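def find_stack_msg(limit=None):
    """Run the stack-overflow search once in a child process, then report.

    ``find_stack_repeat`` is started in a separate ``Process`` and killed if it
    is still running after ``limit_time`` seconds. It is assumed (the writer is
    not in this file) to append one JSON object per line to ``stack.json``;
    objects carrying a ``bp_overflow_result`` / ``pc_overflow_result`` key are
    collected and handed to ``path_msg``.

    Args:
        limit: forwarded unchanged to ``find_stack_repeat``.

    Returns:
        None. Results go to stdout and ``log.WrLog``.
    """
    p = Process(target=find_stack_repeat, args=(limit,))
    p.start()
    p.join(limit_time)
    if p.is_alive():
        print("[-] runing over limit time,kill it")
        log.WrLog("[-] runing over limit time,kill it")
        p.terminate()
    # Reap the child even after terminate() so it does not linger as a zombie.
    p.join()

    bp_overflow_result = []
    pc_overflow_result = []
    try:
        # Read-only open: the original used "r+" but never wrote. "with" closes
        # the handle on every exit path (the original leaked it on a bad line).
        with open("stack.json", "r") as fp:
            for str_line in fp:
                if not str_line.strip():
                    # Blank lines are not JSON; the original crashed on them.
                    continue
                try:
                    record = json.loads(str_line)
                except json.JSONDecodeError:
                    # A child terminated mid-write can leave a truncated last
                    # line; do not let that take down the report.
                    log.WrLog("[-] skipping malformed line in stack.json")
                    continue
                if not isinstance(record, dict):
                    log.WrLog("[-] skipping non-object line in stack.json")
                    continue
                if "bp_overflow_result" in record:
                    bp_overflow_result.append(record["bp_overflow_result"])
                if "pc_overflow_result" in record:
                    pc_overflow_result.append(record["pc_overflow_result"])
    except OSError:
        log.WrLog("find nothing in stack overflow vulnerability!")
        print("find nothing in stack overflow vulnerability!")
        return

    # The original had the closing parenthesis of WrLog misplaced, so the
    # "stack overflow to BP===" suffix was added to WrLog's return value
    # instead of the message (a TypeError when WrLog returns None).
    log.WrLog("\n[+]===has found" + str(len(bp_overflow_result)) +
              "stack overflow to BP===")
    print("\n[+]===has found", len(bp_overflow_result),
          "stack overflow to BP===")
    path_msg(bp_overflow_result, "bp_overflow_result")

    # Log the PC count too, matching what is done for BP.
    log.WrLog("\n[+]===has found" + str(len(pc_overflow_result)) +
              "stack overflow to PC===")
    print("\n[+]===has found", len(pc_overflow_result),
          "stack overflow to PC===")
    path_msg(pc_overflow_result, "pc_overflow_result")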
def path_msg(inlist, type):
    """Print and log the recorded fields of every finding in ``inlist``.

    Args:
        inlist: iterable of dicts, one per finding, as collected from the
            result JSON; only the keys in ``fields`` below are reported, in
            that order, and missing keys are silently skipped.
        type: label shown in the separator line (the result-kind name).

    Returns:
        None. Each reported line goes to both ``log.WrLog`` and stdout.
    """
    fields = (
        ("over_num", "[over bytes]:"),
        ("stdout", "[stdout]:"),
        ("stdin", "[stdin]:"),
        ("chain", "[jump chain]:"),
        ("argv", "[argv]:"),
    )
    for finding in inlist:
        print("\n------------------------", type, "------------------------")
        for key, label in fields:
            if key not in finding:
                continue
            line = label + str(finding[key])
            log.WrLog(line)
            print(line)
        print()
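def ReadNum(json):
    """Return the number of lines in the file at path ``json``.

    Args:
        json: path of a line-oriented result file. (The parameter name shadows
            the ``json`` module inside this function; kept so existing callers
            passing it by keyword keep working.)

    Returns:
        The line count, or 0 when the file cannot be opened or decoded; the
        failure is reported through ``log.WrLog``.
    """
    try:
        # "with" closes the handle on every path; the original never closed it
        # and opened it "r+" although it only reads.
        with open(json, "r") as fp:
            return sum(1 for _ in fp)
    except (OSError, UnicodeDecodeError):
        # Narrowed from a bare except so programming errors are no longer
        # silently turned into a count of 0.
        log.WrLog("find nothing in error regs vulnerability!")
        return 0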
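def main():
    """Entry point: show the target binary's hardening, then run every finder.

    The five ``find_*`` searches run in a pool of 5 worker processes. Worker
    exceptions are fetched and logged after the pool finishes; the elapsed
    wall-clock time is kept in ``TaskTime``.
    """
    import subprocess

    print("[+] the msg of target program:")
    # Pass the target as an argv element with no shell: the original
    # os.system("checksec {}".format(filename)) let a filename containing
    # shell metacharacters inject commands.
    try:
        subprocess.run(["checksec", filename], check=False)
    except OSError as exc:
        log.WrLog("[-] could not run checksec: {}".format(exc))
    sleep(1)
    start = timeit.default_timer()
    pool = multiprocessing.Pool(processes=5)
    finders = (find_stack_overflow, find_arbitrary, find_error_regs,
               find_format, find_heap_vul)
    # Keep the AsyncResult objects: apply_async swallows a worker's exception
    # until .get() is called, so the original never learned of a failed finder.
    results = [(f.__name__, pool.apply_async(f)) for f in finders]
    pool.close()
    pool.join()
    for name, res in results:
        try:
            res.get()
        except Exception as exc:
            msg = "[-] {} failed: {!r}".format(name, exc)
            print(msg)
            log.WrLog(msg)
    end = timeit.default_timer()
    TaskTime = end - start
    log.WrLog()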