
Detect invalid gadgets

Open STKFLT opened this issue 4 years ago • 4 comments

Some gadgets that Ropper would generate would have an ARM 'pop {..., pc}' instruction or an x86 'ret' instruction in the middle, because the instruction happens to land in the previous 'n' instructions of the gadget.

This pull request detects these and removes all previous instructions from the currently built gadget, because it is impossible to execute the full gadget without invoking it as two separate gadgets.

e.g.

0x00015568 (0x00015569): pop {r4, r5, pc}; nop; teq.w r0, #0; itt eq; moveq r1, #0; bxeq lr;

becomes

0x0001556a (0x0001556b): nop; teq.w r0, #0; itt eq; moveq r1, #0; bxeq lr;

There are definitely still ways this could be improved, mainly determining if any JOP-style gadgets should also trigger a reset of the gadget. My first thoughts for arm/x86 are that bl/call should not be included, because it is possible to return to the gadget after a call, whereas unconditional bx/jmp should, because it's impossible for execution to return on its own.

STKFLT avatar Feb 27 '21 15:02 STKFLT
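The split the PR describes, as an added illustration in Python (Ropper's own language) that is not code from the PR or from Ropper: a gadget is modelled as a list of (address, text) pairs in execution order, the "reset" instruction patterns, the instruction sizes and the Thumb address rendering (second address = first with the Thumb bit set) are my assumptions, and the x86-64 gadget is constructed. It also applies the JOP rule proposed above: an unconditional bx/jmp resets the gadget, a bl/call does not, and conditional branches (bxeq, jne) never do because they can fall through.

```python
import re
from typing import List, Tuple

# An instruction is (address, disassembly text); a gadget is a list of them in
# execution order, ending in its terminating instruction.
Instr = Tuple[int, str]

# Instructions after which execution cannot fall through to the next
# instruction in memory (assumed patterns).  Conditional forms (bxeq, jne, ...)
# may fall through and are not included; calls (bl/blx/call) are excluded on
# purpose because control can come back to the gadget after them.
_RESET = {
    "arm": re.compile(r"^(pop\s*\{[^}]*\bpc\b[^}]*\}|bx\s+\w+|b\s+\S+)$"),
    "x86": re.compile(r"^(ret[nf]?(\s+\S+)?|jmp\s+\S+)$"),
}


def resets_gadget(text: str, arch: str) -> bool:
    """True if `text` is a ret / pop-pc / unconditional-jump style terminator."""
    return _RESET[arch].match(text.strip()) is not None


def trim_gadget(instrs: List[Instr], arch: str) -> List[Instr]:
    """Drop everything up to and including the last terminator that is not the
    final instruction, leaving the suffix that can actually run as one unit."""
    cut = -1
    for i, (_, text) in enumerate(instrs[:-1]):
        if resets_gadget(text, arch):
            cut = i
    return instrs[cut + 1:]


def format_gadget(instrs: List[Instr], thumb: bool = False) -> str:
    """Render a gadget in Ropper's one-line style (assumed: for Thumb gadgets
    the second address is the first address with the Thumb bit set)."""
    addr = instrs[0][0]
    head = f"0x{addr:08x} (0x{addr | 1:08x})" if thumb else f"0x{addr:08x}"
    return f"{head}: " + "; ".join(text for _, text in instrs) + ";"


# Constructed sample: the Thumb gadget from the PR description, with assumed
# instruction sizes (16-bit pop/nop/itt/moveq/bxeq, 32-bit teq.w).
ARM_GADGET: List[Instr] = [
    (0x15568, "pop {r4, r5, pc}"),
    (0x1556A, "nop"),
    (0x1556C, "teq.w r0, #0"),
    (0x15570, "itt eq"),
    (0x15572, "moveq r1, #0"),
    (0x15574, "bxeq lr"),
]

# Constructed x86-64 sample: a ret buried in the middle of the gadget, plus a
# call that must not cause a split.
X86_GADGET: List[Instr] = [
    (0x401000, "pop rdi"),
    (0x401001, "ret"),
    (0x401002, "call rax"),
    (0x401004, "pop rsi"),
    (0x401005, "ret"),
]

if __name__ == "__main__":
    print(format_gadget(ARM_GADGET, thumb=True))
    print("  ->", format_gadget(trim_gadget(ARM_GADGET, "arm"), thumb=True))
    print(format_gadget(X86_GADGET))
    print("  ->", format_gadget(trim_gadget(X86_GADGET, "x86")))
```

Running it reproduces the before/after lines from the PR text for the ARM gadget; for the x86 sample only the leading `pop rdi; ret` is dropped, while `call rax` stays in the gadget because execution returns after the call.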

Hi,

Why is that gadget a problem? 0x00015568 (0x00015569): pop {r4, r5, pc}; nop; teq.w r0, #0; itt eq; moveq r1, #0; bxeq lr;

I do not think that this gadget is invalid. You can use that gadget with the first instruction: pop something into r4 and r5 and pop the address of the next instruction of that gadget into pc. Sure, you could do that by using 2 gadgets in that case. However, I decided to not remove those gadgets, since you can use some of them in very rare cases.

Nevertheless, both parts of that gadget are included in the gadget collection, since the first part is a gadget which will be found and the second part as well.

sashs avatar Apr 25 '21 10:04 sashs

pop something into r4 and r5 and pop the address of the next instruction of that gadget into pc. Sure, you could to that by using 2 gadgets in that case. However, I decided to not remove those gadgets, since you can use some of them in very rare cases.

I think it's more useful to split this detected gadget into two separate gadgets, which is what this PR is trying to do. The only practical time that series of instructions is executed is when a payload is set up to execute the pop and then the nop as two separate gadgets. Splitting them up is more useful to a user, so they can see the address of the second gadget.

Veryyes avatar Apr 26 '21 17:04 Veryyes

Both parts of that gadget are part of the gadget collection, so it is not necessary to split this gadget.

sashs avatar Apr 28 '21 07:04 sashs

A few years ago I removed all those gadgets; however, I decided to change that again, since I needed one of those removed gadgets. Unfortunately, I cannot remember which gadget it was, otherwise I could show you an example.

sashs avatar Apr 28 '21 07:04 sashs