Save Lastest Changes

Signed-off-by: Phineas09 <[email protected]>

test_binary/source.c

@@ -0,0 +1,20 @@
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+int main(int argc, char *argv[]) {
+  int *null_pointer = NULL;
+
+  printf("Entered program!\n");
+
+  if (argc != 3)
+    return 1;
+
+  if (strcmp(argv[1], "--string") == 0) {
+    if (argv[2][0] == 's') {
+      *null_pointer = 0;
+    }
+  }
+
+  return 0;
+}

vulnerability_analytics/cli.py

@@ -12,40 +12,43 @@
 def cli() -> None:
     """Displays information about a binary crash for given input."""
 
-
 @cli.command("get", help="Displays information about the crash.")
 @click.option("--binary-path", required=True, type=str, help="Desired binary path.")
-@click.option("--other-arguments", type=str)
-@click.option("--crash-input", required=True, type=str)
+@click.option("--binary-arguments", type=str)
+@click.option("--binary-input", type=str)
 def get(
-    binary_path: str = None,
-    other_arguments: array = [],
-    crash_input: str = None
+    binary_path: str = "",
+    binary_arguments: array = [],
+    binary_input: str = ""
 ) -> None:
 
     image = DockerBuilder()
 
     # Maybe encode the crash_input into base64?
 
-    other_arguments = other_arguments.split(',')
+    binary_arguments_parsed = binary_arguments.split(',')
 
     binary_name = os.path.basename(binary_path).split('.')[0]
 
-    print(binary_path, other_arguments, crash_input)
+    print(binary_path, binary_arguments, binary_input)
 
+    # print(binary_name)
+    # print(binary_arguments)
+    out_string = binary_name + ";" + binary_arguments
+    # print(out_string.replace(" ", ""))
+    # exit(0)
     # Parse other_arguments
-
     image.build_custom_image(
-        binary_path, binary_name + ":crash", other_arguments)
+        binary_path, binary_name + ":crash", binary_arguments_parsed)
+
     analyzer = VulnerabilityAnalysis(
-        image, bytes(crash_input, 'utf-8')).start()
+        image, bytes(binary_input, 'utf-8')).start()
     input("Press Enter to continue...")
     print(analyzer.export2JSON())
 
 
 def main() -> None:
     cli(prog_name="vulnerability_analytics")
 
-
 if __name__ == "__main__":
     main()

vulnerability_analytics/rex_api/VunlerabilityAnalysis.py

@@ -14,7 +14,7 @@ class VulnerabilityAnalysis:
     crashInput : str
     crashTarget : archr.targets.DockerImageTarget
     localLogger : logging.Logger
-    crashOk : boolean
+    hasCrashed : boolean
 
     def __init__(self, dockerImage : DockerBuilder, crashInput : str) -> None:
 
@@ -25,13 +25,13 @@ def __init__(self, dockerImage : DockerBuilder, crashInput : str) -> None:
         # Configure logger for our program
 
         # Get custom logger for out app
-        self.localLogger = logging.getLogger('crs.vulnerability_analysis')
+        self.localLogger = logging.getLogger('crs.vulnerability_analytics')
         # By using this we can log everything
         # self.localLogger = logging.getLogger()
         self.localLogger.setLevel(logging.DEBUG)
 
         # Initialize components
-        self.crashOk = False
+        self.hasCrashed = False
         self.dockerImage = dockerImage
         self.crashInput = crashInput
 
@@ -44,19 +44,18 @@ def __init__(self, dockerImage : DockerBuilder, crashInput : str) -> None:
     def start(self): #-> typing.VulnerabilityAnalysis:
 
         self.crashTarget = archr.targets.DockerImageTarget(self.dockerImage.image.tags[0]).build().start()
-        self.crash = rex.Crash(self.crashTarget, self.crashInput, aslr=False, use_rop=False) 
+        self.crash = rex.Crash(self.crashTarget, self.crashInput, aslr=False, use_rop=False)
         self.localLogger.info(self.crash.crash_types)
 
