heapinfo 0.0.0

data/lib/heapinfo/process.rb

@@ -0,0 +1,205 @@
+#encoding: ascii-8bit
+module HeapInfo
+  # Main class of heapinfo.
+  class Process
+    # The dafault options of libaries,
+    # use for matching glibc and ld segments in <tt>/proc/[pid]/maps</tt>
+    DEFAULT_LIB = {
+      libc: /libc[^\w]/,
+      ld:   /\/ld-.+\.so/,
+    }
+    # @return [Fixnum, NilClass] return the pid of process, <tt>nil</tt> if no such process found
+    attr_reader :pid
+    attr_reader :status
+
+    # Instantiate a <tt>HeapInfo::Process</tt> object
+    # @param [String, Fixnum] prog Process name or pid, see <tt>HeapInfo::heapinfo</tt> for more information
+    # @param [Hash] options libraries' filename, see <tt>HeapInfo::heapinfo</tt> for more information
+    def initialize(prog, options = {})
+      @prog = prog
+      @options = DEFAULT_LIB.merge options
+      load!
+      return unless load?
+      @dumper = Dumper.new(@status, mem_filename)
+    end
+
+    # Use this method to wrapper all HeapInfo methods.
+    #
+    # Since <tt>::HeapInfo</tt> is a tool(debugger) for local usage, 
+    # while exploiting remote service, all methods will not work properly.
+    # So I suggest to wrapper all methods inside <tt>#debug</tt>,
+    # which will ignore the block while the victim process is not found.
+    #
+    # @example
+    #   h = heapinfo('./victim') # such process doesn't exist
+    #   libc_base = leak_libc_base_of_victim # normal exploit
+    #   h.debug {
+    #     # for local to check if exploit correct
+    #     fail('libc_base') unless libc_base == h.libc.base
+    #   }
+    #   # block of #debug will not execute if can't found process
+    def debug
+      return unless load!
+      yield if block_given?
+    end
+
+    # Dump the content of specific memory address.
+    #
+    # Note: This method require you have permission of attaching another process. If not, a warning message will present.
+    #
+    # @param [Mixed] args Will be parsed into <tt>[base, offset, length]</tt>, see Examples for more information.
+    # @return [String, HeapInfo::Nil] The content needed. When the request address is not readable or the process not exists, <tt>HeapInfo::Nil.new</tt> is returned.
+    #
+    # @example
+    #   h = heapinfo('victim')
+    #   h.dump(:heap) # &heap[0, 8]
+    #   h.dump(:heap, 64) # &heap[0, 64]
+    #   h.dump(:heap, 256, 64) # &heap[256, 64]
+    #   h.dump('heap+256, 64'  # &heap[256, 64]
+    #   h.dump('heap+0x100', 64) # &heap[256, 64]
+    #   h.dump(<segment>, 8) # semgent can be [heap, stack, (program|elf), libc, ld]
+    #   h.dump(addr, 64) # addr[0, 64]
+    #
+    #   # Invalid usage
+    #   dump(:meow) # no such segment
+    #   dump('heap-1, 64') # not support '-'
+    def dump(*args)
+      return Nil.new unless load?
+      @dumper.dump(*args)
+    end
+
+    # Return the dump result as chunks.
+    # see <tt>HeapInfo::Dumper#dump_chunks</tt> for more information.
+    #
+    # @return [HeapInfo::Chunks, HeapInfo::Nil] An array of chunk(s).
+    # @param [Mixed] args Same as arguments of <tt>#dump</tt>
+    def dump_chunks(*args)
+      return Nil.new unless load?
+      @dumper.dump_chunks(*args)
+    end
+
+    # Gdb-like command
+    #
+    # Show dump results like in gdb's command <tt>x</tt>,
+    # while will auto detect the current elf class to decide using <tt>gx</tt> or <tt>wx</tt>.
+    #
+    # The dump results wrapper with color codes and nice typesetting will output to <tt>stdout</tt> by default.
+    # @param [Integer] count The number of result need to dump, see examples for more information
+    # @param [Mixed] commands Same format as <tt>#dump(*args)</tt>, see <tt>#dump</tt> for more information
+    # @param [IO] io <tt>IO</tt> that use for printing, default is <tt>$stdout</tt>
+    # @return [NilClass] The return value of <tt>io.puts</tt>.
+    # @example
+    #   h.x 8, :heap
+    #   # 0x1f0d000:      0x0000000000000000      0x0000000000002011
