针对angr提供的练习题,现在进行求解15_angr_arbitrary_read,它也是关于hook输入的问题,需要使用angr求解出正确密码。但是需要提供排除地址以减少路径求解时间。
具体代码如下所示
import angr
import claripy
import sys
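def main(argv, *, good_job_string_address=0x594e4257, puts_address=0x8048370):
    """Find the two scanf inputs that make the binary pass the "Good Job" string to puts().

    The second input overflows into a pointer that is later handed to puts(); the
    exploration looks for a state at puts() whose pointer argument is symbolic
    (derived from our input) and can be solved to ``good_job_string_address``.

    Args:
        argv: command-line arguments; ``argv[1]`` is the path to the binary.
        good_job_string_address: address of the string puts() must receive.
        puts_address: address at which the puts() call is intercepted.
            Both defaults are the values used on this page and are specific to
            one build of the binary; confirm them against the binary actually
            being analyzed (e.g. in a disassembler) before trusting the result.

    Raises:
        SystemExit: when no binary path was supplied.
        Exception: when exploration finds no state reaching puts() with a
            controllable pointer.
    """
    if len(argv) < 2:
        raise SystemExit('usage: scaffold15.py <path_to_binary>')
    path_to_binary = argv[1]
    project = angr.Project(path_to_binary, auto_load_libs=False)
    initial_state = project.factory.entry_state()

    class ReplacementScanf(angr.SimProcedure):
        """Stand-in for ``__isoc99_scanf`` that writes symbolic values instead of reading stdin."""

        def run(self, format_string, addr0, addr1):
            # First input: a 32-bit integer, left fully unconstrained.
            scanf0 = claripy.BVS('scanf0', 32)
            # Second input: 20 bytes, each restricted to an uppercase letter so the
            # solved value is something a user can actually type.
            scanf1 = claripy.BVS('scanf1', 160)
            for char in scanf1.chop(bits=8):
                self.state.add_constraints(char >= 'A', char <= 'Z')
            # The integer is stored in the architecture's native byte order.
            self.state.memory.store(addr0, scanf0, endness=project.arch.memory_endness)
            # The string is stored in typed order (no endness): storing it with the
            # little-endian arch endness would reverse the 20 bytes in memory, and the
            # value evaluated at the end would then be the reverse of what the program
            # reads when the printed solution is typed in.
            self.state.memory.store(addr1, scanf1)
            # Keep the symbols in globals so they survive to the found state.
            self.state.globals['solution0'] = scanf0
            self.state.globals['solution1'] = scanf1

    scanf_symbol = '__isoc99_scanf'  # :string
    project.hook_symbol(scanf_symbol, ReplacementScanf())

    def check_puts(state):
        """Return True when the puts() pointer argument is symbolic and can equal the target.

        On 32-bit x86 the first argument sits just above the return address at
        esp+4. A concrete pointer cannot be influenced by our input; a symbolic one
        is tested on a copy of the state so an unsatisfiable constraint never taints
        the state exploration continues from.
        """
        puts_parameter = state.memory.load(state.regs.esp + 4, 4, endness=project.arch.memory_endness)
        if not state.solver.symbolic(puts_parameter):
            return False
        is_vulnerable_expression = puts_parameter == good_job_string_address  # :boolean bitvector expression
        copied_state = state.copy()
        copied_state.add_constraints(is_vulnerable_expression)
        if not copied_state.satisfiable():
            return False
        state.add_constraints(is_vulnerable_expression)
        return True

    def is_successful(state):
        """Exploration predicate: success is a state at puts() with a controllable pointer."""
        if state.addr != puts_address:
            # We have not yet found a call to puts; we should continue!
            return False
        return check_puts(state)

    simulation = project.factory.simgr(initial_state)
    simulation.explore(find=is_successful)
    if not simulation.found:
        raise Exception('Could not find the solution')
    solution_state = simulation.found[0]
    solution0 = solution_state.solver.eval(solution_state.globals['solution0'])
    solution1 = solution_state.solver.eval(solution_state.globals['solution1'], cast_to=bytes)
    print('solution are {0},{1}'.format(solution0, solution1))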
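if __name__ == '__main__':
    # Script entry point: argv[1] is the path to the binary under analysis.
    main(sys.argv)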
下面验证实验结果
执行刚刚写好的程序,保存为scaffold15.py,并将其与15_angr_arbitrary_read放于同一文件夹中,具体如下图所示。
再执行15_angr_arbitrary_read,然后需要我们输入angr刚刚求解出的密码,结果如下
然而,参考其他求解代码,他们得到‘Good Job’,而在本人虚拟机中运行,结果均为‘Segmentation fault’,不知什么原因,如果有哪个小伙伴知道,欢迎告知原因。