Exec format error on WSL

[xuing]

I met the "exec format error" on WSL.
These program
programs.zip

comes from pwnable.kr challenges.
bof(http://pwnable.kr/bin/bof) and flag(http://pwnable.kr/bin/flag)
when I run $file bof I get

bof: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=ed643dfe8d026b7238d3033b0d0bcc499504f273, not stripped

then when I run $file flag I get

flag: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, stripped

But no matter which one I run, they are prompted

bash: ./flag: cannot execute binary file: Exec format error
bash: ./bof: cannot execute binary file: Exec format error

version Information

Microsoft Windows [Version10.0.15063]
Xuing 4.4.0-43-Microsoft #1-Microsoft Wed Dec 31 14:42:53 PST 2014 x86_64 GNU/Linux

if have some mistake,please forgive me.

Thanks

[sunjoong]

@xuing - For bof, that error is expected because WSL supports only 64bit binary. The interesting part is what for flag.

flag: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, stripped

I don't understand how to compile like that. It should be...

flag: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.32, stripped

Is flag a linux excuatable binary? I mean.... can you run it in real linux system, not in WSL?

UPDATE: I don't know why @therealkenc deleted his comment, but from his comment, I noticed flag has no section. You can check it with "readelf -a flag".

[xuing]

@sunjoong The following is the echo of readelf -a flag, But I do not know where the focus is. I can't understand it well.

Then, I also can run flag in my real linux system.

Thank you.

ELF Header:
Magic: 7f 45 4c 46 02 01 01 03 00 00 00 00 00 00 00 00
Class: ELF64
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - GNU
ABI Version: 0
Type: EXEC (Executable file)
Machine: Advanced Micro Devices X86-64
Version: 0x1
Entry point address: 0x44a4f0
Start of program headers: 64 (bytes into file)
Start of section headers: 0 (bytes into file)
Flags: 0x0
Size of this header: 64 (bytes)
Size of program headers: 56 (bytes)
Number of program headers: 2
Size of section headers: 64 (bytes)
Number of section headers: 0
Section header string table index: 0

There are no sections in this file.

There are no sections to group in this file.

Program Headers:
Type Offset VirtAddr PhysAddr
FileSiz MemSiz Flags Align
LOAD 0x0000000000000000 0x0000000000400000 0x0000000000400000
0x000000000004ad04 0x000000000004ad04 R E 0x200000
LOAD 0x00000000000c62d8 0x00000000006c62d8 0x00000000006c62d8
0x0000000000000000 0x0000000000000000 RW 0x200000

There is no dynamic section in this file.

There are no relocations in this file.

The decoding of unwind sections for machine type Advanced Micro Devices X86-64 is not currently supported.

Dynamic symbol information is not available for displaying symbols.

No version information found in this file.

[sunjoong]

@xuing - Ah... the mention of sections has some history of deleted comments; I deleted a comment too after his. Hmm.... in short, I compiled a dummy code;

sunjoong@SUNJOONG-DESKTOP ~ $ cat a.c
int main () {}
sunjoong@SUNJOONG-DESKTOP ~ $ gcc -s -static a.c
sunjoong@SUNJOONG-DESKTOP ~ $ file a.out
a.out: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.32, stripped
sunjoong@SUNJOONG-DESKTOP ~ $

The a.out file has some sections like the figure of https://en.wikipedia.org/wiki/Executable_and_Linkable_Format .

And... you said you could run flag in real linux system. Then.... you could check with strace like "strace ./flag" in real linux system and in WSL.

Strace is a tool to debug the execution of a program in linux, and you were asked the result of it in the template of issues; You might see the line of "* Strace of the failing command, if applicable: (If <cmd> is failing, then run strace -o strace.txt -ff <cmd>, and post the strace.txt output here)" in the template when opennig this issue.

BTW, are you a student of KAIST? How to find that program? I have a curiosity how to compile it without "for GNU/Linux 2.6.32" or like that. If you be a member of that lab, you could ask them, I think.

[benhillis]

Is it possible this is a duplicate of #330?

[xuing]

@sunjoong thank you,
when I run strace ./flag on WSL,

strace: PTRACE_SETOPTIONS: Invalid argument

Is this the key point? Then I run it on Ubuntu.

execve("./flag", ["./flag"], [/* 22 vars */]) = 0
mmap(0x800000, 2959710, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, 0, 0) = 0x800000
readlink("/proc/self/exe", "/home/xpf/flag", 4096) = 14
mmap(0x400000, 2912256, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x400000
mmap(0x400000, 790878, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x400000
mprotect(0x400000, 790878, PROT_READ|PROT_EXEC) = 0
mmap(0x6c1000, 9968, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0xc1000) = 0x6c1000
mprotect(0x6c1000, 9968, PROT_READ|PROT_WRITE) = 0
mmap(0x6c4000, 8920, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x6c4000
munmap(0x801000, 2955614) = 0
uname({sysname="Linux", nodename="xpf-VirtualBox", ...}) = 0
brk(NULL) = 0x2221000
brk(0x22221c0) = 0x22221c0
arch_prctl(ARCH_SET_FS, 0x2221880) = 0
brk(0x22431c0) = 0x22431c0
brk(0x2244000) = 0x2244000
fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f80a2914000
write(1, "I will malloc() and strcpy the f"..., 52) = 52
exit_group(0) = ?
+++ exited with 0 +++

Finally,I'm only a Chinese students with poor English, I'm learning pwn(Buffer overflow attack), These is the Website pwnable.kr practice programs. >_<
I think I should do practice in my real linux system.

Thanks again for your attention.

[xuing]

@benhillis ,Yes,you are right

[sunjoong]

@benhillis - Oh... what's that? objdump of flag is almost same to #330 (comment)!! It could be possible.

[sunjoong]

@benhillis @xuing - It is the same issue of #330.

root@SUNJOONG-DESKTOP:~# upx -d flag
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2013
UPX 3.91        Markus Oberhumer, Laszlo Molnar & John Reiser   Sep 30th 2013

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
    887219 <-    335288   37.79%  linux/ElfAMD   flag

Unpacked 1 file.
root@SUNJOONG-DESKTOP:~# ./flag
I will malloc() and strcpy the flag there. take it.
root@SUNJOONG-DESKTOP:~# file flag
flag: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.24, BuildID[sha1]=96ec4cc272aeb383bd9ed26c0d4ac0eb5db41b16, not stripped
root@SUNJOONG-DESKTOP:~#

[stehufntdev]

Thanks for reporting the issue. Closing this out as a duplicate of #330 so we can track it in one place.