Boyan-MILANOV / ropium

ROPium is a tool that helps you build ROP exploits by finding and chaining gadgets together

AttributeError: Cond instance has no attribute 'replaceMemAcc' #8

Closed. JoeyJiao closed this 5 years ago

JoeyJiao commented 5 years ago

I'm facing the error below when loading vmlinux, any idea?

  File "/home/jiangenj/.local/bin/ROPGenerator", line 4, in <module>
    __import__('pkg_resources').run_script('ropgenerator==1.1', 'ROPGenerator')
  File "/home/jiangenj/.local/lib/python2.7/site-packages/pkg_resources/__init__.py", line 664, in run_script
    self.require(requires)[0].run_script(script_name, ns)
  File "/home/jiangenj/.local/lib/python2.7/site-packages/pkg_resources/__init__.py", line 1444, in run_script
    exec(code, namespace, namespace)
  File "/home/jiangenj/.local/lib/python2.7/site-packages/ropgenerator-1.1-py2.7.egg/EGG-INFO/scripts/ROPGenerator", line 5, in <module>
    Main.main()
  File "/home/jiangenj/.local/lib/python2.7/site-packages/ropgenerator-1.1-py2.7.egg/ropgenerator/Main.py", line 66, in main
    load(args[1:])
  File "/home/jiangenj/.local/lib/python2.7/site-packages/ropgenerator-1.1-py2.7.egg/ropgenerator/Load.py", line 193, in load
    build(gadgetList)
  File "/home/jiangenj/.local/lib/python2.7/site-packages/ropgenerator-1.1-py2.7.egg/ropgenerator/Database.py", line 565, in build
    gadget = Gadget([addr], raw)
  File "/home/jiangenj/.local/lib/python2.7/site-packages/ropgenerator-1.1-py2.7.egg/ropgenerator/Gadget.py", line 75, in __init__
    self.semantics = self.graph.getSemantics()
  File "/home/jiangenj/.local/lib/python2.7/site-packages/ropgenerator-1.1-py2.7.egg/ropgenerator/Graph.py", line 122, in getSemantics
    node.getSemantics( semantics, self )
  File "/home/jiangenj/.local/lib/python2.7/site-packages/ropgenerator-1.1-py2.7.egg/ropgenerator/Graph.py", line 255, in getSemantics
    res += [SPair(p.expr.replaceMemAcc(a.label, pair.expr), Cond(CT.AND, p.cond,pair.cond)) for p in resPrec ]
  File "/home/jiangenj/.local/lib/python2.7/site-packages/ropgenerator-1.1-py2.7.egg/ropgenerator/Expressions.py", line 855, in replaceMemAcc
    return Convert( self.size, self.args[0].replaceMemAcc( addr, expr ), self.signed)
  File "/home/jiangenj/.local/lib/python2.7/site-packages/ropgenerator-1.1-py2.7.egg/ropgenerator/Expressions.py", line 490, in replaceMemAcc
    newArgs = [arg.replaceMemAcc( addr, expr ) for arg in self.args]
  File "/home/jiangenj/.local/lib/python2.7/site-packages/ropgenerator-1.1-py2.7.egg/ropgenerator/Expressions.py", line 855, in replaceMemAcc
    return Convert( self.size, self.args[0].replaceMemAcc( addr, expr ), self.signed)
  File "/home/jiangenj/.local/lib/python2.7/site-packages/ropgenerator-1.1-py2.7.egg/ropgenerator/Expressions.py", line 490, in replaceMemAcc
    newArgs = [arg.replaceMemAcc( addr, expr ) for arg in self.args]
  File "/home/jiangenj/.local/lib/python2.7/site-packages/ropgenerator-1.1-py2.7.egg/ropgenerator/Expressions.py", line 490, in replaceMemAcc
    newArgs = [arg.replaceMemAcc( addr, expr ) for arg in self.args]
  File "/home/jiangenj/.local/lib/python2.7/site-packages/ropgenerator-1.1-py2.7.egg/ropgenerator/Expressions.py", line 855, in replaceMemAcc
    return Convert( self.size, self.args[0].replaceMemAcc( addr, expr ), self.signed)
  File "/home/jiangenj/.local/lib/python2.7/site-packages/ropgenerator-1.1-py2.7.egg/ropgenerator/Expressions.py", line 855, in replaceMemAcc
    return Convert( self.size, self.args[0].replaceMemAcc( addr, expr ), self.signed)
  File "/home/jiangenj/.local/lib/python2.7/site-packages/ropgenerator-1.1-py2.7.egg/ropgenerator/Expressions.py", line 855, in replaceMemAcc
    return Convert( self.size, self.args[0].replaceMemAcc( addr, expr ), self.signed)
  File "/home/jiangenj/.local/lib/python2.7/site-packages/ropgenerator-1.1-py2.7.egg/ropgenerator/Expressions.py", line 490, in replaceMemAcc
    newArgs = [arg.replaceMemAcc( addr, expr ) for arg in self.args]
  File "/home/jiangenj/.local/lib/python2.7/site-packages/ropgenerator-1.1-py2.7.egg/ropgenerator/Expressions.py", line 1177, in replaceMemAcc
    return ITE( self.cond.replaceMemAcc(addr,expr), self.iftrue.replaceMemAcc(addr,expr), self.iffalse.replaceMemAcc(addr,expr))
AttributeError: Cond instance has no attribute 'replaceMemAcc'
Alarm clock

JoeyJiao commented 5 years ago

Fixed in https://github.com/Boyan-MILANOV/ropgenerator/pull/9

Boyan-MILANOV commented 5 years ago

Hey thanks for reporting this issue :)

It seems that I forgot to implement the replaceMemAcc() function for the "Cond" class, but strangely it hasn't been needed in all the tests I ran and it's the first time I see this error.

Your fixes in #9 solve this by removing the call to replaceMemAcc(). It's a temporary fix that avoids the crash, but it's semantically incorrect and might cause the tool to misbehave or build wrong ropchains. The correct solution is to implement the missing function. It's not difficult and I'll do it as soon as possible ;)
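To make the maintainer's point concrete, here is an added example (my own Python 3 code, not ropgenerator's Expressions module; the class names are simplified stand-ins for the project's expression nodes and are not its API). It builds a tiny expression tree with the same shape as the one in the traceback, an ITE whose condition reads memory, and shows why the substitution of memory accesses has to recurse into the condition: when a gadget stores a register at [rsp] and then branches on [rsp], the read must be resolved to the stored register, or the condition keeps a stale value from before the gadget and the computed register semantics are wrong. The gadget, register state and memory contents are constructed for the illustration, and `substitute_skipping_cond` is my assumption about what a workaround that avoids the crash by not substituting inside the condition does, not a reproduction of PR #9.

```python
# Added example, not ropgenerator's code. Simplified expression nodes with a
# memory-access substitution like the replaceMemAcc() in the traceback,
# including the recursion into conditions that the project's Cond lacked.
from dataclasses import dataclass


class Expr:
    """Base node: replace_mem(addr, val) rewrites every read of memory at
    `addr` into `val`; eval() interprets the node over a concrete state."""


@dataclass(frozen=True)
class Reg(Expr):
    name: str

    def replace_mem(self, addr, val):
        return self

    def eval(self, regs, mem):
        return regs[self.name]


@dataclass(frozen=True)
class Const(Expr):
    value: int

    def replace_mem(self, addr, val):
        return self

    def eval(self, regs, mem):
        return self.value


@dataclass(frozen=True)
class Mem(Expr):
    addr: Expr

    def replace_mem(self, addr, val):
        if self.addr == addr:  # structural equality from the dataclass
            return val
        return Mem(self.addr.replace_mem(addr, val))

    def eval(self, regs, mem):
        return mem[self.addr.eval(regs, mem)]


@dataclass(frozen=True)
class Cond(Expr):
    op: str  # "==" or "!="
    left: Expr
    right: Expr

    def replace_mem(self, addr, val):
        # The method the issue is about: a condition can read memory too.
        return Cond(self.op, self.left.replace_mem(addr, val),
                    self.right.replace_mem(addr, val))

    def eval(self, regs, mem):
        l, r = self.left.eval(regs, mem), self.right.eval(regs, mem)
        return l == r if self.op == "==" else l != r


@dataclass(frozen=True)
class ITE(Expr):
    cond: Cond
    iftrue: Expr
    iffalse: Expr

    def replace_mem(self, addr, val):
        return ITE(self.cond.replace_mem(addr, val),
                   self.iftrue.replace_mem(addr, val),
                   self.iffalse.replace_mem(addr, val))

    def eval(self, regs, mem):
        branch = self.iftrue if self.cond.eval(regs, mem) else self.iffalse
        return branch.eval(regs, mem)


def substitute_skipping_cond(expr, addr, val):
    """Assumed model of a stop-gap that avoids the crash by leaving the
    condition untouched (branches are substituted, the condition is not)."""
    if isinstance(expr, ITE):
        return ITE(expr.cond,
                   substitute_skipping_cond(expr.iftrue, addr, val),
                   substitute_skipping_cond(expr.iffalse, addr, val))
    return expr.replace_mem(addr, val)


# Constructed gadget (hypothetical): it stores rcx at [rsp], then executes
# `cmp qword [rsp], 0 ; cmove rax, rbx`. The final rax must depend on the
# value just stored, not on whatever [rsp] held before the gadget ran.
RSP = Reg("rsp")
RAX_AFTER = ITE(Cond("==", Mem(RSP), Const(0)), Reg("rbx"), Reg("rax"))
STORED_VALUE = Reg("rcx")


def resolved_rax(skip_cond=False):
    """Resolve the read of [rsp] against the earlier store of rcx."""
    if skip_cond:
        return substitute_skipping_cond(RAX_AFTER, RSP, STORED_VALUE)
    return RAX_AFTER.replace_mem(RSP, STORED_VALUE)


def final_rax(regs, mem, skip_cond=False):
    """Concrete value of rax after the gadget for a given initial state."""
    return resolved_rax(skip_cond).eval(regs, mem)


if __name__ == "__main__":
    # Constructed state: rcx == 0, so the cmove must pick rbx. Memory at rsp
    # still holds a stale non-zero value from before the gadget.
    regs = {"rsp": 0x7FFC0000, "rcx": 0, "rbx": 0x41, "rax": 0x42}
    mem = {0x7FFC0000: 7}
    print(hex(final_rax(regs, mem)))                  # 0x41, correct
    print(hex(final_rax(regs, mem, skip_cond=True)))  # 0x42, stale condition
```

With the full substitution the condition becomes `rcx == 0` and rax resolves to rbx, which is what a chain builder needs to reason about the gadget; with the condition left alone, the semantics still read pre-gadget memory and describe a register value the gadget never produces, which is exactly how a crash-avoiding shortcut turns into wrong ropchains.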