| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Signed-off-by: Malfurious <m@lfurio.us>
|
|
Signed-off-by: Malfurious <m@lfurio.us>
|
|
Signed-off-by: Malfurious <m@lfurio.us>
|
|
Signed-off-by: Malfurious <m@lfurio.us>
|
|
These patches correct some issues I've run into using the interactive
workflow in Sploit during picoCTF.
* sploit/interactive-fixes:
sploit: Allow multiple reads in Comm.readall_nonblock()
sploit: Fix units for Comm.timeout
|
|
Due to line buffering, we may often trigger a burst of data to be sent
by the target, but resolve the non-blocking read only after the first
line is received. We would like to wait just a little longer to receive
the entire burst instead.
readall_nonblock() will now reset its timeout period whenever any data
becomes readable and will not return until we go an entire period of
silence. Under normal conditions, the full duration of readall_nonblock
should barely be any longer than the defined period itself.
Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
select's poll.poll() function expects its timeout argument to be in
milliseconds. This is an artifact from earlier developent where we were
using the higher-level 'selectors' API, which never got merged.
Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
Add indirection to arch access
* tag 'pull-sploit-arch-fix' of https://github.com/Dusoleil/lib-des-gnux:
Add indirection to arch access
|
|
* malf-pico-2022:
picoCTF 2022 results
Add signal and coredump tips to gdb document
Add writeup for picoCTF 2022 / unpackme
Add writeup for picoCTF 2022 / Eavesdrop
Add writeup for picoCTF 2022 / Wizardlike
|
|
Signed-off-by: Malfurious <m@lfurio.us>
|
|
Signed-off-by: Malfurious <m@lfurio.us>
|
|
Signed-off-by: Malfurious <m@lfurio.us>
|
|
Signed-off-by: Malfurious <m@lfurio.us>
|
|
Signed-off-by: Malfurious <m@lfurio.us>
|
|
Add a layer of indirection to access the active arch config.
Currently when importing sploit.arch.arch, the name will be bound to
whatever the current reference is and won't follow if another module
(user script) updates the reference in sploit.arch. A layer of
indirection seemlessly solves that issue and also provides a cleaner
interface for setting the active arch from the user script.
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
The design/implementation of class Payload is updated for better
compatibility with Symtbl, and to address some usability issues that
have come up so far:
No more automatically fixed-up stack alignment by default: In fact,
alignment as a concept is fully removed from the tool, in preparation
for another upcoming ROP-centric addon to Payload. Therefore, insertion
of return addresses (via .ret()) are now equivalent to any other integer
value.
No instance size value: Each call to .pad() uses an independent size
passed as a parameter, but functions in the same manor as before.
Padding can also now be inserted at the beginning of the payload:
.pad_front() prepends the necessary amount of data, and updates the
tracked offsets of values that were already inserted to the payload.
Payload now directly extends Symtbl: Instead of possessing a Symtbl
member, payload objects can directly be treated as symbol tables for
things like mounting them as subtables, or mapping them to access
absolute addresses.
New call syntax to access binary data: As a shorthand, users may now
use the call syntax to get the bytes string built by the tool. If an
argument is passed, it is another byte string containing illegal bytes
that we check the built payload for. Unfortunately, the __str__ magic
func doesn't like returning bytes string; plus, that overload is already
in use for formatting the symbol table content (worth not hiding).
New semantic insertion functions: .bin(), .str() [C-style strings],
.int(), .ret(), and more. Some of these functions are direct synonyms,
however their use can provide more clarity in Sploit scripts.
Smarter default element symbol names: Instead of just using '_' as a
placeholder if no symbol name is ever given, we now uniquely name each
inserted element according to the API function that was used, then slap
on an incrementing number. An explicit name still bypasses this scheme.
Insertion functions can now be chained together: Functions previously
returned the offset/address of the inserted value. However, this
feature was seldom used, and there is now the possibility of
.pad_front() invalidating previously-returned offsets. Instead,
functional-style chaining is enabled to reduce boilerplate, and help
with quick oneliners.
Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
Fixes some problems found in the Sploit Symtbl module, and includes some
additional cleanup suggested by dusoleil.
* sploit/symtbl-retcon:
sploit: Clean up use of __getattribute__
sploit: Fix bugs and simplify Symtbl
|
|
__getattribute__ is the low-level magic func and will intercept every
attribute lookup, whereas __getattr__ is high-level, and is only invoked
in specific conditions (such as __getattribute__'s failure).
As such, any overload of __getattribute__ which preferentially falls
back to object.__getattribute__() before serving a request, can more
simply be replaced by a __getattr__ overload without the fallback.
Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
The recent implementation of the new design for Symtbl contained a few
bugs:
- Attempting to access .base on a Symtbl or intermediate
__InnerTable__ caused an exception.
- Symtbl objects all used the same static collection of nested
subtables, rather than an instanced one. If two table objects
contained the same named key, they would refer to the same
nested table from both locations.
- Printing the contents of a table accessed via an absolute
nesting (aka: via an __InnerTable__ object) would not show the
offsets adjusted for the curent context.
In addition to these fixes, the class implementation is largely
simplified as well. This is in part due to the removal of unnecessary
logic, such as the way our __getattribute__ overloads were implemented.
Mainly, this came down to merging the redundant abstractions in our
original design.
Over time, the differences between these interfaces became blurred to
the point where simply reusing one is not at all problematic. It is
very much the intent of this patch to preserve the semantics of the
tool's design (that being: flexable, nestable tables, to which a
separate, but linked, mapped view may be obtained), but to state it as
cleanly as possible.
