def test_reconstraining():
"""
Test our ability to reconstrain
"""
crash_input = "101010101014431b371c3389313131301a73cc62516e491dd2f10bfa256e8c5577383b5dcf6bc645d295b4011493c0e5ed80ffffff0b7070c1ecc2f516a892f17abe0dd15eb17ff76624646f6f756d6590746174696f6eb770de07ed4352a3f8575ffc47e9aaa3c792f17abe0dd15eb17ff76624646f63756d877c26a90f839aa84386b0d86123f1ebb65586a794aef8355c3c252410bce1c41494adbe17ec7fd3f764b30fe3bb8187c7bd146462f5010000007f5713a610eda32f16a52226fb88fe0d2905ba2c98f48645786563757461626c652f6400631257e567ff227038ae0bb5242d61549eb9febc41cc0b347e7c7c7c7c7c7c7c7c7c7c7c7c7c7c997c7c7c73d6121b47383e2e72c363a4255a44bd17bec98097e8bd91cf27711ecf4edc02b6f031b170de07ed4352a310575ffc47e9aaa3c77ca565638510c0179e3911eb569ca90064cd2b48c977641ba395905373fd0b578175a210101014431b371c333700313130e7062cf5d2dd371b8cf2812fd823bd634f4240afba99bff3eee8494da1e7634bb4cf511771331b73cf16bb41aedd7c632d636763ede059ee4d9c6603d09fe58e25b36d8d40104b2e868be8e2f7fc446fd8ac83587f842ab06ab2f0b33afbd8bf47f7c29a1314d4b32af4b400026bec8650bfa7b0858c2ab155865318a80534f75b3384d8".replace(
"\n", "").decode("hex")
binary = os.path.join(bin_location, "tests/cgc/PIZZA_00003")
crash = rex.Crash(binary, crash_input)
cp = crash.copy()
ptfi = list(cp.point_to_flag())
nose.tools.assert_true(len(ptfi) >= 1)
cg = colorguard.ColorGuard(binary, ptfi[0])
x = cg.attempt_exploit()
nose.tools.assert_not_equals(x, None)
nose.tools.assert_true(_do_pov_test(x))
# test point to flag
nose.tools.assert_true(len(ptfi) >= 2)
cg = colorguard.ColorGuard(binary, ptfi[1])
x = cg.attempt_exploit()
nose.tools.assert_not_equals(x, None)
nose.tools.assert_true(_do_pov_test(x))
def test_reconstraining():
# Test our ability to reconstrain
crash_input = b'3\x89111' + b'0' + b'A' * 190 + b'1'
binary = os.path.join(bin_location, "tests/cgc/PIZZA_00003")
crash = rex.Crash(binary,
crash_input,
fast_mode=True,
rop_cache_path=os.path.join(cache_location,
'PIZZA_00003'))
ptfi = list(crash.point_to_flag())
nose.tools.assert_true(len(ptfi) >= 2)
# test point to flag #1
cg = colorguard.ColorGuard(binary, ptfi[0])
x = cg.attempt_exploit()
nose.tools.assert_not_equals(x, None)
nose.tools.assert_true(_do_pov_test(x))
# test point to flag #2
cg = colorguard.ColorGuard(binary, ptfi[1])
x = cg.attempt_exploit()
nose.tools.assert_not_equals(x, None)
nose.tools.assert_true(_do_pov_test(x))
def test_reconstraining():
# Test our ability to reconstrain
inp = b'3\x89111' + b'0' + b'A' * 190 + b'1'
path = os.path.join(bin_location, "tests/cgc/PIZZA_00003")
with archr.targets.LocalTarget([path], target_os='cgc') as target:
crash = rex.Crash(target,
inp,
fast_mode=True,
rop_cache_path=os.path.join(cache_location,
'PIZZA_00003'))
ptfi = list(crash.point_to_flag())
nose.tools.assert_true(len(ptfi) >= 2)
# test point to flag #1
cg = colorguard.ColorGuard(path, ptfi[0])
x = cg.attempt_exploit()
nose.tools.assert_not_equal(x, None)
nose.tools.assert_true(_do_pov_test(x))
# test point to flag #2
cg = colorguard.ColorGuard(path, ptfi[1])
x = cg.attempt_exploit()
nose.tools.assert_not_equal(x, None)
nose.tools.assert_true(_do_pov_test(x))
crash.project.loader.close()
def test_fast_avoid_solves():
cg = colorguard.ColorGuard(
os.path.join(bin_location, "tests/i386/chall_resp_leak2"), 'Zw\xd4V')
