Esta es la salida de AddressSanitizer, para diferentes entradas obtengo errores de LECTURA y ESCRITURA. ¿Desde la perspectiva del desbordamiento de búfer de pila que son más interesantes? Quiero ejecutar mi shellcode. ¿Alguien puede interpretar esta salida de AndressSanitizer de una manera más "humana" y comprensible?
Ejemplo de LEER:
==24222== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000010000 at pc 0x4022bd bp 0x7fff9b142e90 sp 0x7fff9b142e88
READ of size 1 at 0x602000010000 thread T0
#0 0x4022bc (/home/user/final/apngdis-2.5.orig/apngdis+0x4022bc)
#1 0x40619a (/home/user/final/apngdis-2.5.orig/apngdis+0x40619a)
#2 0x4012cd (/home/user/final/apngdis-2.5.orig/apngdis+0x4012cd)
#3 0x7f677aadfec4 (/lib/x86_64-linux-gnu/libc-2.19.so+0x21ec4)
#4 0x401734 (/home/user/final/apngdis-2.5.orig/apngdis+0x401734)
0x602000010000 is located 0 bytes to the right of 192-byte region [0x60200000ff40,0x602000010000)
allocated by thread T0 here:
#0 0x7f677b0b141a (/usr/lib/x86_64-linux-gnu/libasan.so.0.0.0+0x1541a)
#1 0x4059bb (/home/user/final/apngdis-2.5.orig/apngdis+0x4059bb)
Shadow bytes around the buggy address:
0x0c047fff9fb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9fc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9fd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9fe0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c047fff9ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c047fffa000:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffa010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffa020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffa030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffa040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffa050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap righ redzone: fb
Freed Heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==24222== ABORTING
A continuación se muestra la salida GDB
¿Este desbordamiento de Heap es explotable? ¿Qué debo buscar en el código? ¿Puedes dar algunos ejemplos con fragmentos de código?
Starting program: /home/user/final/apngdis-2.5.orig/apngdis crash.png
APNG Disassembler 2.5
Reading 'crash.png'...
Breakpoint 2, unpack (zstream=..., dst=dst@entry=0x6e1910 "", dst_size=dst_size@entry=192, src=src@entry=0x6e19e0 "x2b670", src_size=src_size@entry=14, h=2147483651,
rowbytes=rowbytes@entry=63, bpp=1 'root@user-lap:~/final/apngdis-2.5.orig# export ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer-3.4
root@user-lap:~/final/apngdis-2.5.orig# ASAN_OPTIONS=symbolize=1 ./apngdis crash.png
APNG Disassembler 2.5
Reading 'crash.png'...
=================================================================
==25265== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000010000 at pc 0x41c07d bp 0x7ffc560b3f20 sp 0x7ffc560b3f18
READ of size 1 at 0x602000010000 thread T0
#0 0x41c07c in unpack /home/user/final/apngdis-2.5.orig/apngdis.c:185
#1 0x41ff5a in LoadAPNG /home/user/final/apngdis-2.5.orig/apngdis.c:846
#2 0x40281d in main /home/user/final/apngdis-2.5.orig/apngdis.c:1208
#3 0x7fb4ca7e4ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#4 0x402c84 in _start (/home/user/final/apngdis-2.5.orig/apngdis+0x402c84)
0x602000010000 is located 0 bytes to the right of 192-byte region [0x60200000ff40,0x602000010000)
allocated by thread T0 here:
#0 0x412c0a in __interceptor_malloc (/home/user/final/apngdis-2.5.orig/apngdis+0x412c0a)
#1 0x41f77b in LoadAPNG /home/user/final/apngdis-2.5.orig/apngdis.c:635
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/user/final/apngdis-2.5.orig/apngdis.c:185 unpack
Shadow bytes around the buggy address:
0x0c047fff9fb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9fc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9fd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9fe0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c047fff9ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c047fffa000:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffa010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffa020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffa030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffa040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffa050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap righ redzone: fb
Freed Heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==25265== ABORTING
1') at apngdis.c:171
171 {
(gdb)
(gdb)
(gdb) l
166 row[i] += row[i-bpp];
167 }
168 }
169
170 void unpack(z_stream zstream, unsigned char * dst, unsigned int dst_size, unsigned char * src, unsigned int src_size, unsigned int h, unsigned int rowbytes, unsigned char bpp)
171 {
172 unsigned int j;
173 unsigned char * row = dst;
174 unsigned char * prev_row = NULL;
175
(gdb) l
176 zstream.next_out = dst;
177 zstream.avail_out = dst_size;
178 zstream.next_in = src;
179 zstream.avail_in = src_size;
180 inflate(&zstream, Z_FINISH);
181 inflateReset(&zstream);
182
183 for (j=0; j<h; j++)
184 {
185 switch (*row++)
(gdb) l
186 {
187 case 0: break;
188 case 1: read_sub_row(row, rowbytes, bpp); break;
189 case 2: read_up_row(row, prev_row, rowbytes, bpp); break;
190 case 3: read_average_row(row, prev_row, rowbytes, bpp); break;
191 case 4: read_paeth_row(row, prev_row, rowbytes, bpp); break;
192 }
193 prev_row = row;
194 row += rowbytes;
195 }
(gdb) cont
Continuing.
