Disabling Consistency Checks

Eric Neblock c_eric@sbcglobal.net
Sat Dec 6 20:44:00 GMT 2014



On 12/03/2014 07:11 PM, Paul Pluzhnikov wrote:
> On Wed, Dec 3, 2014 at 3:39 PM, Eric Neblock <c_eric@sbcglobal.net> wrote:
> 
>> On 12/02/2014 09:26 PM, Carlos O'Donell wrote:
>>> On 12/02/2014 09:52 AM, Eric Neblock wrote:
>>>>   Inconsistency detected by ld.so: ../elf/dl-runtime.c: 79: _dl_fixup:
>>>> Assertion `((reloc->r_info) & 0xffffffff) == 7' failed!
>>>
>>> This means you corrupted memory and the relocation for the PLT
>>> slot is not a PLT relocation.
>>>
> ...
>> I am using ptrace; however, the method I'm using is:
>>
>>  ptrace(PTRACE_POKETEXT, PID, ADDR_TO_BREAK_AT, (ORIG_INSTRUCTION &
>> 0xFFFFFFFFFFFFFF00) | 0xCC)
> 
> Since this corrupts PLT relocation, your method of finding out
> ADDR_TO_BREAK_AT is likely incorrect.
> 
> You may want to disable ASLR, then print the ADDR_TO_BREAK_AT, then use GDB
> and find out what that address actually points to (gdb "info symbol 0xNNNN"
> command), as well is where the breakpoint should have been "break foo"
> then "info break".
> 
> 
Thanks! I completely forgot about return-to-libc attacks.

I'm actually doing this in a very hackish way. Instead of using BFD, I'm
calling `objdump`, feeding that into a pipe, and then reading the pipe
for "malloc@plt" or whatever function I need.

So when using gdb, everything matches to where it needs to be; however,
even after disabling ASLR, the same error still comes up.
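As an added illustration that is not code from this thread, the C below sketches the two checks a debugger taking the PTRACE_POKETEXT approach should make before writing: confirm that ADDR_TO_BREAK_AT falls inside an executable mapping (parsed from /proc/PID/maps), and keep the saved word so the INT3 byte can be put back. The maps excerpt, path and addresses are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Constructed /proc/PID/maps excerpt (not from the thread): a read-only
 * segment such as the one holding .rela.plt, the executable text segment
 * containing the PLT stubs, and a writable data page. */
static const char *SAMPLE_MAPS =
    "555555554000-555555556000 r--p 00000000 08:01 1234 /tmp/demo\n"
    "555555556000-555555558000 r-xp 00002000 08:01 1234 /tmp/demo\n"
    "555555558000-555555559000 rw-p 00004000 08:01 1234 /tmp/demo\n";

/* Return 1 if addr lies inside a mapping whose permissions include 'x'.
 * A PLT stub address passes; an address into relocation data (r--p) does
 * not, which is the kind of target that leaves ld.so asserting in
 * _dl_fixup about a non-PLT relocation. */
int addr_is_executable(const char *maps, uintptr_t addr)
{
    const char *line = maps;
    while (line && *line) {
        unsigned long start, end;
        char perms[5];
        if (sscanf(line, "%lx-%lx %4s", &start, &end, perms) == 3 &&
            addr >= start && addr < end)
            return strchr(perms, 'x') != NULL;
        line = strchr(line, '\n');
        if (line) line++;
    }
    return 0;
}

/* Same patch the post applies with PTRACE_POKETEXT: replace the low byte
 * of the little-endian word at the target with INT3 (0xCC), keep the rest. */
uint64_t insert_int3(uint64_t orig_word)
{
    return (orig_word & 0xFFFFFFFFFFFFFF00ULL) | 0xCC;
}

/* Inverse: restore the saved original byte once the breakpoint has hit. */
uint64_t restore_word(uint64_t patched_word, uint64_t orig_word)
{
    return (patched_word & 0xFFFFFFFFFFFFFF00ULL) | (orig_word & 0xFF);
}

/* Gate the poke on the mapping check; returns 0 and leaves *out untouched
 * when the address does not point at executable code. */
int prepare_breakpoint(const char *maps, uintptr_t addr, uint64_t orig, uint64_t *out)
{
    if (!addr_is_executable(maps, addr))
        return 0;
    *out = insert_int3(orig);
    return 1;
}
```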