1 >>> print(shellcraft.i386.mov('eax', 0xdead00ff).rstrip()) mov eax, -0xdead00ff neg eax >>> print(shellcraft.i386.mov('eax', 0xc0).rstrip()) xor eax, eax mov al, 0xc0 >>> print(shellcraft.i386.mov('edi', 0xc0).rstrip()) mov edi, -0xc0 neg edi >>> print(shellcraft.i386.mov('eax', 0xc000).rstrip()) xor eax, eax mov ah, 0xc000 >> 8 >>> print(shellcraft.i386.mov('eax', 0xffc000).rstrip()) mov eax, 0x1010101 xor eax, 0x1010101 ^ 0xffc000 >>> print(shellcraft.i386.mov('edi', 0xc000).rstrip()) mov edi, (-1) ^ 0xc000 not edi >>> print(shellcraft.i386.mov('edi', 0xf500).rstrip()) mov edi, 0x1010101 xor edi, 0x1010101 ^ 0xf500 >>> print(shellcraft.i386.mov('eax', 0xc0c0).rstrip()) xor eax, eax mov ax, 0xc0c0 >>> print(shellcraft.i386.mov('eax', 'SYS_execve').rstrip()) push SYS_execve /* 0xb */ pop eax >>> with context.local(os='freebsd'): ... print(shellcraft.i386.mov('eax', 'SYS_execve').rstrip()) push SYS_execve /* 0x3b */ pop eax >>> print(shellcraft.i386.mov('eax', 'PROT_READ | PROT_WRITE | PROT_EXEC').rstrip()) push (PROT_READ | PROT_WRITE | PROT_EXEC) /* 7 */ pop eax
- pwnlib.shellcraft.i386.push(value)[source]
Pushes a value onto the stack without using null bytes or newline characters.
If src is a string, then we try to evaluate with context.arch = ‘i386’ using
pwnlib.constants.eval()
before determining how to push it. Note that this means that this shellcode can change behavior depending on the value of context.os.Example
>>> print(pwnlib.shellcraft.i386.push(0).rstrip()) /* push 0 */ push 1 dec byte ptr [esp] >>> print(pwnlib.shellcraft.i386.push(1).rstrip()) /* push 1 */ push 1 >>> print(pwnlib.shellcraft.i386.push(256).rstrip()) /* push 0x100 */ push 0x1010201 xor dword ptr [esp], 0x1010301 >>> print(pwnlib.shellcraft.i386.push('SYS_execve').rstrip()) /* push SYS_execve (0xb) */ push 0xb >>> print(pwnlib.shellcraft.i386.push('SYS_sendfile').rstrip()) /* push SYS_sendfile (0xbb) */ push 0x1010101 xor dword ptr [esp], 0x10101ba >>> with context.local(os = 'freebsd'): ... print(pwnlib.shellcraft.i386.push('SYS_execve').rstrip()) /* push SYS_execve (0x3b) */ push 0x3b
- pwnlib.shellcraft.i386.pushstr(string, append_null=True)[source]
Pushes a string onto the stack without using null bytes or newline characters.
Example
>>> print(shellcraft.i386.pushstr('').rstrip()) /* push '\x00' */ push 1 dec byte ptr [esp] >>> print(shellcraft.i386.pushstr('a').rstrip()) /* push 'a\x00' */ push 0x61 >>> print(shellcraft.i386.pushstr('aa').rstrip()) /* push 'aa\x00' */ push 0x1010101 xor dword ptr [esp], 0x1016060 >>> print(shellcraft.i386.pushstr('aaa').rstrip()) /* push 'aaa\x00' */ push 0x1010101 xor dword ptr [esp], 0x1606060 >>> print(shellcraft.i386.pushstr('aaaa').rstrip()) /* push 'aaaa\x00' */ push 1 dec byte ptr [esp] push 0x61616161 >>> print(shellcraft.i386.pushstr('aaaaa').rstrip()) /* push 'aaaaa\x00' */ push 0x61 push 0x61616161 >>> print(shellcraft.i386.pushstr('aaaa', append_null = False).rstrip()) /* push 'aaaa' */ push 0x61616161 >>> print(shellcraft.i386.pushstr(b'\xc3').rstrip()) /* push b'\xc3\x00' */ push 0x1010101 xor dword ptr [esp], 0x10101c2 >>> print(shellcraft.i386.pushstr(b'\xc3', append_null = False).rstrip()) /* push b'\xc3' */ push -0x3d >>> with context.local(): ... context.arch = 'i386' ... print(enhex(asm(shellcraft.pushstr("/bin/sh")))) 68010101018134242e726901682f62696e >>> with context.local(): ... context.arch = 'i386' ... print(enhex(asm(shellcraft.pushstr("")))) 6a01fe0c24 >>> with context.local(): ... context.arch = 'i386' ... print(enhex(asm(shellcraft.pushstr("\x00", False)))) 6a01fe0c24
- pwnlib.shellcraft.i386.pushstr_array(reg, array)[source]
Pushes an array/envp-style array of pointers onto the stack.
