#
#--
# Ronin Exploits - A Ruby library for Ronin that provides exploitation and
# payload crafting functionality.
#
# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#++
#

require 'ronin/exploits/exceptions/payload_size'
require 'ronin/exploits/buffer_overflow_target'
require 'ronin/exploits/binary_exploit'

module Ronin
  module Exploits
    #
    # A BinaryExploit whose buffer is laid out as padding, then the
    # payload, then repeated return material taken from a
    # BufferOverflowTarget (see +build_buffer+).
    #
    class BufferOverflow < BinaryExploit

      objectify :ronin_buffer_overflow

      # Targets of the buffer overflow
      has n, :targets, :class_name => 'BufferOverflowTarget'

      #
      # Adds a new BufferOverflowTarget, built from _attributes_ with
      # <tt>:exploit</tt> set to this exploit, to +targets+. If a _block_
      # is given it is handed on to BufferOverflowTarget.new.
      #
      # Returns whatever <tt>targets <<</tt> returns (the collection).
      #
      def target(attributes={},&block)
        new_target = BufferOverflowTarget.new(
          attributes.merge(:exploit => self),
          &block
        )

        self.targets << new_target
      end

      #
      # Builds the exploit buffer with the given _options_.
      #
      # _options_ may contain:
      # <tt>:target</tt>:: The BufferOverflowTarget to build for.
      #                    Defaults to +selected_target+.
      # <tt>:payload</tt>:: The payload placed in the buffer (converted
      #                     with +to_s+). Defaults to <tt>@payload</tt>.
      #
      # Raises PayloadSize when the payload is longer than the target's
      # +buffer_length+.
      #
      # The result is the padding returned by +pad_buffer+ (presumably
      # supplied by BinaryExploit together with +selected_target+ and
      # <tt>@pad</tt> — not visible in this file), sized so that padding
      # plus payload fills +buffer_length+, followed by the payload, and
      # then by the target's packed +ip+: repeated
      # <tt>return_length * 2</tt> times when +bp+ is zero, otherwise the
      # packed +bp+ followed by the packed +ip+ repeated +return_length+
      # times. +pack+ here takes the target's +arch+ and is not core Ruby.
      #
      # NOTE(review): String#length counts characters rather than bytes on
      # Ruby 1.9+; if the size check is meant in bytes, +bytesize+ may be
      # intended — confirm.
      #
      def build_buffer(options={})
        target  = options[:target] || selected_target
        payload = (options[:payload] || @payload).to_s

        if payload.length > target.buffer_length
          raise(PayloadSize,"the specified payload is too large for the target's buffer length",caller)
        end

        padding = pad_buffer(@pad, target.buffer_length - payload.length)
        buffer  = padding + payload

        ip_packed = target.ip.pack(target.arch)

        # The repeated return material depends on whether the target has a
        # bp value; a zero bp doubles the ip repetition instead.
        tail = if target.bp == 0
                 ip_packed * (target.return_length * 2)
               else
                 (target.bp.pack(target.arch) + ip_packed) * target.return_length
               end

        buffer + tail
      end

      #
      # Default builder method which simply calls build_buffer and stores
      # the result in <tt>@exploit</tt> (the assignment is also the return
      # value).
      #
      def builder
        @exploit = build_buffer
      end

    end
  end
end