RubyGems - pwntools - Versions diffs - 0.1.0 → 1.2.1 - Mend

pwntools 0.1.0 → 1.2.1

Files changed (168) hide show

checksums.yaml +5 -5
data/README.md +96 -15
data/Rakefile +8 -2
data/lib/pwn.rb +10 -7
data/lib/pwnlib/abi.rb +61 -0
data/lib/pwnlib/asm.rb +357 -0
data/lib/pwnlib/constants/constant.rb +19 -3
data/lib/pwnlib/constants/constants.rb +46 -20
data/lib/pwnlib/constants/linux/amd64.rb +32 -1
data/lib/pwnlib/constants/linux/i386.rb +2 -0
data/lib/pwnlib/context.rb +128 -27
data/lib/pwnlib/dynelf.rb +122 -54
data/lib/pwnlib/elf/elf.rb +340 -0
data/lib/pwnlib/errors.rb +31 -0
data/lib/pwnlib/ext/array.rb +2 -1
data/lib/pwnlib/ext/helper.rb +6 -5
data/lib/pwnlib/ext/integer.rb +2 -1
data/lib/pwnlib/ext/string.rb +3 -2
data/lib/pwnlib/logger.rb +245 -0
data/lib/pwnlib/memleak.rb +59 -29
data/lib/pwnlib/pwn.rb +27 -9
data/lib/pwnlib/reg_sort.rb +109 -110
data/lib/pwnlib/runner.rb +53 -0
data/lib/pwnlib/shellcraft/generators/amd64/common/common.rb +16 -0
data/lib/pwnlib/shellcraft/generators/amd64/common/infloop.rb +24 -0
data/lib/pwnlib/shellcraft/generators/amd64/common/memcpy.rb +35 -0
data/lib/pwnlib/shellcraft/generators/amd64/common/mov.rb +131 -0
data/lib/pwnlib/shellcraft/generators/amd64/common/nop.rb +18 -0
data/lib/pwnlib/shellcraft/generators/amd64/common/popad.rb +28 -0
data/lib/pwnlib/shellcraft/generators/amd64/common/pushstr.rb +66 -0
data/lib/pwnlib/shellcraft/generators/amd64/common/pushstr_array.rb +24 -0
data/lib/pwnlib/shellcraft/generators/amd64/common/ret.rb +33 -0
data/lib/pwnlib/shellcraft/generators/amd64/common/setregs.rb +24 -0
data/lib/pwnlib/shellcraft/generators/amd64/linux/cat.rb +24 -0
data/lib/pwnlib/shellcraft/generators/amd64/linux/execve.rb +24 -0
data/lib/pwnlib/shellcraft/generators/amd64/linux/exit.rb +24 -0
data/lib/pwnlib/shellcraft/generators/amd64/linux/linux.rb +16 -0
data/lib/pwnlib/shellcraft/generators/amd64/linux/ls.rb +24 -0
data/lib/pwnlib/shellcraft/generators/amd64/linux/open.rb +24 -0
data/lib/pwnlib/shellcraft/generators/amd64/linux/sh.rb +24 -0
data/lib/pwnlib/shellcraft/generators/amd64/linux/sleep.rb +24 -0
data/lib/pwnlib/shellcraft/generators/amd64/linux/syscall.rb +24 -0
data/lib/pwnlib/shellcraft/generators/helper.rb +115 -0
data/lib/pwnlib/shellcraft/generators/i386/common/common.rb +16 -0
data/lib/pwnlib/shellcraft/generators/i386/common/infloop.rb +24 -0
data/lib/pwnlib/shellcraft/generators/i386/common/memcpy.rb +34 -0
data/lib/pwnlib/shellcraft/generators/i386/common/mov.rb +93 -0
data/lib/pwnlib/shellcraft/generators/i386/common/nop.rb +18 -0
data/lib/pwnlib/shellcraft/generators/i386/common/pushstr.rb +41 -0
data/lib/pwnlib/shellcraft/generators/i386/common/pushstr_array.rb +24 -0
