sashs / Ropper

Display information about files in different file formats and find gadgets to build rop chains for different architectures (x86/x86_64, ARM/ARM64, MIPS, PowerPC, SPARC64). For disassembly ropper uses the awesome Capstone Framework.
https://scoding.de/ropper
BSD 3-Clause "New" or "Revised" License

[bug] ropchain generation breaks history commands #42

Closed iz0n closed 8 years ago

iz0n commented 8 years ago

Hi again Sashs, I hope you are having a nice day :)

When generating a ropchain, then checking the history command (UP keypress) once, then returning back (DOWN keypress), the history command will contain a broken command instead of a blank one. Example:

```
(a.dll/PE/x86)> ropchain virtualprotect address=0x123456

[INFO] Ropchain Generator for VirtualProtect:

[INFO]
eax 0x90909090
ecx old protection (writable addr)
edx 0x40 (RWE)
ebx size
esp address
ebp return address (jmp esp)
esi pointer to VirtualProtect
edi ret (rop nop)

[INFO] Try to create gadget to fill esi with content of IAT address: 0x123456
[INFO] Try to create chain which fills registers without delete content of previous filled registers
[*] Try permuation 3 / 720
[INFO] Look for pushad gadget
[INFO] generating rop chain

#!/usr/bin/env python
# Generated by ropper ropchain generator
from struct import pack
[...removed...]
rop = ''
[...removed...]
rop += shellcode

print(rop)

[INFO] rop chain generated!
(a.dll/PE/x86)> ropchain vi
```

The "ropchain vi" was obtained after pressing the "UP" and then the "DOWN" key :)

Have fun,

sashs commented 8 years ago

Hey,

This is not really a bug in ropper. Ropper uses the Cmd module of Python, and the history functionality is implemented in that module. The history isn't broken; only part of the command is not deleted there if it is a long command.

cheers, Sascha