pwntools 0.1.0 → 1.0.0

data/lib/pwnlib/util/ruby.rb

@@ -0,0 +1,18 @@
+# encoding: ASCII-8BIT
+
+module Pwnlib
+  module Util
+    # module for some utilities for Ruby metaprogramming.
+    module Ruby
+      def self.private_class_method_block
+        define_singleton_method(:singleton_method_added) do |m|
+          private_class_method m
+        end
+        yield
+        class << self
+          remove_method(:singleton_method_added)
+        end
+      end
+    end
+  end
+end

data/lib/pwnlib/version.rb

@@ -1,5 +1,6 @@
 # encoding: ASCII-8BIT
 
 module Pwnlib
-  VERSION = '0.1.0'.freeze
+  # version of pwntools-ruby
+  VERSION = '1.0.0'.freeze
 end

data/test/abi_test.rb

@@ -0,0 +1,21 @@
+# encoding: ASCII-8BIT
+
+require 'test_helper'
+
+require 'pwnlib/abi'
+require 'pwnlib/context'
+
+class AbiTest < MiniTest::Test
+  include ::Pwnlib::Context
+  ABI = ::Pwnlib::ABI
+
+  def test_default
+    context.local(arch: 'i386', os: 'linux') { assert_same ABI::DEFAULT[[32, 'i386', 'linux']], ABI::ABI.default }
+    context.local(arch: 'amd64', os: 'linux') { assert_same ABI::DEFAULT[[64, 'amd64', 'linux']], ABI::ABI.default }
+  end
+
+  def test_syscall
+    context.local(arch: 'i386', os: 'linux') { assert_same ABI::SYSCALL[[32, 'i386', 'linux']], ABI::ABI.syscall }
+    context.local(arch: 'amd64', os: 'linux') { assert_same ABI::SYSCALL[[64, 'amd64', 'linux']], ABI::ABI.syscall }
+  end
+end

