Boyan-MILANOV / ropium

ROPium is a tool that helps you building ROP exploits by finding and chaining gadgets together

Invalid memory address dereference in find() #32

Closed AiDaiP closed 3 years ago

AiDaiP commented 4 years ago

An issue was discovered in ROPium 3.1. An invalid memory address dereference was discovered in find(). The vulnerability causes a segmentation fault and application crash.

POC

aidai@ubuntu:~/Desktop$ ropium

ROPium - v3.1

(ropium)> find

    [!] You must load a binary before finding ropchains

(ropium)> load -a X64 aidai

    [!] Skipped: aidai (file doesn't exist)

(ropium)> find
Segmentation fault (core dumped)
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
─────────────────────────────────[ REGISTERS ]──────────────────────────────────
 RAX  0x7
 RBX  0x1e26bf0 —▸ 0x1e105b0 —▸ 0x7f58fe11a900 —▸ 0x7f58fde45b90 ◂— mov    rax, qword ptr [rip + 0x2d50f9]
 RCX  0x0
 RDX  0x9
 RDI  0x1e26bf0 —▸ 0x1e105b0 —▸ 0x7f58fe11a900 —▸ 0x7f58fde45b90 ◂— mov    rax, qword ptr [rip + 0x2d50f9]
 RSI  0x0
 R8   0x2
 R9   0x0
 R10  0x100
 R11  0x7ffdeddde370 —▸ 0x7ffdeddde380 —▸ 0x1ecbee0 ◂— add    byte ptr [rax], al
 R12  0x1c509e0 ◂— add    byte ptr [rax], al
 R13  0x7ffdeddde640 ◂— 0x0
 R14  0x9
 R15  0x1c50a10 ◂— add    dword ptr [rax], eax
 RBP  0x1c509e0 ◂— add    byte ptr [rax], al
 RSP  0x7ffdeddde608 —▸ 0x7f58fdec0145 ◂— test   al, al
 RIP  0x7f58fdeb5c40 ◂— mov    ecx, dword ptr [rsi]
───────────────────────────────────[ DISASM ]───────────────────────────────────
 ► 0x7f58fdeb5c40    mov    ecx, dword ptr [rsi]
   0x7f58fdeb5c42    mov    eax, 1
   0x7f58fdeb5c47    cmp    ecx, 0x13
   0x7f58fdeb5c4a    je     0x7f58fdeb5c53
    ↓
   0x7f58fdeb5c53    ret    

   0x7f58fdeb5c55    nop    dword ptr [rax]
   0x7f58fdeb5c58    sub    edx, 7
   0x7f58fdeb5c5b    cmp    edx, 1
   0x7f58fdeb5c5e    setbe  al
   0x7f58fdeb5c61    ret    

   0x7f58fdeb5c62    nop    dword ptr [rax]
───────────────────────────────────[ STACK ]────────────────────────────────────
00:0000│ rsp  0x7ffdeddde608 —▸ 0x7f58fdec0145 ◂— test   al, al
01:0008│      0x7ffdeddde610 —▸ 0x7f58fa641950 ◂— or     dword ptr [rax], eax /* '\t' */
02:0010│      0x7ffdeddde618 ◂— 0x2fa629d68
03:0018│      0x7ffdeddde620 ◂— 0x0
... ↓
06:0030│      0x7ffdeddde638 ◂— 0x56056b
07:0038│ r13  0x7ffdeddde640 ◂— 0x0
─────────────────────────────────[ BACKTRACE ]──────────────────────────────────
 ► f 0     7f58fdeb5c40
   f 1     7f58fdec0145
   f 2     7f58fa641950
   f 3        2fa629d68
   f 4                0
────────────────────────────────────────────────────────────────────────────────
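An added example, not ROPium's code and not from the reporter or maintainer, modelling the bug class the transcript above exhibits. The faulting instruction in the dump, `mov ecx, dword ptr [rsi]` with RSI = 0x0, is a read through a null pointer, and the command sequence (find refused, load fails with "file doesn't exist", find then crashes) is consistent with a "binary loaded?" guard that is satisfied by a load that was attempted but did not succeed. Whether that is the actual mechanism inside ROPium 3.1 is an assumption; the class names Repl, Binary and Gadget, the toy gadget scan, the missing path and the constructed byte string are all invented for this illustration. The model keeps both guards side by side so the inconsistency is observable without dereferencing the null pointer.

```cpp
// Constructed model of a REPL whose "binary loaded?" guard tracks whether
// load was attempted instead of whether it produced a binary object.
// Not ROPium's source; names and the toy scan are assumptions.
#include <cstddef>
#include <cstdio>
#include <fstream>
#include <iterator>
#include <memory>
#include <string>
#include <vector>

struct Gadget { std::string text; };

struct Binary {
    std::string name;
    std::vector<unsigned char> bytes;
    std::vector<Gadget> gadgets;   // filled by the toy scan below
};

enum class FindStatus { NoBinary, Found, NothingFound };

class Repl {
public:
    // Mirrors the transcript: a missing file is reported and skipped.
    // The path is recorded before the file is checked, so a failed load
    // still leaves a trace that a naive guard could mistake for success.
    bool load(const std::string& path) {
        last_load_path_ = path;
        std::ifstream in(path, std::ios::binary);
        if (!in) {
            std::printf("    [!] Skipped: %s (file doesn't exist)\n", path.c_str());
            return false;              // binary_ stays null
        }
        std::vector<unsigned char> bytes(std::istreambuf_iterator<char>(in), {});
        return load_bytes(path, bytes);
    }

    // Same loading logic from an in-memory buffer (used for the success path
    // so the example needs no file on disk).
    bool load_bytes(const std::string& name, const std::vector<unsigned char>& bytes) {
        std::unique_ptr<Binary> bin(new Binary);
        bin->name = name;
        bin->bytes = bytes;
        scan_gadgets(*bin);
        binary_ = std::move(bin);
        last_load_path_ = name;
        return true;
    }

    // Buggy guard: "a load happened"; true even when that load failed.
    bool loaded_by_attempt() const { return !last_load_path_.empty(); }
    // Correct guard: "a binary object exists", the thing find() dereferences.
    bool loaded_by_object() const { return binary_ != nullptr; }

    FindStatus find(const std::string& want) const {
        if (!loaded_by_object()) {     // check the pointer, not the attempt
            std::printf("    [!] You must load a binary before finding ropchains\n");
            return FindStatus::NoBinary;
        }
        for (const Gadget& g : binary_->gadgets)
            if (g.text == want) return FindStatus::Found;
        return FindStatus::NothingFound;
    }

private:
    // Toy scan: a 0x5f (pop rdi) byte followed by 0xc3 (ret) is one gadget.
    static void scan_gadgets(Binary& bin) {
        for (std::size_t i = 1; i < bin.bytes.size(); ++i)
            if (bin.bytes[i] == 0xc3 && bin.bytes[i - 1] == 0x5f)
                bin.gadgets.push_back({"pop rdi; ret"});
    }
    std::string last_load_path_;
    std::unique_ptr<Binary> binary_;
};

// Replays the transcript: find, failed load, find. Returns true when the
// attempt-based guard would have let find() through (the crash condition)
// while the object-based guard correctly refuses.
bool failed_load_leaves_guard_inconsistent() {
    Repl r;
    r.find("pop rdi; ret");                    // prints the "must load" message
    bool ok = r.load("/nonexistent/aidai");    // constructed missing path
    return !ok && r.loaded_by_attempt() && !r.loaded_by_object()
           && r.find("pop rdi; ret") == FindStatus::NoBinary;
}

// Success path on a constructed two-byte image: 0x5f 0xc3 = pop rdi; ret.
FindStatus find_after_successful_load() {
    const std::vector<unsigned char> image = {0x5f, 0xc3};
    Repl r;
    if (!r.load_bytes("constructed-image", image)) return FindStatus::NoBinary;
    return r.find("pop rdi; ret");
}

int main() {
    std::printf("guard inconsistent after failed load: %s\n",
                failed_load_leaves_guard_inconsistent() ? "yes" : "no");
    std::printf("find after successful load: %d\n",
                static_cast<int>(find_after_successful_load()));
    return 0;
}
```

The practical check is the last one in `failed_load_leaves_guard_inconsistent()`: after a load that reports failure, the guard that gates `find` must be false, and the cheapest way to guarantee that is to gate on the object the command will actually dereference rather than on any bookkeeping written before the load was validated.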
Boyan-MILANOV commented 3 years ago

Hey, thanks for reporting the issue. I was away for quite some time but the bug is fixed now :)