nsploit/sploit/rev, branch v0.3 Process interaction tool for software exploitation r2: limit gadget search to exec privilege sections 2023-03-19T13:26:08+00:00 dusoleil howcansocksbereal@gmail.com 2023-03-19T13:26:08+00:00 e4793b798fe84c856c76817814b3867d3ce7b85e Signed-off-by: dusoleil <howcansocksbereal@gmail.com> 
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
rev: Normalize the reported offset of found gadgets 2023-03-19T08:19:21+00:00 Malfurious m@lfurio.us 2023-03-19T01:21:44+00:00 31ef0e9a7a67ba3c361e72d279ae84b9285fb470 ROP gadgets returned through search from the r2 API will now always contain a file-relative offset, even if they come from a non-pic binary using a fixed baddr. However, gadgets returned through the ELF API will be mapped according to the ELF's Symtbl. This ensures the correct offset is returned following a library leak, and allows the user to always safely insert an ELF-returned gadget into that ELF's Symtbl without issue. Signed-off-by: Malfurious <m@lfurio.us> Signed-off-by: dusoleil <howcansocksbereal@gmail.com> 
ROP gadgets returned through search from the r2 API will now always
contain a file-relative offset, even if they come from a non-pic binary
using a fixed baddr.

However, gadgets returned through the ELF API will be mapped according
to the ELF's Symtbl.  This ensures the correct offset is returned
following a library leak, and allows the user to always safely insert an
ELF-returned gadget into that ELF's Symtbl without issue.

Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
elf: Add docstrings 2023-03-16T22:57:11+00:00 dusoleil howcansocksbereal@gmail.com 2023-03-16T22:57:11+00:00 42ab380423553720a2a80d03dee68957e6f3b4ff Signed-off-by: dusoleil <howcansocksbereal@gmail.com> 
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
elf: Automatically lookup Arch on ELF construction 2023-03-16T22:55:59+00:00 dusoleil howcansocksbereal@gmail.com 2023-03-16T22:55:59+00:00 143f585b0e02ae87e0d383e27c48aa76745db51b Signed-off-by: dusoleil <howcansocksbereal@gmail.com> 
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
elf: Add bininfo to ELF under .info and .security 2023-03-16T22:47:10+00:00 dusoleil howcansocksbereal@gmail.com 2023-03-16T22:47:10+00:00 d0aee78d96aade08c8e6180a4b8f067c947cf20a On ELF construction, call r2.get_bin_info() and keep the results under the psuedo-namespaces .info and .security. Also add a pretty-print to these in a tabulated form. Also rewrite the ELF pretty-print to just summarize and not print out the entirety of .sym. Lastly, fixed a small bug where ELF could crash on construction if ldd fails (loading a non-native ELF, for instance). Signed-off-by: dusoleil <howcansocksbereal@gmail.com> 
On ELF construction, call r2.get_bin_info() and keep the results under
the psuedo-namespaces .info and .security.  Also add a pretty-print to
these in a tabulated form.  Also rewrite the ELF pretty-print to just
summarize and not print out the entirety of .sym.  Lastly, fixed a small
bug where ELF could crash on construction if ldd fails (loading a
non-native ELF, for instance).

Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
r2: Use get_bin_info in get_elf_symbols 2023-03-16T22:38:57+00:00 dusoleil howcansocksbereal@gmail.com 2023-03-16T22:38:57+00:00 0bdf7d37fc2aa3cfc2fa02348f006996fa0bcce8 Code reuse since we were using r2 iI in get_elf_symbols to get the baddr. This can cause get_bin_info to be called (and log that it's being called) multiple times, so I'm also adding the @cache annotation. Signed-off-by: dusoleil <howcansocksbereal@gmail.com> 
Code reuse since we were using r2 iI in get_elf_symbols to get the
baddr.  This can cause get_bin_info to be called (and log that it's
being called) multiple times, so I'm also adding the @cache annotation.

Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
r2: Add ability to lookup info about a binary. 2023-03-16T22:37:37+00:00 dusoleil howcansocksbereal@gmail.com 2023-03-16T22:37:37+00:00 6e2d648cd7ffa7866a511bd27ba60188909d79cb Call r2's iI command and return a subset of the fields that we care about. Signed-off-by: dusoleil <howcansocksbereal@gmail.com> 
Call r2's iI command and return a subset of the fields that we care
about.

Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
r2: Increase maximum rop gadget length 2023-03-15T21:49:23+00:00 Malfurious m@lfurio.us 2023-03-15T21:12:33+00:00 d2763180e6c92c901448fa85aca01a2780ea5e79 Sets the value of rop.len = 10 in r2, to give the search function more data to sift through. This is a doubling from the default value (5). Signed-off-by: Malfurious <m@lfurio.us> Signed-off-by: dusoleil <howcansocksbereal@gmail.com> 
Sets the value of rop.len = 10 in r2, to give the search function more
data to sift through.  This is a doubling from the default value (5).

Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
rev: Update rop gadget search functionality 2023-03-15T21:49:22+00:00 Malfurious m@lfurio.us 2023-03-15T21:12:32+00:00 873cf63768302bab81b06987803e9d108e3ceebb Development on the rop chain builder has produced this upgrade to our gadget search facility. The primary advantages in this version are increased flexibility and runtime performance. It is now easier to find specific 'stray' instructions (not immediately followed by a ret) since we search from every position in the data returned by r2. If you _do_ want a ret, just specify it in your input regexes. For this reason, a dedicated function for locating a simple 'ret' gadget is no longer present - elf.gadget("ret") is the equivalent. A major change in this version is that we now obtain and operate on r2's JSON representation of the gadget data. We now only reach out to r2 once to get all information for a binary (which is cached) and the actual 'search' is implemented in Python. This provides a significant performance speedup in cases where we need many gadgets from one binary, as r2 doesn't need to inspect the entire file each time. Additional caching is done on specific search results, so that 100% redundant searches are returned immediately. Access to the raw JSON data is made available through a new function rop_json(), but is not exposed in the ELF interface, since it seems like a niche need. Search results are returned via Gadget objects (or a list thereof), which contain regular expression Match objects for each assembly instruction found in the gadget. This allows the caller to retrieve the values contained in regular expression capture groups if present. Also, anecdotally, the search functionality in r2 has seemed to return false negatives for some queries in the past, whereas I haven't noticed similar cases with this implementation yet. Signed-off-by: Malfurious <m@lfurio.us> Signed-off-by: dusoleil <howcansocksbereal@gmail.com> 
Development on the rop chain builder has produced this upgrade to our
gadget search facility.  The primary advantages in this version are
increased flexibility and runtime performance.

It is now easier to find specific 'stray' instructions (not immediately
followed by a ret) since we search from every position in the data
returned by r2.  If you _do_ want a ret, just specify it in your input
regexes.  For this reason, a dedicated function for locating a simple
'ret' gadget is no longer present - elf.gadget("ret") is the equivalent.

A major change in this version is that we now obtain and operate on r2's
JSON representation of the gadget data.  We now only reach out to r2
once to get all information for a binary (which is cached) and the
actual 'search' is implemented in Python.  This provides a significant
performance speedup in cases where we need many gadgets from one binary,
as r2 doesn't need to inspect the entire file each time.  Additional
caching is done on specific search results, so that 100% redundant
searches are returned immediately.  Access to the raw JSON data is made
available through a new function rop_json(), but is not exposed in the
ELF interface, since it seems like a niche need.

Search results are returned via Gadget objects (or a list thereof),
which contain regular expression Match objects for each assembly
instruction found in the gadget.  This allows the caller to retrieve the
values contained in regular expression capture groups if present.

Also, anecdotally, the search functionality in r2 has seemed to return
false negatives for some queries in the past, whereas I haven't noticed
similar cases with this implementation yet.

Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
rev: Add rop gadget description class 2023-03-15T21:49:22+00:00 Malfurious m@lfurio.us 2023-03-15T21:12:31+00:00 c9f5d7113c6f977fb31fd7699bd2d5a5869954ad This new class is intended to be used to return data from gadget searches, and is able to be nested within object Symtbls. Signed-off-by: Malfurious <m@lfurio.us> Signed-off-by: dusoleil <howcansocksbereal@gmail.com> 
This new class is intended to be used to return data from gadget
searches, and is able to be nested within object Symtbls.

Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>