path: root/sploit/rev
Age | Commit message | Author | Files | Lines
2025-01-04 | Rename sploit package to nsploit | Malfurious | 5 | -385/+0
    Rename all affected files, references to file paths, and module imports within the code. Since this line of development represents a fork from the original sploit, a name change is seen as necessary to distinguish the projects, as well as allow them to be installed side by side.

    What does the "n" mean? Great question! You can think of it as meaning "new sploit" if you want, though that's not quite intended. The name is simply distinct and easy to pronounce. I had originally settled on "msploit" (something along the lines of "Malf's sploit"), but this name is too close to "metasploit" for me - and N is right next to it on the keyboard.

    Signed-off-by: Malfurious <m@lfurio.us>

2025-01-01 | Update ROP gadget types to extend IndexEntry | Malfurious | 1 | -17/+6
    This leverages some code reuse and helps these types play nicely with the new Symtbl updates.

    Signed-off-by: Malfurious <m@lfurio.us>

2024-01-13 | log: Move to sploit.util package | Malfurious | 2 | -2/+2
    Signed-off-by: Malfurious <m@lfurio.us>

2024-01-13 | util: Promote from module to package | Malfurious | 2 | -2/+2
    We would like to move additional modules under the namespace of "util" to clean up the top-level "sploit" package. To start, the functions from the previous util module are moved. Given the package is named "util", the module is renamed to "cmd" to somewhat match the theme of the contained functions. Per the previous commits, these functions are now exposed via the util package as well.

    Signed-off-by: Malfurious <m@lfurio.us>

2024-01-13 | rev: Expose modules' contents through package | Malfurious | 1 | -6/+4
    This is the start of an overarching change meant to simplify sploit library imports. In general, all packages (directories) are intended to export all the classes, methods, and variables of their contained modules. This way users need only import the package, which leads to less verbose import statements (and usually fewer import statements).

    We would still like to gate objects behind their respective packages, rather than providing the whole world with `from sploit import *` so that users can still have some amount of control over what is brought into their global namespace.

    Beware: For code internal to sploit, full module imports should probably continue to be used. Otherwise, there is a possibility for circular imports if two modules from two packages cross import.

    Signed-off-by: Malfurious <m@lfurio.us>

2023-03-24 | r2: Don't return duplicate gadgets in gadget search | dusoleil | 1 | -0/+5
    Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
    Reviewed-by: Malfurious <m@lfurio.us>

2023-03-23 | r2: Get all relocs that have a name | dusoleil | 1 | -2/+1
    Originally I was deciding whether to get a reloc based on the type. I'm not sure what SET_64 vs ADD_64 means, but the SET* types seemed to be the only symbols we care about. After running into a binary where a SET* symbol didn't have a name (and crashed sploit), I have decided to filter on that instead.

    Signed-off-by: dusoleil <howcansocksbereal@gmail.com>

2023-03-23 | rev: Use json output for get_bin_info() | dusoleil | 2 | -25/+16
    Grabbing the json and returning that dict directly avoids all of the processing we were doing before. I also added in a small, temporary band-aid for PE files until we add actual support for them. The 'relro' key doesn't exist on PE files, so just default it to '' in ELF.

    Signed-off-by: dusoleil <howcansocksbereal@gmail.com>

2023-03-23 | r2: Rewrite get_elf_symbols() | dusoleil | 1 | -29/+30
    This addresses a couple issues with get_elf_symbols().

    First of all, we can greatly simplify our processing of the r2 output by getting back json instead of trying to do string processing on their pretty-printed tables. This resolves a number of issues we were running into and also makes the code way more maintainable.

    Second, we have reevaluated what we actually want to get out of r2. We now grab section offsets, all FUNC, OBJ, and NOTYPE symbols, and all strings. The strings and section offsets no longer try to escape special characters and sometimes aren't accessible through normal object attributes, but now that we have dictionary subscripting, this isn't an issue.

    Lastly, a few subsets of the symbols are separated into their own tables and added to the main table as subtables. Sections are located at sym.sect and offset at 0. Imported symbols are located at sym.imp and are offset at sect['.plt']. Relocations are located at sym.rel and are offset at sect['.got']. Strings are located at sym.str and are offset at sect['.rodata'].

