def run(self, f_p): self.argument_types = {0: SimTypeFd()} self.return_type = SimTypeInt(32, True) fileno = angr.SIM_PROCEDURES['posix']['fileno'] fd = self.inline_call(fileno, f_p).ret_expr # let's get the memory back for the file we're interested in and find # the newline fp = self.state.posix.get_file(fd) pos = fp.pos max_str_len = self.state.libc.max_str_len # if there exists a limit on the file size, let's respect that, the # limit cannot be symbolic limit = max_str_len if fp.size is None else self.state.se.max_int( fp.size - pos) # limit will always be concrete, if it's zero we EOF'd if limit != 0: data = fp.read_from(1) data = data.zero_extend(32 - data.size()) else: data = -1 #EOF data = BVV(data, 32) return data
def run(self, fd): #pylint:disable=attribute-defined-outside-init self.argument_types = {0: SimTypeFd()} self.return_type = SimTypeLength(self.state.arch) return self.state.se.BVV(0, self.state.arch.bits)
def run(self, dst, size, file_ptr): self.argument_types = { 2: SimTypeFd(), 0: self.ty_ptr(SimTypeArray(SimTypeChar(), size)), 1: SimTypeLength(self.state.arch) } self.return_type = self.argument_types[0] # let's get the memory back for the file we're interested in and find the newline fd_offset = io_file_data_for_arch(self.state.arch)['fd'] fd = self.state.mem[file_ptr + fd_offset:].int.resolved simfd = self.state.posix.get_fd(fd) if simfd is None: return -1 data, real_size = simfd.read_data(size - 1) for i, byte in enumerate(data.chop(8)): self.state.solver.add( self.state.solver.If( i + 1 != real_size, byte != '\n', # if not last byte returned, not newline self.state.solver. Or( # otherwise one of the following must be true i + 2 == size, # we ran out of space, or byte == '\n' # it is a newline ))) self.state.memory.store(dst, data, size=real_size) self.state.memory.store(dst + real_size, '\0') return real_size
def run(self, f): self.argument_types = {0: self.ty_ptr(SimTypeTop())} self.return_type = SimTypeFd() # Get FILE struct io_file_data = io_file_data_for_arch(self.state.arch) # Get the file descriptor from FILE struct result = self.state.mem[f + io_file_data['fd']].int.resolved return result.sign_extend(self.arch.bits - len(result))
def run(self, fd, dst, length): self.argument_types = {0: SimTypeFd(), 1: self.ty_ptr(SimTypeArray(SimTypeChar(), length)), 2: SimTypeLength(self.state.arch)} self.return_type = SimTypeLength(self.state.arch) simfd = self.state.posix.get_fd(fd) if simfd is None: return -1 return simfd.read(dst, length)
def run(self, fd, dst, length): self.argument_types = { 0: SimTypeFd(), 1: self.ty_ptr(SimTypeArray(SimTypeChar(), length)), 2: SimTypeLength(self.state.arch) } self.return_type = SimTypeLength(self.state.arch) # TODO handle errors length = self.state.posix.read(fd, dst, length) return length
def run(self, f): self.argument_types = {0: self.ty_ptr(SimTypeTop())} self.return_type = SimTypeFd() # Get FILE struct io_file_data = io_file_data_for_arch(self.state.arch) # Get the file descriptor from FILE struct fd = self.state.se.any_int( self.state.memory.load( f + io_file_data['fd'], 4 * 8, # int endness=self.state.arch.memory_endness)) return fd
def run(self, stream, simfd=None): self.argument_types = {0: SimTypeFd()} self.return_type = SimTypeInt(32, True) if simfd is None: fileno = angr.SIM_PROCEDURES['posix']['fileno'] fd = self.inline_call(fileno, stream).ret_expr simfd = self.state.posix.get_fd(fd) if simfd is None: return -1 data, real_length, = simfd.read_data(1) return self.state.solver.If(real_length == 0, -1, data.zero_extend(self.state.arch.bits - 8))
def run(self, fd, dst, length): self.argument_types = { 0: SimTypeFd(), 1: self.ty_ptr(SimTypeArray(SimTypeChar(), length)), 2: SimTypeLength(self.state.arch) } self.return_type = SimTypeLength(self.state.arch) try: simfd = self.state.posix.get_fd(fd) if simfd is None: return -1 return simfd.read(dst, length) except angr.SimUnsatError: return self.state.se.Unconstrained('read', 32, uninitialized=False)
def run(self, p_addr, flags): self.argument_types = { 0: self.ty_ptr(SimTypeString()), 1: SimTypeInt(32, True) } self.return_type = SimTypeFd() strlen = angr.SIM_PROCEDURES['libc']['strlen'] p_strlen = self.inline_call(strlen, p_addr) p_expr = self.state.memory.load(p_addr, p_strlen.max_null_index, endness='Iend_BE') path = self.state.se.eval(p_expr, cast_to=str) fd = self.state.posix.open(path, flags) return fd
def run(self, p_addr, flags, mode=0644): # pylint:disable=unused-argument self.argument_types = {0: self.ty_ptr(SimTypeString()), 1: SimTypeInt(32, True)} self.return_type = SimTypeFd() strlen = angr.SIM_PROCEDURES['libc']['strlen'] p_strlen = self.inline_call(strlen, p_addr) p_expr = self.state.memory.load(p_addr, p_strlen.max_null_index, endness='Iend_BE') try: path = self.state.se.eval(p_expr, cast_to=str) fd = self.state.posix.open(path, flags) if fd is None: return -1 return fd except angr.SimUnsatError: return self.state.se.Unconstrained("open", 32, uninitialized=False)
