ChrisTheCoolHut / Zeratool

Automatic Exploit Generation (AEG) and remote flag capture for exploitable CTF problems

Repository from Github https://github.com/ChrisTheCoolHut/Zeratool

Can not detect vulnerability caused by gets()

0xdd96 opened this issue

When I test Zeratool on my own bin which includes a bof vulnerability caused by gets(), it cannot detect it.
I am not familiar with symbolic execution. I debug it and find that gets() cannot cause an unconstrained state.
Is there any other way to solve this problem?
The core code is shown below.

.text:080484FD                 public func1
.text:080484FD func1           proc near               ; CODE XREF: main+35↑p
.text:080484FD
.text:080484FD s               = byte ptr -0Ch
.text:080484FD
.text:080484FD                 push    ebp
.text:080484FE                 mov     ebp, esp
.text:08048500                 sub     esp, 18h
.text:08048503                 sub     esp, 0Ch
.text:08048506                 lea     eax, [ebp+s]
.text:08048509                 push    eax             ; s
.text:0804850A                 call    _gets
.text:0804850F                 add     esp, 10h
.text:08048512                 nop
.text:08048513                 leave
.text:08048514                 retn
.text:08048514 func1           endp

You've found a bug in angr! angr/angr#1166

This has been known for a little while, but you're right it's frustrating. So I'll see if I can have gets get hooked with something semantically similar, but gets marked as unconstrained by angr.
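The hook that reply describes, written here as an added example (not Zeratool's or angr's own code): a replacement gets() SimProcedure that stores max_len fully symbolic bytes, plus a helper that computes from the frame layout in the listing above (buffer at ebp-0Ch, 32-bit pointers) how many bytes gets() must write before the saved return address is clobbered. max_len and the function names are assumptions, and angr is imported lazily so the helper works without it installed.

```python
# Added example, not Zeratool's or angr's own code. The hooked gets() ignores
# the stdin file entirely and writes unconstrained symbols, which is exactly
# what lets a symbolic run reach an unconstrained state once the overflow
# reaches func1's retn.


def bytes_to_return_address(buf_offset_from_ebp, ptr_size=4):
    """Bytes gets() must write into a buffer at [ebp - buf_offset_from_ebp]
    before the return address is overwritten: buffer, saved ebp, return addr.
    For the listing above (s = byte ptr -0Ch, 32-bit) this is 0xC + 4 + 4."""
    return buf_offset_from_ebp + 2 * ptr_size


def make_unconstrained_gets(max_len):
    """Build a SimProcedure class that replaces libc gets() (assumed API use)."""
    import angr  # lazy import: the module loads even without angr installed

    class UnconstrainedGets(angr.SimProcedure):
        def run(self, dst):
            data = self.state.solver.BVS("gets_input", 8 * max_len)
            # Real gets() stops at the first newline, so the stored bytes
            # never contain one; keep that part of the semantics.
            for i in range(max_len):
                self.state.solver.add(data.get_byte(i) != 0x0A)
            self.state.memory.store(dst, data)
            # gets() NUL-terminates what it stored.
            self.state.memory.store(dst + max_len, self.state.solver.BVV(0, 8))
            return dst  # gets() returns its argument on success

    return UnconstrainedGets


def find_unconstrained_states(binary_path, max_len):
    """Hook gets() and step the binary until angr parks states whose
    instruction pointer is fully symbolic in the 'unconstrained' stash."""
    import angr
    project = angr.Project(binary_path, auto_load_libs=False)
    project.hook_symbol("gets", make_unconstrained_gets(max_len)())
    state = project.factory.entry_state()
    simgr = project.factory.simgr(state, save_unconstrained=True)
    simgr.run()
    return simgr.unconstrained


if __name__ == "__main__":
    import sys
    # Give the symbolic read some room past the frame from the listing.
    needed = bytes_to_return_address(0x0C) + 64
    found = find_unconstrained_states(sys.argv[1], needed)
    print(f"{len(found)} unconstrained state(s) reached")
```

If the hook is given fewer than bytes_to_return_address(0x0C) bytes, the run finishes with an empty unconstrained stash, which is the symptom the issue reports.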