Release 4.4.0beta1

Author: Arusekk

CHANGELOG.md

@@ -58,6 +58,12 @@ The table below shows which release corresponds to each branch, and what date th
 
 ## 4.5.0 (`dev`)
 
+- [#1261][1261] Misc `run_in_new_terminal` improvements (notably gdb terminated by default)
+- [#1695][1695] Allow using GDB Python API
+
+[1261]: https://github.com/Gallopsled/pwntools/pull/1261
+[1695]: https://github.com/Gallopsled/pwntools/pull/1695
+
 ## 4.4.0 (`beta`)
 
 - [#1541][1541] Use `context.newline` for tubes by default
@@ -80,6 +86,7 @@ The table below shows which release corresponds to each branch, and what date th
 - [#1688][1688] Add `__setattr__` and `__call__` interfaces to `ROP` for setting registers
 - [#1692][1692] Remove python2 shebangs where appropriate
 - [#1703][1703] Update libcdb buildid offsets for amd64 and i386
+- [#1704][1704] Try https://libc.rip/ for libcdb lookup
 
 [1541]: https://github.com/Gallopsled/pwntools/pull/1541
 [1602]: https://github.com/Gallopsled/pwntools/pull/1602
@@ -99,8 +106,15 @@ The table below shows which release corresponds to each branch, and what date th
 [1688]: https://github.com/Gallopsled/pwntools/pull/1688
 [1692]: https://github.com/Gallopsled/pwntools/pull/1692
 [1703]: https://github.com/Gallopsled/pwntools/pull/1703
+[1704]: https://github.com/Gallopsled/pwntools/pull/1704
+
+## 4.3.1 (`stable`)
+
+- [#1732][1732] Fix shellcraft SSTI vulnerability (first major pwntools vuln!)
+
+[1732]: https://github.com/Gallopsled/pwntools/pull/1732
 
-## 4.3.0 (`stable`)
+## 4.3.0
 
 - [#1576][1576] Add `executable=` argument to `ELF.search`
 - [#1584][1584] Add `jmp_esp`/`jmp_rsp` attribute to `ROP`

pwnlib/constants/__init__.py

@@ -145,7 +145,13 @@ def eval(self, string):
         if key not in self._env_store:
             self._env_store[key] = {key: getattr(self, key) for key in dir(self) if not key.endswith('__')}
 
-        return Constant('(%s)' % string, safeeval.values(string, self._env_store[key]))
+        val = safeeval.values(string, self._env_store[key])
+
+        # if the expression is not assembly-safe, it is not so vital to preserve it
+        if set(string) & (set(bytearray(range(32)).decode()) | set('"#$\',.;@[\\]`{}')):
+            string = val
+
+        return Constant('(%s)' % string, val)
 
 
 # To prevent garbage collection

pwnlib/data/syscalls/generate.py

@@ -1,6 +1,7 @@
 #!/usr/bin/env python2
 from __future__ import division
 import argparse
+import keyword
 import os
 
 from pwnlib import constants
@@ -62,7 +63,7 @@
 
     for name, arg in zip(argument_names, argument_values):
         if arg is not None:
-            syscall_repr.append('%s=%r' % (name, arg))
+            syscall_repr.append('%s=%s' % (name, pwnlib.shellcraft.pretty(arg, False)))
 
         # If the argument itself (input) is a register...
         if arg in allregs:
@@ -75,8 +76,8 @@
 
         # The argument is not a register.  It is a string value, and we
         # are expecting a string value
-        elif name in can_pushstr and isinstance(arg, (bytes, six.text_type)):
-            if not isinstance(arg, bytes):
+        elif name in can_pushstr and isinstance(arg, (six.binary_type, six.text_type)):
+            if isinstance(arg, six.text_type):
                 arg = arg.encode('utf-8')
             string_arguments[name] = arg
 
@@ -144,12 +145,11 @@ def can_be_array(arg):
 
 
 def fix_bad_arg_names(func, arg):
-    if arg.name == 'str':
-        return 'str_'
     if arg.name == 'len':
         return 'length'
-    if arg.name == 'repr':
-        return 'repr_'
+
+    if arg.name in ('str', 'repr') or keyword.iskeyword(arg.name):
+        return arg.name + '_'
 
     if func.name == 'open' and arg.name == 'vararg':
         return 'mode'
@@ -277,8 +277,10 @@ def generate_one(target):
             CALL.format(**template_variables)
         ]
 
-        with open(os.path.join(target, name + '.asm'), 'wt+') as f:
-            f.write('\n'.join(map(str.strip, lines)))
+        if keyword.iskeyword(name):
+            name += '_'
+        with open(os.path.join(target, name + '.asm'), 'wt') as f:
+            f.write('\n'.join(map(str.strip, lines)) + '\n')
 
 if __name__ == '__main__':
     p = argparse.ArgumentParser()

pwnlib/shellcraft/__init__.py

@@ -142,8 +142,11 @@ def eval(self, item):
         return constants.eval(item)
 
     def pretty(self, n, comment=True):
-        if isinstance(n, str):
-            return repr(n)
+        if isinstance(n, (str, bytes, list, tuple, dict)):
+            r = repr(n)
+            if not comment:  # then it can be inside a comment!
+                r = r.replace('*/', r'\x2a/')
+            return r
         if not isinstance(n, six.integer_types):
             return n
         if isinstance(n, constants.Constant):

pwnlib/shellcraft/templates/aarch64/freebsd/syscall.asm

@@ -36,7 +36,7 @@ Example:
       if syscall is None:
           args = ['?']
       else:
-          args = [repr(syscall)]
+          args = [pretty(syscall, False)]
 
   for arg in [arg0, arg1, arg2, arg3, arg4, arg5]:
       if arg is None:

pwnlib/shellcraft/templates/aarch64/linux/syscall.asm

@@ -1,5 +1,5 @@
 <%
-  from pwnlib.shellcraft import aarch64
+  from pwnlib.shellcraft import aarch64, pretty
   from pwnlib.constants import eval
   from pwnlib.abi import linux_aarch64_syscall as abi
   from six import text_type
@@ -14,7 +14,7 @@ Any of the arguments can be expressions to be evaluated by :func:`pwnlib.constan
 Example:
 
     >>> print(shellcraft.aarch64.linux.syscall(11, 1, 'sp', 2, 0).rstrip())
-        /* call syscall(11, 1, 'sp', 2, 0) */
+        /* call syscall(0xb, 1, 'sp', 2, 0) */
         mov  x0, #1
         mov  x1, sp
         mov  x2, #2
@@ -59,13 +59,13 @@ Example:
       if syscall is None:
           args = ['?']
       else:
-          args = [repr(syscall)]
+          args = [pretty(syscall, False)]
 
   for arg in [arg0, arg1, arg2, arg3, arg4, arg5]:
       if arg is None:
           args.append('?')
       else:
-          args.append(repr(arg))
+          args.append(pretty(arg, False))
   while args and args[-1] == '?':
       args.pop()
   syscall_repr = syscall_repr % ', '.join(args)

pwnlib/shellcraft/templates/aarch64/pushstr_array.asm

@@ -39,7 +39,7 @@ string = b''.join(array)
 if len(array) * 8 > 4095:
     raise Exception("Array size is too large (%i), max=4095" % len(array))
 %>\
-    /* push argument array ${repr(array)} */
+    /* push argument array ${shellcraft.pretty(array, False)} */
     ${shellcraft.pushstr(string, register1=register1, register2=register2)}
 
     /* push null terminator */

pwnlib/shellcraft/templates/amd64/freebsd/syscall.asm

@@ -79,7 +79,7 @@ Example:
       if syscall is None:
           args = ['?']
       else:
-          args = [repr(syscall)]
+          args = [pretty(syscall, False)]
 
   for arg in [arg0, arg1, arg2, arg3, arg4, arg5]:
       if arg is None:

pwnlib/shellcraft/templates/amd64/linux/syscall.asm

@@ -1,5 +1,5 @@
 <%
-  from pwnlib.shellcraft import amd64
+  from pwnlib.shellcraft import amd64, pretty
   from pwnlib.constants import Constant
   from pwnlib.abi import linux_amd64_syscall as abi
   from six import text_type
@@ -54,7 +54,7 @@ Example:
         ...               'PROT_READ | PROT_WRITE | PROT_EXEC',
         ...               'MAP_PRIVATE | MAP_ANONYMOUS',
         ...               -1, 0).rstrip())
-            /* call mmap(0, 4096, 'PROT_READ | PROT_WRITE | PROT_EXEC', 'MAP_PRIVATE | MAP_ANONYMOUS', -1, 0) */
+            /* call mmap(0, 0x1000, 'PROT_READ | PROT_WRITE | PROT_EXEC', 'MAP_PRIVATE | MAP_ANONYMOUS', -1, 0) */
             push (MAP_PRIVATE | MAP_ANONYMOUS) /* 0x22 */
             pop r10
             push -1
@@ -84,6 +84,20 @@ Example:
             push SYS_open /* 2 */
             pop rax
             syscall
+        >>> print(shellcraft.amd64.write(0, '*/', 2).rstrip())
+            /* write(fd=0, buf='\x2a/', n=2) */
+            /* push b'\x2a/\x00' */
+            push 0x1010101 ^ 0x2f2a
+            xor dword ptr [rsp], 0x1010101
+            mov rsi, rsp
+            xor edi, edi /* 0 */
+            push 2
+            pop rdx
+            /* call write() */
+            push SYS_write /* 1 */
+            pop rax
+            syscall
+
 </%docstring>
 <%
   append_cdq = False
@@ -95,13 +109,13 @@ Example:
       if syscall is None:
           args = ['?']
       else:
-          args = [repr(syscall)]
+          args = [pretty(syscall, False)]
 
   for arg in [arg0, arg1, arg2, arg3, arg4, arg5]:
       if arg is None:
           args.append('?')
       else:
-          args.append(repr(arg))
+          args.append(pretty(arg, False))
   while args and args[-1] == '?':
       args.pop()
   syscall_repr = syscall_repr % ', '.join(args)

pwnlib/shellcraft/templates/amd64/push.asm

@@ -1,6 +1,6 @@
 <%
   from pwnlib.util import packing
-  from pwnlib.shellcraft import amd64
+  from pwnlib.shellcraft import amd64, pretty
   from pwnlib.shellcraft.amd64 import pushstr
   from pwnlib import constants
   from pwnlib.shellcraft.registers import amd64 as regs
@@ -31,7 +31,7 @@ Example:
         /* push 1 */
         push 1
     >>> print(pwnlib.shellcraft.amd64.push(256).rstrip())
-        /* push 256 */
+        /* push 0x100 */
         push 0x1010201 ^ 0x100
         xor dword ptr [rsp], 0x1010201
     >>> with context.local(os = 'linux'):
@@ -58,7 +58,7 @@ Example:
         pass
 %>
 %if not is_reg:
-    /* push ${repr(value_orig)} */
+    /* push ${pretty(value_orig, False)} */
     ${re.sub(r'^\s*/.*\n', '', amd64.pushstr(packing.pack(value), False), 1)}
 % else:
     push ${value}