Continuing with the exercises shipped with angr, this post solves 16_angr_arbitrary_write. Like the previous ones it is a problem about hooking input, and angr is used to solve for the correct password, but exclusion addresses have to be supplied to cut down the path-exploration time.
The code is as follows:
import angr
import claripy
import sys

def main(argv):
    path_to_binary = argv[1]
    project = angr.Project(path_to_binary)
    initial_state = project.factory.entry_state()

    # Replace __isoc99_scanf with a hook that injects symbolic input
    class ReplacementScanf(angr.SimProcedure):
        # Hint: scanf("%u %20s")
        def run(self, format_string, p1, p2):
            scanf0 = claripy.BVS('scanf0', 32)
            scanf1 = claripy.BVS('scanf1', 20 * 8)
            # Constrain every byte of the string to an uppercase letter
            for char in scanf1.chop(bits=8):
                self.state.add_constraints(char >= 'A', char <= 'Z')
            scanf0_address = p1
            self.state.memory.store(scanf0_address, scanf0, endness=project.arch.memory_endness)
            scanf1_address = p2
            self.state.memory.store(scanf1_address, scanf1, endness=project.arch.memory_endness)
            # Keep the symbolic values so they can be concretised after exploration
            self.state.globals['solutions'] = (scanf0, scanf1)

    scanf_symbol = '__isoc99_scanf'  # :string
    project.hook_symbol(scanf_symbol, ReplacementScanf())

    # Inspect the arguments of strncpy
    def check_strncpy(state):
        # The stack will look as follows:
        # ...          ________________
        # esp + 15 -> /                \
        # esp + 14 -> |     param2     |
        # esp + 13 -> |      len       |
        # esp + 12 -> \________________/
        # esp + 11 -> /                \
        # esp + 10 -> |     param1     |
        # esp + 9  -> |      src       |
        # esp + 8  -> \________________/
        # esp + 7  -> /                \
        # esp + 6  -> |     param0     |
        # esp + 5  -> |      dest      |
        # esp + 4  -> \________________/
        # esp + 3  -> /                \
        # esp + 2  -> |     return     |
        # esp + 1  -> |     address    |
        # esp      -> \________________/
        # Extract the three arguments with memory.load
        strncpy_src = state.memory.load(state.regs.esp + 8, 4, endness=project.arch.memory_endness)
        strncpy_dest = state.memory.load(state.regs.esp + 4, 4, endness=project.arch.memory_endness)
        strncpy_len = state.memory.load(state.regs.esp + 12, 4, endness=project.arch.memory_endness)
        # Use memory.load again to fetch the actual contents of src
        src_contents = state.memory.load(strncpy_src, strncpy_len)
        # Check whether src_contents and strncpy_dest are symbolic
        # (state.se is the deprecated alias of state.solver)
        if state.solver.symbolic(src_contents) and state.solver.symbolic(strncpy_dest):
            password_string = 'NDYNWEUJ'  # :string
            buffer_address = 0x57584344  # :integer, probably in hexadecimal
            does_src_hold_password = src_contents[-1:-64] == password_string
            does_dest_equal_buffer_address = strncpy_dest == buffer_address
            # Decide whether strncpy_dest is the address of password_buffer
            if state.satisfiable(extra_constraints=(does_src_hold_password, does_dest_equal_buffer_address)):
                state.add_constraints(does_src_hold_password, does_dest_equal_buffer_address)
                return True
            else:
                return False
        else:  # not state.solver.symbolic(???)
            return False

    simulation = project.factory.simgr(initial_state)

    def is_successful(state):
        strncpy_address = 0x08048410
        if state.addr == strncpy_address:
            return check_strncpy(state)
        else:
            return False

    simulation.explore(find=is_successful)

    if simulation.found:
        solution_state = simulation.found[0]
        stored_solution0, stored_solution1 = solution_state.globals['solutions']
        solution0 = solution_state.solver.eval(stored_solution0)
        solution1 = solution_state.solver.eval(stored_solution1, cast_to=bytes)
        print('solutions are {0},{1}'.format(solution0, solution1))
    else:
        raise Exception('Could not find the solution')

if __name__ == '__main__':
    main(sys.argv)
To obtain the correct output, the strncpy function has to be inspected. Its address is 0x08048410, so strncpy_address = 0x08048410.
This strncpy call takes three inputs; the three arguments strncpy_src, strncpy_dest and strncpy_len are read out in turn.
src_contents and strncpy_dest then need to be checked, which is where the strncmp function comes in. It receives 'NDYNWEUJ' and password_buffer: src_contents[-1:-64] and strncpy_dest are compared against 'DVTBOGZL' and 0x57584344 respectively, and if they are equal, True is returned.
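As an added example (not part of the original post or of angr_ctf), the following angr-free model shows concretely what check_strncpy reads: a 32-bit cdecl stack laid out as [return][dest][src][len] at esp, the src buffer loaded without endness so that bits [-1:-64] are its first eight bytes, and the two comparisons against the solution's password and buffer address. The esp and scanf-buffer addresses are hypothetical; the password and buffer address are the values from the solution above.

```python
import struct

# Constructed values for this example. ESP and SRC_ADDR are hypothetical;
# PASSWORD and PASSWORD_BUFFER are the values used in the solution above.
ESP = 0xffffd000               # hypothetical esp at the entry of strncpy
SRC_ADDR = 0x0804a040          # hypothetical address of the 20-byte scanf buffer
PASSWORD_BUFFER = 0x57584344   # buffer_address from the solution
PASSWORD = b'NDYNWEUJ'         # password_string from the solution

def build_memory(dest, src, length, src_bytes):
    """Model a 32-bit cdecl call: [ret][dest][src][len] at esp, src_bytes at src."""
    mem = {}
    stack = struct.pack('<IIII', 0x08048500, dest, src, length)  # return address is a dummy
    for i, b in enumerate(stack):
        mem[ESP + i] = b
    for i, b in enumerate(src_bytes):
        mem[src + i] = b
    return mem

def load(mem, addr, size, endness='little'):
    """Mirror state.memory.load: 'little' for pointers and ints, 'big' (angr's default) for raw buffers."""
    raw = bytes(mem.get(addr + i, 0) for i in range(size))
    return int.from_bytes(raw, endness)

def top_bits(value, total_bits, nbits):
    """Emulate claripy's bv[-1:-nbits]: the highest nbits of a total_bits-wide value."""
    return value >> (total_bits - nbits)

def check_strncpy(mem, esp=ESP):
    """Concrete counterpart of the solution's check_strncpy over the modelled memory."""
    dest = load(mem, esp + 4, 4)
    src = load(mem, esp + 8, 4)
    length = load(mem, esp + 12, 4)
    if length * 8 < 64:            # fewer than 8 bytes: the 64-bit slice would be out of range
        return False
    # Loading without endness keeps byte order, so byte 0 is the most significant byte;
    # bits [-1:-64] are therefore the first 8 bytes of the buffer.
    src_contents = load(mem, src, length, endness='big')
    first_eight = top_bits(src_contents, length * 8, 64)
    holds_password = first_eight == int.from_bytes(PASSWORD, 'big')
    dest_is_password_buffer = dest == PASSWORD_BUFFER
    return holds_password and dest_is_password_buffer
```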
Now to verify the results.
Run the program just written, saved as scaffold16.py and placed in the same folder as 16_angr_arbitrary_write, as shown in the figure below.
Then run 16_angr_arbitrary_write itself; it asks us to enter the password angr has just solved for. The result is as follows:
However, looking at other people's solutions, they get 'Good Job', whereas every run in my own virtual machine ended in 'Segmentation fault'. I do not know the reason; if anyone knows, please let me know.