problem about call driller to do symbolic execution job in shellphuzz
JsHuang opened this issue · 6 comments
I'm a little confused about how shellphuzz can call driller; I cannot find anywhere that imports the driller module.
Also, I encountered a problem using shellphuzz to do the drilling job: while testing a simple program, the fuzzer got stuck and drilling began. However, I got the error below:
root@ubuntu:/home/jshuang/work/driller-tests/samples# shellphuzz -c 4 -d 4 -w ./afl-work -C ./simple_over_flow
WARNING | 2018-01-08 00:51:21,524 | angr.analyses.disassembly_utils | Your verison of capstone does not
[*] Drilling...
[*] Creating fuzzer...
WARNING | 2018-01-08 00:51:22,115 | fuzzer.fuzzer | not forced
[*] Starting fuzzer...
['/usr/bin/afl-unix/afl-fuzz', '-i', '-', '-o', './afl-work/simple_over_flow/sync', '-m', '8G', '-Q', ', './simple_over_flow']
['/usr/bin/afl-unix/afl-fuzz', '-i', '-', '-o', './afl-work/simple_over_flow/sync', '-m', '8G', '-Q', 'simple_over_flow']
['/usr/bin/afl-unix/afl-fuzz', '-i', '-', '-o', './afl-work/simple_over_flow/sync', '-m', '8G', '-Q', 'simple_over_flow']
['/usr/bin/afl-unix/afl-fuzz', '-i', '-', '-o', './afl-work/simple_over_flow/sync', '-m', '8G', '-Q', 'simple_over_flow']
[*] Waiting for fuzzer completion (timeout: None, first_crash: True).
WARNING | 2018-01-08 00:52:52,154 | local_callback | Driller stuck callback triggered!
WARNING | 2018-01-08 00:52:52,160 | local_callback | starting drilling of simple_over_flow, id:000000,o
WARNING | 2018-01-08 00:52:54,138 | angr.analyses.disassembly_utils | Your verison of capstone does not
Traceback (most recent call last):
File "/usr/local/lib/python2.7/dist-packages/driller/local_callback.py", line 5, in <module>
import driller #pylint:disable=relative-import,unused-import
File "/usr/local/lib/python2.7/dist-packages/driller/driller.py", line 11, in <module>
from . import config
ValueError: Attempted relative import in non-package
('', None)
Are you using the docker container (docker pull shellphish/mechaphish; docker run -it shellphish/mechaphish)? If not, please try this inside the docker container. If that works, check out the dockerfile (https://github.com/mechaphish/setup/blob/master/Dockerfile) to see how driller should be installed.
@zardus Thanks, in the container driller works, but it seems driller cannot generate inputs for non-CGC binaries, is that right?
There are various issues with proper environment modeling in angr, that hampers driller's operation on non-CGC binaries. Extremely simple ones should work, but anything that uses some syscall not modeled by angr (or a summarized library function that's incorrectly summarized) will fail.
There is no input testcase parameter in shellphuzz; is the initial input for calling afl automatically constructed by itself?
Was the issue with environment modeling in angr resolved? No matter what non-CGC binaries I pass to shellphuzz, it always outputs one or another error happening in angr/exploration_techniques/tracer.py. I was trying it on a super simple 10-line buggy program and on binaries from the LAVA paper.
Thanks.
It is a forever-ongoing problem. We are slowly chipping away at the issues but we are a three-person team, after all.