pwnlib.shellcraft.loongarch64 — Shellcode for LoongArch64

pwnlib.shellcraft.loongarch64

Shellcraft module containing generic LoongArch64 shellcodes.

pwnlib.shellcraft.loongarch64.mov(dst, src)

Move src into dst.

If src is a string that is not a register, then it will locally set context.arch to ‘loongarch64’ and use pwnlib.constants.eval() to evaluate the string. Note that this means that this shellcode can change behavior depending on the value of context.os.

Parameters:

• dst (str) – The destination register.

• src (str) – Either the input register, or an immediate value.

Example

>>> print(shellcraft.loongarch64.mov('t0', 0).rstrip())
    li.d     $t0, 0
>>> print(shellcraft.loongarch64.mov('t0', 0x2000).rstrip())
    li.d     $t0, 8192
>>> print(shellcraft.loongarch64.mov('t0', 0xcafebabe).rstrip())
    li.d     $t0, 3405691582
>>> print(shellcraft.loongarch64.mov('t1', 'sp').rstrip())
    move     $t1, $sp

pwnlib.shellcraft.loongarch64.nop()

LoongArch64 nop instruction.

pwnlib.shellcraft.loongarch64.push(value)

Pushes a value onto the stack.

Register t8 is not guaranteed to be preserved.

pwnlib.shellcraft.loongarch64.pushstr(string, append_null=True)

Pushes a string onto the stack.

There is no effort done to avoid newlines and null bytes in the generated code.

Register t8 is not guaranteed to be preserved.

Example

>>> print(shellcraft.loongarch64.pushstr('').rstrip())
    st.d     $r0, -8(sp)
>>> print(shellcraft.loongarch64.pushstr('a').rstrip())
    li.d     $t8, 97
    addi.d   $sp, $sp, -8
    st.d     $t8, $sp, 0
>>> print(shellcraft.loongarch64.pushstr('aa').rstrip())
    li.d     $t8, 24929
    addi.d   $sp, $sp, -8
    st.d     $t8, $sp, 0
>>> print(shellcraft.loongarch64.pushstr('aaaa').rstrip())
    li.d     $t8, 1633771873
    addi.d   $sp, $sp, -8
    st.d     $t8, $sp, 0
>>> print(shellcraft.loongarch64.pushstr('aaaaa').rstrip())
    li.d     $t8, 418245599585
    addi.d   $sp, $sp, -8
    st.d     $t8, $sp, 0
>>> print(shellcraft.loongarch64.pushstr('aaaa', append_null = False).rstrip())
    li.d     $t8, 1633771873
    addi.d   $sp, $sp, -8
    st.d     $t8, $sp, 0
>>> print(shellcraft.loongarch64.pushstr(b'\xc3').rstrip())
    li.d     $t8, 195
    addi.d   $sp, $sp, -8
    st.d     $t8, $sp, 0
>>> print(shellcraft.loongarch64.pushstr(b'\xc3', append_null = False).rstrip())
    li.d     $t8, 195
    addi.d   $sp, $sp, -8
    st.d     $t8, $sp, 0

Parameters:

• string (str) – The string to push.

• append_null (bool) – Whether to append a single NULL-byte before pushing.

pwnlib.shellcraft.loongarch64.pushstr_array(reg, array)

Pushes an array/envp-style array of pointers onto the stack.

Parameters:

• reg (str) – Destination register to hold the pointer.

• array (str,list) – Single argument or list of arguments to push. NULL termination is normalized so that each argument ends with exactly one NULL byte.

pwnlib.shellcraft.loongarch64.setregs(reg_context, stack_allowed=True)

Sets multiple registers, taking any register dependencies into account (i.e., given eax=1,ebx=eax, set ebx first).

Parameters:

• reg_context (dict) – Desired register context

• stack_allowed (bool) – Can the stack be used?

Example

>>> print(shellcraft.setregs({'t0':1, 'a3':'0'}).rstrip())
    li.d     $a3, 0
    li.d     $t0, 1
>>> print(shellcraft.setregs({'a0':'a1', 'a1':'a0', 'a2':'a1'}).rstrip())
    move     $a2, $a1
    xor      $a1, $a1, $a0 /* xchg a1, a0 */
    xor      $a0, $a0, $a1
    xor      $a1, $a1, $a0

pwnlib.shellcraft.loongarch64.trap()

A trap instruction.

pwnlib.shellcraft.loongarch64.xor(dst, rs1, rs2)

XOR two registers rs1 and rs2, store result in register dst.

Register t4 is not guaranteed to be preserved.

pwnlib.shellcraft.loongarch64.linux

Shellcraft module containing LoongArch64 shellcodes for Linux.

pwnlib.shellcraft.loongarch64.linux.syscall(syscall=None, arg0=None, arg1=None, arg2=None, arg3=None, arg4=None, arg5=None)

Args: [syscall_number, *args]

Does a syscall

Any of the arguments can be expressions to be evaluated by pwnlib.constants.eval().

Example

>>> print(pwnlib.shellcraft.loongarch64.linux.syscall('SYS_execve', 1, 'sp', 2, 0).rstrip())
    li.d     $a0, 1
    move     $a1, $sp
    li.d     $a2, 2
    li.d     $a3, 0
    li.d     $a7, 221
    syscall  0
>>> print(pwnlib.shellcraft.loongarch64.linux.syscall('SYS_execve', 2, 1, 0, 20).rstrip())
    li.d     $a0, 2
    li.d     $a1, 1
    li.d     $a2, 0
    li.d     $a3, 20
    li.d     $a7, 221
    syscall  0
>>> print(pwnlib.shellcraft.loongarch64.linux.syscall().rstrip())
    syscall  0
>>> print(pwnlib.shellcraft.loongarch64.linux.syscall('a7', 'a0', 'a1').rstrip())
    syscall  0
>>> print(pwnlib.shellcraft.loongarch64.linux.syscall('a3', None, None, 1).rstrip())
    li.d     $a2, 1
    move     $a7, $a3
    syscall  0
>>> print(pwnlib.shellcraft.loongarch64.linux.syscall(
...               'SYS_mmap', 0, 0x1000,
...               'PROT_READ | PROT_WRITE | PROT_EXEC',
...               'MAP_PRIVATE',
...               -1, 0).rstrip())
    li.d     $a0, 0
    li.d     $a1, 4096
    li.d     $a2, 7
    li.d     $a3, 2
    li.d     $a4, 18446744073709551615
    li.d     $a5, 0
    li.d     $a7, 222
    syscall  0
>>> print(pwnlib.shellcraft.loongarch64.linux.syscall(
...               'SYS_mmap', 0, 0x1000,
...               'PROT_READ | PROT_WRITE | PROT_EXEC',
...               'MAP_PRIVATE',
...               -1, 0).rstrip())
    li.d     $a0, 0
    li.d     $a1, 4096
    li.d     $a2, 7
    li.d     $a3, 2
    li.d     $a4, 18446744073709551615
    li.d     $a5, 0
    li.d     $a7, 222
    syscall  0
>>> print(pwnlib.shellcraft.loongarch64.openat('AT_FDCWD', '/home/pwn/flag').rstrip())
    /* openat(fd='AT_FDCWD', file='/home/pwn/flag', oflag=0) */
    li.d     $t8, 8606431000579237935
    addi.d   $sp, $sp, -8
    st.d     $t8, $sp, 0
    li.d     $t8, 113668128124782
    addi.d   $sp, $sp, -8
    st.d     $t8, $sp, 0
    move     $a1, $sp
    li.d     $a0, 18446744073709551516
    li.d     $a2, 0
    li.d     $a7, 56
    syscall  0