Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Shellcraft Syscall Madness #685

Closed
zachriggle opened this issue Aug 22, 2016 · 14 comments
Closed

Shellcraft Syscall Madness #685

zachriggle opened this issue Aug 22, 2016 · 14 comments
Assignees
@kristoff3r @RobertLarsen
Labels
enhancement
Milestone
3.5.0

Comments

@zachriggle
Copy link
Member

The 3.0 release added a bunch of syscall wrappers, but it did two things wrong:

  1. i386 syscalls which should call via socketcall do not (listen, socket, etc.)
  2. Syscalls are inter-mingled with the other templates
    • This makes shellcode hard to navigate
    • In particular, it's hard to find the ez-mode stuff among a sea of options

The syscalls should be migrated into their own syscalls sub-directory, e.g. pwnlib/shellcraft/templates/i386/linux/syscalls/execve.asm.

The fall-through logic of the shellcraft module will make these accessible as top-level attributes on the shellcraft object.

This introduces some ambiguity with current ez-mode wrappers which are named after syscalls. These will either need to be renamed, or we accept the ambiguity in these few cases.
@zachriggle zachriggle added this to the Someday milestone Aug 22, 2016
@zachriggle zachriggle mentioned this issue Aug 24, 2016
Closed
@kristoff3r
Copy link
Contributor

I have been working on this, I'll add a pull request with some commits later tonight.

@kokjo
Copy link
Contributor

kokjo commented Aug 31, 2016

It would also be nice if the shellcraft CLI ignored all the syscalls and only listed the 'useful' shellcodes...

@kristoff3r
Copy link
Contributor

It would also be nice if the shellcraft CLI ignored all the syscalls and only listed the 'useful' shellcodes...

It already does that, you need to pass the flag --syscalls for it to list syscalls. I have improved the UX for the shellcraft CLI by making it print only the help/usage when using it without arguments, and adding a -l/--list which lists every shellcode, and takes an optional argument to narrow down the list (e.g. -l i386.linux).

@zachriggle
Copy link
Member Author

Doesn't it already have a --list option?

Would you mind adding your PR so I can follow progress?
On Wed, Aug 31, 2016 at 3:23 PM Kristoffer Søholm [email protected]
wrote:

It would also be nice if the shellcraft CLI ignored all the syscalls and
only listed the 'useful' shellcodes...

It already does that, you need to pass the flag --syscalls for it to list
syscalls. I have improved the UX for the shellcraft CLI by making it print
only the help/usage when using it without arguments, and adding a -l/--list
which lists every shellcode, and takes an optional argument to narrow down
the list (e.g. -l i386.linux).


You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
#685 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/AAG0GCtqhrakXfA0t3TzE48yxkTLw5ISks5qlf7ngaJpZM4JqZqN
.

@kristoff3r
Copy link
Contributor

kristoff3r commented Sep 1, 2016
edited
Loading

Doesn't it already have a --list option?

It does, because you added it a week ago and I hadn't pulled. Wouldn't it be even better if shellcraft with no arguments just prints what shellcraft -h does now?

Would you mind adding your PR so I can follow progress?

Added.

@zachriggle
Copy link
Member Author

Since we have a --list I'm cool with dumping the --help output as default.

@RobertLarsen
Copy link
Member

How is this going?
I'll be adding some shellcode after this is done.

@kristoff3r
Copy link
Contributor

I'll try to get a mergeable version of this pushed tomorrow, thanks for reminding me.

@RobertLarsen
Copy link
Member

@kristoff3r If you need help with this just push up your branch

@zachriggle
Copy link
Member Author

++agree

@RobertLarsen
Copy link
Member

@kristoff3r Ping

2 similar comments
@RobertLarsen
Copy link
Member

@kristoff3r Ping

@RobertLarsen
Copy link
Member

@kristoff3r Ping

@zachriggle zachriggle mentioned this issue Jan 25, 2017
Merged
@TethysSvensson TethysSvensson mentioned this issue Jan 26, 2017
Closed
@kristoff3r kristoff3r mentioned this issue Feb 4, 2017
Closed
@zachriggle
Copy link
Member Author

Ping on both my and @krisoff3r's pull requests.

I think his does a great job solving this particular PR, and mine solves the generic case of all syscalls, and the ability to generate them on the fly (and a few things are made easier, like passing strings to open() and having it "just work").

@zachriggle zachriggle modified the milestones: 3.5.0, Someday Mar 4, 2017
Kyle-Kyle pushed a commit to Kyle-Kyle/pwntools that referenced this issue Apr 25, 2021
@disconnect3d
vmmap: add QEMU kernel support (Gallopsled#685)
ccc597d 
* vmmap: add QEMU kernel support

This feature uses GDB's `monitor info mem` to fetch
memory pages for QEMU in kernel mode.

However, at least on QEMU 3.0.0 on `qemu-system-x86_64`
the `monitor info mem` command returns memory pages without the
`executable` permission bit, so for now we assume that all pages are executable.

The `monitor info mem` works only in QEMU kernel mode
and in QEMU-user it does:
```
(gdb) monitor info mem
Target does not support this command.
```

* Update vmmap command docs

* Use monitor_info_mem only on X86/X64

* monitor_info_mem: fix comment about executable perm

* Update vmmap help
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@kristoff3r kristoff3r

@RobertLarsen RobertLarsen

Labels
enhancement
Projects
None yet
Milestone
3.5.0
Development

No branches or pull requests
4 participants
@zachriggle @kristoff3r @kokjo @RobertLarsen