angr / rex

Shellphish's automated exploitation engine, originally created for the Cyber Grand Challenge.
BSD 2-Clause "Simplified" License

Should update Sample Code, because of archr ? #41

Closed Ma3k4H3d closed 5 years ago

Ma3k4H3d commented 5 years ago

~/rex/crash.py in __init__(self, target, crash, pov_file, aslr, constrained_addrs, hooks, format_infos, tracer_bow, explore_steps, input_type, port, use_crash_input, checkpoint_path, rop_cache_tuple, use_rop, fast_mode, angrop_object, rop_cache_path, prev_path, crash_state, initial_state)
     84         self.target_port = port
     85         self.crash = crash
---> 86         self.tracer_bow = tracer_bow if tracer_bow is not None else archr.arsenal.QEMUTracerBow(self.target)
     87 
     88         if self.explore_steps > 10:

~/archr/arsenal/qemu_tracer.py in __init__(self, target, timeout, ld_linux, library_path, seed)
     41 
     42     def __init__(self, target, timeout=10, ld_linux=None, library_path=None, seed=None):
---> 43         super().__init__(target)
     44         self.timeout = timeout
     45         self.ld_linux = ld_linux

~/archr/arsenal/__init__.py in __init__(self, target)
     14         """
     15         self.target = target
---> 16         self.nock()
     17 
     18     def nock(self):

~/archr/arsenal/__init__.py in nock(self)
     22         if self.REQUIRED_ARROW:
     23             with arrows.bundle(self.REQUIRED_ARROW) as b:
---> 24                 self.target.inject_path(b, "/tmp/%s" % self.REQUIRED_ARROW)
     25         if self.REQUIRED_BINARY:
     26             with arrows.bundle_binary(self.REQUIRED_BINARY) as b:

AttributeError: 'str' object has no attribute 'inject_path'

suhyeonjin commented 5 years ago

How do I solve this error?
"'str' object has no attribute 'inject_path'"

Importing rex works fine, but when I try rex.Crash("bin", b"input") I get that error.

twizmwazin commented 5 years ago

@suhyeonjin rex.Crash takes an archr target, not a binary name.

suhyeonjin commented 5 years ago

> @suhyeonjin rex.Crash takes an archr target, not a binary name.

Oh, really? The example parameter 'legit00001' is not a binary? How do I check the binary from my crash input?

twizmwazin commented 5 years ago

I'm going off of the documentation here: https://github.com/shellphish/rex/blob/master/rex/crash.py#L36

If you're new to archr, you can find that here: https://github.com/angr/archr

Basically the idea is that you make a "target" for archr, which could just be a local binary; see archr/targets/local_target.py in the archr repo. You can then pass that target to rex. This abstraction allows more flexibility for rex, specifically allowing it to work on binaries and Docker containers alike.

Yuuoniy commented 4 years ago

> I'm going off of the documentation here: https://github.com/shellphish/rex/blob/master/rex/crash.py#L36 If you're new to archr, you can find that here: https://github.com/angr/archr Basically the idea is that you make a "target" for archr, which could just be a local binary; see archr/targets/local_target.py in the archr repo. You can then pass that target to rex. This abstraction allows more flexibility for rex, specifically allowing it to work on binaries and Docker containers alike.

Hi @twizmwazin. I've tried to pass the archr local target to rex (in the following way), and I ran into a new problem:

>>> t = archr.targets.LocalTarget(["./legit_00003"]).build()
>>> crash = rex.Crash(t, b"\x00\x0b1\xc1\x00\x0c\xeb\xe4\xf1\xf1\x14\r\rM\r\xf3\x1b\r\r\r~\x7f\x1b\xe3\x0c`_222\r\rM\r\xf3\x1b\r\x7f\x002\x7f~\x7f\xe2\xff\x7f\xff\xff\x8b\xc7\xc9\x83\x8b\x0c\xeb\x80\x002\xac\xe2\xff\xff\x00t\x8bt\x8bt_o_\x00t\x8b\xc7\xdd\x83\xc2t~n~~\xac\xe2\xff\xff_k_\x00t\x8b\xc7\xdd\x83\xc2t~n~~\xac\xe2\xff\xff\x00t\x8bt\x8b\xac\xf1\x83\xc2t~c\x00\x00\x00~~\x7f\xe2\xff\xff\x00t\x9e\xac\xe2\xf1\xf2@\x83\xc3t")
WARNING | 2019-11-25 10:57:06,411 | cle.loader | <cle.patched_stream.PatchedStream object at 0x7f39d5d5d358>: base_addr was specified but the object is not PIC. specify force_rebase=True to override
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/angr/angr-dev/rex/rex/crash.py", line 105, in __init__
    self._initialize(angrop_object, rop_cache_path, checkpoint_path, crash_state, prev_state)
  File "/home/angr/angr-dev/rex/rex/crash.py", line 511, in _initialize
    self.project = self.angr_project_bow.fire()
  File "/home/angr/angr-dev/archr/archr/arsenal/angr_project.py", line 47, in fire
    _,_,_,self._mem_mapping = self.scout_bow.fire()
  File "/home/angr/angr-dev/archr/archr/arsenal/datascout.py", line 119, in fire
    aslr=aslr, **kwargs) as p:
  File "/usr/lib/python3.6/contextlib.py", line 81, in __enter__
    return next(self.gen)
  File "/home/angr/angr-dev/archr/archr/targets/__init__.py", line 455, in shellcode_context
    hooked_binary = hook_entry(original_binary, asm_code=asm_code, bin_code=bin_code)
  File "/home/angr/angr-dev/archr/archr/utils.py", line 42, in hook_entry
    main_bin.write(b.main_object.arch.asm(asm_code) if asm_code else bin_code)
  File "/home/angr/angr-dev/archinfo/archinfo/arch.py", line 444, in asm
    encoding, _ = ks.asm(string, addr, as_bytes) # pylint: disable=too-many-function-args
  File "/home/angr/.virtualenvs/angr/lib/python3.6/site-packages/keystone/keystone.py", line 213, in asm
    raise KsError(errno, stat_count.value)
keystone.keystone.KsError: Invalid operand (KS_ERR_ASM_INVALIDOPERAND)

I have no idea whether I am using archr or rex wrongly. Could you help me with this?

paullj1 commented 4 years ago

Having the same exact problem. Were you ever able to solve this?