
exe.libc (ELF) always None for 32bit binaries

Open martinclauss opened this issue 4 years ago • 4 comments

Hello! :)

I encountered a problem with this code and a 32bit binary:

#!/usr/bin/python3

from pwn import *

# exploitme is a 32bit binary
exe = ELF("./exploitme", checksec=False)

# will abort due to libc being None
assert exe.libc

"""
output of ldd:

ldd exploitme
	linux-gate.so.1 (0xf7fa1000)
	libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xf7dab000)
	/lib/ld-linux.so.2 (0xf7fa3000)

"""

I tested it with multiple 32bit binaries... so maybe it's a problem with the bitness. 64bit binaries work just fine ;)

I attached the Python script and the 32bit binary: libc_none.zip

pwntools version is 4.3.1 (installed via pip install pwntools)

Thanks!

martinclauss avatar Feb 11 '21 06:02 martinclauss

I'd like to just note that the script attached Works On My Machine (wsl | pwntools 4.5.0dev)

152334H avatar Feb 12 '21 07:02 152334H

@152334H That's interesting. I also tried pwntools-4.5.0.dev0 with Fedora 32 and Kali Linux and the error stays the same... Seems that Microsoft has better support for pwntools :D Just kidding ;)

martinclauss avatar Feb 12 '21 09:02 martinclauss

Might be related to #1871; the simple test for the bug is running pwn shellcraft -r amd64.linux.cat /proc/self/maps on the command line.

Arusekk avatar Apr 28 '21 22:04 Arusekk

Hello again :)

I just came across this issue again because I forgot about this bug ;)

Would it be possible to temporarily use some other shellcode for cat to avoid the sendfile problem? It would be nice to get access to the libs, especially the path of libc. For example:

#!/usr/bin/env python3

from pwn import *

elf = context.binary = ELF("/test.bin", checksec=False)


def patch():
    # pwntools keeps the per-architecture "cat /proc/self/maps; exit"
    # shellcode that ELF.libs runs in this table; override the amd64 entry.
    from pwnlib.elf import maps

    assert context.arch == "amd64"

    filename = "/proc/self/maps"
    fd_out = 1  # stdout

    # open() the maps file, read() up to 0x1000 bytes onto the stack,
    # write() them to stdout and exit(); no sendfile involved.
    cat_shellcode = shellcraft.open(filename)
    cat_shellcode += shellcraft.read("rax", "rsp", 0x1000)
    cat_shellcode += shellcraft.write(fd_out, "rsp", "rax")
    cat_shellcode += shellcraft.exit(0)

    # the table stores the assembled shellcode as a hex string
    maps.CAT_PROC_MAPS_EXIT[context.arch] = enhex(asm(cat_shellcode))


patch()

print(elf.libs)
print(elf.libc.path)

This example obviously just works for amd64 but could be adapted for other architectures as well.

So in the end it would just be a change to this line https://github.com/Gallopsled/pwntools/blob/ddeddd455e9e1f9c4cfd2e4deea437626f6d03ef/pwnlib/elf/elf.py#L778 where the above shellcode (different for each architecture) can be used.

What do you think? :)

martinclauss avatar Nov 11 '21 11:11 martinclauss

This was fixed in https://github.com/Gallopsled/pwntools/pull/1995

peace-maker avatar Jul 27 '23 21:07 peace-maker