Add functions for writing 4 bytes and 4 nulls

Co-authored-by: Chris Gora <34940205+ChrisGora@users.noreply.github.com>
Co-authored-by: jack bond-preston <jackbondpreston@outlook.com>
Liam Dalgarno 2020-11-28 15:56:14 +00:00
parent 3b26f5c27c
commit 0e9e49935a


@ -83,6 +83,33 @@ class ROPMakerX86(object):
return p
def __write4bytes(self, address, data, data_addr, popDst, popSrc, write4where):
p = pack("<I", popDst['vaddr'])
p += pack("<I", address)
p += self.__padding(popDst, {})
p += pack("<I", popSrc['vaddr'])
p += data
p += self.__padding(popSrc, {popDst["gadget"].split()[1]: data_addr}) # Don't overwrite reg dst
p += pack("<I", write4where['vaddr'])
p += self.__padding(write4where, {})
return p
def __write4nulls(self, address, popDst, xorSrc, write4where):
p = pack("<I", popDst['vaddr'])
p += pack("<I", address)
p += self.__padding(popDst, {})
p += pack("<I", xorSrc["vaddr"])
p += self.__padding(xorSrc, {})
p += pack("<I", write4where["vaddr"])
p += self.__padding(write4where, {})
return p
def __buildRopChain(self, write4where, popDst, popSrc, xorSrc, xorEax, incEax, popEbx, popEcx, popEdx, syscall):
sects = self.__binary.getDataSections()
dataAddr = None
@ -135,29 +162,19 @@ class ROPMakerX86(object):
for i, chunk in enumerate(command_chunks):
address = exec_addr + (i * 4)
p += pack("<I", popDst['vaddr'])
p += pack("<I", address)
p += self.__padding(popDst, {})
p += pack("<I", popSrc['vaddr'])
p += bytes(chunk, "ascii")
p += self.__padding(popSrc, {popDst["gadget"].split()[1]: dataAddr}) # Don't overwrite reg dst
p += pack("<I", write4where['vaddr'])
p += self.__padding(write4where, {})
# write 4 char chunk of the command
p += self.__write4bytes(
address,
bytes(chunk, "ascii"),
dataAddr, popDst, popSrc, write4where
)
# write null byte after exec path string
p += pack("<I", popDst['vaddr'])
p += pack("<I", exec_addr + len(command))
p += self.__padding(popDst, {})
p += pack("<I", xorSrc["vaddr"])
p += self.__padding(xorSrc, {})
p += pack("<I", write4where["vaddr"])
p += self.__padding(write4where, {})
p += self.__write4nulls(
exec_addr + len(command),
popDst, xorSrc, write4where
)
##########################
# Write Argument Strings #
@ -168,32 +185,18 @@ class ROPMakerX86(object):
# Write Argv Array #
####################
# put argvAddr in edx
p += pack('<I', popDst['vaddr'])
p += pack('<I', argv_addr) # @ .data + {offset + 4}
p += self.__padding(popDst, {})
# write argv[0] = exec_addr
p += self.__write4bytes(
argv_addr,
pack('<I', exec_addr),
dataAddr, popDst, popSrc, write4where
)
# write the exec path address to eax
p += pack('<I', popSrc['vaddr'])
p += pack('<I', exec_addr) # @ .data
p += self.__padding(popSrc, {popDst["gadget"].split()[1]: dataAddr}) # Don't overwrite reg dst
# perform the write: eax -> [edx]
# write the exec path address to argv[0]
p += pack('<I', write4where['vaddr']) # {write4where['gadget']}")
p += self.__padding(write4where, {})
# ARGV MUST BE FOLLOWED BY NULL
p += pack('<I', popDst['vaddr']) # { popDst['gadget'] }
p += pack('<I', argv_addr + (len(args) * 4) + 4) # @ .data + {offset + 8}
p += self.__padding(popDst, {})
p += pack('<I', xorSrc["vaddr"])
p += self.__padding(xorSrc, {})
p += pack('<I', write4where["vaddr"])
p += self.__padding(write4where, {})
# write null byte after argv array
p += self.__write4nulls(
argv_addr + (len(args) * 4) + 4,
popDst, xorSrc, write4where
)
##################################
# Setup execve Args in Registers #