pwntools 0.1.0 → 1.2.1

data/lib/pwnlib/dynelf.rb

@@ -1,60 +1,130 @@
 # encoding: ASCII-8BIT
+# frozen_string_literal: true
+
+require 'elftools'
 
 require 'pwnlib/context'
 require 'pwnlib/memleak'
 require 'pwnlib/util/packing'
 
-# TODO(hh): Use ELF datatype instead of magic offset
-
 module Pwnlib
   # DynELF class, resolve symbols in loaded, dynamically-linked ELF binaries.
-  # Given a function which can leak data at an arbitrary address,
-  # any symbol in any loaded library can be resolved.
+  # Given a function which can leak data at an arbitrary address, any symbol in any loaded library can be resolved.
   class DynELF
-    PT_DYNAMIC = 2
-    DT_GNU_HASH = 0x6ffffef5
-    DT_HASH = 4
-    DT_STRTAB = 5
-    DT_SYMTAB = 6
-
-    attr_reader :libbase
+    attr_reader :libbase # @return [Integer] Base of lib.
 
+    # Instantiate a {Pwnlib::DynELF} object.
+    #
+    # @param [Integer] addr
+    #   An address known to be inside the ELF.
+    #
+    # @yieldparam [Integer] leak_addr
+    #   The start address that the leaker should leak from.
+    #
+    # @yieldreturn [String]
+    #   A leaked non-empty byte string, starting from +leak_addr+.
     def initialize(addr, &block)
       @leak = ::Pwnlib::MemLeak.new(&block)
-      @libbase = @leak.find_elf_base(addr)
-      @elfclass = { "\x01" => 32, "\x02" => 64 }[@leak.b(@libbase + 4)]
+      @libbase = find_base(addr)
+      @elfclass = { 0x1 => 32, 0x2 => 64 }[@leak.b(@libbase + 4)]
       @elfword = @elfclass / 8
-      @unp = ->(x) { Util::Packing.public_send({ 32 => :u32, 64 => :u64 }[@elfclass], x) }
       @dynamic = find_dynamic
       @hshtab = @strtab = @symtab = nil
     end
 
-    def lookup(symb)
-      @hshtab ||= find_dt(DT_GNU_HASH)
-      @strtab ||= find_dt(DT_STRTAB)
-      @symtab ||= find_dt(DT_SYMTAB)
-      resolve_symbol_gnu(symb)
+    # Lookup a symbol from the ELF.
+    #
+    # @param [String] symbol
+    #   The symbol name.
+    #
+    # @return [Integer, nil]
+    #   The address of the symbol, or +nil+ if not found.
+    def lookup(symbol)
+      symbol = symbol.to_s
+      sym_size = { 32 => 16, 64 => 24 }[@elfclass]
+      # Leak GNU_HASH section header.
+      nbuckets = @leak.d(hshtab)
+      symndx = @leak.d(hshtab + 4)
+      maskwords = @leak.d(hshtab + 8)
+
+      l_gnu_buckets = hshtab + 16 + (@elfword * maskwords)
+      l_gnu_chain_zero = l_gnu_buckets + (4 * nbuckets) - (4 * symndx)
+
+      hsh = gnu_hash(symbol)
+      bucket = hsh % nbuckets
+
+      i = @leak.d(l_gnu_buckets + bucket * 4)
+      return nil if i.zero?
+
+      hsh2 = 0
+      while (hsh2 & 1).zero?
+        hsh2 = @leak.d(l_gnu_chain_zero + i * 4)
+        if ((hsh ^ hsh2) >> 1).zero?
+          sym = symtab + sym_size * i
+          st_name = @leak.d(sym)
+          name = @leak.n(strtab + st_name, symbol.length + 1)
+          if name == ("#{symbol}\x00")
+            offset = { 32 => 4, 64 => 8 }[@elfclass]
+            st_value = unpack(@leak.n(sym + offset, @elfword))
+            return @libbase + st_value
+          end
+        end
+        i += 1
+      end
+      nil
+    end
+
+    # Leak the BuildID of the remote libc.so.
+    #
+    # @return [String?]
+    #   Return BuildID in hex format or +nil+.
+    def build_id
+      build_id_offsets.each do |offset|
+        next unless @leak.n(@libbase + offset + 12, 4) == "GNU\x00"
+
+        return @leak.n(@libbase + offset + 16, 20).unpack1('H*')
+      end
+      nil
     end
 