-        self.crashOk = True
+        self.hasCrashed = True
 
         return self
 
-
     def getCrashTypes(self) -> typing.List:
 
         '''List containing identified crash types'''
 
-        if self.crashOk:       
+        if self.hasCrashed:       
             return self.crash.crash_types 
         self.localLogger.error('Crash not triggered!')
         return None
@@ -65,7 +64,7 @@ def getFunctionAddress(self) -> str:
 
         '''Current function hex addres as string'''
 
-        if self.crashOk:       
+        if self.hasCrashed:       
             return hex(self.crash.state.callstack.func_addr)
         self.localLogger.error('Crash not triggered!')
         return None
@@ -74,7 +73,7 @@ def getBasicBlockAddress(self) -> str:
 
         '''Address of the basic block that called the current function as hex string'''
 
-        if self.crashOk:       
+        if self.hasCrashed:       
             return hex(self.crash.state.callstack.func_addr)
         self.localLogger.error('Crash not triggered!')
         return None
@@ -83,7 +82,7 @@ def getReturnAddress(self) -> str:
 
         '''Return address of the current function as hex string'''
 
-        if self.crashOk:       
+        if self.hasCrashed:       
             return hex(self.crash.state.callstack.ret_addr)
         self.localLogger.error('Crash not triggered!')
         return None
@@ -92,18 +91,17 @@ def getStackPointer(self) -> str:
 
         '''Return address of the current stack pointer as hex string'''
 
-        if self.crashOk:       
+        if self.hasCrashed:       
             return hex(self.crash.state.callstack.stack_ptr)
         self.localLogger.error('Crash not triggered!')
         return None
 
-
     def getJumpKind(self) -> str:
 
         '''Type of executed jump 
         Source here: https://github.com/angr/fidget/blob/0f255bbd11c6721d39581c5d3d2863fce5fad785/fidget/structures.py'''
 
-        if self.crashOk:       
+        if self.hasCrashed:       
             return self.crash.state.callstack.jumpkind
         self.localLogger.error('Crash not triggered!')
         return None
@@ -112,7 +110,7 @@ def getCoreRegisters(self) -> typing.Dict:
 
         '''Returns a dictionary containing all core registers'''
 
-        if self.crashOk:       
+        if self.hasCrashed:       
             return self.crash.core_registers
         self.localLogger.error('Crash not triggered!')
         return None
@@ -121,7 +119,7 @@ def export2JSON(self) -> str:
 
         '''Export crash fields into JSON format'''
 
-        if self.crashOk:       
+        if self.hasCrashed:       
             return CrashExport(
                 self.getCrashTypes(),
                 self.getFunctionAddress(),
@@ -134,7 +132,6 @@ def export2JSON(self) -> str:
         self.localLogger.error('Crash not triggered!')
         return None
 
-
 class CrashExport:
 
     '''Object used to export the following information to JSON object'''

