Open OevreFlataeker opened 4 years ago
I think I just found the reason in `rop.py`:

```python
def __load(self):
    """Load all ROP gadgets for the selected ELF files"""
    #
    # We accept only instructions that look like these.
    #
    # - leave
    # - pop reg
    # - add $sp, value
    # - ret
    #
    # Currently, ROPgadget does not detect multi-byte "C2" ret.
    # https://github.com/JonathanSalwan/ROPgadget/issues/53
    #
```
And further down the code is also the explicit filtering.
But why is this? Can it be changed? Why would I not want to have a larger/more complete list here?
Ultimately, the ROP autogeneration is limited in scope and capability. We chose to make it simple and reliable, rather than exposing additional ROP gadgets of unknown reliability to the user through the standard `pwnlib.rop` library.
You're always free to add your own gadgets to the `ROP.gadgets` instance, or invoke them directly via `ROP.raw`. `ROP.gadgets` is specifically a list of how to load various registers and consume stack space -- it's not intended to be an exhaustive tool. I recommend using ropper and ROPgadget if you need more flexibility.
We had a Summer of Code project that was intended to use symbolic execution to determine additional ROP gadgets, but it never landed in the mainline branch due to lack of time.
If you can provide a Pull Request that adds the needed smarts to the ROP module, they'd be much appreciated -- though I expect it will be a large undertaking.
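The conservative filter that the quoted `rop.py` comment describes, and the "load registers and consume stack space" role that the reply above gives to `ROP.gadgets`, as an added stand-alone example that is not pwntools code: a simplified re-implementation of that filter over constructed ROPgadget-style output lines, showing why a permissive tool lists many gadgets while a conservative loader keeps only a handful, plus a helper that mirrors adding your own entry to the table. The `Gadget` class, the regexes, the sample addresses and instructions, and the `add_custom` helper are all assumptions of this example, not pwnlib's API.

```python
import re
from dataclasses import dataclass

# Constructed sample in the "address : insn ; insn" shape that ROPgadget prints.
# Addresses and instructions are made up for this example, not taken from a real binary.
SAMPLE_ROPGADGET_OUTPUT = """\
0x0000000000400a5b : pop rdi ; ret
0x0000000000400a59 : pop rsi ; pop r15 ; ret
0x0000000000400a58 : leave ; ret
0x0000000000400a3f : add rsp, 8 ; ret
0x0000000000400a3e : mov rax, qword ptr [rsp] ; ret
0x0000000000400a4c : xchg rax, rsp ; ret
0x0000000000400a2c : ret
0x0000000000400a21 : pop rbx ; mov eax, 1 ; ret
0x0000000000400a10 : push rax ; ret
0x0000000000400a01 : pop rbp ; ret
"""

# Accepted shapes from the issue's comment block: pop reg / add sp, value (leave and ret are literal).
POP_RE = re.compile(r"^pop ([a-z0-9]+)$")
ADD_SP_RE = re.compile(r"^add [er]sp, (0x[0-9a-f]+|[0-9]+)$")


@dataclass
class Gadget:
    """Hypothetical record of what a conservative loader needs to know about a gadget."""
    address: int
    insns: list
    regs: list   # registers loaded from the stack, in pop order
    move: int    # bytes of stack consumed when the gadget runs to its ret


def parse_line(line):
    """Split 'addr : insn ; insn' into (int address, [insn, ...])."""
    addr, _, body = line.partition(" : ")
    return int(addr, 16), [insn.strip() for insn in body.split(";") if insn.strip()]


def classify(insns, wordsize=8):
    """Return (regs, move) if every instruction is an accepted shape
    (leave / pop reg / add sp, n / ret, with ret only as the last one), else None."""
    if not insns or insns[-1] != "ret":
        return None
    regs, move = [], 0
    for idx, insn in enumerate(insns):
        if insn == "ret":
            if idx != len(insns) - 1:
                return None          # a ret in the middle is a different gadget
            move += wordsize
        elif insn == "leave":
            # leave = mov sp, bp ; pop bp: bp is reloaded, but the stack move
            # cannot be known statically, so it is not counted here
            regs.append("rbp" if wordsize == 8 else "ebp")
        else:
            pop = POP_RE.match(insn)
            add = ADD_SP_RE.match(insn)
            if pop:
                regs.append(pop.group(1))
                move += wordsize
            elif add:
                move += int(add.group(1), 0)
            else:
                return None          # mov, xchg, push, ...: not in the conservative set
    return regs, move


def load(lines, wordsize=8):
    """Build {address: Gadget} from ROPgadget-style lines, keeping only the
    conservative subset. Returns (accepted, rejected_lines) so the gap is visible."""
    accepted, rejected = {}, []
    for line in lines:
        if not line.strip():
            continue
        address, insns = parse_line(line)
        result = classify(insns, wordsize)
        if result is None:
            rejected.append(line)
            continue
        regs, move = result
        accepted[address] = Gadget(address, insns, regs, move)
    return accepted, rejected


def add_custom(gadgets, address, insns, regs=(), move=0):
    """Register a gadget unconditionally: the caller vouches for it, the filter does not."""
    gadgets[address] = Gadget(address, list(insns), list(regs), move)
    return gadgets[address]


if __name__ == "__main__":
    kept, dropped = load(SAMPLE_ROPGADGET_OUTPUT.splitlines())
    print(f"kept {len(kept)} of {len(kept) + len(dropped)} gadgets")
    for line in dropped:
        print("rejected:", line)
```

Run on the constructed sample, the loader keeps 6 of the 10 lines and rejects the `mov`, `xchg`, `push` and `pop rbx ; mov eax, 1` gadgets, which is the same kind of gap as the "11 cached gadgets" versus "123 gadgets" the issue reports; `add_custom` puts a rejected one back under its address, which is the "add your own gadgets" route rather than loosening the filter.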
@zachriggle Why not allow users to hook into the ROPgadget command that is run and customize the gadgets returned, or at least allow the functionality to return everything and keep the default the same?
There's nothing stopping you from adding additional gadgets to `rop_instance.gadgets`, no need for hooks!
Alternately you can subclass ROP and do whatever you want.
Zach Riggle
On Thu, May 14, 2020 at 4:44 PM Marshall Hallenbeck < notifications@github.com> wrote:
> @zachriggle https://github.com/zachriggle Why not allow users to hook into the ROPgadget command that is run and customize the gadgets returned, or at least allow the functionality to return everything and keep the default the same?
I am relatively new to pwntools and doing the ROPemporium challenges at the moment.
My pwntools is version 4.0.1.
Besides pwntools I am using ropper to get my gadgets to solve the challenge. I wonder about a severe discrepancy between the two tools:
pwntools always says "Loaded 11 cached gadgets"
Whereas ropper gives me:
-> Ropper finds 123 gadgets
Also the list in "gadgets" only contains pop elements but no other gadgets like mov, xchg, etc. Do I need to rebuild the cache or configure pwntools to look more generically or something? These gadgets mentioned are explicitly built into the binary and should be found.
Found this past issue. Not sure whether it might be related? https://github.com/Gallopsled/pwntools/pull/1369