JonathanSalwan / ROPgadget

This tool lets you search your gadgets on your binaries to facilitate your ROP exploitation. ROPgadget supports ELF, PE and Mach-O format on x86, x64, ARM, ARM64, PowerPC, SPARC, MIPS, RISC-V 64, and RISC-V Compressed architectures.

Home Page:http://www.shell-storm.org/project/ROPgadget/

syscall gadgets missed for x86-64

tezeb opened this issue · comments

tezeb commented:

During the recent Hitcon Quals, I noticed that gadgets ending with syscall are not found. It does not work even with version 5.4, which is supposed to support it (#66).

$ ROPgadget --version
Version:        ROPgadget v5.4
Author:         Jonathan Salwan
Author page:    https://twitter.com/JonathanSalwan
Project page:   http://shell-storm.org/project/ROPgadget/
$ ROPgadget --binary vdso.dump | grep syscall
$ 

Running objdump on the binary:

$ objdump -Mintel -D vdso.dump | grep -B 1 syscall
b5b:   b8 e4 00 00 00          mov    eax,0xe4
b60:   0f 05                   syscall 
--
edb:   4c 89 df                mov    rdi,r11
ede:   0f 05                   syscall 
$ 

It does not work regardless of ELF/raw mode.
Attached is vdso.so (base64 encoded):

vdso.b64.txt

I think this is because syscall isn't considered a jump, so only syscall-ret gadgets are detected. This should be fixed because syscalls don't always return.
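To make the terminator point above concrete, here is an added example that is not ROPgadget's code and not part of this issue: a toy gadget finder that mimics the usual approach (find a terminating instruction, then try every start offset up to `depth` bytes before it and keep the ones that decode cleanly onto the terminator), run once with `ret` as the only terminator and once with `ret` and `syscall`. The decoder handles only a tiny x86-64 subset (REX, `ret`, `syscall`, `nop`, `pop r64`, `mov r32, imm32`, register-to-register `mov` via opcode 0x89) and is an assumption of this example, as are the function names, the terminator sets and `depth=8`. The `SAMPLE` byte string is constructed here from the opcode bytes shown in the objdump output above plus a `pop rdi ; ret` pair and a `syscall ; ret` pair.

```python
import struct

# Register tables indexed by (3-bit field + 8 if the REX extension bit is set).
REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
         "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi",
         "r8d", "r9d", "r10d", "r11d", "r12d", "r13d", "r14d", "r15d"]

# Two terminator policies (assumed for this example): the behaviour the issue
# reports (only ret ends a gadget) and the behaviour the reporter expects.
RET_ONLY = frozenset({"ret"})
RET_AND_SYSCALL = frozenset({"ret", "syscall"})

# Constructed input: the two syscall sites from the objdump output above, then
# "pop rdi ; ret" and "syscall ; ret".
SAMPLE = bytes.fromhex(
    "b8e40000000f05"   # mov eax, 0xe4 ; syscall
    "4c89df0f05"       # mov rdi, r11 ; syscall
    "5fc3"             # pop rdi ; ret
    "0f05c3"           # syscall ; ret
)


def decode_one(buf, off):
    """Toy decoder for a small x86-64 subset: optional REX prefix, then
    ret / syscall / nop / pop r64 / mov r32, imm32 / mov r, r (opcode 0x89,
    register form only).  Returns (length, text), or None outside the subset."""
    i = off
    rex = 0
    if i < len(buf) and 0x40 <= buf[i] <= 0x4F:
        rex = buf[i]
        i += 1
    if i >= len(buf):
        return None
    op = buf[i]
    rex_w, rex_r, rex_b = rex & 8, rex & 4, rex & 1
    if op == 0xC3:
        return i + 1 - off, "ret"
    if op == 0x0F and i + 1 < len(buf) and buf[i + 1] == 0x05:
        return i + 2 - off, "syscall"
    if op == 0x90:
        return i + 1 - off, "nop"
    if 0x58 <= op <= 0x5F:                                   # pop r64
        return i + 1 - off, "pop " + REG64[op - 0x58 + (8 if rex_b else 0)]
    if 0xB8 <= op <= 0xBF and not rex_w and i + 5 <= len(buf):   # mov r32, imm32
        imm = struct.unpack_from("<I", buf, i + 1)[0]
        return i + 5 - off, "mov %s, %#x" % (REG32[op - 0xB8 + (8 if rex_b else 0)], imm)
    if op == 0x89 and i + 1 < len(buf):                      # mov r/m, r
        modrm = buf[i + 1]
        if modrm >> 6 == 3:                                  # register operand only
            names = REG64 if rex_w else REG32
            reg = ((modrm >> 3) & 7) + (8 if rex_r else 0)
            rm = (modrm & 7) + (8 if rex_b else 0)
            return i + 2 - off, "mov %s, %s" % (names[rm], names[reg])
    return None


def find_gadgets(buf, terminators, depth=8):
    """Locate every terminator, then try each start offset up to `depth` bytes
    before it; keep a candidate only if its bytes decode cleanly and land
    exactly on the terminator.  Returns a list of (offset, "insn ; insn")."""
    found = []
    for end in range(len(buf)):
        term = decode_one(buf, end)
        if term is None or term[1] not in terminators:
            continue
        for start in range(max(0, end - depth), end + 1):
            insns, off = [], start
            while off < end:
                d = decode_one(buf, off)
                if d is None:
                    break
                off += d[0]
                insns.append(d[1])
            # Must land exactly on the terminator, and must not already have
            # left via an earlier terminator (that would be a shorter gadget).
            if off == end and not any(t in terminators for t in insns):
                found.append((start, " ; ".join(insns + [term[1]])))
    return found


def gadget_strings(buf, terminators, depth=8):
    """Set of distinct gadget texts, ignoring offsets."""
    return {text for _, text in find_gadgets(buf, terminators, depth)}


if __name__ == "__main__":
    for label, terms in (("ret only", RET_ONLY), ("ret + syscall", RET_AND_SYSCALL)):
        print("[terminators: %s]" % label)
        for off, text in sorted(set(find_gadgets(SAMPLE, terms))):
            print("  0x%04x : %s" % (off, text))
```

With `ret` as the only terminator the run reports `syscall ; ret` and `pop rdi ; ret` but never `mov eax, 0xe4 ; syscall` or `mov rdi, r11 ; syscall`, which is the behaviour described in this report; adding `syscall` to the terminator set surfaces both. Because a gadget is cut at the first terminator of the active set, the second run reports the bare `syscall` rather than `syscall ; ret`, and the `mov edi, ebx ; syscall` it also lists is the unaligned decoding of the same bytes (`89 df` without its REX prefix), the same kind of overlapping gadget a real finder reports.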