nsploit/sploit, branch v0.3 Process interaction tool for software exploitation r2: limit gadget search to exec privilege sections 2023-03-19T13:26:08+00:00 dusoleil howcansocksbereal@gmail.com 2023-03-19T13:26:08+00:00 e4793b798fe84c856c76817814b3867d3ce7b85e Signed-off-by: dusoleil <howcansocksbereal@gmail.com> 
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
builder: Add initial version of ROP chain tools 2023-03-19T10:14:10+00:00 Malfurious m@lfurio.us 2023-03-19T01:21:48+00:00 990fb887e08811ed0017045bd7064b244fa81285 Adds a ROP-enabled payload builder under the builder namespace. Much of the behavior is parameterized by the active arch, so several new columns are added to the Arch class. Signed-off-by: Malfurious <m@lfurio.us> Signed-off-by: dusoleil <howcansocksbereal@gmail.com> 
Adds a ROP-enabled payload builder under the builder namespace.  Much of
the behavior is parameterized by the active arch, so several new columns
are added to the Arch class.

Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
builder: Add rop gadget annotation class 2023-03-19T08:19:22+00:00 Malfurious m@lfurio.us 2023-03-19T01:21:47+00:00 218b5717802defe0218b1237bdfc21634582d502 This dataclass is intended to be used directly with the new ROP builder class. GadHints allow users to teach the library about gadgets it can not find on its own and how to use them correctly. Signed-off-by: Malfurious <m@lfurio.us> Signed-off-by: dusoleil <howcansocksbereal@gmail.com> 
This dataclass is intended to be used directly with the new ROP builder
class.  GadHints allow users to teach the library about gadgets it can
not find on its own and how to use them correctly.

Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
payload: Add method end() 2023-03-19T08:19:22+00:00 Malfurious m@lfurio.us 2023-03-19T01:21:46+00:00 088a85f6f25be9cc282a8d8295634ff8bbe22389 To determine the address of the end of a payload, based on its Symtbl data. I believe it makes the most sense to make this a part of the Payload API, since Symtbl lacks a concept of element size. Signed-off-by: Malfurious <m@lfurio.us> Signed-off-by: dusoleil <howcansocksbereal@gmail.com> 
To determine the address of the end of a payload, based on its Symtbl
data.  I believe it makes the most sense to make this a part of the
Payload API, since Symtbl lacks a concept of element size.

Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
Create new subpackage 'builder' 2023-03-19T08:19:22+00:00 Malfurious m@lfurio.us 2023-03-19T01:21:45+00:00 1ccdadce015abd4f57371168d2b3922716e9980d This is a package to contain the related Payload and ROP modules, as well as utility classes. Payload is moved into the new package. Signed-off-by: Malfurious <m@lfurio.us> Signed-off-by: dusoleil <howcansocksbereal@gmail.com> 
This is a package to contain the related Payload and ROP modules, as
well as utility classes.  Payload is moved into the new package.

Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
rev: Normalize the reported offset of found gadgets 2023-03-19T08:19:21+00:00 Malfurious m@lfurio.us 2023-03-19T01:21:44+00:00 31ef0e9a7a67ba3c361e72d279ae84b9285fb470 ROP gadgets returned through search from the r2 API will now always contain a file-relative offset, even if they come from a non-pic binary using a fixed baddr. However, gadgets returned through the ELF API will be mapped according to the ELF's Symtbl. This ensures the correct offset is returned following a library leak, and allows the user to always safely insert an ELF-returned gadget into that ELF's Symtbl without issue. Signed-off-by: Malfurious <m@lfurio.us> Signed-off-by: dusoleil <howcansocksbereal@gmail.com> 
ROP gadgets returned through search from the r2 API will now always
contain a file-relative offset, even if they come from a non-pic binary
using a fixed baddr.

However, gadgets returned through the ELF API will be mapped according
to the ELF's Symtbl.  This ensures the correct offset is returned
following a library leak, and allows the user to always safely insert an
ELF-returned gadget into that ELF's Symtbl without issue.

Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
symtbl: Support offset translation for int-like objects 2023-03-19T08:19:18+00:00 Malfurious m@lfurio.us 2023-03-19T01:21:43+00:00 205f828bd669772ee319595fa6792953f0abd327 This fixes a bug with Symtbl's __getitem__. An object that is convertable to int should also cause __getitem__ to behave as though an int was given, and translate the object as a foreign offset. Signed-off-by: Malfurious <m@lfurio.us> Signed-off-by: dusoleil <howcansocksbereal@gmail.com> 
This fixes a bug with Symtbl's __getitem__.  An object that is
convertable to int should also cause __getitem__ to behave as though an
int was given, and translate the object as a foreign offset.

Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
elf: Add docstrings 2023-03-16T22:57:11+00:00 dusoleil howcansocksbereal@gmail.com 2023-03-16T22:57:11+00:00 42ab380423553720a2a80d03dee68957e6f3b4ff Signed-off-by: dusoleil <howcansocksbereal@gmail.com> 
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
elf: Automatically lookup Arch on ELF construction 2023-03-16T22:55:59+00:00 dusoleil howcansocksbereal@gmail.com 2023-03-16T22:55:59+00:00 143f585b0e02ae87e0d383e27c48aa76745db51b Signed-off-by: dusoleil <howcansocksbereal@gmail.com> 
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
elf: Add bininfo to ELF under .info and .security 2023-03-16T22:47:10+00:00 dusoleil howcansocksbereal@gmail.com 2023-03-16T22:47:10+00:00 d0aee78d96aade08c8e6180a4b8f067c947cf20a On ELF construction, call r2.get_bin_info() and keep the results under the psuedo-namespaces .info and .security. Also add a pretty-print to these in a tabulated form. Also rewrite the ELF pretty-print to just summarize and not print out the entirety of .sym. Lastly, fixed a small bug where ELF could crash on construction if ldd fails (loading a non-native ELF, for instance). Signed-off-by: dusoleil <howcansocksbereal@gmail.com> 
On ELF construction, call r2.get_bin_info() and keep the results under
the psuedo-namespaces .info and .security.  Also add a pretty-print to
these in a tabulated form.  Also rewrite the ELF pretty-print to just
summarize and not print out the entirety of .sym.  Lastly, fixed a small
bug where ELF could crash on construction if ldd fails (loading a
non-native ELF, for instance).

Signed-off-by: dusoleil <howcansocksbereal@gmail.com>