heapinfo 0.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 1ba7cc3de8a173a616d298c30836fa0bb5a2800a
+  data.tar.gz: 792feedd7e5a6deea7b956082150cb7b4609d887
+SHA512:
+  metadata.gz: d97610801e28487dd52e3e100558e746e8d23784a7925be2f99e4e35dd101c9976cbb526e1f18c18105b4a6bef2b00a305139f5406bd02021cedb75df6394749
+  data.tar.gz: 434774059d8ff5f5fcebc1fb81788a8fd9e78856f295c5bbfd3a045ae1b8b28cfa5237d4bd5cd330f71b319e1333efb65cfaffc557263721836a90f48687480f

data/README.md

@@ -0,0 +1,130 @@
+[![Build Status](https://travis-ci.org/david942j/heapinfo.svg?branch=master)](https://travis-ci.org/david942j/heapinfo)
+[![Code Climate](https://codeclimate.com/github/david942j/heapinfo/badges/gpa.svg)](https://codeclimate.com/github/david942j/heapinfo)
+[![Issue Count](https://codeclimate.com/github/david942j/heapinfo/badges/issue_count.svg)](https://codeclimate.com/github/david942j/heapinfo)
+[![Test Coverage](https://codeclimate.com/github/david942j/heapinfo/badges/coverage.svg)](https://codeclimate.com/github/david942j/heapinfo/coverage)
+[![Inline docs](https://inch-ci.org/github/david942j/heapinfo.svg?branch=master)](https://inch-ci.org/github/david942j/heapinfo)
+[![MIT License](https://img.shields.io/badge/license-MIT-blue.svg)](http://choosealicense.com/licenses/mit/)
+
+## HeapInfo
+As pwn lovers, while playing CTF with heap exploitation, we always need a debugger (e.g. gdb) for tracking memory layout. But we don't really need a debugger if we just want to see whether the heap layout same as our imagine or not. Hope this small tool helps us exploit easier ;).
+
+Implement with ruby because I love ruby :P. But might also implement with Python (if no others did) in the future.
+
+If you prefer [pwntools](https://github.com/Gallopsled/pwntools) for exploiting, you can still use **HeapInfo** in irb/pry as a small debugger.
+
+Any suggestion of features or bug issues is welcome.
+
+Relation works are [pwntools-ruby](https://github.com/peter50216/pwntools-ruby) and [gdbpwn](https://github.com/scwuaptx/Pwngdb).
+
+## Install
+**HeapInfo** is still under developing for more features, so the version might change frequently :p
+
+```
+$ gem install heapinfo
+```
+
+## Features
+* Can use in your ruby exploit script or in irb/pry
+* **HeapInfo** works when the `victim` is being traced! i.e. you can use ltrace/strace/gdb and **HeapInfo** simultaneously!
+* `dump` - dump arbitrarily address memory.
+* `layouts` - show the current bin layouts, very useful for heap exploitation.
+* `x` - Provide gdb-like commands.
+* `find` - Provide gdb-like commands.
+* More features and details can be found in [RDoc](http://www.rubydoc.info/github/david942j/heapinfo/master/)
+
+## Usage
+
+#### Load
+
+```ruby
+require 'heapinfo'
+# ./victim is running
+h = heapinfo('victim') 
+# or use h = heapinfo(20568) to prevent multi processes exist
+
+# will present simple info when loading:
+# Program: /home/heapinfo/victim PID: 20568
+# victim          base @ 0x400000
+# [heap]          base @ 0x11cc000
+# [stack]         base @ 0x7fff2b244000
+# libc-2.19.so    base @ 0x7f892a63a000
+# ld-2.19.so      base @ 0x7f892bee6000
+
+# query segments' info
+"%#x" % h.libc.base
+# => "0x7f892a63a000"
+h.libc.name
+# => "/lib/x86_64-linux-gnu/libc-2.19.so"
+"%#x" % h.elf.base
+# => "0x400000"
+"%#x" % h.heap.base
+# => "0x11cc000"
+```
+
+NOTICE: While the process is not found, most methods will return `nil`. One way to prevent some error happend is to wrapper methods within `debug`, the block will be ignored while doing remote exploitation.
