Mod -4 to calculate padding

Co-authored-by: Chris Gora <34940205+ChrisGora@users.noreply.github.com>
Co-authored-by: jack bond-preston <jackbondpreston@outlook.com>
This commit is contained in:
Liam Dalgarno 2020-11-28 16:19:37 +00:00
parent 0e9e49935a
commit e5c6aa6060


@ -11,6 +11,7 @@ import re
from capstone import *
from textwrap import wrap
import sys
import math
from struct import pack
@ -126,26 +127,30 @@ class ROPMakerX86(object):
command = self.execPath
# split command into chunks of 4, prepend with /s as necessary
if len(command) % 4 > 0:
command = (4 - (len(command) % 4)) * "/" + command
command = padding_len(len(command)) * "/" + command
command_chunks = wrap(command, 4)
## EXEC (ARG0) \0 ARG1 \0 ARG2 \0 ... \0 PTR->EXEC PTR->ARG1 PTR->ARG2 ... \0 ##
args = []
args = ["test", "test1", "long string example"]
chunked_args = []
for arg in args:
if len(arg) % 4 > 0:
arg = arg + padding_len(len(arg)) * "!"
chunked_args.append(wrap)
# & ( "cat" \0 )
exec_addr = dataAddr
arg_addr = []
# setup argv array
# [ & "--run" \0 , & "--verbose" \0 ]
# note that the null bytes may be written "earlier", when the string is not len % 4 == 0
arg_addr = []
acc_addr = exec_addr + len(command) + 4
for i, arg in enumerate(args):
arg_addr.append(acc_addr)
acc_addr += len(arg) + (4 - (len(arg) % 4)) + 4
acc_addr += len(arg) + padding_len(len(arg)) + 4
# & ( [ ptr -> "cat" ] ++ arg_addr )
argv_addr = acc_addr
@ -181,6 +186,7 @@ class ROPMakerX86(object):
##########################
####################
# Write Argv Array #
####################
@ -308,3 +314,8 @@ class ROPMakerX86(object):
self.__buildRopChain(write4where[0], popDst, popSrc, xorSrc, xorEax, incEax, popEbx, popEcx, popEdx, syscall)
# def round_n(x, n):
# return int(math.ceil(x / n) * n)
def padding_len(x):
return -(x % -4)
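Review bot: In the argument loop of the -126 hunk, `chunked_args.append(wrap)` appends the textwrap function object itself rather than the chunked argument; it should read `chunked_args.append(wrap(arg, 4))`, and the preceding `if len(arg) % 4 > 0:` guard is redundant since `padding_len` already returns 0 for aligned lengths. The same hunk replaces the empty `args = []` with a hard-coded `args = ["test", "test1", "long string example"]`, which looks like debugging input left in; confirm that is intended before merge. `padding_len` in the last hunk has no docstring and the `-(x % -4)` form is not obvious to read: a one-liner such as `"""Return the number of bytes needed to round x up to the next multiple of 4 (0 when already aligned)."""` together with the equivalent `return (-x) % 4` would make the intent direct, and the commented-out `round_n` plus the now-unused `import math` from the first hunk can be dropped. The enclosing method of the -126 hunk starts and ends outside the hunk.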