     private
 
+    PAGE_SIZE = 0x1000
+    PAGE_MASK = ~(PAGE_SIZE - 1)
+
+    def unpack(x)
+      Util::Packing.public_send({ 32 => :u32, 64 => :u64 }[@elfclass], x)
+    end
+
     # Function used to generated GNU-style hashes for strings.
     def gnu_hash(s)
       s.bytes.reduce(5381) { |acc, elem| (acc * 33 + elem) & 0xffffffff }
     end
 
+    # Get the base address of the ELF, based on heuristic of finding ELF header.
+    # A known address in ELF should be given.
+    def find_base(ptr)
+      ptr &= PAGE_MASK
+      loop do
+        return @base = ptr if @leak.n(ptr, 4) == "\x7fELF"
+
+        ptr -= PAGE_SIZE
+      end
+    end
+
     def find_dynamic
       e_phoff_offset = { 32 => 28, 64 => 32 }[@elfclass]
-      e_phoff = @libbase + @unp.call(@leak.n(@libbase + e_phoff_offset, @elfword))
+      e_phoff = @libbase + unpack(@leak.n(@libbase + e_phoff_offset, @elfword))
       phdr_size = { 32 => 32, 64 => 56 }[@elfclass]
       loop do
         ptype = @leak.d(e_phoff)
-        break if ptype == PT_DYNAMIC
+        break if ptype == ELFTools::Constants::PT::PT_DYNAMIC
+
         e_phoff += phdr_size
       end
       offset = { 32 => 8, 64 => 16 }[@elfclass]
-      dyn = @unp.call(@leak.n(e_phoff + offset, @elfword))
-      # Sometimes this is an offset instead of an address
+      dyn = unpack(@leak.n(e_phoff + offset, @elfword))
+      # Sometimes this is an offset instead of an address.
       dyn += @libbase if (0...0x400000).cover?(dyn)
       dyn
     end
@@ -64,47 +134,45 @@ module Pwnlib
       ptr = @dynamic
       loop do
         tmp = @leak.n(ptr, @elfword * 2)
-        d_tag = @unp.call(tmp[0, @elfword])
-        d_addr = @unp.call(tmp[@elfword, @elfword])
+        d_tag = unpack(tmp[0, @elfword])
+        d_addr = unpack(tmp[@elfword, @elfword])
         break if d_tag.zero?
         return d_addr if tag == d_tag
+
         ptr += dyn_size
       end
       nil
     end
 
-    def resolve_symbol_gnu(symb)
-      sym_size = { 32 => 16, 64 => 24 }[@elfclass]
-      # Leak GNU_HASH section header
-      nbuckets = @leak.d(@hshtab)
-      symndx = @leak.d(@hshtab + 4)
-      maskwords = @leak.d(@hshtab + 8)
-
-      l_gnu_buckets = @hshtab + 16 + (@elfword * maskwords)
-      l_gnu_chain_zero = l_gnu_buckets + (4 * nbuckets) - (4 * symndx)
+    def hshtab
+      @hshtab ||= find_dt(ELFTools::Constants::DT::DT_GNU_HASH)
+    end
 
-      hsh = gnu_hash(symb)
-      bucket = hsh % nbuckets
+    def strtab
+      @strtab ||= find_dt(ELFTools::Constants::DT::DT_STRTAB)
+    end
 
-      i = @leak.d(l_gnu_buckets + bucket * 4)
-      return nil if i.zero?
+    def symtab
+      @symtab ||= find_dt(ELFTools::Constants::DT::DT_SYMTAB)
+    end
 
