heapinfo 1.0.1 → 1.0.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: d934f5ad5614d320a103119b23a48312b5034598
-  data.tar.gz: 188ca4fe298b9859cbd546397d1176836a92e967
+  metadata.gz: 961ba248f261232617b7ed7ee649fd3fc21b72b9
+  data.tar.gz: 7bffd6cf6c33d2a6868ec59ba9d8b3509ab1512f
 SHA512:
-  metadata.gz: 3051a5f8568e6a57d48ea2604193710a635c1fbd0c880b7a3e971b3608869e4c3d34e34a4c69886f422c0fe96e941c6be2c8d1f8d7a113759d244a6c739d1266
-  data.tar.gz: 8a441e5ed3acebf552a047123d897fcaafd7b31117b26e07a5d2499d4e298da1baabd271517b84a065225e3fd47a1547da26da6796fb85763a1a2417adcf5f71
+  metadata.gz: 13d13edbcaab506b3b9044894f51bf10f5b9a32eb2e10d81a397f913a2488b947877d1d3747e1cb8d02f3f8304aa7c59e44f20ee3009bce20c7cd8c7f47ca658
+  data.tar.gz: 6680a5c6ab2a2483acbd0317d2dc3bf3871800d66136cd2d4263a23cff4b5367b5c10901e0788e21b3b4dc8af675fab1b270f1ac57d7d8c9bc1bea0162fb5b4a

data/README.md

@@ -9,6 +9,10 @@
 ## HeapInfo
 As pwn lovers, while playing CTF with heap exploitation, we always need a debugger (e.g. gdb) for tracking memory layout. But we don't really need gdb if we want to see whether the heap layout same as our imagine or not. Hope this small tool helps us exploit easier ;).
 
+#### Why
+**HeapInfo** is very helpful when binary has somehow anti-debugger limitations, e.g being ptraced.
+**HeapInfo** still works because it doesn't use ptrace.
+
 Implement with ruby because I love ruby :P. But might also implement with Python (if no others did) in the future.
 
 If you prefer [pwntools](https://github.com/Gallopsled/pwntools) for exploiting, you can still use **HeapInfo** in irb/pry as a small debugger.
@@ -30,12 +34,13 @@ $ gem install heapinfo
 * `dump` - Dump arbitrarily address memory.
 * `layouts` - Show the current bin layouts, very useful for heap exploitation.
 * `offset` - Show the offset between given address and segment. Very useful for calculating relative offset.
+* `canary` - Fetch the value of stack guard!
 * `x` - Provide gdb-like commands.
 * `find` - Provide gdb-like commands.
 * More features and details can be found in [RDoc](http://www.rubydoc.info/github/david942j/heapinfo/master/)
 
 ### Under developing
-* `free` - Show what will happend when `free` an address.
+* `free` - Show what will happend when calling `glibc#free` an address.
 
 ## Usage
 
@@ -45,7 +50,7 @@ $ gem install heapinfo
 require 'heapinfo'
 # ./victim is running
 h = heapinfo('victim') 
-# or use h = heapinfo(20568) to prevent multi processes exist
+# or use h = heapinfo(20568) to specific pid
 
 # will present simple info when loading:
 # Program: /home/heapinfo/victim PID: 20568
@@ -54,16 +59,17 @@ h = heapinfo('victim')
 # [stack]         base @ 0x7fff2b244000
 # libc-2.19.so    base @ 0x7f892a63a000
 # ld-2.19.so      base @ 0x7f892bee6000
+# canary          value: 0x84b742f03d94c100
 
