PoC examples broken by new version of binutils, warnings processed as errors #67

Open
KamicDemon opened this issue Dec 22, 2022 · 0 comments


KamicDemon commented Dec 22, 2022

When trying to run the nexus5 examples, such as the CVE_2018_19860 Crash on Connect example, pwntools throws an error. I assume this error is caused by the linker treating a certain warning as an error in this version of binutils.

Hardware: Google Nexus5
Operating System: Linux 6.0.0-kali5-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.0.10-2kali1 (2022-12-06) x86_64 GNU/Linux

To Reproduce
sudo ./CVE_2018_19860_Crash_on_Connect.py

Output log from commands:

```
$ sudo ./CVE_2018_19860_Crash_on_Connect.py
[*] Found multiple adb devices
[*] Connected to 0e5b1fa70c634e21
[*] Chip identifier: 0x6109 (003.001.009)
[*] Using fw_0x6109.py
[*] Loaded firmware information for BCM4335C0.
[*] Try to enable debugging on H4 (warning if not supported)...
[*] installing assembly patches to crash other device on connect requests...
There was an error running ['/usr/bin/arm-linux-gnueabi-ld', '--oformat=elf32-littlearm', '-EL', '-z', 'execstack', '-o', '/tmp/pwn-asm-f2z999on/step3', '/tmp/pwn-asm-f2z999on/step2', '--section-start=.shellcode=0x211800', '--entry=0x211800', '-z', 'max-page-size=4096', '-z', 'common-page-size=4096']:
It had this on stdout:
/usr/bin/arm-linux-gnueabi-ld: warning: /tmp/pwn-asm-f2z999on/step3 has a LOAD segment with RWX permissions

An error occurred while assembling:
1: .section .shellcode,"awx"
2: .global _start
3: .global __start
4: .p2align 2
5: _start:
6: __start:
7: .syntax unified
8: .arch armv7-a
9: .thumb
10: ldr r0, =table
11: bx lr
12: //dummy table entry
13: .align
14: table:
15: .byte 0x35 //nullsub1+1
16: .byte 0xAC
17: .byte 0x00
18: .byte 0x00
19: .byte 0x10 //length
20: .byte 0x00
21: .byte 0x00
22: .byte 0x00
Traceback (most recent call last):
  File "/usr/local/lib/python3.10/dist-packages/pwnlib/asm.py", line 702, in asm
    _run(linker + ldflags)
  File "/usr/local/lib/python3.10/dist-packages/pwnlib/asm.py", line 397, in _run
    log.error(msg, *args)
  File "/usr/local/lib/python3.10/dist-packages/pwnlib/log.py", line 424, in error
    raise PwnlibException(message % args)
pwnlib.exception.PwnlibException: There was an error running ['/usr/bin/arm-linux-gnueabi-ld', '--oformat=elf32-littlearm', '-EL', '-z', 'execstack', '-o', '/tmp/pwn-asm-f2z999on/step3', '/tmp/pwn-asm-f2z999on/step2', '--section-start=.shellcode=0x211800', '--entry=0x211800', '-z', 'max-page-size=4096', '-z', 'common-page-size=4096']:
It had this on stdout:
/usr/bin/arm-linux-gnueabi-ld: warning: /tmp/pwn-asm-f2z999on/step3 has a LOAD segment with RWX permissions

Traceback (most recent call last):
  File "/home/zarich/internalblue/examples/nexus5/./CVE_2018_19860_Crash_on_Connect.py", line 123, in <module>
    code = asm(ASM_SNIPPET_LMP_00_LOOKUP, vma=ASM_LOCATION_LMP_00_LOOKUP)
  File "/usr/local/lib/python3.10/dist-packages/pwnlib/context/__init__.py", line 1524, in setter
    return function(*a, **kw)
  File "/usr/local/lib/python3.10/dist-packages/pwnlib/asm.py", line 725, in asm
    log.exception("An error occurred while assembling:\n%s" % lines)
  File "/usr/local/lib/python3.10/dist-packages/pwnlib/asm.py", line 702, in asm
    _run(linker + ldflags)
  File "/usr/local/lib/python3.10/dist-packages/pwnlib/asm.py", line 397, in _run
    log.error(msg, *args)
  File "/usr/local/lib/python3.10/dist-packages/pwnlib/log.py", line 424, in error
    raise PwnlibException(message % args)
pwnlib.exception.PwnlibException: There was an error running ['/usr/bin/arm-linux-gnueabi-ld', '--oformat=elf32-littlearm', '-EL', '-z', 'execstack', '-o', '/tmp/pwn-asm-f2z999on/step3', '/tmp/pwn-asm-f2z999on/step2', '--section-start=.shellcode=0x211800', '--entry=0x211800', '-z', 'max-page-size=4096', '-z', 'common-page-size=4096']:
It had this on stdout:
/usr/bin/arm-linux-gnueabi-ld: warning: /tmp/pwn-asm-f2z999on/step3 has a LOAD segment with RWX permissions
```

Additional context

After some attempts to figure out the cause of the issue, I found a discussion of a similar error in another GitHub repo.

OP-TEE/optee_os#5471

The issue was attributed to the fact that binutils after 2.38 classifies this kind of behavior as an error and breaks the compilation, as addressed here:

OP-TEE/optee_os#5474

Adding the following flag to line 700 in pwnlib/asm.py solved the problem for me.

'--no-warn-rwx-segments'

This would probably be better classified as a pwntools issue, but I'm reporting it here since this is the context I found it in.
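
An added example, not code from this issue, internalblue or pwntools: one way to apply the workaround above only when the installed linker is new enough to know the flag, since an older `ld` rejects an option it does not recognise. The version threshold is an assumption taken from the issue's "after 2.38" statement, and the function names and sample version strings are constructed for illustration.

```python
import re
import subprocess

RWX_FLAG = "--no-warn-rwx-segments"   # flag named in the issue
LAST_WITHOUT_WARNING = (2, 38)        # assumption: threshold as stated in the issue
RWX_WARNING = "LOAD segment with RWX permissions"

def parse_ld_version(version_output):
    """Return (major, minor) from the first line of `ld --version`, or None."""
    lines = version_output.splitlines()
    if not lines:
        return None
    # Drop the parenthesised vendor tag first; it may contain digits of its own.
    banner = re.sub(r"\([^)]*\)", " ", lines[0])
    m = re.search(r"(\d+)\.(\d+)", banner)
    return (int(m.group(1)), int(m.group(2))) if m else None

def ld_version(linker):
    """Query a linker binary; returns None if it cannot be run."""
    try:
        res = subprocess.run([linker, "--version"], capture_output=True,
                             text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return parse_ld_version(res.stdout)

def patched_ldflags(ldflags, version):
    """Append the flag once, only for linkers new enough to accept it."""
    flags = list(ldflags)
    newer = version is not None and version > LAST_WITHOUT_WARNING
    if newer and RWX_FLAG not in flags:
        flags.append(RWX_FLAG)
    return flags

def only_rwx_warning(linker_output):
    """True if every non-empty output line is the RWX-segment warning."""
    lines = [l for l in linker_output.splitlines() if l.strip()]
    return bool(lines) and all("warning:" in l and RWX_WARNING in l for l in lines)

if __name__ == "__main__":
    base = ["-z", "execstack", "--section-start=.shellcode=0x211800"]
    print(patched_ldflags(base, ld_version("/usr/bin/arm-linux-gnueabi-ld")))
```

`only_rwx_warning` lets a caller tell this one warning apart from genuine link failures instead of silencing all linker output.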
