matir/skel
1
0
Fork 0
mirror of https://github.com/Matir/skel.git synced 2026-05-25 21:19:09 -07:00
Code Issues Packages Projects Releases Wiki Activity
Files
e52cf7ae004390242ff69be02fd4d4d4add9dc74
skel/dotfiles/lldb/lisa.py
David Tomaschik 33223e5af0 Add lisa for LLDB.
2016-04-11 00:58:05 -07:00

2983 lines
110 KiB
Python
Raw Blame History

#!/usr/bin/env python
# Copyright 2015 ant4g0nist
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
import os
import re
import cmd
import sys
import time
import shlex
import random
import string
import struct
import commands
import datetime
import optparse
import argparse
import platform
import httplib
from struct import *
from sys import version_info
from struct import pack
from binascii import *
from ctypes import *
import subprocess
#install package
def install(name):
subprocess.call(['sudo','pip', 'install', name])
try:
from capstone import *
except:
print "[+]\tGonna try installing capstone."
install('capstone')
from capstone import *
PYROPGADGET_VERSION = 'ich'
if sys.version_info.major == 3:
xrange = range
import lldb
#global vars#
lisaversion = 'v-ni'
PAGE_SIZE=4096
MAX_DISTANCE=PAGE_SIZE*10
g_ignore_frame_pointer= False
reportexploitable=""
###################
REGISTERS = {
8 : ["al", "ah", "bl", "bh", "cl", "ch", "dl", "dh"],
16: ["ax", "bx", "cx", "dx"],
32: ["eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp", "eip"],
64: ["rax", "rbx", "rcx", "rdx", "rsi", "rdi", "rbp", "rsp", "rip",
"r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]
}
####################################
# Misc Utils #
####################################
def banner(debugger,command,result,dict):
lisa2="""
lllllll iiii
l:::::l i::::i
l:::::l iiii
l:::::l
l::::l iiiiiii ssssssssss aaaaaaaaaaaaa
l::::l i:::::i ss::::::::::s a::::::::::::a
l::::l i::::i ss:::::::::::::s aaaaaaaaa:::::a
l::::l i::::i s::::::ssss:::::s a::::a
l::::l i::::i s:::::s ssssss aaaaaaa:::::a
l::::l i::::i s::::::s aa::::::::::::a
l::::l i::::i s::::::s a::::aaaa::::::a
l::::l i::::i ssssss s:::::s a::::a a:::::a
l::::::li::::::is:::::ssss::::::sa::::a a:::::a
l::::::li::::::is::::::::::::::s a:::::aaaa::::::a
l::::::li::::::i s:::::::::::ss a::::::::::aa:::a
lllllllliiiiiiii sssssssssss aaaaaaaaaa aaaa
"""
print tty_colors.green()+random.choice([lisa2])+tty_colors.default()
print tty_colors.red()+"\t-An Exploit Dev Swiss Army Knife. Version: "+lisaversion+tty_colors.default()
#convert to hex
def to_hex(var):
"""
converts given value to hex
"""
return hex(var)
#hextoascii
def hex2ascii(debugger,hex,result,dict):
"""
converts Hex to ascii
ex: h2a 0x41414141 prints AAAA
"""
print hex.replace('0x','').decode('hex')
#generate random hex of length between n - m
def urandom(debugger,n,result,dict):
"""
Generates random hex of given length
"""
if not n:
print 'rand command an argument: example: rand 23'
return
print open('/dev/urandom','r').read(random.randint(int(n)/2,int(n)/2)).encode('hex')
# run os commands
def shell(debugger,command,result,dict):
"""
runs shell command and prints output
"""
try:
if command:
os.system(command)
else:
print 'Please enter a proper shell command.Eg: shell ls'
return
except:
print 'Please enter a proper shell command.Eg: shell ls'
return
#term colors
class TerminalColors:
'''Simple terminal colors class'''
def __init__(self, enabled = True):
# TODO: discover terminal type from "file" and disable if
# it can't handle the color codes
self.enabled = enabled
def reset(self):
'''Reset all terminal colors and formatting.'''
if self.enabled:
return "\x1b[0m";
return ''
def bold(self, on = True):
'''Enable or disable bold depending on the "on" parameter.'''
if self.enabled:
if on:
return "\x1b[1m";
else:
return "\x1b[22m";
return ''
def italics(self, on = True):
'''Enable or disable italics depending on the "on" parameter.'''
if self.enabled:
if on:
return "\x1b[3m";
else:
return "\x1b[23m";
return ''
def underline(self, on = True):
'''Enable or disable underline depending on the "on" parameter.'''
if self.enabled:
if on:
return "\x1b[4m";
else:
return "\x1b[24m";
return ''
def inverse(self, on = True):
'''Enable or disable inverse depending on the "on" parameter.'''
if self.enabled:
if on:
return "\x1b[7m";
else:
return "\x1b[27m";
return ''
def strike(self, on = True):
'''Enable or disable strike through depending on the "on" parameter.'''
if self.enabled:
if on:
return "\x1b[9m";
else:
return "\x1b[29m";
return ''
def black(self, fg = True):
'''Set the foreground or background color to black.
The foreground color will be set if "fg" tests True. The background color will be set if "fg" tests False.'''
if self.enabled:
if fg:
return "\x1b[30m";
else:
return "\x1b[40m";
return ''
def red(self, fg = True):
'''Set the foreground or background color to red.
The foreground color will be set if "fg" tests True. The background color will be set if "fg" tests False.'''
if self.enabled:
if fg:
return "\x1b[31m";
else:
return "\x1b[41m";
return ''
def green(self, fg = True):
'''Set the foreground or background color to green.
The foreground color will be set if "fg" tests True. The background color will be set if "fg" tests False.'''
if self.enabled:
if fg:
return "\x1b[32m";
else:
return "\x1b[42m";
return ''
def yellow(self, fg = True):
'''Set the foreground or background color to yellow.
The foreground color will be set if "fg" tests True. The background color will be set if "fg" tests False.'''
if self.enabled:
if fg:
return "\x1b[43m";
else:
return "\x1b[33m";
return ''
def blue(self, fg = True):
'''Set the foreground or background color to blue.
The foreground color will be set if "fg" tests True. The background color will be set if "fg" tests False.'''
if self.enabled:
if fg:
return "\x1b[34m";
else:
return "\x1b[44m";
return ''
def magenta(self, fg = True):
'''Set the foreground or background color to magenta.
The foreground color will be set if "fg" tests True. The background color will be set if "fg" tests False.'''
if self.enabled:
if fg:
return "\x1b[35m";
else:
return "\x1b[45m";
return ''
def cyan(self, fg = True):
'''Set the foreground or background color to cyan.
The foreground color will be set if "fg" tests True. The background color will be set if "fg" tests False.'''
if self.enabled:
if fg:
return "\x1b[36m";
else:
return "\x1b[46m";
return ''
def white(self, fg = True):
'''Set the foreground or background color to white.
The foreground color will be set if "fg" tests True. The background color will be set if "fg" tests False.'''
if self.enabled:
if fg:
return "\x1b[37m";
else:
return "\x1b[47m";
return ''
def default(self, fg = True):
'''Set the foreground or background color to the default.
The foreground color will be set if "fg" tests True. The background color will be set if "fg" tests False.'''
if self.enabled:
if fg:
return "\x1b[39m";
else:
return "\x1b[49m";
return ''
####################################
# LLDB #
####################################
#set malloc debugging features
def setMallocDebug(debugger,c,result,dict):
"""sets DYLD_INSERT_LIBRARIES to /usr/lib/libgmalloc.dylib"""
execute(debugger,'settings set target.env-vars DYLD_INSERT_LIBRARIES=/usr/lib/libgmalloc.dylib',result,dict)
return True
#execute given LLDB command
def execute(debugger,lldb_command,result,dict):
"""
Execute given command and print the outout to stdout
"""
debugger.HandleCommand(lldb_command)
#execute command and return output
def executeReturnOutput(debugger,lldb_command,result,dict):
"""Execute given command and returns the outout"""
ci = debugger.GetCommandInterpreter()
res=lldb.SBCommandReturnObject()
ci.HandleCommand(lldb_command,res)
output= res.GetOutput()
error = res.GetError()
return (output,error)
def s(debugger,command,result,dict):
"""step command"""
executeReturnOutput(debugger,"thread step-in",result,dict)
context(debugger,command,result,dict)
def si(debugger,command,result,dict):
"""step into command"""
executeReturnOutput(debugger,"thread step-inst",result,dict)
context(debugger,command,result,dict)
def so(debugger,command,result,dict):
"""step over"""
executeReturnOutput(debugger,"thread step-over",result,dict)
context(debugger,command,result,dict)
def stepnInstructions(debugger,count,result,dict):
"""step-in n time"""
c=0
while c<int(count):
command=""
executeReturnOutput(debugger,"thread step-in",result,dict)
c+=1
context(debugger,command,result,dict)
def testjump(debugger,command,result,dict):
"""
Test if jump instruction is taken or not
Returns:
True if jump is taken or False if not
"""
inst=None
flags = get_eflags(debugger,command,result,dict)
if not flags:
return None
if not inst:
pc =getregvalue(debugger,"pc",result,dict)
inst, error = executeReturnOutput(debugger,"x/1i $pc",result,dict)
if not inst:
return None
opcode = inst.split(' ')[2]
if opcode == "jmp":
return (True,inst.split(' ')[4])
if opcode == "je" and flags["ZF"]:
print inst.split(' ')[4]
return (True,inst.split(' ')[4])
if opcode == "jne" and not flags["ZF"]:
return (True,inst.split(' ')[4])
if opcode == "jg" and not flags["ZF"] and (flags["SF"] == flags["OF"]):
return (True,inst.split(' ')[4])
if opcode == "jge" and (flags["SF"] == flags["OF"]):
return (True,inst.split(' ')[4])
if opcode == "ja" and not flags["CF"] and not flags["ZF"]:
return (True,inst.split(' ')[4])
if opcode == "jae" and not flags["CF"]:
return (True,inst.split(' ')[4])
if opcode == "jl" and (flags["SF"] != flags["OF"]):
return (True,inst.split(' ')[4])
if opcode == "jle" and (flags["ZF"] or (flags["SF"] != flags["OF"])):
return (True,inst.split(' ')[4])
if opcode == "jb" and flags["CF"]:
return (True,inst.split(' ')[4])
if opcode == "jbe" and (flags["CF"] or flags["ZF"]):
return (True,inst.split(' ')[4])
if opcode == "jo" and flags["OF"]:
return (True,inst.split(' ')[4])
if opcode == "jno" and not flags["OF"]:
return (True,inst.split(' ')[4])
if opcode == "jz" and flags["ZF"]:
return (True,inst.split(' ')[4])
if opcode == "jnz" and flags["OF"]:
return (True,inst.split(' ')[4])
return (False,None)
def context(debugger,command,result,dict):
"""Prints context of current execution"""
try:
#disas
op, error=executeReturnOutput(debugger,"disassemble -c 2 -s $pc",result,dict)
print tty_colors.red()+"[*] Disassembly :\n"+tty_colors.default()
print op
#stack
op, error=executeReturnOutput(debugger,"x/10x $sp",result,dict)
print tty_colors.red()+"[*] Stack :\n"+tty_colors.default()
print tty_colors.blue()+op+tty_colors.default()
#registers
op, error=executeReturnOutput(debugger,"register read",result,dict)
print tty_colors.red()+"[*] Registers\t:"+tty_colors.default()
print op.split("\n\n")[0].split('General Purpose Registers:\n')[1].split('eflags')[0]
print '\n'
#jump
dis, error=executeReturnOutput(debugger,'disassemble -c 1 -s $pc',result,dict)
if dis:
dis = dis.split(': ')[1].split()[0]
if 'j' in dis:
jumpto, destination = testjump(debugger,command,result,dict)
if jumpto==True:
print tty_colors.red()+"[*] Jumping to\t:"+destination+tty_colors.default()
else:
print tty_colors.red()+"[*] Jump not taken."+tty_colors.default()
else:
print error,
except Exception as e:
print 'error running context'
def get_eflags(debugger,command,result,dict):
"""
Get flags value from EFLAGS register
Returns:
- dictionary of named flags
"""
# Eflags bit masks, source vdb
EFLAGS_CF = 1 << 0
EFLAGS_PF = 1 << 2
EFLAGS_AF = 1 << 4
EFLAGS_ZF = 1 << 6
EFLAGS_SF = 1 << 7
EFLAGS_TF = 1 << 8
EFLAGS_IF = 1 << 9
EFLAGS_DF = 1 << 10
EFLAGS_OF = 1 << 11
flags = {"CF":0, "PF":0, "AF":0, "ZF":0, "SF":0, "TF":0, "IF":0, "DF":0, "OF":0}
eflags = getregvalue(debugger,"eflags",result,dict)
if not eflags:
eflags = getregvalue(debugger,"rflags",result,dict)
eflags=int(eflags,16)
flags["CF"] = bool(eflags & EFLAGS_CF)
flags["PF"] = bool(eflags & EFLAGS_PF)
flags["AF"] = bool(eflags & EFLAGS_AF)
flags["ZF"] = bool(eflags & EFLAGS_ZF)
flags["SF"] = bool(eflags & EFLAGS_SF)
flags["TF"] = bool(eflags & EFLAGS_TF)
flags["IF"] = bool(eflags & EFLAGS_IF)
flags["DF"] = bool(eflags & EFLAGS_DF)
flags["OF"] = bool(eflags & EFLAGS_OF)
return flags
####################################
# Exploitation #
####################################
#pattern create and pattern offset
def pattern_create(debugger,size,result,dict):
"""creates a cyclic pattern of given length"""
try:length=int(size)
except:print "[+] Usage: pattern_create <length> [set a] [set b] [set c]"
seta="ABCDEFGHIJKLMNOPQRSTUVWXYZ"
setb="abcdefghijklmnopqrstuvwxyz"
setc="0123456789"
string="" ; a=0 ; b=0 ; c=0
while len(string) < length:
string += seta[a] + setb[b] + setc[c]
c+=1
if c == len(setc):c=0;b+=1
if b == len(setb):b=0;a+=1
if a == len(seta):a=0
print tty_colors.red()+ string[:length]+tty_colors.default()
return string[:length]
#check if given pattern is in cyclic pattern
def check_if_cyclic(debugger,pat,result,dict):
"""check if given pattern is in cyclic pattern"""
seta="ABCDEFGHIJKLMNOPQRSTUVWXYZ"
setb="abcdefghijklmnopqrstuvwxyz"
setc="0123456789"
if not pat:
print '[+] Usage: check_if_cyclic <some string>'
return
string=pat ; a=0 ; b=0 ; c=0
length=len(string)
i=0
while i<(length-2):
if string[i].isalpha():
if string[i].islower():
if string[i+1].isupper():
if string[i+2].isdigit():
pass
else:
print tty_colors.red()+"Not a cyclic pattern"+tty_colors.default()
return False
else:
print tty_colors.red()+"Not a cyclic pattern"+tty_colors.default()
return False
elif string[i].isupper():
if string[i+1].islower():
if string[i+2].isdigit():
pass
else:
print tty_colors.red()+"Not a cyclic pattern"+tty_colors.default()
return False
else:
print tty_colors.red()+"Not a cyclic pattern"+tty_colors.default()
return False
elif string[i].isdigit():
if string[i+1].isalpha():
if string[i+1].isupper():
if string[i+2].islower():
pass
else:
print tty_colors.red()+"Not a cyclic pattern"+tty_colors.default()
return False
else:
print tty_colors.red()+"Not a cyclic pattern"+tty_colors.default()
return False
i+=3
print "seems to be a valid pattern"
return True
#pattern search
def pattern_offset(debugger,sizepat,result,dict):
"""search offset of pattern."""
