pwntools 0.1.0 → 1.0.0

data/lib/pwnlib/constants/linux/amd64.rb

@@ -235,7 +235,6 @@ const :__NR_epoll_ctl, 233
 const :__NR_tgkill, 234
 const :__NR_utimes, 235
 const :__NR_vserver, 236
-const :__NR_vserver, 236
 const :__NR_mbind, 237
 const :__NR_set_mempolicy, 238
 const :__NR_get_mempolicy, 239
@@ -302,6 +301,36 @@ const :__NR_recvmmsg, 299
 const :__NR_fanotify_init, 300
 const :__NR_fanotify_mark, 301
 const :__NR_prlimit64, 302
+const :__NR_name_to_handle_at, 303
+const :__NR_open_by_handle_at, 304
+const :__NR_clock_adjtime, 305
+const :__NR_syncfs, 306
+const :__NR_sendmmsg, 307
+const :__NR_setns, 308
+const :__NR_getcpu, 309
+const :__NR_process_vm_readv, 310
+const :__NR_process_vm_writev, 311
+const :__NR_kcmp, 312
+const :__NR_finit_module, 313
+const :__NR_sched_setattr, 314
+const :__NR_sched_getattr, 315
+const :__NR_renameat2, 316
+const :__NR_seccomp, 317
+const :__NR_getrandom, 318
+const :__NR_memfd_create, 319
+const :__NR_kexec_file_load, 320
+const :__NR_bpf, 321
+const :__NR_execveat, 322
+const :__NR_userfaultfd, 323
+const :__NR_membarrier, 324
+const :__NR_mlock2, 325
+const :__NR_copy_file_range, 326
+const :__NR_preadv2, 327
+const :__NR_pwritev2, 328
+const :__NR_pkey_mprotect, 329
+const :__NR_pkey_alloc, 330
+const :__NR_pkey_free, 331
+const :__NR_statx, 332
 const :SYS32_restart_syscall, 0
 const :SYS32_exit, 1
 const :SYS32_fork, 2

data/lib/pwnlib/context.rb

@@ -17,7 +17,7 @@ module Pwnlib
         newline: "\n",
         os: 'linux',
         signed: false,
-        timeout: Float::INFINITY
+        timeout: :forever
       }.freeze
 
       OSES = %w(linux freebsd windows).sort
@@ -30,10 +30,11 @@ module Pwnlib
       LITTLE_64 = { endian: 'little', bits: 64 }.freeze
 
       class << self
+        private
+
         def longest(d)
           Hash[d.sort_by { |k, _v| k.size }.reverse]
         end
-        private :longest
       end
 
       ARCHS = longest(
@@ -76,9 +77,7 @@ module Pwnlib
 
       VALID_SIGNED = SIGNEDNESSES.keys
 
-      # XXX(Darkpi): Should we just hard-coded all levels here,
-      # or should we use Logger#const_defined?
-      # (This would include constant SEV_LEVEL, and exclude UNKNOWN)?
+      # We use Logger#const_defined for pwnlib logger.
       LOG_LEVELS = %w(DEBUG INFO WARN ERROR FATAL UNKNOWN).freeze
 
       def initialize(**kwargs)
@@ -105,8 +104,9 @@ module Pwnlib
       # This would return what the block return.
       def local(**kwargs)
         raise ArgumentError, "Need a block for #{self.class}##{__callee__}" unless block_given?
-        # XXX(Darkpi): improve performance for this if this is too slow, since we use this in many
-        #              places that has argument endian / signed / ...
+        # XXX(Darkpi):
+        #   improve performance for this if this is too slow, since we use this in many places that has argument
+        #   endian / signed / ...
         old_attrs = @attrs.dup
         begin
           update(**kwargs)
@@ -129,13 +129,11 @@ module Pwnlib
         @attrs[:newline] = newline
       end
 
-      # TODO(Darkpi): Timeout module.
       def timeout=(timeout)
         @attrs[:timeout] = timeout
       end
 
