Empty crash log #2

Open
dukecat0 opened this issue Nov 22, 2023 · 15 comments
@dukecat0

Hello,

When I was trying to run the same command in the screenshot in README, I got the following output:

./bin/crashmon ./malloc_abort
0000 [ crashmon - ant4g0nist ] 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
2023-11-22 19:49:29.946 crashmon[39092:129496] timeout: 60
target: malloc_abort
Process pid: 39093
0000 [ Crash Context ] 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000 [ crash saved to ./crashlogs//exploitable_(null)/(null)/f822cddcce657d860890757d89ccd6152e81414c765345d323455cbf3434931f ] 0000000000000000000000000

Besides, the crash log is empty. Are there any possible reasons for this?

@ant4g0nist
Owner

Hey,

Crashmon depends on lisa.py for figuring out exploitability. Did you download lisa.py and manage to load it in lldb?

Please let me know if the issue persists after that.

Cheers,
Chai

@dukecat0
Author

Did you download lisa.py and manage to load it in lldb?

I can confirm that it was loaded in lldb:

$ lldb
(lisa:>) 

However, the crash log is still empty.

@ant4g0nist
Owner

ant4g0nist commented Nov 25, 2023

Sorry for the delay.

The issue was that the lisa.py path was hardcoded, and the lisa.py from the github.com/ant4g0nist/lisa.py repo is a little different from the lisa.py in this repo. The exploitable command is modified in this repo to return its output as JSON to be parsed by crashmon.

This commit should fix this issue.

CW_LISA_PY=~/lisa.py/lisa.py ./bin/crashmon tests/binaries/crashexec

[image: example]

Please try it out and let me know if it works for you.

@dukecat0
Author

dukecat0 commented Nov 25, 2023

After running cp crashmon/lisa.py ~/lisa.py, I think the command should be CW_LISA_PY=~/lisa.py ./bin/crashmon tests/binaries/crashexec instead?

@ant4g0nist
Owner

yes

@dukecat0
Author

dukecat0 commented Nov 25, 2023

Looks like it still doesn't work. I've tried the new instruction on both my local machine and Github Action.

The only evidence I've noticed is this line: [ crash saved to ./crashlogs//exploitable_(null)/(null)/f822cddcce657d860890757d89ccd6152e81414c765345d323455cbf3434931f ].

In the image you provided, it looks like there should be values returned by lisa.py instead of (null)?

@ant4g0nist
Owner

Did you pull in the new changes?

@dukecat0
Author

Yes

@ant4g0nist
Owner

Can you show me output of these:

(lldb) command script import ~/lisa.py
(lldb) target create tests/binaries/crashexec
(lldb) run

and when it crashes in: run

(lldb) exploitable

@dukecat0
Author

The final output is this:

AttributeError: module 'capstone' has no attribute 'CS_ARCH_ARM64'. Did you mean: 'CS_ARCH_ARM'?

I had issues when installing capstone on M1 mac, so I needed to compile from sources and it looks like they replaced CS_ARCH_ARM64 with CS_ARCH_AARCH64 in this commit.

@dukecat0
Author

After modifying lisa.py, it can output this:

(lisa:>) exploitable
crash_code              : EXC_ARM_DA_ALIGN
crash_desc              : Alignment Fault
av_on_branch            : True
av_null_deref           : False
av_badbeef              : False
is_recursion            : False
av_type                 : exec
av_address              : 51515151
stack_suspicious        : False
av_is_exploitable       : True
exploit_reason          : Trying to execute a bad address, this is a potentially exploitable issue
disassembly             : blr   x8 => x8=51515151; 
{"crash_code": "EXC_ARM_DA_ALIGN", "crash_desc": "Alignment Fault", "av_on_branch": "True", "av_null_deref": "False", "av_badbeef": "False", "is_recursion": "False", "av_type": "exec", "av_address": "51515151", "stack_suspicious": "False", "av_is_exploitable": "True", "exploit_reason": "Trying to execute a bad address, this is a potentially exploitable issue", "disassembly": "blr\tx8 => x8=51515151; ", "thread_info": "* thread #1, queue = \u001b[32m'com.apple.main-thread'\u001b[0m, stop reason = \u001b[31mEXC_BAD_ACCESS (code=257, address=0x51515151)\u001b[0m\n  * frame #0: \u001b[33m0x0000000051515151\u001b[0m\n    frame #1: \u001b[33m0x0000000100003f90\u001b[0m crashexec`main + 44\n    frame #2: \u001b[33m0x0000000189f010e0\u001b[0m dyld`start + 2360\n"}

However, the output from crashmon is still empty:

$ CW_LISA_PY=~/lisa.py ./bin/crashmon tests/binaries/crashexec
0000 [ crashmon - ant4g0nist ] 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
2023-11-25 23:56:52.624 crashmon[75646:3588965] timeout: 60
target: crashexec
Process pid: 75647
0000 [ Crash Context ] 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000 [ crash saved to ./crashlogs//exploitable_(null)/(null)/66b5db772d3197842356b65a4392e1d682fd882a1e54b9d7b237e1c48eaabb42 ] 00000000

@ant4g0nist
Owner

That's weird. Cause it's working fine on both my macs. Can you try adding a NSLog(@"_exploitable_json: %@", _exploitable_json); in crashmon.mm after line 511 and recompile and run?

@dukecat0
Author

dukecat0 commented Nov 25, 2023

This is the output:

$ CW_LISA_PY=~/lisa.py ./bin/crashmon tests/binaries/abort
0000 [ crashmon - ant4g0nist ] 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
2023-11-26 00:34:54.007 crashmon[3573:3685731] timeout: 60
target: abort
Process pid: 3588
0000 [ Crash Context ] 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
2023-11-26 00:34:55.069 crashmon[3573:3685731] _exploitable_json: 
0000 [ crash saved to ./crashlogs//exploitable_(null)/(null)/dfe4260cf38c78ac56cbdc245cb0bb3a3592f22b67378ec8a57f15c63f8b7fbf ] 0000000000

I can try to go through the code to see which part may cause the issue tomorrow.

@ant4g0nist
Owner

_exploitable_json is empty. The line before that runs the exploitable command from lisa.py and reads the json printed by the command.

So, issue might be mainly one of these 2:

  • lisa.py is not getting loaded for you some reason inside crashmon
  • exploitable command is failing to run

Sorry, I cannot debug this on my side, as it's working on 2 different macs.
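
The step the owner describes above (crashmon running lisa.py's exploitable command and reading the JSON it prints) is where this thread's empty-log symptom originates, so the following is an added example of that parsing step written defensively: it is not code from crashmon or lisa.py, and it assumes only what the thread shows, namely that exploitable prints human-readable `key : value` lines followed by a single-line JSON object whose booleans are serialised as the strings "True"/"False". The sample outputs are constructed to mirror the three situations in the thread: a good record, an empty result, and a Python exception from capstone.

```python
"""Parse the JSON record printed by lisa.py's `exploitable` command.

Added example, not crashmon's or lisa.py's own code. Assumptions (from the
thread only): the command prints `key : value` lines and then one JSON line;
boolean fields arrive as the strings "True"/"False". Samples are constructed.
"""
import json

# Keys present in the record shown in the thread; used to reject unrelated JSON.
REQUIRED_KEYS = ("crash_code", "av_is_exploitable", "exploit_reason")


def extract_exploitable_json(output):
    """Return the parsed JSON record from `exploitable` output, or None.

    Scans from the last line backwards so that trailing lldb noise after the
    record is harmless, and skips any line that is not a JSON object carrying
    the expected keys. An empty or error-only output yields None, which is the
    situation crashmon's empty `_exploitable_json` corresponds to.
    """
    for line in reversed(output.splitlines()):
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(record, dict) and all(k in record for k in REQUIRED_KEYS):
            return record
    return None


def to_bool(value):
    """lisa.py serialises booleans as "True"/"False" strings; normalise them."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"


def diagnose(output):
    """Map a failed parse onto the two causes the maintainer lists in the thread."""
    if extract_exploitable_json(output) is not None:
        return "ok"
    if not output.strip():
        return "empty output: exploitable printed nothing (lisa.py not loaded?)"
    if "Traceback" in output or "Error:" in output:
        return "exploitable raised an exception; see the Python error in its output"
    return "no JSON record found in exploitable output"


# Constructed samples, abbreviated from the output shown in the thread.
SAMPLE_OK = """\
(lisa:>) exploitable
crash_code              : EXC_ARM_DA_ALIGN
crash_desc              : Alignment Fault
av_is_exploitable       : True
{"crash_code": "EXC_ARM_DA_ALIGN", "crash_desc": "Alignment Fault", "av_on_branch": "True", "av_is_exploitable": "True", "av_address": "51515151", "exploit_reason": "Trying to execute a bad address, this is a potentially exploitable issue"}
"""
SAMPLE_EMPTY = ""
SAMPLE_ERROR = (
    "AttributeError: module 'capstone' has no attribute 'CS_ARCH_ARM64'. "
    "Did you mean: 'CS_ARCH_ARM'?\n"
)

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("empty", SAMPLE_EMPTY), ("error", SAMPLE_ERROR)):
        record = extract_exploitable_json(sample)
        verdict = to_bool(record["av_is_exploitable"]) if record else None
        print(f"{name:5s} -> {diagnose(sample)} (exploitable={verdict})")
```

The point of `diagnose` is that an empty record and a crashed `exploitable` command look identical once the JSON is missing; logging which of the two happened is what distinguishes "lisa.py never loaded inside crashmon" from "exploitable ran and failed", the two hypotheses above.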

@dukecat0
Author

Thanks for putting your time and effort into this! I'll let you know if I have any new discoveries.
