Fix aslr command and file.get_file on QEMU targets

The ASLR command did not work properly on QEMU kernel targets: it read /proc/sys/kernel/randomize_va_space and then /proc/<pid>/personality on local filesystem which was wrong, and returned that it couldn't read personality. Now, this commit made so that: - the `pwndbg.file.get_file` will print a warning if it returns a local path on remote targets - the `check_aslr` was refactored: we don't run this on `new_objfile` or cache its result; the `pwndbg.vmmap.aslr` was also removed as it was never used - the `pwndbg.vmmap.check_aslr` and `aslr` command will now return info if we couldn't detect ASLR on QEMU targets
4 years ago · 69094409f5
parent 27506431e8
commit 69094409f5
4 changed files with 35 additions and 38 deletions
--- a/pwndbg/android.py
+++ b/pwndbg/android.py
@ -7,11 +7,15 @@ import pwndbg.events
 import pwndbg.file
 import pwndbg.memoize
 import pwndbg.remote
+import pwndbg.qemu


@pwndbg.memoize.reset_on_start
@pwndbg.memoize.reset_on_exit
 def is_android():
+    if pwndbg.qemu.is_qemu():
+        return False
+
    try:
        if pwndbg.file.get('/system/etc/hosts'):
            return True
--- a/pwndbg/commands/aslr.py
+++ b/pwndbg/commands/aslr.py
@ -30,9 +30,12 @@ def aslr(state=None):
            print("Change will take effect when the process restarts")

    aslr, method = pwndbg.vmmap.check_aslr()
-    status = message.off('OFF')

-    if aslr:
+    if aslr is True:
        status = message.on('ON')
+    elif aslr is False:
+        status = message.off('OFF')
+    else:
+        status = message.off('???')

    print("ASLR is %s (%s)" % (status, method))
--- a/pwndbg/file.py
+++ b/pwndbg/file.py
@ -29,18 +29,21 @@ def get_file(path):
    qemu_root = pwndbg.qemu.root()
    if qemu_root:
        return os.path.join(qemu_root, path)
-    elif pwndbg.remote.is_remote() and not pwndbg.qemu.is_qemu():
-        local_path = tempfile.mktemp(dir=pwndbg.symbol.remote_files_dir)
-        error      = None
-        try:
-            error = gdb.execute('remote get "%s" "%s"' % (path, local_path),
-                                 to_string=True)
-        except gdb.error as e:
-            error = e
-
-        if error:
-            raise OSError("Could not download remote file %r:\n" \
-                            "Error: %s" % (path, error))
+    elif pwndbg.remote.is_remote():
+        if not pwndbg.qemu.is_qemu():
+            local_path = tempfile.mktemp(dir=pwndbg.symbol.remote_files_dir)
+            error      = None
+            try:
+                error = gdb.execute('remote get "%s" "%s"' % (path, local_path),
+                                     to_string=True)
+            except gdb.error as e:
+                error = e
+
+            if error:
+                raise OSError("Could not download remote file %r:\n" \
+                                "Error: %s" % (path, error))
+        else:
+            print("[pwndbg warning]: pwndbg.file.get(%s) returns local path" % path)

    return local_path

--- a/pwndbg/vmmap.py
+++ b/pwndbg/vmmap.py
@ -425,31 +425,23 @@ def find_boundaries(addr, name='', min=0):

    return pwndbg.memory.Page(start, end-start, 4, 0, name)

-aslr = False
-
-@pwndbg.events.new_objfile
-@pwndbg.memoize.while_running
 def check_aslr():
-    vmmap = sys.modules[__name__]
-    vmmap.aslr = False
-
-    # Check to see if ASLR is disabled on the system.
-    # if not pwndbg.remote.is_remote():
-    system_aslr = True
-    data        = b''
+    """
+    Detects the ASLR status. Returns True, False or None.

+    None is returned when we can't detect ASLR.
+    """
    # QEMU does not support this concept.
-    if pwndbg.qemu.is_qemu_usermode():
-        return vmmap.aslr
+    if pwndbg.qemu.is_qemu():
+        return None, 'Could not detect ASLR on QEMU targets'

    # Systemwide ASLR is disabled
    try:
        data = pwndbg.file.get('/proc/sys/kernel/randomize_va_space')
        if b'0' in data:
-            vmmap.aslr = False
-            return vmmap.aslr, 'kernel.randomize_va_space == 0'
+            return False, 'kernel.randomize_va_space == 0'
    except Exception as e:
-        print("Could not check ASLR: Couldn't get randomize_va_space")
+        print("Could not check ASLR: can't read randomize_va_space")
        pass

    # Check the personality of the process
@ -457,11 +449,9 @@ def check_aslr():
        try:
            data = pwndbg.file.get('/proc/%i/personality' % pwndbg.proc.pid)
            personality = int(data, 16)
-            if personality & 0x40000 == 0:
-                vmmap.aslr = True
-            return vmmap.aslr, 'read status from process\' personality'
+            return (personality & 0x40000 == 0), 'read status from process\' personality'
        except:
-            print("Could not check ASLR: Couldn't get personality")
+            print("Could not check ASLR: can't read process' personality")
            pass

    # Just go with whatever GDB says it did.
@ -469,10 +459,7 @@ def check_aslr():
    # This should usually be identical to the above, but we may not have
    # access to procfs.
    output = gdb.execute('show disable-randomization', to_string=True)
-    if "is off." in output:
-        vmmap.aslr = True
-
-    return vmmap.aslr, 'show disable-randomization'
+    return ("is off." in output), 'show disable-randomization'

@pwndbg.events.cont
 def mark_pc_as_executable():