`pwnlib.shellcraft.arm` — Shellcode for ARM¶

`pwnlib.shellcraft.arm`¶

Shellcraft module containing generic ARM little endian shellcodes.

pwnlib.shellcraft.arm.crash()[source]¶

Crash.

Example

>>> run_assembly(shellcraft.crash()).poll(True)
-11

pwnlib.shellcraft.arm.infloop()[source]¶: An infinite loop.

pwnlib.shellcraft.arm.itoa(v, buffer='sp', allocate_stack=True)[source]¶

Converts an integer into its string representation, and pushes it onto the stack. Uses registers r0-r5.

Parameters:	v (str, int) – Integer constant or register that contains the value to convert. alloca –

Example

>>> sc = shellcraft.arm.mov('r0', 0xdeadbeef)
>>> sc += shellcraft.arm.itoa('r0')
>>> sc += shellcraft.arm.linux.write(1, 'sp', 32)
>>> run_assembly(sc).recvuntil('\x00')
'3735928559\x00'

pwnlib.shellcraft.arm.memcpy(dest, src, n)[source]¶

Copies memory.

Parameters:	dest – Destination address src – Source address n – Number of bytes

pwnlib.shellcraft.arm.mov(dst, src)[source]¶

Move src into dest.

Support for automatically avoiding newline and null bytes has to be done.

If src is a string that is not a register, then it will locally set context.arch to ‘arm’ and use pwnlib.constants.eval() to evaluate the string. Note that this means that this shellcode can change behavior depending on the value of context.os.

Examples

>>> print shellcraft.arm.mov('r0','r1').rstrip()
    mov  r0, r1
>>> print shellcraft.arm.mov('r0', 5).rstrip()
    mov  r0, #5
>>> print shellcraft.arm.mov('r0', 0x34532).rstrip()
    movw r0, #0x34532 & 0xffff
    movt r0, #0x34532 >> 16
>>> print shellcraft.arm.mov('r0', 0x101).rstrip()
    movw r0, #0x101
>>> print shellcraft.arm.mov('r0', 0xff << 14).rstrip()
    mov  r0, #0x3fc000
>>> print shellcraft.arm.mov('r0', 0xff << 15).rstrip()
    movw r0, #0x7f8000 & 0xffff
    movt r0, #0x7f8000 >> 16
>>> print shellcraft.arm.mov('r0', 0xf00d0000).rstrip()
    eor  r0, r0
    movt r0, #0xf00d0000 >> 16
>>> print shellcraft.arm.mov('r0', 0xffff00ff).rstrip()
    mvn  r0, #(0xffff00ff ^ (-1))
>>> print shellcraft.arm.mov('r0', 0x1fffffff).rstrip()
    mvn  r0, #(0x1fffffff ^ (-1))

Parameters:	dest (str) – ke destination register. src (str) – Either the input register, or an immediate value.

pwnlib.shellcraft.arm.nop()[source]¶: A nop instruction.

pwnlib.shellcraft.arm.push(word, register='r12')[source]¶

Pushes a 32-bit integer onto the stack. Uses r12 as a temporary register.

r12 is defined as the inter-procedural scartch register ($ip), so this should not interfere with most usage.

Parameters:	word (int, str) – The word to push tmpreg (str) – Register to use as a temporary register. R7 is used by default.

pwnlib.shellcraft.arm.pushstr(string, append_null=True, register='r7')[source]¶

Pushes a string onto the stack.

Parameters:	string (str) – The string to push. append_null (bool) – Whether to append a single NULL-byte before pushing. register (str) – Temporary register to use. By default, R7 is used.

Examples

>>> print shellcraft.arm.pushstr("Hello!").rstrip()
    /* push 'Hello!\x00A' */
    movw r7, #0x4100216f & 0xffff
    movt r7, #0x4100216f >> 16
    push {r7}
    movw r7, #0x6c6c6548 & 0xffff
    movt r7, #0x6c6c6548 >> 16
    push {r7}

pwnlib.shellcraft.arm.pushstr_array(reg, array)[source]¶

Pushes an array/envp-style array of pointers onto the stack.

Parameters:	reg (str) – Destination register to hold the pointer. array (str,list) – Single argument or list of arguments to push. NULL termination is normalized so that each argument ends with exactly one NULL byte.

pwnlib.shellcraft.arm.ret(return_value=None)[source]¶

A single-byte RET instruction.

Parameters:	return_value – Value to return

Examples

>>> with context.local(arch='arm'):
...     print enhex(asm(shellcraft.ret()))
...     print enhex(asm(shellcraft.ret(0)))
...     print enhex(asm(shellcraft.ret(0xdeadbeef)))
1eff2fe1
000020e01eff2fe1
ef0e0be3ad0e4de31eff2fe1

pwnlib.shellcraft.arm.setregs(reg_context, stack_allowed=True)[source]¶

Sets multiple registers, taking any register dependencies into account (i.e., given eax=1,ebx=eax, set ebx first).

Parameters:	reg_context (dict) – Desired register context stack_allowed (bool) – Can the stack be used?

Example

>>> print shellcraft.setregs({'r0':1, 'r2':'r3'}).rstrip()
    mov  r0, #1
    mov  r2, r3
>>> print shellcraft.setregs({'r0':'r1', 'r1':'r0', 'r2':'r3'}).rstrip()
    mov  r2, r3
    eor  r0, r0, r1 /* xchg r0, r1 */
    eor  r1, r0, r1
    eor  r0, r0, r1

pwnlib.shellcraft.arm.to_thumb(reg=None, avoid=[])[source]¶: Go from ARM to THUMB mode.

pwnlib.shellcraft.arm.trap()[source]¶: A trap instruction.

pwnlib.shellcraft.arm.udiv_10(N)[source]¶

Divides r0 by 10. Result is stored in r0, N and Z flags are updated.

Code is from generated from here:: https://raw.githubusercontent.com/rofirrim/raspberry-pi-assembler/master/chapter15/magic.py
With code:: python magic.py 10 code_for_unsigned

pwnlib.shellcraft.arm.xor(key, address, count)[source]¶

XORs data a constant value.

Parameters:	key (int,str) – XOR key either as a 4-byte integer, If a string, length must be a power of two, and not longer than 4 bytes. address (int) – Address of the data (e.g. 0xdead0000, ‘rsp’) count (int) – Number of bytes to XOR.

Example

>>> sc  = shellcraft.read(0, 'sp', 32)
>>> sc += shellcraft.xor(0xdeadbeef, 'sp', 32)
>>> sc += shellcraft.write(1, 'sp', 32)
>>> io = run_assembly(sc)
>>> io.send(cyclic(32))
>>> result = io.recvn(32)
>>> expected = xor(cyclic(32), p32(0xdeadbeef))
>>> result == expected
True

`pwnlib.shellcraft.arm.linux`¶

Shellcraft module containing ARM shellcodes for Linux.

pwnlib.shellcraft.arm.linux.accept(fd, addr, addr_len)[source]¶

Invokes the syscall accept. See ‘man 2 accept’ for more information.

Parameters:	fd (int) – fd addr (SOCKADDR_ARG) – addr addr_len (socklen_t) – addr_len

pwnlib.shellcraft.arm.linux.access(name, type)[source]¶

Invokes the syscall access. See ‘man 2 access’ for more information.

Parameters:	name (char) – name type (int) – type

pwnlib.shellcraft.arm.linux.acct(name)[source]¶

Invokes the syscall acct. See ‘man 2 acct’ for more information.

Parameters:	name (char) – name

pwnlib.shellcraft.arm.linux.alarm(seconds)[source]¶

Invokes the syscall alarm. See ‘man 2 alarm’ for more information.

