AArch64 multi-ret gadgets #108

Open
zachriggle opened this issue Feb 10, 2017 · 6 comments

@zachriggle
Contributor

It seems that we should never see the following:

0x0000000000409328 : ldp x20, x19, [sp], #0x20 ; ret ; adrp x8, #0x52c000 ; add x8, x8, #0x1c0 ; add x8, x8, #0x10 ; str x8, [x1] ; ldr x8, [x0, #8] ; str x8, [x1, #8] ; ret

Note that there are two ret gadgets.

The full sequence per objdump is:

  409328:	f4 4f c2 a8 	ldp	x20, x19, [sp], #32
  40932c:	c0 03 5f d6 	ret
  409330:	08 09 00 f0 	adrp	x8, #1191936
  409334:	08 01 07 91 	add	x8, x8, #448
  409338:	08 41 00 91 	add	x8, x8, #16
  40933c:	28 00 00 f9 	str		x8, [x1]
  409340:	08 04 40 f9 	ldr	x8, [x0, #8]
  409344:	28 04 00 f9 	str	x8, [x1, #8]
  409348:	c0 03 5f d6 	ret
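The behaviour the report calls out is a backward walk from a `ret` that does not stop at an earlier `ret`, so one output line spans two returns. The following is an added example, not ROPgadget's own code, written against the objdump bytes above: a minimal scanner that enforces the stop-at-previous-`ret` rule, and a check that flags a ROPgadget-style output line containing a `ret` anywhere before its last instruction. It assumes little-endian AArch64 and matches only the plain `ret` (RET X30, 0xd65f03c0) encoding seen in the listing; other return forms are not considered.

```python
import struct

# Encoding of the plain AArch64 `ret` (RET X30), as in the objdump listing.
RET = 0xD65F03C0
INSN_SIZE = 4  # AArch64 instructions are fixed-width

# Constructed from the objdump bytes quoted in the issue (little-endian, as shown).
SAMPLE_BYTES = bytes.fromhex(
    "f44fc2a8" "c0035fd6" "080900f0" "08010791" "08410091"
    "280000f9" "080440f9" "280400f9" "c0035fd6"
)
SAMPLE_BASE = 0x409328  # address of the first instruction in the listing


def find_ret_gadgets(code: bytes, base: int, max_insns: int = 10):
    """Return (address, instruction_count) for every gadget ending in `ret`.

    From each `ret` the scan extends backwards one instruction at a time and
    stops before stepping over another `ret`, so a gadget can only ever
    contain its terminating return.
    """
    nwords = len(code) // INSN_SIZE
    words = [struct.unpack_from("<I", code, i * INSN_SIZE)[0] for i in range(nwords)]
    gadgets = []
    for end, word in enumerate(words):
        if word != RET:
            continue
        start = end
        # Extend while under the length limit and not crossing an earlier ret.
        while start > 0 and end - start + 1 < max_insns and words[start - 1] != RET:
            start -= 1
        for s in range(start, end + 1):
            gadgets.append((base + s * INSN_SIZE, end - s + 1))
    return sorted(gadgets)


def has_intermediate_ret(gadget_line: str) -> bool:
    """Flag a ROPgadget-style line "addr : insn ; insn ; ... ; ret" whose
    instruction list contains a `ret` before the final instruction."""
    _, _, body = gadget_line.partition(" : ")
    insns = [i.strip() for i in body.split(";") if i.strip()]
    return "ret" in insns[:-1]


if __name__ == "__main__":
    for addr, count in find_ret_gadgets(SAMPLE_BYTES, SAMPLE_BASE):
        print(f"{addr:#x}: {count} instruction(s) ending in ret")
    reported = ("0x0000000000409328 : ldp x20, x19, [sp], #0x20 ; ret ; adrp x8, #0x52c000 ; "
                "add x8, x8, #0x1c0 ; add x8, x8, #0x10 ; str x8, [x1] ; ldr x8, [x0, #8] ; "
                "str x8, [x1, #8] ; ret")
    print("intermediate ret:", has_intermediate_ret(reported))
```

On the 36 bytes from the listing the scanner yields nine gadgets, the longest starting at 0x409330 (seven instructions), and never one that starts at 0x409328 and runs past the `ret` at 0x40932c.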
@JonathanSalwan
Owner

Go ahead for a PR :)

@JonathanSalwan
Owner

btw, I don't really maintain ropgadget since I'm on other projects now. So, if you want to be a maintainer, I'm ok with this :)

@zachriggle
Contributor Author

Ah, bummer! Are you aware of any currently-maintained projects which offer similar functionality?

@JonathanSalwan
Owner

Ropper by @sashs maybe?

@zachriggle
Contributor Author

I'll have to check it out. It's a bummer that it's GPLed though :(

@0vercl0k

0vercl0k commented Feb 14, 2022

I am 5 years late... but fwiw I'm finally adding arm64 support to rp in 0vercl0k/rp#31:

>C:\work\codes\rp\src\build\RelWithDebInfo\rp-win-x64.exe --file z.bin --raw arm64 --rop=10
Trying to open 'z.bin'..
FileFormat: raw, Arch: ARM64

Wait a few seconds, rp++ is looking for gadgets (2 threads max)..
A total of 9 gadgets found.
0xc: add x8, x8, #0x1c0 ; add x8, x8, #0x10 ; str x8, [x1] ; ldr x8, [x0, #8] ; str x8, [x1, #8] ; ret  ; \x08\x01\x07\x91\x08\x41\x00\x91\x28\x00\x00\xf9\x08\x04\x40\xf9\x28\x04\x00\xf9\xc0\x03\x5f\xd6 (1 found)
0x18: ldr x8, [x0, #8] ; str x8, [x1, #8] ; ret  ; \x08\x04\x40\xf9\x28\x04\x00\xf9\xc0\x03\x5f\xd6 (1 found)
0x8: adrp x8, #0x123000 ; add x8, x8, #0x1c0 ; add x8, x8, #0x10 ; str x8, [x1] ; ldr x8, [x0, #8] ; str x8, [x1, #8] ; ret  ; \x08\x09\x00\xf0\x08\x01\x07\x91\x08\x41\x00\x91\x28\x00\x00\xf9\x08\x04\x40\xf9\x28\x04\x00\xf9\xc0\x03\x5f\xd6 (1 found)
0x10: add x8, x8, #0x10 ; str x8, [x1] ; ldr x8, [x0, #8] ; str x8, [x1, #8] ; ret  ; \x08\x41\x00\x91\x28\x00\x00\xf9\x08\x04\x40\xf9\x28\x04\x00\xf9\xc0\x03\x5f\xd6 (1 found)
0x14: str x8, [x1] ; ldr x8, [x0, #8] ; str x8, [x1, #8] ; ret  ; \x28\x00\x00\xf9\x08\x04\x40\xf9\x28\x04\x00\xf9\xc0\x03\x5f\xd6 (1 found)
0x1c: str x8, [x1, #8] ; ret  ; \x28\x04\x00\xf9\xc0\x03\x5f\xd6 (1 found)
0x4: ret  ; \xc0\x03\x5f\xd6 (1 found)
0x20: ret  ; \xc0\x03\x5f\xd6 (1 found)
0x0: ldp x20, x19, [sp], #0x20 ; ret  ; \xf4\x4f\xc2\xa8\xc0\x03\x5f\xd6 (1 found)

Cheers
