qiling
run ./addressNat_overflow.sh to crash to generate snapshot.bin
When I am trying to run addressNat_overflow.sh in order to crash and generate snapshot.bin, I get HTTP/1.1 404 Not Found. How can I solve this issue?
/qiling/examples/fuzzing/tenda_ac15$ ./addressNat_overflow.sh
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 80 (#0)
> POST /goform/addressNat HTTP/1.1
> Host: localhost
> User-Agent: curl/7.68.0
> Accept: */*
> Referer: http://localhost:80/samba.html
> Cookie: password=1234
> X-Requested-With: XMLHttpRequest
> Content-Type:application/x-www-form-urlencoded
> Content-Length: 25
>
* upload completely sent off: 25 out of 25 bytes
* Mark bundle as not supporting multiuse
< HTTP/1.1 404 Not Found
< Date: Thu, 16 Dec 2021 13:34:10 GMT
< Server: Apache/2.4.41 (Ubuntu)
< Content-Length: 271
< Content-Type: text/html; charset=iso-8859-1
<
Not Found
The requested URL was not found on this server.
Apache/2.4.41 (Ubuntu) Server at localhost Port 80
* Connection #0 to host localhost left intact
Note that if I used port 8080 it gave me "Connection refused".
/qiling/examples/fuzzing/tenda_ac15$ ./addressNat_overflow.sh
* Trying 127.0.0.1:8080...
* TCP_NODELAY set
* connect to 127.0.0.1 port 8080 failed: Connection refused
* Failed to connect to localhost port 8080: Connection refused
* Closing connection 0
curl: (7) Failed to connect to localhost port 8080: Connection refused
which version of Qiling are you using ?
which version of Qiling are you using ? 1.4.0
?
@KA2010 According to your log, it seems that the http service wasn't up. Also, I guess your qiling version is not up to date.
From your side, you can:
- update the qiling version (pull from dev)
- update unicorn to the latest (`pip3 install -U unicorn==2.0.0rc5`).
Then you may try the example again.
@cq674350529 thanks, I appreciate your reply. I did what you suggested but the issue is still the same.
@KA2010 Can you give some more information? Such as:
- partial output of `git log` in the qiling repository,
- `pip3 list | grep unicorn`,
- the output of `python saver_tendaac15_httpd.py`.
/qiling$ git log
commit bace0ea355338a07d1a9a4555397c03dbf4c7028 (HEAD -> master, origin/dev)
Merge: b79b0e7f 134909fd
Author: Wu ChenXu [email protected]
Date:   Sun Dec 26 17:21:42 2021 +0800

    Merge pull request #1044 from ucgJhe/dev

    qdb: Bug fix

commit 134909fd56cbb64b28a2796ce9fa5f28e3f39ff7
Author: ucgJhe [email protected]
Date:   Thu Dec 16 02:35:21 2021 -0800

    remove redundant operation

commit 2c002d06830113f4afc4f5aa49adf4e9f7caf061
Author: ucgJhe [email protected]
Date:   Thu Dec 16 02:25:48 2021 -0800

    fix #1042

commit a718921ee26011a76b25853f793686ebc5c5c5e3
Author: ucgJhe [email protected]
Date:   Wed Dec 15 22:44:56 2021 -0800
~/qiling$ pip3 list | grep unicorn
/usr/lib/python3/dist-packages/secretstorage/dhcrypto.py:15: CryptographyDeprecationWarning: int_from_bytes is deprecated, use int.from_bytes instead
  from cryptography.utils import int_from_bytes
/usr/lib/python3/dist-packages/secretstorage/util.py:19: CryptographyDeprecationWarning: int_from_bytes is deprecated, use int.from_bytes instead
  from cryptography.utils import int_from_bytes
unicorn 2.0.0rc5
unicornafl 2.0.0
$ python3 saver_tendaac15_httpd.py
[+] 0x776b6308: ioctl(fd = 0x3, cmd = 0x8915, arg = 0x7ff3cd04) = -0x1 (EPERM)
[+] [+] Received Interupt: 2 Hooked Interupt: 2
[+] 0x776b5670: close(fd = 0x3) = 0x0
[+] [+] Received Interupt: 2 Hooked Interupt: 2
[+] 0x776b7d68: rt_sigaction(signum = 0x11, act = 0x0, oldact = 0x7ff3cd14) = 0x0
[+] [+] Received Interupt: 2 Hooked Interupt: 2
[+] 0x776b79d8: rt_sigprocmask(how = 0x0, nset = 0x7ff3cd28, oset = 0x7ff3cd28, sigsetsize = 0x8) = 0x0
[+] [+] Received Interupt: 2 Hooked Interupt: 2
[+] 0x776b6890: nanosleep(req = 0x7ff3cd30, rem = 0x7ff3cd30) = 0x0
[+] [+] Received Interupt: 2 Hooked Interupt: 2
[+] Convert emu_socket_type SOCK_DGRAM:2 to host platform based socket_type SOCK_DGRAM:2
[+] socket(AF_INET, SOCK_DGRAM, 0) = 3
[+] 0x776f1fb4: socket(domain = 0x2, type = 0x2, protocol = 0x0) = 0x3
[+] [+] Received Interupt: 2 Hooked Interupt: 2
[+] 0x776b6308: ioctl(fd = 0x3, cmd = 0x8915, arg = 0x7ff3cd04) = -0x1 (EPERM)
[+] [+] Received Interupt: 2 Hooked Interupt: 2
[+] 0x776b5670: close(fd = 0x3) = 0x0
[+] [+] Received Interupt: 2 Hooked Interupt: 2
[+] 0x776b7d68: rt_sigaction(signum = 0x11, act = 0x0, oldact = 0x7ff3cd14) = 0x0
[+] [+] Received Interupt: 2 Hooked Interupt: 2
[+] 0x776b79d8: rt_sigprocmask(how = 0x0, nset = 0x7ff3cd28, oset = 0x7ff3cd28, sigsetsize = 0x8) = 0x0
[+] [+] Received Interupt: 2 Hooked Interupt: 2
[+] 0x776b6890: nanosleep(req = 0x7ff3cd30, rem = 0x7ff3cd30) = 0x0
[+] [+] Received Interupt: 2 Hooked Interupt: 2
[+] Convert emu_socket_type SOCK_DGRAM:2 to host platform based socket_type SOCK_DGRAM:2
[+] socket(AF_INET, SOCK_DGRAM, 0) = 3
[+] 0x776f1fb4: socket(domain = 0x2, type = 0x2, protocol = 0x0) = 0x3
[+] [+] Received Interupt: 2 Hooked Interupt: 2
[+] 0x776b6308: ioctl(fd = 0x3, cmd = 0x8915, arg = 0x7ff3cd04) = -0x1 (EPERM)
[+] [+] Received Interupt: 2 Hooked Interupt: 2
[+] 0x776b5670: close(fd = 0x3) = 0x0
Note that this is just a piece of the output.
@KA2010 According to the above log, the http service wasn't up because of the failure of `ioctl(fd = 0x3, cmd = 0x8915, arg = 0x7ff3cd04)`, which is used to get the IP address. Since your qiling version is up to date, it should have fixed this issue.
Another suggestion: try to insert `import ipdb; ipdb.set_trace()` before line 83, and debug it to figure out why the following code fails.
https://github.com/qilingframework/qiling/blob/bace0ea355338a07d1a9a4555397c03dbf4c7028/qiling/os/posix/syscall/ioctl.py#L81-L89
Or share your script saver_tendaac15_httpd.py.
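As an added example (not code from this thread or from Qiling itself): a small parser for the syscall trace format Qiling prints, which keeps only the calls that returned an error and names the ioctl request, so a failed SIOCGIFADDR like the one above stands out even when the log is run together on one line. The regex and the ioctl table are my assumptions based on the lines quoted in this thread; the sample trace is constructed from them.

```python
import re

# Qiling's POSIX syscall trace prints one entry per call in the form
#   [+] <pc>: <name>(<arg> = <hex>, ...) = <ret> [(<ERRNO>)]
SYSCALL_RE = re.compile(
    r"\[\+\]\s+(?P<pc>0x[0-9a-fA-F]+):\s+(?P<name>\w+)\((?P<args>.*?)\)\s+=\s+"
    r"(?P<ret>-?0x[0-9a-fA-F]+)(?:\s+\((?P<errno>[A-Z0-9]+)\))?"
)
ARG_RE = re.compile(r"(\w+)\s*=\s*(-?0x[0-9a-fA-F]+)")

# Linux SIOC* request numbers (assumed table); 0x8915 is SIOCGIFADDR, the
# "get interface IPv4 address" request the reply above points at.
IOCTL_NAMES = {0x8913: "SIOCGIFFLAGS", 0x8915: "SIOCGIFADDR",
               0x891B: "SIOCGIFNETMASK", 0x8927: "SIOCGIFHWADDR"}


def parse_trace(text):
    """Return every syscall entry in the trace as a dict (pc, name, args, ret, errno)."""
    entries = []
    for m in SYSCALL_RE.finditer(text):
        args = {k: int(v, 16) for k, v in ARG_RE.findall(m.group("args"))}
        entries.append({"pc": int(m.group("pc"), 16), "name": m.group("name"),
                        "args": args, "ret": int(m.group("ret"), 16),
                        "errno": m.group("errno")})
    return entries


def failed_syscalls(text):
    """Keep only the calls that returned an error; label ioctl requests by name."""
    failures = []
    for e in parse_trace(text):
        if e["ret"] >= 0:
            continue
        if e["name"] == "ioctl":
            e["request"] = IOCTL_NAMES.get(e["args"].get("cmd"), "unknown")
        failures.append(e)
    return failures


# Constructed sample: a fragment of the trace quoted in the thread, run together
# on one line the way the issue page rendered it.
SAMPLE_TRACE = (
    "[+] 0x776f1fb4: socket(domain = 0x2, type = 0x2, protocol = 0x0) = 0x3 "
    "[+] [+] Received Interupt: 2 Hooked Interupt: 2 "
    "[+] 0x776b6308: ioctl(fd = 0x3, cmd = 0x8915, arg = 0x7ff3cd04) = -0x1 (EPERM) "
    "[+] 0x776b5670: close(fd = 0x3) = 0x0 "
)

if __name__ == "__main__":
    for f in failed_syscalls(SAMPLE_TRACE):
        print(f"{f['name']} at {f['pc']:#x} failed with {f['errno']} ({f.get('request', '')})")
```

Pipe the full saver output into it instead of the sample to list every failing call; an EPERM on SIOCGIFADDR before the listen line is the symptom discussed above.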
My script saver_tendaac15_httpd.py is the same as the author's script; I did not change it yet.
Here are the related outputs in my env, and the http service is up. I can't reproduce your problem in my env.
~/qiling/examples/fuzzing/tenda_ac15$ ls
addressNat_overflow.sh fuzz_tendaac15_httpd.py README.md saver_tendaac15_httpd.py
afl_inputs fuzz_tendaac15_httpd.sh rootfs
~/qiling/examples/fuzzing/tenda_ac15$ ls ./rootfs/
bin cfg dev etc etc_ro home init lib mnt proc root sbin sys tmp usr var webroot
~/qiling/examples/fuzzing/tenda_ac15$ python3 saver_tendaac15_httpd.py
init_core_dump 1816: rlim_cur = 0, rlim_max = -1
init_core_dump 1825: open core dump success
sh: can't create /proc/sys/kernel/core_pattern: nonexistent directory
init_core_dump 1834: rlim_cur = 5242880, rlim_max = 5242880
Yes:
****** WeLoveLinux******
Welcome to ...
Traceback (most recent call last):
File "~/qiling/qiling/os/posix/syscall/socket.py", line 99, in ql_syscall_socket
ql.os.fd[idx] = ql_socket.open(socket_domain, socket_type, socket_protocol, (socket.SOL_SOCKET, socket.SO_REUSEADDR, 1))
File "~/qiling/qiling/os/posix/filestruct.py", line 38, in open
s = socket.socket(socket_domain, socket_type, socket_protocol)
File "/usr/lib/python3.8/socket.py", line 231, in __init__
_socket.socket.__init__(self, family, type, proto, fileno)
OSError: [Errno 93] Protocol not supported
create socket fail -1
sh: can't create /etc/httpd.pid: nonexistent directory
sh: can't create /proc/sys/net/ipv4/tcp_timestamps: nonexistent directory
[httpd][debug]----------------------------webs.c,157
httpd listen ip = 127.0.0.1 port = 80
webs: Listening for HTTP requests at address 127.0.0.1
I appreciate your reply. I did not get the same output as yours; maybe the http service isn't up.
Close for now.
We updated the codebase for Qiling and Unicorn since this issue was posted.
Feel free to try the latest version.