This repository has been archived by the owner on May 1, 2019. It is now read-only.

problem about call driller to do symbolic execution job in shellphuzz #24

Open
JsHuang opened this issue Jan 8, 2018 · 6 comments
JsHuang commented Jan 8, 2018

I'm a little confused about how shellphuzz calls driller; I cannot find anywhere that imports the driller module.

Also, I encountered a problem using shellphuzz to do the drilling job: while testing a simple program, the fuzzer got stuck and drilling began. However, I got the error below:

```
root@ubuntu:/home/jshuang/work/driller-tests/samples# shellphuzz -c 4 -d 4 -w ./afl-work -C   ./simple_over_flow
WARNING | 2018-01-08 00:51:21,524 | angr.analyses.disassembly_utils | Your verison of capstone does not
[*] Drilling...
[*] Creating fuzzer...
WARNING | 2018-01-08 00:51:22,115 | fuzzer.fuzzer | not forced
[*] Starting fuzzer...
['/usr/bin/afl-unix/afl-fuzz', '-i', '-', '-o', './afl-work/simple_over_flow/sync', '-m', '8G', '-Q', ', './simple_over_flow']
['/usr/bin/afl-unix/afl-fuzz', '-i', '-', '-o', './afl-work/simple_over_flow/sync', '-m', '8G', '-Q', 'simple_over_flow']
['/usr/bin/afl-unix/afl-fuzz', '-i', '-', '-o', './afl-work/simple_over_flow/sync', '-m', '8G', '-Q', 'simple_over_flow']
['/usr/bin/afl-unix/afl-fuzz', '-i', '-', '-o', './afl-work/simple_over_flow/sync', '-m', '8G', '-Q', 'simple_over_flow']
[*] Waiting for fuzzer completion (timeout: None, first_crash: True).
WARNING | 2018-01-08 00:52:52,154 | local_callback | Driller stuck callback triggered!
WARNING | 2018-01-08 00:52:52,160 | local_callback | starting drilling of simple_over_flow, id:000000,o
WARNING | 2018-01-08 00:52:54,138 | angr.analyses.disassembly_utils | Your verison of capstone does not
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/driller/local_callback.py", line 5, in <module>
    import driller #pylint:disable=relative-import,unused-import
  File "/usr/local/lib/python2.7/dist-packages/driller/driller.py", line 11, in <module>
    from . import config
ValueError: Attempted relative import in non-package
('', None)
```
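The traceback above shows `driller/local_callback.py` being run as a plain script, so `import driller` resolves to the sibling file `driller/driller.py` instead of the `driller` package, and that file's `from . import config` then has no parent package. The following is an added example (not part of driller or shellphuzz) that reproduces this class of failure with a constructed, similarly shaped throwaway package named `drillerlike` and contrasts it with running the same entry point as a module via `-m`. The package and file names are hypothetical; the mechanism is Python's own import resolution, and the assumption is that the failure on the page has the same shape.

```python
"""Reproduce the 'relative import in non-package' failure class shown in the issue.

Added example, not driller project code. It builds a constructed package that
mirrors the layout in the traceback: a package whose submodule shares the
package name, and an entry script inside the package that does `import <pkg>`.
"""
import os
import subprocess
import sys
import tempfile
import textwrap

# Constructed stand-in for driller/ (hypothetical name).
PKG = "drillerlike"
FILES = {
    "__init__.py": "",
    "config.py": "VALUE = 1\n",
    # Same name as the package, like driller/driller.py.
    f"{PKG}.py": "from . import config\n",
    # Entry point like driller/local_callback.py.
    "local_callback.py": textwrap.dedent(f"""
        import {PKG}
        print("ok")
    """),
}


def make_package(root):
    """Write the constructed package under root and return its directory."""
    pkg_dir = os.path.join(root, PKG)
    os.mkdir(pkg_dir)
    for name, body in FILES.items():
        with open(os.path.join(pkg_dir, name), "w") as f:
            f.write(body)
    return pkg_dir


def run(argv, cwd):
    """Run the current interpreter with argv in cwd; return (rc, combined output)."""
    env = dict(os.environ)
    env["PYTHONSAFEPATH"] = ""  # keep default sys.path[0] behaviour on 3.11+
    proc = subprocess.run([sys.executable] + argv, cwd=cwd, env=env,
                          capture_output=True, text=True)
    return proc.returncode, proc.stdout + proc.stderr


def run_as_script(root):
    """python <pkg>/local_callback.py: sys.path[0] is the package directory itself,
    so `import drillerlike` finds drillerlike.py (the submodule), and its
    `from . import config` has no parent package. This mirrors the traceback."""
    return run([os.path.join(PKG, "local_callback.py")], cwd=root)


def run_as_module(root):
    """python -m <pkg>.local_callback from the parent directory: <pkg> resolves to
    the package, so the relative import inside the submodule would work."""
    return run(["-m", f"{PKG}.local_callback"], cwd=root)


def demo():
    """Return both outcomes so the difference can be inspected or asserted on."""
    with tempfile.TemporaryDirectory() as root:
        make_package(root)
        script_rc, script_out = run_as_script(root)
        module_rc, module_out = run_as_module(root)
    return {"script": (script_rc, script_out), "module": (module_rc, module_out)}


if __name__ == "__main__":
    for mode, (rc, out) in demo().items():
        print(f"--- {mode}: exit {rc}\n{out}")
```

On Python 2.7 the script run fails with `ValueError: Attempted relative import in non-package`; on Python 3 the same layout fails with `ImportError: attempted relative import with no known parent package`. Either way the fix is the same: make sure the installed package (not a file inside its directory) is what gets imported, which is what the docker image setup below achieves.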
zardus (Member) commented Jan 8, 2018

Are you using the docker container (docker pull shellphish/mechaphish; docker run -it shellphish/mechaphish)? If not, please try this inside the docker container. If that works, check out the dockerfile (https://github.com/mechaphish/setup/blob/master/Dockerfile) to see how driller should be installed.

JsHuang (Author) commented Jan 10, 2018

@zardus Thanks, in the container driller works, but it seems driller cannot generate inputs for non-CGC binaries, is that right?

zardus (Member) commented Jan 10, 2018

There are various issues with proper environment modeling in angr that hamper driller's operation on non-CGC binaries. Extremely simple ones should work, but anything that uses some syscall not modeled by angr (or a summarized library function that's incorrectly summarized) will fail.

JsHuang (Author) commented Jan 12, 2018

There is no input testcase parameter in shellphuzz; is the initial input for calling AFL auto-constructed by itself?

kburova commented Dec 4, 2018

> There are various issues with proper environment modeling in angr that hamper driller's operation on non-CGC binaries. Extremely simple ones should work, but anything that uses some syscall not modeled by angr (or a summarized library function that's incorrectly summarized) will fail.

Was the issue with environment modeling in angr resolved? No matter what non-CGC binaries I pass to shellphuzz, it always outputs one or another error happening in angr/exploration_techniques/tracer.py. I was trying it on a super simple 10-line buggy program and on binaries from the LAVA paper.

Thanks.

rhelmot (Member) commented Dec 4, 2018

It is a forever-ongoing problem. We are slowly chipping away at the issues but we are a three-person team, after all.

4 participants