rex-rop_builder 0.1.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +7 -0
- checksums.yaml.gz.sig +0 -0
- data.tar.gz.sig +0 -0
- data/.gitignore +9 -0
- data/.rspec +2 -0
- data/.travis.yml +5 -0
- data/CODE_OF_CONDUCT.md +49 -0
- data/Gemfile +4 -0
- data/README.md +31 -0
- data/Rakefile +6 -0
- data/bin/console +14 -0
- data/bin/msfrop +159 -0
- data/bin/setup +8 -0
- data/lib/rex/rop_builder.rb +9 -0
- data/lib/rex/rop_builder/rop.rb +275 -0
- data/lib/rex/rop_builder/version.rb +5 -0
- data/rex-rop_builder.gemspec +29 -0
- metadata +219 -0
- metadata.gz.sig +1 -0
checksums.yaml
ADDED
@@ -0,0 +1,7 @@
|
|
1
|
+
---
|
2
|
+
SHA1:
|
3
|
+
metadata.gz: 7bc2354d88b4f91955160ec7f9105e8108026b61
|
4
|
+
data.tar.gz: 937e2285bd4255995307f85d77f06e7ddd399fe2
|
5
|
+
SHA512:
|
6
|
+
metadata.gz: 847e25734d93938aadbc2a84111a876e703ea770073e9164e0b20603f993b0c7c64bd3e38a7a60acf41ef3f8ea215f5093e6cb171eae892f380532f913a223b7
|
7
|
+
data.tar.gz: 25ecb9cc8dca756392349bd16bf5e97f4f55d837a71aeadddad643a27f0d6ba65e58faeadc996eac49238c968e77a7f7cd12cb9a613f5ff113670f316975b8c8
|
checksums.yaml.gz.sig
ADDED
Binary file
|
data.tar.gz.sig
ADDED
Binary file
|
data/.gitignore
ADDED
data/.rspec
ADDED
data/.travis.yml
ADDED
data/CODE_OF_CONDUCT.md
ADDED
@@ -0,0 +1,49 @@
|
|
1
|
+
# Contributor Code of Conduct
|
2
|
+
|
3
|
+
As contributors and maintainers of this project, and in the interest of
|
4
|
+
fostering an open and welcoming community, we pledge to respect all people who
|
5
|
+
contribute through reporting issues, posting feature requests, updating
|
6
|
+
documentation, submitting pull requests or patches, and other activities.
|
7
|
+
|
8
|
+
We are committed to making participation in this project a harassment-free
|
9
|
+
experience for everyone, regardless of level of experience, gender, gender
|
10
|
+
identity and expression, sexual orientation, disability, personal appearance,
|
11
|
+
body size, race, ethnicity, age, religion, or nationality.
|
12
|
+
|
13
|
+
Examples of unacceptable behavior by participants include:
|
14
|
+
|
15
|
+
* The use of sexualized language or imagery
|
16
|
+
* Personal attacks
|
17
|
+
* Trolling or insulting/derogatory comments
|
18
|
+
* Public or private harassment
|
19
|
+
* Publishing other's private information, such as physical or electronic
|
20
|
+
addresses, without explicit permission
|
21
|
+
* Other unethical or unprofessional conduct
|
22
|
+
|
23
|
+
Project maintainers have the right and responsibility to remove, edit, or
|
24
|
+
reject comments, commits, code, wiki edits, issues, and other contributions
|
25
|
+
that are not aligned to this Code of Conduct, or to ban temporarily or
|
26
|
+
permanently any contributor for other behaviors that they deem inappropriate,
|
27
|
+
threatening, offensive, or harmful.
|
28
|
+
|
29
|
+
By adopting this Code of Conduct, project maintainers commit themselves to
|
30
|
+
fairly and consistently applying these principles to every aspect of managing
|
31
|
+
this project. Project maintainers who do not follow or enforce the Code of
|
32
|
+
Conduct may be permanently removed from the project team.
|
33
|
+
|
34
|
+
This code of conduct applies both within project spaces and in public spaces
|
35
|
+
when an individual is representing the project or its community.
|
36
|
+
|
37
|
+
Instances of abusive, harassing, or otherwise unacceptable behavior may be
|
38
|
+
reported by contacting a project maintainer at DMaloney@rapid7.com. All
|
39
|
+
complaints will be reviewed and investigated and will result in a response that
|
40
|
+
is deemed necessary and appropriate to the circumstances. Maintainers are
|
41
|
+
obligated to maintain confidentiality with regard to the reporter of an
|
42
|
+
incident.
|
43
|
+
|
44
|
+
This Code of Conduct is adapted from the [Contributor Covenant][homepage],
|
45
|
+
version 1.3.0, available at
|
46
|
+
[http://contributor-covenant.org/version/1/3/0/][version]
|
47
|
+
|
48
|
+
[homepage]: http://contributor-covenant.org
|
49
|
+
[version]: http://contributor-covenant.org/version/1/3/0/
|
data/Gemfile
ADDED
data/README.md
ADDED
@@ -0,0 +1,31 @@
|
|
1
|
+
# Rex::RopBuilder
|
2
|
+
|
3
|
+
This is the Ruby Exploitation(Rex) Library for building ROP chains. It also comes with the msfrop command line tool.
|
4
|
+
|
5
|
+
## Installation
|
6
|
+
|
7
|
+
Add this line to your application's Gemfile:
|
8
|
+
|
9
|
+
```ruby
|
10
|
+
gem 'rex-rop_builder'
|
11
|
+
```
|
12
|
+
|
13
|
+
And then execute:
|
14
|
+
|
15
|
+
$ bundle
|
16
|
+
|
17
|
+
Or install it yourself as:
|
18
|
+
|
19
|
+
$ gem install rex-rop_builder
|
20
|
+
|
21
|
+
|
22
|
+
## Development
|
23
|
+
|
24
|
+
After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
|
25
|
+
|
26
|
+
To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
|
27
|
+
|
28
|
+
## Contributing
|
29
|
+
|
30
|
+
Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/rex-rop_builder. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [Contributor Covenant](http://contributor-covenant.org) code of conduct.