-      # Difference from Python pwntools:
-      # We always change +bits+ and +endian+ field whether user have already changed them.
+      # @diff We always change +bits+ and +endian+ field whether user have already changed them.
       def arch=(arch)
         arch = arch.downcase.gsub(/[[:punct:]]/, '')
         defaults = ARCHS[arch]
@@ -166,8 +164,8 @@ module Pwnlib
       def log_level=(value)
         log_level = nil
         case value
-        when String
-          value = value.upcase
+        when String, Symbol
+          value = value.to_s.upcase
           log_level = Logger.const_get(value) if LOG_LEVELS.include?(value)
         when Integer
           log_level = value
@@ -201,20 +199,30 @@ module Pwnlib
 
     @context = ContextType.new
 
+    # @!attribute [r] context
+    #   @return [ContextType] the singleton context for all class.
     class << self
       attr_reader :context
     end
 
-    # For include.
+    # A module for include hook for context.
+    # Including Pwnlib::Context from module M would add +context+ as a private instance method and a private class
+    # method for module M.
     # @!visibility private
-    def context
-      ::Pwnlib::Context.context
+    module IncludeContext
+      private
+
+      def context
+        ::Pwnlib::Context.context
+      end
     end
 
     # @!visibility private
     def self.included(base)
-      # XXX(Darkpi): Should we do this?
-      base.__send__(:private, :context)
+      base.include(IncludeContext)
+      class << base
+        include IncludeContext
+      end
     end
   end
 end

data/lib/pwnlib/dynelf.rb

@@ -1,60 +1,126 @@
 # encoding: ASCII-8BIT
 
+require 'elftools'
+
 require 'pwnlib/context'
 require 'pwnlib/memleak'
 require 'pwnlib/util/packing'
 
-# TODO(hh): Use ELF datatype instead of magic offset
-
 module Pwnlib
   # DynELF class, resolve symbols in loaded, dynamically-linked ELF binaries.
-  # Given a function which can leak data at an arbitrary address,
-  # any symbol in any loaded library can be resolved.
+  # Given a function which can leak data at an arbitrary address, any symbol in any loaded library can be resolved.
   class DynELF
-    PT_DYNAMIC = 2
-    DT_GNU_HASH = 0x6ffffef5
-    DT_HASH = 4
-    DT_STRTAB = 5
-    DT_SYMTAB = 6
-
-    attr_reader :libbase
+    attr_reader :libbase # @return [Integer] Base of lib.
 
+    # Instantiate a {Pwnlib::DynELF} object.
+    #
+    # @param [Integer] addr
+    #   An address known to be inside the ELF.
+    #
+    # @yieldparam [Integer] leak_addr
+    #   The start address that the leaker should leak from.
+    #
+    # @yieldreturn [String]
+    #   A leaked non-empty byte string, starting from +leak_addr+.
     def initialize(addr, &block)
       @leak = ::Pwnlib::MemLeak.new(&block)
-      @libbase = @leak.find_elf_base(addr)
-      @elfclass = { "\x01" => 32, "\x02" => 64 }[@leak.b(@libbase + 4)]
+      @libbase = find_base(addr)
+      @elfclass = { 0x1 => 32, 0x2 => 64 }[@leak.b(@libbase + 4)]
       @elfword = @elfclass / 8
-      @unp = ->(x) { Util::Packing.public_send({ 32 => :u32, 64 => :u64 }[@elfclass], x) }
       @dynamic = find_dynamic
       @hshtab = @strtab = @symtab = nil
     end
 
