Gdb error

River3/TestPrograms/crackme_sample.c

@@ -1,3 +1,7 @@
+#include <stdio.h>
+#include <stdint.h>
+
+static uint8_t inputBuf[1 << 20];
 
 int RIVERTestOneInput(const char* data, const int size)
 {
@@ -13,6 +17,6 @@ int RIVERTestOneInput(const char* data, const int size)
 
 int main(int ac, const char **av)
 {
-  return RIVERTestOneInput(av[1], 5);
+  return RIVERTestOneInput((char *)inputBuf, 5);
 }
 

River3/TestPrograms/crackme_xor.c

@@ -1,8 +1,10 @@
 
 #include <stdio.h>
 #include <stdlib.h>
+#include <stdint.h>
 
-char *serial = "\x31\x3e\x3d\x26\x31";
+char *serial="elite";
+static uint8_t inputBuf[20];
 
 void RIVERTestOneInput(char *ptr)
 {
@@ -14,7 +16,7 @@ void RIVERTestOneInput(char *ptr)
       printf("Print wrong password\n");
       return;
     }
-
+    printf("%s\n", ptr);    
     i++;
   }
 
@@ -25,12 +27,12 @@ int main(int ac, char **av)
 {
   int ret;
 
-  if (ac != 2)
-  {
-    printf("First param must be the string password");
-    return -1;
-  }
-
-  RIVERTestOneInput(av[1]);
+ // if (ac != 2)
+  //{
+    //printf("First param must be the string password");
+    //return -1;
+  //}
+  printf("Hello %s\n", inputBuf);
+  RIVERTestOneInput(inputBuf);
 }
 

River3/TestPrograms/libxml2-v2.9.2/Dockerfile

@@ -0,0 +1,32 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+
+RUN apt-get update && \
+    apt-get install -y \
+    make \
+    wget \
+    autoconf \
+    automake \
+    libtool \
+    libglib2.0-dev
+
+RUN git clone https://gitlab.gnome.org/GNOME/libxml2.git
+
+RUN wget -qO $OUT/fuzz-target.dict \
+    https://raw.githubusercontent.com/google/AFL/debe27037b9444bbf090a0ffbd5d24889bb887ae/dictionaries/xml.dict
+COPY target.cc build.sh $SRC/

River3/TestPrograms/libxml2-v2.9.2/Makefile

@@ -0,0 +1,33 @@
+OUT=out
+CXX=g++
+CXXFLAGS=--coverage
+
+.PHONY: clean
+
+$(OUT)/xml: target.cc river_shim.o libxml2/.libs/libxml2.a
+	test -d $(OUT) || mkdir -p $(OUT)
+	$(CXX) $(CXXFLAGS) -std=c++11 river_shim.o -o $(OUT)/xml -I libxml2/include -Wl,--whole-archive libxml2/.libs/libxml2.a  target.cc -ldl -fprofile-arcs -ftest-coverage -Wl,--no-whole-archive
+	#$(CXX) $(CXXFLAGS) -std=c++11 -g -O0 target.cc -I libxml2/include libxml2/.libs/libxml2.a river_shim.o -o $(OUT)/xml
+	#$(CXX) $(CXXFLAGS) -std=c++11 -g -O0 target.cc -I libxml2/include libxml2/.libs/libxml2.a river_shim.o -static -o $(OUT)/xml
+
+libxml2/.libs/libxml2.a:
+	test -d libxml2 || git clone https://gitlab.gnome.org/GNOME/libxml2.git
+	test -d libxml2 && cd libxml2 \
+		&& git checkout -f v2.9.2 \
+		&& ./autogen.sh \
+		&& CCLD="$(CXX) $(CXXFLAGS)" ./configure --without-python --with-threads=no --with-zlib=no --with-lzma=no \
+		&& make -j $(nproc)
+
+river_shim.o: river_shim.cpp
+	#$(CXX) $(CXXFLAGS) -stdlib=libc++ -std=c++11 -O2 -c river_shim.cpp -o river_shim.o
+	#$(CXX) $(CXXFLAGS) -std=c++11 -O2 -c river_shim.cpp -o river_shim.o
+	$(CXX) $(CXXFLAGS) -std=c++11 -O0 -g -c river_shim.cpp -o river_shim.o 
+
+$(OUT)/fuxx-target.dict:
+	wget -qO $OUT/fuzz-target.dict https://raw.githubusercontent.com/google/AFL/debe27037b9444bbf090a0ffbd5d24889bb887ae/dictionaries/xml.dict
+
+dump: $(OUT)/xml
+	objdump -D -M intel $(OUT)/xml > dump.asm
+
+clean:
+	rm $(OUT)/xml river_shim.o *.gcda