Parameters:	seconds (unsigned) – seconds

pwnlib.shellcraft.arm.linux.bind(fd, addr, length)[source]¶

Invokes the syscall bind. See ‘man 2 bind’ for more information.

Parameters:	fd (int) – fd addr (CONST_SOCKADDR_ARG) – addr len (socklen_t) – len

pwnlib.shellcraft.arm.linux.brk(addr)[source]¶

Invokes the syscall brk. See ‘man 2 brk’ for more information.

Parameters:	addr (void) – addr

pwnlib.shellcraft.arm.linux.cacheflush()[source]¶

Invokes the cache-flush operation, without using any NULL or newline bytes.

Effectively is just:

mov r0, #0 mov r1, #-1 mov r2, #0 swi 0x9F0002

How this works:

... However, SWI generates a software interrupt and to the interrupt handler, 0x9F0002 is actually data and as a result will not be read via the instruction cache, so if we modify the argument to SWI in our self-modifyign code, the argument will be read correctly.

pwnlib.shellcraft.arm.linux.cat(filename, fd=1)[source]¶

Opens a file and writes its contents to the specified file descriptor.

Example

>>> f = tempfile.mktemp()
>>> write(f, 'FLAG\n')
>>> run_assembly(shellcraft.arm.linux.cat(f)).recvline()
'FLAG\n'

pwnlib.shellcraft.arm.linux.chdir(path)[source]¶

Invokes the syscall chdir. See ‘man 2 chdir’ for more information.

Parameters:	path (char) – path

pwnlib.shellcraft.arm.linux.chmod(file, mode)[source]¶

Invokes the syscall chmod. See ‘man 2 chmod’ for more information.

Parameters:	file (char) – file mode (mode_t) – mode

pwnlib.shellcraft.arm.linux.chown(file, owner, group)[source]¶

Invokes the syscall chown. See ‘man 2 chown’ for more information.

Parameters:	file (char) – file owner (uid_t) – owner group (gid_t) – group

pwnlib.shellcraft.arm.linux.chroot(path)[source]¶

Invokes the syscall chroot. See ‘man 2 chroot’ for more information.

Parameters:	path (char) – path

pwnlib.shellcraft.arm.linux.clock_getres(clock_id, res)[source]¶

Invokes the syscall clock_getres. See ‘man 2 clock_getres’ for more information.

Parameters:	clock_id (clockid_t) – clock_id res (timespec) – res

pwnlib.shellcraft.arm.linux.clock_gettime(clock_id, tp)[source]¶

Invokes the syscall clock_gettime. See ‘man 2 clock_gettime’ for more information.

Parameters:	clock_id (clockid_t) – clock_id tp (timespec) – tp

pwnlib.shellcraft.arm.linux.clock_nanosleep(clock_id, flags, req, rem)[source]¶

Invokes the syscall clock_nanosleep. See ‘man 2 clock_nanosleep’ for more information.

Parameters:	clock_id (clockid_t) – clock_id flags (int) – flags req (timespec) – req rem (timespec) – rem

pwnlib.shellcraft.arm.linux.clock_settime(clock_id, tp)[source]¶

Invokes the syscall clock_settime. See ‘man 2 clock_settime’ for more information.

Parameters:	clock_id (clockid_t) – clock_id tp (timespec) – tp

pwnlib.shellcraft.arm.linux.clone(fn, child_stack, flags, arg, vararg)[source]¶

Invokes the syscall clone. See ‘man 2 clone’ for more information.

Parameters:	fn (int) – fn child_stack (void) – child_stack flags (int) – flags arg (void) – arg vararg (int) – vararg

pwnlib.shellcraft.arm.linux.close(fd)[source]¶

Invokes the syscall close. See ‘man 2 close’ for more information.

Parameters:	fd (int) – fd

pwnlib.shellcraft.arm.linux.connect(host, port, network='ipv4')[source]¶: Connects to the host on the specified port. Network is either ‘ipv4’ or ‘ipv6’. Leaves the connected socket in R6.

pwnlib.shellcraft.arm.linux.creat(file, mode)[source]¶

Invokes the syscall creat. See ‘man 2 creat’ for more information.

Parameters:	file (char) – file mode (mode_t) – mode

pwnlib.shellcraft.arm.linux.dir(in_fd='r6', size=2048, allocate_stack=True)[source]¶

Reads to the stack from a directory.

Parameters:	in_fd (int/str) – File descriptor to be read from. size (int) – Buffer size. allocate_stack (bool) – allocate ‘size’ bytes on the stack.

You can optioanlly shave a few bytes not allocating the stack space.

The size read is left in eax.

pwnlib.shellcraft.arm.linux.dup(fd)[source]¶

Invokes the syscall dup. See ‘man 2 dup’ for more information.

Parameters:	fd (int) – fd

pwnlib.shellcraft.arm.linux.dup2(fd, fd2)[source]¶

Invokes the syscall dup2. See ‘man 2 dup2’ for more information.

Parameters:	fd (int) – fd fd2 (int) – fd2

pwnlib.shellcraft.arm.linux.dup3(fd, fd2, flags)[source]¶

Invokes the syscall dup3. See ‘man 2 dup3’ for more information.

Parameters:	fd (int) – fd fd2 (int) – fd2 flags (int) – flags

pwnlib.shellcraft.arm.linux.echo(string, sock='1')[source]¶

Writes a string to a file descriptor

Example

>>> run_assembly(shellcraft.echo('hello\n', 1)).recvline()
'hello\n'

pwnlib.shellcraft.arm.linux.egghunter(egg, start_address = 0, double_check = True)[source]¶: Searches for an egg, which is either a four byte integer or a four byte string. The egg must appear twice in a row if double_check is True. When the egg has been found the egghunter branches to the address following it. If start_address has been specified search will start on the first address of the page that contains that address.

pwnlib.shellcraft.arm.linux.epoll_create(size)[source]¶

Invokes the syscall epoll_create. See ‘man 2 epoll_create’ for more information.

Parameters:	size (int) – size

pwnlib.shellcraft.arm.linux.epoll_create1(flags)[source]¶

Invokes the syscall epoll_create1. See ‘man 2 epoll_create1’ for more information.

Parameters:	flags (int) – flags

pwnlib.shellcraft.arm.linux.epoll_ctl(epfd, op, fd, event)[source]¶

Invokes the syscall epoll_ctl. See ‘man 2 epoll_ctl’ for more information.

Parameters:	epfd (int) – epfd op (int) – op fd (int) – fd event (epoll_event) – event

pwnlib.shellcraft.arm.linux.epoll_pwait(epfd, events, maxevents, timeout, ss)[source]¶

Invokes the syscall epoll_pwait. See ‘man 2 epoll_pwait’ for more information.

Parameters:	epfd (int) – epfd events (epoll_event) – events maxevents (int) – maxevents timeout (int) – timeout ss (sigset_t) – ss

pwnlib.shellcraft.arm.linux.epoll_wait(epfd, events, maxevents, timeout)[source]¶

Invokes the syscall epoll_wait. See ‘man 2 epoll_wait’ for more information.

Parameters:	epfd (int) – epfd events (epoll_event) – events maxevents (int) – maxevents timeout (int) – timeout

pwnlib.shellcraft.arm.linux.execve(path='/bin///sh', argv=[], envp={})[source]¶

Execute a different process.

>>> path = '/bin/sh'
>>> argv = ['sh', '-c', 'echo Hello, $NAME; exit $STATUS']
>>> envp = {'NAME': 'zerocool', 'STATUS': 3}
>>> sc = shellcraft.arm.linux.execve(path, argv, envp)
>>> io = run_assembly(sc)
>>> io.recvall()
'Hello, zerocool\n'
>>> io.poll(True)
3

pwnlib.shellcraft.arm.linux.exit(status)[source]¶

Invokes the syscall exit. See ‘man 2 exit’ for more information.