    Signed-off-by: dusoleil <howcansocksbereal@gmail.com>

2023-03-19 | r2: limit gadget search to exec privilege sections | dusoleil | 1 | -1/+1
    Signed-off-by: dusoleil <howcansocksbereal@gmail.com>

2023-03-19 | rev: Normalize the reported offset of found gadgets | Malfurious | 2 | -3/+4
    ROP gadgets returned through search from the r2 API will now always contain a file-relative offset, even if they come from a non-pic binary using a fixed baddr. However, gadgets returned through the ELF API will be mapped according to the ELF's Symtbl. This ensures the correct offset is returned following a library leak, and allows the user to always safely insert an ELF-returned gadget into that ELF's Symtbl without issue.

    Signed-off-by: Malfurious <m@lfurio.us>
    Signed-off-by: dusoleil <howcansocksbereal@gmail.com>

2023-03-16 | elf: Add docstrings | dusoleil | 1 | -0/+107
    Signed-off-by: dusoleil <howcansocksbereal@gmail.com>

2023-03-16 | elf: Automatically lookup Arch on ELF construction | dusoleil | 1 | -0/+2
    Signed-off-by: dusoleil <howcansocksbereal@gmail.com>

2023-03-16 | elf: Add bininfo to ELF under .info and .security | dusoleil | 1 | -9/+54
    On ELF construction, call r2.get_bin_info() and keep the results under the pseudo-namespaces .info and .security. Also add a pretty-print to these in a tabulated form. Also rewrite the ELF pretty-print to just summarize and not print out the entirety of .sym. Lastly, fixed a small bug where ELF could crash on construction if ldd fails (loading a non-native ELF, for instance).

    Signed-off-by: dusoleil <howcansocksbereal@gmail.com>

2023-03-16 | r2: Use get_bin_info in get_elf_symbols | dusoleil | 1 | -5/+5
    Code reuse since we were using r2 iI in get_elf_symbols to get the baddr. This can cause get_bin_info to be called (and log that it's being called) multiple times, so I'm also adding the @cache annotation.

    Signed-off-by: dusoleil <howcansocksbereal@gmail.com>

2023-03-16 | r2: Add ability to lookup info about a binary. | dusoleil | 1 | -0/+12
    Call r2's iI command and return a subset of the fields that we care about.

    Signed-off-by: dusoleil <howcansocksbereal@gmail.com>

2023-03-15 | r2: Increase maximum rop gadget length | Malfurious | 1 | -1/+1
    Sets the value of rop.len = 10 in r2, to give the search function more data to sift through. This is a doubling from the default value (5).

    Signed-off-by: Malfurious <m@lfurio.us>
    Signed-off-by: dusoleil <howcansocksbereal@gmail.com>

2023-03-15 | rev: Update rop gadget search functionality | Malfurious | 2 | -32/+61
    Development on the rop chain builder has produced this upgrade to our gadget search facility. The primary advantages in this version are increased flexibility and runtime performance.

    It is now easier to find specific 'stray' instructions (not immediately followed by a ret) since we search from every position in the data returned by r2. If you _do_ want a ret, just specify it in your input regexes. For this reason, a dedicated function for locating a simple 'ret' gadget is no longer present - elf.gadget("ret") is the equivalent.

    A major change in this version is that we now obtain and operate on r2's JSON representation of the gadget data. We now only reach out to r2 once to get all information for a binary (which is cached) and the actual 'search' is implemented in Python. This provides a significant performance speedup in cases where we need many gadgets from one binary, as r2 doesn't need to inspect the entire file each time. Additional caching is done on specific search results, so that 100% redundant searches are returned immediately.

    Access to the raw JSON data is made available through a new function rop_json(), but is not exposed in the ELF interface, since it seems like a niche need.

    Search results are returned via Gadget objects (or a list thereof), which contain regular expression Match objects for each assembly instruction found in the gadget. This allows the caller to retrieve the values contained in regular expression capture groups if present.