def run(self, stream, simfd=None): self.argument_types = {0: SimTypeFd()} self.return_type = SimTypeInt(32, True) if simfd is None: fileno = angr.SIM_PROCEDURES['posix']['fileno'] fd = self.inline_call(fileno, stream).ret_expr try: simfd = self.state.posix.get_fd(fd) except angr.SimUnsatError: # XXX: fileno may return symbolic value return self.state.se.Unconstrained("fgetc_char", 32, uninitialized=False) if simfd is None: return -1 data, real_length, = simfd.read_data(1) return self.state.solver.If(real_length == 0, -1, data.zero_extend(24))
def run(self, stream, simfile=None): self.argument_types = {0: SimTypeFd()} self.return_type = SimTypeInt(32, True) if simfile is None: fileno = angr.SIM_PROCEDURES['posix']['fileno'] fd = self.inline_call(fileno, stream).ret_expr simfile = self.state.posix.get_file(fd) pos = simfile.pos limit = 1 if simfile.size is None else self.state.se.max_int(simfile.size - pos) if limit != 0: data = simfile.read_from(1) data = data.zero_extend(self.state.arch.bits - len(data)) else: data = -1 #EOF data = self.state.solver.BVV(data, self.state.arch.bits) return data
def run(self, p_addr, flags, mode): # pylint:disable=unused-argument self.argument_types = { 0: self.ty_ptr(SimTypeString()), 1: SimTypeInt(32, True) } self.return_type = SimTypeFd() strlen = angr.SIM_PROCEDURES['libc']['strlen'] p_strlen = self.inline_call(strlen, p_addr) p_expr = self.state.memory.load(p_addr, p_strlen.max_null_index, endness='Iend_BE') path = self.state.solver.eval(p_expr, cast_to=bytes) fd = self.state.posix.open(path, flags) if fd is None: return -1 return fd
def run(self, f): self.argument_types = {0: self.ty_ptr(SimTypeTop())} self.return_type = SimTypeFd() # Get FILE struct io_file_data = io_file_data_for_arch(self.state.arch) try: # Get the file descriptor from FILE struct fd = self.state.se.eval( self.state.memory.load( f + io_file_data['fd'], 4 * 8, # int endness=self.state.arch.memory_endness)) return fd except angr.SimUnsatError: # XXX: hase -> resymbolic return self.state.se.Unconstrained("fileno_fd", 32, uninitialized=False)
def run(self, fd, dst, length): self.argument_types = { 0: SimTypeFd(), 1: self.ty_ptr(SimTypeArray(SimTypeChar(), length)), 2: SimTypeLength(self.state.arch) } self.return_type = SimTypeLength(self.state.arch) # TODO handle errors length = self.state.posix.read(fd, dst, length) filename = self.state.posix.get_file(fd) #filter read passwd file if (filename.name.find('passwd') != -1 or 1): print filename.name + ' !!!' #print "test!!!!" fff = open('/data/find_read.flag', 'w') fff.close() write_file('read file name: ' + filename.name + '\n') return length
def run(self, dst, size, file_ptr): self.argument_types = { 2: SimTypeFd(), 0: self.ty_ptr(SimTypeArray(SimTypeChar(), size)), 1: SimTypeLength(self.state.arch) } self.return_type = self.argument_types[0] # some sensible limits for the new line search max_symbolic_bytes = self.state.libc.buf_symbolic_bytes max_str_len = self.state.libc.max_str_len # let's get the memory back for the file we're interested in and find the newline fd_offset = io_file_data_for_arch(self.state.arch)['fd'] fd = self.state.mem[file_ptr + fd_offset:].int.resolved fp = self.state.posix.get_file(fd) pos = fp.pos mem = fp.content # if there exists a limit on the file size, let's respect that, the limit cannot be symbolic limit = max_str_len if fp.size is None else self.state.se.max_int( fp.size - pos) # limit will always be concrete, if it's zero we EOF'd if limit != 0: # XXX max_str_len is small, might not be suitable for tracing! # measure up to the newline of size - 1 r, c, i = mem.find(pos, self.state.se.BVV('\n'), limit, max_symbolic_bytes=max_symbolic_bytes) else: r = 0 c = [] # XXX: this is a HACK to determine if r is 0 because there is a newline at the first index or # if r is 0 because there cannot be any newline errored = False if not self.state.se.satisfiable(extra_constraints=(r > 0, )): errored = True if self.state.se.solution(mem.load(0, 1), self.state.se.BVV('\n')): errored = False # make sure we only read up to size - 1 read_size = self.state.se.If(size == 0, 0, size - 1) # if file can EOF (ie not completely symbolic) if fp.size is not None: read_size = self.state.se.If(limit < read_size, limit, read_size) # now if find errored then there cannot exist a newline in the file, otherwise this logic checks out if not errored: newline_d = self.state.se.If(r == 0, r, r - pos + 1) distance = self.state.se.If(read_size < newline_d, read_size, newline_d) else: distance = read_size # read in up to the newline ret = self.inline_call(angr.SIM_PROCEDURES['posix']['read'], fd, dst, distance).ret_expr # in case there's no newline c = self.state.se.Or(ret == read_size, *c) self.state.add_constraints(c) # otherwise we take care of the newline case # now write the terminating null byte, should be placed after the newline which is also stored self.state.memory.store(dst + distance, self.state.se.BVV(0, 8)) inner_case = self.state.se.If(self.state.se.And(fp.pos == 0, ret == 0), 0, dst) return self.state.se.If(size == 0, 0, inner_case)