multiverse's People

Contributors

baumane, utds3lab

multiverse's Issues

Can't find x86_popgm

Please consider...

chmod 755 x64_popgm x86_popgm x64_populate_gm x86_populate_gm

...and...

ehsmeng@dell7520:/mnt/torture/3pp/multiverse$ git diff x86_runtime.py
diff --git a/x86_runtime.py b/x86_runtime.py
index 28500d1..0d446b8 100644
--- a/x86_runtime.py
+++ b/x86_runtime.py
@@ -1,4 +1,6 @@
 from x86_assembler import _asm,asm
+import os
+import sys
 
 class X86Runtime(object):
   def __init__(self,context):
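Review bot: both stdlib imports are needed by the path change in the next hunk, but they are placed after the local `from x86_assembler import _asm,asm` line; PEP 8 ordering puts `import os` and `import sys` first, ahead of project-local imports, so swapping them keeps the module's imports grouped stdlib-first.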
@@ -262,7 +264,7 @@ class X86Runtime(object):
     ret
     '''
     popgmbytes = asm(call_popgm%(self.context.global_sysinfo+4))
-    with open('x86_%s' % self.context.popgm) as f:
+    with open(os.path.dirname(os.path.realpath(sys.argv[0])) + os.sep + 'x86_%s' % self.context.popgm) as f:
       popgmbytes+=f.read()
     return popgmbytes
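Review bot: `os.path.dirname(os.path.realpath(sys.argv[0]))` resolves the blob relative to whichever script was launched, so the lookup breaks as soon as multiverse is imported from another tool or driven by a different entry script; `os.path.join(os.path.dirname(os.path.abspath(__file__)), 'x86_%s' % self.context.popgm)` anchors it to x86_runtime.py itself regardless of the caller. The file should also be opened with `'rb'`: its contents are raw machine code appended to `popgmbytes`, and text mode would corrupt them on any platform that translates newlines. Note that the traceback quoted below this diff shows an `os.getcwd()` variant of line 266, not the line in this hunk, so that error came from a different edit than the one proposed here.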

...due to...

...
self.context.global_sysinfo = self.context.global_lookup + self.context.popgm_offset + len(self.runtime.get_popgm_code())
File "/mnt/torture/3pp/multiverse/x86_runtime.py", line 266, in get_popgm_code
with open(os.getcwd() + os.sep + 'x86_%s' % self.context.popgm) as f:
IOError: [Errno 2] No such file or directory: '/home/ehsmeng/t/asm1/x86_popgm'

My Ubuntu 18 is confused about 32-bit binaries

Would you please consider this?

ehsmeng@dell7520:/mnt/torture/3pp/multiverse$ git diff x86_assembler.py
diff --git a/x86_assembler.py b/x86_assembler.py
index 3571864..63b8471 100644
--- a/x86_assembler.py
+++ b/x86_assembler.py
@@ -1,5 +1,5 @@
 import pwn
-pwn.context(os='linux',arch='i386')
+pwn.context(os='linux',arch='i386',bits=32)
 import re
 import struct
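Review bot: passing `bits=32` here is redundant: in pwntools, setting `arch='i386'` already selects 32-bit mode and little-endian byte order, so this line leaves `pwn.context` unchanged and cannot by itself fix a 32-bit build problem. The issue does not quote the actual failure; including the assembler or loader error seen on Ubuntu 18 would make it possible to pin down what really goes wrong.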

Must compile with -fno-stack-protector

Hi

When I try to run make on my machine, it gives an error:

gcc -o x86_populate_gm -m32 -Wall -nostdlib -fno-toplevel-reorder -masm=intel -O1 x86_populate_gm.c
/usr/bin/ld: /tmp/ccRO7Xsn.o: in function `_start':
x86_populate_gm.c:(.text+0xba): undefined reference to `__stack_chk_fail_local'
/usr/bin/ld: /tmp/ccRO7Xsn.o: in function `process_maps':
x86_populate_gm.c:(.text+0x286): undefined reference to `__stack_chk_fail_local'
/usr/bin/ld: x86_populate_gm: hidden symbol `__stack_chk_fail_local' isn't defined

My OS is Manjaro 18.1.5
My GCC is GCC 9.2.0

I must add the -fno-stack-protector flag to get it to compile. Is this a common case?

Build/run on Ubuntu20.04

Hi,

I'm able to build multiverse on Ubuntu20.04 in a Docker image with the following Dockerfile:

FROM ubuntu:20.04

SHELL ["/bin/bash", "-c"]

# Install apt packages
# ENV persists across layers; a `RUN export ...` is discarded at the end of its own layer
ENV DEBIAN_FRONTEND=noninteractive
RUN ln -fs /usr/share/zoneinfo/America/New_York /etc/localtime
RUN apt-get -y update && \
    apt-get -y install autoconf build-essential gcc-multilib g++-multilib \
    git curl python-is-python2
# multiverse is Python 2 code, so use the Python 2.7 bootstrap of pip
RUN curl https://bootstrap.pypa.io/pip/2.7/get-pip.py --output get-pip.py
RUN python2 get-pip.py
RUN pip2 install pwntools pyelftools pathlib2

# Clone and build (the capstone fork and ELFManip are expected inside the multiverse tree)
RUN git clone https://github.com/utds3lab/multiverse.git
RUN git clone https://github.com/baumane/capstone.git /multiverse/capstone
RUN git clone https://github.com/schieb/ELFManip.git /multiverse/ELFManip

WORKDIR /multiverse/ELFManip
RUN python setup.py install

WORKDIR /multiverse/capstone
RUN make
WORKDIR /multiverse/capstone/bindings/python
RUN make install

WORKDIR /multiverse
RUN make

however, when I go to run multiverse as specified in the README I get the following error.

root@fcb76c818f7d:/multiverse# ./multiverse.py --execonly --arch x86-64 simplest64
Found .text
Writing ONLY main binary, without support for rewritten .so files
Base address: 0x1000
Generating mapping...
Starting disassembly...
Disassembly 0% complete...
Disassembly 10% complete...
Disassembly 20% complete...
Disassembly 30% complete...
Disassembly 40% complete...
Disassembly 50% complete...
Disassembly 60% complete...
Disassembly 70% complete...
Disassembly 80% complete...
Disassembly 90% complete...
Disassembly 100% complete...
final offset for mapping is: 0xbee
Generating new code...
Starting disassembly...
Disassembly 0% complete...
Disassembly 10% complete...
Disassembly 20% complete...
Disassembly 30% complete...
Disassembly 40% complete...
Disassembly 50% complete...
Disassembly 60% complete...
Disassembly 70% complete...
Disassembly 80% complete...
Disassembly 90% complete...
Disassembly 100% complete...
Traceback (most recent call last):
  File "./multiverse.py", line 317, in <module>
    rewriter.rewrite(args.filename,args.arch)
  File "./multiverse.py", line 192, in rewrite
    newbytes = mapper.gen_newcode(mapping)
  File "/multiverse/brute_force_mapper.py", line 132, in gen_newcode
    newbytes+=self.runtime.get_auxvec_code(mapping[self.entry])
KeyError: 4192
root@fcb76c818f7d:/multiverse#

Is multiverse expected to run on Ubuntu20.04? Can you shed any light as to what is going wrong here?

Thanks!
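One check that narrows down a KeyError like the one above: the 20.04 run reports base 0x1000 and fails on 4192 (0x1060), the shape of a PIE binary whose entry point never appeared in the mapping, while the 16.04 trace further down shows base 0x400000. The script below is an added example, not part of multiverse; it parses the ELF64 header and program headers with only the standard library (no pyelftools) and reports whether a binary is PIE and where its entry point sits. It assumes gcc on Ubuntu 20.04 built simplest64 as PIE by default, which is an inference from the addresses shown, not something the issue confirms.

```python
import struct
import sys

ET_EXEC, ET_DYN = 2, 3   # e_type: fixed-address executable vs. shared object / PIE
PT_LOAD, PF_X = 1, 1     # program header type and flag we care about


def parse_elf64(data):
    """Return (e_type, e_entry, phdrs); phdrs are (p_type, p_flags, p_vaddr, p_memsz)."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not a 64-bit ELF image")
    (e_type, _machine, _version, e_entry, e_phoff, _shoff, _flags, _ehsize,
     e_phentsize, e_phnum, _shentsize, _shnum, _shstrndx) = struct.unpack_from("<HHIQQQIHHHHHH", data, 16)
    phdrs = []
    for i in range(e_phnum):
        p_type, p_flags, _offset, p_vaddr, _paddr, _filesz, p_memsz, _align = \
            struct.unpack_from("<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        phdrs.append((p_type, p_flags, p_vaddr, p_memsz))
    return e_type, e_entry, phdrs


def diagnose_entry(data):
    """Summarise what a rewriter will see: PIE or not, load base, and where the entry lies."""
    e_type, e_entry, phdrs = parse_elf64(data)
    loads = [p for p in phdrs if p[0] == PT_LOAD]
    base = min(p[2] for p in loads) if loads else 0
    in_exec = any(p[1] & PF_X and p[2] <= e_entry < p[2] + p[3] for p in loads)
    return {"pie": e_type == ET_DYN, "entry": e_entry, "base": base,
            "entry_offset": e_entry - base, "entry_in_exec_segment": in_exec}


def build_sample(e_type, e_entry, load_vaddr, load_memsz):
    """Constructed minimal ELF64 image (header + one executable PT_LOAD); not a real binary."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, e_entry, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, load_vaddr, load_vaddr, load_memsz, load_memsz, 0x1000)
    return ehdr + phdr


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:  # constructed PIE sample mirroring the addresses seen in the Ubuntu 20.04 run
        data = build_sample(ET_DYN, 0x1060, 0x1000, 0x1000)
    info = diagnose_entry(data)
    kind = "PIE (ET_DYN)" if info["pie"] else "fixed-address (ET_EXEC)"
    print("%s, base 0x%x, entry 0x%x (base+0x%x), in executable segment: %s"
          % (kind, info["base"], info["entry"], info["entry_offset"], info["entry_in_exec_segment"]))
```

Run it against simplest64 from the Docker image; a PIE result with entry base+0x60 matches the failing run, and rebuilding the sample with -no-pie (base 0x400000, as in the 16.04 trace) is the first thing to compare.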

is the shadow stack implementation available?

I read the paper Superset Disassembly: Statically Rewriting x86 Binaries Without Heuristics, and I found the shadow stack implementation example (mentioned in the security applications section) really interesting. Is this available as open source by any chance? If not, could you please make it available? Thanks so much! It will be really helpful in my research.

P.S.: I am a PhD candidate and security researcher at the University of Kansas.

Insert instruction in the binary

Could this tool insert some instructions, for example nop, at specific addresses without any other unnecessary modification of the binary? Could you show some example code?

I am using capstone-3.0.4 on ubuntu 18.04. After installing all the required tools needed for running multiverse, I got the following message during disassembly.

./multiverse.py --execonly --arch x86-64 simplest64
Found .text
Writing ONLY main binary, without support for rewritten .so files
Base address: 0x0
Generating mapping...
Starting disassembly...
Disassembly 0% complete...
Traceback (most recent call last):
  File "./multiverse.py", line 317, in <module>
    rewriter.rewrite(args.filename,args.arch)
  File "./multiverse.py", line 191, in rewrite
    mapping = mapper.gen_mapping()
  File "/home/adhav/Downloads/multiverse-master/brute_force_mapper.py", line 53, in gen_mapping
    newins = self.translator.translate_one(ins,None) #In this pass, the mapping is incomplete
  File "/home/adhav/Downloads/multiverse-master/x64_translator.py", line 144, in translate_one
    code = asm( '%s %s' % (ins.mnemonic, self.replace_rip(ins,mapping,len(ins.bytes) ) ) )
  File "/home/adhav/Downloads/multiverse-master/x64_translator.py", line 84, in replace_rip
    disp_size = ins._detail.arch.x86.encoding.disp_size
  File "/usr/local/lib/python2.7/dist-packages/capstone/__init__.py", line 675, in __getattr__
    raise AttributeError(name)
AttributeError: _detail

Binary execution goes wrong

When the warning "WARNING elfmanip._update_phdr_entry :: problem finding LOAD segment containing new phdr location" appears during the rewriting procedure, the rewritten binary will not work properly.

Error: operand type mismatch for `pop', when trying to rewrite /usr/bin/true (64-bit)

On rev b90ffd6, the following error is output when running python2 ./multiverse.py /usr/bin/true.

I've uploaded a copy of the true command to https://ufile.io/nyh9c

EDIT: note, the above download link is only valid for 30 days.

Found .text
binary does not contain plt
Writing as main binary
Base address: 0x0
Generating mapping...
Starting disassembly...
Disassembly 0% complete...
[ERROR] There was an error running ['/usr/bin/as', '-64', '-o', '/tmp/pwn-asm-u2XtGd/step2', '/tmp/pwn-asm-u2XtGd/step1']:
    It had the exitcode 1.
    It had this on stdout:
    /tmp/pwn-asm-u2XtGd/step1: Assembler messages:
    /tmp/pwn-asm-u2XtGd/step1:7: Error: operand type mismatch for `pop'
    
[ERROR] An error occurred while assembling:
       1: .section .shellcode,"awx"
       2: .global _start
       3: .global __start
       4: _start:
       5: __start:
       6: .intel_syntax noprefix
       7:     pop eax
    Traceback (most recent call last):
      File "/usr/lib/python2.7/site-packages/pwnlib/asm.py", line 665, in asm
        _run(assembler + ['-o', step2, step1])
      File "/usr/lib/python2.7/site-packages/pwnlib/asm.py", line 383, in _run
        log.error(msg)
      File "/usr/lib/python2.7/site-packages/pwnlib/log.py", line 417, in error
        raise PwnlibException(message % args)
    PwnlibException: There was an error running ['/usr/bin/as', '-64', '-o', '/tmp/pwn-asm-u2XtGd/step2', '/tmp/pwn-asm-u2XtGd/step1']:
    It had the exitcode 1.
    It had this on stdout:
    /tmp/pwn-asm-u2XtGd/step1: Assembler messages:
    /tmp/pwn-asm-u2XtGd/step1:7: Error: operand type mismatch for `pop'
    
Traceback (most recent call last):
  File "./multiverse.py", line 317, in <module>
    rewriter.rewrite(args.filename,args.arch)
  File "./multiverse.py", line 191, in rewrite
    mapping = mapper.gen_mapping()
  File "/home/u/Desktop/go/src/github.com/mewbak/multiverse/brute_force_mapper.py", line 53, in gen_mapping
    newins = self.translator.translate_one(ins,None) #In this pass, the mapping is incomplete
  File "/home/u/Desktop/go/src/github.com/mewbak/multiverse/x86_translator.py", line 24, in translate_one
    return self.translate_ret(ins,mapping)
  File "/home/u/Desktop/go/src/github.com/mewbak/multiverse/x86_translator.py", line 64, in translate_ret
    code = asm(template_before)
  File "/home/u/Desktop/go/src/github.com/mewbak/multiverse/x86_assembler.py", line 119, in asm
    code+=_asm(line)
  File "/home/u/Desktop/go/src/github.com/mewbak/multiverse/x86_assembler.py", line 28, in _asm
    code = pwn.asm(text)
  File "/usr/lib/python2.7/site-packages/pwnlib/context/__init__.py", line 1392, in setter
    return function(*a)
  File "/usr/lib/python2.7/site-packages/pwnlib/asm.py", line 710, in asm
    log.exception("An error occurred while assembling:\n%s" % lines)
  File "/usr/lib/python2.7/site-packages/pwnlib/asm.py", line 665, in asm
    _run(assembler + ['-o', step2, step1])
  File "/usr/lib/python2.7/site-packages/pwnlib/asm.py", line 383, in _run
    log.error(msg)
  File "/usr/lib/python2.7/site-packages/pwnlib/log.py", line 417, in error
    raise PwnlibException(message % args)
pwnlib.exception.PwnlibException: There was an error running ['/usr/bin/as', '-64', '-o', '/tmp/pwn-asm-u2XtGd/step2', '/tmp/pwn-asm-u2XtGd/step1']:
It had the exitcode 1.
It had this on stdout:
/tmp/pwn-asm-u2XtGd/step1: Assembler messages:
/tmp/pwn-asm-u2XtGd/step1:7: Error: operand type mismatch for `pop'

Disassembly error

I am using capstone-3.0.4 and pwn-1.0 (installed with the usual pip) on Ubuntu 16.04.
After installing the series of tools necessary for running multiverse, I got the following message during disassembly.

$ python multiverse.py --execonly --arch x86-64 simplest64
Found .text
Writing ONLY main binary, without support for rewritten .so files
Base address: 0x400000
Generating mapping...
Starting disassembly...
Disassembly 0% complete...
Traceback (most recent call last):
  File "multiverse.py", line 317, in <module>
    rewriter.rewrite(args.filename,args.arch)
  File "multiverse.py", line 191, in rewrite
    mapping = mapper.gen_mapping()
  File "/home/hykoo/multiverse/brute_force_mapper.py", line 53, in gen_mapping
    newins = self.translator.translate_one(ins,None) #In this pass, the mapping is incomplete
  File "/home/hykoo/multiverse/x64_translator.py", line 144, in translate_one
    code = asm( '%s %s' % (ins.mnemonic, self.replace_rip(ins,mapping,len(ins.bytes) ) ) )
  File "/home/hykoo/multiverse/x64_translator.py", line 84, in replace_rip
    disp_size = ins._detail.arch.x86.encoding.disp_size

Thanks for the tool release!