angr: a Python-based binary analysis framework - vulnerability warning - the Black Bar safety net (MyHack58)

2016-12-03T00:00:00
ID MYHACK58:62201681750
Type myhack58
Reporter desword
Modified 2016-12-03T00:00:00

Description

1. Foreword

Let us first look at how this integrated binary-analysis framework performs on CTF problems. The project's git repository lists its solutions to CTF challenges: HackCon 2016 - angry-reverser took 31 min, SecurityFest 2016 took 20 s, and Defcamp CTF Qualification 2015 - Reversing 100 and Reversing 200 were analysed almost entirely automatically, with no manual intervention. Seeing such results, who would not be tempted? It is simply a weapon for CTF binary challenges. Below I introduce this remarkable tool, angr. (Note: this article only demonstrates the effect by example; deeper usage of the tool and analysis of its source code will follow in later updates.)

Finding and exploiting vulnerabilities in binary code is a very challenging job, mainly because it is difficult for a human to see the data structures, control-flow information and so on directly in the binary code. angr is a Python-based binary vulnerability analysis framework that integrates many earlier analysis techniques, making follow-up work easier for security researchers. It can perform dynamic symbolic execution analysis, like KLEE and Mayhem, as well as a variety of static analyses. Recently, papers at many of the top security venues (S&P, USENIX Security, CCS) have used symbolic execution built on this framework; I intend to organize those into a separate topic afterwards, introducing their use and their advantages and disadvantages.

Project GitHub: https://github.com/angr/angr

1. angr's basic workflow

1. Load the binary program into the angr analysis system.
2. Translate the binary into an intermediate representation (IR).
3. Translate the IR into a semantically richer form of expression, one that describes what the program does rather than what it is.
4. Perform further analysis, for example complete or partial static analysis, dependency analysis of program blocks, symbolic execution over the program's state space to explore it and find overflow vulnerabilities, or some combination of the above.

2. angr installation

In theory angr currently supports Linux, Windows and macOS. Support is best on Linux. On Windows the installation is difficult because of the many library dependencies, so installing on Windows is not recommended. On Linux, Ubuntu 14.04 is recommended; versions 16 and 12 show various problems. The first step is to install the dependent libraries, which is usually trouble-free:

sudo apt-get install python-dev libffi-dev build-essential virtualenvwrapper

virtualenvwrapper provides a Python virtual environment. The main reason to use it is that angr modifies libz3 and libVEX; to prevent changes to already-installed libraries from affecting other programs that use them afterwards, a Python virtual environment is a good choice. Next comes the actual installation. First create a new Python virtual environment:

mkvirtualenv angr

Then install with pip:

pip install angr

Some pitfalls:

1. In the new virtual environment, running import angr in Python gave the error ImportError: No module named decorator. Install it directly:

pip install decorator

Some other pitfalls are described in the angr gitbook, which can be downloaded from here. After the installation is complete, enter the Python virtual environment and you can load the angr library:

$ mkvirtualenv angr
(angr) $ python
>>> import angr

Installing on Linux with the angr-dev script

There is an even simpler installation: just pull from GitHub: https://github.com/angr/angr-dev and run the shell script in the root directory; it automatically configures the virtualenv environment and installs the angr libraries:

./setup.sh -i -e angr

Then angr can be started as follows:

$ workon angr
(angr) $ ipython
>>> import angr

macOS

The first step is again the dependent library:

pip install -I --no-use-wheel angr-only-z3-custom

Then install:

pip install angr

Windows

Windows has not been tested, but someone has already collected the relevant information at: https://github.com/Owlz/angr-Windows

3. A simple angr example

This simple example illustrates angr's usage. The sample program is from: https://github.com/angr/angr-doc/tree/master/examples/fauxware. The following is the source code of the vulnerable sample program:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>

char *sneaky = "SOSNEAKY";

int authenticate(char *username, char *password)
{
    char stored_pw[9];
    stored_pw[8] = 0;
    int pwfile;

    // evil back d00r
    if (strcmp(password, sneaky) == 0) return 1;

    // the "username" is used directly as the path of the password file
    pwfile = open(username, O_RDONLY);
    read(pwfile, stored_pw, 8);

    if (strcmp(password, stored_pw) == 0) return 1;
    return 0;
}

int accepted()
{
    printf("Welcome to the admin console, trusted user!\n");
}

int rejected()
{
    printf("Go away!");
    exit(1);
}

int main(int argc, char **argv)
{
    char username[9];
    char password[9];
    int authed;

    username[8] = 0;
    password[8] = 0;

    printf("Username: \n");
    read(0, username, 8);
    read(0, &authed, 1);   // consumes the newline after the username
    printf("Password: \n");
    read(0, password, 8);
    read(0, &authed, 1);   // consumes the newline after the password

    authed = authenticate(username, password);
    // the listing is cut off here in the original; the dispatch on the result
    // is supplied so that the program compiles
    if (authed) accepted();
    else rejected();
    return 0;
}
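The following is an added example, not code from the original article or from the angr project, that runs the four-step workflow from section 1 against the fauxware sample above and then interprets what angr recovers. It assumes angr is installed in the virtual environment set up in section 2 (it uses the current angr API: angr.Project, proj.loader.find_symbol, proj.factory.entry_state, simulation_manager, explore and posix.dumps) and that the path of a compiled fauxware binary is passed on the command line. The helper split_fauxware_stdin and the constants describing the stdin layout are my own: they follow the four read() calls in main() (8 bytes of username, 1 separator byte, 8 bytes of password, 1 separator byte) and compare only up to the first NUL, exactly as strcmp() does, so the unconstrained bytes that symbolic execution leaves behind do not obscure whether the recovered input hit the SOSNEAKY backdoor or a genuine password-file match.

```python
"""
Added example (not from the original article or the angr project): drive angr
through load / lift / explore on the fauxware sample, then interpret the stdin
it recovers using the read() layout of fauxware's main().

Assumes: angr is installed in the virtualenv from the installation section,
and a compiled fauxware binary path is given as the first argument.
"""
import sys

# Backdoor string taken from the sample program's source (char *sneaky).
BACKDOOR = b"SOSNEAKY"

# main() does read(0, username, 8); read(0, &authed, 1);
#             read(0, password, 8); read(0, &authed, 1);
# so the stdin the program consumes is laid out as:
USERNAME_LEN = 8
SEPARATOR_LEN = 1
PASSWORD_LEN = 8
TOTAL_STDIN = USERNAME_LEN + SEPARATOR_LEN + PASSWORD_LEN + SEPARATOR_LEN  # 18


def c_string(buf: bytes) -> bytes:
    """Bytes up to the first NUL, which is all that strcmp() in the sample sees."""
    nul = buf.find(b"\x00")
    return buf if nul < 0 else buf[:nul]


def split_fauxware_stdin(data: bytes) -> dict:
    """Split recovered stdin into the fields main() reads and flag the backdoor.

    Symbolic execution leaves unconstrained bytes as arbitrary values, so each
    field is truncated at its first NUL before comparing, as strcmp() would.
    """
    if len(data) < TOTAL_STDIN:
        raise ValueError(f"need at least {TOTAL_STDIN} bytes of stdin, got {len(data)}")
    username = data[0:USERNAME_LEN]
    pw_start = USERNAME_LEN + SEPARATOR_LEN
    password = data[pw_start:pw_start + PASSWORD_LEN]
    return {
        "username": c_string(username),
        "password": c_string(password),
        "via_backdoor": c_string(password) == BACKDOOR,
    }


def solve_fauxware(binary_path: str) -> bytes:
    """Steps 1-4 of the workflow: load, lift, explore, recover the input.

    angr is imported here (assumed installed) so the helpers above remain
    usable in an environment without it.
    """
    import angr

    # 1. load the binary; auto_load_libs=False keeps the state space small
    proj = angr.Project(binary_path, auto_load_libs=False)

    # fauxware is not stripped, so the success/failure functions have symbols
    accepted = proj.loader.find_symbol("accepted")
    rejected = proj.loader.find_symbol("rejected")
    if accepted is None or rejected is None:
        raise RuntimeError("accepted/rejected symbols not found; is this fauxware?")

    # 2./3. lifting to VEX IR and building the semantic model happen inside
    #       angr as states are stepped from the entry point
    state = proj.factory.entry_state()
    simgr = proj.factory.simulation_manager(state)

    # 4. symbolic exploration of the state space: reach accepted(), prune rejected()
    simgr.explore(find=accepted.rebased_addr, avoid=rejected.rebased_addr)
    if not simgr.found:
        raise RuntimeError("no path into accepted() was found")

    # concretize the stdin (fd 0) that drives execution into accepted()
    return simgr.found[0].posix.dumps(0)


if __name__ == "__main__":
    recovered = solve_fauxware(sys.argv[1])
    print(split_fauxware_stdin(recovered))
```

Run it as python solve_fauxware.py ./fauxware inside the angr virtualenv; the printed dictionary shows whether the path angr found went through the hard-coded backdoor (via_backdoor True) rather than through the password file, which is the finding a reviewer of this binary would want to record.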
