diff --git a/CHANGELOG.md b/CHANGELOG.md index be1969f95..54a1901bf 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -72,6 +72,7 @@ The table below shows which release corresponds to each branch, and what date th ## 4.14.0 (`dev`) +- [#2430][2430] Add resolution_addr parameter to Ret2dlresolvePayload - [#2371][2371] Add functions for retrieving process mappings - [#2360][2360] Add offline parameter for `search_by_hash` series function - [#2356][2356] Add local libc database provider for libcdb @@ -91,6 +92,7 @@ The table below shows which release corresponds to each branch, and what date th - [#2382][2382] added optional port, gdb_args and gdbserver_args parameters to gdb.debug() - [#2435][2435] Speed up gdbserver handshake in gdb.debug() +[2430]: https://github.com/Gallopsled/pwntools/pull/2430 [2371]: https://github.com/Gallopsled/pwntools/pull/2371 [2360]: https://github.com/Gallopsled/pwntools/pull/2360 [2356]: https://github.com/Gallopsled/pwntools/pull/2356 diff --git a/pwnlib/rop/ret2dlresolve.py b/pwnlib/rop/ret2dlresolve.py index 6b9aeaca5..08a05420a 100644 --- a/pwnlib/rop/ret2dlresolve.py +++ b/pwnlib/rop/ret2dlresolve.py @@ -219,11 +219,24 @@ class Ret2dlresolvePayload(object): elf (ELF): Binary to search symbol (str): Function to search for args (list): List of arguments to pass to the function + data_addr (int|None): The address where the payload will + be written to. If not provided, a suitable address will + be chosen automatically (recommended). + resolution_addr (int|None): The address where the location + of the resolved symbol will be written to. If not provided + will be equal to data_addr. Returns: - A ``Ret2dlresolvePayload`` object which can be passed to ``rop.ret2dlresolve`` + A ``Ret2dlresolvePayload`` object. It can be passed to ``rop.ret2dlresolve`` + for automatic exploitation. + + If that is not suitable the object generates useful values (.reloc_index + and .payload) which can be used to aid manual exploitation. In this case + it is recommended to set .resolution_addr to the GOT address of an easily + callable function (do not set it when passing the object to + rop.ret2dlresolve). """ - def __init__(self, elf, symbol, args, data_addr=None): + def __init__(self, elf, symbol, args, data_addr=None, resolution_addr=None): self.elf = elf self.elf_load_address_fixup = self.elf.address - self.elf.load_addr self.strtab = elf.dynamic_value_by_tag("DT_STRTAB") + self.elf_load_address_fixup @@ -236,6 +249,7 @@ def __init__(self, elf, symbol, args, data_addr=None): self.unreliable = False self.data_addr = data_addr if data_addr is not None else self._get_recommended_address() + self.resolution_addr = resolution_addr if resolution_addr is not None else self.data_addr # Will be set when built self.reloc_index = -1 @@ -302,11 +316,11 @@ def _build_structures(self): # ElfRel rel_addr = self.jmprel + self.reloc_index * ElfRel.size rel_type = 7 - rel = ElfRel(r_offset=self.data_addr, r_info=(index<