Fixes timeout decorator issues and radare2 parsing problems

open-crs · Jun 23, 2024 · 01aa693 · 01aa693
1 parent 4d2ca42
commit 01aa693
Show file tree

Hide file tree

Showing 6 changed files with 32 additions and 13 deletions.
diff --git a/zeratool_lib/formatDetector.py b/zeratool_lib/formatDetector.py
@@ -56,11 +56,11 @@ def checkFormat(binary_name, inputType):
     # Lame way to do a timeout
     try:
 
-        @timeout_decorator.timeout(1200)
+        @timeout_decorator.timeout(1200, use_signals=False)
         def exploreBinary(simgr):
-            simgr.explore(find=lambda s: "type" in s.globals)
+            return simgr.explore(find=lambda s: "type" in s.globals)
 
-        exploreBinary(simgr)
+        simgr = exploreBinary(simgr)
         if "found" in simgr.stashes and len(simgr.found):
             end_state = simgr.found[0]
             run_environ["type"] = end_state.globals["type"]

diff --git a/zeratool_lib/formatExploiter.py b/zeratool_lib/formatExploiter.py
@@ -158,11 +158,11 @@ def rediscoverAndExploit(binary_name, properties, stack_position, leak_format):
     # Lame way to do a timeout
     try:
 
-        @timeout_decorator.timeout(1200)
+        @timeout_decorator.timeout(1200, use_signals=False)
         def exploreBinary(simgr):
-            simgr.explore(find=lambda s: "type" in s.globals)
+            return simgr.explore(find=lambda s: "type" in s.globals)
 
-        exploreBinary(simgr)
+        simgr = exploreBinary(simgr)
         if "found" in simgr.stashes and len(simgr.found):
             end_state = simgr.found[0]
             run_environ["type"] = end_state.globals["type"]

diff --git a/zeratool_lib/overflowDetector.py b/zeratool_lib/overflowDetector.py
@@ -49,13 +49,13 @@ def checkOverflow(binary_name, inputType):
     # Lame way to do a timeout
     try:
 
-        @timeout_decorator.timeout(120)
+        @timeout_decorator.timeout(120, use_signals=False)
         def exploreBinary(simgr):
-            simgr.explore(
+            return simgr.explore(
                 find=lambda s: "type" in s.globals, step_func=overflow_detect_filter
             )
 
-        exploreBinary(simgr)
+        simgr = exploreBinary(simgr)
         if "found" in simgr.stashes and len(simgr.found):
             end_state = simgr.found[0]
             run_environ["type"] = end_state.globals["type"]

diff --git a/zeratool_lib/overflowExploitSender.py b/zeratool_lib/overflowExploitSender.py
@@ -1,4 +1,6 @@
 import logging
+import os
+import stat
 
 from overflowExploiter import exploitOverflow
 from pwn import ELF, gdb, process, u32, u64
@@ -14,8 +16,16 @@ def sendExploit(
 ):
     send_results = {}
 
+    radare2_binary_name = "/radare2_binary"
+    fin = open(binary_name, "rb")
+    fout = open(radare2_binary_name, "wb")
+    fout.write(fin.read())
+    fin.close()
+    fout.close()
+    os.chmod(radare2_binary_name, stat.S_IRWXU | stat.S_IRWXG | stat.S_IRWXO)
+
     # Create local process
-    proc = process(binary_name)
+    proc = process(radare2_binary_name)
     if debug:
         gdb.attach(
             proc,

diff --git a/zeratool_lib/overflowExploiter.py b/zeratool_lib/overflowExploiter.py
@@ -1,5 +1,6 @@
 import logging
 import os
+import stat
 
 import angr
 import claripy
@@ -54,6 +55,14 @@ def getOneGadget(properties):
 
 def exploitOverflow(binary_name, properties, inputType):
 
+    radare2_binary_name = "/radare2_binary"
+    fin = open(binary_name, "rb")
+    fout = open(radare2_binary_name, "wb")
+    fout.write(fin.read())
+    fin.close()
+    fout.close()
+    os.chmod(radare2_binary_name, stat.S_IRWXU | stat.S_IRWXG | stat.S_IRWXO)
+
     run_environ = properties["pwn_type"].get("results", {})
     run_environ["type"] = run_environ.get("type", None)
 
@@ -104,7 +113,7 @@ def exploitOverflow(binary_name, properties, inputType):
     if inputType == "STDIN":
         entry_addr = p.loader.main_object.entry
         if not has_pie:
-            reg_values = getRegValues(binary_name, entry_addr)
+            reg_values = getRegValues(radare2_binary_name, entry_addr)
         state = p.factory.full_init_state(
             args=argv,
             add_options=extras,
@@ -146,7 +155,7 @@ def exploitOverflow(binary_name, properties, inputType):
     simgr.explore(find=lambda s: "type" in s.globals, step_func=step_func)
     try:
 
-        @timeout_decorator.timeout(1200)
+        @timeout_decorator.timeout(1200, use_signals=False)
         def exploreBinary(simgr):
             simgr.explore(find=lambda s: "type" in s.globals, step_func=step_func)
 

diff --git a/zeratool_lib/overflowRemoteLeaker.py b/zeratool_lib/overflowRemoteLeaker.py
@@ -69,7 +69,7 @@ def leak_remote_functions(binary_name, properties, inputType):
     # Lame way to do a timeout
     try:
 
-        @timeout_decorator.timeout(1200)
+        @timeout_decorator.timeout(1200, use_signals=False)
         def exploreBinary(simgr):
             simgr.explore(
                 find=lambda s: "libc" in s.globals, step_func=leak_remote_libc_functions