Program received signal SIGSEGV, Segmentation fault.
unpack (zstream=..., dst=dst@entry=0x6e1910 "==2720== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60ae0003a81c at pc 0x41ee70 bp 0x7ffc84d157d0 sp 0x7ffc84d157c8
WRITE of size 4 at 0x60ae0003a81c thread T0
#0 0x41ee6f in compose6 /home/user/final/apngdis-2.5.orig/apngdis.c:475
#1 0x420025 in LoadAPNG /home/user/final/apngdis-2.5.orig/apngdis.c:853
#2 0x40281d in main /home/user/final/apngdis-2.5.orig/apngdis.c:1208
#3 0x7f4942135ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#4 0x402c84 in _start (/home/user/final/apngdis-2.5.orig/apngdis+0x402c84)
0x60ae0003a81c is located 0 bytes to the right of 114716-byte region [0x60ae0001e800,0x60ae0003a81c)
allocated by thread T0 here:
#0 0x412c0a in __interceptor_malloc (/home/user/final/apngdis-2.5.orig/apngdis+0x412c0a)
#1 0x41f746 in LoadAPNG /home/user/final/apngdis-2.5.orig/apngdis.c:633
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/user/final/apngdis-2.5.orig/apngdis.c:474 compose6
Shadow bytes around the buggy address:
0x0c163ffff4b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c163ffff4c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c163ffff4d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c163ffff4e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c163ffff4f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c163ffff500: 00 00 00[04]fa fa fa fa fa fa fa fa fa fa fa fa
0x0c163ffff510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c163ffff520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c163ffff530: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c163ffff540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c163ffff550: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap righ redzone: fb
Freed Heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==2720== ABORTING
37777356", '7' <repeats 17 times>, "ϗ{mfca'''00H$2\troot@laptop:~/security/apngfuzz/apngdis-2.5.orig# gdb ./apngdis crash/crash.png
GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.04) 7.11.1
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./apngdis...done.
"/home/user/security/apngfuzz/apngdis-2.5.orig/crash/crash.png" is not a core dump: File format not recognized
(gdb) r crash/crash.png
Starting program: /home/user/security/apngfuzz/apngdis-2.5.orig/apngdis crash/crash.png
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
APNG Disassembler 2.5
Reading 'crash/crash.png'...