if len(sizepat.split(' '))==2:
try:
size=int(sizepat.split(' ')[0])
pat=sizepat.split(' ')[1]
pattern=pattern_create(debugger,size,result,dict)
if "0x" in pat:
pat=pat.replace("0x","")
pat=pat.decode("hex")[::-1]
try:
p=int(pat)
pat=pat.decode('hex')
except:
pass
found=[m.start() for m in re.finditer(pat, pattern)]
if found!=-1:
print 'offsets:',found
except:
print "please check the syntax"
print "pattern_offset 250 Aa2A"
elif len(sizepat.split(' '))==1:
try:
size=10000
pat=sizepat.split(' ')[1]
pattern=pattern_create(debugger,size,result,dict,True)
if "0x" in pat:
pat=pat.replace("0x","")
pat=pat.decode("hex")[::-1]
try:
p=int(pat)
pat=pat.decode('hex')
except:
pass
found=[m.start() for m in re.finditer(pat, pattern)]
# found=pattern.find(pat)
if found!=-1:
print found
except:
print "please check the syntax"
print "pattern_offset 250 Aa2A"
#return address in register
def getregvalue(debugger,reg,result,dict):
output,error=executeReturnOutput(debugger,'register read '+reg,result,dict)
return output.split("= ")[-1].split(" ")[0]
lldb_stop_reasons = { 'eStateCrashed' : 8, 'eStateDetached' : 9, 'eStateExited' : 10, 'eStateInvalid' : 0,
'eStateLaunching' : 4, 'eStateRunning' : 6, 'eStateStepping' : 7,'eStateStopped' : 5,
'eStateSuspended' : 11, 'eStopReasonBreakpoint' : 3, 'eStopReasonException' : 6,
'eStopReasonExec' : 7, 'eStopReasonInvalid' : 0, 'eStopReasonNone' : 1, 'eStopReasonSignal' : 5,
'eStopReasonThreadExiting' : 9, 'eStopReasonTrace' : 2, 'eStopReasonWatchpoint' : 4
}
def getexception(exception_description):
type1 = exception_description
try:
exception = re.search("EXC_(.+?) ",type1).group().strip(' ')
except:
exception = None
try:
code = re.search("\(code(.+?),",type1).group().split('=')[1].strip(',')
except:
try:
code = re.search("\(code(.+?)\)",type1).group().split('=')[1].strip(')')
except:
code = None
try:
address = re.search(", address(.+?)\)",type1).group().split('=')[1].strip(')')
except:
address = None
return exception,code,address
def getsignal(signal_description):
return signal_description.split(' ')[1]
def type_for_two_memory(access_address, disassembly):
first_reg_val = value_for_first_register(disassembly)
if first_reg_val != access_address:
return "read"
else:
return "write"
def stack_access_crash(access_address, sp_val):
access_address=int(access_address,0)
sp_val = int(sp_val,0)
if ((sp_val - access_address) <= PAGE_SIZE):
return True
return False
def getexceptiontype(access_address, disassembly, registers):
if disassembly!=None:
last_comma = disassembly.find(',')
right_paren = disassembly.find(']')
sp = registers['sp']
if disassembly[right_paren+1:].find(']')!=-1:
type_=type_for_two_memory(access_address, disassembly)
return type_
elif disassembly.find('call')!=-1:
if not right_paren or last_comma:
type_ = "recursion"
elif stack_access_crash(access_address,sp):
print 'ohhh'
type_ = "recursion"
else:
type_ = "exec"
return type_
elif disassembly.find("cmp")!=-1 or disassembly.find("test")!=-1 or disassembly.find("fld")!=-1:
type_ = "read"
return type_
elif disassembly.find("fst")!=-1:
type_ = "write"
return type_
elif disassembly.find("mov")!=-1:
if last_comma>right_paren:
type_ = "read"
else:
type_ = "write"
return type_
elif disassembly.find('jmp')!=-1:
type_ = "exec"
return type_
elif disassembly.find('push')!=-1:
if right_paren:
type_ = "read"
else:
type_ = "recursion"
return type_
elif disassembly.find('inc')!=-1 or disassembly.find('dec')!=-1:
type_ = "write"
return type_
elif disassembly.find("stos")!=-1:
type_ = "write"
return type_
elif disassembly.find("lods")!=-1:
type_ = "read"
return type_
else:
type_ = "unknown"
return type_
if disassembly.find("st") == 2:
type_ = "write"
return type_
elif disassembly.find("ld") == 2:
type_ = "read"
return type_
elif disassembly.find("push") == 2:
type_ = "recursion"
return type_
else:
type_ = "unknown"
return type_
else:
type_ = "unknown"
return type_
def is_stack_suspicious(exc_address, exception, backtrace):
global reportexploitable
global is_exploitable
suspicious_functions = [
"__chk_fail", "__stack_chk_fail", "szone_error", "CFRelease", "CFRetain", "_CFRelease", "_CFRetain",
"malloc", "calloc", "realloc", "objc_msgSend",
"szone_free", "free_small", "tiny_free_list_add_ptr", "tiny_free_list_remove_ptr",
"small_free_list_add_ptr", "small_free_list_remove_ptr", "large_entries_free_no_lock",
"large_free_no_lock", "szone_batch_free", "szone_destroy", "free",
"CSMemDisposeHandle", "CSMemDisposePtr",
"append_int", "release_file_streams_for_task", "__guard_setup",
"_CFStringAppendFormatAndArgumentsAux", "WTF::fastFree", "WTF::fastMalloc",
"WTF::FastCalloc", "WTF::FastRealloc", " WTF::tryFastCalloc", "WTF::tryFastMalloc",
"WTF::tryFastRealloc", "WTF::TCMalloc_Central_FreeList", "GMfree", "GMmalloc_zone_free",
"GMrealloc", "GMmalloc_zone_realloc"]
if exc_address=="0xbbadbeef":
# WebCore functions call CRASH() in various assertions or if the amount to allocate was too big. CRASH writes a null byte to 0xbbadbeef.
is_exploitable=False
print tty_colors.red()+"Exploitable = %s"%is_exploitable+tty_colors.default()
reportexploitable = "Not exploitable. Seems to be a safe crash. Calls to CRASH() function writes a null byte to 0xbbadbeef"
print tty_colors.red()+"Not exploitable. Seems to be a safe crash. Calls to CRASH() function writes a null byte to 0xbbadbeef"+tty_colors.default()
return
if "0 ???" in backtrace:
is_exploitable = True
print tty_colors.red()+"Exploitable = %s"%is_exploitable+tty_colors.default()
print tty_colors.red()+"This crash is suspected to be exploitable because the crashing instruction is outside of a known function, i.e. in dynamically generated code"+tty_colors.default()
reportexploitable="This crash is suspected to be exploitable because the crashing instruction is outside of a known function, i.e. in dynamically generated code"
return
for i in suspicious_functions:
if i in backtrace:
if exception == "EXC_BREAKPOINT" and (i=="CFRelease" or i=="CFRetain"):
is_exploitable = "no"
return
elif i=="_CFRelease" or i=="CFRelease" and "CGContextDelegateFinalize" in backtrace:
return
elif i=="objc_msgSend" and exc_address<<PAGE_SIZE:
continue
else:
is_exploitable = True
print tty_colors.red()+"Exploitable = %s"%is_exploitable+tty_colors.default()
print tty_colors.red()+"The crash is suspected to be an exploitable issue due to the suspicious function in the stack trace of the crashing thread: "+i+tty_colors.default()
reportexploitable="The crash is suspected to be an exploitable issue due to the suspicious function in the stack trace of the crashing thread."
return
#return whether or not the base pointer is far away from the stack pointer.