|
31
|
+
|
data/Rakefile
ADDED
data/bin/console
ADDED
@@ -0,0 +1,14 @@
|
|
1
|
+
#!/usr/bin/env ruby
|
2
|
+
|
3
|
+
require "bundler/setup"
|
4
|
+
require "rex/rop_builder"
|
5
|
+
|
6
|
+
# You can add fixtures and/or initialization code here to make experimenting
|
7
|
+
# with your gem easier. You can also use a different console, if you like.
|
8
|
+
|
9
|
+
# (If you use this, don't forget to add pry to your Gemfile!)
|
10
|
+
# require "pry"
|
11
|
+
# Pry.start
|
12
|
+
|
13
|
+
require "irb"
|
14
|
+
IRB.start
|
data/bin/msfrop
ADDED
@@ -0,0 +1,159 @@
|
|
1
|
+
#!/usr/bin/env ruby
|
2
|
+
# -*- coding: binary -*-
|
3
|
+
#
|
4
|
+
# $Id$
|
5
|
+
#
|
6
|
+
# This tool will collect, export, and import ROP gadgets
|
7
|
+
# from various file formats (PE, ELF, Macho)
|
8
|
+
# $Revision$
|
9
|
+
#
|
10
|
+
|
11
|
+
require 'rex/rop_builder'
|
12
|
+
require 'rex/text/color'
|
13
|
+
require 'optparse'
|
14
|
+
|
15
|
+
def opt2i(o)
|
16
|
+
o.index("0x")==0 ? o.hex : o.to_i
|
17
|
+
end
|
18
|
+
|
19
|
+
opts = {}
|
20
|
+
color = true
|
21
|
+
|
22
|
+
opt = OptionParser.new
|
23
|
+
opt.banner = "Usage #{$PROGRAM_NAME} <option> [targets]"
|
24
|
+
opt.separator('')
|
25
|
+
opt.separator('Options:')
|
26
|
+
|
27
|
+
opt.on('-d', '--depth [size]', 'Number of maximum bytes to backwards disassemble from return instructions') do |d|
|
28
|
+
opts[:depth] = opt2i(d)
|
29
|
+
end
|
30
|
+
|
31
|
+
opt.on('-s', '--search [regex]', 'Search for gadgets matching a regex, match intel syntax or raw bytes') do |regex|
|
32
|
+
opts[:pattern] = regex
|
33
|
+
end
|
34
|
+
|
35
|
+
opt.on('-n', '--nocolor', 'Disable color. Useful for piping to other tools like the less and more commands') do
|
36
|
+
color = false
|
37
|
+
end
|
38
|
+
|
39
|
+
opt.on('-x', '--export [filename]', 'Export gadgets to CSV format') do |csv|
|
40
|
+
opts[:export] = csv
|
41
|
+
end
|
42
|
+
|
43
|
+
opt.on('-i', '--import [filename]', 'Import gadgets from previous collections') do |csv|
|
44
|
+
opts[:import] = csv
|
45
|
+
end
|
46
|
+
|
47
|
+
opt.on('-v', '--verbose', 'Output very verbosely') do
|
48
|
+
opts[:verbose] = true
|
49
|
+
end
|
50
|
+
|
51
|
+
opt.on_tail('-h', '--help', 'Show this message') do
|
52
|
+
puts opt
|
53
|
+
exit
|
54
|
+
end
|
55
|
+
|
56
|
+
begin
|
57
|
+
opt.parse!
|
58
|
+
rescue OptionParser::InvalidOption
|
59
|
+
puts "Invalid option, try -h for usage"
|
60
|
+
exit(1)
|
61
|
+
end
|
62
|
+
|
63
|
+
if opts.empty? and (ARGV.empty? or ARGV.nil?)
|
64
|
+
puts "no options"
|
65
|
+
puts opt
|
66
|
+
exit(1)
|
67
|
+
end
|
68
|
+
|
69
|
+
# set defaults
|
70
|
+
opts[:depth] ||= 5
|
71
|
+
|
72
|
+
gadgets = []
|
73
|
+
|
74
|
+
if opts[:import].nil?
