Add shellcraft support for LoongArch64

Author: xtexx

pwnlib/shellcraft/templates/loong64/__doc__

@@ -0,0 +1 @@
+Shellcraft module containing generic LoongArch64 shellcodes.

pwnlib/shellcraft/templates/loong64/linux/__doc__

@@ -0,0 +1 @@
+Shellcraft module containing LoongArch64 shellcodes for Linux.

pwnlib/shellcraft/templates/loong64/linux/syscall.asm

@@ -0,0 +1,108 @@
+<%
+  from pwnlib.shellcraft import loong64, pretty
+  from pwnlib.constants import Constant
+  from pwnlib.abi import linux_loong64_syscall as abi
+  from six import text_type
+%>
+<%page args="syscall = None, arg0 = None, arg1 = None, arg2 = None, arg3 = None, arg4=None, arg5=None"/>
+<%docstring>
+Args: [syscall_number, \*args]
+    Does a syscall
+
+Any of the arguments can be expressions to be evaluated by :func:`pwnlib.constants.eval`.
+
+Example:
+
+        >>> print(pwnlib.shellcraft.loong64.linux.syscall('SYS_execve', 1, 'sp', 2, 0).rstrip())
+            /* call execve(1, 'sp', 2, 0) */
+            c.li a0, 1
+            c.mv a1, sp
+            c.li a2, 2
+            c.li a3, 0
+            /* mv a7, 0xdd */
+            xori a7, zero, 0x722
+            xori a7, a7, 0x7ff
+            ecall
+        >>> print(pwnlib.shellcraft.loong64.linux.syscall('SYS_execve', 2, 1, 0, 20).rstrip())
+            /* call execve(2, 1, 0, 0x14) */
+            c.li a0, 2
+            c.li a1, 1
+            c.li a2, 0
+            c.li a3, 0x14
+            /* mv a7, 0xdd */
+            xori a7, zero, 0x722
+            xori a7, a7, 0x7ff
+            ecall
+        >>> print(pwnlib.shellcraft.loong64.linux.syscall().rstrip())
+            /* call syscall() */
+            ecall
+        >>> print(pwnlib.shellcraft.loong64.linux.syscall('a7', 'a0', 'a1').rstrip())
+            /* call syscall('a7', 'a0', 'a1') */
+            /* setregs noop */
+            ecall
+        >>> print(pwnlib.shellcraft.loong64.linux.syscall('a3', None, None, 1).rstrip())
+            /* call syscall('a3', ?, ?, 1) */
+            c.li a2, 1
+            c.mv a7, a3
+            ecall
+        >>> print(pwnlib.shellcraft.loong64.linux.syscall(
+        ...               'SYS_mmap', 0, 0x1000,
+        ...               'PROT_READ | PROT_WRITE | PROT_EXEC',
+        ...               'MAP_PRIVATE',
+        ...               -1, 0).rstrip())
+            /* call mmap(0, 0x1000, 'PROT_READ | PROT_WRITE | PROT_EXEC', 'MAP_PRIVATE', -1, 0) */
+            c.li a0, 0
+            c.lui a1, 1 /* mv a1, 0x1000 */
+            c.li a2, 7
+            c.li a3, 2
+            c.li a4, 0xffffffffffffffff
+            c.li a5, 0
+            /* mv a7, 0xde */
+            xori a7, zero, 0x721
+            xori a7, a7, 0x7ff
+            ecall
+        >>> print(pwnlib.shellcraft.openat('AT_FDCWD', '/home/pwn/flag').rstrip())
+            /* openat(fd='AT_FDCWD', file='/home/pwn/flag', oflag=0) */
+            /* push b'/home/pwn/flag\x00' */
+            li t4, 0x77702f656d6f682f
+            sd t4, -16(sp)
+            li t4, 0x67616c662f6e
+            sd t4, -8(sp)
+            addi sp, sp, -16
+            c.mv a1, sp
+            xori a0, zero, 0xffffffffffffff9c
+            c.li a2, 0
+            /* call openat() */
+            /* mv a7, 0x38 */
+            xori a7, zero, 0x7c7
+            xori a7, a7, 0x7ff
+            ecall
+</%docstring>
+<%
+  if isinstance(syscall, (str, text_type, Constant)) and str(syscall).startswith('SYS_'):
+      syscall_repr = str(syscall)[4:] + "(%s)"
+      args = []
+  else:
+      syscall_repr = 'syscall(%s)'
+      if syscall is None:
+          args = ['?']
+      else:
+          args = [pretty(syscall, False)]
+
+  for arg in [arg0, arg1, arg2, arg3, arg4, arg5]:
+      if arg is None:
+          args.append('?')
+      else:
+          args.append(pretty(arg, False))
+  while args and args[-1] == '?':
+      args.pop()
+  syscall_repr = syscall_repr % ', '.join(args)
+
+  registers = abi.register_arguments
+  arguments = [syscall, arg0, arg1, arg2, arg3, arg4, arg5]
+  regctx    = dict(zip(registers, arguments))
+%>\
+%if any(a is not None for a in arguments):
+    ${loong64.setregs(regctx)}
+%endif
+    syscall

