Created
March 23, 2014 08:37
-
-
Save inaz2/9720399 to your computer and use it in GitHub Desktop.
list ROP gadgets in a library
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ python list_gadgets.py libc.so.6 | head | |
| 78a: dec edi | |
| 877: or al,BYTE PTR [ecx] | |
| 8ee: dec esp | |
| cf2: add BYTE PTR [eax],al | |
| 106e: add BYTE PTR [eax],al | |
| 122e: add BYTE PTR [eax],al | |
| 13ea: add BYTE PTR [eax],al | |
| 1736: add BYTE PTR [eax],al | |
| 1735: pop es; add BYTE PTR [eax],al | |
| 1a32: pop es |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import sys | |
| from subprocess import Popen, PIPE | |
| fpath = sys.argv[1] | |
| with open(fpath, 'rb') as f: | |
| blob = f.read() | |
| try: | |
| i = -1 | |
| while True: | |
| i = blob.index('\xc3', i+1) | |
| for j in range(4): | |
| p1 = Popen(['objdump', '-M', 'intel', '-D', '-b', 'binary', '-m', 'i386', "--start-address=%d" % (i-j-1), "--stop-address=%d" % (i+1), fpath], stdout=PIPE) | |
| p2 = Popen(['grep', '^ '], stdin=p1.stdout, stdout=PIPE) | |
| stdout, stderr = p2.communicate() | |
| if not stdout or '(bad)' in stdout or '<internal disassembler error>' in stdout: | |
| continue | |
| lines = stdout.splitlines() | |
| if lines[-1].endswith('\tret '): | |
| print lines[0].split('\t',1)[0] + '\t', | |
| print '; \t'.join(line.split('\t')[2] for line in lines[:-1]) | |
| except ValueError: | |
| pass |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment