From 8b92a40e19c1a90a31e7514de1c90f0cf558a62a Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Wed, 22 Jan 2020 02:08:30 +0100 Subject: c example now uses persistent mode --- unicorn_mode/samples/c/a.out | Bin 17184 -> 0 bytes unicorn_mode/samples/c/harness.c | 43 +++++++++++++++++++----- unicorn_mode/samples/c/persistent_target.c | 39 +++++++++++++++++++++ unicorn_mode/samples/c/persistent_target_x86_64 | Bin 0 -> 16544 bytes unicorn_mode/samples/c/simple_target.c | 34 ------------------- 5 files changed, 73 insertions(+), 43 deletions(-) delete mode 100644 unicorn_mode/samples/c/a.out create mode 100644 unicorn_mode/samples/c/persistent_target.c create mode 100644 unicorn_mode/samples/c/persistent_target_x86_64 delete mode 100644 unicorn_mode/samples/c/simple_target.c diff --git a/unicorn_mode/samples/c/a.out b/unicorn_mode/samples/c/a.out deleted file mode 100644 index 176c25e1..00000000 Binary files a/unicorn_mode/samples/c/a.out and /dev/null differ diff --git a/unicorn_mode/samples/c/harness.c b/unicorn_mode/samples/c/harness.c index 4239b222..2529c46e 100644 --- a/unicorn_mode/samples/c/harness.c +++ b/unicorn_mode/samples/c/harness.c @@ -29,13 +29,13 @@ #include // Path to the file containing the binary to emulate -#define BINARY_FILE ("simple_target_x86_64") +#define BINARY_FILE ("persistent_target_x86_64") // Memory map for the code to be tested // Arbitrary address where code to test will be loaded static const int64_t BASE_ADDRESS = 0x100000; -static const int64_t CODE_ADDRESS = 0x101119; -static const int64_t END_ADDRESS = 0x1011d7; +static const int64_t CODE_ADDRESS = 0x101139; +static const int64_t END_ADDRESS = 0x10120d; // Address of the stack (Some random address again) static const int64_t STACK_ADDRESS = (((int64_t) 0x01) << 58); // Size of the stack (arbitrarily chosen, just make it big enough) @@ -52,15 +52,33 @@ static const int64_t ALIGNMENT = 0x1000; // In our special case, we emulate main(), so argc is needed. static const uint64_t EMULATED_ARGC = 2; +// The return from our fake strlen +static size_t current_input_len = 0; + static void hook_block(uc_engine *uc, uint64_t address, uint32_t size, void *user_data) { printf(">>> Tracing basic block at 0x%"PRIx64 ", block size = 0x%x\n", address, size); } -static void hook_code(uc_engine *uc, uint64_t address, uint32_t size, void *user_data) -{ +static void hook_code(uc_engine *uc, uint64_t address, uint32_t size, void *user_data) { printf(">>> Tracing instruction at 0x%"PRIx64 ", instruction size = 0x%x\n", address, size); } +/* +The sample uses strlen, since we don't have a loader or libc, we'll fake it. +We know the strlen will return the lenght of argv[1] that we just planted. +It will be a lot faster than an actual strlen for this specific purpose. +*/ +static void hook_strlen(uc_engine *uc, uint64_t address, uint32_t size, void *user_data) { + //Hook + //116b: e8 c0 fe ff ff call 1030 + // We place the return at RAX + //printf("Strlen hook at addr 0x%lx (size: 0x%x), result: %ld\n", address, size, current_input_len); + uc_reg_write(uc, UC_X86_REG_RAX, ¤t_input_len); + // We skip the actual call by updating RIP + uint64_t next_addr = address + size; + uc_reg_write(uc, UC_X86_REG_RIP, &next_addr); +} + /* Unicorn page needs to be 0x1000 aligned, apparently */ static uint64_t pad(uint64_t size) { if (size % ALIGNMENT == 0) return size; @@ -107,8 +125,6 @@ static bool place_input_callback( // Test input too short or too long, ignore this testcase return false; } - // We need a valid c string, make sure it never goes out of bounds. - input[input_len-1] = '\0'; // For persistent mode, we have to set up stack and memory each time. uc_reg_write(uc, UC_X86_REG_RIP, &CODE_ADDRESS); // Set the instruction pointer back @@ -116,10 +132,14 @@ static bool place_input_callback( uc_reg_write(uc, UC_X86_REG_RSI, &INPUT_LOCATION); // argv uc_reg_write(uc, UC_X86_REG_RDI, &EMULATED_ARGC); // argc == 2 - // Make sure the input is 0 terminated. - //input[input_len-1] = '\0'; + // We need a valid c string, make sure it never goes out of bounds. + input[input_len-1] = '\0'; // Write the testcase to unicorn. uc_mem_write(uc, INPUT_LOCATION + INPUT_OFFSET, input, input_len); + + // store input_len for the faux strlen hook + current_input_len = input_len; + return true; } @@ -211,6 +231,11 @@ int main(int argc, char **argv, char **envp) { uc_hook_add(uc, &hooks[1], UC_HOOK_CODE, hook_code, NULL, BASE_ADDRESS, BASE_ADDRESS + len - 1); } + // Add our strlen hook (for this specific testcase only) + int strlen_hook_pos = BASE_ADDRESS + 0x116b; + uc_hook strlen_hook; + uc_hook_add(uc, &strlen_hook, UC_HOOK_CODE, hook_strlen, NULL, strlen_hook_pos, strlen_hook_pos); + printf("Starting to fuzz :)\n"); fflush(stdout); diff --git a/unicorn_mode/samples/c/persistent_target.c b/unicorn_mode/samples/c/persistent_target.c new file mode 100644 index 00000000..5b866f86 --- /dev/null +++ b/unicorn_mode/samples/c/persistent_target.c @@ -0,0 +1,39 @@ +/* + * Sample target file to test afl-unicorn fuzzing capabilities. + * This is a very trivial example that will crash pretty easily + * in several different exciting ways. + * + * Input is assumed to come from a buffer located at DATA_ADDRESS + * (0x00300000), so make sure that your Unicorn emulation of this + * puts user data there. + * + * Written by Nathan Voss + * Adapted by Lukas Seidel + */ +#include +#include + + +int main(int argc, char** argv) { + if (argc < 2) return -1; + + char *data_buf = argv[1]; + uint64_t data_len = strlen(data_buf); + if (data_len < 20) return -2; + + for (; data_len --> 0 ;) { + if (data_len >= 18) continue; + if (data_len > 2 && data_len < 18) { + ((char *)data_len)[(uint64_t)data_buf] = data_buf[data_len + 1]; + } else if (data_buf[9] == 0x90 && data_buf[10] != 0x00 && data_buf[11] == 0x90) { + // Cause a crash if data[10] is not zero, but [9] and [11] are zero + unsigned char invalid_read = *(unsigned char *) 0x00000000; + } + } + if (data_buf[0] > 0x10 && data_buf[0] < 0x20 && data_buf[1] > data_buf[2]) { + // Cause an 'invalid read' crash if (0x10 < data[0] < 0x20) and data[1] > data[2] + unsigned char invalid_read = *(unsigned char *) 0x00000000; + } + + return 0; +} diff --git a/unicorn_mode/samples/c/persistent_target_x86_64 b/unicorn_mode/samples/c/persistent_target_x86_64 new file mode 100644 index 00000000..22e04357 Binary files /dev/null and b/unicorn_mode/samples/c/persistent_target_x86_64 differ diff --git a/unicorn_mode/samples/c/simple_target.c b/unicorn_mode/samples/c/simple_target.c deleted file mode 100644 index dbf10911..00000000 --- a/unicorn_mode/samples/c/simple_target.c +++ /dev/null @@ -1,34 +0,0 @@ -/* - * Sample target file to test afl-unicorn fuzzing capabilities. - * This is a very trivial example that will crash pretty easily - * in several different exciting ways. - * - * Input is assumed to come from a buffer located at DATA_ADDRESS - * (0x00300000), so make sure that your Unicorn emulation of this - * puts user data there. - * - * Written by Nathan Voss - * Adapted by Lukas Seidel - */ - - -int main(int argc, char** argv) { - if(argc < 2){ - return -1; - } - - char *data_buf = argv[1]; - - if (data_buf[20] != 0) { - // Cause an 'invalid read' crash if data[0..3] == '\x01\x02\x03\x04' - unsigned char invalid_read = *(unsigned char *) 0x00000000; - } else if (data_buf[0] > 0x10 && data_buf[0] < 0x20 && data_buf[1] > data_buf[2]) { - // Cause an 'invalid read' crash if (0x10 < data[0] < 0x20) and data[1] > data[2] - unsigned char invalid_read = *(unsigned char *) 0x00000000; - } else if (data_buf[9] == 0x00 && data_buf[10] != 0x00 && data_buf[11] == 0x00) { - // Cause a crash if data[10] is not zero, but [9] and [11] are zero - unsigned char invalid_read = *(unsigned char *) 0x00000000; - } - - return 0; -} -- cgit 1.4.1