-      hsh2 = 0
-      while (hsh2 & 1).zero?
-        hsh2 = @leak.d(l_gnu_chain_zero + i * 4)
-        if ((hsh ^ hsh2) >> 1).zero?
-          sym = @symtab + sym_size * i
-          st_name = @leak.d(sym)
-          name = @leak.n(@strtab + st_name, symb.length + 1)
-          if name == (symb + "\x00")
-            offset = { 32 => 4, 64 => 8 }[@elfclass]
-            st_value = @unp.call(@leak.n(sym + offset, @elfword))
-            return @libbase + st_value
-          end
-        end
-        i += 1
-      end
-      nil
+    # Given the corpus of almost all libc to have been released on RedHat, Fedora, Ubuntu, Debian,
+    # etc. over the past several years, there is a strong possibility the GNU Build ID section will
+    # be at one of the specified addresses.
+    def build_id_offsets
+      {
+        i386: [0x174],
+        arm: [0x174],
+        thumb: [0x174],
+        aarch64: [0x238],
+        amd64: [0x270, 0x174],
+        powerpc: [0x174],
+        powerpc64: [0x238],
+        sparc: [0x174],
+        sparc64: [0x270]
+      }[context.arch.to_sym] || []
     end
+
+    include Context
   end
 end

data/lib/pwnlib/elf/elf.rb

@@ -0,0 +1,340 @@
+# frozen_string_literal: true
+
+require 'ostruct'
+
+require 'elftools'
+require 'one_gadget/one_gadget'
+require 'rainbow'
+
+require 'pwnlib/logger'
+
+module Pwnlib
+  # ELF module includes classes for parsing an ELF file.
+  module ELF
+    # Main class for using {Pwnlib::ELF} module.
+    class ELF
+      # @return [OpenStruct] GOT symbols.
+      attr_reader :got
+
+      # @return [OpenStruct] PLT symbols.
+      attr_reader :plt
+
+      # @return [OpenStruct] All symbols.
+      attr_reader :symbols
+
+      # @return [Integer] Base address.
+      attr_reader :address
+
+      # Instantiate an {Pwnlib::ELF::ELF} object.
+      #
+      # Will show checksec information to stdout.
+      #
+      # @param [String] path
+      #   The path to the ELF file.
+      # @param [Boolean] checksec
+      #   The checksec information will be printed to stdout after ELF loaded. Pass +checksec: false+ to disable this
+      #   feature.
+      #
+      # @example
+      #   ELF.new('/lib/x86_64-linux-gnu/libc.so.6')
+      #   # RELRO:    Partial RELRO
+      #   # Stack:    No canary found
+      #   # NX:       NX enabled
+      #   # PIE:      PIE enabled
+      #   #=> #<Pwnlib::ELF::ELF:0x00559bd670dcb8>
+      def initialize(path, checksec: true)
+        @path = File.realpath(path)
+        @elf_file = ELFTools::ELFFile.new(File.open(path, 'rb'))
+        load_got
+        load_plt
+        load_symbols
+        @address = base_address
+        @load_addr = @address
+        @one_gadgets = nil
+        show_info(@path) if checksec
+      end
+
+      # Set the base address.
+      #
+      # Values in following tables will be changed simultaneously:
+      #   got
+      #   plt
+      #   symbols
+      #   one_gadgets
+      #
+      # @param [Integer] val
+      #   Address to be changed to.
+      #
+      # @return [Integer]
+      #   The new address.
+      def address=(val)
+        old = @address
+        @address = val
+        [@got, @plt, @symbols].compact.each do |tbl|
+          tbl.each_pair { |k, _| tbl[k] += val - old }
+        end
+        @one_gadgets&.map! { |off| off + val - old }
+      end
+
+      # Return the protection information, wrapper with color codes.
+      #
+      # @return [String]
+      #   The checksec information.
+      def checksec
+        [
+          'RELRO:'.ljust(10) + {
+            full: Rainbow('Full RELRO').green,
+            partial: Rainbow('Partial RELRO').yellow,
+            none: Rainbow('No RELRO').red
+          }[relro],
+          'Stack:'.ljust(10) + {
+            true => Rainbow('Canary found').green,
+            false => Rainbow('No canary found').red
+          }[canary?],
