Hi,
I found a critical bug in libmirage 3.2.2, specifically in the CSO filter.
The file content that triggers the bug (PoV) is the following (344 bytes in hex):
43 49 53 4F 00 00 00 00 FF 00 00 00 00 00 00 FF
FF 00 00 00 00 30 00 00 00 00 00 00 61 61 00 00
2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A
2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A
2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A
Hi,
I found a Null Pointer Dereference in libmirage 3.2.2, specifically in the NRG parser.
I'm writing you directly here and not in the public bug tracker because I'm not sure if this is a security issue or not.
The content of the file that triggers the bug is the following (12 bytes in hex):
02 80 F4 4B 4E 45 52 4F 00 00 00 04
The issue appears at the memcpy at line 103 (mirage_parser_nrg_build_block_index routine) of images/image-nrg/parser.c:
/* Populate block index */
This:
if (*cmd && *inFile) {
    sprintf(cmd,
            "strings %s | grep '^[0-9a-fA-F]*$' | awk '{ if (length($1) == 72) print; }'",
            inFile);
    system(cmd);
    exit(0);
}
diff --git a/accel/tcg/tcg-runtime.c b/accel/tcg/tcg-runtime.c
index d0d44844..d10d51ce 100644
--- a/accel/tcg/tcg-runtime.c
+++ b/accel/tcg/tcg-runtime.c
@@ -167,3 +167,29 @@ void HELPER(exit_atomic)(CPUArchState *env)
 {
     cpu_loop_exit_atomic(ENV_GET_CPU(env), GETPC());
 }
+
+
diff --git a/linux-user/i386/cpu_loop.c b/linux-user/i386/cpu_loop.c
index 51cfa006..510e4cbf 100644
--- a/linux-user/i386/cpu_loop.c
+++ b/linux-user/i386/cpu_loop.c
@@ -80,6 +80,8 @@ static void set_idt(int n, unsigned int dpl)
 }
 #endif
+#include "../patches/afl-qemu-common.h"
+
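Review bot: the new `#include "../patches/afl-qemu-common.h"` is placed mid-file, right after the `#endif` that closes the set_idt block, rather than with the other includes at the top of linux-user/i386/cpu_loop.c, and it reaches outside the linux-user tree through a relative `../patches/` path. Consider moving the include into the file's include block and adding the patches directory to the compiler's include search path, so the file does not depend on where the fuzzing harness keeps its patch directory relative to the QEMU sources.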
function startAFLFollow() {
    Stalker.follow(Process.getCurrentThreadId(), {
        events: {
            call: false,
            ret: false,
            exec: false,
            block: false,
            compile: true
        },
/*
 * Compile with:
 *
 * gcc -static-libgcc -fPIC -shared -m64 -ffunction-sections -fdata-sections -Wall -Os -pipe -g3 afl_frida_gum_test.c -I . -o afl-frida-gum.so -L. -lfrida-gum -lresolv -ldl -lrt -lm -Wl,--gc-sections,-z,noexecstack -pthread
 */
#include "frida-gum.h"
#include <fcntl.h>
#include <unistd.h>
var STALKER_QUEUE_CAP = 100000000;
var STALKER_QUEUE_DRAIN_INT = 1000*1000;
Stalker.trustThreshold = 0;
Stalker.queueCapacity = STALKER_QUEUE_CAP;
Stalker.queueDrainInterval = STALKER_QUEUE_DRAIN_INT;
var TARGET_MODULE = "libnative-lib.so";
var TARGET_FUNCTION = Module.findExportByName(TARGET_MODULE, "target_func");
    ___    ____ ______    __
   /   |  / __ \/ ___/   | / /
  / /| | / /_/ /\__ \| | / /
 / ___ |/ _, _/___/ /| |/ /
/_/  |_/_/ |_|/____/ |___/ ChecShit
var fuzz = require("./frida-fuzzer/fuzz");
fuzz.target_module = "libxml2.so.2";
/* Load libdislocator and hook the PLT of the target module. DO NOT hook the
   symbols in libc, otherwise Frida itself will use the dislocator malloc
   and freeze your machine (probably there are memory leaks in the runtime) */
var subs = ["malloc", "calloc", "realloc", "free", "memalign", "posix_memalign"];
var disloc = Module.load("/home/andrea/AFLplusplus/libdislocator.so");