def get_gadgets_for_segment(self, segment, gadget_list, validate,
bad_bytes):
"""Iteratively step through an executable section looking for gadgets at each address"""
data, seg_address = self.parser.get_segment_bytes_address(segment)
if self.base_address == 0 and seg_address == 0:
self.logger.warning(
"No base address given for library or PIE executable. Addresses may be wrong"
)
startVA = self.base_address + seg_address
classifier = cl.GadgetClassifier(self.arch,
data,
startVA,
validate,
log_level=self.level)
classic_gadgets = []
for i in range(0, len(data), self.arch.instruction_alignment): #{
#fix-me: applying ROPGadget here to black-list all bad code points.
address = startVA + i
if bad_bytes != None and utils.address_contains_bad_byte(
address, bad_bytes, self.arch):
continue
gadgets = classifier.create_gadgets_from_instructions(address)
if finder.FILTER_FUNC != None:
gadgets = finder.FILTER_FUNC(gadgets)
classic_gadgets += gadgets
#}end for
gadget_list.add_gadgets(classic_gadgets)
#harvest the JCC gadgets if there are
jcc_gadgets = classifier.harvest_jcc_gadgets(classic_gadgets)
gadget_list.add_gadgets(jcc_gadgets)
def create_load_registers_chain(self,
next_address,
input_reg,
registers,
no_clobber=None):
if any(
map(
lambda value: utils.address_contains_bad_byte(
value, self.bad_bytes, self.arch),
registers.values())):
return create_load_registers_chain_with_bad_bytes(
next_address, input_reg, registers, no_clobber)
gadgets = self.get_load_registers_gadgets(input_reg, registers,
no_clobber)
if gadgets == None:
return None, None
chain = ""
for gadget in gadgets[::-1]:
gadget_registers = map(
lambda x: registers[x]
if x in registers else 0x5A5A5A5A5A5A5A5A,
gadget.outputs) # Fill in all "Z" for any missing registers
chain = gadget.chain(next_address, gadget_registers) + chain
next_address = gadget.address
return chain, next_address
def create_load_registers_chain_with_bad_bytes(self, next_address, input_reg, registers, no_clobber = None):
bad_registers = {}
# Sort out the bad registers
for register, value in registers:
if utils.address_contains_bad_byte(value, self.bad_bytes, self.arch):
bad_registers[register] = value
del bad_registers[register]
print "Need to find custom load gadgets for registers", bad_registers
sys.exit(0)
def create_load_registers_chain(self, next_address, input_reg, registers, no_clobber = None):
if any(map(lambda value: utils.address_contains_bad_byte(value, self.bad_bytes, self.arch), registers.values())):
return create_load_registers_chain_with_bad_bytes(next_address, input_reg, registers, no_clobber)
gadgets = self.get_load_registers_gadgets(input_reg, registers, no_clobber)
if gadgets == None:
return None, None
chain = ""
for gadget in gadgets[::-1]:
gadget_registers = map(lambda x: registers[x] if x in registers else 0x5A5A5A5A5A5A5A5A, gadget.outputs) # Fill in all "Z" for any missing registers
chain = gadget.chain(next_address, gadget_registers) + chain
next_address = gadget.address
return chain, next_address
def create_load_registers_chain_with_bad_bytes(self,
next_address,
input_reg,
registers,
no_clobber=None):
bad_registers = {}
# Sort out the bad registers
for register, value in registers:
if utils.address_contains_bad_byte(value, self.bad_bytes,
self.arch):
bad_registers[register] = value
del bad_registers[register]
print "Need to find custom load gadgets for registers", bad_registers
sys.exit(0)
def get_gadgets_for_segment(self, segment, gadget_list, validate,
bad_bytes):
"""Iteratively step through an executable section looking for gadgets at each address"""
data, seg_address = self.parser.get_segment_bytes_address(segment)
if self.base_address == 0 and seg_address == 0:
self.logger.warning(
"No base address given for library or PIE executable. Addresses may be wrong"
)
classifier = cl.GadgetClassifier(self.arch,
validate,
log_level=self.level)
for i in range(0, len(data), self.arch.instruction_alignment):
address = self.base_address + seg_address + i
if bad_bytes != None and utils.address_contains_bad_byte(
address, bad_bytes, self.arch):
continue
end = i + self.MAX_GADGET_SIZE[self.arch.name]
code = data[i:end]
gadgets = classifier.create_gadgets_from_instructions(
code, address)
if finder.FILTER_FUNC != None:
gadgets = finder.FILTER_FUNC(gadgets)
gadget_list.add_gadgets(gadgets)
def has_bad_address(self, bad_bytes): return utils.address_contains_bad_byte(self.address, bad_bytes, self.arch)
def has_bad_address(self, bad_bytes):
return utils.address_contains_bad_byte(self.address, bad_bytes,
self.arch)