|
75
|
+
files = []
|
76
|
+
ARGV.each do |file|
|
77
|
+
if(File.directory?(file))
|
78
|
+
dir = Dir.open(file)
|
79
|
+
dir.entries.each do |ent|
|
80
|
+
path = File.join(file, ent)
|
81
|
+
next if not File.file?(path)
|
82
|
+
files << File.join(path)
|
83
|
+
end
|
84
|
+
else
|
85
|
+
files << file
|
86
|
+
end
|
87
|
+
end
|
88
|
+
|
89
|
+
ropbuilder = Rex::RopBuilder::RopCollect.new
|
90
|
+
|
91
|
+
files.each do |file|
|
92
|
+
ret, retn = []
|
93
|
+
ropbuilder = Rex::RopBuilder::RopCollect.new(file)
|
94
|
+
ropbuilder.print_msg("Collecting gadgets from %bld%cya#{file}%clr\n", color)
|
95
|
+
retn = ropbuilder.collect(opts[:depth], "\xc2") # retn
|
96
|
+
ret = ropbuilder.collect(opts[:depth], "\xc3") # ret
|
97
|
+
ropbuilder.print_msg("Found %grn#{ret.count + retn.count}%clr gadgets\n\n", color)
|
98
|
+
|
99
|
+
# compile a list of all gadgets from all files
|
100
|
+
ret.each do |gadget|
|
101
|
+
gadgets << gadget
|
102
|
+
if opts[:verbose]
|
103
|
+
ropbuilder.print_msg("#{gadget[:file]} gadget: %bld%grn#{gadget[:address]}%clr\n", color)
|
104
|
+
ropbuilder.print_msg("#{gadget[:disasm]}\n", color)
|
105
|
+
end
|
106
|
+
end
|
107
|
+
|
108
|
+
retn.each do |gadget|
|
109
|
+
gadgets << gadget
|
110
|
+
if opts[:verbose]
|
111
|
+
ropbuilder.print_msg("#{gadget[:file]} gadget: %bld%grn#{gadget[:address]}%clr\n", color)
|
112
|
+
ropbuilder.print_msg("#{gadget[:disasm]}\n", color)
|
113
|
+
end
|
114
|
+
end
|
115
|
+
|
116
|
+
end
|
117
|
+
|
118
|
+
ropbuilder.print_msg("Found %bld%grn#{gadgets.count}%clr gadgets total\n\n", color)
|
119
|
+
end
|
120
|
+
|
121
|
+
if opts[:import]
|
122
|
+
|
123
|
+
ropbuilder = Rex::RopBuilder::RopCollect.new()
|
124
|
+
ropbuilder.print_msg("Importing gadgets from %bld%cya#{opts[:import]}\n", color)
|
125
|
+
gadgets = ropbuilder.import(opts[:import])
|
126
|
+
|
127
|
+
gadgets.each do |gadget|
|
128
|
+
ropbuilder.print_msg("gadget: %bld%cya#{gadget[:address]}%clr\n", color)
|
129
|
+
ropbuilder.print_msg(gadget[:disasm] + "\n", color)
|
130
|
+
end
|
131
|
+
|
132
|
+
ropbuilder.print_msg("Imported %grn#{gadgets.count}%clr gadgets\n", color)
|
133
|
+
end
|
134
|
+
|
135
|
+
if opts[:pattern]
|
136
|
+
matches = ropbuilder.pattern_search(opts[:pattern])
|
137
|
+
if opts[:verbose]
|
138
|
+
ropbuilder.print_msg("Found %grn#{matches.count}%clr matches\n", color)
|
139
|
+
end
|
140
|
+
end
|
141
|
+
|
142
|
+
if opts[:export]
|
143
|
+
ropbuilder.print_msg("Exporting %grn#{gadgets.count}%clr gadgets to %bld%cya#{opts[:export]}%clr\n", color)
|
144
|
+
csv = ropbuilder.to_csv(gadgets)
|
145
|
+
|
146
|
+
if csv.nil?
|
147
|
+
exit(1)
|
148
|
+
end
|
149
|
+
|
150
|
+
begin
|
151
|
+
fd = File.new(opts[:export], 'w')
|
152
|
+
fd.puts csv
|
153
|
+
fd.close
|
154
|
+
rescue
|
155
|
+
puts "Error writing #{opts[:export]} file"
|
156
|
+
exit(1)
|
157
|
+
end
|
158
|
+
ropbuilder.print_msg("%bld%redSuccess!%clr gadgets exported to %bld%cya#{opts[:export]}%clr\n", color)
|
159
|
+
end
|
data/bin/setup
ADDED
@@ -0,0 +1,275 @@
|
|
1
|
+
# -*- coding: binary -*-
|
2
|
+
require 'metasm'
|
3
|
+
require 'rex/compat'
|
4
|
+
require 'rex/text/table'
|
5
|
+
require 'rex/text/color'
|
6
|
+
|
7
|
+
module Rex
|
8
|
+
module RopBuilder
|
9
|
+
|
10
|
+
class RopBase
|
11
|
+
include Rex::Text::Color
|
12
|
+
def initialize()
|
13
|
+
@gadgets = []
|
14
|
+
end
|
15
|
+
|
16
|
+
def to_csv(gadgets = [])
|
17
|
+
if gadgets.empty? and @gadgets.nil? or @gadgets.empty?
|
18
|
+
print_error("No gadgets collected to convert to CSV format.")
|
19
|
+
return
|
20
|
+
end
|
21
|
+
|
22
|
+
# allow the users to import gadget collections from multiple files
|
23
|
+
if @gadgets.empty? or @gadgets.nil?
|
24
|
+
@gadgets = gadgets
|
25
|
+
end
|
26
|
+
|
27
|
+
table = Rex::Text::Table.new(
|
28
|
+
'Header' => "#{@file} ROP Gadgets",
|
29
|
+
'Indent' => 1,
|
30
|
+
'Columns' =>
|
31
|
+
[
|
32
|
+
"Address",
|
33
|
+
"Raw",
|
34
|
+
"Disassembly",
|
35
|
+
])
|
36
|
+
|
37
|
+
@gadgets.each do |gadget|
|
38
|
+
table << [gadget[:address], gadget[:raw].unpack('H*')[0], gadget[:disasm].gsub(/\n/, ' | ')]
|
39
|
+
end
|
40
|
+
|
41
|
+
return table.to_csv
|
42
|
+
end
|
43
|
+
|
44
|
+
def import(file)
|
45
|
+
begin
|
46
|
+
data = File.new(file, 'r').read
|
47
|
+
rescue
|
48
|
+
print_error("Error reading #{file}")
|
49
|
+
return []
|
50
|
+
end
|
51
|
+
|
52
|
+
if data.empty? or data.nil?
