Wip/dumb tracer #75

Kyle-Kyle · 2021-04-30T21:58:29Z

angr/archr#85
angr/angr#2627
angr/binaries#75
mechaphish/colorguard#10
angr/angrop#33

…zation

…cuted. wtf angrop.

…t have an associated loader object

…ew change breaks cgc stuff

Kyle-Kyle · 2021-04-30T22:10:30Z

too many changes.
in short:

rewrite crash.py to separate the concrete tracing and symbolic tracing part from the core Crash logic and name it CrashTracer. It describes how we interact with the target
add dumb tracer that allows us to do some stupid but effective dynamic tracing
add ret2libc technique that allows us to perform ret2libc attack, currently, what it does is call system with arbitrary command
revive call_shellcode
rewrite scripter to cleanly generate python scripts

rhelmot · 2021-05-07T07:35:55Z

rex/exploit/shellcodes/linux_mips32_dupsh.py

+            shellcode = shellcode.format(fd=self.fd)
+            bs = pwnlib.asm.asm(shellcode)
+            if self.check_shellcode_for_incompatible_chars(bs):
+                print(pwnlib.asm.disasm(bs))


do we have to use pwnlib for this? can we use keystone, which has shortcuts for use in archinfo?

so, the problem @Lukas-Dresel found was that some of the shellcodes we maintain never worked at all. It took him a lot of time to figure out why they didn't work. This concerns me because we only maintain a few shellcodes at this moment. And also, these shellcodes were written by hand for specific architectures and specific purposes.

If we want to extend the capability of rex in shellcode execution in the future, this hardcoded shellcode method will not work. We need an approach to automatically generate shellcode. The first thing that came to our mind was pwntools, its shellcraft module is designed for this purpose.

This will be the first step we include shellcraft in our exploit generation engine. If possible, I plan to use it to replace our current shellcode generation engine so we don't need to debug manually written shellcode.

And I do agree that pwntools is a messed up package that we should avoid as much as possible in our release because of its instability. But its capability of exploit generation is too powerful. What I suggest is we pin pwntools to a version that works with angr and we stick to it.

rex/crash_tracer/full_tracer.py

tests/test_shellcodes.py

ConnorNelson and others added 30 commits May 13, 2020 00:55

Add c scripter

85cc4c7

Add python scripter

fa3821d

Connect in scripter

24f3224

Add cmd to python template

6de574e

separate concrete tracing and symbolic tracing

7d6275c

build scaffolding for dumb tracer

2cdcf13

dumb tracer draft

ae3617c

identify crash address

264e277

input2state analysis

b1c987c

minor fix

88c8c32

support ret2libc when aslr is off

00903b8

minor fixes

b095c16

add support for exploiting overflow without initial stack pivoting

f720ef4

don't insert nullbyte in ropchain generation

8fb46ae

now rex can generate exploits

65b9402

add a JOP stub to help exploiting mips targets

8f53d27

deal with blankspace

6bfc34b

pickup runtime env before firing the target

e50d450

oops

b56581b

support archr Action for concrete tracing

3d792cc

cache_tuple and cache are the same thing

a36ea8d

initialize rop objects should be the last thing we do during initiali…

33dd2fc

…zation

make linter happy

d233237

backward compatibility

9d11170

handle cgc

d5674ed

cache libc gadgets as well

b67ad9c

fix some testcases

75d6ecf

use rop_cache when creating new Crash objects

6313f46

pylint. are you happy?

dc8c49d

damn it, the first angrop gadget may not be the first real gadget exe…

5cbdbba

…cuted. wtf angrop.

Lukas-Dresel and others added 19 commits March 1, 2021 14:29

gracefully handle the case without a corefile where the stack will no…

e43674b

…t have an associated loader object

use archr to tell os

2d51758

handle cases where there is no libc

2bb3d8a

we use send instead of send_all now

3c3bef5

make cgc stuff correctly constrain the symbolic data

a6a7bae

oops

f4b15d9

finally fixed the fucking cgc challenge response thingy

7831211

disable taint for now

318aae6

fix call_shellcode testcase

3882cbc

fix deprecated memory usage

e2b143d

fix use cgc stuff yet again

8feac6e

well, we need to handle fakecrash as well

7fcb06d

we don't need to close loader manually anymore

88abd03

hmm. disgusting. but I don't know how to fix it.

dccf6b9

make pylint happy batch 1

8e6eb6f

revert the use_crash_input patch in cgc_exploit because somehow the n…

c5ea64b

…ew change breaks cgc stuff

yet another attempt to fix challenge_response

ad892dd

make pylint happy batch2

bf3e518

make call_shellcode work again

c127ba1

Kyle-Kyle mentioned this pull request Apr 30, 2021

well. we are not limited to stdin now angr/angr#2627

Merged

twizmwazin mentioned this pull request May 3, 2021

update rop cache angr/binaries#75

Merged

Kyle-Kyle mentioned this pull request May 5, 2021

Wip/dumb tracer angr/archr#85

Merged

linting to trigger CI

22ffa68

Kyle-Kyle force-pushed the wip/dumb_tracer branch from f263553 to 22ffa68 Compare May 5, 2021 21:13

rhelmot reviewed May 7, 2021

View reviewed changes

Kyle-Kyle added 2 commits May 7, 2021 13:29

fix an embarrassing logging name issue in crash_tracer

d9b8beb

fix shellcode testcase

61c406a

rhelmot merged commit 3628781 into master May 11, 2021

rhelmot deleted the wip/dumb_tracer branch May 11, 2021 07:57

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Wip/dumb tracer #75

Wip/dumb tracer #75

Kyle-Kyle commented Apr 30, 2021 •

edited

Loading

Kyle-Kyle commented Apr 30, 2021

rhelmot May 7, 2021

Kyle-Kyle May 7, 2021

Wip/dumb tracer #75

Wip/dumb tracer #75

Conversation

Kyle-Kyle commented Apr 30, 2021 • edited Loading

Kyle-Kyle commented Apr 30, 2021

rhelmot May 7, 2021

Choose a reason for hiding this comment

Kyle-Kyle May 7, 2021

Choose a reason for hiding this comment

Kyle-Kyle commented Apr 30, 2021 •

edited

Loading