diff options
Diffstat (limited to 'frida_mode/test/persistent_ret')
| -rw-r--r-- | frida_mode/test/persistent_ret/GNUmakefile | 51 | ||||
| -rwxr-xr-x | frida_mode/test/persistent_ret/get_symbol_addr.py | 36 | ||||
| -rw-r--r-- | frida_mode/test/persistent_ret/testinstr.c | 11 |
3 files changed, 54 insertions, 44 deletions
diff --git a/frida_mode/test/persistent_ret/GNUmakefile b/frida_mode/test/persistent_ret/GNUmakefile index adcacf5a..df48d065 100644 --- a/frida_mode/test/persistent_ret/GNUmakefile +++ b/frida_mode/test/persistent_ret/GNUmakefile @@ -22,31 +22,23 @@ ifeq "$(ARCH)" "i686" endif endif -GET_SYMBOL_ADDR:=$(ROOT)frida_mode/util/get_symbol_addr.sh - -ifeq "$(shell uname)" "Darwin" -TEST_BIN_LDFLAGS:=-Wl,-no_pie -endif - ARCH=$(shell uname -m) ifeq "$(ARCH)" "aarch64" - AFL_FRIDA_PERSISTENT_ADDR=$(shell $(GET_SYMBOL_ADDR) $(TESTINSTBIN) main 0x0000aaaaaaaaa000) - AFL_FRIDA_PERSISTENT_RET=$(shell $(GET_SYMBOL_ADDR) $(TESTINSTBIN) slow 0x0000aaaaaaaaa000) + AFL_FRIDA_PERSISTENT_ADDR=$(shell $(PWD)get_symbol_addr.py -f $(TESTINSTBIN) -s main -b 0x0000aaaaaaaaa000) + AFL_FRIDA_PERSISTENT_RET=$(shell $(PWD)get_symbol_addr.py -f $(TESTINSTBIN) -s slow -b 0x0000aaaaaaaaa000) endif ifeq "$(ARCH)" "x86_64" - AFL_FRIDA_PERSISTENT_ADDR=$(shell $(GET_SYMBOL_ADDR) $(TESTINSTBIN) main 0x0000555555554000) - AFL_FRIDA_PERSISTENT_RET=$(shell $(GET_SYMBOL_ADDR) $(TESTINSTBIN) slow 0x0000555555554000) + AFL_FRIDA_PERSISTENT_ADDR=$(shell $(PWD)get_symbol_addr.py -f $(TESTINSTBIN) -s main -b 0x0000555555554000) + AFL_FRIDA_PERSISTENT_RET=$(shell $(PWD)get_symbol_addr.py -f $(TESTINSTBIN) -s slow -b 0x0000555555554000) endif ifeq "$(ARCH)" "x86" - AFL_FRIDA_PERSISTENT_ADDR=$(shell $(GET_SYMBOL_ADDR) $(TESTINSTBIN) main 0x56555000) - AFL_FRIDA_PERSISTENT_RET=$(shell $(GET_SYMBOL_ADDR) $(TESTINSTBIN) slow 0x56555000) + AFL_FRIDA_PERSISTENT_ADDR=$(shell $(PWD)get_symbol_addr.py -f $(TESTINSTBIN) -s main -b 0x56555000) + AFL_FRIDA_PERSISTENT_RET=$(shell $(PWD)get_symbol_addr.py -f $(TESTINSTBIN) -s slow -b 0x56555000) endif -ifeq "$(shell uname)" "Darwin" -AFL_PRELOAD=/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation -endif +AFL_FRIDA_PERSISTENT_RETADDR_OFFSET:=0x50 .PHONY: all 32 clean qemu frida @@ -66,7 +58,7 @@ $(TESTINSTR_DATA_FILE): | $(TESTINSTR_DATA_DIR) echo -n "000" > $@ $(TESTINSTBIN): $(TESTINSTSRC) | $(BUILD_DIR) - $(CC) $(CFLAGS) $(LDFLAGS) $(TEST_BIN_LDFLAGS) -o $@ $< + $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $< clean: rm -rf $(BUILD_DIR) @@ -84,6 +76,7 @@ frida: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE) frida_ret: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE) AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR) \ AFL_FRIDA_PERSISTENT_RET=$(AFL_FRIDA_PERSISTENT_RET) \ + AFL_FRIDA_PERSISTENT_RETADDR_OFFSET=$(AFL_FRIDA_PERSISTENT_RETADDR_OFFSET) \ $(ROOT)afl-fuzz \ -D \ -O \ @@ -92,39 +85,21 @@ frida_ret: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE) -- \ $(TESTINSTBIN) @@ -frida_js: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE) - AFL_PRELOAD=$(AFL_PRELOAD) \ - AFL_FRIDA_JS_SCRIPT=test.js \ - $(ROOT)afl-fuzz \ - -D \ - -O \ - -i $(TESTINSTR_DATA_DIR) \ - -o $(FRIDA_OUT) \ - -- \ - $(TESTINSTBIN) $(TESTINSTR_DATA_FILE) - -debug: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE) +debug: $(TESTINSTR_DATA_FILE) gdb \ --ex 'set environment AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR)' \ --ex 'set environment