Age  Commit message  Author  Files  Lines
2025-03-24  nsploit v0.5.1  (HEAD, v0.5.1, master)  Malfurious  1 file, -1/+1
Signed-off-by: Malfurious <m@lfurio.us>
2025-03-24  pyproject: Fix readme file definition  Malfurious  1 file, -1/+1
Since renaming the file to "README" (no file extension), the build backend can no longer automatically determine the file content type, so specify text/plain in pyproject.toml.

Signed-off-by: Malfurious <m@lfurio.us>
2025-03-24  nsploit v0.5.0  (v0.5.0)  Malfurious  1 file, -1/+1
Signed-off-by: Malfurious <m@lfurio.us>
2025-03-24  Rename README  Malfurious  2 files, -1/+1
Ditch the txt extension...

Signed-off-by: Malfurious <m@lfurio.us>
2025-03-24  Update documentation for new release  Malfurious  2 files, -123/+139
Signed-off-by: Malfurious <m@lfurio.us>
2025-03-24  lict: Fix typo in class docstring  Malfurious  1 file, -1/+1
Signed-off-by: Malfurious <m@lfurio.us>
2025-03-16  rev: r2: Fix imported symbol realnames  Malfurious  1 file, -1/+5
Radare2 commit 0fcffc4cbf5c ("Use raw symbol name in flatItem.realname instead of the flag name"), which first appeared in release 5.9.8, changes the value of "realname" for each of the object's imported symbols (PLTs). Previously, a symbol "imp.read" (for instance) would report a realname of "read". Now the "imp." prefix persists in this value, meaning a symbol lookup within nsploit like so would fail:

    binary.sym.imp.read
    binary.sym.imp['imp.read']  # The working lookup

To restore the previous behavior in nsploit, actively filter out the "imp." substring if it appears at the beginning of a symbol's realname value. Sploit adds this back in by embedding imported symbols in the "imp" subtable, as before.

Signed-off-by: Malfurious <m@lfurio.us>
2025-03-16  Import types modules into default script scope  Malfurious  1 file, -2/+3
I feel there is a good case for automatically providing scripts with nsploit's custom data container modules. These are typically used directly by a vast majority of exploit scripts.

__version__ does not need to be explicitly set in the user scope dictionary, as it comes from the "lib" import, so remove this line.

Signed-off-by: Malfurious <m@lfurio.us>
2025-03-16  symtbl: Move to types package  Malfurious  4 files, -2/+2
Move Symtbl to the types subpackage, where the other IndexTbl modules reside. This is a more logical home for this module since it represents more of a pure data storage type.

Signed-off-by: Malfurious <m@lfurio.us>
2025-03-16  Merge branch 'tech'  Malfurious  8 files, -12/+12
Breaks up the "payload" subpackage for a more logical project structure. A few modules have been appearing in the payload package which implement support for specific exploit techniques. These are moved to a new home in the "tech" subpackage. The remaining payload class and modules are moved into the "types" subpackage, as they extend from, and provide similar services as the content currently found there.

* tech:
  payload: Move to types package
  ret2dlresolve: Move to tech package
  fmtstring: Move to tech package
  rop: Move to new package tech
2025-03-16  payload: Move to types package  Malfurious  7 files, -9/+9
Move the payload modules into the types subpackage, since the Payload system largely functions as a domain-specific data type for nsploit. This removes the payload subpackage.

Signed-off-by: Malfurious <m@lfurio.us>
2025-03-16  ret2dlresolve: Move to tech package  Malfurious  3 files, -1/+1
Signed-off-by: Malfurious <m@lfurio.us>
2025-03-16  fmtstring: Move to tech package  Malfurious  3 files, -1/+1
Signed-off-by: Malfurious <m@lfurio.us>
2025-03-16  rop: Move to new package tech  Malfurious  5 files, -5/+5
Move the ROP modules into a new nsploit subpackage called "tech". This new package is designated for exploit technique implementations. In general, its contents should not be depended upon by the rest of the library.

Signed-off-by: Malfurious <m@lfurio.us>
2025-01-05  Remove Docker image  Malfurious  2 files, -27/+0
The original use-case for this feature is covered by an external tool.