data/test/asm_test.rb

@@ -0,0 +1,104 @@
+# encoding: ASCII-8BIT
+
+require 'test_helper'
+
+require 'pwnlib/asm'
+require 'pwnlib/shellcraft/shellcraft'
+
+class AsmTest < MiniTest::Test
+  include ::Pwnlib::Context
+  Asm = ::Pwnlib::Asm
+
+  def setup
+    skip 'Not test asm/disasm on Windows' if TTY::Platform.new.windows?
+    @shellcraft = ::Pwnlib::Shellcraft::Shellcraft.instance
+  end
+
+  def test_i386_asm
+    context.local(arch: 'i386') do
+      assert_equal("\x90", Asm.asm('nop'))
+      assert_equal("\xeb\xfe", Asm.asm(@shellcraft.infloop))
+      assert_equal("jhh///sh/binj\x0bX\x89\xe31\xc9\x99\xcd\x80", Asm.asm(@shellcraft.sh))
+      # issue #51
+      assert_equal("j\x01\xfe\x0c$h\x01\x01\x01\x01\x814$\xf2\xf3\x0b\xfe",
+                   Asm.asm(@shellcraft.pushstr("\xf3\xf2\x0a\xff")))
+    end
+  end
+
+  def test_amd64_asm
+    context.local(arch: 'amd64') do
+      assert_equal("\x90", Asm.asm('nop'))
+      assert_equal("\xeb\xfe", Asm.asm(@shellcraft.infloop))
+      assert_equal("jhH\xb8/bin///sPj;XH\x89\xe71\xf6\x99\x0f\x05", Asm.asm(@shellcraft.sh))
+      assert_equal("j\x01\xfe\x0c$H\xb8\x01\x01\x01\x01\x01\x01\x01\x01PH\xb8\xfe\xfe\xfe\xfe\xfe\xfe\x0b\xfeH1\x04$",
+                   Asm.asm(@shellcraft.pushstr("\xff\xff\xff\xff\xff\xff\x0a\xff")))
+    end
+  end
+
+  def test_i386_disasm
+    context.local(arch: 'i386') do
+      str = Asm.disasm("h\x01\x01\x01\x01\x814$ri\x01\x011\xd2"\
+                       "Rj\x04Z\x01\xe2R\x89\xe2jhh///sh/binj\x0bX\x89\xe3\x89\xd1\x99\xcd\x80")
+      assert_equal(<<-EOS, str)
+   0:   68 01 01 01 01       push    0x1010101
+   5:   81 34 24 72 69 01 01 xor     dword ptr [esp], 0x1016972
+   c:   31 d2                xor     edx, edx
+   e:   52                   push    edx
+   f:   6a 04                push    4
+  11:   5a                   pop     edx
+  12:   01 e2                add     edx, esp
+  14:   52                   push    edx
+  15:   89 e2                mov     edx, esp
+  17:   6a 68                push    0x68
+  19:   68 2f 2f 2f 73       push    0x732f2f2f
+  1e:   68 2f 62 69 6e       push    0x6e69622f
+  23:   6a 0b                push    0xb
+  25:   58                   pop     eax
+  26:   89 e3                mov     ebx, esp
+  28:   89 d1                mov     ecx, edx
+  2a:   99                   cdq
+  2b:   cd 80                int     0x80
+      EOS
+      assert_equal(<<-EOS, Asm.disasm("\xb8\x5d\x00\x00\x00"))
+  0:   b8 5d 00 00 00 mov     eax, 0x5d
+      EOS
+    end
+  end
+
+  def test_amd64_disasm
+    context.local(arch: 'amd64') do
+      str = Asm.disasm("hri\x01\x01\x814$\x01\x01\x01\x011\xd2" \
+                       "Rj\x08ZH\x01\xe2RH\x89\xe2jhH\xb8/bin///sPj;XH\x89\xe7H\x89\xd6\x99\x0f\x05", vma: 0xfff)
+
+      assert_equal(<<-EOS, str)
+   fff:   68 72 69 01 01                push    0x1016972
+  1004:   81 34 24 01 01 01 01          xor     dword ptr [rsp], 0x1010101
+  100b:   31 d2                         xor     edx, edx
+  100d:   52                            push    rdx
+  100e:   6a 08                         push    8
+  1010:   5a                            pop     rdx
+  1011:   48 01 e2                      add     rdx, rsp
+  1014:   52                            push    rdx
+  1015:   48 89 e2                      mov     rdx, rsp
+  1018:   6a 68                         push    0x68
+  101a:   48 b8 2f 62 69 6e 2f 2f 2f 73 movabs  rax, 0x732f2f2f6e69622f
+  1024:   50                            push    rax
+  1025:   6a 3b                         push    0x3b
+  1027:   58                            pop     rax
+  1028:   48 89 e7                      mov     rdi, rsp
+  102b:   48 89 d6                      mov     rsi, rdx
+  102e:   99                            cdq
+  102f:   0f 05                         syscall
+      EOS
+      assert_equal(<<-EOS, Asm.disasm("\xb8\x17\x00\x00\x00"))
+  0:   b8 17 00 00 00 mov     eax, 0x17
+      EOS
+    end
+  end
+
+  # To ensure coverage
+  def test_require
+    err = assert_raises(LoadError) { Asm.__send__(:require_message, 'no_such_lib', 'meow') }
+    assert_match(/meow/, err.message)
+  end
+end

data/test/constants/constant_test.rb

@@ -1,6 +1,7 @@
 # encoding: ASCII-8BIT
 
 require 'test_helper'
+
 require 'pwnlib/constants/constant'
 
 class ConstantTest < MiniTest::Test

data/test/constants/constants_test.rb

@@ -1,6 +1,7 @@
 # encoding: ASCII-8BIT
 
 require 'test_helper'
+
 require 'pwnlib/constants/constants'
 require 'pwnlib/context'
 
