Class PayloadBuilder

Class Documentation

class PayloadBuilder

A class designed to construct and optimize exploit payloads.

This builder manages multiple payload components, ROP (Return-Oriented Programming) chains, and stack pivots to create a cohesive and functional exploit payload. It attempts to find suitable stack pivots and apply ROP actions efficiently.

The implementation tracks StackShiftingInfo for every RopAction. If two actions can be stored adjacently, the StackShiftingInfo between them will represent an empty shift.

Public Functions

inline PayloadBuilder(const Pivots &pivots, uint64_t kaslr_base)

Constructs a PayloadBuilder instance.

Parameters:
  • pivots – Available stack pivot gadgets.

  • kaslr_base – The Kernel Address Space Layout Randomization base address.

void AddPayload(Payload &payload, const std::vector<Register> &registers = {}, std::optional<size_t> rip_ptr_offset = std::nullopt)

Adds a new payload component to the builder.

Parameters:
  • payload – A reference to the Payload object to add.

  • registers – Optional vector of Registers that point to this buffer at the moment RIP control is gained (defaults to empty).

  • rip_ptr_offset – Optional offset of a field containing a function pointer which if overwritten can lead to RIP control. If nullopt, then this payload does not contain such a field.

void AddPayload(Payload &payload, std::optional<Register> reg = std::nullopt, std::optional<size_t> rip_ptr_offset = std::nullopt)

Adds a new payload component with an optional single register.

Parameters:
  • payload – A reference to the Payload object to add.

  • reg – Optional register that points to this buffer at the moment RIP control is gained (defaults to nullopt, meaning no register points to this buffer).

  • rip_ptr_offset – Optional offset of a field containing a function pointer which if overwritten can lead to RIP control. If nullopt, then this payload does not contain such a field.

void AddRopChain(const RopChain &rop_chain)

Appends a ROP chain to the builder’s sequence of ROP actions.

Parameters:
  • rop_chain – The RopChain object to add.

void SetRopShift(const uint64_t shift_value)

Uses stack shift gadgets to shift the stack by at least shift_value.

This method is useful for moving the ROP chain towards the end of the buffer, so that function calls made from the chain do not clobber data located before the buffer.

Parameters:
  • shift_value – Minimum number of bytes by which the stack is shifted.

bool Build(bool need_pivot = true)

Attempts to build the final payload.

This method tries to find a suitable stack pivot, applies it to the payload, and then attempts to integrate all ROP actions, performing stack shifts as necessary.

Parameters:
  • need_pivot – If true, the builder explicitly looks for a stack pivot (defaults to true).

Throws:
  • ExpKitError – if multiple RIP offsets are found when need_pivot is true.

Returns:
  true if a payload is successfully built, false otherwise.

void PrintDebugInfo() const

Prints debug information about the built payload, if successful.

This includes details about the chosen stack pivot, stack shifts, and ROP chain layout.

StackPivot GetStackPivot()

Returns the chosen stack pivot.

This function may be called after Build() to get the stack pivot gadget that was chosen.