def run(self, f_p):
self.argument_types = {0: SimTypeFd()}
self.return_type = SimTypeInt(32, True)
fileno = angr.SIM_PROCEDURES['posix']['fileno']
fd = self.inline_call(fileno, f_p).ret_expr
# let's get the memory back for the file we're interested in and find
# the newline
fp = self.state.posix.get_file(fd)
pos = fp.pos
max_str_len = self.state.libc.max_str_len
# if there exists a limit on the file size, let's respect that, the
# limit cannot be symbolic
limit = max_str_len if fp.size is None else self.state.se.max_int(
fp.size - pos)
# limit will always be concrete, if it's zero we EOF'd
if limit != 0:
data = fp.read_from(1)
data = data.zero_extend(32 - data.size())
else:
data = -1 #EOF
data = BVV(data, 32)
return data
def run(self, fd):
#pylint:disable=attribute-defined-outside-init
self.argument_types = {0: SimTypeFd()}
self.return_type = SimTypeLength(self.state.arch)
return self.state.se.BVV(0, self.state.arch.bits)
def run(self, dst, size, file_ptr):
self.argument_types = {
2: SimTypeFd(),
0: self.ty_ptr(SimTypeArray(SimTypeChar(), size)),
1: SimTypeLength(self.state.arch)
}
self.return_type = self.argument_types[0]
# let's get the memory back for the file we're interested in and find the newline
fd_offset = io_file_data_for_arch(self.state.arch)['fd']
fd = self.state.mem[file_ptr + fd_offset:].int.resolved
simfd = self.state.posix.get_fd(fd)
if simfd is None:
return -1
data, real_size = simfd.read_data(size - 1)
for i, byte in enumerate(data.chop(8)):
self.state.solver.add(
self.state.solver.If(
i + 1 != real_size,
byte != '\n', # if not last byte returned, not newline
self.state.solver.
Or( # otherwise one of the following must be true
i + 2 == size, # we ran out of space, or
byte == '\n' # it is a newline
)))
self.state.memory.store(dst, data, size=real_size)
self.state.memory.store(dst + real_size, '\0')
return real_size
def run(self, f):
self.argument_types = {0: self.ty_ptr(SimTypeTop())}
self.return_type = SimTypeFd()
# Get FILE struct
io_file_data = io_file_data_for_arch(self.state.arch)
# Get the file descriptor from FILE struct
result = self.state.mem[f + io_file_data['fd']].int.resolved
return result.sign_extend(self.arch.bits - len(result))
def run(self, fd, dst, length):
self.argument_types = {0: SimTypeFd(),
1: self.ty_ptr(SimTypeArray(SimTypeChar(), length)),
2: SimTypeLength(self.state.arch)}
self.return_type = SimTypeLength(self.state.arch)
simfd = self.state.posix.get_fd(fd)
if simfd is None:
return -1
return simfd.read(dst, length)
def run(self, fd, dst, length):
self.argument_types = {
0: SimTypeFd(),
1: self.ty_ptr(SimTypeArray(SimTypeChar(), length)),
2: SimTypeLength(self.state.arch)
}
self.return_type = SimTypeLength(self.state.arch)
# TODO handle errors
length = self.state.posix.read(fd, dst, length)
return length
def run(self, f):
self.argument_types = {0: self.ty_ptr(SimTypeTop())}
self.return_type = SimTypeFd()
# Get FILE struct
io_file_data = io_file_data_for_arch(self.state.arch)
# Get the file descriptor from FILE struct
fd = self.state.se.any_int(
self.state.memory.load(
f + io_file_data['fd'],
4 * 8, # int
endness=self.state.arch.memory_endness))
return fd
def run(self, stream, simfd=None):
self.argument_types = {0: SimTypeFd()}
self.return_type = SimTypeInt(32, True)
if simfd is None:
fileno = angr.SIM_PROCEDURES['posix']['fileno']
fd = self.inline_call(fileno, stream).ret_expr
simfd = self.state.posix.get_fd(fd)
if simfd is None:
return -1
data, real_length, = simfd.read_data(1)
return self.state.solver.If(real_length == 0, -1,
data.zero_extend(self.state.arch.bits - 8))
def run(self, fd, dst, length):
self.argument_types = {
0: SimTypeFd(),
1: self.ty_ptr(SimTypeArray(SimTypeChar(), length)),
2: SimTypeLength(self.state.arch)
}
