zardus / preeny

Some helpful preload libraries for pwning stuff.

desock question

RnmX opened this issue · comments

commented

Hello,

first of all, thank you for your code! I tried desock with the test file provided in the repo and it works well. Then I moved on to a target I'm currently fuzzing (Abyss Web Server), and I'm facing some issues now. When I run desock like this:

PREENY_INFO=1 PREENY_ERROR=1 PREENY_DEBUG=1 LD_PRELOAD=x86_64-linux-gnu/desock.so /opt/abyssws/abyssws-x64

This is an output I receive:

Abyss Web Server X1 (v 2.12.1)
Copyright (C) Aprelium - 2001-2019

Error: to 507)
Error: from 0)
Error: 508
Error: 0
Error: fd 507
Error: 0
Error: 508
Error: to 1)
Error: Request


Powered by Abyss Web Server X1
Copyright © Aprelium - 2001-2019

+++ wrote 468 bytes to 1 (had read from 507)
+++ shutting down desock...
+++ ... shutdown complete!

Do you have any idea what could go wrong here? I would expect to see "Intercepted socket()!" among the first output messages, but here I'm getting errors right away.

Thanks a lot!

Hmm... Those error messages are coming from Abyss, so it's hard to say. Web servers can do some crazy things to mess with sockets, some of which might be interfering with preeny. It's hard to guess specifically what.

Some steps forward that come to mind:

  1. Try desock_dup instead of desock. Depending on how the server is implemented, it might work.
  2. Run Abyss with ltrace and try to figure out what it does that makes it go haywire with preeny. It'll be some socket operation that preeny doesn't intercept, probably.
  3. I don't know what abyss does internally, but if it talks to itself over sockets (some things do this, though all that comes readily to mind are CTF challenges), it'll go completely crazy.
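To make step 2 concrete, here is an added example that is my own code and not preeny's desock.c (whose exact hook list is not reproduced here): a minimal desock-style interposer that records every libc socket entry point the target reaches and swaps an AF_INET stream socket for a local socketpair, so the fuzzer talks to the server over a file descriptor. Built with `gcc -fPIC -shared -o hook.c hook.so` it can be used as `LD_PRELOAD`; compiled into an ordinary program, as below, it interposes that program's own calls. The `toy_server_accept` function and its 0.0.0.0:8080 bind are a constructed stand-in for a real daemon's startup, not what Abyss does; the code assumes Linux on x86_64 with glibc. The last function shows the caveat behind step 2: a call that bypasses libc's exported symbol (raw `syscall(2)`, inline assembly, a statically linked libc) never reaches a preloaded hook.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>

#define MAX_FDS 1024

/* Which libc socket entry points the target reached: the audit trail that
 * step 2 above asks for, collected by the hook itself instead of by ltrace. */
enum { H_SOCKET, H_BIND, H_LISTEN, H_ACCEPT4, H_COUNT };
static int hook_calls[H_COUNT];

/* peer_plus1[fd] = 1 + the fuzzer-side end of the socketpair that replaced fd,
 * or 0 when fd is an ordinary descriptor this hook did not touch. */
static int peer_plus1[MAX_FDS];

static int is_desocked(int fd) { return fd >= 0 && fd < MAX_FDS && peer_plus1[fd] != 0; }

/* Hook: an AF_INET/AF_INET6 stream socket becomes one end of a local socketpair.
 * Everything else goes to the kernel via the raw syscall, never through libc's
 * socket() (which would be this very function again). */
int socket(int domain, int type, int protocol) {
    hook_calls[H_SOCKET]++;
    if ((domain == AF_INET || domain == AF_INET6) && (type & 0xff) == SOCK_STREAM) {
        int sv[2];
        if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
        if (sv[0] < MAX_FDS) peer_plus1[sv[0]] = sv[1] + 1;
        fprintf(stderr, "+++ Intercepted socket(): fd %d, fuzzer side is fd %d\n", sv[0], sv[1]);
        return sv[0];
    }
    return (int)syscall(SYS_socket, domain, type, protocol);
}

/* bind()/listen() on a desocked fd have nothing to do; report success. */
int bind(int fd, const struct sockaddr *addr, socklen_t len) {
    hook_calls[H_BIND]++;
    if (is_desocked(fd)) return 0;
    return (int)syscall(SYS_bind, fd, addr, len);
}

int listen(int fd, int backlog) {
    hook_calls[H_LISTEN]++;
    if (is_desocked(fd)) return 0;
    return (int)syscall(SYS_listen, fd, backlog);
}

/* accept()/accept4() on a desocked fd hand back a dup of the listening fd:
 * the single "client" is the socketpair end the fuzzer already holds. */
int accept4(int fd, struct sockaddr *addr, socklen_t *len, int flags) {
    hook_calls[H_ACCEPT4]++;
    if (is_desocked(fd)) {
        int c = dup(fd);
        if (c >= 0 && c < MAX_FDS) peer_plus1[c] = peer_plus1[fd];
        if (addr && len) *len = 0;
        (void)flags;
        return c;
    }
    return (int)syscall(SYS_accept4, fd, addr, len, flags);
}

int accept(int fd, struct sockaddr *addr, socklen_t *len) { return accept4(fd, addr, len, 0); }

/* Fuzzer-side accessors. */
int desock_peer_fd(int fd) { return is_desocked(fd) ? peer_plus1[fd] - 1 : -1; }
int desock_calls(int which) { return (which >= 0 && which < H_COUNT) ? hook_calls[which] : -1; }

/* Constructed stand-in for a daemon's startup (0.0.0.0:8080 is invented, not
 * what Abyss does). Returns the accepted client fd, or -1. */
int toy_server_accept(void) {
    int s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0) return -1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(8080);
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    if (bind(s, (struct sockaddr *)&sa, sizeof sa) < 0) return -1;
    if (listen(s, 16) < 0) return -1;
    return accept(s, NULL, NULL);
}

/* The caveat behind step 2: only calls that go through libc's exported symbols
 * can be interposed. A socket created with syscall(2) directly never reaches
 * the hook above. Returns 1 when the socket() counter did not move. */
int raw_syscall_bypasses_hook(void) {
    int before = hook_calls[H_SOCKET];
    long fd = syscall(SYS_socket, AF_INET, SOCK_STREAM, 0);
    if (fd >= 0) close((int)fd);
    return hook_calls[H_SOCKET] == before;
}
```

With a real target, the `+++ Intercepted socket()` line (or its absence) plus the per-function counters tell you which of the hooked entry points the server actually reached before things went wrong; a server that never shows up in `socket()` but still serves requests is either calling the kernel directly or creating its descriptors through a path this hook does not cover (`socketpair`, `dup2`, inheriting an fd from a parent). Preeny's real desock additionally shuttles stdin/stdout through the socketpair in a helper thread; this example leaves the fuzzer-side fd to the caller so that it stays single-threaded.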
commented

Hello Zardus,

thank you very much for fast reply!

I tried with desock_dup as well but unfortunately Abyss won't boot properly:

PREENY_INFO=1 PREENY_ERROR=1 PREENY_DEBUG=1 LD_PRELOAD=x86_64-linux-gnu/desock_dup.so /opt/abyssws/abyssws-x64
--- Disabling dup from 3 to 0
--- Disabling dup from 6 to 1

I guess you are right with point number 2; probably some voodoo going on with sockets. I did reverse engineering on the Windows binary and I saw some odd stuff there :) So I might do some RE on the Linux binary and see if it is the same.

If I manage to come up with a working solution, I will update this issue to hopefully help others facing a similar issue.

Thanks a lot.