Open tiwanari opened 5 years ago
$ tree .
.
├── clamd
├── clamdscan
├── clamscan
├── libclamav.so.7.1.1
├── patch.diff
└── readme.md
$ file clamd
clamd: ELF 64-bit LSB shared object x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, for GNU/Linux 3.2.0, BuildID[sha1]=8de8f14247e2d035348f6e698bfc69f01f0a50c6, with debug_info, not stripped
$ file clamdscan
clamdscan: ELF 64-bit LSB shared object x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, for GNU/Linux 3.2.0, BuildID[sha1]=5ded86d3f6b5029b17b05eb38a542d5660dec880, with debug_info, not stripped
$ file clamscan
clamscan: ELF 64-bit LSB shared object x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, for GNU/Linux 3.2.0, BuildID[sha1]=b60fa918852efbb890c5d6244da75895ec4251f4, with debug_info, not stripped
$ cat readme.md
There is a patched [clamav](https://github.com/Cisco-Talos/clamav-devel)(commit id: `6c11e824a794770c469f3a46141d5ea7927b6ea6`) running on ubuntu:18.04.
Every time you upload your payloads, we will scan them with the following commands
bash:
clamdscan your_upload_file
clamscan your_upload_file
Try to pwn this antivirus software.
$ cat patch.diff
diff --git a/libclamunrar/unrar.c b/libclamunrar/unrar.c
index ee850c2c6..45fcf1b2d 100644
--- a/libclamunrar/unrar.c
+++ b/libclamunrar/unrar.c
@@ -1088,9 +1088,9 @@ static int rar_unpack29(int fd, int solid, unpack_data_t *unpack_data)
}
}
- if (retval) {
+ /* if (retval) { */
unp_write_buf(unpack_data);
- }
+ /* } */
return retval;
}
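Review bot: Commenting out the `if (retval)` guard makes `unp_write_buf(unpack_data)` run on every exit from rar_unpack29, including the path where retval is zero, which previously skipped the flush; the window buffer is then written out in whatever state the failed unpack left it. If an unconditional flush is really intended, the guard should be deleted rather than left as `/* if (retval) { */` / `/* } */`, and the zero-retval path needs a comment stating why writing the buffer after an error is safe. The body of rar_unpack29 starts outside the hunk, so the meaning of retval at this point is inferred.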
diff --git a/libclamunrar/unrarvm.c b/libclamunrar/unrarvm.c
index 813ec0867..93722be03 100644
--- a/libclamunrar/unrarvm.c
+++ b/libclamunrar/unrarvm.c
@@ -311,11 +311,13 @@ void rarvm_set_memory(rarvm_data_t *rarvm_data, unsigned int pos, uint8_t *data,
}
}
-static unsigned int *rarvm_get_operand(rarvm_data_t *rarvm_data,
+/* static unsigned int *rarvm_get_operand(rarvm_data_t *rarvm_data, */
+static size_t *rarvm_get_operand(rarvm_data_t *rarvm_data,
struct rarvm_prepared_operand *cmd_op)
{
if (cmd_op->type == VM_OPREGMEM) {
- return ((unsigned int *)&rarvm_data->mem[(*cmd_op->addr+cmd_op->base) & RARVM_MEMMASK]);
+ /* return ((unsigned int *)&rarvm_data->mem[(*cmd_op->addr+cmd_op->base) & RARVM_MEMMASK]); */
+ return ((size_t *)&rarvm_data->mem[(*cmd_op->addr+cmd_op->base) /*& RARVM_MEMMASK*/]);
} else {
return cmd_op->addr;
}
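Review bot: Removing `& RARVM_MEMMASK` in the VM_OPREGMEM branch drops the only clamp that kept `*cmd_op->addr+cmd_op->base` inside `rarvm_data->mem`, so an operand address taken from the archive's VM program can now index outside the VM memory buffer; the cast to `size_t *` also widens each access from 4 to 8 bytes on the x86-64 build listed above, so even an in-range index at the end of the buffer would cross it. The mask should be restored and the pointer type kept at its original width, `return ((unsigned int *)&rarvm_data->mem[(*cmd_op->addr+cmd_op->base) & RARVM_MEMMASK]);`, or the buffer sized with slack for the wider access if size_t is really wanted. The companion hunks in rarvm_execute_code and the three unrarvm.h struct hunks change `addr`, `data`, `base`, `init_r`, `R`, `op1` and `op2` to size_t while `value1`, `value2`, `result`, `Flags` and `filtered_data_size` stay `unsigned int`, so every load through `*op1`/`*op2` and store back is an implicit narrowing or widening with no comment explaining the mixed widths. rarvm_get_operand is complete within the hunk.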
@@ -589,7 +591,8 @@ static int rarvm_execute_code(rarvm_data_t *rarvm_data,
{
int max_ops=25000000, i, SP;
struct rarvm_prepared_command *cmd;
- unsigned int value1, value2, result, divider, FC, *op1, *op2;
+ unsigned int value1, value2, result, divider, FC/*, *op1, *op2*/;
+ size_t *op1, *op2;
const int reg_count=sizeof(rarvm_data->R)/sizeof(rarvm_data->R[0]);
rar_dbgmsg("in rarvm_execute_code\n");
diff --git a/libclamunrar/unrarvm.h b/libclamunrar/unrarvm.h
index 5babd6840..91caf44e1 100644
--- a/libclamunrar/unrarvm.h
+++ b/libclamunrar/unrarvm.h
@@ -56,10 +56,13 @@ enum rarvm_op_type {
};
struct rarvm_prepared_operand {
- unsigned int *addr;
+ // unsigned int *addr;
+ size_t *addr;
enum rarvm_op_type type;
- unsigned int data;
- unsigned int base;
+ // unsigned int data;
+ size_t data;
+ // unsigned int base;
+ size_t base;
};
struct rarvm_prepared_command {
@@ -76,7 +79,8 @@ struct rarvm_prepared_program {
uint8_t *filtered_data;
long global_size, static_size;
int cmd_count;
- unsigned int init_r[7];
+ // unsigned int init_r[7];
+ size_t init_r[7];
unsigned int filtered_data_size;
};
@@ -89,7 +93,8 @@ typedef struct rarvm_input_tag {
typedef struct rarvm_data_tag {
uint8_t *mem;
- unsigned int R[8];
+ // unsigned int R[8];
+ size_t R[8];
unsigned int Flags;
} rarvm_data_t;
The size_t type may be bigger than, equal to, or smaller than an unsigned int, and your compiler might make assumptions about it for optimization.
更新されていた
Attachment has been updated for challenge anti-antivirus
Posted on 2019-09-15 08:26:51(+09:00)