summaryrefslogtreecommitdiffstats
path: root/docs/writeups/ImaginaryCTF_2021
diff options
context:
space:
mode:
authorMalfurious <m@lfurio.us>2022-03-16 04:11:11 -0400
committerMalfurious <m@lfurio.us>2022-03-17 03:58:41 -0400
commit6a617f6dea973862fc88fdbdbbf9c7afed44de62 (patch)
tree9e954ae6e7e5cde322e418473c6280b06bf16607 /docs/writeups/ImaginaryCTF_2021
parentc557d154b49eb76ddc955e9fa023bf4d7f3bb5b5 (diff)
downloadlib-des-gnux-6a617f6dea973862fc88fdbdbbf9c7afed44de62.tar.gz
lib-des-gnux-6a617f6dea973862fc88fdbdbbf9c7afed44de62.zip
sploit: Rework payload builder
The design/implementation of class Payload is updated for better compatibility with Symtbl, and to address some usability issues that have come up so far: No more automatically fixed-up stack alignment by default: In fact, alignment as a concept is fully removed from the tool, in preparation for another upcoming ROP-centric addon to Payload. Therefore, insertion of return addresses (via .ret()) are now equivalent to any other integer value. No instance size value: Each call to .pad() uses an independent size passed as a parameter, but functions in the same manor as before. Padding can also now be inserted at the beginning of the payload: .pad_front() prepends the necessary amount of data, and updates the tracked offsets of values that were already inserted to the payload. Payload now directly extends Symtbl: Instead of possessing a Symtbl member, payload objects can directly be treated as symbol tables for things like mounting them as subtables, or mapping them to access absolute addresses. New call syntax to access binary data: As a shorthand, users may now use the call syntax to get the bytes string built by the tool. If an argument is passed, it is another byte string containing illegal bytes that we check the built payload for. Unfortunately, the __str__ magic func doesn't like returning bytes string; plus, that overload is already in use for formatting the symbol table content (worth not hiding). New semantic insertion functions: .bin(), .str() [C-style strings], .int(), .ret(), and more. Some of these functions are direct synonyms, however their use can provide more clarity in Sploit scripts. Smarter default element symbol names: Instead of just using '_' as a placeholder if no symbol name is ever given, we now uniquely name each inserted element according to the API function that was used, then slap on an incrementing number. An explicit name still bypasses this scheme. Insertion functions can now be chained together: Functions previously returned the offset/address of the inserted value. However, this feature was seldom used, and there is now the possibility of .pad_front() invalidating previously-returned offsets. Instead, functional-style chaining is enabled to reduce boilerplate, and help with quick oneliners. Signed-off-by: Malfurious <m@lfurio.us> Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
Diffstat (limited to '')
0 files changed, 0 insertions, 0 deletions