
Fix ret2csu with PIE binaries #2158

Merged
merged 5 commits into from
Jul 17, 2023

Conversation

Jakub259
Copy link
Contributor

@Jakub259 Jakub259 commented Jan 14, 2023

Pwntools Pull Request

Please provide a high-level explanation of what this pull request is for.

Fix indentation to enable use of ret2csu with PIE ELFs

Reproduction

Save to script.py

from pwn import *

context.clear(binary=pwnlib.data.elf.get("./attachments/chall"))
rop = ROP(context.binary)
rop.ret2csu(0,1,2,3,4,5,6,7,8,9)
print(rop.dump())

Run with stable pwntools

wget https://idekctf-challenges.storage.googleapis.com/uploads/14d19059835451f069fc575d8b2b9818a1fc2e5c254fc1c36218e6220d29bdb1/typop.tar
tar xf typop.tar
python3 script.py

Output:

...
[ERROR] No non-library binaries in [elfs]
Traceback (most recent call last):
  File "/var/home/user/pwntools/1.py", line 5, in <module>
    rop.ret2csu(0,1,2,3,4,5,6,7,8,9)
  File "/var/home/user/pwntools/pwnlib/rop/rop.py", line 1533, in ret2csu
    log.error('No non-library binaries in [elfs]')
  File "/var/home/user/pwntools/pwnlib/log.py", line 439, in error
    raise PwnlibException(message % args)
pwnlib.exception.PwnlibException: No non-library binaries in [elfs]
...

Fix

Run script again with indentation in pwntools library fixed

python3 script.py

Output:
script prints ropchain dump.

Testing

Pull Requests that introduce new code should try to add doctests for that code. See TESTING.md for more information.

n/a - I am not introducing new code

Target Branch

Depending on what the PR is for, it needs to target a different branch.

  • stable | Bug fixes that affect the current stable branch

@Arusekk
Copy link
Member

Arusekk commented Jan 14, 2023

This is not correct in all cases. We need to find any ELF with __libc_csu_init, preferably not a library.

@peace-maker
Copy link
Member

Your change would raise the exception on the first binary in the list of binaries passed to the ROP constructor that doesn't have a __libc_csu_init. The correct fix would be to move the else: block down to the if-else chain checking the nonpie and csu variables and remove the if elf.pie: check around it, I think.

Do you want to work on that?

@peace-maker
Copy link
Member

@Arusekk what do you think of this fix?

@peace-maker peace-maker changed the title fix indentation Fix ret2csu with PIE binaries Jul 9, 2023
@Arusekk Arusekk added the rop Return Oriented Programming manipulation routines label Jul 9, 2023
@Arusekk
Copy link
Member

Arusekk commented Jul 15, 2023

This is a good idea, but it does not work, as you can see in the test log.

@peace-maker
Copy link
Member

Oh, nonpie is never assigned. That assignment should be above the if? Do you want to fix it?

That code looks like an oversight after some refactoring🙈
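The two review points above (the error branch sitting inside the per-ELF loop, and the nonpie variable never being assigned) are easiest to see side by side. The following is an added illustration, not pwntools' own code: FakeELF, select_csu_elf_buggy, select_csu_elf and selection_outcome are hypothetical names, the sample ELF list is constructed, and the real ROP.ret2csu in pwnlib may order its checks differently.

```python
# Added illustration (not pwntools' own code): the ELF-selection step that
# ret2csu needs, written two ways to show the behaviour discussed in this
# thread. Names such as FakeELF, select_csu_elf_buggy and select_csu_elf are
# hypothetical; pwnlib's real ROP.ret2csu may order its checks differently.
from dataclasses import dataclass, field


@dataclass
class FakeELF:
    """Constructed stand-in for pwnlib.elf.ELF with only the attributes this
    selection logic reads (pwnlib's ELF exposes .pie, .library and .symbols)."""
    path: str
    pie: bool
    library: bool
    symbols: dict = field(default_factory=dict)


class NoCsuError(Exception):
    """Stand-in for the PwnlibException that log.error() raises in pwntools."""


def select_csu_elf_buggy(elfs):
    """Shape of the bug the review comment objects to: the error branch sits
    inside the per-ELF loop, so the first ELF without __libc_csu_init aborts
    the search even when a later ELF in the list would have served."""
    for elf in elfs:
        if '__libc_csu_init' in elf.symbols:
            if not elf.library:
                return elf
        else:
            raise NoCsuError('No non-library binaries in [elfs]')
    raise NoCsuError('No non-library binaries in [elfs]')


def select_csu_elf(elfs):
    """Corrected shape: every ELF is inspected, candidates are remembered by
    preference, and the error is raised only after the whole list is seen.
    Both candidate variables are assigned before the loop, which is the second
    point raised in the thread (a never-assigned 'nonpie' would NameError)."""
    # Name kept from the thread; once the elf.pie check is gone it holds
    # any non-library binary that has __libc_csu_init, PIE or not.
    nonpie = None
    # Fallback: any ELF with __libc_csu_init, e.g. a library build that keeps it.
    csu = None
    for elf in elfs:
        if '__libc_csu_init' not in elf.symbols:
            continue                    # keep scanning instead of erroring out
        if not elf.library and nonpie is None:
            nonpie = elf
        if csu is None:
            csu = elf
    if nonpie is not None:
        return nonpie
    elif csu is not None:
        return csu
    raise NoCsuError('No ELF with __libc_csu_init in [elfs]')


def selection_outcome(select, elfs):
    """Return the chosen path, or the error text, so both variants can be
    compared side by side."""
    try:
        return select(elfs).path
    except NoCsuError as exc:
        return 'error: %s' % exc


# Constructed sample: a dynamic loader without __libc_csu_init listed before a
# PIE challenge binary that has it (mirrors the PR's reproduction scenario).
SAMPLE_ELFS = [
    FakeELF('ld-linux-x86-64.so.2', pie=True, library=True),
    FakeELF('chall', pie=True, library=False,
            symbols={'__libc_csu_init': 0x1230, 'main': 0x1189}),
]

if __name__ == '__main__':
    print('buggy:', selection_outcome(select_csu_elf_buggy, SAMPLE_ELFS))
    print('fixed:', selection_outcome(select_csu_elf, SAMPLE_ELFS))
```

With the sample list the buggy variant errors out on the loader before it ever reaches the PIE binary, while the corrected variant returns the PIE binary; reordering the list does not change the corrected result, which is the property a caller passing several ELFs to ROP() relies on.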

@Arusekk Arusekk enabled auto-merge (squash) July 17, 2023 10:01
@Arusekk Arusekk merged commit d679252 into Gallopsled:stable Jul 17, 2023
7 of 8 checks passed