Module: HeapInfo

Defined in:
lib/heapinfo.rb,
lib/heapinfo/nil.rb,
lib/heapinfo/libc.rb,
lib/heapinfo/arena.rb,
lib/heapinfo/cache.rb,
lib/heapinfo/chunk.rb,
lib/heapinfo/chunks.rb,
lib/heapinfo/dumper.rb,
lib/heapinfo/helper.rb,
lib/heapinfo/process.rb,
lib/heapinfo/segment.rb,
lib/heapinfo/version.rb,
lib/heapinfo/ext/string.rb,
lib/heapinfo/glibc/free.rb,
lib/heapinfo/glibc/error.rb,
lib/heapinfo/glibc/glibc.rb,
lib/heapinfo/glibc/helper.rb,
lib/heapinfo/process_info.rb

Overview

HeapInfo - an interactive debugger for heap exploitation

HeapInfo makes pwning life easier with a Ruby-style memory dumper. It can show bin layouts or dump memory to check whether an exploit works (or will work). HeapInfo can be used alongside ltrace/strace/gdb simultaneously, since it does not use ptrace at all.

Author:

  • david942j

Defined Under Namespace

Modules: Cache, Ext, Glibc, Helper

Classes: Arena, Chunk, Chunks, Dumper, Fastbin, Libc, Nil, Process, ProcessInfo, Segment, Smallbin, UnsortedBin

Constant Summary

TMP_DIR = '/tmp/.heapinfo'.freeze

  Directory for writing some temporary files while working; make sure /tmp is writable.

VERSION = '1.1.0'.freeze

  Current gem version.

Class Method Summary

  • .heapinfo(prog, options = {}) ⇒ HeapInfo::Process

    Entry point for using HeapInfo.

Class Method Details

.heapinfo(prog, options = {}) ⇒ HeapInfo::Process

Entry point for using HeapInfo. Shows the segment info of the process once it has been loaded.

Examples:

h = heapinfo './victim'
# outputs:
# Program: /home/heapinfo/victim PID: 20568
# victim          base @ 0x400000
# [heap]          base @ 0x11cc000
# [stack]         base @ 0x7fff2b244000
# libc-2.19.so    base @ 0x7f892a63a000
# ld-2.19.so      base @ 0x7f892bee6000
# canary          value: 0x84b742f03d94c100
p h.libc.name
#=> "/lib/x86_64-linux-gnu/libc-2.19.so"
p h.ld.name
#=> "/lib/x86_64-linux-gnu/ld-2.19.so"
p h.heap.base.to_s(16)
#=> '11cc000'
h = heapinfo(27605, libc: 'libc.so.6')
# pid 27605 is run by custom loader
p h.libc.name
#=> "/home/heapinfo/libc.so.6"
p h.ld.name
#=> "/home/heapinfo/ld-linux-x86-64.so.2"

Parameters:

  • prog (String, Integer)

    The program name of the victim. If a number is given, it is treated as a pid (useful when multiple processes exist).

  • options (Hash) (defaults to: {})

    Gives the library's file name.

Options Hash (options):

  • :libc (String, Regexp)

    File name of glibc; the default is /bc*.so/.

Returns:

  • (HeapInfo::Process)

# File 'lib/heapinfo.rb', line 48

def self.heapinfo(prog, options = {})
  h = HeapInfo::Process.new(prog, options)
  puts h # prints the segment summary (the Process object's to_s)
  h      # return the Process so the caller can keep inspecting it
end
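The summary that heapinfo prints (program, [heap], [stack], libc and ld bases) is the kind of information a debugger can obtain without ptrace by reading the target's /proc/<pid>/maps. The following is an added example and is not code from the HeapInfo gem: it parses a constructed maps excerpt and derives the same base addresses shown in the example output above. The names (parse_maps, segment_base, segment_summary, MapEntry) and the sample mapping lines are constructed for this example; the assumption that the gem itself reads /proc maps is not confirmed by this page.

```ruby
# Added example (not part of the HeapInfo gem): derive per-segment base
# addresses from /proc/<pid>/maps text, which is readable without ptrace.
# All names and the sample mapping text below are constructed.

# Constructed /proc/<pid>/maps excerpt for a process called "victim".
SAMPLE_MAPS = <<~MAPS
  00400000-00401000 r-xp 00000000 08:01 1234567 /home/heapinfo/victim
  00600000-00601000 r--p 00000000 08:01 1234567 /home/heapinfo/victim
  00601000-00602000 rw-p 00001000 08:01 1234567 /home/heapinfo/victim
  011cc000-011ed000 rw-p 00000000 00:00 0       [heap]
  7f892a63a000-7f892a7f5000 r-xp 00000000 08:01 7654321 /lib/x86_64-linux-gnu/libc-2.19.so
  7f892a7f5000-7f892a9f4000 ---p 001bb000 08:01 7654321 /lib/x86_64-linux-gnu/libc-2.19.so
  7f892bee6000-7f892bf09000 r-xp 00000000 08:01 7654322 /lib/x86_64-linux-gnu/ld-2.19.so
  7fff2b244000-7fff2b265000 rw-p 00000000 00:00 0       [stack]
MAPS

# One mapping line: "start-end perms offset dev inode [pathname]".
MapEntry = Struct.new(:start, :stop, :perms, :path)

# Parse maps text into MapEntry records; malformed lines are skipped.
def parse_maps(text)
  text.each_line.map do |line|
    m = line.chomp.match(/\A(\h+)-(\h+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s*(.*)\z/)
    next unless m
    MapEntry.new(m[1].to_i(16), m[2].to_i(16), m[3], m[4].strip)
  end.compact
end

# Base address of the first mapping whose path matches `matcher`
# (a String for an exact match, a Regexp otherwise). /proc maps are listed
# in ascending address order, so the first hit is the lowest mapped address.
def segment_base(entries, matcher)
  entry = entries.find { |e| matcher === e.path }
  entry && entry.start
end

# Mirror the summary heapinfo prints: program, [heap], [stack], libc, ld.
# The libc/ld matchers are this example's own defaults, not the gem's.
def segment_summary(maps_text, prog_name, libc: %r{/libc[^/]*\.so}, ld: %r{/ld[^/]*\.so})
  entries = parse_maps(maps_text)
  {
    prog_name => segment_base(entries, Regexp.new("/#{Regexp.escape(prog_name)}\\z")),
    '[heap]'  => segment_base(entries, '[heap]'),
    '[stack]' => segment_base(entries, '[stack]'),
    'libc'    => segment_base(entries, libc),
    'ld'      => segment_base(entries, ld)
  }
end

if __FILE__ == $PROGRAM_NAME
  segment_summary(SAMPLE_MAPS, 'victim').each do |name, base|
    puts format('%-8s base @ 0x%x', name, base || 0)
  end
end
```

Because the matcher for libc is a Regexp, the same function covers the custom-loader case from the example above (passing libc: 'libc.so.6' style names as a Regexp or exact String), and a missing segment yields nil rather than raising.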