
Keep gadgets when setting registers via setattr/call #1891

Merged
heapcrash merged 2 commits into Gallopsled:dev from hackedd:rop-call-keep-gadgets
Jun 19, 2021

Conversation

@hackedd
Contributor
@hackedd hackedd commented May 17, 2021

Adding the gadgets to the chain (instead of their address) generates slightly better descriptions when the gadget corresponds to a symbol (and avoids having to go through unresolve).

To take the example from the doctest in __call__:

    >>> context.clear(arch='amd64')
    >>> assembly = 'pop rax; pop rdi; pop rsi; ret; pop rax; ret;'
    >>> e = ELF.from_assembly(assembly)
    >>> r = ROP(e)
    >>> r(rax=0xdead, rdi=0xbeef, rsi=0xcafe)
    >>> print(r.dump())
    0x0000:       0x10000000 pop rax; pop rdi; pop rsi; ret
    0x0008:           0xdead
    0x0010:           0xbeef
    0x0018:           0xcafe

The first item in the chain previously had no description, because there is an unnamed symbol with that address.
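A toy model of the two behaviours the PR contrasts, added here as an example and not pwntools' own code: a chain that stores only the gadget's address can describe that slot solely through a symbol table (an unnamed symbol gives an empty description), whereas a chain that keeps the Gadget object describes it from its instructions. The Gadget and Chain classes, the symbol-table dict and the sample values are assumptions of this example; it also labels each value slot with the register it fills, which goes beyond the PR and models the "describe slots" idea raised later in the thread.

```python
from dataclasses import dataclass, field

@dataclass
class Gadget:
    address: int
    insns: list           # e.g. ["pop rax", "pop rdi", "ret"] (modelled, not pwntools' Gadget)

    def describe(self) -> str:
        return "; ".join(self.insns)

    def popped_registers(self) -> list:
        return [i.split()[1] for i in self.insns if i.startswith("pop ")]

@dataclass
class Chain:
    symbols: dict         # address -> symbol name; "" models an unnamed symbol
    wordsize: int = 8
    slots: list = field(default_factory=list)   # (value, description) pairs

    def push_address(self, address: int) -> None:
        # Old behaviour: only the address is kept, so the description must come
        # from the symbol table; an unnamed symbol yields an empty description.
        self.slots.append((address, self.symbols.get(address, "")))

    def set_registers(self, gadget: Gadget, **regs: int) -> None:
        # New behaviour: the Gadget itself is kept, so its instructions describe it.
        self.slots.append((gadget.address, gadget.describe()))
        for reg in gadget.popped_registers():
            # One stack slot per popped register, in pop order; a register the
            # caller did not set is zero-padded. The label names the register.
            self.slots.append((regs.get(reg, 0), reg if reg in regs else "padding"))

    def dump(self) -> str:
        return "\n".join(f"0x{i * self.wordsize:04x}: 0x{v:016x} {d}".rstrip()
                         for i, (v, d) in enumerate(self.slots))

# Constructed sample: the doctest's gadget at an address carrying an unnamed symbol.
GADGET = Gadget(0x10000000, ["pop rax", "pop rdi", "pop rsi", "ret"])
SYMBOLS = {GADGET.address: ""}

def old_style_dump() -> str:
    chain = Chain(SYMBOLS)
    chain.push_address(GADGET.address)   # gadget slot gets no description
    return chain.dump()

def new_style_dump() -> str:
    chain = Chain(SYMBOLS)
    chain.set_registers(GADGET, rax=0xDEAD, rdi=0xBEEF, rsi=0xCAFE)
    return chain.dump()
```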

@heapcrash
Collaborator
heapcrash commented May 17, 2021

Cool stuff! Mind updating CHANGELOG.md (in the dev section) and then we can merge this?

Also, what is this magic r(rax=0xdead, rdi=0xbeef, rsi=0xcafe) syntax? I don't remember ever seeing that before, but it's really great!

@hackedd hackedd force-pushed the rop-call-keep-gadgets branch from cb4bb76 to ca64151 May 21, 2021 08:52
@hackedd
Contributor Author
hackedd commented Jun 3, 2021

Is there anything else that needs to be done to merge this?

@hackedd hackedd force-pushed the rop-call-keep-gadgets branch from ca64151 to 2816928 June 3, 2021 11:44
@heapcrash
Collaborator

It would be nice if we had describe slots for each value, so we knew which registers were being populated in each slot.

That said, that can be saved for the future.

@heapcrash heapcrash merged commit 35260c4 into Gallopsled:dev Jun 19, 2021