nose.tools.assert_true(cg.causes_leak())
pov = cg.attempt_pov()
nose.tools.assert_true(pov.test_binary())
def break_KPRCA_00057(): # L284
# This test requires pointing an arbitrary transmit using atoi at the flag
with open(os.path.join(tests_dir, "KPRCA_00057_crash"), 'rb') as f:
crash = f.read()
# set up hooks
format_infos = []
format_infos.append(FormatInfoStrToInt(0x8049e90, "based_atoi_8", str_arg_num=0, base=8,
base_arg=None, allows_negative=False))
format_infos.append(FormatInfoStrToInt(0x804b3b0, "strtol", str_arg_num=0, base=None,
base_arg=2, allows_negative=False))
format_infos.append(FormatInfoStrToInt(0x804b160, "strtol", str_arg_num=0, base=None,
base_arg=2, allows_negative=False))
format_infos.append(FormatInfoDontConstrain(0x8049e90, "fdprintf", 1))
binary = os.path.join(bin_location, "tests/cgc/KPRCA_00057")
crash = rex.Crash(binary, crash, format_infos=format_infos, rop_cache_path=os.path.join(cache_location, 'KPRCA_00057_crash'))
nose.tools.assert_true(crash.one_of(Vulnerability.ARBITRARY_TRANSMIT))
flag_leaks = list(crash.point_to_flag())
nose.tools.assert_true(len(flag_leaks) >= 1)
cg = colorguard.ColorGuard(binary, flag_leaks[0])
cg.causes_leak()
pov = cg.attempt_pov()
nose.tools.assert_true(_do_pov_test(pov))
def test_simple_chall_resp():
cg = colorguard.ColorGuard(
os.path.join(bin_location, "tests/i386/CUSTM_00022"),
'\xa0\x9d\x9a\x35AA')
nose.tools.assert_true(cg.causes_leak())
pov = cg.attempt_pov()
nose.tools.assert_true(pov.test_binary())
def test_simple_leak5():
"""
Test detection of a leak where individual bits of the flag are leaked out
"""
cg = colorguard.ColorGuard(os.path.join(bin_location, 'tests/i386/simple_leak5'), '\x00' * 0x20)
pov = cg.attempt_exploit()
nose.tools.assert_not_equal(pov, None)
nose.tools.assert_true(pov.test_binary())
def test_simple_leak4():
"""
Test detection of a leak where bytes leaked through different calls to transmit and operations are done to those bytes.
"""
cg = colorguard.ColorGuard(os.path.join(bin_location, 'tests/i386/simple_leak4'), 'foobar')
pov = cg.attempt_exploit()
nose.tools.assert_not_equal(pov, None)
nose.tools.assert_true(pov.test_binary())
def test_simple_leak2():
"""
Test detection of a leak where multiple arithmetic operations are performed on flag page data.
"""
cg = colorguard.ColorGuard(os.path.join(bin_location, 'tests/i386/simple_leak2'), 'foobar')
pov = cg.attempt_exploit()
nose.tools.assert_not_equal(pov, None)
nose.tools.assert_true(pov.test_binary())
def test_atoi_leaking():
"""
Test the ability to exploit a dumb leak of hex encoded flag data.
"""
cg = colorguard.ColorGuard(os.path.join(bin_location, "tests/i386/atoi_leak"), "foobar")
nose.tools.assert_true(cg.causes_dumb_leak())
pov = cg.attempt_exploit()
nose.tools.assert_true(pov.test_binary())
def test_dumb_leaking():
"""
Test the ability to quickly exploit really simple leaks.
"""
cg = colorguard.ColorGuard(os.path.join(bin_location, "tests/i386/random_flag"), "foobar")
nose.tools.assert_true(cg.causes_dumb_leak())
pov = cg.attempt_dumb_pov()
nose.tools.assert_true(pov.test_binary())
def test_concrete_difference_filtering():
"""
Test the ability to filter inputs which cause no output difference when ran concretely.
