JonathanSalwan / ROPgadget

This tool lets you search your gadgets on your binaries to facilitate your ROP exploitation. ROPgadget supports ELF, PE and Mach-O format on x86, x64, ARM, ARM64, PowerPC, SPARC, MIPS, RISC-V 64, and RISC-V Compressed architectures.

Home Page:http://www.shell-storm.org/project/ROPgadget/

Can't find the 'mov dword ptr [r32], r32' gadget

trp07 opened this issue · comments

Hello,
I tried using ROPgadget v5.4 on a pretty standard test file with a buffer overflow and I keep getting a "Can't find the 'mov dword ptr [r32], r32' gadget" message when I try to generate the ropchain.

Anyone else have a similar problem?

Here's the binary, compiled as: gcc -m32 -ggdb -fno-stack-protector rop1.c -o rop1

#include <string.h>

/* Unused on purpose: keeps the string "/bin/sh" in the binary's data section */
static char *_not_used = "/bin/sh";

/* Deliberately vulnerable: strcpy() has no bounds check, so a long argv[1]
   overflows the 32-byte stack buffer (this is the test case the issue is about) */
void vuln(char *src)
{
    char buff[32];
    strcpy(buff, src);
}

int main(int argc, char **argv)
{
    if (argc >= 2)
        vuln(argv[1]);
    return 0;
}

Here's the ROPgadget output, using the command-line input: ROPgadget --binary rop1 --ropchain

Gadgets information

0x0804866f : adc al, 0x41 ; ret
0x080483e0 : add al, 0x24 ; sub al, 0xa0 ; add al, 8 ; call eax
0x0804841d : add al, 0x24 ; sub al, 0xa0 ; add al, 8 ; call edx
0x0804841b : add al, 0xc7 ; add al, 0x24 ; sub al, 0xa0 ; add al, 8 ; call edx
0x08048448 : add al, 8 ; add ecx, ecx ; ret
0x080483e4 : add al, 8 ; call eax
0x08048421 : add al, 8 ; call edx
0x080483c8 : add al, 8 ; cmp eax, 6 ; ja 0x80483d7 ; ret
0x080484cf : add byte ptr [eax], al ; add byte ptr [eax], al ; leave ; ret
0x080484d0 : add byte ptr [eax], al ; add cl, cl ; ret
0x0804830c : add byte ptr [eax], al ; add esp, 8 ; pop ebx ; ret
0x080484d1 : add byte ptr [eax], al ; leave ; ret
0x0804866c : add cl, byte ptr [eax + 0xe] ; adc al, 0x41 ; ret
0x080484d2 : add cl, cl ; ret
0x08048668 : add eax, 0x2300e4e ; dec eax ; push cs ; adc al, 0x41 ; ret
0x08048445 : add eax, 0x804a02c ; add ecx, ecx ; ret
0x08048402 : add eax, edx ; sar eax, 1 ; jne 0x804840f ; ret
0x0804844a : add ecx, ecx ; ret
0x08048539 : add esp, 0x1c ; pop ebx ; pop esi ; pop edi ; pop ebp ; ret
0x0804830e : add esp, 8 ; pop ebx ; ret
0x0804846a : and al, 0x10 ; lahf ; add al, 8 ; call eax
0x080483e1 : and al, 0x2c ; mov al, byte ptr [0xd0ff0804] ; leave ; ret
0x0804841e : and al, 0x2c ; mov al, byte ptr [0xd2ff0804] ; leave ; ret
0x0804841a : and al, 4 ; mov dword ptr [esp], 0x804a02c ; call edx
0x080482f4 : call 0x80483b6
0x080483e6 : call eax
0x08048423 : call edx
0x08048405 : clc ; jne 0x804840c ; ret
0x080483cb : clc ; push es ; ja 0x80483d4 ; ret
0x080483ca : cmp eax, 6 ; ja 0x80483d5 ; ret
0x0804866d : dec eax ; push cs ; adc al, 0x41 ; ret
0x08048494 : dec ecx ; ret
0x08048669 : dec esi ; push cs ; xor byte ptr [edx], al ; dec eax ; push cs ; adc al, 0x41 ; ret
0x08048538 : fild word ptr [ebx + 0x5e5b1cc4] ; pop edi ; pop ebp ; ret
0x080483dd : in al, dx ; sbb bh, al ; add al, 0x24 ; sub al, 0xa0 ; add al, 8 ; call eax
0x08048670 : inc ecx ; ret
0x080483cd : ja 0x80483d2 ; ret
0x08048406 : jne 0x804840b ; ret
0x08048537 : jne 0x8048521 ; add esp, 0x1c ; pop ebx ; pop esi ; pop edi ; pop ebp ; ret
0x0804846c : lahf ; add al, 8 ; call eax
0x080483e8 : leave ; ret
0x0804853a : les ebx, ptr [ebx + ebx*2] ; pop esi ; pop edi ; pop ebp ; ret
0x0804830f : les ecx, ptr [eax] ; pop ebx ; ret
0x08048447 : mov al, byte ptr [0xc9010804] ; ret
0x080483e3 : mov al, byte ptr [0xd0ff0804] ; leave ; ret
0x08048420 : mov al, byte ptr [0xd2ff0804] ; leave ; ret
0x080483c7 : mov al, byte ptr [0xf8830804] ; push es ; ja 0x80483d8 ; ret
0x08048444 : mov byte ptr [0x804a02c], 1 ; leave ; ret
0x0804855f : mov dword ptr [0x8300001a], eax ; les ecx, ptr [eax] ; pop ebx ; ret
0x08048468 : mov dword ptr [esp], 0x8049f10 ; call eax
0x080483df : mov dword ptr [esp], 0x804a02c ; call eax
0x0804841c : mov dword ptr [esp], 0x804a02c ; call edx
0x080484ce : mov eax, 0 ; leave ; ret
0x080483b0 : mov ebx, dword ptr [esp] ; ret
0x080483af : nop ; mov ebx, dword ptr [esp] ; ret
0x080483ad : nop ; nop ; mov ebx, dword ptr [esp] ; ret
0x080483ab : nop ; nop ; nop ; mov ebx, dword ptr [esp] ; ret
0x08048548 : nop ; nop ; nop ; nop ; nop ; nop ; nop ; nop ; ret
0x08048549 : nop ; nop ; nop ; nop ; nop ; nop ; nop ; ret
0x0804854a : nop ; nop ; nop ; nop ; nop ; nop ; ret
0x0804854b : nop ; nop ; nop ; nop ; nop ; ret
0x0804854c : nop ; nop ; nop ; nop ; ret
0x0804854d : nop ; nop ; nop ; ret
0x0804854e : nop ; nop ; ret
0x0804854f : nop ; ret
0x080483e5 : or bh, bh ; ror cl, 1 ; ret
0x08048422 : or bh, bh ; ror cl, cl ; ret
0x080483c9 : or byte ptr [ebx + 0x17706f8], al ; ret
0x08048449 : or byte ptr [ecx], al ; leave ; ret
0x08048401 : pop ds ; add eax, edx ; sar eax, 1 ; jne 0x8048410 ; ret
0x0804853f : pop ebp ; ret
0x0804853c : pop ebx ; pop esi ; pop edi ; pop ebp ; ret
0x08048311 : pop ebx ; ret
0x0804853e : pop edi ; pop ebp ; ret
0x0804853d : pop esi ; pop edi ; pop ebp ; ret
0x0804866e : push cs ; adc al, 0x41 ; ret
0x0804866a : push cs ; xor byte ptr [edx], al ; dec eax ; push cs ; adc al, 0x41 ; ret
0x080484e5 : push ebx ; call 0x80483b7
0x080483cc : push es ; ja 0x80483d3 ; ret
0x080484e4 : push esi ; push ebx ; call 0x80483b8
0x08048403 : rcl cl, 1 ; clc ; jne 0x804840e ; ret
0x080482fa : ret
0x080483fe : ret 0xeac1
0x080483e7 : ror cl, 1 ; ret
0x08048424 : ror cl, cl ; ret
0x08048404 : sar eax, 1 ; jne 0x804840d ; ret
0x080483b1 : sbb al, 0x24 ; ret
0x0804853b : sbb al, 0x5b ; pop esi ; pop edi ; pop ebp ; ret
0x080483de : sbb bh, al ; add al, 0x24 ; sub al, 0xa0 ; add al, 8 ; call eax
0x080483ff : shr edx, 0x1f ; add eax, edx ; sar eax, 1 ; jne 0x8048412 ; ret
0x08048446 : sub al, 0xa0 ; add al, 8 ; add ecx, ecx ; ret
0x080483e2 : sub al, 0xa0 ; add al, 8 ; call eax
0x0804841f : sub al, 0xa0 ; add al, 8 ; call edx
0x080483c6 : sub al, 0xa0 ; add al, 8 ; cmp eax, 6 ; ja 0x80483d9 ; ret
0x080482f1 : sub esp, 8 ; call 0x80483b9
0x0804866b : xor byte ptr [edx], al ; dec eax ; push cs ; adc al, 0x41 ; ret

Unique gadgets found: 96

ROP chain generation

  • Step 1 -- Write-what-where gadgets

    [-] Can't find the 'mov dword ptr [r32], r32' gadget

It also might be worth noting that the example C code used is from a video on ROP that used ROPgadget. I'm assuming it should have worked since it worked in the video. Thanks for the help.

Anyone else have a similar problem?

Everybody who tries to find gadgets on a small binary. To build the payload we need specific gadgets; if there is no gadget, there is no trivial payload (that's what the error tries to explain). You need a mov dword ptr [r32], r32 gadget and, as you can see in your output, there is no mov m, r.

gcc -m32 -ggdb -fno-stack-protector rop1.c -o rop1

If you need more gadgets for your tests, compile with -static.

It also might be worth noting that the example C code used is from a video on ROP that used ROPgadget. I'm assuming it should have worked since it worked in the video.

What video?

Cheers,

Thanks for the response. Below is the video link. The demo using ROPgadget starts at about 1:10:00 into the video. If you have time to watch it, any thoughts as to why it worked for him, vice for myself? It didn't show how he compiled the program. Later this afternoon I'll try using the -static flag.
[https://www.youtube.com/watch?v=1xFxJuT0SQM]

Thanks for the help. It's greatly appreciated.

This is working because there is the mov m, r gadget. Take a look at his output.

Yes, it worked for him, but the same program doesn't work when I try it. Perhaps there's a problem with the way I compiled it. When I did the disassembly in gdb, I had the same assembly as he did though. Does the -static flag link more libraries into the code? Maybe not using it limited the types of gadgets I could find. But, I think my output found more gadgets than his did.

Or perhaps I did something incorrect with installing ROPgadget. It seems to work fine on the test binaries that you have. I'm definitely going to work more on it a bit later this afternoon.

Thanks a lot for the response. It's very helpful.

Yes, it worked for him, but the same program doesn't work when I try it. Perhaps there's a problem with the way I compiled it.

When you compile a binary, each binary is different according to the flags, optimizations, compiler version, etc. That's why you don't find the same gadgets as someone else.

Does the -static flag link more libraries into the code?

Yes, this flag includes external libs in your binary.

Maybe not using it limited the types of gadgets I could find.

yes

But, I think my output found more gadgets than his did.

The size doesn't matter ;)

Or perhaps I did something incorrect with installing ROPgadget.

nop

It seems to work fine on the test binaries that you have.

That was planned :)
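To make the two explanations above concrete (a small binary has no register-indirect store that ends in ret, and -static brings libc's code, and so its gadgets, into the binary), here is an added example that is not part of ROPgadget or of this thread: a Python checker that parses listing lines in the format shown above and reproduces a simplified form of the builder's "Step 1 -- Write-what-where" requirement. The regexes are an approximation of the tool's real check, and the addresses in STATIC_LISTING are made up.

```python
import re

LINE_RE = re.compile(r"^\s*(0x[0-9a-fA-F]+)\s*:\s*(.+?)\s*$")  # "0x08048311 : pop ebx ; ret"
REG = r"(?:eax|ebx|ecx|edx|esi|edi|ebp)"  # 32-bit registers a chain can load with pop
STORE_RE = re.compile(rf"^mov dword ptr \[({REG})\], ({REG})$")

def parse_gadgets(listing):
    """Turn ROPgadget's text output into (address, [instruction, ...]) tuples."""
    gadgets = []
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if m:  # headers such as "Gadgets information" do not match and are skipped
            gadgets.append((int(m.group(1), 16), [i.strip() for i in m.group(2).split(";")]))
    return gadgets

def two_insn_ret(gadgets, first_re):
    """Gadgets of exactly the shape '<first> ; ret' whose first insn matches first_re."""
    return [(a, i) for a, i in gadgets if len(i) == 2 and i[1] == "ret" and re.match(first_re, i[0])]

def step1_report(listing):
    """Simplified version of the builder's 'Step 1 -- Write-what-where' check: a
    register-indirect store ending in ret, plus 'pop r ; ret' for both registers.
    A store to a fixed address or to [esp], or one ending in call, does not count."""
    gadgets = parse_gadgets(listing)
    stores = two_insn_ret(gadgets, STORE_RE)
    if not stores:
        return {"ok": False, "reason": "Can't find the 'mov dword ptr [r32], r32' gadget"}
    addr, insns = stores[0]
    dst, src = STORE_RE.match(insns[0]).groups()
    return {"ok": True, "store": hex(addr),
            "pop_dst": [hex(a) for a, _ in two_insn_ret(gadgets, rf"^pop {dst}$")],
            "pop_src": [hex(a) for a, _ in two_insn_ret(gadgets, rf"^pop {src}$")]}

# Constructed excerpt of the listing posted in this issue: its stores go to an
# absolute address or [esp], or end in call, so Step 1 cannot be satisfied.
ISSUE_LISTING = """Gadgets information
0x080483df : mov dword ptr [esp], 0x804a02c ; call eax
0x0804855f : mov dword ptr [0x8300001a], eax ; les ecx, ptr [eax] ; pop ebx ; ret
0x08048311 : pop ebx ; ret
0x0804853f : pop ebp ; ret
Unique gadgets found: 96"""

# Constructed, hypothetical addresses: the kind of extra gadgets a -static build
# (libc linked in) typically contributes, which lets the check pass.
STATIC_LISTING = ISSUE_LISTING + """
0x0806f000 : mov dword ptr [edx], eax ; ret
0x0806f010 : pop edx ; ret
0x0806f020 : pop eax ; ret"""
```

Running step1_report on the full listing pasted in the issue gives the same "Can't find" result as the tool, because none of its 96 gadgets is a mov [r32], r32 followed directly by ret.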

Cool. Thanks for the response. I'll try it again later today and post back the results.

Hello,
I just recompiled it as follows:
gcc -m32 -ggdb -static -fno-stack-protector rop1.c -o rop1

The ropchain option works now. Thanks for the help!