+    #   # 0x1f0d010:      0x00007f892a9f87b8      0x00007f892a9f87b8
+    #   # 0x1f0d020:      0x0000000000000000      0x0000000000000000
+    #   # 0x1f0d030:      0x0000000000000000      0x0000000000000000 
+    # @example
+    #   h.x 3, 0x400000
+    #   # 0x400000:       0x00010102464c457f      0x0000000000000000
+    #   # 0x400010:       0x00000001003e0002
+    def x(count, *commands, io: $stdout)
+      return unless load? and io.respond_to? :puts
+      @dumper.x(count, *commands, io: io)
+    end
+
+    # Gdb-like command.
+    #
+    # Search a specific value/string/regexp in memory.
+    # <tt>#find</tt> only return the first matched address, if want to find all adress, use <tt>#find_all</tt> instead.
+    # @param [Integer, String, Regexp] pattern The desired search pattern, can be value(<tt>Integer</tt>), string, or regular expression.
+    # @param [Integer, String, Symbol] from Start address for searching, can be segment(<tt>Symbol</tt>) or segments with offset. See examples for more information.
+    # @param [Integer] length The search length limit, default is unlimited, which will search until pattern found or reach unreadable memory.
+    # @return [Integer, NilClass] The first matched address, <tt>nil</tt> is returned when no such pattern found.
+    # @example
+    #   h.find(0xdeadbeef, :heap)
+    #   h.find(0xdeadbeef, 'heap+0x10', 0x1000)
+    def find(pattern, from, length = :unlimited)
+      return Nil.new unless load?
+      length = 1 << 40 if length.is_a? Symbol
+      @dumper.find(pattern, from, length)
+    end
+
+    # <tt>search</tt> is more intutive to me
+    alias :search :find
+
+    # Pretty dump of bins layouts.
+    #
+    # The request layouts will output to <tt>stdout</tt> by default.
+    # @param [Array<Symbol>] args Bin type(s) you want to see.
+    # @param [IO] io <tt>IO</tt> that use for printing, default is <tt>$stdout</tt>
+    # @return [NilClass] The return value of <tt>io.puts</tt>.
+    # @example
+    #   h.layouts :fastbin, :unsorted_bin, :smallbin
+    def layouts(*args, io: $stdout)
+      return unless load? and io.respond_to? :puts
+      io.puts self.libc.main_arena.layouts(*args)
+    end
+
+    # Show simple information of target process.
+    # Contains program names, pid, and segments' info.
+    #
+    # @return [String]
+    # @example
+    #   puts h
+    def to_s
+      return "Process not found" unless load?
+      "Program: #{Helper.color program.name} PID: #{Helper.color pid}\n" +
+      program.to_s +
+      heap.to_s + 
+      stack.to_s +
+      libc.to_s +
+      ld.to_s
+    end
+
+  private
+    attr_reader :dumper
+    def load?
+      @pid != nil
+    end
+
+    def load! # force load is not efficient
+      @pid = fetch_pid
+      return false if @pid.nil? # still can't load
+      load_status @options
+      true
+    end
+
+    def fetch_pid
+      pid = nil
+      if @prog.is_a? String
+        pid = Helper.pidof @prog
+      elsif @prog.is_a? Integer
+        pid = @prog
+      end
+      pid
+    end
+
+    def load_status(options)
+      elf  = Helper.exe_of pid
+      maps = Helper.parse_maps Helper.maps_of pid
+      @status = {
+        program: Segment.find(maps, File.readlink("/proc/#{pid}/exe")),
+        libc:    Libc.find(maps, match_maps(maps, options[:libc]), self),
+        heap:    Segment.find(maps, '[heap]'),
+        stack:   Segment.find(maps, '[stack]'),
+        ld:      Segment.find(maps, match_maps(maps, options[:ld])),
+        bits:    bits_of(elf),
+      }
+      @status[:elf] = @status[:program] #alias
+      @status.keys.each do |m|
+        self.class.send(:define_method, m) {@status[m]}
+      end
+      @dumper = Dumper.new(@status, mem_filename)
+    end
+    def match_maps(maps, pattern)
+      maps.map{|s| s[3]}.find{|seg| pattern.is_a?(Regexp) ? seg =~ pattern : seg.include?(pattern)}
+    end
+    def bits_of(elf)
+      elf[4] == "\x01" ? 32 : 64
+    end
+    def mem_filename
+      "/proc/#{pid}/mem"
+    end
+  end
+end

