
I am studying ROP on Arm64; I posted my previous thread here: Return Oriented Programming on ARM (64-bit).

However, a new, separate issue about choosing ROP gadgets has arisen which requires opening a new thread. To sum up: I am studying the ROP vulnerability on 64-bit ARM and I am trying to test it using a very simple C program (attached to the previous thread). I am using the ropper tool to search for gadgets to build my ROP chain. But when I overwrite the PC with the address of the gadget, I get this within gdb:

[!] Cannot disassemble from $PC
[!] Cannot access memory at address 0x8f8

stopped 0x8f8 in ?? ()

I overwrite the PC with the 0x00000000000008f8 gadget address, but that cannot be the address at which the gadget is actually loaded in memory. Here is the list of ROP gadgets that I got by using ropper:

0x0000000000000858: add x0, sp, #0x10; bl #0x6e0; nop; ldp x29, x30, [sp], #0x60; ret; 
0x0000000000000828: add x0, x0, #0x930; bl #0x6c0; nop; ldp x29, x30, [sp], #0x20; ret; 
0x0000000000000688: add x16, x16, #0; br x17; 
0x00000000000006a8: add x16, x16, #0x10; br x17; 
0x00000000000006b8: add x16, x16, #0x18; br x17; 
0x00000000000006c8: add x16, x16, #0x20; br x17; 
0x00000000000006d8: add x16, x16, #0x28; br x17; 
0x00000000000006e8: add x16, x16, #0x30; br x17; 
0x000000000000066c: add x16, x16, #0xff8; br x17; 
0x0000000000000698: add x16, x16, #8; br x17; 
0x00000000000008e0: add x19, x19, #1; mov x1, x23; mov w0, w22; blr x3; 
0x0000000000000824: adrp x0, #0; add x0, x0, #0x930; bl #0x6c0; nop; ldp x29, x30, [sp], #0x20; ret; 
0x0000000000000728: adrp x0, #0x10000; ldr x0, [x0, #0xfc8]; cbz x0, #0x738; b #0x6a0; ret; 
0x0000000000000758: adrp x1, #0x10000; ldr x1, [x1, #0xfb8]; cbz x1, #0x76c; mov x16, x1; br x16; 
0x0000000000000758: adrp x1, #0x10000; ldr x1, [x1, #0xfb8]; cbz x1, #0x76c; mov x16, x1; br x16; ret; 
0x0000000000000664: adrp x16, #0x10000; ldr x17, [x16, #0xff8]; add x16, x16, #0xff8; br x17; 
0x00000000000006a0: adrp x16, #0x11000; ldr x17, [x16, #0x10]; add x16, x16, #0x10; br x17; 
0x00000000000006b0: adrp x16, #0x11000; ldr x17, [x16, #0x18]; add x16, x16, #0x18; br x17; 
0x00000000000006c0: adrp x16, #0x11000; ldr x17, [x16, #0x20]; add x16, x16, #0x20; br x17; 
0x00000000000006d0: adrp x16, #0x11000; ldr x17, [x16, #0x28]; add x16, x16, #0x28; br x17; 
0x00000000000006e0: adrp x16, #0x11000; ldr x17, [x16, #0x30]; add x16, x16, #0x30; br x17; 
0x0000000000000690: adrp x16, #0x11000; ldr x17, [x16, #8]; add x16, x16, #8; br x17; 
0x0000000000000680: adrp x16, #0x11000; ldr x17, [x16]; add x16, x16, #0; br x17; 
0x0000000000000794: adrp x2, #0x10000; ldr x2, [x2, #0xfe0]; cbz x2, #0x7a8; mov x16, x2; br x16;                                                                           
0x0000000000000794: adrp x2, #0x10000; ldr x2, [x2, #0xfe0]; cbz x2, #0x7a8; mov x16, x2; br x16; ret;                                                                      
0x0000000000000734: b #0x6a0; ret; 
0x0000000000000754: b.eq #0x76c; adrp x1, #0x10000; ldr x1, [x1, #0xfb8]; cbz x1, #0x76c; mov x16, x1; br x16;                                                              
0x00000000000008f4: b.ne #0x8d8; ldp x19, x20, [sp, #0x10]; ldp x21, x22, [sp, #0x20]; ldp x23, x24, [sp, #0x30]; ldp x29, x30, [sp], #0x40; ret;                           
0x0000000000000724: bl #0x6b0; adrp x0, #0x10000; ldr x0, [x0, #0xfc8]; cbz x0, #0x738; b #0x6a0; ret;                                                                      
0x000000000000082c: bl #0x6c0; nop; ldp x29, x30, [sp], #0x20; ret; 
0x0000000000000854: bl #0x6d0; add x0, sp, #0x10; bl #0x6e0; nop; ldp x29, x30, [sp], #0x60; ret;                                                                           
0x000000000000085c: bl #0x6e0; nop; ldp x29, x30, [sp], #0x60; ret; 
0x0000000000000648: bl #0x728; ldp x29, x30, [sp], #0x10; ret; 
0x00000000000007e0: bl #0x740; movz w0, #0x1; strb w0, [x19, #0x48]; ldr x19, [sp, #0x10]; ldp x29, x30, [sp], #0x20; ret;                                                  
0x000000000000087c: bl #0x83c; movz w0, #0; ldp x29, x30, [sp], #0x20; ret; 
0x00000000000008ec: blr x3; 
0x0000000000000768: br x16; 
0x0000000000000768: br x16; ret; 
0x0000000000000670: br x17; 
0x0000000000000730: cbz x0, #0x738; b #0x6a0; ret; 
0x0000000000000760: cbz x1, #0x76c; mov x16, x1; br x16; 
0x0000000000000760: cbz x1, #0x76c; mov x16, x1; br x16; ret; 
