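def find_stack_msg(limit=None):
    """Run the stack-overflow search once and report what it found.

    A child process runs ``find_stack_repeat(limit)`` and is killed if it is
    still alive after the module-level ``limit_time`` seconds.  The worker's
    results are then read back from ``stack.json`` (one JSON object per line)
    and both printed and written through ``log.WrLog``, split into overflows
    that reach the saved BP and those that reach the saved PC.

    Args:
        limit: passed straight through to ``find_stack_repeat``; ``None``
            means the worker's own default.

    Returns:
        None.  Returns early, after logging, when ``stack.json`` cannot be
        opened, i.e. the worker produced no results.
    """
    # Run the search in a child process so a runaway run can be killed.
    p = Process(target=find_stack_repeat, args=(limit, ))
    # NOTE(review): in the collapsed original "# p.start()" read like a
    # comment; join() on an unstarted process raises, so start() is kept
    # live here -- confirm against the original file layout.
    p.start()
    p.join(limit_time)
    if p.is_alive():
        print("[-] runing over limit time,kill it")
        log.WrLog("[-] runing over limit time,kill it")
        p.terminate()
        p.join()

    # Read-only is all that is needed: the file is only ever read, so the
    # "r+" mode (and the leftover seek(0) before a commented-out truncate)
    # only demanded write permission for nothing.
    try:
        fp = open("stack.json", "r")
    except OSError:
        log.WrLog("find nothing in stack overflow vulnerability!")
        print("find nothing in stack overflow vulnerability!")
        return

    bp_overflow_result = []
    pc_overflow_result = []
    with fp:
        for line_no, str_line in enumerate(fp, 1):
            if not str_line.strip():
                continue  # tolerate blank lines instead of crashing on them
            try:
                record = json.loads(str_line)
            except ValueError:
                # A worker killed by terminate() above can leave a partial
                # last line behind; skip it rather than lose the whole report.
                log.WrLog("[-] skipping malformed line {} in stack.json".format(line_no))
                continue
            if "bp_overflow_result" in record:
                bp_overflow_result.append(record["bp_overflow_result"])
            if "pc_overflow_result" in record:
                pc_overflow_result.append(record["pc_overflow_result"])

    # The original concatenated the *return value* of WrLog with the tail of
    # the message (misplaced parenthesis), which raises TypeError when WrLog
    # returns None; build the whole string before logging it.
    log.WrLog("\n[+]===has found" + str(len(bp_overflow_result)) + "stack overflow to BP===")
    print("\n[+]===has found", len(bp_overflow_result), "stack overflow to BP===")
    path_msg(bp_overflow_result, "bp_overflow_result")
    log.WrLog("\n[+]===has found" + str(len(pc_overflow_result)) + "stack overflow to PC===")
    print("\n[+]===has found", len(pc_overflow_result), "stack overflow to PC===")
    path_msg(pc_overflow_result, "pc_overflow_result")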
def path_msg(inlist, type):
    """Print and log one report per result dict in *inlist*.

    Each entry is headed by a separator line carrying *type* (the result
    category, e.g. "bp_overflow_result").  Then, for each known key that is
    present in the entry, one "[label]:value" line is written via
    ``log.WrLog`` and printed.  The values (stdout, stdin, argv, ...) are
    whatever the analysis recorded from the target program and are emitted
    verbatim.

    Args:
        inlist: list of result dicts as produced by the stack-overflow search.
        type: category label for the header.  It shadows the builtin, but the
            name is kept because it is part of the call signature.
    """
    # Output order is fixed: one label per key, in this sequence.
    fields = (
        ("over_num", "[over bytes]:"),
        ("stdout", "[stdout]:"),
        ("stdin", "[stdin]:"),
        ("chain", "[jump chain]:"),
        ("argv", "[argv]:"),
    )
    for entry in inlist:
        print("\n------------------------", type, "------------------------")
        for key, label in fields:
            if key not in entry:
                continue
            line = label + str(entry[key])
            log.WrLog(line)
            print(line)
    print()
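def ReadNum(json):
    """Return the number of lines in the file at path *json*.

    Args:
        json: path of the (JSON-lines) result file to count.  The parameter
            shadows the ``json`` module inside this function; the name is
            kept because it is part of the call signature.

    Returns:
        The line count, or 0 when the file cannot be opened or decoded.  In
        that case the failure is also written to the log, since a missing
        file means the corresponding search found nothing.
    """
    try:
        # Read-only access is enough; "r+" needlessly required write
        # permission, and `with` closes the handle on every path (the
        # original never closed it).
        with open(json, "r") as fp:
            return sum(1 for _ in fp)
    except (OSError, ValueError):
        # ValueError covers UnicodeDecodeError on non-text content, which the
        # original bare except also swallowed.
        log.WrLog("find nothing in error regs vulnerability!")
        return 0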
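def main():
    """Entry point: show the target's hardening info, then run every search.

    ``filename`` (the target binary), ``sleep``, ``timeit``, ``multiprocessing``,
    ``log`` and the ``find_*`` search functions are module-level names.  The
    five searches run in parallel in a process pool; any exception raised
    inside a worker is reported instead of being silently dropped.
    """
    import subprocess  # local import: the file's import block is out of view

    print("[+] the msg of target program:")
    # Argument list instead of a shell string: a path containing spaces or
    # shell metacharacters reaches checksec unchanged instead of being
    # parsed by /bin/sh.
    try:
        subprocess.run(["checksec", filename])
    except FileNotFoundError:
        print("[-] checksec not found, skipping")
        log.WrLog("[-] checksec not found, skipping")
    sleep(1)

    start = timeit.default_timer()
    searches = (
        find_stack_overflow,
        find_arbitrary,
        find_error_regs,
        find_format,
        find_heap_vul,
    )
    pool = multiprocessing.Pool(processes=len(searches))
    # Keep the AsyncResult handles: without calling get() on them an
    # exception inside a worker is never surfaced.
    pending = [(fn.__name__, pool.apply_async(fn)) for fn in searches]
    pool.close()
    pool.join()
    for name, result in pending:
        try:
            result.get()  # workers are finished after join(); this does not block
        except Exception as exc:
            msg = "[-] {} failed: {!r}".format(name, exc)
            print(msg)
            log.WrLog(msg)

    end = timeit.default_timer()
    TaskTime = end - start
    # NOTE(review): the original called log.WrLog() with no argument and
    # never used TaskTime; every other call site passes one message, so the
    # elapsed time is logged here -- confirm WrLog's signature.
    log.WrLog("[+] total running time: {:.2f}s".format(TaskTime))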