Homebrew Exploit Development?

  • Thread starter: gudenau
  • Views: 1,985
  • Replies: 6
I recall smea posting pics of this weird pcboard contraption he made that he had soldered to the internals of the ds, so he could push commands, get ram info, not really sure. You want to talk to like smea, yellows8, yifanlu.. those dudes. They're the 733t h4x0rs.
 
Let's say I have a crash, and it just happens to lead to ROP. How would I go about finding gadgets, how would I get a dump; or make one from the cia/3ds?
You'd need a bug that specifically writes user-controlled data onto the stack in order to overwrite the return address for the function you're in and gain execution. Once you've pinpointed exactly where your data is getting written to, you'll know how to generally format your ROP. Knowing how much space to have between the beginning of whatever data you're dealing with and the start of your ROP can be a pain.
Before finding gadgets, you'll need to know the functions you're dealing with for your exploit. gspwn for basic code execution will work with GSP funcs, for example. You need functions to pop the registers needed for your goals (search for pop {whatever you need} and use that address) and occasionally memory load/store funcs (find regs being loaded from/stored to immediately before the return). When jumping to a full-blown function, make sure you're jumping after the function prologue, or you'll ruin the stack. Also keep an eye on thumb vs arm addresses. For stuff ending in bx lr instead of pop {pc}, you'll need to find a gadget/set of gadgets for setting lr first.
From there, ROP is pretty much just "writing the stack." You're doing some kinda-weird asm, basically.
 
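To make the gadget-hunting part of that reply concrete, here is a small added example (my own code, written for this thread, not from any poster and not a real 3DS tool). It scans a code dump for the three return sequences the reply names, `pop {..., pc}` in Thumb and ARM encodings and `bx lr`, records whether the gadget needs `lr` set up first, and shows why a Thumb gadget's address must carry the low bit. The two byte strings and the base addresses 0x00100000 / 0x00200000 are constructed stand-ins for a dumped code region, not values from any real firmware.

```python
"""Recognise ROP-style return sequences in little-endian ARM/Thumb code.

Constructed example: the blobs below are hand-assembled, not a dump.
Encodings checked (ARMv7 ARM/Thumb reference manual):
  Thumb POP  (T1): 1011 110 P reglist8   -> (h & 0xFE00) == 0xBC00, P = bit 8
  Thumb BX lr    : 0x4770
  ARM   POP      : LDMIA sp!, {reglist}  -> 0xE8BD0000 | reglist16
  ARM   BX lr    : 0xE12FFF1E
"""
import struct
from dataclasses import dataclass

REG_NAMES = [f"r{i}" for i in range(13)] + ["sp", "lr", "pc"]


def reglist_names(bits: int, nregs: int) -> list:
    """Expand a register-list bitmask into names, lowest register first."""
    return [REG_NAMES[i] for i in range(nregs) if bits & (1 << i)]


@dataclass
class Gadget:
    address: int   # byte address of the instruction in the dump
    mode: str      # "thumb" or "arm"
    text: str      # decoded mnemonic
    needs_lr: bool # True for bx lr: lr must already hold the next address

    def jump_target(self) -> int:
        # A branch into Thumb code must have bit 0 set; ARM targets are even.
        return self.address | 1 if self.mode == "thumb" else self.address


def decode_thumb16(h: int):
    """Return mnemonic text if this 16-bit Thumb halfword is a return gadget."""
    if (h & 0xFE00) == 0xBC00 and (h & 0x0100):          # POP with P (pc) bit
        return "pop {" + ", ".join(reglist_names(h & 0xFF, 8) + ["pc"]) + "}"
    if h == 0x4770:                                       # BX lr
        return "bx lr"
    return None


def decode_arm32(w: int):
    """Return mnemonic text if this 32-bit ARM word is a return gadget."""
    if (w & 0xFFFF0000) == 0xE8BD0000 and (w & 0x8000):   # LDMIA sp!, {.., pc}
        return "pop {" + ", ".join(reglist_names(w & 0xFFFF, 16)) + "}"
    if w == 0xE12FFF1E:                                   # BX lr
        return "bx lr"
    return None


def find_gadgets(blob: bytes, base: int, mode: str) -> list:
    """Scan a code region at its natural instruction alignment."""
    gadgets = []
    if mode == "thumb":
        for off in range(0, len(blob) - 1, 2):
            text = decode_thumb16(struct.unpack_from("<H", blob, off)[0])
            if text:
                gadgets.append(Gadget(base + off, "thumb", text, text == "bx lr"))
    elif mode == "arm":
        for off in range(0, len(blob) - 3, 4):
            text = decode_arm32(struct.unpack_from("<I", blob, off)[0])
            if text:
                gadgets.append(Gadget(base + off, "arm", text, text == "bx lr"))
    else:
        raise ValueError("mode must be 'thumb' or 'arm'")
    return gadgets


# Constructed Thumb region: movs r0,#0 / pop {r4,pc} / bx lr / pop {r0} / pop {r4-r6,pc}
THUMB_BASE = 0x00100000
THUMB_BLOB = struct.pack("<5H", 0x2000, 0xBD10, 0x4770, 0xBC01, 0xBD70)

# Constructed ARM region: pop {r4,pc} / bx lr / pop {r4} (no pc) / pop {r4-r11,pc}
ARM_BASE = 0x00200000
ARM_BLOB = struct.pack("<4I", 0xE8BD8010, 0xE12FFF1E, 0xE8BD0010, 0xE8BD8FF0)


if __name__ == "__main__":
    for blob, base, mode in ((THUMB_BLOB, THUMB_BASE, "thumb"), (ARM_BLOB, ARM_BASE, "arm")):
        for g in find_gadgets(blob, base, mode):
            note = " (set lr first)" if g.needs_lr else ""
            print(f"{g.mode:5} {g.address:#010x} -> jump {g.jump_target():#010x}: {g.text}{note}")
```

Note what the scan deliberately skips: `pop {r0}` and `pop {r4}` without `pc` return nothing, because a chain cannot continue through them, and the `bx lr` hits are flagged so the reader sees why the reply says those need an `lr`-setting gadget in front. Real dumps also contain unintended gadgets at odd offsets inside longer instructions; this example only walks aligned instruction boundaries to keep the decoding honest.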
But how do I get memory for finding the gadgets?
 
So basically just keep hammering buttons until something happens, right?
 