add RETURN_CONST as an allowed _const_code in safeeval #2351
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
* Fix `remote` and `listen` in sagemath sage's Integer doesn't seem to inherit from python's base int. ``` ----> 1 listen(Integer(1337)) OSError: Int or String expected ``` Fixes Gallopsled#2201 * Update CHANGELOG
…llopsled#2117) * Add formats for hex * Add formats for hex coverage Relates to Gallopsled#2117. Adding coverage as requested. * Use util.lists.group * Update CHANGELOG * Fix Python 2 support * Simplify hex formatting Co-authored-by: Arusekk <[email protected]> --------- Co-authored-by: marcan2020 <[email protected]> Co-authored-by: carydrew <[email protected]> Co-authored-by: Peace-Maker <[email protected]> Co-authored-by: Arusekk <[email protected]>
…allopsled#2208) `threading.Event.isSet` is deprecated here: python/cpython@9825bdf
Use $TMPDIR first. If $TMPDIR is unset/empty, use /tmp (AFAIK most distros don't set $TMPDIR by default)
We don't use Travis CI anymore. Closes Gallopsled#1740
* Add shellcraft.sleep template wrapping SYS_nanosleep Accepts the time in seconds as a float argument and calls SYS_nanosleep. Fixes Gallopsled#1428 * Update CHANGELOG * Use nanosleep wrapper Co-authored-by: Arusekk <[email protected]>
From: Peace-Maker <[email protected]> * Shellcraft: Fix spilling syscall args to the stack There was a typo in the generated syscall template causing only the last stack argument to be generated. $ shellcraft -f asm mips.linux.sendto 3 0x123456 0x100 0 0xabcdefff 0x10 The 0xabcdefff argument was missing. * Shellcraft: Generate 6 syscall arguments for unknown functions There are syscalls with 6 arguments like mmap and sendto which couldn't be called with all 6 arguments set. $ shellcraft -f asm mips.linux.mmap2 0 0x1000 'PROT_READ | PROT_WRITE | PROT_EXEC' 'MAP_PRIVATE | MAP_ANONYMOUS' -1 0 * Shellcraft: Fix typo in error message The `syscalls` variable is only present in the generate.py, not the generated template. * Regenerate syscall templates * MIPS shellcraft: Push last two syscall arguments to the stack The mips.linux.syscall template was only handling 4 syscall arguments and silently discarded the remaining ones. Push the arguments to the stack instead. $ shellcraft -f asm mips.linux.syscall SYS_sendto 3 0x123456 0x100 0 0xabcdefff 0x10 Fixes Gallopsled#2153 * Fix mips syscall doctest * Update CHANGELOG Co-authored-by: Peace-Maker <[email protected]>
* Don't change log level for Corefile._parse_stack() If we don't want to see the log, don't print it. There are no spammy debug logs anymore. Fixes Gallopsled#1666 * Fix doctest
This appears to be fixed in setuptools 62, but Python 2 is stuck at version 44. Use a workaround which overrides the disabled user installs temporarily. This fixes our develop Dockerfile too!
This commit adds information that the sleep shellcraft function does not check if it returned as part of an interrupt and it does not retry the syscall if this occured.
* Resolved issue Gallopsled#1411 abt serial-tube misbehaving. * Removed redundant docstrings
Two minor changes were made in the commit: - `which` was replaced with `command -v` - Minor bug fix ## Why bother with `which` ? - `POSIX` compatible - `which` is an external process you're launching for doing very little (meaning builtins like hash, type or command are way cheaper), you can also rely on the builtins to actually do what you want, while the effects of external commands can easily vary from system to system. - Many operating systems have a which that doesn't even set an exit status, meaning the if which foo won't even work there and will always report that foo exists, even if it doesn't (note that some POSIX shells appear to do this for hash too). - Many operating systems make which do custom and evil stuff like change the output or even hook into the package manager. Reference [here](https://stackoverflow.com/a/677212) Co-authored-by: Debjeet Banerjee <[email protected]>
* shellcraft/i386: optimize stackhunter * shellcraft/i386: add+opt long-gone stackhunter_helper * shellcraft/i386: concise doctests
* shellcraft/*/freebsd: match linux in switching cs * shellcraft: note trashed registers in switching cs
* Add ELF.set_runpath() Shells out to the `patchelf` tool to patch the ELF's RUNPATH. This lets the dynamic loader look for needed shared libraries in the given path first before the system libraries when running the binary. * Add ELF.set_interpreter() Shells out to the `patchelf` tool to patch the ELF's PT_INTERP segment. This allows to change the ld.so used when running the binary. * Add convenience wrapper to set runpath & interpreter A helper function to patch the ELF such that it uses the dynamic loader and other libraries in the given folder. * Add method to download libraries matching a libc Download the matching libraries for the given libc binary and cache them in a local directory using `libcdb.download_libraries()`. The libraries are looked up using libc.rip and fetched from the official package repositories if available. Only .deb and .pkg.tar.* packages are currently supported (Debian/Ubuntu, Arch). * Add --libc argument to pwnup template This generates code into the template which allows you to run the binary using the given libc. The foreign libc is used by default, but you can choose to run the binary against your system's local libc using the `LOCAL_LIBC` command line argument when executing the exploit script. * Work around Python 2 tarfile not supporting xz * Fix crash when libc wasn't found on libc.rip * Update README * Use subprocess.check_output instead of pwnlib.process * Special case Python 2 instead of 3 * Only catch Exceptions instead of everything Co-authored-by: Arusekk <[email protected]> * Check launchpad.net for Ubuntu libcs This mimics the way io12/pwninit obtains the ld.so. If the download from libc.rip fails, try launchpad.net. * Hide comment in template when --quiet * Please confused pylint in PY2 context Co-authored-by: Arusekk <[email protected]> --------- Co-authored-by: Arusekk <[email protected]>
Rebuild the images on push to the respective branch.
