ssh_process.elf can return incorrect ELF, when ssh_process.executable is included in the ssh cache path #1047

Closed
cpupower opened this issue Oct 8, 2017 · 1 comment

Comments

@cpupower
Contributor

cpupower commented Oct 8, 2017

When getting the target process' ELF using the ssh_process.elf property, a wrong ELF is returned when the path of the target binary on the remote system is included in the path of the local cache:

Example:
target.libs() returns:

{'/somepath/target/target1/somehost.org/lib32/libc.so.6': 4158791680, 
 '/somepath/target/target1/somehost.org/target/target1': 0, 
 '/somepath/target/target1/somehost.org/lib/ld-linux.so.2': 4160602112}

while target.executable is /target/target1.
So /target/target1 is included in the cache path.

Therefore the condition evaluates to true (just checks whether the string is contained):

for lib in libs:
    if self.executable in lib:
        return pwnlib.elf.elf.ELF(lib)

Maybe the condition should check

lib.endswith(self.executable)

instead. However, I am not 100% sure whether this covers all cases.

@zachriggle
Member

zachriggle commented Oct 8, 2017

Good catch!

I'm not sure how to resolve this perfectly, since it's also possible for a binary to rely on another ELF with the same basename. In the meantime, using basename is probably as good as we can do -- would you mind submitting a pull request? ❤️

Thanks!
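Added example, not part of the issue thread and not pwntools code: the three matching rules discussed above (containment, `endswith`, basename) run against the `libs()` mapping quoted in the issue and against a constructed mapping in which several cached ELFs share a basename. The function names, `CACHE_ROOT`, `AMBIGUOUS` and the stricter `match_under_root` rule are assumptions made for illustration.

```python
import os

# Cache-path -> load-address mapping and executable path quoted in the issue.
LIBS = {
    '/somepath/target/target1/somehost.org/lib32/libc.so.6': 4158791680,
    '/somepath/target/target1/somehost.org/target/target1': 0,
    '/somepath/target/target1/somehost.org/lib/ld-linux.so.2': 4160602112,
}
EXECUTABLE = '/target/target1'
CACHE_ROOT = '/somepath/target/target1/somehost.org'  # assumed known to the caller

# Constructed case: three cached ELFs that share the basename "target1".
AMBIGUOUS = {
    '/cache/host/opt/app/target1': 0x1000,
    '/cache/host/plugins/target1': 0x2000,
    '/cache/host/app/target1': 0,
}

def match_substring(libs, executable):
    """The containment test quoted in the issue."""
    return [lib for lib in libs if executable in lib]

def match_endswith(libs, executable):
    """The suffix test proposed in the issue."""
    return [lib for lib in libs if lib.endswith(executable)]

def match_basename(libs, executable):
    """The basename comparison suggested in the reply."""
    name = os.path.basename(executable)
    return [lib for lib in libs if os.path.basename(lib) == name]

def match_under_root(libs, executable, cache_root):
    """Hypothetical stricter test: exact remote path below a known cache root."""
    expected = cache_root.rstrip('/') + executable
    return [lib for lib in libs if lib == expected]

if __name__ == '__main__':
    cases = (('issue', LIBS, EXECUTABLE, CACHE_ROOT),
             ('constructed', AMBIGUOUS, '/app/target1', '/cache/host'))
    for name, libs, exe, root in cases:
        print(name)
        print('  substring :', match_substring(libs, exe))
        print('  endswith  :', match_endswith(libs, exe))
        print('  basename  :', match_basename(libs, exe))
        print('  under root:', match_under_root(libs, exe, root))
```

Each function returns every match rather than the first one, so a rule that is ambiguous for a given mapping shows up as a list with more than one entry.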