+          'NX:'.ljust(10) + {
+            true => Rainbow('NX enabled').green,
+            false => Rainbow('NX disabled').red
+          }[nx?],
+          'PIE:'.ljust(10) + {
+            true => Rainbow('PIE enabled').green,
+            false => Rainbow(format('No PIE (0x%x)', address)).red
+          }[pie?]
+        ].join("\n")
+      end
+
+      # The method used in relro.
+      #
+      # @return [:full, :partial, :none]
+      def relro
+        return :none unless @elf_file.segment_by_type(:gnu_relro)
+        return :full if dynamic_tag(:bind_now)
+
+        flags = dynamic_tag(:flags)
+        return :full if flags && (flags.value & ::ELFTools::Constants::DF_BIND_NOW) != 0
+
+        flags1 = dynamic_tag(:flags_1)
+        return :full if flags1 && (flags1.value & ::ELFTools::Constants::DF_1_NOW) != 0
+
+        :partial
+      end
+
+      # Is this ELF file has canary?
+      #
+      # Actually judged by if +__stack_chk_fail+ in got symbols.
+      #
+      # @return [Boolean] Yes or not.
+      def canary?
+        @got.respond_to?('__stack_chk_fail') || @symbols.respond_to?('__stack_chk_fail')
+      end
+
+      # Is stack executable?
+      #
+      # @return [Boolean] Yes or not.
+      def nx?
+        !@elf_file.segment_by_type(:gnu_stack).executable?
+      end
+
+      # Is this ELF file a position-independent executable?
+      #
+      # @return [Boolean] Yes or not.
+      def pie?
+        @elf_file.elf_type == 'DYN'
+      end
+
+      # There's too many objects inside, let pry not so verbose.
+      # @return [String]
+      def inspect
+        "#<Pwnlib::ELF::ELF:#{::Pwnlib::Util::Fiddling.hex(__id__)}>"
+      end
+
+      # Yields the ELF's virtual address space for the specified string or regexp.
+      # Returns an Enumerator if no block given.
+      #
+      # @param [String, Regexp] needle
+      #   The specified string to search.
+      #
+      # @return [Enumerator<Integer>]
+      #   An enumerator for offsets in ELF's virtual address space.
+      #
+      # @example
+      #   ELF.new('/bin/sh', checksec: false).find('ELF')
+      #   #=> #<Enumerator: ...>
+      #
+      #   ELF.new('/bin/sh', checksec: false).find(/E.F/).each { |i| puts i.hex }
+      #   # 0x1
+      #   # 0x11477
+      #   # 0x1c84f
+      #   # 0x1d5ee
+      #   #=> true
+      def search(needle)
+        return enum_for(:search, needle) unless block_given?
+
+        load_address_fixup = @address - @load_addr
+        stream = @elf_file.stream
+        @elf_file.each_segments do |seg|
+          addr = seg.header.p_vaddr
+          memsz = seg.header.p_memsz
+          offset = seg.header.p_offset
+
+          stream.pos = offset
+          data = stream.read(memsz).ljust(seg.header.p_filesz, "\x00")
+
+          offset = 0
+          loop do
+            offset = data.index(needle, offset)
+            break if offset.nil?
+
+            yield (addr + offset + load_address_fixup)
+            offset += 1
+          end
+        end
+        true
+      end
+      alias find search
+
+      # Returns one-gadgets of glibc.
+      #
+      # @return [Array<Integer>]
+      #   Returns array of one-gadgets, see examples.
+      #
+      # @example
+      #   ELF::ELF.new('/lib/x86_64-linux-gnu/libc.so.6').one_gadgets[0]
+      #   #=> 324293 # 0x4f2c5
+      #
+      # @example
+      #   libc = ELF::ELF.new('/lib/x86_64-linux-gnu/libc.so.6')
+      #   libc.one_gadgets[1]
+      #   #=> 324386 # 0x4f322
+      #
+      #   libc.address = 0x7fff7fff0000
+      #   libc.one_gadgets[1]
+      #   #=> 140735341130530 # 0x7fff8003f322
+      #
+      # @example
+      #   libc = ELF::ELF.new('/lib/x86_64-linux-gnu/libc.so.6')
+      #   context.log_level = :debug
+      #   libc.one_gadgets[0]
+      #   # [DEBUG] 0x4f2c5 execve("/bin/sh", rsp+0x40, environ)
+      #   # constraints:
