
I am trying to exploit a small program. The program looks somewhat like this:

#include <stdio.h>
#include <stdlib.h>
#include <time.h>

/* Vulnerable function: scanf("%s") has no length limit, so input longer
   than 100 bytes overflows text[] and overwrites the saved return address. */
int func(void) {
    char text[100];
    scanf("%s", text);
    return 0;
}

/* A variable-length array of random size shifts the stack frame of func()
   by a different amount on every run. */
int foo(unsigned short rand) {
    char RandomBuffer[rand];
    return func();
}

int main(int argc, char* args[]) {
    srand(time(NULL));
    return foo(rand() % 1000);
}

I used ROPgadget to build a ROP chain. The tool finds a gadget which is needed for the attack:

 Gadget found: 0x8058fcc pop edx ; ret

My ROP chain starts like this:

from struct import pack

p = b'rnd padding'                # placeholder for the padding up to the saved return address
p += pack('<I', 0x08058fcc)       # pop edx ; ret

However when executing my exploit I get:

Stopped reason: SIGILL
0x08058fcc in _int_memalign ()

The EIP points to the address computed by ROPgadget but somehow it is not the correct command.

EIP: 0x8058fcc (<_int_memalign+108>:    lock mov eax,esi)

What am I missing?

Cheers

alive-and-well
  • Have you looked into memory offsets by filename (which dynamically changes stack offsets because it's an argument)? – Patrick Bell Jul 19 '17 at 19:13

2 Answers

Without further analysis it is hard to determine the exact cause of this. One common issue is that running the application under a debugger changes the memory layout slightly and can be enough to break the exploit with/without a debugger attached. Have you tried running it without a debugger attached and then analysing the core dump?

However, pop edx;ret shouldn't be overly difficult to find, either at another address or through a slightly longer gadget such as pop edx; pop eax; ret. Putting together a ROP chain is a puzzle and there is more than one way to do it.

wireghoul

You're likely missing PIE/ASLR, which makes the loader place your executable at a different address every time it's executed, which in turn means that your gadget will be at a different address every time. Look into your compiler if there's a way to disable it. Many gcc builds use -no-pie for example. If not, you may be able to disable ASLR for the entire environment. This is different in different flavours of Linux, but the most common way (I believe) is

sudo bash -c 'echo 0 > /proc/sys/kernel/randomize_va_space'
Tobias
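To verify the effect this answer describes (PIE/ASLR moving the executable between runs) before blaming the gadget, here is an added Python check that is not part of the original thread: it reads the kernel's randomize_va_space setting and compares the lowest mapping of a freshly started process in /proc/self/maps across several runs. The SAMPLE_MAPS text is constructed, and the use of `cat` as the probe binary is an assumption; point PROBE at the binary under study instead.

```python
import os
import shutil
import subprocess

# Constructed /proc/PID/maps excerpt for a non-PIE 32-bit binary (assumed path).
SAMPLE_MAPS = """\
08048000-08049000 r-xp 00000000 08:01 1234 /home/user/vuln
08049000-0804a000 r--p 00000000 08:01 1234 /home/user/vuln
f7e00000-f7fc0000 r-xp 00000000 08:01 5678 /lib/i386-linux-gnu/libc.so.6
ffdd0000-ffdf1000 rwxp 00000000 00:00 0 [stack]
"""

def exe_base(maps_text, exe_path):
    """Lowest start address of any mapping backed by exe_path, or None if absent."""
    base = None
    for line in maps_text.splitlines():
        fields = line.split(None, 5)          # addr perms offset dev inode [path]
        if len(fields) < 6 or fields[5] != exe_path:
            continue
        start = int(fields[0].split("-")[0], 16)
        if base is None or start < base:
            base = start
    return base

def base_is_randomized(bases):
    """True when the observed load bases differ, i.e. PIE+ASLR is relocating the image."""
    return len(set(bases)) > 1

def randomize_va_space():
    """Kernel ASLR knob: 0 off, 1 on, 2 on including brk; None if not readable here."""
    try:
        with open("/proc/sys/kernel/randomize_va_space") as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None

def sample_bases(probe, runs=5):
    """Start `probe` (a binary that dumps its own maps) several times and collect its base."""
    real = os.path.realpath(probe)             # /proc/maps shows the resolved path
    bases = []
    for _ in range(runs):
        out = subprocess.run([probe, "/proc/self/maps"], capture_output=True,
                             text=True, check=True).stdout
        bases.append(exe_base(out, real))
    return bases

if __name__ == "__main__":
    PROBE = shutil.which("cat")               # assumption: cat is PIE on modern distros
    print("randomize_va_space =", randomize_va_space())
    bases = sample_bases(PROBE)
    print("bases:", [hex(b) if b else None for b in bases])
    print("executable relocated between runs:", base_is_randomized(bases))
```

If the executable base never changes but the gadget still faults, the binary is fixed-address and the cause lies elsewhere (for example, the stack shift from RandomBuffer or a debugger-altered layout, as the other answer suggests).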