Add cat2 to shellcraft (#1995)

* Introduce shellcraft.linux.cat2 to avoid sendfile

Fixes #1871

* Switch CAT_PROC_MAPS_EXIT to shellcraft.linux.cat2

Author: Arusekk

pwnlib/elf/elf.py

@@ -767,7 +767,7 @@ def _patch_elf_and_read_maps(self):
             >>> for arch in CAT_PROC_MAPS_EXIT:
             ...   context.clear()
             ...   with context.local(arch=arch):
-            ...     sc = shellcraft.cat("/proc/self/maps")
+            ...     sc = shellcraft.cat2("/proc/self/maps")
             ...     sc += shellcraft.exit()
             ...     sc = asm(sc)
             ...     sc = enhex(sc)

pwnlib/elf/maps.py

@@ -3,25 +3,25 @@
 # Pre-assembled shellcode for each architecture.
 #
 # This is literally the output of:
-#     shellcraft $ARCH.linux.cat /proc/self/maps
+#     shellcraft $ARCH.linux.cat2 /proc/self/maps
 #     shellcraft $ARCH.linux.syscalls.exit 0
 CAT_PROC_MAPS_EXIT = {
     'i386':
-        '680101010181342460717201686c662f6d68632f7365682f70726f89e331c931d26a0558cd806a015b89c131d268ffffff7f5e31c0b0bbcd80'
+        '680101010181342460717201686c662f6d68632f7365682f70726f89e331c931d2b6406a0558cd8029d489c389e16a0358cd806a015b89e189c26a0458cd80'
         '31db6a0158cd80',
     'amd64':
-        '48b801010101010101015048b86d672e6c607172014831042448b82f70726f632f7365506a02584889e731f6990f0541baffffff7f4889c66a28586a015f990f05'
+        '48b801010101010101015048b86d672e6c607172014831042448b82f70726f632f7365506a02584889e731d2b64031f60f054829d44889c731c04889e60f054889c26a01586a015f4889e60f05'
         '31ff6a3c580f05',
     'arm':
-        '617007e3737040e304702de56c7606e32f7d46e304702de5637f02e3737546e304702de52f7007e3727f46e304702de50d00a0e1011021e0022022e00570a0e3000000ef0010a0e10100a0e3022022e00231e0e3bb70a0e3000000ef'
+        '617007e3737040e304702de56c7606e32f7d46e304702de5637f02e3737546e304702de52f7007e3727f46e304702de50d00a0e1011021e00129a0e30570a0e3000000ef02d04de00d10a0e10370a0e3000000ef0020a0e10100a0e30d10a0e10470a0e3000000ef'
         '000020e00170a0e3000000ef',
     'thumb':
-        '004f01e0617073ff4fea07274fea172780b4dff8047001e06c662f6d80b4dff8047001e0632f736580b4dff8047001e02f70726f80b4684681ea010182ea02024ff0050741df05464ff00100294682ea02026ff000434ff0bb0741df'
+        '004f01e0617073ff4fea07274fea172780b4dff8047001e06c662f6d80b4dff8047001e0632f736580b4dff8047001e02f70726f80b4684681ea01014ff480424ff0050741dfadeb020d69464ff0030741df02464ff0010069464ff0040741df'
         '80ea00004ff0010741df00bf',
     'mips':
-        '726f093c2f702935f0ffa9af7365093c632f2935f4ffa9af2f6d093c6c662935f8ffa9af8cff193c9e8f393727482003fcffa9aff0ffbd272020a003ffff0528ffff0628a50f02340c010101feff192427202003fcffa2affcffa58fffff0628ff7f073cffffe7346f1002340c010101'
+        '726f093c2f702935f0ffa9af7365093c632f2935f4ffa9af2f6d093c6c662935f8ffa9af8cff193c9e8f393727482003fcffa9aff0ffbd272020a003ffff0528ffbf192427302003a50f02340c01010122e8a603fcffa2affcffa48f2028a003a30f02340c010101feff1924272020032028a003fcffa2affcffa68fa40f02340c010101'
         'ffff0428a10f02340c010101',
     'aarch64':
-        'ee058ed24eeeadf26eecc5f26eaeecf28fcd8cd2efa5adf22f0ccef26f0ee0f2ee3fbfa980f39fd2e0ffbff2e0ffdff2e0fffff2e1030091e2031faae3031faa080780d2010000d4e10300aa200080d2e2031faae3ff9fd2e3ffaff2e80880d2010000d4'
+        'ee058ed24eeeadf26eecc5f26eaeecf28fcd8cd2efa5adf22f0ccef26f0ee0f2ee3fbfa980f39fd2e0ffbff2e0ffdff2e0fffff2e1030091e2031faa080780d2010000d4020088d2ff6322cbe1030091e80780d2010000d4e20300aa200080d2e1030091080880d2010000d4'
         'e0031faaa80b80d2010000d4',
 }