"""
payload = "313131313131313131313131313131310a".decode('hex')
cg = colorguard.ColorGuard(os.path.join(bin_location, "tests/cgc/CROMU_00070"), payload)
nose.tools.assert_false(cg.causes_leak())
nose.tools.assert_true(cg._no_concrete_difference)
def test_simple_leak1():
"""
Test detection of one of the simplest possible leaks.
"""
cg = colorguard.ColorGuard(os.path.join(bin_location, 'tests/i386/simple_leak1'), 'foobar')
pov = cg.attempt_exploit()
nose.tools.assert_not_equal(pov, None)
nose.tools.assert_true(pov.test_binary())
def test_choose_leak():
"""
Test colorguard choosing the correct flag page bytes must be reversed.
"""
cg = colorguard.ColorGuard(os.path.join(bin_location, 'tests/i386/choose_leak'), 'foobar')
pov = cg.attempt_exploit()
nose.tools.assert_not_equal(pov, None)
nose.tools.assert_true(pov.test_binary())
def test_caching():
"""
Test the at-receive local caching.
"""
payload = "320a310a0100000005000000330a330a340a".decode('hex')
cg1 = colorguard.ColorGuard(
os.path.join(bin_location, 'tests/cgc/PIZZA_00001'), payload)
# of course run the thing and makes sure it works
nose.tools.assert_true(cg1.causes_leak())
cg2 = colorguard.ColorGuard(
os.path.join(bin_location, 'tests/cgc/PIZZA_00001'), payload)
# and insure the cache-loaded version still works
nose.tools.assert_true(cg2.causes_leak())
pov = cg2.attempt_pov()
nose.tools.assert_true(pov.test_binary())
def test_big_leak():
"""
Test detection of a leak where 0x8000 concrete bytes are written to stdout before a the secret is leaked.
This used to cause a bug because of limits placed on how much data could be loaded from a SymbolicMemoryRegion.
"""
cg = colorguard.ColorGuard(os.path.join(bin_location, 'tests/i386/big_leak'), 'foobar')
pov = cg.attempt_exploit()
nose.tools.assert_not_equal(pov, None)
nose.tools.assert_true(pov.test_binary())
def test_fast_avoid_solves():
logging.getLogger("angr.state_plugins.preconstrainer").setLevel("DEBUG")
logging.getLogger("angr.simos").setLevel("DEBUG")
logging.getLogger("angr.exploration_techniques.tracer").setLevel("DEBUG")
logging.getLogger("angr.exploration_techniques.crash_monitor").setLevel(
"DEBUG")
cg = colorguard.ColorGuard(
os.path.join(bin_location, "tests/i386/chall_resp_leak2"), 'Zw\xd4V')
nose.tools.assert_true(cg.causes_leak())
pov = cg.attempt_pov()
nose.tools.assert_true(pov.test_binary())
def test_cromu_00070_caching():
"""
Test exploitation of CROMU_00070 given an input which causes a leak. Then test that we can do it again restoring
from the cache.
"""
for _ in range(2):
payload = "06000006020a00000000000000000000000c030c00000100e1f505000000000000eb".decode('hex')
cg = colorguard.ColorGuard(os.path.join(bin_location, "tests/cgc/CROMU_00070"), payload)
pov = cg.attempt_exploit()
nose.tools.assert_not_equal(pov, None)
nose.tools.assert_true(pov.test_binary())
def test_leak_no_exit():
"""
Test the handling of leaks where the payload does not cause an exit of the binary.
"""
# this payload cause a leak but the exit condition in QEMU does not represent the
# the PoV's running environment accurately
payload = "320a330a".decode('hex')
cg = colorguard.ColorGuard(os.path.join(bin_location, 'tests/cgc/PIZZA_00001'), payload)
pov = cg.attempt_exploit()
nose.tools.assert_not_equal(pov, None)
nose.tools.assert_true(pov.test_binary())
def test_double_leak():
"""
Test detection of a leak where the same bytes are leaked twice. Once they are leaked in a reversable operation,
the second time they are leaked the operation is not reversible.
This should test the ability for colorguard to only choose attempting to reverse the the operation which we know
is reversable.