+
+```ruby
+h = heapinfo('remote')
+# Process not found
+h.pid # nil
+h.debug {
+  fail unless leak_libc_base == h.libc.base
+  # wrapper with `debug` so that no error will be raised when pwning remote service
+}
+```
+
+#### Dump
+Query content of specific address.
+
+NOTICE: you MUST have permission of attaching a program, otherwise dump will fail.
+
+i.e. `/proc/sys/kernel/yama/ptrace_scope` set to 0 or run as root.
+
+```ruby
+h.debug {
+  p h.dump(:libc, 8)
+  # => "\x7FELF\x02\x01\x01\x00"
+  p h.dump(:heap, 16)
+  # => "\x00\x00\x00\x00\x00\x00\x00\x00\x31\x00\x00\x00\x00\x00\x00\x00"
+  p h.dump('heap+0x30, 16') # support offset!
+  # => "\x00\x00\x00\x00\x00\x00\x00\x00\x81\x00\x00\x00\x00\x00\x00\x00"
+  p h.dump(:elf, 8)
+  # => "\x7FELF\x02\x01\x01\x00"
+  p h.dump(0x400000, 8) # or simply give addr
+  # => "\x7FELF\x02\x01\x01\x00"
+}
+# invalid examples:
+# h.dump('meow') # no such segment
+# h.dump('heap-1, 64') # not support `-`
+```
+
+#### layouts
+```ruby
+h.layouts :fastbin
+```
+![fastbin layouts](https://github.com/david942j/heapinfo/blob/master/examples/fastbin_layouts.png?raw=true)
+
+```ruby
+h.layouts :unsorted_bin, :smallbin
+```
+![smallbin layouts](https://github.com/david942j/heapinfo/blob/master/examples/unsorted_smallbin_layouts.png?raw=true)
+
+#### x - gdb-like command
+```ruby
+h.x 8, :heap
+```
+![x/8gx](https://github.com/david942j/heapinfo/blob/master/examples/x8_heap.png?raw=true)
+
+#### find - gdb-like command
+Provide a searcher of memory, easier to use than in (naive) gdb.
+
+Support search integer, string, and even regular expression.
+
+```ruby
+h.find(/E.F/, 0x400000, 4)
+# => 4194305 # 0x400001
+h.find(/E.F/, 0x400000, 3)
+# => nil
+sh_offset = h.find('/bin/sh', :libc) - h.libc.base
+# => 1559771 # 0x17ccdb
+```

data/lib/heapinfo.rb

@@ -0,0 +1,75 @@
+# Basic requirements from standard library
+require 'fileutils'
+
+# HeapInfo - an interactive debugger for heap exploitation
+#
+# HeapInfo makes pwning life easier with ruby style memory dumper.
+# Easy to show bin(s) layouts, or dump memory for checking whether exploit (will) works.
+# HeapInfo can be used with ltrace/strace/gdb simultaneously since it not use any ptrace.
+#
+# @author david942j
+module HeapInfo
+  # Directory for writing some tmp files when working,
+  # make sure /tmp is writable
+  TMP_DIR = '/tmp/.heapinfo'
+
+  # Directory for caching files.
+  # e.g. HeapInfo will record main_arena_offset for glibc(s)
+  CACHE_DIR = '~/.cache/heapinfo'
+
+  FileUtils.mkdir_p(TMP_DIR)
+  FileUtils.mkdir_p(CACHE_DIR)
+
+  # Entry point for using HeapInfo.
+  # Show segments info of the process after loaded
+  # @param [String, Fixnum] prog The program name of victim. If a number is given, seem as pid (useful when multi-processes exist)
+  # @param [Hash] options Give library's file name.