Parameters:	status (int) – status

pwnlib.shellcraft.arm.linux.faccessat(fd, file, type, flag)[source]¶

Invokes the syscall faccessat. See ‘man 2 faccessat’ for more information.

Parameters:	fd (int) – fd file (char) – file type (int) – type flag (int) – flag

pwnlib.shellcraft.arm.linux.fallocate(fd, mode, offset, length)[source]¶

Invokes the syscall fallocate. See ‘man 2 fallocate’ for more information.

Parameters:	fd (int) – fd mode (int) – mode offset (off_t) – offset len (off_t) – len

pwnlib.shellcraft.arm.linux.fchdir(fd)[source]¶

Invokes the syscall fchdir. See ‘man 2 fchdir’ for more information.

Parameters:	fd (int) – fd

pwnlib.shellcraft.arm.linux.fchmod(fd, mode)[source]¶

Invokes the syscall fchmod. See ‘man 2 fchmod’ for more information.

Parameters:	fd (int) – fd mode (mode_t) – mode

pwnlib.shellcraft.arm.linux.fchmodat(fd, file, mode, flag)[source]¶

Invokes the syscall fchmodat. See ‘man 2 fchmodat’ for more information.

Parameters:	fd (int) – fd file (char) – file mode (mode_t) – mode flag (int) – flag

pwnlib.shellcraft.arm.linux.fchown(fd, owner, group)[source]¶

Invokes the syscall fchown. See ‘man 2 fchown’ for more information.

Parameters:	fd (int) – fd owner (uid_t) – owner group (gid_t) – group

pwnlib.shellcraft.arm.linux.fchownat(fd, file, owner, group, flag)[source]¶

Invokes the syscall fchownat. See ‘man 2 fchownat’ for more information.

Parameters:	fd (int) – fd file (char) – file owner (uid_t) – owner group (gid_t) – group flag (int) – flag

pwnlib.shellcraft.arm.linux.fcntl(fd, cmd, vararg)[source]¶

Invokes the syscall fcntl. See ‘man 2 fcntl’ for more information.

Parameters:	fd (int) – fd cmd (int) – cmd vararg (int) – vararg

pwnlib.shellcraft.arm.linux.fdatasync(fildes)[source]¶

Invokes the syscall fdatasync. See ‘man 2 fdatasync’ for more information.

Parameters:	fildes (int) – fildes

pwnlib.shellcraft.arm.linux.flock(fd, operation)[source]¶

Invokes the syscall flock. See ‘man 2 flock’ for more information.

Parameters:	fd (int) – fd operation (int) – operation

pwnlib.shellcraft.arm.linux.fork()[source]¶

Invokes the syscall fork. See ‘man 2 fork’ for more information.

Arguments:

pwnlib.shellcraft.arm.linux.forkbomb()[source]¶: Performs a forkbomb attack.

pwnlib.shellcraft.arm.linux.forkexit()[source]¶: Attempts to fork. If the fork is successful, the parent exits.

pwnlib.shellcraft.arm.linux.fstat(fd, buf)[source]¶

Invokes the syscall fstat. See ‘man 2 fstat’ for more information.

Parameters:	fd (int) – fd buf (stat) – buf

pwnlib.shellcraft.arm.linux.fstat64(fd, buf)[source]¶

Invokes the syscall fstat64. See ‘man 2 fstat64’ for more information.

Parameters:	fd (int) – fd buf (stat64) – buf

pwnlib.shellcraft.arm.linux.fstatat64(fd, file, buf, flag)[source]¶

Invokes the syscall fstatat64. See ‘man 2 fstatat64’ for more information.

Parameters:	fd (int) – fd file (char) – file buf (stat64) – buf flag (int) – flag

pwnlib.shellcraft.arm.linux.fsync(fd)[source]¶

Invokes the syscall fsync. See ‘man 2 fsync’ for more information.

Parameters:	fd (int) – fd

pwnlib.shellcraft.arm.linux.ftruncate(fd, length)[source]¶

Invokes the syscall ftruncate. See ‘man 2 ftruncate’ for more information.

Parameters:	fd (int) – fd length (off_t) – length

pwnlib.shellcraft.arm.linux.ftruncate64(fd, length)[source]¶

Invokes the syscall ftruncate64. See ‘man 2 ftruncate64’ for more information.

Parameters:	fd (int) – fd length (off64_t) – length

pwnlib.shellcraft.arm.linux.futimesat(fd, file, tvp)[source]¶

Invokes the syscall futimesat. See ‘man 2 futimesat’ for more information.

Parameters:	fd (int) – fd file (char) – file tvp (timeval) – tvp

pwnlib.shellcraft.arm.linux.getcwd(buf, size)[source]¶

Invokes the syscall getcwd. See ‘man 2 getcwd’ for more information.

Parameters:	buf (char) – buf size (size_t) – size

pwnlib.shellcraft.arm.linux.getdents(fd, dirp, count)[source]¶

Invokes the syscall getdents. See ‘man 2 getdents’ for more information.

Parameters:	fd (int) – fd dirp (int) – dirp count (int) – count

pwnlib.shellcraft.arm.linux.getegid()[source]¶

Invokes the syscall getegid. See ‘man 2 getegid’ for more information.

Arguments:

pwnlib.shellcraft.arm.linux.geteuid()[source]¶

Invokes the syscall geteuid. See ‘man 2 geteuid’ for more information.

Arguments:

pwnlib.shellcraft.arm.linux.getgid()[source]¶

Invokes the syscall getgid. See ‘man 2 getgid’ for more information.

Arguments:

pwnlib.shellcraft.arm.linux.getgroups(size, list)[source]¶

Invokes the syscall getgroups. See ‘man 2 getgroups’ for more information.

Parameters:	size (int) – size list (gid_t) – list

pwnlib.shellcraft.arm.linux.getitimer(which, value)[source]¶

Invokes the syscall getitimer. See ‘man 2 getitimer’ for more information.

Parameters:	which (itimer_which_t) – which value (itimerval) – value

pwnlib.shellcraft.arm.linux.getpeername(fd, addr, length)[source]¶

Invokes the syscall getpeername. See ‘man 2 getpeername’ for more information.

Parameters:	fd (int) – fd addr (SOCKADDR_ARG) – addr len (socklen_t) – len

pwnlib.shellcraft.arm.linux.getpgid(pid)[source]¶

Invokes the syscall getpgid. See ‘man 2 getpgid’ for more information.

Parameters:	pid (pid_t) – pid

pwnlib.shellcraft.arm.linux.getpgrp()[source]¶

Invokes the syscall getpgrp. See ‘man 2 getpgrp’ for more information.

Arguments:

pwnlib.shellcraft.arm.linux.getpid()[source]¶

Invokes the syscall getpid. See ‘man 2 getpid’ for more information.

Arguments:

pwnlib.shellcraft.arm.linux.getpmsg(fildes, ctlptr, dataptr, bandp, flagsp)[source]¶

Invokes the syscall getpmsg. See ‘man 2 getpmsg’ for more information.

Parameters:	fildes (int) – fildes ctlptr (strbuf) – ctlptr dataptr (strbuf) – dataptr bandp (int) – bandp flagsp (int) – flagsp

pwnlib.shellcraft.arm.linux.getppid()[source]¶

Invokes the syscall getppid. See ‘man 2 getppid’ for more information.

Arguments:

pwnlib.shellcraft.arm.linux.getpriority(which, who)[source]¶

Invokes the syscall getpriority. See ‘man 2 getpriority’ for more information.

Parameters:	which (priority_which_t) – which who (id_t) – who

pwnlib.shellcraft.arm.linux.getresgid(rgid, egid, sgid)[source]¶

Invokes the syscall getresgid. See ‘man 2 getresgid’ for more information.

