def test_cgc_se1_palindrome_raw():
b = os.path.join(bin_location, "tests/cgc/sc1_0b32aa01_01")
# test a valid palindrome
p = angr.Project(b)
p.simos.syscall_library.update(angr.SIM_LIBRARIES['cgcabi_tracer'])
trace, magic, crash_mode, crash_addr = do_trace(
p, 'tracer_cgc_se1_palindrome_raw_nocrash', 'racecar\n')
s = p.factory.tracer_state(input_content="racecar\n", magic_content=magic)
simgr = p.factory.simulation_manager(s,
save_unsat=True,
hierarchy=False,
save_unconstrained=crash_mode)
simgr.use_technique(
angr.exploration_techniques.CrashMonitor(trace=trace,
crash_mode=crash_mode,
crash_addr=crash_addr))
t = angr.exploration_techniques.Tracer(trace=trace)
simgr.use_technique(t)
simgr.use_technique(angr.exploration_techniques.Oppologist())
simgr.run()
# make sure the heap base is correct and hasn't been altered from the default
nose.tools.assert_true('traced' in simgr.stashes)
nose.tools.assert_equal(simgr.traced[0].cgc.allocation_base, 0xb8000000)
# make sure there is no crash state
nose.tools.assert_true('crashed' not in simgr.stashes)
# make sure angr modeled the correct output
stdout_dump = simgr.traced[0].posix.dumps(1)
nose.tools.assert_true(
stdout_dump.startswith("\nWelcome to Palindrome Finder\n\n"
"\tPlease enter a possible palindrome: "
"\t\tYes, that's a palindrome!\n\n"
"\tPlease enter a possible palindrome: "))
# make sure there were no 'Nope's from non-palindromes
nose.tools.assert_false("Nope" in stdout_dump)
# now test crashing input
trace, magic, crash_mode, crash_addr = do_trace(
p, 'tracer_cgc_se1_palindrome_raw_yescrash', 'A' * 129)
s = p.factory.tracer_state(input_content="A" * 129, magic_content=magic)
simgr = p.factory.simulation_manager(s,
save_unsat=True,
hierarchy=False,
save_unconstrained=crash_mode)
t = angr.exploration_techniques.Tracer(trace=trace)
c = angr.exploration_techniques.CrashMonitor(trace=trace,
crash_mode=crash_mode,
crash_addr=crash_addr)
simgr.use_technique(c)
simgr.use_technique(t)
simgr.use_technique(angr.exploration_techniques.Oppologist())
simgr.run()
nose.tools.assert_true('crashed' in simgr.stashes)
def tracer_cgc(filename,
test_name,
stdin,
copy_states=False,
follow_unsat=False):
p = angr.Project(filename)
p.simos.syscall_library.update(angr.SIM_LIBRARIES['cgcabi_tracer'])
trace, magic, crash_mode, crash_addr = do_trace(p, test_name, stdin)
s = p.factory.entry_state(mode='tracing',
stdin=angr.SimFileStream,
flag_page=magic)
s.preconstrainer.preconstrain_file(stdin, s.posix.stdin, True)
simgr = p.factory.simulation_manager(s,
hierarchy=False,
save_unconstrained=crash_mode)
t = angr.exploration_techniques.Tracer(trace,
crash_addr=crash_addr,
keep_predecessors=1,
copy_states=copy_states,
follow_unsat=follow_unsat)
simgr.use_technique(t)
simgr.use_technique(angr.exploration_techniques.Oppologist())
return simgr, t
def tracer_linux(filename,
test_name,
stdin,
add_options=None,
remove_options=None):
p = angr.Project(filename)
trace, _, crash_mode, crash_addr = do_trace(
p,
test_name,
stdin,
ld_linux=p.loader.linux_loader_object.binary,
library_path=set(
os.path.dirname(obj.binary) for obj in p.loader.all_elf_objects),
record_stdout=True,
)
s = p.factory.full_init_state(
mode="tracing",
stdin=angr.SimFileStream,
add_options=add_options,
remove_options=remove_options,
)
