A couple of issues related to ragg2

[adwait1-g]

Environment

$ date
Tue Aug  9 09:39:30 IST 2022
$ r2 -v
radare2 5.7.7 28613 @ linux-x86-64 git.2.0.1-12317-g977d1ade8
commit: 977d1ade8ade28fe1c72e5b20058c8adbe9e405b build: 2022-08-09__09:03:41
$ uname -ms
Linux x86_64

Description

Issue 1: 'c' type shellcode not working

Consider the following C program:

$ cat code5.c
int main()
{
	return 0;
}

Generate 'c' type shellcode.

$ cat code5
const char cstr[27] = ""\
  "\xeb\x0efffff.\x0f\x1f\x84\x00\x00\x00\x00\x001\xc0\xc7D$\xfc"\
  "\x00\x00\x00\x00\xc3";

Converting it into a C program and see if the above shellcode is working or not,

$ cat code5.c.c
int main()
{
	const char cstr[27] = ""\                                                       
  "\xeb\x0efffff.\x0f\x1f\x84\x00\x00\x00\x00\x001\xc0\xc7D$\xfc"\              
  "\x00\x00\x00\x00\xc3";
	
	void (*func)() = cstr;
	func();
	
	return 0;
}
dell@adwi:~/Documents/projects/r2/ragg2-doc$ gcc code5.c.c -o code5.c.elf -zexecstack

Run it.

$ ./code5.c.elf
Segmentation fault (core dumped)

A peak into the issue.

$ ./code5.c.elf
Segmentation fault (core dumped)
$ gdb -q code5.c.elf
Reading symbols from code5.c.elf...(no debugging symbols found)...done.
gdb-peda$ run
Starting program: /home/dell/Documents/projects/r2/ragg2-doc/code5.c.elf 

Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x0 
RCX: 0x5555555546f0 (<__libc_csu_init>:	push   r15)
RDX: 0x7fffffffd6d0 --> 0x841f0f2effeb 
RSI: 0x7fffffffd7e8 --> 0x7fffffffdbf3 ("/home/dell/Documents/projects/r2/ragg2-doc/code5.c.elf")
RDI: 0x1 
RBP: 0x7fffffffd700 --> 0x5555555546f0 (<__libc_csu_init>:	push   r15)
RSP: 0x7fffffffd6b8 --> 0x5555555546ca (<main+96>:	mov    eax,0x0)
RIP: 0x7fffffffd6d1 --> 0x841f0f2eff 
R8 : 0x7ffff7dced80 --> 0x0 
R9 : 0x7ffff7dced80 --> 0x0 
R10: 0x2 
R11: 0x3 
R12: 0x555555554560 (<_start>:	xor    ebp,ebp)
R13: 0x7fffffffd7e0 --> 0x1 
R14: 0x0 
R15: 0x0
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
=> 0x7fffffffd6d1:	jmp    FWORD PTR [rsi]
   0x7fffffffd6d3:	nop    DWORD PTR [rax+rax*1+0x1000000]
   0x7fffffffd6db:	sar    BYTE PTR [rbp+0x24],0xfc
   0x7fffffffd6df:	add    BYTE PTR [rax],al
                                                              JUMP is NOT taken
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffd6b8 --> 0x5555555546ca (<main+96>:	mov    eax,0x0)
0008| 0x7fffffffd6c0 --> 0x1 
0016| 0x7fffffffd6c8 --> 0x7fffffffd6d0 --> 0x841f0f2effeb 
0024| 0x7fffffffd6d0 --> 0x841f0f2effeb 
0032| 0x7fffffffd6d8 --> 0xfc247dc0010000 
0040| 0x7fffffffd6e0 --> 0xc3000000 
0048| 0x7fffffffd6e8 --> 0x555555000000 ('')
0056| 0x7fffffffd6f0 --> 0x7fffffffd7e0 --> 0x1 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007fffffffd6d1 in ?? ()

Test

I believe the best way to check is to see if there is difference between a simple ragg2 code5.c output and ragg2 -O -f c output. In this case, there is a mismatch in the final shellcode generated.

The following is output of ragg2 code5.c.

eb0e66666666662e0f1f84000000000031c0c74424fc00000000c3

The following is the compiled code (Once the above C program is compiled).

$ ndisasm -b 64 ./code5.mc
00000000  EBFF              jmp short 0x1
00000002  2E0F1F8400000000  nop dword [cs:rax+rax+0x1000000]
         -01
0000000B  C07D24FC          sar byte [rbp+0x24],byte 0xfc
0000000F  0000              add [rax],al
00000011  0000              add [rax],al
00000013  C3                ret

The code present in the C program is not similar to the original code.

Issue 2: PE executables not generated on Linux-x64

$ cat code1.c
int main() {
  write (1,"Hello!\n",7);
  exit(0);
}

Compile it,

$ ragg2 -o code1.pe -f pe ./code1.c
'clang' -fPIC -fPIE -pie -fpic -m64 -fno-stack-protector -nostdinc -include '/usr/local/include/libr/sflib'/'linux-x86-64'/sflib.h -z execstack -fomit-frame-pointer -finline-functions -fno-zero-initialized-in-bss -o './code1.c.tmp' -S './code1.c'

clang: warning: -z execstack: 'linker' input unused [-Wunused-command-line-argument]
clang: warning: argument unused during compilation: '-pie' [-Wunused-command-line-argument]
In file included from <built-in>:1:
/usr/local/include/libr/sflib/linux-x86-64/sflib.h:93:89: warning: declaration of 'struct rusage' will not be visible outside of this function [-Wvisibility]
static inline _sfsyscall4(pid_t, wait4, pid_t, pid, int *, status, int, options, struct rusage *, rusage)
                                                                                        ^
/usr/local/include/libr/sflib/linux-x86-64/sflib.h:97:58: warning: declaration of 'struct sembuf' will not be visible outside of this function [-Wvisibility]
static inline _sfsyscall3(int, semop, int, semid, struct sembuf *, sops, unsigned, nsops)
                                                         ^
2 warnings generated.
'clang' -fPIC -fPIE -pie -fpic -m64 -nostdlib -o './code1.c.o' './code1.c.s'
/usr/bin/ld: warning: cannot find entry symbol _start; defaulting to 00000000000001f0
rabin2 -o './code1.c.text' -O d/S/'.text' './code1.c.o'

$ ls -l code1.pe
-rwxr-xr-x 1 dell dell 0 Aug  9 09:48 code1.pe

But mach0 is being generated(and ofcourse elf).

Will work on these issues + add if I find any other.

Thanks,
Adwaith