
anti-antivirus #12

Open tiwanari opened 5 years ago

tiwanari commented 5 years ago
Create the most evil malware and exploit the antivirus software!

http://13.52.167.83:49151/

anti-antivirus.zip
tiwanari commented 5 years ago

~anti-antivirus.zip~

tiwanari commented 5 years ago
$ tree .
.
├── clamd
├── clamdscan
├── clamscan
├── libclamav.so.7.1.1
├── patch.diff
└── readme.md
$ file clamd
clamd: ELF 64-bit LSB shared object x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, for GNU/Linux 3.2.0, BuildID[sha1]=8de8f14247e2d035348f6e698bfc69f01f0a50c6, with debug_info, not stripped

$ file clamdscan
clamdscan: ELF 64-bit LSB shared object x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, for GNU/Linux 3.2.0, BuildID[sha1]=5ded86d3f6b5029b17b05eb38a542d5660dec880, with debug_info, not stripped

$ file clamscan
clamscan: ELF 64-bit LSB shared object x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, for GNU/Linux 3.2.0, BuildID[sha1]=b60fa918852efbb890c5d6244da75895ec4251f4, with debug_info, not stripped

$ cat readme.md

There is a patched [clamav](https://github.com/Cisco-Talos/clamav-devel)(commit id: `6c11e824a794770c469f3a46141d5ea7927b6ea6`) running on ubuntu:18.04.

Every time you upload your payloads, we will scan them with the following commands

bash:
clamdscan your_upload_file
clamscan your_upload_file

Try to pwn this antivirus software.
tiwanari commented 5 years ago

$ cat patch.diff

diff --git a/libclamunrar/unrar.c b/libclamunrar/unrar.c
index ee850c2c6..45fcf1b2d 100644
--- a/libclamunrar/unrar.c
+++ b/libclamunrar/unrar.c
@@ -1088,9 +1088,9 @@ static int rar_unpack29(int fd, int solid, unpack_data_t *unpack_data)

        }
    }
-   if (retval) {
+   /* if (retval) { */
        unp_write_buf(unpack_data);
-   }
+   /* } */
    return retval;
 }
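Review bot: With the `if (retval)` guard commented out, unp_write_buf() now runs on the failure path of rar_unpack29 as well, where the unpack state may be only partially filled in; the guard should be restored, `if (retval) { unp_write_buf(unpack_data); }`. unp_write_buf is not visible here, so whether it tolerates a failed or partial decode is inferred rather than verified. The body of rar_unpack29 begins outside the hunk.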

diff --git a/libclamunrar/unrarvm.c b/libclamunrar/unrarvm.c
index 813ec0867..93722be03 100644
--- a/libclamunrar/unrarvm.c
+++ b/libclamunrar/unrarvm.c
@@ -311,11 +311,13 @@ void rarvm_set_memory(rarvm_data_t *rarvm_data, unsigned int pos, uint8_t *data,
    }
 }

-static unsigned int *rarvm_get_operand(rarvm_data_t *rarvm_data,
+/* static unsigned int *rarvm_get_operand(rarvm_data_t *rarvm_data, */
+static size_t *rarvm_get_operand(rarvm_data_t *rarvm_data,
                struct rarvm_prepared_operand *cmd_op)
 {
    if (cmd_op->type == VM_OPREGMEM) {
-       return ((unsigned int *)&rarvm_data->mem[(*cmd_op->addr+cmd_op->base) & RARVM_MEMMASK]);
+       /* return ((unsigned int *)&rarvm_data->mem[(*cmd_op->addr+cmd_op->base) & RARVM_MEMMASK]); */
+       return ((size_t *)&rarvm_data->mem[(*cmd_op->addr+cmd_op->base) /*& RARVM_MEMMASK*/]);
    } else {
        return cmd_op->addr;
    }
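Review bot: The new return line in rarvm_get_operand drops the `& RARVM_MEMMASK` clamp, so the VM-memory operand pointer is formed from the archive-supplied `*cmd_op->addr + cmd_op->base` with nothing bounding it to `rarvm_data->mem`; that mask is what kept VM memory accesses inside the buffer and should stay, `return ((size_t *)&rarvm_data->mem[(*cmd_op->addr+cmd_op->base) & RARVM_MEMMASK]);`. Widening the operand pointer from `unsigned int *` to `size_t *` (likewise `op1`/`op2` in the rarvm_execute_code hunk and `addr`/`data`/`base`, `init_r` and `R` in the three unrarvm.h hunks) turns each dereference into an 8-byte access on the x86-64 build listed above, so even an index masked to the top of the region reaches 4 bytes further past the end than before. `value1`, `value2`, `result` and `Flags` stay `unsigned int`, so every arithmetic path silently truncates the 64-bit operands back to 32 bits; keeping the original `unsigned int` types throughout is the consistent fix.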
@@ -589,7 +591,8 @@ static int rarvm_execute_code(rarvm_data_t *rarvm_data,
 {
    int max_ops=25000000, i, SP;
    struct rarvm_prepared_command *cmd;
-   unsigned int value1, value2, result, divider, FC, *op1, *op2;
+   unsigned int value1, value2, result, divider, FC/*, *op1, *op2*/;
+   size_t *op1, *op2;
    const int reg_count=sizeof(rarvm_data->R)/sizeof(rarvm_data->R[0]);

    rar_dbgmsg("in rarvm_execute_code\n");
diff --git a/libclamunrar/unrarvm.h b/libclamunrar/unrarvm.h
index 5babd6840..91caf44e1 100644
--- a/libclamunrar/unrarvm.h
+++ b/libclamunrar/unrarvm.h
@@ -56,10 +56,13 @@ enum rarvm_op_type {
 };

 struct rarvm_prepared_operand {
-   unsigned int *addr;
+   // unsigned int *addr;
+   size_t *addr;
    enum rarvm_op_type type;
-   unsigned int data;
-   unsigned int base;
+   // unsigned int data;
+   size_t data;
+   // unsigned int base;
+   size_t base;
 };

 struct rarvm_prepared_command {
@@ -76,7 +79,8 @@ struct rarvm_prepared_program {
    uint8_t *filtered_data;
    long global_size, static_size;
    int cmd_count;
-   unsigned int init_r[7];
+   // unsigned int init_r[7];
+   size_t init_r[7];
    unsigned int filtered_data_size;
 };

@@ -89,7 +93,8 @@ typedef struct rarvm_input_tag {

 typedef struct rarvm_data_tag {
    uint8_t *mem;
-   unsigned int R[8];
+   // unsigned int R[8];
+   size_t R[8];
    unsigned int Flags;
 } rarvm_data_t;
tiwanari commented 5 years ago

The size_t type may be bigger than, equal to, or smaller than an unsigned int, and your compiler might make assumptions about it for optimization.

https://stackoverflow.com/a/131833

tiwanari commented 5 years ago

更新されていた

Attachment has been updated for challenge anti-antivirus
Posted on 2019-09-15 08:26:51(+09:00)

anti_antivirus.zip