data/lib/heapinfo/segment.rb

@@ -0,0 +1,34 @@
+module HeapInfo
+  class Segment
+
+    # Base address of segment
+    attr_reader :base
+    # Name of segment
+    attr_reader :name
+    # Instantiate a <tt>HeapInfo::Segment</tt> object
+    # @param [Integer] base Base address
+    # @param [String] name Name of segment
+    def initialize(base, name)
+      @base = base
+      @name = name
+    end
+
+    # Hook <tt>#to_s</tt> for pretty printing
+    # @return [String] Information of name and base address wrapper with color codes.
+    def to_s
+      "%-28s\tbase @ #{Helper.color("%#x" % base)}\n" % Helper.color(name.split('/')[-1])
+    end
+
+    # Helper for create an <tt>Segment</tt>
+    #
+    # Search the specific <tt>pattern</tt> in <tt>maps</tt> and return a <tt>HeapInfo::Segment</tt> object.
+    #
+    # @param [Array] maps <tt>maps</tt> is in the form of the return value of <tt>HeapInfo::Helper.parse_maps</tt>
+    # @param [Regexp, String] pattern The segment name want to match in maps. If <tt>String</tt> is given, the pattern is matched as a substring.
+    # @return [HeapInfo::Segment, NilClass] The request <tt>Segment</tt> object. If the pattern is not matched, <tt>nil</tt> will be returned.
+    def self.find(maps, pattern)
+      needs = maps.select{|m| pattern.is_a?(Regexp) ? m[3] =~ pattern : m[3].include?(pattern)}
+      self.new needs.map{|m| m[0]}.min, needs[0][3] unless needs.empty?
+    end
+  end
+end

data/lib/heapinfo/tools/get_arena.c

@@ -0,0 +1,29 @@
+/*
+ @author: david942j
+ use for get libc's main_arena offset
+ Sample Usage
+ > ./get_arena
+ > LD_LIBRARY_PATH=. ./get_arena
+ > ./ld-linux.so.2 --library-path . ./get_arena
+ */
+#include <stdlib.h>
+#include <stdio.h>
+#include <stddef.h>
+#define SZ sizeof(size_t)
+#define PAGE_SIZE 0x1000
+void *search_head(size_t e) {
+  e = (e >> 12) << 12;
+  while(strncmp((void*)e, "\177ELF", 4)) e -= PAGE_SIZE;
+  return (void*) e;
+}
+int main() {
+  void **p = (void**)malloc(SZ*16); // small bin with chunk size SZ*18
+  void *z = malloc(SZ); // prevent p merge with top chunk
+  *p = z; // prevent compiler optimize
+  free(p); // now *p must be the pointer of the (chunk_ptr) unsorted bin
+  //TODO: check if this offset change in different version glibc
+  z = (void*)((*p) - (4 + 4 + SZ * 10 )); // mutex+flags+fastbin[]
+  void* a = search_head((size_t)__builtin_return_address(0));
+  printf("%p\n", z-a);
+  return 0;
+}

data/lib/heapinfo/version.rb

@@ -0,0 +1,3 @@
+module HeapInfo
+  VERSION = '0.0.0'.freeze
+end

data/spec/chunk_spec.rb

@@ -0,0 +1,40 @@
+# encoding: ascii-8bit
+require 'heapinfo'
+describe HeapInfo::Chunk do
+  describe '32bit' do
+    before(:all) do
+      @fast = [0, 0x47, 0x1337].pack("L*").to_chunk(bits: 32)
+      @small = [0, 0x48, 0xabcdef].pack("L*").to_chunk(bits: 32)
+    end
+    it 'basic' do
+      expect(@fast.size_t).to be 4
+      expect(@fast.size).to be 0x40
+      expect(@fast.flags).to eq [:non_main_arena, :mmapped, :prev_inuse]
+      expect(@fast.bintype).to eq :fast
+      expect(@fast.data).to eq [0x1337].pack("L*")
+      expect(@small.bintype).to eq :small
+    end
+
+    it 'to_s' do
+      expect(@small.to_s).to eq "\e[38;5;155m#<HeapInfo::Chunk:0>\n\e[0mflags = []\nsize = \e[38;5;12m0x48\e[0m (small)\nprev_size = \e[38;5;12m0\e[0m\ndata = \e[38;5;1m\"\\xEF\\xCD\\xAB\\x00\"\e[0m...\n"
+    end
+  end
+
+  describe '64bit' do
+    before(:all) do
+      @fast = [0, 0x87, 0x1337].pack("Q*").to_chunk # default 64bits
+      @small = [0, 0x90, 0xdead].pack("Q*").to_chunk
+    end
+    it 'basic' do
+      expect(@fast.size_t).to be 8
+      expect(@fast.size).to be 0x80
+      expect(@fast.flags).to eq [:non_main_arena, :mmapped, :prev_inuse]
+      expect(@fast.bintype).to eq :fast
+      expect(@fast.data).to eq [0x1337].pack("Q*")
+      expect(@small.bintype).to eq :small
+    end
+    it 'to_s' do
+      expect(@small.to_s).to eq "\e[38;5;155m#<HeapInfo::Chunk:0>\n\e[0mflags = []\nsize = \e[38;5;12m0x90\e[0m (small)\nprev_size = \e[38;5;12m0\e[0m\ndata = \e[38;5;1m\"\\xAD\\xDE\\x00\\x00\\x00\\x00\\x00\\x00\"\e[0m...\n"
+    end
+  end
+end