=================================================================
==14864==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ef91 at pc 0x00000040b1b4 bp 0x7fffffffd9b0 sp 0x7fffffffd9a0
READ of size 1 at 0x60200000ef91 thread T0
#0 0x40b1b3 in compose6 /home/user/security/apngfuzz/apngdis-2.5.orig/apngdis.c:469
#1 0x40ca5f in LoadAPNG /home/user/security/apngfuzz/apngdis-2.5.orig/apngdis.c:850
#2 0x4017be in main /home/user/security/apngfuzz/apngdis-2.5.orig/apngdis.c:1202
#3 0x7ffff68a782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#4 0x402048 in _start (/home/user/security/apngfuzz/apngdis-2.5.orig/apngdis+0x402048)
0x60200000ef91 is located 0 bytes to the right of 1-byte region [0x60200000ef90,0x60200000ef91)
allocated by thread T0 here:
#0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x40bb97 in LoadAPNG /home/user/security/apngfuzz/apngdis-2.5.orig/apngdis.c:632
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/user/security/apngfuzz/apngdis-2.5.orig/apngdis.c:469 compose6
Shadow bytes around the buggy address:
0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 00 06
=>0x0c047fff9df0: fa fa[01]fa fa fa 04 fa fa fa 01 fa fa fa 01 fa
0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==14864==ABORTING
[Inferior 1 (process 14864) exited with code 01]
(gdb) disass crash/crash.pngQuit
(gdb) dis
disable disassemble disconnect display
(gdb) disass 0x40b1b3
Dump of assembler code for function compose6:
0x000000000040a990 <+0>: lea -0x98(%rsp),%rsp
0x000000000040a998 <+8>: mov %rdx,(%rsp)
0x000000000040a99c <+12>: mov %rcx,0x8(%rsp)
0x000000000040a9a1 <+17>: mov %rax,0x10(%rsp)
0x000000000040a9a6 <+22>: mov $0xbb3f,%rcx
0x000000000040a9ad <+29>: callq 0x4112e0 <__afl_maybe_log>
0x000000000040a9b2 <+34>: mov 0x10(%rsp),%rax
0x000000000040a9b7 <+39>: mov 0x8(%rsp),%rcx
0x000000000040a9bc <+44>: mov (%rsp),%rdx
0x000000000040a9c0 <+48>: lea 0x98(%rsp),%rsp
0x000000000040a9c8 <+56>: push %r15
0x000000000040a9ca <+58>: push %r14
0x000000000040a9cc <+60>: push %r13
0x000000000040a9ce <+62>: push %r12
0x000000000040a9d0 <+64>: push %rbp
0x000000000040a9d1 <+65>: push %rbx
0x000000000040a9d2 <+66>: sub $0x48,%rsp
0x000000000040a9d6 <+70>: movzbl 0x88(%rsp),%r13d
0x000000000040a9df <+79>: mov %rdi,0x18(%rsp)
0x000000000040a9e4 <+84>: mov %r8d,0x28(%rsp)
0x000000000040a9e9 <+89>: mov %r9d,0x2c(%rsp)
0x000000000040a9ee <+94>: add $0x7,%r13d
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb) i r
The program has no registers now.
(gdb) b *0x40b1b3
Breakpoint 1 at 0x40b1b3: file apngdis.c, line 469.
(gdb) r crash/crash.png
Starting program: /home/user/security/apngfuzz/apngdis-2.5.orig/apngdis crash/crash.png
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
APNG Disassembler 2.5
Reading 'crash/crash.png'...
Program received signal SIGSEGV, Segmentation fault.
0xffffffffcd4013e0 in ?? ()
(gdb) i r
rax 0x1 1
rbx 0x1 1
rcx 0x60210000efd0 105694850248656
rdx 0xc0400001df2 13211319410162
rsi 0x60200000ef92 105690555281298
rdi 0x60200000ef91 105690555281297
rbp 0x2 0x2
rsp 0x7fffffffd9b8 0x7fffffffd9b8
r8 0x0 0
r9 0x1 1
r10 0x60200000eff0 105690555281392
r11 0x60200000ef91 105690555281297
r12 0x40000000 1073741824
r13 0x1 1
r14 0x1 1
r15 0x4 4
rip 0xffffffffcd4013e0 0xffffffffcd4013e0
eflags 0x10202 [ IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
---Type <return> to continue, or q <return> to quit---
gs 0x0 0
(gdb) info registers rip
rip 0xffffffffcd4013e0 0xffffffffcd4013e0
4==24222== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000010000 at pc 0x4022bd bp 0x7fff9b142e90 sp 0x7fff9b142e88
READ of size 1 at 0x602000010000 thread T0
#0 0x4022bc (/home/user/final/apngdis-2.5.orig/apngdis+0x4022bc)
#1 0x40619a (/home/user/final/apngdis-2.5.orig/apngdis+0x40619a)
#2 0x4012cd (/home/user/final/apngdis-2.5.orig/apngdis+0x4012cd)
#3 0x7f677aadfec4 (/lib/x86_64-linux-gnu/libc-2.19.so+0x21ec4)
#4 0x401734 (/home/user/final/apngdis-2.5.orig/apngdis+0x401734)
0x602000010000 is located 0 bytes to the right of 192-byte region [0x60200000ff40,0x602000010000)
allocated by thread T0 here:
#0 0x7f677b0b141a (/usr/lib/x86_64-linux-gnu/libasan.so.0.0.0+0x1541a)
#1 0x4059bb (/home/user/final/apngdis-2.5.orig/apngdis+0x4059bb)
Shadow bytes around the buggy address:
0x0c047fff9fb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9fc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9fd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9fe0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c047fff9ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c047fffa000:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffa010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffa020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffa030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffa040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffa050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap righ redzone: fb
Freed Heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==24222== ABORTING
2Starting program: /home/user/final/apngdis-2.5.orig/apngdis crash.png
APNG Disassembler 2.5
Reading 'crash.png'...
