path: root/sploit/payload

Age | Commit message | Author | Files | Lines
2025-01-04 | Rename sploit package to nsploit | Malfurious | 7 | -1209/+0

Rename all affected files, references to file paths, and module imports within the code. Since this line of development represents a fork from the original sploit, a name change is seen as necessary to distinguish the projects, as well as allow them to be installed side by side.

What does the "n" mean? Great question! You can think of it as meaning "new sploit" if you want, though that's not quite intended. The name is simply distinct and easy to pronounce. I had originally settled on "msploit" (something along the lines of "Malf's sploit"), but this name is too close to "metasploit" for me - and N is right next to it on the keyboard.

Signed-off-by: Malfurious <m@lfurio.us>
2025-01-02 | rop: Add ret2dlresolve exploit module | Malfurious | 2 | -0/+227
Signed-off-by: Malfurious <m@lfurio.us>
2025-01-02 | fmtstring: Add printf exploit module | Malfurious | 2 | -0/+179
Signed-off-by: Malfurious <m@lfurio.us>
2025-01-02 | payload: Rework pointer to directly target another payload field | Malfurious | 1 | -8/+10

PayloadEntry pointer will no longer pre-compute its offset to target on construction, but instead save a reference to the target field and dynamically compute the pointer value on demand.

This has the restriction that pointer targets must now reside in the same Payload object, at the same encapsulation level. However, pointers will now dynamically react to their target's relocation due to padding change or other field alterations.

When a pointer is generated, we now simply encode the address of the target field as it currently stands at the time. A new property "math" may be given a lambda function, which will have the chance to massage this final pointer value before use.

Signed-off-by: Malfurious <m@lfurio.us>
2025-01-02 | payload: padalign reference property | Malfurious | 1 | -2/+3

Previously, the auto alignment tool would ensure that the next payload byte address was evenly divisible by the padding size, and nothing more. Users now have the added flexibility to specify a basis or "reference" address. The next payload byte address will then be an even multiple of the padding size away from this reference.

Signed-off-by: Malfurious <m@lfurio.us>
2025-01-02 | payload: Separate length and bytes calculations | Malfurious | 2 | -33/+57

Previously, the len(payload) operation required the generation of the full payload binary content, in order to count how many bytes long it was. This is no longer the case, as there are opportunities for optimizations, primarily regarding fixed-length dynamic payload entries where we can simply grab the size parameter without having to generate a buffer.

In addition to potential speedups, this fix also allows the user to insert PayloadEntry pointers for fields which are not yet present in the payload being built (i.e., whenever the pointer is to exist before the pointed-to data). Whereas previously, the inability to generate the ill-formed pointer would break length calculations necessary to insert additional data.

Signed-off-by: Malfurious <m@lfurio.us>
2025-01-02 | payload: Improve recursion performance | Malfurious | 1 | -14/+22

There is a small network of mutually-recursive helper functions which produce the main outputs for Payload objects (the length, bytes, etc.). The runtime performance of this code can suffer as a Payload grows to contain more and more items. These issues are heavily mitigated by implementing memoization within one of these functions (which propagates the benefit to the rest of the call tree). Memo dictionary is only used for a single operation (lifetime) to avoid the possibility of bad cached results.

Signed-off-by: Malfurious <m@lfurio.us>
2025-01-01 | payload: rop: Update for new Payload class | Malfurious | 1 | -132/+113

This updates the ROP class to work with the new Payload changes. Its behavior should be largely the same, and I've taken the opportunity to touch up documentation.

The main change here is that we no longer extend the Payload class. Instead, each function constructs and returns a Payload representation of the generated ROP chain. These returned objects can easily be lumped into the Payload being built by a user script, or interrogated to help troubleshoot their use.

Signed-off-by: Malfurious <m@lfurio.us>
2025-01-01 | Update ROP gadget types to extend IndexEntry | Malfurious | 1 | -27/+16

This leverages some code reuse and helps these types play nicely with the new Symtbl updates.

Signed-off-by: Malfurious <m@lfurio.us>
2025-01-01 | payload: Refactor as a concrete IndexTbl | Malfurious | 3 | -86/+295

Payload is now an index table, wherein each index is a byte string (or compatible type). The retrieval of indices will return a corresponding offset or address of the indexed data (which is sensitive to the payload base). There is no longer a Symtbl member.

Due to this new design, the class no longer keeps a running payload buffer that is appended to every time the payload is updated. When the user wants to get the full data, this buffer is constructed from the Lict elements backing the payload. This allows individual elements to be modified or removed easily after they are inserted. The use of a Lict allows data elements to be referred to by either their positional array index, or the key specified when first creating that element (done using the IndexTbl interface).

Payload objects may now be directly nested inside each other, as opposed to simply taking a payload's bytes and inserting those. This allows payloads to be used in a way resembling C structures.

The type-specific insertion functions have been removed and we instead now lean on the __setindex__ interface inherited from IndexTbl to directly assign values and append them to the payload. In this case, values are taken as-is from the assignment if they are bytes-like, and automatically converted in some cases. Payload's __call__ overload is now used to perform the quick, chainable, and inline value insertion that was lost by the removal of the type-specific functions. "Calling" a payload with zero arguments will still provide the old behavior of returning the payload bytes, however.

The semi-advanced features such as padding, alignment, and inserting placeholder bytes have been removed from the main payload interface and are now provided as compatible types that can be directly inserted into Payload via the means described above. In most cases, these are now implemented to dynamically react to changes in the Payload content. For example, a "padlen" element, which is constructed with a fixed target length parameter, will grow or shrink in length if the data preceding it changes.

Automatic "badbytes" detection is removed, simply due to API conflict. In my experience, this feature was little-used and can easily be done manually by scripts if desired. I don't plan to reintroduce this feature.

pad_front functionality is also removed by this patch, since at the moment it doesn't fit into the new design very well. We may attempt to reimplement it as a PayloadEntry down the road. However, this feature has also only seen rare use in my experience.

Signed-off-by: Malfurious <m@lfurio.us>
2024-01-13 | builder: Rename package to payload and expose contents | Malfurious | 4 | -0/+589

This follows in the package contents export change. Additionally, the builder package is renamed to "payload". "payload" is actually the preferred name of this package. It was previously renamed due to the absurdity of importing "sploit.payload.payload.Payload()", and the fact that additional modules were being bundled together so a more broad name _seemed_ desirable.

Signed-off-by: Malfurious <m@lfurio.us>