angr / rex

Shellphish's automated exploitation engine, originally created for the Cyber Grand Challenge.

KeyError: <ExternObject Object cle##externs, maps [0x9000000:0x9008000]> #34

Closed Ma5ker closed 2 years ago

Ma5ker commented 5 years ago

Hello, I got the error below when testing. How can I fix this problem? Thanks! (Ubuntu 16.04 64-bit)

/home/r0mm/.virtualenvs/angr/lib/python3.5/site-packages/shellphish_qemu/bin/shellphish-qemu-linux-i386
---------------------------------------------------------------------------
KeyError                                  Traceback (most recent call last)
<ipython-input-4-351d91301e2f> in <module>
----> 1 c = rex.Crash("./test",b"aaaaaaaaaaaaaaa")

~/.virtualenvs/angr/lib/python3.5/site-packages/rex/crash.py in __init__(self, binary, crash, pov_file, aslr, constrained_addrs, crash_state, prev_path, hooks, format_infos, rop_cache_tuple, use_rop, fast_mode, explore_steps, angrop_object, argv, concrete_fs, chroot, rop_cache_path, trace_timeout, input_type, port, use_crash_input, tracer_args, initial_state)
    231                 ZenPlugin.prep_tracer(s)
    232 
--> 233             simgr.run()
    234 
    235             # if there was no crash we'll have to use the previous path's state

~/.virtualenvs/angr/lib/python3.5/site-packages/angr/sim_manager.py in run(self, stash, n, until, **kwargs)
    258         for _ in (itertools.count() if n is None else range(0, n)):
    259             if not self.complete() and self._stashes[stash]:
--> 260                 self.step(stash=stash, **kwargs)
    261                 if not (until and until(self)):
    262                     continue

~/.virtualenvs/angr/lib/python3.5/site-packages/angr/misc/hookset.py in __call__(self, *args, **kwargs)
     73             current_hook = self.pending.pop()
     74             try:
---> 75                 result = current_hook(self.func.__self__, *args, **kwargs)
     76             finally:
     77                 self.pending.append(current_hook)

~/.virtualenvs/angr/lib/python3.5/site-packages/angr/exploration_techniques/tracer.py in step(self, simgr, stash, **kwargs)
    101     def step(self, simgr, stash='active', **kwargs):
    102         simgr.drop(stash='missed')
--> 103         return simgr.step(stash=stash, **kwargs)
    104 
    105     def step_state(self, simgr, state, **kwargs):

~/.virtualenvs/angr/lib/python3.5/site-packages/angr/misc/hookset.py in __call__(self, *args, **kwargs)
     78             return result
     79         else:
---> 80             return self.func(*args, **kwargs)

~/.virtualenvs/angr/lib/python3.5/site-packages/angr/sim_manager.py in step(self, stash, n, selector_func, step_func, successor_func, until, filter_func, **run_args)
    342 
    343             pre_errored = len(self._errored)
--> 344             successors = self.step_state(state, successor_func=successor_func, **run_args)
    345 
    346             # handle degenerate stepping cases here. desired behavior:

~/.virtualenvs/angr/lib/python3.5/site-packages/angr/misc/hookset.py in __call__(self, *args, **kwargs)
     73             current_hook = self.pending.pop()
     74             try:
---> 75                 result = current_hook(self.func.__self__, *args, **kwargs)
     76             finally:
     77                 self.pending.append(current_hook)

~/.virtualenvs/angr/lib/python3.5/site-packages/angr/exploration_techniques/tracer.py in step_state(self, simgr, state, **kwargs)
    115         # follow the trace
    116         if len(succs) == 1:
--> 117             self._update_state_tracking(succs[0])
    118         elif len(succs) == 0:
    119             raise Exception("All states disappeared!")

~/.virtualenvs/angr/lib/python3.5/site-packages/angr/exploration_techniques/tracer.py in _update_state_tracking(self, state)
    188             if proc.is_continuation:
    189                 orig_addr = self.project.loader.find_symbol(proc.display_name).rebased_addr
--> 190                 orig_trace_addr = orig_addr + self._aslr_slides[self.project.loader.find_object_containing(orig_addr)]
    191                 if 0 <= self._trace[idx + 1] - orig_trace_addr <= 0x10000:
    192                     # this is fine. we do nothing and then next round it'll get handled by the is_hooked(state.history.addr) case

KeyError: <ExternObject Object cle##externs, maps [0x9000000:0x9008000]>
zardus commented 5 years ago

rex got broken again. We'll try to look at this over the next few weeks to get it fixed up.

Ma5ker commented 5 years ago

thx

rhelmot commented 5 years ago

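At first glance it kind of looks like the problem is that not all the libraries necessary to run the binary are loaded: in the traceback, the object returned by `find_object_containing(orig_addr)` is the `cle##externs` object, and the KeyError shows it has no entry in `_aslr_slides`. Of course, things should work correctly even when the libraries are missing, but making them available could be a quick fix for you until we can get around to this.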

Ma5ker commented 5 years ago

Thx. You are right, the error above has disappeared after installing some libs, but another error occurred.

/home/r0mm/.virtualenvs/angr/lib/python3.5/site-packages/shellphish_qemu/bin/shellphish-qemu-linux-i386
ERROR   | 2019-01-23 09:48:02,167 | angr.exploration_techniques.oppologist | Original block hit an unsupported error
---------------------------------------------------------------------------
KeyError                                  Traceback (most recent call last)
<ipython-input-6-b6df280df077> in <module>
----> 1 crash = rex.Crash("./test1",b"aaaaaaaaaaaaaaa")

~/.virtualenvs/angr/lib/python3.5/site-packages/rex/crash.py in __init__(self, binary, crash, pov_file, aslr, constrained_addrs, crash_state, prev_path, hooks, format_infos, rop_cache_tuple, use_rop, fast_mode, explore_steps, angrop_object, argv, concrete_fs, chroot, rop_cache_path, trace_timeout, input_type, port, use_crash_input, tracer_args, initial_state)
    231                 ZenPlugin.prep_tracer(s)
    232 
--> 233             simgr.run()
    234 
    235             # if there was no crash we'll have to use the previous path's state

~/.virtualenvs/angr/lib/python3.5/site-packages/angr/sim_manager.py in run(self, stash, n, until, **kwargs)
    258         for _ in (itertools.count() if n is None else range(0, n)):
    259             if not self.complete() and self._stashes[stash]:
--> 260                 self.step(stash=stash, **kwargs)
    261                 if not (until and until(self)):
    262                     continue

~/.virtualenvs/angr/lib/python3.5/site-packages/angr/misc/hookset.py in __call__(self, *args, **kwargs)
     73             current_hook = self.pending.pop()
     74             try:
---> 75                 result = current_hook(self.func.__self__, *args, **kwargs)
     76             finally:
     77                 self.pending.append(current_hook)

~/.virtualenvs/angr/lib/python3.5/site-packages/angr/exploration_techniques/tracer.py in step(self, simgr, stash, **kwargs)
    101     def step(self, simgr, stash='active', **kwargs):
    102         simgr.drop(stash='missed')
--> 103         return simgr.step(stash=stash, **kwargs)
    104 
    105     def step_state(self, simgr, state, **kwargs):

~/.virtualenvs/angr/lib/python3.5/site-packages/angr/misc/hookset.py in __call__(self, *args, **kwargs)
     78             return result
     79         else:
---> 80             return self.func(*args, **kwargs)

~/.virtualenvs/angr/lib/python3.5/site-packages/angr/sim_manager.py in step(self, stash, n, selector_func, step_func, successor_func, until, filter_func, **run_args)
    342 
    343             pre_errored = len(self._errored)
--> 344             successors = self.step_state(state, successor_func=successor_func, **run_args)
    345 
    346             # handle degenerate stepping cases here. desired behavior:

~/.virtualenvs/angr/lib/python3.5/site-packages/angr/misc/hookset.py in __call__(self, *args, **kwargs)
     73             current_hook = self.pending.pop()
     74             try:
---> 75                 result = current_hook(self.func.__self__, *args, **kwargs)
     76             finally:
     77                 self.pending.append(current_hook)

~/.virtualenvs/angr/lib/python3.5/site-packages/angr/exploration_techniques/tracer.py in step_state(self, simgr, state, **kwargs)
    111         stops = set(kwargs.pop('extra_stop_points', ())) | {self._trace[-1]}
    112         succs_dict = simgr.step_state(state, extra_stop_points=stops, **kwargs)
--> 113         succs = succs_dict[None]
    114 
    115         # follow the trace

KeyError: None
rhelmot commented 5 years ago

What is the content of succs_dict during the crash?

github-actions[bot] commented 2 years ago

This issue has been marked as stale because it has no recent activity. Please comment or add the pinned tag to prevent this issue from being closed.

github-actions[bot] commented 2 years ago

This issue has been closed due to inactivity.