-
Notifications
You must be signed in to change notification settings - Fork 3
/
fgkaslr_gadgets.py
176 lines (150 loc) · 5.41 KB
/
fgkaslr_gadgets.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
import re
from elftools.elf.elffile import ELFFile
from pwn import *
KERNEL_ELF = None
elf = None
gadgets = []
functions = []
holes = []
class Gadget:
def __init__(self, addr, assembly, raw_bytes):
self.addr = addr
self.assembly = assembly
self.raw_bytes = raw_bytes
self.start_addr = addr
self.end_addr = addr + len(raw_bytes)
def is_overlap(self, hole):
if self.end_addr <= hole[0]:
return False
if self.start_addr >= hole[1]:
return False
return True
class Function:
def __init__(self, name, addr, size):
self.name = name
self.addr = addr
self.size = size
self.start_addr = addr
self.end_addr = addr + size
def get_func_info():
log.info("Trying to collect position-variant function information...")
for x in elf.sections:
if not x.name.startswith(".text."):
continue
func = Function(x.name[6:], x.header.sh_addr, len(x.data()))
functions.append(func)
log.success("%d position-variant functions collected!", len(functions))
def get_all_gadgets():
"""
search for all gadgets in the kernel .text section
translate virtual address and file offset back and forth so that fking ROPgadget won't eat up the memory of my computer
"""
log.info("Collecting all gadgets...")
#MIN_ADDR = 0xffffffff81000000
#MAX_ADDR = 0xffffffff81c00000
with open(KERNEL_ELF, "rb") as f:
elffile = ELFFile(f)
text = elffile.get_section_by_name(".text")
TEXT_START = text.header['sh_addr']
TEXT_END = TEXT_START + text.header['sh_size']
print("start: %#x" % TEXT_START)
print("end : %#x" % TEXT_END)
min_phys_off = elf.vaddr_to_offset(TEXT_START)
max_phys_off = elf.vaddr_to_offset(TEXT_END)
cmd = "ROPgadget --binary %s --rawArch=x86 --rawMode=64 --range %#x-%#x --dump --all" % (KERNEL_ELF, min_phys_off, max_phys_off)
output = subprocess.getoutput(cmd)
log.info("Parsing all gadgets...")
for line in output.splitlines():
if not line.startswith("0x"):
continue
# parse each gadget entry
res = re.match('(0x[0-f]+) : (.+) // (.*)', line)
assert res is not None
addr = elf.offset_to_vaddr(int(res.group(1), 16))
assembly = res.group(2)
raw_bytes = bytes.fromhex(res.group(3))
# create each gadget object
gadget = Gadget(addr, assembly, raw_bytes)
gadgets.append(gadget)
log.success("%d gadgets collected!", len(gadgets))
def filter_gadgets():
global gadgets
log.info("Filtering gadgets that overlap with position-variant functions...")
raw_gadgets = gadgets
gadgets = []
for idx, gadget in enumerate(raw_gadgets):
for hole in holes:
if gadget.is_overlap(hole):
break
else:
gadgets.append(gadget)
log.success("%d position-invariant gadgets collected!", len(gadgets))
def clean_gadgets():
# de-duplicate gadgets
seen = set()
new_gadgets = []
for gadget in gadgets:
if gadget.assembly in seen:
continue
new_gadgets.append(gadget)
seen.add(gadget.assembly)
# sort gadgets
new_gadgets.sort(key = lambda x: x.assembly)
log.success("%d unique position-invariant gadgets collected!", len(new_gadgets))
return new_gadgets
def show_gadgets():
for gadget in gadgets:
line = "%#x : %s" % (gadget.addr, gadget.assembly)
print(line)
def merge_holes():
log.info("Trying to reduce search complexity by merging holes...")
global holes
tmp_holes = []
for idx, func in enumerate(functions):
# determine the start of next function
if idx != len(functions) - 1:
next_start_addr = functions[idx+1].start_addr
else:
next_start_addr = func.end_addr
# check whether the function padding is interesting, if not, we include the padding
# in the hole to reduce search complexity
hole_start = func.start_addr
func_pad_len = next_start_addr-func.end_addr
func_padding = elf.read(func.end_addr, func_pad_len)
if func_padding == b'\x00' * func_pad_len:
hole_end = next_start_addr
else:
hole_end = func.end_addr
tmp_holes.append((hole_start, hole_end))
# merge holes to reduce search complexity
while True:
for idx in range(len(tmp_holes)-1):
hole = tmp_holes[idx]
next_hole = tmp_holes[idx+1]
if hole[1] != next_hole[0]:
continue
new_hole = (hole[0], next_hole[1])
tmp_holes[idx+1] = new_hole
tmp_holes.remove(hole)
break
else:
break
holes = tmp_holes
print(holes)
log.success("%d holes detected!", len(holes))
if __name__ == "__main__":
import argparse
import monkeyhex
parser = argparse.ArgumentParser(description='Script to find position-invariant gadgets in Linux kernels compiled with FG-KASLR',
usage="%(prog)s [options] <vmlinux_path>")
parser.add_argument('vmlinux_path', type=str,
help="path to vmlinux")
args = parser.parse_args()
KERNEL_ELF = args.vmlinux_path
elf = ELF(args.vmlinux_path)
get_func_info()
merge_holes()
get_all_gadgets()
filter_gadgets()
gadgets = clean_gadgets()
show_gadgets()