data/lib/pwnlib/shellcraft/generators/i386/common/setregs.rb +24 -0
data/lib/pwnlib/shellcraft/generators/i386/linux/cat.rb +24 -0
data/lib/pwnlib/shellcraft/generators/i386/linux/execve.rb +24 -0
data/lib/pwnlib/shellcraft/generators/i386/linux/exit.rb +24 -0
data/lib/pwnlib/shellcraft/generators/i386/linux/linux.rb +16 -0
data/lib/pwnlib/shellcraft/generators/i386/linux/ls.rb +24 -0
data/lib/pwnlib/shellcraft/generators/i386/linux/open.rb +24 -0
data/lib/pwnlib/shellcraft/generators/i386/linux/sh.rb +24 -0
data/lib/pwnlib/shellcraft/generators/i386/linux/sleep.rb +24 -0
data/lib/pwnlib/shellcraft/generators/i386/linux/syscall.rb +24 -0
data/lib/pwnlib/shellcraft/generators/x86/common/common.rb +29 -0
data/lib/pwnlib/shellcraft/generators/x86/common/infloop.rb +24 -0
data/lib/pwnlib/shellcraft/generators/x86/common/memcpy.rb +17 -0
data/lib/pwnlib/shellcraft/generators/x86/common/mov.rb +17 -0
data/lib/pwnlib/shellcraft/generators/x86/common/pushstr.rb +17 -0
data/lib/pwnlib/shellcraft/generators/x86/common/pushstr_array.rb +86 -0
data/lib/pwnlib/shellcraft/generators/x86/common/setregs.rb +84 -0
data/lib/pwnlib/shellcraft/generators/x86/linux/cat.rb +54 -0
data/lib/pwnlib/shellcraft/generators/x86/linux/execve.rb +72 -0
data/lib/pwnlib/shellcraft/generators/x86/linux/exit.rb +34 -0
data/lib/pwnlib/shellcraft/generators/x86/linux/linux.rb +16 -0
data/lib/pwnlib/shellcraft/generators/x86/linux/ls.rb +67 -0
data/lib/pwnlib/shellcraft/generators/x86/linux/open.rb +47 -0
data/lib/pwnlib/shellcraft/generators/x86/linux/sh.rb +53 -0
data/lib/pwnlib/shellcraft/generators/x86/linux/sleep.rb +52 -0
data/lib/pwnlib/shellcraft/generators/x86/linux/syscall.rb +52 -0
data/lib/pwnlib/shellcraft/registers.rb +148 -0
data/lib/pwnlib/shellcraft/shellcraft.rb +73 -0
data/lib/pwnlib/timer.rb +67 -0
data/lib/pwnlib/tubes/buffer.rb +99 -0
data/lib/pwnlib/tubes/process.rb +155 -0
data/lib/pwnlib/tubes/serialtube.rb +114 -0
data/lib/pwnlib/tubes/sock.rb +101 -0
data/lib/pwnlib/tubes/tube.rb +442 -0
data/lib/pwnlib/ui.rb +21 -0
data/lib/pwnlib/util/cyclic.rb +97 -94
data/lib/pwnlib/util/fiddling.rb +288 -220
data/lib/pwnlib/util/getdents.rb +85 -0
data/lib/pwnlib/util/hexdump.rb +116 -112
data/lib/pwnlib/util/lists.rb +58 -0
data/lib/pwnlib/util/packing.rb +223 -228
data/lib/pwnlib/util/ruby.rb +19 -0
data/lib/pwnlib/version.rb +3 -1
data/test/abi_test.rb +22 -0
data/test/asm_test.rb +177 -0
data/test/constants/constant_test.rb +2 -0
data/test/constants/constants_test.rb +5 -2
data/test/context_test.rb +14 -3
data/test/data/assembly/aarch64.s +19 -0
data/test/data/assembly/amd64.s +21 -0
data/test/data/assembly/arm.s +9 -0
