Project

General

Profile

Actions
Copy link

Bug #14928

closed

[BUG] Segmentation fault | Fiddle with Windows APIs

Added by KINGSABRI (KING SABRI) over 6 years ago. Updated over 6 years ago.

Status:
Rejected
Assignee:
-
Target version:
-
ruby -v:
2.5.1p57
Backport:
2.3: UNKNOWN, 2.4: UNKNOWN, 2.5: UNKNOWN
[ruby-core:88035]

Description

Hello guys
I need help in Fiddle it's really missing documentation and examples

I have the following code (https://gist.github.com/KINGSABRI/1871e748b51b6ef5c8f61a49a909b8c3)
The full error is right down the code
I'm trying to call Windows APIs and inject a raw code (shellcode) to run it directly in the memory
I don't know if this error is a Ruby bug or there's an issue in my code

OS: Windows 10 - 32bit
Ruby version: 2.5.1p57

A python version above each line.
I'm really shocked that I needed more than 29 lines to deal with C libraries for my case which is converting a 6-lines of python script!. I believe there's a better way using the standard library, it shouldn't be that bad

Note: I don't want to use any external gems

Thanks

https://gist.github.com/KINGSABRI/1871e748b51b6ef5c8f61a49a909b8c3

Actions
Copy link
 #1 [ruby-core:88046]

Updated by nobu (Nobuyoshi Nakada) over 6 years ago

  • Status changed from Open to Feedback

This is a bug in your code, not ruby's.

rtl_move_memory.call(ptr.to_i, buf.size.to_i, shellcode_calc.size.to_i)

The second argument of RtlMoveMemory is source pointer, not the size.
And, buf is an array of single char string objects, you can't call RtlMoveMemory on it.
Copy from shellcode_calc.

Actions
Copy link
 #2

Updated by nobu (Nobuyoshi Nakada) over 6 years ago

  • Status changed from Feedback to Rejected
Actions
Copy link
 #3 [ruby-core:88048]

Updated by KINGSABRI (KING SABRI) over 6 years ago

The second argument of RtlMoveMemory is source pointer, not the size.
And, buf is an array of single char string objects, you can't call RtlMoveMemory on it.

While troubleshooting, I tried to allocate a memory, returns a pointer as the following:

buf = Pointer.malloc(Fiddle::SIZEOF_CHAR * shellcode.size, Fiddle::Pointer[shellcode.bytes.pack('C*')])
=> #<Fiddle::Pointer:0x02f4fae0 ptr=0x02c807e0 size=110 free=0x0299ef10>

Then I used it the RtlMoveMemeory function

Function.new(kernel32['RtlMoveMemory'], [4, 2, 4], 4).call(ptr, buf, shellcode.size)

Still getting the same error

ruby 2.5.1p57 (2018-03-29 revision 63029) [i386-mingw32]

-- Control frame information -----------------------------------------------
c:0003 p:---- s:0018 e:000017 CFUNC  :call
c:0002 p:0332 s:0011 E:001cf4 EVAL   ./ruby2shellcode-2.rb:66 [FINISH]
c:0001 p:0000 s:0003 E:001d58 (none) [FINISH]

-- Ruby level backtrace information ----------------------------------------
./ruby2shellcode-2.rb:66:in `<main>'
./ruby2shellcode-2.rb:66:in `call'

-- C level backtrace information -------------------------------------------
C:\Windows\SYSTEM32\ntdll.dll(KiFastSystemCallRet+0x0) [0x770f38b0]
C:\Windows\System32\KERNELBASE.dll(WaitForSingleObject+0x12) [0x73f621b2]
C:\Ruby25\bin\msvcrt-ruby250.dll(rb_print_backtrace+0x40) [0x62a8aa60]
C:\Windows\SYSTEM32\ntdll.dll(WinSqmEventWrite+0x144cb) [0x7711a48b]

