Bug #14928: [BUG] Segmentation fault | Fiddle with Windows APIs

Added by KINGSABRI (KING SABRI) over 7 years ago. Updated over 7 years ago.

Status: Rejected
Assignee: -
Target version: -
[ruby-core:88035]

Description

Hello guys,
I need help with Fiddle; it's really missing documentation and examples.

I have the following code (https://gist.github.com/KINGSABRI/1871e748b51b6ef5c8f61a49a909b8c3).
The full error is right below the code.
I'm trying to call Windows APIs and inject raw code (shellcode) to run it directly in memory.
I don't know if this error is a Ruby bug or there's an issue in my code.

OS: Windows 10 - 32bit
Ruby version: 2.5.1p57

A Python version is above each line.
I'm really shocked that I needed more than 29 lines to deal with C libraries for my case, which is converting a 6-line Python script! I believe there's a better way using the standard library; it shouldn't be that bad.

Note: I don't want to use any external gems.

Thanks

https://gist.github.com/KINGSABRI/1871e748b51b6ef5c8f61a49a909b8c3

Updated by nobu (Nobuyoshi Nakada) over 7 years ago, #1 [ruby-core:88046]

  • Status changed from Open to Feedback

This is a bug in your code, not Ruby's.

rtl_move_memory.call(ptr.to_i, buf.size.to_i, shellcode_calc.size.to_i)

The second argument of RtlMoveMemory is the source pointer, not the size.
And buf is an array of single-char string objects; you can't call RtlMoveMemory on it.
Copy from shellcode_calc.

Updated by nobu (Nobuyoshi Nakada) over 7 years ago, #2

  • Status changed from Feedback to Rejected

Updated by KINGSABRI (KING SABRI) over 7 years ago, #3 [ruby-core:88048]

> The second argument of RtlMoveMemory is the source pointer, not the size.
> And buf is an array of single-char string objects; you can't call RtlMoveMemory on it.

While troubleshooting, I tried to allocate memory, which returns a pointer as follows:

buf = Pointer.malloc(Fiddle::SIZEOF_CHAR * shellcode.size, Fiddle::Pointer[shellcode.bytes.pack('C*')])
=> #<Fiddle::Pointer:0x02f4fae0 ptr=0x02c807e0 size=110 free=0x0299ef10>

Then I used it in the RtlMoveMemory function:

Function.new(kernel32['RtlMoveMemory'], [4, 2, 4], 4).call(ptr, buf, shellcode.size)

I'm still getting the same error:

ruby 2.5.1p57 (2018-03-29 revision 63029) [i386-mingw32]

-- Control frame information -----------------------------------------------
c:0003 p:---- s:0018 e:000017 CFUNC  :call
c:0002 p:0332 s:0011 E:001cf4 EVAL   ./ruby2shellcode-2.rb:66 [FINISH]
c:0001 p:0000 s:0003 E:001d58 (none) [FINISH]

-- Ruby level backtrace information ----------------------------------------
./ruby2shellcode-2.rb:66:in `<main>'
./ruby2shellcode-2.rb:66:in `call'

-- C level backtrace information -------------------------------------------
C:\Windows\SYSTEM32\ntdll.dll(KiFastSystemCallRet+0x0) [0x770f38b0]
C:\Windows\System32\KERNELBASE.dll(WaitForSingleObject+0x12) [0x73f621b2]
C:\Ruby25\bin\msvcrt-ruby250.dll(rb_print_backtrace+0x40) [0x62a8aa60]
C:\Windows\SYSTEM32\ntdll.dll(WinSqmEventWrite+0x144cb) [0x7711a48b]

-- Other runtime information -----------------------------------------------

* Loaded script: ./ruby2shellcode-2.rb

* Loaded features:

[NOTE]
You may have encountered a bug in the Ruby interpreter or extension libraries.
Bug reports are welcome.
For details: http://www.ruby-lang.org/bugreport.html


This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

There is something missing. How would I troubleshoot Fiddle errors, since most errors are segmentation faults while dealing with memory?
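An added example, not code from this thread or from Ruby's Fiddle documentation, showing the buffer-passing discipline nobu's reply describes (a String wrapped in a Fiddle::Pointer as the source, the byte count in the third position) together with a pre-call argument check that answers the troubleshooting question above: validate the Ruby-side arguments before the native call so a mistake raises ArgumentError instead of a segmentation fault. It uses libc's memcpy, which takes the same (destination, source, length) arguments as RtlMoveMemory, so it runs on any platform; the helper names and the sample string are my own.

```ruby
require 'fiddle'

# memcpy(void *dest, const void *src, size_t n) has the same argument order as
# RtlMoveMemory: destination, source pointer, byte count. Resolved from the
# current process (libc), so this runs on Linux/macOS as well as Windows.
MEMCPY = Fiddle::Function.new(
  Fiddle.dlopen(nil)['memcpy'],
  [Fiddle::TYPE_VOIDP, Fiddle::TYPE_VOIDP, Fiddle::TYPE_SIZE_T],
  Fiddle::TYPE_VOIDP
)

# Reject anything that is not a real pointer object for a TYPE_VOIDP parameter.
# Fiddle itself accepts a bare Integer as an address, which is exactly how a
# byte count (or an Array) ends up being dereferenced and crashes the process.
def check_pointer_args(types, args)
  raise ArgumentError, "expected #{types.size} args, got #{args.size}" unless types.size == args.size
  types.zip(args).each_with_index do |(type, arg), i|
    next unless type == Fiddle::TYPE_VOIDP
    next if arg.is_a?(Fiddle::Pointer) || arg.is_a?(String)
    raise ArgumentError, "argument #{i}: pointer parameter given a #{arg.class}"
  end
  true
end

# Copy a Ruby String into freshly malloc'd native memory and return the pointer.
# The String is wrapped with Fiddle::Pointer[] (never an Array of chars), and
# the length is passed in the third position, not the second.
def copy_into_native(src)
  raise ArgumentError, "source must be a String, got #{src.class}" unless src.is_a?(String)
  src_ptr = Fiddle::Pointer[src]
  dst_ptr = Fiddle::Pointer.malloc(src.bytesize, Fiddle::RUBY_FREE)  # freed by GC
  types = [Fiddle::TYPE_VOIDP, Fiddle::TYPE_VOIDP, Fiddle::TYPE_SIZE_T]
  check_pointer_args(types, [dst_ptr, src_ptr, src.bytesize])
  MEMCPY.call(dst_ptr, src_ptr, src.bytesize)
  dst_ptr
end

if __FILE__ == $0
  sample = "constructed sample bytes".b   # constructed input, not from the thread
  copy = copy_into_native(sample)
  puts copy[0, sample.bytesize] == sample  # true: bytes arrived intact
  begin
    # The mistake from the thread: a byte count where a pointer belongs.
    check_pointer_args([Fiddle::TYPE_VOIDP] * 2 + [Fiddle::TYPE_SIZE_T], [copy, 24, 24])
  rescue ArgumentError => e
    puts e.message                          # caught before the native call
  end
end
```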