-    def lookup(symb)
-      @hshtab ||= find_dt(DT_GNU_HASH)
-      @strtab ||= find_dt(DT_STRTAB)
-      @symtab ||= find_dt(DT_SYMTAB)
-      resolve_symbol_gnu(symb)
+    # Lookup a symbol from the ELF.
+    #
+    # @param [String] symbol
+    #   The symbol name.
+    #
+    # @return [Integer, nil]
+    #   The address of the symbol, or +nil+ if not found.
+    def lookup(symbol)
+      symbol = symbol.to_s
+      sym_size = { 32 => 16, 64 => 24 }[@elfclass]
+      # Leak GNU_HASH section header.
+      nbuckets = @leak.d(hshtab)
+      symndx = @leak.d(hshtab + 4)
+      maskwords = @leak.d(hshtab + 8)
+
+      l_gnu_buckets = hshtab + 16 + (@elfword * maskwords)
+      l_gnu_chain_zero = l_gnu_buckets + (4 * nbuckets) - (4 * symndx)
+
+      hsh = gnu_hash(symbol)
+      bucket = hsh % nbuckets
+
+      i = @leak.d(l_gnu_buckets + bucket * 4)
+      return nil if i.zero?
+
+      hsh2 = 0
+      while (hsh2 & 1).zero?
+        hsh2 = @leak.d(l_gnu_chain_zero + i * 4)
+        if ((hsh ^ hsh2) >> 1).zero?
+          sym = symtab + sym_size * i
+          st_name = @leak.d(sym)
+          name = @leak.n(strtab + st_name, symbol.length + 1)
+          if name == (symbol + "\x00")
+            offset = { 32 => 4, 64 => 8 }[@elfclass]
+            st_value = unpack(@leak.n(sym + offset, @elfword))
+            return @libbase + st_value
+          end
+        end
+        i += 1
+      end
+      nil
+    end
+
+    # Leak the BuildID of the remote libc.so.
+    #
+    # @return [String?]
+    #   Return BuildID in hex format or +nil+.
+    def build_id
+      build_id_offsets.each do |offset|
+        next unless @leak.n(@libbase + offset + 12, 4) == "GNU\x00"
+        return @leak.n(@libbase + offset + 16, 20).unpack('H*').first
+      end
+      nil
     end
 
     private
 
+    PAGE_SIZE = 0x1000
+    PAGE_MASK = ~(PAGE_SIZE - 1)
+
+    def unpack(x)
+      Util::Packing.public_send({ 32 => :u32, 64 => :u64 }[@elfclass], x)
+    end
+
     # Function used to generated GNU-style hashes for strings.
     def gnu_hash(s)
       s.bytes.reduce(5381) { |acc, elem| (acc * 33 + elem) & 0xffffffff }
     end
 
+    # Get the base address of the ELF, based on heuristic of finding ELF header.
+    # A known address in ELF should be given.
+    def find_base(ptr)
+      ptr &= PAGE_MASK
+      loop do
+        return @base = ptr if @leak.n(ptr, 4) == "\x7fELF"
+        ptr -= PAGE_SIZE
+      end
+    end
+
     def find_dynamic
       e_phoff_offset = { 32 => 28, 64 => 32 }[@elfclass]
-      e_phoff = @libbase + @unp.call(@leak.n(@libbase + e_phoff_offset, @elfword))
+      e_phoff = @libbase + unpack(@leak.n(@libbase + e_phoff_offset, @elfword))
       phdr_size = { 32 => 32, 64 => 56 }[@elfclass]
       loop do
         ptype = @leak.d(e_phoff)
-        break if ptype == PT_DYNAMIC
+        break if ptype == ELFTools::Constants::PT::PT_DYNAMIC
         e_phoff += phdr_size
       end
       offset = { 32 => 8, 64 => 16 }[@elfclass]
-      dyn = @unp.call(@leak.n(e_phoff + offset, @elfword))
-      # Sometimes this is an offset instead of an address
+      dyn = unpack(@leak.n(e_phoff + offset, @elfword))
+      # Sometimes this is an offset instead of an address.
       dyn += @libbase if (0...0x400000).cover?(dyn)
       dyn
     end
@@ -64,8 +130,8 @@ module Pwnlib
       ptr = @dynamic
       loop do
         tmp = @leak.n(ptr, @elfword * 2)
-        d_tag = @unp.call(tmp[0, @elfword])
-        d_addr = @unp.call(tmp[@elfword, @elfword])
+        d_tag = unpack(tmp[0, @elfword])
+        d_addr = unpack(tmp[@elfword, @elfword])
         break if d_tag.zero?
         return d_addr if tag == d_tag
         ptr += dyn_size
@@ -73,38 +139,35 @@ module Pwnlib
       nil
     end
 
