You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
/*
Manul - test file
-------------------------------------
Maksim Shudrak <mshudrak@salesforce.com> <mxmssh@gmail.com>
Copyright 2019 Salesforce.com, inc. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at:
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <malloc.h>
#include <errno.h>
#include <unistd.h>
#include <stdint.h>
#include <signal.h>
#include <pthread.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>
void LOG(const char *msg);
char *log_name = "/dev/shm/stage4.log";
static unsigned char *_buf = NULL;
static int branch_1(int in, char *_buf);
static int branch_2(char *buf);
void *ThreadMain(void *argv);
static void p1w(void *addr){
LOG("Yes, General!\n");
if( addr ) ((volatile void(*)())addr)();
}
void LOG2WIN(const char *msg) {
FILE *f = fopen("/dev/shm/WIN", "a");
fprintf(f, "%s", msg);
fclose(f);
}
void LOG(const char *msg) {
FILE *f = fopen(log_name, "a");
fprintf(f, "%s", msg);
fclose(f);
}
void *open_file(char *name) {
char *buf = NULL;
int size = 0;
FILE *fp = fopen(name, "rb");
if (!fp) {
printf("Couldn't open file specified %s", name);
return 0x00;
}
printf("Opening %s\n", name);
// obtain file size:
fseek(fp , 0 , SEEK_END);
size = ftell(fp);
rewind(fp);
// allocate memory to contain the whole file:
buf = (char*) malloc (sizeof(char ) * size);
if (buf == NULL) {LOG("Unable to read file"); exit (-1);}
// copy the file into the buffer:
fread(buf, 1, size, fp);
fclose(fp);
return buf;
}
int main(){
signal(SIGPIPE, SIG_IGN);
LOG("Initializing...\n");
int server = socket(PF_INET, SOCK_STREAM, 0);
if (server == -1)
{
printf("Could not create server socket: %d\n", errno);
return 2;
}
LOG("[+]Socket \n");
int retVal = 0;
int enable = 1;
if (setsockopt(server, SOL_SOCKET, SO_REUSEADDR, &enable, sizeof(enable)) != 0)
{
printf("Could not set SO_REUSEADDR: %d\n", errno);
retVal = 2;
goto end;
}
LOG("[+]Socket opts\n");
struct sockaddr_in addr = {0};
addr.sin_family = AF_INET;
addr.sin_port = htons(4444);
addr.sin_addr.s_addr = INADDR_ANY;
if (bind(server, (struct sockaddr*)&addr, sizeof(addr)) != 0)
{
printf("Could not bind: %d\n", errno);
retVal = 3;
goto end;
}
LOG("[+]Socket binded\n");
if (listen(server, 20) != 0)
{
printf("Could not listen: %d\n", errno);
retVal = 4;
goto end;
}
LOG("[+]Going to point of __noreturn :3\n");
while (1)
{
LOG("[I]main: loop prologue\n");
struct sockaddr_storage theirAddr = {0};
socklen_t len = sizeof(theirAddr);
int client = accept(server, (struct sockaddr*)&theirAddr, &len);
if (client == -1)
{
printf("Accept returned %d\n", errno);
continue;
}
pthread_t t;
if (pthread_create(&t, 0, &ThreadMain, (void*)(long)client) != 0)
{
printf("pthread_create returned %d\n", errno);
retVal = 5;
break;
}
LOG("[I]main: loop epilogue\n");
}
end:
close(server);
return retVal;
}
#define HELLO "Hello, Fuzz!\n"
void *ThreadMain(void *argv)
{
char name[0xff] = { 0x00 }, handshake[0xff] = { 0x00 },
*_buf = NULL;
size_t hssize = 0x00;
uint32_t resp = 0x00;
int fd = (int)(long)argv;
int ok = 0x00;
if ( fd < 0 ) goto fall;
strcat(handshake, HELLO);
strcat(handshake, "\xff\x44\x33\x33\x00");
hssize = strlen(handshake);
ok = send(fd, handshake, hssize, 0x00);
if(ok != hssize) goto fall;
ok = recv(fd, (void*)&resp, sizeof(resp), 0x00);
if(ok != sizeof(resp)) goto fall;
