nsploit/sploit/rev/elf.py, branch v0.3 Process interaction tool for software exploitation rev: Normalize the reported offset of found gadgets 2023-03-19T08:19:21+00:00 Malfurious m@lfurio.us 2023-03-19T01:21:44+00:00 31ef0e9a7a67ba3c361e72d279ae84b9285fb470 ROP gadgets returned through search from the r2 API will now always contain a file-relative offset, even if they come from a non-pic binary using a fixed baddr. However, gadgets returned through the ELF API will be mapped according to the ELF's Symtbl. This ensures the correct offset is returned following a library leak, and allows the user to always safely insert an ELF-returned gadget into that ELF's Symtbl without issue. Signed-off-by: Malfurious <m@lfurio.us> Signed-off-by: dusoleil <howcansocksbereal@gmail.com> 
ROP gadgets returned through search from the r2 API will now always
contain a file-relative offset, even if they come from a non-pic binary
using a fixed baddr.

However, gadgets returned through the ELF API will be mapped according
to the ELF's Symtbl.  This ensures the correct offset is returned
following a library leak, and allows the user to always safely insert an
ELF-returned gadget into that ELF's Symtbl without issue.

Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
elf: Add docstrings 2023-03-16T22:57:11+00:00 dusoleil howcansocksbereal@gmail.com 2023-03-16T22:57:11+00:00 42ab380423553720a2a80d03dee68957e6f3b4ff Signed-off-by: dusoleil <howcansocksbereal@gmail.com> 
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
elf: Automatically lookup Arch on ELF construction 2023-03-16T22:55:59+00:00 dusoleil howcansocksbereal@gmail.com 2023-03-16T22:55:59+00:00 143f585b0e02ae87e0d383e27c48aa76745db51b Signed-off-by: dusoleil <howcansocksbereal@gmail.com> 
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
elf: Add bininfo to ELF under .info and .security 2023-03-16T22:47:10+00:00 dusoleil howcansocksbereal@gmail.com 2023-03-16T22:47:10+00:00 d0aee78d96aade08c8e6180a4b8f067c947cf20a On ELF construction, call r2.get_bin_info() and keep the results under the psuedo-namespaces .info and .security. Also add a pretty-print to these in a tabulated form. Also rewrite the ELF pretty-print to just summarize and not print out the entirety of .sym. Lastly, fixed a small bug where ELF could crash on construction if ldd fails (loading a non-native ELF, for instance). Signed-off-by: dusoleil <howcansocksbereal@gmail.com> 
On ELF construction, call r2.get_bin_info() and keep the results under
the psuedo-namespaces .info and .security.  Also add a pretty-print to
these in a tabulated form.  Also rewrite the ELF pretty-print to just
summarize and not print out the entirety of .sym.  Lastly, fixed a small
bug where ELF could crash on construction if ldd fails (loading a
non-native ELF, for instance).

Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
rev: Update rop gadget search functionality 2023-03-15T21:49:22+00:00 Malfurious m@lfurio.us 2023-03-15T21:12:32+00:00 873cf63768302bab81b06987803e9d108e3ceebb Development on the rop chain builder has produced this upgrade to our gadget search facility. The primary advantages in this version are increased flexibility and runtime performance. It is now easier to find specific 'stray' instructions (not immediately followed by a ret) since we search from every position in the data returned by r2. If you _do_ want a ret, just specify it in your input regexes. For this reason, a dedicated function for locating a simple 'ret' gadget is no longer present - elf.gadget("ret") is the equivalent. A major change in this version is that we now obtain and operate on r2's JSON representation of the gadget data. We now only reach out to r2 once to get all information for a binary (which is cached) and the actual 'search' is implemented in Python. This provides a significant performance speedup in cases where we need many gadgets from one binary, as r2 doesn't need to inspect the entire file each time. Additional caching is done on specific search results, so that 100% redundant searches are returned immediately. Access to the raw JSON data is made available through a new function rop_json(), but is not exposed in the ELF interface, since it seems like a niche need. Search results are returned via Gadget objects (or a list thereof), which contain regular expression Match objects for each assembly instruction found in the gadget. This allows the caller to retrieve the values contained in regular expression capture groups if present. Also, anecdotally, the search functionality in r2 has seemed to return false negatives for some queries in the past, whereas I haven't noticed similar cases with this implementation yet. Signed-off-by: Malfurious <m@lfurio.us> Signed-off-by: dusoleil <howcansocksbereal@gmail.com> 
Development on the rop chain builder has produced this upgrade to our
gadget search facility.  The primary advantages in this version are
increased flexibility and runtime performance.

It is now easier to find specific 'stray' instructions (not immediately
followed by a ret) since we search from every position in the data
returned by r2.  If you _do_ want a ret, just specify it in your input
regexes.  For this reason, a dedicated function for locating a simple
'ret' gadget is no longer present - elf.gadget("ret") is the equivalent.