-- Other runtime information -----------------------------------------------

* Loaded script: ./ruby2shellcode-2.rb

* Loaded features:

    0 enumerator.so
    1 thread.rb
    2 rational.so
    3 complex.so
    4 C:/Ruby25/lib/ruby/2.5.0/i386-mingw32/enc/encdb.so
    5 C:/Ruby25/lib/ruby/2.5.0/i386-mingw32/enc/trans/transdb.so
    6 C:/Ruby25/lib/ruby/2.5.0/i386-mingw32/enc/windows_1252.so
    7 C:/Ruby25/lib/ruby/2.5.0/i386-mingw32/rbconfig.rb
    8 C:/Ruby25/lib/ruby/2.5.0/rubygems/compatibility.rb
    9 C:/Ruby25/lib/ruby/2.5.0/rubygems/defaults.rb
   10 C:/Ruby25/lib/ruby/2.5.0/rubygems/deprecate.rb
   11 C:/Ruby25/lib/ruby/2.5.0/rubygems/errors.rb
   12 C:/Ruby25/lib/ruby/2.5.0/rubygems/version.rb
   13 C:/Ruby25/lib/ruby/2.5.0/rubygems/requirement.rb
   14 C:/Ruby25/lib/ruby/2.5.0/rubygems/platform.rb
   15 C:/Ruby25/lib/ruby/2.5.0/rubygems/basic_specification.rb
   16 C:/Ruby25/lib/ruby/2.5.0/rubygems/stub_specification.rb
   17 C:/Ruby25/lib/ruby/2.5.0/rubygems/util/list.rb
   18 C:/Ruby25/lib/ruby/2.5.0/i386-mingw32/stringio.so
   19 C:/Ruby25/lib/ruby/2.5.0/uri/rfc2396_parser.rb
   20 C:/Ruby25/lib/ruby/2.5.0/uri/rfc3986_parser.rb
   21 C:/Ruby25/lib/ruby/2.5.0/uri/common.rb
   22 C:/Ruby25/lib/ruby/2.5.0/uri/generic.rb
   23 C:/Ruby25/lib/ruby/2.5.0/uri/ftp.rb
   24 C:/Ruby25/lib/ruby/2.5.0/uri/http.rb
   25 C:/Ruby25/lib/ruby/2.5.0/uri/https.rb
   26 C:/Ruby25/lib/ruby/2.5.0/uri/ldap.rb
   27 C:/Ruby25/lib/ruby/2.5.0/uri/ldaps.rb
   28 C:/Ruby25/lib/ruby/2.5.0/uri/mailto.rb
   29 C:/Ruby25/lib/ruby/2.5.0/uri.rb
   30 C:/Ruby25/lib/ruby/2.5.0/rubygems/specification.rb
   31 C:/Ruby25/lib/ruby/2.5.0/rubygems/exceptions.rb
   32 C:/Ruby25/lib/ruby/site_ruby/2.5.0/ruby_installer/runtime/singleton.rb
   33 C:/Ruby25/lib/ruby/site_ruby/2.5.0/ruby_installer/runtime.rb
   34 C:/Ruby25/lib/ruby/site_ruby/2.5.0/ruby_installer/runtime/msys2_installation.rb
   35 C:/Ruby25/lib/ruby/2.5.0/i386-mingw32/fiddle.so
   36 C:/Ruby25/lib/ruby/2.5.0/fiddle/function.rb
   37 C:/Ruby25/lib/ruby/2.5.0/fiddle/closure.rb
   38 C:/Ruby25/lib/ruby/2.5.0/fiddle.rb
   39 C:/Ruby25/lib/ruby/site_ruby/2.5.0/ruby_installer/runtime/dll_directory.rb
   40 C:/Ruby25/lib/ruby/2.5.0/i386-mingw32/enc/utf_16le.so
   41 C:/Ruby25/lib/ruby/2.5.0/i386-mingw32/enc/trans/utf_16_32.so
   42 C:/Ruby25/lib/ruby/2.5.0/rubygems/defaults/operating_system.rb
   43 C:/Ruby25/lib/ruby/2.5.0/rubygems/dependency.rb