Breakpoint 2, unpack (zstream=..., dst=dst@entry=0x6e1910 "", dst_size=dst_size@entry=192, src=src@entry=0x6e19e0 "x2b670", src_size=src_size@entry=14, h=2147483651,
rowbytes=rowbytes@entry=63, bpp=1 'root@user-lap:~/final/apngdis-2.5.orig# export ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer-3.4
root@user-lap:~/final/apngdis-2.5.orig# ASAN_OPTIONS=symbolize=1 ./apngdis crash.png
APNG Disassembler 2.5
Reading 'crash.png'...
=================================================================
==25265== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000010000 at pc 0x41c07d bp 0x7ffc560b3f20 sp 0x7ffc560b3f18
READ of size 1 at 0x602000010000 thread T0
#0 0x41c07c in unpack /home/user/final/apngdis-2.5.orig/apngdis.c:185
#1 0x41ff5a in LoadAPNG /home/user/final/apngdis-2.5.orig/apngdis.c:846
#2 0x40281d in main /home/user/final/apngdis-2.5.orig/apngdis.c:1208
#3 0x7fb4ca7e4ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#4 0x402c84 in _start (/home/user/final/apngdis-2.5.orig/apngdis+0x402c84)
0x602000010000 is located 0 bytes to the right of 192-byte region [0x60200000ff40,0x602000010000)
allocated by thread T0 here:
#0 0x412c0a in __interceptor_malloc (/home/user/final/apngdis-2.5.orig/apngdis+0x412c0a)
#1 0x41f77b in LoadAPNG /home/user/final/apngdis-2.5.orig/apngdis.c:635
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/user/final/apngdis-2.5.orig/apngdis.c:185 unpack
Shadow bytes around the buggy address:
0x0c047fff9fb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9fc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9fd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9fe0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c047fff9ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c047fffa000:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffa010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffa020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffa030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffa040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffa050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap righ redzone: fb
Freed Heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==25265== ABORTING
1') at apngdis.c:171
171 {
(gdb)
(gdb)
(gdb) l
166 row[i] += row[i-bpp];
167 }
168 }
169
170 void unpack(z_stream zstream, unsigned char * dst, unsigned int dst_size, unsigned char * src, unsigned int src_size, unsigned int h, unsigned int rowbytes, unsigned char bpp)
171 {
172 unsigned int j;
173 unsigned char * row = dst;
174 unsigned char * prev_row = NULL;
175
(gdb) l
176 zstream.next_out = dst;
177 zstream.avail_out = dst_size;
178 zstream.next_in = src;
179 zstream.avail_in = src_size;
180 inflate(&zstream, Z_FINISH);
181 inflateReset(&zstream);
182
183 for (j=0; j<h; j++)
184 {
185 switch (*row++)
(gdb) l
186 {
187 case 0: break;
188 case 1: read_sub_row(row, rowbytes, bpp); break;
189 case 2: read_up_row(row, prev_row, rowbytes, bpp); break;
190 case 3: read_average_row(row, prev_row, rowbytes, bpp); break;
191 case 4: read_paeth_row(row, prev_row, rowbytes, bpp); break;
192 }
193 prev_row = row;
194 row += rowbytes;
195 }
(gdb) cont
Continuing.