def bp_inconsistent_with_sp(bp_val,sp_val):
#define MAX_DISTANCE (PAGE_SIZE * 10)
# No check if bp_val > sp_val since bp_val - sp_val may have underflowed.
if (int(bp_val,0) - int(sp_val,0)) > MAX_DISTANCE:
return True
return False
class Lisa:
def __init__(self, debugger,result,dict):
self.debugger = debugger
self.target = self.debugger.GetSelectedTarget()
self.process = self.target.process
self.thread = self.process.selected_thread
self.frame = self.thread.GetFrameAtIndex(0)
self.pc = hex(self.frame.pc)
self.sp = hex(self.frame.sp)
self.bp = hex(self.frame.fp)
disas,disas_error = executeReturnOutput(debugger,"disassemble -c 1 -s $pc",result,dict)
if disas_error:
self.pc_disas = None
else:
self.pc_disas = re.search("->(.+?)\n",disas).group().split(':')[1]
self.backtrace, self.backtrace_error = executeReturnOutput(debugger,"bt",result,dict)
self.crash_reason = self.thread.GetStopReason()
if self.crash_reason == lldb_stop_reasons['eStopReasonException']:
self.exception = self.thread.GetStopDescription(80)
self.exception,self.exc_code,self.exc_address = getexception(self.exception)
self.signal = None
print tty_colors.red()+"Exception : "+self.exception+tty_colors.default()
elif self.crash_reason == lldb_stop_reasons['eStopReasonSignal']:
self.signal = self.thread.GetStopDescription(80)
self.signal = getsignal(self.signal)
self.exc_address = None
self.exception = None
print tty_colors.red()+"Signal : "+self.signal+tty_colors.default()
else:
return
self.gen_registers = list(self.frame.registers)[0]
self.registers = {}
for i in self.gen_registers.__iter__():
self.registers[i.name]=i.value
max_offset = 1024
if self.exception:
if self.exception=="EXC_BAD_ACCESS":
# check pc == access_address
if self.exc_address and int(self.exc_address,0)==int(self.pc,0):
# IP over write
is_exploitable = True
print tty_colors.red()+"Exploitable = %s"%is_exploitable+tty_colors.default()
print tty_colors.red()+"Trying to execute a bad address, this is a potentially exploitable issue"+tty_colors.default()
reportexploitable="Trying to execute a bad address, this is a potentially exploitable issue"
else:
self.access_type = getexceptiontype(self.exc_address, self.pc_disas, self.registers)
if self.exc_address and int(self.exc_address,16)<int(PAGE_SIZE):
is_exploitable=False
print tty_colors.red()+"Exploitable = %s"%is_exploitable+tty_colors.default()
print tty_colors.blue()+"Null Dereference. Probably not exploitable"+tty_colors.default()
reportexploitable="Null Dereference. Probably not exploitable"
return
elif self.access_type == "recursion":
is_exploitable=False
stack=self.backtrace
MINIMUM_RECURSION_LENGTH = 300
stack_length= len(stack.split("\n"))
if stack_length>MINIMUM_RECURSION_LENGTH:
print tty_colors.red()+"Exploitable = %s"%is_exploitable+tty_colors.default()
print tty_colors.red()+"The crash is suspected to be not exploitable due to unbounded recursion since there were %d stack frames."%stack_length+tty_colors.default()
reportexploitable="The crash is suspected to be not exploitable due to unbounded recursion since there were %d stack frames."%stack_length
return
else:
is_exploitable=True
if self.access_type == "exec":
is_exploitable = True
addr = self.exc_address
max_offset = 1024
if (addr > 0x55555555 - max_offset and addr < 0x55555555 + max_offset):
print tty_colors.red()+"Exploitable = %s"%is_exploitable+tty_colors.default()
print tty_colors.red()+"The access address indicates the use of freed memory if MallocScribble was used, or uninitialized memory if libgmalloc and MALLOC_FILL_SPACE was used."+tty_colors.default()
reportexploitable="The access address indicates the use of freed memory if MallocScribble was used, or uninitialized memory if libgmalloc and MALLOC_FILL_SPACE was used."
elif (addr > 0xaaaaaaaa - max_offset and addr < 0xaaaaaaaa + max_offset):
print tty_colors.red()+"Exploitable = %s"%is_exploitable+tty_colors.default()
print tty_colors.red()+"The access address indicates that uninitialized memory was being used if MallocScribble was used."+tty_colors.default()
reportexploitable="The access address indicates that uninitialized memory was being used if MallocScribble was used."
elif "EXC_I386_GPFLT" == self.exc_code:
print tty_colors.red()+"Exploitable = %s"%is_exploitable+tty_colors.default()
print tty_colors.red()+"The exception code indicates that the access address was invalid in the 64-bit ABI (it was > 0x0000800000000000)."+tty_colors.default()
reportexploitable="The exception code indicates that the access address was invalid in the 64-bit ABI (it was > 0x0000800000000000)."
elif not g_ignore_frame_pointer and bp_inconsistent_with_sp(self.bp,self.sp):
is_exploitable = True
print tty_colors.red()+"Exploitable = %s"%is_exploitable+tty_colors.default()
print tty_colors.red()+"Presumed exploitable based on the discrepancy between the stack pointer and base pointer registers. "+tty_colors.default()
reportexploitable="Presumed exploitable based on the discrepancy between the stack pointer and base pointer registers."
else:
print tty_colors.red()+"Exploitable = %s"%is_exploitable+tty_colors.default()
if self.access_type=="read" or self.access_type=="write":
print tty_colors.red()+"Crash "+self.access_type+"'g invalid address."+tty_colors.default()
reportexploitable= "Crash "+self.access_type+"'g invalid address."
else:
print tty_colors.red()+"Crash accessing invalid address."+tty_colors.default()
reportexploitable= "Crash accessing invalid address."
elif self.exception=="EXC_BAD_INSTRUCTION":
is_exploitable = True
print tty_colors.red()+"Exploitable = %s"%is_exploitable+tty_colors.default()
print tty_colors.blue()+"Illegal instruction at %s, probably a exploitable issue unless the crash was in libdispatch/xpc."%self.pc+tty_colors.default()
reportexploitable="Illegal instruction at %s, probably a exploitable issue unless the crash was in libdispatch/xpc."%self.pc
elif self.exception=="EXC_ARITHMETIC":
is_exploitable = False
print tty_colors.red()+"Exploitable = %s"%is_exploitable+tty_colors.default()
print tty_colors.blue()+"Arithmetic exception at %s, probably not exploitable."%self.pc+tty_colors.default()
reportexploitable="Arithmetic exception at %s, probably not exploitable."%self.pc
elif self.exception=="EXC_SOFTWARE":
is_exploitable=False
print tty_colors.red()+"Exploitable = %s"%is_exploitable+tty_colors.default()
print tty_colors.blue()+"Software exception, probably not exploitable."+tty_colors.default()
reportexploitable="Software exception, probably not exploitable."
elif self.exception=="EXC_BREAKPOINT":
is_exploitable=False
print tty_colors.red()+"Exploitable = %s"%is_exploitable+tty_colors.default()
print tty_colors.blue()+"Software breakpoint, probably not exploitable."+tty_colors.default()
reportexploitable="Software breakpoint, probably not exploitable."
elif self.exc_address=="EXC_CRASH":
is_exploitable= False
print tty_colors.red()+"Exploitable = %s"%is_exploitable+tty_colors.default()
elif self.signal:
is_stack_suspicious(self.exc_address, self.exception, self.backtrace)
def exploitable(debugger,cmd,res,dict):
"""checks if the crash is exploitable"""
lisa_=Lisa(debugger,res,dict)
class ShellStorm:
def __init__(self):
pass
def searchShellcode(self, keyword):
try:
print "Connecting to shell-storm.org..."
s = httplib.HTTPConnection("shell-storm.org")
s.request("GET", "/api/?s="+str(keyword))
res = s.getresponse()
data_l = res.read().split('\n')
except:
print "Cannot connect to shell-storm.org"
return None
data_dl = []
for data in data_l:
try:
desc = data.split("::::")
try:
dico = {
'ScAuthor': desc[0],
'ScArch': desc[1],
'ScTitle': desc[2],
'ScId': desc[3],
'ScUrl': desc[4],
'ScSize': int(''.join(x for x in desc[2][-10:-5] if x.isdigit()))
}
except Exception:
dico = {
'ScAuthor': desc[0],
'ScArch': desc[1],
'ScTitle': desc[2],
'ScId': desc[3],
'ScUrl': desc[4],
'ScSize': 0
}
data_dl.append(dico)
except:
pass
try:
return sorted(data_dl, key=lambda x: x['ScSize'], reverse=True)
except Exception:
print("Could not sort by size")
return data_dl
def displayShellcode(self, shellcodeId):
if shellcodeId is None:
return None
try:
print "Connecting to shell-storm.org..."
s = httplib.HTTPConnection("shell-storm.org")
except:
print "Cannot connect to shell-storm.org"
return None
try:
s.request("GET", "/shellcode/files/shellcode-"+str(shellcodeId)+".php")
res = s.getresponse()
data = res.read().split("<pre>")[1].split("<body>")[0]
except:
print "Failed to download shellcode from shell-storm.org"
return None
data = data.replace("&quot;", "\"")
data = data.replace("&amp;", "&")
data = data.replace("&lt;", "<")
data = data.replace("&gt;", ">")
return data
@staticmethod
def version():
print "shell-storm API - v0.1"
print "Search and display all shellcodes in shell-storm database"
print "Jonathan Salwan - @JonathanSalwan - 2012"
print "http://shell-storm.org"
return
def extract_from_universal_binary(debugger,command,result,dict):
"""Uses lipo to extract a given architecture from a Universal binary
Syntax: extract x86_64 <input file> <output file>
Ex: extract x86_64 /usr/lib/system/libsystem_kernel.dylib ./libsystem_kernel.dylib
"""
args = shlex.split(command)
if len(args)==3:
architecture = args[0]
intputfile = args[1]
outputfile = args[2]
commands.getoutput('lipo '+intputfile+' -extract '+architecture+' -output '+outputfile)
else:
print "Syntax: extract x86_64 /usr/lib/system/libsystem_kernel.dylib ./libsystem_kernel.dylib"
def shellcode(debugger, command, result, dict):
"""Searches shell-storm for shellcode
Syntax:shellcode"""
mod = shlex.split(command)
if len(mod)!=2:
print "Syntax: shellcode <option> <arg>\n"
print "Options: -search <keyword>"
print " -display <shellcode id>"
print " -save <shellcode id>"
return
arg = mod[1]
mod = mod[0]
if mod != "-search" and mod != "-display" and mod != "-save":
syntax()
return
if mod == "-search":
api = ShellStorm()
res_dl = api.searchShellcode(arg)
if not res_dl:
print "Shellcode not found"
sys.exit(0)
print "Found %d shellcodes" % len(res_dl)
print "%s\t%s %s" %("ScId", "Size", "Title")
for data_d in res_dl:
if data_d['ScSize'] == 0:
print "[%s]\tn/a %s - %s"%(data_d['ScId'], data_d['ScArch'], data_d['ScTitle'])
else:
print "[%s]\t%s%s - %s"%(data_d['ScId'], str(data_d['ScSize']).ljust(5), data_d['ScArch'], data_d['ScTitle'])
elif mod == "-display":
res = ShellStorm().displayShellcode(arg)
if not res:
print "Shellcode id not found"
return
print tty_colors.red()+res+tty_colors.default()
elif mod == "-save":
res = ShellStorm().displayShellcode(arg)
if not res:
print "Shellcode id not found"
return
f=open('shellcode_'+str(time.time())+'.c','w')
f.write(res)
f.close()
print tty_colors.red()+"Written to file shellcode_"+str(time.time())+'.c'+tty_colors.default()
def dump(debugger,command,result,dict):
"""Dump's Memory of the process in a given address range
Syntax: dump outfile 0x6080000fe680 0x6080000fe680+1000
dump will not read over 1024 bytes of data. To overwride this use -f
Syntax: dump outfile 0x6080000fe680 0x6080000fe680+1000 -f"""
args = shlex.split(command)
if len(args)<3:
print "Syntax: dump outfile 0x6080000fe680 0x6080000fe680+1000"
return
outfile = args[0]
start_range = args[1]
end_range = args[2]
force=False
if len(args)>3:
force=True
if force:
output,error=executeReturnOutput(debugger,"memory read -b --force --outfile "+outfile+' '+start_range+' '+end_range,result,dict)
else:
output,error=executeReturnOutput(debugger,"memory read -b --outfile "+outfile+' '+start_range+' '+end_range,result,dict)
if not error:
print output,
else:
if "--force" in error:
print "dump will not read over 1024 bytes of data. To overwride this use -f."
