allow longer timeout for chain generation
Kyle-Kyle committed Mar 30, 2024
1 parent 05fa3f8 commit 24b9d1d
Showing 1 changed file with 7 additions and 4 deletions.
11 changes: 7 additions & 4 deletions rex/exploit/techniques/ret2libc.py
Expand Up @@ -108,8 +108,9 @@ def _write_cmd_str(self, cmd_str):

# add constraints
l.debug("Applying all the constraints, fingers crossed...")
chain_mem = self.crash.state.memory.load(chain_addr, len(chain.payload_str()))
chain_bvv = self.crash.state.solver.BVV(chain.payload_str())
payload = chain.payload_str(timeout=len(chain._values)*2)
chain_mem = self.crash.state.memory.load(chain_addr, len(payload))
chain_bvv = self.crash.state.solver.BVV(payload)
self.crash.state.add_constraints(chain_mem == chain_bvv)

# windup
Expand All @@ -131,14 +132,16 @@ def _invoke_system(self, system_addr, cmd_addr):

# add the constraint to the state that the chain must exist at the address
chain_mem = self.crash.state.memory.load(chain_addr, chain.payload_len)
self.crash.state.add_constraints(chain_mem == self.crash.state.solver.BVV(chain.payload_str()))
payload = chain.payload_str(timeout=len(chain._values)*2)
self.crash.state.add_constraints(chain_mem == self.crash.state.solver.BVV(payload))
return

# mips does some weird shit, we need to handle it separately
chain = self.libc_rop.set_regs(a0=cmd_addr)
chain, chain_addr = self._ip_overwrite_with_chain(chain, state=self.crash.state, rop=self.libc_rop)
chain_mem = self.crash.state.memory.load(chain_addr, chain.payload_len)
self.crash.state.add_constraints(chain_mem == self.crash.state.solver.BVV(chain.payload_str()))
payload = chain.payload_str(timeout=len(chain._values)*2)
self.crash.state.add_constraints(chain_mem == self.crash.state.solver.BVV(payload))
self._windup_to_unconstrained_successor()

# list all potential JOP gadgets
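Review bot: The solver budget `timeout=len(chain._values)*2` is written out verbatim three times (once in the first hunk and at both sites in this one) and reaches into a private attribute of the angrop chain object, so an upstream rename of `_values` breaks all three exploit paths at once and the meaning of the `*2` is explained nowhere. I would put it behind one private helper on the class, documented with the heuristic it encodes (two units of budget per chain value — presumably seconds, which should be confirmed against `RopChain.payload_str`), and reduce each site to `payload = self._chain_payload(chain)`. Separately, neither call site handles the solver actually exhausting that budget; whether `payload_str` raises or returns something unusable on timeout is not visible here, so that behaviour should be checked and, if it raises, reported with a clearer error than a bare solver exception. Both enclosing methods, `_write_cmd_str` and `_invoke_system`, start outside the hunks shown.
```python
    def _chain_payload(self, chain):
        """Return the concrete bytes of *chain*, giving the solver a budget
        that grows with the chain length (two per chain value).

        ``chain._values`` is a private attribute of the angrop chain; keeping
        the access in one place limits the blast radius if it is renamed.
        """
        # NOTE(review): the timeout unit (seconds?) and the 2-per-value scaling
        # are inherited from the original call sites — confirm against payload_str.
        return chain.payload_str(timeout=len(chain._values) * 2)

        # … unchanged: _invoke_system up to the constraint block …
        payload = self._chain_payload(chain)
```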
