mandiant / speakeasy

Windows kernel and user mode emulation.
MIT License

Update requirements.txt #216

Closed vaq130 closed 1 year ago

vaq130 commented 1 year ago

Fixing null pointer dereference. https://www.cve.org/CVERecord?id=CVE-2022-29694

williballenthin commented 1 year ago

I'm a little hesitant to merge this due to a major version upgrade in the key dependency that provides the emulator. It's actually really neat that the tests pass, so maybe everything is working as expected. Should this warrant a new major version release of speakeasy? I'd welcome input from any/everyone.

cecio commented 1 year ago

I tried to run the Speakeasy version with the proposed change on my project (REW-sploit) and running the test suite I see some Segmentation Faults during emulation. I didn't investigate them (just ran the test suite), so maybe it's a problem on my side. I'll have a deeper look into that in the next days and I'll post the result here if you are interested. At least yes, I think it should require a new Speakeasy version.

cecio commented 1 year ago

I did some initial investigation and it looks like the issue is not on my side. This is what I see when running the speakeasy command with the current release on Unicorn 1 and a little shellcode:

>>> speakeasy -r -t samples/payload_tcp_rc4_64.bin -a amd64
* exec: shellcode
0x110a: 'kernel32.LoadLibraryA("ws2_32")' -> 0x78c00000
0x111b: 'ws2_32.WSAStartup(0x101, 0x1203e08)' -> 0x0
0x113b: 'ws2_32.WSASocketA("AF_INET", "SOCK_STREAM", 0x0, 0x0, 0x0, 0x0)' -> 0x4
0x1150: 'ws2_32.connect(0x4, "10.25.44.1:4444", 0x10)' -> 0x0
0x1177: 'ws2_32.recv(0x4, 0x1203d60, 0x4, 0x0)' -> 0x4
0x11ad: 'kernel32.VirtualAlloc(0x0, 0xd3a205a8, 0x1000, "PAGE_EXECUTE_READWRITE")' -> 0x1a7492000
0x11ce: 'ws2_32.recv(0x4, 0x1a7492100, 0xd3a205a8, 0x0)' -> 0x8
0x11ce: 'ws2_32.recv(0x4, 0x1a7492108, 0xd3a205a0, 0x0)' -> 0x0
0x11ce: 'ws2_32.recv(0x4, 0x1a7492108, 0xd3a205a0, 0x0)' -> 0x0

Same command run with the "new" Unicorn 2:

>>> speakeasy -r -t samples/payload_tcp_rc4_64.bin -a amd64
* exec: shellcode
0x110a: 'kernel32.LoadLibraryA("ws2_32")' -> 0x78c00000
0x111b: 'ws2_32.WSAStartup(0x101, 0x1203e08)' -> 0x0
0x113b: 'ws2_32.WSASocketA("AF_INET", "SOCK_STREAM", 0x0, 0x0, 0x0, 0x0)' -> 0x4
0x1150: 'ws2_32.connect(0x4, "10.25.44.1:4444", 0x10)' -> 0x0
0x1177: 'ws2_32.recv(0x4, 0x1203d60, 0x4, 0x0)' -> 0x4
0x11ad: 'kernel32.VirtualAlloc(0x0, 0xd3a205a8, 0x1000, "PAGE_EXECUTE_READWRITE")' -> 0x1a7492000
* Finished emulating

As you can see the emulation stops just after the VirtualAlloc, which is exactly where I see the Segmentation Fault when using Speakeasy in REW-sploit. Probably here the exceptions are not printed out, but emulation stops before the end (the recv part is not reached at all).

I'll try to dig deeper and see if I can isolate the issue.
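The two runs quoted above agree call for call until the Unicorn 2 run ends silently after VirtualAlloc. As an added illustration (not code from speakeasy, Unicorn or this thread), here is a small Python checker that parses speakeasy's API-trace lines and reports the first call where two runs diverge or where one run stops early; the sample traces are constructed from the tails of the two outputs in this thread, and the kind of check the passing test suite evidently did not perform.

```python
import re
from typing import List, NamedTuple, Optional

# One speakeasy API-trace line, e.g.:  0x110a: 'kernel32.LoadLibraryA("ws2_32")' -> 0x78c00000
TRACE_RE = re.compile(r"^(0x[0-9a-f]+): '([\w.]+)\((.*)\)' -> (0x[0-9a-f]+)$", re.I)

class ApiCall(NamedTuple):
    addr: int   # call-site address inside the emulated sample
    api: str    # "module.function"
    args: str   # argument text exactly as speakeasy printed it
    ret: int    # value speakeasy handed back to the sample

def parse_trace(text: str) -> List[ApiCall]:
    """Pull API calls out of speakeasy console output; banner lines such as
    '* exec: shellcode' and '* Finished emulating' are skipped."""
    calls = []
    for line in text.splitlines():
        m = TRACE_RE.match(line.strip())
        if m:
            calls.append(ApiCall(int(m[1], 16), m[2], m[3], int(m[4], 16)))
    return calls

def first_divergence(base: List[ApiCall], new: List[ApiCall]) -> Optional[dict]:
    """None when both runs agree call by call; otherwise the first call whose API or
    return value differs, or the point where one run ended early (a silent stop,
    as after VirtualAlloc in the Unicorn 2 run above)."""
    for i, (b, n) in enumerate(zip(base, new)):
        if (b.api, b.ret) != (n.api, n.ret):
            return {"index": i, "reason": "mismatch", "base": b, "new": n}
    if len(base) != len(new):
        new_short = len(new) < len(base)
        tail = base[len(new):] if new_short else new[len(base):]
        return {"index": min(len(base), len(new)),
                "reason": "new trace stopped early" if new_short else "base trace stopped early",
                "missing": [c.api for c in tail]}
    return None

# Sample input, constructed from the two runs quoted in this thread (tail only).
UNICORN1 = """\
0x11ad: 'kernel32.VirtualAlloc(0x0, 0xd3a205a8, 0x1000, "PAGE_EXECUTE_READWRITE")' -> 0x1a7492000
0x11ce: 'ws2_32.recv(0x4, 0x1a7492100, 0xd3a205a8, 0x0)' -> 0x8
0x11ce: 'ws2_32.recv(0x4, 0x1a7492108, 0xd3a205a0, 0x0)' -> 0x0
"""
UNICORN2 = """\
0x11ad: 'kernel32.VirtualAlloc(0x0, 0xd3a205a8, 0x1000, "PAGE_EXECUTE_READWRITE")' -> 0x1a7492000
* Finished emulating
"""
if __name__ == "__main__":
    print(first_divergence(parse_trace(UNICORN1), parse_trace(UNICORN2)))
```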

williballenthin commented 1 year ago

thanks @cecio!

I think it's fair to conclude there are updates to unicorn in v2.0 that would require changes within speakeasy. Since it's a core dependency with a major version bump we should also do a substantial version bump of speakeasy, too. Let's leave this for another day, especially when there are some good motivations to update unicorn (granted null pointer dereference is bad; does it affect speakeasy?).

cecio commented 1 year ago

Yes, I agree with you. I tried to dig into the issue seen with the new Unicorn version: I think the problem is in some way related to the management of the memory protection flags, but I was not able to narrow down the root cause yet. If I discover something I'll keep you posted. Thanks