Exemplo n.º 1
0
    def run_test(self,
                 filename,
                 patches,
                 set_oep=None,
                 inputvalue=None,
                 expected_output=None,
                 expected_returnCode=None,
                 try_without_cfg=True):
        filepath = os.path.join(self.bin_location, filename)
        pipe = subprocess.PIPE

        with patcherex.utils.tempdir() as td:
            tmp_file = os.path.join(td, "patched")
            backend = DetourBackend(filepath, try_without_cfg=try_without_cfg)
            backend.apply_patches(patches)
            if set_oep:
                backend.set_oep(backend.name_map[set_oep])
            backend.save(tmp_file)
            p = subprocess.Popen([
                self.qemu_location, "-L", "/usr/mips64-linux-gnuabi64",
                tmp_file
            ],
                                 stdin=pipe,
                                 stdout=pipe,
                                 stderr=pipe)
            res = p.communicate(inputvalue)
            if expected_output:
                self.assertEqual(res[0], expected_output)
            if expected_returnCode:
                self.assertEqual(p.returncode, expected_returnCode)
            return backend
Exemplo n.º 2
0
    def generate_medium_detour_binary(self, test_bin=True):
        try:
            nr = NetworkRules()
            backend = DetourBackend(self.infile)
            patches = []

            patches.extend(IndirectCFI(self.infile, backend).get_patches())
            patches.extend(
                TransmitProtection(self.infile, backend).get_patches())
            patches.extend(ShiftStack(self.infile, backend).get_patches())
            patches.extend(Adversarial(self.infile, backend).get_patches())
            patches.extend(Backdoor(self.infile, backend).get_patches())
            # patches.extend(NxStack(self.infile,backend).get_patches())
            patches.extend(
                MallocExtPatcher(self.infile, backend).get_patches())
            patches.extend(
                StackRetEncryption(self.infile, backend).get_patches())
            patches.extend(
                UninitializedPatcher(self.infile, backend).get_patches())
            patches.extend(
                NoFlagPrintfPatcher(self.infile, backend).get_patches())

            backend.apply_patches(patches)
            final_content = backend.get_final_content()
            if test_bin:
                test_bin_with_qemu(self.infile, final_content)
            res = (final_content, "")
        except PatcherexError, e:
            traceback.print_exc(e)
            res = (None, None)
Exemplo n.º 3
0
    def test_conflicting_symbols(self):
        filepath = os.path.join(self.bin_location, "printf_nopie")

        patches = []
        backend = DetourBackend(filepath)
        patches.append(AddRODataPatch(b"0123456789abcdef", "aaa"))
        patches.append(AddRODataPatch(b"\n", "aaa"))
        exc = False
        try:
            backend.apply_patches(patches)
        except ValueError:
            exc = True
        self.assertTrue(exc)

        patches = []
        backend = DetourBackend(filepath)
        patches.append(AddRODataPatch(b"0123456789abcdef", "aaa"))
        added_code = '''
            nop
        '''
        patches.append(AddCodePatch(added_code, "aaa"))
        exc = False
        try:
            backend.apply_patches(patches)
        except ValueError:
            exc = True
        self.assertTrue(exc)
Exemplo n.º 4
0
    def run_test(self,
                 file,
                 patches,
                 set_oep=None,
                 inputs=None,
                 expected_output=None,
                 expected_returnCode=None):
        filepath = os.path.join(self.bin_location, file)
        pipe = subprocess.PIPE

        with patcherex.utils.tempdir() as td:
            tmp_file = os.path.join(td, "patched")
            backend = DetourBackend(filepath)
            backend.apply_patches(patches)
            if set_oep:
                backend.set_oep(backend.name_map[set_oep])
            backend.save(tmp_file)
            p = subprocess.Popen([tmp_file],
                                 stdin=pipe,
                                 stdout=pipe,
                                 stderr=pipe)
            res = p.communicate(inputs)
            if expected_output:
                self.assertEqual(res[0], expected_output)
            if expected_returnCode:
                self.assertEqual(p.returncode, expected_returnCode)
            return backend
Exemplo n.º 5
0
 def generate_fidget_bitflip_binary(self):
     nr = NetworkRules()
     midfile = self.infile + '.fidget' + str(random.randrange(0, 1000))
     fidget_it(self.infile, midfile)
     backend = DetourBackend(midfile)
     cp = Bitflip(midfile, backend)
     patches1 = cp.get_patches()
     backend.apply_patches(patches1)
     return (backend.get_final_content(), nr.get_bitflip_rule())
Exemplo n.º 6
0
 def execute(self, patches, binary, output_expected=None):
     with patcherex.utils.tempdir() as td:
         tmp_file = os.path.join(td, "patched")
         #backend operations
         backend = DetourBackend(self.binary_path + binary)
         backend.apply_patches(patches)
         backend.save(tmp_file)
         #run the patched binary
         pipe = subprocess.PIPE
         p = subprocess.Popen([tmp_file],
                              stdin=pipe,
                              stdout=pipe,
                              stderr=pipe)
         res = p.communicate()
         #check the results
         self.assertEqual(res[0], output_expected)
Exemplo n.º 7
0
    def generate_medium_lief_detour_binary(self, test_bin=True):
        try:
            backend = DetourBackend(self.infile)
            patches = []

            patches.extend(
                StackRetEncryption(self.infile, backend).get_patches())

            backend.apply_patches(patches)
            final_content = backend.get_final_content()
            if test_bin:
                test_bin_with_qemu(self.infile, final_content)
            res = (final_content, "")
        except PatcherexError, e:
            traceback.print_exc(e)
            res = (None, None)
Exemplo n.º 8
0
typedef = '''
typedef unsigned short uint16_t;
typedef unsigned char uint8_t;
'''
transmit_code = '''
void rx_brake_routine( uint8_t buff[], void *bumper ){
	uint16_t speed_value;  
	uint8_t brake_switch;

	speed_value  = (buff[3] << 8) + buff[2];
	brake_switch = (buff[4] & 0b00001100) >> 2;
	((uint8_t*)bumper)[5] = (brake_switch) ? 1 : 0;

	if ( ((uint8_t*)bumper)[5] ) {
		if ((speed_value > 0) && ( !((uint8_t*)bumper)[4]) ){ 
			((uint8_t*)bumper)[6] = 1;
		}
	}
	else {
	    ((uint8_t*)bumper)[6] = 0;
		((uint8_t*)bumper)[4] = 0;
	}
}
'''

transmit_code = typedef + transmit_code.replace("\n", " ")

patches.append(ReplaceFunctionPatch(0x400cc4, 0x84, transmit_code))
backend.apply_patches(patches)
backend.save(args.patched)