sashs / Ropper

Display information about files in different file formats and find gadgets to build rop chains for different architectures (x86/x86_64, ARM/ARM64, MIPS, PowerPC, SPARC64). For disassembly ropper uses the awesome Capstone Framework.
https://scoding.de/ropper
BSD 3-Clause "New" or "Revised" License

Badbytes doesn't check the ImageBase provided. #117

Closed lionaneesh closed 4 years ago

lionaneesh commented 4 years ago

The address of image base is not considered while filtering bad bytes. I will try to make a change for this.


$ ropper -f libc-2.15.so -I  0x5555e000 --badbytes "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfe"
[INFO] Load gadgets from cache
[LOAD] loading... 100%
[LOAD] filtering badbytes... 100%

Gadgets
=======

0 gadgets found

A gadget I found manually:

   0x555f3555:  pop    %edx
   0x555f3556:  xor    %eax,%eax
   0x555f3558:  pop    %edi
   0x555f3559:  ret

Ropper shows wrong output here.

sashs commented 4 years ago

Hi,

why do you think this is a wrong output? Ropper should not show that gadget because of 0x5f which is filtered by the badbytes setting.

sashs commented 4 years ago

Oh wait, I was wrong

sashs commented 4 years ago

Could you provide your libc? I've just checked it and ropper does find the right gadgets. Something else seems to be wrong.

./Ropper.py -f test-binaries/ls-x86 -I 0x5555e000 --badbytes "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfe"      
[INFO] Load gadgets from cache
[LOAD] loading... 100%
[LOAD] filtering badbytes... 100%
[LOAD] removing double gadgets... 100%

Gadgets
=======

0x55562b22: aam 0x44; push es; or byte ptr [ebx + 0x5e5b2cc4], al; pop edi; pop ebp; ret; 
0x55566567: aam 0x44; push es; or byte ptr [ecx - 0x32f7b], cl; jmp dword ptr [ebp - 0x5f]; 
0x5557633d: adc al, 0x41; ret; 
0x55577264: adc al, 0x43; ret; 
....
0x55562246: leave; ret; 
0x55577563: pushal; add ch, byte ptr [esi + 0xa]; push cs; adc al, 0x41; ret; 
0x55562229: ret; 

640 gadgets found

lionaneesh commented 4 years ago

Yeah sure. Just a second. https://filetransfer.io/data-package/UUF9RiEr

lionaneesh commented 4 years ago

Is it fine if I try to make the change? I am trying to figure out what's wrong in lines[0][0] holding so huge values in my case. (inside Gadget, addressesContainsBytes)

sashs commented 4 years ago

I found the problem.

lionaneesh commented 4 years ago

What is it?

sashs commented 4 years ago

The newly set image base is used during the searching process and used for the offset calculation. I fixed it and I will push a fix later today.

If you want to look for gadgets now, clear the cache with ropper --clear-cache and start ropper once without setting the image base. After that it works since the gadgets are loaded from the cache.

lionaneesh commented 4 years ago

Hey did you push the change for this?

sashs commented 4 years ago

Yes, today.