
ropchain's Issues

Fix some bugs

Fix some bug

  1. Delete the gadgets that start with ret
  2. Long gadget -> builds more redundant gadgets
  3. ret ; ret gadgets because of badbyte strcat()

Fix Bug "double free"

*** glibc detected *** ./ropchain: double free or corruption (!prev): 0x08a72780 ***
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(+0x75b12)[0xb75c7b12]
./libropchain.so(rop_chain_list_free+0x5b)[0xb770f905]
./libropchain.so(rop_chain_execve+0xd0)[0xb770e505]
./libropchain.so(rop_chain+0x130)[0xb770ddec]
./ropchain[0x80489e5]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf3)[0xb756b4d3]
./ropchain[0x8048731]

Gadget instruction statistics

$ ls -l test
-rwxrwxr-x 1 hwchen18546 hwchen18546 752336 Aug 5 17:07 test

$ ./ropchain test | sort -n | uniq -c -w 1

Gadget find = 14716
4496 2 0x0804812a: xchg eax, ecx ; ret
4286 3 0x08048127: fcom qword ptr [ecx + 0x3a] ; ...
3036 4 0x08048126: in eax, dx ; fcom qword ...
1765 5 0x080483cf: lock pop ebx ; pop esi ; pop edi ; ...
954 6 0x080483ce: mov eax, esi ; pop ebx ; pop esi ; ...
177 7 0x0804859e: hlt ; mov eax, ebx ; pop ebx ; pop esi ; ...
2 8 0x0805775a: nop ; nop ; nop ; nop ; nop ; nop ...

$ ls -l /usr/bin/net.samba3
-rwxr-xr-x 1 root root 8893156 Apr 16 2013 /usr/bin/net.samba3

$ ./ropchain /usr/bin/net.samba3 | sort -n | uniq -c -w 1

Gadget find = 135269
37522 2 0x08048504: fild dword ptr...
42712 3 0x0804856a: dec eax ; sbb eax,...
27342 4 0x080485fa: add byte ptr [edx], ...
18013 5 0x08048707: rol byte ptr [eax], 1 ; ...
8023 6 0x08048706: and al, al ; ..
1644 7 0x08052497: mov fs, edi ; ..
12 8 0x0810ff2b: int3 ; pop es ; ..
1 9 0x0875e690: inc edx ; inc edx ; inc edx ;..
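The per-length histogram that the `sort -n | uniq -c -w 1` pipeline above computes, together with the three redundancy filters listed in the "Fix some bug" issue, written out as an added example (not ropchain's own code). The output line format "<insn count> <address>: <insn> ; <insn> ; ..." is assumed from the issue text, the sample lines are constructed, and `max_len=8` is an assumed cutoff; it also shows that `uniq -w 1`, which compares only the first character, merges lengths 10 and 12 into one bucket.

```python
"""Gadget-length histogram and redundancy filters for ropchain output.
Added example, not ropchain's code; format and cutoff are assumptions."""
import re
from collections import Counter
from itertools import groupby

LINE_RE = re.compile(r"^(\d+) (0x[0-9a-fA-F]+): (.+)$")

# Constructed sample in ropchain's output format (not a real scan).
SAMPLE = """\
Gadget find = 8
2 0x0804812a: xchg eax, ecx ; ret
3 0x08048127: fcom qword ptr [ecx + 0x3a] ; pop ebx ; ret
2 0x08048130: ret ; ret
4 0x080483cf: lock pop ebx ; pop esi ; pop edi ; ret
3 0x080483ce: mov eax, esi ; pop ebx ; ret
10 0x0805775a: nop ; nop ; nop ; nop ; nop ; nop ; nop ; nop ; nop ; ret
3 0x08048200: ret ; pop eax ; ret
12 0x08048300: pop eax ; pop ebx ; pop ecx ; pop edx ; pop esi ; pop edi ; pop ebp ; nop ; nop ; nop ; nop ; ret
"""

def parse_gadgets(text):
    """Return [(length, address, [insn, ...])]; non-gadget lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((int(m.group(1)), int(m.group(2), 16), m.group(3).split(" ; ")))
    return out

def length_histogram(gadgets):
    """Exact per-length counts, keyed on the whole number."""
    return dict(Counter(length for length, _, _ in gadgets))

def uniq_w1_histogram(gadgets):
    """Mimic `sort -n | uniq -c -w 1`: runs of adjacent lines sharing the first character."""
    lengths = sorted(length for length, _, _ in gadgets)
    return [(len(list(run)), key) for key, run in groupby(lengths, key=lambda n: str(n)[0])]

def is_redundant(insns, max_len=8):
    """The three cases from the "Fix some bug" issue (max_len is an assumed cutoff)."""
    return (insns[0] == "ret"                    # 1. starts with ret: the prefix adds nothing
            or len(insns) > max_len              # 2. long gadget: its tail is a shorter gadget
            or all(i == "ret" for i in insns))   # 3. ret-only gadgets left by badbyte strcat()

def filter_redundant(gadgets, max_len=8):
    """Keep only the gadgets that survive the three filters, in input order."""
    return [g for g in gadgets if not is_redundant(g[2], max_len)]

if __name__ == "__main__":
    gs = parse_gadgets(SAMPLE)
    print("exact:", length_histogram(gs))
    print("uniq -w 1:", uniq_w1_histogram(gs))
    for length, addr, insns in filter_redundant(gs):
        print(f"{length} {addr:#010x}: {' ; '.join(insns)}")
```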

Bug record: stack smashing when parsing some files

/usr/bin/net.samba3 -> 135k gadgets, does not crash.
However, some files with a smaller size and fewer gadgets than that cause stack smashing.
This bug starts from commit "Fix bugs - Parse large binary file causing crash".
We can draw this conclusion: the bug is not caused by chain, tree, args, or regexp.

$ ./ropchain /usr/bin/mysql -p 0
Gadget find = 34302
*** stack smashing detected ***: ./ropchain terminated
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(__fortify_fail+0x45)[0xb76a2bc5]
/lib/i386-linux-gnu/libc.so.6(+0x104b7a)[0xb76a2b7a]
./libropchain.so(+0x2564)[0xb775a564]
./libropchain.so(rop_parse_gadgets+0x4d8)[0xb77591f1]
./libropchain.so(rop_chain+0x117)[0xb7758cc3]
./ropchain[0x80489d9]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf3)[0xb75b74d3]
./ropchain[0x8048731]
======= Memory map: ========
Aborted (core dumped)