Signed-off-by: Malfurious <m@lfurio.us>
2025-01-04  Merge branch 'nsploit'  Malfurious  32 files, -131/+90
Rename fork to nsploit and touch up project files. We switch from automatically obtaining version via git-describe to a static definition in pyproject.toml, to support more install use-cases.

* nsploit:
  Update pyproject file for nsploit
  Don't rely on git for version information
  main: Update ASCII banner for nsploit
  Rename sploit package to nsploit
2025-01-04  Update pyproject file for nsploit  Malfurious  1 file, -16/+9
Signed-off-by: Malfurious <m@lfurio.us>
2025-01-04  Don't rely on git for version information  Malfurious  4 files, -50/+16
The version information for the nsploit distribution is now defined in pyproject.toml, and we no longer attempt to obtain details via git-describe. As previously, the library version is made available via `nsploit.__version__`.

The main benefit of working this way is to allow a proper install of nsploit from a simple tarball of the source code, or even a shallow git clone. In each of these cases, tag information will not usually be present.

As an added feature over the previous system, nsploit will now report in its version string if the running version is from a source tree, rather than an installed copy.

Signed-off-by: Malfurious <m@lfurio.us>
2025-01-04  main: Update ASCII banner for nsploit  Malfurious  1 file, -3/+3
Signed-off-by: Malfurious <m@lfurio.us>
2025-01-04  Rename sploit package to nsploit  Malfurious  31 files, -55/+55
Rename all affected files, references to file paths, and module imports within the code. Since this line of development represents a fork from the original sploit, a name change is seen as necessary to distinguish the projects, as well as allow them to be installed side by side.

What does the "n" mean? Great question! You can think of it as meaning "new sploit" if you want, though that's not quite intended. The name is simply distinct and easy to pronounce. I had originally settled on "msploit" (something along the lines of "Malf's sploit"), but this name is too close to "metasploit" for me - and N is right next to it on the keyboard.

Signed-off-by: Malfurious <m@lfurio.us>
2025-01-02  rop: Add ret2dlresolve exploit module  Malfurious  2 files, -0/+227
Signed-off-by: Malfurious <m@lfurio.us>
2025-01-02  fmtstring: Add printf exploit module  Malfurious  2 files, -0/+179
Signed-off-by: Malfurious <m@lfurio.us>
2025-01-02  payload: Rework pointer to directly target another payload field  Malfurious  1 file, -8/+10
PayloadEntry pointer will no longer pre-compute its offset to target on construction, but instead save a reference to the target field and dynamically compute the pointer value on demand. This has the restriction that pointer targets must now reside in the same Payload object, at the same encapsulation level. However, pointers will now dynamically react to their target's relocation due to padding change or other field alterations.

When a pointer is generated, we now simply encode the address of the target field as it currently stands at the time. A new property "math" may be given a lambda function, which will have the chance to massage this final pointer value before use.

Signed-off-by: Malfurious <m@lfurio.us>
2025-01-02  payload: padalign reference property  Malfurious  1 file, -2/+3
Previously, the auto alignment tool would ensure that the next payload byte address was evenly divisible by the padding size, and nothing more. Users now have the added flexibility to specify a basis or "reference" address. The next payload byte address will then be an even multiple of the padding size away from this reference.

Signed-off-by: Malfurious <m@lfurio.us>
2025-01-02  payload: Separate length and bytes calculations  Malfurious  2 files, -33/+57
Previously, the len(payload) operation required the generation of the full payload binary content, in order to count how many bytes long it was. This is no longer the case, as there are opportunities for optimizations, primarily regarding fixed-length dynamic payload entries where we can simply grab the size parameter without having to generate a buffer.

In addition to potential speedups, this fix also allows the user to insert PayloadEntry pointers for fields which are not yet present in the payload being built (i.e., whenever the pointer is to exist before the pointed-to data). Whereas previously, the inability to generate the ill-formed pointer would break length calculations necessary to insert additional data.