- pwnlib.shellcraft.i386.ret(return_value=None)[source]
A single-byte RET instruction.
- Parameters
return_value – Value to return
- pwnlib.shellcraft.i386.setregs(reg_context, stack_allowed=True)[source]
Sets multiple registers, taking any register dependencies into account (i.e., given eax=1,ebx=eax, set ebx first).
- Parameters
Example
>>> print(shellcraft.setregs({'eax':1, 'ebx':'eax'}).rstrip()) mov ebx, eax push 1 pop eax >>> print(shellcraft.setregs({'eax':'ebx', 'ebx':'eax', 'ecx':'ebx'}).rstrip()) mov ecx, ebx xchg eax, ebx
- pwnlib.shellcraft.i386.stackarg(index, register)[source]
Loads a stack-based argument into a register.
Assumes that the ‘prolog’ code was used to save EBP.
- pwnlib.shellcraft.i386.stackhunter(cookie=0xe4fffc75)[source]
Returns an an egghunter, which searches from esp and upwards for a cookie. However to save bytes, it only looks at a single 4-byte alignment. Use the function stackhunter_helper to generate a suitable cookie prefix for you.
The default cookie has been chosen, because it makes it possible to shave two bytes, but other cookies can be used too.
Example
>>> with context.local(arch='i386'): ... print(enhex(asm(shellcraft.stackhunter()))) 583d75fcffe4ebfa >>> with context.local(arch='i386'): ... print(enhex(asm(shellcraft.stackhunter(0x7afceb58)))) 3d58ebfc7a75faffe4 >>> with context.local(arch='i386'): ... print(enhex(asm(shellcraft.stackhunter(0xdeadbeef)))) 583defbeadde75f8ffe4
- pwnlib.shellcraft.i386.stackhunter_helper(cookie=0xe4fffc75)[source]
The helper for the stackhunter, which prepends the cookie at different alignments.
Example
>>> with context.local(arch='i386'): ... print(enhex(asm(shellcraft.stackhunter_helper()))) 75fcffe43d75fcffe43d75fcffe43d75fcffe4
- pwnlib.shellcraft.i386.strcpy(dst, src)[source]
Copies a string
Example
>>> sc = 'jmp get_str\n' >>> sc += 'pop_str: pop eax\n' >>> sc += shellcraft.i386.strcpy('esp', 'eax') >>> sc += shellcraft.i386.linux.write(1, 'esp', 32) >>> sc += shellcraft.i386.linux.exit(0) >>> sc += 'get_str: call pop_str\n' >>> sc += '.asciz "Hello, world\\n"' >>> run_assembly(sc).recvline() b'Hello, world\n'
- pwnlib.shellcraft.i386.strlen(string, reg='ecx')[source]
Calculate the length of the specified string.
- Parameters
Example
>>> sc = 'jmp get_str\n' >>> sc += 'pop_str: pop eax\n' >>> sc += shellcraft.i386.strlen('eax') >>> sc += 'push ecx;' >>> sc += shellcraft.i386.linux.write(1, 'esp', 4) >>> sc += shellcraft.i386.linux.exit(0) >>> sc += 'get_str: call pop_str\n' >>> sc += '.asciz "Hello, world\\n"' >>> run_assembly(sc).unpack() == len('Hello, world\n') True
- pwnlib.shellcraft.i386.xor(key, address, count)[source]
XORs data a constant value.
- Parameters
key (int,str) – XOR key either as a 4-byte integer, If a string, length must be a power of two, and not longer than 4 bytes. Alternately, may be a register.
address (int) – Address of the data (e.g. 0xdead0000, ‘esp’)
count (int) – Number of bytes to XOR, or a register containing the number of bytes to XOR.
Example
>>> sc = shellcraft.read(0, 'esp', 32) >>> sc += shellcraft.xor(0xdeadbeef, 'esp', 32) >>> sc += shellcraft.write(1, 'esp', 32) >>> io = run_assembly(sc) >>> io.send(cyclic(32)) >>> result = io.recvn(32) >>> expected = xor(cyclic(32), p32(0xdeadbeef)) >>> result == expected True
pwnlib.shellcraft.i386.linux
Shellcraft module containing Intel i386 shellcodes for Linux.