-    def resolve_symbol_gnu(symb)
-      sym_size = { 32 => 16, 64 => 24 }[@elfclass]
-      # Leak GNU_HASH section header
-      nbuckets = @leak.d(@hshtab)
-      symndx = @leak.d(@hshtab + 4)
-      maskwords = @leak.d(@hshtab + 8)
-
-      l_gnu_buckets = @hshtab + 16 + (@elfword * maskwords)
-      l_gnu_chain_zero = l_gnu_buckets + (4 * nbuckets) - (4 * symndx)
+    def hshtab
+      @hshtab ||= find_dt(ELFTools::Constants::DT::DT_GNU_HASH)
+    end
 
-      hsh = gnu_hash(symb)
-      bucket = hsh % nbuckets
+    def strtab
+      @strtab ||= find_dt(ELFTools::Constants::DT::DT_STRTAB)
+    end
 
-      i = @leak.d(l_gnu_buckets + bucket * 4)
-      return nil if i.zero?
+    def symtab
+      @symtab ||= find_dt(ELFTools::Constants::DT::DT_SYMTAB)
+    end
 
-      hsh2 = 0
-      while (hsh2 & 1).zero?
-        hsh2 = @leak.d(l_gnu_chain_zero + i * 4)
-        if ((hsh ^ hsh2) >> 1).zero?
-          sym = @symtab + sym_size * i
-          st_name = @leak.d(sym)
-          name = @leak.n(@strtab + st_name, symb.length + 1)
-          if name == (symb + "\x00")
-            offset = { 32 => 4, 64 => 8 }[@elfclass]
-            st_value = @unp.call(@leak.n(sym + offset, @elfword))
-            return @libbase + st_value
-          end
-        end
-        i += 1
-      end
-      nil
+    # Given the corpus of almost all libc to have been released on RedHat, Fedora, Ubuntu, Debian,
+    # etc. over the past several years, there is a strong possibility the GNU Build ID section will
+    # be at one of the specified addresses.
+    def build_id_offsets
+      {
+        i386: [0x174],
+        arm:  [0x174],
+        thumb:  [0x174],
+        aarch64: [0x238],
+        amd64: [0x270, 0x174],
+        powerpc: [0x174],
+        powerpc64: [0x238],
+        sparc: [0x174],
+        sparc64: [0x270]
+      }[context.arch.to_sym] || []
     end
+
+    include Context
   end
 end

