Created
November 30, 2013 16:31
-
-
Save csmatt/7721132 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import ObjdumpHandler | |
| import Utils | |
| objdump_functions = None | |
| def get_objdump_functions(file_path): | |
| global objdump_functions | |
| if objdump_functions is None: | |
| f = open(file_path, 'r') | |
| objdump_lines = f.readlines() | |
| f.close() | |
| objdump_functions = ObjdumpHandler.extract_functions_from_objdump_lines(objdump_lines) | |
| return objdump_functions | |
| def find_loads_from_stack(file_path, limit_to=5, jump_register="t9", disallowed_registers=None): | |
| def gadget_sorter(gadget): | |
| """Returns the longest continuous sequence of loads into s-registers in a given gadget""" | |
| greatest_count = 0 | |
| count = 0 | |
| for inst in gadget: | |
| if inst.operator == 'lw' and inst.operands[0].startswith('s') and 'sp' in inst.operands[1]: | |
| count += 1 | |
| else: | |
| if count > greatest_count: | |
| greatest_count = count | |
| count = 0 | |
| if count > greatest_count: | |
| greatest_count = count | |
| return greatest_count | |
| functions = get_objdump_functions(file_path) | |
| if not disallowed_registers: | |
| disallowed_registers = [jump_register] | |
| elif jump_register not in disallowed_registers: | |
| disallowed_registers.append(jump_register) | |
| rop_gadgets = [] | |
| for function in functions: | |
| rop_gadgets.extend(function.search("lw s*,sp", disallowed_registers, jump_register)) | |
| return sorted(rop_gadgets, key=gadget_sorter, reverse=True)[:limit_to] | |
| def find_load_arg_for_sleep(file_path, limit_to=5, jump_register="t9", disallowed_registers=None): | |
| functions = get_objdump_functions(file_path) | |
| if not disallowed_registers: | |
| disallowed_registers = [jump_register] | |
| elif jump_register not in disallowed_registers: | |
| disallowed_registers.append(jump_register) | |
| rop_gadgets = [] | |
| for function in functions: | |
| rop_gadgets.extend(function.search("li a0", disallowed_registers, jump_register)) | |
| return rop_gadgets[:limit_to] | |
| def find_locating_of_stack(file_path, limit_to=5, jump_register="t9", disallowed_registers=None): | |
| functions = get_objdump_functions(file_path) | |
| if not disallowed_registers: | |
| disallowed_registers = [jump_register] | |
| elif jump_register not in disallowed_registers: | |
| disallowed_registers.append(jump_register) | |
| rop_gadgets = [] | |
| for function in functions: | |
| rop_gadgets.extend(function.search("addiu **,sp", disallowed_registers, jump_register)) | |
| def prioritize_starts_with_move(gadget): | |
| if gadget[0].operator == "move": | |
| return 100 | |
| else: | |
| return 0 | |
| return sorted(rop_gadgets, key=prioritize_starts_with_move, reverse=True)[:limit_to] | |
| libc_path = '../libc' | |
| print "Loads from stack" | |
| Utils.print_list(find_loads_from_stack(libc_path)) | |
| print "Load argument for sleep" | |
| Utils.print_list(find_load_arg_for_sleep(libc_path)) | |
| print "Locating of stack" | |
| Utils.print_list(find_locating_of_stack(libc_path)) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment