Closed int0x80 closed 8 years ago
zachriggle
commented
8 years ago I was not able to reproduce the issue, but the stack traces were helpful enough that I think I resolved the issue on the dev branch. Please take a look and let me know! :)
int0x80
commented
8 years ago Thank you so much for the quick reply. There is a new exception that seems to be further down this time. The target is the same, and started the same way.
$ sudo chroot . ./qemu-mipsel-static -g 1234 /pwnable/Intro/stack_bof_01 AAAAHere is the new stack trace.
$ gdb
Loaded 92 commands. Type pwndbg for a list.
pwndbg> target remote 127.0.0.1:1234
Remote debugging using 127.0.0.1:1234
0x00000000 in ?? ()
Traceback (most recent call last):
File "/home/int0x80/tools/pwndbg/pwndbg/events.py", line 107, in caller
func()
File "/home/int0x80/tools/pwndbg/pwndbg/memoize.py", line 44, in __call__
value = self.func(*args, **kwargs)
File "/home/int0x80/tools/pwndbg/pwndbg/stack.py", line 76, in update
page = pwndbg.memory.Page(start, stop-start, 6 if not is_executable() else 7, 0, '[stack]')
File "/home/int0x80/tools/pwndbg/pwndbg/memoize.py", line 44, in __call__
value = self.func(*args, **kwargs)
File "/home/int0x80/tools/pwndbg/pwndbg/stack.py", line 122, in is_executable
ehdr = pwndbg.elf.exe()
File "/home/int0x80/tools/pwndbg/pwndbg/proc.py", line 60, in wrapper
return func(*a, **kw)
File "/home/int0x80/tools/pwndbg/pwndbg/memoize.py", line 44, in __call__
value = self.func(*args, **kwargs)
File "/home/int0x80/tools/pwndbg/pwndbg/elf.py", line 52, in exe
return load(entry())
File "/home/int0x80/tools/pwndbg/pwndbg/proc.py", line 60, in wrapper
return func(*a, **kw)
File "/home/int0x80/tools/pwndbg/pwndbg/memoize.py", line 44, in __call__
value = self.func(*args, **kwargs)
File "/home/int0x80/tools/pwndbg/pwndbg/elf.py", line 60, in entry
entry = pwndbg.auxv.get().AT_ENTRY
File "/home/int0x80/tools/pwndbg/pwndbg/memoize.py", line 44, in __call__
value = self.func(*args, **kwargs)
File "/home/int0x80/tools/pwndbg/pwndbg/auxv.py", line 103, in get
return use_info_auxv() or walk_stack() or AUXV()
File "/home/int0x80/tools/pwndbg/pwndbg/auxv.py", line 155, in walk_stack
auxv['AT_EXECFN'] = get_execfn()
File "/home/int0x80/tools/pwndbg/pwndbg/auxv.py", line 246, in get_execfn
while pwndbg.memory.byte(addr-1) == 0:
File "/home/int0x80/tools/pwndbg/pwndbg/memory.py", line 84, in byte
def byte(addr): return readtype(pwndbg.typeinfo.uchar, addr)
File "/home/int0x80/tools/pwndbg/pwndbg/memory.py", line 57, in readtype
return int(gdb.Value(addr).cast(gdb_type.pointer()).dereference())
gdb.MemoryError: Cannot access memory at address 0xffffffff
Python Exception <class 'gdb.MemoryError'> Cannot access memory at address 0xffffffff:
Traceback (most recent call last):
File "/home/int0x80/tools/pwndbg/pwndbg/events.py", line 107, in caller
func()