s.preconstrainer.preconstrain_file(stdin, s.posix.stdin, True)
simgr = p.factory.simulation_manager(s,
hierarchy=False,
save_unconstrained=crash_mode)
t = angr.exploration_techniques.Tracer(trace, crash_addr=crash_addr)
simgr.use_technique(t)
simgr.use_technique(angr.exploration_techniques.Oppologist())
return simgr, t
def test_simprocs():
binary = os.path.join(bin_location, "tests/i386/driller_simproc")
memcmp = angr.SIM_PROCEDURES['libc']['memcmp']()
input_str = 'A' * 0x80
p = angr.Project(binary)
trace, magic, crash_mode, crash_addr = do_trace(p, 'driller_core_simprocs',
input_str)
p.hook(0x8048200, memcmp)
p._simos.syscall_library.update(angr.SIM_LIBRARIES['cgcabi_tracer'])
s = p.factory.tracer_state(input_content=input_str, magic_content=magic)
simgr = p.factory.simgr(s,
save_unsat=True,
hierarchy=False,
save_unconstrained=crash_mode)
t = angr.exploration_techniques.Tracer(trace=trace)
c = angr.exploration_techniques.CrashMonitor(trace=trace,
crash_mode=crash_mode,
crash_addr=crash_addr)
d = angr.exploration_techniques.DrillerCore(trace)
simgr.use_technique(c)
simgr.use_technique(t)
simgr.use_technique(angr.exploration_techniques.Oppologist())
simgr.use_technique(d)
simgr.run()
nose.tools.assert_true('diverted' in simgr.stashes)
def test_cgc():
binary = os.path.join(bin_location, "tests/cgc/sc1_0b32aa01_01")
input_str = 'AAAA'
# Initialize the tracer.
p = angr.Project(binary)
trace, magic, crash_mode, crash_addr = do_trace(p, 'driller_core_cgc',
input_str)
p._simos.syscall_library.update(angr.SIM_LIBRARIES['cgcabi_tracer'])
s = p.factory.tracer_state(input_content=input_str, magic_content=magic)
simgr = p.factory.simgr(s,
save_unsat=True,
hierarchy=False,
save_unconstrained=crash_mode)
t = angr.exploration_techniques.Tracer(trace=trace)
c = angr.exploration_techniques.CrashMonitor(trace=trace,
crash_mode=crash_mode,
crash_addr=crash_addr)
d = angr.exploration_techniques.DrillerCore(trace)
simgr.use_technique(c)
simgr.use_technique(t)
simgr.use_technique(angr.exploration_techniques.Oppologist())
simgr.use_technique(d)
simgr.run()
nose.tools.assert_true('diverted' in simgr.stashes)
def test_crash_addr_detection():
b = os.path.join(bin_location, "tests/i386/call_symbolic")
p = angr.Project(b)
p.simos.syscall_library.update(angr.SIM_LIBRARIES['cgcabi_tracer'])
trace, magic, crash_mode, crash_addr = do_trace(
p, 'tracer_crash_addr_detection', 'A' * 700)
s = p.factory.tracer_state(input_content="A" * 700, magic_content=magic)
simgr = p.factory.simulation_manager(s,
save_unsat=True,
hierarchy=False,
save_unconstrained=crash_mode)
t = angr.exploration_techniques.Tracer(trace=trace)
c = angr.exploration_techniques.CrashMonitor(trace=trace,
crash_mode=crash_mode,
crash_addr=crash_addr)
simgr.use_technique(c)
simgr.use_technique(t)
simgr.use_technique(angr.exploration_techniques.Oppologist())
simgr.run()
nose.tools.assert_true('crashed' in simgr.stashes)
nose.tools.assert_true(simgr.crashed[0].se.symbolic(
simgr.crashed[0].regs.ip))
def test_allocation_base_continuity():
correct_out = 'prepare for a challenge\nb7fff000\nb7ffe000\nb7ffd000\nb7ffc000\nb7ffb000\nb7ffa000\nb7ff9000\nb7ff8000\nb7ff7000\nb7ff6000\nb7ff5000\nb7ff4000\nb7ff3000\nb7ff2000\nb7ff1000\nb7ff0000\nb7fef000\nb7fee000\nb7fed000\nb7fec000\ndeallocating b7ffa000\na: b7ffb000\nb: b7fff000\nc: b7ff5000\nd: b7feb000\ne: b7fe8000\ne: b7fa8000\na: b7ffe000\nb: b7ffd000\nc: b7ff7000\nd: b7ff6000\ne: b7ff3000\ne: b7f68000\nallocate: 3\na: b7fef000\n'
