Invalid ropchains: Arguments are all 0x00 #2

Closed
dobin opened this issue Aug 8, 2016 · 6 comments
dobin (Contributor) commented Aug 8, 2016

angrop seems to correctly identify the rop gadgets, but all arguments for them are 0x0.

x64:

>>> import angr, angrop
>>> p = angr.Project("/bin/ls")
>>> rop = p.analyses.ROP()
>>> rop.find_gadgets()
>>> chain = rop.write_to_mem(0x080d6804, "/bin/sh\0")
>>> chain.print_payload_code()
chain = ""
chain += p64(0x40a418)  # mov eax, edx; pop rbx; pop rbp; ret 
chain += p64(0x0)
chain += p64(0x0)
chain += p64(0x41288a)  # push rax; std ; mov qword ptr [rbx + 0x18], rbp; pop rbx; pop rbp; pop r12; pop r13; pop r14; ret 

x32 (xhttpd binary):

>>> chain.print_payload_code()
chain = ""
chain += p32(0x8063101) # pop edx; pop ecx; pop ebx; ret 
chain += p32(0x0)
chain += p32(0x0)
chain += p32(0x0)
chain += p32(0x8063216) # mov dword ptr [ecx], edx; pop ebp; ret 
chain += p32(0x0)
(gdb) x/5i 0x8063101
   0x8063101 <__lll_unlock_wake_private+33>:    pop    %edx
   0x8063102 <__lll_unlock_wake_private+34>:    pop    %ecx
   0x8063103 <__lll_unlock_wake_private+35>:    pop    %ebx
   0x8063104 <__lll_unlock_wake_private+36>:    ret    
   0x8063105:   nop

$ cat /etc/lsb-release 
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.1 LTS"
$ uname -a
Linux minime 4.4.0-31-generic #50-Ubuntu SMP Wed Jul 13 00:07:12 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
$ 
$ sudo apt-get install libffi6 libffi6-dbg libffi-dev
$ sudo pip install pyvex claripy simuvex angr
$ sudo python setup.py install
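A way to check a dump like the ones above for exactly this symptom, as an added example that is not part of the issue and not angrop's own code: it parses the text that print_payload_code() emits, collects the stack slots that the pop gadgets consume, and reports which words a write_to_mem(addr, data) chain would have to place on the stack but does not. The sample input is the 32-bit dump from the report pasted as a string (constructed here, not live output). The assumption that a correct chain stores the data as aligned word-sized writes, so that both the destination addresses and the packed data words must appear as stack slots, is mine and not documented angrop behaviour.

```python
import re
import struct

# Constructed input: the 32-bit payload dump quoted in the report, as text.
SAMPLE_X86 = """\
chain = ""
chain += p32(0x8063101) # pop edx; pop ecx; pop ebx; ret 
chain += p32(0x0)
chain += p32(0x0)
chain += p32(0x0)
chain += p32(0x8063216) # mov dword ptr [ecx], edx; pop ebp; ret 
chain += p32(0x0)
"""

# One line of print_payload_code() output: width, hex value, optional gadget comment.
LINE_RE = re.compile(r'^chain \+= p(32|64)\((0x[0-9a-fA-F]+)\)\s*(?:#\s*(.*?)\s*)?$')


def parse_payload(text):
    """Parse the dump into (width_bits, value, comment) tuples, skipping non-chain lines."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((int(m.group(1)), int(m.group(2), 16), m.group(3) or ""))
    return rows


def stack_slots(rows):
    """Values that are not gadget addresses, i.e. the data the pops consume.
    angrop annotates gadget lines with their disassembly, so an uncommented
    line is a stack slot (assumption based on the dumps in this issue)."""
    return [value for _, value, comment in rows if not comment]


def expected_words(addr, data, width_bits):
    """Words a correct write_to_mem(addr, data) chain must put on the stack under the
    aligned-word-write assumption: each destination address and each data word."""
    size = width_bits // 8
    fmt = '<I' if size == 4 else '<Q'
    words = set()
    for off in range(0, len(data), size):
        chunk = data[off:off + size].ljust(size, b'\0')
        words.add(struct.unpack(fmt, chunk)[0])
        words.add(addr + off)
    return words


def missing_words(text, addr, data):
    """Expected words absent from the dump's stack slots; empty for a plausible chain,
    everything for the all-zero chains reported here."""
    rows = parse_payload(text)
    width = rows[0][0] if rows else 32
    present = set(stack_slots(rows))
    return sorted(expected_words(addr, data, width) - present)


if __name__ == "__main__":
    for word in missing_words(SAMPLE_X86, 0x080d6804, b"/bin/sh\0"):
        print("missing from chain: %#x" % word)
```

Run against the dump from the report it lists both destination addresses (0x080d6804, 0x080d6808) and both data words as missing, which is the bug in one line; run against output from a fixed build it should print nothing.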
salls (Member) commented Aug 8, 2016

Interesting. I wonder if it's something with the version of angr on pip. I will try testing with a clean install. @zardus can you push an angr update?

dobin (Contributor, Author) commented Aug 8, 2016

My angr version:

$ pip list
...
angr (4.6.6.29)
angr-only-z3-custom (4.4.1.post4)
angrop (1.0)

Manouchehri (Contributor) commented
Try using the Docker build, that usually works for me.

dobin (Contributor, Author) commented Aug 8, 2016

I tried it with virtualenv:

~/utils/ $ mkvirtualenv angr
(angr) ~/utils/$ pip install angr
(angr) ~/utils/angrop$ cd angrop/
(angr) ~/utils/angrop$ python setup.py install
(angr) ~/utils/angrop$ pip install -I --no-use-wheel capstone
(angr) ~/utils/angrop$ python
...

And with docker:

$ docker run -v /utils/:/home/angr/utils -it angr/angr
(angr)angr@626ed7641197:~$ cd utils/angrop
(angr)angr@626ed7641197:~/utils/angrop$ python setup.py install
(angr)angr@626ed7641197:~/utils/angrop$ python
...

Both produce the same results with the missing arguments in the ropchain.

salls (Member) commented Aug 9, 2016

Ah I hadn't actually pushed to Github in a while :)
Just pushed the most up-to-date version
Should be fixed by salls@584c9ae

dobin (Contributor, Author) commented Aug 11, 2016

This explains it :-)

Working now for me after a git pull && python setup.py install.

dobin closed this as completed Aug 11, 2016
Labels: none. Projects: none. Development: no branches or pull requests. 3 participants.