   44 C:/Ruby25/lib/ruby/2.5.0/rubygems/core_ext/kernel_gem.rb
   45 C:/Ruby25/lib/ruby/2.5.0/monitor.rb
   46 C:/Ruby25/lib/ruby/2.5.0/rubygems/core_ext/kernel_require.rb
   47 C:/Ruby25/lib/ruby/2.5.0/rubygems.rb
   48 C:/Ruby25/lib/ruby/2.5.0/rubygems/path_support.rb
   49 C:/Ruby25/lib/ruby/gems/2.5.0/gems/did_you_mean-1.2.0/lib/did_you_mean/version.rb
   50 C:/Ruby25/lib/ruby/gems/2.5.0/gems/did_you_mean-1.2.0/lib/did_you_mean/core_ext/name_error.rb
   51 C:/Ruby25/lib/ruby/gems/2.5.0/gems/did_you_mean-1.2.0/lib/did_you_mean/levenshtein.rb
   52 C:/Ruby25/lib/ruby/gems/2.5.0/gems/did_you_mean-1.2.0/lib/did_you_mean/jaro_winkler.rb
   53 C:/Ruby25/lib/ruby/gems/2.5.0/gems/did_you_mean-1.2.0/lib/did_you_mean/spell_checker.rb
   54 C:/Ruby25/lib/ruby/2.5.0/delegate.rb
   55 C:/Ruby25/lib/ruby/gems/2.5.0/gems/did_you_mean-1.2.0/lib/did_you_mean/spell_checkers/name_error_checkers/class_name_checker.rb
   56 C:/Ruby25/lib/ruby/gems/2.5.0/gems/did_you_mean-1.2.0/lib/did_you_mean/spell_checkers/name_error_checkers/variable_name_checker.rb
   57 C:/Ruby25/lib/ruby/gems/2.5.0/gems/did_you_mean-1.2.0/lib/did_you_mean/spell_checkers/name_error_checkers.rb
   58 C:/Ruby25/lib/ruby/gems/2.5.0/gems/did_you_mean-1.2.0/lib/did_you_mean/spell_checkers/method_name_checker.rb
   59 C:/Ruby25/lib/ruby/gems/2.5.0/gems/did_you_mean-1.2.0/lib/did_you_mean/spell_checkers/key_error_checker.rb
   60 C:/Ruby25/lib/ruby/gems/2.5.0/gems/did_you_mean-1.2.0/lib/did_you_mean/spell_checkers/null_checker.rb
   61 C:/Ruby25/lib/ruby/gems/2.5.0/gems/did_you_mean-1.2.0/lib/did_you_mean/formatters/plain_formatter.rb
   62 C:/Ruby25/lib/ruby/gems/2.5.0/gems/did_you_mean-1.2.0/lib/did_you_mean.rb
   63 C:/Ruby25/lib/ruby/2.5.0/fiddle/value.rb
   64 C:/Ruby25/lib/ruby/2.5.0/fiddle/pack.rb
   65 C:/Ruby25/lib/ruby/2.5.0/fiddle/struct.rb
   66 C:/Ruby25/lib/ruby/2.5.0/fiddle/cparser.rb
   67 C:/Ruby25/lib/ruby/2.5.0/fiddle/import.rb
   68 C:/Ruby25/lib/ruby/2.5.0/fiddle/types.rb

[NOTE]
You may have encountered a bug in the Ruby interpreter or extension libraries.
Bug reports are welcome.
For details: http://www.ruby-lang.org/bugreport.html


This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

There is something missing, How would I troubleshoot fiddle errors, since most errors are segmentation fault, while dealing with memeory?

Actions
Copy link

Also available in: Atom PDF

Like0
Like0Like0Like0