+      #   #   rcx == NULL
+      #   #=> 324293
+      def one_gadgets
+        return @one_gadgets if @one_gadgets
+
+        gadgets = OneGadget.gadgets(file: @path, details: true, level: 1)
+        @one_gadgets = gadgets.map { |g| g.offset + address }
+        @one_gadgets.instance_variable_set(:@gadgets, gadgets)
+
+        class << @one_gadgets
+          def [](idx)
+            super.tap { log.debug(@gadgets[idx].inspect) }
+          end
+
+          def first
+            self[0]
+          end
+
+          def last
+            self[-1]
+          end
+
+          include ::Pwnlib::Logger
+        end
+
+        @one_gadgets
+      end
+
+      private
+
+      def show_info(path)
+        log.info(path.inspect)
+        log.indented(checksec, level: ::Pwnlib::Logger::INFO)
+      end
+
+      # Get the dynamic tag with +type+.
+      # @return [ELFTools::Dynamic::Tag, nil]
+      def dynamic_tag(type)
+        dynamic = @elf_file.segment_by_type(:dynamic) || @elf_file.section_by_name('.dynamic')
+        return nil if dynamic.nil? # No dynamic table presents, might be statically linked.
+
+        dynamic.tag_by_type(type)
+      end
+
+      # Load got symbols
+      def load_got
+        @got = OpenStruct.new
+        sections_by_types(%i(rel rela)).each do |rel_sec|
+          symtab = @elf_file.section_at(rel_sec.header.sh_link)
+          next unless symtab.respond_to?(:symbol_at)
+
+          rel_sec.relocations.each do |rel|
+            symbol = symtab.symbol_at(rel.symbol_index)
+            next if symbol.nil? # Unusual case.
+
+            @got[symbol.name] = rel.header.r_offset.to_i
+          end
+        end
+      end
+
+      PLT_OFFSET = 0x10 # magic offset, correct in i386/amd64.
+      # Load all plt symbols.
+      def load_plt
+        # Unlike pwntools-python, which use unicorn emulating instructions to find plt(s).
+        # Here only use section information, which won't find any plt(s) when compile option '-Wl' is enabled.
+        #
+        # The implementation here same as pwntools-python 3.5, and supports i386 and amd64 only.
+        @plt = nil
+        plt_sec = @elf_file.section_by_name('.plt')
+        return log.warn('No PLT section found, PLT not loaded') if plt_sec.nil?
+
+        rel_sec = @elf_file.section_by_name('.rel.plt') || @elf_file.section_by_name('.rela.plt')
+        return log.warn('No REL.PLT section found, PLT not loaded') if rel_sec.nil?
+
+        symtab = @elf_file.section_at(rel_sec.header.sh_link)
+        return unless symtab.respond_to?(:symbol_at) # unusual case
+
+        @plt = OpenStruct.new
+        address = plt_sec.header.sh_addr.to_i + PLT_OFFSET
+        rel_sec.relocations.each do |rel|
+          symbol = symtab.symbol_at(rel.symbol_index)
+          next if symbol.nil? # unusual case
+
+          @plt[symbol.name] = address
+          address += PLT_OFFSET
+        end
+      end
+
+      # Load all exist symbols.
+      def load_symbols
+        @symbols = OpenStruct.new
+        @elf_file.each_sections do |section|
+          next unless section.respond_to?(:symbols)
+
+          section.each_symbols do |symbol|
+            # Don't care symbols without a name.
+            next if symbol.name.empty?
+            next if symbol.header.st_value.zero?
+
+            # TODO(david942j): handle symbols with the same name.
+            @symbols[symbol.name] = symbol.header.st_value.to_i
+          end
+        end
+      end
+
+      def sections_by_types(types)
+        types.map { |type| @elf_file.sections_by_type(type) }.flatten
+      end
+
+      def base_address
+        return 0 if pie?
+
+        # Find the min of PT_LOAD's p_vaddr
+        @elf_file.segments_by_type(:load)
+                 .map { |seg| seg.header.p_vaddr }
+                 .min
+      end
+
+      include ::Pwnlib::Logger
+    end
+  end
+end