Class: Pwnlib::MemLeak

Inherits:

Object

• Object
• Pwnlib::MemLeak

Defined in:

lib/pwnlib/memleak.rb

Overview

A class caching and heuristic tool for exploiting memory leaks.

Instance Method Summary

• #b(addr) ⇒ Integer

  Leak a byte at *((uint8_t*) addr).

• #d(addr) ⇒ Integer

  Leak a dword at *((uint32_t*) addr).

• #initialize {|leak_addr| ... } ⇒ MemLeak constructor

  Instantiate a MemLeak object.

• #n(addr, numb) ⇒ String

  Leak numb bytes at addr.

• #q(addr) ⇒ Integer

  Leak a qword at *((uint64_t*) addr).

• #w(addr) ⇒ Integer

  Leak a word at *((uint16_t*) addr).

Constructor Details

#initialize {|leak_addr| ... } ⇒ MemLeak

Instantiate a Pwnlib::MemLeak object.

Yield Parameters:

• leak_addr (Integer) —

  The start address that the leaker should leak from.

Yield Returns:

• (String) —

  A leaked non-empty byte string, starting from leak_addr.

# File 'lib/pwnlib/memleak.rb', line 16

def initialize(&block)
  @leak = block
  @cache = {}
end

Instance Method Details

#b(addr) ⇒ Integer

Leak a byte at *((uint8_t*) addr).

Parameters:

• addr (Integer) —

  The address of the leak.

Returns:

• (Integer) —

  The leaked byte.

# File 'lib/pwnlib/memleak.rb', line 42

def b(addr)
  Util::Packing.u8(n(addr, 1))
end

#d(addr) ⇒ Integer

Leak a dword at *((uint32_t*) addr).

Parameters:

• addr (Integer) —

  The address of the leak.

Returns:

• (Integer) —

  The leaked dword.

# File 'lib/pwnlib/memleak.rb', line 64

def d(addr)
  Util::Packing.u32(n(addr, 4))
end

#n(addr, numb) ⇒ String

Leak numb bytes at addr. Returns a string with the leaked bytes.

Parameters:

• addr (Integer) —

  The starting address of the leak.

• numb (Integer) —

  Number of bytes to be leaked.

Returns:

• (String) —

  The leaked byte string.

# File 'lib/pwnlib/memleak.rb', line 31

def n(addr, numb)
  (0...numb).map { |i| do_leak(addr + i) }.pack('C*')
end

#q(addr) ⇒ Integer

Leak a qword at *((uint64_t*) addr).

Parameters:

• addr (Integer) —

  The address of the leak.

Returns:

• (Integer) —

  The leaked qword.

# File 'lib/pwnlib/memleak.rb', line 75

def q(addr)
  Util::Packing.u64(n(addr, 8))
end

#w(addr) ⇒ Integer

Leak a word at *((uint16_t*) addr).

Parameters:

• addr (Integer) —

  The address of the leak.

Returns:

• (Integer) —

  The leaked word.

# File 'lib/pwnlib/memleak.rb', line 53

def w(addr)
  Util::Packing.u16(n(addr, 2))
end