Add ARM execve chain support and a ret2libc spawn_shell generator (x86/x86_64/ARM)

README.md

@@ -117,7 +117,8 @@ Usage
       SPARC [SPARC64]
 
     available rop chain generators:
-      execve (execve[=<cmd>], default /bin/sh) [Linux x86, x86_64]
+      execve (execve[=<cmd>], default /bin/sh) [Linux x86, x86_64, ARM]
+      spawn_shell (spawn_shell[ cmd=<path>][ address=<system>]), ret2libc system, writes cmd to .bss if absent [Linux x86, x86_64, ARM]
       mprotect  (mprotect=<address>:<size>) [Linux x86, x86_64]
       virtualprotect (virtualprotect=<address iat vp>:<size>) [Windows x86]
 

ropper/arch.py

@@ -389,11 +389,33 @@ def _initGadgets(self):
         super(ArchitectureArm, self)._initGadgets()
         self._endings[gadget.GadgetType.ROP] = [(b"[\x00-\xff][\x80-\xff][\x10-\x1e\x30-\x3e\x50-\x5e\x70-\x7e\x90-\x9e\xb0-\xbe\xd0-\xde\xf0-\xfe][\xe8\xe9]", 4), # pop {[reg]*,pc}, ldm [reg], {*,pc}
             (b"\x04\xf0\x9d\xe4", 4) # pop {pc}
-        ] 
+        ]
         self._endings[gadget.GadgetType.JOP] = [(b'[\x10-\x1e]\xff\x2f\xe1', 4), # bx <reg>
                                                 (b'[\x30-\x3e]\xff\x2f\xe1', 4), # blx <reg>
                                                 (b'[\x00-\x0f]\xf0\xa0\xe1', 4), # mov pc, <reg>
                                                 (b'\x00\x80\xbd\xe8', 4)] # ldm sp! ,{pc}
+        self._endings[gadget.GadgetType.SYS] = [(b'\x00\x00\x00\xef', 4)] # svc 0
+
+    def _initCategories(self):
+        # Minimal categories needed for the execve ropchain generator.
+        # LOAD_REG matches only single-instruction multi-register pops that
+        # write pc (the gadget's own dispatch). `dst` captures the entire
+        # register list as text; the chain generator parses it.
+        self._categories = {
+            gadget.Category.LOAD_REG : (
+                (r'^pop \{(?P<dst>[^}]*\bpc)\}$',
+                 r'^ldm(?:ia|fd)? sp!, \{(?P<dst>[^}]*\bpc)\}$'),
+                ('push','bl','blx','b ','bx','svc','str')),
+            gadget.Category.WRITE_MEM : (
+                (r'^str (?P<src>\w{2,4}), \[(?P<dst>\w{2,4})\]$',),
+                ('push','bl','blx','b ','bx','svc')),
+            gadget.Category.LOAD_MEM : (
+                (r'^ldr (?P<dst>\w{2,4}), \[(?P<src>\w{2,4})\]$',),
+                ('push','bl','blx','b ','bx','svc','str')),
+            gadget.Category.SYSCALL : (
+                (r'^svc #?0(?:x0+)?$',),
+                ('push','bl','blx','b ','bx')),
+        }
 
 
 class ArchitectureArmBE(ArchitectureArm):
@@ -414,6 +436,7 @@ def _initEndianess(self, endianess):
                                                 (b'\xe1\x2f\xff[\x30-\x3e]', 4), # blx <reg>
                                                 (b'\xe1\xa0\xf0[\x00-\x0f]', 4), # mov pc, <reg>
                                                 (b'\xe8\xdb\x80\x01', 4)] # ldm sp! ,{pc}
+        self._endings[gadget.GadgetType.SYS] = [(b'\xef\x00\x00\x00', 4)] # svc 0
 
 class ArchitectureArmThumb(Architecture):
 

ropper/console.py

@@ -450,6 +450,8 @@ def __printExamples(self):
   {0} --file /bin/ls --type jop
   {0} --file /bin/ls --chain execve
   {0} --file /bin/ls --chain "execve cmd=/bin/sh" --badbytes 000a0d
+  {0} --file /bin/ls --chain spawn_shell
+  {0} --file /bin/ls --chain "spawn_shell address=0xf7c4d3e0"
   {0} --file /bin/ls --chain "mprotect address=0xbfdff000 size=0x21000"
   {0} --file /bin/ls /lib/libc.so.6 --console
 
@@ -932,7 +934,7 @@ def do_ropchain(self, text):
 
     def help_ropchain(self):
         self.__printHelpText('ropchain <generator>[ argname=arg[ argname=arg...]]',
-                             'uses the given generator and create a ropchain with args\n\nAvailable generators:\nexecve\nargs: cmd (optional)\navailable: x86, x86_64\nOS: linux\n\nmprotect\nargs: address, size\navailable: x86, x86_64\nOS: linux\n\nvirtualprotect\nargs: address (IAT)(optional)\navailable: x86\nOS: Windows\n\nExamples:\nropchain execve\nropchain mprotect address=0xbfff0000 size=0x21000')
+                             'uses the given generator and create a ropchain with args\n\nAvailable generators:\nexecve\nargs: cmd (optional), address (optional)\navailable: x86, x86_64, ARM\nOS: linux\n\nspawn_shell\ncalls libc system(cmd), default cmd /bin/sh (ret2libc); writes cmd into .bss when it is not already present in the binary\nargs: cmd (optional path), address (libc system, optional), string (&cmd, optional)\navailable: x86, x86_64, ARM\nOS: linux\n\nmprotect\nargs: address, size\navailable: x86, x86_64\nOS: linux\n\nvirtualprotect\nargs: address (IAT)(optional)\navailable: x86\nOS: Windows\n\nExamples:\nropchain execve\nropchain spawn_shell\nropchain spawn_shell address=0xf7c4d3e0\nropchain mprotect address=0xbfff0000 size=0x21000')
 
     def do_quit(self, text):
         exit(0)

ropper/options.py

@@ -69,7 +69,8 @@ def _createArgParser(self):
   SPARC [SPARC64]
 
 available rop chain generators:
-  execve (execve[=<cmd>], default /bin/sh) [Linux x86, x86_64]
+  execve (execve[=<cmd>], default /bin/sh) [Linux x86, x86_64, ARM]
+  spawn_shell (spawn_shell[ cmd=<path>][ address=<system>]), ret2libc system, writes cmd to .bss if absent [Linux x86, x86_64, ARM]
   mprotect  (mprotect address=0xdeadbeef size=0x10000) [Linux x86, x86_64]
   virtualprotect (virtualprotect address=0xdeadbeef) [Windows x86]
 """)

ropper/ropchain/arch/__init__.py

@@ -27,3 +27,4 @@
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 from ropper.ropchain.arch.ropchainx86 import *
 from ropper.ropchain.arch.ropchainx86_64 import *
+from ropper.ropchain.arch.ropchainarm import *