Gallopsled / pwntools

CTF framework and exploit development library
http://pwntools.com

Improve shellcraft.<arch>.freebsd #1284

Open io12 opened 5 years ago

io12 commented 5 years ago

Right now we have shellcraft.<arch>.linux with a full set of syscalls and high-level wrappers like dupsh(), but shellcraft.<arch>.freebsd still needs a generic syscall template and specific syscalls.

zachriggle commented 5 years ago

Yep, this would be useful! Please contribute a Pull Request and we can get this in. We don't have a way to test BSD currently, but I expect it would be useful for macOS indirectly.

On Sun, Mar 10, 2019 at 4:20 PM io12 notifications@github.com wrote:

Right now we have shellcraft.<arch>.linux with a full set of syscalls and high-level wrappers like dupsh(), but shellcraft.<arch>.freebsd still needs a generic syscall template and specific syscalls.


io12 commented 5 years ago

I'll start work on a PR, but properly abstracting over multiple POSIX kernels (for macOS and other OSes) will require a bit of work. Maybe we could have a shellcraft.<arch>.posix with the lowest common denominator between UNIXes (shared syscalls and high-level wrappers) and have Linux/FreeBSD shadow it? Then OS-specific syscalls like seccomp could be only in shellcraft.<arch>.linux. Also, functions might need to be modified to include a flag whether the syscalls are POSIX or kernel-specific. We need some way to get a list of POSIX and OS-specific syscall prototypes.

zachriggle commented 5 years ago

I don't think there will be too much benefit by pulling out the POSIX spec, I was referring to macOS having some BSD roots and made a naive assumption that some basic syscalls (read/write/execve) would be conveniently compatible.

I don't think we would need to change functions since we can just pull out which syscalls are valid via the presence of __NR_ definitions (or the BSD equivalent).

My PR suggestion was simply for the shellcraft.freebsd.syscall arch-specific templates themselves; we can address auto-generating stubs in a future PR.

io12 commented 5 years ago

Okay, I can make generic shellcraft.freebsd.syscall templates. The main difference with Linux is FreeBSD mirrors its syscall ABI after its ABI for regular functions, so syscall arguments are sometimes passed on the stack. Only the x86 32-bit syscall interface seems documented from what I can tell, so I will probably have to peek at FreeBSD libc code.
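As an added illustration (not code from pwntools, and not from any participant in this thread), here is a small Python generator that emits the raw syscall stub for each of the four kernel/arch pairs under discussion, so the ABI difference io12 describes is visible side by side. The syscall numbers are hand-copied from FreeBSD's sys/kern/syscalls.master and the Linux unistd headers for a handful of calls only, and the function and table names (`syscall_stub`, `SYSCALL_NUMBERS`, `ARG_REGS`) are this example's own, not pwntools' shellcraft API. It shows that FreeBSD i386 takes every argument from the stack behind a dummy return-address slot, exactly like a cdecl call, while FreeBSD amd64 uses the same register order as Linux amd64 and differs mainly in reporting errors through the carry flag rather than a negative return value.

```python
"""Added illustration for this thread, not code from pwntools or its authors.

Emits NASM-style Intel-syntax assembly text for one syscall on FreeBSD or
Linux, i386 or amd64.  Only the few syscalls listed below are known, and
amd64 stubs with more than six arguments (which would spill to the stack)
are rejected rather than handled.
"""

# FreeBSD numbers come from sys/kern/syscalls.master and are shared by i386
# and amd64.  Linux numbers differ between the two architectures.
SYSCALL_NUMBERS = {
    ("freebsd", "i386"):  {"exit": 1, "read": 3, "write": 4, "close": 6, "execve": 59, "dup2": 90},
    ("freebsd", "amd64"): {"exit": 1, "read": 3, "write": 4, "close": 6, "execve": 59, "dup2": 90},
    ("linux", "i386"):    {"exit": 1, "read": 3, "write": 4, "close": 6, "execve": 11, "dup2": 63},
    ("linux", "amd64"):   {"exit": 60, "read": 0, "write": 1, "close": 3, "execve": 59, "dup2": 33},
}

# Registers that carry arguments.  FreeBSD i386 has no entry on purpose:
# it takes every argument from the stack, as a cdecl function call would.
ARG_REGS = {
    ("linux", "i386"):    ["ebx", "ecx", "edx", "esi", "edi", "ebp"],
    ("linux", "amd64"):   ["rdi", "rsi", "rdx", "r10", "r8", "r9"],
    ("freebsd", "amd64"): ["rdi", "rsi", "rdx", "r10", "r8", "r9"],
}


def _operand(arg):
    """Render an int as a hex immediate; pass a register name through unchanged."""
    return hex(arg) if isinstance(arg, int) else str(arg)


def syscall_stub(kernel, arch, name, *args):
    """Return assembly text that invokes syscall `name` with `args`.

    Result conventions the caller has to know about:
      linux   -> result in eax/rax, failure is -errno in the same register
      freebsd -> result in eax/rax, failure sets CF with errno in eax/rax
    """
    number = SYSCALL_NUMBERS[(kernel, arch)][name]
    lines = []

    if (kernel, arch) == ("freebsd", "i386"):
        # Arguments are pushed right-to-left, then one dummy dword stands in
        # for the return address a `call` would have pushed; the kernel reads
        # the arguments starting at esp+4.  The caller cleans up afterwards.
        for arg in reversed(args):
            lines.append(f"    push {_operand(arg)}")
        lines.append(f"    mov eax, {number:#x}    ; SYS_{name}")
        lines.append("    push eax    ; dummy return-address slot, value ignored")
        lines.append("    int 0x80    ; CF set on error, errno in eax")
        lines.append(f"    add esp, {4 * (len(args) + 1):#x}    ; drop dummy slot and arguments")
        return "\n".join(lines)

    regs = ARG_REGS[(kernel, arch)]
    if len(args) > len(regs):
        raise ValueError(f"{kernel}/{arch}: more than {len(regs)} arguments not handled here")
    for reg, arg in zip(regs, args):
        lines.append(f"    mov {reg}, {_operand(arg)}")
    # A 32-bit move into eax zero-extends into rax, so this form works on amd64 too.
    lines.append(f"    mov eax, {number:#x}    ; SYS_{name}")
    if arch == "i386":
        lines.append("    int 0x80")
    else:
        lines.append("    syscall    ; clobbers rcx and r11 on both kernels")
    return "\n".join(lines)


if __name__ == "__main__":
    # write(1, <buffer register>, 5) on every target, for eyeballing the differences.
    for kernel, arch in SYSCALL_NUMBERS:
        buf = "ebx" if arch == "i386" else "rsi"
        print(f"; {kernel}/{arch}")
        print(syscall_stub(kernel, arch, "write", 1, buf, 5))
        print()
```

Running the module prints the four `write` stubs; the FreeBSD i386 one ends with `add esp, 0x10` because three arguments plus the dummy slot occupy 16 bytes. Immediates such as `push 0x5` and `mov eax, 0x4` encode with NUL bytes, so a real shellcraft template would still want the usual NUL-free tricks on top of this skeleton.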