Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix attaching to a gdbserver with tuple gdb.attach(('0.0.0.0',12345)) #2291

Merged
merged 4 commits into from
Oct 28, 2024

Conversation

ckxckx
Copy link
Contributor

@ckxckx ckxckx commented Oct 31, 2023

fix for issues/2290

@Arusekk
Copy link
Member

Arusekk commented Oct 31, 2023

Alright, now I see the error is there. But the error is in a different place.

pidof((host, port)) is currently documented as finding a process that has connected to (host, port). But there is no one connected to the gdb server, so it returns nothing.

Your fix breaks all other use cases, the proper fix would be to change the pidof() functionality in GDB to use sock_match(target, None) instead of sock_match(None, target).

I think pwning servers is more common than pwning clients [citation needed™], so this logic can be inverted to find a process listening on (host,port) instead of the one connected to (host,port).
You will then need to fix the test of pidof (simply changing lport to rport should be enough).
CHANGELOG would be required then for sure.
@peace-maker WDYT, is that okay?

@ckxckx
Copy link
Contributor Author

ckxckx commented Oct 31, 2023

Actually, we meet this bug when we use gdb.attach to Qemu gdbstub ...

@peace-maker
Copy link
Member

This went under my radar for a while :D I've hit this too this weekend and I think it's fine to assume we're looking for the server providing the port instead of a client being connected to a port.

It seems the logic in net.sock_match need to be inverted too. Right now it always expects a remote socket and optionally a local socket. When we switch the proc.pidof parameters we'll always pass None as remote and will never match anything due to the check in line 269.

pwntools/pwnlib/util/net.py

Lines 262 to 273 in 5981c72

if local is not None:
local = sockinfos(local, fam, typ)
remote = sockinfos(remote, fam, typ)
def match(c):
laddrs = sockinfos(c.laddr, c.family, c.type)
raddrs = sockinfos(c.raddr, c.family, c.type)
if not (raddrs & remote):
return False
if local is None:
return True
return bool(laddrs & local)

@peace-maker peace-maker changed the title Patch for #issues/2290 : the result of target remote match is wrong when we attach gdb with "gdb.attach(('0.0.0.0',1234))" Fix attaching to a gdbserver with tuple gdb.attach(('0.0.0.0',12345)) Oct 26, 2024
@peace-maker peace-maker force-pushed the dev branch 9 times, most recently from 5e7276f to ddbdfc9 Compare October 28, 2024 19:54
Instead of returning the process which is connected to port 1234,
return the process which is listening on that port.
@peace-maker peace-maker merged commit 51cbdb4 into Gallopsled:dev Oct 28, 2024
14 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

the result of target remote match is wrong when we attach gdb with "gdb.attach(('0.0.0.0',1234))"
3 participants