def __get_elf_address(self, filename):
    """Return ``(base, data)`` header addresses of the ELF at *filename*.

    A fresh ``readelf.Elf`` instance is used so the object's own ``self.elf``
    state is left untouched.

    Args:
        filename: path of the ELF file to parse.

    Returns:
        Tuple of the ``"base"`` and ``".data"`` values reported by
        ``Elf.get_header``.
    """
    headers = readelf.Elf()
    headers.read_headers(filename)
    return (headers.get_header("base"), headers.get_header(".data"))
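def __init__(self, program, libc="/lib/libc.so.6", memdump="", debug=0):
    """Load the target binary, its ELF headers and the gadget cache.

    Args:
        program: path of the ELF executable to analyse.
        libc: path of the C library used for ``get_libc_address`` lookups.
        memdump: optional file whose raw bytes are read into ``self.binary``;
            when empty (or ``None``) the program file itself is used.
        debug: verbosity flag stored on the instance.

    Side effects:
        Reads ``memdump``; reads or writes ``<basename(program)>.ggt`` in the
        current working directory as a gadget cache.
    """
    self.debug = debug
    self.program = program
    # Empty or missing memdump means "dump the program file itself".
    self.memdump = memdump or program
    gadget_file = os.path.basename(program) + ".ggt"

    # Read the whole image once; the context manager closes the handle
    # (the original left it open until garbage collection).
    with open(self.memdump, "rb") as fh:
        self.binary = fh.read()

    self.libc = libc
    self.elf = readelf.Elf()
    self.gadget = gadgets.ROPGadget(debug=0)

    # Reuse the cached gadget list when it exists and parses; any failure
    # (unreadable or corrupt cache) falls back to a fresh scan, as the
    # original bare ``except`` did, but now only for that path.
    # NOTE(review): the cache is picked up from the current directory by
    # basename only; confirm ``load_asm`` does not deserialise an
    # untrusted format (e.g. pickle) before running this in a shared dir.
    loaded = False
    if os.path.isfile(gadget_file):
        try:
            self.gadget.load_asm(gadget_file)
            loaded = True
        except Exception:
            loaded = False
    if not loaded:
        self.gadget.generate(self.program)
        self.gadget.save_asm(gadget_file)

    self.elf.read_headers(program)
    self.base = self.elf.get_header("base")
    # Address of the .comment section header; by its name it bounds a
    # search, but the consumer is outside this block.
    self.search_end = self.elf.get_header(".comment")
    self.got = self.elf.get_header(".got")
    self.data = self.elf.get_header(".data")
    self.bss = self.elf.get_header(".bss")
    # Next 256-byte boundary strictly above .bss, plus 8.
    self.stack = self.bss + 256 - (self.bss % 256) + 8

    self.frames = []  # list of frame offsets
    self.plt_address = {}
    self.got_address = {}
    self.libc_address = {}
    self.gadget_address = {}
    self.get_plt_address("sprintf", "strcpy", "__libc_start_main")
    self.get_got_address("sprintf", "strcpy", "__libc_start_main")
    self.get_libc_address("sprintf", "strcpy", "__libc_start_main", "setreuid", "execve", "mprotect", "read")
    self.get_common_gadget_address()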