From 01aa693d8feb446d6cf669c123071fff13d46a07 Mon Sep 17 00:00:00 2001 From: Alex-Costin Puflene Date: Mon, 24 Jun 2024 02:29:52 +0300 Subject: [PATCH] Fixes timeout decorator issues and radare2 parsing problems --- zeratool_lib/formatDetector.py | 6 +++--- zeratool_lib/formatExploiter.py | 6 +++--- zeratool_lib/overflowDetector.py | 6 +++--- zeratool_lib/overflowExploitSender.py | 12 +++++++++++- zeratool_lib/overflowExploiter.py | 13 +++++++++++-- zeratool_lib/overflowRemoteLeaker.py | 2 +- 6 files changed, 32 insertions(+), 13 deletions(-) diff --git a/zeratool_lib/formatDetector.py b/zeratool_lib/formatDetector.py index 8c0fe2d..22334cc 100644 --- a/zeratool_lib/formatDetector.py +++ b/zeratool_lib/formatDetector.py @@ -56,11 +56,11 @@ def checkFormat(binary_name, inputType): # Lame way to do a timeout try: - @timeout_decorator.timeout(1200) + @timeout_decorator.timeout(1200, use_signals=False) def exploreBinary(simgr): - simgr.explore(find=lambda s: "type" in s.globals) + return simgr.explore(find=lambda s: "type" in s.globals) - exploreBinary(simgr) + simgr = exploreBinary(simgr) if "found" in simgr.stashes and len(simgr.found): end_state = simgr.found[0] run_environ["type"] = end_state.globals["type"] diff --git a/zeratool_lib/formatExploiter.py b/zeratool_lib/formatExploiter.py index cd83772..241c88b 100644 --- a/zeratool_lib/formatExploiter.py +++ b/zeratool_lib/formatExploiter.py @@ -158,11 +158,11 @@ def rediscoverAndExploit(binary_name, properties, stack_position, leak_format): # Lame way to do a timeout try: - @timeout_decorator.timeout(1200) + @timeout_decorator.timeout(1200, use_signals=False) def exploreBinary(simgr): - simgr.explore(find=lambda s: "type" in s.globals) + return simgr.explore(find=lambda s: "type" in s.globals) - exploreBinary(simgr) + simgr = exploreBinary(simgr) if "found" in simgr.stashes and len(simgr.found): end_state = simgr.found[0] run_environ["type"] = end_state.globals["type"] diff --git a/zeratool_lib/overflowDetector.py b/zeratool_lib/overflowDetector.py index 6d71200..6dd2ced 100644 --- a/zeratool_lib/overflowDetector.py +++ b/zeratool_lib/overflowDetector.py @@ -49,13 +49,13 @@ def checkOverflow(binary_name, inputType): # Lame way to do a timeout try: - @timeout_decorator.timeout(120) + @timeout_decorator.timeout(120, use_signals=False) def exploreBinary(simgr): - simgr.explore( + return simgr.explore( find=lambda s: "type" in s.globals, step_func=overflow_detect_filter ) - exploreBinary(simgr) + simgr = exploreBinary(simgr) if "found" in simgr.stashes and len(simgr.found): end_state = simgr.found[0] run_environ["type"] = end_state.globals["type"] diff --git a/zeratool_lib/overflowExploitSender.py b/zeratool_lib/overflowExploitSender.py index 6622f54..8e32943 100644 --- a/zeratool_lib/overflowExploitSender.py +++ b/zeratool_lib/overflowExploitSender.py @@ -1,4 +1,6 @@ import logging +import os +import stat from overflowExploiter import exploitOverflow from pwn import ELF, gdb, process, u32, u64 @@ -14,8 +16,16 @@ def sendExploit( ): send_results = {} + radare2_binary_name = "/radare2_binary" + fin = open(binary_name, "rb") + fout = open(radare2_binary_name, "wb") + fout.write(fin.read()) + fin.close() + fout.close() + os.chmod(radare2_binary_name, stat.S_IRWXU | stat.S_IRWXG | stat.S_IRWXO) + # Create local process - proc = process(binary_name) + proc = process(radare2_binary_name) if debug: gdb.attach( proc, diff --git a/zeratool_lib/overflowExploiter.py b/zeratool_lib/overflowExploiter.py index 0be6868..8478f6a 100644 --- a/zeratool_lib/overflowExploiter.py +++ b/zeratool_lib/overflowExploiter.py @@ -1,5 +1,6 @@ import logging import os +import stat import angr import claripy @@ -54,6 +55,14 @@ def getOneGadget(properties): def exploitOverflow(binary_name, properties, inputType): + radare2_binary_name = "/radare2_binary" + fin = open(binary_name, "rb") + fout = open(radare2_binary_name, "wb") + fout.write(fin.read()) + fin.close() + fout.close() + os.chmod(radare2_binary_name, stat.S_IRWXU | stat.S_IRWXG | stat.S_IRWXO) + run_environ = properties["pwn_type"].get("results", {}) run_environ["type"] = run_environ.get("type", None) @@ -104,7 +113,7 @@ def exploitOverflow(binary_name, properties, inputType): if inputType == "STDIN": entry_addr = p.loader.main_object.entry if not has_pie: - reg_values = getRegValues(binary_name, entry_addr) + reg_values = getRegValues(radare2_binary_name, entry_addr) state = p.factory.full_init_state( args=argv, add_options=extras, @@ -146,7 +155,7 @@ def exploitOverflow(binary_name, properties, inputType): simgr.explore(find=lambda s: "type" in s.globals, step_func=step_func) try: - @timeout_decorator.timeout(1200) + @timeout_decorator.timeout(1200, use_signals=False) def exploreBinary(simgr): simgr.explore(find=lambda s: "type" in s.globals, step_func=step_func) diff --git a/zeratool_lib/overflowRemoteLeaker.py b/zeratool_lib/overflowRemoteLeaker.py index 7641d02..8b11319 100644 --- a/zeratool_lib/overflowRemoteLeaker.py +++ b/zeratool_lib/overflowRemoteLeaker.py @@ -69,7 +69,7 @@ def leak_remote_functions(binary_name, properties, inputType): # Lame way to do a timeout try: - @timeout_decorator.timeout(1200) + @timeout_decorator.timeout(1200, use_signals=False) def exploreBinary(simgr): simgr.explore( find=lambda s: "libc" in s.globals, step_func=leak_remote_libc_functions