data/lib/pwnlib/elf/elf.rb

@@ -0,0 +1,267 @@
+require 'elftools'
+require 'ostruct'
+require 'rainbow'
+
+require 'pwnlib/logger'
+
+module Pwnlib
+  # ELF module includes classes for parsing an ELF file.
+  module ELF
+    # Main class for using {Pwnlib::ELF} module.
+    class ELF
+      # @return [OpenStruct] GOT symbols.
+      attr_reader :got
+
+      # @return [OpenStruct] PLT symbols.
+      attr_reader :plt
+
+      # @return [OpenStruct] All symbols.
+      attr_reader :symbols
+
+      # @return [Integer] Base address.
+      attr_reader :address
+
+      # Instantiate an {Pwnlib::ELF::ELF} object.
+      #
+      # Will show checksec information to stdout.
+      #
+      # @param [String] path
+      #   The path to the ELF file.
+      # @param [Boolean] checksec
+      #   The checksec information will be printed to stdout after ELF loaded. Pass +checksec: false+ to disable this
+      #   feature.
+      #
+      # @example
+      #   ELF.new('/lib/x86_64-linux-gnu/libc.so.6')
+      #   # RELRO:    Partial RELRO
+      #   # Stack:    No canary found
+      #   # NX:       NX enabled
+      #   # PIE:      PIE enabled
+      #   #=> #<Pwnlib::ELF::ELF:0x00559bd670dcb8>
+      def initialize(path, checksec: true)
+        path = File.realpath(path)
+        @elf_file = ELFTools::ELFFile.new(File.open(path, 'rb')) # rubocop:disable Style/AutoResourceCleanup
+        load_got
+        load_plt
+        load_symbols
+        @address = base_address
+        @load_addr = @address
+        show_info(path) if checksec
+      end
+
+      # Set the base address.
+      #
+      # Values in following tables will be changed simultaneously:
+      #   got
+      #   plt
+      #   symbols
+      #
+      # @param [Integer] val
+      #   Address to be changed to.
+      #
+      # @return [Integer]
+      #   The new address.
+      def address=(val)
+        old = @address
+        @address = val
+        [@got, @plt, @symbols].compact.each do |tbl|
+          tbl.each_pair { |k, _| tbl[k] += val - old }
+        end
+        val
+      end
+
+      # Return the protection information, wrapper with color codes.
+      #
+      # @return [String]
+      #   The checksec information.
+      def checksec
+        [
+          'RELRO:'.ljust(10) + {
+            full: Rainbow('Full RELRO').green,
+            partial: Rainbow('Partial RELRO').yellow,
+            none: Rainbow('No RELRO').red
+          }[relro],
+          'Stack:'.ljust(10) + {
+            true =>  Rainbow('Canary found').green,
+            false => Rainbow('No canary found').red
+          }[canary?],
+          'NX:'.ljust(10) + {
+            true => Rainbow('NX enabled').green,
+            false => Rainbow('NX disabled').red
+          }[nx?],
+          'PIE:'.ljust(10) + {
+            true => Rainbow('PIE enabled').green,
+            false => Rainbow(format('No PIE (0x%x)', address)).red
+          }[pie?]
+        ].join("\n")
+      end
+
+      # The method used in relro.
+      #
+      # @return [:full, :partial, :none]
+      def relro
+        return :none unless @elf_file.segment_by_type(:gnu_relro)
+        return :full if dynamic_tag(:bind_now)
+        flags = dynamic_tag(:flags)
+        return :full if flags && (flags.value & ::ELFTools::Constants::DF_BIND_NOW) != 0
+        flags1 = dynamic_tag(:flags_1)
+        return :full if flags1 && (flags1.value & ::ELFTools::Constants::DF_1_NOW) != 0
+        :partial
+      end
+
+      # Is this ELF file has canary?
+      #
+      # Actually judged by if +__stack_chk_fail+ in got symbols.
+      #
+      # @return [Boolean] Yes or not.
+      def canary?
+        @got.respond_to?('__stack_chk_fail')
+      end
+
+      # Is stack executable?
+      #
+      # @return [Boolean] Yes or not.
+      def nx?
+        !@elf_file.segment_by_type(:gnu_stack).executable?
+      end
+
+      # Is this ELF file a position-independent executable?
+      #
+      # @return [Boolean] Yes or not.
+      def pie?
+        @elf_file.elf_type == 'DYN'
+      end
+
+      # There's too many objects inside, let pry not so verbose.
+      # @return [nil]
+      def inspect
+        nil
+      end
+
+      # Yields the ELF's virtual address space for the specified string or regexp.
+      # Returns an Enumerator if no block given.
+      #
+      # @param [String, Regexp] needle