data/spec/chunks_spec.rb

@@ -0,0 +1,25 @@
+# encoding: ascii-8bit
+require 'heapinfo'
+describe HeapInfo::Chunks do
+  before(:each) do
+    @chunks = HeapInfo::Chunks.new
+    @chunks << 0; @chunks << 1; @chunks << 2
+  end
+  it '<<' do
+    expect(@chunks.size).to be 3
+    @chunks << ("\x00"*16).to_chunk
+    expect(@chunks.size).to be 4
+  end
+  it 'each' do
+    @chunks.each_with_index{|c, idx|
+      expect(c).to be idx
+    }
+  end
+  it 'to_s' do
+    expect(@chunks.to_s).to eq @chunks.instance_variable_get(:@chunks).map(&:to_s).join("\n")
+  end
+  it 'size' do
+    expect(@chunks.size).to eq @chunks.instance_variable_get(:@chunks).size
+    expect(@chunks.length).to eq @chunks.instance_variable_get(:@chunks).length
+  end
+end

data/spec/dumper_spec.rb

@@ -0,0 +1,79 @@
+# encoding: ascii-8bit
+require 'heapinfo'
+describe HeapInfo::Dumper do
+  describe 'dump' do
+    before(:each) do
+      @mem_filename = '/proc/self/mem'
+    end
+    it 'simple' do
+      dumper = HeapInfo::Dumper.new(nil, @mem_filename)
+      expect(dumper.dump(0x400000, 4)).to eq "\x7fELF"
+    end
+    it 'segment' do
+      segments = {elf: HeapInfo::Segment.new(0x400000, 'elf')}
+      dumper = HeapInfo::Dumper.new(segments, @mem_filename)
+      expect(dumper.dump(:elf, 4)).to eq "\x7fELF"
+    end
+    it 'invalid' do
+      dumper = HeapInfo::Dumper.new({}, @mem_filename)
+      expect(dumper.dump(:zzz, 1)).to be nil
+      expect(dumper.dump(0x12345, 1)).to be nil
+    end
+  end
+
+  it 'dumpable?' do
+    dumper = HeapInfo::Dumper.new({}, '/proc/self/mem')
+    expect(dumper.send(:dumpable?)).to be true
+    # a little hack
+    dumper.instance_variable_set(:@filename, '/proc/1/mem')
+    expect(dumper.send(:dumpable?)).to be false
+    expect(dumper.dump).to be nil # show need permission
+    dumper.instance_variable_set(:@filename, '/proc/-1/mem')
+    expect {dumper.send(:dumpable?)}.to raise_error ArgumentError
+  end
+
+  describe 'find' do
+    before(:all) do
+      @dumper = HeapInfo::Dumper.new({elf: HeapInfo::Segment.new(0x400000, ''), bits: 64}, '/proc/self/mem')
+    end
+    it 'simple' do
+      expect(@dumper.find("ELF", :elf, 4)).to eq 0x400001
+      expect(@dumper.find("ELF", :elf, 3)).to be nil
+    end
+    it 'regexp' do
+      addr = @dumper.find(/ru.y/, :elf, 0x1000)
+      expect(@dumper.dump(addr, 4) =~ /ru.y/).to eq 0
+    end
+    it 'invalid' do
+      expect(@dumper.find(nil, :elf, 1)).to be nil
+    end
+    it 'parser' do
+      expect(@dumper.find("ELF", ':elf + 1', 3)).to eq 0x400001
+    end
+  end
+
+  describe 'parse_cmd' do
+    it 'normal' do
+      expect(HeapInfo::Dumper.parse_cmd [0x30]).to eq [0x30, 0, 8]
+      expect(HeapInfo::Dumper.parse_cmd [0x30, 3]).to eq [0x30, 0, 3]
+      expect(HeapInfo::Dumper.parse_cmd [0x30, 2, 3]).to eq [0x30, 2, 3]
+    end
+    it 'symbol' do
+      expect(HeapInfo::Dumper.parse_cmd [:heap]).to eq [:heap,0 , 8]
+      expect(HeapInfo::Dumper.parse_cmd [:heap, 10]).to eq [:heap,0 , 10]
+      expect(HeapInfo::Dumper.parse_cmd [:heap, 3, 10]).to eq [:heap,3 , 10]
+    end 
+    it 'string' do
+      expect(HeapInfo::Dumper.parse_cmd ['heap']).to eq [:heap, 0, 8]
+      expect(HeapInfo::Dumper.parse_cmd ['heap, 10']).to eq [:heap, 0, 10]
+      expect(HeapInfo::Dumper.parse_cmd ['heap, 0x33, 10']).to eq [:heap, 51, 10]
+      expect(HeapInfo::Dumper.parse_cmd ['heap+0x15, 10']).to eq [:heap, 0x15, 10]
+      expect(HeapInfo::Dumper.parse_cmd ['heap + 0x15, 10']).to eq [:heap, 0x15, 10]
+      expect(HeapInfo::Dumper.parse_cmd ['heap +  0x15']).to eq [:heap, 0x15, 8]
+    end
+    it 'mixed' do
+      expect(HeapInfo::Dumper.parse_cmd ['heap+ 0x10', 10]).to eq [:heap, 0x10, 10]
+      expect(HeapInfo::Dumper.parse_cmd ['heap', 10]).to eq [:heap, 0, 10]
+    end
+  end
+end