Parameters:	rgid (gid_t) – rgid egid (gid_t) – egid sgid (gid_t) – sgid

pwnlib.shellcraft.arm.linux.getresuid(ruid, euid, suid)[source]¶

Invokes the syscall getresuid. See ‘man 2 getresuid’ for more information.

Parameters:	ruid (uid_t) – ruid euid (uid_t) – euid suid (uid_t) – suid

pwnlib.shellcraft.arm.linux.getrlimit(resource, rlimits)[source]¶

Invokes the syscall getrlimit. See ‘man 2 getrlimit’ for more information.

Parameters:	resource (rlimit_resource_t) – resource rlimits (rlimit) – rlimits

pwnlib.shellcraft.arm.linux.getrusage(who, usage)[source]¶

Invokes the syscall getrusage. See ‘man 2 getrusage’ for more information.

Parameters:	who (rusage_who_t) – who usage (rusage) – usage

pwnlib.shellcraft.arm.linux.getsid(pid)[source]¶

Invokes the syscall getsid. See ‘man 2 getsid’ for more information.

Parameters:	pid (pid_t) – pid

pwnlib.shellcraft.arm.linux.getsockname(fd, addr, length)[source]¶

Invokes the syscall getsockname. See ‘man 2 getsockname’ for more information.

Parameters:	fd (int) – fd addr (SOCKADDR_ARG) – addr len (socklen_t) – len

pwnlib.shellcraft.arm.linux.getsockopt(fd, level, optname, optval, optlen)[source]¶

Invokes the syscall getsockopt. See ‘man 2 getsockopt’ for more information.

Parameters:	fd (int) – fd level (int) – level optname (int) – optname optval (void) – optval optlen (socklen_t) – optlen

pwnlib.shellcraft.arm.linux.gettimeofday(tv, tz)[source]¶

Invokes the syscall gettimeofday. See ‘man 2 gettimeofday’ for more information.

Parameters:	tv (timeval) – tv tz (timezone_ptr_t) – tz

pwnlib.shellcraft.arm.linux.getuid()[source]¶

Invokes the syscall getuid. See ‘man 2 getuid’ for more information.

Arguments:

pwnlib.shellcraft.arm.linux.gtty(fd, params)[source]¶

Invokes the syscall gtty. See ‘man 2 gtty’ for more information.

Parameters:	fd (int) – fd params (sgttyb) – params

pwnlib.shellcraft.arm.linux.ioctl(fd, request, vararg)[source]¶

Invokes the syscall ioctl. See ‘man 2 ioctl’ for more information.

Parameters:	fd (int) – fd request (unsigned) – request vararg (int) – vararg

pwnlib.shellcraft.arm.linux.ioperm(from_, num, turn_on)[source]¶

Invokes the syscall ioperm. See ‘man 2 ioperm’ for more information.

Parameters:	from (unsigned) – from num (unsigned) – num turn_on (int) – turn_on

pwnlib.shellcraft.arm.linux.iopl(level)[source]¶

Invokes the syscall iopl. See ‘man 2 iopl’ for more information.

Parameters:	level (int) – level

pwnlib.shellcraft.arm.linux.kill(pid, sig)[source]¶

Invokes the syscall kill. See ‘man 2 kill’ for more information.

Parameters:	pid (pid_t) – pid sig (int) – sig

pwnlib.shellcraft.arm.linux.killparent()[source]¶: Kills its parent process until whatever the parent is (probably init) cannot be killed any longer.

pwnlib.shellcraft.arm.linux.lchown(file, owner, group)[source]¶

Invokes the syscall lchown. See ‘man 2 lchown’ for more information.

Parameters:	file (char) – file owner (uid_t) – owner group (gid_t) – group

pwnlib.shellcraft.arm.linux.link(from_, to)[source]¶

Invokes the syscall link. See ‘man 2 link’ for more information.

Parameters:	from (char) – from to (char) – to

pwnlib.shellcraft.arm.linux.linkat(fromfd, from_, tofd, to, flags)[source]¶

Invokes the syscall linkat. See ‘man 2 linkat’ for more information.

Parameters:	fromfd (int) – fromfd from (char) – from tofd (int) – tofd to (char) – to flags (int) – flags

pwnlib.shellcraft.arm.linux.listen(fd, n)[source]¶

Invokes the syscall listen. See ‘man 2 listen’ for more information.

Parameters:	fd (int) – fd n (int) – n

pwnlib.shellcraft.arm.linux.lseek(fd, offset, whence)[source]¶

Invokes the syscall lseek. See ‘man 2 lseek’ for more information.

Parameters:	fd (int) – fd offset (off_t) – offset whence (int) – whence

pwnlib.shellcraft.arm.linux.lstat(file, buf)[source]¶

Invokes the syscall lstat. See ‘man 2 lstat’ for more information.

Parameters:	file (char) – file buf (stat) – buf

pwnlib.shellcraft.arm.linux.lstat64(file, buf)[source]¶

Invokes the syscall lstat64. See ‘man 2 lstat64’ for more information.

Parameters:	file (char) – file buf (stat64) – buf

pwnlib.shellcraft.arm.linux.madvise(addr, length, advice)[source]¶

Invokes the syscall madvise. See ‘man 2 madvise’ for more information.

Parameters:	addr (void) – addr len (size_t) – len advice (int) – advice

pwnlib.shellcraft.arm.linux.mincore(start, length, vec)[source]¶

Invokes the syscall mincore. See ‘man 2 mincore’ for more information.

Parameters:	start (void) – start len (size_t) – len vec (unsigned) – vec

pwnlib.shellcraft.arm.linux.mkdir(path, mode)[source]¶

Invokes the syscall mkdir. See ‘man 2 mkdir’ for more information.

Parameters:	path (char) – path mode (mode_t) – mode

pwnlib.shellcraft.arm.linux.mkdirat(fd, path, mode)[source]¶

Invokes the syscall mkdirat. See ‘man 2 mkdirat’ for more information.

Parameters:	fd (int) – fd path (char) – path mode (mode_t) – mode

pwnlib.shellcraft.arm.linux.mknod(path, mode, dev)[source]¶

Invokes the syscall mknod. See ‘man 2 mknod’ for more information.

Parameters:	path (char) – path mode (mode_t) – mode dev (dev_t) – dev

pwnlib.shellcraft.arm.linux.mknodat(fd, path, mode, dev)[source]¶

Invokes the syscall mknodat. See ‘man 2 mknodat’ for more information.

Parameters:	fd (int) – fd path (char) – path mode (mode_t) – mode dev (dev_t) – dev

pwnlib.shellcraft.arm.linux.mlock(addr, length)[source]¶

Invokes the syscall mlock. See ‘man 2 mlock’ for more information.

Parameters:	addr (void) – addr len (size_t) – len

pwnlib.shellcraft.arm.linux.mlockall(flags)[source]¶

Invokes the syscall mlockall. See ‘man 2 mlockall’ for more information.

Parameters:	flags (int) – flags

pwnlib.shellcraft.arm.linux.mmap(addr=0, length=4096, prot=7, flags=34, fd=-1, offset=0)[source]¶

Invokes the syscall mmap. See ‘man 2 mmap’ for more information.

Parameters:	addr (void) – addr length (size_t) – length prot (int) – prot flags (int) – flags fd (int) – fd offset (off_t) – offset

pwnlib.shellcraft.arm.linux.mprotect(addr, length, prot)[source]¶

Invokes the syscall mprotect. See ‘man 2 mprotect’ for more information.

Parameters:	addr (void) – addr length (size_t) – length prot (int) – prot

pwnlib.shellcraft.arm.linux.mq_notify(mqdes, notification)[source]¶

Invokes the syscall mq_notify. See ‘man 2 mq_notify’ for more information.