River3/TestPrograms/libxml2-v2.9.2/arguments.json

@@ -0,0 +1,9 @@
+{
+	"binaryPath": "/home/ubuntu/Desktop/licenta/river/River3/TestPrograms/libxml2-v2.9.2/out/xml",
+	"entryfuncName": "main",
+	"architecture": "x64",
+	"maxLen" : 5,
+	"logLevel" : "CRITICAL",
+	"secondsBetweenStats" : 10,
+	"outputType": "textual"
+}

River3/TestPrograms/libxml2-v2.9.2/benchmark.yaml

@@ -0,0 +1,16 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+fuzz_target: xml
+project: libxml2

River3/TestPrograms/libxml2-v2.9.2/build.sh

@@ -0,0 +1,27 @@
+#!/bin/bash -ex
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+cd libxml2
+# Git is converting CRLF to LF automatically and causing issues when checking
+# out the branch. So use -f to ignore the complaint about lost changes that we
+# don't even want.
+git checkout -f v2.9.2
+./autogen.sh
+CCLD="$CXX $CXXFLAGS" ./configure --without-python --with-threads=no \
+    --with-zlib=no --with-lzma=no
+make -j $(nproc)
+
+$CXX $CXXFLAGS -std=c++11 $SRC/target.cc -I include .libs/libxml2.a \
+    $FUZZER_LIB -o $OUT/xml

River3/TestPrograms/libxml2-v2.9.2/river_shim.cpp

@@ -0,0 +1,54 @@
+#include <iostream>
+
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <stdint.h>
+
+#include <fcntl.h> /* O_RDWR, O_CREAT, O_TRUNC, O_WRONLY */
+
+extern "C" {
+    int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size);
+    __attribute__((weak)) int LLVMFuzzerInitialize(int *argc, char ***argv);
+}
+
+// Input buffer.
+static const size_t kMaxInputSize = 1 << 20;
+static uint8_t inputBuf[kMaxInputSize];
+int main(int argc, char** argv)
+{
+    int fd1;
+    if (LLVMFuzzerInitialize)
+        LLVMFuzzerInitialize(&argc, &argv);
+
+    //while (1) {
+        printf("Here with %s\n", inputBuf);
+        //fd1 = open("out.txt", O_RDWR | O_CREAT, 0644);
+        //dprintf(fd1, "Here %d\n", 42);
+
+      //  ssize_t n_read = read(0, inputBuf, kMaxInputSize);
+        write(1, inputBuf, 4);
+       // if (n_read > 0) {
+            ////char len[2] = {(char)inputBuf[0], 0};
+            ////size_t river_in_len = (size_t) atoi(len);
+            //size_t river_in_len = (size_t) inputBuf[0];
+            //uint8_t *copy = new uint8_t[river_in_len + 1];
+            //memcpy(copy, inputBuf + 1, river_in_len);
+            //copy[river_in_len] = 0;
+            ////std::cout << copy << " " << river_in_len << "\n";
+            //LLVMFuzzerTestOneInput(copy, river_in_len);
+
+            //char len[2] = {(char)inputBuf[0], 0};
+            //size_t river_in_len = (size_t) atoi(len);
+            size_t river_in_len = (size_t) inputBuf[0];
+            //uint8_t *copy = new uint8_t[river_in_len + 1];
+            //memcpy(copy, inputBuf + 1, river_in_len);
+            //copy[river_in_len] = 0;
+            //std::cout << copy << " " << river_in_len << "\n";
+            LLVMFuzzerTestOneInput(&inputBuf[1], river_in_len);
+            //delete[] copy;
+        //}
+    //}
+    return 0;
+}

