Practical Binary Analysis by Dennis Andriesse

Author:Dennis Andriesse
Language: eng
Format: epub, azw3, pdf
Publisher: Penguin Random House LLC (Publisher Services)
Published: 2019-12-22T16:00:00+00:00

Running the Gadget Finder

The command line interface for the gadget finder is the same as for the disassembly tools. Listing 8-12 shows what the output should look like.

Listing 8-12: Example output of the ROP scanner

$ ./capstone_gadget_finder /bin/ls | head -n 10

adc byte ptr [r8], r8b; ret [ 0x40b5ac ]

adc byte ptr [rax - 0x77], cl; ret [ 0x40eb10 ]

adc byte ptr [rax], al; ret [ 0x40b5ad ]

adc byte ptr [rbp - 0x14], dh; xor eax, eax; ret [ 0x412f42 ]

adc byte ptr [rcx + 0x39], cl; ret [ 0x40eb8c ]

adc eax, 0x5c415d5b; ret [ 0x4096d7 0x409747 ]

add al, 0x5b; ret [ 0x41254b ]

add al, 0xf3; ret [ 0x404d8b ]

add al, ch; ret [ 0x406697 ]

add bl, dh; ret ; xor eax, eax; ret [ 0x40b4cf ]

Each line of output shows a gadget string, followed by the addresses where this gadget is found. For instance, there’s an add al, ch; ret gadget at address 0x406697, which you could use in a ROP payload to add the al and ch registers together. Having an overview of the available gadgets like this helps a lot in selecting suitable ROP gadgets to use when crafting a ROP payload for use in an exploit.

Download

Copyright Disclaimer:
This site does not store any files on its server. We only index and link to content provided by other sites. Please contact the content providers to delete copyright contents if any and email us, we'll remove relevant links or contents immediately.