|
53
|
+
return []
|
54
|
+
end
|
55
|
+
|
56
|
+
data.gsub!(/\"/, '')
|
57
|
+
data.gsub!("Address,Raw,Disassembly\n", '')
|
58
|
+
|
59
|
+
@gadgets = []
|
60
|
+
|
61
|
+
data.each_line do |line|
|
62
|
+
addr, raw, disasm = line.split(',', 3)
|
63
|
+
if addr.nil? or raw.nil? or disasm.nil?
|
64
|
+
print_error("Import file format corrupted")
|
65
|
+
return []
|
66
|
+
end
|
67
|
+
disasm.gsub!(/: /, ":\t")
|
68
|
+
disasm.gsub!(' | ', "\n")
|
69
|
+
raw = [raw].pack('H*')
|
70
|
+
@gadgets << {:file => file, :address => addr, :raw => raw, :disasm => disasm.chomp!}
|
71
|
+
end
|
72
|
+
@gadgets
|
73
|
+
end
|
74
|
+
|
75
|
+
def supports_color?
|
76
|
+
true
|
77
|
+
end
|
78
|
+
|
79
|
+
def print_error(msg = '')
|
80
|
+
print_msg("%bld%red[-]%clr #{msg}")
|
81
|
+
end
|
82
|
+
|
83
|
+
def print_msg(msg, color=true)
|
84
|
+
if color
|
85
|
+
msg = substitute_colors(msg)
|
86
|
+
end
|
87
|
+
puts msg
|
88
|
+
end
|
89
|
+
|
90
|
+
def print_status(msg = '')
|
91
|
+
print_msg("%bld%blu[*]%clr #{msg}")
|
92
|
+
end
|
93
|
+
end
|
94
|
+
|
95
|
+
class RopCollect < RopBase
|
96
|
+
def initialize(file="")
|
97
|
+
@file = file if not file.empty?
|
98
|
+
@bin = Metasm::AutoExe.decode_file(file) if not file.empty?
|
99
|
+
@disassembler = @bin.disassembler if not @bin.nil?
|
100
|
+
if @disassembler
|
101
|
+
@disassembler.cpu = Metasm::Ia32.new('386_common')
|
102
|
+
end
|
103
|
+
super()
|
104
|
+
end
|
105
|
+
|
106
|
+
def collect(depth, pattern)
|
107
|
+
matches = []
|
108
|
+
gadgets = []
|
109
|
+
|
110
|
+
# find matches by scanning for the pattern
|
111
|
+
matches = @disassembler.pattern_scan(pattern)
|
112
|
+
if @bin.kind_of?(Metasm::PE)
|
113
|
+
@bin.sections.each do |section|
|
114
|
+
next if section.characteristics.include? 'MEM_EXECUTE'
|
115
|
+
# delete matches if the address is outside the virtual address space
|
116
|
+
matches.delete_if do |ea|
|
117
|
+
va = section.virtaddr + @bin.optheader.image_base
|
118
|
+
ea >= va and ea < va + section.virtsize
|
119
|
+
end
|
120
|
+
end
|
121
|
+
elsif @bin.kind_of?(Metasm::ELF)
|
122
|
+
@bin.segments.each do |seg|
|
123
|
+
next if seg.flags.include? 'X'
|
124
|
+
matches.delete_if do |ea|
|
125
|
+
ea >= seg.vaddr and ea < seg.vaddr + seg.memsz
|
126
|
+
end
|
127
|
+
end
|
128
|
+
elsif @bin.kind_of?(Metasm::MachO)
|
129
|
+
@bin.segments.each do |seg|
|
130
|
+
next if seg.initprot.include? 'EXECUTE'
|
131
|
+
matches.delete_if do |ea|
|
132
|
+
ea >= seg.virtaddr and ea < seg.virtaddr + seg.filesize
|
133
|
+
end
|
134
|
+
end
|
135
|
+
end
|
136
|
+
|
137
|
+
gadgets = process_gadgets(matches, depth)
|
138
|
+
gadgets.each do |gadget|
|
139
|
+
@gadgets << gadget
|
140
|
+
end
|
141
|
+
gadgets
|
142
|
+
end
|
143
|
+
|
144
|
+
def pattern_search(pattern)
|
145
|
+
p = Regexp.new("(" + pattern + ")")
|
146
|
+
matches = []
|
147
|
+
|
148
|
+
@gadgets.each do |gadget|
|
149
|
+
disasm = ""
|
150
|
+
addrs = []
|
151
|
+
|
152
|
+
gadget[:disasm].each_line do |line|
|
153
|
+
addr, asm = line.split("\t", 2)
|
154
|
+
addrs << addr
|
155
|
+
disasm << asm
|
156
|
+
end
|
157
|
+
|
158
|
+
if gadget[:raw] =~ p or gadget[:disasm] =~ p or disasm =~ p
|
159
|
+
matches << {:gadget => gadget, :disasm => disasm, :addrs => addrs}
|
160
|
+
end
|
161
|
+
end
|
162
|
+
matches.each do |match|
|
163
|
+
print_status("gadget with address: %bld%cya#{match[:gadget][:address]}%clr matched")
|
164
|
+
color_pattern(match[:gadget], match[:disasm], match[:addrs], p)
|
165
|
+
end
|
166
|
+
matches
|
167
|
+
end
|
168
|
+
|
169
|
+
def color_pattern(gadget, disasm, addrs, p)
|
170
|
+
idx = disasm.index(p)
|
171
|
+
if idx.nil?
