├── .gitignore ├── AbsDomStridedInterval.cpp ├── AbsDomStridedInterval.h ├── AbsRegion.cpp ├── AbsRegion.h ├── AbsState.h ├── AbstractDomain.h ├── AbstractInterpreter.h ├── BUGS ├── BUGS-EXCERPT ├── COPYING ├── CompilerPortability.h ├── Context.h ├── Counted.h ├── HashFunctions.cpp ├── HashFunctions.h ├── InterProcCFG.cc ├── InterProcCFG.h ├── Makefile ├── MemMap.h ├── PinDisasm.cc ├── PinDisasm.h ├── RBNode.h ├── RBTest.cpp ├── README ├── README.pintracer ├── Rand.cpp ├── Rand.h ├── RedBlackTree.h ├── RegionTest.cpp ├── Registers.cpp ├── Registers.h ├── StridedIntervalTest.cpp ├── Utilities.cpp ├── Utilities.h ├── VSAInterpreter.h ├── ValSet.h ├── analyze ├── argv_readparam.cc ├── argv_readparam.h ├── bourdoncle_wto.h ├── build-fresh-1404-32.sh ├── build-prereqs-1604-umn-cs.sh ├── callgraph.cc ├── callgraph.h ├── callstack.h ├── cfg.cc ├── cfg.h ├── cfg └── README ├── cfg_fuzzball.ml ├── cfgfromtrace.cc ├── cfgs.idl ├── cfgs_for_ocaml.cc ├── cfgs_for_ocaml.h ├── cfgs_test.ml ├── count-coverage.cc ├── countfpfn.sh ├── dataflow.cc ├── dataflow.h ├── debug.h ├── dietlibc.patch ├── dietlibc_funcs.h ├── fpfn.sh ├── func.cc ├── func.h ├── graph.h ├── influence.h ├── instr.cc ├── instr.h ├── path-length-test.cc ├── pintracer.cc ├── prog.h ├── run-fuzzball.pl ├── serialize.cc ├── serialize.h ├── slice.py ├── small-examples ├── hello-nolibc ├── hello-nolibc.c ├── mini-start.S ├── rot13char-overflow-nolibc └── rot13char-overflow-nolibc.c ├── static.cc ├── tabulate-fuzzball-coverage.pl ├── tabulate-fuzzball-results.pl ├── trace.cc ├── trace.h ├── trace.sh ├── types.h ├── vineir.cc ├── vulapps ├── Makefile ├── README ├── bind │ ├── b1 │ │ ├── 2010-11-04.cmd │ │ ├── 2010-11-05-cfg-dir.cmd │ │ ├── Makefile │ │ ├── create_msg_file.c │ │ ├── my-resolv.c │ │ ├── ns_defs.h │ │ ├── nxt-bad-myresolv-mylibc-diet-svn │ │ ├── nxt-bad-nojt │ │ ├── nxt-bad.c │ │ ├── nxt-ok.c │ │ ├── run.sh │ │ ├── testcase │ │ ├── testcase.exploit │ │ └── testcase.init │ ├── b2 │ │ ├── 
2010-11-08-cfg-guide.cmd │ │ ├── 2010-11-08.cmd │ │ ├── Makefile │ │ ├── create_msg_file.c │ │ ├── create_sig.c │ │ ├── ns_defs.h │ │ ├── run.sh │ │ ├── sig-bad-diet-svn │ │ ├── sig-bad-nojt │ │ ├── sig-bad.c │ │ ├── sig-ok.c │ │ ├── test.c │ │ ├── testcase │ │ ├── testcase.exploit │ │ └── testcase.init │ ├── b3 │ │ ├── 2010-11-10.cmd │ │ ├── 2010-11-11.cmd │ │ ├── Makefile │ │ ├── b3.in │ │ ├── create_iquery.c │ │ ├── iquery-bad-diet-svn │ │ ├── iquery-bad.c │ │ ├── iquery-file.exploit │ │ ├── iquery-file.init │ │ ├── iquery-ok.c │ │ ├── run.sh │ │ ├── testcase │ │ └── testcase.init │ └── b4 │ │ ├── 2010-11-11-guided.cmd │ │ ├── 2010-11-11.cmd │ │ ├── Makefile │ │ ├── address_file │ │ ├── address_file.bak │ │ ├── create_address_file.c │ │ ├── my-named.h │ │ ├── ns-lookup-bad.c │ │ ├── ns-lookup-ok.c │ │ ├── nsl-bad-diet-svn │ │ ├── run.sh │ │ ├── testcase │ │ ├── testcase.exploit │ │ └── testcase.init ├── compute-bad-locations.sh ├── my-libc.c ├── runAll.pl ├── sendmail │ ├── s1 │ │ ├── 2010-11-06.cmd │ │ ├── 2010-11-07.cmd │ │ ├── Makefile │ │ ├── ca-bad │ │ ├── ca-bad-mylibc │ │ ├── ca-bad-mylibc-diet-svn │ │ ├── crackaddr-bad-mylibc-strchr.c │ │ ├── crackaddr-bad-mylibc.c │ │ ├── crackaddr-bad.c │ │ ├── crackaddr-ok.c │ │ ├── run.sh │ │ ├── testcase │ │ ├── testcase.exploit │ │ └── testcase.init │ ├── s2 │ │ ├── 2010-11-10-guided.cmd │ │ ├── 2010-11-10.cmd │ │ ├── Makefile │ │ ├── ge-bad-diet-svn │ │ ├── main-bad.c │ │ ├── main-ok.c │ │ ├── mywrapper.c │ │ ├── recipient-bad.c │ │ ├── recipient-ok.c │ │ ├── recipient.c │ │ ├── run.sh │ │ ├── sendmail-bad.h │ │ ├── sendmail-ok.h │ │ ├── testcase │ │ ├── testcase.exploit │ │ ├── testcase.init │ │ ├── util-bad.c │ │ └── util-ok.c │ ├── s3 │ │ ├── 2010-11-17.cmd │ │ ├── Makefile │ │ ├── m1-bad-diet-svn │ │ ├── main.c │ │ ├── mime1-bad.c │ │ ├── mime1-ok.c │ │ ├── my-sendmail.h │ │ ├── run.sh │ │ ├── testcase │ │ ├── testcase.benign │ │ ├── testcase.exploit │ │ └── testcase.init │ ├── s4 │ │ ├── 2010-11-12-guided.cmd 
│ │ ├── 2010-11-12.cmd │ │ ├── Makefile │ │ ├── m2-bad-diet-svn │ │ ├── mime2-bad.c │ │ ├── mime2-ok.c │ │ ├── mime2.h │ │ ├── run.sh │ │ ├── testcase │ │ ├── testcase.benign │ │ ├── testcase.exploit │ │ └── testcase.init │ ├── s5 │ │ ├── 2010-11-18.cmd │ │ ├── Makefile │ │ ├── prescan-bad-diet-svn │ │ ├── prescan-overflow-bad.c │ │ ├── prescan-overflow-ok.c │ │ ├── run.sh │ │ ├── testcase │ │ ├── testcase.exploit │ │ └── testcase.init │ ├── s6 │ │ ├── 2010-10-23.cmd │ │ ├── 2010-11-04.cmd │ │ ├── 2010-11-12-hand-guide.cmd │ │ ├── 2010-11-12-warn-guide.cmd │ │ ├── 2010-11-12.cmd │ │ ├── Makefile │ │ ├── my-main.c │ │ ├── mymain.c │ │ ├── run.sh │ │ ├── sendmail.h │ │ ├── tTflag-bad-mylibc.c │ │ ├── tTflag-bad.c │ │ ├── tTflag-ok.c │ │ ├── testcase │ │ ├── testcase.exploit │ │ ├── testcase.init │ │ ├── ttflag-bad │ │ ├── ttflag-bad-mylibc │ │ └── ttflag-bad-mylibc-diet-svn │ └── s7 │ │ ├── 2010-11-14-hand-guide.cmd │ │ ├── 2010-11-14.cmd │ │ ├── Makefile │ │ ├── create-dns-file.c │ │ ├── my-util.c │ │ ├── run.sh │ │ ├── testcase │ │ ├── testcase.exploit │ │ ├── testcase.exploit2 │ │ ├── testcase.init │ │ ├── txt-dns-file-bad.c │ │ ├── txt-dns-file-ok.c │ │ ├── txt-dns.h │ │ └── txtdns-bad-diet-svn ├── show-bad-locations.sh └── wu-ftpd │ ├── f1 │ ├── 2010-11-05.cmd │ ├── 2010-11-06.cmd │ ├── Makefile │ ├── call_fb_realpath.c │ ├── make-long-path.c │ ├── mapped-path-bad.c │ ├── mapped-path-ok.c │ ├── mp-bad-mylibc │ ├── mp-bad-mylibc-diet-svn │ ├── my-include.h │ ├── pathfile.exploit │ ├── pathfile.init │ ├── realpath-bad.c │ ├── realpath-ok.c │ ├── run.sh │ ├── testcase │ └── testcase.init │ ├── f2 │ ├── 2010-11-09-fulllen.cmd │ ├── 2010-11-09.cmd │ ├── Makefile │ ├── call_fb_realpath.c │ ├── my-include.h │ ├── obo-bad-diet-svn │ ├── realpath-bad.c │ ├── realpath-ok.c │ ├── run.sh │ ├── testcase │ ├── testcase.exploit │ └── testcase.init │ └── f3 │ ├── 2010-11-10-guided.cmd │ ├── 2010-11-10.cmd │ ├── 2010-11-14-hand-guide.cmd │ ├── 2010-11-14-warn-guide.cmd │ ├── 
Makefile │ ├── call-realpath-bad.c │ ├── call-realpath-ok.c │ ├── my-include.h │ ├── mymain.c │ ├── realpath-2.4.2-bad.c │ ├── realpath-2.4.2-ok.c │ ├── rp-bad-diet-svn │ ├── run.sh │ ├── testcase │ ├── testcase.exploit │ └── testcase.init ├── warning.h └── warning2source.py /.gitignore: -------------------------------------------------------------------------------- 1 | *.o 2 | *.d 3 | /VEX 4 | /binutils 5 | /boost 6 | /fuzzball 7 | /pin-2.13-65163-gcc.4.4.7-linux 8 | /pin-2.14-71313-gcc.4.4.7-linux 9 | /pin-2.14-71313-gcc.4.4.7-linux.tar.gz 10 | /cfgs.h 11 | /cfgs.ml 12 | /cfgs.mli 13 | /cfgs_stubs.c 14 | /count-coverage 15 | /path-length-test 16 | /pintracer.so 17 | /rbtest 18 | /regiontest 19 | /static 20 | /stridedtest 21 | /vineir 22 | fuzzball-tmp-* 23 | [sbf][1-7]-baseline-*.out 24 | [sbf][1-7]-guided-*.out 25 | [sbf][1-7]-guided2-*.out 26 | *.cmi 27 | *.cmx 28 | /cfg_fuzzball 29 | /cfg/*.cfg 30 | vulapps/bind/b1/nxt-bad-myresolv-mylibc-diet 31 | vulapps/bind/b2/sig-bad-diet 32 | vulapps/bind/b3/iquery-bad-diet 33 | vulapps/bind/b4/nsl-bad-diet 34 | vulapps/sendmail/s1/ca-bad-mylibc-diet 35 | vulapps/sendmail/s2/ge-bad-diet 36 | vulapps/sendmail/s3/m1-bad-diet 37 | vulapps/sendmail/s4/m2-bad-diet 38 | vulapps/sendmail/s5/prescan-bad-diet 39 | vulapps/sendmail/s6/ttflag-bad-mylibc-diet 40 | vulapps/sendmail/s7/txtdns-bad-diet 41 | vulapps/wu-ftpd/f1/mp-bad-mylibc-diet 42 | vulapps/wu-ftpd/f2/obo-bad-diet 43 | vulapps/wu-ftpd/f3/rp-bad-diet 44 | include 45 | lib 46 | -------------------------------------------------------------------------------- /AbsRegion.cpp: -------------------------------------------------------------------------------- 1 | #include "AbsRegion.h" 2 | 3 | using namespace absdomain; 4 | using namespace utils; 5 | 6 | #define ABSREG Region 7 | 8 | template<> THREADLOCAL int ABSREG::counter(3); 9 | template<> THREADLOCAL const memmap::MemMap* ABSREG::mmap(0); 10 | 11 | #define ABSDOM ValueSet 12 | #define ABSDOMPTR boost::intrusive_ptr 13 | 
#define CPLXTYPE \ 14 | std::pair >, \ 15 | boost::intrusive_ptr > 16 | 17 | template<> THREADLOCAL Multimap* 18 | AbstractDomain::cache(0); 19 | 20 | template<> THREADLOCAL 21 | Multimap > >* 22 | RedBlackTree::cache(0); 23 | 24 | template<> THREADLOCAL RedBlackTree::Rbnode::RBVector* 25 | RedBlackTree::stack(0); 26 | 27 | template<> THREADLOCAL int RedBlackTree::opcounter(0); 28 | template<> THREADLOCAL bool RedBlackTree::doCache(true); 29 | 30 | #undef ABSREG 31 | #undef ABSDOM 32 | #undef ABSDOMPTR 33 | #undef CPLXTYPE 34 | 35 | #define CPLXTYPE std::pair, \ 36 | boost::intrusive_ptr > > 37 | 38 | template<> THREADLOCAL 39 | Multimap > >* 40 | RedBlackTree::cache(0); 41 | 42 | template<> THREADLOCAL RedBlackTree::Rbnode::RBVector* 43 | RedBlackTree::stack(0); 44 | 45 | template<> THREADLOCAL int RedBlackTree::opcounter(0); 46 | template<> THREADLOCAL bool RedBlackTree::doCache(true); 47 | 48 | #undef CPLXTYPE 49 | #define CPLXTYPE boost::intrusive_ptr > 51 | 52 | template<> THREADLOCAL 53 | Multimap > >* 54 | RedBlackTree::cache(0); 55 | 56 | template<> THREADLOCAL RedBlackTree::Rbnode::RBVector* 57 | RedBlackTree::stack(0); 58 | 59 | template<> THREADLOCAL int RedBlackTree::opcounter(0); 60 | template<> THREADLOCAL bool RedBlackTree::doCache(true); 61 | 62 | #undef CPLXTYPE 63 | -------------------------------------------------------------------------------- /CompilerPortability.h: -------------------------------------------------------------------------------- 1 | // -------------------------------------------------------------------- 2 | // Compiler abstraction layer 3 | // -------------------------------------------------------------------- 4 | 5 | #ifndef COMPILER_PORTABILITY_H 6 | #define COMPILER_PORTABILITY_H 7 | 8 | #if defined(_MSC_VER) 9 | // -------------------------------------------------------------------- 10 | // Microsoft compiler specific code 11 | // -------------------------------------------------------------------- 12 | 13 | #define 
THREADLOCAL __declspec( thread ) 14 | 15 | #elif defined(__GNUC__) 16 | // -------------------------------------------------------------------- 17 | // GNU-C/C++ specific code 18 | // -------------------------------------------------------------------- 19 | 20 | #define THREADLOCAL __thread 21 | 22 | #elif defined(ICC) 23 | // -------------------------------------------------------------------- 24 | // Intel compiler specific code 25 | // -------------------------------------------------------------------- 26 | 27 | #define THREADLOCAL __thread 28 | 29 | #else 30 | #error "Unsupported platform." 31 | #endif 32 | 33 | #endif // COMPILER_PORTABILITY_H 34 | -------------------------------------------------------------------------------- /Counted.h: -------------------------------------------------------------------------------- 1 | #ifndef UTILS_COUNTED_H 2 | #define UTILS_COUNTED_H 3 | 4 | #include 5 | #include 6 | #include 7 | 8 | namespace utils { 9 | // Enclosure into another namespace is needed to assure that 10 | // intrusive_ptr* don't get automatically specialized for arbitrary 11 | // classes. 
12 | namespace pt { 13 | 14 | class Counted { 15 | mutable size_t counter; 16 | Counted(const Counted&); 17 | Counted& operator=(const Counted&); 18 | 19 | friend void intrusive_ptr_add_ref(Counted*); 20 | friend void intrusive_ptr_release(Counted*); 21 | 22 | protected: 23 | 24 | void ref() { // Increment ref counter 25 | counter++; 26 | if (counter == 0) { 27 | assert(false && "Ref counter overflow."); 28 | throw(std::overflow_error("Ref counter overflow.")); 29 | } 30 | } 31 | 32 | bool unref() { // Decrement ref counter 33 | if (counter <= 0) { 34 | assert(false && "Ref counter underflow."); 35 | throw(std::underflow_error("Ref counter underflow.")); 36 | } 37 | return --counter == 0; 38 | } 39 | 40 | public: 41 | Counted() : counter(0) {} 42 | size_t count() const { return counter; } 43 | virtual ~Counted() {} 44 | }; 45 | 46 | inline void intrusive_ptr_add_ref(Counted* p) { 47 | if (p) { 48 | p->ref(); 49 | } 50 | } 51 | 52 | inline void intrusive_ptr_release(Counted* p) { 53 | if (p) { 54 | if (p->unref()) { // Zero active references left 55 | delete p; 56 | } 57 | } 58 | } 59 | 60 | } // End of pt namespace 61 | } // End of utils namespace 62 | 63 | #endif // UTILS_COUNTED_H 64 | -------------------------------------------------------------------------------- /HashFunctions.h: -------------------------------------------------------------------------------- 1 | // -------------------------------------------------------------------- 2 | // Various basic hash functions for strings and integers 3 | // -------------------------------------------------------------------- 4 | 5 | #ifndef UTILS_HASH_FUNCTIONS 6 | #define UTILS_HASH_FUNCTIONS 7 | 8 | #include 9 | #include 10 | 11 | namespace utils { 12 | 13 | // -------------------------------------------------------------------- 14 | // Domagoj's hash functions 15 | // -------------------------------------------------------------------- 16 | int inthash(const int key); 17 | int64_t int64hash(const int64_t key); 18 
| int32_t int32hash(const int32_t key); 19 | int64_t stringhash(const std::string& str); 20 | 21 | // -------------------------------------------------------------------- 22 | // String hashing 23 | // -------------------------------------------------------------------- 24 | unsigned int RSHash (const std::string& str); 25 | unsigned int JSHash (const std::string& str); 26 | // Method recommended in Aho, Sethi, Ullman book 27 | unsigned int PJWHash (const std::string& str); 28 | unsigned int ELFHash (const std::string& str); 29 | unsigned int BKDRHash(const std::string& str); 30 | unsigned int SDBMHash(const std::string& str); 31 | unsigned int DJBHash (const std::string& str); 32 | unsigned int DEKHash (const std::string& str); 33 | unsigned int APHash (const std::string& str); 34 | // Domagoj's simple hash - weighted sum of characters. 35 | unsigned int DBHash (const std::string& str); 36 | // Merge of PJW & DB hash, more efficient than using the two separately 37 | int64_t PJWDBHash (const std::string& str); 38 | 39 | // -------------------------------------------------------------------- 40 | // Integer hashing 41 | // -------------------------------------------------------------------- 42 | int64_t TWLongHash (const int64_t key); 43 | int64_t MULongHash (const int64_t key); 44 | unsigned int RJHash (const unsigned int key); 45 | unsigned int TWHash (const unsigned int key); 46 | 47 | } // End of utils namespace 48 | 49 | #endif // UTILS_HASH_FUNCTIONS 50 | -------------------------------------------------------------------------------- /InterProcCFG.h: -------------------------------------------------------------------------------- 1 | #include "func.h" 2 | #include "cfg.h" 3 | #include "callgraph.h" 4 | #include "warning.h" 5 | #include "influence.h" 6 | 7 | #include 8 | #include 9 | #include 10 | 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | 17 | using namespace std; 18 | using namespace boost; 19 | 20 | typedef map costmap; 21 | 
22 | class InterProcCFG { 23 | protected: 24 | enum edge_type { 25 | INTRA_EDGE, 26 | BACK_EDGE, 27 | CALL_EDGE, 28 | RETURN_EDGE, 29 | CALL_TO_RET_EDGE, 30 | }; 31 | 32 | struct bb_ptr_t { typedef vertex_property_tag kind; }; 33 | 34 | struct edge_type_t { typedef edge_property_tag kind; }; 35 | 36 | struct paths_to_header_t { typedef vertex_property_tag kind; }; 37 | 38 | typedef adjacency_list > > >, 43 | property > > 45 | IPCFGraph; 46 | typedef graph_traits::vertex_descriptor IPCFGNode; 47 | typedef graph_traits::edge_descriptor IPCFGEdge; 48 | 49 | typedef map > subgraph_map; 50 | 51 | subgraph_map subgraphs; 52 | map bb_to_node; 53 | IPCFGraph ipcfg; 54 | IPCFGNode target_node; 55 | Warning *warning; 56 | set interesting_loops; 57 | 58 | tr1::unordered_map bb_lookup_cache; 59 | 60 | void copy_nodes_to_ipcfg(Function *func); 61 | void make_call_ret_edges(Instruction *i, bool include_returns); 62 | void copy_edges_to_ipcfg(Function *func, 63 | bool include_returns, 64 | bool include_call_to_rets, 65 | bool include_calls); 66 | long compute_pth(bool first_call, BasicBlock *bb); 67 | BasicBlock* lookup_bb(addr_t addr, 68 | map &functions); 69 | bool is_loop_exit_cond(BasicBlock *bb); 70 | bool edge_is_loop_exit(BasicBlock *from_bb, BasicBlock *to_bb); 71 | 72 | public: 73 | void to_vcg(ostream &out); 74 | void set_target_addr(addr_t target_addr, 75 | map &functions); 76 | void set_target_warning(Warning *w, 77 | map &functions); 78 | void compute_shortest_paths(); 79 | long long lookup_distance(addr_t source_addr, 80 | map &functions); 81 | int lookup_influence(addr_t addr, 82 | map &functions, 83 | influence_map_t *influence); 84 | long lookup_pth(addr_t addr, 85 | map &functions); 86 | bool is_loop_exit_cond(addr_t branch_addr, 87 | map &functions); 88 | bool edge_is_loop_exit(addr_t from_addr, addr_t to_addr, 89 | map &functions); 90 | bool is_interesting_loop(addr_t addr, 91 | map &functions); 92 | addr_t get_component(addr_t addr, 93 | map &functions); 94 | 
bool same_bb(addr_t addr1, addr_t addr2, 95 | map &functions); 96 | 97 | InterProcCFG(map &functions); 98 | InterProcCFG() {}; 99 | 100 | void remove_call_edges_from_g1(); 101 | void remove_ret_edges_from_g2(); 102 | void add_call_ret_edges_to_g1_and_g2(costmap &costs, map &); 103 | }; 104 | 105 | class IntraProcCFG : public InterProcCFG { 106 | private: 107 | Function *func; 108 | Cfg *cfg; 109 | BasicBlock *exitnode; 110 | 111 | public: 112 | IntraProcCFG(Function *func); 113 | ~IntraProcCFG(); 114 | 115 | void add_calls_costs_to_edges(costmap &costs); 116 | long long compute_shortest_path_to_exit(); 117 | }; 118 | 119 | InterProcCFG *build_ipcfg(const char *fname, map &); 120 | 121 | // Local Variables: 122 | // mode: c++ 123 | // c-basic-offset: 4 124 | // compile-command: "dchroot -c typeinfer -d make" 125 | // End: 126 | -------------------------------------------------------------------------------- /MemMap.h: -------------------------------------------------------------------------------- 1 | // TODO: 2 | // 1) hasn't been tested. 
3 | // 2) Add an artificially created chunk for **argv 4 | // 3) add interface for getting the address of that **argv chunk 5 | // 4) change the constructor to take the size of **argv (number of 6 | // strings and size of each string) as parameters 7 | 8 | #ifndef GLOB_MEMMAP_H 9 | #define GLOB_MEMMAP_H 10 | 11 | #include "prog.h" 12 | #include 13 | 14 | namespace memmap { 15 | 16 | struct Comparator { 17 | typedef std::pair IntPair; 18 | bool operator()(const IntPair& a, const IntPair& b) const { 19 | return a.first <= b.first; 20 | } 21 | }; 22 | 23 | // Proxy to easiliy access initialized globals 24 | class MemMap { 25 | private: 26 | typedef std::pair IntPair; 27 | typedef std::map Adr2SecMap; 28 | Adr2SecMap addr2sec; 29 | typedef std::vector IntPairVec; 30 | typedef IntPairVec::const_iterator const_iterator; 31 | IntPairVec secs; 32 | const Prog* prog; 33 | 34 | public: 35 | MemMap(const Prog &p) : prog(&p) { 36 | for (sections_t::const_iterator sit = p.sec_begin(); 37 | sit != p.sec_end(); sit++) { 38 | if ((*sit)->isAllocated()) { 39 | secs.push_back(IntPair((*sit)->getAddress(), 40 | (*sit)->getAddress() + 41 | (*sit)->getSize() - 1)); 42 | addr2sec[(*sit)->getAddress()] = *sit; 43 | } 44 | } 45 | std::sort(secs.begin(), secs.end(), Comparator()); 46 | } 47 | 48 | ~MemMap(); 49 | 50 | // Returns the lower bound of the closest memory section 51 | size_t getLowerBound(size_t a) const { 52 | const IntPair p(a, a); 53 | const_iterator I = std::lower_bound(secs.begin(), secs.end(), p, 54 | Comparator()); 55 | if (I != secs.begin()) { 56 | const IntPair found = *--I; 57 | return found.first; 58 | } else { 59 | return 0; 60 | } 61 | } 62 | 63 | const Section* getSection(size_t a) const { 64 | const IntPair p(a, a); 65 | const_iterator I = std::lower_bound(secs.begin(), secs.end(), p, 66 | Comparator()); 67 | if (I != secs.begin()) { 68 | const IntPair found = *--I; 69 | if (I->first <= a && I->second >= a) { 70 | Adr2SecMap::const_iterator MI = 
addr2sec.find(found.first); 71 | assert(MI != addr2sec.end() && "Address not found."); 72 | return MI->second; 73 | } 74 | } 75 | return 0; 76 | } 77 | 78 | bool isValid(size_t a) const { return getSection(a) != 0; } 79 | 80 | 81 | byte_t get(size_t a) const { 82 | const Section* s = getSection(a); 83 | assert(s && "Requested section not found."); 84 | /* Too verbose 85 | #ifndef NDEBUG 86 | debug3("%.8x is in section %s %.8x-%.8x\n", a, 87 | s->getName(), s->getAddress(), s->getAddress() + 88 | s->getSize() - 1); 89 | #endif 90 | // */ 91 | return s->getByte(a); 92 | } 93 | 94 | void check() const { 95 | for (sections_t::const_iterator sit = prog->sec_begin(); 96 | sit != prog->sec_end(); ++sit) { 97 | addr_t a = (*sit)->getAddress(); 98 | 99 | for (bytes_t::const_iterator bit = (*sit)->bytes_begin(); 100 | bit != (*sit)->bytes_end(); ++bit) { 101 | 102 | byte_t b = *bit; 103 | assert(isValid(a)); 104 | assert(get(a) == b); 105 | ++a; 106 | } 107 | } 108 | } 109 | }; 110 | 111 | 112 | } // End of the memmap namespace 113 | 114 | #endif // GLOB_MEMMAP_H 115 | 116 | 117 | // Local Variables: 118 | // c-basic-offset: 4 119 | // compile-command: "dchroot -c typeinfer -d make" 120 | // End: 121 | -------------------------------------------------------------------------------- /PinDisasm.cc: -------------------------------------------------------------------------------- 1 | #include "debug.h" 2 | #include "types.h" 3 | #include "PinDisasm.h" 4 | #include 5 | #include 6 | #include 7 | 8 | size_t inslen(ADDRINT addr) { 9 | xed_state_t dstate; 10 | xed_decoded_inst_t xedd; 11 | 12 | xed_tables_init(); 13 | 14 | xed_state_zero(&dstate); 15 | xed_state_init(&dstate, 16 | XED_MACHINE_MODE_LEGACY_32, 17 | XED_ADDRESS_WIDTH_32b, 18 | XED_ADDRESS_WIDTH_32b); 19 | 20 | xed_decoded_inst_zero_set_mode(&xedd, &dstate); 21 | xed_decode(&xedd, (const xed_uint8_t*) addr, 16); 22 | return xed_decoded_inst_get_length(&xedd); 23 | } 24 | 25 | 26 | // Resolve thunks (only for main 
executable) In order for this to work lazy 27 | // binding must be disabled (i.e., LD_BIND_NOW must be set) 28 | // if (isplt(funcaddr) && !islib(instrptr)) { 29 | ADDRINT derefplt(ADDRINT instrptr, ADDRINT funcaddr, ADDRINT ebx) { 30 | unsigned char *plt = (unsigned char *) funcaddr; 31 | 32 | debug2("Try to dereference PLT entry @ %.8x with base %.8x\n", funcaddr, ebx); 33 | 34 | // The entry is of the form 'jmp *0x804a014' 35 | if (plt[0] == 0xFF && plt[1] == 0x25) { 36 | funcaddr += 2; 37 | funcaddr = *((ADDRINT *) (*((ADDRINT *) funcaddr))); 38 | debug2("Resolved function address %.8x (PLT) -> %.8x\n", (ADDRINT) plt, 39 | funcaddr); 40 | } else if (plt[0] == 0xFF && plt[1] == 0xa3) { 41 | // The entry is of the form 'jmp *0xc(%ebx)' 42 | funcaddr += 2; 43 | funcaddr = *((ADDRINT *) funcaddr); 44 | funcaddr = *((ADDRINT *) (ebx + funcaddr)); 45 | debug2("Resolved PIC function address %.8x (PLT) -> %.8x\n", (ADDRINT) plt, 46 | funcaddr); 47 | } else { 48 | assert_msg(0, "Unknown PLT entry type eip:%.8x funcaddr:%.8x " 49 | "plt[0]:%.2x plt[1]:%.2x", instrptr, funcaddr, plt[0], 50 | plt[1]); 51 | } 52 | 53 | return funcaddr; 54 | } 55 | 56 | byte_t ispicthunk(ADDRINT instptr) { 57 | if (memcmp((byte_t *) instptr, "\x8b\x1c\x24\xc3", 4) == 0) { 58 | return '\x1c'; 59 | } else if (memcmp((byte_t *) instptr, "\x8b\x0c\x24\xc3", 4) == 0) { 60 | return '\x0c'; 61 | } else if (memcmp((byte_t *) instptr, "\x8b\x14\x24\xc3", 4) == 0) { 62 | return '\x14'; 63 | } 64 | 65 | return 0; 66 | } 67 | 68 | bool patchpicthunk(ADDRINT instrptr, ADDRINT funcaddr, Instruction *I) { 69 | byte_t r = ispicthunk(funcaddr); 70 | // Is the target 'mov (%esp),%ebx; ret'? 
71 | if (r) { 72 | // Simulate a 'mov retaddr, %ebx;' 73 | debug2("Detected PIC thunk @ %.8x, called from %.8x\n", funcaddr, 74 | instrptr); 75 | ADDRINT addr = instrptr + 5; 76 | byte_t fake[5]; 77 | 78 | // Generate fake 'mov $nexteip,%ebx' 79 | fake[0] = r; 80 | memcpy(fake + 1, &addr, sizeof(addr)); 81 | I->setRawBytes(fake, 5); 82 | 83 | return true; 84 | } 85 | 86 | return false; 87 | } 88 | 89 | // Local Variables: 90 | // mode: c++ 91 | // c-basic-offset: 4 92 | // compile-command: "dchroot -c typeinfer -d make" 93 | // End: 94 | -------------------------------------------------------------------------------- /PinDisasm.h: -------------------------------------------------------------------------------- 1 | #ifndef __PIN_DISASM_H__ 2 | #define __PIN_DISASM_H__ 3 | 4 | #include "instr.h" 5 | #include 6 | #include 7 | 8 | class Instruction; 9 | 10 | size_t inslen(ADDRINT addr); 11 | ADDRINT derefplt(ADDRINT instptr, ADDRINT funcaddr, ADDRINT ebx); 12 | byte_t ispicthunk(ADDRINT instptr); 13 | bool patchpicthunk(ADDRINT instrptr, ADDRINT funcaddr, Instruction *I); 14 | 15 | #endif // !__PIN_DISASM_H__ 16 | 17 | // Local Variables: 18 | // mode: c++ 19 | // c-basic-offset: 4 20 | // compile-command: "dchroot -c typeinfer -d make" 21 | // End: 22 | -------------------------------------------------------------------------------- /README.pintracer: -------------------------------------------------------------------------------- 1 | PINTRACER 2 | 3 | $ export LD_BIND_NOW=1 4 | $ pin -t pintracer.so PIN_ARGS -- PROG PROG_ARGS 5 | 6 | PIN_ARGS: 7 | 8 | --debug=N set the debug level to N; debug messages are written to 9 | '/tmp/pintrace.log' 10 | 11 | --skiplibs=0|1 skip (1) libraries functions when constructing the CFGs 12 | 13 | --trace=F dump a minimalistic execution trace to F; the trace 14 | contains the list of *all* the basic block executed 15 | 16 | --cfg=F dump the reconstructed program to F (CFG of each executed 17 | function and the callgraph) 18 | 19 | 
--dot=D dump the CFGs and the callgraph in 'graphviz' format into 20 | the directory D, which must already exist. 21 | 22 | --vcg=D like --dot, but use the VCG format for graphs. 23 | 24 | --outprog=F serialize the callgraph and the CFG to F 25 | 26 | --inprog=F unserialize the callgraph and the CFG from F (used for 27 | incremental CFG update) 28 | 29 | Have a look at the script 'trace.sh'. 30 | 31 | Please do not remove the comments at the end of .cc and .h files. They are used 32 | by my editor. 33 | 34 | -- lm 35 | -------------------------------------------------------------------------------- /Rand.cpp: -------------------------------------------------------------------------------- 1 | #include "Rand.h" 2 | #include "CompilerPortability.h" 3 | #include 4 | #include 5 | 6 | namespace utils { 7 | namespace rnd { 8 | 9 | namespace { 10 | 11 | typedef std::tr1::variate_generator< 12 | std::tr1::mt19937, 13 | std::tr1::uniform_int > Int32RGenTy; 14 | 15 | // Note that both of these functions are thread-safe 16 | static THREADLOCAL Int32RGenTy *Rnd = 0; 17 | 18 | } // End of anonymous namespace 19 | 20 | void init(unsigned seed) { 21 | std::tr1::mt19937 gen; 22 | gen.seed(seed); 23 | Rnd = new Int32RGenTy(gen, 24 | std::tr1::uniform_int(0,UINT_MAX)); 25 | } 26 | 27 | int irand() { 28 | return sizeof(int) == 4 ? i32rand() : i64rand(); 29 | } 30 | 31 | int32_t i32rand() { 32 | if (Rnd == 0) { 33 | init(); 34 | } 35 | return (*Rnd)(); 36 | } 37 | 38 | int64_t i64rand() { 39 | if (Rnd == 0) { 40 | init(); 41 | } 42 | return (static_cast((*Rnd)()) << 32) + (*Rnd)(); 43 | } 44 | 45 | double drand_closed() { 46 | if (Rnd == 0) { 47 | init(); 48 | } 49 | return static_cast((*Rnd)()) * (1. / 4294967295.); 50 | } 51 | 52 | double drand_open() { 53 | if (Rnd == 0) { 54 | init(); 55 | } 56 | return (static_cast((*Rnd)()) + .5) * 57 | (1. 
/ 4294967296.); 58 | } 59 | 60 | // Generates 53-bit resolution doubles in the half-open interval [0,1) 61 | double drand_hopen() { 62 | if (Rnd == 0) { 63 | init(); 64 | } 65 | return (static_cast((*Rnd)() >> 5) * 67108864. + 66 | static_cast((*Rnd)() >> 6)) * 67 | (1. / 9007199254740992.); 68 | } 69 | 70 | void shutdown() { 71 | delete Rnd; 72 | Rnd = 0; 73 | } 74 | 75 | } // End of the rnd namespace 76 | } // End of utils namespace 77 | -------------------------------------------------------------------------------- /Rand.h: -------------------------------------------------------------------------------- 1 | #ifndef UTILS_RAND_H 2 | #define UTILS_RAND_H 3 | 4 | #include 5 | 6 | namespace utils { 7 | namespace rnd { 8 | 9 | int irand(); 10 | int32_t i32rand(); 11 | int64_t i64rand(); 12 | double drand_closed(); // In closed interval [0,1] 13 | double drand_open(); // In open interval (0,1) 14 | double drand_hopen(); // In half-open interval [0,1) 15 | 16 | // Call to set the seed 17 | void init(unsigned seed = 0x8944C407); // Arbitrary number 18 | // Call at the end of the program 19 | void shutdown(); 20 | 21 | } // End of the rnd namespace 22 | } // End of the utils namespace 23 | 24 | #endif // UTILS_RAND_H 25 | -------------------------------------------------------------------------------- /Registers.cpp: -------------------------------------------------------------------------------- 1 | #include "Registers.h" 2 | #include 3 | 4 | namespace absdomain { 5 | 6 | const struct regs* regLookup(const char* regName) { 7 | int low = 0; 8 | int mid; 9 | int high = sizeof(regs) / sizeof(regs[0]) - 1; 10 | while (low <= high) { 11 | int c; 12 | mid = low + (high - low) / 2; 13 | c = strcasecmp(regs[mid].name, regName); 14 | if (c == 0) { 15 | return ®s[mid]; 16 | } else if (c < 0) { 17 | low = mid + 1; 18 | } else { 19 | high = mid - 1; 20 | } 21 | } 22 | return NULL; 23 | } 24 | 25 | const char* getRegNameAtAddress(int lo, int hi) { 26 | const int limit = 
sizeof(regs) / sizeof(regs[0]) - 1; 27 | for (int i = 0; i <= limit; i++) { 28 | if (regs[i].begin == lo && regs[i].end == hi) { 29 | return regs[i].name; 30 | } 31 | } 32 | return 0; 33 | } 34 | 35 | } // End of the absdomain namespace 36 | -------------------------------------------------------------------------------- /Registers.h: -------------------------------------------------------------------------------- 1 | #ifndef ABSDOM_REGISTERS_H 2 | #define ABSDOM_REGISTERS_H 3 | 4 | namespace absdomain { 5 | 6 | const static struct regs { 7 | const char *name; 8 | const int id; 9 | const int begin; // Inclusive 10 | const int end; // Exclusive 11 | const int size; 12 | } regs[] = { 13 | // Invariant: This array has to be sorted by name. 14 | // i=0; while read a b c d e ; do echo "$a $i, $c $d $e,"; 15 | // i=$((i+1)); done 16 | {"AF", 0, 49, 50, 1}, 17 | {"AH", 1, 2, 3, 1}, 18 | {"AL", 2, 3, 4, 1}, 19 | {"AX", 3, 2, 4, 2}, 20 | {"BH", 4, 6, 7, 1}, 21 | {"BL", 5, 7, 8, 1}, 22 | {"BP", 6, 26, 28, 2}, 23 | {"BX", 7, 6, 8, 2}, 24 | {"CF", 8, 44, 45, 1}, 25 | {"CH", 9, 10, 11, 1}, 26 | {"CL", 10, 11, 12, 1}, 27 | {"CS", 11, 34, 36, 2}, 28 | {"CX", 12, 10, 12, 2}, 29 | {"DF", 13, 50, 51, 1}, 30 | {"DH", 14, 14, 15, 1}, 31 | {"DI", 15, 22, 24, 2}, 32 | {"DL", 16, 15, 16, 1}, 33 | {"DS", 17, 38, 40, 2}, 34 | {"DX", 18, 14, 16, 2}, 35 | {"EAX", 19, 0, 4, 4}, 36 | {"EBP", 20, 24, 28, 4}, 37 | {"EBX", 21, 4, 8, 4}, 38 | {"ECX", 22, 8, 12, 4}, 39 | {"EDI", 23, 20, 24, 4}, 40 | {"EDX", 24, 12, 16, 4}, 41 | {"ES", 25, 32, 34, 2}, 42 | {"ESI", 26, 16, 20, 4}, 43 | {"ESP", 27, 28, 32, 4}, 44 | {"FS", 28, 40, 42, 2}, 45 | {"GDT", 29, 56, 60, 4}, 46 | {"GS", 30, 42, 44, 2}, 47 | {"LDT", 31, 52, 56, 4}, 48 | {"OF", 32, 48, 49, 1}, 49 | {"PF", 33, 46, 47, 1}, 50 | {"SF", 34, 47, 48, 1}, 51 | {"SI", 35, 18, 20, 2}, 52 | {"SP", 36, 30, 32, 2}, 53 | {"SS", 37, 36, 38, 2}, 54 | {"ZF", 38, 45, 46, 1}, 55 | // Terminator, determines the size of the register region. 
56 | {"TERM",39, 0, 60, 1 }, 57 | // { <++>, <++>, <++>, <++> }, 58 | }; 59 | 60 | namespace reg { 61 | 62 | enum RegEnumTy { 63 | AF_REG = 0, AH_REG, AL_REG, AX_REG, BH_REG, BL_REG, BP_REG, BX_REG, 64 | CF_REG, CH_REG, CL_REG, CS_REG, CX_REG, DF_REG, DH_REG, DI_REG, 65 | DL_REG, DS_REG, DX_REG, EAX_REG, EBP_REG, EBX_REG, ECX_REG, EDI_REG, 66 | EDX_REG, ES_REG, ESI_REG, ESP_REG, FS_REG, GDT_REG, GS_REG, LDT_REG, 67 | OF_REG, PF_REG, SF_REG, SI_REG, SP_REG, SS_REG, ZF_REG, TERM_REG 68 | }; 69 | 70 | } // End of the reg namespace 71 | 72 | // Binary search based on the register name 73 | const struct regs* regLookup(const char*); 74 | 75 | // Linear search, but this is needed only in debugging anyways 76 | const char* getRegNameAtAddress(int, int); 77 | 78 | } // End of the absdomain namespace 79 | 80 | #endif // ABSDOM_REGISTERS_H 81 | 82 | // Local Variables: 83 | // mode: c++ 84 | // c-basic-offset: 4 85 | // compile-command: "dchroot -c typeinfer -d make" 86 | // End: 87 | -------------------------------------------------------------------------------- /StridedIntervalTest.cpp: -------------------------------------------------------------------------------- 1 | #include "AbsDomStridedInterval.h" 2 | 3 | using namespace absdomain; 4 | using namespace std; 5 | 6 | int main(int, char**) { 7 | StridedIntervalPtr i1 = StridedInterval::get(4,8,4); 8 | StridedIntervalPtr i2 = StridedInterval::get(8,12,4); 9 | cout << *i1 << " join " << *i2 << " = " << *(i1->join(*i2)) << endl; 10 | cout << *i1 << " meet " << *i2 << " = " << *(i1->meet(*i2)) << endl; 11 | cout << *i1 << " widen " << *i2 << " = " << *(i1->widen(*i2)) << 12 | endl; 13 | StridedIntervalPtr i3 = StridedInterval::get(0,12,4); 14 | cout << *i1 << " <= " << *i3 << " = " << (*i1 <= *i3) << endl; 15 | StridedIntervalPtr i4 = StridedInterval::get(12,16,2); 16 | cout << *i3 << " + " << *i4 << " = " << *(*i3 + *i4) << endl; 17 | exit(0); 18 | } 19 | 
-------------------------------------------------------------------------------- /Utilities.cpp: -------------------------------------------------------------------------------- 1 | #include "Utilities.h" 2 | #include 3 | #include 4 | 5 | namespace utils { 6 | 7 | // Greatest common divisor 8 | int gcd(int a, int b) { 9 | assert(b != 0 && "Attempted modulo by zero."); 10 | int c; 11 | while(1) { 12 | c = a % b; 13 | if (c == 0) return b; 14 | a = b; 15 | b = c; 16 | } 17 | } 18 | 19 | int gcdu(unsigned a, unsigned b) { 20 | assert(b != 0 && "Attempted modulo by zero."); 21 | unsigned c; 22 | while(1) { 23 | c = a % b; 24 | if (c == 0) return b; 25 | a = b; 26 | b = c; 27 | } 28 | } 29 | 30 | unsigned gcdSafe(unsigned x, unsigned y) { 31 | if (y == 0) { 32 | return x == 0 ? 0 : 1; 33 | } else { 34 | return gcdu(x, y); 35 | } 36 | } 37 | 38 | int lcm(int a, int b) { 39 | if (a == 0 || b == 0) return 0; 40 | return a*b/gcd(a,b); 41 | } 42 | 43 | // Number of trailing zeros, e.g. if x is 1101000 (base 2), returns 3 44 | int tlz(unsigned x) { 45 | if (x == 0) return CHAR_BIT * sizeof(x); 46 | int r = 0; 47 | x = (x ^ (x - 1)) >> 1; // Set x's trailing 0s to 1s and zero rest 48 | for (; x; r++) x >>= 1; 49 | return r; 50 | } 51 | 52 | int max(int x, int y) { 53 | return x ^ ((x ^ y) & -(x < y)); 54 | } 55 | 56 | unsigned umin(unsigned x, unsigned y) { 57 | return x < y ? x : y; 58 | } 59 | 60 | unsigned umax(unsigned x, unsigned y) { 61 | return x > y ? 
x : y; 62 | } 63 | 64 | int min(int x, int y) { 65 | return y ^ ((x ^ y) & -(x < y)); 66 | } 67 | 68 | } // End of the utils namespace 69 | -------------------------------------------------------------------------------- /Utilities.h: -------------------------------------------------------------------------------- 1 | #ifndef UTILITIES_H 2 | #define UTILITIES_H 3 | 4 | #include 5 | #include 6 | 7 | namespace utils { 8 | 9 | template 10 | class Multimap : public std::tr1::unordered_multimap { 11 | typedef typename std::tr1::unordered_multimap _Base; 12 | public: 13 | typedef typename _Base::iterator iterator; 14 | typedef typename _Base::const_iterator const_iterator; 15 | typedef std::pair iterator_pair; 16 | typedef std::pair 17 | const_iterator_pair; 18 | }; 19 | 20 | template 21 | class Map : public std::tr1::unordered_map { 22 | typedef typename std::tr1::unordered_map _Base; 23 | public: 24 | typedef typename _Base::iterator iterator; 25 | typedef typename _Base::const_iterator const_iterator; 26 | typedef std::pair iterator_pair; 27 | typedef std::pair 28 | const_iterator_pair; 29 | }; 30 | 31 | template 32 | struct Hash { 33 | size_t operator()(T e) const { 34 | return static_cast(e); 35 | } 36 | }; 37 | 38 | template 39 | struct Hash { 40 | std::size_t operator()(const T *const x) const { 41 | return reinterpret_cast(x); 42 | } 43 | }; 44 | 45 | template 46 | struct Max { 47 | int operator()(T a) const { (void)a; return 0; } 48 | int operator()(T a, int b, int c) const { 49 | (void)a; (void)b; (void)c; return 0; 50 | } 51 | }; 52 | 53 | template 54 | struct Cmp { 55 | int operator()(T a, T b) const { 56 | return a == b ? 0 : a < b ? -1 : 1; 57 | } 58 | }; 59 | 60 | template 61 | struct Equal { 62 | int operator()(T a, T b) const { 63 | return a == b; 64 | } 65 | }; 66 | 67 | /* Usage example: 68 | std::transform(m.begin(), m.end(), std::back_inserter(vk), 69 | select1st::value_type>()) ; 70 | // */ 71 | 72 | // Select 1st from the pair. 
73 | template 74 | struct select1st { 75 | typedef typename Pair::first_type result_type; 76 | const result_type &operator()(const Pair &p) const { 77 | return p.first; 78 | } 79 | }; 80 | 81 | // Select 2nd from the pair. 82 | template 83 | struct select2nd { 84 | typedef typename Pair::second_type result_type ; 85 | const result_type &operator()(const Pair &p) const { 86 | return p.second; 87 | } 88 | }; 89 | 90 | // This is a default overlap functor used below. Use this for types that 91 | // don't use interval trees. 92 | template 93 | struct Overlap { 94 | bool operator()(T, T) const { return false; } 95 | int low(T) const { return 0; } 96 | int high(T) const { return 0; } 97 | }; 98 | 99 | unsigned gcdSafe(unsigned, unsigned); 100 | int lcm(int, int); 101 | int tlz(unsigned); 102 | int min(int, int); 103 | int max(int, int); 104 | unsigned umin(unsigned, unsigned); 105 | unsigned umax(unsigned, unsigned); 106 | 107 | } // End of utils namespace 108 | 109 | #endif // UTILITIES_H 110 | -------------------------------------------------------------------------------- /argv_readparam.h: -------------------------------------------------------------------------------- 1 | /*BEGIN_LEGAL 2 | Intel Open Source License 3 | 4 | Copyright (c) 2002-2010 Intel Corporation. All rights reserved. 5 | 6 | Redistribution and use in source and binary forms, with or without 7 | modification, are permitted provided that the following conditions are 8 | met: 9 | 10 | Redistributions of source code must retain the above copyright notice, 11 | this list of conditions and the following disclaimer. Redistributions 12 | in binary form must reproduce the above copyright notice, this list of 13 | conditions and the following disclaimer in the documentation and/or 14 | other materials provided with the distribution. 
Neither the name of 15 | the Intel Corporation nor the names of its contributors may be used to 16 | endorse or promote products derived from this software without 17 | specific prior written permission. 18 | 19 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 20 | ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 21 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 22 | A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE INTEL OR 23 | ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 24 | SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 25 | LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 26 | DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 27 | THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 28 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 29 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 30 | END_LEGAL */ 31 | #ifndef _ARGV_READPARAM_H_ 32 | #define _ARGV_READPARAM_H_ 33 | 34 | int argv_hasFlag(int argc, char *argv[], char param); 35 | int argv_hasLongFlag(int argc, char *argv[], char *param); 36 | int argv_getInt(int argc, char *argv[], char *param, int *ret); 37 | int argv_getLong(int argc, char *argv, char *param, long *ret); 38 | char *argv_getString(int argc, char * argv[], char const * param, char **mem); 39 | 40 | #endif 41 | -------------------------------------------------------------------------------- /build-fresh-1404-32.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Ubuntu 14.04 32-bit is the easiest Ubuntu version to compile this 4 | # program on, since the system GCC matches the version that Pin needs, 5 | # and the system OCaml produces 32-bit executables. 
Systems that are 6 | # significantly older, significantly newer, or 64-bit are all more 7 | # complex to deal with, because more prereqs need to be custom 8 | # compiled. 9 | 10 | # The next set of commands are commented-out because if you're getting 11 | # this script from the Git repository, you must have already run them. 12 | 13 | # sudo apt-get -y install git 14 | # git clone https://github.com/bitblaze-fuzzball/d-s-se-directed-tests.git 15 | # cd d-s-se-directed-tests 16 | # # git checkout cgc-branch 17 | 18 | sudo apt-get -y install build-essential 19 | 20 | sudo apt-get -y install ccache 21 | 22 | git clone https://github.com/bitblaze-fuzzball/fuzzball 23 | # cd fuzzball 24 | # git checkout cgc-branch 25 | # cd .. 26 | 27 | ## VEX 28 | sudo apt-get -y install subversion 29 | sudo apt-get -y build-dep valgrind 30 | svn co -r3260 svn://svn.valgrind.org/vex/trunk VEX 31 | cd VEX 32 | patch -p0 <../fuzzball/vex-r3260.patch 33 | make -f Makefile-gcc CC="ccache gcc" 34 | cd .. 35 | 36 | ## STP 37 | git clone https://github.com/bitblaze-fuzzball/stp.git 38 | cd stp 39 | sudo apt-get -y install cmake 40 | sudo apt-get -y install bison flex 41 | sudo apt-get -y install libboost-program-options-dev libboost-system-dev 42 | mkdir build 43 | cd build 44 | cmake .. 45 | make -j6 46 | cp stp lib/libstp.a ../../fuzzball/stp 47 | cd .. 48 | cd .. 49 | 50 | 51 | ## GNU Binutils 52 | sudo apt-get -y install binutils-dev libiberty-dev 53 | sudo apt-get -y install zlib1g-dev 54 | 55 | ## FuzzBALL OCaml dependencies 56 | sudo apt-get -y install ocaml 57 | sudo apt-get -y install ocaml-native-compilers ocaml-findlib 58 | sudo apt-get -y install camlidl libextlib-ocaml-dev 59 | 60 | ## FuzzBALL 61 | cd fuzzball 62 | ./autogen.sh 63 | ./configure --with-vex=$(pwd)/../VEX CXXFLAGS=-g3 CC="ccache gcc" CXX="ccache g++" 64 | make 65 | cd .. 
66 | 67 | ## Pin 68 | wget https://software.intel.com/sites/landingpage/pintool/downloads/pin-2.14-71313-gcc.4.4.7-linux.tar.gz 69 | tar xzf pin-2.14-71313-gcc.4.4.7-linux.tar.gz 70 | 71 | ## libelf 72 | sudo apt-get -y install libelf-dev 73 | 74 | ## Boost dependencies of d-s-se 75 | sudo apt-get -y install libboost-serialization-dev libboost-iostreams-dev 76 | sudo apt-get -y install libbz2-dev 77 | 78 | ## Compile d-s-se tools themselves 79 | make -j6 CXX="ccache g++" 80 | 81 | ## Dietlibc with sysenter disabled, useful for building subject programs 82 | sudo apt-get -y install cvs 83 | cvs -d :pserver:cvs@cvs.fefe.de:/cvs -z9 co dietlibc 84 | cd dietlibc 85 | perl -pi -e 'chomp; $_ = "/* $_ */" if /SYSENTER/; $_ .= "\n";' dietfeatures.h 86 | make 87 | cd .. 88 | 89 | ## Don't ask 90 | mkdir /tmp/yyy 91 | -------------------------------------------------------------------------------- /callgraph.cc: -------------------------------------------------------------------------------- 1 | #include "callgraph.h" 2 | 3 | void CallGraph::addCall(Function *caller, Function *callee) { 4 | CallGraphEdge *e; 5 | 6 | if (!hasVertex(caller)) { 7 | addVertex(caller); 8 | } 9 | 10 | if (!hasVertex(callee)) { 11 | addVertex(callee); 12 | } 13 | 14 | e = new CallGraphEdge(caller, callee); 15 | assert(e); 16 | 17 | addEdge(caller, callee, e); 18 | 19 | if (!main) 20 | setMain(caller); 21 | } 22 | 23 | std::string CallGraph::dot() { 24 | std::string r = ""; 25 | char tmp[1024]; 26 | 27 | r = "digraph G {\n"; 28 | 29 | for (CallGraph::const_func_iterator fit = func_begin(); 30 | fit != func_end(); fit++) { 31 | Function *f1 = *fit; 32 | sprintf(tmp, "func_%.8x [label=\"%s@%.8x\\n[%s]\", shape=rectangle%s" 33 | ",URL=\"%.8x.svg\"];\n", 34 | f1->getAddress(), f1->getName(), f1->getAddress(), 35 | f1->getModule(), f1 != main ? 
"" : ", color=red", 36 | f1->getAddress()); 37 | r += " " + std::string(tmp); 38 | } 39 | 40 | for (CallGraph::const_edge_iterator eit = edge_begin(); 41 | eit != edge_end(); eit++) { 42 | Function *f1 = (*eit)->getSource(); 43 | Function *f2 = (*eit)->getTarget(); 44 | sprintf(tmp, "func_%.8x -> func_%.8x;\n", f1->getAddress(), 45 | f2->getAddress()); 46 | r += " " + std::string(tmp); 47 | } 48 | 49 | r += "}"; 50 | 51 | return r; 52 | } 53 | 54 | std::string CallGraph::vcg() { 55 | std::string r = ""; 56 | char tmp[1024]; 57 | 58 | r = "graph: {\n"; 59 | 60 | for (CallGraph::const_func_iterator fit = func_begin(); 61 | fit != func_end(); fit++) { 62 | Function *f1 = *fit; 63 | sprintf(tmp, "node: { title: \"func_%.8x\" " 64 | "label: \"%s@%.8x\\n[%s]\" }\n", 65 | f1->getAddress(), f1->getName(), f1->getAddress(), 66 | f1->getModule()); 67 | r += " " + std::string(tmp); 68 | } 69 | 70 | for (CallGraph::const_edge_iterator eit = edge_begin(); 71 | eit != edge_end(); eit++) { 72 | Function *f1 = (*eit)->getSource(); 73 | Function *f2 = (*eit)->getTarget(); 74 | sprintf(tmp, "edge: { sourcename: \"func_%.8x\" " 75 | "targetname: \"func_%.8x\"}\n", f1->getAddress(), 76 | f2->getAddress()); 77 | r += " " + std::string(tmp); 78 | } 79 | 80 | r += "}"; 81 | 82 | return r; 83 | } 84 | 85 | 86 | // Local Variables: 87 | // c-basic-offset: 4 88 | // compile-command: "dchroot -c typeinfer -d make" 89 | // End: 90 | -------------------------------------------------------------------------------- /callgraph.h: -------------------------------------------------------------------------------- 1 | #ifndef __CALLGRAPH_H__ 2 | #define __CALLGRAPH_H__ 3 | 4 | #include "debug.h" 5 | #include "graph.h" 6 | #include "func.h" 7 | 8 | class Prog; 9 | 10 | class CallGraphEdge { 11 | private: 12 | Function *source; 13 | Function *target; 14 | 15 | friend class boost::serialization::access; 16 | template 17 | void serialize(Archive & ar, const unsigned int version) { 18 | ar & source; 19 | 
ar & target; 20 | (void)version; 21 | } 22 | 23 | public: 24 | CallGraphEdge() {;} 25 | ~CallGraphEdge() {;} 26 | CallGraphEdge(Function *s, Function *t) { 27 | source = s; 28 | target = t; 29 | } 30 | 31 | Function *getSource() { 32 | return source; 33 | } 34 | 35 | Function *getTarget() { 36 | return target; 37 | } 38 | }; 39 | 40 | class CallGraph : public Graph { 41 | private: 42 | typedef Graph callgraph_t; 43 | 44 | std::map addr2func; 45 | 46 | friend class boost::serialization::access; 47 | template 48 | void serialize(Archive & ar, const unsigned int version) { 49 | callgraph_t::serialize(ar, version); 50 | ar & addr2func; 51 | ar & main; 52 | } 53 | 54 | Function *main; 55 | 56 | public: 57 | CallGraph() { main = NULL; } 58 | ~CallGraph() {;} 59 | 60 | void addCall(Function *caller, Function *callee); 61 | std::string dot(); 62 | std::string vcg(); 63 | 64 | Function *getMain() const { return main; } 65 | void setMain(Function *m) { main = m; callgraph_t::setEntry(m); } 66 | 67 | typedef callgraph_t::const_vertex_iterator const_func_iterator; 68 | typedef callgraph_t::const_edge_iterator const_edge_iterator; 69 | 70 | const_func_iterator func_begin() { return vertices_begin(); } 71 | const_func_iterator func_end() { return vertices_end(); } 72 | const_edge_iterator edge_begin() { return edges_begin(); } 73 | const_edge_iterator edge_end() { return edges_end(); } 74 | }; 75 | 76 | #endif 77 | 78 | // Local Variables: 79 | // mode: c++ 80 | // c-basic-offset: 4 81 | // compile-command: "dchroot -c typeinfer -d make" 82 | // End: 83 | -------------------------------------------------------------------------------- /callstack.h: -------------------------------------------------------------------------------- 1 | #ifndef __CALLSTACK_H__ 2 | #define __CALLSTACK_H__ 3 | 4 | typedef struct { 5 | void *stackptr; 6 | void *funcaddr; 7 | void *calladdr; 8 | } callstack_t; 9 | 10 | #define CALLSTACK_MAX_DEPTH 1024 11 | 12 | static callstack_t 
__callstack[CALLSTACK_MAX_DEPTH]; 13 | static int __callstack_depth = 0; 14 | 15 | static inline void callstack_push(int tid, void *stackptr, void *funcaddr, void *calladdr) { 16 | (void)tid; 17 | assert(__callstack_depth >= 0 && __callstack_depth < CALLSTACK_MAX_DEPTH); 18 | 19 | __callstack_depth++; 20 | __callstack[__callstack_depth - 1].stackptr = stackptr; 21 | __callstack[__callstack_depth - 1].funcaddr = funcaddr; 22 | __callstack[__callstack_depth - 1].calladdr = calladdr; 23 | } 24 | 25 | static inline void callstack_pop(int tid, void *stackptr, void **funcaddr, void **calladdr) { 26 | (void)tid; 27 | assert(__callstack_depth >= 0 && __callstack_depth < CALLSTACK_MAX_DEPTH); 28 | 29 | while (__callstack_depth > 0 && __callstack[__callstack_depth - 1].stackptr != stackptr) { 30 | __callstack_depth--; 31 | } 32 | 33 | assert(__callstack_depth >= 0 && __callstack_depth < CALLSTACK_MAX_DEPTH); 34 | 35 | if (__callstack_depth > 0 && __callstack[__callstack_depth - 1].stackptr == stackptr) { 36 | *calladdr = __callstack[__callstack_depth - 1].calladdr; 37 | *funcaddr = __callstack[__callstack_depth - 1].funcaddr; 38 | __callstack_depth--; 39 | } else { 40 | *calladdr = *funcaddr = NULL; 41 | } 42 | return; 43 | } 44 | 45 | static inline void callstack_top(int tid, void **funcaddr, void **calladdr) { 46 | (void)tid; 47 | assert(__callstack_depth >= 0 && __callstack_depth < CALLSTACK_MAX_DEPTH); 48 | 49 | if (__callstack_depth > 0) { 50 | *calladdr = __callstack[__callstack_depth - 1].calladdr; 51 | *funcaddr = __callstack[__callstack_depth - 1].funcaddr; 52 | } else { 53 | *calladdr = *funcaddr = NULL; 54 | } 55 | return; 56 | } 57 | 58 | static inline void *callstack_top_funcaddr(int tid) { 59 | (void)tid; 60 | assert(__callstack_depth >= 0 && __callstack_depth < CALLSTACK_MAX_DEPTH); 61 | 62 | if (__callstack_depth > 0) { 63 | return __callstack[__callstack_depth - 1].funcaddr; 64 | } else { 65 | return NULL; 66 | } 67 | } 68 | 69 | static inline int 
callstack_depth(int tid) { 70 | (void)tid; 71 | assert(__callstack_depth >= 0 && __callstack_depth < CALLSTACK_MAX_DEPTH); 72 | 73 | return __callstack_depth; 74 | } 75 | 76 | #endif 77 | -------------------------------------------------------------------------------- /cfg/README: -------------------------------------------------------------------------------- 1 | Format for traces (CFG) 2 | ======================= 3 | 4 | * programname-cksum1-cksum2.stat.cfg 5 | 6 | * programname-cksum1-cksum2.dyn.cfg 7 | 8 | programname is the name of the binary analyzed 9 | 10 | cksum1 are the first 6 characters of the md5 of the program traces 11 | 12 | cksum2 are the first 6 characters of the md5 of the .cfg file 13 | 14 | .dyn stands for CFGs constructed entirely dynamically 15 | 16 | .stat stands for CFGs constructed dynamically and the augmented statically 17 | -------------------------------------------------------------------------------- /cfgfromtrace.cc: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | #include "graph.h" 6 | #include "debug.h" 7 | 8 | int DEBUG_LEVEL = 2; 9 | FILE *DEBUG_FILE = stderr; 10 | 11 | int main(int argc, char **argv) { 12 | unsigned int funcaddr; 13 | FILE *trace; 14 | char *line = NULL; 15 | int tid, len, pos, linelen = 0; 16 | unsigned int addr, func, prev; 17 | Cfg *cfg; 18 | 19 | assert(argc == 3); 20 | 21 | trace = fopen(argv[1], "r"); 22 | assert(trace); 23 | funcaddr = strtoul(argv[2], NULL, 16); 24 | assert(funcaddr); 25 | 26 | cfg = new Cfg(); 27 | 28 | while (getline(&line, (size_t *) &linelen, trace) != -1) { 29 | sscanf(line, "%d %d %x %d %x %x", &tid, &pos, &addr, &len, &func, &prev); 30 | if (funcaddr == func) { 31 | cfg->addInstruction(addr, (unsigned char *) "\x00\x00\x00\x00\x00\x00\x00\x00", len, pos, prev); 32 | } 33 | 34 | } 35 | 36 | //printf("%s\n", cfg->dot().c_str()); 37 | } 38 | 
-------------------------------------------------------------------------------- /cfgs.idl: -------------------------------------------------------------------------------- 1 | typedef [abstract] void* program_info; 2 | typedef [abstract] void* interproc_cfg; 3 | 4 | program_info program_info_from_file([string] const char *fname); 5 | void free_program_info([in] program_info pi); 6 | 7 | interproc_cfg construct_interproc_cfg([in] program_info pi); 8 | void free_interproc_cfg([in] interproc_cfg ipcfg); 9 | 10 | void interproc_cfg_set_target_addr([in] interproc_cfg ipcfg, 11 | [int64] unsigned int addr, 12 | [in] program_info pi); 13 | 14 | void interproc_cfg_compute_shortest_paths([in] interproc_cfg ipcfg); 15 | 16 | long long interproc_cfg_lookup_distance([in] interproc_cfg ipcfg, 17 | [int64] unsigned int addr, 18 | [in] program_info pi); 19 | 20 | int interproc_cfg_lookup_influence([in] interproc_cfg ipcfg, 21 | [int64] unsigned int addr, 22 | [in] program_info pi); 23 | 24 | [int64] long interproc_cfg_lookup_pth([in] interproc_cfg ipcfg, 25 | [int64] unsigned int addr, 26 | [in] program_info pi); 27 | 28 | boolean interproc_cfg_is_loop_exit_cond([in] interproc_cfg ipcfg, 29 | [int64] unsigned int addr, 30 | [in] program_info pi); 31 | 32 | boolean interproc_cfg_edge_is_loop_exit([in] interproc_cfg ipcfg, 33 | [int64] unsigned int from_addr, 34 | [int64] unsigned int to_addr, 35 | [in] program_info pi); 36 | 37 | void interproc_cfg_set_target_warning([in] interproc_cfg ipcfg, 38 | [int64] unsigned int addr, 39 | [in] program_info pi, 40 | [string] const char *fname); 41 | 42 | boolean 43 | interproc_cfg_is_interesting_loop([in] interproc_cfg ipcfg, 44 | [int64] unsigned int addr, 45 | [in] program_info pi); 46 | 47 | [int64] unsigned int 48 | interproc_cfg_get_component([in] interproc_cfg ipcfg, 49 | [int64] unsigned int addr, 50 | [in] program_info pi); 51 | 52 | boolean 53 | interproc_cfg_same_bb([in] interproc_cfg ipcfg, 54 | [int64] unsigned int addr1, 55 | 
[int64] unsigned int addr2, 56 | [in] program_info pi); 57 | 58 | void compute_influence_for_warning([in] program_info pi, 59 | [int64] unsigned int addr); 60 | 61 | void warnings_from_file([string] const char *fname, [in,out] program_info pi); 62 | 63 | -------------------------------------------------------------------------------- /cfgs_for_ocaml.h: -------------------------------------------------------------------------------- 1 | #include "func.h" 2 | #include "cfg.h" 3 | #include "callgraph.h" 4 | #include "serialize.h" 5 | #include "InterProcCFG.h" 6 | #include "influence.h" 7 | 8 | extern "C" { 9 | /* CamlIDL assumes that "boolean" types in the IDL will translate into 10 | "int" types on the C side. But this wouldn't be compatible with 11 | a C++ "bool". */ 12 | typedef int bool_for_camlidl; 13 | 14 | struct program_info { 15 | Prog prog; 16 | CallGraph *callgraph; 17 | char *fname; 18 | map functions; 19 | std::map warnings; 20 | influence_map_t influence; 21 | }; 22 | 23 | program_info *program_info_from_file(const char *fname); 24 | 25 | void free_program_info(program_info *pi); 26 | 27 | InterProcCFG *construct_interproc_cfg(program_info *pi); 28 | 29 | void free_interproc_cfg(InterProcCFG *ipcfg); 30 | 31 | void interproc_cfg_set_target_addr(InterProcCFG *ipcfg, addr_t addr, 32 | program_info *pi); 33 | 34 | void interproc_cfg_compute_shortest_paths(InterProcCFG *ipcfg); 35 | 36 | long long interproc_cfg_lookup_distance(InterProcCFG *ipcfg, addr_t addr, 37 | program_info *pi); 38 | 39 | int interproc_cfg_lookup_influence(InterProcCFG *ipcfg, addr_t addr, 40 | program_info *pi); 41 | 42 | long interproc_cfg_lookup_pth(InterProcCFG *ipcfg, addr_t addr, 43 | program_info *pi); 44 | 45 | bool_for_camlidl 46 | interproc_cfg_is_loop_exit_cond(InterProcCFG *ipcfg, addr_t addr, 47 | program_info *pi); 48 | 49 | bool_for_camlidl 50 | interproc_cfg_edge_is_loop_exit(InterProcCFG *ipcfg, 51 | addr_t from_addr, addr_t to_addr, 52 | program_info *pi); 53 | 54 | 
void interproc_cfg_set_target_warning(InterProcCFG *ipcfg, addr_t addr, 55 | program_info *pi, 56 | const char *fname); 57 | 58 | bool_for_camlidl 59 | interproc_cfg_is_interesting_loop(InterProcCFG *ipcfg, 60 | addr_t addr, 61 | program_info *pi); 62 | 63 | unsigned 64 | interproc_cfg_get_component(InterProcCFG *ipcfg, 65 | addr_t addr, 66 | program_info *pi); 67 | 68 | bool_for_camlidl 69 | interproc_cfg_same_bb(InterProcCFG *ipcfg, 70 | addr_t addr1, addr_t addr2, 71 | program_info *pi); 72 | 73 | void compute_influence_for_warning(program_info *pi, addr_t addr); 74 | 75 | void warnings_from_file(const char *fname, program_info *pi); 76 | } 77 | 78 | // Local Variables: 79 | // c-basic-offset: 4 80 | // compile-command: "dchroot -c typeinfer -d make" 81 | // End: 82 | -------------------------------------------------------------------------------- /cfgs_test.ml: -------------------------------------------------------------------------------- 1 | let main argv = 2 | let prog_info = Cfgs.program_info_from_file argv.(1) in 3 | let src_addr = Int64.of_string argv.(2) and 4 | dst_addr = Int64.of_string argv.(3) in 5 | if (Array.length argv = 5) then ( 6 | Cfgs.warnings_from_file argv.(4) prog_info; 7 | Cfgs.compute_influence_for_warning prog_info dst_addr 8 | ); 9 | let ipcfg = Cfgs.construct_interproc_cfg prog_info in 10 | Cfgs.interproc_cfg_set_target_addr ipcfg dst_addr prog_info; 11 | Cfgs.interproc_cfg_compute_shortest_paths ipcfg; 12 | let dist = Cfgs.interproc_cfg_lookup_distance ipcfg src_addr prog_info in 13 | Printf.printf "Distance from 0x%08Lx to 0x%08Lx is %Ld\n" 14 | src_addr dst_addr dist; 15 | Cfgs.free_interproc_cfg ipcfg; 16 | Cfgs.free_program_info prog_info 17 | ;; 18 | 19 | main Sys.argv 20 | -------------------------------------------------------------------------------- /countfpfn.sh: -------------------------------------------------------------------------------- 1 | benchmark="$1" 2 | 3 | warns=$(grep "Write out-of-bound" 
cfg/MIT/$benchmark.warn | grep -v ": 00000000 : " | cut -f -4 -d ":" | sort -u | sed "s/ : /|/g" | cut -f 3 -d "|" | cut -f 2- -d "/" | sed "s/ //g" | sort -u ) 4 | bugs=$(cat BUGS | grep "^$benchmark" | cut -f 2 -d " ") 5 | 6 | tmp1=$(mktemp) 7 | tmp2=$(mktemp) 8 | 9 | time=$(grep "### Wallclock time:" cfg/MIT/$benchmark.log | cut -f 2 -d ":") 10 | mem=$(grep "### Maximum resident size" cfg/MIT/$benchmark.log | cut -f 5 -d " ") 11 | 12 | 13 | RED="\x1b[31;01m" 14 | GREEN="\x1b[32;01m" 15 | YELLOW="\x1b[33;01m" 16 | DEFAULT="\x1b[39;49;00m" 17 | 18 | bugsno=0 19 | for bug in $bugs 20 | do 21 | echo $bug >> $tmp1 22 | bugsno=$((bugsno+1)) 23 | done 24 | 25 | warnsno=0 26 | fpno=0 27 | fnno=0 28 | for warn in $warns 29 | do 30 | warnsno=$((warnsno+1)) 31 | echo $warn >> $tmp2 32 | if grep -q $warn $tmp1 33 | then 34 | aaaaaaaaa=0 35 | else 36 | fpno=$((fpno+1)) 37 | fi 38 | done 39 | 40 | for bug in $bugs 41 | do 42 | if grep -q $bug $tmp2 43 | then 44 | echo -n "" 45 | else 46 | echo -ne "\t$RED" 47 | echo -n "$bug (false negative)" 48 | echo -e "$DEFAULT" 49 | fi 50 | done 51 | 52 | benchmark=$(echo $benchmark | cut -f -2 -d "/" | sed "s/sendmail/Sendmail/" | sed "s/wu-ftpd/WU-FTPD/" | sed "s/bind/BIND/") 53 | 54 | echo "$benchmark & $warnsno & $bugsno & $fpno & $fnno & $time & $mem \\\\" 55 | 56 | rm -f $tmp1 $tmp2 57 | -------------------------------------------------------------------------------- /dataflow.h: -------------------------------------------------------------------------------- 1 | #ifndef __DATAFLOW_H__ 2 | #define __DATAFLOW_H__ 3 | 4 | #include "debug.h" 5 | #include "cfg.h" 6 | #include "instr.h" 7 | 8 | #include 9 | #include 10 | #include 11 | 12 | typedef std::string var_t; 13 | typedef std::set var_set_t; 14 | typedef std::pair def_t; 15 | 16 | std::string def_to_string(def_t vd); 17 | 18 | struct defcmp { 19 | bool operator()(const def_t &d1, const def_t &d2) const { 20 | debug("%s %s %d\n", def_to_string(d1).c_str(), 
def_to_string(d2).c_str(), 21 | strcmp(def_to_string(d1).c_str(), def_to_string(d2).c_str()) < 0); 22 | return strcmp(def_to_string(d1).c_str(), def_to_string(d2).c_str()) < 0; 23 | } 24 | }; 25 | 26 | typedef std::set def_set_t; 27 | 28 | typedef std::map bb2def_set_t; 29 | typedef std::map defuse_map_t; 30 | typedef std::map ud_chain_t; 31 | 32 | 33 | std::string def_to_string(def_t vd); 34 | 35 | std::string def_to_string(def_set_t &vds); 36 | 37 | // Compute the set of generated variables (by an instruction) 38 | void computeGeneratedVariables(Instruction *i, defuse_map_t &defmap, 39 | def_set_t &defs); 40 | 41 | // Compute the set of generated variables (by a basic block) 42 | void computeGeneratedVariables(BasicBlock *bb, defuse_map_t &defmap, 43 | def_set_t &defs); 44 | 45 | // Compute the set of generated variables (by the function) 46 | void computeDefinedVariables(Cfg *cfg, defuse_map_t &defmap, 47 | def_set_t &defs); 48 | 49 | // Compute the set of killed definitions 50 | void computeKilledVariables(BasicBlock *bb, defuse_map_t &defmap, 51 | def_set_t &defs, def_set_t &kills); 52 | 53 | // Compute reaching definitions 54 | void computeReachingDef(Cfg *cfg, defuse_map_t &defmap, 55 | bb2def_set_t &reachdefs); 56 | 57 | // Compute ud-chain for each instruction of the function 58 | void computeUseDefChain(Cfg *cfg, defuse_map_t &defmap, defuse_map_t &usemap, 59 | ud_chain_t &ud_chain); 60 | 61 | void computeSlice(Instruction *i, defuse_map_t &defmap, defuse_map_t &usemap, 62 | std::set &slice); 63 | #endif 64 | 65 | // Local Variables: 66 | // mode: c++ 67 | // End: 68 | -------------------------------------------------------------------------------- /fpfn.sh: -------------------------------------------------------------------------------- 1 | benchmark="$1" 2 | 3 | warns=$(grep "Write out-of-bound" cfg/MIT/$benchmark.warn | grep -v ": 00000000 : " | cut -f -4 -d ":" | sort -u | sed "s/ : /|/g" | cut -f 3 -d "|" | cut -f 2- -d "/" | sed "s/ //g") 4 | 
bugs=$(cat BUGS | grep "^$benchmark" | cut -f 2 -d " ") 5 | 6 | tmp1=$(mktemp) 7 | tmp2=$(mktemp) 8 | 9 | RED="\x1b[31;01m" 10 | GREEN="\x1b[32;01m" 11 | YELLOW="\x1b[33;01m" 12 | DEFAULT="\x1b[39;49;00m" 13 | 14 | for bug in $bugs 15 | do 16 | echo $bug >> $tmp1 17 | done 18 | 19 | for warn in $warns 20 | do 21 | echo $warn >> $tmp2 22 | if grep -q $warn $tmp1 23 | then 24 | echo -ne "\t$GREEN" 25 | echo -n "$warn" 26 | echo -e "$DEFAULT" 27 | else 28 | echo -ne "\t$YELLOW" 29 | echo -n "$warn (false positive)" 30 | echo -e "$DEFAULT" 31 | fi 32 | done 33 | 34 | for bug in $bugs 35 | do 36 | if grep -q $bug $tmp2 37 | then 38 | echo -n "" 39 | else 40 | echo -ne "\t$RED" 41 | echo -n "$bug (false negative)" 42 | echo -e "$DEFAULT" 43 | fi 44 | done 45 | 46 | rm -f $tmp1 $tmp2 -------------------------------------------------------------------------------- /func.cc: -------------------------------------------------------------------------------- 1 | #include "func.h" 2 | #include "Utilities.h" 3 | 4 | Function::Function(std::string n, addr_t a, size_t l, std::string m) { 5 | name = n; 6 | address = a; 7 | size = l; 8 | module = m; 9 | cfg = new Cfg(this); 10 | argumentsno = -1; 11 | pending = false; 12 | prog = NULL; 13 | } 14 | 15 | Function::Function(addr_t a) { 16 | argumentsno = -1; 17 | cfg = new Cfg(this); 18 | address = a; 19 | name = "unknown"; 20 | module = "unknown"; 21 | pending = false; 22 | prog = NULL; 23 | } 24 | 25 | Function::~Function() { 26 | delete cfg; 27 | } 28 | 29 | const char *Function::getName() const { 30 | return name.c_str(); 31 | } 32 | 33 | const char *Function::getModule() const { 34 | return module.c_str(); 35 | } 36 | 37 | addr_t Function::getAddress() const { 38 | return address; 39 | } 40 | 41 | size_t Function::getSize() const { 42 | return size; 43 | } 44 | 45 | Cfg *Function::getCfg() { 46 | return cfg; 47 | } 48 | 49 | // Scan the instructions to detect the number of arguments (assume the 50 | // framepointer is not used as a 
general purpose register, 51 | // -fno-omit-frame-pointer) 52 | void Function::guessArgumentsNo() { 53 | cfg->decode(); 54 | 55 | for (Cfg::const_bb_iterator bbit = cfg->bb_begin(); 56 | bbit != cfg->bb_end(); bbit++) { 57 | for (instructions_t::const_iterator iit = (*bbit)->inst_begin(); 58 | iit != (*bbit)->inst_end(); iit++) { 59 | std::string tempebp; 60 | 61 | for (statements_t::const_iterator sit = (*iit)->stmt_begin(); 62 | sit != (*iit)->stmt_end(); sit++) { 63 | vine::Stmt *s = *sit; 64 | 65 | if (s->stmt_type == vine::MOVE) { 66 | vine::Exp *lhs = static_cast(s)->lhs, *rhs = static_cast(s)->rhs; 67 | if (lhs->exp_type == vine::TEMP && rhs->exp_type == vine::TEMP) { 68 | vine::Temp *t0 = static_cast(lhs), *t1 = static_cast(rhs); 69 | // debug("%.8x %s\n", (*iit)->getAddress(), s->tostring().c_str()); 70 | if (t1->name == "R_EBP") { 71 | tempebp = t0->name; 72 | // debug("EBP copied into %s\n", tempebp.c_str()); 73 | } 74 | } else if (lhs->exp_type == vine::TEMP && rhs->exp_type == vine::BINOP) { 75 | vine::BinOp *op = static_cast(rhs); 76 | if (op->binop_type == vine::PLUS && op->lhs->exp_type == vine::TEMP && 77 | op->rhs->exp_type == vine::CONSTANT) { 78 | vine::Temp *base = static_cast(op->lhs); 79 | vine::Constant *offset = static_cast(op->rhs); 80 | if (base->name == tempebp) { 81 | // debug("%.8x %s\n", (*iit)->getAddress(), s->tostring().c_str()); 82 | if (offset->val > 0 && offset->val < 0xFFFF) { 83 | // debug("EBP is being used in an addition %.8x\n", (unsigned int) (offset->val & 0xFFFF)); 84 | argumentsno = utils::max(argumentsno, ((int) 85 | (offset->val & 0xFFFF)) / 4); 86 | } 87 | } 88 | } 89 | } 90 | } 91 | } 92 | } 93 | } 94 | 95 | if (argumentsno == -1) 96 | argumentsno = 0; 97 | else 98 | argumentsno--; 99 | } 100 | 101 | int Function::getArgumentsNo() { 102 | if (argumentsno == -1) { 103 | guessArgumentsNo(); 104 | } 105 | 106 | return argumentsno; 107 | } 108 | 109 | // Local Variables: 110 | // c-basic-offset: 4 111 | // 
// compile-command: "dchroot -c typeinfer -d make"
// End:
--------------------------------------------------------------------------------
/func.h:
--------------------------------------------------------------------------------
#ifndef __FUNC_H__
#define __FUNC_H__

#include "cfg.h"
// NOTE(review): the two header names below (and the template argument list
// of serialize() further down) appear to have been stripped from this
// listing; check the repository source.
#include
#include

class Cfg;
class Function;
class Prog;

// A function of the analysed program: name, module, address, size and its
// control-flow graph, plus a lazily guessed argument count.  Instances are
// loaded and stored with boost::serialization through serialize() below.
class Function {
private:
    Cfg *cfg;                 // owned: deleted by ~Function()
    Prog *prog;               // back-pointer to the owning program, set by setProg()
    std::string name;
    std::string module;
    std::string prototype;    // not referenced by the code shown here; not archived
    addr_t address;
    size_t size;
    int argumentsno;          // -1 until guessArgumentsNo() has run (see getArgumentsNo())

    bool pending;

    friend class boost::serialization::access;
    // Archive layout: address, size, name, module, cfg.  argumentsno,
    // pending, prog and prototype are not archived, so after a load they
    // hold whatever the constructor used for the target object set.
    template
    void serialize(Archive & ar, const unsigned int version) {
        ar & address;
        ar & size;
        ar & name;
        ar & module;
        ar & cfg;
        (void)version;
    }

    void guessArgumentsNo();

public:
    // Default constructor (used for deserialisation).
    // NOTE(review): address and size are left uninitialised here, and
    // Function(addr_t) in func.cc does not set size either.  Loading from an
    // archive overwrites both; a Function built any other way must have
    // setAddress()/setSize() called before getAddress()/getSize() return
    // meaningful values.
    Function() {argumentsno = -1; cfg = NULL; pending = false; prog = NULL;}
    Function(addr_t a);
    Function(std::string n, addr_t a, size_t l, std::string m);
    ~Function();

    // The returned pointers alias the internal std::string buffers: they are
    // valid only while this Function lives and until the next setName() /
    // setModule() call replaces the string.
    const char *getName() const;
    const char *getModule() const;
    Cfg *getCfg();
    addr_t getAddress() const;
    size_t getSize() const;
    // Not const: computes and caches the guess on first call.
    int getArgumentsNo();

    void setSize(size_t s) { size = s; }
    void setModule(const char *m) { module = m; }
    void setName(const char *n) { name = n; }
    void setAddress(addr_t a) { address = a; }

    bool isPending() { return pending; }
    void setPending(bool b) { pending = b; }

    void setProg(Prog *p) { prog = p; }
    // The null check is an assert(): in a build with NDEBUG it is compiled
    // out and a Function that never had setProg() called returns NULL.
    Prog *getProg() { assert(prog); return prog; }
};

#endif

// Local Variables:
// mode: c++
// c-basic-offset: 4
// compile-command: "dchroot -c typeinfer -d make"
// End:
--------------------------------------------------------------------------------
/instr.h:
-------------------------------------------------------------------------------- 1 | #ifndef __INSTR_H__ 2 | #define __INSTR_H__ 3 | 4 | #include 5 | #include 6 | #include 7 | 8 | #include 9 | 10 | #include "debug.h" 11 | #include "types.h" 12 | 13 | /* There's something a bit ugly going on with the "namespace vine" 14 | below. Putting all of the Vine/LibASMIR stuff in its own namespace 15 | is a reasonable complexity management idea, since there isn't any 16 | other naming convention used to make the LibASMIR code distinct, 17 | and it defines lots of common-sounding types. However the LibASMIR 18 | code was not designed to live in its own namespace, and putting a 19 | namespace declaration around a random include file doesn't 20 | necessarily do the right thing. In particular the C++ parts of 21 | LibASMIR use a lot of STL include files, but if those inclusions 22 | are inside a "namespace vine" the compiler will get confused, for 23 | instance thinking that std::cout is really vine::std::cout, so that 24 | then other uses will be wrong. The ugly thing that makes it work is 25 | include guards: each STL header file is designed to be empty if it 26 | has already been included. So as long as all of the STL headers 27 | that LibASMIR uses are actually included here before the "namespace 28 | vine" code tries to include them, everything will get into the 29 | right namespace. This is what the extensive list of STL includes 30 | below is for. 
-- SMcC */ 31 | 32 | #include 33 | #include 34 | #include 35 | #include 36 | #include 37 | #include 38 | 39 | namespace vine { 40 | #include "irtoir.h" 41 | } 42 | 43 | #define BASICBLOCK_MIDDLE 0 44 | #define BASICBLOCK_HEAD 1 45 | #define BASICBLOCK_TAIL 2 46 | 47 | class Instruction; 48 | class BasicBlock; 49 | 50 | typedef std::vector statements_t; 51 | 52 | #define MAX_INSTR_LEN 16 53 | 54 | class Instruction { 55 | friend class Cfg; 56 | friend class BasicBlock; 57 | 58 | private: 59 | addr_t address; 60 | byte_t rawbytes[MAX_INSTR_LEN]; 61 | size_t size; 62 | statements_t statements; 63 | bool decoded; 64 | BasicBlock *basicblock; 65 | uint32_t cksum; 66 | bool executed; 67 | 68 | friend class boost::serialization::access; 69 | template 70 | void serialize(Archive & ar, const unsigned int version) { 71 | ar & address; 72 | ar & size; 73 | ar & rawbytes; 74 | ar & cksum; 75 | ar & basicblock; 76 | ar & executed; 77 | (void)version; 78 | } 79 | 80 | public: 81 | Instruction(); // for serialization 82 | Instruction(addr_t, byte_t *b, size_t l); 83 | ~Instruction(); 84 | 85 | void decode(); 86 | size_t getSize(); 87 | addr_t getAddress() const; 88 | byte_t *getRawBytes(); 89 | BasicBlock *getBasicBlock(); 90 | uint32_t computeCksum(); 91 | uint32_t getCksum(); 92 | 93 | void setAddress(addr_t a) { address = a; } 94 | 95 | bool isCall(); 96 | bool isReturn(); 97 | 98 | void setExecuted(); 99 | bool isExecuted(); 100 | 101 | void setRawBytes(const byte_t *, size_t); 102 | 103 | functions_t::const_iterator call_targets_begin() const; 104 | functions_t::const_iterator call_targets_end() const; 105 | 106 | statements_t::const_iterator stmt_begin() const; 107 | statements_t::const_iterator stmt_end() const; 108 | statements_t::const_reverse_iterator stmt_rbegin() const; 109 | statements_t::const_reverse_iterator stmt_rend() const; 110 | }; 111 | 112 | std::ostream& operator<<(std::ostream&, const Instruction&); 113 | 114 | #endif 115 | 116 | // Local Variables: 117 | 
// mode: c++ 118 | // c-basic-offset: 4 119 | // compile-command: "dchroot -c typeinfer -d make" 120 | // End: 121 | -------------------------------------------------------------------------------- /path-length-test.cc: -------------------------------------------------------------------------------- 1 | #include "debug.h" 2 | #include "func.h" 3 | #include "cfg.h" 4 | #include "callgraph.h" 5 | #include "serialize.h" 6 | #include "warning.h" 7 | #include "InterProcCFG.h" 8 | 9 | #include 10 | 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | 17 | using namespace std; 18 | using namespace boost::program_options; 19 | using namespace boost; 20 | 21 | int DEBUG_LEVEL = 0; 22 | FILE *DEBUG_FILE = stderr; 23 | 24 | int main(int argc, char **argv) { 25 | options_description opts; 26 | options_description mandatory("Mandatory parameters"); 27 | options_description optional("Allowed options"); 28 | FILE *f; 29 | char tmp[PATH_MAX]; 30 | 31 | variables_map vm; 32 | mandatory.add_options() 33 | ("cfg", value(), "Graph to analyze") 34 | ("target-addr", value(), "Code address to target") 35 | ; 36 | optional.add_options() 37 | ("warn-file", value(), "Serialized warnings") 38 | ("warn-addr", value(), "Warning to focus on") 39 | ("dlev", value(), "Debug level [0-2]"); 40 | ; 41 | opts.add(mandatory).add(optional); 42 | 43 | try { 44 | store(parse_command_line(argc, argv, opts), vm); 45 | } catch (...) { 46 | cerr << "Command-line options parsing failure." << endl; 47 | cout << opts << endl; 48 | return EXIT_FAILURE; 49 | } 50 | 51 | if (vm.count("dlev")) { 52 | DEBUG_LEVEL = vm["dlev"].as(); 53 | if (DEBUG_LEVEL > 2) { 54 | cerr << "Debug level must be between 0 and 2." << endl; 55 | cout << opts << endl; 56 | return EXIT_FAILURE; 57 | } 58 | } 59 | 60 | if (vm.count("cfg") == 0) { 61 | cerr << "Mandatory parameter --cfg missing." 
<< endl; 62 | cout << opts << endl; 63 | return EXIT_FAILURE; 64 | } 65 | 66 | addr_t target_addr = 0; 67 | if (vm.count("target-addr") == 0) { 68 | target_addr = 0; 69 | } else { 70 | target_addr = vm["target-addr"].as(); 71 | } 72 | 73 | // Map addresses to functions 74 | map functions; 75 | InterProcCFG *ipcfg = build_ipcfg(vm["cfg"].as().c_str(), functions); 76 | 77 | if (vm.count("warn-file")) { 78 | warnings_t ww; 79 | unserialize(vm["warn-file"].as().c_str(), ww); 80 | assert(ww.size() >= 1); 81 | addr_t warn_addr; 82 | if (vm.count("warn-addr")) { 83 | warn_addr = vm["warn-addr"].as(); 84 | } else { 85 | warn_addr = 0; 86 | } 87 | Warning *w = 0; 88 | for (warnings_t::const_iterator it = ww.begin(); 89 | it != ww.end(); ++it) { 90 | if (!warn_addr || 91 | (warn_addr && warn_addr == (*it)->getAddress())) { 92 | w = *it; 93 | } 94 | } 95 | assert(w); 96 | ipcfg->set_target_warning(w, functions); 97 | ipcfg->compute_shortest_paths(); 98 | } else if (target_addr) { 99 | ipcfg->set_target_addr(target_addr, functions); 100 | ipcfg->compute_shortest_paths(); 101 | } 102 | ipcfg->to_vcg(cout); 103 | 104 | return EXIT_SUCCESS; 105 | } 106 | 107 | // Local Variables: 108 | // c-basic-offset: 4 109 | // compile-command: "dchroot -c typeinfer -d make" 110 | // End: 111 | -------------------------------------------------------------------------------- /serialize.cc: -------------------------------------------------------------------------------- 1 | #include "serialize.h" 2 | #include 3 | #include 4 | #include 5 | 6 | #include 7 | 8 | #include 9 | #include 10 | 11 | void unserialize(const char *f, Prog &prog, CallGraph *&callgraph, 12 | std::map &functions) { 13 | 14 | try { 15 | std::ifstream ifs(f, std::ios::in|std::ios::binary); 16 | if (!ifs.is_open()) { 17 | fprintf(stderr, "Failed to open %s: %s\n", f, 18 | strerror(errno)); 19 | exit(1); 20 | } 21 | boost::iostreams::filtering_streambuf 22 | in; 23 | in.push(boost::iostreams::bzip2_decompressor()); 24 | 
in.push(ifs); 25 | boost::archive::binary_iarchive ia(in); 26 | 27 | // Unserialize the CFGs 28 | ia >> prog; 29 | } catch (boost::iostreams::bzip2_error) { 30 | std::ifstream ifs(f, std::ios::in|std::ios::binary); 31 | if (!ifs.is_open()) { 32 | fprintf(stderr, "Failed to open %s: %s\n", f, 33 | strerror(errno)); 34 | exit(1); 35 | } 36 | boost::archive::binary_iarchive ia(ifs); 37 | 38 | // Unserialize the CFGs 39 | ia >> prog; 40 | } 41 | 42 | callgraph = prog.getCallGraph(); 43 | for (CallGraph::const_func_iterator fit = callgraph->func_begin(); 44 | fit != callgraph->func_end(); fit++) { 45 | 46 | Function *f = *fit; 47 | functions[f->getAddress()] = f; 48 | } 49 | } 50 | 51 | void serialize(const char *f, const Prog &prog) { 52 | std::ofstream ofs(f, 53 | std::ios::out|std::ios::binary|std::ios::trunc); 54 | boost::iostreams::filtering_streambuf out; 55 | out.push(boost::iostreams::bzip2_compressor()); 56 | out.push(ofs); 57 | boost::archive::binary_oarchive oa(out); 58 | oa << prog; 59 | } 60 | 61 | // Local Variables: 62 | // c-basic-offset: 4 63 | // compile-command: "dchroot -c typeinfer -d make" 64 | // End: 65 | 66 | 67 | -------------------------------------------------------------------------------- /serialize.h: -------------------------------------------------------------------------------- 1 | #ifndef __SERIALIZE_H__ 2 | #define __SERIALIZE_H__ 3 | 4 | #include "cfg.h" 5 | #include "callgraph.h" 6 | #include "func.h" 7 | #include "prog.h" 8 | #include 9 | 10 | void unserialize(const char *, Prog &, CallGraph *&, std::map &); 12 | void serialize(const char *, const Prog &); 13 | 14 | #endif // !__SERIALIZE_H__ 15 | 16 | // Local Variables: 17 | // c-basic-offset: 4 18 | // compile-command: "dchroot -c typeinfer -d make" 19 | // End: 20 | -------------------------------------------------------------------------------- /slice.py: -------------------------------------------------------------------------------- 1 | import sys 2 | 3 | defs = {} 4 | uses 
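uses = {}
definitions = {}

# Vine-style register slice names mapped to the x86 register they denote;
# anything not listed here is reported verbatim by reg2str().
regs = {
    "R1:4[0x14,0x18]": "EDI",
    "R1:4[0x8,0xc]": "ECX",
    "R1:4[0,0x4]": "EAX",
}


def reg2str(r):
    """Return the x86 register name for slice name *r*, or *r* itself if unknown."""
    return regs.get(r, r)


def _split_entry(l):
    """Split one ``key<TAB>item item ...`` table line into ``(key, items)``.

    Only the first two tab-separated fields are used, as in the original
    parser.

    Raises:
        AssertionError: if *l* contains no tab (malformed table line).
    """
    assert "\t" in l, l
    fields = l.split("\t")
    return fields[0], fields[1].split()


def parse(infile, addr=0):
    """Fill the module tables ``uses``, ``defs`` and ``definitions`` from a slice dump.

    The dump is a text file made of sections, each introduced by a line
    starting with ``@@@@@@@`` that carries the address it describes.  Only
    the section whose marker contains ``addr`` in hex is read, up to the next
    line starting with ``@@@@@``.  Inside it, the ``===== USES`` and
    ``==== DEFS`` tables map an instruction address to the registers it
    uses/defines, and the ``==== DEFINI...`` table maps a register to the
    instruction addresses that define it.  Each table ends at a blank line
    (the definitions table also at a line starting with ``Serializing``).
    All three module tables are cleared before parsing.

    Args:
        infile: path of the dump file to read.
        addr: address selecting the section, matched as ``"%.x" % addr``.
            ``"%.x" % 0`` is the empty string, so the default selects the
            first ``@@@@@@@`` section of the file.

    Raises:
        AssertionError: on a malformed table line (no tab, or an empty
            register/address list).
        ValueError: if a hex field does not parse.
    """
    defs.clear()
    uses.clear()
    definitions.clear()

    in_uses = in_defs = in_definitions = started = False
    marker = "%.x" % addr

    # Iterating the file object replaces the Python-2-only xreadlines(), and
    # the with-block closes a handle the previous version never closed.
    with open(infile) as fh:
        for l in fh:
            if l.startswith("@@@@@@@") and marker in l:
                started = True
                continue

            if not started:
                continue

            # Any further section marker ends the section we are reading.
            if l.startswith("@@@@@"):
                break

            l = l.strip()
            if "===== USES" in l:
                in_uses = True
                continue
            elif "==== DEFS" in l:
                in_uses = False
                in_defs = True
                continue
            elif "==== DEFINI" in l:
                in_definitions = True
                in_defs = False
                continue

            if in_uses:
                if not l:
                    in_uses = False
                    continue
                key, items = _split_entry(l)
                instr = int(key, 16)
                uses.setdefault(instr, set()).update(reg2str(u) for u in items)
                assert len(uses[instr]) > 0, l

            if in_defs:
                if not l:
                    in_defs = False
                    continue
                key, items = _split_entry(l)
                instr = int(key, 16)
                defs.setdefault(instr, set()).update(reg2str(d) for d in items)
                assert len(defs[instr]) > 0, l

            if in_definitions:
                if not l or l.startswith("Serializing"):
                    in_definitions = False
                    continue
                key, items = _split_entry(l)
                d = reg2str(key)
                definitions.setdefault(d, set()).update(int(i, 16) for i in items)
                assert len(definitions[d]) > 0, l


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: slice.py <address-in-hex>  (dump is read from stdin)")
    parse("/dev/stdin", int(sys.argv[1], 16))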
/small-examples/hello-nolibc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/bitblaze-fuzzball/d-s-se-directed-tests/7104647e90ad925bde18a2bd22afc33fa09d2135/small-examples/hello-nolibc
--------------------------------------------------------------------------------
/small-examples/hello-nolibc.c:
--------------------------------------------------------------------------------
/* This is a minimal hello world program that doesn't use any C
   library at all, instead implementing its own wrappers to call
   Linux/x86-32 system calls. This avoids some features even in
   dietlibc that lead to false positives, so this is an example of a
   program that the static analysis can correctly conclude has no
   memory safety vulnerabilities. */

/* Compile with:
   gcc-4.8 -Wall -Og -g -m32 -nostdlib hello-nolibc.c -o hello-nolibc
*/

/* Linux/x86-32 system call numbers for the two calls this program makes. */
#define __NR_exit 1
#define __NR_write 4

/* With -nostdlib no libc headers are available, so the two types the
   wrappers use are declared here; on the -m32 target both are 32 bits. */
typedef unsigned long size_t;
typedef long ssize_t;

/* exit(2) through "int $0x80": syscall number in %eax, status in %ebx.
   Never returns. */
void exit(int status) {
    int syscall_num = __NR_exit;
    asm volatile ("int $0x80" : : "a" (syscall_num), "b" (status));
    __builtin_unreachable(); /* exit(2) can never fail to exit */
}

/* write(2) through "int $0x80": number in %eax, fd/buf/count in
   %ebx/%ecx/%edx; the kernel's result comes back in %eax.
   NOTE(review): on failure the kernel leaves a negative errno value in
   %eax, and it is returned as-is rather than mapped to -1/errno as a libc
   wrapper would do -- callers must not assume a libc-style contract. */
ssize_t write(int fd, const void *buf, size_t count) {
    int syscall_num = __NR_write;
    int retval;
    asm volatile ("int $0x80" : "=a" (retval) : "a" (syscall_num),
                  "b" (fd), "c" (buf), "d" (count));
    return retval;
}

/* Write the greeting to fd 1 (stdout); sizeof - 1 leaves out the NUL. */
int main(void) {
    char msg[] = "Hello, world!\n";
    write(1, msg, sizeof(msg) - 1);
    return 0;
}

/* Process entry point (there is no crt0 with -nostdlib): run main and
   exit with its return value.  argc/argv are not set up, so main takes
   no parameters. */
void _start(void) {
    int retval = main();
    exit(retval);
}
--------------------------------------------------------------------------------
/small-examples/mini-start.S:
--------------------------------------------------------------------------------
/*
https://stackoverflow.com/questions/16721164/x86-linux-assembler-get-program-parameters-from-start */ 2 | 3 | .globl _start 4 | 5 | _start: sub $8, %esp 6 | mov 8(%esp), %ecx 7 | lea 12(%esp), %edx 8 | push %edx 9 | push %ecx 10 | call main 11 | mov %eax, %ebx 12 | mov $1, %eax 13 | int $0x80 14 | 15 | -------------------------------------------------------------------------------- /small-examples/rot13char-overflow-nolibc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitblaze-fuzzball/d-s-se-directed-tests/7104647e90ad925bde18a2bd22afc33fa09d2135/small-examples/rot13char-overflow-nolibc -------------------------------------------------------------------------------- /small-examples/rot13char-overflow-nolibc.c: -------------------------------------------------------------------------------- 1 | /* Compile with: 2 | gcc-4.8 -Wall -Og -g -m32 -nostdlib rot13char-overflow-nolibc.c mini-start.S -o rot13char-overflow-nolibc 3 | */ 4 | 5 | #define __NR_exit 1 6 | #define __NR_write 4 7 | 8 | typedef unsigned long size_t; 9 | typedef long ssize_t; 10 | 11 | ssize_t write(int fd, const void *buf, size_t count) { 12 | int syscall_num = __NR_write; 13 | int retval; 14 | asm volatile ("int $0x80" : "=a" (retval) : "a" (syscall_num), 15 | "b" (fd), "c" (buf), "d" (count)); 16 | return retval; 17 | } 18 | 19 | int main(int argc, char **argv) { 20 | char rot_table_ucase[] = "NOPQRSTUVWXYZABCDEFGHIJKLM"; 21 | char rot_table_lcase[] = "nopqrstuvwxyzabcdefghijklm"; 22 | char out_char = '?'; 23 | char out_msg[] = "x\n"; 24 | unsigned char in_char = '!'; 25 | if (argc > 1 && argv[1][0]) 26 | in_char = argv[1][0]; 27 | if (in_char >= ' ' && in_char < 'A') { 28 | out_char = in_char; 29 | } else if (in_char >= 'A' && in_char < 'a') { 30 | out_char = rot_table_ucase[in_char - 'A']; 31 | } else { 32 | out_char = rot_table_lcase[in_char - 'a']; 33 | } 34 | out_msg[0] = out_char; 35 | write(1, out_msg, sizeof(out_msg) - 
1); 36 | return 0; 37 | } 38 | 39 | -------------------------------------------------------------------------------- /tabulate-fuzzball-coverage.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | 3 | use strict; 4 | 5 | my @all = qw(b1 b2 b3 b4 s1 s2 s3 s4 s5 s6 s7 f1 f2 f3); 6 | my $N = 5; 7 | 8 | my %prog_size = 9 | ("b1" => 1075+2120, 10 | "b2" => 1290+2178, 11 | "b3" => 719+3058, 12 | "b4" => 394+3621, 13 | "s1" => 929+2021, 14 | "s2" => 524+2750, 15 | "s3" => 318+1653, 16 | "s4" => 370+2447, 17 | "s5" => 392+1282, 18 | "s6" => 595+2247, 19 | "s7" => 957+2595, 20 | "f1" => 571+1561, 21 | "f2" => 807+2549, 22 | "f3" => 684+1639, 23 | ); 24 | 25 | for my $b (@all) { 26 | for my $t ("baseline", "guided") { 27 | my $short = 28 | {"baseline" => "U ", "guided" => "D ", "guided2" => "D2"}->{$t}; 29 | print "$b-$short: "; 30 | my $num_seen = 0; 31 | my $tot_cover = 0; 32 | for my $i (1 .. $N) { 33 | my $fname = "$b-$t-$i.out.gz"; 34 | my $prog = "zcat"; 35 | if (not -e $fname) { 36 | $fname = "$b-$t-$i.out"; 37 | $prog = "cat"; 38 | } 39 | next unless -e $fname; 40 | open(LOG, "$prog $fname |"); 41 | my $best_cover = -1; 42 | while () { 43 | if (/^Coverage increased to (\d+) on/) { 44 | my $cover = $1; 45 | die unless $cover > $best_cover; 46 | $best_cover = $cover; 47 | } elsif (/^Final coverage: (\d+)$/) { 48 | my $cover = $1; 49 | die unless $cover >= $best_cover; 50 | $best_cover = $cover; 51 | } 52 | } 53 | close LOG; 54 | printf "%5d ", $best_cover; 55 | $tot_cover += $best_cover; 56 | $num_seen++ unless $best_cover == -1; 57 | } 58 | if ($num_seen == $N) { 59 | my $avg_cover = $tot_cover/$N; 60 | my $pct = 100 * ($avg_cover/$prog_size{$b}); 61 | printf "| %5d %3.1f%%", $avg_cover, $pct; 62 | } 63 | print "\n"; 64 | } 65 | print "\n"; 66 | } 67 | -------------------------------------------------------------------------------- /tabulate-fuzzball-results.pl: 
-------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | 3 | use strict; 4 | 5 | my @all = qw(b1 b2 b3 b4 s1 s2 s3 s4 s5 s6 s7 f1 f2 f3); 6 | my $N = 5; 7 | 8 | 9 | for my $b (@all) { 10 | for my $t ("baseline", "guided", "guided2") { 11 | my $short = 12 | {"baseline" => "U ", "guided" => "D ", "guided2" => "D2"}->{$t}; 13 | print "$b-$short: "; 14 | my $num_seen = 0; 15 | my($tot_iter, $tot_time); 16 | for my $i (1 .. $N) { 17 | my $fname = "$b-$t-$i.out.gz"; 18 | my $prog = "zcat"; 19 | if (not -e $fname) { 20 | $fname = "$b-$t-$i.out"; 21 | $prog = "cat"; 22 | } 23 | next unless -e $fname; 24 | $num_seen++; 25 | open(LOG, "$prog $fname |"); 26 | my $last_iter = -1; 27 | my $wall_time = 0; 28 | while () { 29 | if (/^Iteration (\d+):/) { 30 | $last_iter = $1; 31 | } elsif (/^### Wallclock time: (.*) s/) { 32 | $wall_time = $1; 33 | } 34 | } 35 | close LOG; 36 | printf "%5d/%7.1f ", $last_iter, $wall_time; 37 | $tot_iter += $last_iter; 38 | $tot_time += $wall_time; 39 | } 40 | if ($num_seen == $N) { 41 | printf "| %5d/%7.1f", $tot_iter/$N, $tot_time/$N; 42 | } 43 | print "\n"; 44 | } 45 | print "\n"; 46 | } 47 | -------------------------------------------------------------------------------- /trace.cc: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | #include "debug.h" 7 | #include "trace.h" 8 | 9 | // TODO: 10 | // * Add iterator to traverse the instructions in the trace 11 | // * Compress trace 12 | 13 | Trace::Trace() { 14 | ; 15 | } 16 | 17 | Trace::~Trace() { 18 | ; 19 | } 20 | 21 | void Trace::append(unsigned int base, int size) { 22 | t.push_back(pair(base, size)); 23 | } 24 | 25 | unsigned int Trace::size() { 26 | return t.size(); 27 | } 28 | 29 | // Local Variables: 30 | // c-basic-offset: 4 31 | // compile-command: "dchroot -c typeinfer -d make" 32 | // End: 33 | 
-------------------------------------------------------------------------------- /trace.h: -------------------------------------------------------------------------------- 1 | #ifndef __TRACE_H__ 2 | #define __TRACE_H__ 3 | 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | using namespace std; 10 | 11 | namespace boost { 12 | namespace serialization { 13 | template 14 | void serialize(Archive &ar, pair &p, 15 | const unsigned int) { 16 | ar & p.first; 17 | ar & p.second; 18 | } 19 | } 20 | } 21 | 22 | class Trace { 23 | private: 24 | typedef list > instr_t; 25 | instr_t t; 26 | 27 | friend class boost::serialization::access; 28 | template 29 | void serialize(Archive & ar, const unsigned int version) { 30 | ar & t; 31 | (void)version; 32 | } 33 | 34 | public: 35 | Trace(); 36 | ~Trace(); 37 | 38 | void append(unsigned int, int); 39 | unsigned int size(); 40 | 41 | class const_iterator { 42 | typedef const_iterator _Self; 43 | public: 44 | typedef std::random_access_iterator_tag iterator_category; 45 | typedef instr_t value_type; 46 | typedef size_t difference_type; 47 | typedef const unsigned int &reference; 48 | typedef const unsigned int *pointer; 49 | private: 50 | Trace *t; 51 | instr_t::iterator tit; 52 | 53 | explicit const_iterator(Trace *t_, instr_t::iterator tit_) { 54 | t = t_; 55 | tit = tit_; 56 | } 57 | 58 | public: 59 | // No need for copy ctor, copy assign. Defaults are fine. 
60 | const_iterator() { 61 | t = NULL; 62 | } 63 | 64 | explicit const_iterator(Trace *t_) { 65 | t = t_; 66 | tit = t->t.begin(); 67 | } 68 | 69 | explicit const_iterator(Trace *t_, bool) { 70 | t = t_; 71 | tit = t->t.end(); 72 | } 73 | 74 | bool operator==(const _Self& B) { 75 | return tit == B.tit; 76 | } 77 | 78 | bool operator!=(const _Self& B) { 79 | return tit != B.tit; 80 | } 81 | 82 | _Self &operator++() { 83 | tit++; 84 | return *this; 85 | } 86 | 87 | _Self operator++(int) { 88 | return _Self(t, tit++); 89 | } 90 | 91 | _Self &operator--() { 92 | tit--; 93 | return *this; 94 | } 95 | 96 | _Self operator--(int) { 97 | return _Self(t, tit--); 98 | } 99 | 100 | reference operator*() const { 101 | return tit->first; 102 | } 103 | 104 | pointer operator->() const { 105 | return &(tit->first); 106 | } 107 | }; 108 | 109 | }; 110 | 111 | #endif 112 | 113 | // Local Variables: 114 | // c-basic-offset: 4 115 | // compile-command: "dchroot -c typeinfer -d make" 116 | // End: 117 | -------------------------------------------------------------------------------- /trace.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | tmp=$(mktemp) 4 | PIN=./pin-2.14-71313-gcc.4.4.7-linux/pin 5 | OUTDIR="./cfg" 6 | DEBUG="3" 7 | 8 | while getopts "d:sO:o:c:" flag 9 | do 10 | case $flag in 11 | O) OUTDIR="$OPTARG";; 12 | o) OUTFILE="$OPTARG";; 13 | c) CHDIR="--chdir=$OPTARG";; 14 | s) STATIC="--augment-cfg";; 15 | d) DEBUG="$OPTARG";; 16 | esac 17 | done 18 | 19 | shift $((OPTIND-1)) 20 | 21 | if [ "$*" == "" ] 22 | then 23 | echo "Invalid argument(s)" 24 | exit 1 25 | else 26 | PT_ARGS="--skiplibs=0 --debug=$DEBUG $CHDIR --outprog=$tmp $STATIC" 27 | PROG="$(which $1)" 28 | shift 1 29 | export LD_BIND_NOW=1 30 | $PIN -ifeellucky -injection child -t pintracer.so $PT_ARGS -- "$PROG" "$@" 31 | ret=$? 
32 | 33 | if [ $ret -eq 0 ] 34 | then 35 | MD51=$(md5sum "$PROG" | cut -f 1 -d " " | cut -c -6) 36 | MD52=$(md5sum "$tmp" | cut -f 1 -d " " | cut -c -6) 37 | PROG=$(basename "$PROG") 38 | if [ "$STATIC" = "" ] 39 | then 40 | EXT="dyn.cfg" 41 | else 42 | EXT="stat.cfg" 43 | fi 44 | if [ "$OUTFILE" = "" ] 45 | then 46 | OUTFILE="$OUTDIR/$PROG-$MD51-$MD52.$EXT" 47 | fi 48 | mv -f "$tmp" "$OUTFILE" 49 | echo "**** Program succesfully executed (trace saved in $OUTFILE)" 50 | else 51 | echo "!!!! Execution failed" 52 | fi 53 | 54 | rm -f $CFG 55 | fi 56 | -------------------------------------------------------------------------------- /types.h: -------------------------------------------------------------------------------- 1 | #ifndef __TYPES_H__ 2 | #define __TYPES_H__ 3 | 4 | #include 5 | #include 6 | 7 | class BasicBlock; 8 | class Function; 9 | class Instruction; 10 | class Cfg; 11 | class CallGraph; 12 | 13 | typedef unsigned int addr_t; 14 | typedef unsigned char byte_t; 15 | 16 | #if 0 17 | #warning "Extreme DANGER! These associative containers are sorted " \ 18 | "by pointers and will cause non-determinism, sooner-or-later. " \ 19 | "This is a BIG NO-NO." 20 | #endif 21 | 22 | typedef std::set functions_t; 23 | typedef std::set basicblocks_t; 24 | typedef std::vector instructions_t; 25 | typedef std::pair range_t; 26 | 27 | #endif 28 | -------------------------------------------------------------------------------- /vineir.cc: -------------------------------------------------------------------------------- 1 | //====================================================================== 2 | // 3 | // This file contains a test of the VEX IR translation interface. 
4 | // 5 | //====================================================================== 6 | 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | 14 | #include "asm_program.h" 15 | 16 | extern "C" 17 | { 18 | #include "libvex.h" 19 | } 20 | 21 | #include "irtoir.h" 22 | 23 | using namespace std; 24 | 25 | void print_vine_ir(asm_program_t *prog, vector vblocks ) 26 | { 27 | unsigned int i, j; 28 | 29 | for ( i = 0; i < vblocks.size(); i++ ) 30 | { 31 | vine_block_t *block = vblocks.at(i); 32 | assert(block); 33 | 34 | vector *inner = block->vine_ir; 35 | 36 | ostringstream os; 37 | ostream_insn(prog, block->inst, os); 38 | cout << " // " << os.str() << endl; 39 | 40 | 41 | vector globals = get_reg_decls(); 42 | map context; 43 | for(vector::const_iterator gi = globals.begin(); 44 | gi != globals.end(); gi++){ 45 | VarDecl *vd = *gi; 46 | context.insert(pair(vd->name, vd->typ)); 47 | } 48 | 49 | for ( j = 0; j < inner->size(); j++ ) 50 | { 51 | Stmt *s = inner->at(j); 52 | cout << " " << s->tostring(); 53 | cout << endl; 54 | 55 | } 56 | } 57 | 58 | } 59 | 60 | int main(int argc, char **argv) { 61 | unsigned char buf[1024]; 62 | int size; 63 | asm_program_t *prog; 64 | vine_block_t *block; 65 | vector vblocks; 66 | 67 | extern bool translate_calls_and_returns; 68 | 69 | (void)argc; (void)argv; 70 | 71 | translate_calls_and_returns = true; 72 | 73 | size = read(0, buf, sizeof(buf)); 74 | 75 | prog = byte_insn_to_asmp(asmir_arch_x86, 0, (unsigned char *) buf, size); 76 | block = asm_addr_to_ir(prog, 0); 77 | 78 | vblocks.push_back(block); 79 | 80 | print_vine_ir(prog, vblocks); 81 | } 82 | -------------------------------------------------------------------------------- /vulapps/Makefile: -------------------------------------------------------------------------------- 1 | all: sendmail bind wu-ftpd 2 | 3 | sendmail: s1 s2 s3 s4 s5 s6 s7 4 | 5 | bind: b1 b2 b3 b4 6 | 7 | wu-ftpd: f1 f2 f3 8 | 9 | s1: 10 | cd sendmail/s1; \ 11 | make; \ 12 | cd 
../.. 13 | s2: 14 | cd sendmail/s2; \ 15 | make; \ 16 | cd ../.. 17 | s3: 18 | cd sendmail/s3; \ 19 | make; \ 20 | cd ../.. 21 | s4: 22 | cd sendmail/s4; \ 23 | make; \ 24 | cd ../.. 25 | s5: 26 | cd sendmail/s5; \ 27 | make; \ 28 | cd ../.. 29 | s6: 30 | cd sendmail/s6; \ 31 | make; \ 32 | cd ../.. 33 | s7: 34 | cd sendmail/s7; \ 35 | make; \ 36 | cd ../.. 37 | 38 | 39 | b1: 40 | cd bind/b1; \ 41 | make; \ 42 | cd ../.. 43 | b2: 44 | cd bind/b2; \ 45 | make; \ 46 | cd ../.. 47 | b3: 48 | cd bind/b3; \ 49 | make; \ 50 | cd ../.. 51 | b4: 52 | cd bind/b4; \ 53 | make; \ 54 | cd ../.. 55 | 56 | f1: 57 | cd wu-ftpd/f1; \ 58 | make; \ 59 | cd ../.. 60 | f2: 61 | cd wu-ftpd/f2; \ 62 | make; \ 63 | cd ../.. 64 | f3: 65 | cd wu-ftpd/f3; \ 66 | make; \ 67 | cd ../.. 68 | 69 | 70 | clean: 71 | rm runAll.out ; \ 72 | cd sendmail ; \ 73 | cd s1; make clean ; cd .. ; \ 74 | cd s2; make clean ; cd .. ; \ 75 | cd s3; make clean ; cd .. ; \ 76 | cd s4; make clean ; cd .. ; \ 77 | cd s5; make clean ; cd .. ; \ 78 | cd s6; make clean ; cd .. ; \ 79 | cd s7; make clean ; cd .. ; \ 80 | cd ../bind ; \ 81 | cd b1; make clean ; cd .. ; \ 82 | cd b2; make clean ; cd .. ; \ 83 | cd b3; make clean ; cd .. ; \ 84 | cd b4; make clean ; cd .. ; \ 85 | cd ../wu-ftpd ; \ 86 | cd f1; make clean ; cd .. ; \ 87 | cd f2; make clean ; cd .. 
; \ 88 | cd f3; make clean 89 | 90 | -------------------------------------------------------------------------------- /vulapps/bind/b1/2010-11-04.cmd: -------------------------------------------------------------------------------- 1 | ./cfg_fuzzball ./nxt-bad -linux-syscalls -check-condition-at 0x08048d28:'R_EAX:reg32_t >= 0x7fffffff:reg32_t' -stp-path ./stp -trace-iterations -trace-syscalls -trace-assigns-string -trace-stopping -coverage-stats -time-stats -fuzz-start-addr 0x080489fb -symbolic-cstring 0x0804b070+104 -- nxt-bad 2 | -------------------------------------------------------------------------------- /vulapps/bind/b1/2010-11-05-cfg-dir.cmd: -------------------------------------------------------------------------------- 1 | ./cfg_fuzzball ./nxt-bad-nojt -linux-syscalls -check-condition-at 0x08048d6c:'R_EAX:reg32_t >= 0x7fffffff:reg32_t' -stp-path ./stp -trace-iterations -trace-syscalls -trace-assigns-string -trace-stopping -coverage-stats -time-stats -fuzz-start-addr 0x080489fb -symbolic-cstring 0x0804b070+104 -cfg b1.cg -target-addr 0x08048d6c -- nxt-bad-nojt 2 | -------------------------------------------------------------------------------- /vulapps/bind/b1/Makefile: -------------------------------------------------------------------------------- 1 | DIET = diet 2 | DIET_CFLAGS = -DDIETLIBC 3 | DIET_LDFLAGS = /opt/diet/lib-i386/libcompat.a 4 | 5 | 6 | all: nxt-bad nxt-ok 7 | 8 | clean: 9 | rm -f nxt-bad nxt-ok nxt-bad.out nxt-ok.out 10 | 11 | nxt-bad: nxt-bad.c 12 | $(CC) -o nxt-bad nxt-bad.c -I . -lresolv 13 | 14 | nxt-bad-nojt: nxt-bad.c 15 | $(CC) -g -fno-jump-tables -o $@ nxt-bad.c -I . -lresolv 16 | 17 | nxt-bad-myresolv: nxt-bad.c my-resolv.c 18 | $(CC) -g -o $@ nxt-bad.c my-resolv.c -I . 19 | 20 | nxt-bad-myresolv-mylibc: nxt-bad.c my-resolv.c ../../my-libc.o 21 | $(CC) -g -o $@ nxt-bad.c my-resolv.c ../../my-libc.o -I . 
22 | 23 | nxt-bad-myresolv-mylibc-diet: nxt-bad.c my-resolv.c ../../my-libc.c 24 | $(DIET) $(CC) $(DIET_CFLAGS) -g -o $@ nxt-bad.c my-resolv.c ../../my-libc.c -I . 25 | 26 | nxt-bad-myresolv-mylibc-nojt: nxt-bad.c my-resolv.c ../../my-libc.o 27 | $(CC) -fno-jump-tables -g -o $@ nxt-bad.c my-resolv.c ../../my-libc.o -I . 28 | 29 | nxt-ok: nxt-ok.c 30 | $(CC) -o nxt-ok nxt-ok.c -I . -lresolv 31 | -------------------------------------------------------------------------------- /vulapps/bind/b1/nxt-bad-myresolv-mylibc-diet-svn: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitblaze-fuzzball/d-s-se-directed-tests/7104647e90ad925bde18a2bd22afc33fa09d2135/vulapps/bind/b1/nxt-bad-myresolv-mylibc-diet-svn -------------------------------------------------------------------------------- /vulapps/bind/b1/nxt-bad-nojt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitblaze-fuzzball/d-s-se-directed-tests/7104647e90ad925bde18a2bd22afc33fa09d2135/vulapps/bind/b1/nxt-bad-nojt -------------------------------------------------------------------------------- /vulapps/bind/b1/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # Hardcoded Input: a file named 'testcase' that contains a sample DNS QUERY packet. 
4 | # 5 | ./nxt-bad 6 | -------------------------------------------------------------------------------- /vulapps/bind/b1/testcase: -------------------------------------------------------------------------------- 1 | testcase.init -------------------------------------------------------------------------------- /vulapps/bind/b1/testcase.exploit: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitblaze-fuzzball/d-s-se-directed-tests/7104647e90ad925bde18a2bd22afc33fa09d2135/vulapps/bind/b1/testcase.exploit -------------------------------------------------------------------------------- /vulapps/bind/b1/testcase.init: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitblaze-fuzzball/d-s-se-directed-tests/7104647e90ad925bde18a2bd22afc33fa09d2135/vulapps/bind/b1/testcase.init -------------------------------------------------------------------------------- /vulapps/bind/b2/2010-11-08-cfg-guide.cmd: -------------------------------------------------------------------------------- 1 | ./cfg_fuzzball ./sig-bad-nojt -linux-syscalls -check-condition-at 0x08048fdf:'R_EAX:reg32_t >= 0x7fffffff:reg32_t' -stp-path ./stp -trace-iterations -trace-syscalls -trace-assigns-string -trace-stopping -coverage-stats -time-stats -fuzz-start-addr 0x08049195 -zero-memory -symbolic-cstring 0x00804b070+114 -cfg b2.cg -target-addr 0x08048ff0 -- sig-bad-nojt 2 | -------------------------------------------------------------------------------- /vulapps/bind/b2/2010-11-08.cmd: -------------------------------------------------------------------------------- 1 | ./cfg_fuzzball ./sig-bad-nojt -linux-syscalls -check-condition-at 0x08048fdf:'R_EAX:reg32_t >= 0x7fffffff:reg32_t' -stp-path ./stp -trace-iterations -trace-syscalls -trace-assigns-string -trace-stopping -coverage-stats -time-stats -fuzz-start-addr 0x08049195 -zero-memory -symbolic-cstring 0x00804b070+114 -- 
./sig-bad-nojt 2 | -------------------------------------------------------------------------------- /vulapps/bind/b2/Makefile: -------------------------------------------------------------------------------- 1 | DIET = diet 2 | DIET_CFLAGS = -DDIETLIBC -g -fno-jump-tables 3 | DIET_LDFLAGS = /opt/diet/lib-i386/libcompat.a 4 | 5 | all: sig-bad sig-ok #create 6 | 7 | clean: 8 | rm -f sig-bad sig-ok create sig-bad.out sig-ok.out SIGFILE 9 | 10 | sig-bad: sig-bad.c 11 | $(CC) -g -o sig-bad sig-bad.c -I . -lresolv 12 | 13 | sig-bad-diet: sig-bad.c ../b1/my-resolv.c 14 | $(DIET) $(CC) $(DIET_CFLAGS) -o sig-bad-diet sig-bad.c ../b1/my-resolv.c -I . 15 | 16 | sig-bad-nojt: sig-bad.c 17 | $(CC) -fno-jump-tables -g -o $@ sig-bad.c -I . -lresolv 18 | 19 | sig-ok: sig-ok.c 20 | $(CC) -o sig-ok sig-ok.c -I . -lresolv 21 | 22 | create: create_sig.c 23 | $(CC) -o create create_sig.c -lresolv ; \ 24 | ./create 25 | -------------------------------------------------------------------------------- /vulapps/bind/b2/create_sig.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | 11 | int main(){ 12 | 13 | FILE *f; 14 | u_char buf[1000]; 15 | u_char *p; 16 | char *temp, *temp1; 17 | u_char *comp_dn, *comp_dn2; 18 | char exp_dn[200], exp_dn2[200]; 19 | u_char **dnptrs, **lastdnptr, **dnptrs2; 20 | int i,len = 0, comp_size; 21 | u_long now; 22 | 23 | 24 | dnptrs = (unsigned char **) malloc(2 * sizeof(unsigned char *)); 25 | dnptrs2 = (unsigned char **) malloc(2 * sizeof(unsigned char *)); 26 | 27 | comp_dn = (unsigned char *) malloc(200*sizeof(unsigned char)); 28 | comp_dn2 = (unsigned char *) malloc(200*sizeof(unsigned char)); 29 | 30 | temp1 = (char *) malloc(400*sizeof(char)); 31 | 32 | temp = temp1; 33 | 34 | p = buf; 35 | 36 | strcpy(temp, "HEADER JUNK:"); 37 | 38 | len += strlen(temp); 39 | 40 | while (*temp != '\0') 41 | *p++ = 
*temp++; 42 | 43 | strcpy(exp_dn, "lcs.mit.edu"); 44 | 45 | *dnptrs++ = (u_char *) exp_dn; 46 | *dnptrs-- = NULL; 47 | 48 | lastdnptr = NULL; 49 | 50 | printf("Calling dn_comp..\n"); 51 | comp_size = dn_comp((const char *) exp_dn, comp_dn, 200, dnptrs, lastdnptr); 52 | printf("uncomp_size = %d\n", strlen(exp_dn)); 53 | printf("comp_size = %d\n", comp_size); 54 | printf("exp_dn = %s, comp_dn = %s\n", exp_dn, (char *) comp_dn); 55 | 56 | for(i=0; i 66 | 67 | */ 68 | 69 | #include 70 | #include 71 | #include 72 | #include 73 | 74 | #define MAXDATA 10 75 | 76 | int main(){ 77 | 78 | int n; 79 | unsigned short s1 = 10; 80 | unsigned int s2 = 10; 81 | size_t s3 = 10; 82 | char buf[MAXDATA]; 83 | 84 | n = -1; 85 | 86 | if (n < s1) 87 | printf("-1 < 10 (unsigned short) \n"); 88 | else 89 | printf("-1 >= 10 (unsigned short)\n"); 90 | 91 | if (n < s2) 92 | printf("-1 < 10 (unsigned int) \n"); 93 | else 94 | printf("-1 >= 10 (unsigned int) \n"); 95 | 96 | if (n < s3) 97 | printf("-1 < 10 (size_t) \n"); 98 | else 99 | printf("-1 >= 10 (size_t) \n"); 100 | 101 | if (n < sizeof(buf)) 102 | printf("-1 < 10 (sizeof(buf)) \n"); 103 | else 104 | printf("-1 >= 10 (sizeof(buf)) \n"); 105 | 106 | 107 | return 0; 108 | } 109 | 110 | /* 111 | 112 | 113 | 114 | */ 115 | 116 | -------------------------------------------------------------------------------- /vulapps/bind/b2/testcase: -------------------------------------------------------------------------------- 1 | testcase.init -------------------------------------------------------------------------------- /vulapps/bind/b2/testcase.exploit: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitblaze-fuzzball/d-s-se-directed-tests/7104647e90ad925bde18a2bd22afc33fa09d2135/vulapps/bind/b2/testcase.exploit -------------------------------------------------------------------------------- /vulapps/bind/b2/testcase.init: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitblaze-fuzzball/d-s-se-directed-tests/7104647e90ad925bde18a2bd22afc33fa09d2135/vulapps/bind/b2/testcase.init -------------------------------------------------------------------------------- /vulapps/bind/b3/2010-11-10.cmd: -------------------------------------------------------------------------------- 1 | ./cfg_fuzzball ./iquery-bad-diet -stp-path ./stp -linux-syscalls -trace-syscalls -trace-stopping -trace-assigns-string -coverage-stats -time-stats -trace-iterations -check-condition-at 0x080482b4:'R_EAX:reg32_t >= 512:reg32_t' -fuzz-start-addr 0x0804838a -symbolic-cstring 0x50002008+511 -skip-func-ret 0x0804945c=10 -symbolic-word 0xbffffd48=len -- ./iquery-bad-diet b3.in 2 | -------------------------------------------------------------------------------- /vulapps/bind/b3/2010-11-11.cmd: -------------------------------------------------------------------------------- 1 | ./cfg_fuzzball ./iquery-bad-diet -stp-path ./stp -linux-syscalls -trace-syscalls -trace-stopping -trace-assigns-string -coverage-stats -time-stats -trace-iterations -check-condition-at 0x080482b4:'R_EAX:reg32_t >= 512:reg32_t' -fuzz-start-addr 0x0804838a -symbolic-cstring 0x50002008+511 -skip-func-ret 0x0804945c=10 -symbolic-word 0xbffffd48=len -cfg ../../../cfg/MIT/bind/b3/iquery-bad-diet.cfg -target-addr 0x080482b4 -- ./iquery-bad-diet b3.in 2 | -------------------------------------------------------------------------------- /vulapps/bind/b3/Makefile: -------------------------------------------------------------------------------- 1 | DIET = diet 2 | DIET_CFLAGS = -DDIETLIBC -g -fno-jump-tables 3 | DIET_LDFLAGS = /opt/diet/lib-i386/libcompat.a 4 | 5 | all: iquery-bad iquery-ok # create 6 | 7 | clean: 8 | rm -f iquery-bad iquery-ok create iquery-bad.out iquery-ok.out 9 | 10 | iquery-bad: iquery-bad.c 11 | $(CC) -o iquery-bad iquery-bad.c -lresolv 12 | 13 | iquery-bad-diet: 
iquery-bad.c ../b1/my-resolv.c 14 | $(DIET) $(CC) $(DIET_CFLAGS) -o iquery-bad-diet iquery-bad.c ../b1/my-resolv.c 15 | 16 | iquery-ok: iquery-ok.c 17 | $(CC) -o iquery-ok iquery-ok.c -lresolv 18 | 19 | create: create_iquery.c 20 | $(CC) -o create create_iquery.c -lresolv ; \ 21 | ./create 22 | 23 | 24 | -------------------------------------------------------------------------------- /vulapps/bind/b3/b3.in: -------------------------------------------------------------------------------- 1 | 9283721 2 | -------------------------------------------------------------------------------- /vulapps/bind/b3/iquery-bad-diet-svn: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitblaze-fuzzball/d-s-se-directed-tests/7104647e90ad925bde18a2bd22afc33fa09d2135/vulapps/bind/b3/iquery-bad-diet-svn -------------------------------------------------------------------------------- /vulapps/bind/b3/iquery-file.exploit: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitblaze-fuzzball/d-s-se-directed-tests/7104647e90ad925bde18a2bd22afc33fa09d2135/vulapps/bind/b3/iquery-file.exploit -------------------------------------------------------------------------------- /vulapps/bind/b3/iquery-file.init: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitblaze-fuzzball/d-s-se-directed-tests/7104647e90ad925bde18a2bd22afc33fa09d2135/vulapps/bind/b3/iquery-file.init -------------------------------------------------------------------------------- /vulapps/bind/b3/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # Hardcoded Input: a file named 'iquery-file' that contains a sample DNS QUERY packet. 
4 | # 5 | ./iquery-bad b3.in 6 | -------------------------------------------------------------------------------- /vulapps/bind/b3/testcase: -------------------------------------------------------------------------------- 1 | testcase.init -------------------------------------------------------------------------------- /vulapps/bind/b3/testcase.init: -------------------------------------------------------------------------------- 1 | b3.in -------------------------------------------------------------------------------- /vulapps/bind/b4/2010-11-11-guided.cmd: -------------------------------------------------------------------------------- 1 | ./cfg_fuzzball ./nsl-bad-diet -stp-path ./stp -linux-syscalls -trace-syscalls -trace-stopping -trace-assigns-string -coverage-stats -time-stats -trace-iterations -check-condition-at 0x08048230:'R_EAX:reg32_t > 999:reg32_t' -zero-memory -fuzz-start-addr 0x0804861b -symbolic-cstring-fulllen 0xbffff9a0+975 -cfg ../../../cfg/MIT/bind/b4/nsl-bad-diet.cfg -target-addr 0x08048230 -loop-weight 0x0804a84d=4000.0 -- ./nsl-bad-diet testcase.init 2 | -------------------------------------------------------------------------------- /vulapps/bind/b4/2010-11-11.cmd: -------------------------------------------------------------------------------- 1 | ./cfg_fuzzball ./nsl-bad-diet -stp-path ./stp -linux-syscalls -trace-syscalls -trace-stopping -trace-assigns-string -coverage-stats -time-stats -trace-iterations -check-condition-at 0x08048230:'R_EAX:reg32_t > 999:reg32_t' -zero-memory -fuzz-start-addr 0x0804861b -symbolic-cstring-fulllen 0xbffff9a0+975 -- ./nsl-bad-diet testcase.init 2 | -------------------------------------------------------------------------------- /vulapps/bind/b4/Makefile: -------------------------------------------------------------------------------- 1 | DIET = diet 2 | DIET_CFLAGS = -g -fno-jump-tables 3 | DIET_LDFLAGS = /opt/diet/lib-i386/libcompat.a 4 | 5 | all: nsl-bad nsl-ok #create 6 | 7 | clean: 8 | rm -f nsl-bad 
nsl-ok create nsl-bad.out nsl-ok.out 9 | 10 | nsl-bad: ns-lookup-bad.c 11 | $(CC) -g -fno-stack-protector -o nsl-bad ns-lookup-bad.c 12 | 13 | nsl-bad-diet: ns-lookup-bad.c 14 | $(DIET) $(CC) $(DIET_CFLAGS) -fno-stack-protector -o nsl-bad-diet ns-lookup-bad.c 15 | 16 | nsl-ok: ns-lookup-ok.c 17 | $(CC) -o nsl-ok ns-lookup-ok.c 18 | 19 | create: create_address_file 20 | $(CC) -fno-stack-protector -o create create_address_file.c ; \ 21 | ./create 22 | -------------------------------------------------------------------------------- /vulapps/bind/b4/address_file: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitblaze-fuzzball/d-s-se-directed-tests/7104647e90ad925bde18a2bd22afc33fa09d2135/vulapps/bind/b4/address_file -------------------------------------------------------------------------------- /vulapps/bind/b4/address_file.bak: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitblaze-fuzzball/d-s-se-directed-tests/7104647e90ad925bde18a2bd22afc33fa09d2135/vulapps/bind/b4/address_file.bak -------------------------------------------------------------------------------- /vulapps/bind/b4/create_address_file.c: -------------------------------------------------------------------------------- 1 | 2 | /* 3 | 4 | MIT Copyright Notice 5 | 6 | Copyright 2003 M.I.T. 7 | 8 | Permission is hereby granted, without written agreement or royalty fee, to use, 9 | copy, modify, and distribute this software and its documentation for any 10 | purpose, provided that the above copyright notice and the following three 11 | paragraphs appear in all copies of this software. 12 | 13 | IN NO EVENT SHALL M.I.T. BE LIABLE TO ANY PARTY FOR DIRECT, INDIRECT, SPECIAL, 14 | INCIDENTAL, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OF THIS SOFTWARE 15 | AND ITS DOCUMENTATION, EVEN IF M.I.T. HAS BEEN ADVISED OF THE POSSIBILITY OF 16 | SUCH DAMANGE. 17 | 18 | M.I.T. 
SPECIFICALLY DISCLAIMS ANY WARRANTIES INCLUDING, BUT NOT LIMITED TO 19 | THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, 20 | AND NON-INFRINGEMENT. 21 | 22 | THE SOFTWARE IS PROVIDED ON AN "AS-IS" BASIS AND M.I.T. HAS NO OBLIGATION TO 23 | PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS. 24 | 25 | $Author: tleek $ 26 | $Date: 2004/01/05 17:27:41 $ 27 | $Header: /mnt/leo2/cvs/sabo/hist-040105/bind/b4/create_address_file.c,v 1.1.1.1 2004/01/05 17:27:41 tleek Exp $ 28 | 29 | 30 | 31 | */ 32 | 33 | 34 | /* 35 | 36 | BIND Copyright Notice 37 | 38 | Copyright (C) 2000-2002 Internet Software Consortium. 39 | 40 | Permission to use, copy, modify, and distribute this software for any 41 | purpose with or without fee is hereby granted, provided that the above 42 | copyright notice and this permission notice appear in all copies. 43 | 44 | THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM 45 | DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL 46 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL 47 | INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, 48 | INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING 49 | FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, 50 | NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION 51 | WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 
52 | 53 | 54 | $Author: tleek $ 55 | $Date: 2004/01/05 17:27:41 $ 56 | $Header: /mnt/leo2/cvs/sabo/hist-040105/bind/b4/create_address_file.c,v 1.1.1.1 2004/01/05 17:27:41 tleek Exp $ 57 | 58 | 59 | 60 | */ 61 | 62 | 63 | /* 64 | 65 | 66 | 67 | */ 68 | 69 | #include 70 | #include 71 | 72 | 73 | 74 | int main(){ 75 | 76 | FILE *f; 77 | int i; 78 | 79 | f = fopen("address_file","w"); 80 | 81 | for(i=0; i<4; i++){ 82 | fputc((u_char) 255, f); 83 | fputc((u_char) 255, f); 84 | fputc((u_char) 255, f); 85 | fputc((u_char) 255, f); 86 | } 87 | 88 | fclose(f); 89 | return 0; 90 | } 91 | 92 | /* 93 | 94 | 95 | 96 | */ 97 | 98 | -------------------------------------------------------------------------------- /vulapps/bind/b4/nsl-bad-diet-svn: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitblaze-fuzzball/d-s-se-directed-tests/7104647e90ad925bde18a2bd22afc33fa09d2135/vulapps/bind/b4/nsl-bad-diet-svn -------------------------------------------------------------------------------- /vulapps/bind/b4/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # Input: a file named 'testcase' that contains a list of domain names 4 | # 5 | ./nsl-bad testcase 6 | -------------------------------------------------------------------------------- /vulapps/bind/b4/testcase: -------------------------------------------------------------------------------- 1 | testcase.init -------------------------------------------------------------------------------- /vulapps/bind/b4/testcase.exploit: -------------------------------------------------------------------------------- 1 | 
web.aaa.mit.eduweb.aaa.mit.eduweb.aaa.mit.eduweb.aaa.mit.eduweb.aaa.mit.eduweb.aaa.mit.eduweb.aaa.mit.eduweb.aaa.mit.eduweb.aaa.mit.eduweb.aaa.mit.eduweb.aaa.mit.eduweb.aaa.mit.eduweb.aaa.mit.eduweb.aaa.mit.eduweb.aaa.mit.eduweb.aaa.mit.eduweb.aaa.mit.eduweb.aaa.mit.eduweb.aaa.mit.eduweb.aaa.mit.eduweb.aaa.mit.eduweb.aaa.mit.eduweb.aaa.mit.eduweb.aaa.mit.eduweb.aaa.mit.eduweb.aaa.mit.eduweb.aaa.mit.eduweb.aaa.mit.eduweb.aaa.mit.eduweb.aaa.mit.eduweb.aaa.mit.eduweb.aaa.mit.eduweb.aaa.mit.eduweb.aaa.mit.eduweb.aaa.mit.eduweb.aaa.mit.eduweb.aaa.mit.eduweb.aaa.mit.eduweb.aaa.mit.eduweb.aaa.mit.eduweb.aaa.mit.eduweb.aaa.mit.eduweb.aaa.mit.eduweb.aaa.mit.eduweb.aaa.mit.eduweb.aaa.mit.eduweb.aaa.mit.eduweb.aaa.mit.eduweb.aaa.mit.eduweb.aaa.mit.eduweb.aaa.mit.eduweb.aaa.mit.eduweb.aaa.mit.eduweb.aaa.mit.eduweb.aaa.mit.eduweb.aaa.mit.eduweb.aaa.mit.eduweb.aaa.mit.eduweb.aaa.mit.eduweb.aaa.mit.eduweb.aaa.mit.eduweb.aaa.mit.eduweb.aaa.mit.eduweb.aaa.mit.eduweb.aaa.mit.edu 2 | 3 | -------------------------------------------------------------------------------- /vulapps/bind/b4/testcase.init: -------------------------------------------------------------------------------- 1 | web.aaa.mit.edu 2 | 3 | -------------------------------------------------------------------------------- /vulapps/compute-bad-locations.sh: -------------------------------------------------------------------------------- 1 | for m in $(find . 
-name Makefile); do d=$(dirname $m) ; b=$(echo $d/*-diet); echo 1>&2 "Parsing $m"; for f in $(grep -- "\$(DIET).*" $m) ; do if echo $f | grep -q "\.c$" ; then echo 1>&2 " Found source $f"; for l in $(grep -n "/\* *BAD *\*/" $d/$f | cut -f 1 -d ":") ; do echo 1>&2 " Found BUG @ $l"; echo $b $d/$f:$((l+1)) ;done; fi ; done ; done | sed "s/\.\///g" 2 | -------------------------------------------------------------------------------- /vulapps/my-libc.c: -------------------------------------------------------------------------------- 1 | int isdigit(int c) { 2 | return c >= '0' && c <= '9'; 3 | } 4 | 5 | int isspace(int c) { 6 | return c == ' ' || c == '\f' || c == '\n' || c == '\r' || c == '\t' 7 | || c == '\v'; 8 | } 9 | 10 | int isascii(int c) { 11 | return !(c & 0x80); 12 | } 13 | 14 | int strcmp(const char *s1, const char *s2) { 15 | while (*s1 && *s1 == *s2) { 16 | s1++; 17 | s2++; 18 | } 19 | return *s1 - *s2; 20 | } 21 | 22 | char *strchr(const char *s, int c) { 23 | char *p; 24 | for (p = (char *)s; *p; p++) { 25 | if (*p == c) 26 | return p; 27 | } 28 | return 0; 29 | } 30 | 31 | char *strcpy(char *buf, const char *src) { 32 | char *p; 33 | for (p = buf; *src; src++, p++) { 34 | *p = *src; 35 | } 36 | *p = 0; 37 | return buf; 38 | } 39 | 40 | unsigned strlen(const char *s) { 41 | unsigned i; 42 | for (i = 0; *s; s++) 43 | i++; 44 | return i; 45 | } 46 | 47 | char *strcat(char *buf, const char *extra) { 48 | char *p = buf; 49 | p += strlen(p); 50 | strcpy(p, extra); 51 | return buf; 52 | } 53 | 54 | void *memcpy(void *dest, const void *src, unsigned int n) { 55 | unsigned i; 56 | char *d = (char *)dest; 57 | const char *s = (const char *)src; 58 | for (i = 0; i < n; i++) { 59 | d[i] = s[i]; 60 | } 61 | return dest; 62 | } 63 | 64 | char *optarg; 65 | int optind, opterr, optopt; 66 | 67 | static void getopterror(int which) { 68 | static char error1[]="Unknown option `-x'.\n"; 69 | static char error2[]="Missing argument for `-x'.\n"; 70 | if (opterr) { 71 | if 
(which) { 72 | error2[23]=optopt; 73 | write(2,error2,28); 74 | } else { 75 | error1[17]=optopt; 76 | write(2,error1,22); 77 | } 78 | } 79 | } 80 | 81 | int getopt(int argc, char * const argv[], const char *optstring) { 82 | static int lastidx,lastofs; 83 | char *tmp; 84 | if (optind==0) { optind=1; lastidx=0; } /* whoever started setting optind to 0 should be shot */ 85 | again: 86 | if (optind>argc || !argv[optind] || *argv[optind]!='-' || argv[optind][1]==0) 87 | return -1; 88 | if (argv[optind][1]=='-' && argv[optind][2]==0) { 89 | ++optind; 90 | return -1; 91 | } 92 | if (lastidx!=optind) { 93 | lastidx=optind; lastofs=0; 94 | } 95 | optopt=argv[optind][lastofs+1]; 96 | if (optopt != ':' && (tmp=strchr(optstring,optopt))) { 97 | if (*tmp==0) { /* apparently, we looked for \0, i.e. end of argument */ 98 | ++optind; 99 | goto again; 100 | } 101 | if (tmp[1]==':') { /* argument expected */ 102 | if (tmp[2]==':' || argv[optind][lastofs+2]) { /* "-foo", return "oo" as optarg */ 103 | if (!*(optarg=argv[optind]+lastofs+2)) optarg=0; 104 | goto found; 105 | } 106 | optarg=argv[optind+1]; 107 | if (!optarg) { /* missing argument */ 108 | ++optind; 109 | if (*optstring==':') return ':'; 110 | getopterror(1); 111 | return ':'; 112 | } 113 | ++optind; 114 | } else { 115 | ++lastofs; 116 | return optopt; 117 | } 118 | found: 119 | ++optind; 120 | return optopt; 121 | } else { /* not found */ 122 | getopterror(0); 123 | ++optind; 124 | return '?'; 125 | } 126 | } 127 | -------------------------------------------------------------------------------- /vulapps/runAll.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl -w 2 | 3 | use strict; 4 | 5 | my $histDir = "."; 6 | my $sDir = "$histDir/sendmail"; 7 | my $bDir = "$histDir/bind"; 8 | my $fDir = "$histDir/wu-ftpd"; 9 | 10 | 11 | my $log = "$histDir/runAll.out"; 12 | if (-e $log) { 13 | `/bin/rm $log`; 14 | } 15 | 16 | open LF, ">$log" or die; 17 | 18 | # SM1 crackaddr 19 
| &crun ("$sDir/s1", "ca", "< s1.in"); 20 | 21 | # SM2 gecos 22 | &crun ("$sDir/s2", "ge", ""); 23 | 24 | # SM3 mime1 25 | &crun ("$sDir/s3", "m1", "s3.in"); 26 | 27 | # SM4 mime2 28 | &crun ("$sDir/s4", "m2", "s4.in"); 29 | 30 | # SM5 prescan 31 | &crun ("$sDir/s5", "prescan", ""); 32 | 33 | # SM6 34 | &crun ("$sDir/s6", "ttflag", "-d 4294967200-100"); 35 | 36 | # SM7 37 | &crun ("$sDir/s7", "txtdns", ""); 38 | 39 | # BIND1 40 | &crun ("$bDir/b1", "nxt", ""); 41 | 42 | # BIND2 43 | # need to have run the program "create" in this dir fairly recently too.. 44 | &crun ("$bDir/b2", "sig", ""); 45 | 46 | # BIND3 47 | &crun ("$bDir/b3", "iquery", "b3.in"); 48 | 49 | # BIND4 50 | &crun ("$bDir/b4", "nsl", "b4.in"); 51 | 52 | # FTP1 53 | &crun ("$fDir/f1", "mp", "f1.in"); 54 | 55 | # FTP2 56 | # NB: this file must exist.. DOn't move it or change dir structure above it (length of this string is critical) 57 | # this abs filename is 45 chars (46 with \0) which is why MAXPATHLEN is set to 46. 58 | &crun ("$fDir/f2", "obo", "/tmp/foo/bar/foo/bar/foo/bar/foo/bar/abcdefgh"); 59 | 60 | # FTP3 61 | &crun ("$fDir/f3", "rp", "/aaa/aaa/aaa/aaa/aaa/aaa/aaa/aaa/aaa/aa/aaa/aaa/aaa/aaa/aaa/aaa/aaa/aaa/aaa/aaa/aa/aaa/aaa/aaa/aaa/aaa/aaa/aaa/aaa/aaa/aaa/aa/aaa/aaa/aaa/aaa/aaa/aaa/aaa/aaa/aaa/aaa/aa/aaa/aaa/aaa/aaa/aaa/aaa/aaa/aaa/aaa/aaa/aa/aaa/aaa/aaa/aaa/aaa/aaa/aaa/aaa/aaa/aaa/aa/aaa/aaa/aaa/aaa/aaa/aaa/aaa/aaa/aaa/aaa/aa/aaa/aaa/aaa/aaa/aaa/aaa/aaa/aaa/aaa/aaa/aa/aaa/aaa/aaa/aaa/aaa/aaa/aaa/aaa/aaa/aaa/aa/aaa"); 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | sub crun () { 72 | my ($dir, $obj, $args) = @_; 73 | 74 | my $bobj = "$obj-bad"; 75 | my $oobj = "$obj-ok"; 76 | my $ofb = "$bobj.out"; 77 | my $ofo = "$oobj.out"; 78 | &run ("cd $dir; ./$bobj $args > $ofb 2>&1"); 79 | &run ("cd $dir; ./$oobj $args > $ofo 2>&1"); 80 | } 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | sub run () { 90 | my ($commands) = @_; 91 | 92 | print LF "\n\n\n$commands\n\n"; 93 | my $rc; 94 | 95 | 96 | $rc = 
0xffff & system ("$commands"); 97 | 98 | 99 | $rc /= 256; 100 | # seg fault 101 | if ($rc == 139) { 102 | print LF "SEGFAULT\n"; 103 | } 104 | # assert failed 105 | elsif ($rc == 134) { 106 | print LF "ASSERT\n"; 107 | } 108 | elsif ($rc == 0) { 109 | print LF "NORMAL\n"; 110 | } 111 | else { 112 | print LF "UNKNOWN\n"; 113 | } 114 | 115 | return ($rc); 116 | 117 | } 118 | -------------------------------------------------------------------------------- /vulapps/sendmail/s1/2010-11-06.cmd: -------------------------------------------------------------------------------- 1 | ./cfg_fuzzball ./ca-bad -linux-syscalls -trace-iterations -trace-syscalls -trace-assigns-string -trace-stopping -iteration-limit 4000 -coverage-stats -time-stats -stp-path ./stp -check-condition-at 0x08048668:'(R_EBX:reg32_t - 0x08049e7e:reg32_t) >= 30:reg32_t' -zero-memory -fuzz-start-addr 0x08048c28 -symbolic-cstring 0xbffffd14+99 -- ./ca-bad 2 | -------------------------------------------------------------------------------- /vulapps/sendmail/s1/2010-11-07.cmd: -------------------------------------------------------------------------------- 1 | ./cfg_fuzzball ./ca-bad-mylibc -linux-syscalls -trace-iterations -trace-syscalls -trace-assigns-string -trace-stopping -iteration-limit 4000 -coverage-stats -time-stats -stp-path ./stp -check-condition-at 0x0804884d:'(R_EBX:reg32_t - 0x0804a4ce:reg32_t) >= 31:reg32_t' -zero-memory -fuzz-start-addr 0x08048da8 -symbolic-cstring-fulllen 0xbffffd14+40 -cfg s1.cg -target-addr 0x08048c13 -trace-cjmp-heuristic -- ./ca-bad-mylibc 2 | -------------------------------------------------------------------------------- /vulapps/sendmail/s1/Makefile: -------------------------------------------------------------------------------- 1 | DIET = diet 2 | DIET_CFLAGS = 3 | DIET_LDFLAGS = 4 | 5 | all: ca-bad ca-ok 6 | 7 | clean: 8 | rm -f ca-bad ca-ok ca-bad.out ca-ok.out 9 | 10 | ca-bad: crackaddr-bad.c 11 | $(CC) -g -o ca-bad crackaddr-bad.c 12 | 13 | ca-bad-mylibc: 
crackaddr-bad-mylibc.c ../../my-libc.o 14 | $(CC) -g -o $@ crackaddr-bad-mylibc.c ../../my-libc.o 15 | 16 | ca-bad-mylibc-diet: crackaddr-bad-mylibc.c ../../my-libc.c 17 | $(DIET) $(CC) $(DIET_CFLAGS) -g -o $@ crackaddr-bad-mylibc.c ../../my-libc.c $(DIET_LDFLAGS) 18 | 19 | ca-bad-mylibc-strchr-diet: crackaddr-bad-mylibc-strchr.c ../../my-libc.c 20 | $(DIET) $(CC) $(DIET_CFLAGS) -g -o $@ crackaddr-bad-mylibc-strchr.c ../../my-libc.c $(DIET_LDFLAGS) 21 | 22 | ca-ok: crackaddr-ok.c 23 | $(CC) -g -o ca-ok crackaddr-ok.c 24 | 25 | -------------------------------------------------------------------------------- /vulapps/sendmail/s1/ca-bad: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitblaze-fuzzball/d-s-se-directed-tests/7104647e90ad925bde18a2bd22afc33fa09d2135/vulapps/sendmail/s1/ca-bad -------------------------------------------------------------------------------- /vulapps/sendmail/s1/ca-bad-mylibc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitblaze-fuzzball/d-s-se-directed-tests/7104647e90ad925bde18a2bd22afc33fa09d2135/vulapps/sendmail/s1/ca-bad-mylibc -------------------------------------------------------------------------------- /vulapps/sendmail/s1/ca-bad-mylibc-diet-svn: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitblaze-fuzzball/d-s-se-directed-tests/7104647e90ad925bde18a2bd22afc33fa09d2135/vulapps/sendmail/s1/ca-bad-mylibc-diet-svn -------------------------------------------------------------------------------- /vulapps/sendmail/s1/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # Hardcoded Input: a file named 'testcase' that contains sample email entries 4 | # 5 | ./ca-bad 6 | -------------------------------------------------------------------------------- 
/vulapps/sendmail/s1/testcase: -------------------------------------------------------------------------------- 1 | testcase.init -------------------------------------------------------------------------------- /vulapps/sendmail/s1/testcase.exploit: -------------------------------------------------------------------------------- 1 | <><><><><><><><><><><><><><><><><><><><><> 2 | -------------------------------------------------------------------------------- /vulapps/sendmail/s1/testcase.init: -------------------------------------------------------------------------------- 1 | <><><> 2 | -------------------------------------------------------------------------------- /vulapps/sendmail/s2/2010-11-10-guided.cmd: -------------------------------------------------------------------------------- 1 | ./cfg_fuzzball ./ge-bad-diet -linux-syscalls -trace-iterations -trace-syscalls -trace-assigns-string -trace-stopping -iteration-limit 8000 -coverage-stats -time-stats -stp-path ./stp -skip-func-ret 0x08048fdc=10 -skip-func-ret 0x08049012=8 -fuzz-start-addr 0x080487c6 -symbolic-cstring 0x50000108+344 -skip-call-ret 0x08048575=0 -check-condition-at 0x080486aa:'R_EAX:reg32_t > 5:reg32_t' -cfg ../../../cfg/MIT/sendmail/s2/ge-bad-diet.stat.cfg -target-addr 0x080486aa -loop-weight 0x080486d7=344 -- ./ge-bad-diet 2 | -------------------------------------------------------------------------------- /vulapps/sendmail/s2/2010-11-10.cmd: -------------------------------------------------------------------------------- 1 | ./cfg_fuzzball ./ge-bad-diet -linux-syscalls -trace-iterations -trace-syscalls -trace-assigns-string -trace-stopping -iteration-limit 8000 -coverage-stats -time-stats -stp-path ./stp -skip-func-ret 0x08048fdc=10 -skip-func-ret 0x08049012=8 -fuzz-start-addr 0x080487c6 -symbolic-cstring 0x50000108+344 -skip-call-ret 0x08048575=0 -check-condition-at 0x080486aa:'R_EAX:reg32_t > 5:reg32_t' -- ./ge-bad-diet 2 | 
-------------------------------------------------------------------------------- /vulapps/sendmail/s2/Makefile: -------------------------------------------------------------------------------- 1 | DIET = diet 2 | DIET_CFLAGS = 3 | DIET_LDFLAGS = /opt/diet/lib-i386/libcompat.a 4 | 5 | all: ge-bad ge-ok 6 | 7 | clean: 8 | rm -f ge-bad ge-ok ge-bad.out ge-ok.out *.o 9 | 10 | ge-bad: main-bad.c recipient-bad.c util-bad.c mywrapper.c 11 | $(CC) -g -c main-bad.c -I . 12 | $(CC) -g -c recipient-bad.c -I . 13 | $(CC) -g -c util-bad.c -I . 14 | $(CC) -g -c mywrapper.c -I . 15 | ld --wrap getpwent -r -o ge-bad.o main-bad.o recipient-bad.o util-bad.o mywrapper.o 16 | $(CC) ge-bad.o -o ge-bad $(LDFLAGS) 17 | 18 | ge-bad-diet: main-bad.c recipient-bad.c util-bad.c mywrapper.c 19 | $(DIET) $(CC) -g -c main-bad.c -I . 20 | $(DIET) $(CC) -g -c recipient-bad.c -I . 21 | $(DIET) $(CC) -g -c util-bad.c -I . 22 | $(DIET) $(CC) -g -c mywrapper.c -I . 23 | ld --wrap getpwent -r -o ge-bad.o main-bad.o recipient-bad.o util-bad.o mywrapper.o 24 | $(DIET) $(CC) $(DIET_CFLAGS) ge-bad.o -o ge-bad-diet $(DIET_LDFLAGS) 25 | 26 | ge-ok: main-ok.c recipient-ok.c util-ok.c mywrapper.c 27 | $(CC) -g -c main-ok.c -I . 28 | $(CC) -g -c recipient-ok.c -I . 29 | $(CC) -g -c util-ok.c -I . 30 | $(CC) -g -c mywrapper.c -I . 
31 | ld --wrap getpwent -r -o ge-ok.o main-ok.o recipient-ok.o util-ok.o mywrapper.o 32 | $(CC) ge-ok.o -o ge-ok $(LDFLAGS) 33 | 34 | 35 | -------------------------------------------------------------------------------- /vulapps/sendmail/s2/ge-bad-diet-svn: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitblaze-fuzzball/d-s-se-directed-tests/7104647e90ad925bde18a2bd22afc33fa09d2135/vulapps/sendmail/s2/ge-bad-diet-svn -------------------------------------------------------------------------------- /vulapps/sendmail/s2/main-bad.c: -------------------------------------------------------------------------------- 1 | 2 | /* 3 | 4 | MIT Copyright Notice 5 | 6 | Copyright 2003 M.I.T. 7 | 8 | Permission is hereby granted, without written agreement or royalty fee, to use, 9 | copy, modify, and distribute this software and its documentation for any 10 | purpose, provided that the above copyright notice and the following three 11 | paragraphs appear in all copies of this software. 12 | 13 | IN NO EVENT SHALL M.I.T. BE LIABLE TO ANY PARTY FOR DIRECT, INDIRECT, SPECIAL, 14 | INCIDENTAL, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OF THIS SOFTWARE 15 | AND ITS DOCUMENTATION, EVEN IF M.I.T. HAS BEEN ADVISED OF THE POSSIBILITY OF 16 | SUCH DAMANGE. 17 | 18 | M.I.T. SPECIFICALLY DISCLAIMS ANY WARRANTIES INCLUDING, BUT NOT LIMITED TO 19 | THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, 20 | AND NON-INFRINGEMENT. 21 | 22 | THE SOFTWARE IS PROVIDED ON AN "AS-IS" BASIS AND M.I.T. HAS NO OBLIGATION TO 23 | PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS. 24 | 25 | $Author: tleek $ 26 | $Date: 2004/01/05 17:27:42 $ 27 | $Header: /mnt/leo2/cvs/sabo/hist-040105/sendmail/s2/main-bad.c,v 1.1.1.1 2004/01/05 17:27:42 tleek Exp $ 28 | 29 | 30 | 31 | */ 32 | 33 | 34 | /* 35 | 36 | Sendmail Copyright Notice 37 | 38 | 39 | Copyright (c) 1998-2003 Sendmail, Inc. 
and its suppliers. 40 | All rights reserved. 41 | Copyright (c) 1983, 1995-1997 Eric P. Allman. All rights reserved. 42 | Copyright (c) 1988, 1993 43 | The Regents of the University of California. All rights reserved. 44 | 45 | By using this file, you agree to the terms and conditions set 46 | forth in the LICENSE file which can be found at the top level of 47 | the sendmail distribution. 48 | 49 | 50 | $Author: tleek $ 51 | $Date: 2004/01/05 17:27:42 $ 52 | $Header: /mnt/leo2/cvs/sabo/hist-040105/sendmail/s2/main-bad.c,v 1.1.1.1 2004/01/05 17:27:42 tleek Exp $ 53 | 54 | 55 | 56 | */ 57 | 58 | 59 | /* 60 | 61 | 62 | 63 | */ 64 | 65 | 66 | 67 | #include 68 | #include 69 | #include 70 | 71 | int main(){ 72 | 73 | ADDRESS **sendq = NULL; 74 | ADDRESS *ret_address; 75 | int aliaslevel = 0; 76 | 77 | /* allocate single address */ 78 | ADDRESS *a = (ADDRESS *) malloc(sizeof(struct address)); 79 | 80 | a->q_flags = 0x00000000; /* initial flags */ 81 | 82 | a->q_user = "rpc123"; 83 | 84 | ret_address = (ADDRESS *) recipient(a, sendq, aliaslevel); 85 | 86 | printf("Real name of user %s = %s\n", a->q_user, ret_address->q_fullname); 87 | 88 | return 0; 89 | } 90 | 91 | /* 92 | 93 | 94 | 95 | */ 96 | 97 | -------------------------------------------------------------------------------- /vulapps/sendmail/s2/main-ok.c: -------------------------------------------------------------------------------- 1 | 2 | /* 3 | 4 | MIT Copyright Notice 5 | 6 | Copyright 2003 M.I.T. 7 | 8 | Permission is hereby granted, without written agreement or royalty fee, to use, 9 | copy, modify, and distribute this software and its documentation for any 10 | purpose, provided that the above copyright notice and the following three 11 | paragraphs appear in all copies of this software. 12 | 13 | IN NO EVENT SHALL M.I.T. BE LIABLE TO ANY PARTY FOR DIRECT, INDIRECT, SPECIAL, 14 | INCIDENTAL, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OF THIS SOFTWARE 15 | AND ITS DOCUMENTATION, EVEN IF M.I.T. 
HAS BEEN ADVISED OF THE POSSIBILITY OF 16 | SUCH DAMANGE. 17 | 18 | M.I.T. SPECIFICALLY DISCLAIMS ANY WARRANTIES INCLUDING, BUT NOT LIMITED TO 19 | THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, 20 | AND NON-INFRINGEMENT. 21 | 22 | THE SOFTWARE IS PROVIDED ON AN "AS-IS" BASIS AND M.I.T. HAS NO OBLIGATION TO 23 | PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS. 24 | 25 | $Author: tleek $ 26 | $Date: 2004/01/05 17:27:42 $ 27 | $Header: /mnt/leo2/cvs/sabo/hist-040105/sendmail/s2/main-ok.c,v 1.1.1.1 2004/01/05 17:27:42 tleek Exp $ 28 | 29 | 30 | 31 | */ 32 | 33 | 34 | /* 35 | 36 | Sendmail Copyright Notice 37 | 38 | 39 | Copyright (c) 1998-2003 Sendmail, Inc. and its suppliers. 40 | All rights reserved. 41 | Copyright (c) 1983, 1995-1997 Eric P. Allman. All rights reserved. 42 | Copyright (c) 1988, 1993 43 | The Regents of the University of California. All rights reserved. 44 | 45 | By using this file, you agree to the terms and conditions set 46 | forth in the LICENSE file which can be found at the top level of 47 | the sendmail distribution. 
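
$Author: tleek $
$Date: 2004/01/05 17:27:42 $
$Header: /mnt/leo2/cvs/sabo/hist-040105/sendmail/s2/main-ok.c,v 1.1.1.1 2004/01/05 17:27:42 tleek Exp $

*/

/*

*/

#include
#include
#include

/*
 * Driver for the "ok" (patched) variant of the sendmail recipient() test:
 * build one ADDRESS for user "rpc", hand it to recipient() and print the
 * full name it resolved.  The only difference from main-bad.c is the user
 * name ("rpc123" there); the code under test lives in recipient-ok.c /
 * recipient-bad.c, not here.
 *
 * NOTE(review): neither malloc() nor the recipient() result is checked, so
 * an allocation failure or a NULL return dereferences NULL at the printf.
 * Left as is on purpose: this file is linked into the binary under test and
 * changing its code shifts addresses that the fuzzer *.cmd files in these
 * test directories pin.
 */
int main(){

  ADDRESS **sendq = NULL;
  ADDRESS *ret_address;
  int aliaslevel = 0;

  /* allocate single address */
  ADDRESS *a = (ADDRESS *) malloc(sizeof(struct address));

  a->q_flags = 0x00000000; /* initial flags */

  a->q_user = "rpc";

  ret_address = (ADDRESS *) recipient(a, sendq, aliaslevel);

  printf("Real name of user %s = %s\n", a->q_user, ret_address->q_fullname);

  return 0;
}

/*

*/

-------------------------------------------------------------------------------- /vulapps/sendmail/s2/mywrapper.c: --------------------------------------------------------------------------------
#include
#include
#include
#include

/*
 * Replace the pw_name and pw_gecos fields of *pwd with the first two lines
 * of the file FNAME ('testcase', i.e. a copy of testcase.init or
 * testcase.exploit).  This is the taint source of the test: __wrap_getpwent()
 * below routes every getpwent() call through here, so recipient() sees
 * attacker-chosen name/gecos strings.
 *
 * The lines come from getline() and still carry their trailing '\n'; the
 * exploit case depends on the gecos line being very long, so the length is
 * deliberately neither trimmed nor bounded here.
 *
 * Exits the process with status 1 if FNAME cannot be opened.
 */
void
taint_data(char *fname, struct passwd* pwd)
{
  FILE *fp;
  /* getline() takes a size_t *.  The original 'int dummy' only worked on the
   * 32-bit i386/dietlibc target (sizeof(int) == sizeof(size_t)); in a 64-bit
   * build of ge-bad it is undefined behaviour (8-byte store into a 4-byte
   * local). */
  size_t dummy = 0;

  printf ("TAINTED HERE !!\n");

  if (!pwd)
    return;

  /* Open after the pwd check so the early return above cannot leak fp. */
  fp = fopen (fname, "r");

  if (!fp) {
    fprintf (stderr, "Can't find testcase file (%s) with %d lines of tainted input. 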
You should manually 'cp testcase.exploit testcase' or 'cp testcase.init testcase'\n", fname, 2); 19 | exit(1); 20 | } 21 | 22 | pwd->pw_name = NULL; 23 | pwd->pw_gecos = NULL; 24 | getline (&(pwd->pw_name), &dummy, fp); 25 | getline (&(pwd->pw_gecos), &dummy, fp); 26 | } 27 | 28 | 29 | struct passwd * 30 | __wrap_getpwent() 31 | { 32 | struct passwd* ret = __real_getpwent(); 33 | taint_data ("testcase", ret); 34 | return ret; 35 | 36 | } 37 | 38 | 39 | -------------------------------------------------------------------------------- /vulapps/sendmail/s2/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # Hardcoded Input: a file named 'testcase' that contains a sample struct password 4 | # 5 | ./ge-bad 6 | -------------------------------------------------------------------------------- /vulapps/sendmail/s2/testcase: -------------------------------------------------------------------------------- 1 | testcase.init -------------------------------------------------------------------------------- /vulapps/sendmail/s2/testcase.exploit: -------------------------------------------------------------------------------- 1 | root 2 | rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootroot 3 | -------------------------------------------------------------------------------- /vulapps/sendmail/s2/testcase.init: -------------------------------------------------------------------------------- 1 | root 2 | root 3 | -------------------------------------------------------------------------------- /vulapps/sendmail/s3/2010-11-17.cmd: -------------------------------------------------------------------------------- 1 | ./cfg_fuzzball 
./m1-bad-diet -stp-path ./stp -linux-syscalls -trace-syscalls -trace-stopping -coverage-stats -time-stats -trace-iterations -trace-assigns-string -check-condition-at 0x0804831f:'R_EAX:reg32_t - 0xbfffcece:reg32_t >= 50:reg32_t' -fuzz-start-addr 0x08049464 -symbolic-cstring 0x50001008+177 -fuzz-end-addr 0x08048fe2 -cfg ../../../cfg/MIT/sendmail/s3/m1-bad-diet.cfg -target-addr 0x0804831f -loop-pattern 0x08048332 -trace-pattern -finish-on-nonfalse-cond -extra-condition "$(perl -e 'for (0 .. 176) { $op = $_ % 3 ? "<>" : "=="; push @a, "input0_$_:reg8_t $op 10:reg8_t"} ; print join(" & ", @a), "\n"')" -- ./m1-bad-diet testcase.benign 2 | -------------------------------------------------------------------------------- /vulapps/sendmail/s3/Makefile: -------------------------------------------------------------------------------- 1 | DIET = diet 2 | DIET_CFLAGS = 3 | DIET_LDFLAGS = /opt/diet/lib-i386/libcompat.a 4 | 5 | all: m1-bad m1-ok 6 | 7 | clean: 8 | rm -f m1-bad m1-ok m1-bad.out m1-ok.out 9 | 10 | m1-bad: mime1-bad.c main.c 11 | $(CC) -g -o m1-bad mime1-bad.c main.c -I . 12 | 13 | m1-bad-diet: mime1-bad.c main.c 14 | $(DIET) $(CC) -g -o m1-bad-diet mime1-bad.c main.c -I . 15 | 16 | m1-ok: mime1-ok.c main.c 17 | $(CC) -g -o m1-ok mime1-ok.c main.c -I . 18 | 19 | -------------------------------------------------------------------------------- /vulapps/sendmail/s3/m1-bad-diet-svn: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitblaze-fuzzball/d-s-se-directed-tests/7104647e90ad925bde18a2bd22afc33fa09d2135/vulapps/sendmail/s3/m1-bad-diet-svn -------------------------------------------------------------------------------- /vulapps/sendmail/s3/main.c: -------------------------------------------------------------------------------- 1 | 2 | /* 3 | 4 | MIT Copyright Notice 5 | 6 | Copyright 2003 M.I.T. 
7 | 8 | Permission is hereby granted, without written agreement or royalty fee, to use, 9 | copy, modify, and distribute this software and its documentation for any 10 | purpose, provided that the above copyright notice and the following three 11 | paragraphs appear in all copies of this software. 12 | 13 | IN NO EVENT SHALL M.I.T. BE LIABLE TO ANY PARTY FOR DIRECT, INDIRECT, SPECIAL, 14 | INCIDENTAL, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OF THIS SOFTWARE 15 | AND ITS DOCUMENTATION, EVEN IF M.I.T. HAS BEEN ADVISED OF THE POSSIBILITY OF 16 | SUCH DAMANGE. 17 | 18 | M.I.T. SPECIFICALLY DISCLAIMS ANY WARRANTIES INCLUDING, BUT NOT LIMITED TO 19 | THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, 20 | AND NON-INFRINGEMENT. 21 | 22 | THE SOFTWARE IS PROVIDED ON AN "AS-IS" BASIS AND M.I.T. HAS NO OBLIGATION TO 23 | PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS. 24 | 25 | $Author: tleek $ 26 | $Date: 2004/01/05 17:27:43 $ 27 | $Header: /mnt/leo2/cvs/sabo/hist-040105/sendmail/s3/main.c,v 1.1.1.1 2004/01/05 17:27:43 tleek Exp $ 28 | 29 | 30 | 31 | */ 32 | 33 | 34 | /* 35 | 36 | Sendmail Copyright Notice 37 | 38 | 39 | Copyright (c) 1998-2003 Sendmail, Inc. and its suppliers. 40 | All rights reserved. 41 | Copyright (c) 1983, 1995-1997 Eric P. Allman. All rights reserved. 42 | Copyright (c) 1988, 1993 43 | The Regents of the University of California. All rights reserved. 44 | 45 | By using this file, you agree to the terms and conditions set 46 | forth in the LICENSE file which can be found at the top level of 47 | the sendmail distribution. 
48 | 49 | 50 | $Author: tleek $ 51 | $Date: 2004/01/05 17:27:43 $ 52 | $Header: /mnt/leo2/cvs/sabo/hist-040105/sendmail/s3/main.c,v 1.1.1.1 2004/01/05 17:27:43 tleek Exp $ 53 | 54 | 55 | 56 | */ 57 | 58 | 59 | /* 60 | 61 | 62 | 63 | */ 64 | 65 | #include "my-sendmail.h" 66 | #include 67 | /* Driver for the sendmail mime7to8() test (s3): builds one header ("Content-Transfer-Encoding: quoted-printable") and one envelope whose data file is the file named on the command line, then calls mime7to8() on them. The file is the untrusted input; run.sh passes 'testcase' (a copy of testcase.init or testcase.exploit, the latter being a much longer run of "a=" lines). */ 68 | int main(int argc, char **argv){ 69 | 70 | HDR *header; 71 | register ENVELOPE *e; 72 | FILE *temp; 73 | /* NOTE(review): the argument-count and fopen() checks are assert()s, so a build with NDEBUG drops them and a missing or unreadable file reaches mime7to8() as a NULL e_dfp. Kept as is: this file is compiled into the binary under test, and the fuzzer command file for this directory pins code and buffer addresses that may shift if the code changes. */ 74 | assert (argc == 2); 75 | temp = fopen (argv[1], "r"); 76 | assert (temp != NULL); 77 | /* malloc() results in this function are not checked. */ 78 | header = (HDR *) malloc(sizeof(struct header)); 79 | /* The three malloc()ed buffers below (h_field, h_value, e_id) are overwritten by string-literal pointers on the following line and leaked; they are dead stores, not writable buffers for mime7to8(). */ 80 | header->h_field = (char *) malloc(sizeof(char) * 100); 81 | header->h_field = "Content-Transfer-Encoding"; 82 | header->h_value = (char *) malloc(sizeof(char) * 100); 83 | header->h_value = "quoted-printable"; 84 | 85 | e = (ENVELOPE *) malloc(sizeof(struct envelope)); 86 | 87 | e->e_id = (char *) malloc(sizeof(char) * 50); 88 | e->e_id = "First Entry"; 89 | 90 | /* e_dfp is the stream mime7to8() reads; its contents are the attacker-controlled input (presumably decoded as quoted-printable, given h_value -- confirm in mime1-bad.c). */ 91 | e->e_dfp = temp; 92 | mime7to8(header, e); 93 | 94 | fclose(temp); 95 | 96 | return 0; 97 | 98 | } 99 | 100 | /* 101 | 102 | 103 | 104 | */ 105 | 106 | -------------------------------------------------------------------------------- /vulapps/sendmail/s3/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # Input: a textfile named 'testcase' 4 | # 5 | ./m1-bad testcase 6 | -------------------------------------------------------------------------------- /vulapps/sendmail/s3/testcase: -------------------------------------------------------------------------------- 1 | testcase.init -------------------------------------------------------------------------------- /vulapps/sendmail/s3/testcase.benign: -------------------------------------------------------------------------------- 1 | 123456789012345678901234567890 2 | 123456789012345678901234567 3 | 123456789012345678901234567890 4 | 123456789012345678901234567 5 | 123456789012345678901234567890 6 | 123456789012345678901234567 7 | 
-------------------------------------------------------------------------------- /vulapps/sendmail/s3/testcase.exploit: -------------------------------------------------------------------------------- 1 | a= 2 | a= 3 | a= 4 | a= 5 | a= 6 | a= 7 | a= 8 | a= 9 | a= 10 | a= 11 | a= 12 | a= 13 | a= 14 | a= 15 | a= 16 | a= 17 | a= 18 | a= 19 | a= 20 | a= 21 | a= 22 | a= 23 | a= 24 | a= 25 | a= 26 | a= 27 | a= 28 | a= 29 | a= 30 | a= 31 | a= 32 | a= 33 | a= 34 | a= 35 | a= 36 | a= 37 | a= 38 | a= 39 | a= 40 | a= 41 | a= 42 | a= 43 | a= 44 | a= 45 | a= 46 | a= 47 | a= 48 | a= 49 | a= 50 | a= 51 | a= 52 | a= 53 | a= 54 | a= 55 | a= 56 | a= 57 | a= 58 | a= 59 | a= 60 | -------------------------------------------------------------------------------- /vulapps/sendmail/s3/testcase.init: -------------------------------------------------------------------------------- 1 | a= 2 | a= 3 | -------------------------------------------------------------------------------- /vulapps/sendmail/s4/2010-11-12-guided.cmd: -------------------------------------------------------------------------------- 1 | ./cfg_fuzzball ./m2-bad-diet -stp-path ./stp -linux-syscalls -trace-syscalls -trace-stopping -coverage-stats -time-stats -trace-iterations -check-condition-at 0x08048567:'mem[R_EBP:reg32_t - 0x26:reg32_t]:reg32_t <> 0x444f4f47:reg32_t' -fuzz-start-addr 0x08048e34 -symbolic-cstring-fulllen 0x50003008+150 -tracepoint 0x0804824c:'mem[R_EBP:reg32_t - 0x1c:reg32_t]:reg32_t' -cfg ../../../cfg/MIT/sendmail/s4/m2-bad-diet.cfg -target-addr 0x08048567 -- ./m2-bad-diet testcase.benign 2 | -------------------------------------------------------------------------------- /vulapps/sendmail/s4/2010-11-12.cmd: -------------------------------------------------------------------------------- 1 | ./cfg_fuzzball ./m2-bad-diet -stp-path ./stp -linux-syscalls -trace-syscalls -trace-stopping -coverage-stats -time-stats -trace-iterations -check-condition-at 0x08048567:'mem[R_EBP:reg32_t - 0x26:reg32_t]:reg32_t <> 
0x444f4f47:reg32_t' -fuzz-start-addr 0x08048e34 -symbolic-cstring-fulllen 0x50003008+150 -tracepoint 0x0804824c:'mem[R_EBP:reg32_t - 0x1c:reg32_t]:reg32_t' -- ./m2-bad-diet testcase.benign 2 | -------------------------------------------------------------------------------- /vulapps/sendmail/s4/Makefile: -------------------------------------------------------------------------------- 1 | DIET = diet 2 | DIET_CFLAGS = 3 | DIET_LDFLAGS = /opt/diet/lib-i386/libcompat.a 4 | 5 | all: m2-bad m2-ok 6 | 7 | clean: 8 | rm -f m2-bad m2-ok m2-bad.out m2-ok.out 9 | 10 | m2-bad: mime2-bad.c 11 | $(CC) -g -o m2-bad mime2-bad.c -I . 12 | 13 | m2-bad-diet: mime2-bad.c 14 | $(DIET) $(CC) -g -o m2-bad-diet mime2-bad.c -I . 15 | 16 | m2-ok: mime2-ok.c 17 | $(CC) -g -o m2-ok mime2-ok.c -I . 18 | 19 | -------------------------------------------------------------------------------- /vulapps/sendmail/s4/m2-bad-diet-svn: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitblaze-fuzzball/d-s-se-directed-tests/7104647e90ad925bde18a2bd22afc33fa09d2135/vulapps/sendmail/s4/m2-bad-diet-svn -------------------------------------------------------------------------------- /vulapps/sendmail/s4/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # Input: a textfile named 'testcase' 4 | # 5 | ./m2-bad testcase 6 | -------------------------------------------------------------------------------- /vulapps/sendmail/s4/testcase: -------------------------------------------------------------------------------- 1 | testcase.init -------------------------------------------------------------------------------- /vulapps/sendmail/s4/testcase.benign: -------------------------------------------------------------------------------- 1 | aaaaaa 2 | aaaaaaaa 3 | aaaaaaaaaaa 4 | aaaa 5 | aaaaaaaaaa 6 | aaaaaaaaaaa 7 | aaaaaaaa 8 | aaaaaaaaaaaa 9 | aaaaaaaaaaaaa 10 | aaaaaaaaaaaa 11 | aaaaaaaaaaa 
12 | aaaaaaaaa 13 | aaaaaaaaaaaa 14 | aaaaaaaaa 15 | -------------------------------------------------------------------------------- /vulapps/sendmail/s4/testcase.exploit: -------------------------------------------------------------------------------- 1 | aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa -------------------------------------------------------------------------------- /vulapps/sendmail/s4/testcase.init: -------------------------------------------------------------------------------- 1 | aaa -------------------------------------------------------------------------------- /vulapps/sendmail/s5/2010-11-18.cmd: -------------------------------------------------------------------------------- 1 | ./cfg_fuzzball ./prescan-bad-diet -stp-path ./stp -linux-syscalls -trace-syscalls -trace-stopping -coverage-stats -time-stats -trace-iterations -trace-assigns-string -check-condition-at 0x08048269:'R_ESI:reg32_t - 0xbfffcf09:reg32_t > 50:reg32_t' -fuzz-start-addr 0x08048555 -symbolic-cstring-fulllen 0x50000008+110 -finish-on-nonfalse-cond -cfg ../../../cfg/MIT/sendmail/s5/prescan-bad-diet.cfg -target-addr 0x08048269 -loop-pattern 0x0804817a -trace-pattern -- ./prescan-bad-diet |& tee 2010-11-18.out 2 | -------------------------------------------------------------------------------- /vulapps/sendmail/s5/Makefile: -------------------------------------------------------------------------------- 1 | DIET = diet 2 | DIET_CFLAGS = 3 | DIET_LDFLAGS = /opt/diet/lib-i386/libcompat.a 4 | 5 | all: prescan-bad prescan-ok 6 | 7 | clean: 8 | rm -f prescan-bad prescan-ok prescan-bad.out prescan-ok.out 9 | 10 | prescan-bad: prescan-overflow-bad.c 11 | $(CC) -g -o prescan-bad prescan-overflow-bad.c 12 | 13 | prescan-bad-diet: prescan-overflow-bad.c 14 | $(DIET) $(CC) -g -o prescan-bad-diet prescan-overflow-bad.c 15 | 16 | prescan-ok: prescan-overflow-ok.c 17 | $(CC) -g -o prescan-ok prescan-overflow-ok.c 18 | 19 | 20 | 
-------------------------------------------------------------------------------- /vulapps/sendmail/s5/prescan-bad-diet-svn: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitblaze-fuzzball/d-s-se-directed-tests/7104647e90ad925bde18a2bd22afc33fa09d2135/vulapps/sendmail/s5/prescan-bad-diet-svn -------------------------------------------------------------------------------- /vulapps/sendmail/s5/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # Hardcoded Input: a textfile named 'testcase' 4 | # 5 | ./prescan-bad 6 | -------------------------------------------------------------------------------- /vulapps/sendmail/s5/testcase: -------------------------------------------------------------------------------- 1 | testcase.init -------------------------------------------------------------------------------- /vulapps/sendmail/s5/testcase.exploit: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitblaze-fuzzball/d-s-se-directed-tests/7104647e90ad925bde18a2bd22afc33fa09d2135/vulapps/sendmail/s5/testcase.exploit -------------------------------------------------------------------------------- /vulapps/sendmail/s5/testcase.init: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitblaze-fuzzball/d-s-se-directed-tests/7104647e90ad925bde18a2bd22afc33fa09d2135/vulapps/sendmail/s5/testcase.init -------------------------------------------------------------------------------- /vulapps/sendmail/s6/2010-10-23.cmd: -------------------------------------------------------------------------------- 1 | ./fuzzball ./ttflag-bad-mylibc -linux-syscalls -check-condition-at 0x080489aa:'R_EAX:reg32_t >= 100:reg32_t' -stp-path ./stp -trace-iterations -trace-syscalls -fuzz-start-addr 0x080486f4 -skip-call-addr 0x08048608=10 -symbolic-cstring 
0x0804a170+15 -trace-assigns-string -trace-stopping -fuzz-end-addr 0x080489c9 -iteration-limit 4000 -coverage-stats -time-stats -trace-binary-paths-bracketed -save-decision-tree-interval 3600 -- ttflag-bad-mylibc 2 | -------------------------------------------------------------------------------- /vulapps/sendmail/s6/2010-11-04.cmd: -------------------------------------------------------------------------------- 1 | ./cfg_fuzzball ./ttflag-bad-mylibc -linux-syscalls -check-condition-at 0x080489aa:'R_EAX:reg32_t >= 100:reg32_t' -stp-path ./stp -trace-iterations -trace-syscalls -fuzz-start-addr 0x080486f4 -skip-call-addr 0x08048608=10 -symbolic-cstring 0x0804a170+15 -trace-assigns-string -trace-stopping -iteration-limit 4000 -coverage-stats -time-stats -cfg s6.cg -target-addr 0x080489a1 -loop-weight 0x80488c0=20.0 -loop-weight 0x80488ce=20.0 -- ttflag-bad-mylibc 2 | -------------------------------------------------------------------------------- /vulapps/sendmail/s6/2010-11-12-hand-guide.cmd: -------------------------------------------------------------------------------- 1 | ./cfg_fuzzball ./ttflag-bad-mylibc-diet -linux-syscalls -check-condition-at 0x080483d9:'R_EAX:reg32_t >= 100:reg32_t' -stp-path ./stp -trace-iterations -trace-syscalls -trace-assigns-string -trace-stopping -iteration-limit 4000 -coverage-stats -time-stats -fuzz-start-addr 0x08048254 -skip-func-ret 0x08049008=10 -symbolic-cstring 0x50002008+15 -cfg ../../../cfg/MIT/sendmail/s6/ttflag-bad-mylibc-diet.cfg -loop-weight 0x80482f0=100.0 -loop-weight 0x080482fe=100.0 -target-addr 0x080483dd -- ./ttflag-bad-mylibc-diet 2 | -------------------------------------------------------------------------------- /vulapps/sendmail/s6/2010-11-12-warn-guide.cmd: -------------------------------------------------------------------------------- 1 | ./cfg_fuzzball ./ttflag-bad-mylibc-diet -linux-syscalls -check-condition-at 0x080483d9:'R_EAX:reg32_t >= 100:reg32_t' -stp-path ./stp -trace-iterations -trace-syscalls 
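-trace-assigns-string -trace-stopping -iteration-limit 4000 -coverage-stats -time-stats -fuzz-start-addr 0x08048254 -skip-func-ret 0x08049008=10 -symbolic-cstring 0x50002008+20 -cfg ../../../cfg/MIT/sendmail/s6/ttflag-bad-mylibc-diet.cfg -warn-file ../../../cfg/MIT/sendmail/s6/ttflag-bad-mylibc-diet.slice -target-addr 0x080483dd -- ./ttflag-bad-mylibc-diet 2 | -------------------------------------------------------------------------------- /vulapps/sendmail/s6/2010-11-12.cmd: -------------------------------------------------------------------------------- 1 | ./cfg_fuzzball ./ttflag-bad-mylibc-diet -linux-syscalls -check-condition-at 0x080483d9:'R_EAX:reg32_t >= 100:reg32_t' -stp-path ./stp -trace-iterations -trace-syscalls -trace-assigns-string -trace-stopping -iteration-limit 4000 -coverage-stats -time-stats -fuzz-start-addr 0x08048254 -skip-func-ret 0x08049008=10 -symbolic-cstring 0x50002008+15 -- ./ttflag-bad-mylibc-diet 2 | -------------------------------------------------------------------------------- /vulapps/sendmail/s6/Makefile: --------------------------------------------------------------------------------
# Builds the sendmail tTflag test (s6).  The glibc builds (ttflag-bad,
# ttflag-ok, ttflag-bad-mylibc) are what run.sh executes; the dietlibc build
# (ttflag-bad-mylibc-diet) is the binary the *.cmd fuzzer command files in
# this directory drive.  The committed *-diet-svn binary and the addresses
# pinned in those command files correspond to one specific build, so do not
# add or change compiler flags in the recipes without regenerating both.
DIET = diet
# Typo fixed: "-fno-omit-frame-prointer" is not a gcc option and makes gcc
# fail with "unrecognized command-line option".  DIET_CFLAGS is defined but
# not referenced by any recipe below (unlike the s2 and s7 Makefiles), so the
# typo was dormant; it is corrected here without wiring the variable in.
DIET_CFLAGS = -g -fno-jump-tables -fno-omit-frame-pointer -O2
DIET_LDFLAGS = /opt/diet/lib-i386/libcompat.a

all: ttflag-bad ttflag-ok ttflag-bad-mylibc

# Note: ttflag-bad-mylibc and ttflag-bad-mylibc-diet are not removed here;
# both exist as committed artifacts alongside this Makefile.
clean:
	rm -f ttflag-bad ttflag-ok ttflag-bad.out ttflag-ok.out

# mymain.c is compiled into every target but was missing from every
# prerequisite list, so editing it did not trigger a rebuild.
ttflag-bad: my-main.c mymain.c tTflag-bad.c
	$(CC) -g -o ttflag-bad my-main.c mymain.c tTflag-bad.c -I . $(LDFLAGS)

ttflag-ok: my-main.c mymain.c tTflag-ok.c
	$(CC) -g -o ttflag-ok my-main.c mymain.c tTflag-ok.c -I . $(LDFLAGS)

ttflag-bad-mylibc: my-main.c mymain.c tTflag-bad-mylibc.c ../../my-libc.o
	$(CC) -g -o ttflag-bad-mylibc my-main.c mymain.c tTflag-bad-mylibc.c -I . ../../my-libc.o $(LDFLAGS)

ttflag-bad-mylibc-diet: my-main.c mymain.c tTflag-bad-mylibc.c ../../my-libc.c
	$(DIET) $(CC) -g -o ttflag-bad-mylibc-diet my-main.c mymain.c tTflag-bad-mylibc.c -I . 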
../../my-libc.c $(DIET_LDFLAGS) 21 | 22 | 23 | 24 | -------------------------------------------------------------------------------- /vulapps/sendmail/s6/my-main.c: -------------------------------------------------------------------------------- 1 | 2 | /* 3 | 4 | MIT Copyright Notice 5 | 6 | Copyright 2003 M.I.T. 7 | 8 | Permission is hereby granted, without written agreement or royalty fee, to use, 9 | copy, modify, and distribute this software and its documentation for any 10 | purpose, provided that the above copyright notice and the following three 11 | paragraphs appear in all copies of this software. 12 | 13 | IN NO EVENT SHALL M.I.T. BE LIABLE TO ANY PARTY FOR DIRECT, INDIRECT, SPECIAL, 14 | INCIDENTAL, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OF THIS SOFTWARE 15 | AND ITS DOCUMENTATION, EVEN IF M.I.T. HAS BEEN ADVISED OF THE POSSIBILITY OF 16 | SUCH DAMANGE. 17 | 18 | M.I.T. SPECIFICALLY DISCLAIMS ANY WARRANTIES INCLUDING, BUT NOT LIMITED TO 19 | THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, 20 | AND NON-INFRINGEMENT. 21 | 22 | THE SOFTWARE IS PROVIDED ON AN "AS-IS" BASIS AND M.I.T. HAS NO OBLIGATION TO 23 | PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS. 24 | 25 | $Author: tleek $ 26 | $Date: 2004/01/05 17:27:45 $ 27 | $Header: /mnt/leo2/cvs/sabo/hist-040105/sendmail/s6/my-main.c,v 1.1.1.1 2004/01/05 17:27:45 tleek Exp $ 28 | 29 | 30 | 31 | */ 32 | 33 | 34 | /* 35 | 36 | Sendmail Copyright Notice 37 | 38 | 39 | Copyright (c) 1998-2003 Sendmail, Inc. and its suppliers. 40 | All rights reserved. 41 | Copyright (c) 1983, 1995-1997 Eric P. Allman. All rights reserved. 42 | Copyright (c) 1988, 1993 43 | The Regents of the University of California. All rights reserved. 44 | 45 | By using this file, you agree to the terms and conditions set 46 | forth in the LICENSE file which can be found at the top level of 47 | the sendmail distribution. 
48 | 49 | 50 | $Author: tleek $ 51 | $Date: 2004/01/05 17:27:45 $ 52 | $Header: /mnt/leo2/cvs/sabo/hist-040105/sendmail/s6/my-main.c,v 1.1.1.1 2004/01/05 17:27:45 tleek Exp $ 53 | 54 | 55 | 56 | */ 57 | 58 | 59 | /* 60 | 61 | 62 | 63 | */ 64 | 65 | #include 66 | #include 67 | #include 68 | #include 69 | #include 70 | #include 71 | #include 72 | /* getopt() option string taken from sendmail's main(); only 'd', 'G', 'L' and 'U' are handled below, every other option is accepted and ignored. */ 73 | #define OPTIONS "B:b:C:cd:e:F:f:Gh:IiL:M:mN:nO:o:p:q:R:r:sTtUV:vX:" 74 | /* Size of the trace vector handed to tTsetup().  The *.cmd fuzzer command files for this directory check for a register value >= 100 at their target address -- presumably an index into this vector; confirm against tTflag-bad.c. */ 75 | #define LEN 100 76 | unsigned char tTdvect[LEN]; 77 | 78 | /* Test entry point, called from mymain.c's main(): initialise the trace vector, then parse ARGV with getopt() and pass the argument of every -d option (except the literal "ANSI") to tTflag(), the function under test.  Always returns 0.  tTsetup()/tTflag() come from tTflag-bad.c, tTflag-ok.c or tTflag-bad-mylibc.c depending on the Makefile target; the "0-99.1" flag string's format is defined there. */ 79 | int 80 | myfoo(argc, argv) 81 | int argc; 82 | char **argv; 83 | { 84 | int j; 85 | 86 | tTsetup(tTdvect, LEN, "0-99.1"); 87 | 88 | while ((j = getopt(argc, argv, OPTIONS)) != -1) 89 | { 90 | switch (j) 91 | { 92 | case 'd': 93 | /* hack attack -- see if should use ANSI mode */ 94 | if (strcmp(optarg, "ANSI") == 0) 95 | { 96 | break; 97 | } 98 | /* optarg is the attacker-controlled value: mymain.c reads it from the 'testcase' file (testcase.init: "-d aaaaaaaaaa-2", testcase.exploit: "-d 4222222222-2").  Because each line arrives as a single argv element, optarg is the remainder of that element after "-d", leading space and trailing newline included. */ tTflag(optarg); 99 | setbuf(stdout, (char *) NULL); 100 | break; 101 | 102 | case 'G': /* relay (gateway) submission */ 103 | break; 104 | 105 | case 'L': 106 | break; 107 | 108 | case 'U': /* initial (user) submission */ 109 | break; 110 | } 111 | } 112 | 113 | 114 | return 0; 115 | 116 | 117 | } 118 | 119 | /* 120 | 121 | 122 | 123 | */ 124 | 125 | -------------------------------------------------------------------------------- /vulapps/sendmail/s6/mymain.c: -------------------------------------------------------------------------------- 1 | #define _GNU_SOURCE 2 | #include 3 | #include 4 | 5 | int myfoo(int argc, char **argv); 6 | /* Harness main: read the first two lines of the file 'testcase' (a copy of testcase.init or testcase.exploit) and hand them to myfoo() as argv[1] and argv[2].  Exits with status 1 if the file cannot be opened; otherwise returns myfoo()'s result.  NOTE(review): argv has no terminating NULL element, although argv[argc] is NULL for a real main (glibc's getopt appears bounded by argc, but a 4-element array with argv[3] = NULL would match the C guarantee -- verify); 'dummy' is uninitialised, which only works because getline() allocates when *lineptr is NULL; the getline() return values are unchecked, so a one-line testcase leaves argv[2] as whatever getline() produced at EOF; each line keeps its trailing '\n', which therefore ends up inside optarg; fp is never closed.  Left unchanged because this file is linked into the binaries whose addresses the *.cmd files pin. */ 7 | int main() { 8 | char* argv[3]; 9 | char* name = "myfoo"; 10 | size_t dummy; 11 | 12 | FILE * fp = fopen ("testcase", "r"); 13 | if (!fp) { 14 | fprintf (stderr, "Could not find a testfile\n"); 15 | exit(1); 16 | } 17 | argv[0] = name; 18 | argv[1] = NULL; 19 | argv[2] = NULL; 20 | 21 | getline(&(argv[1]), &dummy, fp); 22 | getline(&(argv[2]), &dummy, fp); 23 | 24 | return (myfoo(3, argv)); 25 | } 26 | --------------------------------------------------------------------------------
/vulapps/sendmail/s6/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # Hardcoded input: a file named 'testcase' holding one line. '-d aaaaaaaaaa-2' (testcase.init) is the initial benign input and '-d 4222222222-2' (testcase.exploit) is the exploit input; copy one of them over 'testcase' before running. 4 | # 5 | ./ttflag-bad 6 | -------------------------------------------------------------------------------- /vulapps/sendmail/s6/sendmail.h: -------------------------------------------------------------------------------- 1 | 2 | /* 3 | 4 | MIT Copyright Notice 5 | 6 | Copyright 2003 M.I.T. 7 | 8 | Permission is hereby granted, without written agreement or royalty fee, to use, 9 | copy, modify, and distribute this software and its documentation for any 10 | purpose, provided that the above copyright notice and the following three 11 | paragraphs appear in all copies of this software. 12 | 13 | IN NO EVENT SHALL M.I.T. BE LIABLE TO ANY PARTY FOR DIRECT, INDIRECT, SPECIAL, 14 | INCIDENTAL, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OF THIS SOFTWARE 15 | AND ITS DOCUMENTATION, EVEN IF M.I.T. HAS BEEN ADVISED OF THE POSSIBILITY OF 16 | SUCH DAMANGE. 17 | 18 | M.I.T. SPECIFICALLY DISCLAIMS ANY WARRANTIES INCLUDING, BUT NOT LIMITED TO 19 | THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, 20 | AND NON-INFRINGEMENT. 21 | 22 | THE SOFTWARE IS PROVIDED ON AN "AS-IS" BASIS AND M.I.T. HAS NO OBLIGATION TO 23 | PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS. 24 | 25 | $Author: tleek $ 26 | $Date: 2004/01/05 17:27:46 $ 27 | $Header: /mnt/leo2/cvs/sabo/hist-040105/sendmail/s6/sendmail.h,v 1.1.1.1 2004/01/05 17:27:46 tleek Exp $ 28 | 29 | 30 | 31 | */ 32 | 33 | 34 | /* 35 | 36 | Sendmail Copyright Notice 37 | 38 | 39 | Copyright (c) 1998-2003 Sendmail, Inc. and its suppliers. 40 | All rights reserved. 41 | Copyright (c) 1983, 1995-1997 Eric P. Allman. All rights reserved. 
42 | Copyright (c) 1988, 1993 43 | The Regents of the University of California. All rights reserved. 44 | 45 | By using this file, you agree to the terms and conditions set 46 | forth in the LICENSE file which can be found at the top level of 47 | the sendmail distribution. 48 | 49 | 50 | $Author: tleek $ 51 | $Date: 2004/01/05 17:27:46 $ 52 | $Header: /mnt/leo2/cvs/sabo/hist-040105/sendmail/s6/sendmail.h,v 1.1.1.1 2004/01/05 17:27:46 tleek Exp $ 53 | 54 | 55 | 56 | */ 57 | 58 | 59 | /* 60 | 61 | 62 | 63 | */ 64 | 65 | typedef unsigned char u_char; 66 | typedef unsigned int u_int; 67 | typedef unsigned long u_long; 68 | typedef unsigned short u_short; 69 | 70 | extern u_char tTdvect[]; /* trace vector */ 71 | 72 | extern void tTflag __P((char *)); 73 | extern void tTsetup __P((u_char *, int, char *)); 74 | 75 | /* 76 | 77 | 78 | 79 | */ 80 | 81 | -------------------------------------------------------------------------------- /vulapps/sendmail/s6/testcase: -------------------------------------------------------------------------------- 1 | testcase.init -------------------------------------------------------------------------------- /vulapps/sendmail/s6/testcase.exploit: -------------------------------------------------------------------------------- 1 | -d 4222222222-2 -------------------------------------------------------------------------------- /vulapps/sendmail/s6/testcase.init: -------------------------------------------------------------------------------- 1 | -d aaaaaaaaaa-2 -------------------------------------------------------------------------------- /vulapps/sendmail/s6/ttflag-bad: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitblaze-fuzzball/d-s-se-directed-tests/7104647e90ad925bde18a2bd22afc33fa09d2135/vulapps/sendmail/s6/ttflag-bad -------------------------------------------------------------------------------- /vulapps/sendmail/s6/ttflag-bad-mylibc: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitblaze-fuzzball/d-s-se-directed-tests/7104647e90ad925bde18a2bd22afc33fa09d2135/vulapps/sendmail/s6/ttflag-bad-mylibc -------------------------------------------------------------------------------- /vulapps/sendmail/s6/ttflag-bad-mylibc-diet-svn: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitblaze-fuzzball/d-s-se-directed-tests/7104647e90ad925bde18a2bd22afc33fa09d2135/vulapps/sendmail/s6/ttflag-bad-mylibc-diet-svn -------------------------------------------------------------------------------- /vulapps/sendmail/s7/2010-11-14-hand-guide.cmd: -------------------------------------------------------------------------------- 1 | ./cfg_fuzzball ./txtdns-bad-diet -stp-path ./stp -linux-syscalls -trace-syscalls -trace-stopping -coverage-stats -time-stats -trace-iterations -trace-assigns-string -check-condition-at 0x08048777:'R_EDX:reg32_t > 30:reg32_t' -fuzz-start-addr 0x08048893 -symbolic-cstring 0xbffff950+52 -zero-memory -iteration-limit 200 -cfg ../../../cfg/MIT/sendmail/s7/txtdns-bad-diet.cfg -target-addr 0x08048777 -skip-call-ret-symbol 0x08048ca2=malloc -- ./txtdns-bad-diet 2 | -------------------------------------------------------------------------------- /vulapps/sendmail/s7/2010-11-14.cmd: -------------------------------------------------------------------------------- 1 | ./cfg_fuzzball ./txtdns-bad-diet -stp-path ./stp -linux-syscalls -trace-syscalls -trace-stopping -coverage-stats -time-stats -trace-iterations -trace-assigns-string -check-condition-at 0x08048777:'R_EDX:reg32_t > 30:reg32_t' -fuzz-start-addr 0x08048893 -symbolic-cstring 0xbffff950+52 -zero-memory -iteration-limit 200 -- ./txtdns-bad-diet 2 | -------------------------------------------------------------------------------- /vulapps/sendmail/s7/Makefile: 
-------------------------------------------------------------------------------- 1 | DIET = diet 2 | DIET_CFLAGS = -DDIETLIBC -g -fno-jump-tables 3 | DIET_LDFLAGS = /opt/diet/lib-i386/libcompat.a 4 | 5 | all: txtdns-bad txtdns-ok 6 | 7 | clean: 8 | rm -f txtdns-bad txtdns-ok txtdns-bad.out txtdns-ok.out 9 | 10 | txtdns-bad: txt-dns-file-bad.c my-util.c 11 | $(CC) -o txtdns-bad txt-dns-file-bad.c my-util.c -I . -lresolv 12 | 13 | txtdns-bad-diet: txt-dns-file-bad.c my-util.c 14 | $(DIET) $(CC) $(DIET_CFLAGS) -o txtdns-bad-diet txt-dns-file-bad.c my-util.c -I . 15 | 16 | txtdns-ok: txt-dns-file-ok.c my-util.c 17 | $(CC) -o txtdns-ok txt-dns-file-ok.c my-util.c -I . -lresolv 18 | -------------------------------------------------------------------------------- /vulapps/sendmail/s7/create-dns-file.c: -------------------------------------------------------------------------------- 1 | 2 | /* 3 | 4 | MIT Copyright Notice 5 | 6 | Copyright 2003 M.I.T. 7 | 8 | Permission is hereby granted, without written agreement or royalty fee, to use, 9 | copy, modify, and distribute this software and its documentation for any 10 | purpose, provided that the above copyright notice and the following three 11 | paragraphs appear in all copies of this software. 12 | 13 | IN NO EVENT SHALL M.I.T. BE LIABLE TO ANY PARTY FOR DIRECT, INDIRECT, SPECIAL, 14 | INCIDENTAL, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OF THIS SOFTWARE 15 | AND ITS DOCUMENTATION, EVEN IF M.I.T. HAS BEEN ADVISED OF THE POSSIBILITY OF 16 | SUCH DAMANGE. 17 | 18 | M.I.T. SPECIFICALLY DISCLAIMS ANY WARRANTIES INCLUDING, BUT NOT LIMITED TO 19 | THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, 20 | AND NON-INFRINGEMENT. 21 | 22 | THE SOFTWARE IS PROVIDED ON AN "AS-IS" BASIS AND M.I.T. HAS NO OBLIGATION TO 23 | PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS. 
24 | 25 | $Author: tleek $ 26 | $Date: 2004/01/05 17:27:47 $ 27 | $Header: /mnt/leo2/cvs/sabo/hist-040105/sendmail/s7/create-dns-file.c,v 1.1.1.1 2004/01/05 17:27:47 tleek Exp $ 28 | 29 | 30 | 31 | */ 32 | 33 | 34 | /* 35 | 36 | Sendmail Copyright Notice 37 | 38 | 39 | Copyright (c) 1998-2003 Sendmail, Inc. and its suppliers. 40 | All rights reserved. 41 | Copyright (c) 1983, 1995-1997 Eric P. Allman. All rights reserved. 42 | Copyright (c) 1988, 1993 43 | The Regents of the University of California. All rights reserved. 44 | 45 | By using this file, you agree to the terms and conditions set 46 | forth in the LICENSE file which can be found at the top level of 47 | the sendmail distribution. 48 | 49 | 50 | $Author: tleek $ 51 | $Date: 2004/01/05 17:27:47 $ 52 | $Header: /mnt/leo2/cvs/sabo/hist-040105/sendmail/s7/create-dns-file.c,v 1.1.1.1 2004/01/05 17:27:47 tleek Exp $ 53 | 54 | 55 | 56 | */ 57 | 58 | 59 | /* 60 | 61 | 62 | 63 | */ 64 | 65 | #include 66 | #include 67 | #include 68 | #include 69 | #include 70 | 71 | int create_dns_file(){ 72 | 73 | FILE *f; 74 | unsigned char buf[200]; 75 | unsigned char *p; 76 | unsigned char *temp; 77 | int i, type, len; 78 | 79 | strcat(buf,"HEADER JUNK:"); 80 | strcat(buf,"LL.MIT.EDU"); 81 | i = len = strlen(buf); 82 | p = buf + i; 83 | 84 | *p++ = 0; 85 | *p++ = 16; /* type = T_TXT = 16 */ 86 | *p++ = 0; 87 | *p++ = 1; /* class = C_IN or 1 */ 88 | 89 | p = buf + i + 4; 90 | len += 4; 91 | 92 | temp = "BLAH.MIT.EDU"; 93 | 94 | strcpy(p, temp); 95 | 96 | i = strlen(temp); 97 | p += i; 98 | len += i; 99 | 100 | *p++ = 0; 101 | *p++ = 16; /* T_TXT type */ 102 | 103 | *p++ = 0; 104 | *p++ = 1; /* C_IN class */ 105 | 106 | *p++ = 0; 107 | *p++ = 0; 108 | *p++ = 0; 109 | *p++ = 255; /* ttl = 255 */ 110 | 111 | *p++ = 0; 112 | *p++ = 20; /* size = 20 */ 113 | *p++ = 30; /* txtlen = 30... 
this is bad: txtlen should be < size */ 114 | 115 | len += 11; 116 | 117 | strcat(p,"This is random junk in the TXT record that will overflow (*rr)->rr_u.rr_txt"); 118 | 119 | f = fopen("dns-file", "w"); 120 | 121 | p = buf; 122 | for(i=0; i 132 | 133 | */ 134 | 135 | -------------------------------------------------------------------------------- /vulapps/sendmail/s7/my-util.c: -------------------------------------------------------------------------------- 1 | 2 | /* 3 | 4 | MIT Copyright Notice 5 | 6 | Copyright 2003 M.I.T. 7 | 8 | Permission is hereby granted, without written agreement or royalty fee, to use, 9 | copy, modify, and distribute this software and its documentation for any 10 | purpose, provided that the above copyright notice and the following three 11 | paragraphs appear in all copies of this software. 12 | 13 | IN NO EVENT SHALL M.I.T. BE LIABLE TO ANY PARTY FOR DIRECT, INDIRECT, SPECIAL, 14 | INCIDENTAL, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OF THIS SOFTWARE 15 | AND ITS DOCUMENTATION, EVEN IF M.I.T. HAS BEEN ADVISED OF THE POSSIBILITY OF 16 | SUCH DAMANGE. 17 | 18 | M.I.T. SPECIFICALLY DISCLAIMS ANY WARRANTIES INCLUDING, BUT NOT LIMITED TO 19 | THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, 20 | AND NON-INFRINGEMENT. 21 | 22 | THE SOFTWARE IS PROVIDED ON AN "AS-IS" BASIS AND M.I.T. HAS NO OBLIGATION TO 23 | PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS. 24 | 25 | $Author: tleek $ 26 | $Date: 2004/01/05 17:27:47 $ 27 | $Header: /mnt/leo2/cvs/sabo/hist-040105/sendmail/s7/my-util.c,v 1.1.1.1 2004/01/05 17:27:47 tleek Exp $ 28 | 29 | 30 | 31 | */ 32 | 33 | 34 | /* 35 | 36 | Sendmail Copyright Notice 37 | 38 | 39 | Copyright (c) 1998-2003 Sendmail, Inc. and its suppliers. 40 | All rights reserved. 41 | Copyright (c) 1983, 1995-1997 Eric P. Allman. All rights reserved. 42 | Copyright (c) 1988, 1993 43 | The Regents of the University of California. All rights reserved. 
44 | 45 | By using this file, you agree to the terms and conditions set 46 | forth in the LICENSE file which can be found at the top level of 47 | the sendmail distribution. 48 | 49 | 50 | $Author: tleek $ 51 | $Date: 2004/01/05 17:27:47 $ 52 | $Header: /mnt/leo2/cvs/sabo/hist-040105/sendmail/s7/my-util.c,v 1.1.1.1 2004/01/05 17:27:47 tleek Exp $ 53 | 54 | 55 | 56 | */ 57 | 58 | 59 | /* 60 | 61 | 62 | 63 | */ 64 | 65 | #include "txt-dns.h" 66 | #include 67 | #include 68 | #include 69 | #include 70 | #include 71 | 72 | /* 73 | ** XALLOC -- Allocate memory on heap ** ** Parameters: ** sz -- number of bytes to allocate; must be > 0 (the zero-size case is rejected below because some systems can't handle it). ** Returns: ** a non-NULL pointer to the new block, which the caller owns. ** Note: both the size check and the malloc() failure check are assert()s, so in a build with NDEBUG defined they vanish and a NULL from malloc() would be returned to the caller unchecked. 74 | */ 75 | 76 | void *xalloc(size_t sz) { 77 | void *p; 78 | 79 | /* some systems can't handle size zero mallocs */ 80 | assert(sz>0); 81 | 82 | p = (void *) malloc(sz); 83 | assert (p!=NULL); /* the only failure handling; compiled out under NDEBUG */ 84 | 85 | return (p); 86 | } 87 | 88 | 89 | 90 | /* 91 | * Copy src to string dst of size siz. At most siz-1 characters 92 | * will be copied. Always NUL terminates (unless siz == 0). 93 | * Returns strlen(src); if retval >= siz, truncation occurred. 
94 | */ 95 | size_t 96 | strlcpy(char *dst, const char *src, size_t siz) 97 | { 98 | register char *d = dst; 99 | register const char *s = src; 100 | register size_t n = siz; 101 | 102 | /* Copy as many bytes as will fit */ 103 | if (n != 0 && --n != 0) { 104 | do { 105 | if ((*d++ = *s++) == 0) 106 | break; 107 | } while (--n != 0); 108 | } 109 | 110 | /* Not enough room in dst, add NUL and traverse rest of src */ 111 | if (n == 0) { 112 | if (siz != 0) 113 | *d = '\0'; /* NUL-terminate dst */ 114 | while (*s++) 115 | ; 116 | } 117 | 118 | return(s - src - 1); /* count does not include NUL */ 119 | } 120 | 121 | /* 122 | 123 | 124 | 125 | */ 126 | 127 | -------------------------------------------------------------------------------- /vulapps/sendmail/s7/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # Hardcoded Input: a file named 'testcase' that contains DNS Response packet 4 | # 5 | ./txtdns-bad 6 | -------------------------------------------------------------------------------- /vulapps/sendmail/s7/testcase: -------------------------------------------------------------------------------- 1 | testcase.init -------------------------------------------------------------------------------- /vulapps/sendmail/s7/testcase.exploit: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitblaze-fuzzball/d-s-se-directed-tests/7104647e90ad925bde18a2bd22afc33fa09d2135/vulapps/sendmail/s7/testcase.exploit -------------------------------------------------------------------------------- /vulapps/sendmail/s7/testcase.exploit2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitblaze-fuzzball/d-s-se-directed-tests/7104647e90ad925bde18a2bd22afc33fa09d2135/vulapps/sendmail/s7/testcase.exploit2 -------------------------------------------------------------------------------- 
/vulapps/sendmail/s7/testcase.init: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitblaze-fuzzball/d-s-se-directed-tests/7104647e90ad925bde18a2bd22afc33fa09d2135/vulapps/sendmail/s7/testcase.init -------------------------------------------------------------------------------- /vulapps/sendmail/s7/txt-dns.h: -------------------------------------------------------------------------------- 1 | 2 | /* 3 | 4 | MIT Copyright Notice 5 | 6 | Copyright 2003 M.I.T. 7 | 8 | Permission is hereby granted, without written agreement or royalty fee, to use, 9 | copy, modify, and distribute this software and its documentation for any 10 | purpose, provided that the above copyright notice and the following three 11 | paragraphs appear in all copies of this software. 12 | 13 | IN NO EVENT SHALL M.I.T. BE LIABLE TO ANY PARTY FOR DIRECT, INDIRECT, SPECIAL, 14 | INCIDENTAL, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OF THIS SOFTWARE 15 | AND ITS DOCUMENTATION, EVEN IF M.I.T. HAS BEEN ADVISED OF THE POSSIBILITY OF 16 | SUCH DAMANGE. 17 | 18 | M.I.T. SPECIFICALLY DISCLAIMS ANY WARRANTIES INCLUDING, BUT NOT LIMITED TO 19 | THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, 20 | AND NON-INFRINGEMENT. 21 | 22 | THE SOFTWARE IS PROVIDED ON AN "AS-IS" BASIS AND M.I.T. HAS NO OBLIGATION TO 23 | PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS. 24 | 25 | $Author: tleek $ 26 | $Date: 2004/01/05 17:27:47 $ 27 | $Header: /mnt/leo2/cvs/sabo/hist-040105/sendmail/s7/txt-dns.h,v 1.1.1.1 2004/01/05 17:27:47 tleek Exp $ 28 | 29 | 30 | 31 | */ 32 | 33 | 34 | /* 35 | 36 | Sendmail Copyright Notice 37 | 38 | 39 | Copyright (c) 1998-2003 Sendmail, Inc. and its suppliers. 40 | All rights reserved. 41 | Copyright (c) 1983, 1995-1997 Eric P. Allman. All rights reserved. 42 | Copyright (c) 1988, 1993 43 | The Regents of the University of California. All rights reserved. 
44 | 45 | By using this file, you agree to the terms and conditions set 46 | forth in the LICENSE file which can be found at the top level of 47 | the sendmail distribution. 48 | 49 | 50 | $Author: tleek $ 51 | $Date: 2004/01/05 17:27:47 $ 52 | $Header: /mnt/leo2/cvs/sabo/hist-040105/sendmail/s7/txt-dns.h,v 1.1.1.1 2004/01/05 17:27:47 tleek Exp $ 53 | 54 | 55 | 56 | */ 57 | 58 | 59 | /* 60 | 61 | 62 | 63 | */ 64 | 65 | #include 66 | 67 | #define DNSMAP 1 68 | 69 | typedef unsigned char u_char; 70 | typedef unsigned int u_int; 71 | typedef unsigned long u_long; 72 | typedef unsigned short u_short; 73 | 74 | 75 | typedef struct 76 | { 77 | char *dns_q_domain; 78 | unsigned int dns_q_type; 79 | unsigned int dns_q_class; 80 | } DNS_QUERY_T; 81 | 82 | typedef struct 83 | { 84 | unsigned int mx_r_preference; 85 | char mx_r_domain[1]; 86 | } MX_RECORD_T; 87 | 88 | typedef struct 89 | { 90 | unsigned int srv_r_priority; 91 | unsigned int srv_r_weight; 92 | unsigned int srv_r_port; 93 | char srv_r_target[1]; 94 | } SRV_RECORDT_T; 95 | 96 | 97 | typedef struct resource_record RESOURCE_RECORD_T; /* from sm_resolve.h */ 98 | 99 | struct resource_record 100 | { 101 | char *rr_domain; 102 | unsigned int rr_type; 103 | unsigned int rr_class; 104 | unsigned int rr_ttl; 105 | unsigned int rr_size; 106 | union 107 | { 108 | void *rr_data; 109 | MX_RECORD_T *rr_mx; 110 | MX_RECORD_T *rr_afsdb; /* mx and afsdb are identical */ 111 | SRV_RECORDT_T *rr_srv; 112 | # if NETINET 113 | struct in_addr *rr_a; 114 | # endif /* NETINET */ 115 | # if NETINET6 116 | struct in6_addr *rr_aaaa; 117 | # endif /* NETINET6 */ 118 | char *rr_txt; 119 | } rr_u; 120 | RESOURCE_RECORD_T *rr_next; 121 | }; 122 | 123 | typedef struct 124 | { 125 | HEADER dns_r_h; 126 | DNS_QUERY_T dns_r_q; 127 | RESOURCE_RECORD_T *dns_r_head; 128 | } DNS_REPLY_T; 129 | 130 | 131 | 132 | /* 133 | 134 | 135 | 136 | */ 137 | 138 | -------------------------------------------------------------------------------- 
/vulapps/sendmail/s7/txtdns-bad-diet-svn: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitblaze-fuzzball/d-s-se-directed-tests/7104647e90ad925bde18a2bd22afc33fa09d2135/vulapps/sendmail/s7/txtdns-bad-diet-svn -------------------------------------------------------------------------------- /vulapps/show-bad-locations.sh: -------------------------------------------------------------------------------- 1 | ctxbefore=2 2 | ctxafter=5 3 | for l in $(sh compute-bad-locations.sh | cut -f 2- -d " ") ; do f=$(echo $l | cut -f 1 -d ":"); l=$(echo $l | cut -f 2 -d ":"); echo "$f:$l" ; echo "===================================================" ; head -n $((l+ctxafter)) $f | tail -n $((ctxbefore+ctxafter)); echo ; done 4 | 5 | -------------------------------------------------------------------------------- /vulapps/wu-ftpd/f1/2010-11-05.cmd: -------------------------------------------------------------------------------- 1 | ./cfg_fuzzball -linux-syscalls -trace-syscalls -trace-stopping -check-condition-at 0x080487c3:'mem[R_EBP:reg32_t - 12:reg32_t]:reg32_t == 7:reg32_t' -fuzz-start-addr 0x08048865 -symbolic-cstring 0xbffffd3e+30 -trace-assigns-string -coverage-stats -time-stats -fuzz-end-addr 0x080487c7 ./mp-bad -stp-path ./stp -skip-call-addr 0x080484e8=0 -- ./mp-bad pathfile.init 2 | -------------------------------------------------------------------------------- /vulapps/wu-ftpd/f1/2010-11-06.cmd: -------------------------------------------------------------------------------- 1 | ./cfg_fuzzball -linux-syscalls -trace-syscalls -trace-stopping -check-condition-at 0x08048933:'mem[R_EBP:reg32_t - 12:reg32_t]:reg32_t == 7:reg32_t' -fuzz-start-addr 0x080489d1 -trace-assigns-string -trace-iterations -coverage-stats -time-stats -fuzz-end-addr 0x08048937 ./mp-bad-mylibc -stp-path ./stp -skip-call-addr 0x08048668=0 -symbolic-cstring 0xbffffd3e+29 -cfg f1.cg -target-addr 0x08048933 -loop-weight 0x08048aca=20.0 -- 
./mp-bad-mylibc pathfile.init 2 | -------------------------------------------------------------------------------- /vulapps/wu-ftpd/f1/Makefile: -------------------------------------------------------------------------------- 1 | DIET = diet 2 | DIET_CFLAGS = 3 | DIET_LDFLAGS = /opt/diet/lib-i386/libcompat.a 4 | 5 | all: mp-bad mp-ok create 6 | 7 | clean: 8 | rm -f mp-bad mp-ok create mp-bad.out mp-ok.out 9 | 10 | mp-bad: mapped-path-bad.c 11 | $(CC) -g -fno-stack-protector -o mp-bad mapped-path-bad.c 12 | 13 | mp-bad-mylibc: mapped-path-bad.c ../../my-libc.o 14 | $(CC) -g -fno-stack-protector -o $@ mapped-path-bad.c ../../my-libc.o 15 | 16 | mp-bad-mylibc-diet: mapped-path-bad.c ../../my-libc.c 17 | $(DIET) $(CC) -g -fno-stack-protector -o $@ mapped-path-bad.c ../../my-libc.c 18 | 19 | mp-ok: mapped-path-ok.c 20 | $(CC) -fno-stack-protector -o mp-ok mapped-path-ok.c 21 | 22 | create: make-long-path.c 23 | $(CC) -o create make-long-path.c ; \ 24 | touch pathfile ; \ 25 | ./create 26 | -------------------------------------------------------------------------------- /vulapps/wu-ftpd/f1/call_fb_realpath.c: -------------------------------------------------------------------------------- 1 | 2 | /* 3 | 4 | MIT Copyright Notice 5 | 6 | Copyright 2003 M.I.T. 7 | 8 | Permission is hereby granted, without written agreement or royalty fee, to use, 9 | copy, modify, and distribute this software and its documentation for any 10 | purpose, provided that the above copyright notice and the following three 11 | paragraphs appear in all copies of this software. 12 | 13 | IN NO EVENT SHALL M.I.T. BE LIABLE TO ANY PARTY FOR DIRECT, INDIRECT, SPECIAL, 14 | INCIDENTAL, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OF THIS SOFTWARE 15 | AND ITS DOCUMENTATION, EVEN IF M.I.T. HAS BEEN ADVISED OF THE POSSIBILITY OF 16 | SUCH DAMANGE. 17 | 18 | M.I.T. 
SPECIFICALLY DISCLAIMS ANY WARRANTIES INCLUDING, BUT NOT LIMITED TO 19 | THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, 20 | AND NON-INFRINGEMENT. 21 | 22 | THE SOFTWARE IS PROVIDED ON AN "AS-IS" BASIS AND M.I.T. HAS NO OBLIGATION TO 23 | PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS. 24 | 25 | $Author: tleek $ 26 | $Date: 2004/01/05 17:27:50 $ 27 | $Header: /mnt/leo2/cvs/sabo/hist-040105/wu-ftpd/f3/call_fb_realpath.c,v 1.1.1.1 2004/01/05 17:27:50 tleek Exp $ 28 | 29 | 30 | 31 | */ 32 | 33 | 34 | /* 35 | 36 | WU-FTPD Copyright Notice 37 | 38 | 39 | Copyright (c) 1999,2000 WU-FTPD Development Group. 40 | All rights reserved. 41 | 42 | Portions Copyright (c) 1980, 1985, 1988, 1989, 1990, 1991, 1993, 1994 43 | The Regents of the University of California. 44 | Portions Copyright (c) 1993, 1994 Washington University in Saint Louis. 45 | Portions Copyright (c) 1996, 1998 Berkeley Software Design, Inc. 46 | Portions Copyright (c) 1989 Massachusetts Institute of Technology. 47 | Portions Copyright (c) 1998 Sendmail, Inc. 48 | Portions Copyright (c) 1983, 1995, 1996, 1997 Eric P. Allman. 49 | Portions Copyright (c) 1997 by Stan Barber. 50 | Portions Copyright (c) 1997 by Kent Landfield. 51 | Portions Copyright (c) 1991, 1992, 1993, 1994, 1995, 1996, 1997 52 | Free Software Foundation, Inc. 53 | 54 | Use and distribution of this software and its source code are governed 55 | by the terms and conditions of the WU-FTPD Software License ("LICENSE"). 56 | 57 | If you did not receive a copy of the license, it may be obtained online 58 | at http://www.wu-ftpd.org/license.html. 
59 | 60 | 61 | $Author: tleek $ 62 | $Date: 2004/01/05 17:27:50 $ 63 | $Header: /mnt/leo2/cvs/sabo/hist-040105/wu-ftpd/f3/call_fb_realpath.c,v 1.1.1.1 2004/01/05 17:27:50 tleek Exp $ 64 | 65 | 66 | 67 | */ 68 | 69 | 70 | /* 71 | 72 | 73 | 74 | */ 75 | 76 | #include 77 | #include 78 | #include "my-include.h" 79 | #include 80 | #include 81 | 82 | #define printf if(0) printf 83 | 84 | /* 85 | ** Test driver: copies argv[1] into a fixed 100-byte stack buffer with strcpy() and passes it to fb_realpath(), whose result goes into resolved_path, which is only MAXPATHLEN bytes (10 in this directory's my-include.h). Neither the copy nor the call checks the argument length, so the argument must fit in path[]; argc is validated only with assert(), which is compiled out under NDEBUG. All printf calls are disabled by the #define above, and f is declared but never used. */ 86 | int main(int argc, char **argv){ 87 | char resolved_path[MAXPATHLEN]; 88 | char path[100]; 89 | FILE *f; 90 | 91 | printf ("MAXPATHLEN=%d\n", MAXPATHLEN); 92 | 93 | assert (argc==2); 94 | 95 | strcpy(path, argv[1]); /* unbounded copy: relies on the caller keeping argv[1] under 100 bytes */ 96 | 97 | printf("Input path = %s, strlen(path) = %d\n", path, strlen(path)); 98 | printf("MAXPATHLEN = %d\n", MAXPATHLEN); 99 | fb_realpath(path, resolved_path); 100 | 101 | return 0; 102 | } 103 | 104 | /* 105 | 106 | 107 | 108 | */ 109 | 110 | -------------------------------------------------------------------------------- /vulapps/wu-ftpd/f1/make-long-path.c: -------------------------------------------------------------------------------- 1 | 2 | /* 3 | 4 | MIT Copyright Notice 5 | 6 | Copyright 2003 M.I.T. 7 | 8 | Permission is hereby granted, without written agreement or royalty fee, to use, 9 | copy, modify, and distribute this software and its documentation for any 10 | purpose, provided that the above copyright notice and the following three 11 | paragraphs appear in all copies of this software. 12 | 13 | IN NO EVENT SHALL M.I.T. BE LIABLE TO ANY PARTY FOR DIRECT, INDIRECT, SPECIAL, 14 | INCIDENTAL, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OF THIS SOFTWARE 15 | AND ITS DOCUMENTATION, EVEN IF M.I.T. HAS BEEN ADVISED OF THE POSSIBILITY OF 16 | SUCH DAMANGE. 17 | 18 | M.I.T. SPECIFICALLY DISCLAIMS ANY WARRANTIES INCLUDING, BUT NOT LIMITED TO 19 | THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, 20 | AND NON-INFRINGEMENT. 21 | 22 | THE SOFTWARE IS PROVIDED ON AN "AS-IS" BASIS AND M.I.T. 
HAS NO OBLIGATION TO 23 | PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS. 24 | 25 | $Author: tleek $ 26 | $Date: 2004/01/05 17:27:52 $ 27 | $Header: /mnt/leo2/cvs/sabo/hist-040105/wu-ftpd/f1/make-long-path.c,v 1.1.1.1 2004/01/05 17:27:52 tleek Exp $ 28 | 29 | 30 | 31 | */ 32 | 33 | 34 | /* 35 | 36 | WU-FTPD Copyright Notice 37 | 38 | 39 | Copyright (c) 1999,2000 WU-FTPD Development Group. 40 | All rights reserved. 41 | 42 | Portions Copyright (c) 1980, 1985, 1988, 1989, 1990, 1991, 1993, 1994 43 | The Regents of the University of California. 44 | Portions Copyright (c) 1993, 1994 Washington University in Saint Louis. 45 | Portions Copyright (c) 1996, 1998 Berkeley Software Design, Inc. 46 | Portions Copyright (c) 1989 Massachusetts Institute of Technology. 47 | Portions Copyright (c) 1998 Sendmail, Inc. 48 | Portions Copyright (c) 1983, 1995, 1996, 1997 Eric P. Allman. 49 | Portions Copyright (c) 1997 by Stan Barber. 50 | Portions Copyright (c) 1997 by Kent Landfield. 51 | Portions Copyright (c) 1991, 1992, 1993, 1994, 1995, 1996, 1997 52 | Free Software Foundation, Inc. 53 | 54 | Use and distribution of this software and its source code are governed 55 | by the terms and conditions of the WU-FTPD Software License ("LICENSE"). 56 | 57 | If you did not receive a copy of the license, it may be obtained online 58 | at http://www.wu-ftpd.org/license.html. 59 | 60 | 61 | $Author: tleek $ 62 | $Date: 2004/01/05 17:27:52 $ 63 | $Header: /mnt/leo2/cvs/sabo/hist-040105/wu-ftpd/f1/make-long-path.c,v 1.1.1.1 2004/01/05 17:27:52 tleek Exp $ 64 | 65 | 66 | 67 | */ 68 | 69 | 70 | /* 71 | 72 | 73 | 74 | */ 75 | 76 | #include 77 | #include 78 | #include 79 | #include 80 | #include 81 | 82 | #include "my-include.h" 83 | // MAXPATHLEN is 10 84 | 85 | int main(){ 86 | 87 | char orig_path[MAXPATHLEN + 20]; 88 | char *temp; 89 | FILE *f; 90 | int i, n; 91 | 92 | temp = orig_path; 93 | 94 | 95 | /* define a long path /tmp/aaaaa... 
*/ 96 | strcpy(temp, "/tmp/"); 97 | temp = temp + 5; 98 | memset(temp, 'a', sizeof(char) * (MAXPATHLEN + 15)); 99 | orig_path[MAXPATHLEN + 19] = '\0'; 100 | mkdir(orig_path, O_RDONLY); 101 | chmod(orig_path, 0700); 102 | 103 | f = (FILE *) fopen("pathfile", "r+"); 104 | 105 | n = strlen(orig_path); 106 | 107 | for(i=0; i 122 | 123 | */ 124 | 125 | -------------------------------------------------------------------------------- /vulapps/wu-ftpd/f1/mp-bad-mylibc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitblaze-fuzzball/d-s-se-directed-tests/7104647e90ad925bde18a2bd22afc33fa09d2135/vulapps/wu-ftpd/f1/mp-bad-mylibc -------------------------------------------------------------------------------- /vulapps/wu-ftpd/f1/mp-bad-mylibc-diet-svn: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitblaze-fuzzball/d-s-se-directed-tests/7104647e90ad925bde18a2bd22afc33fa09d2135/vulapps/wu-ftpd/f1/mp-bad-mylibc-diet-svn -------------------------------------------------------------------------------- /vulapps/wu-ftpd/f1/my-include.h: -------------------------------------------------------------------------------- 1 | 2 | /* 3 | 4 | MIT Copyright Notice 5 | 6 | Copyright 2003 M.I.T. 7 | 8 | Permission is hereby granted, without written agreement or royalty fee, to use, 9 | copy, modify, and distribute this software and its documentation for any 10 | purpose, provided that the above copyright notice and the following three 11 | paragraphs appear in all copies of this software. 12 | 13 | IN NO EVENT SHALL M.I.T. BE LIABLE TO ANY PARTY FOR DIRECT, INDIRECT, SPECIAL, 14 | INCIDENTAL, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OF THIS SOFTWARE 15 | AND ITS DOCUMENTATION, EVEN IF M.I.T. HAS BEEN ADVISED OF THE POSSIBILITY OF 16 | SUCH DAMANGE. 17 | 18 | M.I.T. 
SPECIFICALLY DISCLAIMS ANY WARRANTIES INCLUDING, BUT NOT LIMITED TO 19 | THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, 20 | AND NON-INFRINGEMENT. 21 | 22 | THE SOFTWARE IS PROVIDED ON AN "AS-IS" BASIS AND M.I.T. HAS NO OBLIGATION TO 23 | PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS. 24 | 25 | $Author: tleek $ 26 | $Date: 2004/01/05 17:27:52 $ 27 | $Header: /mnt/leo2/cvs/sabo/hist-040105/wu-ftpd/f1/my-include.h,v 1.1.1.1 2004/01/05 17:27:52 tleek Exp $ 28 | 29 | 30 | 31 | */ 32 | 33 | 34 | /* 35 | 36 | WU-FTPD Copyright Notice 37 | 38 | 39 | Copyright (c) 1999,2000 WU-FTPD Development Group. 40 | All rights reserved. 41 | 42 | Portions Copyright (c) 1980, 1985, 1988, 1989, 1990, 1991, 1993, 1994 43 | The Regents of the University of California. 44 | Portions Copyright (c) 1993, 1994 Washington University in Saint Louis. 45 | Portions Copyright (c) 1996, 1998 Berkeley Software Design, Inc. 46 | Portions Copyright (c) 1989 Massachusetts Institute of Technology. 47 | Portions Copyright (c) 1998 Sendmail, Inc. 48 | Portions Copyright (c) 1983, 1995, 1996, 1997 Eric P. Allman. 49 | Portions Copyright (c) 1997 by Stan Barber. 50 | Portions Copyright (c) 1997 by Kent Landfield. 51 | Portions Copyright (c) 1991, 1992, 1993, 1994, 1995, 1996, 1997 52 | Free Software Foundation, Inc. 53 | 54 | Use and distribution of this software and its source code are governed 55 | by the terms and conditions of the WU-FTPD Software License ("LICENSE"). 56 | 57 | If you did not receive a copy of the license, it may be obtained online 58 | at http://www.wu-ftpd.org/license.html. 
59 | 60 | 61 | $Author: tleek $ 62 | $Date: 2004/01/05 17:27:52 $ 63 | $Header: /mnt/leo2/cvs/sabo/hist-040105/wu-ftpd/f1/my-include.h,v 1.1.1.1 2004/01/05 17:27:52 tleek Exp $ 64 | 65 | 66 | 67 | */ 68 | 69 | 70 | /* 71 | 72 | 73 | 74 | */ 75 | 76 | #define MAPPING_CHDIR 1 /* mz: define MAPPING_CHDIR to be true */ 77 | #define MAXPATHLEN 10 78 | #define HAVE_GETCWD 1 79 | 80 | #define printf if (0) printf 81 | /* 82 | 83 | 84 | 85 | */ 86 | 87 | -------------------------------------------------------------------------------- /vulapps/wu-ftpd/f1/pathfile.exploit: -------------------------------------------------------------------------------- 1 | aaaaaaaaa -------------------------------------------------------------------------------- /vulapps/wu-ftpd/f1/pathfile.init: -------------------------------------------------------------------------------- 1 | aaa -------------------------------------------------------------------------------- /vulapps/wu-ftpd/f1/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # Hardcoded Input: a textfile named 'pathfile' 4 | # 5 | ./mp-bad pathfile 6 | -------------------------------------------------------------------------------- /vulapps/wu-ftpd/f1/testcase: -------------------------------------------------------------------------------- 1 | testcase.init -------------------------------------------------------------------------------- /vulapps/wu-ftpd/f1/testcase.init: -------------------------------------------------------------------------------- 1 | pathfile.init -------------------------------------------------------------------------------- /vulapps/wu-ftpd/f2/2010-11-09-fulllen.cmd: -------------------------------------------------------------------------------- 1 | (export F2=`pwd`; (cd /tmp/foo/bar/foo/bar/foo/bar/foo/ba; $F2/cfg_fuzzball $F2/obo-bad-diet -stp-path $F2/stp -linux-syscalls -trace-syscalls -trace-stopping -trace-assigns-string -coverage-stats 
-time-stats -trace-iterations -check-condition-at 0x08048a20:'R_EAX:reg32_t > 0x2e:reg32_t' -fuzz-start-addr 0x080481cc -symbolic-cstring-fulllen 0xbffffd4e+10 -symbolic-syscall-error -2 -skip-call-ret 0x08048b80=0 -cfg $F2/../../../cfg/MIT/wu-ftpd/f2/obo-bad-diet.stat.cfg -target-addr 0x08048a20 -- $F2/obo-bad-diet testcase)) 2 | -------------------------------------------------------------------------------- /vulapps/wu-ftpd/f2/2010-11-09.cmd: -------------------------------------------------------------------------------- 1 | (export F2=`pwd`; (cd /tmp/foo/bar/foo/bar/foo/bar/foo/ba; $F2/cfg_fuzzball $F2/obo-bad-diet -stp-path $F2/stp -linux-syscalls -trace-syscalls -trace-stopping -trace-assigns-string -coverage-stats -time-stats -trace-iterations -check-condition-at 0x08048a20:'R_EAX:reg32_t > 0x2e:reg32_t' -fuzz-start-addr 0x080481cc -symbolic-cstring 0xbffffd4e+10 -symbolic-syscall-error -2 -skip-call-ret 0x08048b80=0 -- $F2/obo-bad-diet testcase)) 2 | -------------------------------------------------------------------------------- /vulapps/wu-ftpd/f2/Makefile: -------------------------------------------------------------------------------- 1 | DIET = diet 2 | DIET_CFLAGS = -g -fno-jump-tables 3 | DIET_LDFLAGS = /opt/diet/lib-i386/libcompat.a 4 | 5 | all: obo-bad obo-ok setup 6 | 7 | clean: 8 | rm -rf obo-bad obo-ok /tmp/foo obo-bad.out obo-ok.out 9 | 10 | obo-bad: call_fb_realpath.c realpath-bad.c 11 | $(CC) -o obo-bad call_fb_realpath.c realpath-bad.c 12 | 13 | obo-bad-diet: call_fb_realpath.c realpath-bad.c 14 | $(DIET) $(CC) $(DIET_CFLAGS) -o obo-bad-diet call_fb_realpath.c realpath-bad.c 15 | 16 | obo-ok: call_fb_realpath.c realpath-ok.c 17 | $(CC) -o obo-ok call_fb_realpath.c realpath-ok.c 18 | 19 | setup: 20 | mkdir -p /tmp/foo/bar/foo/bar/foo/bar/foo/bar ; \ 21 | touch /tmp/foo/bar/foo/bar/foo/bar/foo/bar/abcdefghi ; \ 22 | ln -nsf /tmp/foo/bar/foo/bar/foo/bar/foo/bar/abcdefghi /tmp/foo/bar/foo/bar/foo/bar/foo/bar/abcdefgh 23 | 24 | 25 | 
-------------------------------------------------------------------------------- /vulapps/wu-ftpd/f2/call_fb_realpath.c: -------------------------------------------------------------------------------- 1 | 2 | /* 3 | 4 | MIT Copyright Notice 5 | 6 | Copyright 2003 M.I.T. 7 | 8 | Permission is hereby granted, without written agreement or royalty fee, to use, 9 | copy, modify, and distribute this software and its documentation for any 10 | purpose, provided that the above copyright notice and the following three 11 | paragraphs appear in all copies of this software. 12 | 13 | IN NO EVENT SHALL M.I.T. BE LIABLE TO ANY PARTY FOR DIRECT, INDIRECT, SPECIAL, 14 | INCIDENTAL, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OF THIS SOFTWARE 15 | AND ITS DOCUMENTATION, EVEN IF M.I.T. HAS BEEN ADVISED OF THE POSSIBILITY OF 16 | SUCH DAMANGE. 17 | 18 | M.I.T. SPECIFICALLY DISCLAIMS ANY WARRANTIES INCLUDING, BUT NOT LIMITED TO 19 | THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, 20 | AND NON-INFRINGEMENT. 21 | 22 | THE SOFTWARE IS PROVIDED ON AN "AS-IS" BASIS AND M.I.T. HAS NO OBLIGATION TO 23 | PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS. 24 | 25 | $Author: tleek $ 26 | $Date: 2004/01/05 17:27:50 $ 27 | $Header: /mnt/leo2/cvs/sabo/hist-040105/wu-ftpd/f3/call_fb_realpath.c,v 1.1.1.1 2004/01/05 17:27:50 tleek Exp $ 28 | 29 | 30 | 31 | */ 32 | 33 | 34 | /* 35 | 36 | WU-FTPD Copyright Notice 37 | 38 | 39 | Copyright (c) 1999,2000 WU-FTPD Development Group. 40 | All rights reserved. 41 | 42 | Portions Copyright (c) 1980, 1985, 1988, 1989, 1990, 1991, 1993, 1994 43 | The Regents of the University of California. 44 | Portions Copyright (c) 1993, 1994 Washington University in Saint Louis. 45 | Portions Copyright (c) 1996, 1998 Berkeley Software Design, Inc. 46 | Portions Copyright (c) 1989 Massachusetts Institute of Technology. 47 | Portions Copyright (c) 1998 Sendmail, Inc. 
48 | Portions Copyright (c) 1983, 1995, 1996, 1997 Eric P. Allman. 49 | Portions Copyright (c) 1997 by Stan Barber. 50 | Portions Copyright (c) 1997 by Kent Landfield. 51 | Portions Copyright (c) 1991, 1992, 1993, 1994, 1995, 1996, 1997 52 | Free Software Foundation, Inc. 53 | 54 | Use and distribution of this software and its source code are governed 55 | by the terms and conditions of the WU-FTPD Software License ("LICENSE"). 56 | 57 | If you did not receive a copy of the license, it may be obtained online 58 | at http://www.wu-ftpd.org/license.html. 59 | 60 | 61 | $Author: tleek $ 62 | $Date: 2004/01/05 17:27:50 $ 63 | $Header: /mnt/leo2/cvs/sabo/hist-040105/wu-ftpd/f3/call_fb_realpath.c,v 1.1.1.1 2004/01/05 17:27:50 tleek Exp $ 64 | 65 | 66 | 67 | */ 68 | 69 | 70 | /* 71 | 72 | 73 | 74 | */ 75 | 76 | #include 77 | #include 78 | #include "my-include.h" 79 | #include 80 | #include 81 | 82 | #define printf if(0) printf 83 | 84 | /* 85 | ** Test driver: copies argv[1] into a fixed 100-byte stack buffer with strcpy() and passes it to fb_realpath(), whose result goes into resolved_path, which is only MAXPATHLEN bytes (46 in this directory's my-include.h). Neither the copy nor the call checks the argument length, so the argument must fit in path[]; argc is validated only with assert(), which is compiled out under NDEBUG. fb_realpath is not declared in my-include.h (which declares my_realpath); presumably it is supplied by the realpath-bad.c / realpath-ok.c unit the Makefile links with this file. All printf calls are disabled by the #define above, and f is declared but never used. */ 86 | int main(int argc, char **argv){ 87 | char resolved_path[MAXPATHLEN]; 88 | char path[100]; 89 | FILE *f; 90 | 91 | printf ("MAXPATHLEN=%d\n", MAXPATHLEN); 92 | 93 | assert (argc==2); 94 | 95 | strcpy(path, argv[1]); /* unbounded copy: relies on the caller keeping argv[1] under 100 bytes */ 96 | 97 | printf("Input path = %s, strlen(path) = %d\n", path, strlen(path)); 98 | printf("MAXPATHLEN = %d\n", MAXPATHLEN); 99 | fb_realpath(path, resolved_path); 100 | 101 | return 0; 102 | } 103 | 104 | /* 105 | 106 | 107 | 108 | */ 109 | 110 | -------------------------------------------------------------------------------- /vulapps/wu-ftpd/f2/my-include.h: -------------------------------------------------------------------------------- 1 | 2 | /* 3 | 4 | MIT Copyright Notice 5 | 6 | Copyright 2003 M.I.T. 7 | 8 | Permission is hereby granted, without written agreement or royalty fee, to use, 9 | copy, modify, and distribute this software and its documentation for any 10 | purpose, provided that the above copyright notice and the following three 11 | paragraphs appear in all copies of this software. 
12 | 13 | IN NO EVENT SHALL M.I.T. BE LIABLE TO ANY PARTY FOR DIRECT, INDIRECT, SPECIAL, 14 | INCIDENTAL, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OF THIS SOFTWARE 15 | AND ITS DOCUMENTATION, EVEN IF M.I.T. HAS BEEN ADVISED OF THE POSSIBILITY OF 16 | SUCH DAMANGE. 17 | 18 | M.I.T. SPECIFICALLY DISCLAIMS ANY WARRANTIES INCLUDING, BUT NOT LIMITED TO 19 | THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, 20 | AND NON-INFRINGEMENT. 21 | 22 | THE SOFTWARE IS PROVIDED ON AN "AS-IS" BASIS AND M.I.T. HAS NO OBLIGATION TO 23 | PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS. 24 | 25 | $Author: tleek $ 26 | $Date: 2004/01/05 17:27:49 $ 27 | $Header: /mnt/leo2/cvs/sabo/hist-040105/wu-ftpd/f2/my-include.h,v 1.1.1.1 2004/01/05 17:27:49 tleek Exp $ 28 | 29 | 30 | 31 | */ 32 | 33 | 34 | /* 35 | 36 | WU-FTPD Copyright Notice 37 | 38 | 39 | Copyright (c) 1999,2000 WU-FTPD Development Group. 40 | All rights reserved. 41 | 42 | Portions Copyright (c) 1980, 1985, 1988, 1989, 1990, 1991, 1993, 1994 43 | The Regents of the University of California. 44 | Portions Copyright (c) 1993, 1994 Washington University in Saint Louis. 45 | Portions Copyright (c) 1996, 1998 Berkeley Software Design, Inc. 46 | Portions Copyright (c) 1989 Massachusetts Institute of Technology. 47 | Portions Copyright (c) 1998 Sendmail, Inc. 48 | Portions Copyright (c) 1983, 1995, 1996, 1997 Eric P. Allman. 49 | Portions Copyright (c) 1997 by Stan Barber. 50 | Portions Copyright (c) 1997 by Kent Landfield. 51 | Portions Copyright (c) 1991, 1992, 1993, 1994, 1995, 1996, 1997 52 | Free Software Foundation, Inc. 53 | 54 | Use and distribution of this software and its source code are governed 55 | by the terms and conditions of the WU-FTPD Software License ("LICENSE"). 56 | 57 | If you did not receive a copy of the license, it may be obtained online 58 | at http://www.wu-ftpd.org/license.html. 
59 | 60 | 61 | $Author: tleek $ 62 | $Date: 2004/01/05 17:27:49 $ 63 | $Header: /mnt/leo2/cvs/sabo/hist-040105/wu-ftpd/f2/my-include.h,v 1.1.1.1 2004/01/05 17:27:49 tleek Exp $ 64 | 65 | 66 | 67 | */ 68 | 69 | 70 | /* 71 | 72 | 73 | 74 | */ 75 | 76 | extern char *my_realpath(const char *pathname, char *result, char* chroot_path); 77 | #define MAXPATHLEN 46 78 | 79 | #define HAVE_SYMLINK 1 80 | #define HAVE_GETCWD 1 81 | 82 | /* 83 | 84 | 85 | 86 | */ 87 | 88 | -------------------------------------------------------------------------------- /vulapps/wu-ftpd/f2/obo-bad-diet-svn: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitblaze-fuzzball/d-s-se-directed-tests/7104647e90ad925bde18a2bd22afc33fa09d2135/vulapps/wu-ftpd/f2/obo-bad-diet-svn -------------------------------------------------------------------------------- /vulapps/wu-ftpd/f2/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # Input: a textfile named 'testcase' 4 | # 5 | ./obo-bad testcase 6 | -------------------------------------------------------------------------------- /vulapps/wu-ftpd/f2/testcase: -------------------------------------------------------------------------------- 1 | testcase.init -------------------------------------------------------------------------------- /vulapps/wu-ftpd/f2/testcase.exploit: -------------------------------------------------------------------------------- 1 | aaaaaaaaaa -------------------------------------------------------------------------------- /vulapps/wu-ftpd/f2/testcase.init: -------------------------------------------------------------------------------- 1 | aaa -------------------------------------------------------------------------------- /vulapps/wu-ftpd/f3/2010-11-10-guided.cmd: -------------------------------------------------------------------------------- 1 | (export F3=`pwd`; (cd /tmp/f3; $F3/cfg_fuzzball 
$F3/rp-bad-diet -stp-path $F3/stp -linux-syscalls -trace-syscalls -trace-stopping -trace-assigns-string -coverage-stats -time-stats -trace-iterations -check-condition-at 0x08048268:'R_EAX:reg32_t == 10:reg32_t' -skip-func-ret 0x08049588=10 -fuzz-start-addr 0x080482fe -symbolic-cstring-fulllen 0x50002008+41 -symbolic-syscall-error -2 -cfg $F3/../../../cfg/MIT/wu-ftpd/f3/rp-bad-diet.stat.cfg -target-addr 0x08048268 -loop-weight 0x08049229=50.0 -- $F3/rp-bad-diet)) 2 | -------------------------------------------------------------------------------- /vulapps/wu-ftpd/f3/2010-11-10.cmd: -------------------------------------------------------------------------------- 1 | (export F3=`pwd`; (cd /tmp/f3; $F3/cfg_fuzzball $F3/rp-bad-diet -stp-path $F3/stp -linux-syscalls -trace-syscalls -trace-stopping -trace-assigns-string -coverage-stats -time-stats -trace-iterations -check-condition-at 0x08048268:'R_EAX:reg32_t == 10:reg32_t' -skip-func-ret 0x08049588=10 -fuzz-start-addr 0x080482fe -symbolic-cstring-fulllen 0x50002008+41 -symbolic-syscall-error -2 -- $F3/rp-bad-diet)) 2 | -------------------------------------------------------------------------------- /vulapps/wu-ftpd/f3/2010-11-14-hand-guide.cmd: -------------------------------------------------------------------------------- 1 | (export F3=`pwd`; (cd /tmp/f3; $F3/cfg_fuzzball $F3/rp-bad-diet -stp-path $F3/stp -linux-syscalls -trace-syscalls -trace-stopping -trace-assigns-string -coverage-stats -time-stats -trace-iterations -check-condition-at 0x08048268:'R_EAX:reg32_t == 10:reg32_t' -skip-func-ret 0x08049588=10 -fuzz-start-addr 0x080482fe -symbolic-cstring-fulllen 0x50002008+41 -symbolic-syscall-error -2 -cfg $F3/../../../cfg/MIT/wu-ftpd/f3/rp-bad-diet.cfg -target-addr 0x08048268 -loop-weight 0x08049491=100.0 -- $F3/rp-bad-diet)) 2 | -------------------------------------------------------------------------------- /vulapps/wu-ftpd/f3/2010-11-14-warn-guide.cmd: 
-------------------------------------------------------------------------------- 1 | (export F3=`pwd`; (cd /tmp/f3; $F3/cfg_fuzzball $F3/rp-bad-diet -stp-path $F3/stp -linux-syscalls -trace-syscalls -trace-stopping -trace-assigns-string -coverage-stats -time-stats -trace-iterations -check-condition-at 0x08048268:'R_EAX:reg32_t == 10:reg32_t' -skip-func-ret 0x08049588=10 -fuzz-start-addr 0x080482fe -symbolic-cstring-fulllen 0x50002008+41 -symbolic-syscall-error -2 -cfg $F3/../../../cfg/MIT/wu-ftpd/f3/rp-bad-diet.cfg -warn-file $F3/../../../cfg/MIT/wu-ftpd/f3/rp-bad-diet.slice -target-addr 0x080487b5 -- $F3/rp-bad-diet)) 2 | -------------------------------------------------------------------------------- /vulapps/wu-ftpd/f3/Makefile: -------------------------------------------------------------------------------- 1 | DIET = diet 2 | DIET_CFLAGS = -g -fno-jump-tables -DHAVE_SYMLINK 3 | DIET_LDFLAGS = /opt/diet/lib-i386/libcompat.a 4 | 5 | all: rp-bad rp-ok 6 | 7 | clean: 8 | rm -f rp-bad rp-ok rp-bad.out rp-ok.out 9 | 10 | rp-bad: call-realpath-bad.c realpath-2.4.2-bad.c 11 | $(CC) -fno-stack-protector -o rp-bad mymain.c call-realpath-bad.c realpath-2.4.2-bad.c 12 | 13 | rp-bad-diet: call-realpath-bad.c realpath-2.4.2-bad.c 14 | $(DIET) $(CC) $(DIET_CFLAGS) -fno-stack-protector -o rp-bad-diet mymain.c call-realpath-bad.c realpath-2.4.2-bad.c $(DIET_LDFLAGS) 15 | 16 | rp-ok: call-realpath-ok.c realpath-2.4.2-ok.c 17 | $(CC) -fno-stack-protector -o rp-ok mymain.c call-realpath-ok.c realpath-2.4.2-ok.c 18 | 19 | 20 | 21 | -------------------------------------------------------------------------------- /vulapps/wu-ftpd/f3/call-realpath-bad.c: -------------------------------------------------------------------------------- 1 | 2 | /* 3 | 4 | MIT Copyright Notice 5 | 6 | Copyright 2003 M.I.T. 
7 | 8 | Permission is hereby granted, without written agreement or royalty fee, to use, 9 | copy, modify, and distribute this software and its documentation for any 10 | purpose, provided that the above copyright notice and the following three 11 | paragraphs appear in all copies of this software. 12 | 13 | IN NO EVENT SHALL M.I.T. BE LIABLE TO ANY PARTY FOR DIRECT, INDIRECT, SPECIAL, 14 | INCIDENTAL, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OF THIS SOFTWARE 15 | AND ITS DOCUMENTATION, EVEN IF M.I.T. HAS BEEN ADVISED OF THE POSSIBILITY OF 16 | SUCH DAMANGE. 17 | 18 | M.I.T. SPECIFICALLY DISCLAIMS ANY WARRANTIES INCLUDING, BUT NOT LIMITED TO 19 | THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, 20 | AND NON-INFRINGEMENT. 21 | 22 | THE SOFTWARE IS PROVIDED ON AN "AS-IS" BASIS AND M.I.T. HAS NO OBLIGATION TO 23 | PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS. 24 | 25 | $Author: tleek $ 26 | $Date: 2004/01/05 17:27:49 $ 27 | $Header: /mnt/leo2/cvs/sabo/hist-040105/wu-ftpd/f2/call-realpath-bad.c,v 1.1.1.1 2004/01/05 17:27:49 tleek Exp $ 28 | 29 | 30 | 31 | */ 32 | 33 | 34 | /* 35 | 36 | WU-FTPD Copyright Notice 37 | 38 | 39 | Copyright (c) 1999,2000 WU-FTPD Development Group. 40 | All rights reserved. 41 | 42 | Portions Copyright (c) 1980, 1985, 1988, 1989, 1990, 1991, 1993, 1994 43 | The Regents of the University of California. 44 | Portions Copyright (c) 1993, 1994 Washington University in Saint Louis. 45 | Portions Copyright (c) 1996, 1998 Berkeley Software Design, Inc. 46 | Portions Copyright (c) 1989 Massachusetts Institute of Technology. 47 | Portions Copyright (c) 1998 Sendmail, Inc. 48 | Portions Copyright (c) 1983, 1995, 1996, 1997 Eric P. Allman. 49 | Portions Copyright (c) 1997 by Stan Barber. 50 | Portions Copyright (c) 1997 by Kent Landfield. 51 | Portions Copyright (c) 1991, 1992, 1993, 1994, 1995, 1996, 1997 52 | Free Software Foundation, Inc. 
53 | 54 | Use and distribution of this software and its source code are governed 55 | by the terms and conditions of the WU-FTPD Software License ("LICENSE"). 56 | 57 | If you did not receive a copy of the license, it may be obtained online 58 | at http://www.wu-ftpd.org/license.html. 59 | 60 | 61 | $Author: tleek $ 62 | $Date: 2004/01/05 17:27:49 $ 63 | $Header: /mnt/leo2/cvs/sabo/hist-040105/wu-ftpd/f2/call-realpath-bad.c,v 1.1.1.1 2004/01/05 17:27:49 tleek Exp $ 64 | 65 | 66 | 67 | */ 68 | 69 | 70 | /* 71 | 72 | 73 | 74 | */ 75 | 76 | #include 77 | #include 78 | #include "my-include.h" 79 | #include 80 | 81 | char chroot_path[MAXPATHLEN]; 82 | 83 | /* Overflowing path[] can overwrite gid and uid and potentially escalate */ 84 | /* user privileges. Also, the ret address of call_realpath can get overwritten*/ 85 | /* possibly leading to execution of arbitrary code */ 86 | 87 | /* call_realpath models the function makedir() inside ftpd.c which calls */ 88 | /* realpath() several times */ 89 | 90 | void call_realpath(char *name){ 91 | 92 | unsigned int uid = 10; 93 | unsigned int gid = 100; 94 | char path[MAXPATHLEN + 1]; /* for my-realpath() later - cky */ 95 | 96 | printf("Before my-realpath(): uid = %d, gid = %d\n", uid, gid); 97 | 98 | printf ("strlen(name) =%d\n", strlen(name)); 99 | my_realpath(name, path, chroot_path); 100 | printf("Resolved path = %s\n", path); 101 | printf("After my-realpath(): uid = %d, gid = %d\n", uid, gid); 102 | } 103 | 104 | int myfoo(int argc, char *argv[]){ 105 | char *name; 106 | char *root_path; 107 | 108 | 109 | assert (argc==2 || argc==3); 110 | 111 | if (argc == 2){ 112 | name = argv[1]; /* name could be very long, i.e longer than MAXPATHLEN*/ 113 | root_path = "/"; 114 | } 115 | else { // argc == 3 116 | name = argv[1]; /* name could be very long, i.e longer than MAXPATHLEN*/ 117 | root_path = argv[2]; 118 | } 119 | 120 | (void) strncpy (chroot_path, root_path, sizeof (chroot_path)); 121 | call_realpath(name); 122 | 123 | 
return 0; 124 | } 125 | 126 | 127 | /* 128 | 129 | 130 | 131 | */ 132 | 133 | -------------------------------------------------------------------------------- /vulapps/wu-ftpd/f3/call-realpath-ok.c: -------------------------------------------------------------------------------- 1 | 2 | /* 3 | 4 | MIT Copyright Notice 5 | 6 | Copyright 2003 M.I.T. 7 | 8 | Permission is hereby granted, without written agreement or royalty fee, to use, 9 | copy, modify, and distribute this software and its documentation for any 10 | purpose, provided that the above copyright notice and the following three 11 | paragraphs appear in all copies of this software. 12 | 13 | IN NO EVENT SHALL M.I.T. BE LIABLE TO ANY PARTY FOR DIRECT, INDIRECT, SPECIAL, 14 | INCIDENTAL, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OF THIS SOFTWARE 15 | AND ITS DOCUMENTATION, EVEN IF M.I.T. HAS BEEN ADVISED OF THE POSSIBILITY OF 16 | SUCH DAMANGE. 17 | 18 | M.I.T. SPECIFICALLY DISCLAIMS ANY WARRANTIES INCLUDING, BUT NOT LIMITED TO 19 | THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, 20 | AND NON-INFRINGEMENT. 21 | 22 | THE SOFTWARE IS PROVIDED ON AN "AS-IS" BASIS AND M.I.T. HAS NO OBLIGATION TO 23 | PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS. 24 | 25 | $Author: tleek $ 26 | $Date: 2004/01/05 17:27:49 $ 27 | $Header: /mnt/leo2/cvs/sabo/hist-040105/wu-ftpd/f2/call-realpath-ok.c,v 1.1.1.1 2004/01/05 17:27:49 tleek Exp $ 28 | 29 | 30 | 31 | */ 32 | 33 | 34 | /* 35 | 36 | WU-FTPD Copyright Notice 37 | 38 | 39 | Copyright (c) 1999,2000 WU-FTPD Development Group. 40 | All rights reserved. 41 | 42 | Portions Copyright (c) 1980, 1985, 1988, 1989, 1990, 1991, 1993, 1994 43 | The Regents of the University of California. 44 | Portions Copyright (c) 1993, 1994 Washington University in Saint Louis. 45 | Portions Copyright (c) 1996, 1998 Berkeley Software Design, Inc. 46 | Portions Copyright (c) 1989 Massachusetts Institute of Technology. 
47 | Portions Copyright (c) 1998 Sendmail, Inc. 48 | Portions Copyright (c) 1983, 1995, 1996, 1997 Eric P. Allman. 49 | Portions Copyright (c) 1997 by Stan Barber. 50 | Portions Copyright (c) 1997 by Kent Landfield. 51 | Portions Copyright (c) 1991, 1992, 1993, 1994, 1995, 1996, 1997 52 | Free Software Foundation, Inc. 53 | 54 | Use and distribution of this software and its source code are governed 55 | by the terms and conditions of the WU-FTPD Software License ("LICENSE"). 56 | 57 | If you did not receive a copy of the license, it may be obtained online 58 | at http://www.wu-ftpd.org/license.html. 59 | 60 | 61 | $Author: tleek $ 62 | $Date: 2004/01/05 17:27:49 $ 63 | $Header: /mnt/leo2/cvs/sabo/hist-040105/wu-ftpd/f2/call-realpath-ok.c,v 1.1.1.1 2004/01/05 17:27:49 tleek Exp $ 64 | 65 | 66 | 67 | */ 68 | 69 | 70 | /* 71 | 72 | 73 | 74 | */ 75 | 76 | #include 77 | #include 78 | #include "my-include.h" 79 | 80 | char chroot_path[MAXPATHLEN]; 81 | 82 | /* Overflowing path[] can overwrite gid and uid and potentially escalate */ 83 | /* user privileges. 
Also, the ret address of call_realpath can get overwritten*/ 84 | /* possibly leading to execution of arbitrary code */ 85 | 86 | /* call_realpath models the function makedir() inside ftpd.c which calls */ 87 | /* realpath() several times */ 88 | 89 | void call_realpath(char *name){ 90 | 91 | unsigned int uid = 10; 92 | unsigned int gid = 100; 93 | char path[MAXPATHLEN + 1]; /* for my-realpath() later - cky */ 94 | 95 | printf("Before my-realpath(): uid = %d, gid = %d\n", uid, gid); 96 | 97 | if (((my_realpath(name, path, chroot_path)) != NULL)) { 98 | printf("Resolved path = %s\n", path); 99 | } 100 | 101 | printf("After my-realpath(): uid = %d, gid = %d\n", uid, gid); 102 | } 103 | 104 | int myfoo(int argc, char *argv[]){ 105 | char *name; 106 | char *root_path; 107 | 108 | if (argc < 2) 109 | printf("usage:prog pathname chroot_path\n"); 110 | else if (argc == 2){ 111 | name = argv[1]; /* name could be very long, i.e longer than MAXPATHLEN*/ 112 | root_path = "/"; 113 | } 114 | else{ 115 | name = argv[1]; /* name could be very long, i.e longer than MAXPATHLEN*/ 116 | root_path = argv[2]; 117 | } 118 | 119 | (void) strncpy (chroot_path, root_path, sizeof (chroot_path)); 120 | call_realpath(name); 121 | 122 | return 0; 123 | } 124 | 125 | 126 | /* 127 | 128 | 129 | 130 | */ 131 | 132 | -------------------------------------------------------------------------------- /vulapps/wu-ftpd/f3/my-include.h: -------------------------------------------------------------------------------- 1 | 2 | /* 3 | 4 | MIT Copyright Notice 5 | 6 | Copyright 2003 M.I.T. 7 | 8 | Permission is hereby granted, without written agreement or royalty fee, to use, 9 | copy, modify, and distribute this software and its documentation for any 10 | purpose, provided that the above copyright notice and the following three 11 | paragraphs appear in all copies of this software. 12 | 13 | IN NO EVENT SHALL M.I.T. 
BE LIABLE TO ANY PARTY FOR DIRECT, INDIRECT, SPECIAL, 14 | INCIDENTAL, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OF THIS SOFTWARE 15 | AND ITS DOCUMENTATION, EVEN IF M.I.T. HAS BEEN ADVISED OF THE POSSIBILITY OF 16 | SUCH DAMANGE. 17 | 18 | M.I.T. SPECIFICALLY DISCLAIMS ANY WARRANTIES INCLUDING, BUT NOT LIMITED TO 19 | THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, 20 | AND NON-INFRINGEMENT. 21 | 22 | THE SOFTWARE IS PROVIDED ON AN "AS-IS" BASIS AND M.I.T. HAS NO OBLIGATION TO 23 | PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS. 24 | 25 | $Author: tleek $ 26 | $Date: 2004/01/05 17:27:50 $ 27 | $Header: /mnt/leo2/cvs/sabo/hist-040105/wu-ftpd/f3/my-include.h,v 1.1.1.1 2004/01/05 17:27:50 tleek Exp $ 28 | 29 | 30 | 31 | */ 32 | 33 | 34 | /* 35 | 36 | WU-FTPD Copyright Notice 37 | 38 | 39 | Copyright (c) 1999,2000 WU-FTPD Development Group. 40 | All rights reserved. 41 | 42 | Portions Copyright (c) 1980, 1985, 1988, 1989, 1990, 1991, 1993, 1994 43 | The Regents of the University of California. 44 | Portions Copyright (c) 1993, 1994 Washington University in Saint Louis. 45 | Portions Copyright (c) 1996, 1998 Berkeley Software Design, Inc. 46 | Portions Copyright (c) 1989 Massachusetts Institute of Technology. 47 | Portions Copyright (c) 1998 Sendmail, Inc. 48 | Portions Copyright (c) 1983, 1995, 1996, 1997 Eric P. Allman. 49 | Portions Copyright (c) 1997 by Stan Barber. 50 | Portions Copyright (c) 1997 by Kent Landfield. 51 | Portions Copyright (c) 1991, 1992, 1993, 1994, 1995, 1996, 1997 52 | Free Software Foundation, Inc. 53 | 54 | Use and distribution of this software and its source code are governed 55 | by the terms and conditions of the WU-FTPD Software License ("LICENSE"). 56 | 57 | If you did not receive a copy of the license, it may be obtained online 58 | at http://www.wu-ftpd.org/license.html. 
59 | 60 | 61 | $Author: tleek $ 62 | $Date: 2004/01/05 17:27:50 $ 63 | $Header: /mnt/leo2/cvs/sabo/hist-040105/wu-ftpd/f3/my-include.h,v 1.1.1.1 2004/01/05 17:27:50 tleek Exp $ 64 | 65 | 66 | 67 | */ 68 | 69 | 70 | /* 71 | 72 | 73 | 74 | */ 75 | 76 | #define MAXPATHLEN 46 77 | #define HAVE_GETCWD 1 78 | 79 | extern char *fb_realpath(const char *, char *); 80 | 81 | /* 82 | 83 | 84 | 85 | */ 86 | 87 | -------------------------------------------------------------------------------- /vulapps/wu-ftpd/f3/mymain.c: -------------------------------------------------------------------------------- 1 | #define _GNU_SOURCE 2 | #include 3 | #include 4 | 5 | int myfoo(int argc, char **argv); 6 | 7 | int main() { 8 | char* argv[3]; 9 | char* name = "myfoo"; 10 | size_t dummy; 11 | 12 | FILE * fp = fopen ("testcase", "r"); 13 | if (!fp) { 14 | fprintf (stderr, "Could not find a testfile\n"); 15 | exit(1); 16 | } 17 | argv[0] = name; 18 | argv[1] = NULL; 19 | argv[2] = NULL; 20 | 21 | getline(&(argv[1]), &dummy, fp); 22 | getline(&(argv[2]), &dummy, fp); 23 | 24 | return (myfoo(3, argv)); 25 | } 26 | -------------------------------------------------------------------------------- /vulapps/wu-ftpd/f3/rp-bad-diet-svn: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bitblaze-fuzzball/d-s-se-directed-tests/7104647e90ad925bde18a2bd22afc33fa09d2135/vulapps/wu-ftpd/f3/rp-bad-diet-svn -------------------------------------------------------------------------------- /vulapps/wu-ftpd/f3/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # Hardcoded Input: a textfile named 'testcase' 4 | # 5 | ./rp-bad 6 | -------------------------------------------------------------------------------- /vulapps/wu-ftpd/f3/testcase: -------------------------------------------------------------------------------- 1 | testcase.init 
-------------------------------------------------------------------------------- /vulapps/wu-ftpd/f3/testcase.exploit: -------------------------------------------------------------------------------- 1 | aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa -------------------------------------------------------------------------------- /vulapps/wu-ftpd/f3/testcase.init: -------------------------------------------------------------------------------- 1 | aaa -------------------------------------------------------------------------------- /warning.h: -------------------------------------------------------------------------------- 1 | #ifndef __WARNING_H__ 2 | #define __WARNING_H__ 3 | 4 | extern addr_t current_instruction; 5 | addr_t last_program_instruction(); 6 | void __enter_function(addr_t caller, const std::string); 7 | void __exit_function(); 8 | void __warning(addr_t, addr_t); 9 | 10 | #define WARNING(msg, ...) { \ 11 | if (current_instruction != 0) { \ 12 | fprintf(DEBUG_FILE, "%s ### %.8x ### %.8x\n", msg, \ 13 | current_instruction, last_program_instruction()); \ 14 | if (strstr(msg, "Write out of bounds")) { \ 15 | __warning(current_instruction, last_program_instruction()); \ 16 | } \ 17 | } \ 18 | } 19 | 20 | #include "types.h" 21 | #include 22 | #include 23 | #include 24 | #include 25 | #include 26 | #include 27 | #include 28 | 29 | class Warning { 30 | private: 31 | std::set slice; 32 | addr_t addr; 33 | 34 | friend class boost::serialization::access; 35 | template 36 | void serialize(Archive & ar, const unsigned int version) { 37 | ar & slice; 38 | ar & addr; 39 | (void)version; 40 | } 41 | 42 | public: 43 | Warning() {}; 44 | 45 | Warning(addr_t a) { 46 | addr = a; 47 | } 48 | 49 | void addToSlice(addr_t b) { 50 | slice.insert(b); 51 | } 52 | 53 | addr_t getAddress() const { 54 | return addr; 55 | } 56 | 57 | typedef std::set::const_iterator slice_iterator; 58 | 59 | slice_iterator slice_begin() const { 60 | return slice.begin(); 61 | } 62 | 63 | slice_iterator 
slice_end() const { 64 | return slice.end(); 65 | } 66 | 67 | bool slice_find(addr_t b) const { 68 | return slice.find(b) != slice.end(); 69 | } 70 | 71 | size_t getSliceSize() const { 72 | return slice.size(); 73 | } 74 | }; 75 | 76 | struct warningcmp { 77 | bool operator()(const Warning *w1, const Warning *w2) const { 78 | return w1->getAddress() < w2->getAddress(); 79 | } 80 | }; 81 | 82 | typedef std::set warnings_t; 83 | 84 | #include 85 | #include 86 | #include 87 | 88 | inline void serialize(const char *f, const warnings_t &ww) { 89 | std::ofstream ofs(f, 90 | std::ios::out|std::ios::binary|std::ios::trunc); 91 | boost::iostreams::filtering_streambuf out; 92 | out.push(boost::iostreams::bzip2_compressor()); 93 | out.push(ofs); 94 | boost::archive::binary_oarchive oa(out); 95 | oa << ww; 96 | } 97 | 98 | inline void unserialize(const char *f, warnings_t &ww) { 99 | try { 100 | std::ifstream ifs(f, std::ios::in|std::ios::binary); 101 | if (!ifs.is_open()) { 102 | fprintf(stderr, "Failed to open %s: %s\n", f, 103 | strerror(errno)); 104 | exit(1); 105 | } 106 | boost::iostreams::filtering_streambuf 107 | in; 108 | in.push(boost::iostreams::bzip2_decompressor()); 109 | in.push(ifs); 110 | boost::archive::binary_iarchive ia(in); 111 | 112 | ia >> ww; 113 | } catch (boost::iostreams::bzip2_error) { 114 | std::ifstream ifs(f, std::ios::in|std::ios::binary); 115 | if (!ifs.is_open()) { 116 | fprintf(stderr, "Failed to open %s: %s\n", f, 117 | strerror(errno)); 118 | exit(1); 119 | } 120 | boost::archive::binary_iarchive ia(ifs); 121 | 122 | ia >> ww; 123 | } 124 | } 125 | 126 | #endif 127 | 128 | // Local Variables: 129 | // mode: c++ 130 | // c-basic-offset: 4 131 | // compile-command: "dchroot -c typeinfer -d make" 132 | // End: 133 | -------------------------------------------------------------------------------- /warning2source.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | import sys, os, 
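subprocess  # tail of the `import sys, os, subprocess` line that the listing split above; a no-op

ADDR2LINE = "addr2line"

# Warning kinds. The numbering is only used as the key into code2warn below.
NULL_DEREF_READ = 0
NULL_DEREF_WRITE = 1
MISALIGN_READ = 2
MISALIGN_WRITE = 3
WRITE_OOB = 4
READ_OOB = 5
READ_UNINIT = 6
UNBOUND_MALLOC = 7

# Substring of the analyzer's warning text -> warning code, matched in this order.
msg2code = [("Possible NULL ptr dereference (read)", NULL_DEREF_READ),
            ("Possible NULL ptr dereference (write)", NULL_DEREF_WRITE),
            ("Misaligned read discovered", MISALIGN_READ),
            ("Misaligned write discovered", MISALIGN_WRITE),
            ("Write out of bounds", WRITE_OOB),
            ("Read out of bounds", READ_OOB),
            ("Read of uninitialized address", READ_UNINIT),
            ("Unbounded malloc", UNBOUND_MALLOC)]

# Warning code -> short label printed in the report.
code2warn = {
    NULL_DEREF_READ: "Null pointer dereference (read)",
    NULL_DEREF_WRITE: "Null pointer dereference (write)",
    MISALIGN_READ: "Misaligned read",
    MISALIGN_WRITE: "Misaligned write",
    WRITE_OOB: "Write out-of-bounds",
    READ_OOB: "Read out-of-bounds",
    READ_UNINIT: "Read of uninitialized address",
    UNBOUND_MALLOC: "Allocate the entire address space"}

# Build-machine checkout prefix removed from addr2line source paths before printing.
SOURCE_PREFIX = "/home/martignlo/DATA/Ricerca/TypeInference/"

# Field separator between the message and the two addresses in a log line
# (the WARNING() macro in warning.h writes "%s ### %.8x ### %.8x").
ADDR_SEPARATOR = " ### "

# (exe, addr) -> (func, source, line); addr2line is slow enough to memoise.
__cache = {}


def parse_addr2line_output(text):
    """Split `addr2line -f` output ("func\\nsource:line") into (func, source, line).

    The location is split at its *last* colon so a source path containing ':'
    survives; a trailing " (discriminator N)" that newer binutils append is
    dropped; an unknown location ("??:?" or "??:0") yields line 0 rather than
    raising.

    Raises ValueError when *text* does not look like addr2line output.
    """
    lines = text.splitlines()
    if len(lines) < 2 or ":" not in lines[1]:
        raise ValueError("unexpected addr2line output: %r" % (text,))
    func = lines[0].strip()
    source, _, line = lines[1].rpartition(":")
    line = line.split(" (", 1)[0].strip()
    try:
        lineno = int(line)
    except ValueError:
        lineno = 0
    return func, source, lineno


def addr2line(exe, addr):
    """Map *addr* inside *exe* to (function, source file, line) with addr2line.

    Results are memoised per (exe, addr). The tool is invoked with an argument
    vector (no shell, no re-splitting of a formatted command string), so an
    executable path containing spaces is passed through intact.

    Raises OSError if addr2line cannot be started and ValueError if its output
    cannot be parsed.
    """
    key = (exe, addr)
    if key in __cache:
        return __cache[key]
    argv = [ADDR2LINE, "-f", "-e", exe, "0x%.8x" % addr]
    pipe = subprocess.Popen(argv, stdout=subprocess.PIPE)
    output = pipe.communicate()[0]
    if not isinstance(output, str):  # bytes on Python 3
        output = output.decode("utf-8", "replace")
    result = parse_addr2line_output(output)
    __cache[key] = result
    return result


# Warning codes to drop from the report, e.g.
# [MISALIGN_WRITE, MISALIGN_READ, NULL_DEREF_WRITE, NULL_DEREF_READ, READ_UNINIT]
IGNORE = []


def parsewarn(msg):
    """Parse one analyzer log line into (code, current_insn, last_program_insn).

    Only lines starting with "***" are warnings; their layout is
    "<message> ### <hex addr> ### <hex addr>" (see WARNING() in warning.h).
    Returns None for non-warning lines and for warning kinds listed in IGNORE.

    Raises ValueError for a "***" line whose message is unknown or whose
    address fields are missing or malformed (an explicit error instead of an
    assert, which disappears under -O).
    """
    if not msg.startswith("***"):
        return None
    for text, code in msg2code:
        if text not in msg:
            continue
        if code in IGNORE:
            return None
        fields = msg.split(ADDR_SEPARATOR)
        if len(fields) < 3:
            raise ValueError("Warning without address fields '%s'" % msg)
        current_insn = int(fields[1].strip(), 16)
        last_insn = int(fields[2].strip(), 16)
        return code, current_insn, last_insn
    raise ValueError("Invalid warning '%s'" % msg)


def _format_location(func, source, line):
    """Return "func@source:line" with the build-machine prefix removed."""
    return "%s@%s:%d" % (func, source.replace(SOURCE_PREFIX, ""), line)


def printwarn(warn, addr, func, source, line, addr2, func2, source2, line2):
    """Print one report row: label, address, location, second address, location.

    *warn* is a code from code2warn, or None for an empty label.
    """
    label = code2warn[warn] if warn is not None else ""
    loc1 = _format_location(func, source, line)
    loc2 = _format_location(func2, source2, line2)
    print("%-40s: %.8x : %-40s : %.8x : %s" % (label, addr, loc1, addr2, loc2))


def main(argv):
    """Translate every warning in a log into source locations and print them.

    Usage: warning2source.py EXE LOG (LOG may be /dev/stdin).
    Returns the process exit status: 2 on a usage error, else 0.
    """
    if len(argv) != 3:
        sys.stderr.write("usage: %s EXE LOG\n" % os.path.basename(argv[0]))
        return 2
    exe, logpath = argv[1], argv[2]
    if not os.path.isfile(exe):
        sys.stderr.write("%s: not a file\n" % exe)
        return 2
    if not (os.path.isfile(logpath) or logpath == "/dev/stdin"):
        sys.stderr.write("%s: not a file\n" % logpath)
        return 2
    with open(logpath) as log:
        for raw in log:
            parsed = parsewarn(raw.strip())
            if parsed is None:
                continue
            warn_type, warn_addr1, warn_addr2 = parsed
            func1, source1, line1 = addr2line(exe, warn_addr1)
            func2, source2, line2 = addr2line(exe, warn_addr2)
            # The report leads with the last program instruction (second
            # address field) and gives the analyzer's current instruction
            # (first field) as the secondary column.
            printwarn(warn_type, warn_addr2, func2, source2, line2,
                      warn_addr1, func1, source1, line1)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))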