data/spec/files/32bit_maps

@@ -0,0 +1,23 @@
+08048000-08049000 r-xp 00000000 ca:01 464143                             /home/heapinfo/examples/uaf/uaf
+08049000-0804a000 r--p 00000000 ca:01 464143                             /home/heapinfo/examples/uaf/uaf
+0804a000-0804b000 rw-p 00001000 ca:01 464143                             /home/heapinfo/examples/uaf/uaf
+f73d4000-f73d7000 rw-p 00000000 00:00 0
+f73d7000-f73f3000 r-xp 00000000 ca:01 160460                             /usr/lib32/libgcc_s.so.1
+f73f3000-f73f4000 rw-p 0001b000 ca:01 160460                             /usr/lib32/libgcc_s.so.1
+f73f4000-f7438000 r-xp 00000000 ca:01 402366                             /lib32/libm-2.19.so
+f7438000-f7439000 r--p 00043000 ca:01 402366                             /lib32/libm-2.19.so
+f7439000-f743a000 rw-p 00044000 ca:01 402366                             /lib32/libm-2.19.so
+f743a000-f75df000 r-xp 00000000 ca:01 463662                             /lib32/libc-2.19.so
+f75df000-f75e1000 r--p 001a5000 ca:01 463662                             /lib32/libc-2.19.so
+f75e1000-f75e2000 rw-p 001a7000 ca:01 463662                             /lib32/libc-2.19.so
+f75e2000-f75e5000 rw-p 00000000 00:00 0
+f75e5000-f76c1000 r-xp 00000000 ca:01 137147                             /usr/lib32/libstdc++.so.6.0.19
+f76c1000-f76c5000 r--p 000dc000 ca:01 137147                             /usr/lib32/libstdc++.so.6.0.19
+f76c5000-f76c6000 rw-p 000e0000 ca:01 137147                             /usr/lib32/libstdc++.so.6.0.19
+f76c6000-f76ce000 rw-p 00000000 00:00 0
+f76db000-f76dd000 rw-p 00000000 00:00 0
+f76dd000-f76de000 r-xp 00000000 00:00 0                                  [vdso]
+f76de000-f76fe000 r-xp 00000000 ca:01 463655                             /lib32/ld-2.19.so
+f76fe000-f76ff000 r--p 0001f000 ca:01 463655                             /lib32/ld-2.19.so
+f76ff000-f7700000 rw-p 00020000 ca:01 463655                             /lib32/ld-2.19.so
+ffdd7000-ffdf8000 rw-p 00000000 00:00 0                                  [stack]