Parameters:	mqdes (mqd_t) – mqdes notification (sigevent) – notification

pwnlib.shellcraft.arm.linux.mq_open(name, oflag, vararg)[source]¶

Invokes the syscall mq_open. See ‘man 2 mq_open’ for more information.

Parameters:	name (char) – name oflag (int) – oflag vararg (int) – vararg

pwnlib.shellcraft.arm.linux.mq_timedreceive(mqdes, msg_ptr, msg_len, msg_prio, abs_timeout)[source]¶

Invokes the syscall mq_timedreceive. See ‘man 2 mq_timedreceive’ for more information.

Parameters:	mqdes (mqd_t) – mqdes msg_ptr (char) – msg_ptr msg_len (size_t) – msg_len msg_prio (unsigned) – msg_prio abs_timeout (timespec) – abs_timeout

pwnlib.shellcraft.arm.linux.mq_timedsend(mqdes, msg_ptr, msg_len, msg_prio, abs_timeout)[source]¶

Invokes the syscall mq_timedsend. See ‘man 2 mq_timedsend’ for more information.

Parameters:	mqdes (mqd_t) – mqdes msg_ptr (char) – msg_ptr msg_len (size_t) – msg_len msg_prio (unsigned) – msg_prio abs_timeout (timespec) – abs_timeout

pwnlib.shellcraft.arm.linux.mq_unlink(name)[source]¶

Invokes the syscall mq_unlink. See ‘man 2 mq_unlink’ for more information.

Parameters:	name (char) – name

pwnlib.shellcraft.arm.linux.mremap(addr, old_len, new_len, flags, vararg)[source]¶

Invokes the syscall mremap. See ‘man 2 mremap’ for more information.

Parameters:	addr (void) – addr old_len (size_t) – old_len new_len (size_t) – new_len flags (int) – flags vararg (int) – vararg

pwnlib.shellcraft.arm.linux.msync(addr, length, flags)[source]¶

Invokes the syscall msync. See ‘man 2 msync’ for more information.

Parameters:	addr (void) – addr len (size_t) – len flags (int) – flags

pwnlib.shellcraft.arm.linux.munlock(addr, length)[source]¶

Invokes the syscall munlock. See ‘man 2 munlock’ for more information.

Parameters:	addr (void) – addr len (size_t) – len

pwnlib.shellcraft.arm.linux.munlockall()[source]¶

Invokes the syscall munlockall. See ‘man 2 munlockall’ for more information.

Arguments:

pwnlib.shellcraft.arm.linux.munmap(addr, length)[source]¶

Invokes the syscall munmap. See ‘man 2 munmap’ for more information.

Parameters:	addr (void) – addr length (size_t) – length

pwnlib.shellcraft.arm.linux.nanosleep(requested_time, remaining)[source]¶

Invokes the syscall nanosleep. See ‘man 2 nanosleep’ for more information.

Parameters:	requested_time (timespec) – requested_time remaining (timespec) – remaining

pwnlib.shellcraft.arm.linux.nice(inc)[source]¶

Invokes the syscall nice. See ‘man 2 nice’ for more information.

Parameters:	inc (int) – inc

pwnlib.shellcraft.arm.linux.open(file, oflag, vararg)[source]¶

Invokes the syscall open. See ‘man 2 open’ for more information.

Parameters:	file (char) – file oflag (int) – oflag vararg (int) – vararg

pwnlib.shellcraft.arm.linux.open_file(filepath, flags='O_RDONLY', mode=420)[source]¶

Opens a file. Leaves the file descriptor in r0.

Parameters:	filepath (str) – The file to open. flags (int/str) – The flags to call open with. mode (int/str) – The attribute to create the flag. Only matters of `flags & O_CREAT` is set.

pwnlib.shellcraft.arm.linux.openat(fd, file, oflag, vararg)[source]¶

Invokes the syscall openat. See ‘man 2 openat’ for more information.

Parameters:	fd (int) – fd file (char) – file oflag (int) – oflag vararg (int) – vararg

pwnlib.shellcraft.arm.linux.pause()[source]¶

Invokes the syscall pause. See ‘man 2 pause’ for more information.

Arguments:

pwnlib.shellcraft.arm.linux.pipe(pipedes)[source]¶

Invokes the syscall pipe. See ‘man 2 pipe’ for more information.

Parameters:	pipedes (int) – pipedes

pwnlib.shellcraft.arm.linux.pipe2(pipedes, flags)[source]¶

Invokes the syscall pipe2. See ‘man 2 pipe2’ for more information.

Parameters:	pipedes (int) – pipedes flags (int) – flags

pwnlib.shellcraft.arm.linux.poll(fds, nfds, timeout)[source]¶

Invokes the syscall poll. See ‘man 2 poll’ for more information.

Parameters:	fds (pollfd) – fds nfds (nfds_t) – nfds timeout (int) – timeout

pwnlib.shellcraft.arm.linux.ppoll(fds, nfds, timeout, ss)[source]¶

Invokes the syscall ppoll. See ‘man 2 ppoll’ for more information.

Parameters:	fds (pollfd) – fds nfds (nfds_t) – nfds timeout (timespec) – timeout ss (sigset_t) – ss

pwnlib.shellcraft.arm.linux.prctl(option, *vararg)[source]¶

Invokes the syscall prctl. See ‘man 2 prctl’ for more information.

Parameters:	option (int) – option vararg (int) – vararg

pwnlib.shellcraft.arm.linux.pread(fd, buf, nbytes, offset)[source]¶

Invokes the syscall pread. See ‘man 2 pread’ for more information.

Parameters:	fd (int) – fd buf (void) – buf nbytes (size_t) – nbytes offset (off_t) – offset

pwnlib.shellcraft.arm.linux.preadv(fd, iovec, count, offset)[source]¶

Invokes the syscall preadv. See ‘man 2 preadv’ for more information.

Parameters:	fd (int) – fd iovec (iovec) – iovec count (int) – count offset (off_t) – offset

pwnlib.shellcraft.arm.linux.prlimit64(pid, resource, new_limit, old_limit)[source]¶

Invokes the syscall prlimit64. See ‘man 2 prlimit64’ for more information.

Parameters:	pid (pid_t) – pid resource (rlimit_resource) – resource new_limit (rlimit64) – new_limit old_limit (rlimit64) – old_limit

pwnlib.shellcraft.arm.linux.profil(sample_buffer, size, offset, scale)[source]¶

Invokes the syscall profil. See ‘man 2 profil’ for more information.

Parameters:	sample_buffer (unsigned) – sample_buffer size (size_t) – size offset (size_t) – offset scale (unsigned) – scale

pwnlib.shellcraft.arm.linux.ptrace(request, *vararg)[source]¶

Invokes the syscall ptrace. See ‘man 2 ptrace’ for more information.

Parameters:	request (ptrace_request) – request vararg (int) – vararg

pwnlib.shellcraft.arm.linux.putpmsg(fildes, ctlptr, dataptr, band, flags)[source]¶

Invokes the syscall putpmsg. See ‘man 2 putpmsg’ for more information.

Parameters:	fildes (int) – fildes ctlptr (strbuf) – ctlptr dataptr (strbuf) – dataptr band (int) – band flags (int) – flags

pwnlib.shellcraft.arm.linux.pwrite(fd, buf, n, offset)[source]¶

Invokes the syscall pwrite. See ‘man 2 pwrite’ for more information.

Parameters:	fd (int) – fd buf (void) – buf n (size_t) – n offset (off_t) – offset

pwnlib.shellcraft.arm.linux.pwritev(fd, iovec, count, offset)[source]¶

Invokes the syscall pwritev. See ‘man 2 pwritev’ for more information.