vulnerability_analytics/test.py

@@ -0,0 +1,115 @@
+import os
+import archr
+import rex
+import logging
+import subprocess
+from archr.analyzers.rr import *
+
+import docker
+
+from angr import SimState
+
+tests_location = os.path.dirname(os.path.realpath(__file__))
+
+def build_container():
+    subprocess.check_call(['make'], cwd=os.path.join(tests_location, 'hammer_controller'))
+    print("Tests Locations: ", tests_location)
+
+def __build_image_if_not_already_built(
+        self, client: docker.DockerClient
+    ) -> None:
+        if self.configuration.IMAGE_ID:
+            return
+
+        images = client.images.build(
+            path=".",
+            pull=True,
+            buildargs={
+                "USER_ID": str(os.getuid()),
+                "GROUP_ID": str(os.getgid()),
+            },
+        )
+        image = images[0]
+
+        return image
+
+
+
+def test_binary():
+
+    # build_container()
+
+    t = archr.targets.DockerImageTarget('test:source').build().start()
+    # tb = archr.arsenal.RRTracerBow(t, local_trace_dir='/tmp/rex_hammer_controller_trace', symbolic_fd=0)
+    print("OK Docker build and arsenal")
+
+
+    # time.sleep(30)
+    crash = rex.Crash(t, bytes("./source.bin;--string,santa\n", 'utf-8'), aslr=False, use_rop=False)#, tracer_bow=tb)
+    print("OK crash ?")
+    print(crash.crash_types)
+    print("Is the crash explorable?")
+
+    print(type(crash.prev)) # State of the current evaluated crash -> Crash.py line 455
+    print(type(crash.state)) # Crash.py line 455
+
+    # State plugins -> history | https://docs.angr.io/core-concepts/states#the-history-plugin
+
+    print(crash.state.history.descriptions)
+
+    # State plugins callstack plugin | https://docs.angr.io/core-concepts/states#the-callstack-plugin
+    print("----------------------------------")
+    print(crash.state.callstack) # Backtrace
+    print("----------------------------------")
+    print(crash.state.memory) # DefaultMemory object
+    print("----------------------------------")
+    print(crash.state.memory) # DefaultMemory object
+    print("----------------------------------")
+    print(crash.state.globals) # SimStateGlobals object
+    print("----------------------------------")
+    print(crash.state.registers) # DefaultMemory object
+    print("----------------------------------")
+    print(crash.state.mem) # SimMemView
+    print("----------------------------------")
+    print(crash.state.solver) # SimSolver Object
+    print("----------------------------------")
+    print("Start history")
+    import json 
+    print(crash.state.history.descriptions) # string descriptions of each round of execution?
+    print(crash.state.history.bbl_addrs) # list of basic blocks addresses executed
+    print(crash.state.history.jumpkinds) # list of the dispozition of each of control flow transitions
+    print(crash.state.history.jump_guards) # list of the conditions guarding the branches
+    print(crash.state.history.events) # "interesting events" during execution, such as 
+                                    # symbolic jump conditions
+    print("----------------------------------")
+
+    # print(json.dumps(crash.state.history, indent = 4))
+
+    print("----------------------------------")
+    print(hex(crash.state.callstack.ret_addr))
+    print("----------------------------------")
+    print(hex(crash.state.callstack.stack_ptr))
+    print("----------------------------------")
+    print(hex(crash.state.callstack.call_site_addr))
+    print("----------------------------------")
+    print(hex(crash.state.callstack.func_addr))
+    print("----------------------------------")
+    crash.state.get_plugin("test_name")
+
+    return None
+    exploit = crash.exploit()
+    print(exploit.arsenal)
+    assert 'rop_chess_control' in exploit.arsenal
+    exploit.arsenal['rop_chess_control'].script()
+    exploit.arsenal['rop_chess_control'].script("x2.py")
+
+
+def main():
+    logging.getLogger("angr.exploration_techniques.tracer").setLevel(logging.DEBUG)
+    logging.getLogger("rex").setLevel(logging.DEBUG)
+
+    test_binary()
+
+
+if __name__ == '__main__':
+    main()

vulnerability_analytics/test_docker/Dockerfile

@@ -0,0 +1,8 @@
+from ubuntu:latest
+
+copy source.bin /
+copy start.bin /
+copy libc.so.6 /libc.so.6
+copy ld-linux-x86-64.so.2 /ld-linux-x86-64.so.2
+
+ENTRYPOINT ["./start.bin"]

vulnerability_analytics/test_docker/source.c

@@ -0,0 +1,23 @@
+#include <stdio.h>
+#include <string.h>
+
+int main(int argc, char *argv[]) {
+  int *null_pointer = NULL;
+
+  // printf("Entered program %d!\n", argc);
+
+  // for(int i=0;i< argc;i++) {
+  //     printf("%s\n", argv[i]);
+  // }
+
+  if (argc != 3)
+    return 1;
+
+  if (strcmp(argv[1], "--string") == 0) {
+    if (argv[2][0] == 's') {
+      *null_pointer = 0;
+    }
+  }
+
+  return 0;
+}