Beispiel #1
0
 def test_function_eq(self):
     func_name = 'cFunction'
     cfunc_impl = Function(func_name, ['int', 'int', 'int'])
     cfunc1 = Function(func_name, [1, 2, 3])
     res = cfunc1 == cfunc_impl and hash(cfunc1) == hash(cfunc_impl)
     res2 = cfunc_impl == cfunc1
     self.assertTrue(res and res2, 'The equality of Function and CFuncImpl is not working properly!')
Beispiel #2
0
 def _read_remaining_stub(self, imp_stub):
     ''' Turn remaining `ImpStub`s into a Function and store it in the `MethodCall` '''
     imp_stub_name = imp_stub.get_imp()
     function = Function(imp_stub_name)
     # use heuristic from `AssignmentMatchingSystem` to determine the number of arguments for the function
     arguments = self.get_memory().get_arguments_from_asm_heuristic()
     function.set_func_arguments(arguments)
     self._store_function(function)
Beispiel #3
0
 def test_is_exploitable_log_func(self):
     ''' Test the method `mc_is_exploitable_log_func` '''
     msg_send = MsgSend(ObjcClass('NSString'), [Selector('stringWithFormat:', [MethodSelectorArgument('arg1')])])
     exploitable_func = Function('NSLog', [msg_send])
     res = mc_is_exploitable_log_func(exploitable_func)
     print 'is exploitable: %s = %s' % (exploitable_func, res)
     
     exploitable_printf = Function('printf', [StackVar('var_216')])
     res2 = mc_is_exploitable_log_func(exploitable_printf)
     print 'is exploitable: %s = %s' % (exploitable_printf, res2)
     
     exploitable_printf2 = Function('printf', [MethodSelectorArgument('arg1')])
     res3 = mc_is_exploitable_log_func(exploitable_printf2)
     print 'is exploitable: %s = %s' % (exploitable_printf2, res3)
     
     self.assertTrue(all((res, res2, res3)), 'The method `mc_is_exploitable_log_func` is not working properly!')
Beispiel #4
0
 def test_mc_sel_via_nsselector_from_string(self):
     ''' Test the `mc_sel_via_nsselector_from_string` function '''
     sel_to_load = 'setAllowsAnyHTTPSCertificate:forHost'
     function = Function('NSSelectorFromString', [NSString(sel_to_load)])
     res = mc_sel_via_nsselector_from_string(function, 'setAllowsAnyHTTPSCertificate')
     print '%s loads selector: %s = %s' % (function, sel_to_load, res) 
     self.assertTrue(res, 'The method `mc_sel_via_nsselector_from_string` is not working properly!')
Beispiel #5
0
 def _read_formatstring_log(self, imp):
     ''' Read an NSLog `ImpStub` and add it to the `MethodCall. 
     
     Parameters
     ----------
     imp: Imp
     
     Raises
     ------
     CpuCouldNotReadLogFuncException
         if the NSLog could not be read 
         
