| field | value | date |
|---|---|---|
| author | Malfurious <m@lfurio.us> | 2022-03-16 04:11:11 -0400 |
| committer | Malfurious <m@lfurio.us> | 2022-03-17 03:58:41 -0400 |
| commit | 6a617f6dea973862fc88fdbdbbf9c7afed44de62 (patch) | |
| tree | 9e954ae6e7e5cde322e418473c6280b06bf16607 /docs/writeups/ImaginaryCTF_2021 | |
| parent | c557d154b49eb76ddc955e9fa023bf4d7f3bb5b5 (diff) | |
| download | lib-des-gnux-6a617f6dea973862fc88fdbdbbf9c7afed44de62.tar.gz lib-des-gnux-6a617f6dea973862fc88fdbdbbf9c7afed44de62.zip | |
sploit: Rework payload builder
The design/implementation of class Payload is updated for better
compatibility with Symtbl, and to address some usability issues that
have come up so far:

No more automatically fixed-up stack alignment by default: In fact,
alignment as a concept is fully removed from the tool, in preparation
for another upcoming ROP-centric addon to Payload. Therefore, insertion
of return addresses (via .ret()) is now equivalent to any other integer
value.

No instance size value: Each call to .pad() uses an independent size
passed as a parameter, but functions in the same manner as before.
Padding can also now be inserted at the beginning of the payload:
.pad_front() prepends the necessary amount of data, and updates the
tracked offsets of values that were already inserted to the payload.

Payload now directly extends Symtbl: Instead of possessing a Symtbl
member, payload objects can directly be treated as symbol tables for
things like mounting them as subtables, or mapping them to access
absolute addresses.

New call syntax to access binary data: As a shorthand, users may now
use the call syntax to get the bytes string built by the tool. If an
argument is passed, it is another byte string containing illegal bytes
that we check the built payload for. Unfortunately, the __str__ magic
func doesn't like returning bytes strings; plus, that overload is already
in use for formatting the symbol table content (worth not hiding).

New semantic insertion functions: .bin(), .str() [C-style strings],
.int(), .ret(), and more. Some of these functions are direct synonyms;
however, their use can provide more clarity in Sploit scripts.

Smarter default element symbol names: Instead of just using '_' as a
placeholder if no symbol name is ever given, we now uniquely name each
inserted element according to the API function that was used, then slap
on an incrementing number. An explicit name still bypasses this scheme.

Insertion functions can now be chained together: Functions previously
returned the offset/address of the inserted value. However, this
feature was seldom used, and there is now the possibility of
.pad_front() invalidating previously-returned offsets. Instead,
functional-style chaining is enabled to reduce boilerplate, and help
with quick oneliners.
Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
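The following is an added, self-contained illustration of the builder semantics the commit message describes (tracked element offsets, auto-generated symbol names, chaining, .pad_front() shifting earlier offsets, and the call syntax with an illegal-byte check). It is not sploit's own code and does not extend the real Symtbl; it keeps a plain dict of symbol offsets instead. The exact meaning of .pad(size) is an assumption here (append filler until the payload is `size` bytes long, and likewise for .pad_front()), and every address in the usage function is a constructed placeholder, not taken from any binary.

```python
import struct


class Payload:
    """Hypothetical payload builder modelled on the commit message.

    Not sploit's implementation: symbols are a plain dict of name -> offset,
    insertion methods return self for chaining, pad_front() shifts every
    existing offset, and calling the object yields the built bytes,
    optionally checked against a byte string of illegal values.
    """

    def __init__(self, wordsize=8, little_endian=True, filler=b'A'):
        self.fmt = ('<' if little_endian else '>') + {4: 'I', 8: 'Q'}[wordsize]
        self.wordsize = wordsize
        self.filler = filler
        self.symbols = {}   # symbol name -> offset from payload start
        self._elems = []    # (symbol name, bytes) in build order
        self._counts = {}   # per-API-function counters for default names

    def __len__(self):
        return sum(len(data) for _, data in self._elems)

    def _name(self, kind, sym):
        # Default names are '<api function><n>'; an explicit name bypasses this.
        if sym is not None:
            return sym
        n = self._counts.get(kind, 0)
        self._counts[kind] = n + 1
        return f"{kind}{n}"

    def _append(self, kind, data, sym):
        name = self._name(kind, sym)
        self.symbols[name] = len(self)
        self._elems.append((name, data))
        return self  # chaining instead of returning the offset

    def _pack(self, value):
        mask = (1 << (8 * self.wordsize)) - 1
        return struct.pack(self.fmt, value & mask)

    def _filler_bytes(self, n):
        return (self.filler * (n // len(self.filler) + 1))[:n]

    def bin(self, data, sym=None):
        return self._append('bin', bytes(data), sym)

    def str(self, s, sym=None):
        # C-style string: encoded and NUL-terminated.
        return self._append('str', s.encode() + b'\0', sym)

    def int(self, value, sym=None):
        return self._append('int', self._pack(value), sym)

    def ret(self, addr, sym=None):
        # A return address is just another integer: no alignment fix-up.
        return self._append('ret', self._pack(addr), sym)

    def pad(self, size, sym=None):
        # Assumed semantics: append filler until the payload is `size` bytes.
        need = size - len(self)
        if need < 0:
            raise ValueError(f"payload is already {len(self)} bytes, larger than {size}")
        return self._append('pad', self._filler_bytes(need), sym)

    def pad_front(self, size, sym=None):
        # Assumed semantics: prepend filler until the payload is `size` bytes,
        # shifting every previously tracked offset forward by the same amount.
        need = size - len(self)
        if need < 0:
            raise ValueError(f"payload is already {len(self)} bytes, larger than {size}")
        for name in self.symbols:
            self.symbols[name] += need
        name = self._name('pad_front', sym)
        self.symbols[name] = 0
        self._elems.insert(0, (name, self._filler_bytes(need)))
        return self

    def element_at(self, off):
        # Name of the element whose bytes cover the given offset.
        pos = 0
        for name, data in self._elems:
            if pos <= off < pos + len(data):
                return name
            pos += len(data)
        raise IndexError(off)

    def __call__(self, badbytes=None):
        # Call syntax returns the built bytes; an argument is a byte string of
        # illegal bytes, and the first hit is reported with its offset and element.
        built = b''.join(data for _, data in self._elems)
        if badbytes:
            for off, b in enumerate(built):
                if b in badbytes:
                    raise ValueError(f"illegal byte {b:#04x} at offset {off} (inside {self.element_at(off)})")
        return built


def example():
    # Constructed sample; the addresses are placeholders, not from any real binary.
    p = (Payload()
         .str("/bin/sh", sym='cmd')
         .pad(40)
         .ret(0x401136)
         .int(0xdeadbeef, sym='arg'))
    p.pad_front(64)  # prepends 8 bytes and shifts cmd/pad0/ret0/arg by 8
    return p
```

Calling `example()()` yields the 64-byte buffer, while `example()(b'\x00')` raises because the NUL terminator of `cmd` is an illegal byte; the error names the element so the offending insertion is easy to find.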
Diffstat (limited to '')
0 files changed, 0 insertions, 0 deletions