Gadget address for vmlinux ELF x86_64 off by 0x200000
I’m not convinced #107 was entirely resolved by e0f704faaa05b537fbb678df7c4e3a172918f63d. The same section.offset code pattern is in use in a few places, and I recently ran into this issue using RopperService.searchInstructions on Ropper 1.13.5.

Note the discrepancy below of 0x200000L between the gadgets returned by RopperService.searchInstructions versus the gadgets returned by the CLI with the --instructions flag.

It’s possible that the discrepancy is due to the Python environment, but the sanity check implies otherwise.
test@ubuntu-16-04-x64:~/Desktop/Ropper$ git diff ropper/rop.py
diff --git a/ropper/rop.py b/ropper/rop.py
index e176009..fa2fda9 100644
--- a/ropper/rop.py
+++ b/ropper/rop.py
@@ -216,6 +216,7 @@ class Ropper(object):
toReturn = []
code = bytearray(section.bytes)
offset = section.offset
+ print("sanity check - we are using this lib file")
for match in re.finditer(opcode, code):
opcodeGadget = Gadget(binary.checksum, section.name, binary.arch)
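Review bot: the added `print("sanity check - we are using this lib file")` is a throwaway debugging aid and prints nothing that helps diagnose the offset bug; since the suspect value is `section.offset` on the line just above it, printing `section.name` and `hex(section.offset)` instead would show directly which section each code path scans and whether the 0x200000 difference originates there. Either way the bare print should not be merged as-is.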
test@ubuntu-16-04-x64:~/Desktop/Ropper$ python3 -m ropper --file /home/test/Desktop/vmlinux --instructions 'mov rdi, rax ; pop rbx ; mov rax, rdi ; pop r12 ; pop rbp ; ret'
sanity check - we are using this lib file
sanity check - we are using this lib file
Instructions
============
0xffffffff8117d5d7: mov rdi, rax; pop rbx; mov rax, rdi; pop r12; pop rbp; ret;
1 gadgets found
test@ubuntu-16-04-x64:~/Desktop/Ropper$ python3 ./sample.py
sanity check - we are using this lib file
0xffffffff8137d5d7: mov rdi, rax; pop rbx; mov rax, rdi; pop r12; pop rbp; ret;
test@ubuntu-16-04-x64:~/Desktop/Ropper$ python -c "print(hex(0xffffffff8137d5d7 - 0xffffffff8117d5d7))"
0x200000L
test@ubuntu-16-04-x64:~/Desktop/Ropper$ cat sample.py
#!/usr/bin/env python3
import ropper
from ropper import RopperService
# not all options need to be given
options = {
    'color' : True,
    'badbytes': '00',
    'all' : True,
    'type' : 'all',
    'detailed' : False
}
rs = RopperService(options)
f = '/home/test/Desktop/vmlinux'
rs.addFile('vmlinux', bytes=open(f, 'rb').read(), raw=True, arch='x86_64')
code = 'mov rdi, rax ; pop rbx ; mov rax, rdi ; pop r12 ; pop rbp ; ret'
rs.setImageBaseFor(name='vmlinux', imagebase=0xffffffff81000000)
gadgets_dict = rs.searchInstructions(code=code, name='vmlinux')
for file, gadgets in gadgets_dict.items():
    for g in gadgets:
        print(g)
test@ubuntu-16-04-x64:~/Desktop/Ropper$ python3 -m ropper -v
Version: Ropper 1.13.5
Author: Sascha Schirra
Website: http://scoding.de/ropper
test@ubuntu-16-04-x64:~/Desktop/Ropper$
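The two addresses above can be settled without trusting either ropper code path. The script below is an added example (not ropper's or the reporter's code): it maps each candidate address to a file offset through the ELF64 PT_LOAD program headers, which is how vmlinux is actually laid out in memory, and compares the bytes found there with the gadget's encoding. The vmlinux stand-in is constructed inline so the script runs offline; the segment layout, the 0x200 file offset and the NOP filler are assumptions, while the gadget and the two addresses are taken from the report.

```python
# Added example, not ropper's code: cross-check a reported gadget address by
# walking the vmlinux ELF64 PT_LOAD headers instead of tool section.offset math.
import struct

PT_LOAD = 1
# Gadget from the report: mov rdi, rax; pop rbx; mov rax, rdi; pop r12; pop rbp; ret
GADGET = bytes.fromhex('4889c75b4889f8415c5dc3')

def parse_phdrs(elf):
    """Return (p_type, p_offset, p_vaddr, p_filesz) for each ELF64 LE program header."""
    if elf[:4] != b'\x7fELF' or elf[4] != 2 or elf[5] != 1:
        raise ValueError('expected a little-endian ELF64 image')
    e_phoff, = struct.unpack_from('<Q', elf, 0x20)
    e_phentsize, e_phnum = struct.unpack_from('<HH', elf, 0x36)
    phdrs = []
    for i in range(e_phnum):
        fields = struct.unpack_from('<IIQQQQQQ', elf, e_phoff + i * e_phentsize)
        p_type, _flags, p_offset, p_vaddr, _paddr, p_filesz = fields[:6]
        phdrs.append((p_type, p_offset, p_vaddr, p_filesz))
    return phdrs

def vaddr_to_offset(elf, vaddr):
    """File offset backing a virtual address, or None if no PT_LOAD segment maps it."""
    for p_type, p_offset, p_vaddr, p_filesz in parse_phdrs(elf):
        if p_type == PT_LOAD and p_vaddr <= vaddr < p_vaddr + p_filesz:
            return p_offset + (vaddr - p_vaddr)
    return None

def check_gadget(elf, vaddr, expected=GADGET):
    """True only if the bytes the ELF maps at vaddr are exactly the expected gadget."""
    off = vaddr_to_offset(elf, vaddr)
    return off is not None and elf[off:off + len(expected)] == expected

def build_sample_vmlinux():
    """Constructed stand-in for vmlinux (assumed layout): one RX PT_LOAD segment
    holding the gadget at 0xffffffff8117d5d7, the address the ropper CLI reported."""
    seg_vaddr, seg_off, seg_size = 0xffffffff8117d000, 0x200, 0x1000
    code = bytearray(b'\x90' * seg_size)            # NOP filler, constructed
    code[0x5d7:0x5d7 + len(GADGET)] = GADGET
    ehdr = b'\x7fELF' + bytes([2, 1, 1, 0]) + b'\0' * 8
    ehdr += struct.pack('<HHIQQQIHHHHHH', 2, 0x3e, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack('<IIQQQQQQ', PT_LOAD, 5, seg_off, seg_vaddr, seg_vaddr,
                       seg_size, seg_size, 0x1000)
    return bytes(ehdr + phdr).ljust(seg_off, b'\0') + bytes(code)

if __name__ == '__main__':
    img = build_sample_vmlinux()
    for addr in (0xffffffff8117d5d7, 0xffffffff8137d5d7):   # CLI result, API result
        print(hex(addr), 'ok' if check_gadget(img, addr) else 'NOT backed by the gadget')
```

To check a real report, replace `build_sample_vmlinux()` with `open('vmlinux', 'rb').read()` on an uncompressed vmlinux; a mismatch between what the file maps and what a tool prints is the signal that the tool's address arithmetic, not the image, is off.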
Issue Analytics
- Created 4 years ago
- Comments: 9 (5 by maintainers)
Top GitHub Comments
No, this issue can be closed, since this is an issue of the filebytes lib and not of ropper.
Hey, you are right. I will check that again.