
add ".plt.sec" to search section #1577

Merged
merged 2 commits into from Jun 14, 2020

Conversation

shift-crops
Contributor

@shift-crops shift-crops commented Jun 11, 2020

Hi,
It is now necessary to load PLT symbols from ".plt.sec" as well.
ELFs built in this environment use ".plt.sec" instead of ".plt" by default.

Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/9/lto-wrapper
OFFLOAD_TARGET_NAMES=nvptx-none:hsa
OFFLOAD_TARGET_DEFAULT=1
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Ubuntu 9.3.0-10ubuntu2' --with-bugurl=file:///usr/share/doc/gcc-9/README.Bugs --enable-languages=c,ada,c++,go,brig,d,fortran,objc,obj-c++,gm2 --prefix=/usr --with-gcc-major-version-only --program-suffix=-9 --program-prefix=x86_64-linux-gnu- --enable-shared --enable-linker-build-id --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --libdir=/usr/lib --enable-nls --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --with-default-libstdcxx-abi=new --enable-gnu-unique-object --disable-vtable-verify --enable-plugin --enable-default-pie --with-system-zlib --with-target-system-zlib=auto --enable-objc-gc=auto --enable-multiarch --disable-werror --with-arch-32=i686 --with-abi=m64 --with-multilib-list=m32,m64,mx32 --enable-multilib --with-tune=generic --enable-offload-targets=nvptx-none,hsa --without-cuda-driver --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu
Thread model: posix
gcc version 9.3.0 (Ubuntu 9.3.0-10ubuntu2)

I tested on Ubuntu 20.04

  • Default
$ gcc test.c
$ objdump --no-show-raw-insn -M intel -j .plt -j .plt.sec -d a.out
a.out:     file format elf64-x86-64

Disassembly of section .plt:

0000000000001020 <.plt>:
    1020:       push   QWORD PTR [rip+0x2f9a]        # 3fc0 <_GLOBAL_OFFSET_TABLE_+0x8>
    1026:       bnd jmp QWORD PTR [rip+0x2f9b]        # 3fc8 <_GLOBAL_OFFSET_TABLE_+0x10>
    102d:       nop    DWORD PTR [rax]
    1030:       endbr64 
    1034:       push   0x0
    1039:       bnd jmp 1020 <.plt>
    103f:       nop

Disassembly of section .plt.sec:

0000000000001050 <puts@plt>:
    1050:       endbr64 
    1054:       bnd jmp QWORD PTR [rip+0x2f75]        # 3fd0 <puts@GLIBC_2.2.5>
    105b:       nop    DWORD PTR [rax+rax*1+0x0]
  • -fcf-protection=none
$ gcc test.c -fcf-protection=none
$ objdump --no-show-raw-insn -M intel -j .plt -d a.out
a.out:     file format elf64-x86-64

Disassembly of section .plt:

0000000000001020 <.plt>:
    1020:       push   QWORD PTR [rip+0x2f9a]        # 3fc0 <_GLOBAL_OFFSET_TABLE_+0x8>
    1026:       jmp    QWORD PTR [rip+0x2f9c]        # 3fc8 <_GLOBAL_OFFSET_TABLE_+0x10>
    102c:       nop    DWORD PTR [rax+0x0]

0000000000001030 <puts@plt>:
    1030:       jmp    QWORD PTR [rip+0x2f9a]        # 3fd0 <puts@GLIBC_2.2.5>
    1036:       push   0x0
    103b:       jmp    1020 <.plt>

@Arusekk
Member

Arusekk commented Jun 11, 2020

LGTM, could you provide compilation parameters for crafting a test case?

@shift-crops
Contributor Author

These commands craft the test case.
test.c should have at least one libc function call.

  • w/ .plt.sec

    • gcc test.c
    • gcc test.c -fcf-protection=full
    • gcc test.c -fcf-protection=branch
  • w/o .plt.sec

    • gcc test.c -fcf-protection=return
    • gcc test.c -fcf-protection=none

@heapcrash
Collaborator

heapcrash commented Jun 13, 2020

Can you add the resulting binaries to pwnlib/data/elf so they get tested? Thanks!

It looks like the tests are automatically grabbed here:

        >>> path = pwnlib.data.elf.relro.path
        >>> for test in glob(os.path.join(path, 'test-*')):
        ...     e = ELF(test)
        ...     expected = os.path.basename(test).split('-')[2]
        ...     actual = str(e.relro).lower()
        ...     assert actual == expected
        """

They'll need to be named appropriately based on whether they have e.g. RELRO or writable GOT.

@shift-crops
Contributor Author

shift-crops commented Jun 14, 2020

I named these test binaries -cfp because they derive from the -fcf-protection option.
If it's not appropriate, please change the name.

They should behave the same as the test binaries that were originally there.

@Arusekk Arusekk merged commit 09caa4b into Gallopsled:dev Jun 14, 2020