     Returns
     -------
     is NSLog
     '''
     if isinstance(imp, ImpStub):
         is_formatstring_log = imp.is_format_string_log()
         log_func_name = imp.imp
         formatstring_log = None
         if is_formatstring_log:
             format_string_args = []
             # check if fst arg is `FormatString` and resolve the other arguments
             try:
                 formatstring_log_string = self.get_current_destination(
                     objc_msgSend_stret=False)
                 format_string_args = [formatstring_log_string]
                 if isinstance(formatstring_log_string, str):
                     formatstring_log_string = NSString(
                         formatstring_log_string)
                 elif isinstance(formatstring_log_string, Arguments):
                     try:
                         formatstring_log_string.fill_from_cpu(self)
                     except (FormatStringOverLoadedException,
                             FormatStringUnderLoadedException) as e:
                         log.exception(e)
                 # fst arg is no format string -> use heuristic for number of arguments
                 elif not isinstance(formatstring_log_string,
                                     (NSString, CString)):
                     # use heuristic from `AssignmentMatchingSystem` to determine the number of arguments for the function
                     format_string_args = self.get_memory(
                     ).get_arguments_from_asm_heuristic()
                     # fill args that can fill themselves from cpu
                     for arg in format_string_args:
                         if isinstance(arg, Arguments):
                             arg.fill_from_cpu(self)
                 formatstring_log = Function(log_func_name,
                                             format_string_args)
                 self._store_function(formatstring_log)
             except CpuCouldNotGetDestination as e:
                 raise CpuCouldNotReadLogFuncException(
                     self, log_func_name, '%s\n%s' %
                     (formatstring_log, e)), None, sys.exc_info()[2]
         return is_formatstring_log
     return False
Beispiel #6
0
 def parse_own_c_method_called(asmline):
     re_own_c_method_call_match = regexp.compiled_vre(regexp.RE_OWN_C_METHOD_CALLED).search(asmline)
     if re_own_c_method_call_match:
         func_name = re_own_c_method_call_match.group(regexp.RE_OWN_C_METHOD_BASE_GR_NAME)
         func_args_str = re_own_c_method_call_match.group(regexp.RE_OWN_C_METHOD_BASE_GR_ARGS)
         if func_args_str is not None:
             func_args_list = re_own_c_method_call_match.group(regexp.RE_OWN_C_METHOD_BASE_GR_ARGS).split(', ')
         else:
             func_args_list = []                
         return Function(func_name, func_args_list)
     return None
Beispiel #7
0
 def test_contains_imp_got(self):
     ''' Test the `mc_contains_imp_got` method '''
     imp_got_to_search = 'NSStreamSocketSecurityLevelNone'
     args = [ImpGot(imp_got_to_search), ImpGot('NSStreamSocketSecurityLevel')]
     msg_send = MsgSend(ObjcClass("NSOutputStream"), [Selector('setProperty:forKey:', arguments = args)])
     res = mc_contains_imp_got(msg_send, imp_got_to_search)
     print '%s\n has %s: %s' % (msg_send, imp_got_to_search, res)
     
     imp_got_to_search = 'kSBXProfileNoWrite'
     c_func = Function('sandbox_init', func_arguments = [ImpGot('kSBXProfileNoWrite')])
     res2 = mc_contains_imp_got(c_func, imp_got_to_search)
     print '%s\n has %s: %s' % (c_func, imp_got_to_search, res)
     
     self.assertTrue(res and res2, 'Method `mc_contains_imp_got` not working properly!')
Beispiel #8
0
 def parse_c_method_name(asmline):
     '''
     Check if is `RE_SUB` or `RE_C_METHOD` and return the appropriate name if available.
     Otherwise None.
     
     Returns
     -------
     Function
         if `RE_C_METHOD` matches
     Sub
         if `RE_SUB` matches
     '''
     re_sub_match = regexp.compiled_vre(regexp.RE_SUB).search(asmline)
     if re_sub_match:
         return Sub(re_sub_match.group(regexp.RE_SUB_GR_SUBNAME))
     re_c_method_match = regexp.compiled_vre(regexp.RE_C_METHOD).search(asmline)
     if re_c_method_match:
         return Function(re_c_method_match.group(regexp.RE_C_METHOD_GR_NAME))
     return None
Beispiel #9
0
 def __hash__(self):
     return hash((Function.__hash__(self), self.class_of_func))
Beispiel #10
0
 def __eq__(self, other):
     if isinstance(other, ClassFunc):
         return self is other or (Function.__eq__(self, other) and self.class_of_func == other.class_of_func)
     return False
Beispiel #11
0
 def __str__(self):
     return '%s.%s' % (self.get_class_of_func(), Function.__str__(self))
Beispiel #12
0
 def __init__(self, class_of_func, function, func_arguments, is_static = False):
     Function.__init__(self, function, func_arguments, is_static = is_static)
     self.__class_of_func = class_of_func