CVE-2021-45761: Invalid memory address dereference in find() · Issue #32 · Boyan-MILANOV/ropium
ROPium v3.1 was discovered to contain an invalid memory address dereference via the find() function.
An issue was discovered in ROPium 3.1. An invalid memory address dereference was discovered in find(). The vulnerability causes a segmentation fault and application crash.
POC
aidai@ubuntu:~/Desktop$ ropium
ROPium - v3.1
(ropium)> find
[!] You must load a binary before finding ropchains
(ropium)> load -a X64 aidai
[!] Skipped: aidai (file doesn't exist)
(ropium)> find
Segmentation fault (core dumped)
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
─────────────────────────────────[ REGISTERS ]──────────────────────────────────
RAX 0x7
RBX 0x1e26bf0 —▸ 0x1e105b0 —▸ 0x7f58fe11a900 —▸ 0x7f58fde45b90 ◂— mov rax, qword ptr [rip + 0x2d50f9]
RCX 0x0
RDX 0x9
RDI 0x1e26bf0 —▸ 0x1e105b0 —▸ 0x7f58fe11a900 —▸ 0x7f58fde45b90 ◂— mov rax, qword ptr [rip + 0x2d50f9]
RSI 0x0
R8 0x2
R9 0x0
R10 0x100
R11 0x7ffdeddde370 —▸ 0x7ffdeddde380 —▸ 0x1ecbee0 ◂— add byte ptr [rax], al
R12 0x1c509e0 ◂— add byte ptr [rax], al
R13 0x7ffdeddde640 ◂— 0x0
R14 0x9
R15 0x1c50a10 ◂— add dword ptr [rax], eax
RBP 0x1c509e0 ◂— add byte ptr [rax], al
RSP 0x7ffdeddde608 —▸ 0x7f58fdec0145 ◂— test al, al
RIP 0x7f58fdeb5c40 ◂— mov ecx, dword ptr [rsi]
───────────────────────────────────[ DISASM ]───────────────────────────────────
► 0x7f58fdeb5c40 mov ecx, dword ptr [rsi]
0x7f58fdeb5c42 mov eax, 1
0x7f58fdeb5c47 cmp ecx, 0x13
0x7f58fdeb5c4a je 0x7f58fdeb5c53
↓
0x7f58fdeb5c53 ret
0x7f58fdeb5c55 nop dword ptr [rax]
0x7f58fdeb5c58 sub edx, 7
0x7f58fdeb5c5b cmp edx, 1
0x7f58fdeb5c5e setbe al
0x7f58fdeb5c61 ret
0x7f58fdeb5c62 nop dword ptr [rax]
───────────────────────────────────[ STACK ]────────────────────────────────────
00:0000│ rsp 0x7ffdeddde608 —▸ 0x7f58fdec0145 ◂— test al, al
01:0008│ 0x7ffdeddde610 —▸ 0x7f58fa641950 ◂— or dword ptr [rax], eax /* '\t' */
02:0010│ 0x7ffdeddde618 ◂— 0x2fa629d68
03:0018│ 0x7ffdeddde620 ◂— 0x0
... ↓
06:0030│ 0x7ffdeddde638 ◂— 0x56056b
07:0038│ r13 0x7ffdeddde640 ◂— 0x0
─────────────────────────────────[ BACKTRACE ]──────────────────────────────────
► f 0 7f58fdeb5c40
f 1 7f58fdec0145
f 2 7f58fa641950
f 3 2fa629d68
f 4 0
────────────────────────────────────────────────────────────────────────────────
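A small crash-triage helper, added here as an example and not part of the issue or of ROPium itself: it reads pwndbg-style register and disassembly lines like the ones above, finds the memory operand of the instruction at RIP, and reports whether the faulting access hit the null page (here RSI is 0x0 and the instruction reads `[rsi]`). The dump excerpt embedded in the block is constructed from the lines in this report.

```python
import re

# Constructed excerpt of the pwndbg dump from this report: the register
# lines and the "►" disassembly line marking the faulting instruction.
SAMPLE_DUMP = """
RAX 0x7
RSI 0x0
RDX 0x9
RIP 0x7f58fdeb5c40 ◂— mov ecx, dword ptr [rsi]
► 0x7f58fdeb5c40 mov ecx, dword ptr [rsi]
"""

REG_LINE = re.compile(r"^\s*(R[A-Z0-9]+)\s+(0x[0-9a-f]+)")
FAULT_LINE = re.compile(r"^\s*►\s*(0x[0-9a-f]+)\s+(.*)$")
# Matches an x86 memory operand such as [rsi] or [rax + 0x10].
MEM_OPERAND = re.compile(r"\[\s*([a-z0-9]+)\s*(?:[+\-]\s*(0x[0-9a-f]+|\d+))?\s*\]")

def parse_registers(dump):
    """Return {REG: value} for every 'RXX 0x...' line in the dump."""
    regs = {}
    for line in dump.splitlines():
        m = REG_LINE.match(line)
        if m:
            regs[m.group(1)] = int(m.group(2), 16)
    return regs

def faulting_instruction(dump):
    """Return (address, mnemonic text) of the '►'-marked instruction."""
    for line in dump.splitlines():
        m = FAULT_LINE.match(line)
        if m:
            return int(m.group(1), 16), m.group(2).strip()
    return None

def classify_fault(dump, low_page=0x1000):
    """Classify the crash as a null-page read or another invalid access."""
    regs = parse_registers(dump)
    fault = faulting_instruction(dump)
    if fault is None:
        return {"kind": "unknown", "reason": "no faulting instruction marker"}
    addr, insn = fault
    m = MEM_OPERAND.search(insn)
    if not m:
        return {"kind": "unknown", "reason": "no memory operand", "insn": insn}
    base = m.group(1).upper()
    disp = int(m.group(2), 0) if m.group(2) else 0
    if base not in regs:
        return {"kind": "unknown", "reason": f"{base} missing from dump"}
    target = regs[base] + disp  # rip-relative operands are not adjusted here
    kind = "null-deref" if target < low_page else "invalid-access"
    return {"kind": kind, "rip": addr, "insn": insn, "base": base, "target": target}
```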