Parameters:	fd (int) – fd iovec (iovec) – iovec count (int) – count offset (off_t) – offset

pwnlib.shellcraft.arm.linux.read(fd, buf, nbytes)[source]¶

Invokes the syscall read. See ‘man 2 read’ for more information.

Parameters:	fd (int) – fd buf (void) – buf nbytes (size_t) – nbytes

pwnlib.shellcraft.arm.linux.readahead(fd, offset, count)[source]¶

Invokes the syscall readahead. See ‘man 2 readahead’ for more information.

Parameters:	fd (int) – fd offset (off64_t) – offset count (size_t) – count

pwnlib.shellcraft.arm.linux.readdir(dirp)[source]¶

Invokes the syscall readdir. See ‘man 2 readdir’ for more information.

Parameters:	dirp (DIR) – dirp

pwnlib.shellcraft.arm.linux.readlink(path, buf, length)[source]¶

Invokes the syscall readlink. See ‘man 2 readlink’ for more information.

Parameters:	path (char) – path buf (char) – buf len (size_t) – len

pwnlib.shellcraft.arm.linux.readlinkat(fd, path, buf, length)[source]¶

Invokes the syscall readlinkat. See ‘man 2 readlinkat’ for more information.

Parameters:	fd (int) – fd path (char) – path buf (char) – buf len (size_t) – len

pwnlib.shellcraft.arm.linux.readv(fd, iovec, count)[source]¶

Invokes the syscall readv. See ‘man 2 readv’ for more information.

Parameters:	fd (int) – fd iovec (iovec) – iovec count (int) – count

pwnlib.shellcraft.arm.linux.recv(fd, buf, n, flags)[source]¶

Invokes the syscall recv. See ‘man 2 recv’ for more information.

Parameters:	fd (int) – fd buf (void) – buf n (size_t) – n flags (int) – flags

pwnlib.shellcraft.arm.linux.recvfrom(fd, buf, n, flags, addr, addr_len)[source]¶

Invokes the syscall recvfrom. See ‘man 2 recvfrom’ for more information.

Parameters:	fd (int) – fd buf (void) – buf n (size_t) – n flags (int) – flags addr (SOCKADDR_ARG) – addr addr_len (socklen_t) – addr_len

pwnlib.shellcraft.arm.linux.recvmmsg(fd, vmessages, vlen, flags, tmo)[source]¶

Invokes the syscall recvmmsg. See ‘man 2 recvmmsg’ for more information.

Parameters:	fd (int) – fd vmessages (mmsghdr) – vmessages vlen (unsigned) – vlen flags (int) – flags tmo (timespec) – tmo

pwnlib.shellcraft.arm.linux.recvmsg(fd, message, flags)[source]¶

Invokes the syscall recvmsg. See ‘man 2 recvmsg’ for more information.

Parameters:	fd (int) – fd message (msghdr) – message flags (int) – flags

pwnlib.shellcraft.arm.linux.remap_file_pages(start, size, prot, pgoff, flags)[source]¶

Invokes the syscall remap_file_pages. See ‘man 2 remap_file_pages’ for more information.

Parameters:	start (void) – start size (size_t) – size prot (int) – prot pgoff (size_t) – pgoff flags (int) – flags

pwnlib.shellcraft.arm.linux.rename(old, new)[source]¶

Invokes the syscall rename. See ‘man 2 rename’ for more information.

Parameters:	old (char) – old new (char) – new

pwnlib.shellcraft.arm.linux.renameat(oldfd, old, newfd, new)[source]¶

Invokes the syscall renameat. See ‘man 2 renameat’ for more information.

Parameters:	oldfd (int) – oldfd old (char) – old newfd (int) – newfd new (char) – new

pwnlib.shellcraft.arm.linux.rmdir(path)[source]¶

Invokes the syscall rmdir. See ‘man 2 rmdir’ for more information.

Parameters:	path (char) – path

pwnlib.shellcraft.arm.linux.sched_get_priority_max(algorithm)[source]¶

Invokes the syscall sched_get_priority_max. See ‘man 2 sched_get_priority_max’ for more information.

Parameters:	algorithm (int) – algorithm

pwnlib.shellcraft.arm.linux.sched_get_priority_min(algorithm)[source]¶

Invokes the syscall sched_get_priority_min. See ‘man 2 sched_get_priority_min’ for more information.

Parameters:	algorithm (int) – algorithm

pwnlib.shellcraft.arm.linux.sched_getaffinity(pid, cpusetsize, cpuset)[source]¶

Invokes the syscall sched_getaffinity. See ‘man 2 sched_getaffinity’ for more information.

Parameters:	pid (pid_t) – pid cpusetsize (size_t) – cpusetsize cpuset (cpu_set_t) – cpuset

pwnlib.shellcraft.arm.linux.sched_getparam(pid, param)[source]¶

Invokes the syscall sched_getparam. See ‘man 2 sched_getparam’ for more information.

Parameters:	pid (pid_t) – pid param (sched_param) – param

pwnlib.shellcraft.arm.linux.sched_getscheduler(pid)[source]¶

Invokes the syscall sched_getscheduler. See ‘man 2 sched_getscheduler’ for more information.

Parameters:	pid (pid_t) – pid

pwnlib.shellcraft.arm.linux.sched_rr_get_interval(pid, t)[source]¶

Invokes the syscall sched_rr_get_interval. See ‘man 2 sched_rr_get_interval’ for more information.

Parameters:	pid (pid_t) – pid t (timespec) – t

pwnlib.shellcraft.arm.linux.sched_setaffinity(pid, cpusetsize, cpuset)[source]¶

Invokes the syscall sched_setaffinity. See ‘man 2 sched_setaffinity’ for more information.

Parameters:	pid (pid_t) – pid cpusetsize (size_t) – cpusetsize cpuset (cpu_set_t) – cpuset

pwnlib.shellcraft.arm.linux.sched_setparam(pid, param)[source]¶

Invokes the syscall sched_setparam. See ‘man 2 sched_setparam’ for more information.

Parameters:	pid (pid_t) – pid param (sched_param) – param

pwnlib.shellcraft.arm.linux.sched_setscheduler(pid, policy, param)[source]¶

Invokes the syscall sched_setscheduler. See ‘man 2 sched_setscheduler’ for more information.

Parameters:	pid (pid_t) – pid policy (int) – policy param (sched_param) – param

pwnlib.shellcraft.arm.linux.sched_yield()[source]¶

Invokes the syscall sched_yield. See ‘man 2 sched_yield’ for more information.

Arguments:

pwnlib.shellcraft.arm.linux.select(nfds, readfds, writefds, exceptfds, timeout)[source]¶

Invokes the syscall select. See ‘man 2 select’ for more information.

Parameters:	nfds (int) – nfds readfds (fd_set) – readfds writefds (fd_set) – writefds exceptfds (fd_set) – exceptfds timeout (timeval) – timeout

pwnlib.shellcraft.arm.linux.sendfile(out_fd, in_fd, offset, count)[source]¶

Invokes the syscall sendfile. See ‘man 2 sendfile’ for more information.

Parameters:	out_fd (int) – out_fd in_fd (int) – in_fd offset (off_t) – offset count (size_t) – count

pwnlib.shellcraft.arm.linux.sendfile64(out_fd, in_fd, offset, count)[source]¶

Invokes the syscall sendfile64. See ‘man 2 sendfile64’ for more information.

Parameters:	out_fd (int) – out_fd in_fd (int) – in_fd offset (off64_t) – offset count (size_t) – count

pwnlib.shellcraft.arm.linux.setdomainname(name, length)[source]¶

Invokes the syscall setdomainname. See ‘man 2 setdomainname’ for more information.

