genInstrX86.py: Add severals pop + ret combination

muzmu · Apr 11, 2013 · a260e4f · a260e4f
1 parent 97572e6
commit a260e4f
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 3 deletions.
diff --git a/CHANGELOG b/CHANGELOG
@@ -1,7 +1,8 @@
-ROPGadget v4.0.1 - X
+ROPGadget v4.0.1 - 11/04/2013
   - Update python3 to python2.
   - Add new script python to generate gadgets table 32 and 64 bits.
   - Update default syntax to Intel.
+  - genInstrX86.py: Add severals pop + ret combination
 
 ROPGadget v4.0.0 - 1/29/2013:
   - Addition of Windows PE file loading for gadget searching.

diff --git a/script/genInstrX86.py b/script/genInstrX86.py
@@ -23,8 +23,6 @@
 import sys
 import commands
 
-#TODO : Gen severals pop combinaison
-
 class genInstr():
 
     def __init__(self, arch='32'):
@@ -147,13 +145,47 @@ def assemble(self):
 
         return
 
+    def _getAllIns(self, ins):
+        l = []
+        for Intelins in self._IntelInsCompiled:
+            try:
+                if Intelins[1].split(' ')[0] == ins:
+                    l.append(Intelins)
+            except:
+                if Intelins[1] == ins:
+                    l.append(Intelins)
+
+        for Intelins in self._IntelBrCompiled:
+            try:
+                if Intelins[1].split(' ')[0] == ins:
+                    l.append(Intelins)
+            except:
+                if Intelins[1] == ins:
+                    l.append(Intelins)
+        return l
+
     def createGadgets(self):
+
+        # Gen severals pop combination
+        combi = []
+        ret = self._getAllIns('ret')
+        allPop = self._getAllIns('pop')
+        for pop1 in allPop:
+            for pop2 in allPop:
+                for pop3 in allPop:
+                    combi += [[pop1[0]+pop2[0]+pop3[0]+ret[0][0],
+                               pop1[1]+' ; '+pop2[1]+' ; '+pop3[1]+' ; '+ret[0][1],
+                               pop1[2]+' ; '+pop2[2]+' ; '+pop3[2]+' ; '+ret[0][2]]]
+        self._IntelX86GadgetsTable += combi
+
+        # Gen gadget with branch instruction
         for IntelBr in self._IntelBrCompiled:
             for IntelIns in self._IntelInsCompiled:
                 self._IntelX86GadgetsTable += [[IntelIns[0]+IntelBr[0],
                                                IntelIns[1]+' ; '+IntelBr[1],
                                                IntelIns[2]+' ; '+IntelBr[2]]]
 
+        # Gen gadget with interrupt instruction
         for IntelSyscall in self._IntelSyscallCompiled:
             self._IntelX86GadgetsTable += [[IntelSyscall[0],
                                             IntelSyscall[1],