dobin / ffw

A fuzzing framework for network servers
GNU General Public License v3.0

invalid literal for int() with base 16: '0x7ffccd440f70)' #19

Closed y1026 closed 6 years ago

y1026 commented 6 years ago

Hello,

Using the Verify function in ffw causes an error.

ffw file: out.zip

Thanks.

OS: Ubuntu 16_04 64bit.

y1026@y1026-VirtualBox:~/ffw/vulnserver$ ./fuzzing.py --verify --debug
Client Manager
Network Server Manager
INFO:root:Crash verifier
Processing 1 outcome files
Now processing: 0: /home/y1026/ffw/vulnserver/out/9215452092389361146.ffw
INFO:root:Using: TCP
INFO:root:DebugServer: Start Server
DEBUG:root:START: ['/home/y1026/ffw/vulnserver/bin/vulnserver_asan', '21000']
INFO:root:Attach <PtraceProcess #30140> to debugger
INFO:root:Set <PtraceProcess #30140> options to 1
Listening on port: 20000
INFO:root:Server PID: 30140
INFO:root:DebugServer: Waiting for process event
INFO:root:Verifier: Server pid: 30140
INFO:root:Verifier: Server Port: 20000
Check if we can connect to server
INFO:root:Verifier: Sending fuzzed messages
INFO:root:Open connection on localhost:20000
New client connected
New client connected
Received data with len: 1024 on state: 0
Auth success
Received data with len: 1024 on state: 1
INFO:root:DebugServer: Got event: Signal SIGABRT
INFO:root:DebugServer: Event Result: Crash
INFO:root:Get asan output: /home/y1026/ffw/vulnserver/temp/asan.30140
INFO:root:ReceiveData err on msg 3: timed out
INFO:root:Verifier: Wait for crash data
INFO:root:Found ASAN output file. Good.
INFO:root:Quit debugger
WARNING:root:Terminate <PtraceProcess #30140>
INFO:root:Verifier: I've got a crash: 
DEBUG:root:debugVerifyCrashData Register : {'gs': '0', 'gs_base': '0', 'rip': '140023069148200', 'r9': '18', 'r15': '140723752272432', 'cs': '51', 'es': '0', 'r13': '1024', 'rcx': '140023069148200', 'rax': '0', 'r14': '1024', 'fs': '0', 'r12': '140723752274800', 'rsi': '30140', 'r10': '8', 'r11': '514', 'orig_rax': '234', 'fs_base': '140023091140480', 'rsp': '140723752271800', 'ds': '0', 'rbx': '140723752272224', 'ss': '43', 'r8': '1', 'rdx': '6', 'rbp': '140723752274624', 'eflags': '514', 'rdi': '30140'}
DEBUG:root:debugVerifyCrashData Backtrace: ['IP=0x00007f59a94c0428: ??? ()', 'IP=0x00007f59a95822c0: ??? ()']
DEBUG:root:debugVerifyCrashData Cause    : None
ASANdata: ['=================================================================', '==30140==ERROR: AddressSanitizer: memcpy-param-overlap: memory ranges [0x7ffccd440ac0,0x7ffccd440ec0) and [0x7ffccd440b70, 0x7ffccd440f70) overlap', '#0 0x7f59a98e1662 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c662)', '#1 0x401033 in handleData1 /home/y1026/ffw/vulnserver/vulnserver.c:20', '#2 0x40128a in doprocessing /home/y1026/ffw/vulnserver/vulnserver.c:51', '#3 0x401627 in main /home/y1026/ffw/vulnserver/vulnserver.c:114', '#4 0x7f59a94ab82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)', '#5 0x400ea8 in _start (/home/y1026/ffw/vulnserver/bin/vulnserver_asan+0x400ea8)', '', 'Address 0x7ffccd440ac0 is located in stack of thread T0 at offset 32 in frame', '#0 0x400fa1 in handleData1 /home/y1026/ffw/vulnserver/vulnserver.c:18', '', 'This frame has 1 object(s):', "[32, 40) 'buff' <== Memory access at offset 32 partially overflows this variable", 'HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext', '(longjmp and C++ exceptions *are* supported)', 'Address 0x7ffccd440b70 is located in stack of thread T0 at offset 32 in frame', '#0 0x4010d8 in doprocessing /home/y1026/ffw/vulnserver/vulnserver.c:31', '', 'This frame has 1 object(s):', "[32, 1056) 'data' <== Memory access at offset 32 is inside this variable", 'HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext', '(longjmp and C++ exceptions *are* supported)', 'SUMMARY: AddressSanitizer: memcpy-param-overlap ??:0 __asan_memcpy', '==30140==ABORTING']
Mainline: ['==30140==ERROR:', 'AddressSanitizer:', 'memcpy-param-overlap:', 'memory', 'ranges', '[0x7ffccd440ac0,0x7ffccd440ec0)', 'and', '[0x7ffccd440b70,', '0x7ffccd440f70)', 'overlap']
Traceback (most recent call last):
  File "./fuzzing.py", line 102, in <module>
    sys.exit(main())
  File "./fuzzing.py", line 98, in main
    framework.realMain(config)
  File "/home/y1026/ffw/vulnserver/../framework.py", line 185, in realMain
    v.verifyOutDir()
  File "/home/y1026/ffw/vulnserver/../verifier/verifier.py", line 104, in verifyOutDir
    self._verifyOutcome(targetPort, outcomeFile)
  File "/home/y1026/ffw/vulnserver/../verifier/verifier.py", line 152, in _verifyOutcome
    asanVerifyCrashData = asanParser.getAsCrashData()
  File "/home/y1026/ffw/vulnserver/../verifier/asanparser.py", line 35, in getAsCrashData
    asanData = self.getAsanData()
  File "/home/y1026/ffw/vulnserver/../verifier/asanparser.py", line 90, in getAsanData
    asanData["faultAddress"] = int(mainLine[8], 16)
ValueError: invalid literal for int() with base 16: '0x7ffccd440f70)'
dobin commented 6 years ago

Mhm ASAN appears to change its layout regularly. "It does not need XML output, it's easy to parse" they said.

Add support for ASAN "memcpy-param-overlap" text output in https://github.com/dobin/ffw/blob/master/verifier/asanparser.py#L85
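A tolerant mainline parser of the kind the last comment asks for, written here as an added example and not ffw's own asanparser.py: it pulls the hex addresses out with regular expressions instead of indexing a whitespace split, so the trailing `)` in the `0x7ffccd440f70)` token from the traceback above never reaches int(). The first sample line is the one quoted in this issue; the second is a constructed heap-buffer-overflow line in the "on address" layout the existing parser expected.

```python
import re

# Sample ASAN mainlines: the first is quoted in this issue, the second is a
# constructed line in the older "<type> on address 0x..." layout.
MEMCPY_LINE = ("==30140==ERROR: AddressSanitizer: memcpy-param-overlap: memory ranges "
               "[0x7ffccd440ac0,0x7ffccd440ec0) and [0x7ffccd440b70, 0x7ffccd440f70) overlap")
OVERFLOW_LINE = ("==4242==ERROR: AddressSanitizer: heap-buffer-overflow on address "
                 "0x602000000018 at pc 0x000000400b3c bp 0x7ffd2a1f8f10 sp 0x7ffd2a1f8f00")

HEX = r"0x[0-9a-fA-F]+"
# "<type> on address 0x..." and "SEGV on unknown address 0x..." layouts
ON_ADDRESS_RE = re.compile(
    r"AddressSanitizer: (?P<type>[\w-]+) on (?:unknown )?address (?P<addr>" + HEX + ")")
# memcpy-param-overlap layout: "memory ranges [a,b) and [c, d) overlap".
# The space after the comma is optional, which is exactly why a fixed
# split()[8] index handed "0x7ffccd440f70)" to int().
RANGES_RE = re.compile(
    r"AddressSanitizer: (?P<type>[\w-]+): memory ranges "
    r"\[(?P<a>" + HEX + r"),\s*(?P<b>" + HEX + r")\) and "
    r"\[(?P<c>" + HEX + r"),\s*(?P<d>" + HEX + r")\) overlap")


def parse_asan_mainline(line):
    """Return {'type', 'faultAddress'[, 'ranges']} for an ASAN ERROR mainline.

    Returns None for anything that is not a recognised mainline, so the
    verifier can log and skip the outcome instead of dying with ValueError.
    """
    m = ON_ADDRESS_RE.search(line)
    if m:
        return {"type": m.group("type"), "faultAddress": int(m.group("addr"), 16)}
    m = RANGES_RE.search(line)
    if m:
        ranges = [(int(m.group("a"), 16), int(m.group("b"), 16)),
                  (int(m.group("c"), 16), int(m.group("d"), 16))]
        # Use the lower range start as the fault address so downstream crash
        # bucketing still receives a single comparable value.
        return {"type": m.group("type"),
                "faultAddress": min(start for start, _ in ranges),
                "ranges": ranges}
    return None
```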