 # query segments' info
 "%#x" % h.libc.base
-# => "0x7f892a63a000"
+#=> "0x7f892a63a000"
 h.libc.name
-# => "/lib/x86_64-linux-gnu/libc-2.19.so"
+#=> "/lib/x86_64-linux-gnu/libc-2.19.so"
 "%#x" % h.elf.base
-# => "0x400000"
+#=> "0x400000"
 "%#x" % h.heap.base
-# => "0x11cc000"
+#=> "0x11cc000"
 ```
 
 NOTICE: While the process is not found, most methods will return `nil`. One way to prevent some error happend is to wrapper methods within `debug`, the block will be ignored while doing remote exploitation.
@@ -87,17 +93,17 @@ i.e. `/proc/sys/kernel/yama/ptrace_scope` set to 0 or run as root.
 ```ruby
 h.debug do
   p h.dump(:libc, 8)
-  # => "\x7FELF\x02\x01\x01\x00"
+  #=> "\x7FELF\x02\x01\x01\x00"
   p h.dump(:heap, 16)
-  # => "\x00\x00\x00\x00\x00\x00\x00\x00\x31\x00\x00\x00\x00\x00\x00\x00"
+  #=> "\x00\x00\x00\x00\x00\x00\x00\x00\x31\x00\x00\x00\x00\x00\x00\x00"
   p h.dump('heap+0x30', 16) # support offset!
-  # => "\x00\x00\x00\x00\x00\x00\x00\x00\x81\x00\x00\x00\x00\x00\x00\x00"
+  #=> "\x00\x00\x00\x00\x00\x00\x00\x00\x81\x00\x00\x00\x00\x00\x00\x00"
   p h.dump('heap+0x30 * 3 + 0x8', 16) # and even complex formula!
-  # => "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+  #=> "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
   p h.dump(:program, 8)
-  # => "\x7FELF\x02\x01\x01\x00"
+  #=> "\x7FELF\x02\x01\x01\x00"
   p h.dump(0x400000, 8) # or simply give address
-  # => "\x7FELF\x02\x01\x01\x00"
+  #=> "\x7FELF\x02\x01\x01\x00"
 end
 
 # invalid example:
@@ -126,6 +132,12 @@ h.offset(0x1839cd0)
 ```
 ![offset](https://github.com/david942j/heapinfo/blob/master/examples/offset.png?raw=true)
 
+#### canary
+```ruby
+h.canary.to_s(16)
+#=> '84b742f03d94c100'
+```
+
 #### x - gdb-like command
 ```ruby
 h.x 8, :heap
@@ -139,11 +151,11 @@ Support search integer, string, and even regular expression.
 
 ```ruby
 h.find(0xdeadbeef, 'heap+0x10', 0x1000)
-# => 6299664 # 0x602010
+#=> 6299664 # 0x602010
 h.find(/E.F/, 0x400000, 4)
-# => 4194305 # 0x400001
+#=> 4194305 # 0x400001
 h.find(/E.F/, 0x400000, 3)
-# => nil
+#=> nil
 h.offset(h.find('/bin/sh', :libc))
 # 0x18c177 after libc
 ```
@@ -153,3 +165,4 @@ h.offset(h.find('/bin/sh', :libc))
 * libc-2.19
 * libc-2.23
 * libc-2.24
+* libc-2.25

