one_gadget 1.1.1 → 1.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 43bf496ed69e442f3a6672eff7b0e3f7dffe9256
-  data.tar.gz: 2ef6da1b0f7173adf036ad43e99533fd98005606
+  metadata.gz: 25904f1508d192a00e1702d7adb48d52af589ae0
+  data.tar.gz: abe1ec3e6b3f57420326aad5100a3a6d4a260b6b
 SHA512:
-  metadata.gz: fa4a2851e9ad28b690c7f2d7c4bcb4c3797d4b587b0b5a02d130d06628576aabbc73812d837c8efd04ea099c98659f0b9447c3d184894781198deae234707a44
-  data.tar.gz: 76ff23514c99da82136f7f55d3ba44d7dfcf48a56dba3db853e994ad90bcd8f341d963cb5cf9fb53bebf562dcadf1819bab6d02fbbd5f80625ce9ac20f94504d
+  metadata.gz: 0d8593c144d504c00ea3f1e3b80397391012a3414054bdc586c52340830b22b7bb7ec57b054c20d6198ded00b25443dbe42225f2804da504474d531777ba922e
+  data.tar.gz: a06dce9ee9693fe06422000c6d7105ab55655fbdd79b4edcf69dd9f2a618b9b5f4e5c041941f809fa251296825e63e7ae2f4c90a401ac3d20d05dbe37b8138ac

data/README.md

@@ -1,4 +1,5 @@
 [![Build Status](https://travis-ci.org/david942j/one_gadget.svg?branch=master)](https://travis-ci.org/david942j/one_gadget)
+![](http://ruby-gem-downloads-badge.herokuapp.com/one_gadget?type=total&color=orange)
 [![Code Climate](https://codeclimate.com/github/david942j/one_gadget/badges/gpa.svg)](https://codeclimate.com/github/david942j/one_gadget)
 [![Issue Count](https://codeclimate.com/github/david942j/one_gadget/badges/issue_count.svg)](https://codeclimate.com/github/david942j/one_gadget)
 [![Test Coverage](https://codeclimate.com/github/david942j/one_gadget/badges/coverage.svg)](https://codeclimate.com/github/david942j/one_gadget/coverage)
@@ -22,6 +23,10 @@ Available on RubyGems.org!
 gem install one_gadget
 ```
 
+## Implementation
+
+OneGadget use simple self-implement symbolic execution to find the constraints of gadgets.
+
 ## Usage
 
 ### Command Line Tool

data/lib/one_gadget/emulators/amd64.rb

@@ -0,0 +1,44 @@
+require 'one_gadget/emulators/processor'
+require 'one_gadget/emulators/instruction'
+
+module OneGadget
+  module Emulators
+    # Emulator of amd64 instruction set.
+    class Amd64 < Processor
+      REGISTERS = %w(rax rbx rcx rdx rdi rsi rbp rsp rip) + 7.upto(15).map { |i| "r#{i}" }
+
+      # Instantiate a {Amd64} object.
+      def initialize
+        super(REGISTERS)
+      end
+
+      # Process one command.
+      # @param [String] cmd
+      #   One line from result of objdump.
+      # @return [void]
+      def process(cmd)
+        inst, args = parse(cmd)
+        # where should this be defined..?
+        return if inst.inst == 'call' # later
+        case inst.inst
+        when 'mov', 'lea'
+          tar = args[0]
+          src = OneGadget::Emulators::Lambda.parse(args[1], predefined: @registers)
+        end
+        src.ref! if inst.inst == 'lea'
+
+        @registers[tar] = src
+      end
+
+      # Support instruction set.
+      # @return [Array<Instruction>] The support instructions.
+      def instructions
+        [
+          Instruction.new('mov', 2),
+          Instruction.new('lea', 2),
+          Instruction.new('call', 1)
+        ]
+      end
+    end
+  end
+end

data/lib/one_gadget/emulators/instruction.rb

@@ -0,0 +1,36 @@
+module OneGadget
+  module Emulators
+    # Define instruction name and it's argument count.
+    class Instruction
+      attr_reader :inst # @return [String]  The instruction name.
+      attr_reader :argc # @return [Integer] Count of arguments.
+      # Instantiate a n{Instruction} object.
+      # @param [String] inst The instruction name.
+      # @param [Integer] argc Count of arguments.
+      def initialize(inst, argc)
+        @inst = inst
+        @argc = argc
+      end
+
+      # Extract arguments from command.
+      # @param [String] cmd
+      # @return [Array<String>] Arguments.
+      def fetch_args(cmd)
+        idx = cmd.index(inst)
+        cmd = cmd[0...cmd.rindex('#')] if cmd.rindex('#')
+        args = cmd[idx + inst.size..-1].split(',')
+        raise ArgumentError, "Incorrect argument number in #{cmd}, expect: #{argc}" if args.size != argc
+        args.map do |arg|
+          arg.gsub(/QWORD|DWORD|WORD|BYTE|PTR/, '').strip
+        end
+      end
+
+      # If the command contains this instruction.
