ROP on MIPS Doesn’t Land Where Calculated
I am working on exploiting an application on MIPS to further my knowledge of ROP chaining. The library I am trying to build a ROP chain in is `libuClibc-0.9.30.3.so`. Using Ropper, I found a gadget that I want to use. The offset is marked as `0x0002a730`, and the instructions that Ropper shows are `lw $v1, 0x1c($sp); lw $ra, 0x24($sp); nop; jr $ra; addiu $sp, $sp, 0x28;`.

The way I understand it, I add this offset to the base address of `libuClibc-0.9.30.3.so` to get the actual instruction address. I ran `cat /proc/<pid>/maps` to find the base address of `libuClibc-0.9.30.3.so` as `0x2aab1000`. I also ran the program numerous times, listing `show proc mappings` in `gdb`, and found that this address doesn't appear to change between executions of the application. So I am assuming that this application doesn't utilize ASLR. I also believe this to be true because `file` doesn't say the program was compiled with `PIE` enabled. Additionally, jumping to the location at `0x2aab1000 + 0x0002a730` is consistently the same, which all points to this conclusion.

However, the instruction that gets executed is not the instruction I intend to have executed when the code jumps to that location. Any pointers for things to double-check, or potential issues with my logic, are much appreciated.
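A sanity check for the base-plus-offset arithmetic the question relies on, written as an added example (it is not the poster's code and was not run against their target): it parses `/proc/<pid>/maps` lines, takes the library's load base from the mapping whose file offset is 0 (assuming, as is usual for a shared object, that the first `PT_LOAD` segment has virtual address 0), and confirms that the computed address actually falls inside an executable (`r-x`) mapping of that library rather than in a data page, a guard gap or unmapped memory. The maps lines are constructed to resemble the layout described above.

```python
"""Check a library-relative offset against /proc/<pid>/maps.

The maps text below is constructed for this example; it mimics the base
address 0x2aab1000 from the question but is not captured from any target.
"""
from dataclasses import dataclass

CONSTRUCTED_MAPS = """\
00400000-00410000 r-xp 00000000 1f:02 77 /usr/bin/app
00420000-00421000 rw-p 00010000 1f:02 77 /usr/bin/app
2aab1000-2aafe000 r-xp 00000000 1f:02 123 /lib/libuClibc-0.9.30.3.so
2aafe000-2ab3d000 ---p 0004d000 1f:02 123 /lib/libuClibc-0.9.30.3.so
2ab3d000-2ab41000 rw-p 0004c000 1f:02 123 /lib/libuClibc-0.9.30.3.so
7fff0000-7fff8000 rwxp 00000000 00:00 0 [stack]
"""


@dataclass
class Mapping:
    start: int
    end: int
    perms: str
    offset: int   # file offset this mapping starts at
    path: str


def parse_maps(text: str) -> list[Mapping]:
    """Parse the whitespace-separated /proc/<pid>/maps format."""
    maps = []
    for line in text.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 5:
            continue  # skip blank or malformed lines
        addr, perms, off, _dev, _inode = parts[:5]
        path = parts[5].strip() if len(parts) > 5 else ""
        start, end = (int(x, 16) for x in addr.split("-"))
        maps.append(Mapping(start, end, perms, int(off, 16), path))
    return maps


def library_base(maps: list[Mapping], name: str) -> int:
    """Load base: start of the library mapping whose file offset is 0.

    Assumption: the object's first PT_LOAD has p_vaddr 0, so that mapping
    start is the value library-relative offsets must be added to.
    """
    for m in maps:
        if m.path.endswith(name) and m.offset == 0:
            return m.start
    raise LookupError(f"{name} not found in maps")


def resolve(maps: list[Mapping], name: str, offset: int) -> int:
    """Return base + offset, but only if it lands in executable code of `name`.

    Raises ValueError when the address is in a non-executable page of the
    library, in a different mapping, or not mapped at all.
    """
    addr = library_base(maps, name) + offset
    for m in maps:
        if m.start <= addr < m.end:
            if m.path.endswith(name) and "x" in m.perms:
                return addr
            where = m.path or "[anon]"
            raise ValueError(f"{addr:#x} lands in {m.perms} {where}, not executable code of {name}")
    raise ValueError(f"{addr:#x} is not mapped")


if __name__ == "__main__":
    maps = parse_maps(CONSTRUCTED_MAPS)
    lib = "libuClibc-0.9.30.3.so"
    print(f"base of {lib}: {library_base(maps, lib):#x}")
    for off in (0x0002a730, 0x8c000, 0x90000):
        try:
            print(f"offset {off:#x} -> {resolve(maps, lib, off):#x} (executable)")
        except ValueError as e:
            print(f"offset {off:#x} -> rejected: {e}")
```

If the check passes and the wrong instruction still executes, the address arithmetic is not the problem and attention should move to what the `maps` line cannot show, such as the bytes actually present at that address in the running process versus in the file on disk.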