data/lib/heapinfo.rb

@@ -20,8 +20,7 @@ module HeapInfo
   #   The program name of victim. If a number is given, seem as pid (useful when multi-processes exist).
   # @param [Hash] options Give library's file name.
   # @option options [String, Regexp] :libc file name of glibc, default is +/bc[^a-z]*\.so/+.
-  # @option options [String, Regexp] :ld file name of dynamic linker/loader, default is +/\/ld-.+\.so/+.
-  # @return [HeapInfo::Process] The object for further usage
+  # @return [HeapInfo::Process] The object for further usage.
   # @example
   #   h = heapinfo './victim'
   #   # outputs:
@@ -31,18 +30,21 @@ module HeapInfo
   #   # [stack]         base @ 0x7fff2b244000
   #   # libc-2.19.so    base @ 0x7f892a63a000
   #   # ld-2.19.so      base @ 0x7f892bee6000
+  #   # canary          value: 0x84b742f03d94c100
   #   p h.libc.name
-  #   # => "/lib/x86_64-linux-gnu/libc-2.19.so"
+  #   #=> "/lib/x86_64-linux-gnu/libc-2.19.so"
   #   p h.ld.name
-  #   # => "/lib/x86_64-linux-gnu/ld-2.19.so"
+  #   #=> "/lib/x86_64-linux-gnu/ld-2.19.so"
+  #   p h.heap.base.to_s(16)
+  #   #=> '11cc000'
   #
   # @example
-  #   h = heapinfo(27605, libc: 'libc.so.6', ld: 'ld-linux-x86-64.so.2')
+  #   h = heapinfo(27605, libc: 'libc.so.6')
   #   # pid 27605 is run by custom loader
   #   p h.libc.name
-  #   # => "/home/heapinfo/libc.so.6"
+  #   #=> "/home/heapinfo/libc.so.6"
   #   p h.ld.name
-  #   # => "/home/heapinfo/ld-linux-x86-64.so.2"
+  #   #=> "/home/heapinfo/ld-linux-x86-64.so.2"
   def self.heapinfo(prog, options = {})
     h = HeapInfo::Process.new(prog, options)
     puts h

data/lib/heapinfo/chunk.rb

@@ -92,19 +92,19 @@ module HeapInfo
     # @return [Symbol] Bin type is simply determined according to +#size+
     # @example
     #   [c.size, c.size_t]
-    #   # => [80, 8]
+    #   #=> [80, 8]
     #   c.bintype
-    #   # => :fast
+    #   #=> :fast
     # @example
     #   [c.size, c.size_t]
-    #   # => [80, 4]
+    #   #=> [80, 4]
     #   c.bintype
-    #   # => :small
+    #   #=> :small
     # @example
     #   c.size
-    #   # => 135168
+    #   #=> 135168
     #   c.bintype
-    #   # => :mmap
+    #   #=> :mmap
     def bintype
       sz = size
       return :unknown if sz < @size_t * 4

data/lib/heapinfo/dumper.rb

@@ -21,7 +21,7 @@ module HeapInfo
     # @return [String, nil] Dump results. If error happend, +nil+ is returned.
     # @example
     #   p dump(:elf, 4)
-    #   # => "\x7fELF"
+    #   #=> "\x7fELF"
     def dump(*args)
       return need_permission unless dumpable?
       base, len = base_len_of(*args)
@@ -78,11 +78,11 @@ module HeapInfo
     # @return [Integer, nil] The first matched address, +nil+ is returned when no such pattern found.
     # @example
     #   find(/E.F/, :elf)
-    #   # => 4194305
+    #   #=> 4194305
     #   find(0x4141414141414141, 'heap+0x10', 0x1000)
-    #   # => 6291472
+    #   #=> 6291472
     #   find('/bin/sh', :libc)
-    #   # => 140662379588827
+    #   #=> 140662379588827
     def find(pattern, from, length)
       from = base_of(from)
       length = 1 << 40 if length.is_a? Symbol

data/lib/heapinfo/glibc/free.rb

@@ -1,11 +1,11 @@
-# Implment glibc's free-related functions
-# [Reference](https://code.woboq.org/userspace/glibc/malloc/malloc.c.html)
 module HeapInfo
   # Implement free-related functions.
   module Glibc
-    # Implmentation of <tt>void __libc_free(void *mem)</tt>.
-    # [glibc-2.23](https://github.com/david942j/heapinfo/blob/master/examples/libcdb/libc-2.23/malloc.c#L2934) or
-    # [Online Source](https://code.woboq.org/userspace/glibc/malloc/malloc.c.html#__libc_free)
+    # Implmentation of +void __libc_free(void *mem)+.
+    #
+    # Reference:
+    # {https://github.com/david942j/heapinfo/blob/master/examples/libcdb/libc-2.23/malloc.c#L2934 glibc-2.23}
+    # and {https://code.woboq.org/userspace/glibc/malloc/malloc.c.html#__libc_free Online Source}
     # @param [Integer] mem Memory address to be free.
     def libc_free(mem)
       # TODO: free_hook
@@ -21,8 +21,6 @@ module HeapInfo
     private
 