    Also, anecdotally, the search functionality in r2 has seemed to return false negatives for some queries in the past, whereas I haven't noticed similar cases with this implementation yet.

    Signed-off-by: Malfurious <m@lfurio.us>
    Signed-off-by: dusoleil <howcansocksbereal@gmail.com>

2023-03-15 | rev: Add rop gadget description class | Malfurious | 2 | -2/+38
    This new class is intended to be used to return data from gadget searches, and is able to be nested within object Symtbls.

    Signed-off-by: Malfurious <m@lfurio.us>
    Signed-off-by: dusoleil <howcansocksbereal@gmail.com>

2023-03-13 | elf: Fix visual bug printing libraries list | Malfurious | 1 | -2/+2
    Previously, due to precedence rules, the text produced for any library whose corresponding ELF object has already been initialized would simply be `str(lib.path)`, instead of the intended formatted string. Also fixes a typo.

    Signed-off-by: Malfurious <m@lfurio.us>
    Signed-off-by: dusoleil <howcansocksbereal@gmail.com>

2023-03-13 | Prefer __repr__ for pretty-printing objects | Malfurious | 1 | -2/+3
    Define human-readable string formatting for objects in repr, rather than str, as this will enable an interactive interpreter to more conveniently show this data to the user. I believe this especially makes sense in cases where __str__ doesn't perform a semantic type conversion for its class (currently, all affected cases).

    Scripts can still easily yield this information by using `print(object)`, as print will fall back to repr(object) when there is not an explicitly defined __str__.

    Furthermore, this patch still maintains backwards compatibility (for the time being) of using str(object) to retrieve the information. This is because the default __str__ implementation will defer to __repr__ if provided. This made the Symtbl case of providing both of them especially redundant.

    Signed-off-by: Malfurious <m@lfurio.us>
    Signed-off-by: dusoleil <howcansocksbereal@gmail.com>

2023-02-24 | r2: Simplify Symtbl construction in get_locals() (v0.2) | Malfurious | 1 | -3/+1
    Signed-off-by: Malfurious <m@lfurio.us>
    Signed-off-by: dusoleil <howcansocksbereal@gmail.com>

2023-02-24 | symtbl: Rename file to match class name | Malfurious | 1 | -2/+2
    I assume that the preferred style is to leave one major class each to a file. In this case, synchronize the names of the Symtbl class and its containing module. Per PEP8, the module is lowercase, and the class remains Pascal case.

    If other memory-oriented utilities are introduced in the future, we may wish to move them, as well as Symtbl, back into a subpackage named 'mem'.

    Signed-off-by: Malfurious <m@lfurio.us>
    Signed-off-by: dusoleil <howcansocksbereal@gmail.com>

2022-09-12 | sploit: rev: Properly base Symtbls for non-PIC binaries | Malfurious | 1 | -1/+6
    The baddr property identified by r2 is now used as the base address for ELF symbol tables. This should not change the addresses retrieved via the table normally; however, it should fix the internal offsets of the table so that rebasing makes sense.

    Note that for PIC/PIE binaries we would already get a Symtbl with 'correct' offsets, as r2 is unable to absolutely resolve them for us. In these cases, the Symtbl base value remains at zero.

    Signed-off-by: Malfurious <m@lfurio.us>
    Signed-off-by: dusoleil <howcansocksbereal@gmail.com>

2022-03-17 | sploit: Clean up use of __getattribute__ | Malfurious | 1 | -4/+1
    __getattribute__ is the low-level magic func and will intercept every attribute lookup, whereas __getattr__ is high-level, and is only invoked in specific conditions (such as __getattribute__'s failure). As such, any overload of __getattribute__ which preferentially falls back to object.__getattribute__() before serving a request, can more simply be replaced by a __getattr__ overload without the fallback.

    Signed-off-by: Malfurious <m@lfurio.us>
    Signed-off-by: dusoleil <howcansocksbereal@gmail.com>

2022-03-13 | sploit: Move __attr_filter__ to a general place in util | dusoleil | 1 | -1/+3
    Found a spot to use __attr_filter__ in the rev module, so moving it out of mem and into a shared place (util).

