fix #51

peter50216 · Oct 9, 2017 · 34dc2cd · 34dc2cd
1 parent 9206b30
commit 34dc2cd
Show file tree

Hide file tree

Showing 7 changed files with 18 additions and 13 deletions.
diff --git a/lib/pwnlib/shellcraft/generators/amd64/common/pushstr.rb b/lib/pwnlib/shellcraft/generators/amd64/common/pushstr.rb
@@ -51,7 +51,7 @@ def pushstr(str, append_null: true)
                 a = u64(xor_pair(word).first, endian: 'little', signed: false)
                 cat "mov rax, #{pretty(a)}"
                 cat 'push rax'
-                cat "mov rax, #{pretty(a)} ^ #{pretty(sign)}"
+                cat "mov rax, #{pretty(a ^ sign)} /* #{pretty(a)} ^ #{pretty(sign)} */"
                 cat 'xor [rsp], rax'
               end
             end

diff --git a/lib/pwnlib/shellcraft/generators/i386/common/pushstr.rb b/lib/pwnlib/shellcraft/generators/i386/common/pushstr.rb
@@ -28,7 +28,7 @@ def pushstr(str, append_null: true)
               else
                 a = u32(xor_pair(word).first, endian: 'little', signed: false)
                 cat "push #{pretty(a)}"
-                cat "xor dword ptr [esp], #{pretty(a)} ^ #{pretty(sign)}"
+                cat "xor dword ptr [esp], #{pretty(a ^ sign)} /* #{pretty(a)} ^ #{pretty(sign)} */"
               end
             end
           end

diff --git a/test/asm_test.rb b/test/asm_test.rb
@@ -19,6 +19,9 @@ def test_i386_asm
       assert_equal("\x90", Asm.asm('nop'))
       assert_equal("\xeb\xfe", Asm.asm(@shellcraft.infloop))
       assert_equal("jhh///sh/binj\x0bX\x89\xe31\xc9\x99\xcd\x80", Asm.asm(@shellcraft.sh))
+      # issue #51
+      assert_equal("j\x01\xfe\x0c$h\x01\x01\x01\x01\x814$\xf2\xf3\x0b\xfe",
+                   Asm.asm(@shellcraft.pushstr("\xf3\xf2\x0a\xff")))
     end
   end
 
@@ -27,6 +30,8 @@ def test_amd64_asm
       assert_equal("\x90", Asm.asm('nop'))
       assert_equal("\xeb\xfe", Asm.asm(@shellcraft.infloop))
       assert_equal("jhH\xb8/bin///sPj;XH\x89\xe71\xf6\x99\x0f\x05", Asm.asm(@shellcraft.sh))
+      assert_equal("j\x01\xfe\x0c$H\xb8\x01\x01\x01\x01\x01\x01\x01\x01PH\xb8\xfe\xfe\xfe\xfe\xfe\xfe\x0b\xfeH1\x04$",
+                   Asm.asm(@shellcraft.pushstr("\xff\xff\xff\xff\xff\xff\x0a\xff")))
     end
   end
 

diff --git a/test/shellcraft/linux/sh_test.rb b/test/shellcraft/linux/sh_test.rb
@@ -62,7 +62,7 @@ def test_amd64
   push rax
   mov rax, 0x101010101010101
   push rax
-  mov rax, 0x101010101010101 ^ 0x636500632d006873
+  mov rax, 0x626401622c016972 /* 0x101010101010101 ^ 0x636500632d006873 */
   xor [rsp], rax
   xor esi, esi /* 0 */
   push rsi /* null terminate */

diff --git a/test/shellcraft/linux/syscalls/execve_test.rb b/test/shellcraft/linux/syscalls/execve_test.rb
@@ -45,7 +45,7 @@ def test_amd64
   /* push "PWD=.\x00" */
   mov rax, 0x101010101010101
   push rax
-  mov rax, 0x101010101010101 ^ 0x2e3d445750
+  mov rax, 0x101012f3c455651 /* 0x101010101010101 ^ 0x2e3d445750 */
   xor [rsp], rax
   xor edx, edx /* 0 */
   push rdx /* null terminate */
@@ -94,7 +94,7 @@ def test_i386
   /* push argument array ["sh\x00"] */
   /* push "sh\x00" */
   push 0x1010101
-  xor dword ptr [esp], 0x1010101 ^ 0x6873
+  xor dword ptr [esp], 0x1016972 /* 0x1010101 ^ 0x6873 */
   xor ecx, ecx /* 0 */
   push ecx /* null terminate */
   push 4

diff --git a/test/shellcraft/pushstr_array_test.rb b/test/shellcraft/pushstr_array_test.rb
@@ -35,7 +35,7 @@ def test_amd64
   push rax
   mov rax, 0x101010101010101
   push rax
-  mov rax, 0x101010101010101 ^ 0x636500632d006873
+  mov rax, 0x626401622c016972 /* 0x101010101010101 ^ 0x636500632d006873 */
   xor [rsp], rax
   xor esp, esp /* 0 */
   push rsp /* null terminate */
@@ -62,13 +62,13 @@ def test_i386
   /* push argument array ["sh\x00", "-c\x00", "echo pusheen\x00"] */
   /* push "sh\x00-c\x00echo pusheen\x00" */
   push 0x1010101
-  xor dword ptr [esp], 0x1010101 ^ 0x6e65
+  xor dword ptr [esp], 0x1016f64 /* 0x1010101 ^ 0x6e65 */
   push 0x65687375
   push 0x70206f68
   push 0x1010101
-  xor dword ptr [esp], 0x1010101 ^ 0x63650063
+  xor dword ptr [esp], 0x62640162 /* 0x1010101 ^ 0x63650063 */
   push 0x1010101
-  xor dword ptr [esp], 0x1010101 ^ 0x2d006873
+  xor dword ptr [esp], 0x2c016972 /* 0x1010101 ^ 0x2d006873 */
   xor esp, esp /* 0 */
   push esp /* null terminate */
   push 9 /* mov esp, '\n' */

diff --git a/test/shellcraft/pushstr_test.rb b/test/shellcraft/pushstr_test.rb
@@ -48,14 +48,14 @@ def test_amd64
   /* push "/bin/sh\x00" */
   mov rax, 0x101010101010101
   push rax
-  mov rax, 0x101010101010101 ^ 0x68732f6e69622f
+  mov rax, 0x169722e6f68632e /* 0x101010101010101 ^ 0x68732f6e69622f */
   xor [rsp], rax
       EOS
       assert_equal(<<-'EOS', @shellcraft.pushstr("\x00\xff\xff\xff\xff\xff\xff\xff", append_null: false))
   /* push "\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF" */
   mov rax, 0x101010101010101
   push rax
-  mov rax, 0x101010101010101 ^ -0x100
+  mov rax, -0x1010101010101ff /* 0x101010101010101 ^ -0x100 */
   xor [rsp], rax
       EOS
     end
@@ -95,12 +95,12 @@ def test_i386
   push 1
   dec byte ptr [esp]
   push 0x1010101
-  xor dword ptr [esp], 0x1010101 ^ 0xa0a0a0a
+  xor dword ptr [esp], 0xb0b0b0b /* 0x1010101 ^ 0xa0a0a0a */
       EOS
       assert_equal(<<-'EOS', @shellcraft.pushstr('/bin/sh'))
   /* push "/bin/sh\x00" */
   push 0x1010101
-  xor dword ptr [esp], 0x1010101 ^ 0x68732f
+  xor dword ptr [esp], 0x169722e /* 0x1010101 ^ 0x68732f */
   push 0x6e69622f
       EOS
     end