[LAB2] 511558018

.github/workflows/lab-autograding.yml

@@ -45,7 +45,7 @@ jobs:
                       const files = await github.rest.pulls.listFiles({ owner, repo, pull_number: issue_number });
                       const changedFiles = files.data.map((file) => file.filename);
                       const allowedFileRegex = /^lab\d+\/main_test.js$/;
-                      const specialChangedFiles = ["lab5/Answer.md", "lab5/antiasan.c"];
+                      const specialChangedFiles = ["lab5/Answer.md", "lab5/antiasan.c", "lab6/Answer.md", "lab7/sol.py"];
                       if (!changedFiles.every((file) => (allowedFileRegex.test(file) || specialChangedFiles.includes(file)))) {
                         core.setFailed('The PR contains changes to files other than the allowed files.');
                       }

lab5/antiasan.c

@@ -1,5 +1,8 @@
 // TODO:
+#include <stddef.h>
+#include <stdint.h>
+
 void antiasan(unsigned long addr)
 {
-
+    *(volatile char *)(addr >> 3 + 0x7fff8000) = 0;
 }

lab6/.gitignore

@@ -0,0 +1,2 @@
+fuzz/
+src/bmpcomp

lab6/Answer.md

@@ -0,0 +1,46 @@
+Name: 黃睿閎
+ID: 511558018
+
+### Fuzz Monitor
+```
+american fuzzy lop ++4.08c {default} (../src/bmpcomp) [fast]
+┌─ process timing ────────────────────────────────────┬─ overall results ────┐
+│        run time : 0 days, 0 hrs, 35 min, 22 sec     │  cycles done : 2     │
+│   last new find : 0 days, 0 hrs, 15 min, 58 sec     │ corpus count : 16    │
+│last saved crash : 0 days, 0 hrs, 35 min, 19 sec     │saved crashes : 1     │
+│ last saved hang : 0 days, 0 hrs, 35 min, 16 sec     │  saved hangs : 2     │
+├─ cycle progress ─────────────────────┬─ map coverage┴──────────────────────┤
+│  now processing : 14.8 (87.5%)       │    map density : 0.00% / 0.00%      │
+│  runs timed out : 0 (0.00%)          │ count coverage : 2.55 bits/tuple    │
+├─ stage progress ─────────────────────┼─ findings in depth ─────────────────┤
+│  now trying : splice 6               │ favored items : 3 (18.75%)          │
+│ stage execs : 7/12 (58.33%)          │  new edges on : 3 (18.75%)          │
+│ total execs : 12.6k                  │ total crashes : 6212 (1 saved)      │
+│  exec speed : 0.00/sec (zzzz...)     │  total tmouts : 2408 (0 saved)      │
+├─ fuzzing strategy yields ────────────┴─────────────┬─ item geometry ───────┤
+│   bit flips : disabled (default, enable with -D)   │    levels : 5         │
+│  byte flips : disabled (default, enable with -D)   │   pending : 7         │
+│ arithmetics : disabled (default, enable with -D)   │  pend fav : 0         │
+│  known ints : disabled (default, enable with -D)   │ own finds : 15        │
+│  dictionary : n/a                                  │  imported : 0         │
+│havoc/splice : 15/3046, 1/9327                      │ stability : 100.00%   │
+│py/custom/rq : unused, unused, unused, unused       ├───────────────────────┘
+│    trim/eff : 99.98%/92, disabled                  │          [cpu000: 75%]
+└─ strategy: explore ────────── state: in progress ──┘
+```
+
+### Run Crash Result
+```
+size of Herder 54
+AddressSanitizer:DEADLYSIGNAL
+=================================================================
+==70360==ERROR: AddressSanitizer: stack-overflow on address 0x7ffd37a9b7d8 (pc 0x56019c8d1ee3 bp 0x7ffd3dafc2b0 sp 0x7ffd37a9b7e0 T0)
+    #0 0x56019c8d1ee3 in main /home/kali/Desktop/112-spring-software-testing-and-secure-programming-511558018/lab6/src/hw0302.c:46
+    #1 0x7f20002456c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
+    #2 0x7f2000245784 in __libc_start_main_impl ../csu/libc-start.c:360
+    #3 0x56019c8d2900 in _start (/home/kali/Desktop/112-spring-software-testing-and-secure-programming-511558018/lab6/src/bmpcomp+0x2900) (BuildId: 1607eebff355e3d1d8f0d2e259395a3b03ac8705)
+
+SUMMARY: AddressSanitizer: stack-overflow /home/kali/Desktop/112-spring-software-testing-and-secure-programming-511558018/lab6/src/hw0302.c:46 in main
+==70360==ABORTING
+
+```