self.return_type = SimTypeLength(self.state.arch)
try:
simfd = self.state.posix.get_fd(fd)
if simfd is None:
return -1
return simfd.read(dst, length)
except angr.SimUnsatError:
return self.state.se.Unconstrained('read', 32, uninitialized=False)
def run(self, p_addr, flags):
self.argument_types = {
0: self.ty_ptr(SimTypeString()),
1: SimTypeInt(32, True)
}
self.return_type = SimTypeFd()
strlen = angr.SIM_PROCEDURES['libc']['strlen']
p_strlen = self.inline_call(strlen, p_addr)
p_expr = self.state.memory.load(p_addr,
p_strlen.max_null_index,
endness='Iend_BE')
path = self.state.se.eval(p_expr, cast_to=str)
fd = self.state.posix.open(path, flags)
return fd
def run(self, p_addr, flags, mode=0644): # pylint:disable=unused-argument
self.argument_types = {0: self.ty_ptr(SimTypeString()),
1: SimTypeInt(32, True)}
self.return_type = SimTypeFd()
strlen = angr.SIM_PROCEDURES['libc']['strlen']
p_strlen = self.inline_call(strlen, p_addr)
p_expr = self.state.memory.load(p_addr, p_strlen.max_null_index, endness='Iend_BE')
try:
path = self.state.se.eval(p_expr, cast_to=str)
fd = self.state.posix.open(path, flags)
if fd is None:
return -1
return fd
except angr.SimUnsatError:
return self.state.se.Unconstrained("open", 32, uninitialized=False)
def run(self, stream, simfd=None):
self.argument_types = {0: SimTypeFd()}
self.return_type = SimTypeInt(32, True)
if simfd is None:
fileno = angr.SIM_PROCEDURES['posix']['fileno']
fd = self.inline_call(fileno, stream).ret_expr
try:
simfd = self.state.posix.get_fd(fd)
except angr.SimUnsatError:
# XXX: fileno may return symbolic value
return self.state.se.Unconstrained("fgetc_char", 32, uninitialized=False)
if simfd is None:
return -1
data, real_length, = simfd.read_data(1)
return self.state.solver.If(real_length == 0, -1, data.zero_extend(24))
def run(self, stream, simfile=None):
self.argument_types = {0: SimTypeFd()}
self.return_type = SimTypeInt(32, True)
if simfile is None:
fileno = angr.SIM_PROCEDURES['posix']['fileno']
fd = self.inline_call(fileno, stream).ret_expr
simfile = self.state.posix.get_file(fd)
pos = simfile.pos
limit = 1 if simfile.size is None else self.state.se.max_int(simfile.size - pos)
if limit != 0:
data = simfile.read_from(1)
data = data.zero_extend(self.state.arch.bits - len(data))
else:
data = -1 #EOF
data = self.state.solver.BVV(data, self.state.arch.bits)
return data
def run(self, p_addr, flags, mode): # pylint:disable=unused-argument
self.argument_types = {
0: self.ty_ptr(SimTypeString()),
1: SimTypeInt(32, True)
}
self.return_type = SimTypeFd()
strlen = angr.SIM_PROCEDURES['libc']['strlen']
p_strlen = self.inline_call(strlen, p_addr)
p_expr = self.state.memory.load(p_addr,
p_strlen.max_null_index,
endness='Iend_BE')
path = self.state.solver.eval(p_expr, cast_to=bytes)
fd = self.state.posix.open(path, flags)
if fd is None:
return -1
return fd
def run(self, f):
self.argument_types = {0: self.ty_ptr(SimTypeTop())}
self.return_type = SimTypeFd()
# Get FILE struct
io_file_data = io_file_data_for_arch(self.state.arch)
try:
# Get the file descriptor from FILE struct
fd = self.state.se.eval(
self.state.memory.load(
f + io_file_data['fd'],
4 * 8, # int
endness=self.state.arch.memory_endness))
return fd
except angr.SimUnsatError:
# XXX: hase -> resymbolic
return self.state.se.Unconstrained("fileno_fd",
32,
uninitialized=False)
def run(self, fd, dst, length):
self.argument_types = {
0: SimTypeFd(),
1: self.ty_ptr(SimTypeArray(SimTypeChar(), length)),
2: SimTypeLength(self.state.arch)
}
self.return_type = SimTypeLength(self.state.arch)
# TODO handle errors
length = self.state.posix.read(fd, dst, length)
filename = self.state.posix.get_file(fd)
#filter read passwd file
if (filename.name.find('passwd') != -1 or 1):
print filename.name + ' !!!'