- pwnlib.shellcraft.i386.linux.acceptloop_ipv4(port)[source]
- Parameters
port (int) – the listening port
Waits for a connection. Leaves socket in EBP. ipv4 only
- pwnlib.shellcraft.i386.linux.cat(filename, fd=1)[source]
Opens a file and writes its contents to the specified file descriptor.
Example
>>> f = tempfile.mktemp() >>> write(f, 'FLAG') >>> run_assembly(shellcraft.i386.linux.cat(f)).recvall() b'FLAG'
- pwnlib.shellcraft.i386.linux.cat2(filename, fd=1, length=16384)[source]
Opens a file and writes its contents to the specified file descriptor. Uses an extra stack buffer and must know the length.
Example
>>> f = tempfile.mktemp() >>> write(f, 'FLAG') >>> run_assembly(shellcraft.i386.linux.cat2(f)).recvall() b'FLAG'
- pwnlib.shellcraft.i386.linux.connect(host, port, network='ipv4')[source]
Connects to the host on the specified port. Leaves the connected socket in edx
- Parameters
Examples
>>> l = listen(timeout=5) >>> assembly = shellcraft.i386.linux.connect('localhost', l.lport) >>> assembly += shellcraft.i386.pushstr('Hello') >>> assembly += shellcraft.i386.linux.write('edx', 'esp', 5) >>> p = run_assembly(assembly) >>> l.wait_for_connection().recv() b'Hello'
>>> l = listen(fam='ipv6', timeout=5) >>> assembly = shellcraft.i386.linux.connect('::1', l.lport, 'ipv6') >>> p = run_assembly(assembly) >>> assert l.wait_for_connection()
- pwnlib.shellcraft.i386.linux.connectstager(host, port, network='ipv4')[source]
connect recvsize stager :param host: :param where to connect to: :param port: :param which port to connect to: :param network: ipv4) :param ipv4 or ipv6? (default: ipv4)
- pwnlib.shellcraft.i386.linux.dir(in_fd='ebp', size=2048, allocate_stack=True)[source]
Reads to the stack from a directory.
- Parameters
You can optioanlly shave a few bytes not allocating the stack space.
The size read is left in eax.
- pwnlib.shellcraft.i386.linux.dupio(sock='ebp')[source]
Args: [sock (imm/reg) = ebp] Duplicates sock to stdin, stdout and stderr
- pwnlib.shellcraft.i386.linux.dupsh(sock='ebp')[source]
Args: [sock (imm/reg) = ebp] Duplicates sock to stdin, stdout and stderr and spawns a shell.
- pwnlib.shellcraft.i386.linux.echo(string, sock='1')[source]
Writes a string to a file descriptor
Example
>>> run_assembly(shellcraft.echo('hello', 1)).recvall() b'hello'
- pwnlib.shellcraft.i386.linux.egghunter(egg, start_address=0)[source]
Searches memory for the byte sequence ‘egg’.
Return value is the address immediately following the match, stored in RDI.
- pwnlib.shellcraft.i386.linux.findpeer(port=None)[source]
Args: port (defaults to any port) Finds a socket, which is connected to the specified port. Leaves socket in ESI.
- pwnlib.shellcraft.i386.linux.findpeersh(port=None)[source]
Args: port (defaults to any) Finds an open socket which connects to a specified port, and then opens a dup2 shell on it.
- pwnlib.shellcraft.i386.linux.findpeerstager(port=None)[source]
Findpeer recvsize stager :param port: :type port: defaults to any :param the port given to findpeer: :type the port given to findpeer: defaults to any
- pwnlib.shellcraft.i386.linux.forkexit()[source]
Attempts to fork. If the fork is successful, the parent exits.
- pwnlib.shellcraft.i386.linux.i386_to_amd64()[source]
Returns code to switch from i386 to amd64 mode. Trashes eax.
- pwnlib.shellcraft.i386.linux.kill(pid, sig) str [source]
Invokes the syscall kill.
See ‘man 2 kill’ for more information.
- Parameters
pid (pid_t) – pid
sig (int) – sig
- Returns
int
- pwnlib.shellcraft.i386.linux.killparent()[source]
Kills its parent process until whatever the parent is (probably init) cannot be killed any longer.
- pwnlib.shellcraft.i386.linux.loader(address)[source]
Loads a statically-linked ELF into memory and transfers control.
- Parameters
address (int) – Address of the ELF as a register or integer.
- pwnlib.shellcraft.i386.linux.loader_append(data=None)[source]
Loads a statically-linked ELF into memory and transfers control.
