metasploit-gs/api/Msf/Exploit/FormatString.html
jenkins-metasploit c3f5bd3de2 Reboot gh-pages
2026-05-08 17:08:43 +00:00


<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>
Module: Msf::Exploit::FormatString
&mdash; Documentation by YARD 0.9.37
</title>
<link rel="stylesheet" href="../../css/style.css" type="text/css" />
<link rel="stylesheet" href="../../css/common.css" type="text/css" />
<script type="text/javascript">
pathId = "Msf::Exploit::FormatString";
relpath = '../../';
</script>
<script type="text/javascript" charset="utf-8" src="../../js/jquery.js"></script>
<script type="text/javascript" charset="utf-8" src="../../js/app.js"></script>
</head>
<body>
<div class="nav_wrap">
<iframe id="nav" src="../../class_list.html?1"></iframe>
<div id="resizer"></div>
</div>
<div id="main" tabindex="-1">
<div id="header">
<div id="menu">
<a href="../../_index.html">Index (F)</a> &raquo;
<span class='title'><span class='object_link'><a href="../../Msf.html" title="Msf (module)">Msf</a></span></span> &raquo; <span class='title'><span class='object_link'><a href="../Exploit.html" title="Msf::Exploit (class)">Exploit</a></span></span>
&raquo;
<span class="title">FormatString</span>
</div>
<div id="search">
<a class="full_list_link" id="class_list_link"
href="../../class_list.html">
<svg width="24" height="24">
<rect x="0" y="4" width="24" height="4" rx="1" ry="1"></rect>
<rect x="0" y="12" width="24" height="4" rx="1" ry="1"></rect>
<rect x="0" y="20" width="24" height="4" rx="1" ry="1"></rect>
</svg>
</a>
</div>
<div class="clear"></div>
</div>
<div id="content"><h1>Module: Msf::Exploit::FormatString
</h1>
<div class="box_info">
<dl>
<dt>Defined in:</dt>
<dd>lib/msf/core/exploit/format_string.rb</dd>
</dl>
</div>
<h2>Overview</h2><div class="docstring">
<div class="discussion">
<p>This mixin provides an interface for generating format string exploits in a more intelligent way.</p>
<p>Author: jduck</p>
</div>
</div>
<div class="tags">
</div>
<h2>
Instance Method Summary
<small><a href="#" class="summary_toggle">collapse</a></small>
</h2>
<ul class="summary">
<li class="public ">
<span class="summary_signature">
<a href="#fmtstr_advance_count-instance_method" title="#fmtstr_advance_count (instance method)">#<strong>fmtstr_advance_count</strong>(prec) &#x21d2; Object </a>
</span>
<span class="summary_desc"><div class='inline'>
<p>Generate a fmt that will advance the printed count by the specified amount.</p>
</div></span>
</li>
<li class="public ">
<span class="summary_signature">
<a href="#fmtstr_count_printed-instance_method" title="#fmtstr_count_printed (instance method)">#<strong>fmtstr_count_printed</strong>(num_printed, num_pad, num_pops, arr) &#x21d2; Object </a>
</span>
<span class="summary_desc"><div class='inline'>
<p>Count how many bytes will have been printed before we reach the writes.</p>
</div></span>
</li>
<li class="public ">
<span class="summary_signature">
<a href="#fmtstr_detect_cap_dpa-instance_method" title="#fmtstr_detect_cap_dpa (instance method)">#<strong>fmtstr_detect_cap_dpa</strong> &#x21d2; Object </a>
</span>
<span class="summary_desc"><div class='inline'></div></span>
</li>
<li class="public ">
<span class="summary_signature">
<a href="#fmtstr_detect_cap_fpu-instance_method" title="#fmtstr_detect_cap_fpu (instance method)">#<strong>fmtstr_detect_cap_fpu</strong> &#x21d2; Object </a>
</span>
<span class="summary_desc"><div class='inline'></div></span>
</li>
<li class="public ">
<span class="summary_signature">
<a href="#fmtstr_detect_caps-instance_method" title="#fmtstr_detect_caps (instance method)">#<strong>fmtstr_detect_caps</strong> &#x21d2; Object </a>
</span>
<span class="summary_desc"><div class='inline'>
<p>Detect the capabilities (only works for non-blind).</p>
</div></span>
</li>
<li class="public ">
<span class="summary_signature">
<a href="#fmtstr_detect_exploitable-instance_method" title="#fmtstr_detect_exploitable (instance method)">#<strong>fmtstr_detect_exploitable</strong> &#x21d2; Object </a>
</span>
<span class="summary_desc"><div class='inline'>
<p>NOTE: This will likely crash the target process.</p>
</div></span>
</li>
<li class="public ">
<span class="summary_signature">
<a href="#fmtstr_detect_vulnerable-instance_method" title="#fmtstr_detect_vulnerable (instance method)">#<strong>fmtstr_detect_vulnerable</strong> &#x21d2; Object </a>
</span>
<span class="summary_desc"><div class='inline'></div></span>
</li>
<li class="public ">
<span class="summary_signature">
<a href="#fmtstr_gen_array_from_buf-instance_method" title="#fmtstr_gen_array_from_buf (instance method)">#<strong>fmtstr_gen_array_from_buf</strong>(write_to, buffer, targ = target) &#x21d2; Object </a>
</span>
<span class="summary_desc"><div class='inline'>
<p>Generates and returns an array of what/where pairs from the supplied buffer.</p>
</div></span>
</li>
<li class="public ">
<span class="summary_signature">
<a href="#fmtstr_gen_from_array-instance_method" title="#fmtstr_gen_from_array (instance method)">#<strong>fmtstr_gen_from_array</strong>(num_printed, arr, targ = target) &#x21d2; Object </a>
</span>
<span class="summary_desc"><div class='inline'>
<p>Generates a format string from an array of value/address pairs.</p>
</div></span>
</li>
<li class="public ">
<span class="summary_signature">
<a href="#fmtstr_set_caps-instance_method" title="#fmtstr_set_caps (instance method)">#<strong>fmtstr_set_caps</strong>(fpu, dpa) &#x21d2; Object </a>
</span>
<span class="summary_desc"><div class='inline'>
<p>Allow caller to override the capabilities.</p>
</div></span>
</li>
<li class="public ">
<span class="summary_signature">
<a href="#fmtstr_stack_read-instance_method" title="#fmtstr_stack_read (instance method)">#<strong>fmtstr_stack_read</strong>(offset, extra = &#39;&#39;) &#x21d2; Object </a>
</span>
<span class="summary_desc"><div class='inline'>
<p>Read a single 32-bit integer from the stack at the specified offset.</p>
</div></span>
</li>
<li class="public ">
<span class="summary_signature">
<a href="#fmtstr_target_short-instance_method" title="#fmtstr_target_short (instance method)">#<strong>fmtstr_target_short</strong>(value, num_printed) &#x21d2; Object </a>
</span>
<span class="summary_desc"><div class='inline'>
<p>Generate the number to be used for precision that will create the specified value to write.</p>
</div></span>
</li>
<li class="public ">
<span class="summary_signature">
<a href="#generate_fmt_two_shorts-instance_method" title="#generate_fmt_two_shorts (instance method)">#<strong>generate_fmt_two_shorts</strong>(num_printed, write_to, write_what, targ = target) &#x21d2; Object </a>
</span>
<span class="summary_desc"><div class='inline'>
<p>Generates a format string that will perform an arbitrary write using two separate short values.</p>
</div></span>
</li>
<li class="public ">
<span class="summary_signature">
<a href="#generate_fmtstr_from_buf-instance_method" title="#generate_fmtstr_from_buf (instance method)">#<strong>generate_fmtstr_from_buf</strong>(num_printed, write_to, buffer, targ = target) &#x21d2; Object </a>
</span>
<span class="summary_desc"><div class='inline'>
<p>Generates a format string that will perform an arbitrary write using two separate short values.</p>
</div></span>
</li>
<li class="public ">
<span class="summary_signature">
<a href="#initialize-instance_method" title="#initialize (instance method)">#<strong>initialize</strong>(info = {}) &#x21d2; Object </a>
</span>
<span class="summary_desc"><div class='inline'>
<p>Creates an instance of a format string exploit.</p>
</div></span>
</li>
</ul>
<div id="instance_method_details" class="method_details_list">
<h2>Instance Method Details</h2>
<div class="method_details first">
<h3 class="signature first" id="fmtstr_advance_count-instance_method">
#<strong>fmtstr_advance_count</strong>(prec) &#x21d2; <tt>Object</tt>
</h3><div class="docstring">
<div class="discussion">
<p>Generate a fmt that will advance the printed count by the specified amount</p>
</div>
</div>
<div class="tags">
</div><table class="source_code">
<tr>
<td>
<pre class="lines">
236
237
238
239
240
241
242
243
244
245
246
247
248</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'lib/msf/core/exploit/format_string.rb', line 236</span>
<span class='kw'>def</span> <span class='id identifier rubyid_fmtstr_advance_count'>fmtstr_advance_count</span><span class='lparen'>(</span><span class='id identifier rubyid_prec'>prec</span><span class='rparen'>)</span>
<span class='comment'># no need to advance :)
</span> <span class='kw'>return</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_end'>&quot;</span></span> <span class='kw'>if</span> <span class='id identifier rubyid_prec'>prec</span> <span class='op'>==</span> <span class='int'>0</span>
<span class='comment'># assuming %x max normal length is 8...
</span> <span class='kw'>if</span> <span class='id identifier rubyid_prec'>prec</span> <span class='op'>&gt;=</span> <span class='int'>8</span>
<span class='kw'>return</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>%0</span><span class='tstring_end'>&quot;</span></span> <span class='op'>+</span> <span class='id identifier rubyid_prec'>prec</span><span class='period'>.</span><span class='id identifier rubyid_to_s'>to_s</span> <span class='op'>+</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>x</span><span class='tstring_end'>&quot;</span></span>
<span class='kw'>end</span>
<span class='comment'># anything else, we just put some chars in...
</span> <span class='kw'>return</span> <span class='id identifier rubyid_rand_text'>rand_text</span><span class='lparen'>(</span><span class='id identifier rubyid_prec'>prec</span><span class='rparen'>)</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
<div class="method_details ">
<h3 class="signature " id="fmtstr_count_printed-instance_method">
#<strong>fmtstr_count_printed</strong>(num_printed, num_pad, num_pops, arr) &#x21d2; <tt>Object</tt>
</h3><div class="docstring">
<div class="discussion">
<p>Count how many bytes will have been printed before we reach the writes.</p>
</div>
</div>
<div class="tags">
</div><table class="source_code">
<tr>
<td>
<pre class="lines">
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'lib/msf/core/exploit/format_string.rb', line 201</span>
<span class='kw'>def</span> <span class='id identifier rubyid_fmtstr_count_printed'>fmtstr_count_printed</span><span class='lparen'>(</span><span class='id identifier rubyid_num_printed'>num_printed</span><span class='comma'>,</span> <span class='id identifier rubyid_num_pad'>num_pad</span><span class='comma'>,</span> <span class='id identifier rubyid_num_pops'>num_pops</span><span class='comma'>,</span> <span class='id identifier rubyid_arr'>arr</span><span class='rparen'>)</span>
<span class='id identifier rubyid_num'>num</span> <span class='op'>=</span> <span class='id identifier rubyid_num_printed'>num_printed</span> <span class='op'>+</span> <span class='id identifier rubyid_num_pad'>num_pad</span>
<span class='kw'>if</span> <span class='kw'>not</span> <span class='ivar'>@use_dpa</span>
<span class='id identifier rubyid_num'>num</span> <span class='op'>+=</span> <span class='lparen'>(</span><span class='int'>8</span> <span class='op'>*</span> <span class='id identifier rubyid_num_pops'>num_pops</span><span class='rparen'>)</span>
<span class='kw'>end</span>
<span class='id identifier rubyid_npr'>npr</span> <span class='op'>=</span> <span class='id identifier rubyid_num'>num</span>
<span class='id identifier rubyid_arr'>arr</span><span class='period'>.</span><span class='id identifier rubyid_each'>each</span> <span class='kw'>do</span> <span class='op'>|</span><span class='id identifier rubyid_el'>el</span><span class='op'>|</span>
<span class='id identifier rubyid_prec'>prec</span> <span class='op'>=</span> <span class='id identifier rubyid_fmtstr_target_short'>fmtstr_target_short</span><span class='lparen'>(</span><span class='id identifier rubyid_el'>el</span><span class='lbracket'>[</span><span class='int'>0</span><span class='rbracket'>]</span><span class='comma'>,</span> <span class='id identifier rubyid_npr'>npr</span><span class='rparen'>)</span>
<span class='comment'># this gets popped in order to advance the column (dpa doesn&#39;t need these)
</span> <span class='kw'>if</span> <span class='kw'>not</span> <span class='ivar'>@use_dpa</span> <span class='kw'>and</span> <span class='id identifier rubyid_prec'>prec</span> <span class='op'>&gt;=</span> <span class='int'>8</span>
<span class='id identifier rubyid_num'>num</span> <span class='op'>+=</span> <span class='int'>4</span>
<span class='kw'>end</span>
<span class='comment'># account for the addr to write to
</span> <span class='id identifier rubyid_num'>num</span> <span class='op'>+=</span> <span class='int'>4</span>
<span class='id identifier rubyid_npr'>npr</span> <span class='op'>=</span> <span class='id identifier rubyid_el'>el</span><span class='lbracket'>[</span><span class='int'>0</span><span class='rbracket'>]</span>
<span class='kw'>end</span>
<span class='kw'>return</span> <span class='id identifier rubyid_num'>num</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
<div class="method_details ">
<h3 class="signature " id="fmtstr_detect_cap_dpa-instance_method">
#<strong>fmtstr_detect_cap_dpa</strong> &#x21d2; <tt>Object</tt>
</h3><table class="source_code">
<tr>
<td>
<pre class="lines">
42
43
44
45
46
47
48
49
50</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'lib/msf/core/exploit/format_string.rb', line 42</span>
<span class='kw'>def</span> <span class='id identifier rubyid_fmtstr_detect_cap_dpa'>fmtstr_detect_cap_dpa</span>
<span class='id identifier rubyid_res'>res</span> <span class='op'>=</span> <span class='id identifier rubyid_trigger_fmt'>trigger_fmt</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>|%1$08x|</span><span class='tstring_end'>&quot;</span></span><span class='rparen'>)</span>
<span class='kw'>return</span> <span class='kw'>nil</span> <span class='kw'>if</span> <span class='kw'>not</span> <span class='id identifier rubyid_res'>res</span>
<span class='id identifier rubyid_res'>res</span> <span class='op'>=</span> <span class='id identifier rubyid_extract_fmt_output'>extract_fmt_output</span><span class='lparen'>(</span><span class='id identifier rubyid_res'>res</span><span class='rparen'>)</span>
<span class='kw'>if</span> <span class='id identifier rubyid_res'>res</span> <span class='op'>=~</span> <span class='tstring'><span class='regexp_beg'>/</span><span class='tstring_content'>^\|[0-9a-f]{8}\|$</span><span class='regexp_end'>/</span></span>
<span class='kw'>return</span> <span class='kw'>true</span>
<span class='kw'>end</span>
<span class='kw'>return</span> <span class='kw'>false</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
<div class="method_details ">
<h3 class="signature " id="fmtstr_detect_cap_fpu-instance_method">
#<strong>fmtstr_detect_cap_fpu</strong> &#x21d2; <tt>Object</tt>
</h3><table class="source_code">
<tr>
<td>
<pre class="lines">
52
53
54
55
56
57
58
59
60</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'lib/msf/core/exploit/format_string.rb', line 52</span>
<span class='kw'>def</span> <span class='id identifier rubyid_fmtstr_detect_cap_fpu'>fmtstr_detect_cap_fpu</span>
<span class='id identifier rubyid_res'>res</span> <span class='op'>=</span> <span class='id identifier rubyid_trigger_fmt'>trigger_fmt</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>|%g|</span><span class='tstring_end'>&quot;</span></span><span class='rparen'>)</span>
<span class='kw'>return</span> <span class='kw'>nil</span> <span class='kw'>if</span> <span class='kw'>not</span> <span class='id identifier rubyid_res'>res</span>
<span class='id identifier rubyid_res'>res</span> <span class='op'>=</span> <span class='id identifier rubyid_extract_fmt_output'>extract_fmt_output</span><span class='lparen'>(</span><span class='id identifier rubyid_res'>res</span><span class='rparen'>)</span>
<span class='kw'>if</span> <span class='id identifier rubyid_res'>res</span> <span class='op'>=~</span> <span class='tstring'><span class='regexp_beg'>/</span><span class='tstring_content'>^\|[\-0-9]+\.[0-9]+\|$</span><span class='regexp_end'>/</span></span>
<span class='kw'>return</span> <span class='kw'>true</span>
<span class='kw'>end</span>
<span class='kw'>return</span> <span class='kw'>false</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
<div class="method_details ">
<h3 class="signature " id="fmtstr_detect_caps-instance_method">
#<strong>fmtstr_detect_caps</strong> &#x21d2; <tt>Object</tt>
</h3><div class="docstring">
<div class="discussion">
<p>Detect the capabilities (only works for non-blind)</p>
</div>
</div>
<div class="tags">
</div><table class="source_code">
<tr>
<td>
<pre class="lines">
36
37
38
39
40</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'lib/msf/core/exploit/format_string.rb', line 36</span>
<span class='kw'>def</span> <span class='id identifier rubyid_fmtstr_detect_caps'>fmtstr_detect_caps</span>
<span class='ivar'>@use_dpa</span> <span class='op'>=</span> <span class='id identifier rubyid_fmtstr_detect_cap_dpa'>fmtstr_detect_cap_dpa</span>
<span class='ivar'>@use_fpu</span> <span class='op'>=</span> <span class='id identifier rubyid_fmtstr_detect_cap_fpu'>fmtstr_detect_cap_fpu</span>
<span class='comment'>#print_status(&quot;support dpa:#{@use_dpa.to_s}, fpu:#{@use_fpu.to_s}&quot;)
</span><span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
<div class="method_details ">
<h3 class="signature " id="fmtstr_detect_exploitable-instance_method">
#<strong>fmtstr_detect_exploitable</strong> &#x21d2; <tt>Object</tt>
</h3><div class="docstring">
<div class="discussion">
<p>NOTE: This will likely crash the target process</p>
</div>
</div>
<div class="tags">
</div><table class="source_code">
<tr>
<td>
<pre class="lines">
73
74
75
76
77
78
79
80
81
82
83
84
85</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'lib/msf/core/exploit/format_string.rb', line 73</span>
<span class='kw'>def</span> <span class='id identifier rubyid_fmtstr_detect_exploitable'>fmtstr_detect_exploitable</span>
<span class='kw'>begin</span>
<span class='id identifier rubyid_res'>res</span> <span class='op'>=</span> <span class='id identifier rubyid_trigger_fmt'>trigger_fmt</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>|</span><span class='tstring_end'>&quot;</span></span> <span class='op'>+</span> <span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>%n</span><span class='tstring_end'>&quot;</span></span> <span class='op'>*</span> <span class='int'>16</span><span class='rparen'>)</span> <span class='op'>+</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>|</span><span class='tstring_end'>&quot;</span></span><span class='rparen'>)</span>
<span class='kw'>rescue</span> <span class='op'>::</span><span class='const'>Exception</span>
<span class='id identifier rubyid_res'>res</span> <span class='op'>=</span> <span class='kw'>nil</span>
<span class='kw'>end</span>
<span class='kw'>return</span> <span class='kw'>true</span> <span class='kw'>if</span> <span class='kw'>not</span> <span class='id identifier rubyid_res'>res</span>
<span class='id identifier rubyid_res'>res</span> <span class='op'>=</span> <span class='id identifier rubyid_extract_fmt_output'>extract_fmt_output</span><span class='lparen'>(</span><span class='id identifier rubyid_res'>res</span><span class='rparen'>)</span>
<span class='kw'>if</span> <span class='id identifier rubyid_res'>res</span> <span class='op'>=~</span> <span class='tstring'><span class='regexp_beg'>/</span><span class='tstring_content'>^\|\|$</span><span class='regexp_end'>/</span></span>
<span class='kw'>return</span> <span class='kw'>true</span>
<span class='kw'>end</span>
<span class='kw'>return</span> <span class='kw'>false</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
<div class="method_details ">
<h3 class="signature " id="fmtstr_detect_vulnerable-instance_method">
#<strong>fmtstr_detect_vulnerable</strong> &#x21d2; <tt>Object</tt>
</h3><table class="source_code">
<tr>
<td>
<pre class="lines">
62
63
64
65
66
67
68
69
70</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'lib/msf/core/exploit/format_string.rb', line 62</span>
<span class='kw'>def</span> <span class='id identifier rubyid_fmtstr_detect_vulnerable'>fmtstr_detect_vulnerable</span>
<span class='id identifier rubyid_res'>res</span> <span class='op'>=</span> <span class='id identifier rubyid_trigger_fmt'>trigger_fmt</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>|%08x|</span><span class='tstring_end'>&quot;</span></span><span class='rparen'>)</span>
<span class='kw'>return</span> <span class='kw'>false</span> <span class='kw'>if</span> <span class='kw'>not</span> <span class='id identifier rubyid_res'>res</span>
<span class='id identifier rubyid_res'>res</span> <span class='op'>=</span> <span class='id identifier rubyid_extract_fmt_output'>extract_fmt_output</span><span class='lparen'>(</span><span class='id identifier rubyid_res'>res</span><span class='rparen'>)</span>
<span class='kw'>if</span> <span class='id identifier rubyid_res'>res</span> <span class='op'>=~</span> <span class='tstring'><span class='regexp_beg'>/</span><span class='tstring_content'>^\|[0-9a-f]{8}\|$</span><span class='regexp_end'>/</span></span>
<span class='kw'>return</span> <span class='kw'>true</span>
<span class='kw'>end</span>
<span class='kw'>return</span> <span class='kw'>false</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
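The fmtstr_detect_* methods above probe a target with fixed directives ("|%08x|", "|%1$08x|", "|%g|" and sixteen "%n"); seen from the defending side, those same directives are what to look for in untrusted input that reaches a printf-family call. The following Ruby is an added example, not code from the Metasploit mixin: the `classify_format_input` and `scan_log` names and the log lines are constructed for it.

```ruby
# Added example (not part of the Metasploit FormatString mixin): detect the
# printf directives that the mixin's fmtstr_detect_* probes send,
# "|%08x|", "|%1$08x|", "|%g|" and "|" + "%n" * 16 + "|", in untrusted
# fields of application log lines, and rank them by what the directive can do.

# One printf conversion specification. Capture groups:
#   1 direct parameter access ("1$"), 2 width, 3 precision,
#   4 length modifier (h, hh, l, ...), 5 conversion character.
FMT_DIRECTIVE = /%(\d+\$)?[-+ #0]*(\d+|\*)?(?:\.(\d+|\*))?(hh|h|ll|l|L|q|j|z|t)?([diouxXeEfFgGaAcspn%])/

# Classify one untrusted string:
#   :benign  no directive at all (a "%%" only prints a literal percent sign)
#   :read    directives that print stack or memory contents (%x, %p, %s, %g, ...)
#   :write   at least one %n / %hn / %N$n, which stores the printed count
# :dpa reports direct parameter access (%N$...), the capability that
# fmtstr_detect_cap_dpa checks for on the target.
def classify_format_input(str)
  reads = 0
  writes = 0
  dpa = false
  str.scan(FMT_DIRECTIVE) do |param, _width, _prec, _len, conv|
    next if conv == '%'
    dpa = true unless param.nil?
    if conv == 'n'
      writes += 1
    else
      reads += 1
    end
  end
  level = if writes > 0
            :write
          elsif reads > 0
            :read
          else
            :benign
          end
  { level: level, reads: reads, writes: writes, dpa: dpa }
end

# Scan "<timestamp> <source>: <message>" lines and return one finding per line
# whose message contains a directive, write-capable findings first.
def scan_log(lines)
  findings = []
  lines.each do |line|
    ts, src, msg = line.split(' ', 3)
    next if msg.nil?
    result = classify_format_input(msg)
    next if result[:level] == :benign
    findings << { ts: ts, src: src.chomp(':'), msg: msg }.merge(result)
  end
  writes, reads = findings.partition { |f| f[:level] == :write }
  writes + reads
end

# Constructed sample log for this example; the probe strings are the ones the
# mixin sends, the rest is filler.
SAMPLE_LOG = [
  "2024-05-01T10:00:00Z app: login failed for user 'alice'",
  "2024-05-01T10:00:01Z app: login failed for user '|%08x|'",
  "2024-05-01T10:00:02Z app: login failed for user '|%1$08x|'",
  "2024-05-01T10:00:03Z app: login failed for user '|%g|'",
  "2024-05-01T10:00:04Z app: login failed for user '|#{'%n' * 16}|'",
  "2024-05-01T10:00:05Z app: login failed for user '100%% sure'",
  "2024-05-01T10:00:06Z app: login failed for user 'AAAA%4$hn'",
].freeze

if __FILE__ == $PROGRAM_NAME
  scan_log(SAMPLE_LOG).each do |f|
    puts format('%-6s reads=%-2d writes=%-2d dpa=%-5s %s',
                f[:level], f[:reads], f[:writes], f[:dpa], f[:msg])
  end
end
```

Run it over whichever field the application passes to a printf-family function; at build time the compiler's `-Wformat-security` warning flags the non-literal format call that makes these probes matter in the first place.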
<div class="method_details ">
<h3 class="signature " id="fmtstr_gen_array_from_buf-instance_method">
#<strong>fmtstr_gen_array_from_buf</strong>(write_to, buffer, targ = target) &#x21d2; <tt>Object</tt>
</h3><div class="docstring">
<div class="discussion">
<p>Generates and returns an array of what/where pairs from the supplied buffer</p>
</div>
</div>
<div class="tags">
</div><table class="source_code">
<tr>
<td>
<pre class="lines">
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'lib/msf/core/exploit/format_string.rb', line 118</span>
<span class='kw'>def</span> <span class='id identifier rubyid_fmtstr_gen_array_from_buf'>fmtstr_gen_array_from_buf</span><span class='lparen'>(</span><span class='id identifier rubyid_write_to'>write_to</span><span class='comma'>,</span> <span class='id identifier rubyid_buffer'>buffer</span><span class='comma'>,</span> <span class='id identifier rubyid_targ'>targ</span> <span class='op'>=</span> <span class='id identifier rubyid_target'>target</span><span class='rparen'>)</span>
<span class='comment'># break buffer into shorts
</span> <span class='id identifier rubyid_arr'>arr</span> <span class='op'>=</span> <span class='const'>Array</span><span class='period'>.</span><span class='id identifier rubyid_new'>new</span>
<span class='id identifier rubyid_off'>off</span> <span class='op'>=</span> <span class='int'>0</span>
<span class='kw'>if</span> <span class='lparen'>(</span><span class='lparen'>(</span><span class='id identifier rubyid_buffer'>buffer</span><span class='period'>.</span><span class='id identifier rubyid_length'>length</span> <span class='op'>%</span> <span class='int'>2</span><span class='rparen'>)</span> <span class='op'>==</span> <span class='int'>1</span><span class='rparen'>)</span>
<span class='id identifier rubyid_buffer'>buffer</span> <span class='op'>&lt;&lt;</span> <span class='id identifier rubyid_rand_text'>rand_text</span><span class='lparen'>(</span><span class='int'>1</span><span class='rparen'>)</span>
<span class='kw'>end</span>
<span class='kw'>while</span> <span class='id identifier rubyid_off'>off</span> <span class='op'>&lt;</span> <span class='id identifier rubyid_buffer'>buffer</span><span class='period'>.</span><span class='id identifier rubyid_length'>length</span>
<span class='comment'># convert short to number
</span> <span class='id identifier rubyid_tb'>tb</span> <span class='op'>=</span> <span class='id identifier rubyid_buffer'>buffer</span><span class='lbracket'>[</span><span class='id identifier rubyid_off'>off</span><span class='comma'>,</span><span class='int'>2</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_unpack'>unpack</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>v</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='lbracket'>[</span><span class='int'>0</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_to_i'>to_i</span>
<span class='comment'>#print_status(&quot;%d %d %d&quot; % [off,buffer.length,tb])
</span> <span class='id identifier rubyid_addr'>addr</span> <span class='op'>=</span> <span class='id identifier rubyid_write_to'>write_to</span> <span class='op'>+</span> <span class='id identifier rubyid_off'>off</span>
<span class='id identifier rubyid_arr'>arr</span> <span class='op'>&lt;&lt;</span> <span class='lbracket'>[</span> <span class='id identifier rubyid_tb'>tb</span><span class='comma'>,</span> <span class='id identifier rubyid_addr'>addr</span> <span class='rbracket'>]</span>
<span class='id identifier rubyid_off'>off</span> <span class='op'>+=</span> <span class='int'>2</span>
<span class='kw'>end</span>
<span class='kw'>return</span> <span class='id identifier rubyid_arr'>arr</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
<div class="method_details ">
<h3 class="signature " id="fmtstr_gen_from_array-instance_method">
#<strong>fmtstr_gen_from_array</strong>(num_printed, arr, targ = target) &#x21d2; <tt>Object</tt>
</h3><div class="docstring">
<div class="discussion">
<p>Generates a format string from an array of value/address pairs</p>
</div>
</div>
<div class="tags">
</div><table class="source_code">
<tr>
<td>
<pre class="lines">
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'lib/msf/core/exploit/format_string.rb', line 141</span>
<span class='kw'>def</span> <span class='id identifier rubyid_fmtstr_gen_from_array'>fmtstr_gen_from_array</span><span class='lparen'>(</span><span class='id identifier rubyid_num_printed'>num_printed</span><span class='comma'>,</span> <span class='id identifier rubyid_arr'>arr</span><span class='comma'>,</span> <span class='id identifier rubyid_targ'>targ</span> <span class='op'>=</span> <span class='id identifier rubyid_target'>target</span><span class='rparen'>)</span>
<span class='id identifier rubyid_num_pops'>num_pops</span> <span class='op'>=</span> <span class='id identifier rubyid_targ'>targ</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>NumPops</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span>
<span class='id identifier rubyid_num_pad'>num_pad</span> <span class='op'>=</span> <span class='id identifier rubyid_targ'>targ</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>PadBytes</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span> <span class='op'>||</span> <span class='int'>0</span>
<span class='comment'># sort the array -- for optimization
</span> <span class='id identifier rubyid_arr'>arr</span> <span class='op'>=</span> <span class='id identifier rubyid_arr'>arr</span><span class='period'>.</span><span class='id identifier rubyid_sort'>sort</span> <span class='lbrace'>{</span> <span class='op'>|</span><span class='id identifier rubyid_x'>x</span><span class='comma'>,</span><span class='id identifier rubyid_y'>y</span><span class='op'>|</span> <span class='id identifier rubyid_x'>x</span><span class='lbracket'>[</span><span class='int'>0</span><span class='rbracket'>]</span> <span class='op'>&lt;=&gt;</span> <span class='id identifier rubyid_y'>y</span><span class='lbracket'>[</span><span class='int'>0</span><span class='rbracket'>]</span> <span class='rbrace'>}</span>
<span class='comment'># build up the addrs and fmts buffers
</span> <span class='id identifier rubyid_fmts'>fmts</span> <span class='op'>=</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_end'>&quot;</span></span>
<span class='id identifier rubyid_addrs'>addrs</span> <span class='op'>=</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_end'>&quot;</span></span>
<span class='id identifier rubyid_num'>num</span> <span class='op'>=</span> <span class='id identifier rubyid_fmtstr_count_printed'>fmtstr_count_printed</span><span class='lparen'>(</span><span class='id identifier rubyid_num_printed'>num_printed</span><span class='comma'>,</span> <span class='id identifier rubyid_num_pad'>num_pad</span><span class='comma'>,</span> <span class='id identifier rubyid_num_pops'>num_pops</span><span class='comma'>,</span> <span class='id identifier rubyid_arr'>arr</span><span class='rparen'>)</span>
<span class='id identifier rubyid_arr'>arr</span><span class='period'>.</span><span class='id identifier rubyid_each'>each</span> <span class='kw'>do</span> <span class='op'>|</span><span class='id identifier rubyid_el'>el</span><span class='op'>|</span>
<span class='comment'># find out how much to advance the column value
</span> <span class='id identifier rubyid_prec'>prec</span> <span class='op'>=</span> <span class='id identifier rubyid_fmtstr_target_short'>fmtstr_target_short</span><span class='lparen'>(</span><span class='id identifier rubyid_el'>el</span><span class='lbracket'>[</span><span class='int'>0</span><span class='rbracket'>]</span><span class='comma'>,</span> <span class='id identifier rubyid_num'>num</span><span class='rparen'>)</span>
<span class='comment'># for non-dpa, if the prec is more than 8, we need something to pop
</span> <span class='kw'>if</span> <span class='kw'>not</span> <span class='ivar'>@use_dpa</span> <span class='kw'>and</span> <span class='id identifier rubyid_prec'>prec</span> <span class='op'>&gt;=</span> <span class='int'>8</span>
<span class='id identifier rubyid_addrs'>addrs</span> <span class='op'>&lt;&lt;</span> <span class='id identifier rubyid_rand_text'>rand_text</span><span class='lparen'>(</span><span class='int'>4</span><span class='rparen'>)</span>
<span class='kw'>end</span>
<span class='comment'># write here!
</span> <span class='id identifier rubyid_addrs'>addrs</span> <span class='op'>&lt;&lt;</span> <span class='lbracket'>[</span><span class='id identifier rubyid_el'>el</span><span class='lbracket'>[</span><span class='int'>1</span><span class='rbracket'>]</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_pack'>pack</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>V</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span>
<span class='comment'># put our advancement fmt (or bytes)
</span> <span class='id identifier rubyid_fmts'>fmts</span> <span class='op'>&lt;&lt;</span> <span class='id identifier rubyid_fmtstr_advance_count'>fmtstr_advance_count</span><span class='lparen'>(</span><span class='id identifier rubyid_prec'>prec</span><span class='rparen'>)</span>
<span class='comment'># fmt to cause the write :)
</span> <span class='kw'>if</span> <span class='ivar'>@use_dpa</span>
<span class='id identifier rubyid_fmts'>fmts</span> <span class='op'>&lt;&lt;</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>%</span><span class='tstring_end'>&quot;</span></span> <span class='op'>+</span> <span class='id identifier rubyid_num_pops'>num_pops</span><span class='period'>.</span><span class='id identifier rubyid_to_s'>to_s</span> <span class='op'>+</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>$hn</span><span class='tstring_end'>&quot;</span></span>
<span class='id identifier rubyid_num_pops'>num_pops</span> <span class='op'>+=</span> <span class='int'>1</span>
<span class='kw'>else</span>
<span class='id identifier rubyid_fmts'>fmts</span> <span class='op'>&lt;&lt;</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>%hn</span><span class='tstring_end'>&quot;</span></span>
<span class='kw'>end</span>
<span class='comment'># update written count
</span> <span class='id identifier rubyid_num'>num</span> <span class='op'>=</span> <span class='id identifier rubyid_el'>el</span><span class='lbracket'>[</span><span class='int'>0</span><span class='rbracket'>]</span>
<span class='kw'>end</span>
<span class='comment'># make sure we don't have bad characters ...
</span> <span class='kw'>if</span> <span class='lparen'>(</span><span class='id identifier rubyid_bad_idx'>bad_idx</span> <span class='op'>=</span> <span class='const'><span class='object_link'><a href="../../Rex.html" title="Rex (module)">Rex</a></span></span><span class='op'>::</span><span class='const'>Text</span><span class='period'>.</span><span class='id identifier rubyid_badchar_index'>badchar_index</span><span class='lparen'>(</span><span class='id identifier rubyid_addrs'>addrs</span><span class='comma'>,</span> <span class='id identifier rubyid_payload_badchars'>payload_badchars</span><span class='rparen'>)</span><span class='rparen'>)</span>
<span class='id identifier rubyid_raise'>raise</span> <span class='const'><span class='object_link'><a href="../BadcharError.html" title="Msf::BadcharError (class)">BadcharError</a></span></span><span class='period'>.</span><span class='id identifier rubyid_new'><span class='object_link'><a href="../BadcharError.html#initialize-instance_method" title="Msf::BadcharError#initialize (method)">new</a></span></span><span class='lparen'>(</span><span class='id identifier rubyid_addrs'>addrs</span><span class='comma'>,</span> <span class='id identifier rubyid_bad_idx'>bad_idx</span><span class='comma'>,</span> <span class='id identifier rubyid_addrs'>addrs</span><span class='period'>.</span><span class='id identifier rubyid_length'>length</span><span class='comma'>,</span> <span class='id identifier rubyid_addrs'>addrs</span><span class='lbracket'>[</span><span class='id identifier rubyid_bad_idx'>bad_idx</span><span class='rbracket'>]</span><span class='rparen'>)</span><span class='comma'>,</span>
<span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>The format string address area contains invalid characters.</span><span class='tstring_end'>&quot;</span></span><span class='comma'>,</span>
<span class='id identifier rubyid_caller'>caller</span>
<span class='kw'>end</span>
<span class='comment'># put it all together
</span> <span class='id identifier rubyid_stuff'>stuff</span> <span class='op'>=</span> <span class='id identifier rubyid_rand_text'>rand_text</span><span class='lparen'>(</span><span class='id identifier rubyid_num_pad'>num_pad</span><span class='rparen'>)</span>
<span class='id identifier rubyid_stuff'>stuff</span> <span class='op'>&lt;&lt;</span> <span class='id identifier rubyid_addrs'>addrs</span>
<span class='kw'>if</span> <span class='kw'>not</span> <span class='ivar'>@use_dpa</span>
<span class='id identifier rubyid_stuff'>stuff</span> <span class='op'>&lt;&lt;</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>%8x</span><span class='tstring_end'>&quot;</span></span> <span class='op'>*</span> <span class='id identifier rubyid_num_pops'>num_pops</span>
<span class='kw'>end</span>
<span class='id identifier rubyid_stuff'>stuff</span> <span class='op'>&lt;&lt;</span> <span class='id identifier rubyid_fmts'>fmts</span>
<span class='kw'>return</span> <span class='id identifier rubyid_stuff'>stuff</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
<div class="method_details ">
<h3 class="signature " id="fmtstr_set_caps-instance_method">
#<strong>fmtstr_set_caps</strong>(fpu, dpa) &#x21d2; <tt>Object</tt>
</h3><div class="docstring">
<div class="discussion">
<p>Allow the caller to override the capability flags (use of FPU pops and direct parameter access)</p>
</div>
</div>
<div class="tags">
</div><table class="source_code">
<tr>
<td>
<pre class="lines">
28
29
30
31</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'lib/msf/core/exploit/format_string.rb', line 28</span>
<span class='kw'>def</span> <span class='id identifier rubyid_fmtstr_set_caps'>fmtstr_set_caps</span><span class='lparen'>(</span><span class='id identifier rubyid_fpu'>fpu</span><span class='comma'>,</span> <span class='id identifier rubyid_dpa'>dpa</span><span class='rparen'>)</span>
<span class='ivar'>@use_fpu</span> <span class='op'>=</span> <span class='id identifier rubyid_fpu'>fpu</span>
<span class='ivar'>@use_dpa</span> <span class='op'>=</span> <span class='id identifier rubyid_dpa'>dpa</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
<div class="method_details ">
<h3 class="signature " id="fmtstr_stack_read-instance_method">
#<strong>fmtstr_stack_read</strong>(offset, extra = &#39;&#39;) &#x21d2; <tt>Object</tt>
</h3><div class="docstring">
<div class="discussion">
<p>Read a single 32-bit integer from the stack at the specified offset</p>
</div>
</div>
<div class="tags">
</div><table class="source_code">
<tr>
<td>
<pre class="lines">
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'lib/msf/core/exploit/format_string.rb', line 254</span>
<span class='kw'>def</span> <span class='id identifier rubyid_fmtstr_stack_read'>fmtstr_stack_read</span><span class='lparen'>(</span><span class='id identifier rubyid_offset'>offset</span><span class='comma'>,</span> <span class='id identifier rubyid_extra'>extra</span> <span class='op'>=</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span>
<span class='comment'># can't read offset 0!
</span> <span class='kw'>return</span> <span class='kw'>nil</span> <span class='kw'>if</span> <span class='id identifier rubyid_offset'>offset</span> <span class='op'>&lt;</span> <span class='int'>1</span>
<span class='id identifier rubyid_fmt'>fmt</span> <span class='op'>=</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_end'>&#39;</span></span>
<span class='id identifier rubyid_fmt'>fmt</span> <span class='op'>&lt;&lt;</span> <span class='id identifier rubyid_extra'>extra</span>
<span class='kw'>if</span> <span class='ivar'>@use_dpa</span>
<span class='id identifier rubyid_fmt'>fmt</span> <span class='op'>&lt;&lt;</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>|%</span><span class='tstring_end'>&quot;</span></span> <span class='op'>+</span> <span class='id identifier rubyid_offset'>offset</span><span class='period'>.</span><span class='id identifier rubyid_to_s'>to_s</span> <span class='op'>+</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>$x</span><span class='tstring_end'>&quot;</span></span>
<span class='kw'>else</span>
<span class='id identifier rubyid_x'>x</span> <span class='op'>=</span> <span class='id identifier rubyid_offset'>offset</span>
<span class='kw'>if</span> <span class='ivar'>@use_fpu</span> <span class='kw'>and</span> <span class='id identifier rubyid_x'>x</span> <span class='op'>&gt;=</span> <span class='int'>2</span>
<span class='id identifier rubyid_fmt'>fmt</span> <span class='op'>&lt;&lt;</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>%g</span><span class='tstring_end'>&quot;</span></span> <span class='op'>*</span> <span class='lparen'>(</span><span class='id identifier rubyid_x'>x</span><span class='op'>/</span><span class='int'>2</span><span class='rparen'>)</span>
<span class='id identifier rubyid_x'>x</span> <span class='op'>%=</span> <span class='int'>2</span>
<span class='kw'>end</span>
<span class='id identifier rubyid_fmt'>fmt</span> <span class='op'>&lt;&lt;</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>%x</span><span class='tstring_end'>&quot;</span></span> <span class='op'>*</span> <span class='lparen'>(</span><span class='id identifier rubyid_x'>x</span><span class='op'>-</span><span class='int'>1</span><span class='rparen'>)</span>
<span class='id identifier rubyid_fmt'>fmt</span> <span class='op'>&lt;&lt;</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>|</span><span class='tstring_end'>&quot;</span></span>
<span class='id identifier rubyid_fmt'>fmt</span> <span class='op'>&lt;&lt;</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>%x</span><span class='tstring_end'>&quot;</span></span>
<span class='kw'>end</span>
<span class='id identifier rubyid_res'>res</span> <span class='op'>=</span> <span class='id identifier rubyid_trigger_fmt'>trigger_fmt</span><span class='lparen'>(</span><span class='id identifier rubyid_fmt'>fmt</span><span class='rparen'>)</span>
<span class='kw'>return</span> <span class='id identifier rubyid_res'>res</span> <span class='kw'>if</span> <span class='kw'>not</span> <span class='id identifier rubyid_res'>res</span>
<span class='id identifier rubyid_numstr'>numstr</span> <span class='op'>=</span> <span class='id identifier rubyid_extract_fmt_output'>extract_fmt_output</span><span class='lparen'>(</span><span class='id identifier rubyid_res'>res</span><span class='rparen'>)</span>
<span class='id identifier rubyid_dw'>dw</span> <span class='op'>=</span> <span class='id identifier rubyid_numstr'>numstr</span><span class='period'>.</span><span class='id identifier rubyid_split'>split</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>|</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='lbracket'>[</span><span class='int'>1</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_to_i'>to_i</span><span class='lparen'>(</span><span class='int'>16</span><span class='rparen'>)</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
<div class="method_details ">
<h3 class="signature " id="fmtstr_target_short-instance_method">
#<strong>fmtstr_target_short</strong>(value, num_printed) &#x21d2; <tt>Object</tt>
</h3><div class="docstring">
<div class="discussion">
<p>Generate the precision value that, given the number of characters already printed, will make the next short write produce the specified value, wrapping around at 0x10000 when the value is below the current count</p>
</div>
</div>
<div class="tags">
</div><table class="source_code">
<tr>
<td>
<pre class="lines">
226
227
228
229
230
231</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'lib/msf/core/exploit/format_string.rb', line 226</span>
<span class='kw'>def</span> <span class='id identifier rubyid_fmtstr_target_short'>fmtstr_target_short</span><span class='lparen'>(</span><span class='id identifier rubyid_value'>value</span><span class='comma'>,</span> <span class='id identifier rubyid_num_printed'>num_printed</span><span class='rparen'>)</span>
<span class='kw'>if</span> <span class='id identifier rubyid_value'>value</span> <span class='op'>&lt;</span> <span class='id identifier rubyid_num_printed'>num_printed</span>
<span class='kw'>return</span> <span class='lparen'>(</span><span class='int'>0x10000</span> <span class='op'>-</span> <span class='id identifier rubyid_num_printed'>num_printed</span><span class='rparen'>)</span> <span class='op'>+</span> <span class='id identifier rubyid_value'>value</span>
<span class='kw'>end</span>
<span class='kw'>return</span> <span class='id identifier rubyid_value'>value</span> <span class='op'>-</span> <span class='id identifier rubyid_num_printed'>num_printed</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
<div class="method_details ">
<h3 class="signature " id="generate_fmt_two_shorts-instance_method">
#<strong>generate_fmt_two_shorts</strong>(num_printed, write_to, write_what, targ = target) &#x21d2; <tt>Object</tt>
</h3><div class="docstring">
<div class="discussion">
<p>Generates a format string that will perform an arbitrary write using two separate short values</p>
</div>
</div>
<div class="tags">
</div><table class="source_code">
<tr>
<td>
<pre class="lines">
92
93
94
95
96
97
98
99</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'lib/msf/core/exploit/format_string.rb', line 92</span>
<span class='kw'>def</span> <span class='id identifier rubyid_generate_fmt_two_shorts'>generate_fmt_two_shorts</span><span class='lparen'>(</span><span class='id identifier rubyid_num_printed'>num_printed</span><span class='comma'>,</span> <span class='id identifier rubyid_write_to'>write_to</span><span class='comma'>,</span> <span class='id identifier rubyid_write_what'>write_what</span><span class='comma'>,</span> <span class='id identifier rubyid_targ'>targ</span> <span class='op'>=</span> <span class='id identifier rubyid_target'>target</span><span class='rparen'>)</span>
<span class='id identifier rubyid_arr'>arr</span> <span class='op'>=</span> <span class='const'>Array</span><span class='period'>.</span><span class='id identifier rubyid_new'>new</span>
<span class='id identifier rubyid_arr'>arr</span> <span class='op'>&lt;&lt;</span> <span class='lbracket'>[</span> <span class='id identifier rubyid_write_what'>write_what</span> <span class='op'>&amp;</span> <span class='int'>0xffff</span><span class='comma'>,</span> <span class='id identifier rubyid_write_to'>write_to</span> <span class='rbracket'>]</span>
<span class='id identifier rubyid_arr'>arr</span> <span class='op'>&lt;&lt;</span> <span class='lbracket'>[</span> <span class='id identifier rubyid_write_what'>write_what</span> <span class='op'>&gt;&gt;</span> <span class='int'>16</span><span class='comma'>,</span> <span class='id identifier rubyid_write_to'>write_to</span> <span class='op'>+</span> <span class='int'>2</span> <span class='rbracket'>]</span>
<span class='id identifier rubyid_stuff'>stuff</span> <span class='op'>=</span> <span class='id identifier rubyid_fmtstr_gen_from_array'>fmtstr_gen_from_array</span><span class='lparen'>(</span><span class='id identifier rubyid_num_printed'>num_printed</span><span class='comma'>,</span> <span class='id identifier rubyid_arr'>arr</span><span class='comma'>,</span> <span class='id identifier rubyid_targ'>targ</span><span class='rparen'>)</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
<div class="method_details ">
<h3 class="signature " id="generate_fmtstr_from_buf-instance_method">
#<strong>generate_fmtstr_from_buf</strong>(num_printed, write_to, buffer, targ = target) &#x21d2; <tt>Object</tt>
</h3><div class="docstring">
<div class="discussion">
<p>Generates a format string that will write an arbitrary buffer to the specified address, breaking it into a series of short values</p>
</div>
</div>
<div class="tags">
</div><table class="source_code">
<tr>
<td>
<pre class="lines">
105
106
107
108
109
110
111
112</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'lib/msf/core/exploit/format_string.rb', line 105</span>
<span class='kw'>def</span> <span class='id identifier rubyid_generate_fmtstr_from_buf'>generate_fmtstr_from_buf</span><span class='lparen'>(</span><span class='id identifier rubyid_num_printed'>num_printed</span><span class='comma'>,</span> <span class='id identifier rubyid_write_to'>write_to</span><span class='comma'>,</span> <span class='id identifier rubyid_buffer'>buffer</span><span class='comma'>,</span> <span class='id identifier rubyid_targ'>targ</span> <span class='op'>=</span> <span class='id identifier rubyid_target'>target</span><span class='rparen'>)</span>
<span class='comment'># break buffer into shorts
</span> <span class='id identifier rubyid_arr'>arr</span> <span class='op'>=</span> <span class='id identifier rubyid_fmtstr_gen_array_from_buf'>fmtstr_gen_array_from_buf</span><span class='lparen'>(</span><span class='id identifier rubyid_write_to'>write_to</span><span class='comma'>,</span> <span class='id identifier rubyid_buffer'>buffer</span><span class='comma'>,</span> <span class='id identifier rubyid_targ'>targ</span><span class='rparen'>)</span>
<span class='comment'># now build the format string in its entirety
</span> <span class='id identifier rubyid_stuff'>stuff</span> <span class='op'>=</span> <span class='id identifier rubyid_fmtstr_gen_from_array'>fmtstr_gen_from_array</span><span class='lparen'>(</span><span class='id identifier rubyid_num_printed'>num_printed</span><span class='comma'>,</span> <span class='id identifier rubyid_arr'>arr</span><span class='comma'>,</span> <span class='id identifier rubyid_targ'>targ</span><span class='rparen'>)</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
<div class="method_details ">
<h3 class="signature " id="initialize-instance_method">
#<strong>initialize</strong>(info = {}) &#x21d2; <tt>Object</tt>
</h3><div class="docstring">
<div class="discussion">
<p>Creates an instance of a format string exploit</p>
</div>
</div>
<div class="tags">
</div><table class="source_code">
<tr>
<td>
<pre class="lines">
17
18
19
20
21
22</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'lib/msf/core/exploit/format_string.rb', line 17</span>
<span class='kw'>def</span> <span class='id identifier rubyid_initialize'>initialize</span><span class='lparen'>(</span><span class='id identifier rubyid_info'>info</span> <span class='op'>=</span> <span class='lbrace'>{</span><span class='rbrace'>}</span><span class='rparen'>)</span>
<span class='kw'>super</span>
<span class='ivar'>@use_fpu</span> <span class='op'>=</span> <span class='kw'>false</span>
<span class='ivar'>@use_dpa</span> <span class='op'>=</span> <span class='kw'>false</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
</div>
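<p>The methods above build format strings out of a small set of directive shapes: sequential <tt>%x</tt> pops (padded to <tt>%8x</tt>), <tt>%g</tt> FPU pops that skip two slots at a time, direct-parameter <tt>%N$</tt> access when DPA is available, and <tt>%hn</tt> short writes after a padding conversion. The following Ruby is an added example, not code from Msf::Exploit::FormatString or the Metasploit project: a defensive classifier that recognises those same shapes in untrusted input, so that an input filter or log review can tell a harmless percent sign from a stack-read probe or a write primitive. It assumes 32-bit argument slots (matching the mixin's <tt>'V'</tt> packing and <tt>%8x</tt> pops); the verdict thresholds and every sample string are constructed for illustration.</p>

```ruby
# Added example, not code from Msf::Exploit::FormatString: a defensive
# classifier that recognises the printf directive shapes the mixin emits
# (sequential "%x" pops, "%g" FPU pops, direct-parameter "%N$" access and the
# "%n"/"%hn" write conversions) so an input filter or log review can flag them.
# Assumptions: 32-bit argument slots (the mixin packs addresses with 'V' and
# pops with "%8x"), and verdict thresholds chosen for illustration only.

# One printf conversion specification; "N$" is POSIX direct parameter access.
DIRECTIVE = /%(?<dpa>\d+\$)?(?<flags>[-+ #0]*)(?<width>\d+|\*)?(?:\.(?<prec>\d+|\*))?(?<len>hh|h|ll|l|L|q|j|z|t)?(?<conv>[diouxXeEfFgGaAcspn%])/

# Store width, in bytes, of the "%n" family by length modifier (default: int).
WRITE_SIZE = { 'hh' => 1, 'h' => 2, 'll' => 8 }.freeze

# Return every directive in +str+ as a MatchData, in order of appearance.
def parse_directives(str)
  matches = []
  pos = 0
  while (m = DIRECTIVE.match(str, pos))
    matches << m
    pos = m.end(0)
  end
  matches
end

# Walk the directives the way a printf implementation consumes arguments and
# summarise what the string would do to the stack.
def classify_format_input(str)
  report = { pops: 0, fpu_pops: 0, dpa: false, writes: [], max_width: 0 }
  position = 0 # next sequential argument slot
  parse_directives(str).each do |m|
    next if m[:conv] == '%' # "%%" prints a literal percent and consumes nothing
    width = m[:width].to_i  # nil and '*' both become 0
    report[:max_width] = width if width > report[:max_width]
    if m[:dpa]
      report[:dpa] = true
      slot = m[:dpa].to_i   # "7$" -> 7
    else
      position += 1
      slot = position
    end
    case m[:conv]
    when 'n'
      report[:writes] << { slot: slot, size: WRITE_SIZE.fetch(m[:len], 4) }
    when 'e', 'E', 'f', 'F', 'g', 'G', 'a', 'A'
      # a double is 8 bytes, so one conversion skips two 32-bit slots
      report[:fpu_pops] += 1
      position += 1 unless m[:dpa]
    else
      report[:pops] += 1
    end
  end
  report[:verdict] =
    if !report[:writes].empty?
      :write_primitive
    elsif report[:dpa] || report[:pops] + report[:fpu_pops] >= 3
      :stack_read_probe
    elsif report[:pops] + report[:fpu_pops] > 0
      :format_directives
    else
      :clean
    end
  report
end

# Constructed sample inputs, one per shape the mixin produces.
SAMPLES = {
  clean:   'user=alice action=login rc=0',
  literal: 'progress 100%% done',
  probe:   'AAAA|%x%x%x|%x',            # sequential read, as fmtstr_stack_read builds it
  dpa:     '|%7$x',                      # direct-parameter read
  fpu:     'AAAA%g%g|%x',                # "%g" pops skip slots two at a time
  write:   'BBBB%8x%8x%8x%300x%hn%hn'    # padded pops followed by short writes
}.freeze

# Verdict per sample, for a quick run.
def scan_samples
  SAMPLES.transform_values { |s| classify_format_input(s)[:verdict] }
end

scan_samples.each { |name, verdict| puts "#{name}: #{verdict}" } if $PROGRAM_NAME == __FILE__
```

<p>The <tt>writes</tt> entries record which argument slot each <tt>%hn</tt> would dereference and how many bytes it would store, which is the detail a reviewer needs to decide whether a flagged string could reach an attacker-controlled address or only a harmless one; the <tt>max_width</tt> field exposes the large padding counts that the precision calculation in <tt>fmtstr_target_short</tt> produces. Anything reaching <tt>:write_primitive</tt> or <tt>:stack_read_probe</tt> is worth rejecting before it gets near a <tt>printf</tt>-style call, and the real fix is never to pass untrusted data as a format argument at all.</p>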
</div>
<div id="footer">
Generated on Fri May 8 17:01:38 2026 by
<a href="https://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
0.9.37 (ruby-3.1.5).
</div>
</div>
</body>
</html>