Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Library fix #1911

Closed
wants to merge 2 commits into from
Closed

Library fix #1911

wants to merge 2 commits into from

Conversation

clubby789
Copy link
Contributor

@clubby789 clubby789 commented Jun 2, 2021
edited
Loading

This is a (partial) fix for #1871. Executing the ELF with this environment flag causes it to instead print the loaded object files. This is the approach used by ldd. However, it has the disadvantage of not returning all the mappings of procfs (i.e. heap, stack, the binary itself).

@clubby789
Use LD_TRACE_LOADED_OBJECTS in order to detect libraries used by an…
2ba3230 
… ELF

This is a (partial) fix for Gallopsled#1871. Executing the ELF with this environment flag causes it to instead print the loaded object files. This is the approach used by `ldd`. However, it has the disadvantage of not returning *all* the mappings of procfs (i.e. heap, stack, the binary itself).
@clubby789
Changelog
de520fb
@clubby789 clubby789 marked this pull request as draft June 2, 2021 23:03
@clubby789 clubby789 marked this pull request as ready for review June 2, 2021 23:06
@Arusekk
Copy link
Member

Arusekk commented Jun 8, 2021

The 'more correct' solution would be to upgrade the shellcode, like in the discussion in #1871. Otherwise, it looks well.

@heapcrash
Copy link
Collaborator

heapcrash commented Jun 8, 2021
edited
Loading

Another issue with LD_TRACE_LOADED_OBJECTS is that it only works with the GNU linker, ld.so. If you're on Android which uses crazy_linker, it won't work. Same is expected for most BSDs (though even then, procfs is not on by default).

Edit: Looks like musl ldd also does not support this flag.

@clubby789
Copy link
Contributor Author

What about checking for the kernel version, as well as GNU ldd being present?

@Arusekk
Copy link
Member

Arusekk commented Jun 8, 2021

Not really, I think the proper fix is to emit correct shellcode that cats /proc/self/maps, but does it portably, and then it will just work without next workarounds. The only bad news is that every architecture needs a separate shellcode.

@peace-maker
Copy link
Member

They can be added one after the other though when people need them? E.g. I'd be fine drafting some shellcode for x86, but don't want to commit to writing something for all supported architectures.

@Arusekk
Copy link
Member

Arusekk commented Jun 8, 2021

Yes, @peace-maker is correct. A different shellcraft.amd64.linux.cat implementation is enough for now. FYI the common amd64 (i386 too) shellcraft convention is to have a socket in ebp by default, and the opened fd in eax.

@Arusekk
Copy link
Member

Arusekk commented Feb 1, 2022

Obsoleted by #1995

@Arusekk Arusekk closed this Feb 1, 2022
@clubby789 clubby789 deleted the library-fix branch February 1, 2022 15:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@clubby789 @Arusekk @heapcrash @peace-maker