던진다!
사용법:
elf = elfleak(leak=f)  # f(addr, size): addr부터 size 바이트만큼 메모리를 leak해서 str로 리턴하는 함수
import struct
def p4(value):
    """Pack `value` as a 4-byte big-endian unsigned integer (Elf32 fields on a BE target)."""
    return struct.pack(">L", value)


def u4(data):
    """Decode 4 bytes as a big-endian unsigned integer; the inverse of p4."""
    return struct.unpack(">L", data)[0]
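class elfleak(object):
    """Resolve dynamic symbols of a mapped 32-bit big-endian ELF through a memory-leak primitive.

    Every structure offset used here is the Elf32 layout (e_phoff at 28,
    e_phnum at 44, 32-byte program headers, 8-byte dynamic entries, 16-byte
    symbol entries) and every multi-byte field is decoded big-endian (">L"),
    which matches e.g. a big-endian MIPS target; a little-endian Elf32 target
    needs the format strings changed to "<L"/"<H".

    Usage:
        elf = elfleak(leak=f)          # f(addr, size) -> the `size` bytes at `addr`
        base = elf.get_elf(addr_inside_binary)
        dyn = elf.get_dynamic(base + elf.get_prog_headers(base))
        strtab, symtab = elf.get_str_symtab(dyn)
        elf.get_symbol("printf", strtab, symtab)

    Each `leak` call reads from the target, so the scans stop where the ELF
    gives a bound (e_phnum, DT_NULL) and raise ValueError instead of reading
    forever when the structure they look for is absent.
    """

    # ELF constants (Elf32 layout).
    PT_DYNAMIC = 2
    DT_NULL = 0
    DT_STRTAB = 5
    DT_SYMTAB = 6
    PHDR_SIZE = 32   # sizeof(Elf32_Phdr)
    DYN_SIZE = 8     # sizeof(Elf32_Dyn)
    SYM_SIZE = 16    # sizeof(Elf32_Sym)
    PAGE = 0x1000

    # Class-level defaults kept for compatibility; __init__ gives each
    # instance its own copies so two instances never share a cache.
    elf_got_dynamic = False
    elf_dynamic = -1
    base = -1
    sections = {}
    verbose = True

    def leak(self, addr, size):
        """Default leak primitive: raises until `leak=f` is passed to the constructor."""
        raise NotImplementedError("elfleak needs leak=f(addr, size) passed to the constructor")

    def __init__(self, *args, **kwargs):
        """Keyword args: leak (required for any lookup), verbose (default True: print scan progress)."""
        if 'leak' in kwargs:
            self.leak = kwargs['leak']
        self.verbose = kwargs.get('verbose', True)
        self.elf_got_dynamic = False
        self.elf_dynamic = -1
        self.base = -1
        # Per-instance cache of d_tag -> d_val seen in the dynamic section.
        # A class-level dict here would be shared by every instance.
        self.sections = {}

    def _read(self, addr, size):
        """Leak `size` bytes at `addr` as bytes (a text str from the primitive is taken as latin-1).

        Raises ValueError on a short read so a truncated leak is reported
        instead of surfacing as a struct error deeper down.
        """
        data = self.leak(addr, size)
        if not isinstance(data, bytes):
            data = data.encode('latin-1')
        if len(data) != size:
            raise ValueError("leak returned %d bytes for %d requested at 0x%x" % (len(data), size, addr))
        return data

    def _u4(self, addr):
        """Read a big-endian unsigned 32-bit value at `addr`."""
        return struct.unpack(">L", self._read(addr, 4))[0]

    def _u2(self, addr):
        """Read a big-endian unsigned 16-bit value at `addr`."""
        return struct.unpack(">H", self._read(addr, 2))[0]

    def get_elf(self, start):
        """Walk down one page at a time from `start` until the 0x7f 'ELF' magic is found.

        Returns the ELF base address and caches it in self.base. Raises
        ValueError if the search reaches below address 0 without a match.
        """
        addr = start & ~(self.PAGE - 1)
        while self._read(addr, 4) != b'\x7fELF':
            addr -= self.PAGE
            if addr < 0:
                raise ValueError("no ELF header found below 0x%x" % start)
        self.base = addr
        return addr

    def get_prog_headers(self, base):
        """Return e_phoff (Elf32_Ehdr offset 28): the program-header table offset, relative to `base`."""
        return self._u4(base + 28)

    def get_phnum(self, base):
        """Return e_phnum (Elf32_Ehdr offset 44): the number of program headers."""
        return self._u2(base + 44)

    def get_dynamic(self, prog, phnum=None):
        """Return p_vaddr of the PT_DYNAMIC program header in the table at `prog`.

        `prog` is the address of the program-header table (base + e_phoff).
        `phnum` bounds the scan; when omitted it is read from the header at
        self.base if get_elf() has run, otherwise the scan is unbounded. The
        result is cached in self.elf_dynamic and returned on later calls
        regardless of `prog`, so one instance serves one binary. Raises
        ValueError when no PT_DYNAMIC entry exists within `phnum` headers
        (e.g. a statically linked binary).
        """
        if self.elf_got_dynamic:
            return self.elf_dynamic
        if phnum is None and self.base != -1:
            phnum = self.get_phnum(self.base)
        index = 0
        while phnum is None or index < phnum:
            entry = prog + index * self.PHDR_SIZE
            if self._u4(entry) == self.PT_DYNAMIC:
                # p_vaddr is at offset 8 of Elf32_Phdr.
                self.elf_dynamic = self._u4(entry + 8)
                self.elf_got_dynamic = True
                if self.verbose:
                    print("PT_DYNAMIC at phdr table offset %s" % hex(index * self.PHDR_SIZE))
                return self.elf_dynamic
            index += 1
        raise ValueError("no PT_DYNAMIC program header in the table at 0x%x" % prog)

    def get_str_symtab(self, dynamic):
        """Return (DT_STRTAB, DT_SYMTAB) addresses from the dynamic section at `dynamic`.

        Entries are 8-byte (d_tag, d_val) pairs; every tag seen is recorded in
        self.sections. The scan stops once both tags are known and raises
        ValueError at DT_NULL if either is missing. The result is taken from
        self.sections, so a second call returns the same pair instead of
        (0, 0) from a loop body that never ran.
        """
        index = 0
        while self.DT_STRTAB not in self.sections or self.DT_SYMTAB not in self.sections:
            entry = dynamic + index * self.DYN_SIZE
            tag = self._u4(entry)
            value = self._u4(entry + 4)
            self.sections[tag] = value
            if self.verbose:
                print("%s %s" % (hex(tag), hex(value)))
            if tag == self.DT_NULL:
                raise ValueError("dynamic section at 0x%x ends without DT_STRTAB/DT_SYMTAB" % dynamic)
            index += 1
        return (self.sections[self.DT_STRTAB], self.sections[self.DT_SYMTAB])

    def get_symbol(self, symbol, strtab, symtab, max_entries=None):
        """Return st_value of the dynamic symbol named `symbol`.

        Walks 16-byte Elf32_Sym entries from `symtab`; each st_name is an
        offset into `strtab`. The match is exact: the byte after the candidate
        name is read too and must be NUL, so "print" does not match "printf".
        `symbol` may be str or bytes. `max_entries`, when given, bounds the
        scan and a miss raises ValueError; without it the scan is unbounded
        (the dynamic symbol count is not in the dynamic section, so the
        caller must supply a bound to get a clean miss).
        """
        if not isinstance(symbol, bytes):
            symbol = symbol.encode('latin-1')
        needle = symbol + b'\x00'
        index = 0
        while max_entries is None or index < max_entries:
            entry = symtab + index * self.SYM_SIZE
            name_offset = self._u4(entry)
            if self._read(strtab + name_offset, len(needle)) == needle:
                return self._u4(entry + 4)   # st_value
            index += 1
        raise ValueError("symbol %r not found in the first %d symbol entries" % (symbol, max_entries))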
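# Script entry: resolve the dynamic string/symbol tables of the binary under
# the IDA cursor. `Byte` and `here` are IDA API names, not defined in this file.
m = elfleak(leak=lambda addr, size: bytes(bytearray([Byte(addr + i) for i in range(size)])))
# Program headers live at base + e_phoff; use the base get_elf() found
# rather than a fixed 0x400000, which is only right when the two coincide.
base = m.get_elf(here())
dynamic = m.get_dynamic(base + m.get_prog_headers(base))
print(m.get_str_symtab(dynamic))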