"""
payload = "320a310a0100000005000000330a330a340a".decode('hex')
cg = colorguard.ColorGuard(os.path.join(bin_location, 'tests/cgc/PIZZA_00001'), payload)
pov = cg.attempt_exploit()
nose.tools.assert_not_equal(pov, None)
nose.tools.assert_true(pov.test_binary())
def _do_arbitrary_transmit_test_for(binary):
crash_input = "A" * 0x24
binary = os.path.join(bin_location, binary)
crash = rex.Crash(binary, crash_input)
zp = crash.state.get_plugin("zen_plugin")
nose.tools.assert_true(len(zp.controlled_transmits) == 1)
flag_leaks = list(crash.point_to_flag())
nose.tools.assert_true(len(flag_leaks) >= 1)
for ptfi in flag_leaks:
try:
cg = colorguard.ColorGuard(binary, ptfi)
nose.tools.assert_true(cg.causes_leak())
pov = cg.attempt_exploit()
nose.tools.assert_true(pov.test_binary())
except rex.CannotExploit:
raise Exception("should be exploitable")
def break_controlled_printf():#L90
# Test ability to turn controlled format string into Type 2 POV.
crash = "%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%X%x%sAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
binary = os.path.join(bin_location, "tests/i386/controlled_printf")
crash = rex.Crash(binary, crash, rop_cache_path=os.path.join(cache_location, 'controlled_printf'))
nose.tools.assert_true(crash.one_of(Vulnerability.ARBITRARY_READ))
flag_leaks = list(crash.point_to_flag())
nose.tools.assert_true(len(flag_leaks) >= 1)
cg = colorguard.ColorGuard(binary, flag_leaks[0])
nose.tools.assert_true(cg.causes_leak())
pov = cg.attempt_pov()
nose.tools.assert_true(_do_pov_test(pov, enable_randomness=False))
def _do_arbitrary_transmit_test_for(binary):
inp = b"A"*0x24
path = os.path.join(bin_location, binary)
with archr.targets.LocalTarget([path], target_os='cgc') as target:
crash = rex.Crash(target, inp, fast_mode=True, rop_cache_path=os.path.join(cache_location, os.path.basename(binary)))
zp = crash.state.get_plugin("zen_plugin")
nose.tools.assert_true(len(zp.controlled_transmits) == 1)
flag_leaks = list(crash.point_to_flag())
nose.tools.assert_true(len(flag_leaks) >= 1)
for ptfi in flag_leaks:
cg = colorguard.ColorGuard(path, ptfi)
nose.tools.assert_true(cg.causes_leak())
pov = cg.attempt_exploit()
nose.tools.assert_true(pov.test_binary())
crash.project.loader.close()
def _run(self, job):
"""Run colorguard on a testcase in an attempt to find leaks."""
if self._cs.is_multi_cbn:
LOG.warning(
"Colorguard scheduled on multicb, this is not yet supported")
return
LOG.debug("Invoking colorguard on challenge %s, job %s", self._cs.name,
job.id)
self._colorguard = colorguard.ColorGuard(self._cbn.path,
str(job.input_blob))
exploit = self._colorguard.attempt_exploit()
if exploit is not None:
LOG.info("Job %d's testcase causes a leak of the flag page",
job.id)
e = Exploit.create(cs=self._cs,
job=self._job,
pov_type="type2",
method=exploit.method_name,
blob=exploit.dump_binary(),
c_code=exploit.dump_c())
e.reliability = self._get_pov_score(exploit)
LOG.info("Binary POV passed %d / 10 simulation tests",
e.reliability * 10)
e.save()
else:
LOG.debug("Unable to find leak or generate exploit for testcase")
if not job.payload['crash']:
LOG.debug("Marking test %s as by colorguard traced",
job.payload['id'])
t = Test.get(id=job.payload['id'])
t.colorguard_traced = True
t.save()
def _do_pov_test(pov, enable_randomness=True):
"""
Test a POV
"""
for _ in range(10):
if pov.test_binary(enable_randomness=enable_randomness):
return True
return False
crash = "%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%X%x%sAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
binary = os.path.join(bin_location, "tests/i386/controlled_printf")
pov_fuzzer = pov_fuzzing.Type2CrashFuzzer(binary, crash)
assert any(pov_fuzzer.test_binary() for _ in range(10))
assert pov_fuzzer.exploitable()
assert pov_fuzzer.dumpable()
cg = colorguard.ColorGuard(binary, pov_fuzzer.get_leaking_payload())
nose.tools.assert_true(cg.causes_leak())
pov = cg.attempt_pov()
nose.tools.assert_true(_do_pov_test(pov, enable_randomness=False))