@@ -13,8 +14,9 @@ class ConstantsTest < MiniTest::Test
       assert_equal('Constant("SYS_read", 0x0)', Constants.SYS_read.inspect)
       assert_equal('__NR_arch_prctl', Constants.__NR_arch_prctl.to_s)
       assert_equal('Constant("(O_CREAT)", 0x40)', Constants.eval('O_CREAT').inspect)
-      # TODO(david942j): implement 'real' Constants.eval
-      # assert_equal('Constant("(O_CREAT | O_WRONLY)", 0x41)', Constants.eval('O_CREAT | O_WRONLY').inspect)
+      assert_equal('Constant("(O_CREAT | O_WRONLY)", 0x41)', Constants.eval('O_CREAT | O_WRONLY').inspect)
+      err = assert_raises(NameError) { Constants.eval('rax') }
+      assert_equal('no value provided for variables: rax', err.message)
     end
   end
 

data/test/context_test.rb

@@ -1,6 +1,7 @@
 # encoding: ASCII-8BIT
 
 require 'test_helper'
+
 require 'pwnlib/context'
 
 class ContextTest < MiniTest::Test

data/test/data/echo.rb

@@ -0,0 +1,20 @@
+#!/usr/bin/env ruby
+
+require 'socket'
+
+if ARGV.empty?
+  puts "Usage #{__FILE__} port"
+  exit 1
+end
+
+server = TCPServer.open('127.0.0.1', ARGV[0].to_i)
+
+STDOUT.puts 'Start!'
+STDOUT.flush
+
+client = server.accept
+s = client.gets
+client.puts(s)
+client.close
+
+STDOUT.puts 'Bye!'

data/test/data/elfs/Makefile

@@ -0,0 +1,22 @@
+source=source.cpp
+FLAGS=
+PIE_FLAGS=-pie
+NOPIE_FLAGS=-no-pie
+FULL_RELRO_FLAGS=-Wl,-z,relro,-z,now
+PARTIAL_RELRO_FLAGS=-Wl,-z,relro
+NO_RELRO_FLAGS=-Wl,-z,norelro
+TARGETS=amd64 i386
+.PHONY: clean
+all: ${TARGETS}
+
+amd64: ${source}
+	g++ -m64 ${source} -o amd64.frelro.elf ${FLAGS} ${FULL_RELRO_FLAGS} ${NOPIE_FLAGS}
+	g++ -m64 ${source} -o amd64.frelro.pie.elf ${FLAGS} ${FULL_RELRO_FLAGS} ${PIE_FLAGS}
+	g++ -m64 ${source} -o amd64.prelro.elf ${FLAGS} ${PARTIAL_RELRO_FLAGS} ${NOPIE_FLAGS}
+	g++ -m64 ${source} -o amd64.nrelro.elf ${FLAGS} ${NO_RELRO_FLAGS} ${NOPIE_FLAGS}
+i386: ${source}
+	g++ -m32 ${source} -o i386.prelro.elf ${FLAGS} ${PARTIAL_RELRO_FLAGS} ${NOPIE_FLAGS}
+	g++ -m32 ${source} -o i386.frelro.pie.elf ${FLAGS} ${FULL_RELRO_FLAGS} ${PIE_FLAGS}
+
+clean:
+	rm -f *.elf

data/test/data/elfs/source.cpp

@@ -0,0 +1,19 @@
+#include <stdio.h>
+#include <stdlib.h>
+char s[101];
+void func() {
+  static int test = 0;
+  test++;
+  puts("In func:");
+  printf("test = %d\n", test);
+}
+int main() {
+  fgets(s, 100, stdin);
+  printf("%s", s);
+  int n;
+  scanf("%d", &n);
+  while(n--) {
+    func();
+  }
+  return 0;
+}

data/test/data/flag

@@ -0,0 +1 @@
+flag{pwntools_ruby}

data/test/dynelf_test.rb

@@ -5,43 +5,78 @@ require 'open3'
 require 'tty-platform'
 
 require 'test_helper'
+
+require 'pwnlib/context'
 require 'pwnlib/dynelf'
+require 'pwnlib/elf/elf'
 
