pwntools 0.1.0

data/lib/pwnlib/context.rb

@@ -0,0 +1,220 @@
+# encoding: ASCII-8BIT
+
+require 'logger'
+
+# TODO(Darkpi): Check if there should be special care for threading.
+
+module Pwnlib
+  # Context module, store some platform-dependent informations.
+  module Context
+    # The type for context. User should never need to initialize one by themself.
+    class ContextType
+      DEFAULT = {
+        arch: 'i386',
+        bits: 32,
+        endian: 'little',
+        log_level: Logger::INFO,
+        newline: "\n",
+        os: 'linux',
+        signed: false,
+        timeout: Float::INFINITY
+      }.freeze
+
+      OSES = %w(linux freebsd windows).sort
+
+      BIG_32    = { endian: 'big', bits: 32 }.freeze
+      BIG_64    = { endian: 'big', bits: 64 }.freeze
+      LITTLE_8  = { endian: 'little', bits: 8 }.freeze
+      LITTLE_16 = { endian: 'little', bits: 16 }.freeze
+      LITTLE_32 = { endian: 'little', bits: 32 }.freeze
+      LITTLE_64 = { endian: 'little', bits: 64 }.freeze
+
+      class << self
+        def longest(d)
+          Hash[d.sort_by { |k, _v| k.size }.reverse]
+        end
+        private :longest
+      end
+
+      ARCHS = longest(
+        'aarch64' => LITTLE_64,
+        'alpha' => LITTLE_64,
+        'avr' => LITTLE_8,
+        'amd64' => LITTLE_64,
+        'arm' => LITTLE_32,
+        'cris' => LITTLE_32,
+        'i386' => LITTLE_32,
+        'ia64' => BIG_64,
+        'm68k' => BIG_32,
+        'mips' => LITTLE_32,
+        'mips64' => LITTLE_64,
+        'msp430' => LITTLE_16,
+        'powerpc' => BIG_32,
+        'powerpc64' => BIG_64,
+        's390' => BIG_32,
+        'sparc' => BIG_32,
+        'sparc64' => BIG_64,
+        'thumb' => LITTLE_32,
+        'vax' => LITTLE_32
+      )
+
+      ENDIANNESSES = longest(
+        'be' => 'big',
+        'eb' => 'big',
+        'big' => 'big',
+        'le' => 'little',
+        'el' => 'little',
+        'little' => 'little'
+      )
+
+      SIGNEDNESSES = {
+        'unsigned' => false,
+        'no' => false,
+        'yes' => true,
+        'signed' => true
+      }.freeze
+
+      VALID_SIGNED = SIGNEDNESSES.keys
+
+      # XXX(Darkpi): Should we just hard-coded all levels here,
+      # or should we use Logger#const_defined?
+      # (This would include constant SEV_LEVEL, and exclude UNKNOWN)?
+      LOG_LEVELS = %w(DEBUG INFO WARN ERROR FATAL UNKNOWN).freeze
+
+      def initialize(**kwargs)
+        @attrs = DEFAULT.dup
+        update(**kwargs)
+      end
+
+      def update(**kwargs)
+        kwargs.each do |k, v|
+          next if v.nil?
+          public_send("#{k}=", v)
+        end
+        self
+      end
+
+      alias [] update
+      alias call update
+
+      def to_s
+        vals = @attrs.map { |k, v| "#{k} = #{v.inspect}" }
+        "#{self.class}(#{vals.join(', ')})"
+      end
+
+      # This would return what the block return.
+      def local(**kwargs)
+        raise ArgumentError, "Need a block for #{self.class}##{__callee__}" unless block_given?