print "Syntax: dump outfile 0x6080000fe680 0x6080000fe680+1000 -f"
else:
print error
class MACH_HEADER(Structure):
_fields_ = [
("magic", c_uint),
("cputype", c_uint),
("cpusubtype", c_uint),
("filetype", c_uint),
("ncmds", c_uint),
("sizeofcmds", c_uint),
("flags", c_uint)
]
class LOAD_COMMAND(Structure):
_fields_ = [
("cmd", c_uint),
("cmdsize", c_uint)
]
class SEGMENT_COMMAND(Structure):
_fields_ = [
("cmd", c_uint),
("cmdsize", c_uint),
("segname", c_ubyte * 16),
("vmaddr", c_uint),
("vmsize", c_uint),
("fileoff", c_uint),
("filesize", c_uint),
("maxprot", c_uint),
("initprot", c_uint),
("nsects", c_uint),
("flags", c_uint)
]
class SEGMENT_COMMAND64(Structure):
_fields_ = [
("cmd", c_uint),
("cmdsize", c_uint),
("segname", c_ubyte * 16),
("vmaddr", c_ulonglong),
("vmsize", c_ulonglong),
("fileoff", c_ulonglong),
("filesize", c_ulonglong),
("maxprot", c_uint),
("initprot", c_uint),
("nsects", c_uint),
("flags", c_uint)
]
class SECTION(Structure):
_fields_ = [
("sectname", c_ubyte * 16),
("segname", c_ubyte * 16),
("addr", c_uint),
("size", c_uint),
("offset", c_uint),
("align", c_uint),
("reloff", c_uint),
("nreloc", c_uint),
("flags", c_uint),
("reserved1", c_uint),
("reserved2", c_uint)
]
class SECTION64(Structure):
_fields_ = [
("sectname", c_ubyte * 16),
("segname", c_ubyte * 16),
("addr", c_ulonglong),
("size", c_ulonglong),
("offset", c_uint),
("align", c_uint),
("reloff", c_uint),
("nreloc", c_uint),
("flags", c_uint),
("reserved1", c_uint),
("reserved2", c_uint)
]
class MACHOFlags:
CPU_TYPE_I386 = 0x7
CPU_TYPE_X86_64 = (CPU_TYPE_I386 | 0x1000000)
CPU_TYPE_MIPS = 0x8
CPU_TYPE_ARM = 12
CPU_TYPE_SPARC = 14
CPU_TYPE_POWERPC = 18
CPU_TYPE_POWERPC64 = (CPU_TYPE_POWERPC | 0x1000000)
LC_SEGMENT = 0x1
LC_SEGMENT_64 = 0x19
S_ATTR_SOME_INSTRUCTIONS = 0x00000400
S_ATTR_PURE_INSTRUCTIONS = 0x80000000
class MachOHeader(Structure):
_fields_ = [
("magic", c_uint),
("cputype", c_uint),
("cpusubtype", c_uint),
("filetype", c_uint),
("ncmds", c_uint),
("sizeofcmds", c_uint),
("flags", c_uint)
]
""" This class parses the Mach-O """
class MACHO:
def __init__(self, binary):
self.__binary = bytearray(binary)
self.__machHeader = None
self.__rawLoadCmd = None
self.__sections_l = []
self.__setHeader()
self.__setLoadCmd()
def __setHeader(self):
self.__machHeader = MACH_HEADER.from_buffer_copy(self.__binary)
if self.getArchMode() == CS_MODE_32:
self.__rawLoadCmd = self.__binary[28:28+self.__machHeader.sizeofcmds]
elif self.getArchMode() == CS_MODE_64:
self.__rawLoadCmd = self.__binary[32:32+self.__machHeader.sizeofcmds]
def __setLoadCmd(self):
base = self.__rawLoadCmd
for i in range(self.__machHeader.ncmds):
command = LOAD_COMMAND.from_buffer_copy(base)
if command.cmd == MACHOFlags.LC_SEGMENT:
segment = SEGMENT_COMMAND.from_buffer_copy(base)
self.__setSections(segment.nsects, base[56:], 32)
elif command.cmd == MACHOFlags.LC_SEGMENT_64:
segment = SEGMENT_COMMAND64.from_buffer_copy(base)
self.__setSections(segment.nsects, base[72:], 64)
base = base[command.cmdsize:]
def __setSections(self, sectionsNumber, base, sizeHeader):
for i in range(sectionsNumber):
if sizeHeader == 32:
section = SECTION.from_buffer_copy(base)
base = base[68:]
self.__sections_l += [section]
elif sizeHeader == 64:
section = SECTION64.from_buffer_copy(base)
base = base[80:]
self.__sections_l += [section]
def getEntryPoint(self):
for section in self.__sections_l:
if section.sectname[0:6] == "__text":
return section.addr
def getExecSections(self):
ret = []
for section in self.__sections_l:
if section.flags & MACHOFlags.S_ATTR_SOME_INSTRUCTIONS or section.flags & MACHOFlags.S_ATTR_PURE_INSTRUCTIONS:
ret += [{
"name" : section.sectname,
"offset" : section.offset,
"size" : section.size,
"vaddr" : section.addr,
"opcodes" : bytes(self.__binary[section.offset:section.offset+section.size])
}]
return ret
def getDataSections(self):
ret = []
for section in self.__sections_l:
if not section.flags & MACHOFlags.S_ATTR_SOME_INSTRUCTIONS and not section.flags & MACHOFlags.S_ATTR_PURE_INSTRUCTIONS:
ret += [{
"name" : section.sectname,
"offset" : section.offset,
"size" : section.size,
"vaddr" : section.addr,
"opcodes" : str(self.__binary[section.offset:section.offset+section.size])
}]
return ret
def getArch(self):
if self.__machHeader.cputype == MACHOFlags.CPU_TYPE_I386 or self.__machHeader.cputype == MACHOFlags.CPU_TYPE_X86_64:
return CS_ARCH_X86
if self.__machHeader.cputype == MACHOFlags.CPU_TYPE_ARM:
return CS_ARCH_ARM
if self.__machHeader.cputype == MACHOFlags.CPU_TYPE_MIPS:
return CS_ARCH_MIPS
else:
print("[Error] MACHO.getArch() - Architecture not supported")
return None
def getArchMode(self):
if self.__machHeader.magic == 0xfeedface:
return 4
elif self.__machHeader.magic == 0xfeedfacf:
return 8
else:
print("[Error] MACHO.getArchMode() - Bad Arch size")
return None
pass
def getFormat(self):
return "Mach-O"
class FAT_HEADER(BigEndianStructure):
_fields_ = [
("magic", c_uint),
("nfat_arch", c_uint)
]
class FAT_ARC(BigEndianStructure):
_fields_ = [
("cputype", c_uint),
("cpusubtype", c_uint),
("offset", c_uint),
("size", c_uint),
("align", c_uint)
]
class MACHOFlags:
CPU_TYPE_I386 = 0x7
CPU_TYPE_X86_64 = (CPU_TYPE_I386 | 0x1000000)
CPU_TYPE_MIPS = 0x8
CPU_TYPE_ARM = 12
CPU_TYPE_SPARC = 14
CPU_TYPE_POWERPC = 18
CPU_TYPE_POWERPC64 = (CPU_TYPE_POWERPC | 0x1000000)
LC_SEGMENT = 0x1
LC_SEGMENT_64 = 0x19
S_ATTR_SOME_INSTRUCTIONS = 0x00000400
S_ATTR_PURE_INSTRUCTIONS = 0x80000000
""" This class parses the Universal binary """
class UNIVERSAL:
def __init__(self, binary):
self.__binary = bytearray(binary)
self.__machoBinaries = []
self.__fatHeader = None
self.__rawLoadCmd = None
self.__sections_l = []
self.__setHeader()
self.__setBinaries()
def __setHeader(self):
self.__fatHeader = FAT_HEADER.from_buffer_copy(self.__binary)
def __setBinaries(self):
offset = 8
for i in xrange(self.__fatHeader.nfat_arch):
header = FAT_ARC.from_buffer_copy(self.__binary[offset:])
rawBinary = self.__binary[header.offset:header.offset+header.size]
if rawBinary[:4] == unhexlify(b"cefaedfe") or rawBinary[:4] == unhexlify(b"cffaedfe"):
self.__machoBinaries.append(MACHO(rawBinary))
else:
print("[Error] Binary #"+str(i+1)+" in Universal binary has an unsupported format")
offset += sizeof(header)
def getExecSections(self):
ret = []
for binary in self.__machoBinaries:
ret += binary.getExecSections()
return ret
def getDataSections(self):
ret = []
for binary in self.__machoBinaries:
ret += binary.getDataSections()
return ret
def getFormat(self):
return "Universal"
# TODO: These three will just return whatever is in the first binary.
# Perhaps the rest of ROPgadget should support loading multiple binaries?
def getEntryPoint(self):
for binary in self.__machoBinaries:
return binary.getEntryPoint()
def getArch(self):
for binary in self.__machoBinaries:
return binary.getArch()
def getArchMode(self):
for binary in self.__machoBinaries:
return binary.getArchMode()
def deleteDuplicateGadgets(currentGadgets):
gadgets_content_set = set()
unique_gadgets = []
for gadget in currentGadgets:
gad = gadget["gadget"]
if gad in gadgets_content_set:
continue
gadgets_content_set.add(gad)
unique_gadgets += [gadget]
return unique_gadgets
def alphaSortgadgets(currentGadgets):
return sorted(currentGadgets, key=lambda key : key["gadget"])
class Options:
def __init__(self, options, binary, gadgets):
self.__options = options
self.__gadgets = gadgets
self.__binary = binary
if options.filter: self.__filterOption()
if options.only: self.__onlyOption()
if options.range: self.__rangeOption()
if options.badbytes: self.__deleteBadBytes()
def __filterOption(self):
new = []
if not self.__options.filter:
return
filt = self.__options.filter.split("|")
if not len(filt):
return
for gadget in self.__gadgets:
flag = 0
insts = gadget["gadget"].split(" ; ")
for ins in insts:
if ins.split(" ")[0] in filt:
flag = 1
break
if not flag:
new += [gadget]
self.__gadgets = new
def __onlyOption(self):
new = []
if not self.__options.only:
return
only = self.__options.only.split("|")
if not len(only):
return
for gadget in self.__gadgets:
flag = 0
insts = gadget["gadget"].split(" ; ")
for ins in insts:
if ins.split(" ")[0] not in only:
flag = 1
break
if not flag:
new += [gadget]
self.__gadgets = new
def __rangeOption(self):
new = []
rangeS = int(self.__options.range.split('-')[0], 16)
rangeE = int(self.__options.range.split('-')[1], 16)
if rangeS == 0 and rangeE == 0:
return
for gadget in self.__gadgets:
vaddr = gadget["vaddr"]
if vaddr >= rangeS and vaddr <= rangeE:
new += [gadget]
self.__gadgets = new
def __deleteBadBytes(self):
if not self.__options.badbytes:
return
new = []
#Filter out empty badbytes (i.e if badbytes was set to 00|ff| there's an empty badbyte after the last '|')
#and convert each one to the corresponding byte
bbytes = [bb.decode('hex') for bb in self.__options.badbytes.split("|") if bb]
archMode = self.__binary.getArchMode()
for gadget in self.__gadgets:
gadAddr = pack("<L", gadget["vaddr"]) if archMode == CS_MODE_32 else pack("<Q", gadget["vaddr"])
try:
for x in bbytes:
if x in gadAddr: raise
new += [gadget]
except:
pass
self.__gadgets = new
def getGadgets(self):
return self.__gadgets
class ROPMakerX86:
def __init__(self, binary, gadgets, liboffset=0x0):
self.__binary = binary
self.__gadgets = gadgets
# If it's a library, we have the option to add an offset to the addresses
self.__liboffset = liboffset
self.__generate()
def __lookingForWrite4Where(self, gadgetsAlreadyTested):
for gadget in self.__gadgets:
if gadget in gadgetsAlreadyTested:
continue
f = gadget["gadget"].split(" ; ")[0]
# regex -> mov dword ptr [r32], r32
regex = re.search("mov dword ptr \[(?P<dst>([(eax)|(ebx)|(ecx)|(edx)|(esi)|(edi)]{3}))\], (?P<src>([(eax)|(ebx)|(ecx)|(edx)|(esi)|(edi)]{3}))$", f)
if regex:
lg = gadget["gadget"].split(" ; ")[1:]
try:
for g in lg:
if g.split()[0] != "pop" and g.split()[0] != "ret":
