Merge branch 'dev'

CHANGELOG

@@ -1,14 +1,41 @@
+ROPGadget v4.0.1 - 11/04/2013
+  - Update python3 to python2.
+  - Add new script python to generate gadgets table 32 and 64 bits.
+  - Update default syntax to Intel.
+  - genInstrX86.py: Add severals pop + ret combination
+
 ROPGadget v4.0.0 - 1/29/2013:
   - Addition of Windows PE file loading for gadget searching.
   - Addition of detection of shared libraries and improved code gen for them.
   - Improved algorithm for scanning executable based on maps.
   - Addition of 64 bit linux support for ROP exploit generation.
   - Addition of 64 bit support for ROP gadget searching.
   - generation of execve ROP exploits with arbitrary argument vectors.
-  - payload generation in PHP, C and Perl as well as improved generation for 
+  - payload generation in PHP, C and Perl as well as improved generation for
     python.
   - color disable/enable switch.
   - improved user friendliness.
   - vastly increased ROP searching speed.
   - Code restructuring for easing addition of new architectures/platforms.
   - general refacoring and code friendiness.
+
+ROPGadget v3.4.1:
+  - Bug Fix in module importsc with intel syntax
+
+ROPGadget v3.4.0:
+  - Feature - Support Att and intel syntax
+
+ROPGadget v3.3.4:
+  - Bug Fix - Fake positive (github issue)
+
+ROPGadget v3.3.3:
+  - Bug Fix in the supported architecures. (src/check_arch_supported.c)
+
+ROPGadget v3.3.2:
+  - Bug Fix (Buffer Overflow - src/check_bind_mode.c)
+
+ROPGadget v3.3.1:
+  - Segmentation Fault fixed, on compilation x86 64 bits (src/varop.c)
+
+ROPGadget v3.3:
+  - New Core and news features.

Makefile

@@ -1,8 +1,7 @@
 ##
-## RopGadget - Release v4.0.0
+## RopGadget 
 ## Allan Wirth - http://allanwirth.com/
 ## Jonathan Salwan - http://twitter.com/JonathanSalwan
-## 2013-1-4
 ##
 ## This program is free software; you can redistribute it and/or modify
 ## it under the terms of the GNU General Public License as published by
@@ -19,20 +18,21 @@
 ## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 ##
 
-DEBUG   = no
-RM      = rm -f
-INCLUDE = -I./includes -I./libs/libpe
-SRC_DIR = ./src
-LIBS_DIR = ./libs
-NAME    = ROPgadget
-D = -D_BSD_SOURCE -D_POSIX_SOURCE
+DEBUG           = no
+RM              = rm -f
+INCLUDE         = -I./includes -I./libs/libpe
+SRC_DIR         = ./src
+LIBS_DIR        = ./libs
+SCRIPT_DIR      = ./script
+NAME            = ROPgadget
+D               = -D_BSD_SOURCE -D_POSIX_SOURCE
 
 ifeq ($(DEBUG),yes)
-    CFLAGS   	= -g3 -ggdb -Wextra -Wall $(D) $(INCLUDE)
-    CC 		= gcc
+    CFLAGS      = -g3 -ggdb -Wextra -Wall $(D) $(INCLUDE)
+    CC          = gcc
 else
-    CFLAGS = -W -Wall -Wextra -ansi -pedantic $(D) $(INCLUDE) -O2 -ggdb
-    CC 		= gcc
+    CFLAGS      = -W -Wall -Wextra -ansi -pedantic $(D) $(INCLUDE) -O2 -ggdb
+    CC          = gcc
 endif
 
 CFLAGS += -std=c99
@@ -74,9 +74,10 @@ install:
 	 install -D -m 755 ./$(NAME) /usr/bin/$(NAME)
 
 clean:
-	 $(RM) $(OBJ) $(NAME) 
+	 $(RM) $(OBJ) $(NAME)
 
 cleanall: clean
+	$(RM) $(SRC_DIR)/x8632/gadgets.c
 	$(RM) $(SRC_DIR)/x8664/gadgets.c
 
 fclean:  clean
@@ -86,5 +87,9 @@ re:	 fclean all
 
 .PHONY:  re fclean clean install all
 
-$(SRC_DIR)/x8664/gadgets.c: script/makex64gadgets.py
-	$< > $@
+$(SRC_DIR)/x8632/gadgets.c: $(SCRIPT_DIR)/genInstrX86.py
+	$< 32 > $@
+
+$(SRC_DIR)/x8664/gadgets.c: $(SCRIPT_DIR)/genInstrX86.py
+	$< 64 > $@
+

README.md

@@ -1,8 +1,8 @@
 ROPgadget Tool
 ==============
 
-This tool lets you search your gadgets on your binaries (ELF format) to 
-facilitate your ROP exploitation. Since version 3.0, ROPgadget has a 
+This tool lets you search your gadgets on your binaries (ELF format) to
+facilitate your ROP exploitation. Since version 3.0, ROPgadget has a
 auto-roper for build your payload automatically with the gadgets found.
 
