Mod -4 to calculate padding

Co-authored-by: Chris Gora <34940205+ChrisGora@users.noreply.github.com> Co-authored-by: jack bond-preston <jackbondpreston@outlook.com>
2020-11-28 16:19:37 +00:00 · 2020-11-28 16:19:37 +00:00 · e5c6aa6060
commit e5c6aa6060
parent 0e9e49935a
1 changed files with 16 additions and 5 deletions
--- a/ROPgadget/ropgadget/ropchain/arch/ropmakerx86.py
+++ b/ROPgadget/ropgadget/ropchain/arch/ropmakerx86.py
@ -11,6 +11,7 @@ import re
 from   capstone import *
 from textwrap import wrap
 import sys
+import math
 from struct import pack


@ -126,26 +127,30 @@ class ROPMakerX86(object):
        command = self.execPath
        # split command into chunks of 4, prepend with /s as necessary
        if len(command) % 4 > 0:
-            command = (4 - (len(command) % 4)) * "/" + command
+            command = padding_len(len(command)) * "/" + command
        command_chunks = wrap(command, 4)

        ## EXEC (ARG0) \0 ARG1 \0 ARG2 \0 ... \0 PTR->EXEC PTR->ARG1 PTR->ARG2 ... \0 ##

-        args = []
+        args = ["test", "test1", "long string example"]
+        chunked_args = []
+        for arg in args:
+            if len(arg) % 4 > 0:
+                arg = arg + padding_len(len(arg)) * "!"
+            chunked_args.append(wrap)
        
        # & ( "cat" \0 )
        exec_addr = dataAddr

-        arg_addr  = []
-
        # setup argv array
        # [ & "--run" \0 , & "--verbose" \0 ]
        # note that the null bytes may be written "earlier", when the string is not len % 4 == 0
+        arg_addr  = []
        acc_addr = exec_addr + len(command) + 4
        for i, arg in enumerate(args):
            arg_addr.append(acc_addr)

-            acc_addr += len(arg) + (4 - (len(arg) % 4)) + 4
+            acc_addr += len(arg) + padding_len(len(arg)) + 4

        # & ( [ ptr -> "cat" ] ++ arg_addr )
        argv_addr = acc_addr
@ -181,6 +186,7 @@ class ROPMakerX86(object):
        ##########################

        
+
        ####################
        # Write Argv Array #
        ####################
@ -308,3 +314,8 @@ class ROPMakerX86(object):

        self.__buildRopChain(write4where[0], popDst, popSrc, xorSrc, xorEax, incEax, popEbx, popEcx, popEdx, syscall)

+# def round_n(x, n):
+#     return int(math.ceil(x / n) * n)
+
+def padding_len(x):
+    return -(x % -4)