b = os.path.join(bin_location, "tests/i386/cgc_allocations")
p = angr.Project(b)
p.simos.syscall_library.update(angr.SIM_LIBRARIES['cgcabi_tracer'])
trace, magic, crash_mode, crash_addr = do_trace(
p, 'tracer_allocation_base_continuity', '')
s = p.factory.tracer_state(input_content="", magic_content=magic)
simgr = p.factory.simulation_manager(s,
save_unsat=True,
hierarchy=False,
save_unconstrained=crash_mode)
t = angr.exploration_techniques.Tracer(trace=trace)
c = angr.exploration_techniques.CrashMonitor(trace=trace,
crash_mode=crash_mode,
crash_addr=crash_addr)
simgr.use_technique(c)
simgr.use_technique(t)
simgr.use_technique(angr.exploration_techniques.Oppologist())
simgr.run()
nose.tools.assert_equal(simgr.traced[0].posix.dumps(1), correct_out)
def test_recursion():
blob = "00aadd114000000000000000200000001d0000000005000000aadd2a1100001d0000000001e8030000aadd21118611b3b3b3b3b3e3b1b1b1adb1b1b1b1b1b1118611981d8611".decode(
'hex')
fname = os.path.join(os.path.dirname(__file__),
"../../binaries/tests/cgc/NRFIN_00075")
p = angr.Project(fname)
trace, magic, crash_mode, crash_addr = do_trace(p, 'tracer_recursion',
blob)
p.simos.syscall_library.update(angr.SIM_LIBRARIES['cgcabi_tracer'])
s = p.factory.tracer_state(input_content=blob, magic_content=magic)
simgr = p.factory.simulation_manager(s,
save_unsat=True,
hierarchy=False,
save_unconstrained=crash_mode)
t = angr.exploration_techniques.Tracer(trace=trace)
c = angr.exploration_techniques.CrashMonitor(trace=trace,
crash_mode=crash_mode,
crash_addr=crash_addr)
simgr.use_technique(c)
simgr.use_technique(t)
simgr.use_technique(angr.exploration_techniques.Oppologist())
simgr.run()
crash_path = t.predecessors[-1]
crash_state = simgr.one_crashed
nose.tools.assert_not_equal(crash_path, None)
nose.tools.assert_not_equal(crash_state, None)
def test_manual_recursion():
b = os.path.join(bin_location, "tests/cgc", "CROMU_00071")
blob = open(os.path.join(bin_location, 'tests_data/', 'crash2731')).read()
p = angr.Project(b)
trace, magic, crash_mode, crash_addr = do_trace(p,
'tracer_manual_recursion',
blob)
p.simos.syscall_library.update(angr.SIM_LIBRARIES['cgcabi_tracer'])
s = p.factory.tracer_state(input_content=blob, magic_content=magic)
simgr = p.factory.simulation_manager(s,
save_unsat=True,
hierarchy=False,
save_unconstrained=crash_mode)
simgr.use_technique(
angr.exploration_techniques.CrashMonitor(trace=trace,
crash_mode=crash_mode,
crash_addr=crash_addr))
t = angr.exploration_techniques.Tracer(trace=trace)
simgr.use_technique(t)
simgr.use_technique(angr.exploration_techniques.Oppologist())
simgr.run()
crash_path = t.predecessors[-1]
crash_state = simgr.one_crashed
nose.tools.assert_not_equal(crash_path, None)
nose.tools.assert_not_equal(crash_state, None)
def test_symbolic_sized_receives():
b = os.path.join(bin_location, "tests/cgc/CROMU_00070")
p = angr.Project(b)
p.simos.syscall_library.update(angr.SIM_LIBRARIES['cgcabi_tracer'])
trace, magic, crash_mode, crash_addr = do_trace(
p, 'tracer_symbolic_sized_receives', 'hello')
s = p.factory.tracer_state(input_content="hello", magic_content=magic)
simgr = p.factory.simulation_manager(s,