Parameters:	name (char) – name len (size_t) – len

pwnlib.shellcraft.arm.linux.setgid(gid)[source]¶

Invokes the syscall setgid. See ‘man 2 setgid’ for more information.

Parameters:	gid (gid_t) – gid

pwnlib.shellcraft.arm.linux.setgroups(n, groups)[source]¶

Invokes the syscall setgroups. See ‘man 2 setgroups’ for more information.

Parameters:	n (size_t) – n groups (gid_t) – groups

pwnlib.shellcraft.arm.linux.sethostname(name, length)[source]¶

Invokes the syscall sethostname. See ‘man 2 sethostname’ for more information.

Parameters:	name (char) – name len (size_t) – len

pwnlib.shellcraft.arm.linux.setitimer(which, new, old)[source]¶

Invokes the syscall setitimer. See ‘man 2 setitimer’ for more information.

Parameters:	which (itimer_which_t) – which new (itimerval) – new old (itimerval) – old

pwnlib.shellcraft.arm.linux.setpgid(pid, pgid)[source]¶

Invokes the syscall setpgid. See ‘man 2 setpgid’ for more information.

Parameters:	pid (pid_t) – pid pgid (pid_t) – pgid

pwnlib.shellcraft.arm.linux.setpriority(which, who, prio)[source]¶

Invokes the syscall setpriority. See ‘man 2 setpriority’ for more information.

Parameters:	which (priority_which_t) – which who (id_t) – who prio (int) – prio

pwnlib.shellcraft.arm.linux.setregid(rgid, egid)[source]¶

Invokes the syscall setregid. See ‘man 2 setregid’ for more information.

Parameters:	rgid (gid_t) – rgid egid (gid_t) – egid

pwnlib.shellcraft.arm.linux.setresgid(rgid, egid, sgid)[source]¶

Invokes the syscall setresgid. See ‘man 2 setresgid’ for more information.

Parameters:	rgid (gid_t) – rgid egid (gid_t) – egid sgid (gid_t) – sgid

pwnlib.shellcraft.arm.linux.setresuid(ruid, euid, suid)[source]¶

Invokes the syscall setresuid. See ‘man 2 setresuid’ for more information.

Parameters:	ruid (uid_t) – ruid euid (uid_t) – euid suid (uid_t) – suid

pwnlib.shellcraft.arm.linux.setreuid(ruid, euid)[source]¶

Invokes the syscall setreuid. See ‘man 2 setreuid’ for more information.

Parameters:	ruid (uid_t) – ruid euid (uid_t) – euid

pwnlib.shellcraft.arm.linux.setrlimit(resource, rlimits)[source]¶

Invokes the syscall setrlimit. See ‘man 2 setrlimit’ for more information.

Parameters:	resource (rlimit_resource_t) – resource rlimits (rlimit) – rlimits

pwnlib.shellcraft.arm.linux.setsid()[source]¶

Invokes the syscall setsid. See ‘man 2 setsid’ for more information.

Arguments:

pwnlib.shellcraft.arm.linux.setsockopt(sockfd, level, optname, optval, optlen)[source]¶

Invokes the syscall setsockopt. See ‘man 2 setsockopt’ for more information.

Parameters:	sockfd (int) – sockfd level (int) – level optname (int) – optname optval (void) – optval optlen (int) – optlen

pwnlib.shellcraft.arm.linux.setsockopt_timeout(sock, secs)[source]¶

Invokes the syscall for setsockopt with specified timeout. See ‘man 2 setsockopt’ for more information.

Parameters:	sock (int) – sock secs (int) – secs

pwnlib.shellcraft.arm.linux.settimeofday(tv, tz)[source]¶

Invokes the syscall settimeofday. See ‘man 2 settimeofday’ for more information.

Parameters:	tv (timeval) – tv tz (timezone) – tz

pwnlib.shellcraft.arm.linux.setuid(uid)[source]¶

Invokes the syscall setuid. See ‘man 2 setuid’ for more information.

Parameters:	uid (uid_t) – uid

pwnlib.shellcraft.arm.linux.sh()[source]¶

Execute a different process.

>>> p = run_assembly(shellcraft.arm.linux.sh())
>>> p.sendline('echo Hello')
>>> p.recv()
'Hello\n'

pwnlib.shellcraft.arm.linux.sigaction(sig, act, oact)[source]¶

Invokes the syscall sigaction. See ‘man 2 sigaction’ for more information.

Parameters:	sig (int) – sig act (sigaction) – act oact (sigaction) – oact

pwnlib.shellcraft.arm.linux.sigaltstack(ss, oss)[source]¶

Invokes the syscall sigaltstack. See ‘man 2 sigaltstack’ for more information.

Parameters:	ss (sigaltstack) – ss oss (sigaltstack) – oss

pwnlib.shellcraft.arm.linux.signal(sig, handler)[source]¶

Invokes the syscall signal. See ‘man 2 signal’ for more information.

Parameters:	sig (int) – sig handler (sighandler_t) – handler

pwnlib.shellcraft.arm.linux.sigpending(set)[source]¶

Invokes the syscall sigpending. See ‘man 2 sigpending’ for more information.

Parameters:	set (sigset_t) – set

pwnlib.shellcraft.arm.linux.sigprocmask(how, set, oset)[source]¶

Invokes the syscall sigprocmask. See ‘man 2 sigprocmask’ for more information.

Parameters:	how (int) – how set (sigset_t) – set oset (sigset_t) – oset

pwnlib.shellcraft.arm.linux.sigreturn()[source]¶: Invokes the syscall sigreturn. See ‘man 2 sigreturn’ for more information.

pwnlib.shellcraft.arm.linux.sigsuspend(set)[source]¶

Invokes the syscall sigsuspend. See ‘man 2 sigsuspend’ for more information.

Parameters:	set (sigset_t) – set

pwnlib.shellcraft.arm.linux.splice(fdin, offin, fdout, offout, length, flags)[source]¶

Invokes the syscall splice. See ‘man 2 splice’ for more information.

Parameters:	fdin (int) – fdin offin (off64_t) – offin fdout (int) – fdout offout (off64_t) – offout len (size_t) – len flags (unsigned) – flags

pwnlib.shellcraft.arm.linux.stat(file, buf)[source]¶

Invokes the syscall stat. See ‘man 2 stat’ for more information.

Parameters:	file (char) – file buf (stat) – buf

pwnlib.shellcraft.arm.linux.stat64(file, buf)[source]¶

Invokes the syscall stat64. See ‘man 2 stat64’ for more information.

Parameters:	file (char) – file buf (stat64) – buf

pwnlib.shellcraft.arm.linux.stime(when)[source]¶

Invokes the syscall stime. See ‘man 2 stime’ for more information.

Parameters:	when (time_t) – when

pwnlib.shellcraft.arm.linux.stty(fd, params)[source]¶

Invokes the syscall stty. See ‘man 2 stty’ for more information.

Parameters:	fd (int) – fd params (sgttyb) – params

pwnlib.shellcraft.arm.linux.symlink(from_, to)[source]¶

Invokes the syscall symlink. See ‘man 2 symlink’ for more information.

Parameters:	from (char) – from to (char) – to

pwnlib.shellcraft.arm.linux.symlinkat(from_, tofd, to)[source]¶

Invokes the syscall symlinkat. See ‘man 2 symlinkat’ for more information.

Parameters:	from (char) – from tofd (int) – tofd to (char) – to

pwnlib.shellcraft.arm.linux.sync()[source]¶

Invokes the syscall sync. See ‘man 2 sync’ for more information.

Arguments:

pwnlib.shellcraft.arm.linux.sync_file_range(fd, offset, count, flags)[source]¶

Invokes the syscall sync_file_range. See ‘man 2 sync_file_range’ for more information.

