
Exception: Internal error: cannot translate address

Open likaiam opened this issue 2 years ago • 6 comments

I was using driller to hybrid fuzz sqlite (a database program), but seemingly it cannot be used on database programs and raises Exception("Internal error: cannot translate address"). The following is the stack trace:

```
Drilling input: b"CREATE TABLE v0 ( v1 INTEGER ) ; SELECT v1 FROM v0 WHERE v1 = 'v0' AND ( v1 = 8 OR v1 =9223372036854775808 ) ORDER BY v1 ; SELECT v1, sum ( v1 ) OVER( PARTITION BY v1 ORDER BY v1 ) FROM v0 ; "
WARNING | 2022-12-19 13:43:46,883 | pyvex.lifting.gym.x86_spotter | The generalized AAM instruction is not supported by VEX, and is handled specially by pyvex. It has no flag handling at present. See pyvex/lifting/gym/x86_spotter.py for details
WARNING | 2022-12-19 13:43:47,228 | cle.backends.tls | The provided object has an invalid tls_data_size. Skip TLS loading.
WARNING | 2022-12-19 13:43:49,888 | cle.backends.tls | The provided object has an invalid tls_data_size. Skip TLS loading.
Traceback (most recent call last):
  File "run_driller.py", line 70, in <module>
    main()
  File "run_driller.py", line 56, in main
    for _, new_input in Driller(binary, seed, fuzzer_bitmap).drill_generator():
  File "/home/linuxbrew/anaconda3/envs/driller/lib/python3.8/site-packages/driller/driller_main.py", line 101, in drill_generator
    for i in self._drill_input():
  File "/home/linuxbrew/anaconda3/envs/driller/lib/python3.8/site-packages/driller/driller_main.py", line 143, in _drill_input
    simgr.step()
  File "/home/linuxbrew/anaconda3/envs/driller/lib/python3.8/site-packages/angr/misc/hookset.py", line 90, in __call__
    result = current_hook(self.func.self, *args, **kwargs)
  File "/home/linuxbrew/anaconda3/envs/driller/lib/python3.8/site-packages/angr/exploration_techniques/driller_core.py", line 39, in step
    simgr.step(stash=stash, **kwargs)
  File "/home/linuxbrew/anaconda3/envs/driller/lib/python3.8/site-packages/angr/misc/hookset.py", line 90, in __call__
    result = current_hook(self.func.self, *args, **kwargs)
  File "/home/linuxbrew/anaconda3/envs/driller/lib/python3.8/site-packages/angr/exploration_techniques/tracer.py", line 343, in step
    return simgr.step(stash=stash, syscall_data=self._syscall_data, fd_bytes=self._fd_bytes, **kwargs)
  File "/home/linuxbrew/anaconda3/envs/driller/lib/python3.8/site-packages/angr/misc/hookset.py", line 90, in __call__
    result = current_hook(self.func.self, *args, **kwargs)
  File "/home/linuxbrew/anaconda3/envs/driller/lib/python3.8/site-packages/angr/exploration_techniques/suggestions.py", line 41, in step
    simgr.step(stash=stash, **kwargs)
  File "/home/linuxbrew/anaconda3/envs/driller/lib/python3.8/site-packages/angr/misc/hookset.py", line 95, in __call__
    return self.func(*args, **kwargs)
  File "/home/linuxbrew/anaconda3/envs/driller/lib/python3.8/site-packages/angr/sim_manager.py", line 407, in step
    successors = self.step_state(state, successor_func=successor_func, error_list=error_list, **run_args)
  File "/home/linuxbrew/anaconda3/envs/driller/lib/python3.8/site-packages/angr/misc/hookset.py", line 90, in __call__
    result = current_hook(self.func.self, *args, **kwargs)
  File "/home/linuxbrew/anaconda3/envs/driller/lib/python3.8/site-packages/angr/exploration_techniques/tracer.py", line 406, in step_state
    self._update_state_tracking(succs[0])
  File "/home/linuxbrew/anaconda3/envs/driller/lib/python3.8/site-packages/angr/exploration_techniques/tracer.py", line 574, in _update_state_tracking
    self._sync_return(state, idx)
  File "/home/linuxbrew/anaconda3/envs/driller/lib/python3.8/site-packages/angr/exploration_techniques/tracer.py", line 890, in _sync_return
    return self._sync(state, idx, ret_addr)
  File "/home/linuxbrew/anaconda3/envs/driller/lib/python3.8/site-packages/angr/exploration_techniques/tracer.py", line 893, in _sync
    addr_translated = self._translate_state_addr(addr)
  File "/home/linuxbrew/anaconda3/envs/driller/lib/python3.8/site-packages/angr/exploration_techniques/tracer.py", line 640, in _translate_state_addr
    raise Exception("Internal error: cannot translate address")
Exception: Internal error: cannot translate address
```

likaiam avatar Dec 23 '22 12:12 likaiam

This is the script calling Driller.

```python
import errno
import os
import os.path
import sys
import time

from driller import Driller


def save_input(content, dest_dir, count):
    """Saves a new input to a file where AFL can find it.

    File will be named id:XXXXXX,driller (where XXXXXX is the current value of
    count) and placed in dest_dir.
    """
    name = 'id:%06d,driller' % count
    # drill_generator() yields raw bytes, so the output file is opened in binary mode
    with open(os.path.join(dest_dir, name), 'wb') as destfile:
        destfile.write(content)


def main():
    if len(sys.argv) != 3:
        print('Usage: %s <binary> <fuzzer_output_dir>' % sys.argv[0])
        sys.exit(1)

    _, binary, fuzzer_dir = sys.argv

    # Figure out directories and inputs
    with open(os.path.join(fuzzer_dir, 'fuzz_bitmap'), "rb") as bitmap_file:
        fuzzer_bitmap = bitmap_file.read()
    source_dir = os.path.join(fuzzer_dir, 'queueDrill')
    dest_dir = os.path.join(fuzzer_dir, 'queue')

    # Make sure destination exists
    try:
        os.makedirs(dest_dir)
    except os.error as e:
        if e.errno != errno.EEXIST:
            raise

    seen = set()  # Keeps track of source files already drilled
    count = len(os.listdir(dest_dir))  # Helps us name outputs correctly

    # Repeat forever in case AFL finds something new
    while True:
        # Go through all of the files AFL has generated, but only once each
        for source_name in os.listdir(source_dir):
            if source_name in seen or not source_name.startswith('id:'):
                continue
            seen.add(source_name)
            # Seeds are raw fuzzer input, so read them as bytes (the printed
            # "Drilling input: b'...'" in the trace above comes from this)
            with open(os.path.join(source_dir, source_name), 'rb') as seedfile:
                seed = seedfile.read()

            print('Drilling input: %s' % seed)
            for _, new_input in Driller(binary, seed, fuzzer_bitmap).drill_generator():
                save_input(new_input, dest_dir, count)
                count += 1

            # Try a larger input too because Driller won't do it for you
            seed = seed + b'0000'
            print('Drilling input: %s' % seed)
            for _, new_input in Driller(binary, seed, fuzzer_bitmap).drill_generator():
                save_input(new_input, dest_dir, count)
                count += 1

        time.sleep(10)


if __name__ == '__main__':
    main()
```

likaiam avatar Dec 23 '22 12:12 likaiam
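As an added example (not from this issue or the driller project), here is a pre-flight check for the directory layout the script above assumes: it verifies that AFL has written a `fuzz_bitmap` of the default 64 KiB map size, that the `queueDrill` seed directory exists and holds non-empty `id:*` entries, and reports anything missing before any symbolic execution is started. `make_demo_dir` builds a constructed sample layout in a temporary directory; the `AFL_MAP_SIZE` constant, the `queueDrill` name and the helper names are assumptions for this demo.

```python
import os
import tempfile

AFL_MAP_SIZE = 1 << 16   # default AFL coverage map size in bytes (65536); assumption for this demo


def check_fuzzer_dir(fuzzer_dir, source_subdir='queueDrill'):
    """Check the layout run_driller.py expects under an AFL output directory.

    Returns a dict with the bitmap length, the usable seeds found, and a list
    of human-readable problems (empty when everything the script needs exists).
    """
    problems = []

    # 1. The fuzzer bitmap that Driller uses to decide which edges are new
    bitmap_path = os.path.join(fuzzer_dir, 'fuzz_bitmap')
    bitmap_len = None
    if not os.path.isfile(bitmap_path):
        problems.append('missing fuzz_bitmap (AFL has not written its state yet?)')
    else:
        bitmap_len = os.path.getsize(bitmap_path)
        if bitmap_len != AFL_MAP_SIZE:
            problems.append('fuzz_bitmap is %d bytes, expected %d'
                            % (bitmap_len, AFL_MAP_SIZE))

    # 2. The seed directory; only AFL-style id:* names are drilled by the script
    source_dir = os.path.join(fuzzer_dir, source_subdir)
    seeds = []
    if not os.path.isdir(source_dir):
        problems.append('missing seed directory %s' % source_subdir)
    else:
        for name in sorted(os.listdir(source_dir)):
            if not name.startswith('id:'):
                continue   # skipped by run_driller.py as well
            with open(os.path.join(source_dir, name), 'rb') as f:
                data = f.read()
            if len(data) == 0:
                problems.append('seed %s is empty' % name)
            seeds.append((name, len(data)))
        if not seeds:
            problems.append('no id:* seeds in %s' % source_subdir)

    return {'bitmap_len': bitmap_len, 'seeds': seeds, 'problems': problems}


def make_demo_dir():
    """Build a constructed AFL-style output directory in a temp location."""
    root = tempfile.mkdtemp(prefix='driller-demo-')
    with open(os.path.join(root, 'fuzz_bitmap'), 'wb') as f:
        f.write(b'\xff' * AFL_MAP_SIZE)   # constructed: all edges still unseen
    src = os.path.join(root, 'queueDrill')
    os.makedirs(src)
    with open(os.path.join(src, 'id:000000,orig:seed'), 'wb') as f:
        f.write(b'CREATE TABLE v0 ( v1 INTEGER ) ;')   # constructed seed, SQL like the thread's
    with open(os.path.join(src, 'README.txt'), 'wb') as f:
        f.write(b'not a queue entry')   # ignored, exactly as the script ignores it
    os.makedirs(os.path.join(root, 'queue'))
    return root


if __name__ == '__main__':
    demo = make_demo_dir()
    report = check_fuzzer_dir(demo)
    print('bitmap bytes:', report['bitmap_len'])
    print('seeds:', report['seeds'])
    print('problems:', report['problems'] or 'none')
```

Running the check against the real AFL output directory before starting `run_driller.py` turns a vague crash deep inside angr into a concrete message when the cause is simply a missing or truncated bitmap or an empty seed directory; when it reports no problems, the failure is in the trace or binary itself, which is the direction the maintainer points to below.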

And I also used the docker https://hub.docker.com/r/zjuchenyuan/driller. When I tried to hybrid fuzz Mp3Gain (the example program), it worked. However, when I tried to fuzz sqlite (a database program), it reported the following errors. I don't know whether Driller (angr) can be used on database programs.

likaiam avatar Dec 23 '22 12:12 likaiam

Again,

  • there's nothing special about "database programs" that makes angr unable to fuzz them. there must be something else wrong
  • please attach the exact binary you're analyzing

rhelmot avatar Dec 23 '22 12:12 rhelmot

sqlite3.zip: this is the binary in the zip.

likaiam avatar Dec 23 '22 12:12 likaiam

Expecting a reply. Thank you very much.

likaiam avatar Dec 25 '22 12:12 likaiam

Please be patient. Today is Christmas and nobody is working.

rhelmot avatar Dec 25 '22 18:12 rhelmot