 Major new features recently added:
@@ -12,7 +12,7 @@ Major new features recently added:
   - Addition of Windows PE file loading for gadget searching.
   - Addition of detection of shared libraries and improved code gen for them.
   - generation of execve ROP exploits with arbitrary argument vectors.
-  - payload generation in PHP, C and Perl as well as improved generation for 
+  - payload generation in PHP, C and Perl as well as improved generation for
     python.
   - color disable/enable switch.
   - improved user friendliness.
@@ -37,8 +37,7 @@ Authors / Contributors
 Build
 -----
 
-Run `make` you idiot. You're going to need python3 for the 64bit gadget 
-generation.
+Run `make` you idiot. You're going to need python3. This is required.
 
 Usage
 -----
@@ -49,64 +48,64 @@ Most likely what you are going to want is to simply run:
 
     $ ROPGadget <smashable binary>
 
-A list of interesting gadgets will be printed out to stderr, and if 
-possible, a standard execve /bin/sh rop payload will be generated and 
+A list of interesting gadgets will be printed out to stderr, and if
+possible, a standard execve /bin/sh rop payload will be generated and
 printed to stdout.
 
-If you are not satisfied with the standard /bin/sh payload, you can 
-specify additional command line arguments to ROPGadget, which will 
+If you are not satisfied with the standard /bin/sh payload, you can
+specify additional command line arguments to ROPGadget, which will
 become the argument vector to use in the payload generation step:
 
     $ ROPGadget <smashable binary> /bin/echo "I 4m 4 1337 h4x0r!!!"
 
 ### Custom
 
-If there are a lot of instructions found, you can use the -filter and 
--only options to trim down the output. The -filter option will ignore 
-any instructions that contain the passed string. The -only argument 
-will only display instructions that match the string provided. Both can 
-be specified multiple times, although I'm not entirely convinced this 
+If there are a lot of instructions found, you can use the -filter and
+-only options to trim down the output. The -filter option will ignore
+any instructions that contain the passed string. The -only argument
+will only display instructions that match the string provided. Both can
+be specified multiple times, although I'm not entirely convinced this
 is useful.
 
-If you are building your own ROP payload, and you need instructions 
-that are not included in the default output, the options you are going 
-to be interested in are -asm and -opcode. -opcode lets you specify a 
-hex opcode (in the format \x90\x90) on the command line to search for. 
--asm is the same, except that it will assemble the provided argument 
-and search for it (not keep in mind the -att and -intel flags to be 
+If you are building your own ROP payload, and you need instructions
+that are not included in the default output, the options you are going
+to be interested in are -asm and -opcode. -opcode lets you specify a
+hex opcode (in the format \x90\x90) on the command line to search for.
+-asm is the same, except that it will assemble the provided argument
+and search for it (not keep in mind the -att and -intel flags to be
 sure to specify the syntax mode you are using!).
 
-If for some reason you want to search for strings in the binary, you 
-can use the -string option. This will search the readable sections of 
-the binary for the string provided. If you put any question marks in 
+If for some reason you want to search for strings in the binary, you
+can use the -string option. This will search the readable sections of
+the binary for the string provided. If you put any question marks in
 the string these will be treated as wildcards.
 
 ### Misc
 
-Misc options you might care about are -color and -nocolor, which will 
-force/disable the use of color output, respectively (note that when a 
+Misc options you might care about are -color and -nocolor, which will
+force/disable the use of color output, respectively (note that when a
 non-terminal device is detected, the output is by default not in color).
 
-The -limit flag lets you specify the maximum number of matches that 
-will be searched for. The -map flag lets you limit the search to a 
+The -limit flag lets you specify the maximum number of matches that
+will be searched for. The -map flag lets you limit the search to a
 specific memory range.
 