Similar to loader.asm but loads an appended ELF.
- Parameters
data (str) – If a valid filename, the data is loaded from the named file. Otherwise, this is treated as raw ELF data to append. If
None
, it is ignored.
Example
>>> payload = shellcraft.echo(b'Hello, world!\n') + shellcraft.exit(0) >>> payloadELF = ELF.from_assembly(payload) >>> payloadELF.arch 'i386' >>> loader = shellcraft.loader_append(payloadELF.data) >>> loaderELF = ELF.from_assembly(loader, vma=0, shared=True) >>> loaderELF.process().recvall() b'Hello, world!\n'
- pwnlib.shellcraft.i386.linux.mprotect_all(clear_ebx=True, fix_null=False)[source]
Calls mprotect(page, 4096, PROT_READ | PROT_WRITE | PROT_EXEC) for every page.
It takes around 0.3 seconds on my box, but your milage may vary.
- pwnlib.shellcraft.i386.linux.pidmax()[source]
Retrieves the highest numbered PID on the system, according to the sysctl kernel.pid_max.
- pwnlib.shellcraft.i386.linux.readfile(path, dst='esi')[source]
Args: [path, dst (imm/reg) = esi ] Opens the specified file path and sends its content to the specified file descriptor.
- pwnlib.shellcraft.i386.linux.readn(fd, buf, nbytes)[source]
Reads exactly nbytes bytes from file descriptor fd into the buffer buf.
- Parameters
fd (int) – fd
buf (void) – buf
nbytes (size_t) – nbytes
- pwnlib.shellcraft.i386.linux.recvsize(sock, reg='ecx')[source]
Recives 4 bytes size field Useful in conjuncion with findpeer and stager :param sock: :param the socket to read the payload from.: :param reg: :type reg: default ecx :param the place to put the size: :type the place to put the size: default ecx
Leaves socket in ebx
- pwnlib.shellcraft.i386.linux.setregid(gid='egid')[source]
Args: [gid (imm/reg) = egid] Sets the real and effective group id.
- pwnlib.shellcraft.i386.linux.setresuid(ruid=None, euid=None, suid=None)[source]
Args: [ruid = geteuid(), euid = ruid, suid = ruid] Sets real, effective and saved user ids to given values
- pwnlib.shellcraft.i386.linux.setreuid(uid='euid')[source]
Args: [uid (imm/reg) = euid] Sets the real and effective user id.
- pwnlib.shellcraft.i386.linux.sh()[source]
Execute a different process.
>>> p = run_assembly(shellcraft.i386.linux.sh()) >>> p.sendline(b'echo Hello') >>> p.recv() b'Hello\n'
- pwnlib.shellcraft.i386.linux.sleep(seconds)[source]
Sleeps for the specified amount of seconds.
Uses SYS_nanosleep under the hood. Doesn’t check for interrupts and doesn’t retry with the remaining time.
- pwnlib.shellcraft.i386.linux.socketcall(socketcall, socket, sockaddr, sockaddr_len)[source]
Invokes a socket call (e.g. socket, send, recv, shutdown)
- pwnlib.shellcraft.i386.linux.stage(fd=0, length=None)[source]
Migrates shellcode to a new buffer.
