seemoo-lab / internalblue

Bluetooth experimentation framework for Broadcom and Cypress chips.

PoC examples broken by new version of binutils, warnings processed as errors #67

Open KamicDemon opened 1 year ago

KamicDemon commented 1 year ago

When trying to run the nexus5 examples, such as the CVE_2018_19860 Crash on Connect example, pwntools throws an error. I assume this error is caused by the linker treating a certain warning as an error in this version of binutils.

Hardware: Google Nexus5
Operating System: Linux 6.0.0-kali5-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.0.10-2kali1 (2022-12-06) x86_64 GNU/Linux

To Reproduce: `sudo ./CVE_2018_19860_Crash_on_Connect.py`

Output log from commands:

```
$ sudo ./CVE_2018_19860_Crash_on_Connect.py
[] Found multiple adb devices
[] Connected to 0e5b1fa70c634e21
[] Chip identifier: 0x6109 (003.001.009)
[] Using fw_0x6109.py
[] Loaded firmware information for BCM4335C0.
[] Try to enable debugging on H4 (warning if not supported)...
[*] installing assembly patches to crash other device on connect requests...
There was an error running ['/usr/bin/arm-linux-gnueabi-ld', '--oformat=elf32-littlearm', '-EL', '-z', 'execstack', '-o', '/tmp/pwn-asm-f2z999on/step3', '/tmp/pwn-asm-f2z999on/step2', '--section-start=.shellcode=0x211800', '--entry=0x211800', '-z', 'max-page-size=4096', '-z', 'common-page-size=4096']:
It had this on stdout:
/usr/bin/arm-linux-gnueabi-ld: warning: /tmp/pwn-asm-f2z999on/step3 has a LOAD segment with RWX permissions

An error occurred while assembling:
   1: .section .shellcode,"awx"
   2: .global _start
   3: .global __start
   4: .p2align 2
   5: _start:
   6: __start:
   7: .syntax unified
   8: .arch armv7-a
   9: .thumb
  10: ldr r0, =table
  11: bx lr
  12: //dummy table entry
  13: .align
  14: table:
  15: .byte 0x35 //nullsub1+1
  16: .byte 0xAC
  17: .byte 0x00
  18: .byte 0x00
  19: .byte 0x10 //length
  20: .byte 0x00
  21: .byte 0x00
  22: .byte 0x00
Traceback (most recent call last):
  File "/usr/local/lib/python3.10/dist-packages/pwnlib/asm.py", line 702, in asm
    _run(linker + ldflags)
  File "/usr/local/lib/python3.10/dist-packages/pwnlib/asm.py", line 397, in _run
    log.error(msg, *args)
  File "/usr/local/lib/python3.10/dist-packages/pwnlib/log.py", line 424, in error
    raise PwnlibException(message % args)
pwnlib.exception.PwnlibException: There was an error running ['/usr/bin/arm-linux-gnueabi-ld', '--oformat=elf32-littlearm', '-EL', '-z', 'execstack', '-o', '/tmp/pwn-asm-f2z999on/step3', '/tmp/pwn-asm-f2z999on/step2', '--section-start=.shellcode=0x211800', '--entry=0x211800', '-z', 'max-page-size=4096', '-z', 'common-page-size=4096']:
It had this on stdout:
/usr/bin/arm-linux-gnueabi-ld: warning: /tmp/pwn-asm-f2z999on/step3 has a LOAD segment with RWX permissions

Traceback (most recent call last):
  File "/home/zarich/internalblue/examples/nexus5/./CVE_2018_19860_Crash_on_Connect.py", line 123, in
    code = asm(ASM_SNIPPET_LMP_00_LOOKUP, vma=ASM_LOCATION_LMP_00_LOOKUP)
  File "/usr/local/lib/python3.10/dist-packages/pwnlib/context/init.py", line 1524, in setter
    return function(*a, *kw)
  File "/usr/local/lib/python3.10/dist-packages/pwnlib/asm.py", line 725, in asm
    log.exception("An error occurred while assembling:\n%s" % lines)
  File "/usr/local/lib/python3.10/dist-packages/pwnlib/asm.py", line 702, in asm
    _run(linker + ldflags)
  File "/usr/local/lib/python3.10/dist-packages/pwnlib/asm.py", line 397, in _run
    log.error(msg, args)
  File "/usr/local/lib/python3.10/dist-packages/pwnlib/log.py", line 424, in error
    raise PwnlibException(message % args)
pwnlib.exception.PwnlibException: There was an error running ['/usr/bin/arm-linux-gnueabi-ld', '--oformat=elf32-littlearm', '-EL', '-z', 'execstack', '-o', '/tmp/pwn-asm-f2z999on/step3', '/tmp/pwn-asm-f2z999on/step2', '--section-start=.shellcode=0x211800', '--entry=0x211800', '-z', 'max-page-size=4096', '-z', 'common-page-size=4096']:
It had this on stdout:
/usr/bin/arm-linux-gnueabi-ld: warning: /tmp/pwn-asm-f2z999on/step3 has a LOAD segment with RWX permissions
```

Additional context

After some attempts to figure out the cause of the issue, I found a discussion of a similar error in another GitHub repo.

https://github.com/OP-TEE/optee_os/issues/5471

The issue was attributed to the fact that binutils after 2.38 classifies this kind of behavior as an error and breaks the compilation, as addressed here:

https://github.com/OP-TEE/optee_os/pull/5474

Adding the following flag to line 700 in pwnlib/asm.py solved the problem for me.

`'--no-warn-rwx-segments'`

This would probably be better classified as a pwntools issue, but I'm reporting it here since this is the context in which I found it.
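A version-aware variant of the reporter's workaround, added here as an example and not code from the issue, internalblue or pwntools: it adds `--no-warn-rwx-segments` only when the installed binutils is newer than 2.38 (older `ld` rejects the unknown option), and it separates `ld: warning:` lines from real errors instead of failing on any linker output. The `link` helper and its flag handling are assumptions; the linker path and the warning line are taken from the log above.

```python
import re
import subprocess
from typing import List, Tuple

# Linker path and the flag that silences the new warning (both quoted in the issue).
LD = "/usr/bin/arm-linux-gnueabi-ld"
NO_WARN_RWX = "--no-warn-rwx-segments"


def binutils_version(version_text: str) -> Tuple[int, int]:
    """Extract (major, minor) from the first line of `ld --version`."""
    m = re.search(r"\b(\d+)\.(\d+)\b", version_text)
    if m is None:
        raise ValueError("cannot find a binutils version in: %r" % version_text)
    return int(m.group(1)), int(m.group(2))


def extra_ldflags(version_text: str) -> List[str]:
    """Only binutils newer than 2.38 knows the flag; older ld would fail on it."""
    return [NO_WARN_RWX] if binutils_version(version_text) > (2, 38) else []


def split_linker_output(output: str) -> Tuple[List[str], List[str]]:
    """Separate 'ld: warning:' lines from everything else (treated as errors)."""
    warnings, errors = [], []
    for line in output.splitlines():
        if not line.strip():
            continue
        (warnings if re.search(r"\bld: warning:", line) else errors).append(line)
    return warnings, errors


def link(ldflags: List[str]) -> List[str]:
    """Hypothetical wrapper: run ld, fail only on real errors, return warnings.
    Needs the arm-linux-gnueabi cross toolchain installed."""
    version = subprocess.run([LD, "--version"], capture_output=True, text=True, check=True).stdout
    cmd = [LD] + ldflags + extra_ldflags(version)
    proc = subprocess.run(cmd, capture_output=True, text=True)
    warnings, errors = split_linker_output(proc.stdout + proc.stderr)
    if proc.returncode != 0 or errors:
        raise RuntimeError("ld failed:\n" + "\n".join(errors))
    return warnings


if __name__ == "__main__":
    # Constructed sample: the warning line from the issue log, run through the classifier.
    sample = ("/usr/bin/arm-linux-gnueabi-ld: warning: /tmp/pwn-asm-f2z999on/step3 "
              "has a LOAD segment with RWX permissions\n")
    print(split_linker_output(sample))
    print(extra_ldflags("GNU ld (GNU Binutils for Debian) 2.40"))
```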