 class DynELFTest < MiniTest::Test
-  def test_lookup
+  include ::Pwnlib
+  include ::Pwnlib::Context
+  include ::Pwnlib::ELF
+
+  def setup
     skip 'Only tested on linux' unless TTY::Platform.new.linux?
+  end
+
+  # popen victim with specific libc.so.6
+  def popen_victim(b)
+    lib_path = File.expand_path("data/lib#{b}/", __dir__)
+    libc_path = File.expand_path('libc.so.6', lib_path)
+    ld_path = File.expand_path('ld.so.2', lib_path)
+    victim_path = File.expand_path("data/victim#{b}", __dir__)
+
+    Open3.popen2("#{ld_path} --library-path #{lib_path} #{victim_path}") do |i, o, t|
+      main_ra = Integer(o.readline)
+      mem = open("/proc/#{t.pid}/mem", 'rb')
+      d = DynELF.new(main_ra) do |addr|
+        mem.seek(addr)
+        mem.getc
+      end
+
+      yield d, { libc: libc_path, main_ra: main_ra, pid: t.pid }
+
+      mem.close
+      i.write('bye')
+    end
+  end
+
+  def test_find_base
     [32, 64].each do |b|
-      # TODO(hh): Use process instead of popen2
-      Open3.popen2(File.expand_path("../data/victim#{b}", __FILE__)) do |i, o, t|
-        main_ra = Integer(o.readline)
-        libc_path = nil
-        IO.readlines("/proc/#{t.pid}/maps").map(&:split).each do |s|
+      popen_victim(b) do |d, options|
+        main_ra = options[:main_ra]
+        realbase = nil
+        IO.readlines("/proc/#{options[:pid]}/maps").map(&:split).each do |s|
           st, ed = s[0].split('-').map { |x| x.to_i(16) }
           next unless main_ra.between?(st, ed)
-          libc_path = s[-1]
+          realbase = st
           break
         end
-        refute_nil(libc_path)
-
-        # TODO(hh): Use ELF instead of objdump
-        # Methods in libc might have multi-versions, so we record and check if
-        # we can find one of them.
-        h = Hash.new { |hsh, key| hsh[key] = [] }
-        symbols = `objdump -T #{libc_path}`.lines.map(&:split).select { |a| a[2] == 'DF' }
-        symbols.map { |a| h[a[-1]] << a[0].to_i(16) }
-
-        mem = open("/proc/#{t.pid}/mem", 'rb')
-        d = ::Pwnlib::DynELF.new(main_ra) do |addr|
-          mem.seek(addr)
-          mem.getc
-        end
+        refute_nil(realbase)
+        assert_equal(realbase, d.libbase)
+      end
+    end
+  end
 
+  def test_lookup
+    [32, 64].each do |b|
+      popen_victim(b) do |d, options|
         assert_nil(d.lookup('pipi_hao_wei!'))
-        h.each do |sym, off|
-          assert_includes(off, d.lookup(sym) - d.libbase)
+        elf = ELF.new(options[:libc], checksec: false)
+        %i(system open read write execve printf puts sprintf mmap mprotect).each do |sym|
+          assert_equal(d.libbase + elf.symbols[sym], d.lookup(sym))
         end
+      end
+    end
+  end
 
-        i.write('bye')
+  def test_build_id
+    [
+      [32, 'ac333186c6b532511a68d16aca4c61422eb772da', 'i386'],
+      [64, '088a6e00a1814622219f346b41e775b8dd46c518', 'amd64']
+    ].each do |b, answer, arch|
+      context.local(arch: arch) do
+        popen_victim(b) { |d| assert_equal(answer, d.build_id) }
       end
     end
   end