#print "test!!!!"
fff = open('/data/find_read.flag', 'w')
fff.close()
write_file('read file name: ' + filename.name + '\n')
return length
def run(self, dst, size, file_ptr):
self.argument_types = {
2: SimTypeFd(),
0: self.ty_ptr(SimTypeArray(SimTypeChar(), size)),
1: SimTypeLength(self.state.arch)
}
self.return_type = self.argument_types[0]
# some sensible limits for the new line search
max_symbolic_bytes = self.state.libc.buf_symbolic_bytes
max_str_len = self.state.libc.max_str_len
# let's get the memory back for the file we're interested in and find the newline
fd_offset = io_file_data_for_arch(self.state.arch)['fd']
fd = self.state.mem[file_ptr + fd_offset:].int.resolved
fp = self.state.posix.get_file(fd)
pos = fp.pos
mem = fp.content
# if there exists a limit on the file size, let's respect that, the limit cannot be symbolic
limit = max_str_len if fp.size is None else self.state.se.max_int(
fp.size - pos)
# limit will always be concrete, if it's zero we EOF'd
if limit != 0:
# XXX max_str_len is small, might not be suitable for tracing!
# measure up to the newline of size - 1
r, c, i = mem.find(pos,
self.state.se.BVV('\n'),
limit,
max_symbolic_bytes=max_symbolic_bytes)
else:
r = 0
c = []
# XXX: this is a HACK to determine if r is 0 because there is a newline at the first index or
# if r is 0 because there cannot be any newline
errored = False
if not self.state.se.satisfiable(extra_constraints=(r > 0, )):
errored = True
if self.state.se.solution(mem.load(0, 1), self.state.se.BVV('\n')):
errored = False
# make sure we only read up to size - 1
read_size = self.state.se.If(size == 0, 0, size - 1)
# if file can EOF (ie not completely symbolic)
if fp.size is not None:
read_size = self.state.se.If(limit < read_size, limit, read_size)
# now if find errored then there cannot exist a newline in the file, otherwise this logic checks out
if not errored:
newline_d = self.state.se.If(r == 0, r, r - pos + 1)
distance = self.state.se.If(read_size < newline_d, read_size,
newline_d)
else:
distance = read_size
# read in up to the newline
ret = self.inline_call(angr.SIM_PROCEDURES['posix']['read'], fd, dst,
distance).ret_expr
# in case there's no newline
c = self.state.se.Or(ret == read_size, *c)
self.state.add_constraints(c)
# otherwise we take care of the newline case
# now write the terminating null byte, should be placed after the newline which is also stored
self.state.memory.store(dst + distance, self.state.se.BVV(0, 8))
inner_case = self.state.se.If(self.state.se.And(fp.pos == 0, ret == 0),
0, dst)
return self.state.se.If(size == 0, 0, inner_case)
