JonathanSalwan/ROPgadget

Fails to catch __libc_csu_init gadgets

zachriggle opened this issue · 2 comments

ROPgadget always seems to miss this sequence:

.text:00000000004005E6 48 8B 5C 24 08     mov     rbx, [rsp+8]
.text:00000000004005EB 48 8B 6C 24 10     mov     rbp, [rsp+10h]
.text:00000000004005F0 4C 8B 64 24 18     mov     r12, [rsp+18h]
.text:00000000004005F5 4C 8B 6C 24 20     mov     r13, [rsp+20h]
.text:00000000004005FA 4C 8B 74 24 28     mov     r14, [rsp+28h]
.text:00000000004005FF 4C 8B 7C 24 30     mov     r15, [rsp+30h]
.text:0000000000400604 48 83 C4 38        add     rsp, 38h
.text:0000000000400608 C3                 retn
.text:0000000000400608                __libc_csu_init endp
$ ROPgadget --binary unexploitable | grep 38
0x0000000000400605 : add esp, 0x38 ; ret
0x0000000000400604 : add rsp, 0x38 ; ret
0x0000000000400602 : and al, 0x30 ; add rsp, 0x38 ; ret
0x0000000000400600 : mov edi, dword ptr [rsp + 0x30] ; add rsp, 0x38 ; ret
0x00000000004005ff : mov r15, qword ptr [rsp + 0x30] ; add rsp, 0x38 ; ret
0x0000000000400538 : pop rbp ; mov edi, 0x600e48 ; jmp rax

Go ahead for a PR :)

I'm 5 years late.... (😬) but it works on rp in case you are interested :-D:

> rp-win-x64.exe --file z.bin --raw x64 --rop=10 | rg "mov rbx,"
0x0: mov rbx, qword [rsp+0x08] ; mov rbp, qword [rsp+0x10] ; mov r12, qword [rsp+0x18] ; mov r13, qword [rsp+0x20] ; mov r14, qword [rsp+0x28] ; mov r15, qword [rsp+0x30] ; add rsp, 0x38 ; ret ; \x48\x8b\x5c\x24\x08\x48\x8b\x6c\x24\x10\x4c\x8b\x64\x24\x18\x4c\x8b\x6c\x24\x20\x4c\x8b\x74\x24\x28\x4c\x8b\x7c\x24\x30\x48\x83\xc4\x38\xc3 (1 found)
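An added example, not code from this issue, ROPgadget or rp, of the depth-limited backward search a gadget finder performs, run on the 35 gadget bytes quoted above: a toy decoder that only knows the encodings in this gadget stands in for a real disassembler, and it assumes ROPgadget's --depth counts bytes before each ret (default 10), which agrees with 0x4005ff being the deepest start in the report.

```python
# Bytes from the rp output in the thread, loaded at the address IDA showed.
CSU_TAIL = bytes.fromhex(
    "488b5c2408" "488b6c2410" "4c8b642418" "4c8b6c2420"
    "4c8b742428" "4c8b7c2430" "4883c438" "c3"
)
CSU_BASE = 0x4005E6
REG = ["ax", "cx", "dx", "bx", "sp", "bp", "si", "di"]


def decode(code, off):
    """Decode one instruction at code[off:]; return (text, size) or None.

    Toy decoder in place of capstone (an assumption of this example): it only
    understands REX + 8B /r with [rsp+disp8], 83 /0 ib on rsp/esp, and C3, so
    any other byte counts as an undecodable start and may hide real gadgets.
    """
    i, rex = off, 0
    if i < len(code) and 0x40 <= code[i] <= 0x4F:  # optional REX prefix
        rex, i = code[i], i + 1
    if i >= len(code):
        return None
    op, i = code[i], i + 1
    wide, rexr = bool(rex & 8), (rex >> 2) & 1
    if op == 0xC3:
        return "ret", i - off
    if op == 0x8B and i + 2 < len(code) and (code[i] & 0xC7) == 0x44 and code[i + 1] == 0x24:
        reg = ((code[i] >> 3) & 7) | (rexr << 3)  # ModRM.reg extended by REX.R
        name = (f"r{reg}" if reg > 7 else "r" + REG[reg]) if wide else (f"r{reg}d" if reg > 7 else "e" + REG[reg])
        return f"mov {name}, [rsp+0x{code[i + 2]:x}]", i + 3 - off
    if op == 0x83 and i + 1 < len(code) and code[i] == 0xC4:
        return f"add {'rsp' if wide else 'esp'}, 0x{code[i + 1]:x}", i + 2 - off
    return None


def find_gadgets(code, base, depth):
    """Return [(addr, text)] for every start whose linear sweep lands on a ret.

    For each C3 byte try every start within `depth` bytes (counting the ret
    byte itself) and keep it only if decoding from there ends exactly on the ret.
    """
    gadgets = []
    for ret_off, byte in enumerate(code):
        if byte != 0xC3:
            continue
        for start in range(max(0, ret_off - depth + 1), ret_off + 1):
            insns, off = [], start
            while off < ret_off:
                ins = decode(code, off)
                if ins is None:
                    break
                insns.append(ins[0])
                off += ins[1]
            if off == ret_off:  # sweep reached the ret byte exactly, so it is aligned
                gadgets.append((base + start, " ; ".join(insns + ["ret"])))
    return gadgets


if __name__ == "__main__":
    for depth in (10, 35):  # default-style depth vs. one that reaches the first mov
        for addr, text in find_gadgets(CSU_TAIL, CSU_BASE, depth):
            print(f"depth={depth} 0x{addr:016x} : {text}")
```

With depth 10 the deepest hit is `mov r15, [rsp+0x30] ; add rsp, 0x38 ; ret` at 0x4005ff, exactly as in the report; only a depth of 35 or more reaches the full sequence at 0x4005e6.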