x86-64 "syscall ret" gadgets missed with version 5.7+ #145

Closed
langer69 opened this issue Jul 29, 2019 · 2 comments

Comments

@langer69

While working on the binary below, I found that ROPgadget missed a gadget like syscall ; ret.

  • disassembly of address 0x40019B
0x40019B:    0F 05    syscall
0x40019D:    F3 C3    rep ret
  • version 5.7 and above
$ ROPgadget --version
Version:        ROPgadget v5.8
Author:         Jonathan Salwan
Author page:    https://twitter.com/JonathanSalwan
Project page:   http://shell-storm.org/project/ROPgadget/

$ ROPgadget --binary ./binary | grep syscall
0x000000000040013b : adc ebx, eax ; mov eax, 1 ; syscall
0x0000000000400140 : add byte ptr [rax], al ; syscall
0x000000000040012e : add byte ptr [rax], al ; xor eax, eax ; syscall
0x000000000040013e : add dword ptr [rax], eax ; add byte ptr [rax], al ; syscall
0x000000000040014b : add ebx, eax ; xor edi, edi ; mov eax, 0xe7 ; syscall
0x0000000000400199 : loope 0x400170 ; syscall
0x000000000040014f : mov eax, 0xe7 ; syscall
0x000000000040013d : mov eax, 1 ; syscall
0x0000000000400150 : out 0, eax ; add byte ptr [rax], al ; syscall
0x0000000000400196 : sbb dword ptr [rax - 0x47], ecx ; loope 0x400173 ; syscall
0x0000000000400195 : sbb dword ptr es:[rax - 0x47], ecx ; loope 0x400174 ; syscall
0x0000000000400132 : syscall
0x0000000000400130 : xor eax, eax ; syscall
0x000000000040014d : xor edi, edi ; mov eax, 0xe7 ; syscall

$ ROPgadget --binary ./binary --range 0x40019B-0x40019F
Gadgets information
============================================================
0x000000000040019e : ret
0x000000000040019b : syscall
  • version 5.4
$ ROPgadget --version
Version:        ROPgadget v5.4
Author:         Jonathan Salwan
Author page:    https://twitter.com/JonathanSalwan
Project page:   http://shell-storm.org/project/ROPgadget/

$ ROPgadget --binary ./binary | grep syscall
0x0000000000400199 : loope 0x400173 ; syscall ; ret
0x0000000000400196 : sbb dword ptr [rax - 0x47], ecx ; loope 0x400176 ; syscall ; ret
0x0000000000400195 : sbb dword ptr es:[rax - 0x47], ecx ; loope 0x400177 ; syscall ; ret
0x000000000040019b : syscall ; ret

This confuses me. -_-||
binary.txt

@nurmukhametov
Contributor

Use option --multibr

=> ./ROPgadget.py --binary=./binary.txt --multibr | grep 40019b
0x000000000040019b : syscall ; ret
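The behaviour in this thread (5.7+ reporting `syscall` and `ret` as two separate gadgets by default, and `syscall ; ret` only with `--multibr`) follows from how gadget finders filter their results. The script below is an added educational example, not ROPgadget's own code. It models the search strategy in simplified form: locate terminator bytes, decode backwards from each one, and drop any candidate that contains a branch instruction before its final one unless multi-branch gadgets are allowed. The byte string reproducing the `0f 05 f3 c3` tail at 0x40019b is constructed, not taken from the attached binary.txt; the tiny opcode table, the `TERMINATORS` pattern and the function names (`decode`, `sweep`, `find_gadgets`) are my own, and treating "intermediate branch means discard" as the filter is an assumption about the tool rather than a quote of its source.

```python
import re

# Constructed sample reproducing the tail of the issue's binary:
# 0x40019b holds `0f 05` (syscall), 0x40019d holds `f3 c3` (rep ret),
# preceded by a few harmless instructions. Not bytes from the real binary.txt.
BASE = 0x400190
CODE = (
    b"\x5f"                   # 0x400190: pop rdi
    + b"\x31\xc0"             # 0x400191: xor eax, eax
    + b"\x48\x89\xc7"         # 0x400193: mov rdi, rax
    + b"\x90" * 5             # 0x400196: nop x5
    + b"\x0f\x05"             # 0x40019b: syscall
    + b"\xf3\xc3"             # 0x40019d: rep ret
)

# Toy opcode table: bytes -> (mnemonic, is_branch). A real tool uses a full
# disassembler; `f3 c3` is printed as "ret" to match the output in the issue.
OPCODES = {
    b"\x0f\x05": ("syscall", True),
    b"\xc3": ("ret", True),
    b"\xf3\xc3": ("ret", True),
    b"\x90": ("nop", False),
    b"\x5f": ("pop rdi", False),
    b"\x31\xc0": ("xor eax, eax", False),
    b"\x48\x89\xc7": ("mov rdi, rax", False),
}

# Byte patterns that may end a gadget (ROPgadget's real list is far longer).
TERMINATORS = re.compile(rb"\xc3|\x0f\x05")


def decode(code, off):
    """Decode one instruction at off; returns (mnemonic, length, is_branch) or None."""
    for size in (3, 2, 1):
        chunk = code[off:off + size]
        if len(chunk) == size and chunk in OPCODES:
            mnemonic, is_branch = OPCODES[chunk]
            return mnemonic, size, is_branch
    return None


def sweep(code, start, end):
    """Linear-sweep decode of code[start:end]; None unless it decodes cleanly to end."""
    insns, off = [], start
    while off < end:
        d = decode(code, off)
        if d is None:
            return None
        insns.append((d[0], d[2]))
        off += d[1]
    return insns if off == end else None


def find_gadgets(code, base=BASE, depth=10, max_back=20, multibr=False):
    """Return a sorted list of (address, "insn ; insn ; ...") gadgets.

    For every terminator match, each start offset up to max_back bytes before
    it is tried; a start is kept when the bytes decode cleanly up to the end of
    the terminator and the gadget has at most `depth` instructions. Without
    multibr, gadgets with a branch before the last instruction are dropped, so
    `syscall ; ret` disappears while `syscall` and `ret` survive on their own.
    Identical gadget texts are reported once, at the first address found.
    """
    found, seen = set(), set()
    for m in TERMINATORS.finditer(code):
        end = m.end()
        for start in range(m.start(), max(-1, m.start() - max_back - 1), -1):
            insns = sweep(code, start, end)
            if insns is None or len(insns) > depth:
                continue
            if not multibr and any(is_branch for _, is_branch in insns[:-1]):
                continue  # control would leave the gadget before its end
            text = " ; ".join(mnemonic for mnemonic, _ in insns)
            if text in seen:
                continue
            seen.add(text)
            found.add((base + start, text))
    return sorted(found)


if __name__ == "__main__":
    for label, flag in (("default", False), ("--multibr", True)):
        print(f"== {label} ==")
        for addr, text in find_gadgets(CODE, multibr=flag):
            print(f"0x{addr:016x} : {text}")
```

Running it prints `0x000000000040019b : syscall` and `0x000000000040019e : ret` in the default pass and adds `0x000000000040019b : syscall ; ret` only in the multi-branch pass, which is the same difference the two ROPgadget runs above show. The design point is that the filter is a sanity rule, not a decoding limit: a gadget whose first instruction is `syscall` does transfer control away, so a default search treats the rest as unreachable and keeps only the longest chain that ends at the first branch; `--multibr` tells the tool to report such chains anyway.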

@langer69 langer69 reopened this Jul 30, 2019
@langer69
Author

Thanks, I've learned how to use this option.