save_unsat=True,
hierarchy=False,
save_unconstrained=crash_mode)
t = angr.exploration_techniques.Tracer(trace=trace)
c = angr.exploration_techniques.CrashMonitor(trace=trace,
crash_mode=crash_mode,
crash_addr=crash_addr)
simgr.use_technique(c)
simgr.use_technique(t)
simgr.use_technique(angr.exploration_techniques.Oppologist())
simgr.run()
nose.tools.assert_true('crashed' not in simgr.stashes)
nose.tools.assert_true('traced' in simgr.stashes)
trace, magic, crash_mode, crash_addr = do_trace(
p, 'tracer_symbolic_sized_receives_nulls', '\0' * 20)
s = p.factory.tracer_state(input_content="\x00" * 20)
simgr = p.factory.simulation_manager(s,
save_unsat=True,
hierarchy=False,
save_unconstrained=crash_mode)
t = angr.exploration_techniques.Tracer(trace=trace)
c = angr.exploration_techniques.CrashMonitor(trace=trace,
crash_mode=crash_mode,
crash_addr=crash_addr)
simgr.use_technique(c)
simgr.use_technique(t)
simgr.use_technique(angr.exploration_techniques.Oppologist())
simgr.run()
nose.tools.assert_true('crashed' not in simgr.stashes)
nose.tools.assert_true('traced' in simgr.stashes)
def test_cache_stall():
# test a valid palindrome
b = os.path.join(bin_location, "tests/cgc/CROMU_00071")
blob = "0c0c492a53acacacacacacacacacacacacac000100800a0b690e0aef6503697d660a0059e20afc0a0a332f7d66660a0059e20afc0a0a332f7fffffff16fb1616162516161616161616166a7dffffff7b0e0a0a6603697d660a0059e21c".decode(
'hex')
p = angr.Project(b)
trace, magic, crash_mode, crash_addr = do_trace(p, 'tracer_cache_stall',
blob)
p.simos.syscall_library.update(angr.SIM_LIBRARIES['cgcabi_tracer'])
s = p.factory.tracer_state(input_content=blob, magic_content=magic)
simgr = p.factory.simulation_manager(s,
save_unsat=True,
hierarchy=False,
save_unconstrained=crash_mode)
simgr.use_technique(
angr.exploration_techniques.CrashMonitor(trace=trace,
crash_mode=crash_mode,
crash_addr=crash_addr))
t = angr.exploration_techniques.Tracer(trace=trace)
simgr.use_technique(t)
simgr.use_technique(angr.exploration_techniques.Oppologist())
ZenPlugin.prep_tracer(s)
simgr.run()
crash_path = t.predecessors[-1]
crash_state = simgr.crashed[0]
nose.tools.assert_not_equal(crash_path, None)
nose.tools.assert_not_equal(crash_state, None)
# load it again
s = p.factory.tracer_state(input_content=blob, magic_content=magic)
simgr = p.factory.simulation_manager(s,
save_unsat=True,
hierarchy=False,
save_unconstrained=crash_mode)
simgr.use_technique(
angr.exploration_techniques.CrashMonitor(trace=trace,
crash_mode=crash_mode,
crash_addr=crash_addr))
t = angr.exploration_techniques.Tracer(trace=trace)
simgr.use_technique(t)
simgr.use_technique(angr.exploration_techniques.Oppologist())
ZenPlugin.prep_tracer(s)
simgr.run()
crash_path = t.predecessors[-1]
crash_state = simgr.one_crashed
nose.tools.assert_not_equal(crash_path, None)
nose.tools.assert_not_equal(crash_state, None)
def tracer_linux(filename, test_name, stdin):
p = angr.Project(filename)
trace, _, crash_mode, crash_addr = do_trace(p, test_name, stdin)
s = p.factory.entry_state(mode='tracing', stdin=angr.SimFileStream)
s.preconstrainer.preconstrain_file(stdin, s.posix.stdin, True)
simgr = p.factory.simulation_manager(s, save_unsat=True, hierarchy=False, save_unconstrained=crash_mode)
t = angr.exploration_techniques.Tracer(trace)
