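def getRopchain(properties, bad_bytes):
    """Build an ``execve('/bin/sh')`` ROP chain with Ropper and return it.

    ``rs.createRopChain`` does not hand back the chain object; it returns
    Python source that prints the chain. That source is patched textually
    (string literals turned into bytes literals, the Python 2 style
    ``print rop`` statement removed) and executed in a private namespace
    so the ``rop`` variable it defines can be returned.

    Args:
        properties: dict with ``'file'`` (path of the target binary),
            ``'protections'['arch']`` (pwntools-style architecture string)
            and an optional ``'libc'`` path, which may be ``None``; when a
            libc is given its gadgets are searched too.
        bad_bytes: iterable of strings that are joined into Ropper's
            ``badbytes`` option (Ropper appears to expect hex digits,
            e.g. ``'00'``).

    Returns:
        The ``rop`` object defined by the generated chain script.

    Exits:
        Calls ``exit(0)`` after printing a diagnostic when Ropper reports
        that no chain could be created.
    """
    options = {
        'color': False,
        'badbytes': ''.join(bad_bytes),
        'all': False,
        'inst_count': 6,
        'type': 'all',
        'count_of_findings': 5,
        'cfg_only': False,
        'detailed': False,
    }
    rs = RopperService(options)

    # Load the libc only when a real path was supplied. The same `libc`
    # value guards removeFile() below; the original unloaded on mere key
    # presence, so a None libc reached rs.removeFile(None).
    libc = properties.get('libc')
    if libc is not None:
        rs.addFile(libc)
    rs.addFile(properties['file'])
    rs.loadGadgetsFor()

    # Ropper spells architectures differently from pwntools (x86, x86_64,
    # ARM, ...); see
    # https://github.com/sashs/Ropper/blob/a708fae670eece2b86daeaa276b38cb033eab231/README.md
    # Only x86 / x86_64 / ARM are mapped. NOTE: any hint containing '64'
    # (e.g. a mips64 or ppc64 string) falls into the x86_64 branch here.
    arch_hint = properties['protections']['arch']
    arch = 'x86'
    if '64' in arch_hint:
        arch = 'x86_64'
    elif 'arm' in arch_hint.lower():
        arch = 'ARM'

    chain = rs.createRopChain("execve", arch, {'cmd': '/bin/sh'})
    # Textual fix-ups so the generated script runs under Python 3: turn
    # its string literals into bytes literals and drop the bare print
    # statement. Both are plain substring replacements and fragile.
    chain = chain.replace(" '", " b'")
    chain = chain.replace("print rop", "")

    if "Cannot create chain" in chain or 'INSERT' in chain:
        print("[-] Failed to create rop chain. Try adding linked libraries")
        if libc is None:
            print("[~] Try adding linked libc")
        # NOTE: this failure path still exits with status 0; kept as-is so
        # existing callers/scripts keep their behaviour.
        exit(0)

    # SECURITY NOTE: exec() runs source emitted by Ropper for the loaded
    # binaries, unsandboxed, in this process. Only use it on binaries and
    # a Ropper installation you trust.
    namespace = {}
    exec(chain, namespace)  # the generated script defines `rop`

    if libc is not None:
        rs.removeFile(libc)
    rs.removeFile(properties['file'])
    return namespace['rop']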
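def getRopchain(properties, bad_bytes):
    """Build an ``execve('/bin/sh')`` ROP chain with Ropper and return it.

    ``rs.createRopChain`` returns Python source that prints the chain
    rather than the chain itself; that source is executed in a private
    namespace and the ``rop`` variable it defines is returned.

    Args:
        properties: dict with ``'file'`` (path of the target binary),
            ``'protections'['arch']`` (pwntools-style architecture string)
            and an optional ``'libc'`` path, which may be ``None``; when a
            libc is given its gadgets are searched too.
        bad_bytes: iterable of strings that are joined into Ropper's
            ``badbytes`` option (Ropper appears to expect hex digits,
            e.g. ``'00'``).

    Returns:
        The ``rop`` object defined by the generated chain script.

    Exits:
        Calls ``exit(0)`` after printing a diagnostic when Ropper reports
        that no chain could be created.
    """
    options = {
        'color': False,
        'badbytes': ''.join(bad_bytes),
        'all': False,
        'inst_count': 6,
        'type': 'all',
        'count_of_findings': 5,
        'cfg_only': False,
        'detailed': False,
    }
    rs = RopperService(options)

    # Debug output of the libc path (may print None); kept from the
    # original, consider removing once no longer needed.
    print(properties['libc'])

    # Load the libc only when a real path was supplied. The same `libc`
    # value guards removeFile() below; the original unloaded on mere key
    # presence, so a None libc reached rs.removeFile(None).
    libc = properties.get('libc')
    if libc is not None:
        rs.addFile(libc)
    rs.addFile(properties['file'])
    rs.loadGadgetsFor()

    # Ropper spells architectures differently from pwntools (x86, x86_64,
    # ARM, ...); see
    # https://github.com/sashs/Ropper/blob/a708fae670eece2b86daeaa276b38cb033eab231/README.md
    # Only x86 / x86_64 / ARM are mapped. NOTE: any hint containing '64'
    # (e.g. a mips64 or ppc64 string) falls into the x86_64 branch here.
    arch_hint = properties['protections']['arch']
    arch = 'x86'
    if '64' in arch_hint:
        arch = 'x86_64'
    elif 'arm' in arch_hint.lower():
        arch = 'ARM'

    chain = rs.createRopChain("execve", arch, {'cmd': '/bin/sh'})
    if "Cannot create chain" in chain or 'INSERT' in chain:
        print("[-] Failed to create rop chain. Try adding linked libraries")
        if libc is None:
            print("[~] Try adding linked libc")
        # NOTE: this failure path still exits with status 0; kept as-is so
        # existing callers/scripts keep their behaviour.
        exit(0)

    # SECURITY NOTE: exec() runs source emitted by Ropper for the loaded
    # binaries, unsandboxed, in this process. Only use it on binaries and
    # a Ropper installation you trust.
    namespace = {}
    exec(chain, namespace)  # the generated script defines `rop`

    if libc is not None:
        rs.removeFile(libc)
    rs.removeFile(properties['file'])
    return namespace['rop']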
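##### change options ######
rs.options.color = True
# badbytes: bytes that gadget addresses must avoid (Ropper appears to take
# a hex string, e.g. '00'); set and then cleared again, i.e. no restriction.
rs.options.badbytes = '00'
rs.options.badbytes = ''
rs.options.all = True

##### open binaries ######
# it is possible to open multiple files
rs.addFile('test-binaries/ls-x86')
# Read the file once inside a `with` block so the handle is closed; the
# original used open(...).read() twice and never closed either handle.
with open('test-binaries/ls-x86', 'rb') as binary_fh:
    ls_bytes = binary_fh.read()
# other possibility: hand the content over yourself under a chosen name
rs.addFile('ls', bytes=ls_bytes)
# raw=True treats the bytes as a flat blob, so the architecture must be given
rs.addFile('ls_raw', bytes=ls_bytes, raw=True, arch='x86')

##### close binaries ######
rs.removeFile('ls')
rs.removeFile('ls_raw')

# Set architecture of a binary, so it is possible to look for gadgets for a
# different architecture. It is useful for ARM if you want to look for ARM
# gadgets or Thumb gadgets, or if you opened a raw file.
ls = 'test-binaries/ls-x86'
rs.setArchitectureFor(name=ls, arch='x86')
rs.setArchitectureFor(name=ls, arch='x86_64')
rs.setArchitectureFor(name=ls, arch='ARM')
rs.setArchitectureFor(name=ls, arch='ARMTHUMB')
rs.setArchitectureFor(name=ls, arch='ARM64')
rs.setArchitectureFor(name=ls, arch='MIPS')
rs.setArchitectureFor(name=ls, arch='MIPS64')
rs.setArchitectureFor(name=ls, arch='PPC')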
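# badbytes: bytes that gadget addresses must avoid (Ropper appears to take
# a hex string, e.g. '00'); set and then cleared again, i.e. no restriction.
rs.options.badbytes = '00'
rs.options.badbytes = ''
rs.options.all = True

##### open binaries ######
# it is possible to open multiple files
rs.addFile('test-binaries/ls-x86')
# Read the file once inside a `with` block so the handle is closed; the
# original used open(...).read() twice and never closed either handle.
with open('test-binaries/ls-x86', 'rb') as binary_fh:
    ls_bytes = binary_fh.read()
# other possibility: hand the content over yourself under a chosen name
rs.addFile('ls', bytes=ls_bytes)
# raw=True treats the bytes as a flat blob, so the architecture must be given
rs.addFile('ls_raw', bytes=ls_bytes, raw=True, arch='x86')

##### close binaries ######
rs.removeFile('ls')
rs.removeFile('ls_raw')

# Set architecture of a binary, so it is possible to look for gadgets for a
# different architecture. It is useful for ARM if you want to look for ARM
# gadgets or Thumb gadgets, or if you opened a raw file.
ls = 'test-binaries/ls-x86'
rs.setArchitectureFor(name=ls, arch='x86')
rs.setArchitectureFor(name=ls, arch='x86_64')
rs.setArchitectureFor(name=ls, arch='ARM')
rs.setArchitectureFor(name=ls, arch='ARMTHUMB')
rs.setArchitectureFor(name=ls, arch='ARM64')
rs.setArchitectureFor(name=ls, arch='MIPS')
rs.setArchitectureFor(name=ls, arch='MIPS64')
rs.setArchitectureFor(name=ls, arch='PPC')
rs.setArchitectureFor(name=ls, arch='PPC64')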
# _g_dict['Gadget'] = '{}'.format(g) # analysis = analyser.analyse(g) # g.info = analysis # _g_dict['spOffset'] = g.info.spOffset if g.info else 'undef' # _map[g.address] = _g_dict # inserted += 1 # i += 1 # if j < rg_len: # g = rg_gadgets[j] # g_addr = g['vaddr'] - pe_info['ImageBase'] # if g_addr not in _map: # _g_dict['Gadget'] = '0x{:08x}: {}'.format(g_addr, g['gadget'].replace(' ; ', '; ')) # analysis = ropper_analyser(g) # _g_dict['spOffset'] = analysis.spOffset if analysis else 'undef' # _map[g_addr] = _g_dict # inserted += 1 # j += 1 # if inserted < 5000 and i >= rp_len and j >= rg_len: # break # rep += 1 # with open( # os.path.join( # os.getcwd(), # OUTFILE_PATTERN.format(f, rep, inserted, f) # ), 'w') as jf: # json.dump(_map, jf, sort_keys=True) # if i >= rp_len and j >= rg_len: # break rs.removeFile(f)