AFL_FRIDA_PERSISTENT_RET=$(AFL_FRIDA_PERSISTENT_RET)' \ + --ex 'set environment AFL_FRIDA_PERSISTENT_RETADDR_OFFSET=$(AFL_FRIDA_PERSISTENT_RETADDR_OFFSET)' \ --ex 'set environment AFL_FRIDA_PERSISTENT_DEBUG=1' \ --ex 'set environment AFL_DEBUG_CHILD=1' \ --ex 'set environment LD_PRELOAD=$(ROOT)afl-frida-trace.so' \ --ex 'set disassembly-flavor intel' \ --args $(TESTINSTBIN) $(TESTINSTR_DATA_FILE) -debug_js: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE) - gdb \ - --ex 'set environment AFL_FRIDA_JS_SCRIPT=test.js' \ - --ex 'set environment AFL_FRIDA_PERSISTENT_DEBUG=1' \ - --ex 'set environment AFL_DEBUG_CHILD=1' \ - --ex 'set environment LD_PRELOAD=$(ROOT)afl-frida-trace.so' \ - --ex 'set disassembly-flavor intel' \ - --args $(TESTINSTBIN) $(TESTINSTR_DATA_FILE) - -run: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE) +run: $(TESTINSTR_DATA_FILE) AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR) \ AFL_FRIDA_PERSISTENT_RET=$(AFL_FRIDA_PERSISTENT_RET) \ + AFL_FRIDA_PERSISTENT_RETADDR_OFFSET=$(AFL_FRIDA_PERSISTENT_RETADDR_OFFSET) \ AFL_DEBUG_CHILD=1 \ LD_PRELOAD=$(ROOT)afl-frida-trace.so \ $(TESTINSTBIN) $(TESTINSTR_DATA_FILE) diff --git a/frida_mode/test/persistent_ret/get_symbol_addr.py b/frida_mode/test/persistent_ret/get_symbol_addr.py new file mode 100755 index 00000000..1c46e010 --- /dev/null +++ b/frida_mode/test/persistent_ret/get_symbol_addr.py @@ -0,0 +1,36 @@ +#!/usr/bin/python3 +import argparse +from elftools.elf.elffile import ELFFile + +def process_file(file, symbol, base): + with open(file, 'rb') as f: + elf = ELFFile(f) + symtab = elf.get_section_by_name('.symtab') + mains = symtab.get_symbol_by_name(symbol) + if len(mains) != 1: + print ("Failed to find main") + return 1 + + main_addr = mains[0]['st_value'] + main = base + main_addr + print ("0x%016x" % main) + return 0 + +def hex_value(x): + return int(x, 16) + +def main(): + parser = argparse.ArgumentParser(description='Process some integers.') + parser.add_argument('-f', '--file', dest='file', type=str, + help='elf file name', required=True) + parser.add_argument('-s', '--symbol', dest='symbol', type=str, + help='symbol name', required=True) + parser.add_argument('-b', '--base', dest='base', type=hex_value, + help='elf base address', required=True) + + args = parser.parse_args() + return process_file (args.file, args.symbol, args.base) + +if __name__ == "__main__": + ret = main() + exit(ret) diff --git a/frida_mode/test/persistent_ret/testinstr.c b/frida_mode/test/persistent_ret/testinstr.c index 42e3519a..6cb88a50 100644 --- a/frida_mode/test/persistent_ret/testinstr.c +++ b/frida_mode/test/persistent_ret/testinstr.c @@ -17,14 +17,13 @@ #include <unistd.h> #ifdef __APPLE__ - #define MAIN_SECTION + #define TESTINSTR_SECTION #else - #define MAIN_SECTION __attribute__((section(".main"))) + #define TESTINSTR_SECTION __attribute__((section(".testinstr"))) #endif -void LLVMFuzzerTestOneInput(char *buf, int len) { +void testinstr(char *buf, int len) { - printf (">>> LLVMFuzzerTestOneInput >>>\n"); if (len < 1) return; buf[len] = 0; @@ -44,7 +43,7 @@ void slow() { } -MAIN_SECTION int main(int argc, char **argv) { +TESTINSTR_SECTION int main(int argc, char **argv) { char * file; int fd = -1; @@ -102,7 +101,7 @@ MAIN_SECTION int main(int argc, char **argv) { dprintf(STDERR_FILENO, "Running: %s: (%zd bytes)\n", file, n_read); - LLVMFuzzerTestOneInput(buf, len); + testinstr(buf, len); dprintf(STDERR_FILENO, "Done: %s: (%zd bytes)\n", file, n_read); slow(); |