angr / angr-targets

This repository contains the currently implemented angr concrete targets.

remove_breakpoint requested but target is EXITED #30

Closed h311d1n3r closed 11 months ago

h311d1n3r commented 1 year ago

Description

Hi, when I try running the following script:

```python
import claripy
import angr
import logging
import avatar2
import subprocess
from angr_targets import AvatarGDBConcreteTarget
from IPython import embed

#logging.getLogger('angr').setLevel('ERROR')

base_addr = 0x0                 # load the binary at 0 so addresses match objdump output
GDB_SERVER_IP = "127.0.0.1"
GDB_SERVER_PORT = 1234          # gdbserver started separately: gdbserver 127.0.0.1:1234 ./test
bin_path = "./test"
nb_chars = 32
bp_addr = 0x11e9                # address inside main() where Symbion should stop

# concrete target: the process already running under gdbserver
avatar_gdb = AvatarGDBConcreteTarget(avatar2.archs.x86.X86_64, GDB_SERVER_IP, GDB_SERVER_PORT)
project = angr.Project(bin_path, main_opts={'base_addr': base_addr}, concrete_target=avatar_gdb, use_sim_procedures=True)

state = project.factory.entry_state()  # stdin='A'*(nb_chars-1)+'\n'

state.options.add(angr.options.SYMBION_SYNC_CLE)
state.options.add(angr.options.SYMBION_KEEP_STUBS_ON_SYNC)

# run concretely until bp_addr is hit, then hand the synced state back to angr
simgr = project.factory.simgr(state)
simgr.use_technique(angr.exploration_techniques.Symbion(find=[bp_addr]))
concrete_res = simgr.run()
bp_state = concrete_res.stashes['found'][0]
print(bp_state)

embed()
```

the process seems to exit before reaching my "breakpoint". Here is the complete error trace:

```
  File "/home/helldiner/Cyber/Projects/Angr Tests/solve.py", line 28, in <module>
    concrete_res = simgr.run()
  File "/usr/local/lib/python3.10/dist-packages/angr/sim_manager.py", line 345, in run
    self.step(stash=stash, **kwargs)
  File "/usr/local/lib/python3.10/dist-packages/angr/misc/hookset.py", line 96, in __call__
    result = current_hook(self.func.__self__, *args, **kwargs)
  File "/usr/local/lib/python3.10/dist-packages/angr/exploration_techniques/symbion.py", line 54, in step
    return simgr.step(stash=stash, **kwargs)
  File "/usr/local/lib/python3.10/dist-packages/angr/misc/hookset.py", line 96, in __call__
    result = current_hook(self.func.__self__, *args, **kwargs)
  File "/usr/local/lib/python3.10/dist-packages/angr/exploration_techniques/suggestions.py", line 43, in step
    simgr.step(stash=stash, **kwargs)
  File "/usr/local/lib/python3.10/dist-packages/angr/misc/hookset.py", line 101, in __call__
    return self.func(*args, **kwargs)
  File "/usr/local/lib/python3.10/dist-packages/angr/sim_manager.py", line 454, in step
    successors = self.step_state(state, successor_func=successor_func, error_list=error_list, **run_args)
  File "/usr/local/lib/python3.10/dist-packages/angr/misc/hookset.py", line 96, in __call__
    result = current_hook(self.func.__self__, *args, **kwargs)
  File "/usr/local/lib/python3.10/dist-packages/angr/exploration_techniques/symbion.py", line 58, in step_state
    ss = self.successors(
  File "/usr/local/lib/python3.10/dist-packages/angr/exploration_techniques/__init__.py", line 109, in successors
    return simgr.successors(state, **kwargs)
  File "/usr/local/lib/python3.10/dist-packages/angr/sim_manager.py", line 545, in successors
    return self._project.factory.successors(state, **run_args)
  File "/usr/local/lib/python3.10/dist-packages/angr/factory.py", line 76, in successors
    return engine.process(*args, **kwargs)
  File "/usr/local/lib/python3.10/dist-packages/angr/engines/engine.py", line 163, in process
    self.process_successors(self.successors, **kwargs)
  File "/usr/local/lib/python3.10/dist-packages/angr/engines/concrete.py", line 53, in process_successors
    self.to_engine(new_state, extra_stop_points, memory_concretize, register_concretize, timeout)
  File "/usr/local/lib/python3.10/dist-packages/angr/engines/concrete.py", line 144, in to_engine
    self.target.remove_breakpoint(stop_point)
  File "/usr/local/lib/python3.10/dist-packages/angr_targets/targets/avatar_gdb.py", line 110, in remove_breakpoint
    res = self.target.remove_breakpoint(address, **kwargs)
  File "/usr/local/lib/python3.10/dist-packages/avatar2/watchmen.py", line 78, in watchtrigger
    ret = func(self, *args, **kwargs)
  File "/usr/local/lib/python3.10/dist-packages/avatar2/targets/target.py", line 33, in check
    raise Exception("%s() requested but Target is %s" %
Exception: remove_breakpoint() requested but Target is EXITED
```

Note: the breakpoint is in my main function, and I have to start gdbserver in another terminal because it won't expose my process without root rights for some reason.

### Steps to reproduce the bug

_No response_

### Environment

_No response_

### Additional context

_No response_
degrigis commented 1 year ago

Hey there! Are you sure you can actually hit that breakpoint (0x11e9) with the input given to the program?

h311d1n3r commented 1 year ago

Yes, I'm pretty sure 👍. I tried setting the breakpoint almost everywhere (I also tried before the fgets that takes the input).

h311d1n3r commented 1 year ago

Also, when running the test "test_concrete_not_packed_elf64.py" on the angr docker image, I get the following error trace:

```
(angr) angr@78a39cee8109:~/angr-dev/angr-targets/tests$ python3 test_concrete_not_packed_elf64.py
CRITICAL | 2023-08-24 20:38:00,075 | avatar.targets.GDBTarget0.GDBResponseListener | Catched unknown async message: {'type': 'notify', 'message': 'breakpoint-deleted', 'payload': {'id': '1'}, 'token': None, 'stream': 'stdout'}
2023-08-24 20:38:00,075 | avatar.targets.GDBTarget0.GDBResponseListener.CRITICAL | Catched unknown async message: {'type': 'notify', 'message': 'breakpoint-deleted', 'payload': {'id': '1'}, 'token': None, 'stream': 'stdout'}
CRITICAL | 2023-08-24 20:38:01,232 | avatar.targets.GDBTarget0.GDBResponseListener | Catched unknown async message: {'type': 'notify', 'message': 'breakpoint-deleted', 'payload': {'id': '2'}, 'token': None, 'stream': 'stdout'}
2023-08-24 20:38:01,232 | avatar.targets.GDBTarget0.GDBResponseListener.CRITICAL | Catched unknown async message: {'type': 'notify', 'message': 'breakpoint-deleted', 'payload': {'id': '2'}, 'token': None, 'stream': 'stdout'}
CRITICAL | 2023-08-24 20:38:02,233 | avatar.targets.GDBTarget0.GDBResponseListener | Catched unknown async message: {'type': 'notify', 'message': 'breakpoint-deleted', 'payload': {'id': '3'}, 'token': None, 'stream': 'stdout'}
2023-08-24 20:38:02,233 | avatar.targets.GDBTarget0.GDBResponseListener.CRITICAL | Catched unknown async message: {'type': 'notify', 'message': 'breakpoint-deleted', 'payload': {'id': '3'}, 'token': None, 'stream': 'stdout'}
```
h311d1n3r commented 12 months ago

Okay, I solved my issue. In fact, you can't specify a base address for your angr project when using Symbion (at the moment), because GDB and angr won't be synchronized on that point. What I did was disable ASLR and dump the mapped addresses from GDB. Also, I couldn't manage to specify an input (on stdin), so what I did was reach the libc read function in a first concrete execution, then modify the state as the read function would and resume the process in a second execution. Anyway, thanks for the great project ;)
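The two steps described in the comment above (rebase the breakpoints from the live process instead of passing `base_addr` to angr, then do `read()`'s job by hand between two concrete runs), written out as an added example for this thread. It is not code from the issue author or from angr/angr-targets. It assumes: a PIE x86-64 binary `./test` already running under gdbserver on 127.0.0.1:1234 with ASLR disabled; `read_off` and `after_read_off` are file-relative addresses the analyst took from the binary (placeholders, like the issue's `0x11e9`); `SAMPLE_MAPPINGS` is constructed output of gdb's `info proc mappings`, which the analyst pastes from the gdb terminal; and, a design choice of this example rather than the commenter's exact method, the fake `read()` result is written into the live process through angr-targets' `read_memory`/`write_memory`/`write_register` and the second Symbion run is assumed to resume the target from the patched program counter.

```python
"""Two-stage Symbion run with breakpoints rebased from the live mapping.

Added example, not project code. Assumes ./test is a PIE x86-64 binary already
running under gdbserver (ASLR off); read_off/after_read_off are placeholders the
analyst fills from the binary; SAMPLE_MAPPINGS is constructed gdb output.
"""
import re
from typing import NamedTuple


class Mapping(NamedTuple):
    start: int
    end: int
    offset: int
    perms: str
    objfile: str


# Constructed sample of "info proc mappings" for a PIE binary (gdb >= 12 prints Perms).
SAMPLE_MAPPINGS = """\
process 4242
Mapped address spaces:

          Start Addr           End Addr       Size     Offset  Perms objfile
      0x555555554000     0x555555555000     0x1000        0x0  r--p   /home/user/test
      0x555555555000     0x555555556000     0x1000     0x1000  r-xp   /home/user/test
      0x555555556000     0x555555557000     0x1000     0x2000  r--p   /home/user/test
      0x7ffff7dc3000     0x7ffff7de8000    0x25000        0x0  r--p   /usr/lib/x86_64-linux-gnu/libc.so.6
      0x7ffff7ffd000     0x7ffff7fff000     0x2000        0x0  rw-p
"""

_PERMS = re.compile(r"[rwxps-]{4,5}")


def parse_mappings(text: str) -> list:
    """Parse gdb's 'info proc mappings' table, with or without the Perms column."""
    maps = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].startswith("0x"):
            continue  # banner, column header or blank line
        start, end, _size, offset = (int(p, 16) for p in parts[:4])
        rest = parts[4:]
        perms = rest.pop(0) if rest and _PERMS.fullmatch(rest[0]) else ""
        maps.append(Mapping(start, end, offset, perms, rest[0] if rest else ""))
    return maps


def image_base(maps, basename: str) -> int:
    """Load address of the main image: its lowest mapping at file offset 0."""
    own = [m for m in maps if m.offset == 0 and m.objfile.rsplit("/", 1)[-1] == basename]
    if not own:
        raise LookupError(f"{basename} not found in mappings")
    return min(m.start for m in own)


def rebase(base: int, file_addr: int) -> int:
    """File-relative address (what objdump/angr show for a PIE) -> live address."""
    return base + file_addr


def fake_read_plan(rsi: int, rdx: int, rsp: int, data: bytes, ptr_size: int = 8) -> dict:
    """What read(fd, buf, count) leaves behind at its return on x86-64 SysV:
    data stored at buf (never more than count bytes), rax = byte count,
    and the return address popped off the stack (rsp + 8)."""
    n = min(len(data), rdx)
    return {"buf": rsi, "bytes": data[:n], "rax": n, "rsp": rsp + ptr_size}


def run_two_stage(bin_path, basename, mappings_text, stdin_data, read_off, after_read_off,
                  ip="127.0.0.1", port=1234):
    """Stop at read(), perform it by hand in the live process, continue to after_read_off."""
    import angr, avatar2  # only needed for the live run
    from angr_targets import AvatarGDBConcreteTarget

    base = image_base(parse_mappings(mappings_text), basename)
    target = AvatarGDBConcreteTarget(avatar2.archs.x86.X86_64, ip, port)
    # No base_addr: SYMBION_SYNC_CLE relocates angr's view to the live layout on sync.
    project = angr.Project(bin_path, concrete_target=target, use_sim_procedures=True)
    state = project.factory.entry_state()
    state.options.add(angr.options.SYMBION_SYNC_CLE)
    state.options.add(angr.options.SYMBION_KEEP_STUBS_ON_SYNC)

    simgr = project.factory.simgr(state)
    simgr.use_technique(angr.exploration_techniques.Symbion(find=[rebase(base, read_off)]))
    simgr.run()
    at_read = simgr.found[0]

    ev = at_read.solver.eval
    plan = fake_read_plan(ev(at_read.regs.rsi), ev(at_read.regs.rdx), ev(at_read.regs.rsp), stdin_data)
    ret = int.from_bytes(target.read_memory(plan["rsp"] - 8, 8), "little")
    target.write_memory(plan["buf"], plan["bytes"])
    target.write_register("rax", plan["rax"])
    target.write_register("rsp", plan["rsp"])
    target.write_register("rip", ret)

    # ASSUMPTION: the second Symbion run resumes the target from its patched pc.
    simgr = project.factory.simgr(at_read)
    simgr.use_technique(angr.exploration_techniques.Symbion(find=[rebase(base, after_read_off)]))
    simgr.run()
    return simgr.found[0]
```

The parser and `fake_read_plan` run offline; only `run_two_stage` needs angr, avatar2 and a live gdbserver, so the script can be sanity-checked against a pasted mapping before touching the target. With the issue's numbers, `rebase(image_base(...), 0x11e9)` gives the real breakpoint `0x5555555551e9`, which is what the process can actually hit, whereas `base_addr=0` made angr arm `0x11e9`, an address the live process never executes, so it ran to exit and the later `remove_breakpoint` failed on an EXITED target.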

degrigis commented 11 months ago

Perfect, glad you figured it out :)