sashs / Ropper

Display information about files in different file formats and find gadgets to build rop chains for different architectures (x86/x86_64, ARM/ARM64, MIPS, PowerPC, SPARC64). For disassembly ropper uses the awesome Capstone Framework.
https://scoding.de/ropper
BSD 3-Clause "New" or "Revised" License

Badbytes option crash #112

Closed SweetVishnya closed 5 years ago

SweetVishnya commented 5 years ago

Ubuntu 18.04

ropper --file /bin/ls --chain "execve cmd=/bin/sh" --badbytes 000a0d
[INFO] Load gadgets from cache
[LOAD] loading... 100%
[LOAD] filtering badbytes... 100%

[INFO] ROPchain Generator for syscall execve:

[INFO] 
write command into data section
rax 0xb
rdi address to cmd
rsi address to null
rdx address to null

[INFO] Cannot create gadget: writewhatwhere

[INFO] Use 0x4141414141414141 as command address. Please replace that value.

[INFO] Try to create chain which fills registers without delete content of previous filled registers
[*] Try permuation 1 / 1
[INFO] 

[INFO] Look for syscall gadget

[INFO] No syscall gadget found!

[INFO] Look for syscall opcode
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/ropper/console.py", line 360, in __generateChain
    chain = self.__rs.createRopChain(generator, str(self.currentFile.arch) ,options)
  File "/usr/local/lib/python2.7/dist-packages/ropper/service.py", line 775, in createRopChain
    return generator.create(options)
  File "/usr/local/lib/python2.7/dist-packages/ropper/ropchain/arch/ropchainx86_64.py", line 719, in create
    chain_tmp += self._createOpcode('0f05')
  File "/usr/local/lib/python2.7/dist-packages/ropper/ropchain/arch/ropchainx86_64.py", line 609, in _createOpcode
    return self._printRopInstruction(gadget)
  File "/usr/local/lib/python2.7/dist-packages/ropper/ropchain/arch/ropchainx86_64.py", line 176, in _printRopInstruction
    toReturn = ('rop += rebase_%d(%s) # %s\n' % (self._usedBinaries.index((gadget.fileName, gadget.section)),toHex(gadget.lines[0][0],8), gadget.simpleString()))
ValueError: ('0d06f9724af41b13cdacea133530b9129a48450230feef9632d53d5bbb837c8c', u'LOAD') is not in list

[ERROR] Please report this error on https://github.com/sashs/ropper
[ERROR] Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/ropper/console.py", line 62, in cmd
    func(self, text)
  File "/usr/local/lib/python2.7/dist-packages/ropper/console.py", line 499, in __handleOptions
    self.__generateChain(options.chain)
  File "/usr/local/lib/python2.7/dist-packages/ropper/console.py", line 377, in __generateChain
    raise e
ValueError: ('0d06f9724af41b13cdacea133530b9129a48450230feef9632d53d5bbb837c8c', u'LOAD') is not in list

sashs commented 5 years ago

Hi,

Thank you. It is indirectly the badbytes option. It is because it tries to create a chain with an empty gadget list. Missing validation checks. :)
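
A small Python model of the failure described above, added here as an illustration and not ropper's own code: bad-byte filtering (assumed here to compare the full 8-byte little-endian address, so a 00 bad byte discards every address with zero padding) can leave no gadgets, and printing a gadget whose (fileName, section) key was never registered makes list.index() raise the ValueError in the traceback. The Gadget, ChainPrinter and build_chain names are hypothetical; the hardened path rejects the empty list with a clear error and registers the binary before indexing.

```python
# Hypothetical model of this issue's failure (not ropper's code): the gadget list
# can become empty after --badbytes filtering, and printing a gadget whose
# (fileName, section) key was never registered makes list.index() raise ValueError.
from dataclasses import dataclass, field
from typing import List, Tuple

class RopChainError(Exception):
    """Clear error raised by the hardened path instead of a bare ValueError."""

@dataclass
class Gadget:
    address: int
    text: str          # e.g. "pop rax; ret" or "syscall"
    fileName: str      # constructed stand-in for the file hash seen in the traceback
    section: str = "LOAD"

def has_bad_bytes(addr: int, bad: bytes, width: int = 8) -> bool:
    # Assumption: the address is compared as its full little-endian encoding,
    # so any 0x00 padding byte collides with a bad byte of 00.
    return any(b in bad for b in addr.to_bytes(width, "little"))

def filter_badbytes(gadgets: List[Gadget], badbytes_hex: str) -> List[Gadget]:
    bad = bytes.fromhex(badbytes_hex)
    return [g for g in gadgets if not has_bad_bytes(g.address, bad)]

@dataclass
class ChainPrinter:
    used_binaries: List[Tuple[str, str]] = field(default_factory=list)

    def print_unchecked(self, g: Gadget) -> str:
        # Mirrors the failing line: ValueError if the key was never registered.
        idx = self.used_binaries.index((g.fileName, g.section))
        return "rop += rebase_%d(0x%016x) # %s\n" % (idx, g.address, g.text)

    def print_checked(self, g: Gadget) -> str:
        # Hardened: register the binary on first use, then index safely.
        key = (g.fileName, g.section)
        if key not in self.used_binaries:
            self.used_binaries.append(key)
        return self.print_unchecked(g)

def build_chain(gadgets: List[Gadget], badbytes_hex: str) -> str:
    usable = filter_badbytes(gadgets, badbytes_hex)
    if not usable:  # the validation check the maintainer mentions
        raise RopChainError("no gadgets left after filtering badbytes " + badbytes_hex)
    printer = ChainPrinter()
    return "".join(printer.print_checked(g) for g in usable)
```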

sashs commented 5 years ago

Fixed.