pwnlib.shellcraft.loongarch64 — Shellcode for LoongArch64
pwnlib.shellcraft.loongarch64
Shellcraft module containing generic LoongArch64 shellcodes.
- pwnlib.shellcraft.loongarch64.mov(dst, src)[source]
Move src into dst.
If src is a string that is not a register, then it will locally set context.arch to ‘loongarch64’ and use pwnlib.constants.eval() to evaluate the string. Note that this means that this shellcode can change behavior depending on the value of context.os.
No effort is made to avoid newlines and null bytes in the generated code.
- Parameters:
Example
>>> print(shellcraft.loongarch64.mov('t0', 0).rstrip())
    addi.d $t0, $r0, 0
>>> print(shellcraft.loongarch64.mov('t0', 0x2000).rstrip())
    addi.d $t0, $r0, 2
    lu52i.d $t0, $t0, 0
>>> print(shellcraft.loongarch64.mov('t0', 0xcafebabe).rstrip())
    addi.d $t0, $r0, 202
    lu52i.d $t0, $t0, -21
    lu52i.d $t0, $t0, -1346
>>> print(shellcraft.loongarch64.mov('t1', 'sp').rstrip())
    addi.d $t1, $sp, 0
- pwnlib.shellcraft.loongarch64.push(value)[source]
Pushes a value onto the stack.
Register t8 is not guaranteed to be preserved.
- pwnlib.shellcraft.loongarch64.pushstr(string, append_null=True)[source]
Pushes a string onto the stack.
No effort is made to avoid newlines and null bytes in the generated code.
Register t8 is not guaranteed to be preserved.
Example
>>> print(shellcraft.loongarch64.pushstr('').rstrip())
    st.d $r0, -8(sp)
>>> print(shellcraft.loongarch64.pushstr('a').rstrip())
    addi.d $t8, $r0, 97
    addi.d $sp, $sp, -8
    st.d $t8, $sp, 0
>>> print(shellcraft.loongarch64.pushstr('aa').rstrip())
    addi.d $t8, $r0, 6
    lu52i.d $t8, $t8, 353
    addi.d $sp, $sp, -8
    st.d $t8, $sp, 0
>>> print(shellcraft.loongarch64.pushstr('aaaa').rstrip())
    addi.d $t8, $r0, 97
    lu52i.d $t8, $t8, 1558
    lu52i.d $t8, $t8, 353
    addi.d $sp, $sp, -8
    st.d $t8, $sp, 0
>>> print(shellcraft.loongarch64.pushstr('aaaaa').rstrip())
    addi.d $t8, $r0, 6
    lu52i.d $t8, $t8, 353
    lu52i.d $t8, $t8, 1558
    lu52i.d $t8, $t8, 353
    addi.d $sp, $sp, -8
    st.d $t8, $sp, 0
>>> print(shellcraft.loongarch64.pushstr('aaaa', append_null = False).rstrip())
    addi.d $t8, $r0, 97
    lu52i.d $t8, $t8, 1558
    lu52i.d $t8, $t8, 353
    addi.d $sp, $sp, -8
    st.d $t8, $sp, 0
>>> print(shellcraft.loongarch64.pushstr(b'\xc3').rstrip())
    addi.d $t8, $r0, 195
    addi.d $sp, $sp, -8
    st.d $t8, $sp, 0
>>> print(shellcraft.loongarch64.pushstr(b'\xc3', append_null = False).rstrip())
    addi.d $t8, $r0, 195
    addi.d $sp, $sp, -8
    st.d $t8, $sp, 0
- pwnlib.shellcraft.loongarch64.pushstr_array(reg, array)[source]
Pushes an array/envp-style array of pointers onto the stack.
- pwnlib.shellcraft.loongarch64.setregs(reg_context, stack_allowed=True)[source]
Sets multiple registers, taking any register dependencies into account (i.e., given eax=1,ebx=eax, set ebx first).
- Parameters:
Example
>>> print(shellcraft.setregs({'t0':1, 'a3':'0'}).rstrip())
    addi.d $a3, $r0, 0
    addi.d $t0, $r0, 1
>>> print(shellcraft.setregs({'a0':'a1', 'a1':'a0', 'a2':'a1'}).rstrip())
    addi.d $a2, $a1, 0
    xor $a1, $a1, $a0 /* xchg a1, a0 */
    xor $a0, $a0, $a1
    xor $a1, $a1, $a0
pwnlib.shellcraft.loongarch64.linux
Shellcraft module containing LoongArch64 shellcodes for Linux.
- pwnlib.shellcraft.loongarch64.linux.syscall(syscall=None, arg0=None, arg1=None, arg2=None, arg3=None, arg4=None, arg5=None)[source]
- Args: [syscall_number, *args]
Does a syscall
Any of the arguments can be expressions to be evaluated by pwnlib.constants.eval().
Example
>>> print(pwnlib.shellcraft.loongarch64.linux.syscall('SYS_execve', 1, 'sp', 2, 0).rstrip())
    addi.d $a0, $r0, 1
    addi.d $a1, $sp, 0
    addi.d $a2, $r0, 2
    addi.d $a3, $r0, 0
    addi.d $a7, $r0, 221
    syscall 0
>>> print(pwnlib.shellcraft.loongarch64.linux.syscall('SYS_execve', 2, 1, 0, 20).rstrip())
    addi.d $a0, $r0, 2
    addi.d $a1, $r0, 1
    addi.d $a2, $r0, 0
    addi.d $a3, $r0, 20
    addi.d $a7, $r0, 221
    syscall 0
>>> print(pwnlib.shellcraft.loongarch64.linux.syscall().rstrip())
    syscall 0
>>> print(pwnlib.shellcraft.loongarch64.linux.syscall('a7', 'a0', 'a1').rstrip())
    syscall 0
>>> print(pwnlib.shellcraft.loongarch64.linux.syscall('a3', None, None, 1).rstrip())
    addi.d $a2, $r0, 1
    addi.d $a7, $a3, 0
    syscall 0
>>> print(pwnlib.shellcraft.loongarch64.linux.syscall(
...               'SYS_mmap', 0, 0x1000,
...               'PROT_READ | PROT_WRITE | PROT_EXEC',
...               'MAP_PRIVATE',
...               -1, 0).rstrip())
    addi.d $a0, $r0, 0
    addi.d $a1, $r0, 1
    lu52i.d $a1, $a1, 0
    addi.d $a2, $r0, 7
    addi.d $a3, $r0, 2
    addi.d $a4, $r0, 15
    lu52i.d $a4, $a4, -1
    lu52i.d $a4, $a4, -1
    lu52i.d $a4, $a4, -1
    lu52i.d $a4, $a4, -1
    lu52i.d $a4, $a4, -1
    addi.d $a5, $r0, 0
    addi.d $a7, $r0, 222
    syscall 0
>>> print(pwnlib.shellcraft.loongarch64.openat('AT_FDCWD', '/home/pwn/flag').rstrip())
    /* openat(fd='AT_FDCWD', file='/home/pwn/flag', oflag=0) */
    addi.d $t8, $r0, 7
    lu52i.d $t8, $t8, 1904
    lu52i.d $t8, $t8, 758
    lu52i.d $t8, $t8, 1389
    lu52i.d $t8, $t8, 1782
    lu52i.d $t8, $t8, -2001
    addi.d $sp, $sp, -8
    st.d $t8, $sp, 0
    addi.d $t8, $r0, 1654
    lu52i.d $t8, $t8, 364
    lu52i.d $t8, $t8, 1634
    lu52i.d $t8, $t8, -146
    addi.d $sp, $sp, -8
    st.d $t8, $sp, 0
    addi.d $a1, $sp, 0
    addi.d $a0, $r0, 15
    lu52i.d $a0, $a0, -1
    lu52i.d $a0, $a0, -1
    lu52i.d $a0, $a0, -1
    lu52i.d $a0, $a0, -1
    lu52i.d $a0, $a0, -100
    addi.d $a2, $r0, 0
    addi.d $a7, $r0, 56
    syscall 0
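
Added example (not pwntools code): the immediates in the mov, pushstr and syscall listings on this page are consistent with each constant being emitted as 12-bit chunks, most significant first, each printed as a signed value. On that assumption, which is read off the doctest output rather than taken from the ISA manual, the code below folds each addi.d/lu52i.d chain in a listing back into its 64-bit constant for review; LISTING is the openat doctest output, and decode_listing, as_signed and as_bytes are names introduced here.

```python
import re

# The openat('AT_FDCWD', '/home/pwn/flag') listing from this page's doctest,
# joined with ';' to keep the sample short.
LISTING = (
    "addi.d $t8, $r0, 7; lu52i.d $t8, $t8, 1904; lu52i.d $t8, $t8, 758; "
    "lu52i.d $t8, $t8, 1389; lu52i.d $t8, $t8, 1782; lu52i.d $t8, $t8, -2001; "
    "addi.d $sp, $sp, -8; st.d $t8, $sp, 0; "
    "addi.d $t8, $r0, 1654; lu52i.d $t8, $t8, 364; lu52i.d $t8, $t8, 1634; "
    "lu52i.d $t8, $t8, -146; addi.d $sp, $sp, -8; st.d $t8, $sp, 0; "
    "addi.d $a1, $sp, 0; "
    "addi.d $a0, $r0, 15; lu52i.d $a0, $a0, -1; lu52i.d $a0, $a0, -1; "
    "lu52i.d $a0, $a0, -1; lu52i.d $a0, $a0, -1; lu52i.d $a0, $a0, -100; "
    "addi.d $a2, $r0, 0; addi.d $a7, $r0, 56; syscall 0"
)

INSN = re.compile(r"(addi\.d|lu52i\.d|st\.d)\s+\$(\w+),\s*\$(\w+),\s*(-?\d+)")
MASK64 = 2**64 - 1

def decode_listing(text):
    """Return (constants left in registers, qwords stored, in listing order)."""
    regs, stored = {}, []
    for op, rd, rs, imm in INSN.findall(text):
        imm = int(imm)
        if op == "addi.d" and rs == "r0":
            regs[rd] = imm & 0xFFF            # first, most significant chunk
        elif op == "lu52i.d" and rd == rs and rd in regs:
            # Assumption from the doctests: each step appends one 12-bit chunk.
            regs[rd] = ((regs[rd] << 12) | (imm & 0xFFF)) & MASK64
        elif op == "st.d" and rd in regs:
            stored.append(regs[rd])           # value written to the stack
        elif op == "addi.d" and rd != rs:
            regs.pop(rd, None)                # register copy, not a constant
    return regs, stored

def as_signed(value):
    """Interpret a 64-bit value as two's complement."""
    return value - 2**64 if value >> 63 else value

def as_bytes(value):
    """Little-endian bytes of a stored qword, trailing NUL padding removed."""
    return value.to_bytes(8, "little").rstrip(b"\0")

if __name__ == "__main__":
    regs, stored = decode_listing(LISTING)
    print([as_bytes(v) for v in stored])
    print({name: as_signed(v) for name, v in regs.items()})
```

The decoder reports stored qwords in the order the listing writes them and does not model where they end up relative to sp.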