def print_pc_overflow_msg(state, byte_s):
hists = state.history.bbl_addrs.hardcopy
paths, print_paths = ct.deal_history(state, hists)
pc_overflow_maps = state.globals['pc_overflow_maps']
limit = state.globals['limit']
if ct.cmp_path(paths, pc_overflow_maps, limit):
path_dir = {'pc_overflow_result': {}}
path_dir['pc_overflow_result']['over_num'] = hex(byte_s)
path_dir['pc_overflow_result']['stdin'] = str(state.posix.dumps(0))
path_dir['pc_overflow_result']['stdout'] = str(state.posix.dumps(1))
path_dir['pc_overflow_result']['chain'] = print_paths
if 'argv' in state.globals:
argv = state.globals['argv']
argv_ret = []
for x in argv:
# print(state.solver.eval(x,cast_to=bytes))
argv_ret.append(str(state.solver.eval(x, cast_to=bytes)))
path_dir['pc_overflow_result']['argv'] = argv_ret
fp = open("tmp.json", "a")
json_str = json.dumps(path_dir)
fp.write(json_str + "\n")
fp.close()
def Check_arbitrary_W(state):
action=reversed(state.history.actions.hardcopy)
for act in action:
if act.type=='mem' and act.action=='write' and check_addr_sym(state,act):
hists=state.history.bbl_addrs.hardcopy
paths,print_paths=ct.deal_history(state,hists)
arbitrary_write_paths=state.globals['arbitrary_write_paths']
limit=state.globals['limit']
if ct.cmp_path(paths,arbitrary_write_paths,limit):
path_dir={'arbitrary_W_result':{}}
path_dir['arbitrary_W_result']['stdin']=str(state.posix.dumps(0))
path_dir['arbitrary_W_result']['stdout']=str(state.posix.dumps(1))
path_dir['arbitrary_W_result']['chain']=print_paths
if 'argv'in state.globals:
argv=state.globals['argv']
argv_ret=[]
for x in argv:
argv_ret.append( str(state.solver.eval(x,cast_to=bytes)) )
path_dir['arbitrary_W_result']['argv']=argv_ret
fp=open("tmp.json","a")
json_str = json.dumps(path_dir)
fp.write(json_str+"\n")
fp.close()
break
def Check_UAF_W(state):
if "has_free" not in state.globals:
# before_free=[]
if "before_free" in state.globals:
before_free = state.globals["before_free"]
else:
state.globals["before_free"] = []
before_free = state.globals["before_free"]
action_now = reversed(state.history.actions.hardcopy)
for act in action_now:
if act not in before_free:
before_free.append(act)
else:
before_free = state.globals["before_free"]
action_now = reversed(state.history.actions.hardcopy)
action = [i for i in action_now if i not in before_free]
malloc_dir = state.globals["has_malloc"]
free_dir = state.globals["has_free"]
for act in action:
if act.type == 'mem' and act.action == 'write':
addr = check_addr(state, act)
if addr == 0:
print("error:", act.addr)
break
for f in free_dir:
if f == addr:
hists = state.history.bbl_addrs.hardcopy
paths, print_paths = ct.deal_history(state, hists)
uaf_write_paths = state.globals['uaf_write_paths']
limit = state.globals['limit']
if ct.cmp_path(paths, uaf_write_paths, limit):
path_dir = {'uaf_W_result': {}}
path_dir['uaf_W_result']['stdin'] = str(
state.posix.dumps(0))
path_dir['uaf_W_result']['stdout'] = str(
state.posix.dumps(1))
path_dir['uaf_W_result']['chain'] = print_paths
if 'argv' in state.globals:
argv = state.globals['argv']
argv_ret = []
for x in argv:
argv_ret.append(
str(state.solver.eval(x,
cast_to=bytes)))
path_dir['uaf_W_result']['argv'] = argv_ret
fp = open("tmp.json", "a")
json_str = json.dumps(path_dir)
fp.write(json_str + "\n")
fp.close()
state.globals["uaf_write"] = True
break
def print_sp_error_msg(state):
hists = state.history.bbl_addrs.hardcopy
error_in = state.posix.dumps(0)
paths, print_paths = ct.deal_history(state, hists)
sp_error_paths = state.globals['sp_error_paths']
limit = state.globals['limit']
if ct.cmp_path(paths, sp_error_paths, limit):
path_dir = {'sp_error_result': {}}
path_dir['sp_error_result']['stdin'] = str(state.posix.dumps(0))
path_dir['sp_error_result']['stdout'] = str(state.posix.dumps(1))
path_dir['sp_error_result']['chain'] = print_paths
if 'argv' in state.globals:
argv = state.globals['argv']
argv_ret = []
# print("[PC]inputs",len(argv),"args:")
for x in argv:
# print(state.solver.eval(x,cast_to=bytes))
argv_ret.append(str(state.solver.eval(x, cast_to=bytes)))
path_dir['sp_error_result']['argv'] = argv_ret
fp = open("tmp.json", "a")
json_str = json.dumps(path_dir)
fp.write(json_str + "\n")
fp.close()
state.regs.rip = state.solver.BVV(0xdeadbeef, 64)