<feed xmlns='http://www.w3.org/2005/Atom'>
<title>lib-des-gnux/tools/sploit, branch master</title>
<subtitle>Library of GNU Exploitation</subtitle>
<link rel='alternate' type='text/html' href='http://normalmode.org/malf/lib-des-gnux/'/>
<entry>
<title>Remove sploit tool</title>
<updated>2024-02-14T06:23:45+00:00</updated>
<author>
<name>Malfurious</name>
<email>m@lfurio.us</email>
</author>
<published>2024-02-14T06:23:45+00:00</published>
<link rel='alternate' type='text/html' href='http://normalmode.org/malf/lib-des-gnux/commit/?id=aa09111dcd13deb6ce725e551732bf8b45dffca3'/>
<id>aa09111dcd13deb6ce725e551732bf8b45dffca3</id>
<content type='text'>
Sploit has been living on in another repository for the past year or so.
Remove the stale files from this repository.

Signed-off-by: Malfurious &lt;m@lfurio.us&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Sploit has been living on in another repository for the past year or so.
Remove the stale files from this repository.

Signed-off-by: Malfurious &lt;m@lfurio.us&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge branch 'sploit/symtbl-base'</title>
<updated>2022-09-13T00:33:37+00:00</updated>
<author>
<name>Malfurious</name>
<email>m@lfurio.us</email>
</author>
<published>2022-09-13T00:33:37+00:00</published>
<link rel='alternate' type='text/html' href='http://normalmode.org/malf/lib-des-gnux/commit/?id=3df225eb84bf3415854e922271b2901810e2a81e'/>
<id>3df225eb84bf3415854e922271b2901810e2a81e</id>
<content type='text'>
This branch brings some conveniences to the semantics behind Symtbl base
values.

* sploit/symtbl-base:
  sploit: rev: Properly base Symtbls for non-PIC binaries
  sploit: Fix bugs involving Symtbl base value
  sploit: mem: Allow Symtbl base to be modified
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This branch brings some conveniences to the semantics behind Symtbl base
values.

* sploit/symtbl-base:
  sploit: rev: Properly base Symtbls for non-PIC binaries
  sploit: Fix bugs involving Symtbl base value
  sploit: mem: Allow Symtbl base to be modified
</pre>
</div>
</content>
</entry>
<entry>
<title>sploit: rev: Properly base Symtbls for non-PIC binaries</title>
<updated>2022-09-13T00:19:09+00:00</updated>
<author>
<name>Malfurious</name>
<email>m@lfurio.us</email>
</author>
<published>2022-07-07T04:00:41+00:00</published>
<link rel='alternate' type='text/html' href='http://normalmode.org/malf/lib-des-gnux/commit/?id=fe63ef169d3ce1e6e14842f716cdbc62b458e1f1'/>
<id>fe63ef169d3ce1e6e14842f716cdbc62b458e1f1</id>
<content type='text'>
The baddr property identified by r2 is now used as the base address for
ELF symbol tables.  This should not change the addresses retrieved via
the table normally, however should fix the internal offsets of the table
so that rebasing makes sense.

Note that for PIC/PIE binaries we would already get a Symtbl with
'correct' offsets, as r2 is unable to absolutely resolve them for us.
In these cases, the Symtbl base value remains at zero.

Signed-off-by: Malfurious &lt;m@lfurio.us&gt;
Signed-off-by: dusoleil &lt;howcansocksbereal@gmail.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The baddr property identified by r2 is now used as the base address for
ELF symbol tables.  This should not change the addresses retrieved via
the table normally, however should fix the internal offsets of the table
so that rebasing makes sense.

Note that for PIC/PIE binaries we would already get a Symtbl with
'correct' offsets, as r2 is unable to absolutely resolve them for us.
In these cases, the Symtbl base value remains at zero.

Signed-off-by: Malfurious &lt;m@lfurio.us&gt;
Signed-off-by: dusoleil &lt;howcansocksbereal@gmail.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>sploit: Fix bugs involving Symtbl base value</title>
<updated>2022-09-13T00:19:03+00:00</updated>
<author>
<name>Malfurious</name>
<email>m@lfurio.us</email>
</author>
<published>2022-07-07T03:42:57+00:00</published>
<link rel='alternate' type='text/html' href='http://normalmode.org/malf/lib-des-gnux/commit/?id=1480e6ba39fdaacaf558dd099ccf1b87c9b92d6a'/>
<id>1480e6ba39fdaacaf558dd099ccf1b87c9b92d6a</id>
<content type='text'>
Some code previously assumed a Symtbl's base value to always be zero.
This was often the case, however the assumption would break (for example)
when attempting to rebase() a mapped Symtbl.

As of the previous patch enabling freer modification of base, the
potentiality of these bugs will be higher.

Signed-off-by: Malfurious &lt;m@lfurio.us&gt;
Signed-off-by: dusoleil &lt;howcansocksbereal@gmail.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Some code previously assumed a Symtbl's base value to always be zero.
This was often the case, however the assumption would break (for example)
when attempting to rebase() a mapped Symtbl.

