示例#1
0
def test_KPRCA_00057():
    """
    This test requires pointing an arbitrary transmit using atoi at the flag
    """
    with open(os.path.join(tests_dir, "KPRCA_00057_crash")) as f:
        crash = f.read()

    # set up hooks
    format_infos = []
    format_infos.append(FormatInfoStrToInt(0x8049e90, "based_atoi_8", str_arg_num=0, base=8,
                       base_arg=None, allows_negative=False))
    format_infos.append(FormatInfoStrToInt(0x804b3b0, "strtol", str_arg_num=0, base=None,
                       base_arg=2, allows_negative=False))
    format_infos.append(FormatInfoStrToInt(0x804b160, "strtol", str_arg_num=0, base=None,
                       base_arg=2, allows_negative=False))
    format_infos.append(FormatInfoDontConstrain(0x8049e90, "fdprintf", 1))

    binary = os.path.join(bin_location, "tests/cgc/KPRCA_00057")
    crash = rex.Crash(binary, crash, format_infos=format_infos)

    nose.tools.assert_true(crash.one_of(Vulnerability.ARBITRARY_TRANSMIT))

    flag_leaks = list(crash.point_to_flag())

    nose.tools.assert_true(len(flag_leaks) >= 1)

    cg = colorguard.ColorGuard(binary, flag_leaks[0])
    cg.causes_leak()
    pov = cg.attempt_pov()

    nose.tools.assert_true(_do_pov_test(pov))
示例#2
0
 def symbol_to_format_info(addr, symbol):
     # picks the correct format info from a symbol
     if symbol.startswith("atoi"):
         allows_negative = "_no_signs" not in symbol
         return FormatInfoStrToInt(addr,
                                   symbol,
                                   str_arg_num=0,
                                   base=10,
                                   base_arg=None,
                                   allows_negative=allows_negative)
     if symbol.startswith("based_atoi"):
         allows_negative = "signed" in symbol
         return FormatInfoStrToInt(addr,
                                   symbol,
                                   str_arg_num=0,
                                   base=int(symbol.split("_")[-1]),
                                   base_arg=None,
                                   allows_negative=allows_negative)
     if symbol == "int2str" or symbol == "uint2str":
         return FormatInfoIntToStr(addr,
                                   symbol,
                                   int_arg_num=2,
                                   str_dst_num=0,
                                   base=10,
                                   base_arg=None)
     if symbol == "int2str_v2" or symbol == "uint2str_v2":
         return FormatInfoIntToStr(addr,
                                   symbol,
                                   int_arg_num=0,
                                   str_dst_num=1,
                                   base=10,
                                   base_arg=None)
     if symbol == "int2str_v3" or symbol == "uint2str_v3":
         return FormatInfoIntToStr(addr,
                                   symbol,
                                   int_arg_num=1,
                                   str_dst_num=0,
                                   base=10,
                                   base_arg=None)
     if symbol.startswith("strtol"):
         return FormatInfoStrToInt(addr,
                                   symbol,
                                   str_arg_num=0,
                                   base=None,
                                   base_arg=2,
                                   allows_negative=True)
     if symbol == "printf":
         return FormatInfoDontConstrain(addr, symbol, check_symbolic_arg=0)
     if symbol == "fdprintf":
         return FormatInfoDontConstrain(addr, symbol, check_symbolic_arg=1)
     return None
示例#3
0
def test_chall_resp_atoi():
    crash_input = '-435982256\n-439864843\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' \
                  'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' \
                  'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' \
                  'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' \
                  'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n'

    bin_path = bin_location + "/tests/i386/chall_resp_atoi"
    cfg_fast = angr.Project(bin_path).analyses.CFGFast()
    atoi_addr = cfg_fast.functions["atoi"].addr
    itoa_addr = cfg_fast.functions["itoa"].addr
    f1 = FormatInfoIntToStr(addr=itoa_addr,
                            func_name="itoa",
                            int_arg_num=1,
                            str_dst_num=0,
                            base=10,
                            base_arg=None)
    f2 = FormatInfoStrToInt(addr=atoi_addr,
                            func_name="atoi",
                            str_arg_num=0,
                            base=10,
                            base_arg=None,
                            allows_negative=True)
    crash = rex.Crash(bin_path, crash=crash_input, format_infos=[f1, f2])
    exploit_f = crash.exploit()
    for e in exploit_f.register_setters:
        nose.tools.assert_true(_do_pov_test(e))
    for e in exploit_f.leakers:
        nose.tools.assert_true(_do_pov_test(e))
示例#4
0
def test_cromu71():
    crash_input = 'feq\n &\x06\x00\x80\xee\xeen\nf\x00f_E_p\x00\x00\x80\x00q\n3&\x1b\x17/\x12\x1b\x1e]]]]]]]]]]]]]]]]]]]]\n\x1e\x7f\xffC^\n'

    binary = os.path.join(bin_location, "tests/cgc/CROMU_00071")

    # create format info for atoi
    format_infos = []
    format_infos.append(FormatInfoStrToInt(0x804C500, "based_atoi_signed_10", str_arg_num=0, base=10,
                                           base_arg=None, allows_negative=True))

    crash = rex.Crash(binary, crash_input)

    # let's generate some exploits for it
    arsenal = crash.exploit()

    # make sure it works
    nose.tools.assert_true(_do_pov_test(arsenal.best_type1))