data/test/data/assembly/i386.s +21 -0
data/test/data/assembly/mips.s +16 -0
data/test/data/assembly/mips64.s +6 -0
data/test/data/assembly/powerpc.s +18 -0
data/test/data/assembly/powerpc64.s +36 -0
data/test/data/assembly/sparc.s +33 -0
data/test/data/assembly/sparc64.s +5 -0
data/test/data/assembly/thumb.s +37 -0
data/test/data/echo.rb +16 -0
data/test/data/elfs/Makefile +24 -0
data/test/data/elfs/amd64.frelro.elf +0 -0
data/test/data/elfs/amd64.frelro.pie.elf +0 -0
data/test/data/elfs/amd64.nrelro.elf +0 -0
data/test/data/elfs/amd64.prelro.elf +0 -0
data/test/data/elfs/amd64.static.elf +0 -0
data/test/data/elfs/i386.frelro.pie.elf +0 -0
data/test/data/elfs/i386.prelro.elf +0 -0
data/test/data/elfs/source.cpp +19 -0
data/test/data/flag +1 -0
data/test/data/lib32/ld.so.2 +0 -0
data/test/data/lib32/libc.so.6 +0 -0
data/test/data/lib64/ld.so.2 +0 -0
data/test/data/lib64/libc.so.6 +0 -0
data/test/dynelf_test.rb +62 -25
data/test/elf/elf_test.rb +147 -0
data/test/ext_test.rb +4 -2
data/test/files/use_pwn.rb +3 -6
data/test/files/use_pwnlib.rb +2 -1
data/test/full_file_test.rb +6 -0
data/test/logger_test.rb +120 -0
data/test/memleak_test.rb +5 -33
data/test/reg_sort_test.rb +4 -1
data/test/runner_test.rb +32 -0
data/test/shellcraft/infloop_test.rb +27 -0
data/test/shellcraft/linux/cat_test.rb +87 -0
data/test/shellcraft/linux/ls_test.rb +109 -0
data/test/shellcraft/linux/sh_test.rb +120 -0
data/test/shellcraft/linux/sleep_test.rb +68 -0
data/test/shellcraft/linux/syscalls/execve_test.rb +137 -0
data/test/shellcraft/linux/syscalls/exit_test.rb +57 -0
data/test/shellcraft/linux/syscalls/open_test.rb +87 -0
data/test/shellcraft/linux/syscalls/syscall_test.rb +84 -0
data/test/shellcraft/memcpy_test.rb +50 -0
data/test/shellcraft/mov_test.rb +99 -0
data/test/shellcraft/nop_test.rb +27 -0
data/test/shellcraft/popad_test.rb +30 -0
data/test/shellcraft/pushstr_array_test.rb +92 -0
data/test/shellcraft/pushstr_test.rb +109 -0
data/test/shellcraft/registers_test.rb +33 -0
data/test/shellcraft/ret_test.rb +31 -0
data/test/shellcraft/setregs_test.rb +63 -0
data/test/shellcraft/shellcraft_test.rb +30 -0
data/test/test_helper.rb +61 -2
data/test/timer_test.rb +42 -0
data/test/tubes/buffer_test.rb +46 -0
data/test/tubes/process_test.rb +105 -0
data/test/tubes/serialtube_test.rb +162 -0
data/test/tubes/sock_test.rb +68 -0
data/test/tubes/tube_test.rb +320 -0
data/test/ui_test.rb +18 -0
data/test/util/cyclic_test.rb +3 -1
data/test/util/fiddling_test.rb +12 -3
data/test/util/getdents_test.rb +33 -0
data/test/util/hexdump_test.rb +9 -10
data/test/util/lists_test.rb +22 -0
data/test/util/packing_test.rb +5 -3
metadata +357 -37