+        # XXX(Darkpi): improve performance for this if this is too slow, since we use this in many
+        #              places that has argument endian / signed / ...
+        old_attrs = @attrs.dup
+        begin
+          update(**kwargs)
+          yield
+        ensure
+          @attrs = old_attrs
+        end
+      end
+
+      def clear
+        @attrs = DEFAULT.dup
+      end
+
+      # Getters here.
+      DEFAULT.each_key do |k|
+        define_method(k) { @attrs[k] }
+      end
+
+      def newline=(newline)
+        @attrs[:newline] = newline
+      end
+
+      # TODO(Darkpi): Timeout module.
+      def timeout=(timeout)
+        @attrs[:timeout] = timeout
+      end
+
+      # Difference from Python pwntools:
+      # We always change +bits+ and +endian+ field whether user have already changed them.
+      def arch=(arch)
+        arch = arch.downcase.gsub(/[[:punct:]]/, '')
+        defaults = ARCHS[arch]
+        raise ArgumentError, "arch must be one of #{ARCHS.keys.sort.inspect}" unless defaults
+        defaults.each { |k, v| @attrs[k] = v }
+        @attrs[:arch] = arch
+      end
+
+      def bits=(bits)
+        raise ArgumentError, "bits must be > 0 (#{bits} given)" unless bits > 0
+        @attrs[:bits] = bits
+      end
+
+      def bytes
+        bits / 8
+      end
+
+      def bytes=(bytes)
+        self.bits = bytes * 8
+      end
+
+      def endian=(endian)
+        endian = ENDIANNESSES[endian.downcase]
+        raise ArgumentError, "endian must be one of #{ENDIANNESSES.sort.inspect}" if endian.nil?
+        @attrs[:endian] = endian
+      end
+
+      def log_level=(value)
+        log_level = nil
+        case value
+        when String
+          value = value.upcase
+          log_level = Logger.const_get(value) if LOG_LEVELS.include?(value)
+        when Integer
+          log_level = value
+        end
+        raise ArgumentError, "log_level must be an integer or one of #{LOG_LEVELS.inspect}" unless log_level
+        @attrs[:log_level] = log_level
+      end
+
+      def os=(os)
+        os = os.downcase
+        raise ArgumentError, "os must be one of #{OSES.sort.inspect}" unless OSES.include?(os)
+        @attrs[:os] = os
+      end
+
+      def signed=(value)
+        signed = nil
+        case value
+        when String
+          signed = SIGNEDNESSES[value.downcase]
+        when true, false
+          signed = value
+        end
+        if signed.nil?
+          raise ArgumentError, "signed must be boolean or one of #{SIGNEDNESSES.keys.sort.inspect}"
+        end
+        @attrs[:signed] = signed
+      end
+
+      # TODO(Darkpi): #binary when we can read ELF.
+    end
+
+    @context = ContextType.new
+
+    class << self
+      attr_reader :context
+    end
+
+    # For include.
+    # @!visibility private
+    def context
+      ::Pwnlib::Context.context
+    end
+
+    # @!visibility private
+    def self.included(base)
+      # XXX(Darkpi): Should we do this?
+      base.__send__(:private, :context)
+    end
+  end
+end

