1.4.0 Dogd upgrade and config changes

+ ~/.vagd was moved to ~/.local/share/vagd
+ Dogd now supports Entrypoint overwrite
+ improved Dogd chaching (for symbols)
+ update template to improve --libs

Author: gfelber

.gitignore

@@ -1,4 +1,5 @@
 venv
+env
 .idea
 .vagrant
 Vagrantfile
@@ -11,3 +12,6 @@ sysroot/
 .vagd
 __pycache__/
 _build
+test/exploit.py
+test/flag
+test/libs

README.md

@@ -4,24 +4,22 @@
 
 VirtuAlization GDb integrations in pwntools
 
-
-
 ## Installation
 
 ```bash
 pip install vagd
 ```
+
 or from repo with
+
 ```bash
 git clone https://github.com/gfelber/vagd
 pip install ./vagd/
 ```
 
-
-
 ## Usage
 
-+ `vagd template [OPTIONS] [BINARY] [IP] [PORT]` to generate a template, list OPTIONS with help `-h`
+- `vagd template [OPTIONS] [BINARY] [IP] [PORT]` to generate a template, list OPTIONS with help `-h`
 
 ```python
 #!/usr/bin/env python
@@ -30,7 +28,7 @@ from pwn import *
 IP = ''         # remote IP
 PORT = 0        # remote PORT
 BINARY = ''     # PATH to local binary e.g. ./chal
-ARGS = []       # ARGS supplied to binary 
+ARGS = []       # ARGS supplied to binary
 ENV = {}        # ENVs supplied to binary
 # GDB SCRIPT, executed at start of GDB session (set breakpoint here)
 GDB = f"""
@@ -51,7 +49,7 @@ def get_target(**kw):
 
     from vagd import Dogd, Qegd, Shgd
     if not vm:
-        # Docker 
+        # Docker
         vm = Dogd(exe.path, image="ubuntu:jammy", ex=True, fast=True)
         # or Qemu
         vm = Qegd(exe.path, img="https://cloud-images.ubuntu.com/jammy/current/jammy-server-cloudimg-amd64.img", ex=True, fast=True)
@@ -65,7 +63,7 @@ t = get_target()
 t.interactive()
 ```
 
-+ `vagd info BINARY` to print info about binary
+- `vagd info BINARY` to print info about binary
 
 ```bash
 # run as process in VM
@@ -78,13 +76,9 @@ t.interactive()
 
 I recommend using [pwndbg](https://github.com/pwndbg/pwndbg).
 
- 
-
 ## Files
 
-All created files ares stored in the local `./.vagd/` directory. Additional large files (e.g. cloudimages) are stored in the home directory `~/.vagd/` or handled by tools themselfs (e.g. Docker).
-
-
+All created files ares stored in the local `./.vagd/` directory. Additional large files (e.g. cloudimages) are stored in the home directory `~/.share/local/vagd/` or handled by tools themselfs (e.g. Docker).
 
 ## CLI
 
@@ -105,20 +99,14 @@ vagd scp [OPTIONS] SOURCE [TARGET]
 vagd clean [OPTIONS]
 ```
 
-
-
 ## [Documentation](https://vagd.gfelber.dev)
 
-
-
 ## Boxes
 
 A listed of known working Boxes can be found in the [Documentation](http://vagd.gfelber.dev/autoapi/vagd/box/index.html#module-vagd.box).
 Other images might also work but currently only distributions that use `apt` and alpine for Docker are supported.
 This limitation may be circumvented by creating a target yourself (with the dependencies gdbserver, python, openssh) and creating a ssh connection via Shgd.
 
