Invalid memory address dereference in find() #32

Closed
AiDaiP opened this issue Jul 2, 2020 · 1 comment

AiDaiP commented Jul 2, 2020

An issue was discovered in ROPium 3.1. An invalid memory address dereference was discovered in find(). The vulnerability causes a segmentation fault and application crash.

POC

aidai@ubuntu:~/Desktop$ ropium

ROPium - v3.1

(ropium)> find
	[!] You must load a binary before finding ropchains
(ropium)> load -a X64 aidai
	[!] Skipped: aidai (file doesn't exist)
(ropium)> find
Segmentation fault (core dumped)
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
─────────────────────────────────[ REGISTERS ]──────────────────────────────────
 RAX  0x7
 RBX  0x1e26bf0 —▸ 0x1e105b0 —▸ 0x7f58fe11a900 —▸ 0x7f58fde45b90 ◂— mov    rax, qword ptr [rip + 0x2d50f9]
 RCX  0x0
 RDX  0x9
 RDI  0x1e26bf0 —▸ 0x1e105b0 —▸ 0x7f58fe11a900 —▸ 0x7f58fde45b90 ◂— mov    rax, qword ptr [rip + 0x2d50f9]
 RSI  0x0
 R8   0x2
 R9   0x0
 R10  0x100
 R11  0x7ffdeddde370 —▸ 0x7ffdeddde380 —▸ 0x1ecbee0 ◂— add    byte ptr [rax], al
 R12  0x1c509e0 ◂— add    byte ptr [rax], al
 R13  0x7ffdeddde640 ◂— 0x0
 R14  0x9
 R15  0x1c50a10 ◂— add    dword ptr [rax], eax
 RBP  0x1c509e0 ◂— add    byte ptr [rax], al
 RSP  0x7ffdeddde608 —▸ 0x7f58fdec0145 ◂— test   al, al
 RIP  0x7f58fdeb5c40 ◂— mov    ecx, dword ptr [rsi]
───────────────────────────────────[ DISASM ]───────────────────────────────────
 ► 0x7f58fdeb5c40    mov    ecx, dword ptr [rsi]
   0x7f58fdeb5c42    mov    eax, 1
   0x7f58fdeb5c47    cmp    ecx, 0x13
   0x7f58fdeb5c4a    je     0x7f58fdeb5c53
    ↓
   0x7f58fdeb5c53    ret    
 
   0x7f58fdeb5c55    nop    dword ptr [rax]
   0x7f58fdeb5c58    sub    edx, 7
   0x7f58fdeb5c5b    cmp    edx, 1
   0x7f58fdeb5c5e    setbe  al
   0x7f58fdeb5c61    ret    
 
   0x7f58fdeb5c62    nop    dword ptr [rax]
───────────────────────────────────[ STACK ]────────────────────────────────────
00:0000│ rsp  0x7ffdeddde608 —▸ 0x7f58fdec0145 ◂— test   al, al
01:0008│      0x7ffdeddde610 —▸ 0x7f58fa641950 ◂— or     dword ptr [rax], eax /* '\t' */
02:0010│      0x7ffdeddde618 ◂— 0x2fa629d68
03:0018│      0x7ffdeddde620 ◂— 0x0
... ↓
06:0030│      0x7ffdeddde638 ◂— 0x56056b
07:0038│ r13  0x7ffdeddde640 ◂— 0x0
─────────────────────────────────[ BACKTRACE ]──────────────────────────────────
 ► f 0     7f58fdeb5c40
   f 1     7f58fdec0145
   f 2     7f58fa641950
   f 3        2fa629d68
   f 4                0
────────────────────────────────────────────────────────────────────────────────
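The crash sequence above (find, a failed load, find again) is the classic shape of a session-state bug: a load that fails part-way leaves the REPL believing a binary is present, and the next command dereferences a pointer that was never set (RSI is 0 at the faulting `mov ecx, dword ptr [rsi]`). The following is an added illustration, not ROPium's code: a minimal session model with the unsafe shape beside the hardened one. `Binary`, `Session`, `file_exists` and `arch_id` are hypothetical names chosen for the example.

```cpp
// Added example (not ROPium code): models the state bug behind this report.
#include <cstdio>
#include <memory>
#include <string>

struct Binary {
    std::string path;
    int arch_id;   // hypothetical field, only here to give "find" something to read
};

// Hypothetical existence check so the example runs offline against any path.
static bool file_exists(const std::string& path) {
    if (FILE* f = std::fopen(path.c_str(), "rb")) { std::fclose(f); return true; }
    return false;
}

struct Session {
    std::unique_ptr<Binary> binary;   // nullptr until a load succeeds
    bool loaded_flag = false;         // unsafe pattern: "loaded" tracked separately

    // Buggy shape: marks the session loaded before validating, never resets it.
    bool load_unchecked(const std::string& path) {
        loaded_flag = true;
        if (!file_exists(path)) return false;   // binary stays nullptr, flag stays true
        binary = std::make_unique<Binary>(Binary{path, 1});
        return true;
    }
    // Unsafe find: trusts the flag, then dereferences the null pointer.
    int find_unchecked() { return loaded_flag ? binary->arch_id : -1; }

    // Hardened shape: validate first, touch state only on success.
    bool load_checked(const std::string& path) {
        if (!file_exists(path)) return false;   // session state untouched
        binary = std::make_unique<Binary>(Binary{path, 1});
        return true;
    }
    // Safe find: checks the very pointer it is about to dereference.
    int find_checked() { return binary ? binary->arch_id : -1; }
};

// Replays the report against the hardened session: find, failed load, find.
// Returns true when both finds refuse instead of dereferencing.
static bool replay_report(const std::string& missing_path) {
    Session s;
    bool first  = s.find_checked() == -1;
    bool failed = !s.load_checked(missing_path);
    bool second = s.find_checked() == -1;
    return first && failed && second && !s.binary;
}

// Exposes the inconsistent state the buggy shape leaves (flag set, no object)
// without dereferencing it.
static bool buggy_state_inconsistent(const std::string& missing_path) {
    Session s;
    s.load_unchecked(missing_path);
    return s.loaded_flag && !s.binary;
}
```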

@Boyan-MILANOV (Owner)

Hey, thanks for reporting the issue. I was away for quite some time but the bug is fixed now :)
