Bad chain produced by write_to_mem

[divergentdave]

I'm trying to build a ROP chain for this binary, and there seems to be a problem with register usage in the chain built by write_to_mem(). If I run the following snippet, I get the chain below.

import angr, angrop
p = angr.Project("start")
rop = p.analyses.ROP()
rop.find_gadgets()
shellcode = "\x31\xc0\x99\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"
shellcode_location = 0x6cc000
chain = rop.write_to_mem(shellcode_location, shellcode)
chain.print_payload_code()

chain = ""
chain += p64(0x443775)  # pop r10; ret 
chain += p64(0x732f2f685099c031)
chain += p64(0x410900)  # pop r15; ret 
chain += p64(0x6cc008)
chain += p64(0x4325fe)  # mov qword ptr [rdi - 8], rdx; ret 
chain += p64(0x443775)  # pop r10; ret 
chain += p64(0xe3896e69622f6868)
chain += p64(0x410900)  # pop r15; ret 
chain += p64(0x6cc010)
chain += p64(0x4325fe)  # mov qword ptr [rdi - 8], rdx; ret 
chain += p64(0x443775)  # pop r10; ret 
chain += p64(0x80cd0bb0e1895350)
chain += p64(0x410900)  # pop r15; ret 
chain += p64(0x6cc018)
chain += p64(0x4325fe)  # mov qword ptr [rdi - 8], rdx; ret 

The pop gadgets are setting r10 and r15, but the mov gadget is using rdi and rdx, thus it fails to write the desired buffer, instead corrupting some other memory.

[github-actions[bot]]

This issue has been marked as stale because it has no recent activity. Please comment or add the pinned tag to prevent this issue from being closed.

[github-actions[bot]]

This issue has been closed due to inactivity.