Nan ZoE <zoen...@gmail.com> wrote:
> In comparison, a more straightforward example is the "as" program. The ROP
> payload
> <https://anonymous.4open.science/r/roptest-benchmark-00F7/rop_example/openbsd-73/as.bin.script>
> for this program is relatively simple, and it can also achieve the ROP target
> of calling execve("/bin/sh", 0, 0).
In this dynamically linked program, how do you find the VERY SPECIFIC "syscall" instruction inside _sys_execve inside per-boot-unique libc.so.* which is mapped at a random address by ld.so every time you run it, and then how do you ensure that specific address is in the ROP sequence in the stack? You cannot point at an arbitrary "syscall" instruction. It must be precisely that instruction, due to pinsyscall(2) use. You do this offline, ahead of time? You cannot do it at runtime, because you cannot explore the text segment because it is non-readable, unless your machine is old and lacks PKU.

I suspect you have disabled additional mitigations, and are not mentioning those requirements. That's not testing OpenBSD. That's testing against your own fork of OpenBSD.