<feed xmlns='http://www.w3.org/2005/Atom'>
<title>nsploit/sploit/rev, branch v0.4</title>
<subtitle>Process interaction tool for software exploitation</subtitle>
<link rel='alternate' type='text/html' href='http://normalmode.org/malf/nsploit/'/>
<entry>
<title>r2: Don't return duplicate gadgets in gadget search</title>
<updated>2023-03-24T07:50:55+00:00</updated>
<author>
<name>dusoleil</name>
<email>howcansocksbereal@gmail.com</email>
</author>
<published>2023-03-23T08:07:28+00:00</published>
<link rel='alternate' type='text/html' href='http://normalmode.org/malf/nsploit/commit/?id=61971e65dd280c84e4c4e06e86f0c4ba1aed03aa'/>
<id>61971e65dd280c84e4c4e06e86f0c4ba1aed03aa</id>
<content type='text'>
Signed-off-by: dusoleil &lt;howcansocksbereal@gmail.com&gt;
Reviewed-by: Malfurious &lt;m@lfurio.us&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Signed-off-by: dusoleil &lt;howcansocksbereal@gmail.com&gt;
Reviewed-by: Malfurious &lt;m@lfurio.us&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>r2: Get all relocs that have a name</title>
<updated>2023-03-23T12:19:34+00:00</updated>
<author>
<name>dusoleil</name>
<email>howcansocksbereal@gmail.com</email>
</author>
<published>2023-03-23T12:19:34+00:00</published>
<link rel='alternate' type='text/html' href='http://normalmode.org/malf/nsploit/commit/?id=e313b0eb10278ddc3cfdb42baa100fa8f60aba61'/>
<id>e313b0eb10278ddc3cfdb42baa100fa8f60aba61</id>
<content type='text'>
Originally I was deciding whether to get a reloc based on the type.  I'm
not sure what SET_64 vs ADD_64 means, but the SET* types seemed to be
the only symbols we care about.  After running into a binary where a
SET* symbol didn't have a name (and crashed sploit), I have decided to
filter on that instead.

Signed-off-by: dusoleil &lt;howcansocksbereal@gmail.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Originally I was deciding whether to get a reloc based on the type.  I'm
not sure what SET_64 vs ADD_64 means, but the SET* types seemed to be
the only symbols we care about.  After running into a binary where a
SET* symbol didn't have a name (and crashed sploit), I have decided to
filter on that instead.

Signed-off-by: dusoleil &lt;howcansocksbereal@gmail.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>rev: Use json output for get_bin_info()</title>
<updated>2023-03-23T07:45:20+00:00</updated>
<author>
<name>dusoleil</name>
<email>howcansocksbereal@gmail.com</email>
</author>
<published>2023-03-23T07:45:20+00:00</published>
<link rel='alternate' type='text/html' href='http://normalmode.org/malf/nsploit/commit/?id=f388499a625af89e56669a8c76c65da21a7c1b1a'/>
<id>f388499a625af89e56669a8c76c65da21a7c1b1a</id>
<content type='text'>
Grabbing the json and returning that dict directly avoids all of the
processing we were doing before.  I also added in a small, temporary
band-aid for PE files until we add actual support for them.  The 'relro'
key doesn't exist on PE files, so just default it to '' in ELF.

Signed-off-by: dusoleil &lt;howcansocksbereal@gmail.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Grabbing the json and returning that dict directly avoids all of the
processing we were doing before.  I also added in a small, temporary
band-aid for PE files until we add actual support for them.  The 'relro'
key doesn't exist on PE files, so just default it to '' in ELF.

Signed-off-by: dusoleil &lt;howcansocksbereal@gmail.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>r2: Rewrite get_elf_symbols()</title>
<updated>2023-03-23T07:23:18+00:00</updated>
<author>
<name>dusoleil</name>
<email>howcansocksbereal@gmail.com</email>
</author>
<published>2023-03-23T07:23:18+00:00</published>
<link rel='alternate' type='text/html' href='http://normalmode.org/malf/nsploit/commit/?id=382737c817a172a03b054bcc447437019eabcfb3'/>
<id>382737c817a172a03b054bcc447437019eabcfb3</id>
<content type='text'>
This addresses a couple issues with get_elf_symbols().

First of all, we can greatly simplify our processing of the r2 output by
getting back json instead of trying to do string processing on their
pretty-printed tables.  This resolves a number of issues we were running
into and also makes the code way more maintainable.

Second, we have reevaluated what we actually want to get out of r2.  We
now grab section offsets, all FUNC, OBJ, and NOTYPE symbols, and all
strings.  The strings and section offsets no longer try to escape
special characters and sometimes aren't accessible through normal object
attributes, but now that we have dictionary subscripting, this isn't an
issue.

Lastly, a few subsets of the symbols are separated into their own tables
and added to the main table as subtables.  Sections are located at
sym.sect and offset at 0.  Imported symbols are located at sym.imp and are
offset at sect['.plt'].  Relocations are located at sym.rel and are offset at
sect['.got'].  Strings are located at sym.str and are offset at
sect['.rodata'].

Signed-off-by: dusoleil &lt;howcansocksbereal@gmail.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This addresses a couple issues with get_elf_symbols().

First of all, we can greatly simplify our processing of the r2 output by
getting back json instead of trying to do string processing on their
pretty-printed tables.  This resolves a number of issues we were running
into and also makes the code way more maintainable.

Second, we have reevaluated what we actually want to get out of r2.  We
now grab section offsets, all FUNC, OBJ, and NOTYPE symbols, and all
strings.  The strings and section offsets no longer try to escape
special characters and sometimes aren't accessible through normal object
attributes, but now that we have dictionary subscripting, this isn't an
issue.

Lastly, a few subsets of the symbols are separated into their own tables
and added to the main table as subtables.  Sections are located at
sym.sect and offset at 0.  Imported symbols are located at sym.imp and are
offset at sect['.plt'].  Relocations are located at sym.rel and are offset at
sect['.got'].  Strings are located at sym.str and are offset at
sect['.rodata'].

Signed-off-by: dusoleil &lt;howcansocksbereal@gmail.com&gt;
</pre>
</div>
</content>
</entry>
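The three r2 commits above (JSON-based get_elf_symbols with sect/imp/rel/str subtables, get_bin_info returning the iIj dict with 'relro' defaulted for PE, and filtering relocs on the presence of a name) describe one data structure. The following is an added example, not nsploit's own code: it builds an equivalent table from hand-constructed records shaped like radare2's iIj, iSj, isj, irj and izj JSON output (addresses are made up, and the Symtbl class and field choices are this example's assumptions, not the project's API).

```python
import json


class Symtbl:
    """Name to offset map with a base address. Indexing returns base + offset
    for plain entries and the nested table itself for subtables, so applying
    a leak is a single assignment to .base."""

    def __init__(self, base=0, entries=None):
        self.base = base
        self.entries = dict(entries or {})

    def __getitem__(self, name):
        val = self.entries[name]
        return val if isinstance(val, Symtbl) else self.base + val

    def __contains__(self, name):
        return name in self.entries


# Constructed sample r2 output for a small non-PIC x86-64 ELF (not a real binary).
IIJ_ELF = json.dumps({"arch": "x86", "bits": 64, "baddr": 0x400000, "pic": False,
                      "nx": True, "canary": False, "relro": "partial"})
IIJ_PE = json.dumps({"arch": "x86", "bits": 64, "baddr": 0x140000000, "pic": True,
                     "nx": True, "canary": True})   # PE: no 'relro' key at all
ISJ = json.dumps([
    {"name": ".plt",    "vaddr": 0x401020, "perm": "-r-x"},
    {"name": ".text",   "vaddr": 0x401100, "perm": "-r-x"},
    {"name": ".rodata", "vaddr": 0x402000, "perm": "-r--"},
    {"name": ".got",    "vaddr": 0x403fd0, "perm": "-rw-"},
])
SYMJ = json.dumps([
    {"name": "main", "type": "FUNC",    "vaddr": 0x401136, "is_imported": False},
    {"name": "buf",  "type": "OBJ",     "vaddr": 0x404040, "is_imported": False},
    {"name": "_end", "type": "NOTYPE",  "vaddr": 0x404048, "is_imported": False},
    {"name": "gets", "type": "FUNC",    "vaddr": 0x401030, "is_imported": True},
    {"name": "note", "type": "SECTION", "vaddr": 0x400000, "is_imported": False},
])
IRJ = json.dumps([
    {"name": "gets", "type": "SET_64", "vaddr": 0x403fe0},
    {"name": "puts", "type": "SET_64", "vaddr": 0x403fe8},
    {"type": "ADD_64", "vaddr": 0x403ff0},      # nameless reloc: skip it, don't crash
])
IZJ = json.dumps([
    {"string": "/bin/sh", "vaddr": 0x402004},
    {"string": "%s",      "vaddr": 0x40200c},
])


def get_bin_info(iij):
    """Return r2's iIj dict directly; PE files carry no 'relro', so default it."""
    info = json.loads(iij)
    info.setdefault("relro", "")
    return info


def get_elf_symbols(isj, symj, irj, izj):
    """Main table: every FUNC/OBJ/NOTYPE symbol at its vaddr, plus subtables
    sect (base 0), imp (base .plt), rel (base .got) and str (base .rodata)."""
    sections = {s["name"]: s["vaddr"] for s in json.loads(isj)}
    syms = {s["name"]: s["vaddr"] for s in json.loads(symj)
            if s["type"] in ("FUNC", "OBJ", "NOTYPE")}
    sect = Symtbl(0, sections)
    imp = Symtbl(sect[".plt"], {s["name"]: s["vaddr"] - sect[".plt"]
                                for s in json.loads(symj) if s["is_imported"]})
    # Filter relocs on having a name rather than on the SET_*/ADD_* type.
    rel = Symtbl(sect[".got"], {r["name"]: r["vaddr"] - sect[".got"]
                                for r in json.loads(irj) if r.get("name")})
    strs = Symtbl(sect[".rodata"], {s["string"]: s["vaddr"] - sect[".rodata"]
                                    for s in json.loads(izj)})
    syms.update(sect=sect, imp=imp, rel=rel, str=strs)
    return Symtbl(0, syms)
```

Because each subtable stores offsets relative to its own section, sym["rel"]["puts"] still resolves to the GOT slot after the base moves, and the nameless ADD_64 record is simply absent from sym["rel"] instead of raising a KeyError.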
<entry>
<title>r2: limit gadget search to exec privilege sections</title>
<updated>2023-03-19T13:26:08+00:00</updated>
<author>
<name>dusoleil</name>
<email>howcansocksbereal@gmail.com</email>
</author>
<published>2023-03-19T13:26:08+00:00</published>
<link rel='alternate' type='text/html' href='http://normalmode.org/malf/nsploit/commit/?id=e4793b798fe84c856c76817814b3867d3ce7b85e'/>
<id>e4793b798fe84c856c76817814b3867d3ce7b85e</id>
<content type='text'>
Signed-off-by: dusoleil &lt;howcansocksbereal@gmail.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Signed-off-by: dusoleil &lt;howcansocksbereal@gmail.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>rev: Normalize the reported offset of found gadgets</title>
<updated>2023-03-19T08:19:21+00:00</updated>
<author>
<name>Malfurious</name>
<email>m@lfurio.us</email>
</author>
<published>2023-03-19T01:21:44+00:00</published>
<link rel='alternate' type='text/html' href='http://normalmode.org/malf/nsploit/commit/?id=31ef0e9a7a67ba3c361e72d279ae84b9285fb470'/>
<id>31ef0e9a7a67ba3c361e72d279ae84b9285fb470</id>
<content type='text'>
ROP gadgets returned through search from the r2 API will now always
contain a file-relative offset, even if they come from a non-pic binary
using a fixed baddr.

However, gadgets returned through the ELF API will be mapped according
to the ELF's Symtbl.  This ensures the correct offset is returned
following a library leak, and allows the user to always safely insert an
ELF-returned gadget into that ELF's Symtbl without issue.

Signed-off-by: Malfurious &lt;m@lfurio.us&gt;
Signed-off-by: dusoleil &lt;howcansocksbereal@gmail.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
ROP gadgets returned through search from the r2 API will now always
contain a file-relative offset, even if they come from a non-pic binary
using a fixed baddr.

However, gadgets returned through the ELF API will be mapped according
to the ELF's Symtbl.  This ensures the correct offset is returned
following a library leak, and allows the user to always safely insert an
ELF-returned gadget into that ELF's Symtbl without issue.

Signed-off-by: Malfurious &lt;m@lfurio.us&gt;
Signed-off-by: dusoleil &lt;howcansocksbereal@gmail.com&gt;
</pre>
</div>
</content>
</entry>
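The gadget-related commits in this feed (don't return duplicate gadgets, limit the search to executable sections, and report file-relative offsets that an ELF-level API then maps through its Symtbl) combine into the small pipeline below. This is an added example, not nsploit's own code: the section and gadget records are hand-constructed in the shape radare2 prints for iSj and /Rj (an assumption about that output, with made-up addresses), and the function names are this example's own.

```python
import json
from collections import namedtuple

Gadget = namedtuple("Gadget", "offset asm")

# Constructed sample: sections as r2 iSj reports them (vaddr/vsize/perm).
ISJ = json.dumps([
    {"name": ".text",   "vaddr": 0x401100, "vsize": 0x100, "perm": "-r-x"},
    {"name": ".rodata", "vaddr": 0x402000, "vsize": 0x100, "perm": "-r--"},
])
# Constructed sample: gadget hits shaped like r2 /Rj output. The first two
# hits are the same gadget reported twice; the third overlaps it (41 5f c3
# contains 5f c3); the last is a stray 0xc3 byte in non-executable .rodata.
RJ = json.dumps([
    {"retaddr": 0x401164, "size": 2, "opcodes": [
        {"offset": 0x401163, "opcode": "pop rdi"},
        {"offset": 0x401164, "opcode": "ret"}]},
    {"retaddr": 0x401164, "size": 2, "opcodes": [
        {"offset": 0x401163, "opcode": "pop rdi"},
        {"offset": 0x401164, "opcode": "ret"}]},
    {"retaddr": 0x401164, "size": 4, "opcodes": [
        {"offset": 0x401161, "opcode": "pop rsi"},
        {"offset": 0x401162, "opcode": "pop r15"},
        {"offset": 0x401164, "opcode": "ret"}]},
    {"retaddr": 0x402010, "size": 1, "opcodes": [
        {"offset": 0x402010, "opcode": "ret"}]},
])


def exec_ranges(isj):
    """(start, end) for every section whose permissions include execute."""
    return [(s["vaddr"], s["vaddr"] + s["vsize"])
            for s in json.loads(isj) if "x" in s["perm"]]


def find_gadgets(rj, isj, baddr):
    """Gadgets from an r2 /Rj result: only those starting in an executable
    section, de-duplicated by start address, and normalized to a
    file-relative offset by subtracting the bin's baddr (0 for PIC in r2)."""
    ranges = exec_ranges(isj)
    seen = {}
    for hit in json.loads(rj):
        start = hit["opcodes"][0]["offset"]
        if not any(start >= lo and hi > start for lo, hi in ranges):
            continue
        if start in seen:
            continue
        asm = "; ".join(op["opcode"] for op in hit["opcodes"])
        seen[start] = Gadget(start - baddr, asm)
    return sorted(seen.values())


def rebase(gadgets, base):
    """What an ELF-level API would hand back: each gadget mapped at `base`,
    i.e. the fixed baddr of a non-PIC executable or a leaked library load
    address, so the result can go straight into that ELF's symbol table."""
    return [Gadget(base + g.offset, g.asm) for g in gadgets]
```

With the sample input, find_gadgets returns two gadgets at offsets 0x1161 and 0x1163; rebasing with the non-PIC baddr 0x400000 gives the original 0x401163, while rebasing with a leaked address such as 0x555555554000 gives the runtime location without any further arithmetic by the caller.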
<entry>
<title>elf: Add docstrings</title>
<updated>2023-03-16T22:57:11+00:00</updated>
<author>
<name>dusoleil</name>
<email>howcansocksbereal@gmail.com</email>
</author>
<published>2023-03-16T22:57:11+00:00</published>
<link rel='alternate' type='text/html' href='http://normalmode.org/malf/nsploit/commit/?id=42ab380423553720a2a80d03dee68957e6f3b4ff'/>
<id>42ab380423553720a2a80d03dee68957e6f3b4ff</id>
<content type='text'>
Signed-off-by: dusoleil &lt;howcansocksbereal@gmail.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Signed-off-by: dusoleil &lt;howcansocksbereal@gmail.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>elf: Automatically lookup Arch on ELF construction</title>
<updated>2023-03-16T22:55:59+00:00</updated>
<author>
<name>dusoleil</name>
<email>howcansocksbereal@gmail.com</email>
</author>
<published>2023-03-16T22:55:59+00:00</published>
<link rel='alternate' type='text/html' href='http://normalmode.org/malf/nsploit/commit/?id=143f585b0e02ae87e0d383e27c48aa76745db51b'/>
<id>143f585b0e02ae87e0d383e27c48aa76745db51b</id>
<content type='text'>
Signed-off-by: dusoleil &lt;howcansocksbereal@gmail.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Signed-off-by: dusoleil &lt;howcansocksbereal@gmail.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>elf: Add bininfo to ELF under .info and .security</title>
<updated>2023-03-16T22:47:10+00:00</updated>
<author>
<name>dusoleil</name>
<email>howcansocksbereal@gmail.com</email>
</author>
<published>2023-03-16T22:47:10+00:00</published>
<link rel='alternate' type='text/html' href='http://normalmode.org/malf/nsploit/commit/?id=d0aee78d96aade08c8e6180a4b8f067c947cf20a'/>
<id>d0aee78d96aade08c8e6180a4b8f067c947cf20a</id>
<content type='text'>
On ELF construction, call r2.get_bin_info() and keep the results under
the pseudo-namespaces .info and .security.  Also add a pretty-print to
these in a tabulated form.  Also rewrite the ELF pretty-print to just
summarize and not print out the entirety of .sym.  Lastly, fixed a small
bug where ELF could crash on construction if ldd fails (loading a
non-native ELF, for instance).

Signed-off-by: dusoleil &lt;howcansocksbereal@gmail.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
On ELF construction, call r2.get_bin_info() and keep the results under
the pseudo-namespaces .info and .security.  Also add a pretty-print to
these in a tabulated form.  Also rewrite the ELF pretty-print to just
summarize and not print out the entirety of .sym.  Lastly, fixed a small
bug where ELF could crash on construction if ldd fails (loading a
non-native ELF, for instance).

Signed-off-by: dusoleil &lt;howcansocksbereal@gmail.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>r2: Use get_bin_info in get_elf_symbols</title>
<updated>2023-03-16T22:38:57+00:00</updated>
<author>
<name>dusoleil</name>
<email>howcansocksbereal@gmail.com</email>
</author>
<published>2023-03-16T22:38:57+00:00</published>
<link rel='alternate' type='text/html' href='http://normalmode.org/malf/nsploit/commit/?id=0bdf7d37fc2aa3cfc2fa02348f006996fa0bcce8'/>
<id>0bdf7d37fc2aa3cfc2fa02348f006996fa0bcce8</id>
<content type='text'>
Code reuse since we were using r2 iI in get_elf_symbols to get the
baddr.  This can cause get_bin_info to be called (and log that it's
being called) multiple times, so I'm also adding the @cache annotation.

Signed-off-by: dusoleil &lt;howcansocksbereal@gmail.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Code reuse since we were using r2 iI in get_elf_symbols to get the
baddr.  This can cause get_bin_info to be called (and log that it's
being called) multiple times, so I'm also adding the @cache annotation.

Signed-off-by: dusoleil &lt;howcansocksbereal@gmail.com&gt;
</pre>
</div>
</content>
</entry>
</feed>