Signed-off-by: Malfurious <m@lfurio.us>
2025-01-02  payload: Improve recursion performance  Malfurious  1 file, -14/+22
There is a small network of mutually-recursive helper functions which produce the main outputs for Payload objects (the length, bytes, etc.). The runtime performance of this code can suffer as a Payload grows to contain more and more items. These issues are heavily mitigated by implementing memoization within one of these functions (which propagates the benefit to the rest of the call tree). Memo dictionary is only used for a single operation (lifetime) to avoid the possibility of bad cached results.

Signed-off-by: Malfurious <m@lfurio.us>
2025-01-01  Merge branch 'indextbl'  Malfurious  11 files, -330/+826
This branch is a major semantic redesign of Symtbl and Payload. These two classes are now implemented as derivatives of the newly refactored IndexTbl mechanism. Necessary cascading changes have been made to keep these tools in working order.

* indextbl:
  payload: rop: Update for new Payload class
  Update ROP gadget types to extend IndexEntry
  payload: Refactor as a concrete IndexTbl
  lict: Add new list-dictionary hybrid type
  symtbl: Refactor abstract IndexTbl interface
2025-01-01  payload: rop: Update for new Payload class  Malfurious  1 file, -132/+113
This updates the ROP class to work with the new Payload changes. Its behavior should be largely the same, and I've taken the opportunity to touch up documentation.

The main change here is that we no longer extend the Payload class. Instead, each function constructs and returns a Payload representation of the generated ROP chain. These returned objects can easily be lumped into the Payload being built by a user script, or interrogated to help troubleshoot their use.

Signed-off-by: Malfurious <m@lfurio.us>
2025-01-01  Update ROP gadget types to extend IndexEntry  Malfurious  2 files, -44/+22
This leverages some code reuse and helps these types play nicely with the new Symtbl updates.

Signed-off-by: Malfurious <m@lfurio.us>
2025-01-01  payload: Refactor as a concrete IndexTbl  Malfurious  3 files, -86/+295
Payload is now an index table, wherein each index is a byte string (or compatible type). The retrieval of indices will return a corresponding offset or address of the indexed data (which is sensitive to the payload base). There is no longer a Symtbl member.

Due to this new design, the class no longer keeps a running payload buffer that is appended to every time the payload is updated. When the user wants to get the full data, this buffer is constructed from the Lict elements backing the payload. This allows individual elements to be modified or removed easily after they are inserted. The use of a Lict allows data elements to be referred to by either their positional array index, or the key specified when first creating that element (done using the IndexTbl interface).

Payload objects may now be directly nested inside each other, as opposed to simply taking a payload's bytes and inserting those. This allows payloads to be used in a way resembling C structures.

The type-specific insertion functions have been removed and we instead now lean on the __setindex__ interface inherited from IndexTbl to directly assign values and append them to the payload. In this case, values are taken as-is from the assignment if they are bytes-like, and automatically converted in some cases.

Payload's __call__ overload is now used to perform the quick, chainable, and inline value insertion that was lost by the removal of the type-specific functions. "Calling" a payload with zero arguments will still provide the old behavior of returning the payload bytes, however.

The semi-advanced features such as padding, alignment, and inserting placeholder bytes have been removed from the main payload interface and are now provided as compatible types that can be directly inserted into Payload via the means described above. In most cases, these are now implemented to dynamically react to changes in the Payload content. For example, a "padlen" element, which is constructed with a fixed target length parameter, will grow or shrink in length if the data preceding it changes.

Automatic "badbytes" detection is removed, simply due to API conflict. In my experience, this feature was little-used and can easily be done manually by scripts if desired. I don't plan to reintroduce this feature.

pad_front functionality is also removed by this patch, since at the moment it doesn't fit into the new design very well. We may attempt to reimplement it as a PayloadEntry down the road. However, this feature has also only seen rare use in my experience.

Signed-off-by: Malfurious <m@lfurio.us>
2025-01-01  lict: Add new list-dictionary hybrid type  Malfurious  2 files, -0/+203
Lict is a fairly fully-featured data structure which stores elements in a well ordered list, while offering opt-in support for per-element dictionary keys. This type is intended to be the new back-end storage for Payload data, but may have other use-cases as well. An OrderedDict is not a suitable replacement, as they do not permit unkeyed elements.