if(resp != 0x333344ff) goto fall;
ok = send(fd, "\x01", sizeof(char), 0x00);
if(ok != sizeof(char)) goto fall;
ok = recv(fd, name, 0xff-1, 0x00);
if(ok <= 0x00) goto fall;
name[ok] = 0x00;
{
_buf = open_file(name);
if( _buf && _buf[0] == 0x01 )
p1w( (void*)(long)branch_1(_buf[1], &(_buf[2])) );
if( malloc_usable_size(_buf) ){
memset( _buf, 0x41, malloc_usable_size(_buf) );
free( _buf );
}
}
send(fd, "\x02", sizeof(char), 0x00);
fall:
close(fd);
return 0x00;
}
static int branch_1(int in, char *_buf){
int ret;
LOG2WIN("Wiiiin");
printf("in=%d, buf=%s\n",in,_buf);
if( in % 0xae != 0x00 )
ret = 0x00;
if( in % 17 == 0x00 )
if( _buf )
ret = branch_2( _buf );
return ret;
}
static int branch_2(char *buf){
if( !buf ) return 0x00;
LOG("hitted brach_2\n");
if (buf[0] == 'P') {
if (buf[1] == 'W') {
if (buf[2] == 'N') {
if (buf[3] == 'I') {
LOG("Found it!\n");
return 0xdeadbeef;
}
}
}
}
return 0x00;
}
At the moment my goal is to make qemu work with runtime instrumentation as I need.
I want make somehow to fuzz without forks, or, maybe, even with forks, but don't restart whole server binary every time. How should I do this? Is it even possible?
attempt 1:
export AFL_QEMU_DEBUG_MAPS=1
### config (probably invalid) with forkloop in main
### 0x00000000000015fe <+431>: lea rax,[rip+0xb47] # 0x214c
#export AFL_QEMU_PERSISTENT_RETADDR_OFFSET=0xb8
#export AFL_QEMU_SNAPSHOT=0x40000015fe
### 0x000000000000165b <+524>: jmp 0x15fe <main+431>
#export AFL_QEMU_PERSISTENT_RET=0x400000165b
### config (probably invalid) with forkloop in main
# Yes, it loops infinity in main between start--end, don't allow to pass thread func
attempt 2:
### config (probably valid) with forkloop From MAIN to Thread ret
#export AFL_QEMU_PERSISTENT_RETADDR_OFFSET=0xb0
#export AFL_QEMU_SNAPSHOT=0x4000001687
export AFL_QEMU_PERSISTENT_ADDR=0x4000001687
export AFL_QEMU_PERSISTENT_GPR=1
export AFL_QEMU_PERSISTENT_MEM=0/1 #both checked, but I prefer 0 to catch UAF and UIU
export AFL_QEMU_PERSISTENT_EXITS=0/0 #both checked
### 0x00000000000019ed <+741>: ret ; ThreadMain ret
export AFL_QEMU_PERSISTENT_RET=0x40000019ed
### config (probably valid) with forkloop From MAIN to Thread ret
export QEMU_GDB=1337
So, it's seems that main thread don't return from kernel-space from systemcall accept()
while qemu redirect second thread to the main() code? Can somebody advice me, please?
How should I deal with cases like this one?
Thanks!
The text was updated successfully, but these errors were encountered:
kotee4ko
changed the title
How to deal with Thrads?
How to deal with Therads?
Aug 13, 2021
kotee4ko
changed the title
How to deal with Therads?
How to deal with threads?
Aug 13, 2021
Hi. I'm trying to solve small smoke-test which i write myself.
Asm:
Souce:
At the moment my goal is to make qemu work with runtime instrumentation as I need.
I want make somehow to fuzz without forks, or, maybe, even with forks, but don't restart whole server binary every time. How should I do this? Is it even possible?
attempt 1:
attempt 2:
result:
So, it's seems that main thread don't return from kernel-space from systemcall accept()
while qemu redirect second thread to the main() code? Can somebody advice me, please?
How should I deal with cases like this one?
Thanks!
The text was updated successfully, but these errors were encountered: