add_ko_file_search_support #2496

Open
wants to merge 8 commits into
base: dev

Conversation

zt20xx
Contributor

@zt20xx zt20xx commented Oct 27, 2024

There are so many parts related to the ELF header, so I just put it at the end of the search function. It would be awesome if you had a better way to handle it.

┌──(zt㉿pwntools)-[~/study/kernel/test-config]
└─$ cat t.py && python t.py
from pwn import ELF, asm

# ELF.search() yields every file offset at which the needle occurs
test = ELF("./rop.ko")
test_ret = test.search(asm("ret"))
print(hex(next(test_ret)))
print(hex(next(test_ret)))
print(hex(next(test_ret)))
print(hex(next(test_ret)))

[*] '/home/zt/study/kernel/test-config/rop.ko'
    Arch:       amd64-64-little
    RELRO:      No RELRO
    Stack:      No canary found
    NX:         NX enabled
    PIE:        No PIE (0x0)
    Stripped:   No
    Debuginfo:  Yes
0x13
0x33
0x5d
0x7a

┌──(zt㉿pwntools)-[~/study/kernel/test-config]
└─$ objdump -d ./rop.ko|grep 'ret'
  13:   c3                      ret
  33:   c3                      ret
  5d:   c3                      ret
  7a:   c3                      ret

@peace-maker
Member

Can you upload a test file where this is necessary? It looks like you're dealing with kernel modules?

@zt20xx
Contributor Author

zt20xx commented Oct 29, 2024

Can you upload a test file where this is necessary? It looks like you're dealing with kernel modules?

Yes, I build it with v4.19.322.
rop.zip

@Arusekk
Member

Arusekk commented Nov 7, 2024

Great job! I never thought of Linux modules to be honest.

IMO if this is to be useful, it should handle writable and executable as well.

Note that relocatable object files in general lack segments, but contain some sections, and all sections are offset from zero. I believe Linux modules are the only relocatable ELFs where searching is useful for hacking, so hardcoding its linking behaviour seems right (e.g. if .rodata always comes right after .text, followed by .data, aligned to one page), but it should be noted what are the absolute offsets, why, and how it uses self.address.

@zt20xx
Contributor Author

zt20xx commented Nov 16, 2024

I think it is useful now
https://gist.github.com/zt20xx/1dfbd4927d2381b7e2382570bf8d086e
rop.zip

text ret : 0xffffffffc0000013
0xdeadbeef : 0xffffffffc0002000
0xdead : 0xffffffffc0002002
note GUN : 0xffffffffc000100c
note linux : 0xffffffffc0001030
rodata kernel-module : 0xffffffffc000104d
rodata abcd : 0xffffffffc0001099

[ 3.126233] test_data_addr :ffffffffc0002000
[ 3.130211] test_data_value:00000000deadbeef
[ 3.133158] test_rodata:ffffffffc0001099
[ 3.136035] test_rodata:abcd
(gdb) x/i 0xffffffffc0000013
0xffffffffc0000013 <backdoor+19>: ret
(gdb) x/s 0xffffffffc000100c
0xffffffffc000100c: "GNU"
(gdb) x/s 0xffffffffc0001030
0xffffffffc0001030: "Linux"
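To make the section layout Arusekk describes concrete, and to show where addresses like the ones in the gist output above come from, here is an added example that is not part of this PR or of pwntools. It contains a minimal ELF64 relocatable section parser, a Python re-implementation of the core-section placement done by layout_sections() in kernel/module.c (v4.19: five passes for executable, read-only, read-only-after-init, writable and "small" sections, skipping .init*, with page alignment after the executable, read-only and read-only-after-init passes and at the end, as with CONFIG_STRICT_MODULE_RWX), and a search that accepts writable/executable filters in the style of pwntools' ELF.search(). The sample .ko is constructed in memory, the module base 0xffffffffc0000000 is assumed, and ARCH_SHF_SMALL is ignored (it is 0 on x86-64).

```python
import struct

# Section flags from elf.h; SHF_RO_AFTER_INIT is Linux's own (include/linux/elf.h)
SHF_WRITE, SHF_ALLOC, SHF_EXECINSTR = 0x1, 0x2, 0x4
SHF_RO_AFTER_INIT = 0x00200000
PAGE_SIZE = 0x1000                           # assumed x86-64 page size

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")    # Elf64_Ehdr, little-endian
SHDR = struct.Struct("<IIQQQQIIQQ")          # Elf64_Shdr


def _align(x, a):
    return -(-x // a) * a if a > 1 else x


def build_rel_elf(sections):
    """Build a minimal ET_REL ELF64 (x86-64) in memory from (name, flags, data,
    addralign) tuples. Constructed input for this example; sh_type does not
    matter to the loader's layout, so SHT_PROGBITS is used for every section."""
    shstrtab, names = b"\x00", {}
    for name, _, _, _ in sections + [(".shstrtab", 0, b"", 1)]:
        names[name] = len(shstrtab)
        shstrtab += name.encode() + b"\x00"
    body, hdrs = b"", [SHDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0)]   # index 0: SHN_UNDEF
    for name, flags, data, align in sections:
        hdrs.append(SHDR.pack(names[name], 1, flags, 0, EHDR.size + len(body), len(data), 0, 0, align, 0))
        body += data
    hdrs.append(SHDR.pack(names[".shstrtab"], 3, 0, 0, EHDR.size + len(body), len(shstrtab), 0, 0, 1, 0))
    body += shstrtab
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8        # ELFCLASS64, ELFDATA2LSB
    ehdr = EHDR.pack(ident, 1, 0x3E, 1, 0, 0, EHDR.size + len(body), 0,
                     EHDR.size, 0, 0, SHDR.size, len(hdrs), len(hdrs) - 1)
    return ehdr + body + b"".join(hdrs)


def parse_sections(blob):
    """Return [(name, flags, addralign, data)] for every section header of an ELF64 file."""
    f = EHDR.unpack_from(blob)
    assert f[0][:4] == b"\x7fELF" and f[0][4] == 2, "ELF64 only"
    shoff, shentsize, shnum, shstrndx = f[6], f[11], f[12], f[13]
    raw = [SHDR.unpack_from(blob, shoff + i * shentsize) for i in range(shnum)]
    strtab = blob[raw[shstrndx][4]:raw[shstrndx][4] + raw[shstrndx][5]]
    out = []
    for sh_name, sh_type, flags, _, offset, size, _, _, addralign, _ in raw:
        name = strtab[sh_name:strtab.index(b"\x00", sh_name)].decode()
        data = b"" if sh_type == 8 else blob[offset:offset + size]   # SHT_NOBITS has no file bytes
        out.append((name, flags, addralign, data))
    return out


def layout_core(sections):
    """Place core sections like kernel/module.c:layout_sections() (v4.19).
    Returns ({section index: offset from module base}, total core size).
    .init* sections are left out: the loader frees them after init."""
    passes = [   # (flags that must be set, flags that must be clear, page-align afterwards)
        (SHF_EXECINSTR | SHF_ALLOC, 0, True),
        (SHF_ALLOC, SHF_WRITE, True),
        (SHF_RO_AFTER_INIT | SHF_ALLOC, 0, True),
        (SHF_WRITE | SHF_ALLOC, 0, False),
        (SHF_ALLOC, 0, True),
    ]
    placed, size = {}, 0
    for want, forbid, page_align in passes:
        for i, (name, flags, addralign, data) in enumerate(sections):
            if i in placed or (flags & want) != want or flags & forbid or name.startswith(".init"):
                continue
            placed[i] = _align(size, addralign or 1)
            size = placed[i] + len(data)
        if page_align:
            size = _align(size, PAGE_SIZE)
    return placed, size


def search_module(blob, needle, base=0, writable=False, executable=False):
    """Runtime addresses of `needle` inside the loaded module's core layout.
    writable/executable restrict the search to sections with that flag."""
    sections = parse_sections(blob)
    placed, _ = layout_core(sections)
    found = []
    for i, off in sorted(placed.items(), key=lambda kv: kv[1]):
        _, flags, _, data = sections[i]
        if (writable and not flags & SHF_WRITE) or (executable and not flags & SHF_EXECINSTR):
            continue
        pos = data.find(needle)
        while pos != -1:
            found.append(base + off + pos)
            pos = data.find(needle, pos + 1)
    return found


# Constructed sample imitating the rop.ko of this PR: a function ending in ret,
# a GNU build-id note, string constants and a 0xdeadbeef in .data.
SAMPLE_KO = build_rel_elf([
    (".text", SHF_ALLOC | SHF_EXECINSTR, bytes.fromhex("554889e55dc3"), 16),   # push rbp; mov rbp,rsp; pop rbp; ret
    (".init.text", SHF_ALLOC | SHF_EXECINSTR, b"\xc3", 16),                    # must never be reported
    (".note.gnu.build-id", SHF_ALLOC, struct.pack("<III", 4, 8, 3) + b"GNU\x00" + b"\x11" * 8, 4),
    (".rodata", SHF_ALLOC, b"kernel-module\x00abcd\x00", 1),
    (".data", SHF_ALLOC | SHF_WRITE, struct.pack("<Q", 0xDEADBEEF), 8),
])
MODULE_BASE = 0xFFFFFFFFC0000000   # assumed load address, as in the gdb session above

if __name__ == "__main__":
    for label, needle, kw in [("text ret", b"\xc3", {"executable": True}), ("note GNU", b"GNU", {}),
                              ("rodata abcd", b"abcd", {}), ("0xdeadbeef", b"\xef\xbe\xad\xde", {"writable": True})]:
        for addr in search_module(SAMPLE_KO, needle, MODULE_BASE, **kw):
            print(f"{label:12s}: {addr:#x}")
```

With this layout the sample's .text starts at the module base, the note and .rodata land on the next page (so "GNU" is found at base+0x100c, the same offset the gist output shows), and .data on the page after that, which is why 0xdeadbeef sits at base+0x2000 in the PR's test. The placement is hard-coded kernel behaviour rather than anything the file itself declares, so it changes with kernel version and config (without CONFIG_STRICT_MODULE_RWX there is no page alignment between passes); on a live target, compare against the offsets in /sys/module/<name>/sections/ before trusting the computed addresses.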
