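def do_generate(self, line):
    """Generate ROP gadgets for binary

    Shell command ``generate <binary> [depth]``: builds a fresh gadget set
    for ``<binary>`` via ``ROPGadget.generate`` (``depth`` is passed through
    as an int, default 3) and saves it as ``<basename>.ggt`` in the current
    working directory, replacing any gadget set already loaded.

    Args:
        line: the raw argument string handed over by cmd.Cmd.

    Returns:
        '' so the command loop keeps running.
    """
    args = line.split()
    if not args:
        # Empty or whitespace-only line: show usage instead of raising
        # IndexError on args[0].
        self.help_generate()
        return ''
    file_in = args[0]
    # The cache file is keyed on the basename only and lands in the cwd.
    file_out = os.path.basename(file_in) + ".ggt"
    try:
        depth = int(args[1])
    except (IndexError, ValueError):
        # depth omitted or not an integer: use the default
        depth = 3
    # Readability pre-check so the user gets a short message rather than a
    # traceback out of generate(); the handle is closed again immediately
    # (the original left it open).
    try:
        with open(file_in, 'rb'):
            pass
    except (IOError, OSError):
        # Single parenthesised argument: identical output on Python 2 and 3.
        print("Cannot access " + file_in)
        return ''
    if self.__gadgets.info()["hash"] != "":
        # remove the old gadget set before generating a new one
        del self.__gadgets
        self.__gadgets = gadgets.ROPGadget()
    self.__gadgets.generate(file_in, depth)
    self.__gadgets.save_asm(file_out)
    print("OK")
    return ''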
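def __init__(self, program, libc="/lib/libc.so.6", memdump="", debug=0):
    """Set up a payload builder for *program*.

    Loads a cached gadget set for *program* (or generates and caches one on
    first use), reads the ELF headers used below and resolves the PLT, GOT,
    libc and common-gadget addresses the builder relies on later.

    Args:
        program: path to the target ELF binary.
        libc: path to the C library used for symbol lookups.
        memdump: file whose raw bytes are kept in ``self.binary``;
            defaults to *program* when empty.
        debug: stored on the instance only; the ROPGadget is created with
            ``debug=0`` regardless (kept as in the original).
    """
    self.debug = debug
    self.program = program
    # Search the program image itself unless a memory dump was supplied.
    self.memdump = memdump if memdump != "" else program
    gadget_file = os.path.basename(program) + ".ggt"
    # Read the whole image once; the handle is closed on exit of the block
    # (the original never closed it).
    with open(self.memdump, "rb") as fh:
        self.binary = fh.read()
    self.libc = libc
    self.elf = readelf.Elf()
    self.gadget = gadgets.ROPGadget(debug=0)
    # Reuse the cache file from the working directory when it can be opened
    # and parsed; otherwise regenerate and write it.  NOTE(review): the cache
    # is keyed on the basename only and nothing here ties it to the binary's
    # contents, so a stale file for a different build is silently accepted.
    try:
        with open(gadget_file, 'r'):
            pass
        self.gadget.load_asm(gadget_file)
    except Exception:
        # Any open/parse failure falls back to regeneration.  Narrowed from a
        # bare except so KeyboardInterrupt/SystemExit still propagate.
        self.gadget.generate(self.program)
        self.gadget.save_asm(gadget_file)
    self.elf.read_headers(program)
    self.base = self.elf.get_header("base")
    # presumably the end of the searchable range; verify against readelf.Elf
    self.search_end = self.elf.get_header(".comment")
    self.got = self.elf.get_header(".got")
    self.data = self.elf.get_header(".data")
    self.bss = self.elf.get_header(".bss")
    # First 256-byte boundary strictly above .bss, plus 8.
    self.stack = self.bss + 256 - (self.bss % 256) + 8
    self.frames = []  # list of frame offset
    self.plt_address = {}
    self.got_address = {}
    self.libc_address = {}
    self.gadget_address = {}
    self.get_plt_address("sprintf", "strcpy", "__libc_start_main")
    self.get_got_address("sprintf", "strcpy", "__libc_start_main")
    self.get_libc_address("sprintf", "strcpy", "__libc_start_main", "setreuid", "execve", "mprotect", "read")
    self.get_common_gadget_address()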
def __init__(self):
    """Create the interactive ROPeMe shell with an empty gadget set."""
    cmd.Cmd.__init__(self)
    # Gadget container that the generate/load/search commands operate on.
    self.__gadgets = gadgets.ROPGadget(debug=0)
    # cmd.Cmd presentation: separator character under help headers, banner
    # shown on start-up, and a bold red prompt via ANSI escapes.
    self.ruler = '-'
    self.intro = "Simple ROP interactive shell: [generate, load, search] gadgets"
    self.prompt = "\033[1;31mROPeMe> \033[0m"