raise
# we need this to filterout 'ret' instructions with an offset like 'ret 0x6', because they ruin the stack pointer
if g != "ret":
if g.split()[0] == "ret" and g.split()[1] != "":
raise
print("\t[+] Gadget found: 0x%x %s" %(gadget["vaddr"], gadget["gadget"]))
return [gadget, regex.group("dst"), regex.group("src")]
except:
continue
return None
def __lookingForSomeThing(self, something):
for gadget in self.__gadgets:
lg = gadget["gadget"].split(" ; ")
if lg[0] == something:
try:
for g in lg[1:]:
if g.split()[0] != "pop" and g.split()[0] != "ret":
raise
# we need this to filterout 'ret' instructions with an offset like 'ret 0x6', because they ruin the stack pointer
if g != "ret":
if g.split()[0] == "ret" and g.split()[1] != "":
raise
print("\t[+] Gadget found: 0x%x %s" %(gadget["vaddr"], gadget["gadget"]))
return gadget
except:
continue
return None
def __padding(self, gadget, regAlreadSetted):
lg = gadget["gadget"].split(" ; ")
for g in lg[1:]:
if g.split()[0] == "pop":
reg = g.split()[1]
try:
print("\tp += pack('<I', 0x%08x) # padding without overwrite %s" %(regAlreadSetted[reg], reg))
except KeyError:
print("\tp += pack('<I', 0x41414141) # padding")
def __buildRopChain(self, write4where, popDst, popSrc, xorSrc, xorEax, incEax, popEbx, popEcx, popEdx, syscall):
sects = self.__binary.getDataSections()
dataAddr = None
for s in sects:
if s["name"] == ".data":
dataAddr = s["vaddr"] + self.__liboffset
if dataAddr == None:
print("\n[-] Error - Can't find a writable section")
return
print("\t#!/usr/bin/env python2")
print("\t# execve generated by ROPgadget\n" )
print("\tfrom struct import pack\n")
print("\t# Padding goes here")
print("\tp = ''\n")
print("\tp += pack('<I', 0x%08x) # %s" %(popDst["vaddr"], popDst["gadget"]))
print("\tp += pack('<I', 0x%08x) # @ .data" %(dataAddr))
self.__padding(popDst, {})
print("\tp += pack('<I', 0x%08x) # %s" %(popSrc["vaddr"], popSrc["gadget"]))
print("\tp += '/bin'")
self.__padding(popSrc, {popDst["gadget"].split()[1]: dataAddr}) # Don't overwrite reg dst
print("\tp += pack('<I', 0x%08x) # %s" %(write4where["vaddr"], write4where["gadget"]))
self.__padding(write4where, {})
print("\tp += pack('<I', 0x%08x) # %s" %(popDst["vaddr"], popDst["gadget"]))
print("\tp += pack('<I', 0x%08x) # @ .data + 4" %(dataAddr + 4))
self.__padding(popDst, {})
print("\tp += pack('<I', 0x%08x) # %s" %(popSrc["vaddr"], popSrc["gadget"]))
print("\tp += '//sh'")
self.__padding(popSrc, {popDst["gadget"].split()[1]: dataAddr + 4}) # Don't overwrite reg dst
print("\tp += pack('<I', 0x%08x) # %s" %(write4where["vaddr"], write4where["gadget"]))
self.__padding(write4where, {})
print("\tp += pack('<I', 0x%08x) # %s" %(popDst["vaddr"], popDst["gadget"]))
print("\tp += pack('<I', 0x%08x) # @ .data + 8" %(dataAddr + 8))
self.__padding(popDst, {})
print("\tp += pack('<I', 0x%08x) # %s" %(xorSrc["vaddr"], xorSrc["gadget"]))
self.__padding(xorSrc, {})
print("\tp += pack('<I', 0x%08x) # %s" %(write4where["vaddr"], write4where["gadget"]))
self.__padding(write4where, {})
print("\tp += pack('<I', 0x%08x) # %s" %(popEbx["vaddr"], popEbx["gadget"]))
print("\tp += pack('<I', 0x%08x) # @ .data" %(dataAddr))
self.__padding(popEbx, {})
print("\tp += pack('<I', 0x%08x) # %s" %(popEcx["vaddr"], popEcx["gadget"]))
print("\tp += pack('<I', 0x%08x) # @ .data + 8" %(dataAddr + 8))
self.__padding(popEcx, {"ebx": dataAddr}) # Don't overwrite ebx
print("\tp += pack('<I', 0x%08x) # %s" %(popEdx["vaddr"], popEdx["gadget"]))
print("\tp += pack('<I', 0x%08x) # @ .data + 8" %(dataAddr + 8))
self.__padding(popEdx, {"ebx": dataAddr, "ecx": dataAddr + 8}) # Don't overwrite ebx and ecx
print("\tp += pack('<I', 0x%08x) # %s" %(xorEax["vaddr"], xorEax["gadget"]))
self.__padding(xorEax, {"ebx": dataAddr, "ecx": dataAddr + 8}) # Don't overwrite ebx and ecx
for i in range(11):
print("\tp += pack('<I', 0x%08x) # %s" %(incEax["vaddr"], incEax["gadget"]))
self.__padding(incEax, {"ebx": dataAddr, "ecx": dataAddr + 8}) # Don't overwrite ebx and ecx
print("\tp += pack('<I', 0x%08x) # %s" %(syscall["vaddr"], syscall["gadget"]))
def __generate(self):
# To find the smaller gadget
self.__gadgets.reverse()
print("\nROP chain generation\n===========================================================")
print("\n- Step 1 -- Write-what-where gadgets\n")
gadgetsAlreadyTested = []
while True:
write4where = self.__lookingForWrite4Where(gadgetsAlreadyTested)
if not write4where:
print("\t[-] Can't find the 'mov dword ptr [r32], r32' gadget")
return
popDst = self.__lookingForSomeThing("pop %s" %(write4where[1]))
if not popDst:
print("\t[-] Can't find the 'pop %s' gadget. Try with another 'mov [reg], reg'\n" %(write4where[1]))
gadgetsAlreadyTested += [write4where[0]]
continue
popSrc = self.__lookingForSomeThing("pop %s" %(write4where[2]))
if not popSrc:
print("\t[-] Can't find the 'pop %s' gadget. Try with another 'mov [reg], reg'\n" %(write4where[2]))
gadgetsAlreadyTested += [write4where[0]]
continue
xorSrc = self.__lookingForSomeThing("xor %s, %s" %(write4where[2], write4where[2]))
if not xorSrc:
print("\t[-] Can't find the 'xor %s, %s' gadget. Try with another 'mov [r], r'\n" %(write4where[2], write4where[2]))
gadgetsAlreadyTested += [write4where[0]]
continue
else:
break
print("\n- Step 2 -- Init syscall number gadgets\n")
xorEax = self.__lookingForSomeThing("xor eax, eax")
if not xorEax:
print("\t[-] Can't find the 'xor eax, eax' instuction")
return
incEax = self.__lookingForSomeThing("inc eax")
if not incEax:
print("\t[-] Can't find the 'inc eax' instuction")
return
print("\n- Step 3 -- Init syscall arguments gadgets\n")
popEbx = self.__lookingForSomeThing("pop ebx")
if not popEbx:
print("\t[-] Can't find the 'pop ebx' instruction")
return
popEcx = self.__lookingForSomeThing("pop ecx")
if not popEcx:
print("\t[-] Can't find the 'pop ecx' instruction")
return
popEdx = self.__lookingForSomeThing("pop edx")
if not popEdx:
print("\t[-] Can't find the 'pop edx' instruction")
return
print("\n- Step 4 -- Syscall gadget\n")
syscall = self.__lookingForSomeThing("int 0x80")
if not syscall:
print("\t[-] Can't find the 'syscall' instruction")
return
print("\n- Step 5 -- Build the ROP chain\n")
self.__buildRopChain(write4where[0], popDst, popSrc, xorSrc, xorEax, incEax, popEbx, popEcx, popEdx, syscall)
class ROPMakerX64:
def __init__(self, binary, gadgets, liboffset=0x0):
self.__binary = binary
self.__gadgets = gadgets
# If it's a library, we have the option to add an offset to the addresses
self.__liboffset = liboffset
self.__generate()
def __lookingForWrite4Where(self, gadgetsAlreadyTested):
for gadget in self.__gadgets:
if gadget in gadgetsAlreadyTested:
continue
f = gadget["gadget"].split(" ; ")[0]
regex = re.search("mov .* ptr \[(?P<dst>([(rax)|(rbx)|(rcx)|(rdx)|(rsi)|(rdi)|(r9)|(r10)|(r11)|(r12)|(r13)|(r14)|(r15)]{3}))\], (?P<src>([(rax)|(rbx)|(rcx)|(rdx)|(rsi)|(rdi)|(r9)|(r10)|(r11)|(r12)|(r13)|(r14)|(r15)]{3}))$", f)
if regex:
lg = gadget["gadget"].split(" ; ")[1:]
try:
for g in lg:
if g.split()[0] != "pop" and g.split()[0] != "ret":
raise
# we need this to filterout 'ret' instructions with an offset like 'ret 0x6', because they ruin the stack pointer
if g != "ret":
if g.split()[0] == "ret" and g.split()[1] != "":
raise
print("\t[+] Gadget found: 0x%x %s" %(gadget["vaddr"], gadget["gadget"]))
return [gadget, regex.group("dst"), regex.group("src")]
except:
continue
return None
def __lookingForSomeThing(self, something):
for gadget in self.__gadgets:
lg = gadget["gadget"].split(" ; ")
if lg[0] == something:
try:
for g in lg[1:]:
if g.split()[0] != "pop" and g.split()[0] != "ret":
raise
if g != "ret":
# we need this to filterout 'ret' instructions with an offset like 'ret 0x6', because they ruin the stack pointer
if g.split()[0] == "ret" and g.split()[1] != "":
raise
print("\t[+] Gadget found: 0x%x %s" %(gadget["vaddr"], gadget["gadget"]))
return gadget
except:
continue
return None
def __padding(self, gadget, regAlreadSetted):
lg = gadget["gadget"].split(" ; ")
for g in lg[1:]:
if g.split()[0] == "pop":
reg = g.split()[1]
try:
print("\tp += pack('<Q', 0x%016x) # padding without overwrite %s" %(regAlreadSetted[reg], reg))
except KeyError:
print("\tp += pack('<Q', 0x4141414141414141) # padding")
def __buildRopChain(self, write4where, popDst, popSrc, xorSrc, xorRax, incRax, popRdi, popRsi, popRdx, syscall):
sects = self.__binary.getDataSections()
dataAddr = None
for s in sects:
if s["name"] == ".data":
dataAddr = s["vaddr"] + self.__liboffset
if dataAddr is None:
print("\n[-] Error - Can't find a writable section")
return
print("\t#!/usr/bin/env python2")
print("\t# execve generated by ROPgadget\n")
print("\tfrom struct import pack\n")
print("\t# Padding goes here")
print("\tp = ''\n")
print("\tp += pack('<Q', 0x%016x) # %s" %(popDst["vaddr"], popDst["gadget"]))
print("\tp += pack('<Q', 0x%016x) # @ .data" %(dataAddr))
self.__padding(popDst, {})
print("\tp += pack('<Q', 0x%016x) # %s" %(popSrc["vaddr"], popSrc["gadget"]))
print("\tp += '/bin//sh'")
self.__padding(popSrc, {popDst["gadget"].split()[1]: dataAddr}) # Don't overwrite reg dst
print("\tp += pack('<Q', 0x%016x) # %s" %(write4where["vaddr"], write4where["gadget"]))
self.__padding(write4where, {})
print("\tp += pack('<Q', 0x%016x) # %s" %(popDst["vaddr"], popDst["gadget"]))
print("\tp += pack('<Q', 0x%016x) # @ .data + 8" %(dataAddr + 8))
self.__padding(popDst, {})
print("\tp += pack('<Q', 0x%016x) # %s" %(xorSrc["vaddr"], xorSrc["gadget"]))
self.__padding(xorSrc, {})
print("\tp += pack('<Q', 0x%016x) # %s" %(write4where["vaddr"], write4where["gadget"]))
self.__padding(write4where, {})
print("\tp += pack('<Q', 0x%016x) # %s" %(popRdi["vaddr"], popRdi["gadget"]))
print("\tp += pack('<Q', 0x%016x) # @ .data" %(dataAddr))
self.__padding(popRdi, {})
print("\tp += pack('<Q', 0x%016x) # %s" %(popRsi["vaddr"], popRsi["gadget"]))
