search

angr / angrop

BSD 2-Clause "Simplified" License
606 stars 71 forks source link

add_to_mem causes angrop.errors.RopException: Does not get to a single unconstrained successor #76

Closed astewart-bah closed 9 months ago

astewart-bah commented 9 months ago

Description

When testing ubuntu i386 libc for add_to_mem, I get the following error:

Traceback (most recent call last):
  File "test.py", line 61, in <module>
    rop.add_to_mem(0xdeadbeef, 0x62a000)
  File "lib/python3.10/site-packages/angrop/chain_builder/__init__.py", line 76, in add_to_mem
    return self._mem_changer.add_to_mem(addr, value, data_size=data_size)
  File "lib/python3.10/site-packages/angrop/chain_builder/mem_changer.py", line 82, in add_to_mem
    state = chain2.exec()
  File "lib/python3.10/site-packages/angrop/rop_chain.py", line 182, in exec
    return rop_utils.step_to_unconstrained_successor(self._p, state, max_steps=max_steps,
  File "lib/python3.10/site-packages/angrop/rop_utils.py", line 224, in step_to_unconstrained_successor
    return step_to_unconstrained_successor(project, succ.flat_successors[0],
  File "lib/python3.10/site-packages/angrop/rop_utils.py", line 224, in step_to_unconstrained_successor
    return step_to_unconstrained_successor(project, succ.flat_successors[0],
  File "lib/python3.10/site-packages/angrop/rop_utils.py", line 219, in step_to_unconstrained_successor
    raise RopException("Does not get to a single successor")
angrop.errors.RopException: Does not get to a single successor

Steps to reproduce the bug

Attached is zip file. Unzip and run start_test.sh. issue_76.zip

Environment

No response

Additional context

No response

Kyle-Kyle commented 9 months ago 
[ins] In [28]: chain.print_payload_code()
code_base = 0x0
chain = b""
chain += p32(code_base + 0x15219f)  # mov eax, edx; pop ebx; pop edi; ret 
chain += p32(code_base + 0x22a000)
chain += p32(0xdeadbeec)
chain += p32(code_base + 0x183d4f)  # pop es; add dword ptr [edi + 3], ebx; sbb al, 0x8b; notrack jmp ebx

The issue is caused by ebx. Basically, the <next pc> value is constrained in this case, which is not great. I'll see what I can do to mitigate this. And this is probably common in other chains as well.

Kyle-Kyle commented 9 months ago

I don't have a perfect solution right now. The monkey patch is to add a retry-loop to add_to_mem: https://github.com/angr/angrop/pull/78/commits/c42ed67d655441427c8a180c41b64ac313240ee7 (just like what we do in other builders)

Kyle-Kyle commented 9 months ago

Should be fixed by https://github.com/angr/angrop/pull/78 And the test case is integrated into CI.