File "/home/int0x80/tools/pwndbg/pwndbg/memoize.py", line 44, in __call__
value = self.func(*args, **kwargs)
File "/home/int0x80/tools/pwndbg/pwndbg/stack.py", line 122, in is_executable
ehdr = pwndbg.elf.exe()
File "/home/int0x80/tools/pwndbg/pwndbg/proc.py", line 60, in wrapper
return func(*a, **kw)
File "/home/int0x80/tools/pwndbg/pwndbg/memoize.py", line 44, in __call__
value = self.func(*args, **kwargs)
File "/home/int0x80/tools/pwndbg/pwndbg/elf.py", line 52, in exe
return load(entry())
File "/home/int0x80/tools/pwndbg/pwndbg/proc.py", line 60, in wrapper
return func(*a, **kw)
File "/home/int0x80/tools/pwndbg/pwndbg/memoize.py", line 44, in __call__
value = self.func(*args, **kwargs)
File "/home/int0x80/tools/pwndbg/pwndbg/elf.py", line 60, in entry
entry = pwndbg.auxv.get().AT_ENTRY
File "/home/int0x80/tools/pwndbg/pwndbg/memoize.py", line 44, in __call__
value = self.func(*args, **kwargs)
File "/home/int0x80/tools/pwndbg/pwndbg/auxv.py", line 103, in get
return use_info_auxv() or walk_stack() or AUXV()
File "/home/int0x80/tools/pwndbg/pwndbg/auxv.py", line 155, in walk_stack
auxv['AT_EXECFN'] = get_execfn()
File "/home/int0x80/tools/pwndbg/pwndbg/auxv.py", line 246, in get_execfn
while pwndbg.memory.byte(addr-1) == 0:
File "/home/int0x80/tools/pwndbg/pwndbg/memory.py", line 84, in byte
def byte(addr): return readtype(pwndbg.typeinfo.uchar, addr)
File "/home/int0x80/tools/pwndbg/pwndbg/memory.py", line 57, in readtype
return int(gdb.Value(addr).cast(gdb_type.pointer()).dereference())
gdb.MemoryError: Cannot access memory at address 0xffffffff
Python Exception <class 'gdb.MemoryError'> Cannot access memory at address 0xffffffff:
Traceback (most recent call last):
File "/home/int0x80/tools/pwndbg/pwndbg/events.py", line 107, in caller
func()
File "/home/int0x80/tools/pwndbg/pwndbg/memoize.py", line 44, in __call__
value = self.func(*args, **kwargs)
File "/home/int0x80/tools/pwndbg/pwndbg/symbol.py", line 215, in add_main_exe_to_symbols
exe = pwndbg.elf.exe()
File "/home/int0x80/tools/pwndbg/pwndbg/proc.py", line 60, in wrapper
return func(*a, **kw)
File "/home/int0x80/tools/pwndbg/pwndbg/memoize.py", line 44, in __call__
value = self.func(*args, **kwargs)
File "/home/int0x80/tools/pwndbg/pwndbg/elf.py", line 52, in exe
return load(entry())
File "/home/int0x80/tools/pwndbg/pwndbg/proc.py", line 60, in wrapper
return func(*a, **kw)
File "/home/int0x80/tools/pwndbg/pwndbg/memoize.py", line 44, in __call__
value = self.func(*args, **kwargs)
File "/home/int0x80/tools/pwndbg/pwndbg/elf.py", line 60, in entry
entry = pwndbg.auxv.get().AT_ENTRY
File "/home/int0x80/tools/pwndbg/pwndbg/memoize.py", line 44, in __call__
value = self.func(*args, **kwargs)
File "/home/int0x80/tools/pwndbg/pwndbg/auxv.py", line 103, in get
return use_info_auxv() or walk_stack() or AUXV()
File "/home/int0x80/tools/pwndbg/pwndbg/auxv.py", line 155, in walk_stack
