Gallopsled · crclark96 · Jan 3, 2018 · Jan 4, 2018 · Jan 25, 2018 · Jan 25, 2018
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -66,6 +66,28 @@ To be released on Mar 31, 2018.
 [5fdc08]: https://github.com/Gallopsled/pwntools/commit/5fdc08
 [63dfed]: https://github.com/Gallopsled/pwntools/commit/63dfed
 
+## 3.12.1
+
+- [#1159][1159] Fix check for `/proc/.../status`
+- [#1162][1162] Fix broken package versions
+- [#1150][1150] Fix exception raised when a cache file is missing
+- [#1156][1156] Fix ROP gadget selection logic involving `int` and `syscall` instructions
+- [#1152][1152] Fix QEMU LD_PREFIX calculation (wrong parameter passed)
+- [#1155][1155] Use Ubuntu Trusty for all CI builds
+- [#1131][1131] Add "libc-" to libc prefixes in `process` tubes
+- [#1125][1125] Fix a typo
+- [#1121][1121] Fix tests which were broken by an upstream Sphinx change
+
+[1159]: https://github.com/Gallopsled/pwntools/pull/1159
+[1162]: https://github.com/Gallopsled/pwntools/pull/1162
+[1150]: https://github.com/Gallopsled/pwntools/pull/1150
+[1156]: https://github.com/Gallopsled/pwntools/pull/1156
+[1152]: https://github.com/Gallopsled/pwntools/pull/1152
+[1155]: https://github.com/Gallopsled/pwntools/pull/1155
+[1131]: https://github.com/Gallopsled/pwntools/pull/1131
+[1125]: https://github.com/Gallopsled/pwntools/pull/1125
+[1121]: https://github.com/Gallopsled/pwntools/pull/1121
+
 ## 3.12.0
 
 - [#1083][1083] Better error messages for `gdb` when `LD_PRELOAD` is incorrect

diff --git a/docs/dashbuild.py b/docs/dashbuild.py
@@ -44,7 +44,7 @@ def main(args):
 		doc2dash.__main__.main.main( \
 			[ os.path.join(dstdir, "html"), "-d", dstdir, "-n", name, \
 					"-f", "-I", "index.html"], "doc2dash", False)
-	except SystemExit,e:
+	except SystemExit as e:
 		pass
 
 	# Insert a link to the online version.

diff --git a/pwnlib/abi.py b/pwnlib/abi.py
@@ -1,5 +1,6 @@
 # -*- coding: utf-8 -*-
 from __future__ import absolute_import
+from __future__ import division
 
 from pwnlib.context import LocalContext
 from pwnlib.context import context

diff --git a/pwnlib/adb/__init__.py b/pwnlib/adb/__init__.py
@@ -2,3 +2,5 @@
 
 from pwnlib.adb.adb import *
 from pwnlib.adb.protocol import Client
+from pwnlib.adb.bootimg import BootImage
+from pwnlib.adb.bootloader import BootloaderImage
diff --git a/pwnlib/adb/adb.py b/pwnlib/adb/adb.py
@@ -46,6 +46,7 @@
 
 """
 from __future__ import absolute_import
+from __future__ import division
 
 import functools
 import glob
@@ -881,9 +882,16 @@ def logcat(stream=False):
 def pidof(name):
     """Returns a list of PIDs for the named process."""
     with context.quiet:
-        io = process(['pidof', name])
-        data = io.recvall().split()
-    return list(map(int, data))
+        # Older devices have a broken 'pidof', apparently.
+        # Try pgrep first.
+        io = process(['pgrep', name])
+        data = io.recvall()
+
+        if 'not found' in data:
+            io = process(['pidof', name])
+            data = io.recvall()
+
+    return list(map(int, data.split()))
 
