Andrea Fioraldi andreafioraldi
andreafioraldi
/ CDemu libmirage buffer overflow detailed issue
Created
August 25, 2019 13:57
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Hi, | |
| I found a critical bug in libmirage 3.2.2, specifically in the CSO filter. | |
| The file content that triggers the bug (PoV) is the following (344 bytes in hex): | |
| 43 49 53 4F 00 00 00 00 FF 00 00 00 00 00 00 FF | |
| FF 00 00 00 00 30 00 00 00 00 00 00 61 61 00 00 | |
| 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A | |
| 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A | |
| 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A |
andreafioraldi
/ CDemu libmirage null ptr deref
Created
August 25, 2019 17:32
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Hi, | |
| I found a Null Pointer Dereference in libmirage 3.2.2, specifically in the NRG parser. | |
| I'm writing you directly here and not in the public bug tracker cause I'm not sure if this is a security issue or not. | |
| The content of the file that triggers the bug is the following (12 bytes in hex): | |
| 02 80 F4 4B 4E 45 52 4F 00 00 00 04 | |
| The issue appears at the memcpy at line 103 (mirage_parser_nrg_build_block_index routine) of images/image-nrg/parser.c: | |
| /* Populate block index */ |
andreafioraldi
/ dmg2img vfdecrypt command injection
Created
August 27, 2019 08:17
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| This: | |
| if (*cmd && *inFile) { | |
| sprintf(cmd, | |
| "strings %s | grep '^[0-9a-fA-F]*$' | awk '{ if (length($1) == 72) print; }'", | |
| inFile); | |
| system(cmd); | |
| exit(0); | |
| } |
andreafioraldi
/ neg_int_feedback.diff
Last active
October 23, 2019 19:05
An example of a domain-specific custom coverage for AFL++ QEMU mode. This patch hooks functions calls and give feedbacks to the fuzzer if an argument of the function (the first 4 are considered in this naive example) is not a pointer and is a negative integer (can be both a 32 bit negative or a 64 bit negative).
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| diff --git a/accel/tcg/tcg-runtime.c b/accel/tcg/tcg-runtime.c | |
| index d0d44844..d10d51ce 100644 | |
| --- a/accel/tcg/tcg-runtime.c | |
| +++ b/accel/tcg/tcg-runtime.c | |
| @@ -167,3 +167,29 @@ void HELPER(exit_atomic)(CPUArchState *env) | |
| { | |
| cpu_loop_exit_atomic(ENV_GET_CPU(env), GETPC()); | |
| } | |
| + | |
| + |
andreafioraldi
/ neg_syscall_feedback.diff
Last active
October 23, 2019 19:07
An example of a domain-specific custom coverage for AFL++ QEMU mode. This patch provide a feedback for the fuzzer when the return value of a syscall is negative (so an error happened)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| diff --git a/linux-user/i386/cpu_loop.c b/linux-user/i386/cpu_loop.c | |
| index 51cfa006..510e4cbf 100644 | |
| --- a/linux-user/i386/cpu_loop.c | |
| +++ b/linux-user/i386/cpu_loop.c | |
| @@ -80,6 +80,8 @@ static void set_idt(int n, unsigned int dpl) | |
| } | |
| #endif | |
| +#include "../patches/afl-qemu-common.h" | |
| + |
andreafioraldi
/ afl_stalker.js
Created
November 14, 2019 09:33
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function startAFLFollow() { | |
| Stalker.follow(Process.getCurrentThreadId(), { | |
| events: { | |
| call: false, | |
| ret: false, | |
| exec: false, | |
| block: false, | |
| compile: true | |
| }, |
andreafioraldi
/ afl_frida_gum_test.c
Last active
November 14, 2019 19:39
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| * Compile with: | |
| * | |
| * gcc -static-libgcc -fPIC -shared -m64 -ffunction-sections -fdata-sections -Wall -Os -pipe -g3 afl_frida_gum_test.c -I . -o afl-frida-gum.so -L. -lfrida-gum -lresolv -ldl -lrt -lm -Wl,--gc-sections,-z,noexecstack -pthread | |
| */ | |
| #include "frida-gum.h" | |
| #include <fcntl.h> | |
| #include <unistd.h> |
andreafioraldi
/ a.js
Created
December 10, 2019 22:55
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var STALKER_QUEUE_CAP = 100000000; | |
| var STALKER_QUEUE_DRAIN_INT = 1000*1000; | |
| Stalker.trustThreshold = 0; | |
| Stalker.queueCapacity = STALKER_QUEUE_CAP; | |
| Stalker.queueDrainInterval = STALKER_QUEUE_DRAIN_INT; | |
| var TARGET_MODULE = "libnative-lib.so"; | |
| var TARGET_FUNCTION = Module.findExportByName(TARGET_MODULE, "target_func"); |
andreafioraldi
/ asov_cheatshit_singlefile.txt
Last active
February 22, 2024 07:48
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ___ ____ ______ __ | |
| / | / __ \/ ___/ | / / | |
| / /| |/ / / /\__ \| | / / | |
| / ___ / /_/ /___/ /| |/ / | |
| /_/__||||||_//____/ |___/__ _____ __ _ __ | |
| / ____/ /_ ___ _____/ /_/ ___// /_ (_) /_ | |
| / / / __ \/ _ \/ ___/ __/\__ \/ __ \/ / __/ | |
| / /___/ / / / __/ /__/ /_ ___/ / / / / / /_ | |
| \____/_/ /_/\___/\___/\__//____/_/ /_/_/\__/ |
andreafioraldi
/ libxml2_harness.js
Created
December 19, 2019 15:54
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var fuzz = require("./frida-fuzzer/fuzz"); | |
| fuzz.target_module = "libxml2.so.2"; | |
| /* Load libdislocator and hook the PLT of the target module. DO NOT hook the | |
| symbols in libc otherwise Frida itself will use the dislocator malloc | |
| and freeze your machine (problably there are memory leaks in the runtime) */ | |
| var subs = ["malloc", "calloc", "realloc", "free", "memalign", "posix_memalign"]; | |
| var disloc = Module.load("/home/andrea/AFLplusplus/libdislocator.so"); |