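def main():
    """Command-line entry point: build a Manticore instance from the parsed
    arguments, copy the optional settings onto it and run it.

    ``args.programs[0]`` is the target binary and the remaining entries are
    its argv. Each optional setting is applied only when the corresponding
    flag was given; the numeric limits (``dumpafter``, ``maxstorage``,
    ``maxstates``) are applied only when non-zero, so 0 keeps Manticore's
    default. Environment entries are parsed as ``NAME=VALUE`` and split on
    the first ``=`` only, so a value may itself contain ``=``.

    Raises:
        ValueError: an ``--env`` entry does not contain ``=``.
    """
    args = parse_arguments()
    m = Manticore(args.programs[0], args.programs[1:])
    m.policy = args.policy
    m.args = args

    if args.data:
        m.concrete_data = args.data
    if args.workspace:
        m.workspace = args.workspace
    if args.profile:
        m.should_profile = args.profile

    # 0 means "not given"; leave Manticore's own default in place.
    if args.dumpafter != 0:
        m.dumpafter = args.dumpafter
    if args.maxstorage != 0:
        m.maxstorage = args.maxstorage
    if args.maxstates != 0:
        m.maxstates = args.maxstates

    if args.coverage:
        m.coverage_file = args.coverage
    if args.names is not None:
        m.apply_model_hooks(args.names)

    if args.env:
        for entry in args.env:
            # Each entry is a one-element list (presumably argparse nargs=1 --
            # confirm against parse_arguments).
            spec = entry[0]
            # Split on the first '=' only: the previous split('=') raised on
            # values such as PATH=a=b, and an entry with no '=' now gets a
            # clear message instead of an unpacking error.
            if '=' not in spec:
                raise ValueError("environment entry must be NAME=VALUE, got %r" % spec)
            name, val = spec.split('=', 1)
            m.env_add(name, val)

    if args.files:
        for path in args.files:
            m.add_symbolic_file(path)
    if args.assertions:
        m.load_assertions(args.assertions)

    m.verbosity = args.v
    m.run(args.procs, args.timeout)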
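def mcore_calloc(filename, call, seed=None, base=0x555555554000, workers=8):
    """Symbolically drive one calloc() call site into each heap size class.

    Four independent Manticore explorations of *filename* are run, one per
    size class. Each hooks the instruction at ``base + call`` (expected to
    be the calloc call, with RDI = nmemb and RSI = size), constrains the two
    registers to the class, prints one concrete ``(nmemb, size)`` pair that
    satisfies it, appends *call* to the module-level ``fastbins`` list and
    terminates that run.

    Args:
        filename: path of the binary handed to ``Manticore``.
        call: offset of the calloc call site from the load base.
        seed: optional concrete input (``m.concrete_data``); ignored when
            falsy, as before.
        base: load base added to *call*. The default is the usual x86-64
            Linux PIE base with ASLR disabled -- confirm for the target.
        workers: number of Manticore worker processes for each run.

    Side effects: prints to stdout, appends to ``fastbins`` (defined
    elsewhere in the module; note it is appended to for every size class,
    not only for fastbins) and spawns Manticore workers.

    Raises: whatever ``state.solve_one`` raises when a class constraint is
    unsatisfiable at the hook; this was not guarded before either.

    An earlier version called ``exit(1)`` right after the Smallbins run,
    which killed the process before the Largebins and MMAP classes were
    ever explored; all four classes now run.
    """
    def explore(label, constrain):
        # A fresh Manticore per class keeps one class's constraints from
        # leaking into the next run.
        m = Manticore(filename)
        if seed:
            m.concrete_data = seed

        @m.hook(base + call)
        def calloc_hook(state):
            cpu = state.cpu
            constrain(state, cpu)
            nmemb = state.solve_one(cpu.RDI)
            size = state.solve_one(cpu.RSI)
            # Single-argument print is valid under both Python 2 and 3.
            print("%s with calloc(%d, %d)" % (label, nmemb, size))
            fastbins.append(call)
            m.terminate()

        m.workers = workers
        m.run()

    # NOTE(review): RDI * RSI is a 64-bit modular product, so the solver may
    # pick operands whose product wraps (e.g. a huge nmemb with a small size)
    # -- a real calloc rejects such a request as overflow, so add a no-wrap
    # constraint if the witness must correspond to a reachable allocation.
    explore("Fastbin", lambda state, cpu: state.add(cpu.RDI * cpu.RSI <= 0x80))

    # NOTE(review): the Smallbins and Largebins classes bound only RSI (size),
    # unlike the first and last classes, which bound the product; kept as
    # written.
    def small(state, cpu):
        state.add(cpu.RSI >= 0x80)
        state.add(cpu.RSI <= 0x400)
    explore("Smallbins", small)

    def large(state, cpu):
        state.add(cpu.RSI >= 0x400)
        state.add(cpu.RSI <= 0x4000)
    explore("Largebins", large)

    # NOTE(review): labelled "MMAP", but the upper bound 0x4000 is far below
    # glibc's default mmap threshold (128 KiB) and overlaps the Largebins
    # range; confirm the intended range.
    def mmap_sized(state, cpu):
        state.add(cpu.RDI * cpu.RSI >= 0x400)
        state.add(cpu.RDI * cpu.RSI <= 0x4000)
    explore("MMAPbins", mmap_sized)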
from manticore import Manticore


def fixme():
    """Placeholder for a value the reader must supply; always raises."""
    raise Exception("Fill in the blanks!")


# Let's initialize the manticore control object
m = Manticore('multiple-styles')

# First, let's give it some fake data for the input. Anything the same size as
# the real flag should work fine!
m.concrete_data = "infiltrate miami!"

# Now we're going to want to execute a few different hooks and share data, so
# let's use the m.context dict to keep our solution in
m.context['solution'] = ''

# Now we want to hook that compare instruction that controls the main loop.
# Where is it again?
# NOTE: the decorator argument is evaluated at import time, so this script
# raises "Fill in the blanks!" here until the hook address is filled in.
@m.hook(fixme())
def solve(state):
    # Our actual flag should have something to do with AL at this point, let's
    # just read it out real quick
    flag_byte = state.cpu.AL - fixme()
    m.context['solution'] += chr(flag_byte)
    # But how can we make the comparison pass? There are a couple solutions here
    fixme()


# play with these numbers!
m.verbosity = 0
# NOTE(review): nothing visible here starts the exploration (no m.run()); it
# presumably follows further down the file.
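def mcore_calloc(filename, call, seed=None, base=0x555555554000, workers=8):
    """Symbolically drive one calloc() call site into each heap size class.

    Four independent Manticore explorations of *filename* are run, one per
    size class. Each hooks the instruction at ``base + call`` (expected to
    be the calloc call, with RDI = nmemb and RSI = size), constrains the two
    registers to the class, prints one concrete ``(nmemb, size)`` pair that
    satisfies it, appends *call* to the module-level ``fastbins`` list and
    terminates that run.

    Args:
        filename: path of the binary handed to ``Manticore``.
        call: offset of the calloc call site from the load base.
        seed: optional concrete input (``m.concrete_data``); ignored when
            falsy, as before.
        base: load base added to *call*. The default is the usual x86-64
            Linux PIE base with ASLR disabled -- confirm for the target.
        workers: number of Manticore worker processes for each run.

    Side effects: prints to stdout, appends to ``fastbins`` (defined
    elsewhere in the module; note it is appended to for every size class,
    not only for fastbins) and spawns Manticore workers.

    Raises: whatever ``state.solve_one`` raises when a class constraint is
    unsatisfiable at the hook; this was not guarded before either.

    An earlier version called ``exit(1)`` right after the Smallbins run,
    which killed the process before the Largebins and MMAP classes were
    ever explored; all four classes now run.
    """
    def explore(label, constrain):
        # A fresh Manticore per class keeps one class's constraints from
        # leaking into the next run.
        m = Manticore(filename)
        if seed:
            m.concrete_data = seed

        @m.hook(base + call)
        def calloc_hook(state):
            cpu = state.cpu
            constrain(state, cpu)
            nmemb = state.solve_one(cpu.RDI)
            size = state.solve_one(cpu.RSI)
            # Single-argument print is valid under both Python 2 and 3.
            print("%s with calloc(%d, %d)" % (label, nmemb, size))
            fastbins.append(call)
            m.terminate()

        m.workers = workers
        m.run()

    # NOTE(review): RDI * RSI is a 64-bit modular product, so the solver may
    # pick operands whose product wraps (e.g. a huge nmemb with a small size)
    # -- a real calloc rejects such a request as overflow, so add a no-wrap
    # constraint if the witness must correspond to a reachable allocation.
    explore("Fastbin", lambda state, cpu: state.add(cpu.RDI * cpu.RSI <= 0x80))

    # NOTE(review): the Smallbins and Largebins classes bound only RSI (size),
    # unlike the first and last classes, which bound the product; kept as
    # written.
    def small(state, cpu):
        state.add(cpu.RSI >= 0x80)
        state.add(cpu.RSI <= 0x400)
    explore("Smallbins", small)

    def large(state, cpu):
        state.add(cpu.RSI >= 0x400)
        state.add(cpu.RSI <= 0x4000)
    explore("Largebins", large)

    # NOTE(review): labelled "MMAP", but the upper bound 0x4000 is far below
    # glibc's default mmap threshold (128 KiB) and overlaps the Largebins
    # range; confirm the intended range.
    def mmap_sized(state, cpu):
        state.add(cpu.RDI * cpu.RSI >= 0x400)
        state.add(cpu.RDI * cpu.RSI <= 0x4000)
    explore("MMAPbins", mmap_sized)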