Commit log: date  subject  (author; files changed, -deleted/+added lines)
2022-09-12  sploit: payload: Allow variadic insertions  (Malfurious; 1 file, -13/+15)

Oftentimes, users of the Payload module wish to push a list of integers to a payload buffer. Currently, the best (and intended) way to do this is to make several calls to .int(). However, as part of the ROP effort, I am planning to add function 'gadget(addr, *params)' to the Payload class. Per the design of this function, calling it with an expanded list of values would be equivalent to passing each to .int() individually. In order to discourage the use of .gadget() as a shortcut to a series of .int()s, .int() and most other insertion functions now accept arbitrarily many value arguments. Functions that support additional options (such as .int()'s 'signed' parameter) will apply such options to all values. If a symbol name is defined, it will reference the beginning of the block of values.

Keep in mind, this will also allow inserting zero values. For example, obj.bin(sym='end') will tag the end of the payload without extending its content. This use-case is not intended to be particularly useful, but exists as a consequence of the change.

Payload.rep() and the pad functions are not affected by this commit, as I don't think changing their semantics in this way makes sense.

Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2022-04-08  sploit: Allow multiple reads in Comm.readall_nonblock()  (Malfurious; 1 file, -2/+6)

Due to line buffering, we may often trigger a burst of data to be sent by the target, but resolve the non-blocking read only after the first line is received. We would like to wait just a little longer to receive the entire burst instead.

readall_nonblock() will now reset its timeout period whenever any data becomes readable and will not return until we go an entire period of silence. Under normal conditions, the full duration of readall_nonblock should barely be any longer than the defined period itself.

Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2022-04-08  sploit: Fix units for Comm.timeout  (Malfurious; 1 file, -1/+1)

select's poll.poll() function expects its timeout argument to be in milliseconds. This is an artifact from earlier development where we were using the higher-level 'selectors' API, which never got merged.

Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2022-03-19  Add indirection to arch access  (dusoleil; 1 file, -1/+7)

Add a layer of indirection to access the active arch config. Currently when importing sploit.arch.arch, the name will be bound to whatever the current reference is and won't follow if another module (user script) updates the reference in sploit.arch. A layer of indirection seamlessly solves that issue and also provides a cleaner interface for setting the active arch from the user script.

Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2022-03-17  sploit: Rework payload builder  (Malfurious; 1 file, -57/+68)

The design/implementation of class Payload is updated for better compatibility with Symtbl, and to address some usability issues that have come up so far:

No more automatically fixed-up stack alignment by default: In fact, alignment as a concept is fully removed from the tool, in preparation for another upcoming ROP-centric addon to Payload. Therefore, insertion of return addresses (via .ret()) is now equivalent to any other integer value.

No instance size value: Each call to .pad() uses an independent size passed as a parameter, but functions in the same manner as before. Padding can also now be inserted at the beginning of the payload: .pad_front() prepends the necessary amount of data, and updates the tracked offsets of values that were already inserted to the payload.

Payload now directly extends Symtbl: Instead of possessing a Symtbl member, payload objects can directly be treated as symbol tables for things like mounting them as subtables, or mapping them to access absolute addresses.

New call syntax to access binary data: As a shorthand, users may now use the call syntax to get the bytes string built by the tool. If an argument is passed, it is another byte string containing illegal bytes that we check the built payload for. Unfortunately, the __str__ magic func doesn't like returning bytes strings; plus, that overload is already in use for formatting the symbol table content (worth not hiding).

New semantic insertion functions: .bin(), .str() [C-style strings], .int(), .ret(), and more. Some of these functions are direct synonyms, however their use can provide more clarity in Sploit scripts.

Smarter default element symbol names: Instead of just using '_' as a placeholder if no symbol name is ever given, we now uniquely name each inserted element according to the API function that was used, then slap on an incrementing number. An explicit name still bypasses this scheme.

Insertion functions can now be chained together: Functions previously returned the offset/address of the inserted value. However, this feature was seldom used, and there is now the possibility of .pad_front() invalidating previously-returned offsets. Instead, functional-style chaining is enabled to reduce boilerplate, and help with quick one-liners.

Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2022-03-17  sploit: Clean up use of __getattribute__  (Malfurious; 2 files, -12/+1)

__getattribute__ is the low-level magic func and will intercept every attribute lookup, whereas __getattr__ is high-level, and is only invoked in specific conditions (such as __getattribute__'s failure). As such, any overload of __getattribute__ which preferentially falls back to object.__getattribute__() before serving a request can more simply be replaced by a __getattr__ overload without the fallback.

Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2022-03-17  sploit: Fix bugs and simplify Symtbl  (Malfurious; 1 file, -82/+45)

The recent implementation of the new design for Symtbl contained a few bugs:

- Attempting to access .base on a Symtbl or intermediate __InnerTable__ caused an exception.
- Symtbl objects all used the same static collection of nested subtables, rather than an instanced one. If two table objects contained the same named key, they would refer to the same nested table from both locations.
- Printing the contents of a table accessed via an absolute nesting (aka: via an __InnerTable__ object) would not show the offsets adjusted for the current context.

In addition to these fixes, the class implementation is largely simplified as well. This is in part due to the removal of unnecessary logic, such as the way our __getattribute__ overloads were implemented. Mainly, this came down to merging the redundant abstractions in our original design. Over time, the differences between these interfaces became blurred to the point where simply reusing one is not at all problematic. It is very much the intent of this patch to preserve the semantics of the tool's design (that being: flexible, nestable tables, to which a separate, but linked, mapped view may be obtained), but to state it as cleanly as possible.

Note that all of the working state of a Symtbl is kept in its new _namesp member. This is primarily done to enable subclassing the Symtbl class. Ordinarily, setattr() on self would force the incoming value into the actual symbol table, making it impossible for subclasses to store separate instance data. Furthermore, the consolidation of properties into this object creates fewer potential collisions with user-defined symbols.

Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2022-03-14  Merge tag 'pull-sploit-rev' of https://github.com/Dusoleil/lib-des-gnux  (Malfurious; 8 files, -5/+201)

Add rev for basic reverse engineering

* tag 'pull-sploit-rev' of https://github.com/Dusoleil/lib-des-gnux:
  sploit: Move __attr_filter__ to a general place in util
  sploit: Filter all magic python members by default in mem module
  sploit: add stack base pointer to locals symtbl
  sploit: print hex of addresses in rev logs
  sploit: add status logging to rev module
  sploit: lazy load libs for ELF
  sploit: cache results of external commands
  sploit: add the rest of r2 functions through elf
  sploit: typo fix in rev.r2
  sploit: cache ELF loads
  sploit: add ELF helper class to rev
  sploit: consolidate r2 symbol search calls
  sploit: fix r2 module syntax error
  sploit: reverse direction of r2 get_locals offsets
  sploit: add r2 functionality to rev module
  sploit: add ldd ability to rev module
  sploit: add rev module to sploit
2022-03-14  sploit: Clean up function Comm.interact()  (Malfurious; 1 file, -32/+26)

The previous patches in this series have needed to utilize similar logic as Comm.interact() throughout other parts of the Comm class. This patch just revisits .interact() to clean up redundant code.

Co-authored-by: dusoleil <howcansocksbereal@gmail.com>
Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2022-03-14  sploit: Add function popen()  (Malfurious; 1 file, -0/+6)

This is a free-function in the comm module, intended to help set up Sploit plumbing when working in the Python interactive interpreter.

At the moment, the intended user experience in the interpreter is to err on the side of being interactive/responsive. As such, the Comm object returned from popen() is initialized with overridden IO settings to prefer 'readonwrite' by default. Additionally, any early output from the target is also read, so that it may be immediately visible.

A consequence of this configuration is that, until readonwrite is set False, most target output will be consumed before any .read* function has a chance to return it. While that would be a hard showstopper for any Sploit script, an interactive user can simply copy/paste any important data that is produced. Given that the interpreter workflow is likely going to be most useful for quick prototyping and recon with the proposed rev module, I consider this tradeoff appropriate at the moment, but will consider revisiting this if its usage is problematic.

Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2022-03-14  sploit: Add Comm property 'readonwrite'  (Malfurious; 1 file, -0/+2)

If readonwrite is set to True (default False), Sploit will catch up and read all available stdin data from the target in a non-blocking fashion. If logonread is also set to True, this data will immediately be presented to the user whenever data is sent, but is otherwise lost (not returned).

This mode is primarily intended for use in the interactive Python interpreter, where it can be cumbersome to keep alternating read and write calls when one does not care to actually record the read values.

Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2022-03-14  sploit: Add function Comm.readall_nonblock()  (Malfurious; 1 file, -0/+11)

Function should consume all available incoming data from target and return it, however will return 'immediately' (according to a configurable timeout) if the pipe is empty.

Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2022-03-13  sploit: Move __attr_filter__ to a general place in util  (dusoleil; 3 files, -3/+11)

Found a spot to use __attr_filter__ in the rev module, so moving it out of mem and into a shared place (util).

Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2022-03-13  sploit: Filter all magic python members by default in mem module  (dusoleil; 1 file, -3/+6)

In the various __getattribute__() overloads in the mem module, we should filter all of the built-in magic members to do the default object.__getattribute__() behavior. This is opposed to the earlier stance of just caring about the ones that I saw as realistically being called.

Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2022-03-13  sploit: add stack base pointer to locals symtbl  (dusoleil; 1 file, -1/+3)

Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2022-03-13  sploit: print hex of addresses in rev logs  (dusoleil; 1 file, -2/+2)

Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2022-03-13  sploit: add status logging to rev module  (dusoleil; 2 files, -0/+13)

Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2022-03-13  sploit: lazy load libs for ELF  (dusoleil; 2 files, -6/+16)

Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2022-03-13  sploit: cache results of external commands  (dusoleil; 5 files, -15/+25)

Rather than caching ELF instantiations, just cache the results of external commands.

Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2022-03-13  sploit: add the rest of r2 functions through elf  (dusoleil; 1 file, -0/+20)

Expose the rest of the rev.r2 capabilities through rev.elf.

Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2022-03-13  sploit: typo fix in rev.r2  (dusoleil; 1 file, -1/+1)

Accidentally left the argument as "elf" instead of "binary" and had the arguments in the wrong order.

Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2022-03-13  sploit: cache ELF loads  (dusoleil; 1 file, -1/+11)

With recursive ELF loads, there is the possibility of loading in a heavy ELF (like libc) multiple times. Hiding instantiation of the class behind a factory method and caching instances should eliminate this problem.

Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2022-03-13  sploit: add ELF helper class to rev  (dusoleil; 2 files, -0/+23)

Create a class which encapsulates some basic information about an ELF file and provides a convenient interface for basic reverse engineering. In particular, ELF automatically loads the symbol table of the given elf file and recursively creates ELF objects for any linked libraries.

Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2022-03-13  sploit: consolidate r2 symbol search calls  (dusoleil; 1 file, -16/+5)

Consolidate some of the r2 calls that get combined to create the symbol list. Instead of doing multiple calls with different greps within radare2, just do a single call and search it on the python side. This gives us a slight, but noticeable performance increase.

Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2022-03-13  sploit: fix r2 module syntax error  (dusoleil; 1 file, -12/+12)

Forgot to remove the r2 namespace from the calls from back when it was implemented differently.

Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2022-03-13  sploit: reverse direction of r2 get_locals offsets  (dusoleil; 1 file, -1/+1)

rev.r2's get_locals() function returns a Symtbl of offsets representing the local variables in a stack frame of a particular function. The offsets returned by r2 are based around the base of the stack, but they are increasing in value as they grow from the stack. To properly model memory, they should decrease in value as they grow from the stack.

Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2022-03-13  sploit: add r2 functionality to rev module  (dusoleil; 2 files, -1/+94)

Add an r2 module with several helper functions that do a number of simple reverse engineering tasks to aid in writing simple sploit scripts. The functions in this module invoke radare2 to accomplish their tasks.

Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2022-03-13  sploit: add ldd ability to rev module  (dusoleil; 2 files, -0/+14)

Add helper function to invoke ldd to get a list of libraries that will be linked to a given ELF.

Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2022-03-13  sploit: add rev module to sploit  (dusoleil; 3 files, -2/+3)

Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2022-03-13  sploit: Add support for nested Symtbls  (dusoleil; 1 file, -3/+45)

Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2022-03-13  sploit: Instantiate Memmap with integer offset  (dusoleil; 1 file, -6/+6)

Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2022-03-13  sploit: remove length calculation from Symtbl  (dusoleil; 1 file, -13/+1)

length() fails on local stack frames (where it was originally intended to be useful) when register based locals (like arguments) are present.

Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2022-03-12  sploit: code reuse for mem string methods  (dusoleil; 1 file, -12/+14)

Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2022-03-12  sploit: add len func to mem  (dusoleil; 1 file, -0/+11)

len() will calculate the length of the symtbl in bytes rather than the number of symbols.

Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2022-03-12  sploit: move adjust and rebase into member funcs  (dusoleil; 1 file, -7/+6)

Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2022-03-10  Add adjust and rebase functions to mem module  (dusoleil; 1 file, -0/+8)

Add the ability to shift all Symtbl offsets by a fixed amount with adjust(). Add the ability to shift all Symtbl offsets so that a designated symbol is now at offset 0 and all other symbols maintain their relative offsets to that symbol with rebase().

Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2022-03-10  sploit: Add string cast for Symtbl and Memmap  (dusoleil; 1 file, -0/+16)

Add string cast to mem module types so that they can be printed out in a human readable format.

Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2022-03-10  sploit: Split Symtbl functionality with Memmap  (dusoleil; 1 file, -11/+15)

Symtbl now only deals with offsets. A read-only view of a symtbl can be created via the Memmap class. This view also takes an absolute address for a symbol and will return adjusted addresses based on this. This replaces the addr() method.

Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2022-03-06  sploit: Add ARM/THUMB architecture details  (Malfurious; 1 file, -21/+8)

This _should_ be accurate for ARMv7-a at least (including thumb mode). We might want to later include ARMv8 details, which would primarily include a 64-bit profile - I just don't have the details at the moment.

A namedtuple is now used as the implementation of type 'Arch', which allows the definitions to be much more compact and table-like, aiding readability.

Signed-off-by: Malfurious <m@lfurio.us>
2021-12-17  sploit: Automatically shutdown outgoing comms after script execution  (Malfurious; 2 files, -0/+4)

A new function, Comm.shutdown(), is added. It will close only the stdout stream of the communications backend, potentially making the termination of the target program more fluid. The name 'shutdown' is chosen to emulate shutdown(2) from the low-level socket api, which is used to close just part of a full-duplex file descriptor. This is in contrast to 'close', which I would expect to completely terminate the given object IO.

comm.shutdown() is now called by main.py, after the user script returns, to ensure that the subsequent readall() doesn't get stuck because our target is blocked reading its stdin.

Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-12-17  sploit: Catch KeyboardInterrupt in Comm.readall()  (Malfurious; 1 file, -3/+6)

If execution is stuck inside readall() (for example, due to blocked IO), handling KeyboardInterrupt allows the user a way to get out, without exiting the active script early or losing the data read so far.

Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-12-17  sploit: Ensure the logonread option is restored by Comm.readuntil()  (Malfurious; 1 file, -5/+7)

This function has a momentary side-effect of switching self.logonread to False. This patch ensures its original value is always restored, even if an exception is raised.

Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-12-17  sploit: Add logonwrite option to comms  (Malfurious; 1 file, -0/+2)

If enabled, data sent to the target will be printed/logged as alt text, similar to data directly printed by the user. Feature is off by default.

Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-12-17  sploit: Check logonread in function Comm.readall()  (Malfurious; 1 file, -1/+1)

This function will no longer mistakenly log data when logonread is set to False.

Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-12-17  sploit: Add startup banner  (Malfurious; 1 file, -2/+12)

This just adds a fancy 'SPLOIT' header to the beginning of Sploit's startup preamble data. It has the ability to display a few lines of text beside itself, but most of the things we've planned to put here are not available yet, so just the operating mode is printed for now.

The SPLOIT text has a colored stripe which, at the moment, also indicates the operating mode. This stripe was originally chosen to balance out the amount of color present in the preamble text, but I've grown to like it.

Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-12-17  sploit: Rework logger  (Malfurious; 3 files, -28/+56)

The log module is updated to support binary encodings, colors, and for improved compatibility with Python's print() builtin.

Encoding semantics are switched up, since it seems like some of the more interesting encoding modes (from a CTF perspective) actually use bytes-like objects as their high-level form (that is, bytes are encoded to another form, such as hex, then decoded back to the original form). So the logged value is now passed to encode instead of decode, and only if the object is of type 'bytes', as unicode strings are now considered out-of-scope for this operation. Additionally, the bytes wrapper (b'') is no longer visible in the logged content.

For readability, several standard colors have been defined for use within Sploit:

- RED: Errors
- YELLOW: Warnings
- GREEN: Status messages / Startup messages
- WHITE: Target output
- GRAY: User output / Alt text

Logging functions now support an optional color option to select the desired color, and have specific defaults based on who is invoking the log (see below...)

Logging functions are now also fully compatible with the builtin print() function. This is because Sploit now replaces the standard print() with a logging function within the user's script (which is done to maintain additional consistency of messages displayed in the console).

Function ilog (internal log) has default values tuned for the library's convenience: Text goes to stderr, and is presented as status messages (green).

Function elog (external log) has default values tuned for the user: Text goes to stdout, and is presented as alt text to distinguish it from data read from the target. Within the user context, 'print' refers to this function.

Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-12-17  sploit: Remove -d/--daemon option  (Malfurious; 1 file, -23/+10)

A couple of facts have influenced the decision to remove this option:

- If a sploit script uses a shebang to launch sploit, it is tricky to specify this option. Specifically, one must add it to their shebang line, which couples more information to the script than was originally intended.
- Single-pass pipe mode wasn't all that useful. One can accomplish the same thing by running pipe-daemon, and it is easy to exit after one iteration. Electing to run normal pipe mode requires you to know you only want to run once, which is much more common when running via direct subprocess.

As a result of this change, running in pipe mode will now be equivalent to the previous pipe-daemon mode, and subprocess target mode remains single pass.

Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-09-08  Merge tag 'pull-sploit-error-handling' of https://github.com/Dusoleil/lib-des-gnux  (Malfurious; 1 file, -22/+24)

Refactor exception handling and cleanup in main.py

Refactor exception handling to be simpler and easier to read/maintain. Manually call garbage collector after exec to handle some weird python behavior.

* tag 'pull-sploit-error-handling' of https://github.com/Dusoleil/lib-des-gnux:
  Manually run garbage collection after exec
  Clean up exception handling in main.py
2021-09-07  sploit: Clean main import file  (Malfurious; 1 file, -2/+8)

The import list is alphabetized and listed one per line, to prevent this from becoming unwieldy as more modules are introduced. __all__ has been shown to be redundant, given that explicit imports are now done, so it is removed.

Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-09-07  sploit: Add payload builder module  (Malfurious; 2 files, -2/+66)

class Payload is a tool for constructing stack-smash payloads and ROP chains. Its design is intended to abstract away some of the more tedious details of crafting a payload.

Payload utilizes mem.Symtbl internally to optionally manage a collection of named offsets into its own buffer (these are usually in reference to entities appended to the payload via its main API). Alternatively, the API calls to append any entity will return the address of that entity as well. Returned (and looked-up) addresses are relative to the beginning of the payload by default. However, when the payload is constructed with a known base address value, these become absolute. This is useful for reusing addresses later in the payload body.

class Placeholder is designed to be functionally compatible with bytearrays and bytestrings. When constructed, they take the value of 'zero', according to the current arch config. This facility enables some APIs to detect whether a dummy value was passed as a required argument when said argument _may_ be unnecessary in niche situations.

Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>