data/lib/pwnlib/dynelf.rb

@@ -0,0 +1,110 @@
+# encoding: ASCII-8BIT
+
+require 'pwnlib/context'
+require 'pwnlib/memleak'
+require 'pwnlib/util/packing'
+
+# TODO(hh): Use ELF datatype instead of magic offset
+
+module Pwnlib
+  # DynELF class, resolve symbols in loaded, dynamically-linked ELF binaries.
+  # Given a function which can leak data at an arbitrary address,
+  # any symbol in any loaded library can be resolved.
+  class DynELF
+    PT_DYNAMIC = 2
+    DT_GNU_HASH = 0x6ffffef5
+    DT_HASH = 4
+    DT_STRTAB = 5
+    DT_SYMTAB = 6
+
+    attr_reader :libbase
+
+    def initialize(addr, &block)
+      @leak = ::Pwnlib::MemLeak.new(&block)
+      @libbase = @leak.find_elf_base(addr)
+      @elfclass = { "\x01" => 32, "\x02" => 64 }[@leak.b(@libbase + 4)]
+      @elfword = @elfclass / 8
+      @unp = ->(x) { Util::Packing.public_send({ 32 => :u32, 64 => :u64 }[@elfclass], x) }
+      @dynamic = find_dynamic
+      @hshtab = @strtab = @symtab = nil
+    end
+
+    def lookup(symb)
+      @hshtab ||= find_dt(DT_GNU_HASH)
+      @strtab ||= find_dt(DT_STRTAB)
+      @symtab ||= find_dt(DT_SYMTAB)
+      resolve_symbol_gnu(symb)
+    end
+
+    private
+
+    # Function used to generated GNU-style hashes for strings.
+    def gnu_hash(s)
+      s.bytes.reduce(5381) { |acc, elem| (acc * 33 + elem) & 0xffffffff }
+    end
+
+    def find_dynamic
+      e_phoff_offset = { 32 => 28, 64 => 32 }[@elfclass]
+      e_phoff = @libbase + @unp.call(@leak.n(@libbase + e_phoff_offset, @elfword))
+      phdr_size = { 32 => 32, 64 => 56 }[@elfclass]
+      loop do
+        ptype = @leak.d(e_phoff)
+        break if ptype == PT_DYNAMIC
+        e_phoff += phdr_size
+      end
+      offset = { 32 => 8, 64 => 16 }[@elfclass]
+      dyn = @unp.call(@leak.n(e_phoff + offset, @elfword))
+      # Sometimes this is an offset instead of an address
+      dyn += @libbase if (0...0x400000).cover?(dyn)
+      dyn
+    end
+
+    def find_dt(tag)
+      dyn_size = @elfword * 2
+      ptr = @dynamic
+      loop do
+        tmp = @leak.n(ptr, @elfword * 2)
+        d_tag = @unp.call(tmp[0, @elfword])
+        d_addr = @unp.call(tmp[@elfword, @elfword])
+        break if d_tag.zero?
+        return d_addr if tag == d_tag
+        ptr += dyn_size
+      end
+      nil
+    end
+
+    def resolve_symbol_gnu(symb)
+      sym_size = { 32 => 16, 64 => 24 }[@elfclass]
+      # Leak GNU_HASH section header
+      nbuckets = @leak.d(@hshtab)
+      symndx = @leak.d(@hshtab + 4)
+      maskwords = @leak.d(@hshtab + 8)
+
+      l_gnu_buckets = @hshtab + 16 + (@elfword * maskwords)
+      l_gnu_chain_zero = l_gnu_buckets + (4 * nbuckets) - (4 * symndx)
+
+      hsh = gnu_hash(symb)
+      bucket = hsh % nbuckets
+
+      i = @leak.d(l_gnu_buckets + bucket * 4)
+      return nil if i.zero?
+
+      hsh2 = 0
+      while (hsh2 & 1).zero?
+        hsh2 = @leak.d(l_gnu_chain_zero + i * 4)
+        if ((hsh ^ hsh2) >> 1).zero?
+          sym = @symtab + sym_size * i
+          st_name = @leak.d(sym)
+          name = @leak.n(@strtab + st_name, symb.length + 1)
+          if name == (symb + "\x00")
+            offset = { 32 => 4, 64 => 8 }[@elfclass]
+            st_value = @unp.call(@leak.n(sym + offset, @elfword))
+            return @libbase + st_value
+          end
+        end
+        i += 1
+      end
+      nil
+    end
+  end
+end

data/lib/pwnlib/ext/array.rb

@@ -0,0 +1,21 @@
+# encoding: ASCII-8BIT
+
+require 'pwnlib/ext/helper'
+require 'pwnlib/util/fiddling'
+require 'pwnlib/util/packing'
+
+module Pwnlib
+  module Ext
+    module Array
+      # Methods to be mixed into Array.
+      module InstanceMethods
+        extend ::Pwnlib::Ext::Helper
+
+        def_proxy_method ::Pwnlib::Util::Packing, %w(flat)
+        def_proxy_method ::Pwnlib::Util::Fiddling, %w(unbits)
+      end
+    end
+  end
+end
+
+::Array.public_send(:include, ::Pwnlib::Ext::Array::InstanceMethods)