auxv['AT_EXECFN'] = get_execfn()
File "/home/int0x80/tools/pwndbg/pwndbg/auxv.py", line 246, in get_execfn
while pwndbg.memory.byte(addr-1) == 0:
File "/home/int0x80/tools/pwndbg/pwndbg/memory.py", line 84, in byte
def byte(addr): return readtype(pwndbg.typeinfo.uchar, addr)
File "/home/int0x80/tools/pwndbg/pwndbg/memory.py", line 57, in readtype
return int(gdb.Value(addr).cast(gdb_type.pointer()).dereference())
gdb.MemoryError: Cannot access memory at address 0xffffffff
Python Exception <class 'gdb.MemoryError'> Cannot access memory at address 0xffffffff:
Traceback (most recent call last):
File "/home/int0x80/tools/pwndbg/pwndbg/events.py", line 107, in caller
func()
File "/home/int0x80/tools/pwndbg/pwndbg/memoize.py", line 44, in __call__
value = self.func(*args, **kwargs)
File "/home/int0x80/tools/pwndbg/pwndbg/vmmap.py", line 39, in get
pages.extend(info_auxv())
File "/home/int0x80/tools/pwndbg/pwndbg/memoize.py", line 44, in __call__
value = self.func(*args, **kwargs)
File "/home/int0x80/tools/pwndbg/pwndbg/vmmap.py", line 303, in info_auxv
auxv = pwndbg.auxv.get()
File "/home/int0x80/tools/pwndbg/pwndbg/memoize.py", line 44, in __call__
value = self.func(*args, **kwargs)
File "/home/int0x80/tools/pwndbg/pwndbg/auxv.py", line 103, in get
return use_info_auxv() or walk_stack() or AUXV()
File "/home/int0x80/tools/pwndbg/pwndbg/auxv.py", line 155, in walk_stack
auxv['AT_EXECFN'] = get_execfn()
File "/home/int0x80/tools/pwndbg/pwndbg/auxv.py", line 246, in get_execfn
while pwndbg.memory.byte(addr-1) == 0:
File "/home/int0x80/tools/pwndbg/pwndbg/memory.py", line 84, in byte
def byte(addr): return readtype(pwndbg.typeinfo.uchar, addr)
File "/home/int0x80/tools/pwndbg/pwndbg/memory.py", line 57, in readtype
return int(gdb.Value(addr).cast(gdb_type.pointer()).dereference())
gdb.MemoryError: Cannot access memory at address 0xffffffff
Python Exception <class 'gdb.MemoryError'> Cannot access memory at address 0xffffffff: Here's my branch process:
$ git pull
Already up-to-date.
$ git checkout dev
Branch dev set up to track remote branch dev from origin.
Switched to a new branch 'dev'
$ git pull
Already up-to-date.I also tried a fresh clone with:
git clone https://github.com/zachriggle/pwndbg --branch dev --single-branchI also just realized the version for gdb might have been helpful, as well.
pwndbg> show version
GNU gdb (Ubuntu 7.11-0ubuntu1) 7.11Thanks again for your help in resolving this issue. I'm happy to help test new patches :)
zachriggle
commented
8 years ago Pushed two more commits, give it a go :)
int0x80
commented
8 years ago I think we're getting there -- got a new error this time. Same target with the same initialization.
$ sudo chroot . ./qemu-mipsel-static -g 1234 /pwnable/Intro/stack_bof_01 AAAAThe stack trace in pwndbg on the dev branch.
$ gdb
Loaded 92 commands. Type pwndbg for a list.
