Skip to content

Add new ROP feature: relative stack offset#2583

Open
CsomePro wants to merge 4 commits intoGallopsled:devfrom
CsomePro:dev
Open

Add new ROP feature: relative stack offset#2583
CsomePro wants to merge 4 commits intoGallopsled:devfrom
CsomePro:dev

Conversation

@CsomePro
Copy link

@CsomePro CsomePro commented May 24, 2025

Add new ROP feature: relative stack offset

Sometimes, the ROP needs to be set using the relative offset position on the stack.

This is a temporary solution.

rop = ROP(elf)
rop.rbp = len(rop.chain()) + 8 + offset

But sometimes errors occur.

rop = ROP(elf)
rop.call("open", [b"file", 0])
rop.rbp = len(rop.chain()) + 8 + offset

Because of the existence of AppendedArgument, arguments will be placed at the end of the stack.

len(rop.chain()) will not be the correct offset from base to the current slot.

Therefore, I added a class StackRelative and added the processing logic for StackRelative in the ROP.build function

class StackRelative(Unresolved):
    def __init__(self, offset):
        self.offset = offset
    
    def resolve(self, base):
        return base + self.offset
        ...
        elif isinstance(slot, StackRelative):
            address = slot.resolve(slot_address)
            stack[i] = address
            stack.describe(self.describe(address), slot_address)
        ...

At this point we can use this to solve the above example.

rop = ROP(elf)
rop.call("open", [b"file", 0])
rop.rbp = StackRelative(offset)

@peace-maker
Copy link
Member

peace-maker commented May 28, 2025

Nice, can you please add a test to the ROP class itself or the module at the top which verifies this works as expected? You can look at the other tests which use ELF.from_assembly to setup a test binary with required gadgets manually. That way other users can learn about the existence of this new feature too.

@CsomePro
Copy link
Author

CsomePro commented May 29, 2025

I added the StackRelative test at the top of rop.py. And this test error seems to be a problem with the libcdb module.

@peace-maker
Copy link
Member

peace-maker commented May 30, 2025

This reminds me of labels for flat as proposed in #1026 #1063 but the ROP class is a different space. I don't think that label concept is really applicable for rop chains?

peace-maker
peace-maker requested changes May 30, 2025
View reviewed changes
@CsomePro
Copy link
Author

CsomePro commented May 31, 2025
edited
Loading

This reminds me of labels for flat as proposed in #1026 #1063 but the ROP class is a different space. I don't think that label concept is really applicable for rop chains?

I am also thinking about this question. If I want to set an address precisely to the front or back of a gadget or data during ROP writing, due to the encapsulation of some ROP layouts, how should I do this? Since the length of the data after the gadget is uncertain, it seems difficult to achieve this requirement.

@CsomePro CsomePro requested a review from peace-maker June 6, 2025 16:00
@CsomePro
Copy link
Author

CsomePro commented Jul 17, 2025

The document is complete and can be reviewed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@peace-maker peace-maker Awaiting requested review from peace-maker

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@CsomePro @peace-maker