+      # @param [String] cmd
+      # @return [Boolean]
+      def match?(cmd)
+        cmd.include?(inst)
+      end
+    end
+  end
+end

data/lib/one_gadget/emulators/lambda.rb

@@ -0,0 +1,105 @@
+require 'one_gadget/helper'
+
+module OneGadget
+  module Emulators
+    # A {Lambda} object can be:
+    # 1. {String} # variable name
+    # 2. {Numeric}
+    # 3. {Lambda} + {Numeric}
+    # 4. dereference {Lambda}
+    class Lambda
+      attr_accessor :obj # @return [String, Lambda] The object currently related to.
+      attr_accessor :immi # @return [Integer] The immidiate value currently added.
+      attr_accessor :deref_count # @return [Integer] The times of dereference.
+      # Instantiate a {Lambda} object.
+      # @param [Lambda, String] obj
+      def initialize(obj)
+        @immi = 0
+        @obj = obj
+        @deref_count = 0
+      end
+
+      # Implement addition with +Numeric+.
+      # @param [Numeric] other Value to add.
+      # @return [Lambda] The result.
+      def +(other)
+        raise ArgumentError, 'Expect other to be Numeric.' unless other.is_a?(Numeric)
+        if deref_count > 0
+          ret = Lambda.new(self)
+        else
+          ret = Lambda.new(obj)
+          ret.immi = immi
+        end
+        ret.immi += other
+        ret
+      end
+
+      # Implement substract with +Numeric+.
+      # @param [Numeric] other Value to substract.
+      # @return [Lambda] The result.
+      def -(other)
+        self.+(-other)
+      end
+
+      # Increase dreference count with 1.
+      # @return [void]
+      def deref!
+        @deref_count += 1
+      end
+
+      # Decrease dreference count with 1.
+      # @return [void]
+      def ref!
+        raise ArgumentError, 'Cannot reference anymore!' if @deref_count <= 0
+        @deref_count -= 1
+      end
+
+      # A new {Lambda} object with dreference count increase 1.
+      # @return [Lambda]
+      def deref
+        ret = Lambda.new(obj)
+        ret.immi = immi
+        ret.deref_count = deref_count + 1
+        ret
+      end
+
+      # Expand the lambda presentation.
+      # @return [String] The expand result.
+      def to_s
+        str = ''
+        str += '[' * deref_count
+        str += obj.to_s unless obj.nil?
+        str += OneGadget::Helper.hex(immi, psign: true) unless immi.zero?
+        str += ']' * deref_count
+        str
+      end
+
+      class << self
+        # Target: parse something like +[rsp+0x50]+ into a {Lambda} object.
+        # @param [String] arg
+        # @param [Hash{String => Lambda}] predefined
+        # @return [OneGadget::Emulators::Lambda, Integer]
+        #   If +arg+ contains number only, return it.
+        #   Otherwise, return a {Lambda} object.
+        # @example
+        #   parse('[rsp+0x50]') #=> #<Lambda @obj='rsp', @immi=80, @deref_count=1>
+        def parse(arg, predefined: {})
+          ret = Lambda.new('tmp')
+          if arg[0] == '[' # a little hack because there should nerver something like +[[rsp+1]+2]+ to parse.
+            arg = arg[1..-2]
+            ret.deref_count += 1
+          end
+          return Integer(arg) if OneGadget::Helper.integer?(arg)
+          sign = arg =~ /[+-]/
+          raise ArgumentError, "Not support #{arg}" if sign && !OneGadget::Helper.integer?(arg[sign..-1])
+          if sign
+            ret.immi = Integer(arg[sign..-1])
+            arg = arg[0, sign]
+          end
+          ret.obj = predefined[arg] || arg
+          ret
+        end
+      end
+    end
+  end
+end

data/lib/one_gadget/emulators/processor.rb

@@ -0,0 +1,36 @@
+require 'one_gadget/emulators/lambda'
+
+module OneGadget
+  # Instruction emulator to solve the constraint of gadgets.
+  module Emulators
+    # Base class of a processor.
+    class Processor
+      attr_reader :registers # @return [Hash{String => OneGadget::Emulators::Lambda}] The current registers' state.
+      # Instantiate a {Processor} object.
+      # @param [Array<String>] registers Registers that supported in the architecture.
+      def initialize(registers)
+        @registers = registers.map { |reg| [reg, OneGadget::Emulators::Lambda.new(reg)] }.to_h
+      end
+
+      # Parse one command into instruction and arguments.
+      # @param [String] cmd One line of result of objdump.
+      # @return [Array(Instruction, Array<String>)]
+      #   The parsing result.
+      def parse(cmd)
+        inst = instructions.find { |i| i.match?(cmd) }
+        raise ArgumentError, "Not implemented instruction in #{cmd}" if inst.nil?
+        [inst, inst.fetch_args(cmd)]
+      end
+
+      # Method need to be implemented in inheritors.