pwnlib/shellcraft/templates/loong64/linux/syscalls

@@ -0,0 +1 @@
+../../common/linux/syscalls

pwnlib/shellcraft/templates/loong64/mov.asm

@@ -0,0 +1,88 @@
+<%
+  from pwnlib.util import lists, packing, fiddling, misc
+  from pwnlib.constants import eval, Constant
+  from pwnlib.context import context as ctx # Ugly hack, mako will not let it be called context
+  from pwnlib.log import getLogger
+  from pwnlib.shellcraft import loong64, registers, pretty, okay
+  import six
+  log = getLogger('pwnlib.shellcraft.loong64.mov')
+%>
+<%page args="dst, src"/>
+<%docstring>
+Move src into dst without newlines and null bytes.
+
+If src is a string that is not a register, then it will locally set
+`context.arch` to `'loong64'` and use :func:`pwnlib.constants.eval` to evaluate the
+string. Note that this means that this shellcode can change behavior depending
+on the value of `context.os`.
+
+Args:
+
+  dst (str): The destination register.
+  src (str): Either the input register, or an immediate value.
+
+Example:
+
+    >>> print(shellcraft.loong64.mov('t0', 0).rstrip())
+        addi.d   $t0, $r0, 0
+    >>> print(shellcraft.loong64.mov('t0', 0x2000).rstrip())
+        addi.d   $t0, $r0, 2
+        lu52i.d  $t0, $t0, 0
+    >>> print(shellcraft.loong64.mov('t0', 0xcafebabe).rstrip())
+        addi.d   $t0, $r0, 202
+        lu52i.d  $t0, $t0, -21
+        lu52i.d  $t0, $t0, -1346
+    >>> print(shellcraft.loong64.mov('t1', 'sp').rstrip())
+        addi.d   $t1, $sp, 0
+
+</%docstring>
+<%
+if not isinstance(dst, str) or dst not in registers.loong64:
+    log.error("Unknown register %r", dst)
+    return
+
+if isinstance(src, str) and src not in registers.loong64:
+    src = eval(src)
+
+if isinstance(src, str) and src not in registers.loong64:
+    log.error("Unknown register %r", src)
+    return
+
+src_reg = registers.loong64.get(src, None)
+dst_reg = registers.loong64[dst]
+
+# If source register is zero, treat it as immediate 0
+if src_reg == 0:
+    src = 0
+    src_reg = None
+%>
+
+% if dst_reg == 0 or dst_reg == src_reg:
+    /* ld ${dst}, ${src} is a noop */
+% elif src_reg is not None:
+    addi.d   $${dst}, $${src}, 0
+% else:
+## Source is an immediate, normalize to [0, 2**64)
+
+<% src = packing.unpack(packing.pack(src, word_size=64), word_size=64, sign=False) %>
+## Immediates are always sign-extended to 64-bit
+
+% if src == 0:
+    addi.d   $${dst}, $r0, 0
+% else:
+<%
+parts = []
+fullsrc = src
+while src != 0:
+    parts.append(packing.unpack(packing.pack((src & 0xfff), word_size=12, sign=False), word_size=12, sign=True))
+    src = src >> 12
+%>
+% for idx, part in enumerate(reversed(parts)):
+    % if idx == 0:
+    addi.d   $${dst}, $r0, ${part}
+    % else:
+    lu52i.d  $${dst}, $${dst}, ${part}
+    % endif
+% endfor
+% endif
+% endif

