    def __init__(self, execute_fmt, offset=None, padlen=0, numbwritten=0):
        """
        Set up the format-string helper around a caller-supplied I/O callback.

        Arguments:
            execute_fmt(function): callback used to talk to the process under
                test (sends a format string, returns what came back)
            offset(int): position of the first format argument the caller
                controls; probed with ``find_offset`` when ``None``
            padlen(int): size of the padding placed before the payload
            numbwritten(int): number of bytes already written before the
                payload is emitted
        """
        self.execute_fmt = execute_fmt
        self.numbwritten = numbwritten
        self.padlen = padlen
        self.offset = offset

        # All attributes above are in place before find_offset() runs, since it
        # is a method on this object.  It returns both the offset and the
        # padding it needed, and the latter replaces the padlen argument.
        if offset is None:
            detected = self.find_offset()
            self.offset, self.padlen = detected
            log.info("Found format string offset: %d", self.offset)

        # Starts empty; populated by later calls on this object.
        self.writes = {}
        # Memory leaker driven by this object's own _leaker callback.
        self.leaker = MemLeak(self._leaker)
    def __init__(self, leak, pointer=None, elf=None, libcdb=True):
        '''
        Build a symbol resolver for a running binary from a
        :class:`pwnlib.memleak.MemLeak` leaker and a pointer into the binary.

        Arguments:
            leak(MemLeak): Instance of pwnlib.memleak.MemLeak for leaking memory;
                a plain callable is wrapped in a MemLeak automatically
            pointer(int):  A pointer into a loaded ELF file
            elf(str,ELF):  Path to the ELF file on disk, or a loaded :class:`pwnlib.elf.ELF`.
            libcdb(bool):  Attempt to use libcdb to speed up libc lookups
        '''
        self.libcdb = libcdb

        # Lazily-filled state; all start empty and are populated by the lookup
        # helpers on this object.
        self._elfclass = None
        self._elftype = None
        self._link_map = None
        self._waitfor = None
        self._bases = {}
        self._dynamic = None

        # Either a pointer or an ELF that already knows its base address is
        # needed to anchor the search.
        # NOTE(review): presumably log.error() aborts construction here; the
        # fallback below assumes elf is usable when pointer is absent — confirm
        # against pwnlib.log.
        have_pointer = bool(pointer)
        have_based_elf = bool(elf and elf.address)
        if not have_pointer and not have_based_elf:
            log.error(
                "Must specify either a pointer into a module and/or an ELF file with a valid base address"
            )

        if not pointer:
            pointer = elf.address

        # Accept a bare leak function as well as a ready-made MemLeak.
        leaker = leak if isinstance(leak, MemLeak) else MemLeak(leak)

        if not elf:
            log.warn_once(
                "No ELF provided.  Leaking is much faster if you have a copy of the ELF being leaked."
            )

        self.elf = elf
        self.leak = leaker
        # pointer already falls back to elf.address above.
        self.libbase = self._find_base(pointer)

        # With an ELF on hand the link map can be located without blind search.
        if elf:
            self._find_linkmap_assisted(elf)
    def __init__(self, execute_fmt, offset=None, padlen=0, numbwritten=0):
        """
        Instantiate a helper that automates exploitation of a format-string
        bug in the vulnerable process.

        Arguments:
            execute_fmt(function): callback used to communicate with the
                vulnerable process
            offset(int): offset of the first format specifier the caller
                controls; detected with ``find_offset`` when omitted
            padlen(int): size of the padding inserted before the payload
            numbwritten(int): number of bytes already written
        """
        self.execute_fmt = execute_fmt
        self.offset = offset
        self.padlen = padlen
        self.numbwritten = numbwritten

        # find_offset() is a method on this object, so the attributes above
        # must be set first.  Its result supersedes both offset and padlen.
        if offset is None:
            offset, padlen = self.find_offset()
            self.offset, self.padlen = offset, padlen
            log.info("Found format string offset: %d", offset)

        # Empty until later calls fill it in.
        self.writes = {}
        # Memory leaker backed by this object's own _leaker callback.
        self.leaker = MemLeak(self._leaker)