0x0000000000000790: cbz x1, #0x7a8; adrp x2, #0x10000; ldr x2, [x2, #0xfe0]; cbz x2, #0x7a8; mov x16, x2; br x16;                                                           
0x000000000000079c: cbz x2, #0x7a8; mov x16, x2; br x16; 
0x000000000000079c: cbz x2, #0x7a8; mov x16, x2; br x16; ret; 
0x00000000000008f8: ldp x19, x20, [sp, #0x10]; ldp x21, x22, [sp, #0x20]; ldp x23, x24, [sp, #0x30]; ldp x29, x30, [sp], #0x40; ret;                                        
0x00000000000008fc: ldp x21, x22, [sp, #0x20]; ldp x23, x24, [sp, #0x30]; ldp x29, x30, [sp], #0x40; ret;                                                                   
0x0000000000000900: ldp x23, x24, [sp, #0x30]; ldp x29, x30, [sp], #0x40; ret; 
0x000000000000064c: ldp x29, x30, [sp], #0x10; ret; 
0x00000000000007f0: ldp x29, x30, [sp], #0x20; ret; 
0x0000000000000904: ldp x29, x30, [sp], #0x40; ret; 
0x0000000000000864: ldp x29, x30, [sp], #0x60; ret; 
0x000000000000072c: ldr x0, [x0, #0xfc8]; cbz x0, #0x738; b #0x6a0; ret; 
0x000000000000075c: ldr x1, [x1, #0xfb8]; cbz x1, #0x76c; mov x16, x1; br x16; 
0x000000000000075c: ldr x1, [x1, #0xfb8]; cbz x1, #0x76c; mov x16, x1; br x16; ret; 
0x00000000000006a4: ldr x17, [x16, #0x10]; add x16, x16, #0x10; br x17; 
0x00000000000006b4: ldr x17, [x16, #0x18]; add x16, x16, #0x18; br x17; 
0x00000000000006c4: ldr x17, [x16, #0x20]; add x16, x16, #0x20; br x17; 
0x00000000000006d4: ldr x17, [x16, #0x28]; add x16, x16, #0x28; br x17; 
0x00000000000006e4: ldr x17, [x16, #0x30]; add x16, x16, #0x30; br x17; 
0x0000000000000668: ldr x17, [x16, #0xff8]; add x16, x16, #0xff8; br x17; 
0x0000000000000694: ldr x17, [x16, #8]; add x16, x16, #8; br x17; 
0x0000000000000684: ldr x17, [x16]; add x16, x16, #0; br x17; 
0x00000000000007ec: ldr x19, [sp, #0x10]; ldp x29, x30, [sp], #0x20; ret; 
0x0000000000000798: ldr x2, [x2, #0xfe0]; cbz x2, #0x7a8; mov x16, x2; br x16; 
0x0000000000000798: ldr x2, [x2, #0xfe0]; cbz x2, #0x7a8; mov x16, x2; br x16; ret; 
0x00000000000008d8: ldr x3, [x21, x19, lsl #3]; mov x2, x24; add x19, x19, #1; mov x1, x23; mov w0, w22; blr x3;                                                            
0x00000000000008e8: mov w0, w22; blr x3; 
0x00000000000008e4: mov x1, x23; mov w0, w22; blr x3; 
0x0000000000000764: mov x16, x1; br x16; 
0x0000000000000764: mov x16, x1; br x16; ret; 
0x00000000000007a0: mov x16, x2; br x16; 
0x00000000000007a0: mov x16, x2; br x16; ret; 
0x00000000000008dc: mov x2, x24; add x19, x19, #1; mov x1, x23; mov w0, w22; blr x3; 
0x0000000000000644: mov x29, sp; bl #0x728; ldp x29, x30, [sp], #0x10; ret; 
0x0000000000000918: mov x29, sp; ldp x29, x30, [sp], #0x10; ret; 
0x0000000000000880: movz w0, #0; ldp x29, x30, [sp], #0x20; ret; 
0x00000000000007e4: movz w0, #0x1; strb w0, [x19, #0x48]; ldr x19, [sp, #0x10]; ldp x29, x30, [sp], #0x20; ret;                                                             
0x0000000000000660: stp x16, x30, [sp, #-0x10]!; adrp x16, #0x10000; ldr x17, [x16, #0xff8]; add x16, x16, #0xff8; br x17;                                                  
0x0000000000000640: stp x29, x30, [sp, #-0x10]!; mov x29, sp; bl #0x728; ldp x29, x30, [sp], #0x10; ret;                                                                    
0x0000000000000914: stp x29, x30, [sp, #-0x10]!; mov x29, sp; ldp x29, x30, [sp], #0x10; ret;                                                                               
0x0000000000000874: str w0, [sp, #0x1c]; str x1, [sp, #0x10]; bl #0x83c; movz w0, #0; ldp x29, x30, [sp], #0x20; ret;                                                       
0x0000000000000878: str x1, [sp, #0x10]; bl #0x83c; movz w0, #0; ldp x29, x30, [sp], #0x20; ret;                                                                            
0x00000000000007e8: strb w0, [x19, #0x48]; ldr x19, [sp, #0x10]; ldp x29, x30, [sp], #0x20; ret;                                                                            
0x000000000000067c: nop; adrp x16, #0x11000; ldr x17, [x16]; add x16, x16, #0; br x17;                                                                                      
0x0000000000000830: nop; ldp x29, x30, [sp], #0x20; ret; 
0x0000000000000860: nop; ldp x29, x30, [sp], #0x60; ret; 
0x0000000000000678: nop; nop; adrp x16, #0x11000; ldr x17, [x16]; add x16, x16, #0; br x17; 
0x000000000000090c: nop; ret; 
0x0000000000000650: ret; 

