author | Malfurious <m@lfurio.us> | 2024-05-19 13:10:42 -0400 |
committer | Malfurious <m@lfurio.us> | 2025-01-02 03:47:03 -0500 |
commit | ff9ac12af3b8552464a6abac14cc6c4d45d223ae (patch) | |
tree | 7f1f30ffbbde100b2132903d6a111e75a1f6970d | |
parent | bdd36861f7ae3517da0dd2486bf72b47b5a52e02 (diff) | |
payload: Rework pointer to directly target another payload field
PayloadEntry pointer will no longer pre-compute its offset to target on
construction, but instead save a reference to the target field and
dynamically compute the pointer value on demand.
This has the restriction that pointer targets must now reside in the
same Payload object, at the same encapsulation level. However, pointers
will now dynamically react to their target's relocation due to padding
change or other field alterations.
When a pointer is generated, we now simply encode the address of the
target field as it currently stands at the time. A new property "math"
may be given a lambda function, which will have the chance to massage
this final pointer value before use.
Signed-off-by: Malfurious <m@lfurio.us>
-rw-r--r-- | sploit/payload/payload_entry.py | 18 |
1 files changed, 10 insertions, 8 deletions
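--- a/sploit/payload/payload_entry.py
+++ b/sploit/payload/payload_entry.py
@@ -41,21 +41,23 @@ class PayloadEntry(IndexEntry):
 # Concrete payload entry definitions
 class pointer(PayloadEntry):
-    """Generate an integer which is always a fixed offset from self.base."""
+    """Generate an integer which tracks the address of another payload field."""
-    def __init__(self, target=None):
+    def __init__(self, target=None, math=None):
         self.target = target
-
-    def payload_insert(self, payload):
-        if self.target is None:
-            self.target = self.base
-        self.target -= self.base
+        self.math = math
     def payload_len(self, payload):
         return arch.wordsize
     def payload_bytes(self, payload):
-        return itob(self.target + self.base)
+        if self.target is None:
+            addr = self.base
+        else:
+            addr = payload[self.target]
+        if callable(self.math):
+            addr = self.math(addr)
+        return itob(addr)
 class padlen(PayloadEntry):
     """Generate padding to reach a target payload length."""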
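Review bot: A non-callable `math` is silently ignored by the `callable(self.math)` guard in the new `payload_bytes`, so a pointer constructed with, say, an integer offset where a lambda was intended emits the unadjusted address with no error; validating at construction is cheaper to debug, e.g. `if math is not None and not callable(math): raise TypeError("math must be callable")` in `__init__`. The restriction stated in the commit message (the target must live in the same Payload at the same encapsulation level) is not visible in the code, and `payload[self.target]` presumably raises whatever the Payload's item lookup raises for a foreign or missing key — the `__init__` or class docstring should state both the restriction and that `math` receives the resolved address and must return the value to encode. The parameter name `math` also shadows the stdlib module of the same name inside `__init__`, which is a minor style point. `pointer` is fully inside the hunk, but `padlen` starts here and continues outside it.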