* ci: stabilize coverage * fix cache dirs
* Fix format string badbytes inconsistency Fixes Gallopsled#1888 * fmtstr: Make sure initial atom is considered
…ed#2328) * Lookup process executable using PATHEXT file extensions Windows uses some file extensions to determine which file to run when given a non-existing file. This allows to run `calc` instead of `calc.exe`. * Try PATHEXT in `which` directly * Update CHANGELOG
* Explicitly define p64/u64 functions for IDE support Instead of dynamically generating the packing and unpacking helper functions using `setattr(module, name, routine)` at runtime, unroll the loop and explicitly declare all 8 helpers. This allows IDEs to know about the function statically without running the code. Fixes Gallopsled#1657 * Update CHANGELOG * Fix u16 comment
* fix: Allow setting attributes on gdb Breakpoints * Update CHANGELOG * Add __getattr__ accidentally deleted from FinishBreakpoint
Visual Studio Code sets the $TERM_PROGRAM environment variable to `"vscode"` in its terminal pane, but doesn't support opening new panes from the command line and there is no "vscode" binary. Make sure the target binary exists before trying to launch it.
* Retry failed lookups after one week in libcdb The libc databases might be updated to include the searched version, so a request that failed once might work in the future. Refs Gallopsled#983 * Update CHANGELOG
* Match against local system libc first in libcdb Don't do any requests if the libc currently in use on the system running the exploit matches already. This is a small short circuit optimization when the remote target uses the same libc as the local one. This looks at the libc loaded by the local shell binary. This appears more dynamic than hardcoding library paths. Refs Gallopsled#983 * Update CHANGELOG * Handle missing SHELL envvar * Fix hash lookup
* Add `ELF.stripped` and `ELF.debuginfo` Show status in checksec output too. * Update CHANGELOG * Show stripped and debuginfo status in red in checksec
…n_shellcode/run_assembly
basic darwin support for shellcrafter
…ed#2344) (Gallopsled#2345) * Fix pwn constgrep when it matches a non-constant type This commit fixes the following issue: ``` root@pwndbg:~# pwn constgrep a Traceback (most recent call last): File "/usr/local/bin/pwn", line 8, in <module> sys.exit(main()) File "/usr/local/lib/python3.10/dist-packages/pwnlib/commandline/main.py", line 58, in main commands[args.command](args) File "/usr/local/lib/python3.10/dist-packages/pwnlib/commandline/constgrep.py", line 110, in main for _, k in sorted(out): TypeError: '<' not supported between instances of 'Constant' and 'type' ``` Note that it was caused because of the following type object being matched and fetched from the module object: ``` ipdb> out[25:27] [(Constant('CS', 0xd), 'CS'), (<class 'pwnlib.constants.constant.Constant'>, 'Constant')] ipdb> sorted(out[24:27]) *** TypeError: '<' not supported between instances of 'type' and 'Constant' ``` * Add test for `pwn constgrep C` to the CI * Add changelog entry
…2341) * fix: split current iterm window during gdb.debug process * add change to changelog * escape cmd before writing osascript file * use the previously sanitized command to run the osascript --------- Co-authored-by: peace-maker <[email protected]>
* Optimized dynelf when using an ELF object
* Fixed minor bugs, added a new way to lookup symbols
Improved _rel_lookup and added Elf64_Rel datatype
Added support for _rel_lookup in x86 binaries
* Spelling fix
* Converted prints to python2 style
+ changelog entry
* Fixed a bug with real leaker not being resotred
---------
Co-authored-by: Bl4ckC4t <[email protected]>
* Add a `flatten` argument to `ssh.libs` This option makes us able to avoid getting the file tree of the remote server and just downloads the desired files in the output folder * Update changelog * Add a warning in ssh.libs for duplicate filenames * Add documentation in ssh.libs for duplicate filenames fallback * [ssh.libs] Fix flatten's duplicate check Fix this: Gallopsled#2268 (comment) * [ssh.libs] Add better warning for flatten's duplicates Fix this: Gallopsled#2268 (comment) * [ssh.libs] Add doctests This commit adds: - The `no_duplicate` binary that depends on - `a/lib.so` - `b/lib2.so` - The `duplicate` binary that depends on - `a/lib.so` - `b/lib.so` Then, the doctest tries to pull the libs from both binaries with different `flatten` values. * [ssh.libs] Add `remote` arg to documentation * [ssh.libs] Remove fallback to unflattened when flatten fails * [ssh.libs] Fix doctests * [ssh.libs] Import pwnlib.data.elf.ssh_libs in pwnlib.data.elf * [ssh.libs] Fix corrupted binaries * [ssh.libs] We actually need to set the cwd since libs paths are relative * [ssh.libs] Fix permission issues for CI * [ssh.libs] Fix doctest * Remove doctest attempts --------- Co-authored-by: peace-maker <[email protected]> Co-authored-by: Arusekk <[email protected]> Co-authored-by: Peace-Maker <[email protected]>