pwnlib/shellcraft/templates/loong64/nop.asm

@@ -0,0 +1,2 @@
+<%docstring>LoongArch64 nop instruction.</%docstring>
+    addi.d   $r0, $r0, 0

pwnlib/shellcraft/templates/loong64/push.asm

@@ -0,0 +1,27 @@
+<%
+  from pwnlib.shellcraft import loong64
+  from pwnlib import constants
+  from pwnlib.shellcraft import registers
+  from six import text_type, binary_type
+%>
+<%page args="value"/>
+<%docstring>
+Pushes a value onto the stack.
+
+Register t8 is not guaranteed to be preserved.
+</%docstring>
+<%
+is_reg = value in registers.loong64
+
+if not is_reg and isinstance(value, (binary_type, text_type)):
+    try:
+        value = constants.eval(value)
+    except (ValueError, AttributeError):
+        pass
+%>
+% if not is_reg:
+    ${loong64.mov('t8', value)}
+    <% value = 't8' %>\
+%endif
+    addi.d   $sp, $sp, -8
+    st.d     $${value}, $sp, 0

pwnlib/shellcraft/templates/loong64/setregs.asm

@@ -0,0 +1,41 @@
+<%
+  from pwnlib.regsort import regsort
+  from pwnlib.constants import Constant, eval
+  from pwnlib.shellcraft import registers
+  from pwnlib.shellcraft import loong64
+%>
+<%page args="reg_context, stack_allowed = True"/>
+<%docstring>
+Sets multiple registers, taking any register dependencies into account
+(i.e., given eax=1,ebx=eax, set ebx first).
+
+Args:
+    reg_context (dict): Desired register context
+    stack_allowed (bool): Can the stack be used?
+
+Example:
+
+    >>> print(shellcraft.setregs({'t0':1, 'a3':'0'}).rstrip())
+        addi.d   $a3, $r0, 0
+        addi.d   $t0, $r0, 1
+    >>> print(shellcraft.setregs({'a0':'a1', 'a1':'a0', 'a2':'a1'}).rstrip())
+        addi.d   $a2, $a1, 0
+        xor      $a1, $a1, $a0 /* xchg a1, a0 */
+        xor      $a0, $a0, $a1
+        xor      $a1, $a1, $a0
+</%docstring>
+<%
+reg_context = {k:v for k,v in reg_context.items() if v is not None}
+sorted_regs = regsort(reg_context, registers.loong64)
+%>
+% if sorted_regs:
+% for how, src, dst in regsort(reg_context, registers.loong64):
+% if how == 'xchg':
+    ${loong64.xor(dst, dst, src)} /* xchg ${dst}, ${src} */
+    ${loong64.xor(src, src, dst)}
+    ${loong64.xor(dst, dst, src)}
+% else:
+    ${loong64.mov(src, dst)}
+% endif
+% endfor
+% endif

pwnlib/shellcraft/templates/loong64/trap.asm

@@ -0,0 +1,2 @@
+<%docstring>A trap instruction.</%docstring>
+    break    0

pwnlib/shellcraft/templates/loong64/xor.asm

@@ -0,0 +1,23 @@
+<%
+  from pwnlib.shellcraft import loong64
+  from pwnlib.shellcraft import registers
+%>
+<%page args="dst,rs1,rs2"/>
+<%docstring>
+XOR two registers rs1 and rs2, store result in register dst.
+
+Register t4 is not guaranteed to be preserved.
+</%docstring>
+<%
+if not isinstance(dst, str) or dst not in registers.loong64:
+    log.error("Unknown register %r", dst)
+    return
+if not isinstance(rs1, str) or rs1 not in registers.loong64:
+    log.error("Unknown register %r", rs1)
+    return
+if not isinstance(rs2, str) or rs2 not in registers.loong64:
+    log.error("Unknown register %r", rs2)
+    return
+
+%>
+    xor      $${dst}, $${rs1}, $${rs2}