AArch64 multi-ret gadgets

Question

AArch64 multi-ret gadgets

zachriggle opened this issue 7 years ago · comments

It seems that we should never see the following:

0x0000000000409328 : ldp x20, x19, [sp], #0x20 ; ret ; adrp x8, #0x52c000 ; add x8, x8, #0x1c0 ; add x8, x8, #0x10 ; str x8, [x1] ; ldr x8, [x0, #8] ; str x8, [x1, #8] ; ret

Note that there are two ret gadgets.

The full sequence per objdump is:

  409328:	f4 4f c2 a8 	ldp	x20, x19, [sp], #32
  40932c:	c0 03 5f d6 	ret
  409330:	08 09 00 f0 	adrp	x8, #1191936
  409334:	08 01 07 91 	add	x8, x8, #448
  409338:	08 41 00 91 	add	x8, x8, #16
  40933c:	28 00 00 f9 	str		x8, [x1]
  409340:	08 04 40 f9 	ldr	x8, [x0, #8]
  409344:	28 04 00 f9 	str	x8, [x1, #8]
  409348:	c0 03 5f d6 	ret

Jonathan Salwan · Answer 1 · Fri Feb 10 2017 23:51:03 GMT+0800 (China Standard Time)

Go ahead for a PR :)

Jonathan Salwan · Answer 2 · Fri Feb 10 2017 23:53:55 GMT+0800 (China Standard Time)

btw, i don't really maintain ropgadget since i'm on other projects now. So, if you want to be a maintainer, i'm ok with this :)

Zach Riggle · Answer 3 · Sat Feb 11 2017 00:32:39 GMT+0800 (China Standard Time)

Ah, bummer! Are you aware of any currently-maintained projects which offer similar functionality?

Jonathan Salwan · Answer 4 · Sat Feb 11 2017 00:37:50 GMT+0800 (China Standard Time)

Ropper by @sashs maybe ?

Zach Riggle · Answer 5 · Sat Feb 11 2017 02:33:05 GMT+0800 (China Standard Time)

I'll have to check it out. It's a bummer that it's GPLed though :(

Axel Souchet · Answer 6 · Mon Feb 14 2022 11:21:23 GMT+0800 (China Standard Time)

I am 5 years late... but fwiw i'm finally adding arm64 support to rp in 0vercl0k/rp#31:

>C:\work\codes\rp\src\build\RelWithDebInfo\rp-win-x64.exe --file z.bin --raw arm64 --rop=10
Trying to open 'z.bin'..
FileFormat: raw, Arch: ARM64

Wait a few seconds, rp++ is looking for gadgets (2 threads max)..
A total of 9 gadgets found.
0xc: add x8, x8, #0x1c0 ; add x8, x8, #0x10 ; str x8, [x1] ; ldr x8, [x0, #8] ; str x8, [x1, #8] ; ret  ; \x08\x01\x07\x91\x08\x41\x00\x91\x28\x00\x00\xf9\x08\x04\x40\xf9\x28\x04\x00\xf9\xc0\x03\x5f\xd6 (1 found)
0x18: ldr x8, [x0, #8] ; str x8, [x1, #8] ; ret  ; \x08\x04\x40\xf9\x28\x04\x00\xf9\xc0\x03\x5f\xd6 (1 found)
0x8: adrp x8, #0x123000 ; add x8, x8, #0x1c0 ; add x8, x8, #0x10 ; str x8, [x1] ; ldr x8, [x0, #8] ; str x8, [x1, #8] ; ret  ; \x08\x09\x00\xf0\x08\x01\x07\x91\x08\x41\x00\x91\x28\x00\x00\xf9\x08\x04\x40\xf9\x28\x04\x00\xf9\xc0\x03\x5f\xd6 (1 found)
0x10: add x8, x8, #0x10 ; str x8, [x1] ; ldr x8, [x0, #8] ; str x8, [x1, #8] ; ret  ; \x08\x41\x00\x91\x28\x00\x00\xf9\x08\x04\x40\xf9\x28\x04\x00\xf9\xc0\x03\x5f\xd6 (1 found)
0x14: str x8, [x1] ; ldr x8, [x0, #8] ; str x8, [x1, #8] ; ret  ; \x28\x00\x00\xf9\x08\x04\x40\xf9\x28\x04\x00\xf9\xc0\x03\x5f\xd6 (1 found)
0x1c: str x8, [x1, #8] ; ret  ; \x28\x04\x00\xf9\xc0\x03\x5f\xd6 (1 found)
0x4: ret  ; \xc0\x03\x5f\xd6 (1 found)
0x20: ret  ; \xc0\x03\x5f\xd6 (1 found)
0x0: ldp x20, x19, [sp], #0x20 ; ret  ; \xf4\x4f\xc2\xa8\xc0\x03\x5f\xd6 (1 found)

Cheers