Ticket #1740 (assigned bug)

Opened 11 years ago

Last modified 11 years ago

pbc_dump crashes on certain inputs

Reported by: ild
Owned by: dukeleto
Priority: normal
Milestone:
Component: none
Version: 2.6.0
Severity: medium
Keywords:
Cc:
Language:
Patch status:
Platform:

Description

A number of bugs were discovered in pbc_dump by the Avalanche dynamic program analysis tool (http://code.google.com/p/avalanche/).

pbc_dump crashes on certain exploit inputs (attached).

Attachments

exploit_0_0 (130.1 KB) - added by ild 11 years ago.
exploit_3_0 (130.1 KB) - added by ild 11 years ago.
exploit_7_0 (130.1 KB) - added by ild 11 years ago.
exploit_11_0 (130.1 KB) - added by ild 11 years ago.
stacktrace_20.log (480 bytes) - added by ild 11 years ago.
exploit_20_0 (130.1 KB) - added by ild 11 years ago.
exploit_27_0 (130.1 KB) - added by ild 11 years ago.
exploit_46_0 (130.1 KB) - added by ild 11 years ago.

Change History

Changed 11 years ago by ild

to reproduce:

parrot-2.6.0/inst/bin/pbc_dump -d exploit_0_0
parrot-2.6.0/inst/bin/pbc_dump -d exploit_3_0
... etc.

stacktrace_20.log added by mistake
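A small triage helper for the reproduction step above (an added example, not part of the ticket or of Parrot): it runs pbc_dump -d on each attached input and classifies the result by exit status, so a maintainer can tell a signal-terminated run (e.g. SEGV) from an ordinary error exit. The pbc_dump path is the one given in the ticket and is assumed to be overridable via PBC_DUMP.

```shell
#!/bin/sh
# Crash triage for pbc_dump inputs (added example, not from the ticket).
# Assumption: PBC_DUMP points at the binary; default is the path quoted above.
PBC_DUMP="${PBC_DUMP:-parrot-2.6.0/inst/bin/pbc_dump}"

# classify_run CMD [ARGS...]
# Runs CMD and prints one of:
#   ok            exit status 0
#   error:N       normal non-zero exit status N
#   signal:NAME   terminated by a signal (status > 128), NAME from kill -l
classify_run() {
    status=0
    "$@" >/dev/null 2>&1 || status=$?
    if [ "$status" -eq 0 ]; then
        echo ok
    elif [ "$status" -gt 128 ]; then
        sig=$((status - 128))
        # kill -l maps a signal number to its name (SEGV, ABRT, ...)
        name=$(kill -l "$sig" 2>/dev/null || echo "$sig")
        echo "signal:$name"
    else
        echo "error:$status"
    fi
}

# triage_inputs FILE...
# Prints "<file><TAB><classification>" for each input, e.g. the exploit_* attachments.
triage_inputs() {
    for f in "$@"; do
        printf '%s\t%s\n' "$f" "$(classify_run "$PBC_DUMP" -d "$f")"
    done
}

# Usage: ./triage.sh exploit_0_0 exploit_3_0 ...
if [ "$#" -gt 0 ]; then
    triage_inputs "$@"
fi
```

Rows reporting signal:SEGV or signal:ABRT are the ones worth a debugger or a memory-error tool; error:N rows are pbc_dump rejecting the input cleanly.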

Changed 11 years ago by dukeleto

  • status changed from new to assigned
  • owner set to dukeleto

Could you describe how you used the Avalanche tool to create the exploit_* files? That would be really useful. Thanks!

Changed 11 years ago by ild

I'm pleased that you are interested in Avalanche, because I'm its developer :)

OK, I'll try to describe it. We are currently working on adding new features to Avalanche, and those exploits were found using these features. They are probably not yet stable, but already quite useful.

You'll have to checkout the sources from SVN:

$ svn checkout http://avalanche.googlecode.com/svn/branches/separate-analysis avalanche

Then build Avalanche (you'll need autotools for that):

$ ./autogen.sh
$ ./configure --prefix=<path to avalanche install directory>
$ make
$ make install

If everything builds fine, run Avalanche. You may find the actual command line here.

There is a special new option for Avalanche: '--input-filter-file=<mask file>'. If it is not specified, Avalanche considers all the data in the input file as tainted. In this case the analysis may take too much time and won't be effective. If this option is specified, then only those positions that are listed in the mask file are considered to hold the tainted data. It may significantly speed up the analysis and allows Avalanche to explore certain parts of the application ignoring other parts.

Other options should be described here.

That was a very brief description. Consult the Avalanche wiki for further information and feel free to ask any questions. You may write to iisaev@ispras.ru. I'm interested in any feedback.

Hope you'll find Avalanche useful.

Changed 11 years ago by ild

In addition to previous comment:

The '--input-filter-file=<mask file>' Avalanche option is now renamed to '--mask=<mask file>'.
