Detect invalid gadgets #140

Draft: wants to merge 7 commits into master

Conversation

@STKFLT commented Feb 27, 2021

Some gadgets that Ropper would generate would have an ARM 'pop {..., pc}' instruction or an x86 'ret' instruction in the middle because the instruction happened to land in the previous 'n' instructions of the gadget.

This pull request detects these and removes all previous instructions from the currently built gadget because it is impossible to execute the full gadget without invoking it as two separate gadgets.

e.g.

0x00015568 (0x00015569): pop {r4, r5, pc}; nop; teq.w r0, #0; itt eq; moveq r1, #0; bxeq lr;

becomes

0x0001556a (0x0001556b): nop; teq.w r0, #0; itt eq; moveq r1, #0; bxeq lr;

There are definitely still ways this could be improved. Mainly determining if any JOP style gadgets should also trigger a reset of the gadget. My first thoughts for arm/x86 are that bl/call should not be included because it is possible to return to the gadget after a call, whereas unconditional bx/jmp should because it's impossible for execution to return on its own.
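As an added illustration (not Ropper's code), the rule this PR describes in Python: a gadget-ending instruction found anywhere before the final instruction discards everything up to and including it, extended with the heuristic from the last paragraph (unconditional bx/jmp reset the gadget, bl/call do not). The terminator patterns and the addresses of the instructions after the first one are assumptions.

```python
import re
from typing import List, NamedTuple


class Insn(NamedTuple):
    addr: int   # address of the instruction's first byte
    text: str   # disassembly text as Ropper prints it, e.g. "pop {r4, r5, pc}"


# Instructions after which control cannot fall through to the next one.
# ret / "pop {..., pc}" are the PR's rule; unconditional bx / jmp follow the
# heuristic proposed in the description, while bl / call are deliberately
# absent because execution can come back after them. Conditional forms such
# as "bxeq lr" do not match "bx " and therefore do not reset the gadget.
# These patterns are an assumption for this example, not Ropper's own tables.
_TERMINATORS = {
    "x86": re.compile(r"^(ret[nf]?\b|jmp\b)"),
    "arm": re.compile(r"^(pop(\.w)?\s*\{[^}]*\bpc\b|bx\s|b\s)"),
}


def trim_gadget(insns: List[Insn], arch: str) -> List[Insn]:
    """Drop everything up to and including the last terminator that is not
    the gadget's final instruction, leaving only the suffix that can run."""
    pattern = _TERMINATORS[arch]
    start = 0
    for i, insn in enumerate(insns[:-1]):  # the final instruction may end the gadget
        if pattern.match(insn.text):
            start = i + 1
    return insns[start:]


def format_gadget(insns: List[Insn], thumb: bool = False) -> str:
    """Render in Ropper's "0xaddr (0xaddr|1): insn; insn;" style."""
    addr = insns[0].addr
    head = f"0x{addr:08x}"
    if thumb:
        head += f" (0x{addr | 1:08x})"  # Thumb code addresses carry the low bit
    return f"{head}: " + "; ".join(i.text for i in insns) + ";"


# The ARM gadget from the PR description; addresses after the first are
# assumed from Thumb/Thumb-2 encoding lengths (2, 2, 4, 2, 2, 2 bytes).
ARM_GADGET = [
    Insn(0x15568, "pop {r4, r5, pc}"),
    Insn(0x1556A, "nop"),
    Insn(0x1556C, "teq.w r0, #0"),
    Insn(0x15570, "itt eq"),
    Insn(0x15572, "moveq r1, #0"),
    Insn(0x15574, "bxeq lr"),
]

if __name__ == "__main__":
    print(format_gadget(ARM_GADGET, thumb=True))
    print(format_gadget(trim_gadget(ARM_GADGET, "arm"), thumb=True))
```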

@STKFLT STKFLT marked this pull request as draft February 27, 2021 20:29
@sashs (Owner) commented Apr 25, 2021

Hi,

why is that gadget a problem?
0x00015568 (0x00015569): pop {r4, r5, pc}; nop; teq.w r0, #0; itt eq; moveq r1, #0; bxeq lr;

I do not think that this gadget is invalid. You can use that gadget with the first instruction:
pop something into r4 and r5 and pop the address of the next instruction of that gadget into pc. Sure, you could do that by using 2 gadgets in that case. However, I decided to not remove those gadgets, since you can use some of them in very rare cases.

Nevertheless, both parts of that gadget are included in the gadget collection, since the first part is a gadget which will be found and the second part as well.

@Veryyes commented Apr 26, 2021

> pop something into r4 and r5 and pop the address of the next instruction of that gadget into pc. Sure, you could do that by using 2 gadgets in that case. However, I decided to not remove those gadgets, since you can use some of them in very rare cases.

I think it's more useful to split this detected gadget into two separate gadgets, which is what this PR is trying to do. The only practical time that series of instructions is executed is when a payload is set up to execute the pop and then the nop as two separate gadgets. Splitting them up is more useful to a user so they can see the address of the second gadget.

@sashs (Owner) commented Apr 28, 2021

Both parts of that gadget are part of the gadget collection, so it is not necessary to split this gadget.

@sashs (Owner) commented Apr 28, 2021

A few years ago I removed all those gadgets; however, I decided to change that again, since I needed one of those removed gadgets. Unfortunately, I cannot remember which gadget it was, otherwise I could show you an example.