data/test/data/assembly/powerpc64.s ADDED Viewed

@@ -0,0 +1,36 @@
+# These tests are fetched from Capstone's test_ppc.c
+# context: endian: big
+# !skip asm
+# PPC-64
+  1000:   43 20 0c 07  bdnzla+  0xc04
+  1004:   41 56 7f 17  bdztla   4*cr5+eq, 0x7f14
+# Inconsistent output between capstone3 and later versions, skip
+  ; 1008:   80 20 00 00  lwz      r1, 0(0)
+  ; 100c:   80 3f 00 00  lwz      r1, 0(r31)
+  1008:   10 43 23 0e  vpkpx    v2, v3, v4
+  100c:   d0 44 00 80  stfs     f2, 0x80(r4)
+  1010:   4c 43 22 02  crand    2, 3, 4
+  1014:   2d 03 00 80  cmpwi    cr2, r3, 0x80
+  1018:   7c 43 20 14  addc     r2, r3, r4
+  101c:   7c 43 20 93  mulhd.   r2, r3, r4
+  1020:   4f 20 00 21  bdnzlrl+
+  1024:   4c c8 00 21  bgelrl-  cr2
+  1028:   40 82 00 14  bne      0x103c
+# context: endian: big
+# !skip disasm
+# PPC-64
+  1000:   43 20 0c 07  bdnzla+  0xc04
+  1004:   41 56 7f 17  bdztla   4*cr5+eq, 0x7f14
+  1008:   80 20 00 00  lwz      1, 0(0)
+  1010:   80 3f 00 00  lwz      1, 0(31)
+  1014:   10 43 23 0e  vpkpx    2, 3, 4
+  1018:   d0 44 00 80  stfs     2, 0x80(4)
+  101c:   4c 43 22 02  crand    2, 3, 4
+  1020:   2d 03 00 80  cmpwi    cr2, 3, 0x80
+  1024:   7c 43 20 14  addc     2, 3, 4
+  1028:   7c 43 20 93  mulhd.   2, 3, 4
+  102c:   4f 20 00 21  bdnzlrl+
+  1030:   4c c8 00 21  bgelrl-  cr2
+  1034:   40 82 00 14  bne      0x1044

data/test/data/assembly/sparc.s ADDED Viewed

@@ -0,0 +1,33 @@
+# These tests are fetched from Capstone's test_sparc.c
+# !skip asm # because of keystone-engine/keystone#405
+  1000:   80 a0 40 02  cmp     %g1, %g2
+  1004:   85 c2 60 08  jmpl    %o1+8, %g2
+  1008:   85 e8 20 01  restore %g0, 1, %g2
+  100c:   81 e8 00 00  restore
+  1010:   90 10 20 01  mov     1, %o0
+  1014:   d5 f6 10 16  casx    [%i0], %l6, %o2
+  1018:   21 00 00 0a  sethi   0xa, %l0
+  101c:   86 00 40 02  add     %g1, %g2, %g3
+  1020:   01 00 00 00  nop
+  1024:   12 bf ff ff  bne     0x1020
+  1028:   10 bf ff ff  ba      0x1024
+  102c:   a0 02 00 09  add     %o0, %o1, %l0
+  1030:   0d bf ff ff  fbg     0x102c
+  1034:   d4 20 40 00  st      %o2, [%g1]
+  1038:   d4 4e 00 16  ldsb    [%i0+%l6], %o2
+# The output between objdump/llvm/capstone is inconsistent
+  ; 103c:   2a c2 80 03  brnz,a,pn %o2, 0x1048
+# Copied from above, ignored branch instructions
+  1000:   80 a0 40 02  cmp     %g1, %g2
+  1004:   85 e8 20 01  restore %g0, 1, %g2
+  1008:   81 e8 00 00  restore
+  100c:   90 10 20 01  mov     1, %o0
+  1010:   d5 f6 10 16  casx    [%i0], %l6, %o2
+  1014:   21 00 00 0a  sethi   0xa, %l0
+  1018:   86 00 40 02  add     %g1, %g2, %g3
+  101c:   01 00 00 00  nop
+  1020:   a0 02 00 09  add     %o0, %o1, %l0
+  1024:   d4 20 40 00  st      %o2, [%g1]
+  1028:   d4 4e 00 16  ldsb    [%i0+%l6], %o2

data/test/data/assembly/sparc64.s ADDED Viewed

@@ -0,0 +1,5 @@
+# These tests are fetched from Capstone's test_sparc.c
+  1000:   81 a8 0a 24  fcmps %f0, %f4
+  1004:   89 a0 10 20  fstox %f0, %f4
+  1008:   89 a0 1a 60  fqtoi %f0, %f4
+  100c:   89 a0 00 e0  fnegq %f0, %f4

