def _load32_migrate(self):
    """Collect the 32-bit stack-migration gadgets from the executable segments.

    Two byte patterns are searched for: ``c9 c3`` (x86 ``leave; ret``) and
    ``5d c3`` (x86 ``pop ebp; ret``).  Every hit is converted from a segment
    offset into a virtual address by adding the segment's load address, and
    the resulting address lists are stored under ``self._gadgets['leave']``
    and ``self._gadgets['popebp']``.  Only segments reported by
    ``self.elf.executable_segments()`` are scanned, so a match in a
    non-executable mapping is never offered as a gadget.

    NOTE(review): the patterns are Python 2 byte strings; under Python 3 they
    would have to be ``bytes`` literals to match segment data.
    """
    patterns = {'leave': '\xc9\xc3', 'popebp': '\x5d\xc3'}
    hits = {key: [] for key in patterns}
    for data, base in self.elf.executable_segments():
        for key, pat in patterns.items():
            # pwn.findall yields offsets into `data`; rebase them onto `base`.
            hits[key].extend(off + base for off in pwn.findall(data, pat))
    self._gadgets['leave'] = hits['leave']
    self._gadgets['popebp'] = hits['popebp']
def search(self, s, non_writable = False):
    """Yield, once per scanned segment, the virtual addresses where ``s`` occurs.

    Args:
        s: the byte sequence to look for; it is handed to ``pwn.findall`` as a
            list of its elements.
        non_writable: when True, any segment whose flag string contains 'W'
            is skipped, so only addresses in non-writable mappings are
            returned (a writable location is not a stable gadget source).

    Each yielded value is the per-segment result of ``map`` over the match
    offsets rebased onto ``seg['virtaddr']``; segments without a match still
    yield an empty result.  Only the file-backed part of a segment
    (``filesiz`` bytes starting at ``offset``) is searched, so zero-filled
    tails such as .bss are not covered.
    """
    self._load_data()
    for seg in self.segments:
        if non_writable and 'W' in seg['flg']:
            continue
        start = seg['offset']
        chunk = self._data[start : start + seg['filesiz']]
        base = seg['virtaddr']
        yield map(lambda hit: hit + base, pwn.findall(chunk, list(s)))
def search(self, s, non_writable=False):
    """Generator of per-segment address lists for every occurrence of ``s``.

    ``s`` is converted with ``list(s)`` before being passed to
    ``pwn.findall``.  With ``non_writable=True`` segments carrying the 'W'
    flag are left out, which restricts hits to read-only/executable
    mappings.  The search covers ``seg['filesiz']`` bytes from
    ``seg['offset']`` in ``self._data`` (loaded via ``self._load_data``),
    and each match offset is rebased by adding ``seg['virtaddr']``.
    One value is yielded per segment scanned, even when it has no match.
    """
    self._load_data()
    for seg in self.segments:
        writable = 'W' in seg['flg']
        if writable and non_writable:
            continue
        lo = seg['offset']
        hi = lo + seg['filesiz']
        window = self._data[lo:hi]
        rebase = seg['virtaddr']
        yield map(lambda pos: pos + rebase, pwn.findall(window, list(s)))
def _pivot(self, args):
    """Pick a pop-N/ret gadget chain able to skip over ``args``.

    ``self._gadgets['popret']`` is read as a mapping from pop count to a list
    of gadget addresses; only the first address of each list is used.

    Resolution order:
      1. The smallest pop count that is >= ``len(args)``: return
         ``(gadget_address, pop_count)``.
      2. Otherwise, for each index ``i`` at which ``pwn.findall(args, None)``
         reports a ``None`` slot (presumably a placeholder the caller left
         free), and for which a pop-``i`` gadget exists: recursively pivot
         over ``args[i + 1:]``.  On success the recursive pivot's address is
         written into ``args[i]`` (the caller's list is mutated in place)
         and ``(pop_i_gadget, i + 1 + tail_size)`` is returned.
      3. Return ``None`` when no chain can be built.

    Args:
        args: list of values to be skipped; ``None`` entries may be overwritten.

    Returns:
        A ``(pivot_address, consumed_size)`` tuple, or ``None``.
    """
    gadgets = self._gadgets['popret']
    needed = len(args)

    # 1. A single gadget that pops at least as many words as we have args.
    for count in sorted(gadgets):
        if count >= needed:
            return (gadgets[count][0], count)

    # 2. Chain through a free (None) slot: pop up to the slot, land on a
    #    pivot for the remainder.
    for slot in pwn.findall(args, None):
        if slot not in gadgets:
            continue
        tail = self._pivot(args[slot + 1:])
        if tail is None:
            continue
        tail_pivot, tail_size = tail
        args[slot] = tail_pivot
        return (gadgets[slot][0], tail_size + slot + 1)

    # 3. Nothing fits.
    return None
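def replace(self, s, repl, non_writable = False, padding = '\x90'):
    """Overwrite every occurrence of ``s`` in the loaded segment data.

    Args:
        s: byte string to look for (passed to ``pwn.findall`` as a list).
        repl: either the replacement byte string, or a callable
            ``repl(addr, s)`` invoked once per match with the match's virtual
            address; it returns the replacement, or ``None`` to leave that
            occurrence untouched.
        non_writable: when True, segments whose flag string contains 'W' are
            skipped.
        padding: single fill character used to pad a short replacement up to
            ``len(s)``; the default 0x90 is the x86 NOP so the patched range
            still executes past the replacement.

    A replacement longer than ``s`` aborts via ``pwn.die`` rather than being
    written, since it would clobber the bytes following the match.  Matches
    are located on a snapshot of each segment and the edits go straight
    into ``self._data``; nothing is written back to disk here.

    Fix over the previous version: the replacement callback was recognised
    only when it was a plain function (``types.FunctionType``), so bound
    methods, ``functools.partial`` objects and other callables were treated
    as the literal replacement and failed at ``.ljust``.  Any callable is
    now accepted.
    """
    self._load_data()
    needle = list(s)  # hoisted: identical for every segment
    for seg in self.segments:
        if non_writable and 'W' in seg['flg']:
            continue
        off = seg['offset']
        # Snapshot of the file-backed bytes; matches are computed on this copy.
        dat = self._data[off : off + seg['filesiz']]
        for idx in pwn.findall(dat, needle):
            addr = idx + seg['virtaddr']
            rep = repl(addr, s) if callable(repl) else repl
            if rep is None:
                continue
            # Check before padding: ljust never shortens, so an oversize
            # replacement must be refused outright.
            if len(rep) > len(s):
                pwn.die('Replacement is larger than the replaced')
            rep = rep.ljust(len(s), padding)
            self._data[off + idx : off + idx + len(s)] = rep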
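def replace(self, s, repl, non_writable=False, padding='\x90'):
    """Patch each occurrence of ``s`` inside the segment data held in ``self._data``.

    Args:
        s: byte string to search for; ``pwn.findall`` receives ``list(s)``.
        repl: replacement byte string, or a callable ``repl(addr, s)`` that is
            called for every match with the match's virtual address and
            returns the replacement (``None`` skips that match).
        non_writable: skip segments whose flags contain 'W' when True.
        padding: one-character fill used to extend a shorter replacement to
            ``len(s)``; defaults to the x86 NOP byte 0x90.

    Raises (via ``pwn.die``) if a replacement is longer than ``s``, because
    writing it would overrun the matched bytes.  The segment slice that is
    searched is a copy, so the in-place edits to ``self._data`` do not affect
    the match positions found for that segment.

    Behavioural fix: ``repl`` is detected with ``callable`` instead of
    ``isinstance(repl, types.FunctionType)``, so bound methods, partials and
    callable objects work as callbacks instead of being mistaken for the
    replacement bytes.
    """
    self._load_data()
    pattern = list(s)
    width = len(s)
    for seg in self.segments:
        if non_writable and 'W' in seg['flg']:
            continue
        lo = seg['offset']
        window = self._data[lo:lo + seg['filesiz']]
        for idx in pwn.findall(window, pattern):
            vaddr = idx + seg['virtaddr']
            if callable(repl):
                candidate = repl(vaddr, s)
            else:
                candidate = repl
            if candidate is None:
                continue
            if len(candidate) > width:
                pwn.die('Replacement is larger than the replaced')
            # Pad short replacements so exactly `width` bytes are overwritten.
            self._data[lo + idx:lo + idx + width] = candidate.ljust(width, padding)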