Signed-off-by: Malfurious <m@lfurio.us>
2025-01-01  symtbl: Refactor abstract IndexTbl interface  Malfurious  4 files, -68/+193
There are some useful concepts expressed in the Symtbl class that can provide good value if applied elsewhere as well. In this particular case, I want to address the somewhat awkward relationship between Symtbl and the Payload class by providing an abstract base for both of them. I will go into more details in an upcoming commit for Payload. This patch shouldn't change any behavior for Symtbl barring perhaps its new preference of the new IndexEntry type described below.

Some characteristics of Symtbl are refactored into two new interface types:

IndexEntry provides "base" and implements logic supporting the use of instance objects as integers. The intent is to extend from this class when creating special types to be used in IndexTbls, Symtbls, etc.

IndexTbl (extends IndexEntry) provides a unified system for attribute / element access, and acts as an abstract container where storage and lookup semantics are up to the specific implementation.

Symtbl (extends IndexTbl) is now better described as an Index table, where indices represent numeric addresses. The nominal data type is int, however IndexEntries (which are int-like) may be nested to record the addresses of ROP gadgets, sub-symtbls, and perhaps more in the future.

Signed-off-by: Malfurious <m@lfurio.us>
2025-01-01  Merge branch 'pkg-reorg'  Malfurious  19 files, -101/+101
This branch is a rework of nsploit's intended package imports. User scripts need only import a given nsploit subpackage to obtain that package's full collection of classes, functions, etc. This is the new intended style for exploit scripts. Along the way, some modules are reorganized into different packages, the "builder" package is renamed to "payload", and some unnecessary files are consolidated.

* pkg-reorg:
  main: Automatically provide top-level sploit modules to user scripts
  sploit: Expose modules' contents through package
  Remove extra "main.py" file
  comm: Promote from module to package
  log: Move to sploit.util package
  util: Promote from module to package
  builder: Rename package to payload and expose contents
  rev: Expose modules' contents through package
  Remove outer __init__.py file
2024-01-13  main: Automatically provide top-level sploit modules to user scripts  Malfurious  1 file, -1/+9
Signed-off-by: Malfurious <m@lfurio.us>
2024-01-13  sploit: Expose modules' contents through package  Malfurious  1 file, -10/+5
This completes the overarching package reorganization changes. The contents of the top-level "sploit" package's direct children modules are exported via the package. Explicit imports for sploit's subpackages are not necessary.

Other package __init__.py files are using relative imports. However, doing so here causes the hatchling build process to fail. Fortunately, since this is the top level, absolute paths aren't too long.

The last few modules left in this package have been kept back since they lack any specific niche, are considered "universally relevant", or are typically imported so frequently that it makes sense to provide them to scripts automatically.

Signed-off-by: Malfurious <m@lfurio.us>
2024-01-13  Remove extra "main.py" file  Malfurious  4 files, -68/+71
The CLI logic is moved to sploit/__main__.py. This file is now the target of:

  - python -m sploit
  - sploit.py (via import)
  - sploit (installed executable - via pyproject.toml)

A module guard (`if __name__ == "__main__"`) is added to allow the application to run when this file is invoked directly. And the entrypoint symlink is no longer necessary.

Signed-off-by: Malfurious <m@lfurio.us>
2024-01-13  comm: Promote from module to package  Malfurious  3 files, -1/+2
This is done to help clean the top-level "sploit" package. Furthermore, there is some planned future work to refactor comm into multiple modules, so this lays some groundwork for that.

Signed-off-by: Malfurious <m@lfurio.us>
2024-01-13  log: Move to sploit.util package  Malfurious  7 files, -5/+5
Signed-off-by: Malfurious <m@lfurio.us>
2024-01-13  util: Promote from module to package  Malfurious  4 files, -2/+3
We would like to move additional modules under the namespace of "util" to clean up the top-level "sploit" package. To start, the functions from the previous util module are moved. Given the package is named "util" the module is renamed to "cmd" to somewhat match the theme of the contained functions. Per the previous commits, these functions are now exposed via the util package as well.

Signed-off-by: Malfurious <m@lfurio.us>
2024-01-13  builder: Rename package to payload and expose contents  Malfurious  6 files, -8/+6
This follows in the package contents export change. Additionally, the builder package is renamed to "payload".

