pop ds; ret gadgets are not properly handled. #98

Closed
astewart-bah opened this issue Apr 15, 2024 · 3 comments

@astewart-bah
Contributor

Description

angrop assumes that "pop ds; ret;" gadgets are acceptable for shifting 8 bytes on the stack. This is a bad assumption, and causes failed chains.

The below is the output of the included example scripts.

Since a "pop ds; ret;" gadget appeared early in the binary, it appears to be the default gadget for shifting 8 bytes on the stack.
This is the result of rop.shift(8):
code_base = 0x0
chain = b""
chain += p32(code_base + 0x11fd)	# pop ds; ret 
chain += p32(0x0)

Now when we try to build a chain for a function call that only takes 1 argument, the stack needs to shift 8 bytes to clean up the argument off of the stack.
This chain calls close(0) followed by exit(0):
code_base = 0x0
chain = b""
chain += p32(code_base + 0x1060)	# close@plt
chain += p32(code_base + 0x11fd)	# pop ds; ret 
chain += p32(0x0)
chain += p32(code_base + 0x1050)	# exit@plt
chain += p32(code_base + 0x11fd)	# pop ds; ret 
chain += p32(0x0)

The chain will fail. There is a cheat to see this failure by uncommenting the call to show_failure_scenario() in test.c.

Steps to reproduce the bug

angrop_issue_pop_ds.zip

Attached is a zip file. Unzip and run ./start.sh.

This will build the included binary, init a python venv, install angr and angrop, and run the example python script. This will print out the above description.

Environment

Tested on Ubuntu 22.04 with Python 3.10.

Additional context

No response
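As an added illustration of the failure mode described above (constructed example code, not angrop's implementation and not the fix in #99), the filter below computes each candidate gadget's stack delta and rejects any gadget that pops into a segment register, so a "pop ds; ret" found early in the binary is never selected as the 8-byte shift. The gadget strings and the list they are drawn from are constructed for the example.

```python
import re

# Constructed example modelled on this issue; not angrop's code or the #99 fix.
# Gadgets are "insn; insn; ..." strings for 32-bit x86.
SEGMENT_REGS = {"cs", "ds", "es", "fs", "gs", "ss"}
SLOT = 4  # one 32-bit stack slot
_IMM = r"(0x[0-9a-fA-F]+|\d+)"


def stack_delta(gadget: str) -> int:
    """Bytes by which esp has grown once the gadget's final ret has executed."""
    delta = 0
    for insn in (i.strip() for i in gadget.split(";") if i.strip()):
        if insn == "ret":
            delta += SLOT
        elif m := re.fullmatch(r"ret\s+" + _IMM, insn):
            delta += SLOT + int(m.group(1), 0)  # ret imm16 also discards imm bytes
        elif insn.startswith("pop "):
            delta += SLOT
        elif m := re.fullmatch(r"add\s+esp,\s*" + _IMM, insn):
            delta += int(m.group(1), 0)
        else:
            raise ValueError(f"unmodelled instruction: {insn!r}")
    return delta


def clobbers_segment_register(gadget: str) -> bool:
    """True if any pop in the gadget targets a segment register.

    "pop ds" loads the popped slot into the data-segment selector. The 0x0 the
    report's chain places there is a null selector: the load itself succeeds,
    but the next DS-relative memory access (here exit@plt's GOT jump) faults.
    """
    return any(i.strip().startswith("pop ") and i.strip()[4:].strip() in SEGMENT_REGS
               for i in gadget.split(";"))


def usable_shift_gadgets(gadgets, shift):
    """Gadgets that move esp by exactly `shift` bytes without touching a segment register."""
    return [g for g in gadgets
            if stack_delta(g) == shift and not clobbers_segment_register(g)]


# Constructed gadget list: as in the issue, "pop ds; ret" appears first.
GADGETS = ["pop ds; ret", "pop ebx; ret", "add esp, 4; ret",
           "ret 4", "pop edi; pop esi; ret"]
```

With this filter, rop.shift(8) would draw from "pop ebx; ret", "add esp, 4; ret" or "ret 4", none of which disturbs DS between close@plt and exit@plt.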

@Kyle-Kyle
Collaborator

I encountered this as well and thought I already fixed it. But apparently I haven't. Looking into it.

@Kyle-Kyle
Collaborator

the patch can be found at #99

@Kyle-Kyle
Collaborator

should be fixed by the patch
