Corefile fault_addr on amd64 #1018

zachriggle · 2017-09-01T20:40:53Z

When doing ROP on amd64, the fault_addr of the generated corefile is zero.

This is a little bit confusing, because the fault address is not zero, it's whatever is on the top of the stack (e.g. faaagaaa).

This is extra confusing because i386 behaves how we would expect.

I suggest the following change which should make things function the way we'd expect.

try:
  if core.arch == 'amd64' and core.fault_addr == 0 and core.read(core.pc, 1) == '\xc3':
    core.fault_addr = core.unpack(core.sp)
except Exception:
  pass

The text was updated successfully, but these errors were encountered:

zachriggle · 2017-09-01T20:42:00Z

The context / impetus for this is the challenges in ROP Emporium are provided in both architectures, and it should be possible to have a single exploit script that works for either.

Currently, this is the biggest hiccup, aside from limitations of pwnlib.rop.rop.ROP.setRegisters requiring super basic gadgets.

bennofs · 2017-09-13T17:05:46Z

What's the \xc3 magic constant there?

zachriggle · 2017-09-14T02:02:33Z

It is a ret instruction.

zachriggle · 2017-10-12T16:54:02Z

Fixed in #1031

zachriggle added the enhancement label Sep 1, 2017

zachriggle self-assigned this Sep 1, 2017

zachriggle closed this as completed Oct 12, 2017

zachriggle modified the milestones: 3.10.0, 3.11.0 Oct 12, 2017

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Corefile fault_addr on amd64 #1018

Corefile fault_addr on amd64 #1018

zachriggle commented Sep 1, 2017

zachriggle commented Sep 1, 2017

bennofs commented Sep 13, 2017

zachriggle commented Sep 14, 2017

zachriggle commented Oct 12, 2017

Corefile fault_addr on amd64 #1018

Corefile fault_addr on amd64 #1018

Comments

zachriggle commented Sep 1, 2017

zachriggle commented Sep 1, 2017

bennofs commented Sep 13, 2017

zachriggle commented Sep 14, 2017

zachriggle commented Oct 12, 2017