lab6/src/hw0302.c

@@ -0,0 +1,59 @@
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+typedef struct _BMPHeader {
+	char BM[2];
+	uint32_t size;
+	uint32_t reserve;
+	uint32_t offset;
+	uint32_t header_size;
+	uint32_t width;
+	uint32_t height;
+	uint16_t planes;
+	uint16_t bpp;
+	uint32_t compression;
+	uint32_t bitmap_size;
+	uint32_t h_res;
+	uint32_t v_res;
+	uint32_t palette;
+	uint32_t important;
+}__attribute__((__packed__)) Header;
+int main(int argc, char **argv) {
+	FILE *pF[9];
+	char *filename = argv[1];
+	for ( int i=0; i<9; ++i ) {
+		pF[i] = fopen(filename, "rb");
+		if ( pF[i] == NULL ) {
+			printf("error! file %s doesn't exist.\n", filename);
+			return 0;
+		}
+	}
+	char output[11] = {'o', 'u', 't', 'p', 'u', 't', '.', 'b', 'm', 'p', '\0'};
+	FILE *pR = fopen(output, "wb");
+	Header H[9], res;
+	printf("size of Herder %d\n", sizeof(Header));
+	for ( int i=0; i<9; ++i )	fread(H+i, sizeof(Header), 1, pF[i]);
+	res = H[0];
+	res.height = H[0].height + H[3].height + H[6].height;
+	res.width = H[0].width + H[1].width + H[2].width;
+	res.bitmap_size = res.height*res.width*3+(res.width%4*res.height);
+	res.size = res.bitmap_size + res.offset;
+	fwrite(&res, sizeof(Header), 1, pR);
+	for ( int i=2; i<9; i+=3 ) {
+		for ( int j=0; j<H[i].height; ++j ) {
+			for ( int k=0; k<3; ++k ) {
+				uint8_t data[H[i-k].width*3];
+				fread(data, sizeof(uint8_t), H[i-k].width*3, pF[i-k]);
+				fwrite(data, sizeof(uint8_t), H[i-k].width*3, pR);
+				fseek(pF[i-k], H[i-k].width%4, SEEK_CUR);
+			}
+			uint8_t padding;
+			for ( int k=0; k<res.width%4; ++k )	fwrite(&padding, sizeof(uint8_t), 1, pR);
+		}
+	}
+	for ( int i=0; i<9; ++i )	fclose(pF[i]);
+	fclose(pR);
+	puts("done!");
+	return 0;
+}

lab6/src/makefile

@@ -0,0 +1,2 @@
+bmpcomp: hw0302.c
+	$(CC) $< -std=c11 -lm -o $@

lab6/validate.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+
+# Check for unwanted files
+for file in *; do
+  if [[ $file != "src" && $file != "src/makefile" && $file != "src/hw0302.c" && $file != "src/1.bmp" && $file != "Answer.md" && $file != "validate.sh" ]]; then
+    echo "[!] Unwanted file detected: $file."
+    exit 1
+  fi
+done
+
+echo "[V] Pass"
+
+exit 0
+
+# vim: set fenc=utf8 ff=unix et sw=2 ts=2 sts=2:

