
I am working on exploiting an application on MIPS to further my knowledge of ROP chaining. The library I am trying to build a ROP chain in is libuClibc-0.9.30.3.so. I found a gadget that I want to use using Ropper. The offset is marked to be 0x0002a730, and the instructions that Ropper shows are: lw $v1, 0x1c($sp); lw $ra, 0x24($sp); nop; jr $ra; addiu $sp, $sp, 0x28. The way I understand it, I add this offset to the base address of libuClibc-0.9.30.3.so to get the actual instruction address. I ran cat /proc/<pid>/maps to find the base address of libuClibc-0.9.30.3.so as 0x2aab1000. I also ran the program numerous times, listing show proc mappings in gdb, and found that this address doesn't appear to change between executions of the application. So I am assuming that this application doesn't utilize ASLR; I also believe this to be true because file doesn't say the program was compiled with PIE enabled. Additionally, jumping to the location at 0x2aab1000 + 0x0002a730 is consistently the same, which all points to this conclusion. However, the instruction that gets executed is not the instruction I intend to have executed when the code jumps to that location. Any pointers for things to double check or potential issues with my logic are much appreciated.

joshu

1 Answer


Well, after talking to numerous people and playing around with Ghidra and a few top gadget finders, this appears to be a common occurrence and isn't actually surprising. I was able to find the gadget I was looking for through trial and error, calculating where the offset sent me relative to where I wanted to be.

joshu