print("\tp += pack('<Q', 0x%016x) # @ .data + 8" %(dataAddr + 8))
self.__padding(popRsi, {"rdi": dataAddr}) # Don't overwrite rdi
print("\tp += pack('<Q', 0x%016x) # %s" %(popRdx["vaddr"], popRdx["gadget"]))
print("\tp += pack('<Q', 0x%016x) # @ .data + 8" %(dataAddr + 8))
self.__padding(popRdx, {"rdi": dataAddr, "rsi": dataAddr + 8}) # Don't overwrite rdi and rsi
print("\tp += pack('<Q', 0x%016x) # %s" %(xorRax["vaddr"], xorRax["gadget"]))
self.__padding(xorRax, {"rdi": dataAddr, "rsi": dataAddr + 8}) # Don't overwrite rdi and rsi
for i in range(59):
print("\tp += pack('<Q', 0x%016x) # %s" %(incRax["vaddr"], incRax["gadget"]))
self.__padding(incRax, {"rdi": dataAddr, "rsi": dataAddr + 8}) # Don't overwrite rdi and rsi
print("\tp += pack('<Q', 0x%016x) # %s" %(syscall["vaddr"], syscall["gadget"]))
def __generate(self):
# To find the smaller gadget
self.__gadgets.reverse()
print("\nROP chain generation\n===========================================================")
print("\n- Step 1 -- Write-what-where gadgets\n")
gadgetsAlreadyTested = []
while True:
write4where = self.__lookingForWrite4Where(gadgetsAlreadyTested)
if not write4where:
print("\t[-] Can't find the 'mov qword ptr [r64], r64' gadget")
return
popDst = self.__lookingForSomeThing("pop %s" %(write4where[1]))
if not popDst:
print("\t[-] Can't find the 'pop %s' gadget. Try with another 'mov [reg], reg'\n" %(write4where[1]))
gadgetsAlreadyTested += [write4where[0]]
continue
popSrc = self.__lookingForSomeThing("pop %s" %(write4where[2]))
if not popSrc:
print("\t[-] Can't find the 'pop %s' gadget. Try with another 'mov [reg], reg'\n" %(write4where[2]))
gadgetsAlreadyTested += [write4where[0]]
continue
xorSrc = self.__lookingForSomeThing("xor %s, %s" %(write4where[2], write4where[2]))
if not xorSrc:
print("\t[-] Can't find the 'xor %s, %s' gadget. Try with another 'mov [reg], reg'\n" %(write4where[2], write4where[2]))
gadgetsAlreadyTested += [write4where[0]]
continue
else:
break
print("\n- Step 2 -- Init syscall number gadgets\n")
xorRax = self.__lookingForSomeThing("xor rax, rax")
if not xorRax:
print("\t[-] Can't find the 'xor rax, rax' instuction")
return
incRax = self.__lookingForSomeThing("inc rax")
incEax = self.__lookingForSomeThing("inc eax")
incAx = self.__lookingForSomeThing("inc al")
addRax = self.__lookingForSomeThing("add rax, 1")
addEax = self.__lookingForSomeThing("add eax, 1")
addAx = self.__lookingForSomeThing("add al, 1")
instr = [incRax, incEax, incAx, addRax, addEax, addAx]
if all(v is None for v in instr):
print("\t[-] Can't find the 'inc rax' or 'add rax, 1' instuction")
return
for i in instr:
if i is not None:
incRax = i
break
print("\n- Step 3 -- Init syscall arguments gadgets\n")
popRdi = self.__lookingForSomeThing("pop rdi")
if not popRdi:
print("\t[-] Can't find the 'pop rdi' instruction")
return
popRsi = self.__lookingForSomeThing("pop rsi")
if not popRsi:
print("\t[-] Can't find the 'pop rsi' instruction")
return
popRdx = self.__lookingForSomeThing("pop rdx")
if not popRdx:
print("\t[-] Can't find the 'pop rdx' instruction")
return
print("\n- Step 4 -- Syscall gadget\n")
syscall = self.__lookingForSomeThing("syscall")
if not syscall:
print("\t[-] Can't find the 'syscall' instruction")
return
print("\n- Step 5 -- Build the ROP chain\n")
self.__buildRopChain(write4where[0], popDst, popSrc, xorSrc, xorRax, incRax, popRdi, popRsi, popRdx, syscall)
class ROPMaker:
def __init__(self, binary, gadgets, offset):
self.__binary = binary
self.__gadgets = gadgets
self.__offset = offset
self.__handlerArch()
def __handlerArch(self):
if self.__binary.getArch() == CS_ARCH_X86 \
and self.__binary.getArchMode() == CS_MODE_32 \
and self.__binary.getFormat() == "ELF":
ROPMakerX86(self.__binary, self.__gadgets, self.__offset)
elif self.__binary.getArch() == CS_ARCH_X86 \
and self.__binary.getArchMode() == CS_MODE_64 \
and self.__binary.getFormat() == "ELF":
ROPMakerX64(self.__binary, self.__gadgets, self.__offset)
else:
print("\n[Error] ROPMaker.__handlerArch - Arch not supported yet for the rop chain generation")
class Gadgets:
def __init__(self, binary, options, offset):
self.__binary = binary
self.__options = options
self.__offset = offset
def __checkInstructionBlackListedX86(self, insts):
bl = ["db", "int3"]
for inst in insts:
for b in bl:
if inst.split(" ")[0] == b:
return True
return False
def __checkMultiBr(self, insts, br):
count = 0
for inst in insts:
if inst.split()[0] in br:
count += 1
return count
def __passCleanX86(self, gadgets, multibr=False):
new = []
br = ["ret", "retf", "int", "sysenter", "jmp", "call", "syscall"]
for gadget in gadgets:
insts = gadget["gadget"].split(" ; ")
if len(insts) == 1 and insts[0].split(" ")[0] not in br:
continue
if insts[-1].split(" ")[0] not in br:
continue
if self.__checkInstructionBlackListedX86(insts):
continue
if not multibr and self.__checkMultiBr(insts, br) > 1:
continue
if len([m.start() for m in re.finditer("ret", gadget["gadget"])]) > 1:
continue
new += [gadget]
return new
def __gadgetsFinding(self, section, gadgets, arch, mode):
C_OP = 0
C_SIZE = 1
C_ALIGN = 2
ret = []
md = Cs(arch, mode)
for gad in gadgets:
allRefRet = [m.start() for m in re.finditer(gad[C_OP], section["opcodes"])]
for ref in allRefRet:
for i in range(self.__options.depth):
if (section["vaddr"]+ref-(i*gad[C_ALIGN])) % gad[C_ALIGN] == 0:
off = self.__offset
decodes = md.disasm(section["opcodes"][ref-(i*gad[C_ALIGN]):ref+gad[C_SIZE]], section["vaddr"]+ref)
gadget = ""
for decode in decodes:
gadget += (decode.mnemonic + " " + decode.op_str + " ; ").replace(" ", " ")
if len(gadget) > 0:
gadget = gadget[:-3]
off = self.__offset
ret += [{"vaddr" : off+section["vaddr"]+ref-(i*gad[C_ALIGN]), "gadget" : gadget, "decodes" : decodes, "bytes": section["opcodes"][ref-(i*gad[C_ALIGN]):ref+gad[C_SIZE]]}]
return ret
def addROPGadgets(self, section):
arch = self.__binary.getArch()
arch_mode = self.__binary.getArchMode()
if arch == CS_ARCH_X86:
gadgets = [
[b"\xc3", 1, 1], # ret
[b"\xc2[\x00-\xff]{2}", 3, 1], # ret <imm>
[b"\xcb", 1, 1], # retf
[b"\xca[\x00-\xff]{2}", 3, 1] # retf <imm>
]
elif arch == CS_ARCH_MIPS: gadgets = [] # MIPS doesn't contains RET instruction set. Only JOP gadgets
elif arch == CS_ARCH_PPC:
gadgets = [
[b"\x4e\x80\x00\x20", 4, 4] # blr
]
arch_mode = arch_mode + CS_MODE_BIG_ENDIAN
elif arch == CS_ARCH_SPARC:
gadgets = [
[b"\x81\xc3\xe0\x08", 4, 4], # retl
[b"\x81\xc7\xe0\x08", 4, 4], # ret
[b"\x81\xe8\x00\x00", 4, 4] # restore
]
arch_mode = CS_MODE_BIG_ENDIAN
elif arch == CS_ARCH_ARM: gadgets = [] # ARM doesn't contains RET instruction set. Only JOP gadgets
elif arch == CS_ARCH_ARM64:
gadgets = [
[b"\xc0\x03\x5f\xd6", 4, 4] # ret
]
arch_mode = CS_MODE_ARM
else:
print("Gadgets().addROPGadgets() - Architecture not supported")
return None
if len(gadgets) > 0 :
return self.__gadgetsFinding(section, gadgets, arch, arch_mode)
return gadgets
def addJOPGadgets(self, section):
arch = self.__binary.getArch()
arch_mode = self.__binary.getArchMode()
if arch == CS_ARCH_X86:
gadgets = [
[b"\xff[\x20\x21\x22\x23\x26\x27]{1}", 2, 1], # jmp [reg]
[b"\xff[\xe0\xe1\xe2\xe3\xe4\xe6\xe7]{1}", 2, 1], # jmp [reg]
[b"\xff[\x10\x11\x12\x13\x16\x17]{1}", 2, 1], # jmp [reg]
[b"\xff[\xd0\xd1\xd2\xd3\xd4\xd6\xd7]{1}", 2, 1] # call [reg]
]
elif arch == CS_ARCH_MIPS:
gadgets = [
[b"\x09\xf8\x20\x03[\x00-\xff]{4}", 8, 4], # jrl $t9
[b"\x08\x00\x20\x03[\x00-\xff]{4}", 8, 4], # jr $t9
[b"\x08\x00\xe0\x03[\x00-\xff]{4}", 8, 4] # jr $ra
]
elif arch == CS_ARCH_PPC: gadgets = [] # PPC architecture doesn't contains reg branch instruction
elif arch == CS_ARCH_SPARC:
gadgets = [
[b"\x81\xc0[\x00\x40\x80\xc0]{1}\x00", 4, 4] # jmp %g[0-3]
]
arch_mode = CS_MODE_BIG_ENDIAN
elif arch == CS_ARCH_ARM64:
gadgets = [
[b"[\x00\x20\x40\x60\x80\xa0\xc0\xe0]{1}[\x00\x02]{1}\x1f\xd6", 4, 4], # br reg
[b"[\x00\x20\x40\x60\x80\xa0\xc0\xe0]{1}[\x00\x02]{1}\x5C\x3f\xd6", 4, 4] # blr reg
]
arch_mode = CS_MODE_ARM
elif arch == CS_ARCH_ARM:
if self.__options.thumb or self.__options.rawMode == "thumb":
gadgets = [
[b"[\x00\x08\x10\x18\x20\x28\x30\x38\x40\x48\x70]{1}\x47", 2, 2], # bx reg
[b"[\x80\x88\x90\x98\xa0\xa8\xb0\xb8\xc0\xc8\xf0]{1}\x47", 2, 2], # blx reg
[b"[\x00-\xff]{1}\xbd", 2, 2] # pop {,pc}
]
arch_mode = CS_MODE_THUMB
else:
gadgets = [
[b"[\x10-\x19\x1e]{1}\xff\x2f\xe1", 4, 4], # bx reg
[b"[\x30-\x39\x3e]{1}\xff\x2f\xe1", 4, 4], # blx reg
[b"[\x00-\xff]{1}\x80\xbd\xe8", 4, 4] # pop {,pc}
]
arch_mode = CS_MODE_ARM
else:
print("Gadgets().addJOPGadgets() - Architecture not supported")
return None
if len(gadgets) > 0 :
return self.__gadgetsFinding(section, gadgets, arch, arch_mode)
return gadgets
def addSYSGadgets(self, section):
arch = self.__binary.getArch()
arch_mode = self.__binary.getArchMode()
if arch == CS_ARCH_X86:
gadgets = [
[b"\xcd\x80", 2, 1], # int 0x80
[b"\x0f\x34", 2, 1], # sysenter
[b"\x0f\x05", 2, 1], # syscall
[b"\x65\xff\x15\x10\x00\x00\x00", 7, 1], # call DWORD PTR gs:0x10
[b"\xcd\x80\xc3", 3, 1], # int 0x80 ; ret
[b"\x0f\x34\xc3", 3, 1], # sysenter ; ret
[b"\x0f\x05\xc3", 3, 1], # syscall ; ret
[b"\x65\xff\x15\x10\x00\x00\x00\xc3", 8, 1], # call DWORD PTR gs:0x10 ; ret
]
elif arch == CS_ARCH_MIPS:
gadgets = [
[b"\x0c\x00\x00\x00", 4, 4] # syscall
]
elif arch == CS_ARCH_PPC: gadgets = [] # TODO (sc inst)
elif arch == CS_ARCH_SPARC: gadgets = [] # TODO (ta inst)
elif arch == CS_ARCH_ARM64: gadgets = [] # TODO
elif arch == CS_ARCH_ARM:
if self.__options.thumb or self.__options.rawMode == "thumb":
gadgets = [
[b"\x00-\xff]{1}\xef", 2, 2] # svc
]
arch_mode = CS_MODE_THUMB
else:
gadgets = [
[b"\x00-\xff]{3}\xef", 4, 4] # svc
]
arch_mode = CS_MODE_ARM
else:
print("Gadgets().addSYSGadgets() - Architecture not supported")
return None
if len(gadgets) > 0 :
return self.__gadgetsFinding(section, gadgets, arch, arch_mode)
return []
def passClean(self, gadgets, multibr):