pwnlib/shellcraft/templates/aarch64/linux/cat2.asm

@@ -0,0 +1,25 @@
+<%
+  from pwnlib import shellcraft
+%>
+<%page args="filename, fd=1, length=0x4000"/>
+<%docstring>
+Opens a file and writes its contents to the specified file descriptor.
+Uses an extra stack buffer and must know the length.
+
+Example:
+
+    >>> f = tempfile.mktemp()
+    >>> write(f, 'This is the flag\n')
+    >>> shellcode = shellcraft.cat2(f) + shellcraft.exit(0)
+    >>> run_assembly(shellcode).recvline()
+    b'This is the flag\n'
+</%docstring>
+<%
+if fd == 'x0':
+  raise Exception("File descriptor cannot be x0, it will be overwritten")
+%>
+    ${shellcraft.open(filename)}
+    ${shellcraft.mov('x2', length)}
+    sub sp, sp, x2
+    ${shellcraft.read('x0', 'sp', 'x2')}
+    ${shellcraft.write(fd, 'sp', 'x0')}

pwnlib/shellcraft/templates/aarch64/linux/open.asm

@@ -1,7 +1,7 @@
 <%
   from pwnlib import shellcraft
 %>
-<%page args="filename, flags='O_RDONLY', mode=0"/>
+<%page args="filename, flags='O_RDONLY', mode='x3'"/>
 <%docstring>
 Opens a file
 </%docstring>

pwnlib/shellcraft/templates/amd64/linux/cat.asm

@@ -8,5 +8,5 @@ Opens a file and writes its contents to the specified file descriptor.
 </%docstring>
 
     ${pushstr(filename)}
-    ${syscall('SYS_open', 'rsp', 'O_RDONLY', 0)}
-    ${syscall('SYS_sendfile', fd, 'rax', 0, 0x7fffffff)}
+    ${syscall('SYS_open', 'rsp', 'O_RDONLY', 'rdx')}
+    ${syscall('SYS_sendfile', fd, 'rax', 0, 0x7fffffff)}

pwnlib/shellcraft/templates/amd64/linux/cat2.asm

@@ -0,0 +1,15 @@
+<%
+  from pwnlib.shellcraft.amd64 import syscall, pushstr
+  from pwnlib.shellcraft import common
+%>
+<%page args="filename, fd=1, length=0x4000"/>
+<%docstring>
+Opens a file and writes its contents to the specified file descriptor.
+Uses an extra stack buffer and must know the length.
+</%docstring>
+
+    ${pushstr(filename)}
+    ${syscall('SYS_open', 'rsp', 'O_RDONLY', length)}
+    sub rsp, rdx
+    ${syscall('SYS_read', 'rax', 'rsp', 'rdx')}
+    ${syscall('SYS_write', fd, 'rsp', 'rax')}

pwnlib/shellcraft/templates/arm/linux/cat.asm

@@ -15,5 +15,5 @@ Example:
 
 </%docstring>
     ${arm.pushstr(filename)}
-    ${arm.linux.open('sp', int(constants.O_RDONLY), 0)}
+    ${arm.linux.open('sp', int(constants.O_RDONLY), 'r2')}
     ${arm.linux.sendfile(fd, 'r0', 0, 0x7fffffff)}

pwnlib/shellcraft/templates/arm/linux/cat2.asm

@@ -0,0 +1,22 @@
+<%
+  from pwnlib import constants
+  from pwnlib.shellcraft import arm
+%>
+<%page args="filename, fd=1, length=0x4000"/>
+<%docstring>
+Opens a file and writes its contents to the specified file descriptor.
+Uses an extra stack buffer and must know the length.
+
+Example:
+
+    >>> f = tempfile.mktemp()
+    >>> write(f, 'FLAG\n')
+    >>> run_assembly(shellcraft.arm.linux.cat2(f)).recvline()
+    b'FLAG\n'
+
+</%docstring>
+    ${arm.pushstr(filename)}
+    ${arm.linux.open('sp', int(constants.O_RDONLY), length)}
+    sub sp, r2
+    ${arm.linux.read('r0', 'sp', 'r2')}
+    ${arm.linux.write(fd, 'sp', 'r0')}