data/test/elf/elf_test.rb

@@ -0,0 +1,120 @@
+# encoding: ASCII-8BIT
+
+require 'test_helper'
+
+require 'pwnlib/elf/elf'
+require 'pwnlib/logger'
+
+class ELFTest < MiniTest::Test
+  include ::Pwnlib::Logger
+
+  def setup
+    @path_of = ->(file) { File.join(__dir__, '..', 'data', 'elfs', file) }
+    @elf = ::Pwnlib::ELF::ELF.new(@path_of.call('i386.prelro.elf'), checksec: false)
+  end
+
+  # check stdout when loaded
+  def test_load
+    file = @path_of.call('amd64.prelro.elf')
+    assert_output(<<-EOS) { log_stdout { ::Pwnlib::ELF::ELF.new(file) } }
+[INFO] #{File.realpath(file).inspect}
+    RELRO:    Partial RELRO
+    Stack:    Canary found
+    NX:       NX enabled
+    PIE:      No PIE (0x400000)
+    EOS
+
+    file = @path_of.call('amd64.frelro.elf')
+    assert_output(<<-EOS) { log_stdout { ::Pwnlib::ELF::ELF.new(file) } }
+[WARN] No REL.PLT section found, PLT not loaded
+[INFO] #{File.realpath(file).inspect}
+    RELRO:    Full RELRO
+    Stack:    Canary found
+    NX:       NX enabled
+    PIE:      No PIE (0x400000)
+    EOS
+  end
+
+  def test_checksec
+    assert_equal(<<-EOS.strip, @elf.checksec)
+RELRO:    Partial RELRO
+Stack:    Canary found
+NX:       NX enabled
+PIE:      No PIE (0x8048000)
+    EOS
+
+    nrelro_elf = ::Pwnlib::ELF::ELF.new(@path_of.call('amd64.nrelro.elf'), checksec: false)
+    assert_equal(<<-EOS.strip, nrelro_elf.checksec)
+RELRO:    No RELRO
+Stack:    Canary found
+NX:       NX enabled
+PIE:      No PIE (0x400000)
+    EOS
+
+    frelro_elf = ::Pwnlib::ELF::ELF.new(@path_of.call('amd64.frelro.elf'), checksec: false)
+    assert_equal(<<-EOS.strip, frelro_elf.checksec)
+RELRO:    Full RELRO
+Stack:    Canary found
+NX:       NX enabled
+PIE:      No PIE (0x400000)
+    EOS
+  end
+
+  def test_got
+    assert_same(8, @elf.got.to_h.size)
+    assert_same(0x8049ff8, @elf.got['__gmon_start__'])
+    assert_same(0x8049ff8, @elf.got[:__gmon_start__])
+    assert_same(0x804a000, @elf.symbols['_GLOBAL_OFFSET_TABLE_'])
+    assert_same(0x804856d, @elf.symbols['main'])
+    assert_same(@elf.symbols.main, @elf.symbols[:main])
+  end
+
+  def test_plt
+    assert_same(6, @elf.plt.to_h.size)
+    assert_same(0x80483b0, @elf.plt.printf)
+    assert_same(0x80483f0, @elf.plt[:scanf])
+
+    elf = ::Pwnlib::ELF::ELF.new(@path_of.call('amd64.frelro.pie.elf'), checksec: false)
+    assert_nil(elf.plt)
+  end
+
+  def test_address
+    old_address = @elf.address
+    assert_equal(0x8048000, @elf.address)
+    old_main = @elf.symbols.main
+    new_address = 0x12340000
+    @elf.address = new_address
+    assert_equal(old_main - old_address + new_address, @elf.symbols.main)
+
+    elf = ::Pwnlib::ELF::ELF.new(@path_of.call('i386.frelro.pie.elf'), checksec: false)
+    assert_equal(0, elf.address)
+    assert_same(0x6c2, elf.symbols.main)
+    elf.address = 0xdeadbeef0000
+    # use 'equal' instead of 'same' because their +object_id+ are different on Windows.
+    assert_equal(0xdeadbeef06c2, elf.symbols.main)
+  end
+
+  def test_search
+    elf = ::Pwnlib::ELF::ELF.new(File.join(__dir__, '..', 'data', 'lib32', 'libc.so.6'), checksec: false)
+    assert_equal([0x1, 0x15e613], elf.search('ELF').to_a)
+    assert_equal(0x15900b, elf.find('/bin/sh').next)
+
+    result = elf.find(/E.F/)
+    assert_equal(0x1, result.next)
+    assert_equal(0xc8efa, result.next)
+    assert_equal(0xc9118, result.next)
+    assert_equal(0x158284, result.next)
+    assert_equal(0x158285, result.next)
+
+    elf.address = 0x1234000
+    assert_equal([0x1234001, 0x1392613], elf.search('ELF').to_a)
+    assert_equal(0x138d00b, elf.find('/bin/sh').next)
+  end
+
+  def log_stdout
+    old = log.instance_variable_get(:@logdev)
+    log.instance_variable_set(:@logdev, $stdout)
+    yield
+    log.instance_variable_set(:@logdev, old)
+  end
+end