- Parameters
Example
>>> p = run_assembly(shellcraft.stage()) >>> sc = asm(shellcraft.echo("Hello\n", constants.STDOUT_FILENO)) >>> p.pack(len(sc)) >>> p.send(sc) >>> p.recvline() b'Hello\n'
- pwnlib.shellcraft.i386.linux.stager(sock, size, handle_error=False, tiny=False)[source]
Recives a fixed sized payload into a mmaped buffer Useful in conjuncion with findpeer. :param sock: :param the socket to read the payload from.: :param size: :param the size of the payload:
Example
>>> stage_2 = asm(shellcraft.echo('hello') + "\n" + shellcraft.syscalls.exit(42)) >>> p = run_assembly(shellcraft.stager(0, len(stage_2))) >>> for c in bytearray(stage_2): ... p.write(bytearray((c,))) >>> p.wait_for_close() >>> p.poll() 42 >>> p.recvall() b'hello'
- pwnlib.shellcraft.i386.linux.syscall(syscall=None, arg0=None, arg1=None, arg2=None, arg3=None, arg4=None, arg5=None)[source]
- Args: [syscall_number, *args]
Does a syscall
Any of the arguments can be expressions to be evaluated by
pwnlib.constants.eval()
.Example
>>> print(pwnlib.shellcraft.i386.linux.syscall('SYS_execve', 1, 'esp', 2, 0).rstrip()) /* call execve(1, 'esp', 2, 0) */ push SYS_execve /* 0xb */ pop eax push 1 pop ebx mov ecx, esp push 2 pop edx xor esi, esi int 0x80 >>> print(pwnlib.shellcraft.i386.linux.syscall('SYS_execve', 2, 1, 0, 20).rstrip()) /* call execve(2, 1, 0, 0x14) */ push SYS_execve /* 0xb */ pop eax push 2 pop ebx push 1 pop ecx push 0x14 pop esi cdq /* edx=0 */ int 0x80 >>> print(pwnlib.shellcraft.i386.linux.syscall().rstrip()) /* call syscall() */ int 0x80 >>> print(pwnlib.shellcraft.i386.linux.syscall('eax', 'ebx', 'ecx').rstrip()) /* call syscall('eax', 'ebx', 'ecx') */ /* setregs noop */ int 0x80 >>> print(pwnlib.shellcraft.i386.linux.syscall('ebp', None, None, 1).rstrip()) /* call syscall('ebp', ?, ?, 1) */ mov eax, ebp push 1 pop edx int 0x80 >>> print(pwnlib.shellcraft.i386.linux.syscall( ... 'SYS_mmap2', 0, 0x1000, ... 'PROT_READ | PROT_WRITE | PROT_EXEC', ... 'MAP_PRIVATE | MAP_ANONYMOUS', ... -1, 0).rstrip()) /* call mmap2(0, 0x1000, 'PROT_READ | PROT_WRITE | PROT_EXEC', 'MAP_PRIVATE | MAP_ANONYMOUS', -1, 0) */ xor eax, eax mov al, 0xc0 xor ebp, ebp xor ebx, ebx xor ecx, ecx mov ch, 0x1000 >> 8 push -1 pop edi push (PROT_READ | PROT_WRITE | PROT_EXEC) /* 7 */ pop edx push (MAP_PRIVATE | MAP_ANONYMOUS) /* 0x22 */ pop esi int 0x80 >>> print(pwnlib.shellcraft.open('/home/pwn/flag').rstrip()) /* open(file='/home/pwn/flag', oflag=0, mode=0) */ /* push b'/home/pwn/flag\x00' */ push 0x1010101 xor dword ptr [esp], 0x1016660 push 0x6c662f6e push 0x77702f65 push 0x6d6f682f mov ebx, esp xor ecx, ecx xor edx, edx /* call open() */ push SYS_open /* 5 */ pop eax int 0x80
pwnlib.shellcraft.i386.freebsd
Shellcraft module containing Intel i386 shellcodes for FreeBSD.
- pwnlib.shellcraft.i386.freebsd.acceptloop_ipv4(port)[source]
Args: port Waits for a connection. Leaves socket in EBP. ipv4 only
- pwnlib.shellcraft.i386.freebsd.i386_to_amd64()[source]
Returns code to switch from i386 to amd64 mode. Trashes eax.
- pwnlib.shellcraft.i386.freebsd.syscall(syscall=None, arg0=None, arg1=None, arg2=None, arg3=None, arg4=None, arg5=None)[source]
- Args: [syscall_number, *args]
Does a syscall
Any of the arguments can be expressions to be evaluated by
pwnlib.constants.eval()
.Example
>>> print(pwnlib.shellcraft.i386.freebsd.syscall('SYS_execve', 1, 'esp', 2, 0).rstrip()) /* call execve(1, 'esp', 2, 0) */ push SYS_execve /* 0x3b */ pop eax /* push 0 */ push 1 dec byte ptr [esp] /* push 2 */ push 2 push esp /* push 1 */ push 1 /* push padding DWORD */ push eax int 0x80 >>> print(pwnlib.shellcraft.i386.freebsd.syscall('SYS_execve', 2, 1, 0, 20).rstrip()) /* call execve(2, 1, 0, 0x14) */ push SYS_execve /* 0x3b */ pop eax /* push 0x14 */ push 0x14 /* push 0 */ push 1 dec byte ptr [esp] /* push 1 */ push 1 /* push 2 */ push 2 /* push padding DWORD */ push eax int 0x80 >>> print(pwnlib.shellcraft.i386.freebsd.syscall().rstrip()) /* call syscall() */ /* setregs noop */ /* push padding DWORD */ push eax int 0x80 >>> print(pwnlib.shellcraft.i386.freebsd.syscall('eax', 'ebx', 'ecx').rstrip()) /* call syscall('eax', 'ebx', 'ecx') */ /* setregs noop */ push ecx push ebx /* push padding DWORD */ push eax int 0x80