pwndbg> target remote 127.0.0.1:1234
Remote debugging using 127.0.0.1:1234
0x00000000 in ?? ()
Traceback (most recent call last):
File "/home/int0x80/tools/pwndbg/pwndbg/events.py", line 107, in caller
func()
File "/home/int0x80/tools/pwndbg/pwndbg/memoize.py", line 44, in __call__
value = self.func(*args, **kwargs)
File "/home/int0x80/tools/pwndbg/pwndbg/stack.py", line 76, in update
page = pwndbg.memory.Page(start, stop-start, 6 if not is_executable() else 7, 0, '[stack]')
File "/home/int0x80/tools/pwndbg/pwndbg/memoize.py", line 44, in __call__
value = self.func(*args, **kwargs)
File "/home/int0x80/tools/pwndbg/pwndbg/stack.py", line 122, in is_executable
ehdr = pwndbg.elf.exe()
File "/home/int0x80/tools/pwndbg/pwndbg/proc.py", line 60, in wrapper
return func(*a, **kw)
File "/home/int0x80/tools/pwndbg/pwndbg/memoize.py", line 44, in __call__
value = self.func(*args, **kwargs)
File "/home/int0x80/tools/pwndbg/pwndbg/elf.py", line 52, in exe
return load(entry())
File "/home/int0x80/tools/pwndbg/pwndbg/proc.py", line 60, in wrapper
return func(*a, **kw)
File "/home/int0x80/tools/pwndbg/pwndbg/memoize.py", line 44, in __call__
value = self.func(*args, **kwargs)
File "/home/int0x80/tools/pwndbg/pwndbg/elf.py", line 60, in entry
entry = pwndbg.auxv.get().AT_ENTRY
AttributeError: 'dict' object has no attribute 'AT_ENTRY'
Python Exception <class 'AttributeError'> 'dict' object has no attribute 'AT_ENTRY':
Traceback (most recent call last):
File "/home/int0x80/tools/pwndbg/pwndbg/events.py", line 107, in caller
func()
File "/home/int0x80/tools/pwndbg/pwndbg/memoize.py", line 44, in __call__
value = self.func(*args, **kwargs)
File "/home/int0x80/tools/pwndbg/pwndbg/stack.py", line 122, in is_executable
ehdr = pwndbg.elf.exe()
File "/home/int0x80/tools/pwndbg/pwndbg/proc.py", line 60, in wrapper
return func(*a, **kw)
File "/home/int0x80/tools/pwndbg/pwndbg/memoize.py", line 44, in __call__
value = self.func(*args, **kwargs)
File "/home/int0x80/tools/pwndbg/pwndbg/elf.py", line 52, in exe
return load(entry())
File "/home/int0x80/tools/pwndbg/pwndbg/proc.py", line 60, in wrapper
return func(*a, **kw)
File "/home/int0x80/tools/pwndbg/pwndbg/memoize.py", line 44, in __call__
value = self.func(*args, **kwargs)
File "/home/int0x80/tools/pwndbg/pwndbg/elf.py", line 60, in entry
entry = pwndbg.auxv.get().AT_ENTRY
AttributeError: 'dict' object has no attribute 'AT_ENTRY'
Python Exception <class 'AttributeError'> 'dict' object has no attribute 'AT_ENTRY':
Traceback (most recent call last):
File "/home/int0x80/tools/pwndbg/pwndbg/events.py", line 107, in caller
func()
File "/home/int0x80/tools/pwndbg/pwndbg/memoize.py", line 44, in __call__
value = self.func(*args, **kwargs)
File "/home/int0x80/tools/pwndbg/pwndbg/symbol.py", line 215, in add_main_exe_to_symbols
exe = pwndbg.elf.exe()
File "/home/int0x80/tools/pwndbg/pwndbg/proc.py", line 60, in wrapper
return func(*a, **kw)
File "/home/int0x80/tools/pwndbg/pwndbg/memoize.py", line 44, in __call__
value = self.func(*args, **kwargs)
File "/home/int0x80/tools/pwndbg/pwndbg/elf.py", line 52, in exe
return load(entry())
File "/home/int0x80/tools/pwndbg/pwndbg/proc.py", line 60, in wrapper
return func(*a, **kw)
File "/home/int0x80/tools/pwndbg/pwndbg/memoize.py", line 44, in __call__
value = self.func(*args, **kwargs)
File "/home/int0x80/tools/pwndbg/pwndbg/elf.py", line 60, in entry
entry = pwndbg.auxv.get().AT_ENTRY
AttributeError: 'dict' object has no attribute 'AT_ENTRY'
Python Exception <class 'AttributeError'> 'dict' object has no attribute 'AT_ENTRY':
Traceback (most recent call last):
File "/home/int0x80/tools/pwndbg/pwndbg/events.py", line 107, in caller
func()
File "/home/int0x80/tools/pwndbg/pwndbg/memoize.py", line 44, in __call__
value = self.func(*args, **kwargs)
File "/home/int0x80/tools/pwndbg/pwndbg/vmmap.py", line 39, in get
pages.extend(info_auxv())
File "/home/int0x80/tools/pwndbg/pwndbg/memoize.py", line 44, in __call__
value = self.func(*args, **kwargs)
File "/home/int0x80/tools/pwndbg/pwndbg/vmmap.py", line 309, in info_auxv
exe_name = auxv.AT_EXECFN or 'main.exe'
AttributeError: 'dict' object has no attribute 'AT_EXECFN'
Python Exception <class 'AttributeError'> 'dict' object has no attribute 'AT_EXECFN': This was my update to grab your commits.
