gdb-exploitable tests (#168)
anfedotoff authored Oct 25, 2023
1 parent f654bcd commit ca3ba4f
Showing 1 changed file with 129 additions and 122 deletions.
251 changes: 129 additions & 122 deletions libcasr/src/gdb/exploitable.rs
Expand Up @@ -1715,27 +1715,41 @@ mod tests {

#[test]
fn test_dest_av_arm() {
// rz-asm -a arm -b 32 'ldr r0, [r0]; mov r1, r0; orr r1, 0x1; ldr r0, [r1]; str r1, [r0]'
let data: &[u8] = &[
0x00, 0x00, 0x90, 0xe5, 0x00, 0x10, 0xa0, 0xe1, 0x01, 0x10, 0x81, 0xe3, 0x00, 0x00,
0x91, 0xe5, 0x00, 0x10, 0x80, 0xe5,
];
let sig = Siginfo {
si_signo: SIGINFO_SIGSEGV,
si_code: 2,
si_errno: 0,
si_addr: 0xdeadbeaf,
};
let machine = MachineInfo {
byte_width: 4,
endianness: Endian::Little,
arch: header::EM_ARM,
};
let mut registers = Registers::new();
registers.insert("r0".to_string(), 0xdeadbeaf);
registers.insert("pc".to_string(), 0x400000);
registers.insert("cpsr".to_string(), 0x80200000);
let context = GdbContext {
siginfo: sig,
registers,
mappings: MappedFiles::new(),
pc_memory: MemoryObject {
address: 0x400000,
// rz-asm -a arm -b 32 'ldr r0, [r0]; mov r1, r0; orr r1, 0x1; ldr r0, [r1]; str r1, [r0]'
data: vec![
0x00, 0x00, 0x90, 0xe5, 0x00, 0x10, 0xa0, 0xe1, 0x01, 0x10, 0x81, 0xe3, 0x00,
0x00, 0x91, 0xe5, 0x00, 0x10, 0x80, 0xe5,
],
},
machine,
stacktrace: Vec::new(),
};
let expected_class = ExecutionClass::find("DestAvTainted").unwrap();
let cs = Capstone::new()
.arm()
.mode(arch::arm::ArchMode::Arm)
.endian(capstone::Endian::Little)
.detail(true)
.build();

if let Ok(cs) = cs {
if let Ok(insns) = cs.disasm_all(data, 0) {
if let Ok(result) = check_taint(&cs, &insns) {
assert_eq!(expected_class, result);
} else {
unreachable!();
}
}
if let Ok(res) = context.severity() {
assert_eq!(res, expected_class);
} else {
unreachable!();
}
}

Expand Down Expand Up @@ -1790,26 +1804,39 @@ mod tests {

#[test]
fn test_str_arm64() {
// rz-asm -a arm -b 64 'ldr x8, [x0]; ldr x8, [x8]; str x1, [x8]'
let data: &[u8] = &[
0x08, 0x00, 0x40, 0xf9, 0x08, 0x01, 0x40, 0xf9, 0x01, 0x01, 0x00, 0xf9,
];
let sig = Siginfo {
si_signo: SIGINFO_SIGSEGV,
si_code: 2,
si_errno: 0,
si_addr: 0xcafecafedeadbeaf,
};
let machine = MachineInfo {
byte_width: 8,
endianness: Endian::Little,
arch: header::EM_AARCH64,
};
let mut registers = Registers::new();
registers.insert("x0".to_string(), 0xcafecafedeadbeaf);
registers.insert("pc".to_string(), 0x400000);
let context = GdbContext {
siginfo: sig,
registers,
mappings: MappedFiles::new(),
pc_memory: MemoryObject {
address: 0x400000,
// rz-asm -a arm -b 64 'ldr x8, [x0]; ldr x8, [x8]; str x1, [x8]'
data: vec![
0x08, 0x00, 0x40, 0xf9, 0x08, 0x01, 0x40, 0xf9, 0x01, 0x01, 0x00, 0xf9,
],
},
machine,
stacktrace: Vec::new(),
};
let expected_class = ExecutionClass::find("DestAvTainted").unwrap();
let cs = Capstone::new()
.arm64()
.mode(arch::arm64::ArchMode::Arm)
.endian(capstone::Endian::Little)
.detail(true)
.build();

if let Ok(cs) = cs {
if let Ok(insns) = cs.disasm_all(data, 0) {
if let Ok(result) = check_taint(&cs, &insns) {
assert_eq!(expected_class, result);
} else {
unreachable!();
}
}
if let Ok(res) = context.severity() {
assert_eq!(res, expected_class);
} else {
unreachable!();
}
}

Expand Down Expand Up @@ -1956,94 +1983,74 @@ mod tests {

#[test]
fn test_call_av_x86() {
let cs = Capstone::new()
.x86()
.mode(arch::x86::ArchMode::Mode32)
.syntax(arch::x86::ArchSyntax::Intel)
.detail(true)
.build();
if let Ok(cs) = cs {
let sig = Siginfo {
si_signo: SIGINFO_SIGSEGV,
si_code: 2,
si_errno: 0,
si_addr: 0xdeadbeaf,
};
let machine = MachineInfo {
byte_width: 4,
endianness: Endian::Little,
arch: header::EM_386,
};
let mut registers = Registers::new();
registers.insert("eax".to_string(), 0xdeadbeaf);
let context = GdbContext {
siginfo: sig,
registers,
mappings: MappedFiles::new(),
pc_memory: MemoryObject {
address: 0x0,
data: vec![0x8b, 0x00, 0x8b, 0x00, 0xff, 0xd0],
},
machine,
stacktrace: Vec::new(),
};
let data: &[u8] = &[0x8b, 0x00, 0x8b, 0x00, 0xff, 0xd0];
let insns = cs.disasm_all(data, 0).unwrap();
let expected_class = ExecutionClass::find("CallAvTainted").unwrap();
if let Ok(res) = GdbContext::analyze_instructions(&cs, &insns, &context) {
assert_eq!(res, expected_class);
} else {
unreachable!();
}
let sig = Siginfo {
si_signo: SIGINFO_SIGSEGV,
si_code: 2,
si_errno: 0,
si_addr: 0xdeadbeaf,
};
let machine = MachineInfo {
byte_width: 4,
endianness: Endian::Little,
arch: header::EM_386,
};
let mut registers = Registers::new();
registers.insert("eax".to_string(), 0xdeadbeaf);
registers.insert("eip".to_string(), 0x400000);
let context = GdbContext {
siginfo: sig,
registers,
mappings: MappedFiles::new(),
pc_memory: MemoryObject {
address: 0x400000,
data: vec![0x8b, 0x00, 0x8b, 0x00, 0xff, 0xd0],
},
machine,
stacktrace: Vec::new(),
};
let expected_class = ExecutionClass::find("CallAvTainted").unwrap();
if let Ok(res) = context.severity() {
assert_eq!(res, expected_class);
} else {
unreachable!();
}
}

#[test]
fn test_call_av_riscv() {
let cs = Capstone::new()
.riscv()
.mode(arch::riscv::ArchMode::RiscV64)
.detail(true)
.build();
if let Ok(cs) = cs {
let sig = Siginfo {
si_signo: SIGINFO_SIGSEGV,
si_code: 2,
si_errno: 0,
si_addr: 0xdeadbeaf,
};
let machine = MachineInfo {
byte_width: 4,
endianness: Endian::Little,
arch: header::EM_RISCV,
};
let mut registers = Registers::new();
registers.insert("a5".to_string(), 0xcafecafedeadbeaf);
let context = GdbContext {
siginfo: sig,
registers,
mappings: MappedFiles::new(),
pc_memory: MemoryObject {
address: 0x0,
data: vec![
0x83, 0xb7, 0x07, 0x00, 0x83, 0xb7, 0x07, 0x00, 0x03, 0x35, 0x04, 0xfd,
0xe7, 0x80, 0x07, 0x00,
],
},
machine,
stacktrace: Vec::new(),
};
let data: &[u8] = &[
0x83, 0xb7, 0x07, 0x00, 0x83, 0xb7, 0x07, 0x00, 0x03, 0x35, 0x04, 0xfd, 0xe7, 0x80,
0x07, 0x00,
];
let insns = cs.disasm_all(data, 0).unwrap();
let expected_class = ExecutionClass::find("CallAvTainted").unwrap();
if let Ok(res) = GdbContext::analyze_instructions(&cs, &insns, &context) {
assert_eq!(res, expected_class);
} else {
unreachable!();
}
let machine = MachineInfo {
byte_width: 8,
endianness: Endian::Little,
arch: header::EM_RISCV,
};
let sig = Siginfo {
si_signo: SIGINFO_SIGSEGV,
si_code: 2,
si_errno: 0,
si_addr: 0xcafecafedeadbeaf,
};
let mut registers = Registers::new();
registers.insert("a5".to_string(), 0xcafecafedeadbeaf);
registers.insert("pc".to_string(), 0x400000);
let context = GdbContext {
siginfo: sig,
registers,
mappings: MappedFiles::new(),
pc_memory: MemoryObject {
address: 0x400000,
data: vec![
0x83, 0xb7, 0x07, 0x00, 0x83, 0xb7, 0x07, 0x00, 0x03, 0x35, 0x04, 0xfd, 0xe7,
0x80, 0x07, 0x00,
],
},
machine,
stacktrace: Vec::new(),
};
let expected_class = ExecutionClass::find("CallAvTainted").unwrap();
if let Ok(res) = context.severity() {
assert_eq!(res, expected_class);
} else {
unreachable!();
}
}
}
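Review bot: The `if let Ok(res) = context.severity() { … } else { unreachable!(); }` tail that every rewritten test now ends with (test_dest_av_arm, test_str_arm64, test_call_av_x86 and test_call_av_riscv, all three hunks) throws away the `Err` payload, so a regression in the severity analysis surfaces as a bare `unreachable!()` panic with no hint of what failed. `assert_eq!(context.severity().expect("severity analysis failed"), expected_class);` keeps the same assertion and prints the error on failure. The `cpsr` register that only test_dest_av_arm inserts also deserves a one-line comment on why it is needed, e.g. `// cpsr with the T bit (bit 5) clear so the code is decoded as ARM rather than Thumb — confirm this is what severity() keys on`, since none of the other contexts set it.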
