Fixes #538 - breakrva on symlink targets #539
Conversation
Fixes a bug with `breakrva` and `brva` commands and adds some more explanation on how certain things works: * `info auxv` or to be more specific: AUXV's `ET_EXECFN` holds path to the executable, but if it is a symlink, it is not dereferenced * because of that we need to call `readlink` in `get_exe_name` in pie.py
| @@ -245,7 +245,7 @@ def walk_stack2(offset=0): | |||
|
|
|||
| return auxv | |||
|
|
|||
| def get_execfn(): | |||
| def _get_execfn(): | |||
There was a problem hiding this comment.
I renamed this as this function is internal to the file and should not be used outside.
| # On the other hand, the vmmap, if taken from /proc/pid/maps will contain | ||
| # the absolute and real path of the binary (after symlinks). | ||
| # And so we have to read this path here. | ||
| real_path = pwndbg.file.readlink(path) |
There was a problem hiding this comment.
The pwndbg.file.readlink should work on local, remote, qemu etc. See https://github.com/pwndbg/pwndbg/blob/dev/pwndbg/file.py#L68-L74
There was a problem hiding this comment.
We might also just be able to read /proc/self/exe, versus using AT_EXECFN. I think the only reason we don't do that is for QEMU, since it can't emulate what we see.
Perhaps we should check for QEMU first, and just use /proc/self/exe otherwise?
|
TODO / FIXME for me:
|
|
Just tested this locally on a symlinked binary, and it works for me. Ideally we should test this on QEMU and remote too, but assuming the |
| # On the other hand, the vmmap, if taken from /proc/pid/maps will contain | ||
| # the absolute and real path of the binary (after symlinks). | ||
| # And so we have to read this path here. | ||
| real_path = pwndbg.file.readlink(path) |
There was a problem hiding this comment.
We might also just be able to read /proc/self/exe, versus using AT_EXECFN. I think the only reason we don't do that is for QEMU, since it can't emulate what we see.
Perhaps we should check for QEMU first, and just use /proc/self/exe otherwise?
|
@zachriggle lol, a test on qemu launched with Without pwndbg: With pwndbg there is no memory page for the binary in |
|
@zachriggle any hint how to debug PIE binaries with qemu? :| |
|
The horrible handling of PIE is one of my greatest frustrations with gdb as opposed to windows debuggers. |
|
@ecx86 That's probably a lot of work. It would be nice to research qemu more and see if we can do sth with rebasing in there. Maybe they rebase binary to the same address each time? [wishful thinking, heh] |
|
Rebasing isnt a good option because it makes the address space unrealistic
if PIE and ASLR are on.
…On Tue, Oct 16, 2018 at 04:02 Disconnect3d ***@***.***> wrote:
@ecx86 <https://github.com/ecx86> That's probably a lot of work. It would
be nice to research qemu more and see if we can do sth with rebasing in
there... :\
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#539 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/APrQvVrTG7wuO_nMmfyeYHKRFcjA6R2Uks5ulZJ8gaJpZM4XPMys>
.
|
|
@ecx86 What do you mean by unrealistic address space? Why? Oh, I meant, that we need to be able to find out the address the code will reside in. |
|
For example, when developing an exploit, if the target system uses PIE and
ASLR, some people prefer to keep PIE and ASLR on during debugging to avoid
making bad assumptions.
…On Tue, Oct 16, 2018 at 12:07 ecx dev ***@***.***> wrote:
Rebasing isnt a good option because it makes the address space unrealistic
if PIE and ASLR are on.
On Tue, Oct 16, 2018 at 04:02 Disconnect3d ***@***.***>
wrote:
> @ecx86 <https://github.com/ecx86> That's probably a lot of work. It
> would be nice to research qemu more and see if we can do sth with rebasing
> in there... :\
>
> —
> You are receiving this because you were mentioned.
>
>
> Reply to this email directly, view it on GitHub
> <#539 (comment)>, or mute
> the thread
> <https://github.com/notifications/unsubscribe-auth/APrQvVrTG7wuO_nMmfyeYHKRFcjA6R2Uks5ulZJ8gaJpZM4XPMys>
> .
>
|
|
@ecx86 Oh I totally understand that point. Still, you usually test without ASLR and just make your exploit not assume this. However yeah, there might be situations where u need aslr/pie as you want to check out if your (partial) brute force works. Anyway, I would rather accept a case where we disable ASLR to make things easier for pwndbg on qemu.. 🤕 I asked on qemu irc whether it is possible to find out the address that qemu will put the binary on. |
|
Note to self or anyone who is willing to help: look through #168 - maybe we can get the image base address (after aslr randomization) from there? |
|
Merged as it stayed here for so long. Not sure if things could be done better, we may find it out in the future if this or similar things pops out. |
Fixes a bug with
breakrvaandbrvacommands reported in #538 and adds some moreexplanation on how certain things works:
info auxvor to be more specific: AUXV'sET_EXECFNholds path tothe executable, but if it is a symlink, it is not dereferenced
readlinkinget_exe_namein pie.py