+  # @option options [String, Regexp] :libc file name of glibc, default is <tt>/libc[^\w]/</tt>
+  # @option options [String, Regexp] :ld file name of dynamic linker/loader, default is <tt>/\/ld-.+\.so/</tt>
+  # @return [HeapInfo::Process] The object for further usage
+  # @example
+  #   h = heapinfo './victim'
+  #   # outputs:
+  #   # Program: /home/heapinfo/victim PID: 20568
+  #   # victim          base @ 0x400000
+  #   # [heap]          base @ 0x11cc000
+  #   # [stack]         base @ 0x7fff2b244000
+  #   # libc-2.19.so    base @ 0x7f892a63a000
+  #   # ld-2.19.so      base @ 0x7f892bee6000
+  #   p h.libc.name
+  #   # => "/lib/x86_64-linux-gnu/libc-2.19.so"
+  #   p h.ld.name
+  #   # => "/lib/x86_64-linux-gnu/ld-2.19.so"
+  #  
+  # @example
+  #   h = heapinfo(27605, libc: 'libc.so.6', ld: 'ld-linux-x86-64.so.2')
+  #   # pid 27605 is run by custom loader
+  #   p h.libc.name
+  #   # => "/home/heapinfo/libc.so.6"
+  #   p h.ld.name
+  #   # => "/home/heapinfo/ld-linux-x86-64.so.2"
+  def self.heapinfo(prog, options = {})
+    h = HeapInfo::Process.new(prog, options)
+    puts h
+    h
+  end
+end
+
+# Alias method of #HeapInfo::heapinfo for global usage
+# @return [HeapInfo::Process]
+# @param [Mixed] args see #HeapInfo::heapinfo for more information
+def heapinfo(*args)
+  ::HeapInfo::heapinfo(*args)
+end
+ 
+
+require 'heapinfo/helper'
+require 'heapinfo/nil'
+require 'heapinfo/process'
+require 'heapinfo/segment'
+require 'heapinfo/libc'
+require 'heapinfo/chunk'
+require 'heapinfo/chunks'
+require 'heapinfo/arena'
+require 'heapinfo/dumper'
+require 'heapinfo/ext/string.rb'

data/lib/heapinfo/arena.rb

@@ -0,0 +1,193 @@
+module HeapInfo
+  class Arena
+    attr_reader :fastbin, :unsorted_bin, :smallbin, :top_chunk
+    # attr_reader :largebin, :last_remainder
+
+    # Instantiate a <tt>HeapInfo::Arena</tt> object
+    #
+    # @param [Integer] base Base address of arena.
+    # @param [Integer] bits Either 64 or 32
+    # @param [Proc] dumper For dump more data
+    def initialize(base, bits, dumper)
+      @base, @dumper = base, dumper
+      @size_t = bits / 8
+      reload
+    end
+
+    # Refresh all attributes
+    # Retrive data using <tt>@dumper</tt>, load bins, top chunk etc.
+    # @return [HeapInfo::Arena] self
+    def reload
+      top_ptr = Helper.unpack(size_t, @dumper.call(@base + 8 + size_t * 10, size_t))
+      @fastbin = []
+      return self if top_ptr == 0 # arena not init yet
+      @top_chunk = Chunk.new size_t, top_ptr, @dumper
+      @fastbin = Array.new(7) do |idx|
+        f = Fastbin.new(size_t, @base + 8 - size_t * 2 + size_t * idx, @dumper, head: true)
+        f.index = idx
+        f
+      end
+      @unsorted_bin = UnsortedBin.new(size_t, @base + 8 + size_t * 10, @dumper, head: true)
+      @smallbin = Array.new(55) do |idx|
+        s = Smallbin.new(size_t, @base + 8 + size_t * (26 + 2 * idx), @dumper, head: true)
+        s.index = idx
+        s
+      end
+      self
+    end
+
+    # Pretty dump of bins layouts.
+    #
+    # @param [Symbol] args Bin type(s) you want to see.
+    # @return [String] Bin layouts that wrapper with color codes.
+    # @example
+    #   puts h.libc.main_arena.layouts :fastbin, :unsorted_bin, :smallbin
+    def layouts(*args)
+      res = ''
+      res += fastbin.map(&:inspect).join if args.include? :fastbin
+      res += unsorted_bin.inspect if args.include? :unsorted_bin
+      res += smallbin.map(&:inspect).join if args.include? :smallbin
+      res
+    end
+
+  private
+    attr_reader :size_t
+  end
+
+  class Fastbin < Chunk
+    attr_reader :fd
+    attr_accessor :index
+    
+    # Instantiate a <tt>HeapInfo::Fastbin</tt> object
+    #
+    # @param [Mixed] args See <tt>HeapInfo::Chunk</tt> for more information.