data/test/data/assembly/thumb.s ADDED Viewed

@@ -0,0 +1,37 @@
+# These tests are fetched from Capstone's test_arm.c
+# Thumb
+# PC-relative instructions are buggy in Capstone3, two lines are commented.
+  80001000:   60 f9 1f 04  vld3.8  {d16, d17, d18}, [r0:0x40]
+  80001004:   e0 f9 4f 07  vld4.16 {d16[1], d17[1], d18[1], d19[1]}, [r0]
+  80001008:   70 47        bx      lr
+  ; 8000100a:   00 f0 10 e8 blx     #0x8000102c
+  8000100a:   eb 46        mov     fp, sp
+  8000100c:   83 b0        sub     sp, #0xc
+  8000100e:   c9 68        ldr     r1, [r1, #0xc]
+  ; 80001010:   1f b1        cbz     r7, #0x8000101e
+  80001010:   30 bf        wfi
+  80001012:   af f3 20 84  cpsie.w f
+  80001016:   52 f8 23 f0  ldr.w   pc, [r2, r3, lsl #2]
+# Thumb-mixed
+  80001000:   d1 e8 00 f0  tbb   [r1, r0]
+  80001004:   f0 24        movs  r4, #0xf0
+  80001006:   04 07        lsls  r4, r0, #0x1c
+  80001008:   1f 3c        subs  r4, #0x1f
+  8000100a:   f2 c0        stm   r0!, {r1, r4, r5, r6, r7}
+  8000100c:   00 00        movs  r0, r0
+  8000100e:   4f f0 00 01  mov.w r1, #0
+  80001012:   46 6c        ldr   r6, [r0, #0x44]
+# Thumb-2 & register named with numbers
+# An `iteet` instruction is removed to make the `it` instruction valid
+  80001000:   4f f0 00 01  mov.w     r1, #0
+  80001004:   bd e8 00 88  pop.w     {fp, pc}
+  80001008:   d1 e8 00 f0  tbb       [r1, r0]
+  8000100c:   18 bf        it        ne
+  ; 8000100e:   ad bf        iteet     ge
+  8000100e:   f3 ff 0b 0c  vdupne.8  d16, d11[1]
+  80001012:   86 f3 00 89  msr       cpsr_fc, r6
+  80001016:   80 f3 00 8c  msr       apsr_nzcvqg, r0
+  8000101a:   4f fa 99 f6  sxtb.w    r6, sb, ror #8
+  8000101e:   d0 ff a2 01  vaddw.u16 q8, q8, d18

data/test/data/echo.rb ADDED Viewed

@@ -0,0 +1,16 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+require 'socket'
+server = TCPServer.open('127.0.0.1', 0)
+$stdout.puts "Start with port #{server.addr[1]}"
+$stdout.flush
+client = server.accept
+s = client.gets
+client.puts(s)
+client.close
+$stdout.puts 'Bye!'

data/test/data/elfs/Makefile ADDED Viewed

@@ -0,0 +1,24 @@
+source=source.cpp
+FLAGS=
+PIE_FLAGS=-pie
+NOPIE_FLAGS=-no-pie
+FULL_RELRO_FLAGS=-Wl,-z,relro,-z,now
+PARTIAL_RELRO_FLAGS=-Wl,-z,relro
+NO_RELRO_FLAGS=-Wl,-z,norelro
+STATIC_FLAGS=-static
+TARGETS=amd64 i386
+.PHONY: clean
+all: ${TARGETS}
+amd64: ${source}
+	g++ -m64 ${source} -o amd64.frelro.elf ${FLAGS} ${FULL_RELRO_FLAGS} ${NOPIE_FLAGS}
+	g++ -m64 ${source} -o amd64.frelro.pie.elf ${FLAGS} ${FULL_RELRO_FLAGS} ${PIE_FLAGS}
+	g++ -m64 ${source} -o amd64.prelro.elf ${FLAGS} ${PARTIAL_RELRO_FLAGS} ${NOPIE_FLAGS}
+	g++ -m64 ${source} -o amd64.nrelro.elf ${FLAGS} ${NO_RELRO_FLAGS} ${NOPIE_FLAGS}
+	g++ -m64 ${source} -o amd64.static.elf ${FLAGS} ${STATIC_FLAGS} ${NOPIE_FLAGS}
+i386: ${source}
+	g++ -m32 ${source} -o i386.prelro.elf ${FLAGS} ${PARTIAL_RELRO_FLAGS} ${NOPIE_FLAGS}
+	g++ -m32 ${source} -o i386.frelro.pie.elf ${FLAGS} ${FULL_RELRO_FLAGS} ${PIE_FLAGS}
+clean:
+	rm -f *.elf