Program received signal SIGSEGV, Segmentation fault.
unpack (zstream=..., dst=dst@entry=0x6e1910 "==2720== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60ae0003a81c at pc 0x41ee70 bp 0x7ffc84d157d0 sp 0x7ffc84d157c8
WRITE of size 4 at 0x60ae0003a81c thread T0
#0 0x41ee6f in compose6 /home/user/final/apngdis-2.5.orig/apngdis.c:475
#1 0x420025 in LoadAPNG /home/user/final/apngdis-2.5.orig/apngdis.c:853
#2 0x40281d in main /home/user/final/apngdis-2.5.orig/apngdis.c:1208
#3 0x7f4942135ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#4 0x402c84 in _start (/home/user/final/apngdis-2.5.orig/apngdis+0x402c84)
0x60ae0003a81c is located 0 bytes to the right of 114716-byte region [0x60ae0001e800,0x60ae0003a81c)
allocated by thread T0 here:
#0 0x412c0a in __interceptor_malloc (/home/user/final/apngdis-2.5.orig/apngdis+0x412c0a)
#1 0x41f746 in LoadAPNG /home/user/final/apngdis-2.5.orig/apngdis.c:633
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/user/final/apngdis-2.5.orig/apngdis.c:474 compose6
Shadow bytes around the buggy address:
0x0c163ffff4b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c163ffff4c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c163ffff4d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c163ffff4e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c163ffff4f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c163ffff500: 00 00 00[04]fa fa fa fa fa fa fa fa fa fa fa fa
0x0c163ffff510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c163ffff520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c163ffff530: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c163ffff540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c163ffff550: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap righ redzone: fb
Freed Heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==2720== ABORTING
37777356", '7' <repeats 17 times>, "ϗ{mfca'''00H$2\troot@laptop:~/security/apngfuzz/apngdis-2.5.orig# gdb ./apngdis crash/crash.png
GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.04) 7.11.1
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./apngdis...done.
"/home/user/security/apngfuzz/apngdis-2.5.orig/crash/crash.png" is not a core dump: File format not recognized
(gdb) r crash/crash.png
Starting program: /home/user/security/apngfuzz/apngdis-2.5.orig/apngdis crash/crash.png
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
APNG Disassembler 2.5
Reading 'crash/crash.png'...
=================================================================
==14864==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ef91 at pc 0x00000040b1b4 bp 0x7fffffffd9b0 sp 0x7fffffffd9a0
READ of size 1 at 0x60200000ef91 thread T0
#0 0x40b1b3 in compose6 /home/user/security/apngfuzz/apngdis-2.5.orig/apngdis.c:469
#1 0x40ca5f in LoadAPNG /home/user/security/apngfuzz/apngdis-2.5.orig/apngdis.c:850
#2 0x4017be in main /home/user/security/apngfuzz/apngdis-2.5.orig/apngdis.c:1202
#3 0x7ffff68a782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#4 0x402048 in _start (/home/user/security/apngfuzz/apngdis-2.5.orig/apngdis+0x402048)
0x60200000ef91 is located 0 bytes to the right of 1-byte region [0x60200000ef90,0x60200000ef91)
allocated by thread T0 here:
#0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x40bb97 in LoadAPNG /home/user/security/apngfuzz/apngdis-2.5.orig/apngdis.c:632