|
172
|
+
print_msg(gadget[:disasm])
|
173
|
+
return
|
174
|
+
end
|
175
|
+
|
176
|
+
disasm = disasm.insert(idx, "%bld%grn")
|
177
|
+
|
178
|
+
asm = ""
|
179
|
+
cnt = 0
|
180
|
+
colors = false
|
181
|
+
disasm.each_line do |line|
|
182
|
+
# if we find this then we are in the matching area
|
183
|
+
if line.index(/\%bld\%grn/)
|
184
|
+
colors = true
|
185
|
+
end
|
186
|
+
asm << "%clr" + addrs[cnt] + "\t"
|
187
|
+
|
188
|
+
# color the remaining parts of the gadget
|
189
|
+
if colors and line.index("%bld%grn").nil?
|
190
|
+
asm << "%bld%grn" + line
|
191
|
+
else
|
192
|
+
asm << line
|
193
|
+
end
|
194
|
+
|
195
|
+
cnt += 1
|
196
|
+
end
|
197
|
+
asm << "%clr\n"
|
198
|
+
print_msg(asm)
|
199
|
+
end
|
200
|
+
|
201
|
+
def process_gadgets(rets, num)
|
202
|
+
ret = {}
|
203
|
+
gadgets = []
|
204
|
+
tmp = []
|
205
|
+
rets.each do |ea|
|
206
|
+
insn = @disassembler.disassemble_instruction(ea)
|
207
|
+
next if not insn
|
208
|
+
|
209
|
+
xtra = insn.bin_length
|
210
|
+
|
211
|
+
num.downto(0) do |x|
|
212
|
+
addr = ea - x
|
213
|
+
|
214
|
+
# get the disassembled instruction at this address
|
215
|
+
di = @disassembler.disassemble_instruction(addr)
|
216
|
+
|
217
|
+
# skip invalid instructions
|
218
|
+
next if not di
|
219
|
+
next if di.opcode.props[:setip]
|
220
|
+
next if di.opcode.props[:stopexec]
|
221
|
+
|
222
|
+
# get raw bytes
|
223
|
+
buf = @disassembler.read_raw_data(addr, x + xtra)
|
224
|
+
|
225
|
+
|
226
|
+
# make sure disassembling forward leads to our instruction
|
227
|
+
next if not ends_with_addr(buf, addr, ea)
|
228
|
+
|
229
|
+
dasm = ""
|
230
|
+
while addr <= ea
|
231
|
+
di = @disassembler.disassemble_instruction(addr)
|
232
|
+
dasm << ("0x%08x:\t" % addr) + di.instruction.to_s + "\n"
|
233
|
+
addr = addr + di.bin_length
|
234
|
+
end
|
235
|
+
|
236
|
+
if not tmp.include?(ea)
|
237
|
+
tmp << ea
|
238
|
+
else
|
239
|
+
next
|
240
|
+
end
|
241
|
+
|
242
|
+
# otherwise, we create a new tailchunk and add it to the list
|
243
|
+
ret = {:file => @file, :address => ("0x%08x" % (ea - x)), :raw => buf, :disasm => dasm}
|
244
|
+
gadgets << ret
|
245
|
+
end
|
246
|
+
end
|
247
|
+
gadgets
|
248
|
+
end
|
249
|
+
|
250
|
+
private
|
251
|
+
def ends_with_addr(raw, base, addr)
|
252
|
+
dasm2 = Metasm::Shellcode.decode(raw, @disassembler.cpu).disassembler
|
253
|
+
offset = 0
|
254
|
+
while ((di = dasm2.disassemble_instruction(offset)))
|
255
|
+
return true if (base + offset) == addr
|
256
|
+
return false if di.opcode.props[:setip]
|
257
|
+
return false if di.opcode.props[:stopexec]
|
258
|
+
offset = di.next_addr
|
259
|
+
end
|
260
|
+
false
|
261
|
+
end
|
262
|
+
|
263
|
+
def raw_instructions(raw)
|
264
|
+
insns = []
|
265
|
+
d2 = Metasm::Shellcode.decode(raw, @disassembler.cpu).disassembler
|
266
|
+
addr = 0
|
267
|
+
while ((di = d2.disassemble_instruction(addr)))
|
268
|
+
insns << di.instruction
|
269
|
+
addr = di.next_addr
|
270
|
+
end
|
271
|
+
insns
|
272
|
+
end
|
273
|
+
end
|
274
|
+
end
|
275
|
+
end
|
@@ -0,0 +1,29 @@
|
|
1
|
+
# coding: utf-8
|
2
|
+
lib = File.expand_path('../lib', __FILE__)
|
3
|
+
$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
|
4
|
+
require 'rex/rop_builder/version'
|
5
|
+
|
6
|
+
Gem::Specification.new do |spec|
|
7
|
+
spec.name = "rex-rop_builder"
|
8
|
+
spec.version = Rex::RopBuilder::VERSION
|
9
|
+
spec.authors = ["David Maloney"]
|
10
|
+
spec.email = ["DMaloney@rapid7.com"]
|
11
|
+
|
12
|
+
