Add sigreturn_frame_x64

ptr-yudai · Sep 5, 2024 · 08adcce · 08adcce
1 parent 0b89b2b
commit 08adcce
Show file tree

Hide file tree

Showing 4 changed files with 93 additions and 0 deletions.
diff --git a/ptrlib/pwn/__init__.py b/ptrlib/pwn/__init__.py
@@ -1,3 +1,4 @@
 from .dynlink import *
 from .fsb import *
 from .fuzz import *
+from .rop import *
diff --git a/ptrlib/pwn/rop/__init__.py b/ptrlib/pwn/rop/__init__.py
@@ -0,0 +1 @@
+from .srop import *
diff --git a/ptrlib/pwn/rop/srop.py b/ptrlib/pwn/rop/srop.py
@@ -0,0 +1,24 @@
+from ptrlib.binary.packing.pack import p64
+from ptrlib.binary.packing.flat import flat
+
+def sigreturn_frame_x64(uc_flags: int = 0, uc_link: int = 0,
+                        ss_sp: int = 0, ss_flags: int = 0, ss_size: int = 0,
+                        r8: int = 0, r9: int = 0, r10: int = 0,
+                        r11: int = 0, r12: int = 0, r13: int = 0,
+                        r14: int = 0, r15: int = 0, rdi: int = 0,
+                        rsi: int = 0, rbp: int = 0, rbx: int = 0,
+                        rdx: int = 0, rax: int = 0, rcx: int = 0,
+                        rsp: int = 0, rip: int = 0, eflags: int = 0,
+                        cs: int = 0x33, gs: int = 0, fs: int = 0, pad0: int = 0,
+                        err: int = 0, trapno: int = 0, oldmask: int = 0,
+                        cr2: int = 0, pfpstate: int = 0, reserved: int = 0,
+                        mask: int = 0, fpstate: int = 0,):
+    """Create sigreturn frame for x64
+    """
+    return flat([
+        uc_flags, uc_link, ss_sp, ss_flags, ss_size,
+        r8, r9, r10, r11, r12, r13, r14, r15,
+        rdi, rsi, rbp, rbx, rdx, rax, rcx, rsp, rip,
+        eflags, cs | (gs << 16) | (fs << 32) | (pad0 << 48),
+        err, trapno, oldmask, cr2, pfpstate, reserved, mask, fpstate
+    ], map=p64)
diff --git a/tests/pwn/test_srop.py b/tests/pwn/test_srop.py
@@ -0,0 +1,67 @@
+import inspect
+import os
+import random
+import unittest
+from logging import FATAL, getLogger
+
+from ptrlib import sigreturn_frame_x64, u16, u64
+
+
+class TestSROP(unittest.TestCase):
+    def setUp(self):
+        getLogger("ptrlib").setLevel(FATAL)
+
+    def test_srop_x64(self):
+        (uc_flags, uc_link, ss_sp, ss_flags, ss_size,
+         r8, r9, r10, r11, r12, r13, r14, r15,
+         rdi, rsi, rbp, rbx, rdx, rax, rcx, rsp, rip,
+         eflags, err, trapno, oldmask, cr2, pfpstate,
+         mask, fpstate) = (random.randrange(0, 1<<64) for _ in range(30))
+        gs = random.randrange(0, 1<<16)
+        fs = random.randrange(0, 1<<16)
+
+        srop = sigreturn_frame_x64(
+            uc_flags=uc_flags, uc_link=uc_link,
+            ss_sp=ss_sp, ss_flags=ss_flags, ss_size=ss_size,
+            r8=r8, r9=r9, r10=r10, r11=r11, r12=r12, r13=r13, r14=r14, r15=r15,
+            rdi=rdi, rsi=rsi, rbp=rbp, rbx=rbx, rdx=rdx, rax=rax,
+            rcx=rcx, rsp=rsp, rip=rip, eflags=eflags, err=err,
+            trapno=trapno, oldmask=oldmask, cr2=cr2, pfpstate=pfpstate,
+            mask=mask, fpstate=fpstate, gs=gs, fs=fs
+        )
+
+        self.assertEqual(u64(srop[0x00:0x08]), uc_flags)
+        self.assertEqual(u64(srop[0x08:0x10]), uc_link)
+        self.assertEqual(u64(srop[0x10:0x18]), ss_sp)
+        self.assertEqual(u64(srop[0x18:0x20]), ss_flags)
+        self.assertEqual(u64(srop[0x20:0x28]), ss_size)
+        self.assertEqual(u64(srop[0x28:0x30]), r8)
+        self.assertEqual(u64(srop[0x30:0x38]), r9)
+        self.assertEqual(u64(srop[0x38:0x40]), r10)
+        self.assertEqual(u64(srop[0x40:0x48]), r11)
+        self.assertEqual(u64(srop[0x48:0x50]), r12)
+        self.assertEqual(u64(srop[0x50:0x58]), r13)
+        self.assertEqual(u64(srop[0x58:0x60]), r14)
+        self.assertEqual(u64(srop[0x60:0x68]), r15)
+        self.assertEqual(u64(srop[0x68:0x70]), rdi)
+        self.assertEqual(u64(srop[0x70:0x78]), rsi)
+        self.assertEqual(u64(srop[0x78:0x80]), rbp)
+        self.assertEqual(u64(srop[0x80:0x88]), rbx)
+        self.assertEqual(u64(srop[0x88:0x90]), rdx)
+        self.assertEqual(u64(srop[0x90:0x98]), rax)
+        self.assertEqual(u64(srop[0x98:0xa0]), rcx)
+        self.assertEqual(u64(srop[0xa0:0xa8]), rsp)
+        self.assertEqual(u64(srop[0xa8:0xb0]), rip)
+        self.assertEqual(u64(srop[0xb0:0xb8]), eflags)
+        self.assertEqual(u16(srop[0xb8:0xba]), 0x33)
+        self.assertEqual(u16(srop[0xba:0xbc]), gs)
+        self.assertEqual(u16(srop[0xbc:0xbe]), fs)
+        self.assertEqual(u16(srop[0xbe:0xc0]), 0)
+        self.assertEqual(u64(srop[0xc0:0xc8]), err)
+        self.assertEqual(u64(srop[0xc8:0xd0]), trapno)
+        self.assertEqual(u64(srop[0xd0:0xd8]), oldmask)
+        self.assertEqual(u64(srop[0xd8:0xe0]), cr2)
+        self.assertEqual(u64(srop[0xe0:0xe8]), pfpstate)
+        self.assertEqual(u64(srop[0xe8:0xf0]), 0)
+        self.assertEqual(u64(srop[0xf0:0xf8]), mask)
+        self.assertEqual(u64(srop[0xf8:0x100]), fpstate)