How to use archr - 10 common examples
To help you get started, we’ve selected a few archr examples, based on popular ways it is used in public projects.
Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
angr / archr / archr / arsenal / datascout.py View on Github 
import logging
l = logging.getLogger("archr.arsenal.datascout")
from ..errors import ArchrError
from . import Bow
# Keystone engine 0.9.2 (incorrectly) defaults to radix 16. so we'd better off only using 0x-prefixed integers from now.
# See the related PR: https://github.com/keystone-engine/keystone/pull/382
# and the related issue: https://github.com/keystone-engine/keystone/issues/436
class DataScoutBow(Bow):
"""
Grabs the environment and auxiliary vector from the target.
"""
REQUIRED_ARROW = "shellphish_qemu"
def _encode_bytes(self, s):
def _encode_name(bits):
w = bits // 8 # word size
n = ["0"] + [s[i:i + w].ljust(w, "\0")[::-1].encode('utf-8').hex() for i in range(0, len(s), w)][::-1]
return n
if self.target.target_arch == 'x86_64':
encoded_name = _encode_name(64)
return "".join("mov rax, 0x%s; push rax; " % word for word in encoded_name)def test_entrypoint_false(self):
with archr.targets.DockerImageTarget('archr-test:entrypoint-false').build().start() as t:
p = t.run_command()
p.wait()
assert p.returncode == 1def test_local_hook(self):
# copy out /bin/false, because we can't overwrite it obviously
tf = tempfile.mktemp()
shutil.copy("/bin/false", tf)
with archr.targets.LocalTarget([tf]).build().start() as t:
assert t.run_command().wait() == 1
with t.shellcode_context(asm_code="mov rax, 0x3c; mov rdi, 0x2a; syscall") as p:
assert p.wait() == 42
assert t.run_command().wait() == 1
os.unlink(tf)def test_local_true(self):
with archr.targets.LocalTarget(["/bin/true"]).build().start() as t:
p = t.run_command()
p.wait()
assert p.returncode == 0def test_reconstraining():
# Test our ability to reconstrain
inp = b'3\x89111'+b'0'+b'A'*190+b'1'
path = os.path.join(bin_location, "tests/cgc/PIZZA_00003")
with archr.targets.LocalTarget([path], target_os='cgc') as target:
crash = rex.Crash(target, inp, fast_mode=True, rop_cache_path=os.path.join(cache_location, 'PIZZA_00003'))
ptfi = list(crash.point_to_flag())
nose.tools.assert_true(len(ptfi) >= 2)
# test point to flag #1
cg = colorguard.ColorGuard(path, ptfi[0])
x = cg.attempt_exploit()
nose.tools.assert_not_equal(x, None)
nose.tools.assert_true(_do_pov_test(x))
# test point to flag #2
cg = colorguard.ColorGuard(path, ptfi[1])
x = cg.attempt_exploit()
nose.tools.assert_not_equal(x, None)
nose.tools.assert_true(_do_pov_test(x))def test_cromu71():
inp = b'3&\x1b\x17/\x12\x1b\x1e]]]]]]]]]]]]]]]]]]]]\n\x1e\x7f\xffC^\n'
path = os.path.join(bin_location, "tests/cgc/simplified_CROMU_00071")
# create format info for atoi
format_infos = []
format_infos.append(FormatInfoStrToInt(0x804C500, "based_atoi_signed_10", str_arg_num=0, base=10,
base_arg=None, allows_negative=True))
with archr.targets.LocalTarget([path], target_os='cgc') as target:
crash = rex.Crash(target, inp, fast_mode=True, rop_cache_path=os.path.join(cache_location, 'simplified_CROMU_00071'))
# let's generate some exploits for it
arsenal = crash.exploit(blacklist_techniques={'rop_set_register', 'rop_leak_memory'})
crash.project.loader.close()
# make sure it works
nose.tools.assert_true(_do_pov_test(arsenal.best_type1))def test_write_what_where_shadowstack():
# Test that our write what where exploit can leak, and works in the presence of a shadowstack
inp = b"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
path = os.path.join(bin_location, "tests/cgc/write_what_where_shadow_stack")
with archr.targets.LocalTarget([path], target_os='cgc') as target:
crash = rex.Crash(target, inp, rop_cache_path=os.path.join(cache_location, "write_what_where_shadow_stack"))
arsenal = crash.exploit()
crash.project.loader.close()
exploit = arsenal.best_type2
nose.tools.assert_true(exploit.test_binary())def test_local_crasher(self):
with archr.targets.LocalTarget([os.path.join(os.path.dirname(__file__), "dockers", "crasher", "crasher")]).build().start() as t:
p = t.run_command()
p.wait()
assert p.returncode == -11def test_boolector_solving():
# Test boolector's ability to generate the correct values at pov runtime.
inp = b"A" * 64 * 4
path = os.path.join(bin_location, "tests/cgc/add_payload")
with archr.targets.LocalTarget([path], target_os='cgc') as target:
crash = rex.Crash(target, inp, fast_mode=True, rop_cache_path=os.path.join(cache_location, 'add_payload'))
arsenal = crash.exploit(blacklist_techniques={'rop_leak_memory'})
crash.project.loader.close()
nose.tools.assert_true(len(arsenal.register_setters) >= 3)
nose.tools.assert_true(len(arsenal.leakers) >= 1)
for reg_setter in arsenal.register_setters:
nose.tools.assert_true(_do_pov_test(reg_setter))
for leaker in arsenal.leakers:
nose.tools.assert_true(_do_pov_test(leaker))def test_netcat_network_local():
with archr.targets.LocalTarget("socat tcp-l:1337,reuseaddr exec:cat".split(), tcp_ports=[1337]).build().start() as t:
netcat_checks(t)
Popular archr functions
- archr._angr_available
- archr.arsenal
- archr.arsenal.angrProjectBow
- archr.arsenal.angrStateBow
- archr.arsenal.Bow
- archr.arsenal.ContextBow
- archr.arsenal.DataScoutBow
- archr.arsenal.GDBServerBow
- archr.arsenal.LTraceAttachBow
- archr.arsenal.LTraceBow
- archr.arsenal.MemoryMapBow
- archr.arsenal.NetCatBow
- archr.arsenal.QEMUTracerBow
- archr.arsenal.RRTracerBow
- archr.arsenal.STraceAttachBow
- archr.errors.ArchrError
- archr.targets
- archr.targets.DockerImageTarget
- archr.targets.LocalTarget
- archr.utils.lib_dependencies