May-12-2019, 04:59 PM
I am trying to exploit an old Python bug in a 64-bit environment.
In order to do that, I need to pass a 64-bit argument with LOAD_CONST. The problem is that LOAD_CONST only accepts a 2-byte argument.
I can extend that to 4 bytes with the EXTENDED_ARG opcode, but I need 8 bytes, not 4.
Is there a way to do that?
This is my code so far:
```python
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import opcode
import types

def a():
    pass

const_tuple = ()
addr_const_tuple = id(const_tuple)
print 'addr_const_tuple: ' + hex(addr_const_tuple)

a.func_code = types.CodeType(
    0, 0, 0, 0,
    #chr(opcode.opmap['EXTENDED_ARG']) + '\xaa\xbb' +
    chr(opcode.opmap['EXTENDED_ARG']) + '\xad\xde' +
    chr(opcode.opmap['LOAD_CONST']) + '\xef\xbe',
    const_tuple, (), (), '', '', 0, ''
)
a()
```

Adding multiple EXTENDED_ARG does not work.
Thank you!
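
An added example, not part of the original post: the posted code pairs an empty constants tuple with a LOAD_CONST index of 0xdeadbeef, so anything that accepts code objects from an untrusted source can reject such bytecode by checking every LOAD_CONST index against the length of co_consts before running it. The code below runs on Python 3 over a Python 2.7 code string held as bytes; the function name `audit_load_const` and the sample byte strings are constructed for this example, and the opcode numbers are assumed to be those of CPython 2.7's opcode.py.

```python
import struct

# Opcode numbers as defined in CPython 2.7's opcode.py (assumed target version).
HAVE_ARGUMENT = 90   # opcodes >= this carry a 2-byte little-endian argument
LOAD_CONST = 100
EXTENDED_ARG = 145   # supplies the upper 16 bits of the next opcode's argument

def audit_load_const(code, n_consts):
    """Return (offset, message) findings for a Python 2.7 code string.

    code     -- raw co_code as bytes
    n_consts -- len(co_consts) of the same code object
    """
    findings = []
    i, high, prefixed = 0, 0, False
    while i < len(code):
        off, op = i, code[i]
        i += 1
        if op < HAVE_ARGUMENT:                 # opcode without argument
            high, prefixed = 0, False
            continue
        if i + 2 > len(code):
            findings.append((off, "truncated argument"))
            break
        low = struct.unpack_from("<H", code, i)[0]
        i += 2
        if op == EXTENDED_ARG:
            if prefixed:                       # a second prefix in a row
                findings.append((off, "stacked EXTENDED_ARG"))
            high, prefixed = low << 16, True
            continue
        oparg = high | low
        high, prefixed = 0, False
        if op == LOAD_CONST and oparg >= n_consts:
            findings.append(
                (off, "LOAD_CONST index 0x%x >= len(co_consts)=%d" % (oparg, n_consts)))
    return findings

# Constructed samples. POSTED is the byte string built in the post above.
BENIGN = bytes([LOAD_CONST, 0x00, 0x00, 83])   # LOAD_CONST 0; RETURN_VALUE
POSTED = bytes([EXTENDED_ARG, 0xAD, 0xDE, LOAD_CONST, 0xEF, 0xBE])
STACKED = bytes([EXTENDED_ARG, 0xBB, 0xAA]) + POSTED

if __name__ == "__main__":
    for name, blob, n in (("benign", BENIGN, 1), ("posted", POSTED, 0),
                          ("stacked", STACKED, 0)):
        print(name, audit_load_const(blob, n))
```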