$ git pull
remote: Counting objects: 8, done.
remote: Compressing objects: 100% (8/8), done.
remote: Total 8 (delta 3), reused 0 (delta 0), pack-reused 0
Unpacking objects: 100% (8/8), done.
From https://github.com/zachriggle/pwndbg
68ab121..38656c9 dev -> origin/dev
Updating 68ab121..38656c9
Fast-forward
pwndbg/auxv.py | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)Once more :)
int0x80
commented
8 years ago More progress :) Here is the run after the latest git pull.
pwndbg> target remote 127.0.0.1:1234
Remote debugging using 127.0.0.1:1234
0x00000000 in ?? ()
Traceback (most recent call last):
File "/home/int0x80/tools/pwndbg/pwndbg/events.py", line 107, in caller
func()
File "/home/int0x80/tools/pwndbg/pwndbg/memoize.py", line 44, in __call__
value = self.func(*args, **kwargs)
File "/home/int0x80/tools/pwndbg/pwndbg/stack.py", line 76, in update
page = pwndbg.memory.Page(start, stop-start, 6 if not is_executable() else 7, 0, '[stack]')
File "/home/int0x80/tools/pwndbg/pwndbg/memoize.py", line 44, in __call__
value = self.func(*args, **kwargs)
File "/home/int0x80/tools/pwndbg/pwndbg/stack.py", line 122, in is_executable
ehdr = pwndbg.elf.exe()
File "/home/int0x80/tools/pwndbg/pwndbg/proc.py", line 60, in wrapper
return func(*a, **kw)
File "/home/int0x80/tools/pwndbg/pwndbg/memoize.py", line 44, in __call__
value = self.func(*args, **kwargs)
File "/home/int0x80/tools/pwndbg/pwndbg/elf.py", line 52, in exe
return load(entry())
File "/home/int0x80/tools/pwndbg/pwndbg/elf.py", line 89, in load
return get_ehdr(pointer)[1]
File "/home/int0x80/tools/pwndbg/pwndbg/elf.py", line 121, in get_ehdr
base = pwndbg.memory.page_align(pointer)
File "/home/int0x80/tools/pwndbg/pwndbg/memory.py", line 122, in page_align
def page_align(address): return round_down(address, PAGE_SIZE)
File "/home/int0x80/tools/pwndbg/pwndbg/memory.py", line 116, in round_down
return address & ~(align-1)
TypeError: unsupported operand type(s) for &: 'NoneType' and 'int'
Python Exception <class 'TypeError'> unsupported operand type(s) for &: 'NoneType' and 'int':
Traceback (most recent call last):
File "/home/int0x80/tools/pwndbg/pwndbg/events.py", line 107, in caller
func()
File "/home/int0x80/tools/pwndbg/pwndbg/memoize.py", line 44, in __call__
value = self.func(*args, **kwargs)
File "/home/int0x80/tools/pwndbg/pwndbg/stack.py", line 122, in is_executable
ehdr = pwndbg.elf.exe()
File "/home/int0x80/tools/pwndbg/pwndbg/proc.py", line 60, in wrapper
return func(*a, **kw)
File "/home/int0x80/tools/pwndbg/pwndbg/memoize.py", line 44, in __call__
value = self.func(*args, **kwargs)
File "/home/int0x80/tools/pwndbg/pwndbg/elf.py", line 52, in exe
return load(entry())
File "/home/int0x80/tools/pwndbg/pwndbg/elf.py", line 89, in load
return get_ehdr(pointer)[1]
File "/home/int0x80/tools/pwndbg/pwndbg/elf.py", line 121, in get_ehdr
base = pwndbg.memory.page_align(pointer)
File "/home/int0x80/tools/pwndbg/pwndbg/memory.py", line 122, in page_align
def page_align(address): return round_down(address, PAGE_SIZE)
