Fails to catch __libc_csu_init gadgets #103

Open
zachriggle opened this issue Jan 29, 2017 · 2 comments

Comments

@zachriggle (Contributor) commented Jan 29, 2017

ROPgadget always seems to miss this sequence:

.text:00000000004005E6 48 8B 5C 24 08     mov     rbx, [rsp+8]
.text:00000000004005EB 48 8B 6C 24 10     mov     rbp, [rsp+10h]
.text:00000000004005F0 4C 8B 64 24 18     mov     r12, [rsp+18h]
.text:00000000004005F5 4C 8B 6C 24 20     mov     r13, [rsp+20h]
.text:00000000004005FA 4C 8B 74 24 28     mov     r14, [rsp+28h]
.text:00000000004005FF 4C 8B 7C 24 30     mov     r15, [rsp+30h]
.text:0000000000400604 48 83 C4 38        add     rsp, 38h
.text:0000000000400608 C3                 retn
.text:0000000000400608                __libc_csu_init endp
$ ROPgadget --binary unexploitable | grep 38
0x0000000000400605 : add esp, 0x38 ; ret
0x0000000000400604 : add rsp, 0x38 ; ret
0x0000000000400602 : and al, 0x30 ; add rsp, 0x38 ; ret
0x0000000000400600 : mov edi, dword ptr [rsp + 0x30] ; add rsp, 0x38 ; ret
0x00000000004005ff : mov r15, qword ptr [rsp + 0x30] ; add rsp, 0x38 ; ret
0x0000000000400538 : pop rbp ; mov edi, 0x600e48 ; jmp rax
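Added example, not ROPgadget's code or anything posted in the thread: assuming the search window is a fixed number of bytes before each `ret` (as the `--depth <nbyte>` option, default 10, and the output above suggest), this models which boundary-aligned gadgets a 10-byte window can reach in the epilogue listed above and how deep the window must be to report the whole sequence; the bytes and instruction boundaries are copied from that listing.

```python
# Added illustration, not ROPgadget's own code: a backward gadget search that, for
# a RET, tries every start offset up to `depth` bytes before it.  Bytes and
# instruction boundaries come from the listing above; mid-instruction starts
# (which real scanners also decode, e.g. the `and al, 0x30` gadget) are ignored.
BASE = 0x4005E6  # address of the first mov in the listing above
EPILOGUE = bytes.fromhex(
    "488b5c2408" "488b6c2410" "4c8b642418" "4c8b6c2420"  # mov rbx/rbp/r12/r13
    "4c8b742428" "4c8b7c2430" "4883c438" "c3"            # mov r14/r15, add, ret
)
# (offset of each instruction within EPILOGUE, its disassembly)
LISTING = [
    (0x00, "mov rbx, qword ptr [rsp + 8]"),
    (0x05, "mov rbp, qword ptr [rsp + 0x10]"),
    (0x0A, "mov r12, qword ptr [rsp + 0x18]"),
    (0x0F, "mov r13, qword ptr [rsp + 0x20]"),
    (0x14, "mov r14, qword ptr [rsp + 0x28]"),
    (0x19, "mov r15, qword ptr [rsp + 0x30]"),
    (0x1E, "add rsp, 0x38"),
    (0x22, "ret"),
]
RET_OFFSET = LISTING[-1][0]
assert EPILOGUE[RET_OFFSET] == 0xC3 and len(EPILOGUE) == RET_OFFSET + 1


def gadget_from(start: int) -> str:
    """Gadget text obtained by running the listing from `start` through the ret."""
    return " ; ".join(text for off, text in LISTING if off >= start)


def aligned_gadgets(depth: int) -> list[tuple[int, str]]:
    """Boundary-start gadgets a window of `depth` bytes before the ret can report."""
    boundaries = {off for off, _ in LISTING}
    found = []
    for i in range(depth):            # candidate starts: RET_OFFSET - i
        start = RET_OFFSET - i
        if start in boundaries:
            found.append((BASE + start, gadget_from(start)))
    return found


def depth_for_full_epilogue() -> int:
    """Smallest window (in bytes) whose candidate starts include offset 0."""
    return RET_OFFSET + 1


if __name__ == "__main__":
    for addr, text in aligned_gadgets(10):  # 10 is ROPgadget's default --depth
        print(f"0x{addr:016x} : {text}")
    print("bytes of depth needed for the whole gadget:", depth_for_full_epilogue())
```

With a 10-byte window the deepest boundary reached is the `mov r15` at 0x4005ff, matching the output above; the six-register sequence is only reported once the window spans all 35 bytes.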
@JonathanSalwan (Owner) commented:

Go ahead for a PR :)

@0vercl0k commented:

I'm 5 years late.... (😬) but it works on rp in case you are interested :-D:

> rp-win-x64.exe --file z.bin --raw x64 --rop=10 | rg "mov rbx,"
0x0: mov rbx, qword [rsp+0x08] ; mov rbp, qword [rsp+0x10] ; mov r12, qword [rsp+0x18] ; mov r13, qword [rsp+0x20] ; mov r14, qword [rsp+0x28] ; mov r15, qword [rsp+0x30] ; add rsp, 0x38 ; ret ; \x48\x8b\x5c\x24\x08\x48\x8b\x6c\x24\x10\x4c\x8b\x64\x24\x18\x4c\x8b\x6c\x24\x20\x4c\x8b\x74\x24\x28\x4c\x8b\x7c\x24\x30\x48\x83\xc4\x38\xc3 (1 found)
