
Improve shellcraft.<arch>.freebsd

Open io12 opened this issue 6 years ago • 4 comments

Right now we have shellcraft.<arch>.linux with a full set of syscalls and high-level wrappers like dupsh(), but shellcraft.<arch>.freebsd still needs a generic syscall template and specific syscalls.

io12, Mar 10 '19 21:03

Yep, this would be useful! Please contribute a Pull Request and we can get this in. We don’t have a way to test BSD currently, but I expect it would be useful for macOS indirectly


zachriggle, Mar 10 '19 22:03

I'll start work on a PR, but properly abstracting over multiple POSIX kernels (for macOS and other OSes) will require a bit of work. Maybe we could have a shellcraft.<arch>.posix with the lowest common denominator between UNIXes (shared syscalls and high-level wrappers) and have Linux/FreeBSD shadow it? Then OS-specific syscalls like seccomp could be only in shellcraft.<arch>.linux. Also, functions might need to be modified to include a flag indicating whether the syscalls are POSIX or kernel-specific. We need some way to get a list of POSIX and OS-specific syscall prototypes.

io12, Mar 11 '19 18:03

I don't think there will be too much benefit by pulling out the POSIX spec, I was referring to macOS having some BSD roots and made a naive assumption that some basic syscalls (read/write/execve) would be conveniently compatible.

I don't think we would need to change functions since we can just pull out which syscalls are valid via the presence of __NR_ definitions (or the BSD equivalent).

My PR suggestion was simply for the shellcraft.freebsd.syscall arch-specific templates themselves; we can address auto-generating stubs in a future PR.

zachriggle, Mar 12 '19 17:03

Okay, I can make generic shellcraft.freebsd.syscall templates. The main difference with Linux is that FreeBSD mirrors its syscall ABI after its ABI for regular functions, so syscall arguments are sometimes passed on the stack. Only the x86 32-bit syscall interface seems documented from what I can tell, so I will probably have to peek at FreeBSD libc code.

io12, Mar 12 '19 23:03
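A sketch of the generic FreeBSD i386 syscall template the last comment describes, with the Linux/i386 register-based equivalent beside it for contrast. This is an added example, not pwntools code and not from anyone in the thread; the syscall-number table is a small hand-picked subset and the function names are assumptions.

```python
# Added example (not pwntools code): the point of the thread is that on
# FreeBSD/i386 the int 0x80 ABI mirrors the cdecl function ABI, so syscall
# arguments live on the stack above one dword that the kernel treats as the
# return-address slot, with the number in eax. On Linux/i386 the same call
# puts the arguments in ebx, ecx, edx, esi, edi, ebp instead.

# Constructed subset of FreeBSD syscall numbers (see sys/syscall.h on FreeBSD).
FREEBSD_SYSCALLS = {"exit": 1, "read": 3, "write": 4, "open": 5, "execve": 59, "dup2": 90}

LINUX_I386_ARG_REGS = ("ebx", "ecx", "edx", "esi", "edi", "ebp")


def _operand(arg):
    """Render an int as a hex immediate; pass register/label strings through."""
    return hex(arg) if isinstance(arg, int) else str(arg)


def freebsd_i386_syscall(syscall, *args, cleanup=True):
    """Return Intel-syntax assembly for a FreeBSD/i386 syscall via int 0x80.

    `syscall` is a name from FREEBSD_SYSCALLS or a raw number. With
    cleanup=True the stack is restored afterwards, as a cdecl caller would.
    """
    number = FREEBSD_SYSCALLS[syscall] if isinstance(syscall, str) else int(syscall)
    lines = []
    # cdecl order: push the last argument first so the first one ends at esp+4
    for arg in reversed(args):
        lines.append("push %s" % _operand(arg))
    # esp+0 is skipped by the kernel (return-address slot); any dword will do
    lines.append("push eax")
    lines.append("mov eax, %d" % number)
    lines.append("int 0x80")
    if cleanup:
        lines.append("add esp, %d" % (4 * (len(args) + 1)))
    return "\n".join(lines) + "\n"


def linux_i386_syscall(number, *args):
    """Linux/i386 equivalent: arguments in registers, nothing on the stack."""
    if len(args) > len(LINUX_I386_ARG_REGS):
        raise ValueError("Linux/i386 syscalls take at most six arguments")
    lines = ["mov %s, %s" % (reg, _operand(arg))
             for reg, arg in zip(LINUX_I386_ARG_REGS, args)]
    lines += ["mov eax, %d" % int(number), "int 0x80"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(freebsd_i386_syscall("write", 1, "esi", 5))
    print(linux_i386_syscall(4, 1, "esi", 5))
```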