pwnlib/shellcraft/templates/i386/linux/cat.asm

@@ -19,5 +19,5 @@ label = common.label("sendfile_loop")
 %>
 
     ${sc.pushstr(filename)}
-    ${sc.open('esp', 'O_RDONLY', 0)}
+    ${sc.open('esp', 'O_RDONLY', 'edx')}
     ${sc.sendfile(fd, 'eax', 0, 0x7fffffff)}

pwnlib/shellcraft/templates/i386/linux/cat2.asm

@@ -0,0 +1,23 @@
+<%
+  import pwnlib.shellcraft as sc
+  from pwnlib.shellcraft import common
+%>
+<%page args="filename, fd=1, length=0x4000"/>
+<%docstring>
+Opens a file and writes its contents to the specified file descriptor.
+Uses an extra stack buffer and must know the length.
+
+Example:
+
+    >>> f = tempfile.mktemp()
+    >>> write(f, 'FLAG')
+    >>> run_assembly(shellcraft.i386.linux.cat2(f)).recvall()
+    b'FLAG'
+
+</%docstring>
+
+    ${sc.pushstr(filename)}
+    ${sc.open('esp', 'O_RDONLY', length)}
+    sub esp, edx
+    ${sc.read('eax', 'esp', 'edx')}
+    ${sc.write(fd, 'esp', 'eax')}

pwnlib/shellcraft/templates/mips/linux/cat.asm

@@ -22,5 +22,5 @@ label = common.label("sendfile_loop")
 %>
 
     ${mips.pushstr(filename)}
-    ${mips.open('$sp', int(constants.O_RDONLY), 0)}
+    ${mips.open('$sp', int(constants.O_RDONLY), '$a2')}
     ${mips.sendfile(fd, '$v0', 0, 0x7fffffff)}

pwnlib/shellcraft/templates/mips/linux/cat2.asm

@@ -0,0 +1,26 @@
+<%
+  from pwnlib import constants
+  from pwnlib.shellcraft import mips
+  from pwnlib.shellcraft import common
+%>
+<%page args="filename, fd=1, length=0x4000"/>
+<%docstring>
+Opens a file and writes its contents to the specified file descriptor.
+Uses an extra stack buffer and must know the length.
+
+Example:
+
+    >>> f = tempfile.mktemp()
+    >>> write(f, 'FLAG')
+    >>> sc = shellcraft.mips.linux.cat2(f)
+    >>> sc += shellcraft.mips.linux.exit(0)
+    >>> run_assembly(sc).recvall()
+    b'FLAG'
+
+</%docstring>
+
+    ${mips.pushstr(filename)}
+    ${mips.open('$sp', int(constants.O_RDONLY), length)}
+    sub $sp, $a2
+    ${mips.read('$v0', '$sp', '$a2')}
+    ${mips.write(fd, '$sp', '$v0')}

pwnlib/shellcraft/templates/thumb/linux/cat.asm

@@ -20,6 +20,6 @@ label = common.label("sendfile_loop")
 %>
 
     ${thumb.pushstr(filename)}
-    ${thumb.linux.open('sp', constants.O_RDONLY, 0)}
+    ${thumb.linux.open('sp', constants.O_RDONLY, 'r2')}
     ${thumb.mov('r5', 'r0')}
     ${thumb.linux.sendfile(fd, 'r5', 0, 0x7fffffff)}

pwnlib/shellcraft/templates/thumb/linux/cat2.asm

@@ -0,0 +1,24 @@
+<%
+  from pwnlib import constants
+  from pwnlib.shellcraft import thumb
+  from pwnlib.shellcraft import common
+%>
+<%page args="filename, fd=1, length=0x4000"/>
+<%docstring>
+Opens a file and writes its contents to the specified file descriptor.
+Uses an extra stack buffer and must know the length.
+
+Example:
+
+    >>> f = tempfile.mktemp()
+    >>> write(f, 'FLAG\n')
+    >>> run_assembly(shellcraft.arm.to_thumb()+shellcraft.thumb.linux.cat2(f)).recvline()
+    b'FLAG\n'
+
+</%docstring>
+
+    ${thumb.pushstr(filename)}
+    ${thumb.linux.open('sp', constants.O_RDONLY, length)}
+    sub sp, r2
+    ${thumb.linux.read('r0', 'sp', 'r2')}
+    ${thumb.linux.write(fd, 'sp', 'r0')}