c = angr.exploration_techniques.CrashMonitor(trace=trace, crash_addr=crash_addr)
if crash_mode:
simgr.use_technique(c)
simgr.use_technique(t)
simgr.use_technique(angr.exploration_techniques.Oppologist())
return simgr, t
def tracer_cgc(filename, test_name, stdin):
p = angr.Project(filename)
p.simos.syscall_library.update(angr.SIM_LIBRARIES['cgcabi_tracer'])
trace, magic, crash_mode, crash_addr = do_trace(p, test_name, stdin)
s = p.factory.entry_state(mode='tracing', stdin=angr.SimFileStream, flag_page=magic)
s.preconstrainer.preconstrain_file(stdin, s.posix.stdin, True)
simgr = p.factory.simulation_manager(s, save_unsat=True, hierarchy=False, save_unconstrained=crash_mode)
t = angr.exploration_techniques.Tracer(trace)
c = angr.exploration_techniques.CrashMonitor(trace=trace, crash_addr=crash_addr)
if crash_mode:
simgr.use_technique(c)
simgr.use_technique(t)
simgr.use_technique(angr.exploration_techniques.Oppologist())
return simgr, t
def test_fauxware():
b = os.path.join(bin_location, "tests/x86_64/fauxware")
p = angr.Project(b)
trace, magic, crash_mode, crash_addr = do_trace(p, 'tracer_fauxware', 'A')
s = p.factory.tracer_state(input_content="A", magic_content=magic)
simgr = p.factory.simulation_manager(s, save_unsat=True, hierarchy=False, save_unconstrained=crash_mode)
t = angr.exploration_techniques.Tracer(trace=trace)
c = angr.exploration_techniques.CrashMonitor(trace=trace,
crash_mode=crash_mode,
crash_addr=crash_addr)
simgr.use_technique(c)
simgr.use_technique(t)
simgr.use_technique(angr.exploration_techniques.Oppologist())
simgr.run()
nose.tools.assert_true('traced' in simgr.stashes)
def tracer_linux(filename, test_name, stdin):
p = angr.Project(filename)
trace, _, crash_mode, crash_addr = do_trace(p, test_name, stdin)
s = p.factory.entry_state(mode='tracing', stdin=angr.SimFileStream)
s.preconstrainer.preconstrain_file(stdin, s.posix.stdin, True)
simgr = p.factory.simulation_manager(s,
save_unsat=True,
hierarchy=False,
save_unconstrained=crash_mode)
t = angr.exploration_techniques.Tracer(trace)
c = angr.exploration_techniques.CrashMonitor(trace=trace,
crash_addr=crash_addr)
if crash_mode:
simgr.use_technique(c)
simgr.use_technique(t)
simgr.use_technique(angr.exploration_techniques.Oppologist())
return simgr, t
def tracer_cgc(filename,
test_name,
stdin,
copy_states=False,
follow_unsat=False,
read_strategies=None,
write_strategies=None,
add_options=None,
remove_options=None,
syscall_data=None):
p = angr.Project(filename)
p.simos.syscall_library.update(angr.SIM_LIBRARIES["cgcabi_tracer"])
trace, magic, crash_mode, crash_addr = do_trace(p, test_name, stdin)
s = p.factory.entry_state(mode="tracing",
stdin=angr.SimFileStream,
flag_page=magic,
add_options=add_options,
remove_options=remove_options)
if read_strategies is not None:
s.memory.read_strategies = read_strategies
if write_strategies is not None:
s.memory.write_strategies = write_strategies
s.preconstrainer.preconstrain_file(stdin, s.posix.stdin, True)
simgr = p.factory.simulation_manager(s,
hierarchy=False,
save_unconstrained=crash_mode)
t = angr.exploration_techniques.Tracer(
trace,
crash_addr=crash_addr,
keep_predecessors=1,
copy_states=copy_states,
follow_unsat=follow_unsat,
syscall_data=syscall_data,
)
simgr.use_technique(t)
simgr.use_technique(angr.exploration_techniques.Oppologist())
return simgr, t