nsploit/sploit, branch v0.4 Process interaction tool for software exploitation comm: Fix bug where readline thinks pipe is broken 2023-04-02T21:25:59+00:00 dusoleil howcansocksbereal@gmail.com 2023-04-02T21:25:59+00:00 3f5532857807d628a5dadaf5c30a384f873878ea We should strip the newline from the data after checking if we got an empty string returned. Signed-off-by: dusoleil <howcansocksbereal@gmail.com> 
We should strip the newline from the data after checking if we got an
empty string returned.

Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
Allow control of named pipe location via command-line 2023-04-01T02:23:34+00:00 Malfurious m@lfurio.us 2023-03-30T06:46:44+00:00 dd243d60cf75813812ac0115b6373b108b6b0ed8 Add the ability to select which location to create FIFOs when running in pipes mode, by passing the directory name to sploit where a target executable would usually go. This has been an API feature from the start, but not exposed via the sploit runner command-line interface. There are a couple new use-cases where this is very convenient, including scriptifying sploit in pipes mode (testing, for example) and when running sploit under Docker. If pipes are placed in the working directory, all project files can be shared with a single bind mount. Signed-off-by: Malfurious <m@lfurio.us> Signed-off-by: dusoleil <howcansocksbereal@gmail.com> 
Add the ability to select which location to create FIFOs when running in
pipes mode, by passing the directory name to sploit where a target
executable would usually go.  This has been an API feature from the start,
but not exposed via the sploit runner command-line interface.

There are a couple new use-cases where this is very convenient, including
scriptifying sploit in pipes mode (testing, for example) and when running
sploit under Docker.  If pipes are placed in the working directory, all
project files can be shared with a single bind mount.

Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
symtbl: Fix function docstring formatting 2023-04-01T02:23:30+00:00 Malfurious m@lfurio.us 2023-03-30T06:44:34+00:00 5b0e6af99723b362052c9f5bbba1743170848f8d Signed-off-by: Malfurious <m@lfurio.us> Signed-off-by: dusoleil <howcansocksbereal@gmail.com> 
Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
r2: Don't return duplicate gadgets in gadget search 2023-03-24T07:50:55+00:00 dusoleil howcansocksbereal@gmail.com 2023-03-23T08:07:28+00:00 61971e65dd280c84e4c4e06e86f0c4ba1aed03aa Signed-off-by: dusoleil <howcansocksbereal@gmail.com> Reviewed-by: Malfurious <m@lfurio.us> 
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
Reviewed-by: Malfurious <m@lfurio.us>
r2: Get all relocs that have a name 2023-03-23T12:19:34+00:00 dusoleil howcansocksbereal@gmail.com 2023-03-23T12:19:34+00:00 e313b0eb10278ddc3cfdb42baa100fa8f60aba61 Originally I was deciding whether to get a reloc based on the type. I'm not sure what SET_64 vs ADD_64 means, but the SET* types seemed to be the only symbols we care about. After running into a binary where a SET* symbol didn't have a name (and crashed sploit), I have decided to filter on that instead. Signed-off-by: dusoleil <howcansocksbereal@gmail.com> 
Originally I was deciding whether to get a reloc based on the type.  I'm
not sure what SET_64 vs ADD_64 means, but the SET* types seemed to be
the only symbols we care about.  After running into a binary where a
SET* symbol didn't have a name (and crashed sploit), I have decided to
filter on that instead.

Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
rev: Use json output for get_bin_info() 2023-03-23T07:45:20+00:00 dusoleil howcansocksbereal@gmail.com 2023-03-23T07:45:20+00:00 f388499a625af89e56669a8c76c65da21a7c1b1a Grabbing the json and returning that dict directly avoids all of the processing we were doing before. I also added in a small, temporary band-aid for PE files until we add actual support for them. The 'relro' key doesn't exist on PE files, so just default it to '' in ELF. Signed-off-by: dusoleil <howcansocksbereal@gmail.com> 
Grabbing the json and returning that dict directly avoids all of the
processing we were doing before.  I also added in a small, temporary
band-aid for PE files until we add actual support for them.  The 'relro'
key doesn't exist on PE files, so just default it to '' in ELF.

Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
r2: Rewrite get_elf_symbols() 2023-03-23T07:23:18+00:00 dusoleil howcansocksbereal@gmail.com 2023-03-23T07:23:18+00:00 382737c817a172a03b054bcc447437019eabcfb3 This addresses a couple issues with get_elf_symbols(). First of all, we can greatly simplify our processing of the r2 output by getting back json instead of trying to do string processing on their pretty-printed tables. This resolves a number of issues we were running into and also makes the code way more maintainable. Second, we have reevaluated what we actually want to get out of r2. We now grab section offsets, all FUNC, OBJ, and NOTYPE symbols, and all strings. The strings and section offsets no longer try to escape special characters and sometimes aren't accessible through normal object attributes, but now that we have dictionary subscripting, this isn't an issue. Lastly, a few subsets of the symbols are separated into their own tables and added to the main table as subtables. Sections are located at sym.sect and offset at 0. Imported symbols are located at sym.imp and are offset at sect['.plt']. Relocations are located at sym.rel and are offset at sect['.got']. Strings are located at sym.str and are offset at sect['.rodata']. Signed-off-by: dusoleil <howcansocksbereal@gmail.com> 
This addresses a couple issues with get_elf_symbols().

First of all, we can greatly simplify our processing of the r2 output by
getting back json instead of trying to do string processing on their
pretty-printed tables.  This resolves a number of issues we were running
into and also makes the code way more maintainable.

Second, we have reevaluated what we actually want to get out of r2.  We
now grab section offsets, all FUNC, OBJ, and NOTYPE symbols, and all
strings.  The strings and section offsets no longer try to escape
special characters and sometimes aren't accessible through normal object
attributes, but now that we have dictionary subscripting, this isn't an
issue.

Lastly, a few subsets of the symbols are separated into their own tables
and added to the main table as subtables.  Sections are located at
sym.sect and offset at 0.  Imported symbols are located at sym.imp and are
offset at sect['.plt'].  Relocations are located at sym.rel and are offset at
sect['.got'].  Strings are located at sym.str and are offset at
sect['.rodata'].

Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
symtbl: order symtbl iteration by offset 2023-03-22T15:18:07+00:00 dusoleil howcansocksbereal@gmail.com 2023-03-22T15:18:07+00:00 6c36678e2f75c3cf33bc48fa93ebdd577fc5c3d7 When iterating over a symtbl, the returned tuples should be sorted by offset. Signed-off-by: dusoleil <howcansocksbereal@gmail.com> 
When iterating over a symtbl, the returned tuples should be sorted by
offset.

Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
r2: limit gadget search to exec privilege sections 2023-03-19T13:26:08+00:00 dusoleil howcansocksbereal@gmail.com 2023-03-19T13:26:08+00:00 e4793b798fe84c856c76817814b3867d3ce7b85e Signed-off-by: dusoleil <howcansocksbereal@gmail.com> 
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
builder: Add initial version of ROP chain tools 2023-03-19T10:14:10+00:00 Malfurious m@lfurio.us 2023-03-19T01:21:48+00:00 990fb887e08811ed0017045bd7064b244fa81285 Adds a ROP-enabled payload builder under the builder namespace. Much of the behavior is parameterized by the active arch, so several new columns are added to the Arch class. Signed-off-by: Malfurious <m@lfurio.us> Signed-off-by: dusoleil <howcansocksbereal@gmail.com> 
Adds a ROP-enabled payload builder under the builder namespace.  Much of
the behavior is parameterized by the active arch, so several new columns
are added to the Arch class.

Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>