"payload" is actually the preferred name of this package. It was previously renamed due to the absurdity of importing "sploit.payload.payload.Payload()", and the fact that additional modules were being bundled together so a more broad name _seemed_ desirable.

Signed-off-by: Malfurious <m@lfurio.us>
2024-01-13  rev: Expose modules' contents through package  Malfurious  1 file, -6/+4
This is the start of an overarching change meant to simplify sploit library imports. In general, all packages (directories) are intended to export all the classes, methods, and variables of their contained modules. This way users need only import the package, which leads to less verbose import statements (and usually fewer import statements).

We would still like to gate objects behind their respective packages, rather than providing the whole world with `from sploit import *` so that users can still have some amount of control over what is brought into their global namespace.

Beware: For code internal to sploit, full module imports should probably continue to be used. Otherwise, there is a possibility for circular imports if two modules from two packages cross import.

Signed-off-by: Malfurious <m@lfurio.us>
2024-01-13  Remove outer __init__.py file  Malfurious  1 file, -4/+0
This file doesn't seem to be serving any purpose, and removing it doesn't break any of the supported ways to run sploit. sploit.py, python -m sploit, interpreter, installed, uninstalled, in or out of the repo, are all fine.

Signed-off-by: Malfurious <m@lfurio.us>
2023-04-02  comm: Fix bug where readline thinks pipe is broken  (v0.4)  dusoleil  1 file, -2/+2
We should strip the newline from the data after checking if we got an empty string returned.

Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2023-03-31  Allow control of named pipe location via command-line  Malfurious  2 files, -13/+24
Add the ability to select which location to create FIFOs when running in pipes mode, by passing the directory name to sploit where a target executable would usually go. This has been an API feature from the start, but not exposed via the sploit runner command-line interface.

There are a couple new use-cases where this is very convenient, including scriptifying sploit in pipes mode (testing, for example) and when running sploit under Docker. If pipes are placed in the working directory, all project files can be shared with a single bind mount.

Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2023-03-31  Add sploit Docker image  Malfurious  3 files, -0/+52
Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2023-03-31  symtbl: Fix function docstring formatting  Malfurious  1 file, -19/+19
Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2023-03-24  r2: Don't return duplicate gadgets in gadget search  dusoleil  1 file, -0/+5
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
Reviewed-by: Malfurious <m@lfurio.us>
2023-03-23  r2: Get all relocs that have a name  dusoleil  1 file, -2/+1
Originally I was deciding whether to get a reloc based on the type. I'm not sure what SET_64 vs ADD_64 means, but the SET* types seemed to be the only symbols we care about. After running into a binary where a SET* symbol didn't have a name (and crashed sploit), I have decided to filter on that instead.

Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2023-03-23  rev: Use json output for get_bin_info()  dusoleil  2 files, -25/+16
Grabbing the json and returning that dict directly avoids all of the processing we were doing before.

I also added in a small, temporary band-aid for PE files until we add actual support for them. The 'relro' key doesn't exist on PE files, so just default it to '' in ELF.

Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2023-03-23  r2: Rewrite get_elf_symbols()  dusoleil  1 file, -29/+30
This addresses a couple issues with get_elf_symbols().

First of all, we can greatly simplify our processing of the r2 output by getting back json instead of trying to do string processing on their pretty-printed tables. This resolves a number of issues we were running into and also makes the code way more maintainable.

Second, we have reevaluated what we actually want to get out of r2. We now grab section offsets, all FUNC, OBJ, and NOTYPE symbols, and all strings. The strings and section offsets no longer try to escape special characters and sometimes aren't accessible through normal object attributes, but now that we have dictionary subscripting, this isn't an issue.

Lastly, a few subsets of the symbols are separated into their own tables and added to the main table as subtables. Sections are located at sym.sect and offset at 0. Imported symbols are located at sym.imp and are offset at sect['.plt']. Relocations are located at sym.rel and are offset at sect['.got']. Strings are located at sym.str and are offset at sect['.rodata'].

Signed-off-by: dusoleil <howcansocksbereal@gmail.com>