In particular I am interested in both the 0x00000000000008f8 and the 0x00000000000008d8 gadgets.

Elf file type is DYN (Shared object file) Entry point 0x6f0 There are 9 program headers, starting at offset 64

The output of the command readelf -l to find the base address of ELF file is:

Program Headers:
  Type           Offset             VirtAddr           PhysAddr
                 FileSiz            MemSiz              Flags  Align
  PHDR           0x0000000000000040 0x0000000000000040 0x0000000000000040
                 0x00000000000001f8 0x00000000000001f8  R      0x8
  INTERP         0x0000000000000238 0x0000000000000238 0x0000000000000238
                 0x000000000000001b 0x000000000000001b  R      0x1
      [Requesting program interpreter: /lib/ld-linux-aarch64.so.1]
  LOAD           0x0000000000000000 0x0000000000000000 0x0000000000000000
                 0x0000000000000adc 0x0000000000000adc  R E    0x10000
  LOAD           0x0000000000000db8 0x0000000000010db8 0x0000000000010db8
                 0x0000000000000290 0x0000000000000298  RW     0x10000
  DYNAMIC        0x0000000000000dc8 0x0000000000010dc8 0x0000000000010dc8
                 0x00000000000001e0 0x00000000000001e0  RW     0x8
  NOTE           0x0000000000000254 0x0000000000000254 0x0000000000000254
                 0x0000000000000044 0x0000000000000044  R      0x4
  GNU_EH_FRAME   0x0000000000000960 0x0000000000000960 0x0000000000000960
                 0x0000000000000054 0x0000000000000054  R      0x4
  GNU_STACK      0x0000000000000000 0x0000000000000000 0x0000000000000000
                 0x0000000000000000 0x0000000000000000  RW     0x10
  GNU_RELRO      0x0000000000000db8 0x0000000000010db8 0x0000000000010db8
                 0x0000000000000248 0x0000000000000248  R      0x1

