heapinfo 0.0.3 → 0.0.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: e90a4db825f5e6b53989edc82441a0800d13aaa7
-  data.tar.gz: f638662fb165a7c884c5427b378cfac091ebe83a
+  metadata.gz: 3afc942b75cd48a72f4d699b68423d2b6e23ff01
+  data.tar.gz: 69bbf96563700cdf3275b680229f65c6ba20e8e5
 SHA512:
-  metadata.gz: f2356a124a5a9480e2e170f6abb2ee782f671734d4e7edbe2f15f47f690609a40580ac1d3d8f027342d03a82901c996b32d9dc21dccb4473105f027814149503
-  data.tar.gz: 3e3df55aca650bf6c8277185afdf56bb3f9c4e3ded9ec444af64f6159302aa9eb5d001da0f3f7dac82d174348c5e8af5b4340abfa1a5cca6f205a7936fa640b0
+  metadata.gz: c3cceb98b2e06f7c02a6ce16c9d9322de0a554742a213aeb26e8e7dce945fb35f9e425cf2e316e9317128df0ef061317c57fbcf449842888c9a35886c6549783
+  data.tar.gz: b1285f36856258f0834707b54252cc2989050fc72f99a9ebead0fadc565ab10e0e090fe03bbd42bb1c3ebd6e52c293ea1ef49e237451dcc81f33d43d9f5f30ac

data/lib/heapinfo/arena.rb

@@ -35,7 +35,10 @@ module HeapInfo
       return self if top_ptr == 0 # arena not init yet
       @top_chunk = Chunk.new size_t, top_ptr, @dumper
       @last_remainder = Chunk.new size_t, top_ptr_offset + 8, @dumper
-      @system_mem = Helper.unpack(size_t, @dumper.call(top_ptr_offset + 258 * size_t + 16, size_t))
+      # this offset diff after 2.23
+      @system_mem = 2.times.map do |off|
+        Helper.unpack(size_t, @dumper.call(top_ptr_offset + 258 * size_t + 16 + off * size_t, size_t))
+      end.find { |val| val >= 0x21000 and (val & 0xfff) == 0 }
       @fastbin = Array.new(7) do |idx|
         f = Fastbin.new(size_t, @base + 8 - size_t * 2 + size_t * idx, @dumper, head: true)
         f.index = idx

data/lib/heapinfo/version.rb

@@ -1,3 +1,3 @@
 module HeapInfo
-  VERSION = '0.0.3'.freeze
+  VERSION = '0.0.4'.freeze
 end

data/spec/dumper_spec.rb

@@ -1,17 +1,31 @@
 # encoding: ascii-8bit
 require 'heapinfo'
 describe HeapInfo::Dumper do
+  before(:all) do
+    @self_maps = IO.binread('/proc/self/maps').lines.map do |seg|
+      s = seg.split(/\s/)
+      s[0] = s[0].split('-').map { |addr| addr.to_i(16) }
+      [s[0][0], s[0][1], s[1], s[-1]] # start, end, perm, name
+    end
+
+    @get_elf_base = ->() do
+      exe = File.readlink('/proc/self/exe')
+      @self_maps.find { |arr| arr[3] == exe }[0]
+    end
+  end
+
   describe 'dump' do
     before(:each) do
       @mem_filename = '/proc/self/mem'
+      @elf_base = @get_elf_base.call
     end
     it 'simple' do
       dumper = HeapInfo::Dumper.new(nil, @mem_filename)
-      expect(dumper.dump(0x400000, 4)).to eq "\x7fELF"
+      expect(dumper.dump(@elf_base, 4)).to eq "\x7fELF"
     end
     it 'segment' do
-      class S;def elf; HeapInfo::Segment.new(0x400000, 'elf'); end; end
-      dumper = HeapInfo::Dumper.new(S.new, @mem_filename)
+      class S;def initialize(base);@base = base;end; def elf; HeapInfo::Segment.new(@base, 'elf'); end; end
+      dumper = HeapInfo::Dumper.new(S.new(@elf_base), @mem_filename)
       expect(dumper.dump(:elf, 4)).to eq "\x7fELF"
     end
     it 'invalid' do
@@ -34,26 +48,33 @@ describe HeapInfo::Dumper do
 
   describe 'find' do
     before(:all) do
-      class S;def elf; HeapInfo::Segment.new(0x400000, ''); end; def bits; 64; end; end
-      @dumper = HeapInfo::Dumper.new(S.new, '/proc/self/mem')
+      @elf_base = @get_elf_base.call
+      class S; def bits; 64; end; end
+      @dumper = HeapInfo::Dumper.new(S.new(@elf_base), '/proc/self/mem')
+      @end_of_maps = ->() do
+        @self_maps.find.with_index do |seg, i|
+          seg[2].include?('r') and seg[1] != @self_maps[i][0] # incontinuously segment
+        end[1]
+      end
     end
     it 'simple' do
-      expect(@dumper.find("ELF", :elf, 4)).to eq 0x400001
+      expect(@dumper.find("ELF", :elf, 4)).to eq @elf_base + 1
       expect(@dumper.find("ELF", :elf, 3)).to be nil
     end
     it 'regexp' do
-      addr = @dumper.find(/ru.y/, :elf, 0x1000)
-      expect(@dumper.dump(addr, 4) =~ /ru.y/).to eq 0
+      addr = @dumper.find(/lin.x/, :elf, 0x1000)
+      expect(@dumper.dump(addr, 5) =~ /lin.x/).to eq 0
     end
     it 'invalid' do
       expect(@dumper.find(nil, :elf, 1)).to be nil
     end
     it 'parser' do
-      expect(@dumper.find("ELF", ':elf + 1', 3)).to eq 0x400001
+      expect(@dumper.find("ELF", ':elf + 1', 3)).to eq @elf_base + 1
     end
     it 'reach end' do
+      mem = @end_of_maps.call
       # check dumper won't return nil when remain readable memory less than one page
-      expect(@dumper.find("\x00", 0x601010, 0x1000).nil?).to be false
+      expect(@dumper.find("\x00", mem - 0xff0, 0x1000).nil?).to be false
     end
   end
 

data/spec/files/victim.cpp

@@ -28,5 +28,6 @@ int main(int argc, char **argv) {
   v = malloc(152); // let 136 put into smallbin
   malloc(200); // to prevent merge with top_chunk
   free(v); // put into unsorted bin 
-  scanf("%*c");
+  char dummy;
+  read(0, &dummy, 1); // function which not use heap
 }

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: heapinfo
 version: !ruby/object:Gem::Version
-  version: 0.0.3
+  version: 0.0.4
 platform: ruby
 authors:
 - david942j
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-12-20 00:00:00.000000000 Z
+date: 2016-12-28 00:00:00.000000000 Z
 dependencies: []
 description: create an interactive memory info interface while pwn / exploiting
 email: