jack/security-cw
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Mod -4 to calculate padding

Browse Source 
Co-authored-by: Chris Gora <34940205+ChrisGora@users.noreply.github.com>
Co-authored-by: jack bond-preston <jackbondpreston@outlook.com>
This commit is contained in:
Liam Dalgarno 2020-11-28 16:19:37 +00:00
parent 0e9e49935a
commit e5c6aa6060
1 changed files with 16 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
ROPgadget/ropgadget/ropchain/arch/ropmakerx86.py
View File

@ -11,6 +11,7 @@ import re
from capstone import * from capstone import *
from textwrap import wrap from textwrap import wrap
import sys import sys
import math
from struct import pack from struct import pack
@ -126,26 +127,30 @@ class ROPMakerX86(object):
command = self.execPath command = self.execPath
# split command into chunks of 4, prepend with /s as necessary # split command into chunks of 4, prepend with /s as necessary
if len(command) % 4 > 0: if len(command) % 4 > 0:
command = (4 - (len(command) % 4)) * "/" + command command = padding_len(len(command)) * "/" + command
command_chunks = wrap(command, 4) command_chunks = wrap(command, 4)
## EXEC (ARG0) \0 ARG1 \0 ARG2 \0 ... \0 PTR->EXEC PTR->ARG1 PTR->ARG2 ... \0 ## ## EXEC (ARG0) \0 ARG1 \0 ARG2 \0 ... \0 PTR->EXEC PTR->ARG1 PTR->ARG2 ... \0 ##
args = [] args = ["test", "test1", "long string example"]
chunked_args = []
for arg in args:
if len(arg) % 4 > 0:
arg = arg + padding_len(len(arg)) * "!"
chunked_args.append(wrap)
# & ( "cat" \0 ) # & ( "cat" \0 )
exec_addr = dataAddr exec_addr = dataAddr
arg_addr = []
# setup argv array # setup argv array
# [ & "--run" \0 , & "--verbose" \0 ] # [ & "--run" \0 , & "--verbose" \0 ]
# note that the null bytes may be written "earlier", when the string is not len % 4 == 0 # note that the null bytes may be written "earlier", when the string is not len % 4 == 0
arg_addr = []
acc_addr = exec_addr + len(command) + 4 acc_addr = exec_addr + len(command) + 4
for i, arg in enumerate(args): for i, arg in enumerate(args):
arg_addr.append(acc_addr) arg_addr.append(acc_addr)
acc_addr += len(arg) + (4 - (len(arg) % 4)) + 4 acc_addr += len(arg) + padding_len(len(arg)) + 4
# & ( [ ptr -> "cat" ] ++ arg_addr ) # & ( [ ptr -> "cat" ] ++ arg_addr )
argv_addr = acc_addr argv_addr = acc_addr
@ -181,6 +186,7 @@ class ROPMakerX86(object):
########################## ##########################
#################### ####################
# Write Argv Array # # Write Argv Array #
#################### ####################
@ -308,3 +314,8 @@ class ROPMakerX86(object):
self.__buildRopChain(write4where[0], popDst, popSrc, xorSrc, xorEax, incEax, popEbx, popEcx, popEdx, syscall) self.__buildRopChain(write4where[0], popDst, popSrc, xorSrc, xorEax, incEax, popEbx, popEcx, popEdx, syscall)
# def round_n(x, n):
# return int(math.ceil(x / n) * n)
def padding_len(x):
return -(x % -4)