River3/TestPrograms/libxml2-v2.9.2/run_river.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+gdb --batch-silent -x /home/ubuntu/Desktop/licenta/river/River3/python/concolic_GenerationalSearch2.py --batch --args /home/ubuntu/Desktop/licenta/river/River3/TestPrograms/libxml2-v2.9.2/sample

River3/TestPrograms/libxml2-v2.9.2/sample.c

@@ -0,0 +1,70 @@
+#include <stdio.h>
+#include <stdint.h>
+#include <string.h>
+#include <stdlib.h>
+
+static uint8_t inputBuf[1 << 20];
+
+char *Funct(uint8_t *ptr) {
+	if (ptr[0] & 101) {
+		return "a";
+	}
+	return "b";
+}
+
+char *Func(char *ptr) {
+	ptr[1] = 1;
+	return ptr;
+}
+
+void TestInput(uint8_t *ptr, size_t size) {
+	uint8_t *new_ptr = (uint8_t*) malloc(sizeof(uint8_t) * size);
+	memcpy(new_ptr, ptr, size);
+	printf("START\n"); 
+
+	if (new_ptr[1] == 32) {
+		printf("%s\n\n", "First vulnerability");
+		free(new_ptr);
+		free(new_ptr);
+	}
+
+	printf("%s\n", "First stage");
+
+	new_ptr[2] = 3;
+	new_ptr[1] = 1;
+
+	if (size == 1) {
+		printf("%s\n\n", "Second vulnerability");
+		free(ptr);
+	}
+
+	printf("%s\n", "Second stage");
+
+	if (size == 2) {
+		printf("%s\n\n", "Third vulnerability");
+		free(ptr);
+	}
+
+	printf("%s\n", "Third stage");
+
+	if (ptr[1] & 100) {
+		ptr = Funct(&ptr[1]);
+	} else {
+		ptr = Funct(&ptr[0]);
+	}
+
+	printf("\n");
+
+}
+
+int main(int argc, char *argv[]) {
+
+	size_t size = (size_t) inputBuf[0];
+	printf("Injected input: ");
+	for(int i = 0; i < 4; i++) {
+		printf("%d ", inputBuf[i]);
+	}
+	printf("\n====================\n");
+	TestInput(&inputBuf[1], size);
+	return 0;
+}

River3/TestPrograms/libxml2-v2.9.2/script.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+
+cd report 
+rm -rf*
+cd ..
+lcov -c -d . -d libxml2/ -o report/app.info
+
+cd report
+genhtml app.info
+cd ..
+

River3/TestPrograms/libxml2-v2.9.2/target.cc

@@ -0,0 +1,34 @@
+// Copyright 2020 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include <string>
+#include <iostream>
+#include <vector>
+#include "libxml/xmlversion.h"
+#include "libxml/parser.h"
+#include "libxml/HTMLparser.h"
+#include "libxml/tree.h"
+
+void ignore (void * ctx, const char * msg, ...) {}
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+    //std::cout << "llfz " << data << " " << size << "\n";
+    xmlSetGenericErrorFunc(NULL, &ignore);
+    if (auto doc = xmlReadMemory(reinterpret_cast<const char *>(data), size,
+                "noname.xml", NULL, 0)) {
+        //std::cout << "Here\n";
+        xmlFreeDoc(doc);
+    }
+    return 0;
+}

River3/Unittests/arguments.json

@@ -0,0 +1,9 @@
+{
+  "binaryPath": "/home/ubuntu/Desktop/auux/river/River3/Unittests/BinaryFiles/crackme_sample",
+  "entryfuncName": "main",
+  "architecture": "x64",
+  "maxLen": 256,
+  "logLevel": "CRITICAL",
+  "secondsBetweenStats": 10,
+  "outputType": "textual"
+}