+      # @return [void]
+      def process(_cmd); raise NotImplementedError
+      end
+
+      # Method need to be implemented in inheritors.
+      # @return [Array<Instruction>] The support instructions.
+      def instructions; raise NotImplementedError
+      end
+    end
+  end
+end

data/lib/one_gadget/fetchers/amd64.rb

@@ -1,4 +1,5 @@
 require 'one_gadget/fetchers/base'
+require 'one_gadget/emulators/amd64'
 module OneGadget
   module Fetcher
     # Fetcher for amd64.
@@ -13,10 +14,32 @@ module OneGadget
           true
         end
         cands.map do |candidate|
-          convert_to_gadget(candidate) do |line|
-            ['rsi'].any? { |r| line.include?(r) }
-          end
-        end
+          processor = OneGadget::Emulators::Amd64.new
+          candidate.lines.each { |l| processor.process(l) }
+          offset = offset_of(candidate)
+          constraints = gen_constraints(processor)
+          next nil if constraints.nil? # impossible be a gadget
+          OneGadget::Gadget::Gadget.new(offset, constraints: constraints)
+        end.compact
+      end
+
+      private
+
+      def gen_constraints(processor)
+        # check rdi should always related to rip
+        return unless processor.registers['rdi'].to_s.include?('rip')
+        # rsi or [rsi] should be zero
+        [
+          should_null(processor.registers['rsi'].to_s),
+          should_null(processor.registers['rdx'].to_s, allow_global: true)
+        ].compact
+      end
+
+      def should_null(str, allow_global: false)
+        return nil if allow_global && str.include?('rip')
+        ret = "[#{str}] == NULL"
+        ret += " || #{str} == NULL" unless str.include?('rsp')
+        ret
       end
     end
   end

data/lib/one_gadget/fetchers/base.rb

@@ -54,6 +54,11 @@ module OneGadget
         match.split.first.to_i(16)
       end
 
+      def offset_of(assembly)
+        lines = assembly.lines
+        lines.first.scan(/^([\da-f]+):/)[0][0].to_i(16)
+      end
+
       def convert_to_gadget(assembly, &block)
         lines = assembly.lines
         offset = lines.first.scan(/^([\da-f]+):/)[0][0].to_i(16)

data/lib/one_gadget/helper.rb

@@ -137,6 +137,37 @@ module OneGadget
         return :i386 if str.include?('Intel 80386')
         :unknown
       end
+
+      # Present number in hex format.
+      # @param [Integer] val The number.
+      # @param [Boolean] psign Need to show plus sign when +val >= 0+.
+      # @return [String] string in hex format.
+      # @example
+      #   hex(32) #=> 0x20
+      #   hex(32, psign: true) #=> +0x20
+      #   hex(-40) #=> -0x28
+      #   hex(0) #=> 0x0
+      #   hex(0, psign: true) #=> +0x0
+      def hex(val, psign: false)
+        return format("#{psign ? '+' : ''}0x%x", val) if val >= 0
+        format('-0x%x', -val)
+      end
+
+      # For checking a string is actually an integer.
+      # @param [String] str String to be checked.
+      # @return [Boolean] If +str+ can be converted into integer.
+      # @example
+      #   Helper.integer? '1234'
+      #   # => true
+      #   Helper.integer? '0x1234'
+      #   # => true
+      #   Helper.integer? '0xheapoverflow'
+      #   # => false
+      def integer?(str)
+        true if Integer(str)
+      rescue ArgumentError, TypeError
+        false
+      end
     end
     extend ClassMethods
   end

data/lib/one_gadget/version.rb

@@ -1,3 +1,3 @@
 module OneGadget
-  VERSION = '1.1.1'.freeze
+  VERSION = '1.2.0'.freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: one_gadget
 version: !ruby/object:Gem::Version
-  version: 1.1.1
+  version: 1.2.0
 platform: ruby
 authors:
 - david942j
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-02-14 00:00:00.000000000 Z
+date: 2017-02-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rspec
@@ -101,6 +101,10 @@ files:
 - lib/one_gadget/builds/libc-2.23-60131540dadc6796cab33388349e6e4e68692053.rb
 - lib/one_gadget/builds/libc-2.23-926eb99d49cab2e5622af38ab07395f5b32035e9.rb
 - lib/one_gadget/builds/libc-2.23-edceed30099baad51871c5fc277daf9b74dc726a.rb
+- lib/one_gadget/emulators/amd64.rb
+- lib/one_gadget/emulators/instruction.rb
+- lib/one_gadget/emulators/lambda.rb
+- lib/one_gadget/emulators/processor.rb
 - lib/one_gadget/fetcher.rb
 - lib/one_gadget/fetchers/amd64.rb
 - lib/one_gadget/fetchers/base.rb
@@ -129,7 +133,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.5.2
+rubygems_version: 2.6.10
 signing_key: 
 specification_version: 4
 summary: one_gadget