+      #   The specified string to search.
+      #
+      # @return [Enumerator<Integer>]
+      #   An enumerator for offsets in ELF's virtual address space.
+      #
+      # @example
+      #   ELF.new('/bin/sh', checksec: false).find('ELF')
+      #   #=> #<Enumerator: ...>
+      #
+      #   ELF.new('/bin/sh', checksec: false).find(/E.F/).each { |i| puts i.hex }
+      #   # 0x1
+      #   # 0x11477
+      #   # 0x1c84f
+      #   # 0x1d5ee
+      #   #=> true
+      def search(needle)
+        return enum_for(:search, needle) unless block_given?
+        load_address_fixup = @address - @load_addr
+        stream = @elf_file.stream
+        @elf_file.each_segments do |seg|
+          addr = seg.header.p_vaddr
+          memsz = seg.header.p_memsz
+          offset = seg.header.p_offset
+
+          stream.pos = offset
+          data = stream.read(memsz).ljust(seg.header.p_filesz, "\x00")
+
+          offset = 0
+          loop do
+            offset = data.index(needle, offset)
+            break if offset.nil?
+            yield (addr + offset + load_address_fixup)
+            offset += 1
+          end
+        end
+        true
+      end
+      alias find search
+
+      private
+
+      def show_info(path)
+        log.info(path.inspect)
+        log.indented(checksec, level: ::Pwnlib::Logger::INFO)
+      end
+
+      # Get the dynamic tag with +type+.
+      # @return [ELFTools::Dynamic::Tag, nil]
+      def dynamic_tag(type)
+        dynamic = @elf_file.segment_by_type(:dynamic) || @elf.section_by_name('.dynamic')
+        return nil if dynamic.nil? # No dynamic present, might be static-linked.
+        dynamic.tag_by_type(type)
+      end
+
+      # Load got symbols
+      def load_got
+        @got = OpenStruct.new
+        sections_by_types(%i(rel rela)).each do |rel_sec|
+          symtab = @elf_file.section_at(rel_sec.header.sh_link)
+          next unless symtab.respond_to?(:symbol_at)
+          rel_sec.relocations.each do |rel|
+            symbol = symtab.symbol_at(rel.symbol_index)
+            next if symbol.nil? # Unusual case.
+            @got[symbol.name] = rel.header.r_offset.to_i
+          end
+        end
+      end
+
+      PLT_OFFSET = 0x10 # magic offset, correct in i386/amd64.
+      # Load all plt symbols.
+      def load_plt
+        # Unlike pwntools-python, which use unicorn emulating instructions to find plt(s).
+        # Here only use section information, which won't find any plt(s) when compile option '-Wl' is enabled.
+        #
+        # The implementation here same as pwntools-python 3.5, and supports i386 and amd64 only.
+        @plt = nil
+        plt_sec = @elf_file.section_by_name('.plt')
+        return log.warn('No PLT section found, PLT not loaded') if plt_sec.nil?
+        rel_sec = @elf_file.section_by_name('.rel.plt') || @elf_file.section_by_name('.rela.plt')
+        return log.warn('No REL.PLT section found, PLT not loaded') if rel_sec.nil?
+        symtab = @elf_file.section_at(rel_sec.header.sh_link)
+        return unless symtab.respond_to?(:symbol_at) # unusual case
+        @plt = OpenStruct.new
+        address = plt_sec.header.sh_addr.to_i + PLT_OFFSET
+        rel_sec.relocations.each do |rel|
+          symbol = symtab.symbol_at(rel.symbol_index)
+          next if symbol.nil? # unusual case
+          @plt[symbol.name] = address
+          address += PLT_OFFSET
+        end
+      end
+
+      # Load all exist symbols.
+      def load_symbols
+        @symbols = OpenStruct.new
+        @elf_file.each_sections do |section|
+          next unless section.respond_to?(:symbols)
+          section.each_symbols do |symbol|
+            # Don't care symbols without name.
+            next if symbol.name.empty?
+            next if symbol.header.st_value.zero?
+            # TODO(david942j): handle symbols with same name.
+            @symbols[symbol.name] = symbol.header.st_value.to_i
+          end
+        end
+      end
+
+      def sections_by_types(types)
+        types.map { |type| @elf_file.sections_by_type(type) }.flatten
+      end
+
+      def base_address
+        return 0 if pie?
+        # Find the min of PT_LOAD's p_vaddr
+        @elf_file.segments_by_type(:load)
+                 .map { |seg| seg.header.p_vaddr }
+                 .min
+      end
+
+      include ::Pwnlib::Logger
+    end
+  end
+end