Gallopsled / pwntools

CTF framework and exploit development library
http://pwntools.com

ELF Disassembly failed on `em_x86_x64` architecture #2365

Closed k4lizen closed 4 months ago

k4lizen commented 4 months ago

I am writing a script to detect some offsets in libc versions. For this I am using the https://github.com/niklasb/libc-database. For a non-trivial amount of libc files I get the error at the bottom. Some of the versions are:

libc6-x32_2.26-0ubuntu2.1_i386.so
libc6-x32_2.23-0ubuntu3_amd64.so
libc6-x32_2.34-0ubuntu3_i386.so
libc6-x32_2.35-0ubuntu3_i386.so

I am using ELF() and .disasm(). It seems the detected arch on some of these is em_x86_64. I have trouble finding out what that means exactly; is it the same as x86_x64/amd64 and the disassembly would work? If not, could support be added, i.e. can/should I pull a feature request?

Just the Exception

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/pwnlib/context/__init__.py", line 788, in arch
    defaults = self.architectures[arch]
               ~~~~~~~~~~~~~~~~~~^^^^^^
KeyError: 'em_x86_64'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/fmtstr_getlibc/calc_offsets.py", line 107, in <module>
    offset = calc_offset(files[ind])
             ^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/fmtstr_getlibc/calc_offsets.py", line 57, in calc_offset
    init_first_disass = libc.disasm(__libc_init_first.address, 200) # __libc_init_first.size is 0x1 for some reason
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/pwnlib/elf/elf.py", line 1518, in disasm
    return disasm(self.read(address, n_bytes), vma=address, arch=arch, endian=self.endian)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/pwnlib/context/__init__.py", line 1567, in setter
    with context.local(**{k:kw.pop(k) for k,v in tuple(kw.items()) if isinstance(getattr(ContextType, k, None), property)}):
  File "/usr/lib/python3/dist-packages/pwnlib/context/__init__.py", line 537, in __enter__
    self.update(**{k:v for k,v in kwargs.items() if v is not None})
  File "/usr/lib/python3/dist-packages/pwnlib/context/__init__.py", line 498, in update
    setattr(self,k,v)
  File "/usr/lib/python3/dist-packages/pwnlib/context/__init__.py", line 176, in fset
    self._tls[name] = validator(self, val)
                      ^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/pwnlib/context/__init__.py", line 790, in arch
    raise AttributeError('AttributeError: arch must be one of %r' % sorted(self.architectures))
AttributeError: AttributeError: arch must be one of ['aarch64', 'alpha', 'amd64', 'arm', 'avr', 'cris', 'i386', 'ia64', 'm68k', 'mips', 'mips64', 'msp430', 'none', 'powerpc', 'powerpc64', 'riscv32', 'riscv64', 's390', 'sparc', 'sparc64', 'thumb', 'vax']

The whole Debug Output

└─# python calc_offsets.py DEBUG LOG_FILE=log.txt
Getting LIBCS
Getting offsets and writing to tmp_offsets.txt
1/564( libc6_2.23-0ubuntu3_i386.so ):                       [DEBUG] /usr/bin/x86_64-linux-gnu-objcopy -I binary -O elf32-i386 -B i386 --set-section-flags .data=code --rename-section .data=.text -w -N * /tmp/pwn-disasm-5jprvo2m/step1 /tmp/pwn-disasm-5jprvo2m/step2
[DEBUG] /usr/bin/x86_64-linux-gnu-objdump -Mintel -w -d --adjust-vma 99232 -b elf32-i386 /tmp/pwn-disasm-5jprvo2m/step2
couldnt find exit call
2/564( libc6-amd64_2.8~20080505-0ubuntu7_i386.so ):         [DEBUG] /usr/bin/x86_64-linux-gnu-objcopy -I binary -O elf64-x86-64 -B i386:x86-64 --set-section-flags .data=code --rename-section .data=.text -w -N * /tmp/pwn-disasm-84w0w25l/step1 /tmp/pwn-disasm-84w0w25l/step2
[DEBUG] /usr/bin/x86_64-linux-gnu-objdump -Mintel -w -d --adjust-vma 123216 -b elf64-x86-64 /tmp/pwn-disasm-84w0w25l/step2
couldnt find exit call
3/564( libc6_2.3.5-1ubuntu12.5.10.1_i386_2.so ):            [DEBUG] /usr/bin/x86_64-linux-gnu-objcopy -I binary -O elf32-i386 -B i386 --set-section-flags .data=code --rename-section .data=.text -w -N * /tmp/pwn-disasm-4wpudpgf/step1 /tmp/pwn-disasm-4wpudpgf/step2
[DEBUG] /usr/bin/x86_64-linux-gnu-objdump -Mintel -w -d --adjust-vma 85472 -b elf32-i386 /tmp/pwn-disasm-4wpudpgf/step2
couldnt find exit call
4/564( libc6_2.28-0ubuntu1_i386.so ):                       [DEBUG] /usr/bin/x86_64-linux-gnu-objcopy -I binary -O elf32-i386 -B i386 --set-section-flags .data=code --rename-section .data=.text -w -N * /tmp/pwn-disasm-dh2e0sdo/step1 /tmp/pwn-disasm-dh2e0sdo/step2
[DEBUG] /usr/bin/x86_64-linux-gnu-objdump -Mintel -w -d --adjust-vma 108736 -b elf32-i386 /tmp/pwn-disasm-dh2e0sdo/step2
couldnt find exit call
5/564( libc6_2.36-0ubuntu4_i386.so ):                       [DEBUG] /usr/bin/x86_64-linux-gnu-objcopy -I binary -O elf32-i386 -B i386 --set-section-flags .data=code --rename-section .data=.text -w -N * /tmp/pwn-disasm-3ldd92hy/step1 /tmp/pwn-disasm-3ldd92hy/step2
[DEBUG] /usr/bin/x86_64-linux-gnu-objdump -Mintel -w -d --adjust-vma 127840 -b elf32-i386 /tmp/pwn-disasm-3ldd92hy/step2
couldnt find main call in  2  lines before exit call
6/564( libc6-amd64_2.36-9+deb12u4_i386.so ):                [DEBUG] /usr/bin/x86_64-linux-gnu-objcopy -I binary -O elf64-x86-64 -B i386:x86-64 --set-section-flags .data=code --rename-section .data=.text -w -N * /tmp/pwn-disasm-m0rpngx0/step1 /tmp/pwn-disasm-m0rpngx0/step2
[DEBUG] /usr/bin/x86_64-linux-gnu-objdump -Mintel -w -d --adjust-vma 160192 -b elf64-x86-64 /tmp/pwn-disasm-m0rpngx0/step2
                                                            FOUND offset: 0x2724a
7/564( libc6_2.10.1-0ubuntu15_i386.so ):                    [DEBUG] /usr/bin/x86_64-linux-gnu-objcopy -I binary -O elf32-i386 -B i386 --set-section-flags .data=code --rename-section .data=.text -w -N * /tmp/pwn-disasm-nr5i16qu/step1 /tmp/pwn-disasm-nr5i16qu/step2
[DEBUG] /usr/bin/x86_64-linux-gnu-objdump -Mintel -w -d --adjust-vma 92576 -b elf32-i386 /tmp/pwn-disasm-nr5i16qu/step2
couldnt find exit call
8/564( libc6-x32_2.26-0ubuntu2.1_i386.so ):                 [!] Could not populate PLT: AttributeError: arch must be one of ['aarch64', 'alpha', 'amd64', 'arm', 'avr', 'cris', 'i386', 'ia64', 'm68k', 'mips', 'mips64', 'msp430', 'none', 'powerpc', 'powerpc64', 'riscv32', 'riscv64', 's390', 'sparc', 'sparc64', 'thumb', 'vax']
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/pwnlib/context/__init__.py", line 788, in arch
    defaults = self.architectures[arch]
               ~~~~~~~~~~~~~~~~~~^^^^^^
KeyError: 'em_x86_64'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/fmtstr_getlibc/calc_offsets.py", line 107, in <module>
    offset = calc_offset(files[ind])
             ^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/fmtstr_getlibc/calc_offsets.py", line 57, in calc_offset
    init_first_disass = libc.disasm(__libc_init_first.address, 200) # __libc_init_first.size is 0x1 for some reason
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/pwnlib/elf/elf.py", line 1518, in disasm
    return disasm(self.read(address, n_bytes), vma=address, arch=arch, endian=self.endian)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/pwnlib/context/__init__.py", line 1567, in setter
    with context.local(**{k:kw.pop(k) for k,v in tuple(kw.items()) if isinstance(getattr(ContextType, k, None), property)}):
  File "/usr/lib/python3/dist-packages/pwnlib/context/__init__.py", line 537, in __enter__
    self.update(**{k:v for k,v in kwargs.items() if v is not None})
  File "/usr/lib/python3/dist-packages/pwnlib/context/__init__.py", line 498, in update
    setattr(self,k,v)
  File "/usr/lib/python3/dist-packages/pwnlib/context/__init__.py", line 176, in fset
    self._tls[name] = validator(self, val)
                      ^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/pwnlib/context/__init__.py", line 790, in arch
    raise AttributeError('AttributeError: arch must be one of %r' % sorted(self.architectures))
AttributeError: AttributeError: arch must be one of ['aarch64', 'alpha', 'amd64', 'arm', 'avr', 'cris', 'i386', 'ia64', 'm68k', 'mips', 'mips64', 'msp430', 'none', 'powerpc', 'powerpc64', 'riscv32', 'riscv64', 's390', 'sparc', 'sparc64', 'thumb', 'vax']

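
The libc6-x32 files that trigger the error are x32 ABI objects: their ELF header carries e_machine EM_X86_64 with a 32-bit ELF class, which is neither plain i386 nor plain amd64. The following is an added example, not part of this issue or of pwntools, that parses just those header fields to tell the three cases apart before handing a file to a disassembler; the helper names and the sample headers are constructed for illustration.

```python
import struct

# ELF header constants (from the ELF specification)
EM_386, EM_X86_64 = 3, 62
ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB = 1


def classify_elf(data: bytes) -> dict:
    """Classify an x86-family ELF by EI_CLASS and e_machine (hypothetical helper).

    suggested_arch is the instruction-set name a disassembler should use:
    x32 objects use the x86-64 instruction encoding with 32-bit pointers,
    so their code disassembles as amd64 even though the ELF class is 32-bit.
    """
    if len(data) < 0x14 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_data != ELFDATA2LSB:
        raise ValueError("only little-endian x86 ELFs are handled here")
    # e_ident is 16 bytes; e_type (2 bytes) follows, then e_machine at offset 0x12
    e_machine = struct.unpack_from("<H", data, 0x12)[0]
    if e_machine == EM_386 and ei_class == ELFCLASS32:
        return {"abi": "i386", "suggested_arch": "i386"}
    if e_machine == EM_X86_64 and ei_class == ELFCLASS64:
        return {"abi": "amd64", "suggested_arch": "amd64"}
    if e_machine == EM_X86_64 and ei_class == ELFCLASS32:
        # The combination behind the 'em_x86_64' label in the traceback above.
        return {"abi": "x32", "suggested_arch": "amd64"}
    return {"abi": "unknown", "suggested_arch": None}


def make_header(ei_class: int, e_machine: int) -> bytes:
    """Construct a minimal 20-byte ELF header prefix (sample data, not a real libc)."""
    e_ident = b"\x7fELF" + bytes([ei_class, ELFDATA2LSB, 1, 0]) + b"\x00" * 8
    return e_ident + struct.pack("<HH", 3, e_machine)  # e_type = ET_DYN (3)


if __name__ == "__main__":
    samples = [("libc6_i386 style", make_header(ELFCLASS32, EM_386)),
               ("libc6-amd64 style", make_header(ELFCLASS64, EM_X86_64)),
               ("libc6-x32 style", make_header(ELFCLASS32, EM_X86_64))]
    for name, hdr in samples:
        print(name, classify_elf(hdr))
```
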
peace-maker commented 4 months ago

Try updating to the beta 4.13; it should be fixed in #2305

pip install --pre --upgrade pwntools

k4lizen commented 4 months ago

Seems to work now, thanks!