shellphish / driller

Driller: augmenting AFL with symbolic execution!
BSD 2-Clause "Simplified" License

AngrTracerError: Trace does not seem to contain object initializers for <ELF Object libutil-2.31.so, maps [0x500000:0x50410f]>. Do you want to have a Tracer(aslr=False)? #91

Open SpaceMoehre opened 3 years ago

SpaceMoehre commented 3 years ago

I'm trying to improve LiveOverflow's current sudo fuzzing series by adding driller to the project. Since the Baron Samedit vulnerability is triggered by using sudoedit, driller shall add 'edit' to the AFL queue, but sadly I get an error. I created a Dockerfile so you can easily recreate my current state:

# Base image ships afl-fuzz with QEMU mode (-Q) available.
FROM aflplusplus/aflplusplus
ARG DEBIAN_FRONTEND=noninteractive
RUN useradd -ms /bin/bash user
RUN apt-get update && apt-get install -yq build-essential gcc-multilib debootstrap debian-archive-keyring libtool-bin bison python3 python3-pip virtualenv git python3-dev automake lsb-release xxd
# The angr stack, tracer and driller go into their own virtualenv.
RUN virtualenv -ppython3 /opt/venv
RUN /opt/venv/bin/pip install git+https://github.com/angr/archinfo
RUN /opt/venv/bin/pip install cle
RUN /opt/venv/bin/pip install git+https://github.com/angr/claripy
RUN /opt/venv/bin/pip install angr
RUN /opt/venv/bin/pip install git+https://github.com/angr/tracer
RUN /opt/venv/bin/pip install git+https://github.com/shellphish/driller
# Fuzzing target: sudo, built without its shared plugin libraries.
RUN cd / && git clone https://github.com/SpaceMoehre/sudofuzz
WORKDIR /sudofuzz
RUN make clean && ./configure --disable-shared && make && make install
# Seed corpus and output directory for afl-fuzz.
RUN mkdir /tmp/in && mkdir /tmp/out && echo 'init' > /tmp/in/seed
# Master instance in QEMU mode; no @@, so the input is fed to sudo on stdin.
CMD afl-fuzz -Q -i /tmp/in -o /tmp/out -M fuzzer-master ./src/sudo

For some reason I get errors when trying to install cle and angr via git+https, because of versioning...

Build and run:

docker build - < Dockerfile
docker run -it <image id>

This will start afl-fuzz in QEMU mode. In a second terminal I try to run my driller script:

source /opt/venv/bin/activate
python run_driller.py src/sudo /tmp/out/fuzzer-master

This results in the following error:

Drilling input: b'!!\x05\xff\xff\x05!\x1f!!!!!!!!!!!!\t!!!!#'
WARNING | 2021-07-13 15:44:22,153 | cle.loader | The main binary is a position-independent executable. It is being loaded with a base address of 0x400000.
WARNING | 2021-07-13 15:44:26,890 | cle.loader | The main binary is a position-independent executable. It is being loaded with a base address of 0x400000.
Traceback (most recent call last):
  File "run_driller.py", line 70, in <module>
    main()
  File "run_driller.py", line 57, in main
    for _, new_input in Driller(binary, seed, fuzzer_bitmap).drill_generator():
  File "/opt/venv/lib/python3.8/site-packages/driller/driller_main.py", line 101, in drill_generator
    for i in self._drill_input():
  File "/opt/venv/lib/python3.8/site-packages/driller/driller_main.py", line 131, in _drill_input
    simgr.use_technique(t)
  File "/opt/venv/lib/python3.8/site-packages/angr/sim_manager.py", line 189, in use_technique
    tech.setup(self)
  File "/opt/venv/lib/python3.8/site-packages/angr/exploration_techniques/tracer.py", line 261, in setup
    self._identify_aslr_slides()
  File "/opt/venv/lib/python3.8/site-packages/angr/exploration_techniques/tracer.py", line 229, in _identify_aslr_slides
    raise AngrTracerError("Trace does not seem to contain object initializers for %s. Do you want to have a Tracer(aslr=False)?" % obj)
angr.errors.AngrTracerError: Trace does not seem to contain object initializers for <ELF Object libutil-2.31.so, maps [0x500000:0x50410f]>. Do you want to have a Tracer(aslr=False)?

I tested a few things, and it turns out the libutil used by QEMU and driller points to the same file, and AFL++ does not appear to be the problem. I manually set aslr=False in tracer.py and disabled ASLR, but the error persists.
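The run_driller.py that the traceback refers to was never posted. The following is an added example of the glue such a script needs between an AFL++ output directory and Driller; it is not the reporter's script and not Driller's or AFL++'s own code. It assumes the directory layout the afl-fuzz command above produces (<out>/fuzzer-master/queue/id:* and <out>/fuzzer-master/fuzz_bitmap), uses a sync directory named "driller" (a choice made here), and feeds each input on stdin as the afl-fuzz invocation does. The `driller` import sits inside drill_queue(), so the directory helpers run and can be tried with the constructed sample tree without angr installed.

```python
#!/usr/bin/env python3
"""AFL++ output directory <-> Driller glue (added example, not the issue's script).

Assumed layout: <out>/fuzzer-master/queue/id:* and <out>/fuzzer-master/fuzz_bitmap,
as produced by `afl-fuzz -Q -i in -o out -M fuzzer-master ./src/sudo`.
"""
import os
import re
import sys
import tempfile

AFL_MAP_SIZE = 1 << 16                 # AFL/AFL++ default map size (64K edges)
_ID_RE = re.compile(r"^id:(\d{6})")    # AFL queue entries are named id:NNNNNN,...


def load_fuzz_bitmap(fuzzer_dir):
    """Return AFL's virgin-bits map (0xff = edge never hit) or None if absent."""
    path = os.path.join(fuzzer_dir, "fuzz_bitmap")
    if not os.path.isfile(path):
        return None
    with open(path, "rb") as f:
        data = f.read()
    if len(data) < AFL_MAP_SIZE:   # Driller indexes the map as a 64K array
        raise ValueError("fuzz_bitmap is %d bytes, expected at least %d" % (len(data), AFL_MAP_SIZE))
    return data[:AFL_MAP_SIZE]


def queue_inputs(fuzzer_dir):
    """Yield (id, name, data) for every queue entry, in AFL id order."""
    qdir = os.path.join(fuzzer_dir, "queue")
    entries = []
    for name in os.listdir(qdir):
        m = _ID_RE.match(name)
        if m:
            entries.append((int(m.group(1)), name))
    for qid, name in sorted(entries):
        with open(os.path.join(qdir, name), "rb") as f:
            yield qid, name, f.read()


def next_sync_id(sync_queue):
    """First unused id:NNNNNN in a sync queue directory."""
    ids = [int(m.group(1)) for m in map(_ID_RE.match, os.listdir(sync_queue)) if m]
    return max(ids) + 1 if ids else 0


def write_sync_inputs(out_dir, new_inputs, sync_name="driller", src="driller"):
    """Write Driller's outputs as <out>/<sync_name>/queue/id:NNNNNN,src:<src>.

    afl-fuzz's sync step scans sibling directories under -o for queue/ entries
    whose names start with id:, which is how these reach the -M instance.
    Returns the paths written.
    """
    sync_queue = os.path.join(out_dir, sync_name, "queue")
    os.makedirs(sync_queue, exist_ok=True)
    qid = next_sync_id(sync_queue)
    paths = []
    for data in new_inputs:
        path = os.path.join(sync_queue, "id:%06d,src:%s" % (qid, src))
        with open(path, "wb") as f:
            f.write(data)
        paths.append(path)
        qid += 1
    return paths


def drill_queue(binary, out_dir, fuzzer="fuzzer-master"):
    """Drill each queue entry once (input on stdin); returns the number of inputs written."""
    from driller import Driller    # assumed installed in the venv, as in the Dockerfile
    fuzzer_dir = os.path.join(out_dir, fuzzer)
    bitmap = load_fuzz_bitmap(fuzzer_dir)
    written = 0
    for qid, name, seed in queue_inputs(fuzzer_dir):
        print("Drilling input %s: %r" % (name, seed))
        # Same Driller(binary, input, fuzz_bitmap).drill_generator() call as in the traceback.
        new_inputs = [inp for _, inp in Driller(binary, seed, bitmap).drill_generator()]
        written += len(write_sync_inputs(out_dir, new_inputs, src="%06d" % qid))
    return written


def build_sample_output_dir():
    """Constructed AFL++-style tree for exercising the helpers offline (not real fuzzer output)."""
    out = tempfile.mkdtemp(prefix="afl-out-")
    fuzzer_dir = os.path.join(out, "fuzzer-master")
    os.makedirs(os.path.join(fuzzer_dir, "queue"))
    for qid, data in enumerate([b"init\n", b"!!\x05\xff\xff\x05!", b"edit\n"]):
        with open(os.path.join(fuzzer_dir, "queue", "id:%06d,orig:seed" % qid), "wb") as f:
            f.write(data)
    with open(os.path.join(fuzzer_dir, "fuzz_bitmap"), "wb") as f:
        f.write(b"\xff" * AFL_MAP_SIZE)    # all edges still virgin
    return out


if __name__ == "__main__":
    print("wrote %d new inputs" % drill_queue(sys.argv[1], sys.argv[2]))
```

Usage is `python run_driller.py ./src/sudo /tmp/out` from inside the venv; new inputs land in /tmp/out/driller/queue/ and are picked up by the running fuzzer-master instance on its next sync. Driller's own trace of the binary is where the AngrTracerError above is raised, so this glue does not change that error; it only shows where the seed and bitmap passed to Driller(binary, seed, fuzzer_bitmap) come from and where the results should go.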

xiaozhouqi commented 1 year ago

Did you solve this problem? I have met the same problem.