Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ROP: fix ROP(ELF(exe)).leave is None in some ELF #2506

Merged
merged 5 commits into from
Feb 18, 2025
Merged

ROP: fix ROP(ELF(exe)).leave is None in some ELF #2506

merged 5 commits into from
Feb 18, 2025

Conversation

RocketMaDev
Copy link
Contributor

@RocketMaDev RocketMaDev commented Dec 13, 2024
edited
Loading

Conclusion

When libc has gadgets like pop rsp; pop rbp; ret; and leave; ret;, ROP(ELF(libc)).leave is None. Added a specific order "leav" to filter out the former case.

Analysis

# pwnlib/rop.py#L1410 __load()
                    sp_move += 9999999999
                    regs += frame_regs
# the 'leave' has a very high move and owns regs ['?sp', '?bp']

# pwnlib/rop.py#L1421 __load()
        leave = self.search(regs=frame_regs, order='regs')
        if leave and leave.regs != frame_regs:
            leave = None
        self.leave = leave
# when initializing ROP object, `leave` attribute is searched via regs ['?sp', '?bp']

# pwnlib/rop.py#L1476 search(move, regs, order)
            'regs': lambda g: (len(g.regs), g.move, g.address),
# with `order == 'regs'`, gadgets are sorted first by number of regs involved,
# then by their move

# pwnlib/rop.py#L1481 search(move, regs, order)
            result = min(matches, key=key)
# when returning gadget, always choose the closest match

However, when gadgets to filter contain both Gadget(0x26211, ['pop rsp', 'pop rbp', 'ret'], ['rsp', 'rbp'], 0x18) and Gadget(0x2556a, ['leave', 'ret'], ['rbp', 'rsp'], 0x2540be407),
the former one is chosen as it has the same len(g.regs) == 2 as the latter one and has a smaller move. When return back to __load, because leave.regs == ['rsp', 'rbp'] and leave.regs != ['rbp', rsp'], so self.leave is None.

The libc I test is 2.39-0ubuntu8_amd64

POC:

from pwn import *
context.arch = 'amd64'
gadgets = ROP(ELF('libc.so.6'))
print(gadgets.leave)

@RocketMaDev
ROP: fix self.leave is None in some libc
834d581 
When `pop rbp; pop rsp; ret;` exists in libc, it is chosen instead of
`leave`. Add a specific `order` to filter out the former one.
@RocketMaDev
add changelog for Gallopsled#2506
bc8a126
@RocketMaDev RocketMaDev changed the title ROP: fix ROP(ELF(exe)).leave is None in some ELF ROP: fix ROP(ELF(exe)).leave is None in some ELF Dec 13, 2024
@Arusekk
Copy link
Member

Arusekk commented Dec 18, 2024

Thank you for the fix! I think a more correct solution would be to add move 999999 and migrated flag to pop rsp as well. Can you check if it works?

@RocketMaDev
Copy link
Contributor Author

Oh, you're right. Since pop rsp; pop rbp; ret; takes 0x18 bytes, so it will choose leave instead without my solution.

But what if the user wish to match pop rsp; pop rbp; ret?

@peace-maker peace-maker added the rop Return Oriented Programming manipulation routines label Dec 18, 2024
@Arusekk
Copy link
Member

Arusekk commented Dec 24, 2024

I think the last one would be very rare. I don't think pop rsp would be directly followed by anything sensible except for ret. I also think we can exclude pop rsp during preliminary gadget filtering altogther for simplicity.

@RocketMaDev
Copy link
Contributor Author

I don't think pop rsp would be directly followed by anything sensible except for ret.

However, in my case, pop rsp is followed by pop rbp.

Take a look at my latest solution.

@RocketMaDev RocketMaDev mentioned this pull request Feb 3, 2025
Draft
@peace-maker
Copy link
Member

Can you merge latest dev into this branch to move the changelog entry to 5.0.0 please?

Thank you for all your contributions and continuous effort!

@peace-maker peace-maker merged commit 636b3b2 into Gallopsled:dev Feb 18, 2025
15 checks passed
@RocketMaDev RocketMaDev deleted the rop branch February 19, 2025 02:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Arusekk Arusekk Arusekk approved these changes

Assignees
No one assigned
Labels
rop Return Oriented Programming manipulation routines
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@RocketMaDev @Arusekk @peace-maker