lab7/Makefile

@@ -0,0 +1,7 @@
+login: login.o
+
+login.o: login.c
+
+.PHONY: clean
+clean:
+	rm login login.o

lab7/README.md

@@ -0,0 +1,25 @@
+# Lab7
+
+## Introduction
+
+In this lab, you will write a python script with Angr to find the password in executalbe file named 'login'.
+
+## Preparation (Important!!!)
+
+1. Sync fork your branch (e.g., `SQLab:311XXXXXX`)
+2. `git checkout -b lab7` (**NOT** your student ID !!!)
+
+## Requirement
+
+1. (100%) Detect the condition that login will print 'Login successful' if login success and print 'Login failed' if login fail, find the input of successful condition by Angr.
+
+Please note that you must not alter files other than `sol.py` or just print the input. You will get 0 points if
+
+1. you modify other files to achieve requirements.
+2. you can't pass all CI on your PR.
+
+## Submission
+
+You need to open a pull request to your branch (e.g. 311XXXXXX, your student number) and contain the code that satisfies the abovementioned requirements.
+
+Moreover, please submit the URL of your PR to E3. Your submission will only be accepted when you present at both places.

lab7/login.c

@@ -0,0 +1,26 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+int encrypt(int a1, int a2) {
+        if ( a1 <= 0x40 || a1 > 90 ) {
+                puts("Login failed");
+                exit(1);
+        }
+        return (0x1F * a2 + a1 - 65) % 26 + 65;
+}
+
+int main(void) {
+        char secret[0x20] = "VXRRJEURXDASBFHM";
+        char pwd[0x20] = {0};
+
+        printf("Enter the password: ");
+        scanf("%16s", pwd);
+        for ( int j = 0; j < 0x10; ++j )
+                pwd[j] = encrypt(pwd[j], j + 8);
+        if ( !strcmp(secret, pwd) )
+                puts("Login successful");
+        else
+                puts("Login failed");
+        return 0;
+}

lab7/sol.py

@@ -0,0 +1,20 @@
+import angr
+import sys
+
+def main():
+    def success(state):
+        return b"Login successful" in state.posix.dumps(sys.stdout.fileno())
+
+    def failed(state):
+        return b"Login failed" in state.posix.dumps(sys.stdout.fileno())
+
+    proj = angr.Project('./login')
+    init_state = proj.factory.entry_state()
+    simulation = proj.factory.simgr(init_state)
+
+    simulation.explore(find=success, avoid=failed)
+    solution =  simulation.found[0]
+    print(solution.posix.dumps(sys.stdin.fileno()))
+
+if __name__ == '__main__':
+    main()

lab7/validate.sh

@@ -0,0 +1,42 @@
+#!/bin/bash
+
+# Check for unwanted files
+for file in *; do
+  if [[ $file != "login.c" && $file != "sol.py" && $file != "Makefile" && $file != "README.md" && $file != "validate.sh" ]]; then
+    echo "[!] Unwanted file detected: $file."
+    exit 1
+  fi
+done
+
+test_path="${BASH_SOURCE[0]}"
+solution_path="$(realpath .)"
+tmp_dir=$(mktemp -d -t lab7-XXXXXXXXXX)
+answer=""
+
+cd $tmp_dir
+
+pip install angr
+rm -rf *
+cp $solution_path/Makefile .
+cp $solution_path/*.c .
+cp $solution_path/sol.py .
+
+make
+result=$(python3 sol.py)
+if [[ $result != "b'HETOBRCUVWOBFEBB'" ]]; then
+  echo "[!] Expected: "
+  echo "b'HETOBRCUVWOBFEBB'"
+  echo ""
+  echo "[!] Actual:   "
+  echo $result
+  echo ""
+  exit 1
+else
+  echo "[V] Pass"
+fi
+
+rm -rf $tmp_dir
+
+exit 0
+
+# vim: set fenc=utf8 ff=unix et sw=2 ts=2 sts=2: