SQLab / ropchain

An x86 systematic ROP payload generation

Bug record: Stack smashing when parse some file #10

Closed hwchen18546 closed 9 years ago

hwchen18546 commented 9 years ago

/usr/bin/net.samba3 -> 135k gadgets, no crash. However, some files whose size and gadget count are less than that cause stack smashing. This bug starts from commit "Fix bugs - Parse large binary file causing crash". We can make such a conclusion: the bug is not caused by chain, tree, args, regexp.

$ ./ropchain /usr/bin/mysql -p 0
Gadget find = 34302
*** stack smashing detected ***: ./ropchain terminated
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(__fortify_fail+0x45)[0xb76a2bc5]
/lib/i386-linux-gnu/libc.so.6(+0x104b7a)[0xb76a2b7a]
./libropchain.so(+0x2564)[0xb775a564]
./libropchain.so(rop_parse_gadgets+0x4d8)[0xb77591f1]
./libropchain.so(rop_chain+0x117)[0xb7758cc3]
./ropchain[0x80489d9]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf3)[0xb75b74d3]
./ropchain[0x8048731]
======= Memory map: ========
08048000-08049000 r-xp 00000000 08:01 1052425    /home/hwchen18546/ropchain/ropchain/ropchain
08049000-0804a000 r--p 00001000 08:01 1052425    /home/hwchen18546/ropchain/ropchain/ropchain
0804a000-0804b000 rw-p 00002000 08:01 1052425    /home/hwchen18546/ropchain/ropchain/ropchain
08d0a000-0c22a000 rw-p 00000000 00:00 0          [heap]
b7019000-b7035000 r-xp 00000000 08:01 394136     /lib/i386-linux-gnu/libgcc_s.so.1
b7035000-b7036000 r--p 0001b000 08:01 394136     /lib/i386-linux-gnu/libgcc_s.so.1
b7036000-b7037000 rw-p 0001c000 08:01 394136     /lib/i386-linux-gnu/libgcc_s.so.1
b7047000-b736e000 rw-p 00000000 00:00 0
b736e000-b749a000 r-xp 00000000 08:01 5828       /usr/lib/libcapstone.so.2
b749a000-b749b000 ---p 0012c000 08:01 5828       /usr/lib/libcapstone.so.2
b749b000-b74c5000 r--p 0012c000 08:01 5828       /usr/lib/libcapstone.so.2
b74c5000-b759d000 rw-p 00156000 08:01 5828       /usr/lib/libcapstone.so.2
b759d000-b759e000 rw-p 00000000 00:00 0
b759e000-b7742000 r-xp 00000000 08:01 423162     /lib/i386-linux-gnu/libc-2.15.so
b7742000-b7744000 r--p 001a4000 08:01 423162     /lib/i386-linux-gnu/libc-2.15.so
b7744000-b7745000 rw-p 001a6000 08:01 423162     /lib/i386-linux-gnu/libc-2.15.so
b7745000-b7748000 rw-p 00000000 00:00 0
b7755000-b7758000 rw-p 00000000 00:00 0
b7758000-b775b000 r-xp 00000000 08:01 1052138    /home/hwchen18546/ropchain/ropchain/libropchain.so
b775b000-b775c000 r--p 00002000 08:01 1052138    /home/hwchen18546/ropchain/ropchain/libropchain.so
b775c000-b775d000 rw-p 00003000 08:01 1052138    /home/hwchen18546/ropchain/ropchain/libropchain.so
b775d000-b775f000 rw-p 00000000 00:00 0
b775f000-b7760000 r-xp 00000000 00:00 0          [vdso]
b7760000-b7780000 r-xp 00000000 08:01 408888     /lib/i386-linux-gnu/ld-2.15.so
b7780000-b7781000 r--p 0001f000 08:01 408888     /lib/i386-linux-gnu/ld-2.15.so
b7781000-b7782000 rw-p 00020000 08:01 408888     /lib/i386-linux-gnu/ld-2.15.so
bf8d6000-bf8f7000 rw-p 00000000 00:00 0          [stack]
Aborted (core dumped)

hwchen18546 commented 9 years ago

Before error:

$ x/8x $ebp-16
0xbffff288: 0xb7fc3440 0xb7fd9ff4 0x00000000 0x00000000
0xbffff298: 0xbffff2c8 0xb7fd78d8 0xb78c6008 0x0032522c

After:

$ x/8x $ebp-16
0xbffff288: 0x00746572 0xb7fd9ff4 0x00000000 0x00000000
0xbffff298: 0xbffff2c8 0xb7fd78d8 0xb78c6008 0x0032522c

The stack guard at 0xbffff288 is overwritten with 0x00746572 ('ret').

GDB:

$ watch *0xbffff288
Old value = 0xb7fc3440
New value = 0xb7fc3400
rop_print_gadgets (binary=0xb78c6008 "\177ELF\001\001\001", binary_len=0x32522c) at rop.c:42
41        total_gadget++;
42        for (k = 0; k < j; k++)

Old value = 0xb7fc3400
New value = 0x746572
rop_print_gadgets (binary=0xb78c6008 "\177ELF\001\001\001", binary_len=0x32522c) at rop.c:50
49        strcat(gadget_string, "ret");
50        printf("0x0%x:\t%s\n", text_address + i, gadget_string);

gadget_string exceeds #define MaxGadgetLen 200. Commit 1e714aed3aca8c7f394824bdd5c07b37152706ee "Fix bug: gadget_string cover canary stack smashing".
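The root cause traced above is a classic one: a fixed-size stack buffer (gadget_string, capped by MaxGadgetLen 200) filled with unchecked strcat calls for each instruction in a gadget, so a long enough gadget walks past the buffer end and into the stack canary, which is what the watchpoint catches. The following is an added example, not the project's rop.c or its fix commit, showing how to build the same kind of "insn ; insn ; ... ; ret" string with a length check that reserves room for the separator, the trailing "ret" and the terminator before every append, so an oversized gadget is reported as truncated instead of corrupting the stack. The instruction strings and the 200-byte limit below are constructed to mirror the issue; the function names are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_GADGET_LEN 200   /* same limit as the MaxGadgetLen in the issue */

/* Build "insn1 ; insn2 ; ... ; ret" into out[cap].
 * Before copying each instruction the function checks that the instruction,
 * its " ; " separator, the final "ret" and the NUL terminator all still fit.
 * Returns the number of instructions included and sets *truncated when the
 * gadget did not fit; out is always NUL-terminated and never overrun. */
size_t build_gadget_string(char *out, size_t cap,
                           const char *const *insns, size_t n,
                           bool *truncated)
{
    size_t included = 0;
    *truncated = false;
    if (cap < sizeof("ret")) {          /* cannot even hold "ret\0" */
        if (cap) out[0] = '\0';
        *truncated = true;
        return 0;
    }
    out[0] = '\0';
    for (size_t k = 0; k < n; k++) {
        size_t used = strlen(out);
        size_t ilen = strlen(insns[k]);
        /* instruction + " ; " + "ret" + NUL must fit in the remaining space */
        size_t need = ilen + 3 + 3 + 1;
        if (need > cap - used) {
            *truncated = true;           /* refuse instead of overflowing */
            break;
        }
        memcpy(out + used, insns[k], ilen);
        memcpy(out + used + ilen, " ; ", 3);
        out[used + ilen + 3] = '\0';
        included++;
    }
    /* The reserve above guarantees room for "ret" and the terminator here. */
    memcpy(out + strlen(out), "ret", 4);
    return included;
}

/* Short gadget that fits: expect "pop eax ; pop ebx ; ret", nothing truncated. */
int demo_small_fits(void)
{
    static const char *const insns[] = { "pop eax", "pop ebx" };   /* constructed */
    char buf[MAX_GADGET_LEN];
    bool trunc;
    size_t n = build_gadget_string(buf, sizeof buf, insns, 2, &trunc);
    return n == 2 && !trunc && strcmp(buf, "pop eax ; pop ebx ; ret") == 0;
}

/* Oversized gadget (40 x "add esp, 0x10", 16 bytes each with separator):
 * only 12 instructions fit before the reserve would be violated, the string
 * ends at 195 bytes inside the 200-byte buffer, and truncation is reported. */
int demo_large_truncates(void)
{
    const char *insns[40];                                         /* constructed */
    for (size_t i = 0; i < 40; i++) insns[i] = "add esp, 0x10";
    char buf[MAX_GADGET_LEN];
    bool trunc;
    size_t n = build_gadget_string(buf, sizeof buf, insns, 40, &trunc);
    return n == 12 && trunc && strlen(buf) == 195;
}

int main(void)
{
    printf("small gadget fits: %s\n", demo_small_fits() ? "yes" : "no");
    printf("large gadget truncated safely: %s\n",
           demo_large_truncates() ? "yes" : "no");
    return 0;
}
```

Compiling with -fstack-protector (as the distro toolchain in the backtrace did) is what turns the original overflow into the "stack smashing detected" abort rather than a silent corruption; the bounded builder above makes that protector redundant for this buffer, and the truncated flag gives the caller a way to log or skip gadgets that exceed the limit.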