As of the previous patch enabling freer modification of base, the
potentiality of these bugs will be higher.

Signed-off-by: Malfurious &lt;m@lfurio.us&gt;
Signed-off-by: dusoleil &lt;howcansocksbereal@gmail.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>sploit: mem: Allow Symtbl base to be modified</title>
<updated>2022-09-13T00:18:55+00:00</updated>
<author>
<name>Malfurious</name>
<email>m@lfurio.us</email>
</author>
<published>2022-07-07T03:30:49+00:00</published>
<link rel='alternate' type='text/html' href='http://normalmode.org/malf/lib-des-gnux/commit/?id=81f8130fa479fd827bc84354ee9a72b80c9cde02'/>
<id>81f8130fa479fd827bc84354ee9a72b80c9cde02</id>
<content type='text'>
Allow a Symtbl's base to be modified in-place, without mapping into a
new object.  This is useful when working with the Symtbl aspect of a
Payload.

This includes setting a non-zero base on construction.  As usual, when
defining base on construction, any additional kwargs symbols are
interpreted relative to the given base.  The order of arguments does not
matter.

Signed-off-by: Malfurious &lt;m@lfurio.us&gt;
Signed-off-by: dusoleil &lt;howcansocksbereal@gmail.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Allow a Symtbl's base to be modified in-place, without mapping into a
new object.  This is useful when working with the Symtbl aspect of a
Payload.

This includes setting a non-zero base on construction.  As usual, when
defining base on construction, any additional kwargs symbols are
interpreted relative to the given base.  The order of arguments does not
matter.

Signed-off-by: Malfurious &lt;m@lfurio.us&gt;
Signed-off-by: dusoleil &lt;howcansocksbereal@gmail.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>sploit: payload: Promote private methods to "protected" access</title>
<updated>2022-09-13T00:16:16+00:00</updated>
<author>
<name>Malfurious</name>
<email>m@lfurio.us</email>
</author>
<published>2022-07-08T04:49:35+00:00</published>
<link rel='alternate' type='text/html' href='http://normalmode.org/malf/lib-des-gnux/commit/?id=85320ac3a6f58483c01d52e39ee67241db6c165f'/>
<id>85320ac3a6f58483c01d52e39ee67241db6c165f</id>
<content type='text'>
Lift restriction (name mangling) to Payload helper functions, as their
use will be useful in Payload subclasses.

Signed-off-by: Malfurious &lt;m@lfurio.us&gt;
Signed-off-by: dusoleil &lt;howcansocksbereal@gmail.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Lift restriction (name mangling) to Payload helper functions, as their
use will be useful in Payload subclasses.

Signed-off-by: Malfurious &lt;m@lfurio.us&gt;
Signed-off-by: dusoleil &lt;howcansocksbereal@gmail.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>sploit: payload: Clean up automatic symbol naming</title>
<updated>2022-09-13T00:15:35+00:00</updated>
<author>
<name>Malfurious</name>
<email>m@lfurio.us</email>
</author>
<published>2022-07-08T04:04:02+00:00</published>
<link rel='alternate' type='text/html' href='http://normalmode.org/malf/lib-des-gnux/commit/?id=51d92be1f5eb0ec188b635366d588f61f5f3bca4'/>
<id>51d92be1f5eb0ec188b635366d588f61f5f3bca4</id>
<content type='text'>
This is just a slight code reduction, but will make any future code
simpler as well.  Explicit comparison to None is more correct as well;
centralizing this for reuse better justifies the wordier if statement.

Signed-off-by: Malfurious &lt;m@lfurio.us&gt;
Signed-off-by: dusoleil &lt;howcansocksbereal@gmail.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This is just a slight code reduction, but will make any future code
simpler as well.  Explicit comparison to None is more correct as well;
centralizing this for reuse better justifies the wordier if statement.

Signed-off-by: Malfurious &lt;m@lfurio.us&gt;
Signed-off-by: dusoleil &lt;howcansocksbereal@gmail.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>sploit: payload: Class no longer extends Symtbl</title>
<updated>2022-09-13T00:15:29+00:00</updated>
<author>
<name>Malfurious</name>
<email>m@lfurio.us</email>
</author>
<published>2022-07-08T03:56:25+00:00</published>
<link rel='alternate' type='text/html' href='http://normalmode.org/malf/lib-des-gnux/commit/?id=9759d731da4787ea0679ebe9700d72397ec788b2'/>
<id>9759d731da4787ea0679ebe9700d72397ec788b2</id>
<content type='text'>
Given the current design of Symtbl, creating subclasses of it gets more
tedious the further one goes down a potential class hierarchy.  As I am
planning to introduce new features in the future that explicitly extend
Payload, make this change now to minimize the impact.

Additionally, switching Payload's relationship with Symtbl from "is-a"
to "has-a" makes it more consistent with rev.ELF, the other major user
of Symtbl.  (And in both cases, the member is named 'sym')

Signed-off-by: Malfurious &lt;m@lfurio.us&gt;
Signed-off-by: dusoleil &lt;howcansocksbereal@gmail.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Given the current design of Symtbl, creating subclasses of it gets more
tedious the further one goes down a potential class hierarchy.  As I am
planning to introduce new features in the future that explicitly extend
Payload, make this change now to minimize the impact.