    Signed-off-by: dusoleil <howcansocksbereal@gmail.com>

2022-03-13 | sploit: add stack base pointer to locals symtbl | dusoleil | 1 | -1/+3
    Signed-off-by: dusoleil <howcansocksbereal@gmail.com>

2022-03-13 | sploit: print hex of addresses in rev logs | dusoleil | 1 | -2/+2
    Signed-off-by: dusoleil <howcansocksbereal@gmail.com>

2022-03-13 | sploit: add status logging to rev module | dusoleil | 2 | -0/+13
    Signed-off-by: dusoleil <howcansocksbereal@gmail.com>

2022-03-13 | sploit: lazy load libs for ELF | dusoleil | 1 | -4/+16
    Signed-off-by: dusoleil <howcansocksbereal@gmail.com>

2022-03-13 | sploit: cache results of external commands | dusoleil | 3 | -15/+6
    Rather than caching ELF instantiations, just cache the results of external commands.

    Signed-off-by: dusoleil <howcansocksbereal@gmail.com>

2022-03-13 | sploit: add the rest of r2 functions through elf | dusoleil | 1 | -0/+20
    Expose the rest of the rev.r2 capabilities through rev.elf.

    Signed-off-by: dusoleil <howcansocksbereal@gmail.com>

2022-03-13 | sploit: typo fix in rev.r2 | dusoleil | 1 | -1/+1
    Accidentally left the argument as "elf" instead of "binary" and had the arguments in the wrong order.

    Signed-off-by: dusoleil <howcansocksbereal@gmail.com>

2022-03-13 | sploit: cache ELF loads | dusoleil | 1 | -1/+11
    With recursive ELF loads, there is the possibility of loading in a heavy ELF (like libc) multiple times. Hiding instantiation of the class behind a factory method and caching instances should eliminate this problem.

    Signed-off-by: dusoleil <howcansocksbereal@gmail.com>

2022-03-13 | sploit: add ELF helper class to rev | dusoleil | 2 | -0/+23
    Create a class which encapsulates some basic information about an ELF file and provides a convenient interface for basic reverse engineering. In particular, ELF automatically loads the symbol table of the given elf file and recursively creates ELF objects for any linked libraries.

    Signed-off-by: dusoleil <howcansocksbereal@gmail.com>

2022-03-13 | sploit: consolidate r2 symbol search calls | dusoleil | 1 | -16/+5
    Consolidate some of the r2 calls that get combined to create the symbol list. Instead of doing multiple calls with different greps within radare2, just do a single call and search it in the python side. This gives us a slight, but noticeable performance increase.

    Signed-off-by: dusoleil <howcansocksbereal@gmail.com>

2022-03-13 | sploit: fix r2 module syntax error | dusoleil | 1 | -12/+12
    Forgot to remove the r2 namespace from the calls from back when it was implemented differently.

    Signed-off-by: dusoleil <howcansocksbereal@gmail.com>

2022-03-13 | sploit: reverse direction of r2 get_locals offsets | dusoleil | 1 | -1/+1
    rev.r2's get_locals() function returns a Symtbl of offsets representing the local variables in a stack frame of a particular function. The offsets returned by r2 are based around the base of the stack, but they are increasing in value as they grow from the stack. To properly model memory, they should decrease in value as they grow from the stack.

    Signed-off-by: dusoleil <howcansocksbereal@gmail.com>

2022-03-13 | sploit: add r2 functionality to rev module | dusoleil | 2 | -1/+94
    Add an r2 module with several helper functions that do a number of simple reverse engineering tasks to aid in writing simple sploit scripts. The functions in this module invoke radare2 to accomplish their tasks.

    Signed-off-by: dusoleil <howcansocksbereal@gmail.com>

2022-03-13 | sploit: add ldd ability to rev module | dusoleil | 2 | -0/+14
    Add helper function to invoke ldd to get a list of libraries that will be linked to a given ELF.

    Signed-off-by: dusoleil <howcansocksbereal@gmail.com>

2022-03-13 | sploit: add rev module to sploit | dusoleil | 1 | -0/+0
    Signed-off-by: dusoleil <howcansocksbereal@gmail.com>