spec.summary = %q{Ruby Exploitation(Rex) Library for building ROP chains.}
|
13
|
+
spec.homepage = "https://github.com/rapid7/rex-rop_builder"
|
14
|
+
|
15
|
+
|
16
|
+
|
17
|
+
spec.files = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
|
18
|
+
spec.bindir = "bin"
|
19
|
+
spec.executables = ["msfrop"]
|
20
|
+
spec.require_paths = ["lib"]
|
21
|
+
|
22
|
+
spec.add_development_dependency "bundler", "~> 1.12"
|
23
|
+
spec.add_development_dependency "rake", "~> 10.0"
|
24
|
+
spec.add_development_dependency "rspec", "~> 3.0"
|
25
|
+
|
26
|
+
spec.add_runtime_dependency "metasm"
|
27
|
+
spec.add_runtime_dependency "rex-core"
|
28
|
+
spec.add_runtime_dependency "rex-text"
|
29
|
+
end
|
metadata
ADDED
@@ -0,0 +1,219 @@
|
|
1
|
+
--- !ruby/object:Gem::Specification
|
2
|
+
name: rex-rop_builder
|
3
|
+
version: !ruby/object:Gem::Version
|
4
|
+
version: 0.1.0
|
5
|
+
platform: ruby
|
6
|
+
authors:
|
7
|
+
- David Maloney
|
8
|
+
autorequire:
|
9
|
+
bindir: bin
|
10
|
+
cert_chain:
|
11
|
+
- |
|
12
|
+
-----BEGIN CERTIFICATE-----
|
13
|
+
MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG
|
14
|
+
A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
|
15
|
+
b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw
|
16
|
+
MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i
|
17
|
+
YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT
|
18
|
+
aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ
|
19
|
+
jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp
|
20
|
+
xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp
|
21
|
+
1Wrjsok6Vjk4bwY8iGlbKk3Fp1S4bInMm/k8yuX9ifUSPJJ4ltbcdG6TRGHRjcdG
|
22
|
+
snUOhugZitVtbNV4FpWi6cgKOOvyJBNPc1STE4U6G7weNLWLBYy5d4ux2x8gkasJ
|
23
|
+
U26Qzns3dLlwR5EiUWMWea6xrkEmCMgZK9FGqkjWZCrXgzT/LCrBbBlDSgeF59N8
|
24
|
+
9iFo7+ryUp9/k5DPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8E
|
25
|
+
BTADAQH/MB0GA1UdDgQWBBRge2YaRQ2XyolQL30EzTSo//z9SzANBgkqhkiG9w0B
|
26
|
+
AQUFAAOCAQEA1nPnfE920I2/7LqivjTFKDK1fPxsnCwrvQmeU79rXqoRSLblCKOz
|
27
|
+
yj1hTdNGCbM+w6DjY1Ub8rrvrTnhQ7k4o+YviiY776BQVvnGCv04zcQLcFGUl5gE
|
28
|
+
38NflNUVyRRBnMRddWQVDf9VMOyGj/8N7yy5Y0b2qvzfvGn9LhJIZJrglfCm7ymP
|
29
|
+
AbEVtQwdpf5pLGkkeB6zpxxxYu7KyJesF12KwvhHhm4qxFYxldBniYUr+WymXUad
|
30
|
+
DKqC5JlR3XC321Y9YeRq4VzW9v493kHMB65jUr9TU/Qr6cf9tveCX4XSQRjbgbME
|
31
|
+
HMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A==
|
32
|
+
-----END CERTIFICATE-----
|
33
|
+
- |
|
34
|
+
-----BEGIN CERTIFICATE-----
|
35
|
+
MIIEKDCCAxCgAwIBAgILBAAAAAABL07hNVwwDQYJKoZIhvcNAQEFBQAwVzELMAkG
|
36
|
+
A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
|
37
|
+
b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw0xMTA0MTMxMDAw
|
38
|
+
MDBaFw0xOTA0MTMxMDAwMDBaMFExCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i
|
39
|
+
YWxTaWduIG52LXNhMScwJQYDVQQDEx5HbG9iYWxTaWduIENvZGVTaWduaW5nIENB
|
40
|
+
IC0gRzIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCyTxTnEL7XJnKr
|
41
|
+
NpfvU79ChF5Y0Yoo/ENGb34oRFALdV0A1zwKRJ4gaqT3RUo3YKNuPxL6bfq2RsNq
|
42
|
+
o7gMJygCVyjRUPdhOVW4w+ElhlI8vwUd17Oa+JokMUnVoqni05GrPjxz7/Yp8cg1
|
43
|
+
0DB7f06SpQaPh+LO9cFjZqwYaSrBXrta6G6V/zuAYp2Zx8cvZtX9YhqCVVrG+kB3
|
44
|
+
jskwPBvw8jW4bFmc/enWyrRAHvcEytFnqXTjpQhU2YM1O46MIwx1tt6GSp4aPgpQ
|
45
|
+
STic0qiQv5j6yIwrJxF+KvvO3qmuOJMi+qbs+1xhdsNE1swMfi9tBoCidEC7tx/0
|
46
|
+
O9dzVB/zAgMBAAGjgfowgfcwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
|
47
|
+
Af8CAQAwHQYDVR0OBBYEFAhu2Lacir/tPtfDdF3MgB+oL1B6MEcGA1UdIARAMD4w
|
48
|
+
PAYEVR0gADA0MDIGCCsGAQUFBwIBFiZodHRwczovL3d3dy5nbG9iYWxzaWduLmNv