 @with_device
 def proc_exe(pid):

diff --git a/pwnlib/adb/bootimg.py b/pwnlib/adb/bootimg.py
@@ -0,0 +1,52 @@
+from __future__ import division
+
+import ctypes
+
+BOOT_MAGIC = b"ANDROID!"
+BOOT_MAGIC_SIZE = 8
+BOOT_NAME_SIZE = 16
+BOOT_ARGS_SIZE = 512
+BOOT_EXTRA_ARGS_SIZE = 1024
+
+
+class boot_img_hdr(ctypes.Structure):
+    _fields_ = [
+        ('magic', ctypes.c_char * BOOT_MAGIC_SIZE),
+
+        ('kernel_size', ctypes.c_uint32),
+        ('kernel_addr', ctypes.c_uint32),
+
+        ('ramdisk_size', ctypes.c_uint32),
+        ('ramdisk_addr', ctypes.c_uint32),
+
+        ('second_size', ctypes.c_uint32),
+        ('second_addr', ctypes.c_uint32),
+
+        ('tags_addr', ctypes.c_uint32),
+        ('page_size', ctypes.c_uint32),
+        ('unused', ctypes.c_uint32),
+
+        ('os_version', ctypes.c_uint32),
+
+        ('name', ctypes.c_char * BOOT_NAME_SIZE),
+        ('cmdline', ctypes.c_char * BOOT_ARGS_SIZE),
+        ('id', ctypes.c_char * 8),
+
+        ('extra_cmdline', ctypes.c_char * BOOT_EXTRA_ARGS_SIZE),
+    ]
+
+class BootImage(object):
+    def __init__(self, data):
+        self.data = data
+        self.header = boot_img_hdr.from_buffer_copy(data)
+
+        PAGE = self.page_size
+
+        # The kernel starts at the beginning of the second page.
+        self.kernel = self.data[PAGE:PAGE+self.kernel_size]
+
+    def __getattr__(self, name):
+        value = getattr(self.header, name, None)
+        if value is not None:
+            return value
+        return getattr(super(BootImage, self), name)
diff --git a/pwnlib/adb/bootloader.py b/pwnlib/adb/bootloader.py
@@ -1,10 +1,15 @@
 from __future__ import unicode_literals
+from __future__ import division
 
 import ctypes
 import io
 import os
 import sys
 
+from pwnlib.log import getLogger
+
+log = getLogger(__name__)
+
 class img_info(ctypes.Structure):
     _fields_ = [
         ('name', ctypes.c_char * 64),
@@ -19,11 +24,7 @@ class bootloader_images_header(ctypes.Structure):
         ('bootldr_size', ctypes.c_uint32),
     ]
 
-    def __init__(self, *a, **kw):
-        super(bootloader_images_header, self).__init__(*a, **kw)
-        if self.magic != self.MAGIC:
-            raise ValueError("Incorrect magic (%r, expected %r)" % (self.magic, self.MAGIC))
-    MAGIC = 'BOOTLDR!'
+BOOTLDR_MAGIC = bytes('BOOTLDR!')
 
 class BootloaderImage(object):
     def __init__(self, data):
@@ -35,7 +36,21 @@ def __init__(self, data):
         self.data = data
         self.header = bootloader_images_header.from_buffer_copy(data)
 
-        imgarray = ctypes.ARRAY(img_info, self.header.num_images)
+        if self.magic != BOOTLDR_MAGIC:
+            log.error("Incorrect magic (%r, expected %r)" % (self.magic, BOOTLDR_MAGIC))
+
+        if(self.bootldr_size > len(data)):
+            log.warn_once("Bootloader is supposed to be %#x bytes, only have %#x",
+                          self.bootldr_size,
+                          len(data))
+
+        if(self.num_images >= 0x100):
+            old = self.num_images
+            self.num_images = 1
+            log.warn_once("Bootloader num_images (%#x) appears corrupted, truncating to 1",
+                          old)
+
+        imgarray = ctypes.ARRAY(img_info, self.num_images)
         self.img_info = imgarray.from_buffer_copy(data, ctypes.sizeof(self.header))
 
     def extract(self, index_or_name):
@@ -62,7 +77,7 @@ def extract(self, index_or_name):
         if index >= len(self.img_info):
             raise ValueError("index out of range (%s, max %s)" % (index, len(self.img_info)))
 
