Merge pull request #106 from angr/feat/pivot

comply with the changes in angrop
angr · Feb 13, 2024 · 7dace9f · 7dace9f
2 parents bdeb7a7 + 1a931e7
commit 7dace9f
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 7 deletions.
diff --git a/rex/exploit/technique.py b/rex/exploit/technique.py
@@ -497,18 +497,14 @@ def _ip_overwrite_with_chain(self, chain, state=None, assert_next_ip_controlled=
 
             # okay we have a symbolic region which fits and is above sp
             # can we pivot there?
-            for gadget in rop.gadgets:
+            for gadget in rop.rop_gadgets:
                 # let's make sure the gadget is sane
 
                 # TODO: consult state before throwing out a gadget, some of these memory
                 # accesses might be acceptable
                 if len(gadget.mem_changes + gadget.mem_writes + gadget.mem_reads) > 0:
                     continue
 
-                if gadget.bp_moves_to_sp:
-                    # it'd better not touch sp
-                    continue
-
                 # FIXME: this assumption is very wrong
                 # if we assume all gadgets end in a 'ret' so we can subtract 4 (wordsize) from stack_change
                 # as we're not interested in the ret's effect on stack movement, because when the

diff --git a/rex/exploit/techniques/ret2libc.py b/rex/exploit/techniques/ret2libc.py
@@ -142,7 +142,7 @@ def _invoke_system(self, system_addr, cmd_addr):
         self._windup_to_unconstrained_successor()
 
         # list all potential JOP gadgets
-        gadgets = [g for g in self.libc_rop.gadgets if g.gadget_type == "jump"
+        gadgets = [g for g in self.libc_rop.rop_gadgets if g.gadget_type == "jump"
                    and g.jump_reg == 't9' and g.pc_reg != 't9']
 
         # filter out gadgets that touches a0
@@ -154,7 +154,7 @@ def _invoke_system(self, system_addr, cmd_addr):
         set_reg_gadget = None
         for jop_gadget in gadgets:
             pc_reg = jop_gadget.pc_reg
-            gadgets2 = [g for g in self.libc_rop.gadgets if pc_reg in g.popped_regs]
+            gadgets2 = [g for g in self.libc_rop.rop_gadgets if pc_reg in g.popped_regs]
             # we need to filter out reads and writes to avoid SIGSEGV from them with invalid addresses
             gadgets3 = [g for g in gadgets2 if 'a0' not in g.changed_regs and not g.mem_reads and not g.mem_writes]
             if gadgets3: