This repository has been archived by the owner on Apr 28, 2023. It is now read-only.

insomnihack_aeg example fails #44

Closed
symeonp opened this issue Apr 16, 2016 · 7 comments

Contributor

symeonp commented Apr 16, 2016

Hi, when trying to execute the insomnihack example I am getting this error:

(angr)symeon@ubuntu:~/angr/angr-dev/angr-doc/examples/insomnihack_aeg$ python simple_aeg.py demo_bin
Warning: FastBinaryTree not available, using Python version BinaryTree.
Warning: FastAVLTree not available, using Python version AVLTree.
Warning: FastRBTree not available, using Python version RBTree.
INFO    | 2016-04-16 13:44:03,850 | insomnihack.simple_aeg | looking for vulnerability in 'demo_bin'
INFO    | 2016-04-16 13:44:20,116 | insomnihack.simple_aeg | found some unconstrained paths, checking exploitability
INFO    | 2016-04-16 13:45:23,301 | insomnihack.simple_aeg | found some unconstrained paths, checking exploitability
INFO    | 2016-04-16 13:45:25,248 | insomnihack.simple_aeg | found some unconstrained paths, checking exploitability
INFO    | 2016-04-16 13:45:25,251 | insomnihack.simple_aeg | found a path which looks exploitable
INFO    | 2016-04-16 13:45:25,251 | insomnihack.simple_aeg | attempting to create exploit based off path
INFO    | 2016-04-16 13:45:25,251 | insomnihack.simple_aeg | found symbolic buffer at 0xc0000c20
INFO    | 2016-04-16 13:45:25,260 | insomnihack.simple_aeg | found buffer for shellcode, completing exploit
INFO    | 2016-04-16 13:45:25,261 | insomnihack.simple_aeg | pointing pc towards shellcode buffer
Traceback (most recent call last):
  File "simple_aeg.py", line 116, in <module>
    sys.exit(main(sys.argv[1]))
  File "simple_aeg.py", line 108, in main
    f.write(ep.state.posix.dumps(0))
  File "/home/symeon/angr/angr-dev/simuvex/simuvex/plugins/posix.py", line 372, in dumps
    return self.state.se.any_str(self.get_file(fd).all_bytes())
  File "/home/symeon/angr/angr-dev/simuvex/simuvex/plugins/solver.py", line 297, in any_str
    ans = self.any_n_str(e, 1, extra_constraints=extra_constraints)
  File "/home/symeon/angr/angr-dev/simuvex/simuvex/plugins/solver.py", line 306, in any_n_str
    return list(self.any_n_str_iter(e, n, extra_constraints=extra_constraints, exact=exact))
  File "/home/symeon/angr/angr-dev/simuvex/simuvex/plugins/solver.py", line 302, in any_n_str_iter
    for s in self.eval(e, n, extra_constraints=extra_constraints, exact=exact):
  File "/home/symeon/angr/angr-dev/simuvex/simuvex/plugins/solver.py", line 73, in autoed_f
    return ast_stripping_op(f, self, *args, **kwargs)
  File "/home/symeon/angr/angr-dev/simuvex/simuvex/plugins/solver.py", line 43, in ast_stripping_op
    r = _actual_ast_stripping_op(f, *args, **kwargs)
  File "/home/symeon/angr/angr-dev/simuvex/simuvex/s_action_object.py", line 36, in ast_stripping_op
    return f(*new_args, **new_kwargs)
  File "/home/symeon/angr/angr-dev/simuvex/simuvex/plugins/solver.py", line 80, in wrapped_f
    return f(self, *args, **kwargs)
  File "/home/symeon/angr/angr-dev/simuvex/simuvex/plugins/solver.py", line 244, in eval
    return self._solver.eval(e, n, extra_constraints=self._adjust_constraint_list(extra_constraints), exact=exact)
  File "/home/symeon/angr/angr-dev/claripy/claripy/frontends/caching_frontend.py", line 344, in eval
    self._eval(e, n_lacking, extra_constraints=solver_extra_constraints, exact=exact, cache=cache)
  File "/home/symeon/angr/angr-dev/claripy/claripy/frontends/full_frontend.py", line 89, in _eval
    raise UnsatError('unsat')
simuvex.s_errors.SimUnsatError: ('Got an unsat result', <class 'claripy.errors.UnsatError'>, UnsatError('unsat',))

Am I missing something? Does it work for you? Thanks.

Member

zardus commented Apr 28, 2016

Hey symeonp, I've recreated the problem, but we've been traveling so we haven't had a chance to look into the cause. The current plan is to fix it (of course!) and to add it to our CI so it doesn't break again.

Contributor Author

symeonp commented Apr 28, 2016

Hey zardus, thanks for the feedback, good to know that you were able to reproduce it!
No worries, I just wanted to make sure that there is nothing wrong with my angr. Other than
that, it looks like a really cool example, which is why I wanted to play with it.
Cheers!

Member

ltfish commented May 26, 2016

@esanfelix IT IS REALLY AWESOME THAT YOU CAN FIX THIS ISSUE!

@symeonp The AEG example should be working now. Try it out!

@ltfish ltfish closed this as completed May 26, 2016
Contributor Author

symeonp commented May 26, 2016

This is brilliant, thanks Nicks for the example and Eloi for the patch!


zodiac-zodiac commented Sep 20, 2021

This is not working for me (OS: Kali 64)

Member

rhelmot commented Sep 30, 2021

I've pushed a fix. It seems sometime in the last 4 years Linux has gotten a bit better about hardening, so I un-hardened it.

@zodiac-zodiac

Great, thank you @rhelmot!
