Gadgets from non-executable pages returned

[k4lizen]

I was doing this challenge: https://2020.ctf.link/assets/files/kernel-rop-bf9c106d45917343.tar.xz
and the gadget 0xffffffff8246dc83: push rax; ret; is returned for the extracted vmlinux. I used it in a ROP chain and got
[ 2.990604] kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
so the gadget is stored in a NX page. Without the gadget, the script works and there is no error.

Its hard to tell which gadgets are in NX pages just by looking at the addresses, since there are hundereds / thousands of duplicates in the kernel image, there should be some way to filter them out.

[Ben-Lichtman]

The easy workaround to this is to filter by address ranges.

Is there an easy way to determine which pages are executable otherwise?

[k4lizen]

pwntools may have something like that, I know it fetches some information about an elf by patching it to read /proc/self/maps and running it once. Not sure if that would work on the kernel though which is my usecase.
This may be interesting:

• https://docs.pwntools.com/en/stable/elf/elf.html#pwnlib.elf.elf.ELF.get_segment_for_address
• https://docs.pwntools.com/en/stable/elf/elf.html#pwnlib.elf.elf.ELF.executable_segments
• https://docs.pwntools.com/en/dev/elf/elf.html#pwnlib.elf.elf.ELF.maps

The easy workaround to this is to filter by address ranges.

But how do I know which address ranges are executable? By debugging the kernel? I haven't tried filtering by looking at the memory mappings but it sounds non-trivial