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/user/security/apngfuzz/apngdis-2.5.orig/apngdis.c:469 compose6
Shadow bytes around the buggy address:
0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 00 06
=>0x0c047fff9df0: fa fa[01]fa fa fa 04 fa fa fa 01 fa fa fa 01 fa
0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==14864==ABORTING
[Inferior 1 (process 14864) exited with code 01]
(gdb) disass crash/crash.pngQuit
(gdb) dis
disable disassemble disconnect display
(gdb) disass 0x40b1b3
Dump of assembler code for function compose6:
0x000000000040a990 <+0>: lea -0x98(%rsp),%rsp
0x000000000040a998 <+8>: mov %rdx,(%rsp)
0x000000000040a99c <+12>: mov %rcx,0x8(%rsp)
0x000000000040a9a1 <+17>: mov %rax,0x10(%rsp)
0x000000000040a9a6 <+22>: mov $0xbb3f,%rcx
0x000000000040a9ad <+29>: callq 0x4112e0 <__afl_maybe_log>
0x000000000040a9b2 <+34>: mov 0x10(%rsp),%rax
0x000000000040a9b7 <+39>: mov 0x8(%rsp),%rcx
0x000000000040a9bc <+44>: mov (%rsp),%rdx
0x000000000040a9c0 <+48>: lea 0x98(%rsp),%rsp
0x000000000040a9c8 <+56>: push %r15
0x000000000040a9ca <+58>: push %r14
0x000000000040a9cc <+60>: push %r13
0x000000000040a9ce <+62>: push %r12
0x000000000040a9d0 <+64>: push %rbp
0x000000000040a9d1 <+65>: push %rbx
0x000000000040a9d2 <+66>: sub $0x48,%rsp
0x000000000040a9d6 <+70>: movzbl 0x88(%rsp),%r13d
0x000000000040a9df <+79>: mov %rdi,0x18(%rsp)
0x000000000040a9e4 <+84>: mov %r8d,0x28(%rsp)
0x000000000040a9e9 <+89>: mov %r9d,0x2c(%rsp)
0x000000000040a9ee <+94>: add $0x7,%r13d
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb) i r
The program has no registers now.
(gdb) b *0x40b1b3
Breakpoint 1 at 0x40b1b3: file apngdis.c, line 469.
(gdb) r crash/crash.png
Starting program: /home/user/security/apngfuzz/apngdis-2.5.orig/apngdis crash/crash.png
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
APNG Disassembler 2.5
Reading 'crash/crash.png'...
Program received signal SIGSEGV, Segmentation fault.
0xffffffffcd4013e0 in ?? ()
(gdb) i r
rax 0x1 1
rbx 0x1 1
rcx 0x60210000efd0 105694850248656
rdx 0xc0400001df2 13211319410162
rsi 0x60200000ef92 105690555281298
rdi 0x60200000ef91 105690555281297
rbp 0x2 0x2
rsp 0x7fffffffd9b8 0x7fffffffd9b8
r8 0x0 0
r9 0x1 1
r10 0x60200000eff0 105690555281392
r11 0x60200000ef91 105690555281297
r12 0x40000000 1073741824
r13 0x1 1
r14 0x1 1
r15 0x4 4
rip 0xffffffffcd4013e0 0xffffffffcd4013e0
eflags 0x10202 [ IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
---Type <return> to continue, or q <return> to quit---
gs 0x0 0
(gdb) info registers rip
rip 0xffffffffcd4013e0 0xffffffffcd4013e0
4%pre%2%pre%1", dst_size=dst_size@entry=192,
src=src@entry=0x6e19e0 "x2b670", src_size=src_size@entry=14, h=2147483651, rowbytes=rowbytes@entry=63, bpp=1 '%pre%1') at apngdis.c:185
185 switch (*row++)
(gdb)
1", dst_size=dst_size@entry=192,
src=src@entry=0x6e19e0 "x2b670", src_size=src_size@entry=14, h=2147483651, rowbytes=rowbytes@entry=63, bpp=1 '%pre%1') at apngdis.c:185
185 switch (*row++)
(gdb)
Aquí con símbolos:
%pre%Por último, pero no menos importante, un enlace a un buen tutorial sobre Desbordamientos de búfer de pila en Linux que es real será increíble.
Aquí está el código completo del programa en cuestión:
Actualización 29.02.2016
Encontré una escritura de 4 bytes. Parece que hay una llamada malloc en LoadAPNG con valor controlado por el usuario. ¿Se puede utilizar la técnica "La Casa de la Fuerza"?
%pre%Actualización 07.02.2017
Según lo solicitado por @grepNstepN
%pre%