update rex to angr-simuvex merge changes
zardus committed Jun 13, 2017
1 parent c963437 commit e426c33
Showing 8 changed files with 44 additions and 48 deletions.
1 change: 0 additions & 1 deletion requirements.txt
@@ -1,5 +1,4 @@
angr
simuvex
tracer
angrop
compilerex
6 changes: 3 additions & 3 deletions rex/crash.py
Expand Up @@ -12,7 +12,7 @@
from .trace_additions import ChallRespInfo, ZenPlugin
from rex.exploit import CannotExploit, CannotExplore, ExploitFactory, CGCExploitFactory
from rex.vulnerability import Vulnerability
from simuvex import SimMemoryError, s_options as so
from angr import sim_options as so


class NonCrashingInput(Exception):
Expand Down Expand Up @@ -737,7 +737,7 @@ def _quick_triage(self, binary, crash):
l.debug("ip appears to be uncontrolled")
return pc, Vulnerability.UNCONTROLLED_IP_OVERWRITE

except SimMemoryError:
except angr.SimMemoryError:
ip_overwritten = True

if ip_overwritten:
Expand Down Expand Up @@ -797,7 +797,7 @@ def _quick_triage(self, binary, crash):
l.debug("write attempt at a read-only page, assuming uncontrolled")
return pc, Vulnerability.UNCONTROLLED_WRITE

except SimMemoryError:
except angr.SimMemoryError:
pass

elif a.action == 'read':
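Review bot: The new `except angr.SimMemoryError:` clauses in the two `_quick_triage` hunks resolve a name that the import hunk does not bring in: it replaces the simuvex import with `from angr import sim_options as so`, which binds `so` but not `angr`. Unless an `import angr` already exists above line 12, outside this hunk, the except clause itself raises NameError the first time a memory error is caught, and that NameError replaces the original exception. Adding `import angr` next to the new import, or importing the exception directly with `from angr import SimMemoryError, sim_options as so`, closes the gap; the latter would also have let the existing `except SimMemoryError:` lines stay unchanged. `_quick_triage` starts and ends outside both hunks.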
8 changes: 4 additions & 4 deletions rex/exploit/exploit.py
@@ -1,5 +1,5 @@
import os
import simuvex
import angr
import logging

from textwrap import dedent
Expand Down Expand Up @@ -67,7 +67,7 @@ def _write_script(self):

last_action = None
for a in path.actions.hardcopy + self.crash.added_actions:
if not isinstance(a, simuvex.SimActionData) or \
if not isinstance(a, angr.state_plugins.SimActionData) or \
not (a.type.startswith('file_/dev/stdin') or a.type.startswith('file_/dev/stdout')):
continue

Expand Down Expand Up @@ -117,7 +117,7 @@ def pov(self):
s = self.exploit_state

for a in path.actions:
if not isinstance(a, simuvex.SimActionData) or \
if not isinstance(a, angr.state_plugins.SimActionData) or \
not (a.type.startswith('file_/dev/stdin') or a.type.startswith('file_/dev/stdout')):
continue

Expand Down Expand Up @@ -164,7 +164,7 @@ def _windup_state(self, state, path=None, to_syscall=False):
'''

if path is None:
state.options.add(simuvex.o.BYPASS_UNSUPPORTED_SYSCALL)
state.options.add(angr.options.BYPASS_UNSUPPORTED_SYSCALL)
path = self.project.factory.path(state=state)

if path.errored:
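Review bot: The stdin/stdout action filter in the `_write_script` hunk is repeated verbatim in the `pov` hunk, so the rename to `angr.state_plugins.SimActionData` had to be made twice and any future change to the file-type prefixes must be made twice as well. A small module-level predicate removes the duplication, and `str.startswith` accepts a tuple so the `or` chain collapses into one call. Both enclosing methods start and end outside their hunks, and `_windup_state` continues past the last one.
```python
def _is_stdio_action(a):
    """True for a SimActionData recorded against the simulated stdin or stdout file."""
    return isinstance(a, angr.state_plugins.SimActionData) and \
        a.type.startswith(('file_/dev/stdin', 'file_/dev/stdout'))

# … unchanged: class body up to _write_script …
        for a in path.actions.hardcopy + self.crash.added_actions:
            if not _is_stdio_action(a):
                continue
# … unchanged: rest of _write_script; pov applies the same predicate to path.actions …
```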
1 change: 1 addition & 0 deletions rex/exploit/exploit_factory.py
Expand Up @@ -5,6 +5,7 @@

import logging
l = logging.getLogger("rex.exploit.exploit_factory")
l.setLevel('DEBUG')

class ExploitFactory(object):
'''
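Review bot: `l.setLevel('DEBUG')` at module import time forces this library logger to DEBUG for every consumer, overriding whatever level the embedding application configured for `rex.exploit.exploit_factory` or its parent loggers, and it sits in the module body next to `getLogger` rather than in any entry point. Library code conventionally leaves the level unset so it inherits from the parent and lets the application choose; if the extra verbosity is wanted during development, setting it from the caller or the test harness keeps the default quiet. The same pattern is visible as unchanged context in the `rex/trace_additions.py` import hunk, so both would be worth cleaning up together. Dropping the added line is the whole change.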
4 changes: 2 additions & 2 deletions rex/exploit/technique.py
@@ -1,5 +1,5 @@
import angr
import logging
import simuvex
from rex.exploit import CannotExploit
from angrop.errors import RopException

Expand Down Expand Up @@ -474,7 +474,7 @@ def _ip_overwrite_with_chain(self, chain, state=None, assert_next_ip_controlled=

try:
cbvv = state.se.BVV(chain_cp.payload_str())
except simuvex.SimUnsatError:
except angr.SimUnsatError:
# it's completely possibly that the values we need need in the chain can't exist due to
# constraints on memory, for example if we need the value '1' to exist in our chain, when
# our chain enter the process memory space with a 'strcpy', '1' cannot exist because its
30 changes: 14 additions & 16 deletions rex/exploit/techniques/explore_for_exploit.py
Expand Up @@ -3,12 +3,10 @@
import rex.exploit.cgc.type2.cgc_type2_general
from rex import Vulnerability
from rex.exploit import CannotExploit
from rex.exploit.cgc import CGCType1CircumstantialExploit
from ..technique import Technique

import claripy
import simuvex
from simuvex import SimStatePlugin, SimMemoryError
import angr


l = logging.getLogger("rex.exploit.techniques.explore_for_exploit")
Expand Down Expand Up @@ -59,12 +57,12 @@ def __init__(self, addr, goal_start=None, goal_end=None):
# todo what about shadow stack and 2 writes? or 1 write but other things to attack like a leak?
# todo what about finding how to go from ip control to more control, ie what gadget works

class SimAddressTracker(SimStatePlugin):
class SimAddressTracker(angr.state_plugins.SimStatePlugin):
"""
This state plugin keeps track of the reads and writes to symbolic addresses
"""
def __init__(self):
SimStatePlugin.__init__(self)
angr.state_plugins.SimStatePlugin.__init__(self)

# data
self.writes = []
Expand Down Expand Up @@ -219,7 +217,7 @@ def is_writable_and_mapped(addr, state):
return (permissions & 2) != 0
except KeyError:
return False
except SimMemoryError:
except angr.SimMemoryError:
return False

@staticmethod
Expand Down Expand Up @@ -435,7 +433,7 @@ def attack(self, path, write_addrs, initial_state):
t = 0
# todo wtf do I do about unicorn. Maybe only track branches with a symbolic guard??
try:
initial_state.options.discard(simuvex.o.UNICORN)
initial_state.options.discard(angr.options.UNICORN)
except AttributeError:
pass

Expand Down Expand Up @@ -555,35 +553,35 @@ def apply(self, **kwargs):
start_state = initial_state.copy()
start_state.release_plugin("zen_plugin")
start_state.release_plugin("chall_resp_info")
start_state.options.discard(simuvex.o.CGC_ZERO_FILL_UNCONSTRAINED_MEMORY)
start_state.options.add(simuvex.o.TRACK_JMP_ACTIONS)
start_state.options.discard(angr.options.CGC_ZERO_FILL_UNCONSTRAINED_MEMORY)
start_state.options.add(angr.options.TRACK_JMP_ACTIONS)
# start_state.inspect.b(
# 'address_concretization',
# simuvex.BP_BEFORE,
# angr.BP_BEFORE,
# action=self.addr_concretization)

# set some breakpoints
start_state.inspect.b(
'mem_write',
simuvex.BP_BEFORE,
angr.BP_BEFORE,
action=self.mem_write_hook
)

start_state.inspect.b(
'mem_read',
simuvex.BP_AFTER,
angr.BP_AFTER,
action=self.mem_read_hook_after
)

start_state.inspect.b(
'exit',
simuvex.BP_BEFORE,
angr.BP_BEFORE,
action=self.exit_hook
)

start_state.inspect.b(
'syscall',
simuvex.BP_BEFORE,
angr.BP_BEFORE,
action=self.syscall_hook
)

Expand All @@ -594,12 +592,12 @@ def apply(self, **kwargs):

# todo wtf do I do about unicorn. Maybe only track branches with a symbolic guard??
try:
start_state.options.discard(simuvex.o.UNICORN)
start_state.options.discard(angr.options.UNICORN)
except AttributeError:
pass

# remove lazy solves
start_state.options.discard(simuvex.o.LAZY_SOLVES)
start_state.options.discard(angr.options.LAZY_SOLVES)

# add the plugin
start_state.register_plugin("address_tracker", SimAddressTracker())
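Review bot: The `try: initial_state.options.discard(angr.options.UNICORN) except AttributeError: pass` in the `attack` hunk, and the same construct around `start_state.options.discard(...)` in the last `apply` hunk, cannot be guarding `discard` itself if `options` is the plain set the surrounding `add`/`discard` calls suggest, since discarding a missing member is a no-op; the only AttributeError that can arise is `angr.options` lacking `UNICORN`, which is exactly the API drift this commit is working around, and in that case the state silently keeps unicorn enabled. Dropping the try/except so the line reads `initial_state.options.discard(angr.options.UNICORN)` makes a failed rename fail loudly, and the adjacent `# todo wtf do I do about unicorn` comment can then describe the open design question instead of a swallowed exception. Both `attack` and `apply` start and end outside their hunks.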
41 changes: 20 additions & 21 deletions rex/trace_additions.py
@@ -1,14 +1,13 @@
from simuvex import SimStatePlugin
import simuvex
import angr
import claripy
from simuvex import SimMemoryError

import string
import logging
l = logging.getLogger("rex.trace_additions")
l.setLevel("DEBUG")


#pylint:disable=pointless-string-statement
"""
This file contains objects to track additional information during a trace or
modify symbolic variables during a trace.
Expand Down Expand Up @@ -59,9 +58,9 @@ def copy(self):
return out

def compute(self, state):
self.input_val = simuvex.s_cc.SimCCCdecl(state.arch).arg(state, self.str_arg_num)
self.input_val = angr.calling_conventions.SimCCCdecl(state.arch).arg(state, self.str_arg_num)
if self.base_arg is not None:
self.input_base = state.se.any_int(simuvex.s_cc.SimCCCdecl(state.arch).arg(state, self.base_arg))
self.input_base = state.se.any_int(angr.calling_conventions.SimCCCdecl(state.arch).arg(state, self.base_arg))
if self.input_base == 0:
self.input_base = 16
else:
Expand Down Expand Up @@ -95,14 +94,14 @@ def copy(self):
return out

def compute(self, state):
self.input_val = simuvex.s_cc.SimCCCdecl(state.arch).arg(state, self.int_arg_num)
self.input_val = angr.calling_conventions.SimCCCdecl(state.arch).arg(state, self.int_arg_num)
if self.base_arg is not None:
self.input_base = state.se.any_int(simuvex.s_cc.SimCCCdecl(state.arch).arg(state, self.base_arg))
self.input_base = state.se.any_int(angr.calling_conventions.SimCCCdecl(state.arch).arg(state, self.base_arg))
if self.input_base == 0:
self.input_base = 16
else:
self.input_base = self.base
self.str_dst_addr = simuvex.s_cc.SimCCCdecl(state.arch).arg(state, self.str_dst_num)
self.str_dst_addr = angr.calling_conventions.SimCCCdecl(state.arch).arg(state, self.str_dst_num)

def get_type(self):
return "IntToStr"
Expand Down Expand Up @@ -151,7 +150,7 @@ def generic_info_hook(state):
format_info = chall_resp_plugin.format_infos[addr].copy()
if format_info.get_type() == "DontConstrain":
arg_num = format_info.check_symbolic_arg
arg = simuvex.s_cc.SimCCCdecl(state.arch).arg(state, arg_num)
arg = angr.calling_conventions.SimCCCdecl(state.arch).arg(state, arg_num)
if state.mem[arg].string.resolved.symbolic:
l.warning("symbolic arg not hooking")
return
Expand Down Expand Up @@ -297,16 +296,16 @@ def constraint_hook(state):

# here we prevent adding constraints if there's a pending thing
chall_resp_plugin = state.get_plugin("chall_resp_info")
if chall_resp_plugin.pending_info is not None and simuvex.o.REPLACEMENT_SOLVER in state.options:
if chall_resp_plugin.pending_info is not None and angr.options.REPLACEMENT_SOLVER in state.options:
state.inspect.added_constraints = []


class ChallRespInfo(SimStatePlugin):
class ChallRespInfo(angr.state_plugins.SimStatePlugin):
"""
This state plugin keeps track of the reads and writes to symbolic addresses
"""
def __init__(self):
SimStatePlugin.__init__(self)
angr.state_plugins.SimStatePlugin.__init__(self)
# for each constraint we check what the max stdin it has and how much stdout we have
self.stdin_min_stdout_constraints = {}
self.stdin_min_stdout_reads = {}
Expand Down Expand Up @@ -477,7 +476,7 @@ def atoi_dumps(state, require_same_length=True):
stdin = state.posix.get_file(0).content.load(0, pos)
vars_to_solve.append(stdin)

for s_var, int_var in chall_resp_plugin.str_to_int_pairs:
for _, int_var in chall_resp_plugin.str_to_int_pairs:
vars_to_solve.append(int_var)

if require_same_length:
Expand Down Expand Up @@ -538,17 +537,17 @@ def prep_tracer(tracer, format_infos=None):
state = path.state
state.inspect.b(
'exit',
simuvex.BP_BEFORE,
angr.BP_BEFORE,
action=exit_hook
)
state.inspect.b(
'syscall',
simuvex.BP_AFTER,
angr.BP_AFTER,
action=syscall_hook
)
state.inspect.b(
'constraints',
simuvex.BP_BEFORE,
angr.BP_BEFORE,
action=constraint_hook
)

Expand Down Expand Up @@ -634,9 +633,9 @@ def zen_register_write(state):
state.inspect.reg_write_expr = new_expr


class ZenPlugin(SimStatePlugin):
class ZenPlugin(angr.state_plugins.SimStatePlugin):
def __init__(self, max_depth=13):
SimStatePlugin.__init__(self)
angr.state_plugins.SimStatePlugin.__init__(self)
# dict from cache key to asts
self.replacements = dict()
# dict from zen vars to the depth
Expand Down Expand Up @@ -725,7 +724,7 @@ def analyze_transmit(self, state, buf):
fd = state.se.any_int(state.regs.ebx)
try:
state.memory.permissions(state.se.any_int(buf))
except SimMemoryError:
except angr.SimMemoryError:
l.warning("detected possible arbitary transmit to fd %d", fd)
if fd == 0 or fd == 1:
self.controlled_transmits.append((state.copy(), buf))
Expand All @@ -742,12 +741,12 @@ def prep_tracer(tracer):
state.register_plugin("zen_plugin", zen_plugin)
state.inspect.b(
'reg_write',
simuvex.BP_BEFORE,
angr.BP_BEFORE,
action=zen_register_write
)
state.inspect.b(
'mem_write',
simuvex.BP_BEFORE,
angr.BP_BEFORE,
action=zen_memory_write
)
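Review bot: `compute` in the second hunk constructs `angr.calling_conventions.SimCCCdecl(state.arch)` three separate times to read three arguments, and the first `compute` hunk and the `generic_info_hook` hunk each build it again, so the rename made every one of those sites longer. Binding it once at the top of each `compute`, `cc = angr.calling_conventions.SimCCCdecl(state.arch)`, and then using `cc.arg(state, self.int_arg_num)`, `cc.arg(state, self.base_arg)` and `cc.arg(state, self.str_dst_num)` keeps the reads on one convention object and brings the lines back under a readable width. Both `compute` methods continue outside their hunks.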

1 change: 0 additions & 1 deletion setup.py
Expand Up @@ -19,7 +19,6 @@
install_requires=[
'angr',
'povsim',
'simuvex',
'tracer',
'angrop',
'compilerex',
