Open ValekoZ opened 3 months ago
Pwntools version: v4.13.0beta0
Issue: The `_lookup` method returns PLT entries when a binary is provided, and GOT entries when no binary is provided. I guess the expected result is to return a PLT entry in every case?
Repro. In `test.c`:

```c
#include <stdio.h>
#include <unistd.h>

int main() {
    void *addr;
    /* Print the address of main so the script can compute the PIE base. */
    printf("main @ %p\n", main);
    while (1) {
        /* Read an address and dump 0x100 bytes from it (the leak primitive). */
        puts("addr:");
        scanf("%p", &addr);
        write(1, addr, 0x100);
        puts("END");
        puts("END");
    }
}
```
In `poc.py`:

```python
#!/bin/env python3
from pwn import *

context.binary = exe = ELF("./test")
io = process("./test")

# Recover the runtime address of main and rebase the ELF on it.
io.recvuntil(b" @ ")
main = int(io.recvline(keepends=False).strip().decode(), 16)
info(f"main @ {main:#x}")
exe.address = main - exe.sym['main']

@MemLeak
def leak(addr):
    # Ask the binary to dump memory at addr; everything up to the END markers is the leak.
    io.sendlineafter(b"addr:\n", f"{addr:#x}".encode())
    return io.recvuntil(b"END\nEND\n", drop=True)

# Without a binary, _lookup returns the GOT entry...
dynelf = DynELF(leak, main)
assert dynelf._lookup(b'printf') == exe.got.printf

# ...with a binary, it returns the PLT entry.
dynelf = DynELF(leak, main, elf=exe)
assert dynelf._lookup(b'printf') == exe.plt.printf
```
See #1933, not yet very supported
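The PoC above only asserts that the two addresses differ; the point a caller cares about is that a PLT entry is callable code while a GOT entry is a data slot holding a pointer that must be read before it is useful. The following is an added illustration, not pwntools code and not from the issue author: it models a single PLT stub and its GOT slot in a constructed memory image (all addresses are made up), provides a MemLeak-style `leak` callback like the PoC's, and shows how a consumer would normalise either kind of result into the real target address.

```python
"""Model of why a PLT address and a GOT address are not interchangeable.

Constructed example (not pwntools code): a tiny memory image with one PLT
stub and its GOT slot, a leak callback in the style of the PoC's @MemLeak
function, and a helper that turns whichever address a resolver hands back
into an address that can actually be called.
"""
import struct

# Constructed layout, loosely modelled on a PIE x86-64 binary (hypothetical values).
PLT_PRINTF = 0x555555555030    # address of printf@plt (code)
GOT_PRINTF = 0x555555558018    # address of the GOT slot for printf (data)
LIBC_PRINTF = 0x7FFFF7E3E6F0   # where the slot points once the symbol is bound

PLT_RANGE = (0x555555555020, 0x555555555060)   # constructed .plt bounds
GOT_RANGE = (0x555555558000, 0x555555558040)   # constructed .got.plt bounds

# Memory image: the GOT slot holds an 8-byte little-endian pointer.
MEMORY = {GOT_PRINTF: struct.pack("<Q", LIBC_PRINTF)}


def leak(addr, n=8):
    """Leak callback: return up to n bytes at addr, or None if unmapped."""
    for base, data in MEMORY.items():
        if base <= addr < base + len(data):
            off = addr - base
            return data[off:off + n]
    return None


def classify(addr):
    """Say which kind of address a resolver returned."""
    if PLT_RANGE[0] <= addr < PLT_RANGE[1]:
        return "plt"
    if GOT_RANGE[0] <= addr < GOT_RANGE[1]:
        return "got"
    return "other"


def resolve_target(addr, leak_fn):
    """Return an address that can be called, regardless of which form we got.

    A PLT stub is code and is returned as-is; a GOT slot is dereferenced
    through the leak, because the slot itself is data, not code.
    """
    kind = classify(addr)
    if kind == "plt":
        return addr
    if kind == "got":
        raw = leak_fn(addr, 8)
        if raw is None or len(raw) < 8:
            raise ValueError(f"could not leak 8 bytes at {addr:#x}")
        return struct.unpack("<Q", raw)[0]
    raise ValueError(f"{addr:#x} is neither a PLT nor a GOT address")


if __name__ == "__main__":
    for a in (PLT_PRINTF, GOT_PRINTF):
        print(f"{a:#x} ({classify(a)}) -> {resolve_target(a, leak):#x}")
```

With the constructed image, the PLT address comes back unchanged, while the GOT address is read through the leak and yields the bound libc address; a caller that assumed `_lookup` always returns one form would be wrong in one of the two configurations from the issue.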