A major change in this version is that we now obtain and operate on r2's
JSON representation of the gadget data.  We now only reach out to r2
once to get all information for a binary (which is cached) and the
actual 'search' is implemented in Python.  This provides a significant
performance speedup in cases where we need many gadgets from one binary,
as r2 doesn't need to inspect the entire file each time.  Additional
caching is done on specific search results, so that 100% redundant
searches are returned immediately.  Access to the raw JSON data is made
available through a new function rop_json(), but is not exposed in the
ELF interface, since it seems like a niche need.

Search results are returned via Gadget objects (or a list thereof),
which contain regular expression Match objects for each assembly
instruction found in the gadget.  This allows the caller to retrieve the
values contained in regular expression capture groups if present.

Also, anecdotally, the search functionality in r2 has seemed to return
false negatives for some queries in the past, whereas I haven't noticed
similar cases with this implementation yet.

Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
elf: Fix visual bug printing libraries list 2023-03-13T23:21:49+00:00 Malfurious m@lfurio.us 2023-03-11T14:03:56+00:00 7f6ca05f2448e0f17af5d9aa692fc85b21c3af1e Previously, due to precedence rules, the text produced for any library whose corresponding ELF object has already been initialized would simply be `str(lib.path)`, instead of the intended formatted string. Also fixes a typo. Signed-off-by: Malfurious <m@lfurio.us> Signed-off-by: dusoleil <howcansocksbereal@gmail.com> 
Previously, due to precedence rules, the text produced for any library
whose corresponding ELF object has already been initialized would simply
be `str(lib.path)`, instead of the intended formatted string.

Also fixes a typo.

Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
Prefer __repr__ for pretty-printing objects 2023-03-13T23:21:48+00:00 Malfurious m@lfurio.us 2023-03-11T13:56:26+00:00 a412a9a14a73f8041af34f0612c534c80bf9d13d Define human-readable string formatting for objects in repr, rather than str, as this will enable an interactive interpreter to more conveniently show this data to the user. I believe this especially makes sense in cases where __str__ doesn't perform a semantic type conversion for its class (currently, all affected cases). Scripts can still easily yield this information by using `print(object)`, as print will fallback to repr(object) when there is not an explicitly defined __str__. Furthermore, this patch still maintains backwards compatability (for the time being) of using str(object) to retrieve the information. This is because the default __str__ implementation will defer to __repr__ if provided. This made the Symtbl case of providing both of them especially redundant. Signed-off-by: Malfurious <m@lfurio.us> Signed-off-by: dusoleil <howcansocksbereal@gmail.com> 
Define human-readable string formatting for objects in repr, rather than
str, as this will enable an interactive interpreter to more conveniently
show this data to the user.  I believe this especially makes sense in
cases where __str__ doesn't perform a semantic type conversion for its
class (currently, all affected cases).

Scripts can still easily yield this information by using
`print(object)`, as print will fallback to repr(object) when there is
not an explicitly defined __str__.

Furthermore, this patch still maintains backwards compatability (for the
time being) of using str(object) to retrieve the information.  This is
because the default __str__ implementation will defer to __repr__ if
provided.  This made the Symtbl case of providing both of them
especially redundant.

Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
sploit: Clean up use of __getattribute__ 2022-03-17T07:48:43+00:00 Malfurious m@lfurio.us 2022-03-16T03:04:16+00:00 d7c7c96b4ff932078d0399b5ec6b4f8b8d87f43e __getattribute__ is the low-level magic func and will intercept every attribute lookup, whereas __getattr__ is high-level, and is only invoked in specific conditions (such as __getattribute__'s failure). As such, any overload of __getattribute__ which preferentially falls back to object.__getattribute__() before serving a request, can more simply be replaced by a __getattr__ overload without the fallback. Signed-off-by: Malfurious <m@lfurio.us> Signed-off-by: dusoleil <howcansocksbereal@gmail.com> 
__getattribute__ is the low-level magic func and will intercept every
attribute lookup, whereas __getattr__ is high-level, and is only invoked
in specific conditions (such as __getattribute__'s failure).

As such, any overload of __getattribute__ which preferentially falls
back to object.__getattribute__() before serving a request, can more
simply be replaced by a __getattr__ overload without the fallback.

Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
sploit: Move __attr_filter__ to a general place in util 2022-03-14T03:34:23+00:00 dusoleil howcansocksbereal@gmail.com 2022-03-14T03:34:23+00:00 c493a8f8073702bcdccdbc40bf09931e201c9013 Found a spot to use __attr_filter__ in the rev module, so moving it out of mem and into a shared place (util). Signed-off-by: dusoleil <howcansocksbereal@gmail.com> 
Found a spot to use __attr_filter__ in the rev module, so moving it out
of mem and into a shared place (util).

Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
sploit: lazy load libs for ELF 2022-03-14T03:27:30+00:00 dusoleil howcansocksbereal@gmail.com 2022-03-13T01:36:30+00:00 8897faa7387f8103df9dfdb54149d59bfde0e681 Signed-off-by: dusoleil <howcansocksbereal@gmail.com> 
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>