gdb.debug() - exe parameter is not respected #1273

Closed
elklepo opened this issue Feb 20, 2019 · 3 comments · Fixed by #2233
elklepo commented Feb 20, 2019

Given executable:

$ cat main.c
int main()
{
    while(1);
}
$ gcc main.c -o a.out

I'd like to run and debug this binary with modified argv[0]. First, I've tried:

from pwn import *
# Start the binary with a custom argv[0], then attach gdb to the running process.
t = process(executable='./a.out', argv=['fake_argv[0]', 'argv[1]'])
gdb.attach(t)
t.interactive()

and everything works great - argv[0] is properly replaced in the process.

Because the process of the real binary I want to debug ends before gdb.attach() has time to be called, I tried to use gdb.debug():

from pwn import *
t = gdb.debug(exe='./a.out', args=['fake_argv[0]', 'argv[1]'])
t.interactive()

but I get an error:

Traceback (most recent call last):
File "./exp.py", line 4, in
t = gdb.debug(exe='./a.out', args=['fake_argv[0]', 'argv[1]'])
File "/usr/local/lib/python2.7/dist-packages/pwnlib/context/init.py", line 1395, in setter
return function(*a, **kw)
File "/usr/local/lib/python2.7/dist-packages/pwnlib/gdb.py", line 454, in debug
port = _gdbserver_port(gdbserver, ssh)
File "/usr/local/lib/python2.7/dist-packages/pwnlib/gdb.py", line 258, in _gdbserver_port
gdbserver.pid = int(process_created.split()[-1], 0)
ValueError: invalid literal for int() with base 0: 'found'

Further investigation showed that gdb.debug() still tries to execute the binary from args[0], in this example "fake_argv[0]". It seems that the exe parameter is not respected.

I need some kind of temporary solution while this issue persists - is there any option to yield the process created with process() and attach to it before this process starts execution?

giladreti added a commit to giladreti/pwntools that referenced this issue Jan 26, 2022
before this commit, it was not possible to specify `argv[0]` using `gdb.debug`, nor run the program with `argc = 0` (see for example Gallopsled#1273)

this commit adds support for specifying both `argv` and `exe`, thus allowing further customization of the provided arguments.
goreil commented Jul 7, 2023

What is the issue with Pull request #2024?

If no one is working on it I have a few ideas that I want to test.

@peace-maker

I think it doesn't keep the environment variables in the specified order for Python versions that don't keep insertion order on dicts, per Arusekk's comment, but let's discuss this in that PR please. If @giladreti doesn't have time to work on it anymore, you're more than welcome to open your own PR!

@giladreti

I don't think I will have time to work on it anytime soon. I do agree with the response on my PR that we should probably use the same process customization method as with normal execs (via a Python script exec'ing our program at the end), as it will give us more feature support for free.

goreil added a commit to goreil/pwntools that referenced this issue Jul 8, 2023
This feature currently only works for context.native, i.e.
for LOCAL debugging on 'i386' or 'amd64'

Implementation Challenges and solution:
1. `gdbserver` has no immediate support for manipulating argv[0]
    * Use the `--wrapper` flag, to execve the binary
    * Note that it must be an execve and not an fork+execve, since
      otherwise gdbserver doesn't attach
2. In python3 `os.execve` doesn't allow empty argv[0].
    * Use `ctypes` to effectively call the execve function from Libc via
      python
    * `_generate_execve_script` generates this script and stores it in a
      temp file
    * `gdbserver --wrapper python script.py -- dummy` to call it
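The wrapper approach described in this commit message, and the custom argv[0] / argc == 0 case the issue opens with, as an added Python example; this is not pwntools' own code, and `build_c_argv`, `raw_execve` and `generate_execve_script` are hypothetical stand-ins for the commit's `_generate_execve_script`:

```python
import ctypes
import ctypes.util
import os


def build_c_argv(strings):
    """Build the NULL-terminated char*[] that execve(2) expects.

    An empty list gives an array holding only the terminator, so the target
    starts with argc == 0, something os.execve() rejects on Python 3.
    """
    arr = (ctypes.c_char_p * (len(strings) + 1))()  # last slot stays NULL
    for i, s in enumerate(strings):
        arr[i] = os.fsencode(s)
    return arr


def raw_execve(exe, argv, env=None):
    """Replace this process with `exe`, passing argv verbatim (argv[0] included).

    Only returns if the exec fails; the return value is the errno libc set.
    """
    env = os.environ if env is None else env
    libc = ctypes.CDLL(ctypes.util.find_library("c"), use_errno=True)
    libc.execve.argtypes = [ctypes.c_char_p, ctypes.POINTER(ctypes.c_char_p),
                            ctypes.POINTER(ctypes.c_char_p)]
    envp = build_c_argv(["%s=%s" % kv for kv in env.items()])
    libc.execve(os.fsencode(exe), build_c_argv(argv), envp)
    return ctypes.get_errno()


def generate_execve_script(exe, argv):
    """Return the source of a stand-alone wrapper script for gdbserver --wrapper.

    The wrapper must exec in place (no fork), otherwise gdbserver keeps
    tracing the wrapper instead of the target binary.
    """
    return "\n".join([
        "import ctypes, ctypes.util, os, sys",
        "libc = ctypes.CDLL(ctypes.util.find_library('c'), use_errno=True)",
        "def carr(strings):",
        "    arr = (ctypes.c_char_p * (len(strings) + 1))()",
        "    for i, s in enumerate(strings):",
        "        arr[i] = os.fsencode(s)",
        "    return arr",
        "envp = carr(['%s=%s' % kv for kv in os.environ.items()])",
        "libc.execve(%r, carr(%r), envp)" % (exe, argv),
        "sys.exit('execve failed, errno %d' % ctypes.get_errno())",
        "",
    ])
```

Writing the returned text to a temp file and passing that file to `gdbserver --wrapper` (as the commit message describes) makes gdbserver attach to the exec'd target with exactly the argv given, including an empty one.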
@Arusekk Arusekk linked a pull request Jul 24, 2023 that will close this issue