data/lib/pwnlib/ext/helper.rb

@@ -0,0 +1,21 @@
+# encoding: ASCII-8BIT
+
+module Pwnlib
+  module Ext
+    # Helper methods for defining extension
+    module Helper
+      def def_proxy_method(mod, *ms, **m2)
+        ms.flatten
+          .map { |x| [x, x] }
+          .concat(m2.to_a)
+          .each do |method, proxy_to|
+            class_eval <<-EOS
+            def #{method}(*args, &block)
+            #{mod}.#{proxy_to}(self, *args, &block)
+            end
+            EOS
+          end
+      end
+    end
+  end
+end

data/lib/pwnlib/ext/integer.rb

@@ -0,0 +1,21 @@
+# encoding: ASCII-8BIT
+
+require 'pwnlib/ext/helper'
+require 'pwnlib/util/packing'
+
+module Pwnlib
+  module Ext
+    module Integer
+      # Methods to be mixed into Integer.
+      module InstanceMethods
+        extend ::Pwnlib::Ext::Helper
+
+        def_proxy_method ::Pwnlib::Util::Packing, %w(pack p8 p16 p32 p64)
+        def_proxy_method ::Pwnlib::Util::Fiddling, %w(bits bits_str), bitswap: 'bitswap_int'
+        def_proxy_method ::Pwnlib::Util::Fiddling, %w(hex)
+      end
+    end
+  end
+end
+
+::Integer.public_send(:include, ::Pwnlib::Ext::Integer::InstanceMethods)

data/lib/pwnlib/ext/string.rb

@@ -0,0 +1,23 @@
+# encoding: ASCII-8BIT
+
+require 'pwnlib/ext/helper'
+require 'pwnlib/util/fiddling'
+require 'pwnlib/util/packing'
+
+module Pwnlib
+  module Ext
+    module String
+      # Methods to be mixed into String.
+      module InstanceMethods
+        extend ::Pwnlib::Ext::Helper
+
+        def_proxy_method ::Pwnlib::Util::Packing, %w(unpack unpack_many u8 u16 u32 u64)
+        def_proxy_method ::Pwnlib::Util::Fiddling, %w(
+          enhex unhex urlencode urldecode bits bits_str unbits bitswap b64e b64d
+        )
+      end
+    end
+  end
+end
+
+::String.public_send(:include, ::Pwnlib::Ext::String::InstanceMethods)

data/lib/pwnlib/memleak.rb

@@ -0,0 +1,61 @@
+# encoding: ASCII-8BIT
+
+require 'pwnlib/util/packing'
+
+module Pwnlib
+  # MemLeak is a caching and heuristic tool for exploiting memory leaks.
+  class MemLeak
+    PAGE_SIZE = 0x1000
+    PAGE_MASK = ~(PAGE_SIZE - 1)
+
+    def initialize(&block)
+      @leak = block
+      @base = nil
+      @cache = {}
+    end
+
+    def find_elf_base(ptr)
+      ptr &= PAGE_MASK
+      loop do
+        return @base = ptr if n(ptr, 4) == "\x7fELF"
+        ptr -= PAGE_SIZE
+      end
+    end
+
+    # Call the leaker function on address `addr`.
+    # Store the result to @cache
+    def do_leak(addr)
+      unless @cache.key?(addr)
+        data = @leak.call(addr)
+        data.bytes.each.with_index(addr) { |b, i| @cache[i] = b }
+      end
+      @cache[addr]
+    end
+
+    # Leak `numb` bytes at `addr`.
+    # Returns a string with the leaked bytes.
+    def n(addr, numb)
+      (0...numb).map { |i| do_leak(addr + i) }.pack('C*')
+    end
+
+    # Leak byte at ``((uint8_t*) addr)[ndx]``
+    def b(addr)
+      n(addr, 1)
+    end
+
+    # Leak word at ``((uint16_t*) addr)[ndx]``
+    def w(addr)
+      Util::Packing.u16(n(addr, 2))
+    end
+
+    # Leak dword at ``((uint32_t*) addr)[ndx]``
+    def d(addr)
+      Util::Packing.u32(n(addr, 4))
+    end
+
+    # Leak qword at ``((uint64_t*) addr)[ndx]``
+    def q(addr)
+      Util::Packing.u64(n(addr, 8))
+    end
+  end
+end