     # Implmentation of <tt>void _int_free (mstate av, mchunkptr p, [int have_lock])</tt>.
-    # [glibc-2.23](https://github.com/david942j/heapinfo/blob/master/examples/libcdb/libc-2.23/malloc.c#L2934) or
-    # [Online Source](https://code.woboq.org/userspace/glibc/malloc/malloc.c.html#__libc_free)
     #
     # The original method in C is too long, split to multiple methods to match ruby convention.
     # @param [HeapInfo::Arena] av

data/lib/heapinfo/helper.rb

@@ -5,7 +5,7 @@ module HeapInfo
   # Some helper functions.
   module Helper
     # Create read +/proc/[pid]/*+ methods.
-    %w(exe maps).each do |method|
+    %w(exe maps auxv).each do |method|
       define_singleton_method("#{method}_of".to_sym) do |pid|
         begin
           IO.binread("/proc/#{pid}/#{method}")
@@ -65,12 +65,12 @@ module HeapInfo
       # Color codes for pretty print.
       COLOR_CODE = {
         esc_m: "\e[0m",
-        normal_s: "\e[31m", # red
-        integer: "\e[1m\e[34m", # light blue
+        normal_s: "\e[38;5;209m", # red
+        integer: "\e[38;5;153m", # light blue
         fatal: "\e[38;5;197m", # dark red
         bin: "\e[38;5;120m", # light green
-        klass: "\e[38;5;155m", # pry like
-        sym: "\e[33m", # pry like
+        klass: "\e[38;5;155m",
+        sym: "\e[38;5;230m"
       }.freeze
       # Wrapper color codes for pretty inspect.
       # @param [String] s Contents for wrapper.
@@ -110,7 +110,7 @@ module HeapInfo
       # @param [Integer] num Non-negative integer.
       # @return [String] number in hex format.
       # @example
-      #   HeapInfo::Helper.hex(1000) # => '0x3e8'
+      #   HeapInfo::Helper.hex(1000) #=> '0x3e8'
       def hex(num)
         return format('0x%x', num) if num >= 0
         format('-0x%x', -num)
@@ -122,7 +122,7 @@ module HeapInfo
       # @example
       #   # suppose obj is an instance of HeapInfo::Chunk
       #   Helper.class_name(obj)
-      #   # => 'Chunk'
+      #   #=> 'Chunk'
       def class_name(obj)
         obj.class.name.split('::').last || obj.class.name
       end
@@ -132,11 +132,11 @@ module HeapInfo
       # @return [Boolean] If +str+ can be converted into integer.
       # @example
       #   Helper.integer? '1234'
-      #   # => true
+      #   #=> true
       #   Helper.integer? '0x1234'
-      #   # => true
+      #   #=> true
       #   Helper.integer? '0xheapoverflow'
-      #   # => false
+      #   #=> false
       def integer?(str)
         true if Integer(str)
       rescue ArgumentError, TypeError

data/lib/heapinfo/nil.rb

@@ -13,7 +13,7 @@ module HeapInfo
     # @example
     #   # h.dump would return Nil when process not found
     #   p h.dump(:heap)[8, 8].unpack('Q*')
-    #   # => nil
+    #   #=> nil
     def method_missing(method_sym, *args, &block)
       return nil.send(method_sym, *args, &block) if nil.respond_to?(method_sym)
       self || super

data/lib/heapinfo/process.rb

@@ -3,22 +3,21 @@ module HeapInfo
   # Main class of heapinfo.
   class Process
     # The default options of libraries,
-    # use for matching glibc and ld segments in +/proc/[pid]/maps+.
+    # use for matching glibc segments in +/proc/[pid]/maps+.
     DEFAULT_LIB = {
-      libc: /bc[^a-z]*\.so/,
-      ld:   %r{/ld-.+\.so}
+      libc: /bc[^a-z]*\.so/
     }.freeze
-    # @return [Integer, nil] return the pid of process, +nil+ if no such process found
+    # @return [Integer, nil] The pid of process, +nil+ if no such process found.
     attr_reader :pid
 