Note that all of the working state of a Symtbl is kept in its new
_namesp member. This is primarily done to enable subclassing the Symtbl
class. Ordinarily, setattr() on self would force the incoming value
into the actual symbol table, making it impossible for subclasses to
store separate instance data. Furthermore, the consolidation of
properties into this object creates fewer potential collisions with
user-defined symbols.
Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
Add rev for basic reverse engineering
* tag 'pull-sploit-rev' of https://github.com/Dusoleil/lib-des-gnux:
sploit: Move __attr_filter__ to a general place in util
sploit: Filter all magic python members by default in mem module
sploit: add stack base pointer to locals symtbl
sploit: print hex of addresses in rev logs
sploit: add status logging to rev module
sploit: lazy load libs for ELF
sploit: cache results of external commands
sploit: add the rest of r2 functions through elf
sploit: typo fix in rev.r2
sploit: cache ELF loads
sploit: add ELF helper class to rev
sploit: consolidate r2 symbol search calls
sploit: fix r2 module syntax error
sploit: reverse direction of r2 get_locals offsets
sploit: add r2 funcionality to rev module
sploit: add ldd ability to rev module
sploit: add rev module to sploit
|
|
This branch addresses some user experience issues when attempting to use
Sploit interactively, in the Python REPL (or iPython).
In particular:
- Target output is more responsive
- Setting up io plumbing is simplified
* sploit/repl-qol:
sploit: Clean up function Comm.interact()
sploit: Add function popen()
sploit: Add Comm property 'readonwrite'
sploit: Add function Comm.readall_nonblock()
|
|
The previous patches in this series have needed to utilize similar logic
as Comm.interact() throughout other parts of the Comm class. This patch
just revisits .interact() to clean up redundant code.
Co-authored-by: dusoleil <howcansocksbereal@gmail.com>
Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
This is a free-function in the comm module, intended to help setup
Sploit plumbing when working in the Python interactive interpreter.
At the moment, the intended user experience in the interpreter is to err
on the side of being interactive/responsive. As such, the Comm object
returned from popen() is initialized with overridden IO settings to
prefer 'readonwrite' by default. Addtionally, any early output from the
target is also read, so that it may be immediately visible.
A consequence of this configuration is that, until readonwrite is set
False, most target output will be consumed before any .read* function
has a chance to return it. While that would be a hard showstopper for
any Sploit script, an interactive user can simply copy/paste any
important data that is produced. Given that the interpreter workflow is
likely going to be most useful for quick prototyping and recon with the
proposed rev module, I consider this tradeoff appropriate at the moment,
but will consider revisiting this if its usage is problematic.
Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
If readonwrite is set to True (default False), Sploit will catch up and
read all available stdin data from the target in a non-blocking fashion.
If logonread is also set to True, this data will immediately be
presented to the user whenever data is sent, but is otherwise lost (not
returned).
This mode is primarily intended for use in the interactive Python
interpreter, where it can be cumbersome to keep alternating read and
write calls when one does not care to actually record the read values.
Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
Function should consume all available incoming data from target and
return it, however will return 'immediately' (according to a
configurable timeout) if the pipe is empty.
Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
Found a spot to use __attr_filter__ in the rev module, so moving it out
of mem and into a shared place (util).
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
In the various __getattribute__() overloads in the mem module, we should
filter all of the built-in magic members to do the default
object.__getattribute__() behavior. This is opposed to the earlier
stance of just caring about the ones that I saw as realistically being
called.
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
rather than cacheing ELF instantiations, just cache the results of
external commands
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
expose the rest of the rev.r2 capabilities through rev.elf
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
accidentally left the argument as "elf" instead of "binary" and had the
arguments in the wrong order
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
With recursive ELF loads, there is the possibility of loading in a heavy
ELF (like libc) multiple times. Hiding instantiation of the class
behind a factory method and caching instances should eliminate this
problem.
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
Create a class which encapsulates some basic information about an ELF
file and provides a convenient interface for basic reverse engineering.
In particular, ELF automatically loads the symbol table of the given elf
file and recursively creates ELF objects for any linked libraries.
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
Consolidate some of the r2 calls that get combined to create the symbol
list. Instead of doing multiple calls with different greps within
radare2, just do a single call and search it in the python side. This
gives us a slight, but noticeable performance increase.
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
forgot to remove the r2 namespace from the calls from back when it was
implemented differently
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
rev.r2's get_locals() function returns a Symtbl of offsets representing
the local variables on in a stack frame of a particular function. The
offsets returned by r2 are based around the base of the stack, but they
are increasing in value as they grow from the stack. To properly model
memory, they should decrease in value as they grow from the stack.
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
Add an r2 module with several helper functions that do a number of
simple reverse engineering tasks to aid in writing simple sploit
scripts. The functions in this module invoke radare2 to accomplish their
tasks.
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
add helper function to invoke ldd to get a list of libraries that will
be linked to a given ELF
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
https://github.com/Dusoleil/lib-des-gnux
Redesign mem module
* tag 'pull-sploit-symtbl-redesign' of https://github.com/Dusoleil/lib-des-gnux:
sploit: Add support for nested Symtbls
sploit: Instantiate Memmap with integer offset
sploit: remove length calculation from Symtbl
sploit: code reuse for mem string methods
sploit: add len func to mem
sploit: move adjust and rebase into member funcs
Add adjust and rebase functions to mem module
sploit: Add string cast for Symtbl and Memmap
sploit: Split Symtbl funcionality with Memmap
|
|
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
length() fails on local stack frames (where it was originally intended
to be useful) when register based locals (like arguments) are present.
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
len() will calculate the length of the symtbl in bytes rather than the
number of symbols
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
Add the ability to shift all Symtbl offsets by a fixed amount with
adjust().
Add the ability to shift all Symtbl offsets so that a designated symbol
is now at offset 0 and all other symbols maintain their relative offsets
to that symbol with rebase().
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
