Update specs (#209)

Signed-off-by: david942j <[email protected]>
david942j · Nov 29, 2023 · f8c0c84 · f8c0c84
1 parent 08ffec7
commit f8c0c84
Showing 1 changed file with 43 additions and 22 deletions.
diff --git a/spec/cli_spec.rb b/spec/cli_spec.rb
@@ -38,41 +38,55 @@
 
   it 'base' do
     expect { hook_logger { described_class.work(b_param + %w[--base 0x7fff7f000000]) } }.to output(<<-EOS).to_stdout
+0x7fff7f04f2be execve("/bin/sh", rsp+0x40, environ)
+constraints:
+  address rsp+0x50 is writable
+  rsp & 0xf == 0
+  rcx == NULL || {rcx, "-c", r12, NULL} is a valid argv
+
 0x7fff7f04f2c5 execve("/bin/sh", rsp+0x40, environ)
 constraints:
+  address rsp+0x50 is writable
   rsp & 0xf == 0
-  rcx == NULL
+  rcx == NULL || {rcx, rax, r12, NULL} is a valid argv
 
 0x7fff7f04f322 execve("/bin/sh", rsp+0x40, environ)
 constraints:
-  [rsp+0x40] == NULL
+  [rsp+0x40] == NULL || {[rsp+0x40], [rsp+0x48], [rsp+0x50], [rsp+0x58], ...} is a valid argv
 
 0x7fff7f10a38c execve("/bin/sh", rsp+0x70, environ)
 constraints:
-  [rsp+0x70] == NULL
+  [rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv
     EOS
   end
 
   it 'build id' do
     expect { described_class.work(b_param) }.to output(<<-EOS).to_stdout
+0x4f2be execve("/bin/sh", rsp+0x40, environ)
+constraints:
+  address rsp+0x50 is writable
+  rsp & 0xf == 0
+  rcx == NULL || {rcx, "-c", r12, NULL} is a valid argv
+
 0x4f2c5 execve("/bin/sh", rsp+0x40, environ)
 constraints:
+  address rsp+0x50 is writable
   rsp & 0xf == 0
-  rcx == NULL
+  rcx == NULL || {rcx, rax, r12, NULL} is a valid argv
 
 0x4f322 execve("/bin/sh", rsp+0x40, environ)
 constraints:
-  [rsp+0x40] == NULL
+  [rsp+0x40] == NULL || {[rsp+0x40], [rsp+0x48], [rsp+0x50], [rsp+0x58], ...} is a valid argv
 
 0x10a38c execve("/bin/sh", rsp+0x70, environ)
 constraints:
-  [rsp+0x70] == NULL
+  [rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv
     EOS
   end
 
   it 'build id with raw' do
     expect { described_class.work(b_param + %w[--raw --level 1]) }.to output(<<-EOS).to_stdout
-324293 324386 939679 940120 940127 940131 1090444 1090456
+324279 324286 324293 324386 939679 940120 940127 940131 1090444 1090456
     EOS
   end
 
@@ -88,6 +102,7 @@
     skip_on_windows
 
     expect { hook_logger { described_class.work(b_param + %w[-s true]) } }.to output(<<-EOS).to_stdout
+[OneGadget] Trying 0x4f2be...
 [OneGadget] Trying 0x4f2c5...
 [OneGadget] Trying 0x4f322...
 [OneGadget] Trying 0x10a38c...
@@ -105,25 +120,31 @@
 [OneGadget] Gadgets near system(0x3f4d0):
 0x3f3aa execve("/bin/sh", rsp+0x30, environ)
 constraints:
-  [rsp+0x30] == NULL
+  [rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv
 
 0x3f356 execve("/bin/sh", rsp+0x30, environ)
 constraints:
-  rax == NULL
+  address rsp+0x40 is writable
+  rax == NULL || {rax, "-c", rbx, NULL} is a valid argv
+
+0x3f34f execve("/bin/sh", rsp+0x30, environ)
+constraints:
+  address rsp+0x40 is writable
+  {"sh", "-c", rbx, NULL} is a valid argv
 
 0xb8a38 execve("/bin/sh", r13, r12)
 constraints:
-  [r13] == NULL || r13 == NULL
-  [r12] == NULL || r12 == NULL
+  [r13] == NULL || r13 == NULL || r13 is a valid argv
+  [r12] == NULL || r12 == NULL || r12 is a valid envp
 
 0xd67e5 execve("/bin/sh", rsp+0x70, environ)
 constraints:
-  [rsp+0x70] == NULL
+  [rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv
 
 0xd67f1 execve("/bin/sh", rsi, [rax])
 constraints:
-  [rsi] == NULL || rsi == NULL
-  [[rax]] == NULL || [rax] == NULL
+  [rsi] == NULL || rsi == NULL || rsi is a valid argv
+  [[rax]] == NULL || [rax] == NULL || [rax] is a valid envp
 
       EOS
     end
@@ -132,10 +153,10 @@
       file = data_path('libc-2.24-8cba3297f538691eb1875be62986993c004f3f4d.so')
       expect { hook_logger { described_class.work(%w[-n wscanf,pwrite -l 1 -r] + [file]) } }.to output(<<-EOS).to_stdout
 [OneGadget] Gadgets near pwrite(0xd9b70):
-878577 878565 756280 258986 258902
+878577 878565 756280 258986 258902 258895
 
 [OneGadget] Gadgets near wscanf(0x6afe0):
-258986 258902 756280 878565 878577
+258986 258902 258895 756280 878565 878577
 
       EOS
     end
@@ -146,22 +167,22 @@
       argv = ['-n', bin_file, '-l1', '-r', lib_file]
       expect { hook_logger { described_class.work(argv) } }.to output(<<-EOS).to_stdout
 [OneGadget] Gadgets near exit(0x359d0):
-258902 258986 756280 878565 878577
+258895 258902 258986 756280 878565 878577
 
 [OneGadget] Gadgets near puts(0x68fe0):
-258986 258902 756280 878565 878577
+258986 258902 258895 756280 878565 878577
 
 [OneGadget] Gadgets near printf(0x4f1e0):
-258986 258902 756280 878565 878577
+258986 258902 258895 756280 878565 878577
 
 [OneGadget] Gadgets near strlen(0x80420):
-756280 258986 258902 878565 878577
+756280 258986 258902 258895 878565 878577
 
 [OneGadget] Gadgets near __cxa_finalize(0x35c70):
-258902 258986 756280 878565 878577
+258895 258902 258986 756280 878565 878577
 
 [OneGadget] Gadgets near __libc_start_main(0x201a0):
-258902 258986 756280 878565 878577
+258895 258902 258986 756280 878565 878577
 
       EOS
     end