JonathanSalwan/ROPgadget

ROPchain successfully generates but SIGSEGV on execution

Cryptomancerx opened this issue · 3 comments

I'm having a weird issue with ROPgadget's ROPchain feature where it works perfectly on a compiled binary that I generated some time ago under forgotten circumstances, but fails to work on the exact same source code compiled, I think, in the same way. In both cases the ROP chain is successfully generated. In the old binary (1old) I get the shell just fine. In the new binary (1new) I get a SIGSEGV error just before starting to execute the ROP chain. I know my offset to EIP is correct. Both binaries are being executed in the exact same way. The attached zip file contains the source code, old and new binaries, and the generated ROP chains for each. The screenshot contains a shot of the SIGSEGV error on the new binary.

Edit - Forgot to mention that the binaries are statically-linked and that ASLR is disabled.

Attachment: rop.zip
Screenshot: sigsegv

It looks like it's trying to jump to the stack and it's hitting my padding, but I don't understand why it would do that only in the new binary given that it's the same source code.

0xbffff54b looks like a stack address, with NX certainly enabled.

NX is enabled on both binaries, including the one that successfully executes the ROP chain.

Regardless, I tried recompiling the binary with -z execstack and I have the same issue. It should not be hitting the stack at all. And notice that the value at that address is 0x41414145, or AAAA+4, which means it's hitting my padding. I know I have the right offset to EIP, as I said, so this should not happen.

Label: bug
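The diagnostic the thread circles around (a return slot that holds a stack address such as 0xbffff54b instead of a gadget address) can be checked mechanically before running the chain. The script below is an added example, not code from ROPgadget or from the issue's attachments: it reads the PT_LOAD program headers of an ELF32 little-endian binary with nothing but the standard library, pulls every value out of a ROPgadget-style `p += pack('<I', 0x...) # comment` chain, and classifies each one as landing in an executable segment, a non-executable segment, or outside the image entirely. Any slot annotated as a gadget that does not land in an executable segment is reported. The ELF image and chain text embedded here are constructed for the demonstration (the addresses are made up and one stack address is planted on purpose); on a real case you would pass the bytes of `1new` and the text of its generated chain instead.

```python
import re
import struct

PT_LOAD = 1
PF_X = 1

ELF32_EHDR = "<16sHHIIIIIHHHHHH"   # 52-byte ELF32 header
ELF32_PHDR = "<8I"                 # 32-byte ELF32 program header


def load_segments(elf):
    """Return (vaddr, memsz, flags) for every PT_LOAD segment of an ELF32 little-endian image."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if elf[4] != 1 or elf[5] != 1:
        raise ValueError("only ELF32 little-endian images are handled here")
    hdr = struct.unpack_from(ELF32_EHDR, elf, 0)
    e_phoff, e_phentsize, e_phnum = hdr[5], hdr[9], hdr[10]
    segs = []
    for i in range(e_phnum):
        p_type, _, p_vaddr, _, _, p_memsz, p_flags, _ = struct.unpack_from(
            ELF32_PHDR, elf, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            segs.append((p_vaddr, p_memsz, p_flags))
    return segs


def classify(addr, segs):
    """'exec' for an executable PT_LOAD, 'data' for a non-executable one, 'outside-image' otherwise."""
    for vaddr, memsz, flags in segs:
        if vaddr <= addr < vaddr + memsz:
            return "exec" if flags & PF_X else "data"
    return "outside-image"


CHAIN_LINE = re.compile(r"pack\('<I',\s*(0x[0-9a-fA-F]+)\)(?:\s*#\s*(.*))?")


def parse_chain(text):
    """Extract (value, comment) pairs from ROPgadget-style "p += pack('<I', 0x...) # ..." lines."""
    return [(int(m.group(1), 16), (m.group(2) or "").strip())
            for m in CHAIN_LINE.finditer(text)]


def audit_chain(elf, text):
    """Classify every value in the chain against the binary's loadable segments."""
    segs = load_segments(elf)
    return [(v, c, classify(v, segs)) for v, c in parse_chain(text)]


def suspicious_gadgets(elf, text):
    """Entries annotated as gadgets (comment ends in 'ret' or names int 0x80) outside any executable segment."""
    return [(v, c, k) for v, c, k in audit_chain(elf, text)
            if (c.endswith("ret") or "int 0x80" in c) and k != "exec"]


def build_sample_elf():
    """Constructed ELF32 image (headers only, no code): R+X text at 0x08048000, R+W data at 0x080ec000."""
    phdrs = [
        (PT_LOAD, 0x0, 0x08048000, 0x08048000, 0xa0000, 0xa0000, 5, 0x1000),   # PF_R|PF_X
        (PT_LOAD, 0xa0000, 0x080ec000, 0x080ec000, 0x1000, 0x3000, 6, 0x1000),  # PF_R|PF_W
    ]
    ehdr = struct.pack(ELF32_EHDR, b"\x7fELF\x01\x01\x01" + b"\x00" * 9,
                       2, 3, 1, 0x08048100, 52, 0, 0, 52, 32, len(phdrs), 0, 0, 0)
    return ehdr + b"".join(struct.pack(ELF32_PHDR, *p) for p in phdrs)


# Constructed chain text in ROPgadget's output style; the addresses are made up to match
# build_sample_elf(). The 0xbffff54b slot is planted deliberately: a stack address sitting
# where a gadget address should be, which is exactly the symptom the issue describes.
SAMPLE_CHAIN = """
p = 'A' * 44
p += pack('<I', 0x0806ecda) # pop edx ; ret
p += pack('<I', 0x080ec060) # @ .data
p += pack('<I', 0x080bb406) # pop eax ; ret
p += pack('<I', 0x41414141) # padding without overwrite ebx
p += pack('<I', 0xbffff54b) # pop ebx ; ret
p += pack('<I', 0x0806f5b0) # int 0x80
"""


if __name__ == "__main__":
    elf = build_sample_elf()
    for value, comment, kind in audit_chain(elf, SAMPLE_CHAIN):
        print(f"0x{value:08x}  {kind:14s} {comment}")
    for value, comment, kind in suspicious_gadgets(elf, SAMPLE_CHAIN):
        print(f"BAD GADGET SLOT 0x{value:08x} ({kind}): {comment}")
```

Constants and padding legitimately fall outside the image, so only the slots whose comment marks them as a gadget are judged. With NX enabled, a gadget slot classified as anything other than `exec` will fault on the first `ret` into it, which is the behaviour to look for when a chain generated for one build is replayed against another.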