arch = self.__binary.getArch()
if arch == CS_ARCH_X86: return self.__passCleanX86(gadgets, multibr)
elif arch == CS_ARCH_MIPS: return gadgets
elif arch == CS_ARCH_PPC: return gadgets
elif arch == CS_ARCH_SPARC: return gadgets
elif arch == CS_ARCH_ARM: return gadgets
elif arch == CS_ARCH_ARM64: return gadgets
else:
print("Gadgets().passClean() - Architecture not supported")
return None
class Core(cmd.Cmd):
def __init__(self, options):
cmd.Cmd.__init__(self)
self.__options = options
self.__binary = None
self.__gadgets = []
self.__offset = 0
self.prompt = '(ROPgadget)> '
def __checksBeforeManipulations(self):
if self.__binary == None or self.__binary.getBinary() == None or self.__binary.getArch() == None or self.__binary.getArchMode() == None:
return False
return True
def __getAllgadgets(self):
if self.__checksBeforeManipulations() == False:
return False
G = Gadgets(self.__binary, self.__options, self.__offset)
execSections = self.__binary.getExecSections()
# Find ROP/JOP/SYS gadgets
self.__gadgets = []
for section in execSections:
if not self.__options.norop: self.__gadgets += G.addROPGadgets(section)
if not self.__options.nojop: self.__gadgets += G.addJOPGadgets(section)
if not self.__options.nosys: self.__gadgets += G.addSYSGadgets(section)
# Pass clean single instruction and unknown instructions
self.__gadgets = G.passClean(self.__gadgets, self.__options.multibr)
# Delete duplicate gadgets
if not self.__options.all:
self.__gadgets = deleteDuplicateGadgets(self.__gadgets)
# Applicate some Options
self.__gadgets = Options(self.__options, self.__binary, self.__gadgets).getGadgets()
# Sorted alphabetically
self.__gadgets = alphaSortgadgets(self.__gadgets)
return True
def __lookingForGadgets(self):
if self.__checksBeforeManipulations() == False:
return False
arch = self.__binary.getArchMode()
print("Gadgets information\n============================================================")
for gadget in self.__gadgets:
vaddr = gadget["vaddr"]
insts = gadget["gadget"]
bytes = gadget["bytes"]
bytesStr = " // " + bytes.encode('hex') if self.__options.dump else ""
print(("0x%08x" %(vaddr) if arch == CS_MODE_32 else "0x%016x" %(vaddr)) + " : %s" %(insts) + bytesStr)
print("\nUnique gadgets found: %d" %(len(self.__gadgets)))
return True
def __lookingForAString(self, string):
if self.__checksBeforeManipulations() == False:
return False
dataSections = self.__binary.getDataSections()
arch = self.__binary.getArchMode()
print("Strings information\n============================================================")
for section in dataSections:
allRef = [m.start() for m in re.finditer(string, section["opcodes"])]
for ref in allRef:
vaddr = self.__offset + section["vaddr"] + ref
string = section["opcodes"][ref:ref+len(string)]
rangeS = int(self.__options.range.split('-')[0], 16)
rangeE = int(self.__options.range.split('-')[1], 16)
if (rangeS == 0 and rangeE == 0) or (vaddr >= rangeS and vaddr <= rangeE):
print(("0x%08x" %(vaddr) if arch == CS_MODE_32 else "0x%016x" %(vaddr)) + " : %s" %(string))
return True
def __lookingForOpcodes(self, opcodes):
if self.__checksBeforeManipulations() == False:
return False
execSections = self.__binary.getExecSections()
arch = self.__binary.getArchMode()
print("Opcodes information\n============================================================")
for section in execSections:
allRef = [m.start() for m in re.finditer(opcodes.decode("hex"), section["opcodes"])]
for ref in allRef:
vaddr = self.__offset + section["vaddr"] + ref
rangeS = int(self.__options.range.split('-')[0], 16)
rangeE = int(self.__options.range.split('-')[1], 16)
if (rangeS == 0 and rangeE == 0) or (vaddr >= rangeS and vaddr <= rangeE):
print(("0x%08x" %(vaddr) if arch == CS_MODE_32 else "0x%016x" %(vaddr)) + " : %s" %(opcodes))
return True
def __lookingForMemStr(self, memstr):
if self.__checksBeforeManipulations() == False:
return False
sections = self.__binary.getExecSections()
sections += self.__binary.getDataSections()
arch = self.__binary.getArchMode()
print("Memory bytes information\n=======================================================")
chars = list(memstr)
for char in chars:
try:
for section in sections:
allRef = [m.start() for m in re.finditer(char, section["opcodes"])]
for ref in allRef:
vaddr = self.__offset + section["vaddr"] + ref
rangeS = int(self.__options.range.split('-')[0], 16)
rangeE = int(self.__options.range.split('-')[1], 16)
if (rangeS == 0 and rangeE == 0) or (vaddr >= rangeS and vaddr <= rangeE):
print(("0x%08x" %(vaddr) if arch == CS_MODE_32 else "0x%016x" %(vaddr)) + " : '%c'" %(char))
raise
except:
pass
return True
def analyze(self):
try:
self.__offset = int(self.__options.offset, 16) if self.__options.offset else 0
except ValueError:
print("[Error] The offset must be in hexadecimal")
return False
if self.__options.console:
if self.__options.binary:
self.__binary = Binary(self.__options)
if self.__checksBeforeManipulations() == False:
return False
self.cmdloop()
return True
self.__binary = Binary(self.__options)
if self.__checksBeforeManipulations() == False:
return False
if self.__options.string: return self.__lookingForAString(self.__options.string)
elif self.__options.opcode: return self.__lookingForOpcodes(self.__options.opcode)
elif self.__options.memstr: return self.__lookingForMemStr(self.__options.memstr)
else:
self.__getAllgadgets()
self.__lookingForGadgets()
if self.__options.ropchain:
ROPMaker(self.__binary, self.__gadgets, self.__offset)
return True
def gadgets(self):
return self.__gadgets
# Console methods ============================================
def do_binary(self, s, silent=False):
# Do not split the filename with spaces since it might contain
# whitespaces
if len(s) == 0:
if not silent:
return self.help_binary()
return False
binary = s
self.__options.binary = binary
self.__binary = Binary(self.__options)
if self.__checksBeforeManipulations() == False:
return False
if not silent:
print("[+] Binary loaded")
def help_binary(self):
print("Syntax: binary <file> -- Load a binary")
return False
def do_EOF(self, s, silent=False):
return self.do_quit(s, silent)
def do_quit(self, s, silent=False):
return True
def help_quit(self):
print("Syntax: quit -- Terminates the application")
return False
def do_load(self, s, silent=False):
if self.__binary == None:
if not silent:
print("[-] No binary loaded.")
return False
if not silent:
print("[+] Loading gadgets, please wait...")
self.__getAllgadgets()
if not silent:
print("[+] Gadgets loaded !")
def help_load(self):
print("Syntax: load -- Load all gadgets")
return False
def do_display(self, s, silent=False):
self.__lookingForGadgets()
def help_display(self):
print("Syntax: display -- Display all gadgets loaded")
return False
def do_depth(self, s, silent=False):
try:
depth = int(s.split()[0])
except:
if not silent:
return self.help_depth()
return False
if depth <= 0:
if not silent:
print("[-] The depth value must be > 0")
return False
self.__options.depth = int(depth)
if not silent:
print("[+] Depth updated. You have to reload gadgets")
def help_depth(self):
print("Syntax: depth <value> -- Set the depth search engine")
return False
def do_badbytes(self, s, silent=False):
try:
bb = s.split()[0]
except:
if not silent:
return self.help_badbytes()
else:
return False
self.__options.badbytes = bb
if not silent:
print("[+] Bad bytes updated. You have to reload gadgets")
def help_badbytes(self):
print("Syntax: badbytes <badbyte1|badbyte2...> -- ")
return False
def __withK(self, listK, gadget):
if len(listK) == 0:
return True
for a in listK:
if a not in gadget:
return False
return True
def __withoutK(self, listK, gadget):
for a in listK:
if a in gadget:
return False
return True
def do_search(self, s, silent=False):
args = s.split()
if not len(args):
return self.help_search()
withK, withoutK = [], []
for a in args:
if a[0:1] == "!":
withoutK += [a[1:]]
else:
withK += [a]
if self.__checksBeforeManipulations() == False:
if not silent:
print("[-] You have to load a binary")
return False
arch = self.__binary.getArchMode()
for gadget in self.__gadgets:
vaddr = gadget["vaddr"]
insts = gadget["gadget"]
if self.__withK(withK, insts) and self.__withoutK(withoutK, insts):
# What to do if silent = True?
print(("0x%08x" %(vaddr) if arch == CS_MODE_32 else "0x%016x" %(vaddr)) + " : %s" %(insts))
def help_search(self):
print("Syntax: search <keyword1 keyword2 keyword3...> -- Filter with or without keywords")
print("keyword = with")
print("!keyword = witout")
return False
def count(self):
return len(self.__gadgets)
def do_count(self, s, silent=False):
if not silent:
print("[+] %d loaded gadgets." % self.count())
def help_count(self):
print("Shows the number of loaded gadgets.")
return False
def do_filter(self, s, silent=False):
try:
self.__options.filter = s.split()[0]
except:
if not silent:
return self.help_filter()
return False
if not silent:
print("[+] Filter setted. You have to reload gadgets")
def help_filter(self):
print("Syntax: filter <filter1|filter2|...> - Suppress specific instructions")
return False
def do_only(self, s, silent=False):
try:
self.__options.only = s.split()[0]
except:
if not silent:
return self.help_only()
return False
if not silent:
print("[+] Only setted. You have to reload gadgets")
def help_only(self):
print("Syntax: only <only1|only2|...> - Only show specific instructions")
return False
def do_range(self, s, silent=False):
try:
rangeS = int(s.split('-')[0], 16)
rangeE = int(s.split('-')[1], 16)
self.__options.range = s.split()[0]
except:
if not silent:
return self.help_range()
return False
if rangeS > rangeE:
if not silent:
print("[-] The start value must be greater than the end value")
return False
if not silent:
print("[+] Range setted. You have to reload gadgets")
def help_range(self):
print("Syntax: range <start-and> - Search between two addresses (0x...-0x...)")
