Wrong implementation in rop.migrate()

[bruce30262]

here's how pwntools create the ROP chain for stack migration (using the leave ; ret gadget):

    elif pop_bp and leave and len(pop_bp.regs) == 1:
        self.raw(pop_bp)
        self.raw(next_base - 4) # <-- what about x64 binary ?
        self.raw(leave)

As you can see it set the bp register to next_base-4, then use the leave;ret gadget to migrate the stack to next_base. This work in x86 binaries, but not in x64 binaries ( would have to be self.raw(next_base-8) not self.raw(next_base - 4) )

[zachriggle]

99% of the ROP functionality only works on amd64.

If you make this change locally (to next_base - context.bytes), does the pivot actually work?

[bruce30262]

I found this bug when I was doing a CTF challenge, which I need to do stack migration in a x64 binary.
If I use the original function (rop.migrate(buf)), it will migrate the stack to the wrong address, causing the exploit crash the program. I ended up writing my own function to make the exploit work, something like:

def migrate(buf):
    rop.raw(pop_rbp)
    rop.raw(buf-0x8)
    rop.raw(leave)

So yes I think if we change it to next_base - context.bytes if will migrate the stack to the right position ( at least for x86 & x64 binary )