
rex's Introduction

Rex

At the moment rex offers a couple of features: crash triaging, crash exploration, and exploitation for certain kinds of crashes.

In the example below, we take a crashing input for legit_00003 discovered by AFL. The vulnerability is a simple buffer overflow on the stack; however, before the vulnerable function returns, it calls memcpy with a destination parameter that was overwritten during the stack smash. While rex doesn't know how to exploit an arbitrary memcpy call (yet), it can be told to explore the crash until it finds an exploitation primitive which it knows how to exploit.

Exploit objects can take a crashing input and will attempt to turn it into an exploit which can set every register and leak data from an arbitrary address.

# triage a crash
>>> crash = rex.Crash("./legit_00003", b"\x00\x0b1\xc1\x00\x0c\xeb\xe4\xf1\xf1\x14\r\rM\r\xf3\x1b\r\r\r~\x7f\x1b\xe3\x0c`_222\r\rM\r\xf3\x1b\r\x7f\x002\x7f~\x7f\xe2\xff\x7f\xff\xff\x8b\xc7\xc9\x83\x8b\x0c\xeb\x80\x002\xac\xe2\xff\xff\x00t\x8bt\x8bt_o_\x00t\x8b\xc7\xdd\x83\xc2t~n~~\xac\xe2\xff\xff_k_\x00t\x8b\xc7\xdd\x83\xc2t~n~~\xac\xe2\xff\xff\x00t\x8bt\x8b\xac\xf1\x83\xc2t~c\x00\x00\x00~~\x7f\xe2\xff\xff\x00t\x9e\xac\xe2\xf1\xf2@\x83\xc3t")
>>> crash.crash_types
['write_what_where']
>>> crash.explorable()
True
# explore the crash by setting segfaulting pointers to sane values and re-tracing
>>> crash.explore()
# now we can see that we control instruction pointer
>>> crash.crash_types
'ip_overwrite'
# generate exploits based off of this crash
# it may take several minutes
>>> arsenal = crash.exploit()
# we generated a type 1 POV for every register
>>> len(arsenal.register_setters) # we generate one circumstantial register setter, one shellcode register setter
2
# and one Type 2 which can leak arbitrary memory
>>> len(arsenal.leakers)
1
# exploits are graded based on reliability and on what kind of defenses they can
# bypass; the two best exploits are put into the 'best_type1' and 'best_type2' attributes
>>> arsenal.best_type1.register
'ebp'
# exploits can be dumped in C, Python, or as a compiled POV
>>> arsenal.best_type2.dump_c('legit3_x.c')
>>> arsenal.best_type2.dump_python('legit3_x.py')
>>> arsenal.best_type2.dump_binary('legit3_x.pov')
# also POVs can be tested against a simulation of the CGC architecture
>>> arsenal.best_type1.test_binary()
True

Basic support for Linux ELF binaries also exists; exploits generated for ELF binaries will attempt to drop a shell.
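A toy model of the crash described above, added here as an illustration and not taken from rex: it shows why the first trace is classified as write_what_where and why re-tracing with the corrupted pointer set to a sane value reveals ip_overwrite. The frame layout, the addresses and the trace/explore helpers are constructed for the example; only the two crash-type names come from the session above.

```python
import struct

# Constructed stack frame, low to high addresses:
#   buf[BUF_SIZE] | memcpy destination pointer | saved return address
BUF_SIZE = 16
DST_OFF = BUF_SIZE
RET_OFF = DST_OFF + 4
FRAME_SIZE = RET_OFF + 4

WRITABLE = range(0x1000, 0x2000)   # the only mapped, writable region in the model
SANE_DST = 0x1800                  # a valid destination inside WRITABLE
SAVED_RET = 0x400123               # the caller's return address (constructed)


def trace(data):
    """Replay `data` through the modelled function and name the first fault.

    Returns (crash_type, frame_offset), or (None, None) if the function
    returns to its caller normally.
    """
    frame = bytearray(FRAME_SIZE)
    struct.pack_into("<II", frame, DST_OFF, SANE_DST, SAVED_RET)

    # The unbounded copy into buf: everything below `tainted` came from input.
    tainted = min(len(data), FRAME_SIZE)
    frame[:tainted] = data[:tainted]

    dst, _ret = struct.unpack_from("<II", frame, DST_OFF)

    # memcpy(dst, ...) runs BEFORE the function returns, so a corrupted
    # destination faults first and hides the overwritten return address.
    if tainted > DST_OFF and dst not in WRITABLE:
        return "write_what_where", DST_OFF

    # Only when the write succeeds do we reach the return instruction.
    if tainted > RET_OFF:
        return "ip_overwrite", RET_OFF
    return None, None


def explore(data):
    """Set each faulting pointer to a sane value and re-trace.

    Models the page's description of crash.explore(); returns the crash
    type finally reached and the patched input that reaches it.
    """
    patched = bytearray(data)
    crash_type, off = trace(bytes(patched))
    while crash_type == "write_what_where":
        patched[off:off + 4] = struct.pack("<I", SANE_DST)
        crash_type, off = trace(bytes(patched))
    return crash_type, bytes(patched)


# Constructed crashing input: fills buf, then clobbers the pointer and the return.
CRASHING = b"A" * BUF_SIZE + struct.pack("<I", 0xDEADBEEF) + b"BBBB"

if __name__ == "__main__":
    print(trace(CRASHING))        # first fault seen by triage
    print(explore(CRASHING)[0])   # fault seen after exploration
    print(trace(b"hi"))           # short input: no crash
```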

rex's People

Contributors

adamdoupe, balbassam, bannsec, connornelson, dnivra, etrickel, giovannivigna, jkrshnmenon, kyle-kyle, ltfish, lukas-dresel, mahaloz, mohitrpatil, nebirhos, nickstephens, owlz, rhelmot, salls, tiedaoxiaotubie, twizmwazin, tyb0807, ylya, zardus, zwimer


rex's Issues

cannot import name TracerPoV

WARNING | 2018-11-21 12:25:05,282 | angr.analyses.disassembly_utils | Your version of capstone does not support MIPS instruction groups.
Traceback (most recent call last):
File "test_rex.py", line 8, in
import rex
File "/usr/local/lib/python2.7/dist-packages/rex/init.py", line 2, in
from rex.crash import Crash, QuickCrash, NonCrashingInput
File "/usr/local/lib/python2.7/dist-packages/rex/crash.py", line 14, in
from tracer import TracerPoV
ImportError: cannot import name TracerPoV

test_linux_stacksmash error

ERROR: test_ysg.test_linux_stacksmash
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/usr/local/lib/python3.5/dist-packages/nose/case.py", line 198, in runTest
    self.test(*self.arg)
  File "/home/ysg/WorkSpace/tracer/tests/test_ysg.py", line 37, in test_linux_stacksmash
    crash = rex.Crash(target, inp, fast_mode=True, rop_cache_path=os.path.join(cache_location, 'vuln_stacksmash'))
  File "/usr/local/lib/python3.5/dist-packages/rex/crash.py", line 94, in __init__
    self.project = self.angr_project_bow.fire()
  File "/usr/local/lib/python3.5/dist-packages/archr-8.18.10.5-py3.5.egg/archr/arsenal/angr_project.py", line 24, in fire
    _,_,_,self._mem_mapping = self.scout_bow.fire()
  File "/usr/local/lib/python3.5/dist-packages/archr-8.18.10.5-py3.5.egg/archr/arsenal/datascout.py", line 79, in fire
    with self.target.shellcode_context(asm_code=self.sendfile_shellcode("/proc/self/cmdline") + self.exit_shellcode(), aslr=aslr, **kwargs) as p:
  File "/usr/lib/python3.5/contextlib.py", line 59, in __enter__
    return next(self.gen)
  File "/usr/local/lib/python3.5/dist-packages/archr-8.18.10.5-py3.5.egg/archr/targets/__init__.py", line 375, in shellcode_context
    with self.replacement_context(self.target_path, hooked_binary, saved_contents=original_binary):
  File "/usr/lib/python3.5/contextlib.py", line 59, in __enter__
    return next(self.gen)
  File "/usr/local/lib/python3.5/dist-packages/archr-8.18.10.5-py3.5.egg/archr/targets/__init__.py", line 339, in replacement_context
    self.inject_contents({target_path: temp_contents})
  File "/usr/local/lib/python3.5/dist-packages/archr-8.18.10.5-py3.5.egg/archr/targets/__init__.py", line 247, in inject_contents
    self.inject_tarball("/", tarball_contents=f.read())
  File "/usr/local/lib/python3.5/dist-packages/archr-8.18.10.5-py3.5.egg/archr/targets/local_target.py", line 58, in inject_tarball
    t.extractall(path=target_path)
  File "/usr/lib/python3.5/tarfile.py", line 1996, in extractall
    numeric_owner=numeric_owner)
  File "/usr/lib/python3.5/tarfile.py", line 2038, in extract
    numeric_owner=numeric_owner)
  File "/usr/lib/python3.5/tarfile.py", line 2108, in _extract_member
    self.makefile(tarinfo, targetpath)
  File "/usr/lib/python3.5/tarfile.py", line 2148, in makefile
    with bltn_open(targetpath, "wb") as target:
OSError: [Errno 26] Text file busy: '/home/ysg/WorkSpace/tracer/tests/../../binaries/tests/i386/vuln_stacksmash'

Why did this happen?

test error

I ran into a problem while running the given test cases - test_linux_stacksmash():
tracer.tracer.TracerMisfollowError: program did not behave correctly, expected only one path

Is it a code problem or is it my configuration problem?

Hoping for your reply, thanks.

Run rex with DARPA CGC challenges

Hi, I tried to run rex with DARPA CGC challenges on Linux (https://github.com/trailofbits/cb-multios), but I'm confused about the target setup.

If I run it with cgc os, the command is shown below:

with archr.targets.LocalTarget([path], target_os="cgc") as target:
    crash = rex.Crash(target, inp)

I got the error message shown below:

archr.analyzers.qemu_tracer.QEMUTracerError: the target didn't crash inside qemu! Make sure you launch it correctly!

If I run it without target_os, rex keeps running forever. Each time I interrupt the processing, the backtraces are all totally different.

The command is shown below:

with archr.targets.LocalTarget([path]) as target:
    crash = rex.Crash(target, inp)

rex works well with your provided CGC example (e.g., legit_00003); please give me some comments about how to run rex with DARPA CGC challenges. Thank you!

TypeError: fire_context() got an unexpected keyword argument 'channel'

Hello, I get an error when trying to test a simple buffer overflow (to test rex). I'm trying to debug the issue.

crash = rex.Crash(tt, b"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")
WARNING | 2019-12-04 21:57:29,693 | cle.loader | The main binary is a position-independent executable. It is being loaded with a base address of 0x400000.
Traceback (most recent call last):
File "", line 1, in
File "/opt/rex/rex/crash.py", line 119, in init
self._work(pov_file, format_infos)
File "/opt/rex/rex/crash.py", line 565, in _work
format_infos=format_infos,
File "/opt/rex/rex/crash.py", line 612, in _trace
r = self.tracer_bow.fire(testcase=test_case, channel=channel, save_core=save_core)
File "/usr/local/lib/python3.7/dist-packages/archr/arsenal/init.py", line 50, in fire
with self.fire_context(*args, **kwargs) as flight:
File "/usr/lib/python3.7/contextlib.py", line 239, in helper
return _GeneratorContextManager(func, args, kwds)
File "/usr/lib/python3.7/contextlib.py", line 82, in init
self.gen = func(*args, **kwds)
TypeError: fire_context() got an unexpected keyword argument 'channel'

"list index out of range" for tracer

Hi, I ran rex with a simple stack overflow sample, and I got an error like this:

Traceback (most recent call last):
File "ctf.py", line 4, in
crash = rex.Crash('./test64', 'A'*1024)
File "/usr/local/lib/python2.7/dist-packages/rex/crash.py", line 114, in init
prev, crash_state = self._tracer.run(constrained_addrs)
File "/usr/local/lib/python2.7/dist-packages/tracer-0.1-py2.7.egg/tracer/tracer.py", line 508, in run
branches = self.next_branch()
File "/usr/local/lib/python2.7/dist-packages/tracer-0.1-py2.7.egg/tracer/tracer.py", line 271, in next_branch
while self._addr_in_plt(self.trace[self.bb_cnt]):
IndexError: list index out of range

Hoping for your attention, thanks.

rex in linux

I want to use rex on Linux, but I always get an empty crash_types.
My example is very simple: using strcpy(buf, input) to cause a stack overflow, which should generate ip_overwrite.
I doubt that the crash state is not an exploit state. This problem has bothered me for a few days; I hope you can help me out.

IndexError: list index out of range

I'm trying to use Rex for a simple exploitable program that I am compiling within the angr-dev docker image:

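#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(void) {
	char buf[32];
	/* reads up to 63 bytes into a 32-byte buffer: the overflow under test */
	fgets(buf, 64, stdin);
	if (1 == 2) { return 0; }
	if (strncmp(buf, "hello there", strlen("hello there"))) { exit(1); }
	return 0;
}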

My script looks something like this:

import archr
import rex
from driller import Driller

tt = archr.targets.LocalTarget(["./a.out"], target_arch='x86_64')
tt.target_arch
d = Driller("./a.out", b"A" * 500, b"\xff" * 65535)
new_inputs = d.drill()
solution = next(iter(new_inputs))
crash = rex.Crash(tt, crash=solution[1])

But when I run this, I get the following stack trace:

(angr) angr@9c390debe342:/mnt$ python3 script.py 
WARNING | 2019-12-23 22:23:00,032 | angr.engines.successors | Exit state has over 256 possible solutions. Likely unconstrained; skipping. <BV64 0 .. file_0_stdin_3e_138_8{UNINITIALIZED} .. file_0_stdin_3d_137_8{UNINITIALIZED} .. file_0_stdin_3c_136_8{UNINITIALIZED} .. file_0_stdin_3b_135_8{UNINITIALIZED} .. file_0_stdin_3a_134_8{UNINITIALIZED} .. file_0_stdin_39_133_8{UNINITIALIZED} .. file_0_stdin_38_132_8{UNINITIALIZED}>
WARNING | 2019-12-23 22:23:02,475 | cle.loader | <_io.BytesIO object at 0x7f3ded7b1f68>: base_addr was specified but the object is not PIC. specify force_rebase=True to override
WARNING | 2019-12-23 22:23:02,543 | cle.loader | <_io.BytesIO object at 0x7f3ded7b1e60>: base_addr was specified but the object is not PIC. specify force_rebase=True to override
WARNING | 2019-12-23 22:23:02,607 | cle.loader | <_io.BytesIO object at 0x7f3ded7b19e8>: base_addr was specified but the object is not PIC. specify force_rebase=True to override
WARNING | 2019-12-23 22:23:02,672 | cle.loader | <_io.BytesIO object at 0x7f3ded7b1990>: base_addr was specified but the object is not PIC. specify force_rebase=True to override
WARNING | 2019-12-23 22:23:07,473 | archr.arsenal.qemu_tracer | setting LD_BIND_NOW=1. This will have an effect on the environment.
Traceback (most recent call last):
  File "script.py", line 12, in <module>
    crash = rex.Crash(tt, crash=solution[1])
  File "/home/angr/.virtualenvs/angr/lib/python3.6/site-packages/rex/crash.py", line 119, in __init__
    self._work(pov_file, format_infos)
  File "/home/angr/.virtualenvs/angr/lib/python3.6/site-packages/rex/crash.py", line 565, in _work
    format_infos=format_infos,
  File "/home/angr/.virtualenvs/angr/lib/python3.6/site-packages/rex/crash.py", line 647, in _trace
    self.state = simgr.crashed[0]
IndexError: list index out of range
(angr) angr@9c390debe342:/mnt$ 

Steps to reproduce can be found here: https://github.com/RickyUlrich/rex-help-me-please
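The traceback above ends at simgr.crashed[0], so the trace finished without a crashed state; note that in the C program any input that does not begin with "hello there" reaches exit(1) and never returns from main. A pre-flight check, added here and not part of the issue or of rex, that keeps only the inputs which kill the target with a fatal signal when run natively, before they are handed to rex.Crash. The names crash_signal, crashing_inputs and DEMO_TARGET are hypothetical, and DEMO_TARGET is a constructed stand-in for ./a.out.

```python
import signal
import subprocess
import sys

# Signals that indicate a memory-safety or similar fault; SIGKILL and SIGTERM
# are deliberately excluded because they usually mean an external kill.
CRASH_SIGNALS = {signal.SIGSEGV, signal.SIGBUS, signal.SIGILL,
                 signal.SIGABRT, signal.SIGFPE}


def crash_signal(argv, data, timeout=10):
    """Run `argv` with `data` on stdin.

    Returns the name of the fatal signal (e.g. "SIGSEGV") if the process
    died from one of CRASH_SIGNALS, otherwise None (clean exit, non-zero
    exit status, timeout, or an unrelated signal).
    """
    try:
        proc = subprocess.run(argv, input=data, timeout=timeout,
                              stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL)
    except subprocess.TimeoutExpired:
        return None
    # On POSIX, a negative return code -N means "terminated by signal N".
    if proc.returncode < 0 and -proc.returncode in CRASH_SIGNALS:
        return signal.Signals(-proc.returncode).name
    return None


def crashing_inputs(argv, candidates, timeout=10):
    """Filter `candidates` (an iterable of bytes) down to real crashes.

    Returns a list of (input, signal_name) pairs in the original order.
    """
    found = []
    for data in candidates:
        name = crash_signal(argv, data, timeout=timeout)
        if name is not None:
            found.append((data, name))
    return found


# Constructed stand-in for the issue's ./a.out: like that program it exits
# with status 1 unless the input starts with "hello there"; past that gate
# it kills itself with SIGSEGV to simulate the crash.
DEMO_TARGET = [sys.executable, "-c", (
    "import os, signal, sys\n"
    "d = sys.stdin.buffer.read()\n"
    "if not d.startswith(b'hello there'):\n"
    "    sys.exit(1)\n"
    "os.kill(os.getpid(), signal.SIGSEGV)\n"
)]

if __name__ == "__main__":
    # Constructed candidates: the first fails the prefix check and exits
    # cleanly with status 1; only the second reaches the fault.
    candidates = [b"A" * 500, b"hello there" + b"A" * 40]
    for data, name in crashing_inputs(DEMO_TARGET, candidates):
        print(name, data[:16])
```

Inputs that come back from this filter are the ones worth passing as the crash argument; an empty result means the candidate set contains no crashing input for the native target.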

AttributeError: module 'sortedcontainers' has no attribute 'SortedKeyList'

Hello, it's me again. So now I ran into another error running test_rex.py

Python version : python 3.7.5
OS : Parrot OS x86

Error :

Traceback (most recent call last):
File "test_explore.py", line 48, in
run_all()
File "test_explore.py", line 34, in run_all
all_functionsf
File "test_explore.py", line 21, in test_write_what_where_shadowstack
crash = rex.Crash(target, inp, rop_cache_path=os.path.join(cache_location, "write_what_where_shadow_stack"))
File "/usr/local/lib/python3.7/dist-packages/rex-0.2-py3.7.egg/rex/crash.py", line 105, in init
File "/usr/local/lib/python3.7/dist-packages/rex-0.2-py3.7.egg/rex/crash.py", line 511, in _initialize
File "/usr/local/lib/python3.7/dist-packages/archr/arsenal/angr_project.py", line 44, in fire
preloader = cle.Loader(the_binary, **preload_kwargs)
File "/usr/local/lib/python3.7/dist-packages/cle/loader.py", line 127, in init
self.initial_load_objects = self._internal_load(main_binary, *preload_libs, preloading=True)
File "/usr/local/lib/python3.7/dist-packages/cle/loader.py", line 646, in _internal_load
main_obj = self._load_object_isolated(main_spec)
File "/usr/local/lib/python3.7/dist-packages/cle/loader.py", line 749, in _load_object_isolated
return backend_cls(full_spec, is_main_bin=self.main_object is None, loader=self, **options)
File "/usr/local/lib/python3.7/dist-packages/cle/backends/cgc/cgc.py", line 28, in init
super(CGC, self).init(stream, *args, **kwargs)
File "/usr/local/lib/python3.7/dist-packages/cle/backends/elf/elf.py", line 33, in init
super(ELF, self).init(binary, **kwargs)
File "/usr/local/lib/python3.7/dist-packages/cle/backends/elf/metaelf.py", line 25, in init
super(MetaELF, self).init(*args, **kwargs)
File "/usr/local/lib/python3.7/dist-packages/cle/backends/init.py", line 96, in init
self.symbols = sortedcontainers.SortedKeyList(key=self._get_symbol_relative_addr)
AttributeError: module 'sortedcontainers' has no attribute 'SortedKeyList'

P.S. Thank you for reading.

KeyError: 'shellphish_qemu/bin'

Hi! I ran the example you provided, but got KeyError: 'shellphish_qemu/bin'. What could be the problem?

In [1]: import rex                                                                                                                                                                                                 

In [2]: crash = rex.Crash("./legit_00003", b"\x00\x0b1\xc1\x00\x0c\xeb\xe4\xf1\xf1\x14\r\rM\r\xf3\x1b\r\r\r~\x7f\x1b\xe3\x0c`_222\r\rM\r\xf3\x1b\r\x7f\x002\x7f~\x7f\xe2\xff\x7f\xff\xff\x8b\xc7\xc9\x83\x8b\x0c\xe
   ...: b\x80\x002\xac\xe2\xff\xff\x00t\x8bt\x8bt_o_\x00t\x8b\xc7\xdd\x83\xc2t~n~~\xac\xe2\xff\xff_k_\x00t\x8b\xc7\xdd\x83\xc2t~n~~\xac\xe2\xff\xff\x00t\x8bt\x8b\xac\xf1\x83\xc2t~c\x00\x00\x00~~\x7f\xe2\xff\xff\
   ...: x00t\x9e\xac\xe2\xf1\xf2@\x83\xc3t")                                                                                                                                                                       
WARNING | 2018-12-20 15:01:41,188 | angr.engines.vex.engine | Executing symbolic code at 0xbaaab04c
WARNING | 2018-12-20 15:01:41,666 | angr.engines.vex.engine | Executing symbolic code at 0xbaaab112
---------------------------------------------------------------------------
KeyError                                  Traceback (most recent call last)
<ipython-input-2-bb2d345df134> in <module>
----> 1 crash = rex.Crash("./legit_00003", b"\x00\x0b1\xc1\x00\x0c\xeb\xe4\xf1\xf1\x14\r\rM\r\xf3\x1b\r\r\r~\x7f\x1b\xe3\x0c`_222\r\rM\r\xf3\x1b\r\x7f\x002\x7f~\x7f\xe2\xff\x7f\xff\xff\x8b\xc7\xc9\x83\x8b\x0c\xeb\x80\x002\xac\xe2\xff\xff\x00t\x8bt\x8bt_o_\x00t\x8b\xc7\xdd\x83\xc2t~n~~\xac\xe2\xff\xff_k_\x00t\x8b\xc7\xdd\x83\xc2t~n~~\xac\xe2\xff\xff\x00t\x8bt\x8b\xac\xf1\x83\xc2t~c\x00\x00\x00~~\x7f\xe2\xff\xff\x00t\x9e\xac\xe2\xf1\xf2@\x83\xc3t")

~/virtenvs/angr/lib/python3.6/site-packages/rex/crash.py in __init__(self, binary, crash, pov_file, aslr, constrained_addrs, crash_state, prev_path, hooks, format_infos, rop_cache_tuple, use_rop, fast_mode, explore_steps, angrop_object, argv, concrete_fs, chroot, rop_cache_path, trace_timeout, input_type, port, use_crash_input, tracer_args, initial_state)
    135             # optimized crash check
    136             if self.os == 'cgc':
--> 137                 if not tracer.QEMURunner(binary, input=self.crash, **tracer_args).crash_mode:
    138                     if not tracer.QEMURunner(binary, input=self.crash, report_bad_args=True, **tracer_args).crash_mode:
    139                         l.warning("input did not cause a crash")

~/virtenvs/angr/lib/python3.6/site-packages/tracer-0.1-py3.6.egg/tracer/qemu_runner.py in __init__(self, binary, input, project, record_trace, record_stdout, record_magic, record_core, seed, memory_limit, bitflip, report_bad_args, use_tiny_core, max_size, qemu, argv, library_path, ld_linux, trace_log_limit, trace_timeout, exec_func)
    142         self.trace_log_limit = trace_log_limit
    143         self.trace_timeout = trace_timeout
--> 144         self.sanity_check()
    145 
    146         l.debug("Accumulating basic block trace...")

~/virtenvs/angr/lib/python3.6/site-packages/tracer-0.1-py3.6.egg/tracer/qemu_runner.py in sanity_check(self)
    172 
    173     def sanity_check(self):
--> 174         self._check_binary()
    175         self._check_qemu_install()
    176 

~/virtenvs/angr/lib/python3.6/site-packages/tracer-0.1-py3.6.egg/tracer/qemu_runner.py in _check_binary(self)
    194 
    195         # try to find the install base
--> 196         self._check_qemu_install()
    197 
    198     def _check_qemu_install(self):

~/virtenvs/angr/lib/python3.6/site-packages/tracer-0.1-py3.6.egg/tracer/qemu_runner.py in _check_qemu_install(self)
    210                 l.warning("Problem accessing forced %s. Using our default %s.", self._trace_source_path, self.trace_source)
    211 
--> 212             self._trace_source_path = shellphish_qemu.qemu_path(self.trace_source)
    213 
    214             if not os.access(self._trace_source_path, os.X_OK):

~/virtenvs/angr/lib/python3.6/site-packages/shellphish_qemu-0.9.10-py3.6.egg/shellphish_qemu/__init__.py in qemu_path(platform)
     10         '%s' % platform,
     11     ):
---> 12         path = os.path.join(qemu_base(), basename)
     13         if os.path.isfile(path):
     14             return path

~/virtenvs/angr/lib/python3.6/site-packages/shellphish_qemu-0.9.10-py3.6.egg/shellphish_qemu/__init__.py in qemu_base()
     17 
     18 def qemu_base():
---> 19     return pkg_resources.resource_filename('shellphish_qemu', 'bin')
     20 
     21 def qemu_list():

~/virtenvs/angr/lib/python3.6/site-packages/pkg_resources/__init__.py in resource_filename(self, package_or_requirement, resource_name)
   1135         """Return a true filesystem path for specified resource"""
   1136         return get_provider(package_or_requirement).get_resource_filename(
-> 1137             self, resource_name
   1138         )
   1139 

~/virtenvs/angr/lib/python3.6/site-packages/pkg_resources/__init__.py in get_resource_filename(self, manager, resource_name)
   1644             for name in eagers:
   1645                 self._extract_resource(manager, self._eager_to_zip(name))
-> 1646         return self._extract_resource(manager, zip_path)
   1647 
   1648     @staticmethod

~/virtenvs/angr/lib/python3.6/site-packages/pkg_resources/__init__.py in _extract_resource(self, manager, zip_path)
   1665             return os.path.dirname(last)
   1666 
-> 1667         timestamp, size = self._get_date_and_size(self.zipinfo[zip_path])
   1668 
   1669         if not WRITE_SUPPORT:

KeyError: 'shellphish_qemu/bin'

ValueError: The 'rex' package was not installed in a way that PackageLoader understands.

Environment

OS: Ubuntu 21.04.4 LTS
python3: 3.8.10

Problem Description

I cloned rex, ran python3 setup.py install --user, and manually installed the following dependencies:

  • povsim (v9.2.1)
  • cle (v9.2.1)
  • claripy (v9.2.1)
  • archer (v9.2.1)
  • ailment (v9.2.1)
  • angr/tracer (master 4fe840c).

I finally got rex to install.

Using /home/aesophor/.local/lib/python3.8/site-packages
Finished processing dependencies for rex==0.2

However, running rex triggers the following exceptions (jinja2?)
I'm not sure what to do next to get rex to run. Here's the error message I got:

/home/aesophor/Code/rex [git::master] [aesophor@aesophor-vm] [13:59]
> python3 tests/test_explore.py
Traceback (most recent call last):
  File "tests/test_explore.py", line 4, in <module>
    import rex
  File "/home/aesophor/.local/lib/python3.8/site-packages/rex/__init__.py", line 2, in <module>
    from rex.crash import Crash, NonCrashingInput
  File "/home/aesophor/.local/lib/python3.8/site-packages/rex/crash.py", line 20, in <module>
    from .exploit import CannotExploit, CannotExplore, ExploitFactory, CGCExploitFactory
  File "/home/aesophor/.local/lib/python3.8/site-packages/rex/exploit/__init__.py", line 4, in <module>
    from .exploit import Exploit, ExploitException
  File "/home/aesophor/.local/lib/python3.8/site-packages/rex/exploit/exploit.py", line 12, in <module>
    from ..scripter import Scripter
  File "/home/aesophor/.local/lib/python3.8/site-packages/rex/scripter/__init__.py", line 10, in <module>
    loader=jinja2.PackageLoader('rex', 'scripter/templates'),
  File "/home/aesophor/.local/lib/python3.8/site-packages/jinja2/loaders.py", line 319, in __init__
    raise ValueError(
ValueError: The 'rex' package was not installed in a way that PackageLoader understands.

Thanks in advance!

angr.exploration_techniques.tracer.TracerDesyncError: BUG! Please investigate the claim in the comment above me

Hello (it's me again!!!). So now I'm getting this error (put what's left of my sanity here). I believe this has something to do with libc.6.so (hope I spelled that right).

Story time:

So I'm used to finding vulnerabilities the "old-fashioned way", where you would stare at a debugger and examine the code flow. However, to make my life simpler, I started researching ways to find vulnerabilities more easily. I always heard of fuzzing, but never for a binary, AFL, or shellphuzz (which, to my knowledge, uses AFL and driller). Now I've spent two days (school got in the way) trying to figure out some errors. Finally got shellphuzz to work. Or so I thought. This error still comes up, and even in rex (not the same exact error, but for the same reason, I believe). I would really like some help on this. THX

P.S. Sorry if I'm giving you all a hard time. Just trying to help if possible, and get used to fuzzing with a variety of tools. I've done my research on you all, and congrats at the DARPA.

P.S.S Thank you for helping me in the past.

The error :

angr.exploration_techniques.tracer.TracerDesyncError: BUG! Please investigate the claim in the comment above me

The FULL Error :

Traceback (most recent call last):
File "/opt/fuzzer/driller/local_callback.py", line 122, in
for new_input in d.drill_generator():
File "/opt/fuzzer/shellphuzz_venv3/lib/python3.7/site-packages/driller/driller_main.py", line 101, in drill_generator
for i in self._drill_input():
File "/opt/fuzzer/shellphuzz_venv3/lib/python3.7/site-packages/driller/driller_main.py", line 141, in _drill_input
simgr.step()
File "/opt/fuzzer/shellphuzz_venv3/lib/python3.7/site-packages/angr/misc/hookset.py", line 75, in call
result = current_hook(self.func.self, *args, **kwargs)
File "/opt/fuzzer/shellphuzz_venv3/lib/python3.7/site-packages/angr/exploration_techniques/driller_core.py", line 39, in step
simgr.step(stash=stash, **kwargs)
File "/opt/fuzzer/shellphuzz_venv3/lib/python3.7/site-packages/angr/misc/hookset.py", line 75, in call
result = current_hook(self.func.self, *args, **kwargs)
File "/opt/fuzzer/shellphuzz_venv3/lib/python3.7/site-packages/angr/exploration_techniques/tracer.py", line 225, in step
return simgr.step(stash=stash, **kwargs)
File "/opt/fuzzer/shellphuzz_venv3/lib/python3.7/site-packages/angr/misc/hookset.py", line 80, in call
return self.func(*args, **kwargs)
File "/opt/fuzzer/shellphuzz_venv3/lib/python3.7/site-packages/angr/sim_manager.py", line 344, in step
successors = self.step_state(state, successor_func=successor_func, **run_args)
File "/opt/fuzzer/shellphuzz_venv3/lib/python3.7/site-packages/angr/misc/hookset.py", line 75, in call
result = current_hook(self.func.self, *args, **kwargs)
File "/opt/fuzzer/shellphuzz_venv3/lib/python3.7/site-packages/angr/exploration_techniques/tracer.py", line 275, in step_state
self._update_state_tracking(succs[0])
File "/opt/fuzzer/shellphuzz_venv3/lib/python3.7/site-packages/angr/exploration_techniques/tracer.py", line 386, in _update_state_tracking
deviating_trace_idx=idx)
angr.exploration_techniques.tracer.TracerDesyncError: BUG! Please investigate the claim in the comment above me
(b'', None)

P.S. I am running this in a Python3 virtual environment

'module' object has no attribute 'Tracer'

Hi, I ran rex and met the problem below:

#---------------------------------------------------------------------------------------

crash=rex.Crash('./test','a'*1024)
Traceback (most recent call last):
File "", line 1, in
File "/usr/local/lib/python2.7/dist-packages/rex/crash.py", line 108, in init
self._tracer = tracer.Tracer(binary, input=self.crash, pov_file=self.pov_file, resiliency=False,
AttributeError: 'module' object has no attribute 'Tracer'

#---------------------------------------------------------------------------------------
I installed tracer according to 2 methods:

Maybe something wrong in rex/rex/crash.py

After installation (everything is up to date) I ran the test case and got the following error.

crash = rex.Crash("./legit_00003", "\x00\x0b1\xc1\x00\x0c\xeb\xe4\xf1\xf1\x14\r\
   ...: rM\r\xf3\x1b\r\r\r~\x7f\x1b\xe3\x0c`_222\r\rM\r\xf3\x1b\r\x7f\x002\x7f~\x7f\xe2\
   ...: xff\x7f\xff\xff\x8b\xc7\xc9\x83\x8b\x0c\xeb\x80\x002\xac\xe2\xff\xff\x00t\x8bt\x
   ...: 8bt_o_\x00t\x8b\xc7\xdd\x83\xc2t~n~~\xac\xe2\xff\xff_k_\x00t\x8b\xc7\xdd\x83\xc2
   ...: t~n~~\xac\xe2\xff\xff\x00t\x8bt\x8b\xac\xf1\x83\xc2t~c\x00\x00\x00~~\x7f\xe2\xff
   ...: \xff\x00t\x9e\xac\xe2\xf1\xf2@\x83\xc3t")
/home/angr/rex/rex/crash.py in __init__(self, binary, crash, pov_file, aslr, constrained_addrs, crash_state, prev_path, hooks, format_infos, rop_cache_tuple, use_rop, explore_steps, angrop_object)
    101             if self.project.loader.main_object.os == 'cgc':
    102
--> 103                 if not tracer.Runner(binary, input=self.crash).crash_mode:
    104                     if not tracer.Runner(binary, input=self.crash, report_bad_args=True).crash_mode:
    105                         l.warning("input did not cause a crash")

AttributeError: 'module' object has no attribute 'Runner'

FileNotFoundError

Hi, I met a strange file-not-found error when I ran crash.explore(). I got the error message below:

FileNotFoundError: [Errno 2] No such file or directory: '/tmp/archr_local_izpf8ivx/shellphish_qemu/fire': '/tmp/archr_local_izpf8ivx/shellphish_qemu/fire'

I'm confused about this error since I successfully ran the legit_00003 example. My experiment file is attached, and the hex input is shown below:
NRFIN_00078.zip

inp = bytes.fromhex("69cd6e1affffffffff0101010101010101ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff")

I hope to hear from you soon. Thanks!

lazy solves

I'm finding that in many larger examples of crash tracing, having LAZY_SOLVES enabled causes a state explosion. I see inside rex there are add and remove options being fed to tracer.

Suggest one of the following:

  1. Remove LAZY_SOLVES by default in this
  2. Make the add and remove params arguments for rex.Crash init

about legit_00003

Can you please tell me how you implement legit_00003? I cannot find an appropriate example to test rex.

Rex import errors

Rex appears to have archr as a dependency that is not listed in the setup.py.

Python 3.7.3 (default, Mar 26 2019, 21:43:19)
Type 'copyright', 'credits' or 'license' for more information
IPython 7.5.0 -- An enhanced Interactive Python. Type '?' for help.

In [1]: import rex
---------------------------------------------------------------------------
ModuleNotFoundError                       Traceback (most recent call last)
<ipython-input-1-2d2ff60b434a> in <module>
----> 1 import rex

~/Projects/rex/rex/__init__.py in <module>
      1 from rex.vulnerability import Vulnerability
----> 2 from rex.crash import Crash, NonCrashingInput
      3 from rex.exploit import Exploit, CannotExploit, CannotExplore

~/Projects/rex/rex/crash.py in <module>
     13 from angr.storage.file import SimFileStream
     14 from angr.exploration_techniques.tracer import TracingMode
---> 15 import archr
     16 from tracer import TracerPoV, TinyCore
     17

ModuleNotFoundError: No module named 'archr'

In [2]:
Do you really want to exit ([y]/n)? y

After installing archr in the same virtual env, I've run into another import error with a dependency of tracer.

Python 3.7.3 (default, Mar 26 2019, 21:43:19)
Type 'copyright', 'credits' or 'license' for more information
IPython 7.5.0 -- An enhanced Interactive Python. Type '?' for help.

In [1]: import rex
---------------------------------------------------------------------------
ModuleNotFoundError                       Traceback (most recent call last)
<ipython-input-1-2d2ff60b434a> in <module>
----> 1 import rex

~/Projects/rex/rex/__init__.py in <module>
      1 from rex.vulnerability import Vulnerability
----> 2 from rex.crash import Crash, NonCrashingInput
      3 from rex.exploit import Exploit, CannotExploit, CannotExplore

~/Projects/rex/rex/crash.py in <module>
     14 from angr.exploration_techniques.tracer import TracingMode
     15 import archr
---> 16 from tracer import TracerPoV, TinyCore
     17
     18 from .exploit import CannotExploit, CannotExplore, ExploitFactory, CGCExploitFactory

ModuleNotFoundError: No module named 'tracer'

Steps to reproduce:

  1. install angr-dev with ./setup.sh -s -e angr
  2. clone rex and python setup.py install
  3. Try to import rex using python or ipython
  4. Clone and setup archr to get the second issue.

KeyError: <ExternObject Object cle##externs, maps [0x9000000:0x9008000]>

Hello, I got the error when testing. How can I fix this question? Thanks! (Ubuntu 16.04 64bit)

/home/r0mm/.virtualenvs/angr/lib/python3.5/site-packages/shellphish_qemu/bin/shellphish-qemu-linux-i386
---------------------------------------------------------------------------
KeyError                                  Traceback (most recent call last)
<ipython-input-4-351d91301e2f> in <module>
----> 1 c = rex.Crash("./test",b"aaaaaaaaaaaaaaa")

~/.virtualenvs/angr/lib/python3.5/site-packages/rex/crash.py in __init__(self, binary, crash, pov_file, aslr, constrained_addrs, crash_state, prev_path, hooks, format_infos, rop_cache_tuple, use_rop, fast_mode, explore_steps, angrop_object, argv, concrete_fs, chroot, rop_cache_path, trace_timeout, input_type, port, use_crash_input, tracer_args, initial_state)
    231                 ZenPlugin.prep_tracer(s)
    232 
--> 233             simgr.run()
    234 
    235             # if there was no crash we'll have to use the previous path's state

~/.virtualenvs/angr/lib/python3.5/site-packages/angr/sim_manager.py in run(self, stash, n, until, **kwargs)
    258         for _ in (itertools.count() if n is None else range(0, n)):
    259             if not self.complete() and self._stashes[stash]:
--> 260                 self.step(stash=stash, **kwargs)
    261                 if not (until and until(self)):
    262                     continue

~/.virtualenvs/angr/lib/python3.5/site-packages/angr/misc/hookset.py in __call__(self, *args, **kwargs)
     73             current_hook = self.pending.pop()
     74             try:
---> 75                 result = current_hook(self.func.__self__, *args, **kwargs)
     76             finally:
     77                 self.pending.append(current_hook)

~/.virtualenvs/angr/lib/python3.5/site-packages/angr/exploration_techniques/tracer.py in step(self, simgr, stash, **kwargs)
    101     def step(self, simgr, stash='active', **kwargs):
    102         simgr.drop(stash='missed')
--> 103         return simgr.step(stash=stash, **kwargs)
    104 
    105     def step_state(self, simgr, state, **kwargs):

~/.virtualenvs/angr/lib/python3.5/site-packages/angr/misc/hookset.py in __call__(self, *args, **kwargs)
     78             return result
     79         else:
---> 80             return self.func(*args, **kwargs)

~/.virtualenvs/angr/lib/python3.5/site-packages/angr/sim_manager.py in step(self, stash, n, selector_func, step_func, successor_func, until, filter_func, **run_args)
    342 
    343             pre_errored = len(self._errored)
--> 344             successors = self.step_state(state, successor_func=successor_func, **run_args)
    345 
    346             # handle degenerate stepping cases here. desired behavior:

~/.virtualenvs/angr/lib/python3.5/site-packages/angr/misc/hookset.py in __call__(self, *args, **kwargs)
     73             current_hook = self.pending.pop()
     74             try:
---> 75                 result = current_hook(self.func.__self__, *args, **kwargs)
     76             finally:
     77                 self.pending.append(current_hook)

~/.virtualenvs/angr/lib/python3.5/site-packages/angr/exploration_techniques/tracer.py in step_state(self, simgr, state, **kwargs)
    115         # follow the trace
    116         if len(succs) == 1:
--> 117             self._update_state_tracking(succs[0])
    118         elif len(succs) == 0:
    119             raise Exception("All states disappeared!")

~/.virtualenvs/angr/lib/python3.5/site-packages/angr/exploration_techniques/tracer.py in _update_state_tracking(self, state)
    188             if proc.is_continuation:
    189                 orig_addr = self.project.loader.find_symbol(proc.display_name).rebased_addr
--> 190                 orig_trace_addr = orig_addr + self._aslr_slides[self.project.loader.find_object_containing(orig_addr)]
    191                 if 0 <= self._trace[idx + 1] - orig_trace_addr <= 0x10000:
    192                     # this is fine. we do nothing and then next round it'll get handled by the is_hooked(state.history.addr) case

KeyError: <ExternObject Object cle##externs, maps [0x9000000:0x9008000]>

archr.errors.ArchrError: expected 1 core file but found 0

When I test a memcpy file, it has a problem:

WARNING | 2020-04-12 03:12:43,981 | cle.loader | The main binary is a position-independent executable. It is being loaded with a base address of 0x400000.
Traceback (most recent call last):
  File "test.py", line 12, in
    crash = rex.Crash(tg, b"\x61\x62\x63\x64\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61")
  File "/home/angr/angr-dev/rex/rex/crash.py", line 119, in __init__
    self._work(pov_file, format_infos)
  File "/home/angr/angr-dev/rex/rex/crash.py", line 565, in _work
    format_infos=format_infos,
  File "/home/angr/angr-dev/rex/rex/crash.py", line 612, in _trace
    r = self.tracer_bow.fire(testcase=test_case, channel=channel, save_core=save_core)
  File "/home/angr/angr-dev/archr/archr/arsenal/__init__.py", line 58, in fire
    raise ValueError("invalid testcase type %s" % type(testcase))
  File "/usr/lib/python3.6/contextlib.py", line 88, in __exit__
    next(self.gen)
  File "/home/angr/angr-dev/archr/archr/arsenal/qemu_tracer.py", line 100, in fire_context
    raise ArchrError("expected 1 core file but found %d" % len(target_cores))
archr.errors.ArchrError: expected 1 core file but found 0

AttributeError: 'str' object has no attribute 'inject_path'

Hello shellphish, I am getting an error when attempting to crash a program using the crashing input from AFL.

The error is:

AttributeError: 'str' object has no attribute 'inject_path'

Here is the full output:

Traceback (most recent call last):
  File "", line 1, in
  File "/opt/angr-dev/rex/rex/crash.py", line 79, in __init__
    self.tracer_bow = tracer_bow if tracer_bow is not None else archr.arsenal.QEMUTracerBow(self.target)
  File "/opt/angr-dev/archr/archr/arsenal/qemu_tracer.py", line 41, in __init__
    super().__init__(target, **kwargs)
  File "/opt/angr-dev/archr/archr/arsenal/__init__.py", line 23, in __init__
    self.nock()
  File "/opt/angr-dev/archr/archr/arsenal/__init__.py", line 31, in nock
    self.target.inject_path(b, os.path.join(self.target.tmpwd, self.REQUIRED_ARROW))
AttributeError: 'str' object has no attribute 'inject_path'

P.S. Thanks for working on this project.

example

I ran the example you provided, but the first command is wrong:
104 if not tracer.Runner(binary, input=self.crash, report_bad_args=True).crash_mode:
105 l.warning("input did not cause a crash")
--> 106 raise NonCrashingInput
107
108 self._tracer = tracer.Tracer(binary, input=self.crash, pov_file=self.pov_file, resiliency=False,

NonCrashingInput:
Could you please tell me why?

TracerMisfollowError multiple paths

When running rex on an input that I know to cause control of eip, I receive an error about tracer misfollowing. The example binary is a recent IceCTF one (attached). The vulnerability is a use-after-free where a pointer can be overwritten to gain execution.

The command is:

crash = rex.Crash("./drumpf","1\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n4294967295\n3\n2\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n4294967295\n4\n")

drumpf.zip

EDIT: Error is "TracerMisfollowError: program did not behave correctly, expected only one path"

How to use call_shellcode.py

Hello, I ran the test function 'test_linux_stacksmash_64()' in test_rex.py. It successfully generates the exploit script called 'call_shellcode.py'.
But I don't know how to configure the HOST and PORT parameters, or how to run the target program.
I would appreciate it if you could give me a hint.

AngrTracerError: Could not step to the first address of the trace - simgr is empty

I'm doing a test on a compiled CGC binary and REX, well Archr, is not getting the trace working thus preventing a crash from being generated.

My script is as follows. I know that input causes a segfault on the attached binary.

import ipdb
import archr
import rex

def test_palindrome_x86():
    inp = b'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'

    binary = './Palindrome2'

    with archr.targets.LocalTarget([binary], target_arch='i386') as target:
        crash = rex.Crash(target, inp, fast_mode=True, aslr=False)
        if (crash.exploitable):
            print("exploitable")
        else:
            print("unexploitable")
        ipdb.set_trace()

if __name__ == '__main__':
    test_palindrome_x86()

The Traceback of the call is as follows:

ERROR   | 2021-09-22 18:42:11,701 | angr.simos.simos | Resolver at 0x3ffea170 failed to resolve! (multivalued)
Traceback (most recent call last):
  File "/home/gh0s1/test_rex_palindrome.py", line 20, in <module>
    test_palindrome_x86()
  File "/home/gh0s1//test_rex_palindrome.py", line 12, in test_palindrome_x86
    crash = rex.Crash(target, inp, fast_mode=True, aslr=False)
  File "/home/gh0s1/Documents/angr-dev/rex/rex/crash.py", line 621, in __init__
    self._work()
  File "/home/gh0s1/Documents/angr-dev/rex/rex/crash.py", line 1004, in _work
    self.symbolic_trace()
  File "/home/gh0s1/Documents/angr-dev/rex/rex/crash.py", line 438, in symbolic_trace
    simgr.use_technique(self._t)
  File "/home/gh0s1/Documents/angr-dev/angr/angr/sim_manager.py", line 189, in use_technique
    tech.setup(self)
  File "/home/gh0s1/Documents/angr-dev/angr/angr/exploration_techniques/tracer.py", line 269, in setup
    raise AngrTracerError("Could not step to the first address of the trace - simgr is empty")
angr.errors.AngrTracerError: Could not step to the first address of the trace - simgr is empty

I tried to set a breakpoint at that location in archr but haven't been able to figure out why the trace isn't matching.

Thanks in advance

Failed to run + issues installing

Hey,

I made a virtualenv and ran setup.py, and got a few issues related to it failing to install modules from the GitHub links.

After getting those installed I hit an error with the wrong tracer being installed.

I removed that tracer and fixed it by installing the correct tracer.

Now I can import rex but get an error when calling rex.Crash()

script snippet

crash = rex.Crash('./speedrun-004', crashData)
#crash = rex.Crash('/home/user/ws/fuzz_prac/speedrun-004', crashData) # same error
crash = rex.Crash(tt, crashData)

crash

(venv) user:~/ws/fuzz_prac$ python3 rexTest.py 
WARNING | 2021-01-17 21:34:04,131 | cle.loader | <_io.BytesIO object at 0x7f6f21b68360>: base_addr was specified but the object is not PIC. specify force_rebase=True to override
Traceback (most recent call last):
  File "rexTest.py", line 13, in <module>
    crash = rex.Crash(tt, crashData)
  File "/opt/rex/venv/lib/python3.8/site-packages/rex-0.2-py3.8.egg/rex/crash.py", line 105, in __init__
  File "/opt/rex/venv/lib/python3.8/site-packages/rex-0.2-py3.8.egg/rex/crash.py", line 511, in _initialize
  File "/opt/rex/venv/lib/python3.8/site-packages/archr-8.20.9.2-py3.8.egg/archr/arsenal/angr_project.py", line 48, in fire
    _,_,_,self._mem_mapping = self.scout_bow.fire()
  File "/opt/rex/venv/lib/python3.8/site-packages/archr-8.20.9.2-py3.8.egg/archr/arsenal/datascout.py", line 123, in fire
    raise ArchrError("DataScout failed to get argv from the target process.\n"
archr.errors.ArchrError: DataScout failed to get argv from the target process.
stdout: b''
stderr: b''
Exception ignored in: <function Target.__del__ at 0x7f6f23a42c10>
Traceback (most recent call last):
  File "/opt/rex/venv/lib/python3.8/site-packages/archr-8.20.9.2-py3.8.egg/archr/targets/__init__.py", line 177, in __del__
  File "/opt/rex/venv/lib/python3.8/site-packages/archr-8.20.9.2-py3.8.egg/archr/targets/local_target.py", line 53, in remove
  File "/opt/rex/venv/lib/python3.8/site-packages/archr-8.20.9.2-py3.8.egg/archr/targets/__init__.py", line 76, in remove
AttributeError: 'NoneType' object has no attribute 'suppress'
(venv) user:~/ws/fuzz_prac$ python3 rexTest.py 
Traceback (most recent call last):
  File "rexTest.py", line 12, in <module>
    crash = rex.Crash('/home/user/ws/fuzz_prac/speedrun-004', crashData)
  File "/opt/rex/venv/lib/python3.8/site-packages/rex-0.2-py3.8.egg/rex/crash.py", line 78, in __init__
  File "/opt/rex/venv/lib/python3.8/site-packages/archr-8.20.9.2-py3.8.egg/archr/arsenal/qemu_tracer.py", line 43, in __init__
    super().__init__(target, **kwargs)
  File "/opt/rex/venv/lib/python3.8/site-packages/archr-8.20.9.2-py3.8.egg/archr/arsenal/__init__.py", line 20, in __init__
    self.nock()
  File "/opt/rex/venv/lib/python3.8/site-packages/archr-8.20.9.2-py3.8.egg/archr/arsenal/__init__.py", line 28, in nock
    self.target.inject_path(b, os.path.join(self.target.tmpwd, self.REQUIRED_ARROW))
AttributeError: 'str' object has no attribute 'inject_path'

Important to note that I get a very similar error if I try to call Crash using an archr object instead:

script snippet

tt = archr.targets.LocalTarget(['/home/user/ws/fuzz_prac/speedrun-004'])
crash = rex.Crash(tt, crashData)

crash

(venv) user:~/ws/fuzz_prac$ python3 rexTest.py 
WARNING | 2021-01-17 21:40:03,712 | cle.loader | <_io.BytesIO object at 0x7f0712a83360>: base_addr was specified but the object is not PIC. specify force_rebase=True to override
Traceback (most recent call last):
  File "rexTest.py", line 11, in <module>
    crash = rex.Crash(tt, crashData)
  File "/opt/rex/venv/lib/python3.8/site-packages/rex-0.2-py3.8.egg/rex/crash.py", line 105, in __init__
  File "/opt/rex/venv/lib/python3.8/site-packages/rex-0.2-py3.8.egg/rex/crash.py", line 511, in _initialize
  File "/opt/rex/venv/lib/python3.8/site-packages/archr-8.20.9.2-py3.8.egg/archr/arsenal/angr_project.py", line 48, in fire
    _,_,_,self._mem_mapping = self.scout_bow.fire()
  File "/opt/rex/venv/lib/python3.8/site-packages/archr-8.20.9.2-py3.8.egg/archr/arsenal/datascout.py", line 123, in fire
    raise ArchrError("DataScout failed to get argv from the target process.\n"
archr.errors.ArchrError: DataScout failed to get argv from the target process.
stdout: b''
stderr: b''
Exception ignored in: <function Target.__del__ at 0x7f071495dc10>
Traceback (most recent call last):
  File "/opt/rex/venv/lib/python3.8/site-packages/archr-8.20.9.2-py3.8.egg/archr/targets/__init__.py", line 177, in __del__
  File "/opt/rex/venv/lib/python3.8/site-packages/archr-8.20.9.2-py3.8.egg/archr/targets/local_target.py", line 53, in remove
  File "/opt/rex/venv/lib/python3.8/site-packages/archr-8.20.9.2-py3.8.egg/archr/targets/__init__.py", line 76, in remove
AttributeError: 'NoneType' object has no attribute 'suppress'

No module named 'archr.analyzers'

Hi, I met a problem when I import rex in python. I successfully installed rex with pip install ., but I got an error message which is shown below:

>>> import rex
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/yh570/driller/vir/lib/python3.7/site-packages/rex/__init__.py", line 2, in <module>
    from rex.crash import Crash, NonCrashingInput
  File "/home/yh570/driller/vir/lib/python3.7/site-packages/rex/crash.py", line 18, in <module>
    from archr.analyzers.angr_state import SimArchrProcMount
ModuleNotFoundError: No module named 'archr.analyzers'

I checked archr, which is correctly installed, but it looks like it's not the correct package that rex requires. I'm confused about this situation; please give me some advice about this problem. Thank you.

Installation Guide

Getting rex set up is still somewhat rough. Should we add an install guide here or stick with https://github.com/mechaphish/mecha-docs? Either way, it should be linked to in the README.md.

(re: email from @Owlz)

Hey David,

Not a VM specifically for it. I do recall having many-a-issue on it. Two things, the first is the correct (or at least required at the time) order of installing packages to get it to install:

https://github.com/shellphish/shellphish-qemu.git

https://github.com/mechaphish/povsim.git

https://github.com/salls/angrop.git

https://github.com/mechaphish/compilerex.git

https://github.com/shellphish/rex.git

https://github.com/angr/tracer

https://github.com/shellphish/shellphish-afl.git

The second, I have a bash script that will install/compile all of Mechaphish reliably. This would probably be overkill for what you're asking, but you can likely remove unwanted components from the install line and it should still give you a working rex copy. It basically boils down to these two lines (with some bash in-between):

sudo apt-get update
sudo apt-get install -y virtualenvwrapper python2.7-dev build-essential sudo libxml2-dev libxslt1-dev git libffi-dev cmake libreadline-dev libtool debootstrap debian-archive-keyring libglib2.0-dev libpixman-1-dev libpq-dev python-dev libc6:i386 libncurses5:i386 libstdc++6:i386 zlib1g:i386 pkg-config zlib1g-dev libtool libtool-bin wget automake autoconf coreutils bison libacl1-dev qemu-user qemu-kvm socat postgresql-client nasm binutils-multiarch llvm clang

git clone https://github.com/angr/angr-dev.git $MechaPhishDIR

cd $MechaPhishDIR

./setup.sh -p mechaphish -r https://github.com/shellphish -r https://github.com/mechaphish -r https://github.com/salls -D
ana idalink cooldict mulpyplexer monkeyhex superstruct
shellphish-afl shellphish-qemu capstone unicorn peewee
archinfo vex pyvex cle claripy simuvex angr angr-management angr-doc
binaries identifier fidget angrop tracer fuzzer driller
compilerex povsim rex farnsworth patcherex colorguard
common-utils network_poll_creator patch_performance
worker meister ambassador scriba virtual-competition manual-interaction

ImportError: cannot import name 'TracerPoV' from 'tracer'

Was trying to run one of the examples to ensure everything works correctly, and ended up getting this error

Traceback (most recent call last):
  File "test_explore.py", line 6, in
    import rex
  File "", line 259, in load_module
  File "/usr/local/lib/python3.8/dist-packages/rex-0.2-py3.8.egg/rex/__init__.py", line 2, in
  File "", line 259, in load_module
  File "/usr/local/lib/python3.8/dist-packages/rex-0.2-py3.8.egg/rex/crash.py", line 16, in
ImportError: cannot import name 'TracerPoV' from 'tracer' (/usr/local/lib/python3.8/dist-packages/tracer-0.3.2-py3.8.egg/tracer.py)

P.S. Thank you volunteers for working on the angr projects. Hope this lifts some spirits.

`test_rex.test_reconstraining` is failing in CI

Description

Traceback (most recent call last):
  File "/__w/rex/rex/build/src/rex/tests/test_rex.py", line 405, in test_reconstraining
    assert _do_pov_test(x)
AssertionError

Steps to reproduce the bug

Run CI

Environment

CI

Additional context

No response

Should update Sample Code, because of archr?

~/rex/crash.py in __init__(self, target, crash, pov_file, aslr, constrained_addrs, hooks, format_infos, tracer_bow, explore_steps, input_type, port, use_crash_input, checkpoint_path, rop_cache_tuple, use_rop, fast_mode, angrop_object, rop_cache_path, prev_path, crash_state, initial_state)
     84         self.target_port = port
     85         self.crash = crash
---> 86         self.tracer_bow = tracer_bow if tracer_bow is not None else archr.arsenal.QEMUTracerBow(self.target)
     87 
     88         if self.explore_steps > 10:

~/archr/arsenal/qemu_tracer.py in __init__(self, target, timeout, ld_linux, library_path, seed)
     41 
     42     def __init__(self, target, timeout=10, ld_linux=None, library_path=None, seed=None):
---> 43         super().__init__(target)
     44         self.timeout = timeout
     45         self.ld_linux = ld_linux

~/archr/arsenal/__init__.py in __init__(self, target)
     14         """
     15         self.target = target
---> 16         self.nock()
     17 
     18     def nock(self):

~/archr/arsenal/__init__.py in nock(self)
     22         if self.REQUIRED_ARROW:
     23             with arrows.bundle(self.REQUIRED_ARROW) as b:
---> 24                 self.target.inject_path(b, "/tmp/%s" % self.REQUIRED_ARROW)
     25         if self.REQUIRED_BINARY:
     26             with arrows.bundle_binary(self.REQUIRED_BINARY) as b:

AttributeError: 'str' object has no attribute 'inject_path'

Module has no object Tracer

Attempting to triage, I find that I get this error when I run Crash:

In [10]: crash = rex.Crash("./a.out",s.posix.dumps(0))
ROP: 100% ||||||||||||||||||||||||||||||||||||||||||| Time: 0:00:00 309.83  B/s
---------------------------------------------------------------------------
AttributeError                            Traceback (most recent call last)
<ipython-input-10-d5738d6de2e8> in <module>()
----> 1 crash = rex.Crash("./a.out",s.posix.dumps(0))

/home/user/.virtualenvs/angr/local/lib/python2.7/site-packages/rex/crash.pyc in __init__(self, binary, crash, pov_file, aslr, constrained_addrs, crash_state, prev_path, hooks, format_infos, rop_cache_tuple, use_rop, explore_steps, angrop_object)
    106                         raise NonCrashingInput
    107 
--> 108             self._tracer = tracer.Tracer(binary, input=self.crash, pov_file=self.pov_file, resiliency=False,
    109                                          hooks=self.hooks, add_options=add_options, remove_options=remove_options)
    110             ChallRespInfo.prep_tracer(self._tracer, format_infos)

AttributeError: 'module' object has no attribute 'Tracer'

Checking out "tracer" in ipython, I cannot find a "Tracer" method either. The tracer being used appears to be:
~/.virtualenvs/angr/local/lib/python2.7/site-packages/tracer.py

got an unexpected keyword argument 'aslr'

Was attempting to do a basic buffer overflow. Unfortunately, it appears that at crash time rex is requesting aslr from the Tracer exploration technique, and I guess that's not a thing.

In [29]: c = rex.Crash(t, b"2\n" + b"A"*128 + b"\ny\n")
WARNING | 2020-11-24 00:53:00,657 | cle.loader | The main binary is a position-independent executable. It is being loaded with a base address of 0x400000.
---------------------------------------------------------------------------
TypeError                                 Traceback (most recent call last)
<ipython-input-29-9ab3d3b8081b> in <module>
----> 1 c = rex.Crash(t, b"2\n" + b"A"*128 + b"\ny\n")

~/angr-dev/rex/rex/crash.py in __init__(self, target, crash, pov_file, aslr, constrained_addrs, hooks, format_infos, tracer_bow, explore_steps, input_type, port, use_crash_input, checkpoint_path, crash_state, prev_state, rop_cache_tuple, use_rop, fast_mode, angrop_object, rop_cache_path)
    117 
    118         # Work
--> 119         self._work(pov_file, format_infos)
    120 
    121     #

~/angr-dev/rex/rex/crash.py in _work(self, pov_file, format_infos)
    562             self._preconstraining_input_data = None
    563             self._has_preconstrained = False
--> 564             self._trace(pov_file=pov_file,
    565                         format_infos=format_infos,
    566                         )

~/angr-dev/rex/rex/crash.py in _trace(self, pov_file, format_infos)
    634         # since we have already grabbed mapping info through datascoutbow in angr_project_bow, we can assume
    635         # there are no aslr slides
--> 636         self._t = r.tracer_technique(keep_predecessors=2, copy_states=False, mode=TracingMode.Strict, aslr=False)
    637         simgr.use_technique(self._t)
    638         simgr.use_technique(angr.exploration_techniques.Oppologist())

~/angr-dev/archr/archr/arsenal/qemu_tracer.py in tracer_technique(self, **kwargs)
     32 
     33     def tracer_technique(self, **kwargs):
---> 34         return angr.exploration_techniques.Tracer(self.trace, crash_addr=self.crash_address, **kwargs)
     35 
     36 _trace_old_re = re.compile(br'Trace (.*) \[(?P<addr>.*)\].*')

TypeError: __init__() got an unexpected keyword argument 'aslr'

what is archr

import archr failed and I cannot find a suitable package to install. What should I do?

TypeError: 'NoneType' object is not iterable

Version

  • system OS: Ubuntu 14.04.5 LTS 64bit
  • angr: 7.8.8.1
  • rex: 0.2
  • tracer: 0.1

Problem

I recently installed rex via https://github.com/shellphish/rex/issues/5
However, problems occur when using rex
Please help me find a solution...

Typed Commands in iPython

In [1]: import rex
WARNING | 2018-08-08 06:15:44,320 | angr.analyses.disassembly_utils | Your version of capstone does not support MIPS instruction groups.

In [2]: crash = rex.Crash("./test", "A"*200 + "\n")

The binary "test" crashes when I type A*200

Error Message

WARNING | 2018-08-08 06:16:10,453 | angr.exploration_techniques.explorer | Using unicorn with find/avoid conditions that are a lambda (not a number, set, tuple or list)
WARNING | 2018-08-08 06:16:10,453 | angr.exploration_techniques.explorer | Unicorn may step over states that match the condition (find or avoid) without stopping.
---------------------------------------------------------------------------
TypeError                                 Traceback (most recent call last)
<ipython-input-2-f1b0cb84a7af> in <module>()
----> 1 crash = rex.Crash("./test", "A"*200 + "\n")

/home/lsm/angr-dev/angr/lib/python2.7/site-packages/rex/crash.pyc in __init__(self, binary, crash, pov_file, aslr, constrained_addrs, crash_state, prev_path, hooks, format_infos, rop_cache_tuple, use_rop, explore_steps, angrop_object, argv)
    164             s = simgr.one_active
    165             ChallRespInfo.prep_tracer(s, format_infos)
--> 166             ZenPlugin.prep_tracer(s)
    167 
    168             simgr.run()

/home/lsm/angr-dev/angr/lib/python2.7/site-packages/angr/state_plugins/trace_additions.pyc in prep_tracer(state)
    749         # setup the byte dict
    750         byte_dict = zen_plugin.byte_dict
--> 751         for i, b in enumerate(state.cgc.flag_bytes):
    752             var = list(b.variables)[0]
    753             byte_dict[var] = {i}

TypeError: 'NoneType' object is not iterable


Merge povsim functionality into rex

We're hoping to reduce the number of repos included in the integrated angr CI. povsim was identified as a repo to remove as it is not part of the angr project. We should migrate whatever functionality is needed to this repository to eliminate the dependency.

The min and max solution of symbolic memory are equal

symbolic_mem_problem.zip
The uploaded binary will crash with the crash file as input, and the IP will be overwritten with 0x61616161. It is clear that the IP can be controlled at crash time.
When I tried to use rex to auto-exploit this simple vulnerable binary, it could tell "detected ip overwrite vulnerability" successfully. However, when I arrived at crash_state, there was something unexpected, as follows:

memory_control
{2147417936: 120}
self.crash.state.memory.load(2147417936,4)
<BV32 file_/dev/stdin_84_0_0_8 .. file_/dev/stdin_84_1_1_8 .. file_/dev/stdin_84_2_2_8 .. file_/dev/stdin_84_3_3_8>
self.crash.state.memory.load(2147417936,4).symbolic
True
self.crash.state.se.min(self.crash.state.memory.load(2147417936,4))
1633771873
self.crash.state.se.max(self.crash.state.memory.load(2147417936,4))
1633771873

As you can see, the value of memory_control can only be hex(1633771873) == 0x61616161. However, 0x61616161 comes from the input file, which means memory_control should have a large solution range.

32-bit weird epilogue issue

Consider the following:

#include <unistd.h>

int main(int argc, char ** argv)
{
        char foo[8];
        read(0, foo, 512);
}

When compiled with gcc -m32 -fno-stack-protector bp.c, this produces the following for main:

0804840b <main>:
 804840b:       8d 4c 24 04             lea    ecx,[esp+0x4]
 804840f:       83 e4 f0                and    esp,0xfffffff0
 8048412:       ff 71 fc                push   DWORD PTR [ecx-0x4]
 8048415:       55                      push   ebp
 8048416:       89 e5                   mov    ebp,esp
 8048418:       51                      push   ecx
 8048419:       83 ec 14                sub    esp,0x14
 804841c:       83 ec 04                sub    esp,0x4
 804841f:       68 00 02 00 00          push   0x200
 8048424:       8d 45 f0                lea    eax,[ebp-0x10]
 8048427:       50                      push   eax
 8048428:       6a 00                   push   0x0
 804842a:       e8 b1 fe ff ff          call   80482e0 <read@plt>
 804842f:       83 c4 10                add    esp,0x10
 8048432:       b8 00 00 00 00          mov    eax,0x0
 8048437:       8b 4d fc                mov    ecx,DWORD PTR [ebp-0x4]
 804843a:       c9                      leave  
 804843b:       8d 61 fc                lea    esp,[ecx-0x4]
 804843e:       c3                      ret    
 804843f:       90                      nop

Currently, we just detect this as a bp_overwrite, but shouldn't it be an ip_overwrite as well?
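
A small taint model of the epilogue quoted in the issue above, added here as an illustration (not code from rex or from the issue's author). The frame addresses, `RET_ADDR`, the sample inputs and the labelling rule in `classify` (including the `sp_from_input` label) are assumptions of this example; it shows that `ret` loads eip from `[ecx-4]`, so the bytes written over the saved ecx decide where eip comes from.

```python
import struct

# Constructed 32-bit frame layout (assumptions of this example, not from the issue).
ESP_ENTRY = 0xFFFFD01C               # esp on entry to main; holds the return address
EBP = (ESP_ENTRY & 0xFFFFFFF0) - 8   # after and esp,-16 / push [ecx-4] / push ebp
BUF_ADDR = EBP - 0x10                # lea eax,[ebp-0x10]: start of foo
RET_ADDR = 0x08048300                # placeholder return address into the caller

# Constructed sample inputs.
SMASH_INPUT = b"A" * 64
# Saved-ecx slot (input offsets 12..15) set to BUF_ADDR + 4, so esp lands on foo.
PIVOT_INPUT = b"BBBB" + b"C" * 8 + struct.pack("<I", BUF_ADDR + 4) + b"DDDD"


class TaintedMemory:
    """Sparse byte memory; every byte remembers which input offset wrote it."""

    def __init__(self):
        self.cells = {}  # address -> (byte value, input offset or None)

    def write32(self, addr, value):
        for i, b in enumerate(struct.pack("<I", value)):
            self.cells[addr + i] = (b, None)

    def write_input(self, addr, data):
        for i, b in enumerate(data):
            self.cells[addr + i] = (b, i)

    def read32(self, addr):
        """Return (value, input offsets); KeyError means the address is unmapped."""
        cells = [self.cells[(addr + i) & 0xFFFFFFFF] for i in range(4)]
        value = struct.unpack("<I", bytes(c[0] for c in cells))[0]
        return value, [c[1] for c in cells if c[1] is not None]


def build_frame(data):
    """Stack contents after read(0, foo, 512) has stored `data` into foo."""
    mem = TaintedMemory()
    mem.write32(ESP_ENTRY, RET_ADDR)         # genuine return address
    mem.write32(EBP, 0)                      # saved ebp (push ebp)
    mem.write32(EBP - 4, ESP_ENTRY + 4)      # saved ecx (push ecx)
    mem.write_input(BUF_ADDR, data[:0x200])  # read() is capped at 0x200 bytes
    return mem


def run_epilogue(mem, ebp=EBP):
    """Model mov ecx,[ebp-4]; leave; lea esp,[ecx-4]; ret with taint tracking."""
    ecx, ecx_src = mem.read32(ebp - 4)       # mov ecx,DWORD PTR [ebp-0x4]
    new_ebp, ebp_src = mem.read32(ebp)       # leave: esp = ebp; pop ebp
    esp = (ecx - 4) & 0xFFFFFFFF             # lea esp,[ecx-0x4]
    report = {"ebp": (new_ebp, ebp_src), "esp": (esp, ecx_src),
              "eip": None, "fault": None}
    try:
        report["eip"] = mem.read32(esp)      # ret: pop eip from [esp]
    except KeyError:
        report["fault"] = "ret: read from unmapped 0x%08x" % esp
    return report


def classify(report):
    """Label the outcome by which registers received input bytes (example rule)."""
    labels = set()
    if report["ebp"][1]:
        labels.add("bp_overwrite")
    if report["esp"][1]:
        labels.add("sp_from_input")
    if report["eip"] is not None and report["eip"][1]:
        labels.add("ip_overwrite")
    return labels


if __name__ == "__main__":
    for name, data in (("benign", b"hi\n"), ("smash", SMASH_INPUT),
                       ("pivot", PIVOT_INPUT)):
        rep = run_epilogue(build_frame(data))
        print(name, sorted(classify(rep)), rep["fault"])
```

In this model a plain filler overflow faults at `ret` with only ebp and esp input-derived, while eip becomes input-derived only when the saved-ecx bytes point at memory whose contents also come from the input.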

FileNotFoundError

When I tried to run the test_rex.py script I got the problem "FileNotFoundError: [Errno 2] No such file or directory: '/home/ysg/WorkSpace/AEG/rex/tests/../../binaries/tests/i386/arbitrary_transmit'". Can you provide the test binary file?

error when ran the sample code

In [1]: import rex                                                                                                                                                                       

In [2]: crash = rex.Crash("./legit_00003", b"\x00\x0b1\xc1\x00\x0c\xeb\xe4\xf1\xf1\x14\r\rM\r\xf3\x1b\r\r\r~\x7f\x1b\xe3\x0c`_222\r\rM\r\xf3\x1b\r\x7f\x002\x7f~\x7f\xe2\xff\x7f\xff\xff\
   ...: x8b\xc7\xc9\x83\x8b\x0c\xeb\x80\x002\xac\xe2\xff\xff\x00t\x8bt\x8bt_o_\x00t\x8b\xc7\xdd\x83\xc2t~n~~\xac\xe2\xff\xff_k_\x00t\x8b\xc7\xdd\x83\xc2t~n~~\xac\xe2\xff\xff\x00t\x8bt\x
   ...: 8b\xac\xf1\x83\xc2t~c\x00\x00\x00~~\x7f\xe2\xff\xff\x00t\x9e\xac\xe2\xf1\xf2@\x83\xc3t")                                                                                         
Traceback (most recent call last):
  File "<string>", line 1, in <module>
ImportError: No module named shellphish_qemu
ldd: /bin: not regular file
ldd: /boot: not regular file
ldd: /cdrom: not regular file
ldd: /dev: not regular file
ldd: /etc: not regular file
ldd: /home: not regular file
ldd: /lib: not regular file
ldd: /lib32: not regular file
ldd: /lib64: not regular file
ldd: /libx32: not regular file
ldd: /lost+found: not regular file
ldd: /media: not regular file
ldd: /mnt: not regular file
ldd: /opt: not regular file
ldd: /proc: not regular file
ldd: /root: not regular file
ldd: /run: not regular file
ldd: /sbin: not regular file
ldd: /snap: not regular file
ldd: /srv: not regular file
ldd: /sys: not regular file
ldd: /tmp: not regular file
ldd: /usr: not regular file
ldd: /var: not regular file
ldd: /shellphish-qemu-cgc-base: No such file or directory
cp: omitting directory '/bin'
cp: omitting directory '/boot'
cp: omitting directory '/cdrom'
cp: omitting directory '/dev'
cp: omitting directory '/etc'
cp: omitting directory '/home'
cp: omitting directory '/lib'
cp: omitting directory '/lib32'
cp: omitting directory '/lib64'
cp: omitting directory '/libx32'
cp: omitting directory '/lost+found'
cp: omitting directory '/media'
cp: omitting directory '/mnt'
cp: omitting directory '/opt'
cp: omitting directory '/proc'
cp: omitting directory '/root'
cp: omitting directory '/run'
cp: omitting directory '/sbin'
cp: omitting directory '/snap'
cp: omitting directory '/srv'
cp: omitting directory '/sys'
cp: omitting directory '/tmp'
cp: omitting directory '/usr'
cp: omitting directory '/var'
---------------------------------------------------------------------------
AttributeError                            Traceback (most recent call last)
<ipython-input-2-bb2d345df134> in <module>
----> 1 crash = rex.Crash("./legit_00003", b"\x00\x0b1\xc1\x00\x0c\xeb\xe4\xf1\xf1\x14\r\rM\r\xf3\x1b\r\r\r~\x7f\x1b\xe3\x0c`_222\r\rM\r\xf3\x1b\r\x7f\x002\x7f~\x7f\xe2\xff\x7f\xff\xff\x8b\xc7\xc9\x83\x8b\x0c\xeb\x80\x002\xac\xe2\xff\xff\x00t\x8bt\x8bt_o_\x00t\x8b\xc7\xdd\x83\xc2t~n~~\xac\xe2\xff\xff_k_\x00t\x8b\xc7\xdd\x83\xc2t~n~~\xac\xe2\xff\xff\x00t\x8bt\x8b\xac\xf1\x83\xc2t~c\x00\x00\x00~~\x7f\xe2\xff\xff\x00t\x9e\xac\xe2\xf1\xf2@\x83\xc3t")

~/WorkSpace/AEG/rex/rex/crash.py in __init__(self, target, crash, pov_file, aslr, constrained_addrs, hooks, format_infos, tracer_bow, explore_steps, input_type, port, use_crash_input, checkpoint_path, rop_cache_tuple, use_rop, fast_mode, angrop_object, rop_cache_path, prev_path, crash_state, initial_state)
     84         self.target_port = port
     85         self.crash = crash
---> 86         self.tracer_bow = tracer_bow if tracer_bow is not None else archr.arsenal.QEMUTracerBow(self.target)
     87 
     88         if self.explore_steps > 10:

/usr/local/lib/python3.5/dist-packages/archr-8.18.10.5-py3.5.egg/archr/arsenal/qemu_tracer.py in __init__(self, target, timeout, ld_linux, library_path, seed)
     41 
     42     def __init__(self, target, timeout=10, ld_linux=None, library_path=None, seed=None):
---> 43         super().__init__(target)
     44         self.timeout = timeout
     45         self.ld_linux = ld_linux

/usr/local/lib/python3.5/dist-packages/archr-8.18.10.5-py3.5.egg/archr/arsenal/__init__.py in __init__(self, target)
     14         """
     15         self.target = target
---> 16         self.nock()
     17 
     18     def nock(self):

/usr/local/lib/python3.5/dist-packages/archr-8.18.10.5-py3.5.egg/archr/arsenal/__init__.py in nock(self)
     22         if self.REQUIRED_ARROW:
     23             with arrows.bundle(self.REQUIRED_ARROW) as b:
---> 24                 self.target.inject_path(b, "/tmp/%s" % self.REQUIRED_ARROW)
     25         if self.REQUIRED_BINARY:
     26             with arrows.bundle_binary(self.REQUIRED_BINARY) as b:

AttributeError: 'str' object has no attribute 'inject_path'

I have installed shellphish_qemu with `pip3 install shellphish_qemu`.

Legit_00003 exploit not working

I have been trying to run the example in the README and it behaves as expected until calling test_binary, when it returns False rather than True. If I run the exploit using cb-test, it reports a mismatch in the expected and actual IP and register.

I am using rex v0.2 and angr v7.8.2.1 and have changed the call to tracer_state in crash.py to full_init_state because the former no longer exists. I'm not sure if this was the right thing to do.

Any help you can give would be useful, thanks.

archr.errors.ArchrError: DataScout failed to get argv from the target process.

Hello, I'm getting an error when trying to test this on a simple buffer overflow. The error being:

archr.errors.ArchrError: DataScout failed to get argv from the target process.

The full error being:

WARNING | 2019-10-24 16:33:32,882 | cle.loader | The main binary is a position-independent executable. It is being loaded with a base address of 0x400000.
Traceback (most recent call last):
  File "rex_find_exploit.py", line 7, in <module>
    crash = rex.Crash(target, inp, use_crash_input=True)
  File "/opt/fuzzer/shellphuzz_venv3/lib/python3.7/site-packages/rex/crash.py", line 106, in __init__
    self._initialize(angrop_object, rop_cache_path, checkpoint_path, crash_state, prev_state)
  File "/opt/fuzzer/shellphuzz_venv3/lib/python3.7/site-packages/rex/crash.py", line 512, in _initialize
    self.project = self.angr_project_bow.fire()
  File "/opt/fuzzer/shellphuzz_venv3/lib/python3.7/site-packages/archr/arsenal/angr_project.py", line 48, in fire
    _,_,_,self._mem_mapping = self.scout_bow.fire()
  File "/opt/fuzzer/shellphuzz_venv3/lib/python3.7/site-packages/archr/arsenal/datascout.py", line 122, in fire
    "stdout: %s\nstderr: %s" % (arg_str, stderr))
archr.errors.ArchrError: DataScout failed to get argv from the target process.
stdout: b''
stderr: b''

c_templates dependency

Hey,

Trying to import rex, I get a dependency issue:

In [1]: import rex
---------------------------------------------------------------------------
ImportError                               Traceback (most recent call last)
<ipython-input-1-e841dd4a92c3> in <module>()
----> 1 import rex

/home/user/.virtualenvs/angr/local/lib/python2.7/site-packages/rex/__init__.py in <module>()
      1 from rex.vulnerability import Vulnerability
----> 2 from rex.crash import Crash, QuickCrash, NonCrashingInput
      3 from rex.exploit import Exploit, CannotExploit, CannotExplore

/home/user/.virtualenvs/angr/local/lib/python2.7/site-packages/rex/crash.py in <module>()
     11 import operator
     12 from .trace_additions import ChallRespInfo, ZenPlugin
---> 13 from rex.exploit import CannotExploit, CannotExplore, ExploitFactory, CGCExploitFactory
     14 from rex.vulnerability import Vulnerability
     15 from simuvex import SimMemoryError, s_options as so

/home/user/.virtualenvs/angr/local/lib/python2.7/site-packages/rex/exploit/__init__.py in <module>()
      3 from .shellcode_factory import ShellcodeFactory
      4 from .exploit import Exploit, ExploitException
----> 5 from .exploit_factory import ExploitFactory
      6 from .cgc_exploit_factory import CGCExploitFactory
      7 from .techniques import Techniques

/home/user/.virtualenvs/angr/local/lib/python2.7/site-packages/rex/exploit/exploit_factory.py in <module>()
     58                 l.debug("technique failed: %s", e.message)
     59 
---> 60 from .techniques import Techniques

/home/user/.virtualenvs/angr/local/lib/python2.7/site-packages/rex/exploit/techniques/__init__.py in <module>()
      8 from ..technique import Technique
      9 
---> 10 from .rop_set_register import RopSetRegister
     11 from .shellcode_set_register import ShellcodeSetRegister
     12 from .circumstantial_set_register import CircumstantialSetRegister

/home/user/.virtualenvs/angr/local/lib/python2.7/site-packages/rex/exploit/techniques/rop_set_register.py in <module>()
      4 from rex import Vulnerability
      5 from rex.exploit import CannotExploit
----> 6 from ..cgc import CGCType1RopExploit
      7 from ..technique import Technique
      8 

/home/user/.virtualenvs/angr/local/lib/python2.7/site-packages/rex/exploit/cgc/__init__.py in <module>()
----> 1 from .cgc_type1_exploit import CGCType1Exploit
      2 from .cgc_type2_exploit import CGCType2Exploit
      3 from .cgc_exploit import CGCExploit
      4 from .type1 import CGCType1RopExploit, CGCType1ShellcodeExploit, CGCType1CircumstantialExploit
      5 from .type2 import CGCType2RopExploit, CGCType2ShellcodeExploit

/home/user/.virtualenvs/angr/local/lib/python2.7/site-packages/rex/exploit/cgc/cgc_type1_exploit.py in <module>()
      8 import tempfile
      9 from .cgc_exploit import CGCExploit
---> 10 from .c_templates import c_template_type1
     11 
     12 import logging

ImportError: No module named c_templates

I have no idea where c_templates is.
