コード例 #1
0
ファイル: test_lseek.py プロジェクト: yuzeming/angr 
    def test_lseek_cur(self):
        state = SimState(arch="AMD64", mode="symbolic")

        # This could be any number above 2 really
        fd = 3

        # Create a file
        state.fs.insert('/tmp/qwer', SimFile(name='qwer', size=100))
        assert fd == state.posix.open(b'/tmp/qwer', 2)

        # Part 1

        # Add 12
        current_pos = lseek(state,[fd,12,SEEK_CUR]).ret_expr
        current_pos = state.solver.eval(current_pos)

        # We should be at the start
        assert current_pos == 12

        # Part 2

        # Remove 3
        current_pos = lseek(state,[fd,-3,SEEK_CUR]).ret_expr
        current_pos = state.solver.eval(current_pos)

        # We should be at the start
        assert current_pos == 9
コード例 #2
0
ファイル: test_lseek.py プロジェクト: yuzeming/angr 
    def test_lseek_end(self):
        state = SimState(arch="AMD64", mode="symbolic")

        fd = 3

        # Create a file
        state.fs.insert('/tmp/qwer', SimFile(name='qwer', size=16))
        assert fd == state.posix.open(b'/tmp/qwer', 2)

        # Part 1

        # Add 5
        current_pos = lseek(state,[fd,0,SEEK_END]).ret_expr
        current_pos = state.solver.eval(current_pos)

        # We should be at the end + offset
        assert current_pos == 16

        # Part 2

        # Minus 6. End of file never actually changed
        current_pos = lseek(state,[fd,-6,SEEK_END]).ret_expr
        current_pos = state.solver.eval(current_pos)

        # We should be at the end + offset
        assert current_pos == 10
コード例 #3
0
ファイル: test_posix.py プロジェクト: yuzeming/angr 
def test_file_seek():

    # TODO: Make this test more complete

    state = SimState(arch="AMD64", mode='symbolic')

    # Normal seeking
    fd = state.posix.open(b"test1", 1)
    simfd = state.posix.get_fd(fd)
    simfd.seek(0, 'start')
    assert state.solver.is_true(simfd.tell() == 0)
    state.posix.close(fd)

    # TODO: test case: seek cannot go beyond the file size or current file pos

    # seek should not work for stdin/stdout/stderr
    assert state.solver.is_false(state.posix.get_fd(0).seek(0))
    assert state.solver.is_false(state.posix.get_fd(1).seek(0))
    assert state.solver.is_false(state.posix.get_fd(2).seek(0))

    # Seek from the end
    state.fs.insert('test2', SimFile(name='qwer', size=20))
    fd = state.posix.open(b"test2", 1)
    simfd = state.posix.get_fd(fd)
    simfd.seek(0, 'end')
    assert state.solver.is_true(simfd.tell() == 20)
    state.posix.close(fd)

    # seek to a symbolic position (whence symbolic end)
    fd = state.posix.open(b"unknown_size", 1)
    simfd = state.posix.get_fd(fd)
    real_end = state.fs.get("unknown_size").size
    simfd.seek(0, 'end')
    assert real_end is simfd.tell()
    state.posix.close(fd)
コード例 #4
0
ファイル: test_pwrite_pread.py プロジェクト: ohyeah521/angr-1 
def test_pwrite():
    pwrite = SIM_PROCEDURES['posix']['pwrite64']()

    state = SimState(arch="AMD64", mode='symbolic')
    simfile = SimFile('concrete_file', content='hello world!\n')
    state.fs.insert('test', simfile)
    fd = state.posix.open(b"test", 1)

    buf_addr = 0xd0000000
    state.memory.store(buf_addr, b'test!')
    pwrite.execute(state, arguments=[fd, buf_addr, 5, 6])

    simfd = state.posix.get_fd(fd)
    simfd.seek(0)
    res = 0xc0000000
    simfd.read(res, 13)
    data = state.solver.eval(state.mem[res].string.resolved, cast_to=bytes)

    nose.tools.assert_true(data == b'hello test!!\n')

    state.posix.close(fd)
コード例 #5
0
ファイル: test_pwrite_pread.py プロジェクト: ohyeah521/angr-1 
def test_pread():
    pwrite = SIM_PROCEDURES['posix']['pread64']()

    state = SimState(arch="AMD64", mode='symbolic')
    simfile = SimFile('concrete_file', content='hello world!\n')
    state.fs.insert('test', simfile)
    fd = state.posix.open(b"test", 1)

    buf1_addr = 0xd0000000
    buf2_addr = 0xd0001000
    pwrite.execute(state, arguments=[fd, buf1_addr, 6, 6])
    pwrite.execute(state, arguments=[fd, buf2_addr, 5, 0])

    data1 = state.solver.eval(state.mem[buf1_addr].string.resolved,
                              cast_to=bytes)
    data2 = state.solver.eval(state.mem[buf2_addr].string.resolved,
                              cast_to=bytes)

    nose.tools.assert_true(data1 == b'world!')
    nose.tools.assert_true(data2 == b'hello')

    state.posix.close(fd)
コード例 #6
0
ファイル: test_lseek.py プロジェクト: yuzeming/angr 
    def test_lseek_set(self):
        state = SimState(arch="AMD64", mode="symbolic")

        # This could be any number above 2 really
        fd = 3

        # Create a file
        state.fs.insert('/tmp/qwer', SimFile(name='qwer', size=100))
        assert fd == state.posix.open(b'/tmp/qwer', 2)

        # Part 1

        # Seek to the top of the file
        current_pos = lseek(state,[fd,0,SEEK_SET]).ret_expr
        current_pos = state.solver.eval(current_pos)

        # We should be at the start
        assert current_pos == 0

        # Part 2

        # Seek to the top of the file
        current_pos = lseek(state,[fd,8,SEEK_SET]).ret_expr
        current_pos = state.solver.eval(current_pos)

        # We should be at the start
        assert current_pos == 8

        # Part 3

        # Seek to the top of the file
        current_pos = lseek(state,[fd,3,SEEK_SET]).ret_expr
        current_pos = state.solver.eval(current_pos)

        # We should be at the start
        assert current_pos == 3
コード例 #7
0
main_addr = 0x804850b

proj = angr.Project('./simple')

#st = proj.factory.entry_state(add_options=angr.options.unicorn)
#st = proj.factory.full_init_state(args=['./simple'], add_options=angr.options.unicorn)
#st = proj.factory.entry_state(args = ['./simple'])
#entry_state = proj.factory.blank_state(addr=main_addr)

# range(8) - sets a boundary for input length
bytes_list = [claripy.BVS('byte_%d' % i, 8) for i in range(8)]
bytes_ast = claripy.Concat(*bytes_list)

#state = proj.factory.entry_state(addr = main_addr, stdin=SimFile('/dev/stdin', content=bytes_ast))
state = proj.factory.entry_state(
    stdin=SimFile('/dev/stdin', content=bytes_ast))

# setting constraint for first input character to be equals to 'z'
state.add_constraints(bytes_list[0] == claripy.BVV(0x7a, 8))

# setting constraint for all input characters to be printable
#for byte in bytes_list:
#   state.add_constraints(byte >= claripy.BVV(0x20, 8))
#   state.add_constraints(byte <= claripy.BVV(0x7e, 8))

sim_mngr = proj.factory.simgr(state)
sim_mngr.explore(find=goal_addr, avoid=invalid_addr)

if len(sim_mngr.found) > 0:
    found = sim_mngr.found[0]
    flag = found.state.posix.dumps(0).strip('\0\n')