File "/home/int0x80/tools/pwndbg/pwndbg/memory.py", line 116, in round_down
return address & ~(align-1)
TypeError: unsupported operand type(s) for &: 'NoneType' and 'int'
Python Exception <class 'TypeError'> unsupported operand type(s) for &: 'NoneType' and 'int':
Traceback (most recent call last):
File "/home/int0x80/tools/pwndbg/pwndbg/events.py", line 107, in caller
func()
File "/home/int0x80/tools/pwndbg/pwndbg/memoize.py", line 44, in __call__
value = self.func(*args, **kwargs)
File "/home/int0x80/tools/pwndbg/pwndbg/symbol.py", line 215, in add_main_exe_to_symbols
exe = pwndbg.elf.exe()
File "/home/int0x80/tools/pwndbg/pwndbg/proc.py", line 60, in wrapper
return func(*a, **kw)
File "/home/int0x80/tools/pwndbg/pwndbg/memoize.py", line 44, in __call__
value = self.func(*args, **kwargs)
File "/home/int0x80/tools/pwndbg/pwndbg/elf.py", line 52, in exe
return load(entry())
File "/home/int0x80/tools/pwndbg/pwndbg/elf.py", line 89, in load
return get_ehdr(pointer)[1]
File "/home/int0x80/tools/pwndbg/pwndbg/elf.py", line 121, in get_ehdr
base = pwndbg.memory.page_align(pointer)
File "/home/int0x80/tools/pwndbg/pwndbg/memory.py", line 122, in page_align
def page_align(address): return round_down(address, PAGE_SIZE)
File "/home/int0x80/tools/pwndbg/pwndbg/memory.py", line 116, in round_down
return address & ~(align-1)
TypeError: unsupported operand type(s) for &: 'NoneType' and 'int'
Python Exception <class 'TypeError'> unsupported operand type(s) for &: 'NoneType' and 'int':
Traceback (most recent call last):
File "/home/int0x80/tools/pwndbg/pwndbg/events.py", line 107, in caller
func()
File "/home/int0x80/tools/pwndbg/pwndbg/memoize.py", line 44, in __call__
value = self.func(*args, **kwargs)
File "/home/int0x80/tools/pwndbg/pwndbg/stack.py", line 76, in update
page = pwndbg.memory.Page(start, stop-start, 6 if not is_executable() else 7, 0, '[stack]')
File "/home/int0x80/tools/pwndbg/pwndbg/memoize.py", line 44, in __call__
value = self.func(*args, **kwargs)
File "/home/int0x80/tools/pwndbg/pwndbg/stack.py", line 122, in is_executable
ehdr = pwndbg.elf.exe()
File "/home/int0x80/tools/pwndbg/pwndbg/proc.py", line 60, in wrapper
return func(*a, **kw)
File "/home/int0x80/tools/pwndbg/pwndbg/memoize.py", line 44, in __call__
value = self.func(*args, **kwargs)
File "/home/int0x80/tools/pwndbg/pwndbg/elf.py", line 52, in exe
return load(entry())
File "/home/int0x80/tools/pwndbg/pwndbg/elf.py", line 89, in load
return get_ehdr(pointer)[1]
File "/home/int0x80/tools/pwndbg/pwndbg/elf.py", line 121, in get_ehdr
base = pwndbg.memory.page_align(pointer)
File "/home/int0x80/tools/pwndbg/pwndbg/memory.py", line 122, in page_align
def page_align(address): return round_down(address, PAGE_SIZE)
File "/home/int0x80/tools/pwndbg/pwndbg/memory.py", line 116, in round_down
return address & ~(align-1)
TypeError: unsupported operand type(s) for &: 'NoneType' and 'int'
Python Exception <class 'TypeError'> unsupported operand type(s) for &: 'NoneType' and 'int': What version of QEMU are you using?