Additionally, switching Payload's relationship with Symtbl from "is-a"
to "has-a" makes it more consistent with rev.ELF, the other major user
of Symtbl.  (And in both cases, the member is named 'sym')

Signed-off-by: Malfurious &lt;m@lfurio.us&gt;
Signed-off-by: dusoleil &lt;howcansocksbereal@gmail.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>sploit: payload: Allow variadic insertions</title>
<updated>2022-09-13T00:15:23+00:00</updated>
<author>
<name>Malfurious</name>
<email>m@lfurio.us</email>
</author>
<published>2022-05-28T05:10:05+00:00</published>
<link rel='alternate' type='text/html' href='http://normalmode.org/malf/lib-des-gnux/commit/?id=d673d458922b640ca3f384288356a33a308cdc9b'/>
<id>d673d458922b640ca3f384288356a33a308cdc9b</id>
<content type='text'>
Often times, users of the Payload module wish to push a list of integers
to a payload buffer.  Currently, the best (and intended) way to do this
is to make several calls to .int().  However, as part of the ROP effort,
I am planning to add function 'gadget(addr, *params)' to the Payload
class.  Per the design of this function, calling it with an expanded
list of values would be equivalent to passing each to .int()
individually.  In order to discourage the use of .gadget(), as a
shortcut to a series of .int()s, .int(), and most other insertion
functions, now accept arbitrarily many value arguments.

Functions that support additional options (such as .int()'s 'signed'
parameter) will apply such options to all values.  If a symbol name is
defined, it will reference the beginning of the block of values.

Keep in mind, this will also allow inserting zero values.  For example,
obj.bin(sym='end') will tag the end of the payload without extending its
content.  This use-case is not intended to be particularly useful, but
exists as a consequence of the change.

Payload.rep() and the pad functions are not affected by this commit, as
I don't think changing their semantics in this way makes sense.

Signed-off-by: Malfurious &lt;m@lfurio.us&gt;
Signed-off-by: dusoleil &lt;howcansocksbereal@gmail.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Often times, users of the Payload module wish to push a list of integers
to a payload buffer.  Currently, the best (and intended) way to do this
is to make several calls to .int().  However, as part of the ROP effort,
I am planning to add function 'gadget(addr, *params)' to the Payload
class.  Per the design of this function, calling it with an expanded
list of values would be equivalent to passing each to .int()
individually.  In order to discourage the use of .gadget(), as a
shortcut to a series of .int()s, .int(), and most other insertion
functions, now accept arbitrarily many value arguments.

Functions that support additional options (such as .int()'s 'signed'
parameter) will apply such options to all values.  If a symbol name is
defined, it will reference the beginning of the block of values.

Keep in mind, this will also allow inserting zero values.  For example,
obj.bin(sym='end') will tag the end of the payload without extending its
content.  This use-case is not intended to be particularly useful, but
exists as a consequence of the change.

Payload.rep() and the pad functions are not affected by this commit, as
I don't think changing their semantics in this way makes sense.

Signed-off-by: Malfurious &lt;m@lfurio.us&gt;
Signed-off-by: dusoleil &lt;howcansocksbereal@gmail.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>sploit: Allow multiple reads in Comm.readall_nonblock()</title>
<updated>2022-04-09T03:41:39+00:00</updated>
<author>
<name>Malfurious</name>
<email>m@lfurio.us</email>
</author>
<published>2022-03-23T11:09:11+00:00</published>
<link rel='alternate' type='text/html' href='http://normalmode.org/malf/lib-des-gnux/commit/?id=93c6adcbc97f6cdd9b45b78b95279abb82e8a05c'/>
<id>93c6adcbc97f6cdd9b45b78b95279abb82e8a05c</id>
<content type='text'>
Due to line buffering, we may often trigger a burst of data to be sent
by the target, but resolve the non-blocking read only after the first
line is received.  We would like to wait just a little longer to receive
the entire burst instead.

readall_nonblock() will now reset its timeout period whenever any data
becomes readable and will not return until we go an entire period of
silence.  Under normal conditions, the full duration of readall_nonblock
should barely be any longer than the defined period itself.

Signed-off-by: Malfurious &lt;m@lfurio.us&gt;
Signed-off-by: dusoleil &lt;howcansocksbereal@gmail.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Due to line buffering, we may often trigger a burst of data to be sent
by the target, but resolve the non-blocking read only after the first
line is received.  We would like to wait just a little longer to receive
the entire burst instead.

readall_nonblock() will now reset its timeout period whenever any data
becomes readable and will not return until we go an entire period of
silence.  Under normal conditions, the full duration of readall_nonblock
should barely be any longer than the defined period itself.

Signed-off-by: Malfurious &lt;m@lfurio.us&gt;
Signed-off-by: dusoleil &lt;howcansocksbereal@gmail.com&gt;
</pre>
</div>
</content>
</entry>
</feed>
