diff --git a/ROPgadget/ropgadget/ropchain/arch/ropmakerx86.py b/ROPgadget/ropgadget/ropchain/arch/ropmakerx86.py
index 368f728..e7d858a 100644
--- a/ROPgadget/ropgadget/ropchain/arch/ropmakerx86.py
+++ b/ROPgadget/ropgadget/ropchain/arch/ropmakerx86.py
@@ -11,6 +11,7 @@ import re
 from capstone import *
 from textwrap import wrap
 import sys
+import math
 from struct import pack
@@ -126,26 +127,30 @@ class ROPMakerX86(object):
 command = self.execPath
 # split command into chunks of 4, prepend with /s as necessary
 if len(command) % 4 > 0:
- command = (4 - (len(command) % 4)) * "/" + command
+ command = padding_len(len(command)) * "/" + command
 command_chunks = wrap(command, 4)
 ## EXEC (ARG0) \0 ARG1 \0 ARG2 \0 ... \0 PTR->EXEC PTR->ARG1 PTR->ARG2 ... \0 ##
- args = []
+ args = ["test", "test1", "long string example"]
+ chunked_args = []
+ for arg in args:
+ if len(arg) % 4 > 0:
+ arg = arg + padding_len(len(arg)) * "!"
+ chunked_args.append(wrap)
 # & ( "cat" \0 )
 exec_addr = dataAddr
- arg_addr = []
-
 # setup argv array # [ & "--run" \0 , & "--verbose" \0 ]
 # note that the null bytes may be written "earlier", when the string is not len % 4 == 0
+ arg_addr = []
 acc_addr = exec_addr + len(command) + 4
 for i, arg in enumerate(args):
 arg_addr.append(acc_addr)
- acc_addr += len(arg) + (4 - (len(arg) % 4)) + 4
+ acc_addr += len(arg) + padding_len(len(arg)) + 4
 # & ( [ ptr -> "cat" ] ++ arg_addr )
 argv_addr = acc_addr
@@ -180,6 +185,7 @@ class ROPMakerX86(object):
 # Write Argument Strings #
 ##########################
+
 ####################
 # Write Argv Array #
@@ -308,3 +314,8 @@ class ROPMakerX86(object):
 self.__buildRopChain(write4where[0], popDst, popSrc, xorSrc, xorEax, incEax, popEbx, popEcx, popEdx, syscall)
+# def round_n(x, n):
+# return int(math.ceil(x / n) * n)
+
+def padding_len(x):
+ return -(x % -4)
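Review bot: `import math` is unused on the new side of this file: the only reference to `math` is inside the commented-out `round_n` in the last hunk, and the `padding_len` helper that replaces it uses only the `%` operator. Either drop the import or make `round_n` live code; an unused import will be flagged by any linter and misleads readers into looking for a ceil-based computation that no longer exists.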
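Review bot: `chunked_args.append(wrap)` appends the `textwrap.wrap` function object itself, not the chunked argument; the intent, mirroring `command_chunks = wrap(command, 4)` three lines above, is presumably `chunked_args.append(wrap(arg, 4))`. Separately, `args` now hard-codes three literal strings where the old code had an empty list, which reads as debugging scaffolding rather than a finished interface — whether `chunked_args` is consumed is outside this hunk, but the argv list should come from the caller (e.g. a constructor parameter) instead of a literal, or every chain built from this class silently carries these test values. The `"!"` padding is appended after the argument bytes and `acc_addr` reserves the 4-byte terminator after that padding, so unless the "Write Argument Strings" section (also outside the hunk) writes the NUL at offset `len(arg)`, the padding characters become part of the argument value; a one-line comment stating which of the two is the case, e.g. `# padding bytes are overwritten by the NUL written in "Write Argument Strings"`, would make the layout contract explicit. The enclosing method begins and ends outside the hunk.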
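Review bot: `padding_len` has no docstring and hard-codes the 4-byte word size that the rest of the builder also spells out as a bare `4`; a keyword default keeps both call sites unchanged while naming the constant: `def padding_len(x, n=4):` / `"""Return the number of bytes needed to pad x up to the next multiple of n (0 when already aligned)."""` / `return -(x % -n)`. The commented-out `round_n` above it is dead code and should be deleted rather than kept as a comment. Defining the helper below the class works because the name is resolved at call time, but the file's convention of imports-then-definitions suggests placing it above `class ROPMakerX86`.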