Can you provide a copy of the binary (and your chroot)? For what it's worth, you don't need to chroot with qemu-user. You can just do e.g. qemu-mipsel -L .
These are indeed cases that aren't handled, but they are also cases that should never be possible.
Specifically, this most recent one is occurring because Pwndbg cannot find the main executable.
int0x80
commented
8 years ago QEMU was installed with apt via the qemu-user-static package.
$ qemu-mipsel-static -version
qemu-mipsel version 2.5.0 (Debian 1:2.5+dfsg-5ubuntu10.2), Copyright (c) 2003-2008 Fabrice BellardHere is a copy of the target, extracted from the DVRF image and uploaded to Google Drive https://drive.google.com/open?id=0BzEOIRgNADuqVG9lbEdJMURHMlU
zachriggle
commented
8 years ago Nevermind, I see that DVRF provides a bin file with a squashfs inside it.
$ md5sum pwnable/Intro/*
457b1fd420f1e18cfeb450ee89a874a1 pwnable/Intro/heap_overflow_01
bd8b5474cd68757938e9d4ad93dc0d89 pwnable/Intro/README
1f13ccb3e0d377e2aec268fd4f5cb313 pwnable/Intro/stack_bof_01
d691606a475703258bcc7fb315b8d53f pwnable/Intro/uaf_01As an example of what I meant earlier, with no need for chroot or sudo:
$ qemu-mipsel -L . pwnable/Intro/stack_bof_01
Usage: stack_bof_01 <argument>
-By b1ack0wlNext we can run the binary:
$ qemu-mipsel-static -L . -g 11111 pwnable/Intro/stack_bof_01 AAAA$ gdb-multiarch
Loaded 92 commands. Type pwndbg for a list.
pwndbg> set endian little
The target is assumed to be little endian
pwndbg> set architecture mips
The target architecture is assumed to be mips
pwndbg> target remote 127.0.0.1:11111
Remote debugging using 127.0.0.1:11111
0x767b9a80 in ?? ()
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
[----------------------------------------------------REGISTERS----------------------------------------------------]
V0 0x0
V1 0x0
A0 0x0
A1 0x0
A2 0x0
A3 0x0
T0 0x0
T1 0x0
T2 0x0
T3 0x0
T4 0x0
T5 0x0
T6 0x0
T7 0x0
T8 0x0
T9 0x0
S0 0x0
S1 0x0
S2 0x0
S3 0x0
S4 0x0
S5 0x0
S6 0x0
S7 0x0
S8 0x0
FP 0x0
SP 0x76ffe7a0 <-- 0x2
PC 0x767b9a80 <-- 0x3e0c821
[------------------------------------------------------CODE-------------------------------------------------------]
=> 0x767b9a80 move $t9, $ra
0x767b9a84 bal 0x767b9a8c
0x767b9a88 nop
0x767b9a8c lui $gp, 5
0x767b9a90 addiu $gp, $gp, -0x3a7c
0x767b9a94 addu $gp, $gp, $ra
0x767b9a98 move $ra, $t9
0x767b9a9c lw $a0, -0x7fe8($gp)
0x767b9aa0 sw $a0, -0x7ff0($gp)
0x767b9aa4 move $a0, $sp
0x767b9aa8 addiu $sp, $sp, -0x10
[------------------------------------------------------STACK------------------------------------------------------]
00:0000| sp 0x76ffe7a0 <-- 0x2
01:0004| 0x76ffe7a4 --> 0x76ffe9bf <-- 'pwnable/Intro/stack_b...'
02:0008| 0x76ffe7a8 --> 0x76ffe9da <-- 'AAAA'
03:000c| 0x76ffe7ac <-- 0x0
04:0010| 0x76ffe7b0 --> 0x76ffe9df <-- 'PS1=$ '
05:0014| 0x76ffe7b4 --> 0x76ffe9e6 <-- 'QEMU_LD_PREFIX=/home/...'