 Section to Segment mapping:
  Segment Sections...
   00     
   01     .interp 
   02     .interp .note.gnu.build-id .note.ABI-tag .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rela.dyn .rela.plt .init .plt .text .fini .rodata .eh_frame_hdr .eh_frame 
   03     .init_array .fini_array .dynamic .got .got.plt .data .bss 
   04     .dynamic 
   05     .note.gnu.build-id .note.ABI-tag 
   06     .eh_frame_hdr 
   07     
   08     .init_array .fini_array .dynamic .got 

and the output of the info proc mappings in gdb is:

  Start Addr           End Addr       Size     Offset objfile
0x5555555000       0x5555556000     0x1000        0x0 path_to _binary/binary_name
0x5555565000       0x5555566000     0x1000        0x0 path_to _binary/binary_name
0x5555566000       0x5555567000     0x1000     0x1000 path_to _binary/binary_name
0x7ff7e44000       0x7ff7fa1000   0x15d000        0x0 /usr/lib/aarch64-linux-gnu/libc-2.31.so
0x7ff7fa1000       0x7ff7fb1000    0x10000   0x15d000 /usr/lib/aarch64-linux-gnu/libc-2.31.so
0x7ff7fb1000       0x7ff7fb4000     0x3000   0x15d000 /usr/lib/aarch64-linux-gnu/libc-2.31.so
0x7ff7fb4000       0x7ff7fb7000     0x3000   0x160000 /usr/lib/aarch64-linux-gnu/libc-2.31.so
0x7ff7fb7000       0x7ff7fba000     0x3000        0x0 
0x7ff7fcc000       0x7ff7fed000    0x21000        0x0 /usr/lib/aarch64-linux-gnu/ld-2.31.so
0x7ff7ff9000       0x7ff7ffb000     0x2000        0x0 
0x7ff7ffb000       0x7ff7ffc000     0x1000        0x0 [vvar]
0x7ff7ffc000       0x7ff7ffd000     0x1000        0x0 [vdso]
0x7ff7ffd000       0x7ff7ffe000     0x1000    0x21000 /usr/lib/aarch64-linux-gnu/ld-2.31.so
0x7ff7ffe000       0x7ff8000000     0x2000    0x22000 /usr/lib/aarch64-linux-gnu/ld-2.31.so
0x7ffffdf000       0x8000000000    0x21000        0x0 [stack]

How can I find out where the gadgets are actually loaded in memory? Is that the issue, i.e. is what ropper reports not the run-time address?

  • Does this answer your question? [GDB: Listing all mapped memory regions for a crashed process](https://stackoverflow.com/questions/5691193/gdb-listing-all-mapped-memory-regions-for-a-crashed-process) – Siguza Jun 13 '21 at 13:47
  • @Siguza Thank you for your answer. Following the thread you have linked I am able to see the mapped address spaces within gdb, but how can I find the ROP gadgets? – Sp00nc3 Jun 13 '21 at 14:03
  • You need to find the segment base address in the static file (see [this](https://stackoverflow.com/a/18355441/2302862)), and then your gadgets should have the same offset in either map. – Siguza Jun 13 '21 at 14:11
  • @Siguza I edited the main question with the output of the command `$ readelf -l` – Sp00nc3 Jun 13 '21 at 14:23
  • @Siguza Following [link](https://stackoverflow.com/questions/18296276/base-address-of-elf/18355441#18355441) the first (lowest) LOAD segment's virtual address is the default load base of the file. but i got 0x0000000000000000 – Sp00nc3 Jun 13 '21 at 14:26
  • Could you add the output of `info proc mappings` in gdb to your question too? – Siguza Jun 13 '21 at 14:36
  • @Siguza i did it – Sp00nc3 Jun 13 '21 at 14:41


Your gadget is at 0x55555558f8.

Ropper shows the addresses of gadgets the way the ELF header (the program headers printed by `readelf -l`) describes the memory layout of the binary. Because the file type is DYN, that layout starts at address 0x0, so what ropper reports are in effect offsets from a load base of 0; the dynamic loader places the binary at a real base at run time, which is why 0x8f8 is not mapped in the live process. According to that header:

  • The file contents 0x0-0xadc are to be mapped as r-x at address 0x0.
  • The file contents 0xdb8-0x1048 are to be mapped as rw- at address 0x10db8.

Account for page boundaries and you get one page mapping the file from offset 0x0 to address 0x0 as executable, and two pages mapping the file from offset 0x0 onward to address 0x10000 as writeable.

From your GDB dump, these mappings are created at 0x5555555000 and 0x5555565000 in the live process, respectively. So a gadget that ropper reports at offset X in the executable segment lives at 0x5555555000 + X in the live process; for 0x8f8 that gives 0x55555558f8, and the same rebasing applies to every other gadget in your list (for example 0x8d8 → 0x55555558d8).