return False
def do_settings(self, s, silent=False):
print("All: %s" %(self.__options.all))
print("Badbytes: %s" %(self.__options.badbytes))
print("Binary: %s" %(self.__options.binary))
print("Depth: %s" %(self.__options.depth))
print("Filter: %s" %(self.__options.filter))
print("Memstr: %s" %(self.__options.memstr))
print("MultiBr: %s" %(self.__options.multibr))
print("NoJOP: %s" %(self.__options.nojop))
print("NoROP: %s" %(self.__options.norop))
print("NoSYS: %s" %(self.__options.nosys))
print("Offset: %s" %(self.__options.offset))
print("Only: %s" %(self.__options.only))
print("Opcode: %s" %(self.__options.opcode))
print("ROPchain: %s" %(self.__options.ropchain))
print("Range: %s" %(self.__options.range))
print("RawArch: %s" %(self.__options.rawArch))
print("RawMode: %s" %(self.__options.rawMode))
print("String: %s" %(self.__options.string))
print("Thumb: %s" %(self.__options.thumb))
def help_settings(self):
print("Display setting's environment")
return False
def do_nojop(self, s, silent=False):
try:
arg = s.split()[0]
except:
return self.help_nojop()
if arg == "enable":
self.__options.nojop = True
if not silent:
print("[+] NoJOP enable. You have to reload gadgets")
elif arg == "disable":
self.__options.nojop = False
if not silent:
print("[+] NoJOP disable. You have to reload gadgets")
else:
if not silent:
return self.help_nojop()
return False
def help_nojop(self):
print("Syntax: nojop <enable|disable> - Disable JOP search engin")
return False
def do_norop(self, s, silent=False):
try:
arg = s.split()[0]
except:
return self.help_norop()
if arg == "enable":
self.__options.norop = True
if not silent:
print("[+] NoROP enable. You have to reload gadgets")
elif arg == "disable":
self.__options.norop = False
if not silent:
print("[+] NoROP disable. You have to reload gadgets")
else:
if not silent:
return self.help_norop()
return False
def help_norop(self):
print("Syntax: norop <enable|disable> - Disable ROP search engin")
return False
def do_nosys(self, s, silent=False):
try:
arg = s.split()[0]
except:
return self.help_nosys()
if arg == "enable":
self.__options.nosys = True
if not silent:
print("[+] NoSYS enable. You have to reload gadgets")
elif arg == "disable":
self.__options.nosys = False
if not silent:
print("[+] NoSYS disable. You have to reload gadgets")
else:
if not silent:
return self.help_nosys()
return False
def help_nosys(self):
print("Syntax: nosys <enable|disable> - Disable SYS search engin")
return False
def do_thumb(self, s, silent=False):
try:
arg = s.split()[0]
except:
return self.help_thumb()
if arg == "enable":
self.__options.thumb = True
if not silent:
print("[+] Thumb enable. You have to reload gadgets")
elif arg == "disable":
self.__options.thumb = False
if not silent:
print("[+] Thumb disable. You have to reload gadgets")
else:
if not silent:
return self.help_thumb()
return False
def help_thumb(self):
print("Syntax: thumb <enable|disable> - Use the thumb mode for the search engine (ARM only)")
return False
def do_all(self, s, silent=False):
if s == "enable":
self.__options.all = True
if not silent:
print("[+] Showing all gadgets enabled. You have to reload gadgets")
elif s == "disable":
self.__options.all = False
if not silent:
print("[+] Showing all gadgets disabled. You have to reload gadgets")
else:
if not silent:
return self.help_all()
return False
def help_multibr(self):
print("Syntax: multibr <enable|disable> - Enable/Disable multiple branch gadgets")
return False
def do_multibr(self, s, silent=False):
if s == "enable":
self.__options.multibr = True
if not silent:
print("[+] Multiple branch gadgets enabled. You have to reload gadgets")
elif s == "disable":
self.__options.multibr = False
if not silent:
print("[+] Multiple branch gadgets disabled. You have to reload gadgets")
else:
if not silent:
return self.help_all()
return False
def help_all(self):
print("Syntax: all <enable|disable - Show all gadgets (disable removing duplice gadgets)")
return False
class Binary:
def __init__(self, options):
self.__fileName = options.binary
self.__rawBinary = None
self.__binary = None
try:
fd = open(self.__fileName, "rb")
self.__rawBinary = fd.read()
fd.close()
except:
print("[Error] Can't open the binary or binary not found")
return None
if self.__rawBinary[:4] == unhexlify(b"cafebabe"):
self.__binary = UNIVERSAL(self.__rawBinary)
elif self.__rawBinary[:4] == unhexlify(b"cefaedfe") or self.__rawBinary[:4] == unhexlify(b"cffaedfe"):
self.__binary = MACHO(self.__rawBinary)
def getFileName(self):
return self.__fileName
def getRawBinary(self):
return self.__rawBinary
def getBinary(self):
return self.__binary
def getEntryPoint(self):
return self.__binary.getEntryPoint()
def getDataSections(self):
return self.__binary.getDataSections()
def getExecSections(self):
return self.__binary.getExecSections()
def getArch(self):
return self.__binary.getArch()
def getArchMode(self):
return self.__binary.getArchMode()
def getFormat(self):
return self.__binary.getFormat()
class Args:
def __init__(self, arguments=None):
self.__args = None
custom_arguments_provided = True
# If no custom arguments are provided, use the program arguments
if not arguments:
arguments = args
custom_arguments_provided = False
sys.argv=arguments
self.__parse(arguments, custom_arguments_provided)
def __parse(self, arguments, custom_arguments_provided=False):
parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter,
description="""description:
rop(ROPgadget) lets you search your gadgets on a binary. It supports several
file formats and architectures and uses the Capstone disassembler for
the search engine.
formats supported:
- ELF
- PE
- Mach-O
- Raw
architectures supported:
- x86
- x86-64
- ARM
- ARM64
- MIPS
- PowerPC
- Sparc
""",
epilog="""examples:
rop --binary ./test-suite-binaries/elf-Linux-x86
rop --binary ./test-suite-binaries/elf-Linux-x86 --ropchain
rop --binary ./test-suite-binaries/elf-Linux-x86 --depth 3
rop --binary ./test-suite-binaries/elf-Linux-x86 --string "main"
rop --binary ./test-suite-binaries/elf-Linux-x86 --string "m..n"
rop --binary ./test-suite-binaries/elf-Linux-x86 --opcode c9c3
rop --binary ./test-suite-binaries/elf-Linux-x86 --only "mov|ret"
rop --binary ./test-suite-binaries/elf-Linux-x86 --only "mov|pop|xor|ret"
rop --binary ./test-suite-binaries/elf-Linux-x86 --filter "xchg|add|sub"
rop --binary ./test-suite-binaries/elf-Linux-x86 --norop --nosys
rop --binary ./test-suite-binaries/elf-Linux-x86 --range 0x08041000-0x08042000
rop --binary ./test-suite-binaries/elf-Linux-x86 --string main --range 0x080c9aaa-0x080c9aba
rop --binary ./test-suite-binaries/elf-Linux-x86 --memstr "/bin/sh"
rop --binary ./test-suite-binaries/elf-Linux-x86 --console
rop --binary ./test-suite-binaries/elf-Linux-x86 --badbytes "00|7f|42"
rop --binary ./test-suite-binaries/Linux_lib64.so --offset 0xdeadbeef00000000
rop --binary ./test-suite-binaries/elf-ARMv7-ls --depth 5
rop --binary ./test-suite-binaries/elf-ARM64-bash --depth 5
rop --binary ./test-suite-binaries/raw-x86.raw --rawArch=x86 --rawMode=32""")
parser.add_argument("--binary", type=str, metavar="<binary>", help="Specify a binary filename to analyze")
parser.add_argument("--opcode", type=str, metavar="<opcodes>", help="Search opcode in executable segment")
parser.add_argument("--string", type=str, metavar="<string>", help="Search string in readable segment")
parser.add_argument("--memstr", type=str, metavar="<string>", help="Search each byte in all readable segment")
parser.add_argument("--depth", type=int, metavar="<nbyte>", default=10, help="Depth for search engine (default 10)")
parser.add_argument("--only", type=str, metavar="<key>", help="Only show specific instructions")
parser.add_argument("--filter", type=str, metavar="<key>", help="Suppress specific instructions")
parser.add_argument("--range", type=str, metavar="<start-end>", default="0x0-0x0", help="Search between two addresses (0x...-0x...)")
parser.add_argument("--badbytes", type=str, metavar="<byte>", help="Rejects specific bytes in the gadget's address")
parser.add_argument("--rawArch", type=str, metavar="<arch>", help="Specify an arch for a raw file")
parser.add_argument("--rawMode", type=str, metavar="<mode>", help="Specify a mode for a raw file")
parser.add_argument("--offset", type=str, metavar="<hexaddr>", help="Specify an offset for gadget addresses")
parser.add_argument("--ropchain", action="store_true", help="Enable the ROP chain generation")
parser.add_argument("--thumb" , action="store_true", help="Use the thumb mode for the search engine (ARM only)")
parser.add_argument("--console", action="store_true", help="Use an interactive console for search engine")
parser.add_argument("--norop", action="store_true", help="Disable ROP search engine")
parser.add_argument("--nojop", action="store_true", help="Disable JOP search engine")
parser.add_argument("--nosys", action="store_true", help="Disable SYS search engine")
parser.add_argument("--multibr", action="store_true", help="Enable multiple branch gadgets")
parser.add_argument("--all", action="store_true", help="Disables the removal of duplicate gadgets")
parser.add_argument("--dump", action="store_true", help="Outputs the gadget bytes")
self.__args = parser.parse_args(arguments)
if self.__args.depth < 2:
print("[Error] The depth must be >= 2")
sys.exit(-1)
elif not custom_arguments_provided and not self.__args.binary and not self.__args.console:
print("[Error] Need a binary filename (--binary/--console or --help)")
sys.exit(-1)
elif self.__args.range:
try:
rangeS = int(self.__args.range.split('-')[0], 16)
rangeE = int(self.__args.range.split('-')[1], 16)
except:
print("[Error] A range must be set in hexadecimal. Ex: 0x08041000-0x08042000")
sys.exit(-1)
if rangeS > rangeE:
print("[Error] The start value must be greater than end value")
sys.exit(-1)
def __printVersion(self):
print("Version: %s" %(PYROPGADGET_VERSION))
print("Author: Jonathan Salwan" )
print("Author page: https://twitter.com/JonathanSalwan" )
print("Project page: http://shell-storm.org/project/ROPgadget/" )
def getArgs(self):
return self.__args
def rop(debugger,args,result,dict):
args=shlex.split(args)
if args:
Core(Args(arguments=args).getArgs()).analyze()
else:
print """description:
rop(ROPgadget) lets you search your gadgets on a binary. It supports several
file formats and architectures and uses the Capstone disassembler for
the search engine.
formats supported:
- ELF
- PE
- Mach-O
- Raw
architectures supported:
- x86
- x86-64
- ARM
- ARM64
- MIPS
- PowerPC
- Sparc
epilog=examples:
rop --binary ./test-suite-binaries/elf-Linux-x86
rop --binary ./test-suite-binaries/elf-Linux-x86 --ropchain
rop --binary ./test-suite-binaries/elf-Linux-x86 --depth 3
rop --binary ./test-suite-binaries/elf-Linux-x86 --string "main"
rop --binary ./test-suite-binaries/elf-Linux-x86 --string "m..n"
rop --binary ./test-suite-binaries/elf-Linux-x86 --opcode c9c3
rop --binary ./test-suite-binaries/elf-Linux-x86 --only "mov|ret"
rop --binary ./test-suite-binaries/elf-Linux-x86 --only "mov|pop|xor|ret"
rop --binary ./test-suite-binaries/elf-Linux-x86 --filter "xchg|add|sub"
rop --binary ./test-suite-binaries/elf-Linux-x86 --norop --nosys
rop --binary ./test-suite-binaries/elf-Linux-x86 --range 0x08041000-0x08042000
rop --binary ./test-suite-binaries/elf-Linux-x86 --string main --range 0x080c9aaa-0x080c9aba
rop --binary ./test-suite-binaries/elf-Linux-x86 --memstr "/bin/sh"
rop --binary ./test-suite-binaries/elf-Linux-x86 --console
rop --binary ./test-suite-binaries/elf-Linux-x86 --badbytes "00|7f|42"
rop --binary ./test-suite-binaries/Linux_lib64.so --offset 0xdeadbeef00000000
rop --binary ./test-suite-binaries/elf-ARMv7-ls --depth 5
rop --binary ./test-suite-binaries/elf-ARM64-bash --depth 5
rop --binary ./test-suite-binaries/raw-x86.raw --rawArch=x86 --rawMode=32"""
def __lldb_init_module(debugger, dict):
debugger.HandleCommand('command script add --function lisa.exploitable exploitable')
debugger.HandleCommand('command script add --function lisa.pattern_create pattern_create')
debugger.HandleCommand('command script add --function lisa.pattern_offset pattern_offset')
debugger.HandleCommand('command script add --function lisa.check_if_cyclic check_if_cyclic')
debugger.HandleCommand('command script add --function lisa.stepnInstructions sf')
debugger.HandleCommand('command script add --function lisa.context ct')
debugger.HandleCommand('command script add --function lisa.s s')
debugger.HandleCommand('command script add --function lisa.si si')
debugger.HandleCommand('command script add --function lisa.so so')
debugger.HandleCommand('command script add --function lisa.banner banner')
debugger.HandleCommand('command script add --function lisa.exploitable exploitable')
debugger.HandleCommand('command script add -function lisa.setMallocDebug setmalloc')
debugger.HandleCommand('command script add -function lisa.shellcode shellcode')
debugger.HandleCommand('command script add -function lisa.extract_from_universal_binary extract')
debugger.HandleCommand('command script add --function lisa.dump dump')
debugger.HandleCommand('command script add --function lisa.rop rop')
tty_colors = TerminalColors (True)
Reference in New Issue View Git Blame Copy Permalink