     # Instantiate a {HeapInfo::Process} object.
-    # @param [String, Integer] prog Process name or pid, see {HeapInfo::heapinfo} for more information
-    # @param [Hash{Symbol => Regexp, String}] options libraries' filename, see {HeapInfo::heapinfo} for more information
+    # @param [String, Integer] prog Process name or pid, see {HeapInfo::heapinfo} for more information.
+    # @param [Hash{Symbol => Regexp, String}] options
+    #   Libraries' filename, see {HeapInfo::heapinfo} for more information.
     def initialize(prog, options = {})
       @prog = prog
       @options = DEFAULT_LIB.merge options
       load!
-      return unless load?
     end
 
     # Reload a new process with same program name
@@ -157,13 +156,13 @@ module HeapInfo
     # @return [Integer, nil] The first matched address, +nil+ is returned when no such pattern found.
     # @example
     #   h.find(0xdeadbeef, 'heap+0x10', 0x1000)
-    #   # => 6299664 # 0x602010
+    #   #=> 6299664 # 0x602010
     #   h.find(/E.F/, 0x400000, 4)
-    #   # => 4194305 # 0x400001
+    #   #=> 4194305 # 0x400001
     #   h.find(/E.F/, 0x400000, 3)
-    #   # => nil
+    #   #=> nil
     #   sh_offset = h.find('/bin/sh', :libc) - h.libc.base
-    #   # => 1559771 # 0x17ccdb
+    #   #=> 1559771 # 0x17ccdb
     def find(pattern, from, length = :unlimited)
       return Nil.new unless load?
       length = 1 << 40 if length.is_a? Symbol
@@ -193,12 +192,32 @@ module HeapInfo
     #   puts h
     def to_s
       return 'Process not found' unless load?
-      "Program: #{Helper.color program.name} PID: #{Helper.color pid}\n" +
+      "Program: #{Helper.color(program.name)} PID: #{Helper.color(pid)}\n" +
         program.to_s +
         heap.to_s +
         stack.to_s +
         libc.to_s +
-        ld.to_s
+        ld.to_s +
+        format("%-28s\tvalue: #{Helper.color(format('%#x', canary), sev: :sym)}", Helper.color('canary', sev: :sym))
+    end
+
+    # Get the value of stack guard.
+    #
+    # @return [Integer]
+    # @example
+    #   h.canary
+    #   #=> 11342701118118205184 # 0x9d695e921adc9700
+    def canary
+      return Nil.new unless load?
+      addr = @info.auxv[:random]
+      Helper.unpack(bits / 8, @dumper.dump(addr, bits / 8)) & 0xffffffffffffff00
+    end
+
+    # Make pry not so verbose.
+    #
+    # @return [nil]
+    def inspect
+      nil
     end
 
     private

data/lib/heapinfo/process_info.rb

@@ -1,12 +1,13 @@
 # encoding: ascii-8bit
 module HeapInfo
-  # for {Process} to record current info(s)
-  # {Process} has a +process_info+ object iff the process found (pid not +nil+).
+  # For {Process} to record basic process information.
+  #
+  # {Process} has a +process_info+ object iff the process exists (pid not +nil+).
   # Mainly records segments' base.
   class ProcessInfo
     # Methods to be transparent to +process+.
     # e.g. +process.libc+ alias to +process.info.libc+.
-    EXPORT = %i(libc ld heap program elf stack bits).freeze
+    EXPORT = %i(libc ld heap program elf stack bits auxv).freeze
 
     # @return [Integer] 32 or 64.
     attr_reader :bits
@@ -18,6 +19,11 @@ module HeapInfo
     attr_reader :libc
     # @return [HeapInfo::Segment]
     attr_reader :ld
+    # @return [Hash{Symbol => Integer}] The parsed auxv hash.
+    # @example
+    #   auxv
+    #   #=> {:ld_base => 4152033280, :random => 4294374299}
+    attr_reader :auxv
     alias elf program
 