-
-
 ## Troubleshooting
 
 ### background processes
@@ -135,9 +123,7 @@ files on the virtual instance are never overwritten this has performance reason
 
 ### gdb performance
 
-Using gdbserver and gdb to index libraries can be very slow. Therefore an experimental feature is available that mounts libraries locally: `Dogd(..., ex=True, fast=True)` 
-
-
+Using gdbserver and gdb to index libraries can be very slow. Therefore an experimental feature is available that mounts libraries locally: `Dogd(..., ex=True, fast=True)`
 
 ## Future plans
 

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "vagd"
-version = "1.3.10"
+version = "1.4.0"
 authors = [{ name = "0x6fe1be2" }]
 description = "VirtuAlization GDb integrations in pwntools"
 readme = "README.md"

src/vagd/cli.py

@@ -109,24 +109,26 @@ def template(
     aliasesPath = templatePath + "/res/aliases.txt"
     templatePath += '/res/template.txt'
     multi = False
+
     if not any((dogd, qegd, vagd, shgd)):
         dogd = qegd = True
 
     if sum((dogd, qegd, vagd, shgd)) > 1:
         multi = True
 
-
     env = {}
+
     if libc:
         files.append(libc)
-        env['LD_PRELOAD'] = os.path.basename(libc)
 
     dependencies = []
     vms = []
     args = dict()
 
     if libs:
         args['libs'] = True
+        if not libc:
+          libc = './libs/libc.so.6'
 
     if files:
         args['files'] = '[' + ','.join(f"'{file}'" for file in files) + ']'
@@ -146,14 +148,10 @@ def template(
     with open(aliasesPath, 'r') as aliases_file:
         aliases = aliases_file.read()
 
-
-    if libc and libs:
-        err_console.print("using --libs and --libc, uncomment libc after init")
-
     with (open(templatePath, 'r') as templateFile):
         for line in templateFile.readlines():
 
-            if libc and not libs and line.startswith('# libc'):
+            if libc and line.startswith('# libc'):
                 templateChunks.append(line[2:])
             else:
                 templateChunks.append(line)

src/vagd/res/template.txt

@@ -13,15 +13,27 @@ set follow-fork-mode parent
 c"""
 
 context.binary = exe = ELF(BINARY, checksec=False)
-# libc = ELF('{libc}', checksec=False)
 context.aslr = {aslr}
 
 {aliases}
 
-vm = None
-def get_target(**kw) -> tubes.tube:
+def setup():
   global vm
+  if args.REMOTE or {is_local}:
+    return
+
+  try:
+    from vagd import {dependencies}, Box # only load vagd if needed
+  except:
+    log.error("Failed to import vagd, either run locally using LOCAL or install it")
+  if not vm:
+    {vms}
+  if vm.is_new:
+    log.info("new vagd instance") # additional setup here
+
 
+vm = None
+def get_target(**kw) -> tubes.tube:
   if args.REMOTE:
     # context.log_level = 'debug'
     return remote(IP, PORT)
@@ -31,16 +43,11 @@ def get_target(**kw) -> tubes.tube:
       return gdb.debug([BINARY] + ARGS, env=ENV, gdbscript=GDB, **kw)
     return process([BINARY] + ARGS, env=ENV, **kw)
 
-  try:
-    from vagd import {dependencies}, Box # only load vagd if needed
-  except:
-    log.error("Failed to import vagd, either run locally using LOCAL or install it")
-  if not vm:
-    {vms}
-  if vm.is_new:
-    log.info("new vagd instance") # additional setup here
   return vm.start(argv=ARGS, env=ENV, gdbscript=GDB, **kw)
 
+setup()
+
+# libc = ELF('{libc}', checksec=False)
 
 t = get_target()
 

src/vagd/templates.py

@@ -11,9 +11,12 @@
 
 DOCKER_TEMPLATE = '''FROM {image}
 
+USER root
+
 # install packages
-RUN apt-get update && \\
-    NEEDRESTART_MODE=a apt-get install -y {packages}
+ENV DEBIAN_FRONTEND=noninteractive
+RUN apt-get update
+RUN apt-get install -y {packages}
 
 # init user and ssh
 EXPOSE 22
@@ -29,15 +32,18 @@
 USER root
 RUN mkdir -p /run/sshd && \\
     chmod 755 /run/sshd
-    
-    
+
+ENTRYPOINT []
+
 CMD /usr/sbin/sshd; \\
     while true; do sleep 1m; done
 '''
 
 # TODO: proper template generation for alpine
 DOCKER_ALPINE_TEMPLATE = '''FROM {image}
 
+USER root
+
 # install packages
 RUN apk update
 RUN apk add --no-cache python3
@@ -66,6 +72,7 @@
 RUN mkdir -p /run/sshd && \
     chmod 755 /run/sshd
 
