angr / rex

Shellphish's automated exploitation engine, originally created for the Cyber Grand Challenge.
BSD 2-Clause "Simplified" License

Run rex with DARPA CGC challenges #84

Closed yh570 closed 2 years ago

yh570 commented 2 years ago

Hi, I tried to run rex with DARPA CGC challenges in Linux (https://github.com/trailofbits/cb-multios), but I'm confused about the target setup.

If I run it with the cgc OS, the command is shown below:

import archr
import rex

with archr.targets.LocalTarget([path], target_os="cgc") as target:
    crash = rex.Crash(target, inp)

I got the error message shown below:

archr.analyzers.qemu_tracer.QEMUTracerError: the target didn't crash inside qemu! Make sure you launch it correctly!

If I run it without target_os, rex keeps running forever. Each time I interrupt the process, the backtraces are all totally different.

The command is shown below:

import archr
import rex

with archr.targets.LocalTarget([path]) as target:
    crash = rex.Crash(target, inp)

rex works well with your provided CGC example (e.g., legit_00003); please give me some comments about how to run rex with DARPA CGC challenges. Thank you!

ltfish commented 2 years ago

I don't think we've seriously tried to use cb-multios (which are CGC binaries re-compiled targeting Linux). You can run Rex on original CGC binaries (with DECREE-OS as the targeting OS) directly. Shellphish-qemu supports emulating CGC binaries under Linux.

yh570 commented 2 years ago

> I don't think we've seriously tried to use cb-multios (which are CGC binaries re-compiled targeting Linux). You can run Rex on original CGC binaries (with DECREE-OS as the targeting OS) directly. Shellphish-qemu supports emulating CGC binaries under Linux.

Hi, thank you for your reply. I tried to use https://github.com/GrammaTech/cgc-cbs but it hits the same issue: archr.analyzers.qemu_tracer.QEMUTracerError: the target didn't crash inside qemu! Make sure you launch it correctly!. Now I'm trying to use a virtual machine and Vagrant to build DECREE. I'm still working on that, but I'm not very sure this is what you mean. It looks like I can run CGC binaries directly with rex in Linux. However, I can't find CGC binaries online, since the original sample site https://github.com/CyberGrandChallenge/samples requires installing in DECREE OS.

Please let me know whether my understanding is correct. In addition, please let me know if you know where I can download CGC binaries directly. Thank you.

yh570 commented 2 years ago

I also tried to use https://github.com/zardus/cgc-bins, which are the compiled binaries, but I got the same issue, as follows:

archr.analyzers.qemu_tracer.QEMUTracerError: the target didn't crash inside qemu! Make sure you launch it correctly!
command: /tmp/archr_local_2b40m3qi/shellphish_qemu/fire /tmp/archr_local_2b40m3qi/shellphish_qemu/shellphish-qemu-cgc-tracer -C /tmp/tracer_target_nliyi4oz -d exec -D /tmp/tracer-kczpv90j.trace -magicdump /tmp/tracer-kczpv90j.magic -m 8G -- /home/yh570/driller/darpa/bin/cgc-bins/all_unpatched/CROMU_00019

yh570 commented 2 years ago

Hi, I am still confused about this issue. I tried to use CROMU_00019 as the target, which is mentioned in your paper. My commands for testing are as follows:

>>> path = "/home/yh570/driller/darpa/bin/cgc-bins/all_unpatched/CROMU_00019"
>>> inp = b'71db10261c\n\x70\x00\x00\x00````````````````````````````````````````````````````````````````````````````````````````````````````````````````'
>>> with archr.targets.LocalTarget([path], target_os='cgc') as target:
...     crash = rex.Crash(target, inp)
... 
Traceback (most recent call last):
  File "<stdin>", line 2, in <module>
  File "/home/yh570/driller/rex/angr-dev/rex/rex/crash.py", line 612, in __init__
    self._initialize()
  File "/home/yh570/driller/rex/angr-dev/rex/rex/crash.py", line 994, in _initialize
    self.concrete_trace()
  File "/home/yh570/driller/rex/angr-dev/rex/rex/crash.py", line 406, in concrete_trace
    taint=taint)
  File "/home/yh570/driller/rex/angr-dev/rex/rex/crash_tracer/full_tracer.py", line 17, in concrete_trace
    pre_fire_hook=pre_fire_hook, delay=delay, actions=actions, taint=taint)
  File "/home/yh570/driller/rex/angr-dev/archr/archr/analyzers/__init__.py", line 71, in fire
    self._fire_testcase(flight, channel=channel)
  File "/usr/lib/python3.7/contextlib.py", line 119, in __exit__
    next(self.gen)
  File "/home/yh570/driller/rex/angr-dev/archr/archr/analyzers/qemu_tracer.py", line 143, in fire_context
    "command: %s" % ' '.join(target_cmd))
archr.analyzers.qemu_tracer.QEMUTracerError: the target didn't crash inside qemu! Make sure you launch it correctly!
command: /tmp/archr_local_rygn8t1f/shellphish_qemu/fire /tmp/archr_local_rygn8t1f/shellphish_qemu/shellphish-qemu-cgc-tracer -C /tmp/tracer_target_uvy_jijk -d exec -D /tmp/tracer-ekan58uq.trace -magicdump /tmp/tracer-ekan58uq.magic -m 8G -- /home/yh570/driller/darpa/bin/cgc-bins/all_unpatched/CROMU_00019
>>> 

However, I still get the same error. The binary is compiled with DECREE.

Another issue is with Palindrome, which works but is not explorable. The code and result are shown below:

>>> path = "/home/yh570/driller/darpa/bin/cgc-bins/all_unpatched/CADET_00001"
>>> inp = bytes.fromhex("0affffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff")
>>> with archr.targets.LocalTarget([path], target_os='cgc') as target:
...     crash = rex.Crash(target, inp)
... 
ERROR   | 2022-01-20 19:12:43,831 | archr.analyzers.qemu_tracer | Unexpected status line from qemu tracer. Cannot get the last read marker to set taint_fd. Please make sure you are using the latest shellphish-qemu.
WARNING | 2022-01-20 19:12:47,608 | angr.sim_state | Unused keyword arguments passed to SimState: concrete_fs chroot args env cwd
WARNING | 2022-01-20 19:13:15,778 | angr.engines.successors | Exit state has over 256 possible solutions. Likely unconstrained; skipping. <BV32 aeg_input_default_5c_79953_8 .. aeg_input_default_5b_79952_8 .. aeg_input_default_5a_79951_8 .. aeg_input_default_59_79950_8>
>>> crash.crash_types
['ip_overwrite']
>>> crash.explorable()
False
>>> 

I hope to hear from you soon. Thanks!

rhelmot commented 2 years ago

Unfortunately, we don't have the time or energy to be able to support rex in the way you're asking for. If you want it to work you'll have to be ready to debug it pretty extensively by yourself.

ltfish commented 2 years ago

> Hi, I am still confused about this issue. I tried to use CROMU_00019 as the target, which is mentioned in your paper. My commands for testing are as follows:

Run CROMU_00019 with crashing input. You seem to be using an input case that does not crash the binary. You don't need Rex to test whether your input crashes the binary or not. You can test it by piping your input to the binary directly.

> Another issue is with Palindrome, which works but is not explorable.

Why must it be explorable?

yh570 commented 2 years ago

Hi, sorry for the late reply. It's been a messy month for me. @ltfish, the crash input for CROMU_00019 is extracted from the POV of Casino Games: https://raw.githubusercontent.com/lungetech/cgc-challenge-corpus/master/CROMU_00019/pov/POV_00003.xml

If I understand the POV correctly, the input is extracted from the lines with <write echo="ascii"><data>. I tested the program with the command echo -en '71db10261c\n\x70\x00\x00\x00````````````````````````````````````````````````````````````````````````````````````````````````````````````````' | ./Casino_Games

The program stops responding (I tested it in Linux) but does not raise the error message. Please let me know if I made a mistake in generating the crash input from this POV.

Thank you.

Update: I just tested the program without the pipe; when entering '71db10261c' for the user name, I get the message Access Granted. However, when using rex with the crash input b'71db10261c', b'71db10261c\n' or b'71db10261c\x0a', I still get the error message the target didn't crash inside qemu or no corefile was created!
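The two checks that come up in this thread, reconstructing the input from a POV's `<write><data>` elements and then piping it into the binary directly (ltfish's suggestion) to see whether it actually dies from a signal or merely hangs, can be done without rex or the qemu tracer at all. The following is an added example, not code from rex, archr or the thread: the POV XML is constructed (it is not POV_00003.xml), and the handling of the `format` attribute (`asciic` with C-style escapes, or `hex`) is an assumption based on the CGC replay DTD.

```python
import codecs
import subprocess
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a CGC POV replay file (not the real
# POV_00003.xml); "asciic" data carries C-style escapes, "hex" is raw hex.
SAMPLE_POV = b"""<?xml version="1.0" standalone="no" ?>
<pov><cbid>CROMU_00019</cbid><replay>
  <read><delim>\\n</delim></read>
  <write echo="ascii"><data>71db10261c\\n</data></write>
  <write echo="ascii"><data format="hex">70000000</data></write>
  <write echo="ascii"><data>````</data></write>
</replay></pov>"""


def decode_data(elem):
    """Decode one <data> element per its format attribute (assumed: asciic|hex)."""
    fmt = elem.get("format", "asciic")
    text = elem.text or ""
    if fmt == "hex":
        return bytes.fromhex("".join(text.split()))
    # asciic: C-style escapes such as \n and \x70 applied to the raw bytes
    return codecs.escape_decode(text.encode())[0]


def pov_input(xml_bytes):
    """Concatenate every <write> payload, in replay order, into one input blob."""
    root = ET.fromstring(xml_bytes)
    chunks = []
    for write in root.iter("write"):
        for data in write.findall("data"):
            chunks.append(decode_data(data))
    return b"".join(chunks)


def check_crash(cmd, inp, timeout=5.0):
    """Pipe inp into the target and classify the outcome with no tracer:
    'crash' if killed by a signal, 'hang' if it exceeds timeout, else 'exit'.
    A 'hang' is what the thread observed: the binary stops responding but
    never faults, so no tracer will ever see a crash."""
    try:
        proc = subprocess.run(cmd, input=inp, capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "hang"
    return "crash" if proc.returncode < 0 else "exit"


if __name__ == "__main__":
    inp = pov_input(SAMPLE_POV)
    print(inp)  # the bytes you would hand to rex.Crash as its input
    # print(check_crash(["./Casino_Games"], inp))  # with a real CGC binary
```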

github-actions[bot] commented 2 years ago

This issue has been marked as stale because it has no recent activity. Please comment or add the pinned tag to prevent this issue from being closed.

github-actions[bot] commented 2 years ago

This issue has been closed due to inactivity.