
Add convenient exploit for _IO_wide_data #2442

Draft: wants to merge 7 commits into base: dev

Conversation

RocketMaDev

After glibc 2.35, one of the exploitable paths is FSOP, utilizing the unchecked vtable for _IO_wide_data. This PR brings the related structures into Python and convenient methods to create an out-of-the-box payload.

WIP.

@peace-maker
Member

We should keep a proxy pwnlib/filepointer.py which just re-exports the new pwnlib/file/filepointer.py for backwards compatibility.

@RocketMaDev
Author

Oh I see. In case someone uses pwntools in library mode, right? Should I just write from pwnlib.file.filepointer import * in the proxy file?

RocketMaDev requested a review from Arusekk, August 20, 2024 10:29
@RocketMaDev
Author

Since I work on an old branch, should I update my branch with a rebase when I'm done, and write down the changelog?

@RocketMaDev
Author

How do I meet the doctest requirement in both Python 2 and Python 3? bytes' repr behavior is different between the 2 versions...

@Arusekk
Member

Arusekk commented Aug 20, 2024

I believe the latest failure is not about bytes' repr, but rather about the bytes constructor from an array. You can use bytearray, which works the same across both, and cast that to bytes later, like: bytes(bytearray(L)). You can also stick with the bytearray, as it is more convenient to work with anyway.

The documentation should be py3-native (or even py3-only). Back when porting to py3, I implemented a custom doctest comparator for py2 that should accept enough py3 to pass the tests successfully.
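The bytearray-based construction suggested above, as an added example that is not part of the PR or of pwntools (check_layout and build_buffer are assumed helper names, and the field layout is constructed): a zero-filled bytearray replaces [0] * maxlen, packed fields are written at offsets, and the result is cast to bytes with a py3-native doctest.

```python
import struct


def check_layout(maxlen, fields, endian="<"):
    """Return a list of layout problems (empty when the fields fit cleanly).

    Reports fields that run past `maxlen` and fields whose byte ranges
    overlap, since an overlap silently overwrites an earlier value.
    """
    problems = []
    covered = [None] * maxlen  # index of the field that wrote each byte
    for idx, (offset, fmt, _value) in enumerate(fields):
        size = struct.calcsize(endian + fmt)
        if offset < 0 or offset + size > maxlen:
            problems.append("field %d (%s at %d) overruns %d-byte buffer"
                            % (idx, fmt, offset, maxlen))
            continue
        for pos in range(offset, offset + size):
            if covered[pos] is not None:
                problems.append("field %d overlaps field %d at byte %d"
                                % (idx, covered[pos], pos))
                break
            covered[pos] = idx
    return problems


def build_buffer(maxlen, fields, endian="<"):
    """Zero-fill a `maxlen`-byte buffer and write packed fields into it.

    `fields` is a sequence of (offset, struct-format, value) tuples. The
    buffer is a bytearray, so the same code works on Python 2 and 3
    (bytes([0] * n) gives a textual repr on Python 2); it is cast to bytes
    at the end, so the doctest below is py3-native.

    >>> build_buffer(8, [(0, "I", 1), (4, "H", 0xBEEF)])
    b'\\x01\\x00\\x00\\x00\\xef\\xbe\\x00\\x00'
    """
    problems = check_layout(maxlen, fields, endian)
    if problems:
        raise ValueError("; ".join(problems))
    buf = bytearray(maxlen)  # portable replacement for [0] * maxlen
    for offset, fmt, value in fields:
        packed = struct.pack(endian + fmt, value)
        buf[offset:offset + len(packed)] = packed
    return bytes(buf)
```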

@RocketMaDev
Author

So do you mean that I should replace [0] * maxlen with bytearray(maxlen)?
