Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add PR_SET_PTRACER to process and ssh.process #828

Merged
merged 24 commits into from
Jan 4, 2017
Merged

Add PR_SET_PTRACER to process and ssh.process #828

merged 24 commits into from
Jan 4, 2017

Conversation

zachriggle
Copy link
Member

@zachriggle zachriggle commented Dec 28, 2016
edited
Loading

Using PR_SET_PTRACER will avoid running into issues with debugging when kernel YAMA security settings are enabled.

These can be disabled locally, but require root access. This is a problem for both rootless Travis CI testing, and e.g. debugging Wargame processes.

PR_SET_PTRACER should have no negative functional effects, and only side-steps the YAMA mitigations (it does not permit any ptracer, UID/GID checks still apply, etc.).

This grants us the ability to do e.g. process.corefile on systems with YAMA enforcing, like Travis.

@zachriggle zachriggle self-assigned this Dec 28, 2016
@zachriggle
Copy link
Member Author

zachriggle commented Dec 28, 2016
edited
Loading

It looks like the core dumps generated by GDB do not contain all of the data, at least as can be seen from PyElfTools.

For example:

$ gcore $$
Saved corefile core.17366
$ readelf -a /proc/$$/exe | grep -i 'Entry point'
  Entry point address:               0x42020b
$ gdb -q --nh --nx /proc/$$/exe core.17366
(gdb) x/wx 0x42020b
0x42020b <_start>:      0x8949ed31
(gdb) q
$ python
>>> from pwn import *
>>> c=Core('core.17366')
>>> c.u32(0x42020b)
0
>>> seg = next(s for s in c.segments if s.header.p_vaddr <= 0x42020b and 0x42020b < s.header.p_vaddr + s.header.p_memsz)
>>> seg.header
Container({'p_memsz': 978944, 'p_flags': 5, 'p_offset': 7136, 'p_type': 'PT_LOAD', 'p_align': 1, 'p_paddr': 0, 'p_filesz': 0, 'p_vaddr': 4194304})
>>> seg.data()
''
>>> data = read(c.file.name)
>>> data[7136:7136+4]
'\x00\x00\x00\x00'

We can see that it looks like GDB is pulling the data directly from the original file.

$ strace -x -P /bin/bash gdb -q --batch --nh --nx --ex 'x/wx 0x42020b' /bin/bash core.17366
...
lseek(8, 131072, SEEK_SET)              = 131072
read(8, "\x0f\x85\x0c\xfc\xff\xff\x48\x8b\x3d\xbb\x8c\x2d\x00\xe8\x8e\xdc\xff\xff\x89\xc7\xe8\x57\xf2\x06\x00\x85\xc0\x0f\x85\xf1\xfb\xff"..., 4096) = 4096
0x42020b <_start>:      0x8949ed31

@zachriggle
Copy link
Member Author

This has to do with https://sourceware.org/bugzilla/show_bug.cgi?id=16092

@zachriggle zachriggle force-pushed the pr-set-ptracer branch 3 times, most recently from 24996f4 to cb7b2cf Compare January 3, 2017 21:23
@zachriggle zachriggle added this to the Someday milestone Jan 3, 2017
@zachriggle
Add PR_SET_PTRACER to initialization, and add doctests for process.le…
da7bd22 
…ak/corefile
@zachriggle
Add PR_SET_PTRACER to SSH processes
c9582f6
@zachriggle
Do not warn about YAMA if we dont need to
41be9a2
@zachriggle
Fix doctest to use raw strings
e093f3a
@zachriggle
Fix typo in doctest
cd45ecd
@zachriggle
Apparently GDB is not installed on Travis by default
a3aac27
@zachriggle
Add warning message to process("foo") vs process("./foo")
d312629
@zachriggle
Add gdb.corefile; make run_in_new_terminal return a PID
018f2f0
@zachriggle
Intentionally break doctest because I dont believe that it worked
30b8aba
@zachriggle
Fix codacy issues
0515e5d
@zachriggle
Fix gdb.attach return value
c6dd6b3
@zachriggle
Add missing import
c0aadc8
@zachriggle
Fix typo, use waitpid
9fa88a7
@zachriggle
Refactor some code into gdb.version / gdb.binary
b61ab53
@zachriggle
Permit GDB with multipart versions
957a757
@zachriggle
Fix repr() on Corefile
a9f2bdf
@zachriggle
Silence run-in-new-terminal message for gdb.corefile
cf9cd23
@zachriggle
Fix version number
0abdaac
@zachriggle
Remove Yama warning message entirely, it should no longer be necessary
a5c587a
@zachriggle
Version detection is hard. Regular expressions to the rescue!
65e908c
@zachriggle
Remove process.kill/stop/resume, those will be a different PR
e2590bd
TethysSvensson
TethysSvensson approved these changes Jan 3, 2017
View reviewed changes
Copy link
Contributor

@TethysSvensson TethysSvensson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

While I haven't reviewed all of this in detail, it looks nice.

As long as you test it as well, as you deem feasible, you have my LGTM.

@zachriggle zachriggle merged commit cca9782 into Gallopsled:dev Jan 4, 2017
@zachriggle zachriggle deleted the pr-set-ptracer branch January 4, 2017 17:59
@zachriggle
Copy link
Member Author

Travis and Codacy passed, Coveralls failed. There's currently no tests for any of the GDB functionality, so that's fine.

@TethysSvensson TethysSvensson modified the milestones: 3.5.0, Someday Jan 10, 2017
@bet4it bet4it mentioned this pull request Mar 14, 2020
Merged
Kyle-Kyle pushed a commit to Kyle-Kyle/pwntools that referenced this pull request Apr 25, 2021
@kevinpark1217
In setup.sh, remove installation of python2 for apt (Gallopsled#828)
a9c43ed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@TethysSvensson TethysSvensson TethysSvensson approved these changes

Assignees

@zachriggle zachriggle

Labels
enhancement
Projects
None yet
Milestone
3.5.0
Development

Successfully merging this pull request may close these issues.
2 participants
@zachriggle @TethysSvensson