From ff9ac12af3b8552464a6abac14cc6c4d45d223ae Mon Sep 17 00:00:00 2001
From: Malfurious
Date: Sun, 19 May 2024 13:10:42 -0400
Subject: payload: Rework pointer to directly target another payload field

PayloadEntry pointer will no longer pre-compute it's offset to target on construction, but instead save a reference to the target field and dynamically compute the pointer value on demand. This has the restriction that pointer targets must now reside in the same Payload object, at the same encapsulation level. However, pointers will now dynamically react to their target's relocation due to padding change or other field alterations. When a pointer is generated, we now simply encode the address of the target field as it currently stands at the time. A new property "math" may be given a lambda function, which will have the chance to massage this final pointer value before use.

Signed-off-by: Malfurious
---
 sploit/payload/payload_entry.py | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

(limited to 'sploit/payload/payload_entry.py')

diff --git a/sploit/payload/payload_entry.py b/sploit/payload/payload_entry.py
index 295a91f..2f8dbdd 100644
--- a/sploit/payload/payload_entry.py
+++ b/sploit/payload/payload_entry.py
@@ -41,21 +41,23 @@ class PayloadEntry(IndexEntry):
 # Concrete payload entry definitions
 
 class pointer(PayloadEntry):
-    """Generate an integer which is always a fixed offset from self.base."""
+    """Generate an integer which tracks the address of another payload field."""
 
-    def __init__(self, target=None):
+    def __init__(self, target=None, math=None):
         self.target = target
-
-    def payload_insert(self, payload):
-        if self.target is None:
-            self.target = self.base
-        self.target -= self.base
+        self.math = math
 
     def payload_len(self, payload):
         return arch.wordsize
 
     def payload_bytes(self, payload):
-        return itob(self.target + self.base)
+        if self.target is None:
+            addr = self.base
+        else:
+            addr = payload[self.target]
+        if callable(self.math):
+            addr = self.math(addr)
+        return itob(addr)
 
 class padlen(PayloadEntry):
     """Generate padding to reach a target payload length."""
-- 
cgit v1.2.3
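Review bot: A non-callable `math` is silently ignored by the `callable(self.math)` test in the new `payload_bytes`, so a caller who passes, say, an integer offset expecting it to be added gets the unadjusted address encoded with no error; validating once in `__init__` surfaces the mistake at construction: `if math is not None and not callable(math): raise TypeError("math must be callable or None")`. The `payload[self.target]` lookup also carries the restriction stated in the commit message (target must be a field of the same Payload at the same encapsulation level) without the docstring saying so; a line such as `target: another field of this same Payload; math: optional callable applied to the resolved address before encoding.` would put that contract in the code. Whether an unknown target produces a clear error depends on the container's `__getitem__`, which is outside this hunk, as is the `PayloadEntry` base that presumably supplies `self.base` and any default `payload_insert` the removed override relied on.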