     # Instantiate a {ProcessInfo} object.
@@ -29,10 +35,12 @@ module HeapInfo
       maps = load_maps
       @bits = bits_of(Helper.exe_of(@pid))
       @program = Segment.find(maps, File.readlink("/proc/#{@pid}/exe"))
-      @stack = Segment.find(maps, '[stack]')
       # well.. stack is a strange case because it will grow in runtime..
       # should i detect stack base growing..?
-      @ld = Segment.find(maps, match_maps(maps, options[:ld]))
+      @stack = Segment.find(maps, '[stack]')
+      @auxv = parse_auxv(Helper.auxv_of(@pid))
+      ld_seg = maps.find { |m| m[0] == @auxv[:ld_base] } # nil if static-linked elf
+      @ld = ld_seg.nil? ? Nil.new : Segment.new(@auxv[:ld_base], ld_seg.last)
       @libc = Libc.find(maps, match_maps(maps, options[:libc]), @bits, @ld.name, ->(*args) { process.dump(*args) })
     end
 
@@ -59,6 +67,22 @@ module HeapInfo
       Helper.parse_maps(Helper.maps_of(@pid))
     end
 
+    def parse_auxv(str)
+      auxv = {}
+      sio = StringIO.new(str)
+      fetch = ->() { Helper.unpack(@bits / 8, sio.read(@bits / 8)) }
+      loop do
+        type = fetch.call
+        val = fetch.call
+        case type
+        when 7 then auxv[:ld_base] = val # AT_BASE
+        when 25 then auxv[:random] = val # AT_RANDOM
+        end
+        break if type.zero?
+      end
+      auxv
+    end
+
     def bits_of(elf)
       elf[4] == "\x01" ? 32 : 64
     end

data/lib/heapinfo/segment.rb

@@ -19,7 +19,7 @@ module HeapInfo
       format("%-28s\tbase @ #{Helper.color(format('%#x', base))}\n", Helper.color(name.split('/')[-1]))
     end
 
-    # Helper for create a {HeapInfo::Segment}.
+    # Helper for creating a {HeapInfo::Segment}.
     #
     # Search the specific <tt>pattern</tt> in <tt>maps</tt> and return a {HeapInfo::Segment} object.
     #
@@ -27,7 +27,7 @@ module HeapInfo
     # @param [Regexp, String] pattern
     #   The segment name want to match in maps. If +String+ is given, the pattern is matched as a substring.
     # @return [HeapInfo::Segment, nil]
-    #   The request {HeapInfo::Segment} object. If the pattern is not matched, <tt>nil</tt> will be returned.
+    #   The request {HeapInfo::Segment} object. If the pattern is not matched, instance of {Nil} will be returned.
     def self.find(maps, pattern)
       return Nil.new if pattern.nil?
       needs = maps.select { |m| pattern.is_a?(Regexp) ? m[3] =~ pattern : m[3].include?(pattern) }

data/lib/heapinfo/version.rb

@@ -1,4 +1,4 @@
 module HeapInfo
   # Current gem version.
-  VERSION = '1.0.1'.freeze
+  VERSION = '1.0.2'.freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: heapinfo
 version: !ruby/object:Gem::Version
-  version: 1.0.1
+  version: 1.0.2
 platform: ruby
 authors:
 - david942j
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-03-28 00:00:00.000000000 Z
+date: 2017-04-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dentaku
@@ -94,7 +94,11 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.6'
-description: create an interactive memory info interface while pwn / exploiting
+description: |
+  Create an interactive memory info interface while pwn / exploiting.
+  Useful for rubiers writing exploit scripts.
+  HeapInfo can be used even when target is being ptraced,
+  this tool helps a lot when one needs to debug an ptraced process.
 email:
 - david942j@gmail.com
 executables: []