+ENTRYPOINT []
 
 CMD /usr/sbin/sshd; \
     while true; do sleep 1m; done

src/vagd/virts/dogd.py

@@ -29,7 +29,7 @@ class Dogd(Shgd):
 
         vagd ssh
         # or
-        ssh -o "StrictHostKeyChecking=no" -i ~/.vagd/keyfile -p $(cut .vagd/docker.lock -d":" -f 2) vagd@0.0.0.0
+        ssh -o "StrictHostKeyChecking=no" -i ~/.share/local/vagd/keyfile -p $(cut .vagd/docker.lock -d":" -f 2) vagd@0.0.0.0
 
     | connect with docker exec
 
@@ -47,7 +47,7 @@ class Dogd(Shgd):
 
     | Docker containers are automatically removed after they stop
     | Docker images need to be manually removed from docker
-    | Dockerfiles are stored in home directory to allow caching ~/.vagd/docker/<image>/Dockerfile
+    | Dockerfiles are stored in home directory to allow caching ~/.share/local/vagd/docker/<image>/Dockerfile
 
     .. code-block:: bash
 
@@ -67,6 +67,7 @@ class Dogd(Shgd):
     _gdbsrvport: int
     _ex: bool
     _forward: Dict[str, int]
+    _symbols: bool
 
     TYPE = 'dogd'
     DOCKERHOME = Pwngd.HOME_DIR + "docker/"
@@ -117,12 +118,19 @@ def _build_image(self):
         helper.info('building docker image')
         hash = self._image.find('@')
         if hash != -1:
-            tag = self._image[:hash]
+            tag = self._image[:hash].replace(':', '_')
             # add first 8 characters of hash
             tag += self._image[self._image.rfind(':'):][:8]
         else:
             tag = self._image
 
+        if self._symbols:
+            if ':' not in tag:
+                tag += ':'
+            else:
+              tag += '_'
+            tag += 'symbols'
+
         return self._client.images.build(path=os.path.dirname(self._dockerfile), tag=f'vagd/{tag}')[0]
 
     def _vm_create(self):
@@ -206,6 +214,7 @@ def __init__(self,
         self._user = user
         self._forward = forward
         self._ex = ex
+        self._symbols = symbols
         if self._isalpine and not self._ex:
             helper.error("Docker alpine images requires experimental features")
         if self._forward is None:

src/vagd/virts/pwngd.py

@@ -27,7 +27,7 @@ class Pwngd(ABC):
     :param ex: if experimental features should be enabled
     """
     LOCAL_DIR = './.vagd/'
-    HOME_DIR = os.path.expanduser('~/.vagd/')
+    HOME_DIR = os.path.expanduser('~/.local/share/vagd/')
     SYSROOT = LOCAL_DIR + 'sysroot/'
     LOCKFILE = LOCAL_DIR + 'vagd.lock'
     SYSROOT_LIB = SYSROOT + 'lib/'

src/vagd/virts/qegd.py

@@ -38,7 +38,7 @@ class Qegd(Shgd):
 
         vagd ssh
         # or
-        ssh -o "StrictHostKeyChecking=no" -i ~/.vagd/keyfile -p $(cat .vagd/qemu.lock) ubuntu@0.0.0.0
+        ssh -o "StrictHostKeyChecking=no" -i ~/.share/local/vagd/keyfile -p $(cat .vagd/qemu.lock) ubuntu@0.0.0.0
 
     | Kill from cmd:
 
@@ -48,7 +48,7 @@ class Qegd(Shgd):
         # or
         kill $(pgrep qemu)
 
-    | Qemu images are cached in the home directory: :code:`~/.vagd/qemu-imgs/`
+    | Qemu images are cached in the home directory: :code:`~/.share/local/vagd/qemu-imgs/`
     |
     | current used images are stored in the local directory: :code:`./.vagd/current.img`
     | These should be deleted automatically, but if a machine gets improperly stopped

test/vagd

@@ -0,0 +1 @@
+../src/vagd