Gallopsled / pwntools

CTF framework and exploit development library
http://pwntools.com

pwn libcdb file fails if binary doesn't contain b'/bin/sh\x00' #2306

Closed xambroz closed 10 months ago

xambroz commented 10 months ago

Hello, the "pwn libcdb file /[something]" is crashing depending on whether or not the binary contains the string b'/bin/sh\x00'.

This works:

$ pwn libcdb file /bin/bash
[*] bash
    BuildID:     e1da91a3e72343eb054c8c69a8d6b4240acb8b10
    MD5:         c33ad3a4937b1c186a8a1279bb31e702
    SHA1:        d07f822b462ecf5ae31f5ccf1c6657b7505afb3f
    SHA256:      a8334e823ce220c4a375e1d5f32fabc1bd47abb6810760ea4100415b55a097e4
    Symbols:
                         dup2 = 0x302b4
                       printf = not found
                         puts = 0x30024
                         read = 0x30494
                   str_bin_sh = 0x336ca
                       system = not found
                        write = 0x30134

This is crashing as search returns :

$ pwn libcdb file /bin/ls
[*] ls
    BuildID:     e2ca832f1c2112aea9d7b9bc639e97e873a6b516
    MD5:         df0e7216034340f844de8e3b3c37d32b
    SHA1:        0c5f47f25f4379690945f6e7eaa92e1999d0755d
    SHA256:      9379a0fa9ed1e0b4302c4a2c9b1254d3cd76a9048f0ead3c9e216a5082b536bf
    Symbols:
Traceback (most recent call last):
  File "/usr/bin/pwn", line 33, in <module>
    sys.exit(load_entry_point('pwntools==4.11.1', 'console_scripts', 'pwn')())
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/pwnlib/commandline/main.py", line 58, in main
    commands[args.command](args)
  File "/usr/lib/python3.12/site-packages/pwnlib/commandline/libcdb.py", line 236, in main
    synthetic_symbols = collect_synthetic_symbols(exe)
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/pwnlib/commandline/libcdb.py", line 180, in collect_synthetic_symbols
    exe.symbols['str_bin_sh'] = next(exe.search(b'/bin/sh\x00'))
                                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
StopIteration

Arusekk commented 10 months ago

libcdb file is meant to only be used on an instance of glibc's libc.so.6; this is not explicitly written anywhere, the error message could have been nicer, but I think it is reasonable to assume that it only expects libc.
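The failure in the traceback above comes from calling `next()` on a search generator that yields nothing. The following is an added example, not code from the issue or from pwntools: `search`, `collect_unguarded`, `collect_guarded` and `render` are hypothetical stand-ins that run without pwntools, and the byte strings are constructed sample data.

```python
# Added example: stand-ins for the exe.search / collect_synthetic_symbols
# calls seen in the traceback. Inputs are constructed, not real binaries.

NEEDLE = b'/bin/sh\x00'


def search(data, needle, base=0):
    """Yield the address of every occurrence of needle in data (a generator,
    like the exe.search call in the traceback)."""
    offset = data.find(needle)
    while offset != -1:
        yield base + offset
        offset = data.find(needle, offset + 1)


def collect_unguarded(data):
    """Same pattern as the failing line: next() with no default."""
    symbols = {}
    symbols['str_bin_sh'] = next(search(data, NEEDLE))  # StopIteration if absent
    return symbols


def collect_guarded(data):
    """Hypothetical guarded variant: a default turns 'no match' into a value."""
    symbols = {}
    addr = next(search(data, NEEDLE), None)
    if addr is not None:
        symbols['str_bin_sh'] = addr
    return symbols


def render(symbols, names=('str_bin_sh', 'system')):
    """Format like the 'Symbols:' listing, with 'not found' for missing names."""
    return ['%s = %s' % (n, hex(symbols[n]) if n in symbols else 'not found')
            for n in names]


# Constructed inputs: one blob containing the string, one without it.
WITH_SH = b'\x7fELF' + b'\x00' * 12 + b'/bin/sh\x00' + b'tail'
WITHOUT_SH = b'\x7fELF' + b'\x00' * 12 + b'/bin/ls\x00' + b'tail'

if __name__ == '__main__':
    print(render(collect_guarded(WITH_SH)))
    print(render(collect_guarded(WITHOUT_SH)))
    try:
        collect_unguarded(WITHOUT_SH)
    except StopIteration:
        print('unguarded: StopIteration, as in the issue')
```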