…ixes Gallopsled#2343) (Gallopsled#2347) * Fix Unicorn Engine 1GB limit exit(): raise OSError instead (Fixes Gallopsled#2343) This commit fixes Gallopsled#2343: an issue where `pwn checksec <binary>` would fail with a bogus error of: ``` $ pwn checksec /root/x/bin/main Could not allocate dynamic translator buffer ``` This actually comes from Unicorn Engine which tries to allocate a 1GB RWX mapping: ``` root@pwndbg:~# strace -e openat,mmap pwn checksec /root/x/bin/main 2>&1 | tail -n 10 openat(AT_FDCWD, "/usr/lib/python3/dist-packages/mpmath-0.0.0.egg-info/PKG-INFO", O_RDONLY|O_CLOEXEC) = 7 openat(AT_FDCWD, "/usr/local/lib/python3.10/dist-packages/unicorn/lib/libunicorn.so.2", O_RDONLY|O_CLOEXEC) = 7 mmap(NULL, 22447520, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 7, 0) = 0x7f2604f9d000 mmap(0x7f2605339000, 13496320, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 7, 0x39c000) = 0x7f2605339000 mmap(0x7f2606018000, 3039232, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 7, 0x107b000) = 0x7f2606018000 mmap(0x7f26062fe000, 1601536, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 7, 0x1360000) = 0x7f26062fe000 mmap(0x7f2606485000, 525728, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f2606485000 mmap(NULL, 1073741824, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = -1 ENOMEM (Cannot allocate memory) Could not allocate dynamic translator buffer +++ exited with 1 +++ ``` ...and if it fails, it calls `exit()`. This can be seen in Unicorn Engine code: https://github.com/unicorn-engine/unicorn/blob/56f3bdedb42d26bee1532cc01baf5eaf44a9aa23/qemu/accel/tcg/translate-all.c#L960-L963 This issue has been reported to Unicorn Engine in unicorn-engine/unicorn#1766 but since it hasn't been fixed, this commit applies a workaround for it. * CI: add test for pwn checksec with 500MB limit for UE 1GB limit * Add changelog entry * Update .github/workflows/ci.yml --------- Co-authored-by: peace-maker <[email protected]>
…2233) * Bugfix gdb.debug: exe parameter now respected This commit now properly supports the exe parameter in `pwnlib/gdb.py:debug()`, allowing a different argv[0] than the executable. It achieves this by leveraging the gdbsever`--wrapper` argument with a python script that calls execve with the specified args. * Backintegration for python2 * Update Changelog.md * pwnlib gdb.py, try to pass these tests... * Encode script in ssh.process(run=False) for tests * Re-trigger Pull request tests * gdb.py: easier script if argv[0] == exe * gdb.py: Add test case for LD_Preload * Add check that "=" not in misc.normalize_argv_env This check checks prevents the use of "=" in the key of an environment variable, which is generally impossible. * gdb.py Correct handling of LD_ env-variables * Update pwnlib/gdb.py Co-authored-by: peace-maker <[email protected]> * gdb.py address comments 1. explicit ctypes.CDLL('libc.so.6'), handle execve failing 2. consistent namedTempFile 3. drop packing._encode() since it's done earlier 4. testcases solve argv-args confusion * gdb.py: Fix Namedtempfile-prefix + Bugfix * Restore prefix for gdbscript * Unify execve wrapper script under one function * gdb.py, Remove leftover script * Fix logging scope and ignore_environ argument --------- Co-authored-by: Youheng Lü <[email protected]> Co-authored-by: peace-maker <[email protected]> Co-authored-by: peace-maker <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
On my m1 mac, with python 3.12.1, evaluating
safeeval.const('1')requires'RETURN_CONST'as an allowed opcode. I added this opcode to allowed opcodes, and also changed some error mesage generation in ssh.process() (which is where the problem occured for me). I removed thepython.recvall()call in the error message generation, since this caused everything to hang for me in a very confusing way, but I can re-add it if you want me to.