+    def initialize(*args)
+      super
+      @fd = Helper.unpack(size_t, @data[0, @size_t])
+    end
+
+    # Mapping index of fastbin to chunk size
+    # @return [Integer] size
+    def idx_to_size
+      index * size_t * 2 + size_t * 4
+    end
+
+    # For pretty inspect
+    # @return [String] Title with color codes
+    def title
+      "%s%s: " % [Helper.color(Helper.class_name(self), sev: :bin),  index.nil? ? nil : "[#{Helper.color("%#x" % idx_to_size)}]"]
+    end
+
+    def inspect
+      title + list.map do |ptr|
+        next "(#{ptr})\n" if ptr.is_a? Symbol
+        next " => (nil)\n" if ptr.nil?
+        " => %s" % Helper.color("%#x" % ptr)
+      end.join
+    end
+
+    # @return [Array<Integer, Symbol, NilClass>] single link list of <tt>fd</tt> chain.
+    #   Last element will be:
+    #   - <tt>:loop</tt> if loop detectded
+    #   - <tt>:invalid</tt> invalid address detected
+    #   - <tt>nil</tt> end with zero address (normal case)
+    def list
+      dup = {}
+      ptr = @fd
+      ret = []
+      while ptr != 0
+        ret << ptr
+        return ret << :loop if dup[ptr]
+        dup[ptr] = true
+        ptr = fd_of(ptr)
+        return ret << :invalid if ptr.nil?
+      end
+      ret << nil
+    end
+
+    def fd_of(ptr)
+      addr_of(ptr, 2)
+    end
+
+    def bk_of(ptr)
+      addr_of(ptr, 3)
+    end
+
+  private
+    def addr_of(ptr, offset)
+      t = dump(ptr + size_t * offset, size_t)
+      return nil if t.nil?
+      Helper.unpack(size_t, t)
+    end
+  end
+
+  class UnsortedBin < Fastbin
+    attr_reader :bk
+    def initialize(*args)
+      super
+      @bk = Helper.unpack(size_t, @data[@size_t, @size_t])
+    end
+
+    # size: at most extend size
+    # size=2: bk, bk, bin, fd, fd
+    def inspect(size: 2)
+      list = link_list(size)
+      return '' if list.size <= 1 and Helper.class_name(self) != 'UnsortedBin' # bad..
+      title + pretty_list(list) + "\n"
+    end
+
+    def pretty_list(list)
+      center = nil
+      list.map.with_index do |c, idx|
+        next center = Helper.color("[self]", sev: :bin) if c == @base
+        fwd = fd_of(c)
+        next "%s(invalid)" % Helper.color("%#x" % c) if fwd.nil? # invalid c
+        bck = bk_of(c)
+        if center.nil? # bk side
+          next Helper.color("%s%s" % [
+            Helper.color("%#x" % c),
+            fwd == list[idx+1] ? nil : "(%#x)" % fwd,
+          ])
+        else #fd side
+          next Helper.color("%s%s" % [
+            bck == list[idx-1] ? nil : "(%#x)" % bck,
+            Helper.color("%#x" % c),
+          ])
+        end
+      end.join(" === ")
+    end
+
+    def link_list(expand_size)
+      list = [@base]
+      # fd
+      work = Proc.new do |ptr, nxt, append|
+        sz = 0
+        dup = {}
+        while ptr != @base and sz < expand_size
+          append.call ptr
+          break if ptr.nil? # invalid pointer
+          break if dup[ptr] # looped
+          dup[ptr] = true
+          ptr = self.send(nxt, ptr)
+          sz += 1
+        end
+      end
+      work.call(@fd, :fd_of, lambda{|ptr| list << ptr})
+      work.call(@bk, :bk_of, lambda{|ptr| list.unshift ptr})
+      list
+    end
+  end
+
+  class Smallbin < UnsortedBin
+
+    # Mapping index of smallbin to chunk size
+    # @return [Integer] size
+    def idx_to_size
+      index * size_t * 2 + size_t * 18
+    end
+  end
+
+  # class Largebin < Smallbin
+  #   attr_accessor :fd_nextsize, :bk_nextsize
+  # end
+end

data/lib/heapinfo/chunk.rb

@@ -0,0 +1,96 @@
+module HeapInfo
+  # The object of a heap chunk
+  class Chunk
+    # @return [Integer] 4 or 8 according to 32bit or 64bit, respectively.