-        offset = self.header.start_offset
+        offset = self.start_offset
 
         for i in range(index):
             offset += self.img_info[i].size
@@ -87,16 +102,22 @@ def extract_all(self, path):
     def __str__(self):
         rv = []
         rv.append("Bootloader")
-        rv.append("  Magic:  %r" % self.header.magic)
-        rv.append("  Offset: %#x" % self.header.start_offset)
-        rv.append("  Size:   %#x" % self.header.bootldr_size)
-        rv.append("  Images: %s" % self.header.num_images)
+        rv.append("  Magic:  %r" % self.magic)
+        rv.append("  Offset: %#x" % self.start_offset)
+        rv.append("  Size:   %#x" % self.bootldr_size)
+        rv.append("  Images: %s" % self.num_images)
         for img in self.img_info:
             rv.append("    Name: %s" % img.name)
             rv.append("    Size: %#x" % img.size)
             rv.append("    Data: %r..." % self.extract(img.name)[:32])
         return '\n'.join(rv)
 
+    def __getattr__(self, name):
+        value = getattr(self.header, name, None)
+        if value is not None:
+            return value
+        return getattr(super(BootImage, self), name)
+
 if __name__ == '__main__':
     # Easy sanity checking
     b = BootloaderImage(open(sys.argv[1]).read())

diff --git a/pwnlib/args.py b/pwnlib/args.py
@@ -51,6 +51,7 @@
 
 """
 from __future__ import absolute_import
+from __future__ import division
 
 import collections
 import logging

diff --git a/pwnlib/asm.py b/pwnlib/asm.py
@@ -40,6 +40,7 @@
 
 """
 from __future__ import absolute_import
+from __future__ import division
 
 import errno
 import os
@@ -614,7 +615,7 @@ def asm(shellcode, vma = 0, extract = True, shared = False):
     Runs :func:`cpp` over a given shellcode and then assembles it into bytes.
 
     To see which architectures or operating systems are supported,
-    look in :mod:`pwnlib.contex`.
+    look in :mod:`pwnlib.context`.
 
     Assembling shellcode requires that the GNU assembler is installed
     for the target architecture.

diff --git a/pwnlib/atexception.py b/pwnlib/atexception.py
@@ -3,6 +3,7 @@
 be run if an unhandled exception occurs.
 """
 from __future__ import absolute_import
+from __future__ import division
 
 import sys
 import threading

diff --git a/pwnlib/atexit.py b/pwnlib/atexit.py
@@ -8,6 +8,7 @@
 printed twice when the standard :mod:`atexit` is used.
 """
 from __future__ import absolute_import
+from __future__ import division
 
 import sys
 import threading

diff --git a/pwnlib/commandline/asm.py b/pwnlib/commandline/asm.py
@@ -1,5 +1,6 @@
 #!/usr/bin/env python2
 from __future__ import absolute_import
+from __future__ import division
 
 import argparse
 import sys
@@ -45,22 +46,22 @@
 parser.add_argument(
     '-v', '--avoid',
     action='append',
-    help = 'Encode the shellcode to avoid the listed bytes (provided as hex; default: 000a)'
+    help = 'Encode the shellcode to avoid the listed bytes (provided as hex)'
 )
 
 parser.add_argument(
     '-n', '--newline',
     dest='avoid',
     action='append_const',
-    const='\n',
+    const='0a',
     help = 'Encode the shellcode to avoid newlines'
 )
 
 parser.add_argument(
     '-z', '--zero',
     dest='avoid',
     action='append_const',
-    const='\x00',
+    const='00',
     help = 'Encode the shellcode to avoid NULL bytes'
 )
 
@@ -106,7 +107,8 @@ def main(args):
     formatters = {'r':str, 'h':enhex, 's':repr}
 
     if args.avoid:
-        output = encode(output, args.avoid)
+        avoid = unhex(''.join(args.avoid))
+        output = encode(output, avoid)
 
     if args.debug:
         proc = gdb.debug_shellcode(output, arch=context.arch)

diff --git a/pwnlib/commandline/checksec.py b/pwnlib/commandline/checksec.py
@@ -1,5 +1,6 @@
 #!/usr/bin/env python2
 from __future__ import absolute_import
+from __future__ import division
 
 import argparse
 import sys

diff --git a/pwnlib/commandline/constgrep.py b/pwnlib/commandline/constgrep.py
@@ -1,5 +1,6 @@
 #!/usr/bin/env python2
 from __future__ import absolute_import
+from __future__ import division
 
 import argparse
 import os

diff --git a/pwnlib/commandline/cyclic.py b/pwnlib/commandline/cyclic.py
@@ -1,5 +1,6 @@
 #!/usr/bin/env python2
 from __future__ import absolute_import
+from __future__ import division
 
 import argparse
 import string

diff --git a/pwnlib/commandline/debug.py b/pwnlib/commandline/debug.py
@@ -1,5 +1,6 @@
 #!/usr/bin/env python2
 from __future__ import absolute_import
+from __future__ import division
 
 import argparse
 import sys
@@ -78,7 +79,12 @@ def main(args):
         # pidof() returns a list
         if not target:
             log.error("Could not find a PID for %r", args.process)
+
         target = target[0]
+
+        # pidof will sometimes return all PIDs, including init
+        if target == 1:
+            log.error("Got PID 1 from pidof.  Check the process name, or use --pid 1 to debug init")
     else:
         parser.print_usage()
         return 1

diff --git a/pwnlib/commandline/disablenx.py b/pwnlib/commandline/disablenx.py
@@ -1,5 +1,6 @@
 #!/usr/bin/env python2
 from __future__ import absolute_import
+from __future__ import division
 
 from pwn import *
 from pwnlib.commandline import common

diff --git a/pwnlib/commandline/disasm.py b/pwnlib/commandline/disasm.py
@@ -1,5 +1,6 @@
 #!/usr/bin/env python2
 from __future__ import absolute_import
+from __future__ import division
 
 import argparse
 import string

diff --git a/pwnlib/commandline/elfdiff.py b/pwnlib/commandline/elfdiff.py
@@ -1,5 +1,6 @@
 #!/usr/bin/env python2
 from __future__ import absolute_import
+from __future__ import division
 
 import shutil
 from argparse import ArgumentParser

diff --git a/pwnlib/commandline/elfpatch.py b/pwnlib/commandline/elfpatch.py
@@ -1,5 +1,6 @@
 #!/usr/bin/env python2
 from __future__ import absolute_import
+from __future__ import division
 
 import argparse
 import sys

diff --git a/pwnlib/commandline/hex.py b/pwnlib/commandline/hex.py
@@ -1,5 +1,6 @@
 #!/usr/bin/env python2
 from __future__ import absolute_import
+from __future__ import division
 
 import argparse
 import sys

diff --git a/pwnlib/commandline/phd.py b/pwnlib/commandline/phd.py
@@ -1,5 +1,6 @@
 #!/usr/bin/env python2
 from __future__ import absolute_import
+from __future__ import division
 
 import argparse
 import os

diff --git a/pwnlib/commandline/pwnstrip.py b/pwnlib/commandline/pwnstrip.py
@@ -1,4 +1,5 @@
 from __future__ import absolute_import
+from __future__ import division
 
 import argparse
 

diff --git a/pwnlib/commandline/scramble.py b/pwnlib/commandline/scramble.py
@@ -1,4 +1,5 @@
 from __future__ import absolute_import
+from __future__ import division
 
 import argparse
 import sys