diff options
| author | Malfurious <m@lfurio.us> | 2023-03-18 21:21:44 -0400 |
|---|---|---|
| committer | dusoleil <howcansocksbereal@gmail.com> | 2023-03-19 04:19:21 -0400 |
| commit | 31ef0e9a7a67ba3c361e72d279ae84b9285fb470 (patch) | |
| tree | 6e78769b81f1c2e98ae68e02415103e56d903e66 | |
| parent | 205f828bd669772ee319595fa6792953f0abd327 (diff) | |
| download | sploit-31ef0e9a7a67ba3c361e72d279ae84b9285fb470.tar.gz sploit-31ef0e9a7a67ba3c361e72d279ae84b9285fb470.zip | |
rev: Normalize the reported offset of found gadgets
ROP gadgets returned through search from the r2 API will now always
contain a file-relative offset, even if they come from a non-pic binary
using a fixed baddr.
However, gadgets returned through the ELF API will be mapped according
to the ELF's Symtbl. This ensures the correct offset is returned
following a library leak, and allows the user to always safely insert an
ELF-returned gadget into that ELF's Symtbl without issue.
Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
| -rw-r--r-- | sploit/rev/elf.py | 4 | ||||
| -rw-r--r-- | sploit/rev/r2.py | 3 |
2 files changed, 4 insertions, 3 deletions
diff --git a/sploit/rev/elf.py b/sploit/rev/elf.py index 990cfde..28cd08d 100644 --- a/sploit/rev/elf.py +++ b/sploit/rev/elf.py @@ -198,8 +198,8 @@ class ELF: cont (bool): If true, this function will return all of the assembly past the found gadget up to the next return point. """ - return r2.rop_gadgets(self.path, *regexes, cont=cont) + return [ self.sym[g] for g in r2.rop_gadgets(self.path, *regexes, cont=cont) ] def gadget(self, *regexes): """Returns the first gadget found that matches the given regex list.""" - return r2.rop_gadget(self.path, *regexes) + return self.sym[r2.rop_gadget(self.path, *regexes)] diff --git a/sploit/rev/r2.py b/sploit/rev/r2.py index 24ab1f8..7101f07 100644 --- a/sploit/rev/r2.py +++ b/sploit/rev/r2.py @@ -80,6 +80,7 @@ def rop_gadgets(binary, *regexes, cont=False): ilog(f"Searching {binary} for {'; '.join(regexes)} gadgets with r2...") gadgets = rop_json(binary) results = [] + base = int(get_bin_info(binary).baddr, 0) for gadget in gadgets: opcodes = gadget['opcodes'] @@ -90,7 +91,7 @@ def rop_gadgets(binary, *regexes, cont=False): size = end_idx - idx regexes_use = (regexes + (".*",) * size) if cont else regexes - offset = opcodes[idx]['offset'] + offset = opcodes[idx]['offset'] - base matches = [] for regex in regexes_use: |