-The -att and -intel syntax flags let you choose which assembly syntax 
+The -att and -intel syntax flags let you choose which assembly syntax
 to use. The default is AT&T syntax.
 
-The -phpsyn, -perlsyn, -csyn, and -pysyn flags let you choose the 
+The -phpsyn, -perlsyn, -csyn, and -pysyn flags let you choose the
 format the exploit is generated in. The default is python syntax.
 
-The -bind option is pretty useless. It is equivalent to padding a 
+The -bind option is pretty useless. It is equivalent to padding a
 netcat /bin/sh bind handler as the argv.
 
-The -importsc option doesn't work very well because it requires having 
-a writable, mapped, executable segment, which mostly doesn't happen. If 
-it does, and you are using it, be sure that your shellcode doesn't have 
-any NUL bytes in it, because this will cause the output to have NUL 
+The -importsc option doesn't work very well because it requires having
+a writable, mapped, executable segment, which mostly doesn't happen. If
+it does, and you are using it, be sure that your shellcode doesn't have
+any NUL bytes in it, because this will cause the output to have NUL
 bytes in it.
 
-When generating ROPs for 64 bit, you are almost guarenteed to have NUL 
+When generating ROPs for 64 bit, you are almost guarenteed to have NUL
 bytes in the output. There isn't really anything I can do about this.
 
 Future
@@ -121,8 +120,11 @@ Features I would like to add in the future are:
 Bugs/Patches/Contact
 --------------------
 
-Please report bugs, submit pull requests, etc. on github at 
-https://github.com/JonathanSalwan/ROPgadget
+Please report bugs, submit pull requests, etc. on github at https://github.com/JonathanSalwan/ROPgadget
+or by mail ropgadget TA shell-storm TOD org
+
+The offical page is on shee-storm.org at
+http://shell-storm.org/project/ROPgadget/
 
 License
 -------

includes/ropgadget.h

@@ -1,8 +1,7 @@
 /*
-** RopGadget - Release v4.0.0
+** RopGadget
 ** Allan Wirth - http://allanwirth.com/
 ** Jonathan Salwan - http://twitter.com/JonathanSalwan
-** 2013-1-20
 **
 ** This program is free software; you can redistribute it and/or modify
 ** it under the terms of the GNU General Public License as published by
@@ -28,6 +27,7 @@
 #include <string.h>
 #include <wchar.h>
 #include <ctype.h>
+#include <inttypes.h>
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <sys/mman.h>
@@ -36,7 +36,7 @@
 #include <elf.h>
 #include <stdio.h>
 
-#define ROPGADGET_VERSION "Ropgadget v4.0.0"
+#define ROPGADGET_VERSION "Ropgadget v4.0.1"
 
 /* colors */
 #define _BLUE        "\033[94m"
@@ -52,8 +52,8 @@
 typedef Elf64_Addr Address;
 typedef Elf64_Off Offset;
 typedef uint64_t Size;
-#define ADDR_FORMAT "0x%.*lx"
-#define SIZE_FORMAT "0x%.*lu"
+#define ADDR_FORMAT "0x%.*"PRIx64
+#define SIZE_FORMAT "%.*"PRIu64
 
 #define ADDR_WIDTH ((binary->processor == PROCESSOR_X8632)?8:16)
 #define SIZE_WIDTH ADDR_WIDTH
@@ -206,6 +206,12 @@ typedef struct s_depend
   struct s_depend *next;
 } t_depend;
 
+enum e_where {
+  BEFORE,
+  AFTER,
+  TOTAL
+};
+
 /* Represents an entire binary loaded into memory */
 typedef struct s_binary
 {
@@ -327,6 +333,14 @@ t_asm  	                *search_instruction(t_asm *, char *);
 int                     match(const char *, const char *);
 int                     match2(const unsigned char *, const unsigned char *, size_t);
 
+/* pop info */
+#define how_many_pop(g) how_many_pop_x(g, NULL, TOTAL)
+#define how_many_pop_before(g, i) how_many_pop_x(g, i, BEFORE)
+#define how_many_pop_after(g, i) how_many_pop_x(g, i, AFTER)
+size_t how_many_pop_x(const char *gadget, const char *pop_reg, enum e_where w);
+
+
+
 /* combo_ropmaker */
 int                     combo_ropmaker(char **, t_asm *, t_gadget **);
 void                    sc_print_pre_init(void);