sashs / Ropper

Display information about files in different file formats and find gadgets to build rop chains for different architectures (x86/x86_64, ARM/ARM64, MIPS, PowerPC, SPARC64). For disassembly ropper uses the awesome Capstone Framework.
https://scoding.de/ropper
BSD 3-Clause "New" or "Revised" License

Wrong gadget address for a vmlinux ELF x86_64 #107

Closed XVilka closed 5 years ago

XVilka commented 5 years ago

Ropper returns invalid addresses for the gadget, compared to IDA and qemu. See the result of qemu + gdb: [image] And in IDA Pro: [image] While ropper returns this address: [image]

See the 0x200000 address difference. Also see that the LOAD0 segment starts from 0x200000 as well.

vmlinux.zip

sashs commented 5 years ago

Oh, thank you. I will check that.

sashs commented 5 years ago

I've found the problem. The image base calculation is wrong, at least for vmlinux. I need to think about how to solve it. For normal ELF files it works to calculate vaddr - fileoffset. But this does not work here.

Here are the calculations for the executable segments:

0xffffffff81000000 - 0x0000000000200000 = 0xffffffff80e00000
0xffffffff826db000 - 0x0000000001adb000 = 0xffffffff80c00000

The gadget is found in the last segment, but ropper uses 0xffffffff80e00000 as the imagebase and adds this to the offset of the gadget. Therefore, there is the difference of 0x200000.
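The comment above explains why a single image base fails for vmlinux: the two executable PT_LOAD segments have different vaddr - fileoffset deltas, so a gadget found in the second segment gets the first segment's delta applied to it. The following is an added example, not ropper's code, showing the difference between deriving one image base from the first executable segment and mapping each file offset through the segment that contains it. The ELF header and program headers are constructed inline with the two offset/vaddr pairs quoted in the thread; the segment sizes and the gadget offset 0x1b00000 are assumptions chosen for illustration, not values from the attached vmlinux.

```python
"""Per-segment file-offset -> virtual-address mapping for ELF64.

Added example for the vmlinux image-base problem discussed in this issue.
This is not ropper's code; the ELF bytes below are constructed, not a real vmlinux.
"""
import struct

PT_LOAD = 1
PF_X = 0x1
PF_R = 0x4

# struct formats for the ELF64 header and program header (little-endian)
EHDR_FMT = "<16sHHIQQQIHHHHHH"   # 64 bytes
PHDR_FMT = "<IIQQQQQQ"           # 56 bytes


def build_elf(segments):
    """Build a constructed ELF64 image holding only an ELF header and the given
    PT_LOAD program headers, given as (p_flags, p_offset, p_vaddr, p_filesz).
    Segment contents are omitted; only the headers matter for this example."""
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # ELFCLASS64, LSB, version 1
    ehdr = struct.pack(EHDR_FMT, e_ident, 2, 62, 1, 0, 64, 0, 0, 64,
                       struct.calcsize(PHDR_FMT), len(segments), 0, 0, 0)
    phdrs = b"".join(
        struct.pack(PHDR_FMT, PT_LOAD, flags, off, vaddr, vaddr, size, size, 0x1000)
        for (flags, off, vaddr, size) in segments)
    return ehdr + phdrs


def load_segments(data):
    """Parse the PT_LOAD program headers into (p_offset, p_vaddr, p_filesz, p_flags)."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not an ELF64 file")
    hdr = struct.unpack_from(EHDR_FMT, data, 0)
    e_phoff, e_phentsize, e_phnum = hdr[5], hdr[9], hdr[10]
    segs = []
    for i in range(e_phnum):
        p_type, p_flags, p_offset, p_vaddr, _, p_filesz, _, _ = struct.unpack_from(
            PHDR_FMT, data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            segs.append((p_offset, p_vaddr, p_filesz, p_flags))
    return segs


def single_imagebase_vaddr(segs, file_offset):
    """The approach the thread describes as wrong for vmlinux: take one image base
    (p_vaddr - p_offset of the first executable segment) and add the raw file
    offset to it, regardless of which segment the offset actually lies in."""
    first_exec = next(s for s in segs if s[3] & PF_X)
    imagebase = first_exec[1] - first_exec[0]
    return imagebase + file_offset


def segment_vaddr(segs, file_offset):
    """Map a file offset through the PT_LOAD segment whose file range contains it."""
    for p_offset, p_vaddr, p_filesz, _ in segs:
        if p_offset <= file_offset < p_offset + p_filesz:
            return p_vaddr + (file_offset - p_offset)
    raise ValueError("file offset 0x%x is not backed by any PT_LOAD segment" % file_offset)


# Constructed headers mirroring the two executable segments quoted in the thread
# (file offset 0x200000 -> 0xffffffff81000000, 0x1adb000 -> 0xffffffff826db000).
# The sizes are assumptions chosen so the segments are contiguous in the file.
ELF = build_elf([
    (PF_R | PF_X, 0x200000, 0xffffffff81000000, 0x1adb000 - 0x200000),
    (PF_R | PF_X, 0x1adb000, 0xffffffff826db000, 0x100000),
])
SEGMENTS = load_segments(ELF)

if __name__ == "__main__":
    gadget_off = 0x1b00000  # hypothetical gadget file offset inside the second segment
    for p_offset, p_vaddr, p_filesz, p_flags in SEGMENTS:
        print("LOAD off=0x%x vaddr=0x%x delta=0x%x" % (p_offset, p_vaddr, p_vaddr - p_offset))
    print("single image base : 0x%x" % single_imagebase_vaddr(SEGMENTS, gadget_off))
    print("per-segment       : 0x%x" % segment_vaddr(SEGMENTS, gadget_off))
```

For an offset inside the first segment both functions agree; for an offset inside the second segment the single-image-base result is exactly 0x200000 higher than the per-segment result, which is the discrepancy reported against IDA and qemu. The per-segment lookup also rejects offsets that no PT_LOAD segment backs, so an offset into section headers or padding cannot silently turn into a bogus kernel address.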

sashs commented 5 years ago

I pushed a fix. It should work now.

sashs commented 5 years ago

I will close this issue.