data/test/data/elfs/amd64.frelro.elf ADDED Viewed

Binary file

data/test/data/elfs/amd64.frelro.pie.elf ADDED Viewed

Binary file

data/test/data/elfs/amd64.nrelro.elf ADDED Viewed

Binary file

data/test/data/elfs/amd64.prelro.elf ADDED Viewed

Binary file

data/test/data/elfs/amd64.static.elf ADDED Viewed

Binary file

data/test/data/elfs/i386.frelro.pie.elf ADDED Viewed

Binary file

data/test/data/elfs/i386.prelro.elf ADDED Viewed

Binary file

data/test/data/elfs/source.cpp ADDED Viewed

@@ -0,0 +1,19 @@
+#include <stdio.h>
+#include <stdlib.h>
+char s[101];
+void func() {
+  static int test = 0;
+  test++;
+  puts("In func:");
+  printf("test = %d\n", test);
+}
+int main() {
+  fgets(s, 100, stdin);
+  printf("%s", s);
+  int n;
+  scanf("%d", &n);
+  while(n--) {
+    func();
+  }
+  return 0;
+}

data/test/data/flag ADDED Viewed

	@@ -0,0 +1 @@
1	+ flag{pwntools_ruby}

data/test/data/lib32/ld.so.2 ADDED Viewed

Binary file

data/test/data/lib32/libc.so.6 ADDED Viewed

Binary file

data/test/data/lib64/ld.so.2 ADDED Viewed

Binary file

data/test/data/lib64/libc.so.6 ADDED Viewed

Binary file

data/test/dynelf_test.rb CHANGED Viewed

@@ -1,47 +1,84 @@
 # encoding: ASCII-8BIT
+# frozen_string_literal: true
 require 'open3'
 require 'tty-platform'
 require 'test_helper'
+require 'pwnlib/context'
 require 'pwnlib/dynelf'
+require 'pwnlib/elf/elf'
 class DynELFTest < MiniTest::Test
-  def test_lookup
-    skip 'Only tested on linux' unless TTY::Platform.new.linux?
+  include ::Pwnlib
+  include ::Pwnlib::Context
+  include ::Pwnlib::ELF
+  def setup
+    linux_only
+  end
+  # popen victim with specific libc.so.6
+  def popen_victim(b)
+    lib_path = File.expand_path("data/lib#{b}/", __dir__)
+    libc_path = File.expand_path('libc.so.6', lib_path)
+    ld_path = File.expand_path('ld.so.2', lib_path)
+    victim_path = File.expand_path("data/victim#{b}", __dir__)
+    Open3.popen2("#{ld_path} --library-path #{lib_path} #{victim_path}") do |i, o, t|
+      main_ra = Integer(o.readline)
+      mem = open("/proc/#{t.pid}/mem", 'rb')
+      d = DynELF.new(main_ra) do |addr|
+        mem.seek(addr)
+        mem.getc
+      end
+      yield d, { libc: libc_path, main_ra: main_ra, pid: t.pid }
+      mem.close
+      i.write('bye')
+    end
+  end
+  def test_find_base
     [32, 64].each do |b|
-      # TODO(hh): Use process instead of popen2
-      Open3.popen2(File.expand_path("../data/victim#{b}", __FILE__)) do |i, o, t|
-        main_ra = Integer(o.readline)
-        libc_path = nil
-        IO.readlines("/proc/#{t.pid}/maps").map(&:split).each do |s|
+      popen_victim(b) do |d, options|
+        main_ra = options[:main_ra]
+        realbase = nil
+        IO.readlines("/proc/#{options[:pid]}/maps").map(&:split).each do |s|
           st, ed = s[0].split('-').map { |x| x.to_i(16) }
           next unless main_ra.between?(st, ed)
-          libc_path = s[-1]
+          realbase = st
           break
         end
-        refute_nil(libc_path)
-        # TODO(hh): Use ELF instead of objdump
-        # Methods in libc might have multi-versions, so we record and check if
-        # we can find one of them.
-        h = Hash.new { |hsh, key| hsh[key] = [] }
-        symbols = `objdump -T #{libc_path}`.lines.map(&:split).select { |a| a[2] == 'DF' }
-        symbols.map { |a| h[a[-1]] << a[0].to_i(16) }
-        mem = open("/proc/#{t.pid}/mem", 'rb')
-        d = ::Pwnlib::DynELF.new(main_ra) do |addr|
-          mem.seek(addr)
-          mem.getc
-        end
+        refute_nil(realbase)
+        assert_equal(realbase, d.libbase)
+      end
+    end
+  end
+  def test_lookup
+    [32, 64].each do |b|
+      popen_victim(b) do |d, options|
         assert_nil(d.lookup('pipi_hao_wei!'))
-        h.each do |sym, off|
-          assert_includes(off, d.lookup(sym) - d.libbase)
+        elf = ELF.new(options[:libc], checksec: false)
+        %i(system open read write execve printf puts sprintf mmap mprotect).each do |sym|
+          assert_equal(d.libbase + elf.symbols[sym], d.lookup(sym))
         end
+      end
+    end
+  end
-        i.write('bye')
+  def test_build_id
+    [
+      [32, 'ac333186c6b532511a68d16aca4c61422eb772da', 'i386'],
+      [64, '088a6e00a1814622219f346b41e775b8dd46c518', 'amd64']
+    ].each do |b, answer, arch|
+      context.local(arch: arch) do
+        popen_victim(b) { |d| assert_equal(answer, d.build_id) }
       end
     end
   end