Parameters:	fd (int) – fd offset (off64_t) – offset count (off64_t) – count flags (unsigned) – flags

pwnlib.shellcraft.arm.linux.syscall(syscall=None, arg0=None, arg1=None, arg2=None, arg3=None, arg4=None, arg5=None, arg6=None)[source]¶

Args: [syscall_number, *args]: Does a syscall

Any of the arguments can be expressions to be evaluated by pwnlib.constants.eval().

Example

>>> print shellcraft.arm.linux.syscall(11, 1, 'sp', 2, 0).rstrip()
    /* call syscall(11, 1, 'sp', 2, 0) */
    mov  r0, #1
    mov  r1, sp
    mov  r2, #2
    eor  r3, r3 /* 0 (#0) */
    mov  r7, #0xb
    svc  0
>>> print shellcraft.arm.linux.syscall('SYS_exit', 0).rstrip()
    /* call exit(0) */
    eor  r0, r0 /* 0 (#0) */
    mov  r7, #(SYS_exit) /* 1 */
    svc  0

pwnlib.shellcraft.arm.linux.syslog(pri, fmt, vararg)[source]¶

Invokes the syscall syslog. See ‘man 2 syslog’ for more information.

Parameters:	pri (int) – pri fmt (char) – fmt vararg (int) – vararg

pwnlib.shellcraft.arm.linux.tee(fdin, fdout, length, flags)[source]¶

Invokes the syscall tee. See ‘man 2 tee’ for more information.

Parameters:	fdin (int) – fdin fdout (int) – fdout len (size_t) – len flags (unsigned) – flags

pwnlib.shellcraft.arm.linux.time(timer)[source]¶

Invokes the syscall time. See ‘man 2 time’ for more information.

Parameters:	timer (time_t) – timer

pwnlib.shellcraft.arm.linux.timer_create(clock_id, evp, timerid)[source]¶

Invokes the syscall timer_create. See ‘man 2 timer_create’ for more information.

Parameters:	clock_id (clockid_t) – clock_id evp (sigevent) – evp timerid (timer_t) – timerid

pwnlib.shellcraft.arm.linux.timer_delete(timerid)[source]¶

Invokes the syscall timer_delete. See ‘man 2 timer_delete’ for more information.

Parameters:	timerid (timer_t) – timerid

pwnlib.shellcraft.arm.linux.timer_getoverrun(timerid)[source]¶

Invokes the syscall timer_getoverrun. See ‘man 2 timer_getoverrun’ for more information.

Parameters:	timerid (timer_t) – timerid

pwnlib.shellcraft.arm.linux.timer_gettime(timerid, value)[source]¶

Invokes the syscall timer_gettime. See ‘man 2 timer_gettime’ for more information.

Parameters:	timerid (timer_t) – timerid value (itimerspec) – value

pwnlib.shellcraft.arm.linux.timer_settime(timerid, flags, value, ovalue)[source]¶

Invokes the syscall timer_settime. See ‘man 2 timer_settime’ for more information.

Parameters:	timerid (timer_t) – timerid flags (int) – flags value (itimerspec) – value ovalue (itimerspec) – ovalue

pwnlib.shellcraft.arm.linux.truncate(file, length)[source]¶

Invokes the syscall truncate. See ‘man 2 truncate’ for more information.

Parameters:	file (char) – file length (off_t) – length

pwnlib.shellcraft.arm.linux.truncate64(file, length)[source]¶

Invokes the syscall truncate64. See ‘man 2 truncate64’ for more information.

Parameters:	file (char) – file length (off64_t) – length

pwnlib.shellcraft.arm.linux.ulimit(cmd, vararg)[source]¶

Invokes the syscall ulimit. See ‘man 2 ulimit’ for more information.

Parameters:	cmd (int) – cmd vararg (int) – vararg

pwnlib.shellcraft.arm.linux.umask(mask)[source]¶

Invokes the syscall umask. See ‘man 2 umask’ for more information.

Parameters:	mask (mode_t) – mask

pwnlib.shellcraft.arm.linux.uname(name)[source]¶

Invokes the syscall uname. See ‘man 2 uname’ for more information.

Parameters:	name (utsname) – name

pwnlib.shellcraft.arm.linux.unlink(name)[source]¶

Invokes the syscall unlink. See ‘man 2 unlink’ for more information.

Parameters:	name (char) – name

pwnlib.shellcraft.arm.linux.unlinkat(fd, name, flag)[source]¶

Invokes the syscall unlinkat. See ‘man 2 unlinkat’ for more information.

Parameters:	fd (int) – fd name (char) – name flag (int) – flag

pwnlib.shellcraft.arm.linux.unshare(flags)[source]¶

Invokes the syscall unshare. See ‘man 2 unshare’ for more information.

Parameters:	flags (int) – flags

pwnlib.shellcraft.arm.linux.ustat(dev, ubuf)[source]¶

Invokes the syscall ustat. See ‘man 2 ustat’ for more information.

Parameters:	dev (dev_t) – dev ubuf (ustat) – ubuf

pwnlib.shellcraft.arm.linux.utime(file, file_times)[source]¶

Invokes the syscall utime. See ‘man 2 utime’ for more information.

Parameters:	file (char) – file file_times (utimbuf) – file_times

pwnlib.shellcraft.arm.linux.utimensat(fd, path, times, flags)[source]¶

Invokes the syscall utimensat. See ‘man 2 utimensat’ for more information.

Parameters:	fd (int) – fd path (char) – path times (timespec) – times flags (int) – flags

pwnlib.shellcraft.arm.linux.utimes(file, tvp)[source]¶

Invokes the syscall utimes. See ‘man 2 utimes’ for more information.

Parameters:	file (char) – file tvp (timeval) – tvp

pwnlib.shellcraft.arm.linux.vfork()[source]¶

Invokes the syscall vfork. See ‘man 2 vfork’ for more information.

Arguments:

pwnlib.shellcraft.arm.linux.vhangup()[source]¶

Invokes the syscall vhangup. See ‘man 2 vhangup’ for more information.

Arguments:

pwnlib.shellcraft.arm.linux.vmsplice(fdout, iov, count, flags)[source]¶

Invokes the syscall vmsplice. See ‘man 2 vmsplice’ for more information.

Parameters:	fdout (int) – fdout iov (iovec) – iov count (size_t) – count flags (unsigned) – flags

pwnlib.shellcraft.arm.linux.wait4(pid, stat_loc, options, usage)[source]¶

Invokes the syscall wait4. See ‘man 2 wait4’ for more information.

Parameters:	pid (pid_t) – pid stat_loc (WAIT_STATUS) – stat_loc options (int) – options usage (rusage) – usage

pwnlib.shellcraft.arm.linux.waitid(idtype, id, infop, options)[source]¶

Invokes the syscall waitid. See ‘man 2 waitid’ for more information.

Parameters:	idtype (idtype_t) – idtype id (id_t) – id infop (siginfo_t) – infop options (int) – options

pwnlib.shellcraft.arm.linux.waitpid(pid, stat_loc, options)[source]¶

Invokes the syscall waitpid. See ‘man 2 waitpid’ for more information.

Parameters:	pid (pid_t) – pid stat_loc (int) – stat_loc options (int) – options

pwnlib.shellcraft.arm.linux.write(fd, buf, n)[source]¶

Invokes the syscall write. See ‘man 2 write’ for more information.

Parameters:	fd (int) – fd buf (void) – buf n (size_t) – n

pwnlib.shellcraft.arm.linux.writev(fd, iovec, count)[source]¶

Invokes the syscall writev. See ‘man 2 writev’ for more information.

Parameters:	fd (int) – fd iovec (iovec) – iovec count (int) – count

pwnlib.shellcraft.arm — Shellcode for ARM¶