def __init__(self, execute_fmt, offset=None, padlen=0, numbwritten=0):
self.execute_fmt = execute_fmt
self.offset = offset
self.padlen = padlen
self.numbwritten = numbwritten
if self.offset is None:
self.offset, self.padlen = self.find_offset()
log.info("Found format string offset: %d", self.offset)
self.writes = {}
self.leaker = MemLeak(self._leaker)
def __init__(self, leak, pointer=None, elf=None, libcdb=True):
'''
Instantiates an object which can resolve symbols in a running binary
given a :class:`pwnlib.memleak.MemLeak` leaker and a pointer inside
the binary.
Arguments:
leak(MemLeak): Instance of pwnlib.memleak.MemLeak for leaking memory
pointer(int): A pointer into a loaded ELF file
elf(str,ELF): Path to the ELF file on disk, or a loaded :class:`pwnlib.elf.ELF`.
libcdb(bool): Attempt to use libcdb to speed up libc lookups
'''
self.libcdb = libcdb
self._elfclass = None
self._elftype = None
self._link_map = None
self._waitfor = None
self._bases = {}
self._dynamic = None
if not (pointer or (elf and elf.address)):
log.error(
"Must specify either a pointer into a module and/or an ELF file with a valid base address"
)
pointer = pointer or elf.address
if not isinstance(leak, MemLeak):
leak = MemLeak(leak)
if not elf:
log.warn_once(
"No ELF provided. Leaking is much faster if you have a copy of the ELF being leaked."
)
self.elf = elf
self.leak = leak
self.libbase = self._find_base(pointer or elf.address)
if elf:
self._find_linkmap_assisted(elf)
def __init__(self, execute_fmt, offset=None, padlen=0, numbwritten=0):
"""
Instantiates an object which try to automating exploit the vulnerable process
Arguments:
execute_fmt(function): function to call for communicate with the vulnerable process
offset(int): the first formatter's offset you control
padlen(int): size of the pad you want to add before the payload
numbwritten(int): number of already written bytes
"""
self.execute_fmt = execute_fmt
self.offset = offset
self.padlen = padlen
self.numbwritten = numbwritten
if self.offset is None:
self.offset, self.padlen = self.find_offset()
log.info("Found format string offset: %d", self.offset)
self.writes = {}
self.leaker = MemLeak(self._leaker)