|
49
|
+
bS9yZXBvc2l0b3J5LzAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3JsLmdsb2Jh
|
50
|
+
bHNpZ24ubmV0L3Jvb3QuY3JsMBMGA1UdJQQMMAoGCCsGAQUFBwMDMB8GA1UdIwQY
|
51
|
+
MBaAFGB7ZhpFDZfKiVAvfQTNNKj//P1LMA0GCSqGSIb3DQEBBQUAA4IBAQAiXMXd
|
52
|
+
PfQLcNjj9efFjgkBu7GWNlxaB63HqERJUSV6rg2kGTuSnM+5Qia7O2yX58fOEW1o
|
53
|
+
kdqNbfFTTVQ4jGHzyIJ2ab6BMgsxw2zJniAKWC/wSP5+SAeq10NYlHNUBDGpeA07
|
54
|
+
jLBwwT1+170vKsPi9Y8MkNxrpci+aF5dbfh40r5JlR4VeAiR+zTIvoStvODG3Rjb
|
55
|
+
88rwe8IUPBi4A7qVPiEeP2Bpen9qA56NSvnwKCwwhF7sJnJCsW3LZMMSjNaES2dB
|
56
|
+
fLEDF3gJ462otpYtpH6AA0+I98FrWkYVzSwZi9hwnOUtSYhgcqikGVJwQ17a1kYD
|
57
|
+
sGgOJO9K9gslJO8k
|
58
|
+
-----END CERTIFICATE-----
|
59
|
+
- |
|
60
|
+
-----BEGIN CERTIFICATE-----
|
61
|
+
MIIEyjCCA7KgAwIBAgISESEyE8rNriS4+1dc8jOHEUL8MA0GCSqGSIb3DQEBBQUA
|
62
|
+
MFExCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMScwJQYD
|
63
|
+
VQQDEx5HbG9iYWxTaWduIENvZGVTaWduaW5nIENBIC0gRzIwHhcNMTMxMDExMTUx
|
64
|
+
NTM4WhcNMTYxMDExMTUxNTM4WjBgMQswCQYDVQQGEwJVUzEWMBQGA1UECBMNTWFz
|
65
|
+
c2FjaHVzZXR0czEPMA0GA1UEBxMGQm9zdG9uMRMwEQYDVQQKEwpSYXBpZDcgTExD
|
66
|
+
MRMwEQYDVQQDEwpSYXBpZDcgTExDMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
|
67
|
+
CgKCAQEAhD//7+739c69hssg0mD6CXgf2JkuWTcU81dgD7aKcoEPqU8e1FseBvDW
|
68
|
+
/Q5fNK2H2NgHV/Msn18zXuK0PkaJXqj/vDsuKB3Hq0BiR2AwyDdEw8K5MK5bgQc2
|
69
|
+
tmcVtEAejRoy1Uv5UyfaAYAxG6zsma3buV1fjnEAC3VouRg4+EX/f65H/a6srntK
|
70
|
+
5Etp3D71k2f0oUl8dOqOmSsRJQQ5zSs4ktDvpjAmsvzoA+1svceLYU95mvQsIw2T
|
71
|
+
edpmibGMwGw/HmgV+YWBgF5UGvax6zbC2i6DF2YHnDfkNb8/1MEIaxOTAbJTazTK
|
72
|
+
8laCQOyay6L1BNPQKjZBgOge8LZq1wIDAQABo4IBizCCAYcwDgYDVR0PAQH/BAQD
|
73
|
+
AgeAMEwGA1UdIARFMEMwQQYJKwYBBAGgMgEyMDQwMgYIKwYBBQUHAgEWJmh0dHBz
|
74
|
+
Oi8vd3d3Lmdsb2JhbHNpZ24uY29tL3JlcG9zaXRvcnkvMAkGA1UdEwQCMAAwEwYD
|
75
|
+
VR0lBAwwCgYIKwYBBQUHAwMwPgYDVR0fBDcwNTAzoDGgL4YtaHR0cDovL2NybC5n
|
76
|
+
bG9iYWxzaWduLmNvbS9ncy9nc2NvZGVzaWduZzIuY3JsMIGGBggrBgEFBQcBAQR6
|
77
|
+
MHgwQAYIKwYBBQUHMAKGNGh0dHA6Ly9zZWN1cmUuZ2xvYmFsc2lnbi5jb20vY2Fj
|
78
|
+
ZXJ0L2dzY29kZXNpZ25nMi5jcnQwNAYIKwYBBQUHMAGGKGh0dHA6Ly9vY3NwMi5n
|
79
|
+
bG9iYWxzaWduLmNvbS9nc2NvZGVzaWduZzIwHQYDVR0OBBYEFE536JwFx9SpaEi3
|
80
|
+
w8pcq2GRFA5BMB8GA1UdIwQYMBaAFAhu2Lacir/tPtfDdF3MgB+oL1B6MA0GCSqG
|
81
|
+
SIb3DQEBBQUAA4IBAQAGpGXHtFLjTTivV+xQPwtZhfPuJ7f+VGTMSAAYWmfzyHXM
|
82
|
+
YMFYUWJzSFcuVR2YfxtbS45P7U5Qopd7jBQ0Ygk5h2a+B5nE4+UlhHj665d0zpYM
|
83
|
+
1eWndMaO6WBOYnqtNyi8Dqqc1foKZDNHEDggYhGso7OIBunup+N4sPL9PwQ3eYe6
|
84
|
+
mUu8z0E4GXYViaMPOFkqaYnoYgf2L+7L5zKYT4h/NE/P7kj7EbduHgy/v/aAIrNl
|
85
|
+
2SpuQH+SWteq3NXkAmFEEqvLJQ4sbptZt8OP8ghL3pVAvZNFmww/YVszSkShSzcg
|
86
|
+
QdihYCSEL2drS2cFd50jBeq71sxUtxbv82DUa2b+
|
87
|
+
-----END CERTIFICATE-----
|
88
|
+
date: 2016-09-12 00:00:00.000000000 Z
|
89
|
+
dependencies:
|
90
|
+
- !ruby/object:Gem::Dependency
|
91
|
+
name: bundler
|
92
|
+
requirement: !ruby/object:Gem::Requirement
|
93
|
+
requirements:
|
94
|
+
- - "~>"
|
95
|
+
- !ruby/object:Gem::Version
|
96
|
+
version: '1.12'
|
97
|
+
type: :development
|
98
|
+
prerelease: false
|
99
|
+
version_requirements: !ruby/object:Gem::Requirement
|
100
|
+
requirements:
|
101
|
+
- - "~>"
|
102
|
+
- !ruby/object:Gem::Version
|
103
|
+
version: '1.12'
|
104
|
+
- !ruby/object:Gem::Dependency
|
105
|
+
name: rake
|
106
|
+
requirement: !ruby/object:Gem::Requirement
|
107
|
+
requirements:
|
108
|
+
- - "~>"
|
109
|
+
- !ruby/object:Gem::Version
|
110
|
+
version: '10.0'
|
111
|
+
type: :development
|
112
|
+
prerelease: false
|
113
|
+
version_requirements: !ruby/object:Gem::Requirement
|
114
|
+
requirements:
|
115
|
+
- - "~>"
|
116
|
+
- !ruby/object:Gem::Version
|
117
|
+
version: '10.0'
|
118
|
+
- !ruby/object:Gem::Dependency
|
119
|
+
name: rspec
|
120
|
+
requirement: !ruby/object:Gem::Requirement
|
121
|
+
requirements:
|
122
|
+
- - "~>"
|
123
|
+
- !ruby/object:Gem::Version
|
124
|
+
version: '3.0'
|
125
|
+
type: :development
|
126
|
+
prerelease: false
|
127
|
+
version_requirements: !ruby/object:Gem::Requirement
|
128
|
+
requirements:
|
129
|
+
- - "~>"
|
130
|
+
- !ruby/object:Gem::Version
|
131
|
+
version: '3.0'
|
132
|
+
- !ruby/object:Gem::Dependency
|
133
|
+
name: metasm
|
134
|
+
requirement: !ruby/object:Gem::Requirement
|
135
|
+
requirements:
|
136
|
+
- - ">="
|
137
|
+
- !ruby/object:Gem::Version
|
138
|
+
version: '0'
|
139
|
+
type: :runtime
|
140
|
+
prerelease: false
|
141
|
+
version_requirements: !ruby/object:Gem::Requirement
|
142
|
+
requirements:
|
143
|
+
- - ">="
|
144
|
+
- !ruby/object:Gem::Version
|
145
|
+
version: '0'
|
146
|
+
- !ruby/object:Gem::Dependency
|
147
|
+
name: rex-core
|
148
|
+
requirement: !ruby/object:Gem::Requirement
|
149
|
+
requirements:
|
150
|
+
- - ">="
|
151
|
+
- !ruby/object:Gem::Version
|
152
|
+
version: '0'
|
153
|
+
type: :runtime
|
154
|
+
prerelease: false
|
155
|
+
version_requirements: !ruby/object:Gem::Requirement
|
156
|
+
requirements:
|
157
|
+
- - ">="
|
158
|
+
- !ruby/object:Gem::Version
|
159
|
+
version: '0'
|
160
|
+
- !ruby/object:Gem::Dependency
|
161
|
+
name: rex-text
|
162
|
+
requirement: !ruby/object:Gem::Requirement
|
163
|
+
requirements:
|
164
|
+
- - ">="
|
165
|
+
- !ruby/object:Gem::Version
|
166
|
+
version: '0'
|
167
|
+
type: :runtime
|
168
|
+
prerelease: false
|
169
|
+
version_requirements: !ruby/object:Gem::Requirement
|
170
|
+
requirements:
|
171
|
+
- - ">="
|
172
|
+
- !ruby/object:Gem::Version
|
173
|
+
version: '0'
|
174
|
+
description:
|
175
|
+
email:
|
176
|
+
- DMaloney@rapid7.com
|
177
|
+
executables:
|
178
|
+
- msfrop
|
179
|
+
extensions: []
|
180
|
+
extra_rdoc_files: []
|
181
|
+
files:
|
182
|
+
- ".gitignore"
|
183
|
+
- ".rspec"
|
184
|
+
- ".travis.yml"
|
185
|
+
- CODE_OF_CONDUCT.md
|
186
|
+
- Gemfile
|
187
|
+
- README.md
|
188
|
+
- Rakefile
|
189
|
+
- bin/console
|
190
|
+
- bin/msfrop
|
191
|
+
- bin/setup
|
192
|
+
- lib/rex/rop_builder.rb
|
193
|
+
- lib/rex/rop_builder/rop.rb
|
194
|
+
- lib/rex/rop_builder/version.rb
|
195
|
+
- rex-rop_builder.gemspec
|
196
|
+
homepage: https://github.com/rapid7/rex-rop_builder
|
197
|
+
licenses: []
|
198
|
+
metadata: {}
|
199
|
+
post_install_message:
|
200
|
+
rdoc_options: []
|
201
|
+
require_paths:
|
202
|
+
- lib
|
203
|
+
required_ruby_version: !ruby/object:Gem::Requirement
|
204
|
+
requirements:
|
205
|
+
- - ">="
|
206
|
+
- !ruby/object:Gem::Version
|
207
|
+
version: '0'
|
208
|
+
required_rubygems_version: !ruby/object:Gem::Requirement
|
209
|
+
requirements:
|
210
|
+
- - ">="
|
211
|
+
- !ruby/object:Gem::Version
|
212
|
+
version: '0'
|
213
|
+
requirements: []
|
214
|
+
rubyforge_project:
|
215
|
+
rubygems_version: 2.4.8
|
216
|
+
signing_key:
|
217
|
+
specification_version: 4
|
218
|
+
summary: Ruby Exploitation(Rex) Library for building ROP chains.
|
219
|
+
test_files: []
|
metadata.gz.sig
ADDED
@@ -0,0 +1 @@
|
|
1
|
+
3��l�����xj��ၳ�\;�L�V����8<Z�4�Ï� s�Jzi]��|k�{켭�s�ӈ``�P�`�� H��C�Tg��q@?̎�ޓG�&�K�e]�@�^��u���\J6ӯ���4�a�;�k7'/0�-c7K��v�T�*ÎR�N��7Z�h$v=5$_��n���t���P]%�kN���k��a��I.W$ț�ϑ�
|