data/test/elf/elf_test.rb ADDED Viewed

@@ -0,0 +1,147 @@
+# encoding: ASCII-8BIT
+# frozen_string_literal: true
+require 'test_helper'
+require 'pwnlib/context'
+require 'pwnlib/elf/elf'
+require 'pwnlib/logger'
+class ELFTest < MiniTest::Test
+  include ::Pwnlib::Context
+  def setup
+    @path_of = ->(file) { File.join(__dir__, '..', 'data', 'elfs', file) }
+    @elf = to_elf_silent('i386.prelro.elf')
+  end
+  def to_elf_silent(filename)
+    log_null { ::Pwnlib::ELF::ELF.new(@path_of.call(filename), checksec: false) }
+  end
+  # check stdout when loaded
+  def test_load
+    file = @path_of.call('amd64.prelro.elf')
+    assert_output(<<-EOS) { log_stdout { ::Pwnlib::ELF::ELF.new(file) } }
+[INFO] #{File.realpath(file).inspect}
+    RELRO:    Partial RELRO
+    Stack:    Canary found
+    NX:       NX enabled
+    PIE:      No PIE (0x400000)
+    EOS
+    file = @path_of.call('amd64.frelro.elf')
+    assert_output(<<-EOS) { log_stdout { ::Pwnlib::ELF::ELF.new(file) } }
+[WARN] No REL.PLT section found, PLT not loaded
+[INFO] #{File.realpath(file).inspect}
+    RELRO:    Full RELRO
+    Stack:    Canary found
+    NX:       NX enabled
+    PIE:      No PIE (0x400000)
+    EOS
+  end
+  def test_checksec
+    assert_equal(<<-EOS.strip, @elf.checksec)
+RELRO:    Partial RELRO
+Stack:    Canary found
+NX:       NX enabled
+PIE:      No PIE (0x8048000)
+    EOS
+    nrelro_elf = to_elf_silent('amd64.nrelro.elf')
+    assert_equal(<<-EOS.strip, nrelro_elf.checksec)
+RELRO:    No RELRO
+Stack:    Canary found
+NX:       NX enabled
+PIE:      No PIE (0x400000)
+    EOS
+    frelro_elf = to_elf_silent('amd64.frelro.elf')
+    assert_equal(<<-EOS.strip, frelro_elf.checksec)
+RELRO:    Full RELRO
+Stack:    Canary found
+NX:       NX enabled
+PIE:      No PIE (0x400000)
+    EOS
+  end
+  def test_inspect
+    assert_match(/#<Pwnlib::ELF::ELF:0x[0-9a-f]+>/, @elf.inspect)
+  end
+  def test_got
+    assert_same(8, @elf.got.to_h.size)
+    assert_same(0x8049ff8, @elf.got['__gmon_start__'])
+    assert_same(0x8049ff8, @elf.got[:__gmon_start__])
+    assert_same(0x804a000, @elf.symbols['_GLOBAL_OFFSET_TABLE_'])
+    assert_same(0x804856d, @elf.symbols['main'])
+    assert_same(@elf.symbols.main, @elf.symbols[:main])
+  end
+  def test_plt
+    assert_same(6, @elf.plt.to_h.size)
+    assert_same(0x80483b0, @elf.plt.printf)
+    assert_same(0x80483f0, @elf.plt[:scanf])
+    elf = to_elf_silent('amd64.frelro.pie.elf')
+    assert_nil(elf.plt)
+  end
+  def test_address
+    old_address = @elf.address
+    assert_equal(0x8048000, @elf.address)
+    old_main = @elf.symbols.main
+    new_address = 0x12340000
+    @elf.address = new_address
+    assert_equal(old_main - old_address + new_address, @elf.symbols.main)
+    elf = to_elf_silent('i386.frelro.pie.elf')
+    assert_equal(0, elf.address)
+    assert_same(0x6c2, elf.symbols.main)
+    elf.address = 0xdeadbeef0000
+    # use 'equal' instead of 'same' because their +object_id+ are different on Windows.
+    assert_equal(0xdeadbeef06c2, elf.symbols.main)
+  end
+  def test_static
+    elf = to_elf_silent('amd64.static.elf')
+    assert_equal(<<-EOS.strip, elf.checksec)
+RELRO:    Partial RELRO
+Stack:    Canary found
+NX:       NX enabled
+PIE:      No PIE (0x400000)
+    EOS
+  end
+  def test_search
+    elf = ::Pwnlib::ELF::ELF.new(File.join(__dir__, '..', 'data', 'lib32', 'libc.so.6'), checksec: false)
+    assert_equal([0x1, 0x15e613], elf.search('ELF').to_a)
+    assert_equal(0x15900b, elf.find('/bin/sh').next)
+    result = elf.find(/E.F/)
+    assert_equal(0x1, result.next)
+    assert_equal(0xc8efa, result.next)
+    assert_equal(0xc9118, result.next)
+    assert_equal(0x158284, result.next)
+    assert_equal(0x158285, result.next)
+    elf.address = 0x1234000
+    assert_equal([0x1234001, 0x1392613], elf.search('ELF').to_a)
+    assert_equal(0x138d00b, elf.find('/bin/sh').next)
+  end
+  def test_one_gadgets
+    libc = ::Pwnlib::ELF::ELF.new(File.join(__dir__, '..', 'data', 'lib64', 'libc.so.6'), checksec: false)
+    # Well.. one_gadget(s) may change in the future, so we just check the return type
+    val = libc.one_gadgets.first
+    assert(val.is_a?(Integer))
+    assert_equal(libc.one_gadgets[0], val)
+    assert_equal(libc.one_gadgets[-1], libc.one_gadgets.last)
+    libc.address = 0xdeadf000
+    assert_equal(0xdeadf000 + val, libc.one_gadgets[0])
+    assert_output(/execve/) { log_stdout { context.local(log_level: :debug) { libc.one_gadgets[0] } } }
+  end
+end