+    attr_reader :size_t
+    # @return [Integer] previous chunk size
+    attr_reader :prev_size
+    # @return [String] chunk data
+    attr_reader :data
+    # @return [Integer] Base address of this chunk
+    attr_reader :base
+
+    # Instantiate a <tt>HeapInfo::Chunk</tt> object
+    #
+    # @param [Integer] size_t 4 or 8
+    # @param [Integer] base Start address of this chunk
+    # @param [Proc] dumper For dump more information of this chunk
+    # @param [Boolean] head For specific if is fake chunk in <tt>arena</tt>. If <tt>head</tt> is <tt>true</tt>, will not load <tt>size</tt> and <tt>prev_size</tt> (since it's meaningless)
+    # @example
+    #   HeapInfo::Chunk.new 8, 0x602000, lambda{|addr, len| [0,0x21, 0xda4a].pack("Q*")[addr-0x602000, len]}
+    #   # create a chunk with chunk size 0x21
+    def initialize(size_t, base, dumper, head: false)
+      fail unless [4, 8].include? size_t 
+      self.class.send(:define_method, :dump){|*args| dumper.call(*args)}
+      @size_t = size_t
+      @base = base
+      sz = dump(@base, size_t * 2)
+      if head # no need to read size if is bin
+        return @data = dump(@base + size_t * 2, size_t * 4)
+      end
+      @prev_size = Helper.unpack(size_t, sz[0, size_t])
+      @size = Helper.unpack(size_t, sz[size_t..-1])
+      r_size = [size - size_t * 2, size_t * 4].min # don't read too much data
+      r_size = [r_size, 0].max # prevent negative size
+      @data = dump(@base + size_t * 2, r_size)
+    end
+
+    # Hook <tt>#to_s</tt> for pretty printing
+    # @return [String]
+    def to_s
+      ret = Helper.color("#<%s:%#x>\n" % [self.class.to_s, @base], sev: :klass) +
+      "flags = [#{flags.map{|f|Helper.color(":#{f}", sev: :sym)}.join(',')}]\n" +
+      "size = #{Helper.color "%#x" % size} (#{bintype})\n"
+      ret += "prev_size = #{Helper.color "%#x" % @prev_size}\n" unless flags.include? :prev_inuse
+      ret += "data = #{Helper.color @data.inspect}#{'...' if @data.length < size - size_t * 2}\n"
+      ret
+    end
+
+    # The chunk flags record in low three bits of size
+    # @return [Array<Symbol>] flags of chunk
+    # @example
+    #   c = [0, 0x25].pack("Q*").to_chunk
+    #   c.flags
+    #   # [:non_main_arena, :prev_inuse]
+    def flags
+      mask = @size - size
+      flag = []
+      flag << :non_main_arena unless mask & 4 == 0
+      flag << :mmapped unless mask & 2 == 0
+      flag << :prev_inuse unless mask & 1 == 0
+      flag
+    end
+
+    # Size of chunk
+    # @return [Integer] The chunk size without flag masks
+    def size
+      @size & -8
+    end
+
+    # Bin type of this chunk
+    # @return [Symbol] Bin type is simply determined according to <tt>#size</tt>
+    # @example
+    #   [c.size, c.size_t]
+    #   # => [80, 8]
+    #   c.bintype
+    #   # => :fast
+    # @example
+    #   [c.size, c.size_t]
+    #   # => [80, 4]
+    #   c.bintype
+    #   # => :small
+    # @example
+    #   c.size
+    #   # => 135168
+    #   c.bintype
+    #   # => :mmap
+    def bintype
+      sz = size
+      return :unknown if sz < @size_t * 4
+      return :fast if sz <= @size_t * 16
+      return :small if sz <= @size_t * 0x7e
+      return :large if sz <= @size_t * 0x3ffe # is this correct? 
+      return :mmap
+    end
+  end
+end