From d673d458922b640ca3f384288356a33a308cdc9b Mon Sep 17 00:00:00 2001 From: Malfurious Date: Sat, 28 May 2022 01:10:05 -0400 Subject: sploit: payload: Allow variadic insertions Often times, users of the Payload module wish to push a list of integers to a payload buffer. Currently, the best (and intended) way to do this is to make several calls to .int(). However, as part of the ROP effort, I am planning to add function 'gadget(addr, *params)' to the Payload class. Per the design of this function, calling it with an expanded list of values would be equivalent to passing each to .int() individually. In order to discourage the use of .gadget(), as a shortcut to a series of .int()s, .int(), and most other insertion functions, now accept arbitrarily many value arguments. Functions that support additional options (such as .int()'s 'signed' parameter) will apply such options to all values. If a symbol name is defined, it will reference the beginning of the block of values. Keep in mind, this will also allow inserting zero values. For example, obj.bin(sym='end') will tag the end of the payload without extending its content. This use-case is not intended to be particularly useful, but exists as a consequence of the change. Payload.rep() and the pad functions are not affected by this commit, as I don't think changing their semantics in this way makes sense. Signed-off-by: Malfurious Signed-off-by: dusoleil --- tools/sploit/sploit/payload.py | 28 +++++++++++++++------------- 1 file changed, 15 insertions(+), 13 deletions(-) diff --git a/tools/sploit/sploit/payload.py b/tools/sploit/sploit/payload.py index 9fab65e..43f58c6 100644 --- a/tools/sploit/sploit/payload.py +++ b/tools/sploit/sploit/payload.py @@ -38,28 +38,30 @@ class Payload(Symtbl): self._namesp.payload = value + self._namesp.payload return self - def bin(self, value, sym=None): - return self.__append(value, sym or self.__name('bin')) + def bin(self, *values, sym=None): + return self.__append(b''.join(values), sym or self.__name('bin')) - def str(self, value, sym=None): - return self.bin(value.encode()+b'\x00', sym or self.__name('str')) + def str(self, *values, sym=None): + values = [ v.encode() + b'\x00' for v in values ] + return self.bin(*values, sym=(sym or self.__name('str'))) - def int(self, value, sym=None, signed=False): - return self.bin(itob(value, signed=signed), sym or self.__name('int')) + def int(self, *values, sym=None, signed=False): + values = [ itob(v, signed=signed) for v in values ] + return self.bin(*values, sym=(sym or self.__name('int'))) - def ret(self, value, sym=None): - return self.int(value, sym or self.__name('ret')) + def ret(self, *values, sym=None): + return self.int(*values, sym=(sym or self.__name('ret'))) - def sbp(self, value=None, sym=None): - if value is None: + def sbp(self, *values, sym=None): + if len(values) == 0: return self.rep(self.MAGIC, arch.wordsize, sym or self.__name('sbp')) - return self.int(value, sym or self.__name('sbp')) + return self.int(*values, sym=(sym or self.__name('sbp'))) def rep(self, value, size, sym=None): - return self.bin(self.__rep_helper(value, size), sym or self.__name('rep')) + return self.bin(self.__rep_helper(value, size), sym=(sym or self.__name('rep'))) def pad(self, size, value=None, sym=None): - return self.bin(self.__pad_helper(size, value), sym or self.__name('pad')) + return self.bin(self.__pad_helper(size, value), sym=(sym or self.__name('pad'))) def pad_front(self, size, value=None, sym=None): return self.__prepend(self.__pad_helper(size, value), sym or self.__name('pad')) -- cgit v1.2.3