Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Consider the content of argv array as constraints #120

Closed
david942j opened this issue Jun 16, 2020 · 2 comments
Closed

Consider the content of argv array as constraints #120

david942j opened this issue Jun 16, 2020 · 2 comments
Labels
enhancement help wanted

Comments

@david942j
Copy link
Owner

david942j commented Jun 16, 2020
edited
Loading

Checked on glibc 2.31, https://gitlab.com/david942j/libcdb/blob/master/libc/libc6_2.31-0ubuntu10_amd64/lib/x86_64-linux-gnu/libc-2.31.so

   e6df7:       48 8d 05 ac 07 0d 00    lea    rax,[rip+0xd07ac]        # 1b75aa <_libc_intl_domainname@@GLIBC_2.2.5+0x1a5>
   e6dfe:       49 89 e3                mov    r11,rsp
   e6e01:       4c 8d 55 b0             lea    r10,[rbp-0x50]
   e6e05:       48 89 45 b0             mov    QWORD PTR [rbp-0x50],rax
   e6e09:       48 8b 45 98             mov    rax,QWORD PTR [rbp-0x68]
   e6e0d:       48 89 45 b8             mov    QWORD PTR [rbp-0x48],rax
   e6e11:       e9 25 ff ff ff          jmp    e6d3b <execvpe@@GLIBC_2.11+0x46b>
<...>
   e6d3b:       49 c7 42 10 00 00 00 00         mov    QWORD PTR [r10+0x10],0x0
   e6d43:       4c 89 e2                mov    rdx,r12
   e6d46:       4c 89 d6                mov    rsi,r10
   e6d49:       48 8d 3d 5a 08 0d 00    lea    rdi,[rip+0xd085a]        # 1b75aa <_libc_intl_domainname@@GLIBC_2.2.5+0x1a5>
   e6d50:       4c 89 5d 88             mov    QWORD PTR [rbp-0x78],r11
   e6d54:       e8 67 f4 ff ff          call   e61c0 <execve@@GLIBC_2.2.5>

It calls execve("/bin/sh", rbp-0x50, r12), the "array" of rbp-0x50 is { "/bin/sh", [rbp-0x68], 0 }, which is a valid one gadget with [rbp-0x68] == NULL as the constraint. (and rbp-0x50 has to be writable)
@david942j david942j changed the title Consider the content of argv array as the constraint Consider the content of argv array with constraints Jun 16, 2020
@david942j david942j changed the title Consider the content of argv array with constraints Consider the content of argv array as constraints Jun 16, 2020
@martinradev
Copy link

Similar situation:
0x7ffff7a72374 <do_system+964> mov rax, qword ptr [rip + 0x363b2d] <0x7ffff7a72374>
0x7ffff7a7237b <do_system+971> lea rdi, [rip + 0x122066]
0x7ffff7a72382 <do_system+978> lea rsi, [rsp + 0x30]
0x7ffff7a72387 <do_system+983> mov dword ptr [rip + 0x36612f], 0 <0x7ffff7dd84c0>
0x7ffff7a72391 <do_system+993> mov dword ptr [rip + 0x366129], 0 <0x7ffff7dd84c4>
0x7ffff7a7239b <do_system+1003> mov rdx, qword ptr [rax]
0x7ffff7a7239e <do_system+1006> call execve

The tool conservatively sets that [rsp + 0x30] == NULL must hold, but [rsp + 0x30] = 0x0000555555554dd1 (valid ptr) and [rsp + 0x38] = NULL which is a valid case for a one gadget.

Thanks for noting this and adding it as an improvement.

@lebr0nli lebr0nli mentioned this issue Jul 8, 2023
Merged
@david942j
Copy link
Owner Author

Closed by #206

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement help wanted
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@david942j @martinradev