Can't find the 'pop ecx' instruction

Question

Can't find the 'pop ecx' instruction

opened this issue 4 years ago · comments

Hello,
I tried using ROPgadget v6.3 on a test file with a buffer overflow and I keep getting a "Can't find the 'pop ecx' instruction" message when I try to generate the ropchain.

Anyone else has a similar problem?

Here's my code, compiled as "gcc -static test.c -o test"
test.txt

Here's the ROPgadget output, using the command-line input: ROPgadget --binary test --ropchain> ropS
Gadgets information >> ropS.txt

Here's ROP chain output

ROP chain generation

Step 1 -- Write-what-where gadgets

[+] Gadget found: 0x805875a mov dword ptr [edx], eax ; ret
[+] Gadget found: 0x805ed9e pop edx ; pop ebx ; pop esi ; ret
[+] Gadget found: 0x8052a24 pop eax ; ret
[+] Gadget found: 0x804f7e0 xor eax, eax ; ret
Step 2 -- Init syscall number gadgets

[+] Gadget found: 0x804f7e0 xor eax, eax ; ret
[+] Gadget found: 0x807feea inc eax ; ret
Step 3 -- Init syscall arguments gadgets

[+] Gadget found: 0x804901e pop ebx ; ret
[-] Can't find the 'pop ecx' instruction

Alexey Vishnyakov · Answer 1 · Thu Dec 03 2020 18:17:06 GMT+0800 (China Standard Time)

ROPgadget chains gadgets quite straightforward. It searches for exact pop ecx ; ret that is not contained in your binary. ROPgadget is mostly about searching gadgets. You can check out more advanced ROP chain generating tools. These tools can be found in Section 17 (Experimental tools comparison) in this paper.

Alexey Vishnyakov · Answer 2 · Thu Dec 03 2020 18:25:33 GMT+0800 (China Standard Time)

Also, you'd better start with overflow via memcpy. If overflow is performed via strcpy, you should consider bad chars ('\0' which stops copying). Most open source ROP chain generation tools partially implement bad chars support. They remove gadgets with bad chars in addresses, but leave them in values loaded from stack. For instance, string "/bin/sh\x00".