Esempio n. 1
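 def collect(self, do_filter_unsafe=True):
     """Enumerate the ``ret``-terminated gadgets of ``self._filename`` with Ropper.

     The binary is loaded through ``RopperService`` (``type='rop'``, at most
     six instructions per gadget), ``Arch`` is initialised from the file's
     reported architecture, and only gadgets whose last decoded instruction
     is a ``ret`` with an immediate below ``MAX_RETN`` are kept.

     Args:
         do_filter_unsafe: when true the collected list is passed through
             ``filter_unsafe`` before it is returned.

     Returns:
         A list of ``Gadget`` objects (filtered when ``do_filter_unsafe``).
     """
     print('Collecting...')
     logging.info("Starting Collection phase")
     # Ropper options; the trailing comments restate Ropper's own
     # descriptions and defaults for each key.
     options = {
         'color': False,    # coloured output when gadgets are printed; default: False
         'badbytes': '',    # bytes that must not appear in addresses or chains; default: ''
         'all': False,      # keep duplicate gadgets; default: False
         'inst_count': 6,   # max instructions per gadget; default: 6
         'type': 'rop',     # rop, jop, sys, all; default: all
         'detailed': True,  # detailed output when gadgets are printed; default: False
     }
     rs = RopperService(options)
     rs.addFile(self._filename)
     rs.loadGadgetsFor(name=self._filename)
     loaded = rs.getFileFor(name=self._filename)
     # Arch must be initialised from the binary before Arch.md (the
     # disassembler used below) is touched.
     Arch.init(str(loaded.arch))
     gadgets = []
     for g in loaded.gadgets:
         address = g._lines[0][0] + g.imageBase
         address_end = g._lines[-1][0] + g.imageBase
         hex_bytes = g._bytes
         # Decode a single instruction from the tail of the gadget bytes
         # (offset address_end - address, presumably the last instruction)
         # to check that the gadget really ends in `ret`.
         ret = next(
             Arch.md.disasm(hex_bytes[address_end - address:], 0x0, count=1),
             None)
         # A tail that the disassembler cannot decode yields nothing; without
         # the default `next()` raised StopIteration here, so treat such a
         # gadget like a non-ret one and skip it.
         if ret is None or ret.id != X86_INS_RET:
             continue
         # Immediate operand of `ret imm`, 0 for a bare `ret`.
         retn = ret.operands[0].value.imm if ret.operands else 0
         if retn < MAX_RETN:
             gadgets.append(
                 Gadget(hex_bytes,
                        address=address,
                        address_end=address_end,
                        retn=retn,
                        arch=Arch.ARCH_BITS))
     return filter_unsafe(gadgets) if do_filter_unsafe else gadgets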
Esempio n. 2
    def sys_collect(self, do_filter_unsafe=True):
        """Collect Ropper's syscall gadgets (``type='sys'``) for ``self._filename``.

        Each Ropper gadget is wrapped in a ``Gadget`` (``retn=0``, empty
        ``modified_regs``) and that in turn in ``Other_Gadget``.

        Args:
            do_filter_unsafe: when true, return ``sys_filter_unsafe(gadgets)``
                instead of the raw list.

        Returns:
            A list of ``Other_Gadget`` objects.
        """
        # Ropper options; trailing comments mirror Ropper's descriptions/defaults.
        ropper_options = {
            'color': False,    # coloured output when printing; default: False
            'badbytes': '',    # bytes that must not appear in addresses/chains; default: ''
            'all': False,      # keep duplicate gadgets; default: False
            'inst_count': 6,   # instructions per gadget; default: 6
            'type': 'sys',     # rop, jop, sys, all; default: all
            'detailed': True,  # detailed output when printing; default: False
        }

        service = RopperService(ropper_options)
        service.addFile(self._filename)
        service.loadGadgetsFor(name=self._filename)
        loaded_file = service.getFileFor(name=self._filename)

        def wrap(raw):
            # Gadget bounds are the offsets of the first and last instruction
            # line, each shifted by the image base.
            base = raw.imageBase
            inner = Gadget(raw._bytes,
                           address=raw._lines[0][0] + base,
                           address_end=raw._lines[-1][0] + base,
                           retn=0,
                           modified_regs=[],
                           arch=Arch.ARCH_BITS)
            return Other_Gadget(inner)

        gadgets = [wrap(raw) for raw in loaded_file.gadgets]
        if not do_filter_unsafe:
            return gadgets
        return sys_filter_unsafe(gadgets)
Esempio n. 3
# Reload gadgets once per gadget type; with no `name=` the reload presumably
# covers every file opened on `rs`.
for gadget_type in ('jop', 'rop'):
    rs.options.type = gadget_type
    rs.loadGadgetsFor()

# change instruction count and reload with the longer limit
rs.options.inst_count = 10
rs.loadGadgetsFor()

##### print gadgets #######
rs.printGadgetsFor()  # print all gadgets
rs.printGadgetsFor(name=ls)  # only the file registered as `ls`

##### Get gadgets ######
gadgets = rs.getFileFor(name=ls).gadgets

##### search pop pop ret ######
pprs = rs.searchPopPopRet(name=ls)  # looks for ppr only in 'test-binaries/ls-x86'
pprs = rs.searchPopPopRet()  # looks for ppr in all opened files (replaces the result above)
for _filename, ppr_list in pprs.items():
    for ppr in ppr_list:
        print(ppr)

##### load jmp reg ######
jmp_regs = rs.searchJmpReg(name=ls, regs=['esp', 'eax'])  # only in 'test-binaries/ls-x86'
jmp_regs = rs.searchJmpReg(regs=['esp', 'eax'])
jmp_regs = rs.searchJmpReg()  # looks for jmp esp in all opened files
for file, jmp_reg in jmp_regs.items():
    for j in jmp_reg:
Esempio n. 4
#!/usr/bin/env python3
from ropper import RopperService

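def are_bytes_printable(num, width=4):
    """Return True when each of the ``width`` low bytes of ``num`` is printable ASCII.

    Printable ASCII is 0x20 (space) through 0x7e ('~'); 0x7f is DEL and is
    rejected here (a ``> 0x7f`` bound would let it through). Bytes above the
    ``width`` lowest ones are not examined.

    Args:
        num: integer whose low bytes are tested.
        width: number of low bytes to check; the default of 4 matches a
            32-bit address.
    """
    for i in range(width):
        byte = (num >> (i * 8)) & 0xFF
        if byte < 0x20 or byte > 0x7e:
            return False
    return True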


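# The option key must be the string 'type'; a bare `type` would be the
# builtin, so Ropper would not see a 'type' option at all.
options = {'color': False, 'all': True, 'type': 'all'}

rs = RopperService(options)
rs.addFile('libc-2.15.so')
rs.loadGadgetsFor()

gadgets = rs.getFileFor(name='libc-2.15.so').gadgets
# Offset added to every gadget address before the printable check;
# presumably the load address assumed for this libc -- TODO confirm.
LIBC_BASE = 0x5555e000
printable = [gadget for gadget in gadgets
             if are_bytes_printable(gadget.address + LIBC_BASE)]

for gadget in printable:
    print(gadget)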
Esempio n. 5
from ropper import RopperService
import argparse
"""The regular Ropper.py was throwing an error, so im doing this"""

# Usage: <script> FILEPATH -- prints every gadget Ropper finds in the file.
parser = argparse.ArgumentParser()
parser.add_argument("filepath", help="File to get gadgets from")
args = parser.parse_args()

# Ropper options: no colour, reject addresses containing a 0x00 byte, drop
# duplicate gadgets, at most six instructions, every gadget type, plain output.
options = dict(
    color=False,
    badbytes='00',
    all=False,
    inst_count=6,
    type='all',
    detailed=False,
)

filename = args.filepath

rs = RopperService(options)
rs.addFile(filename)
rs.loadGadgetsFor()
gadgets = rs.getFileFor(filename).gadgets
for gadget in gadgets:
    print(f"{hex(gadget.address)}:  {gadget.simpleInstructionString()}")
Esempio n. 6
def _reload_with(**overrides):
    """Set the given Ropper options on ``rs.options`` and reload gadgets.

    The reload passes no ``name=``, so it presumably covers every file
    opened on ``rs``.
    """
    for option, value in overrides.items():
        setattr(rs.options, option, value)
    rs.loadGadgetsFor()


_reload_with(type='jop')
_reload_with(type='rop')

# change instruction count
_reload_with(inst_count=10)

##### print gadgets #######
rs.printGadgetsFor()  # print all gadgets
rs.printGadgetsFor(name=ls)  # only the file registered as `ls`

##### Get gadgets ######
gadgets = rs.getFileFor(name=ls).gadgets

##### search pop pop ret ######
pprs = rs.searchPopPopRet(name=ls)  # looks for ppr only in 'test-binaries/ls-x86'
pprs = rs.searchPopPopRet()  # looks for ppr in all opened files (replaces the result above)
for _filename, found in pprs.items():
    for ppr in found:
        print(ppr)

##### load jmp reg ######
jmp_regs = rs.searchJmpReg(name=ls, regs=['esp', 'eax'])  # only in 'test-binaries/ls-x86'
jmp_regs = rs.searchJmpReg(regs=['esp', 'eax'])
jmp_regs = rs.searchJmpReg()  # looks for jmp esp in all opened files
Esempio n. 7
    ]
    # ROPgadget side: parse `config` into args, open the binary and harvest
    # gadgets from every executable section, then apply ROPgadget's clean-up
    # pass and option filtering.
    rg_args = Args(config).getArgs()
    rg_bin = Binary(rg_args)
    G = Gadgets(rg_bin, rg_args, rg_offset)
    exec_sections = rg_bin.getExecSections()
    rg_gadgets = []
    for section in exec_sections:
        rg_gadgets += G.addROPGadgets(section)
    rg_gadgets = G.passClean(rg_gadgets, rg_args.multibr)
    rg_gadgets = Options(rg_args, rg_bin, rg_gadgets).getGadgets()
    # ---------------------

    # Ropper side, only when the file parsed (ropper_parsing_error is set
    # earlier, outside this excerpt): force x86, load, sort by address and
    # reset the image base to 0 after the gadgets have been read.
    if not ropper_parsing_error:
        rs.setArchitectureFor(name=f, arch='x86')
        rs.loadGadgetsFor(name=f)
        rp_gadgets = rs.getFileFor(f).gadgets
        rp_gadgets.sort(key=attrgetter('address'))
        print 'Found {} gadgets!'.format(len(rp_gadgets))
        rs.setImageBaseFor(name=f, imagebase=0x0)
    else:
        rp_gadgets = []

    # Use whichever tool found more gadgets; `rp` records whether Ropper's
    # list was chosen (ties go to Ropper).
    rp_len = len(rp_gadgets)
    rg_len = len(rg_gadgets)
    rp = True
    gadgets = rp_gadgets
    if rp_len < rg_len:
        gadgets = rg_gadgets
        rp = False
    # Number of 5000-gadget batches, plus one. This is Python 2 (print
    # statement, xrange below), so `/` is integer division here; under
    # Python 3 it would yield a float -- TODO confirm target interpreter.
    rep = (len(gadgets) / 5000) + 1
    for r in xrange(rep):