06:0018| 0x76ffe7b8 --> 0x76ffea2f <-- 'MANSECT=2:3:3p:1:1p:8...'
07:001c| 0x76ffe7bc --> 0x76ffea5f <-- 'ACK_COLOR_MATCH=under...'
[----------------------------------------------------BACKTRACE----------------------------------------------------]
> f 0 767b9a80
pwndbg> Everything works for me :-S
zachriggle
commented
8 years ago I expect that the issue is that you are not telling gdb that it's a MIPS binary, so it's attempting to read i386 registers and getting 0 for $sp and 0 for $pc etc.
You need to tell GDB what the foreign architecture is.
I recommend using gdb-multiarch, which has MIPS support -- however, you still need to explicitly tell it.
If you use Binjitsu, this all works automagically. Note that you'll need to use the latest version as of five minutes ago, since I fixed a MIPS-related bug.
$ export QEMU_LD_PREFIX=$PWD
$ ipython
>>> context.binary = './pwnable/Intro/stack_bof_01'
[*] '/home/user/_DVRF_v03.bin?raw=true.extracted/squashfs-root/pwnable/Intro/stack_bof_01'
Arch: mips-32-little
RELRO: No RELRO
Stack: No canary found
NX: NX disabled
PIE: No PIE
>>> io = gdb.debug([context.binary.path, 'AAAA'], log_level='debug')
[x] Starting program '/usr/bin/qemu-mipsel-static' argv=['qemu-mipsel-static', '-g', '59853', '/home/user/_DVRF_v03.bin?raw=true.extracted/squashfs-root/pwnable/Intro/stack_bof_01', 'AAAA']
[+] Starting program '/usr/bin/qemu-mipsel-static' argv=['qemu-mipsel-static', '-g', '59853', '/home/user/_DVRF_v03.bin?raw=true.extracted/squashfs-root/pwnable/Intro/stack_bof_01', 'AAAA'] : Done
[DEBUG] Wrote gdb script to '/tmp/user/pwnBt_Upe.gdb'
set endian little
set architecture mips
target remote 127.0.0.1:59853
[*] running in new terminal: gdb-multiarch -x "/tmp/user/pwnBt_Upe.gdb" ; rm "/tmp/user/pwnBt_Upe.gdb"
[DEBUG] Launching a new terminal: ['/usr/bin/x-terminal-emulator', '-e', 'gdb-multiarch -x "/tmp/user/pwnBt_Upe.gdb" ; rm "/tmp/user/pwnBt_Upe.gdb"']Hah, you're right. I did have one run with a hiccup:
pwndbg> set endian little
The target is assumed to be little endian
pwndbg> set architecture mips
The target architecture is assumed to be mips
pwndbg> target remote 127.0.0.1:1234
Remote debugging using 127.0.0.1:1234
0x767b9a80 in ?? ()
Traceback (most recent call last):
File "/home/int0x80/tools/pwndbg/pwndbg/events.py", line 107, in caller
func()
...But now it seems to be working. Notice in the run above that we're at 0x767b9a80 instead of the previous value of 0x00000000. Either way it seems to be working now.
I've updated my install of Binjitsu so should be good to go. Thanks so much for all your help.
Thanks for all your work on this project. I'm having trouble attaching to a process suspended by QEMU with a gdb stub. The specific target is the
stack_bof_01binary in the DVRF project. The DVRF setup process was followed as per the Getting Started blog post; while thepwndbgsetup process was followed as per @ctfhacker's EpicTreasureet_setup.sh.The target is started as follows:
When attaching with gdb,
auxv.pyraises aTypeErrorexception.If I wrap the offending lines with a simple
tryandexcept, like soI receive a different set of errors:
Not sure whether it's helpful, but here is some diagnostic info about my VM.
Please let me know how I can help further in debugging this issue.