sqlab / ropchain Goto Github PK
View Code? Open in Web Editor NEWA x86 systematic ROP payload generation
ropchain's People
Contributors
Stargazers
Watchers
Forkers
lancechentw terry2012 cherry-wb chubbymaggie sigma-random tempbottle ye-yong-chi gitcollect albb0920 hwchen18546 techlord-rce ykankaya xuchen201810ropchain's Issues
Fix some bugs
Fix some bug
- Delete the gadgets start with ret
- long gadget -> build more redundant gadget
- ret; ret gadgets because of badbyte strcat()
Fix Bug "double free"
*** glibc detected *** ./ropchain: double free or corruption (!prev): 0x08a72780 ***
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(+0x75b12)[0xb75c7b12]
./libropchain.so(rop_chain_list_free+0x5b)[0xb770f905]
./libropchain.so(rop_chain_execve+0xd0)[0xb770e505]
./libropchain.so(rop_chain+0x130)[0xb770ddec]
./ropchain[0x80489e5]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf3)[0xb756b4d3]
./ropchain[0x8048731]
Gadgets instruments Statistics
$ ls -l test
-rwxrwxr-x 1 hwchen18546 hwchen18546 752336 Aug 5 17:07 test
$ ./ropchain test | sort -n | uniq -c -w 1
Gadget find = 14716
4496 2 0x0804812a: xchg eax, ecx ; ret
4286 3 0x08048127: fcom qword ptr [ecx + 0x3a] ; ...
3036 4 0x08048126: in eax, dx ; fcom qword ...
1765 5 0x080483cf: lock pop ebx ; pop esi ; pop edi ; ...
954 6 0x080483ce: mov eax, esi ; pop ebx ; pop esi ; ...
177 7 0x0804859e: hlt ; mov eax, ebx ; pop ebx ; pop esi ; ...
2 8 0x0805775a: nop ; nop ; nop ; nop ; nop ; nop ...
$ ls -l /usr/bin/net.samba3
-rwxr-xr-x 1 root root 8893156 Apr 16 2013 /usr/bin/net.samba3
$ ./ropchain /usr/bin/net.samba3 | sort -n | uniq -c -w 1
Gadget find = 135269
37522 2 0x08048504: fild dword ptr...
42712 3 0x0804856a: dec eax ; sbb eax,...
27342 4 0x080485fa: add byte ptr [edx], ...
18013 5 0x08048707: rol byte ptr [eax], 1 ; ...
8023 6 0x08048706: and al, al ; ..
1644 7 0x08052497: mov fs, edi ; ..
12 8 0x0810ff2b: int3 ; pop es ; ..
1 9 0x0875e690: inc edx ; inc edx ; inc edx ;..
Bug record: Stack smashing when parse some file
/usr/bin/net.samba3 -> 135k gadgets not crack.
However, some files size and gadgets less than that stack smashing.
This bug starts from commit "Fix bugs - Parse large binary file causing crash"
We can make such a conclusion. Bug is not cause by chain, tree, args, regexp
$ ./ropchain /usr/bin/mysql -p 0
Gadget find = 34302
*** stack smashing detected ***: ./ropchain terminated
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(__fortify_fail+0x45)[0xb76a2bc5]
/lib/i386-linux-gnu/libc.so.6(+0x104b7a)[0xb76a2b7a]
./libropchain.so(+0x2564)[0xb775a564]
./libropchain.so(rop_parse_gadgets+0x4d8)[0xb77591f1]
./libropchain.so(rop_chain+0x117)[0xb7758cc3]
./ropchain[0x80489d9]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf3)[0xb75b74d3]
./ropchain[0x8048731]
======= Memory map: ========
08048000-08049000 r-xp 00000000 08:01 1052425 /home/hwchen18546/ropchain/ropchain/ropchain
08049000-0804a000 r--p 00001000 08:01 1052425 /home/hwchen18546/ropchain/ropchain/ropchain
0804a000-0804b000 rw-p 00002000 08:01 1052425 /home/hwchen18546/ropchain/ropchain/ropchain
08d0a000-0c22a000 rw-p 00000000 00:00 0 [heap]
b7019000-b7035000 r-xp 00000000 08:01 394136 /lib/i386-linux-gnu/libgcc_s.so.1
b7035000-b7036000 r--p 0001b000 08:01 394136 /lib/i386-linux-gnu/libgcc_s.so.1
b7036000-b7037000 rw-p 0001c000 08:01 394136 /lib/i386-linux-gnu/libgcc_s.so.1
b7047000-b736e000 rw-p 00000000 00:00 0
b736e000-b749a000 r-xp 00000000 08:01 5828 /usr/lib/libcapstone.so.2
b749a000-b749b000 ---p 0012c000 08:01 5828 /usr/lib/libcapstone.so.2
b749b000-b74c5000 r--p 0012c000 08:01 5828 /usr/lib/libcapstone.so.2
b74c5000-b759d000 rw-p 00156000 08:01 5828 /usr/lib/libcapstone.so.2
b759d000-b759e000 rw-p 00000000 00:00 0
b759e000-b7742000 r-xp 00000000 08:01 423162 /lib/i386-linux-gnu/libc-2.15.so
b7742000-b7744000 r--p 001a4000 08:01 423162 /lib/i386-linux-gnu/libc-2.15.so
b7744000-b7745000 rw-p 001a6000 08:01 423162 /lib/i386-linux-gnu/libc-2.15.so
b7745000-b7748000 rw-p 00000000 00:00 0
b7755000-b7758000 rw-p 00000000 00:00 0
b7758000-b775b000 r-xp 00000000 08:01 1052138 /home/hwchen18546/ropchain/ropchain/libropchain.so
b775b000-b775c000 r--p 00002000 08:01 1052138 /home/hwchen18546/ropchain/ropchain/libropchain.so
b775c000-b775d000 rw-p 00003000 08:01 1052138 /home/hwchen18546/ropchain/ropchain/libropchain.so
b775d000-b775f000 rw-p 00000000 00:00 0
b775f000-b7760000 r-xp 00000000 00:00 0 [vdso]
b7760000-b7780000 r-xp 00000000 08:01 408888 /lib/i386-linux-gnu/ld-2.15.so
b7780000-b7781000 r--p 0001f000 08:01 408888 /lib/i386-linux-gnu/ld-2.15.so
b7781000-b7782000 rw-p 00020000 08:01 408888 /lib/i386-linux-gnu/ld-2.15.so
bf8d6000-bf8f7000 rw-p 00000000 00:00 0 [stack]
Aborted (core dumped)
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.