diff --git a/lab6/Answer.md b/lab6/Answer.md
index fabc82e6..dba45cbf 100644
--- a/lab6/Answer.md
+++ b/lab6/Answer.md
@@ -3,10 +3,43 @@ ID:
 ### Fuzz Monitor
 ```
+ american fuzzy lop 2.57b (bmpcomp)
+┌─ process timing ─────────────────────────────────────┬─ overall results ─────┐
+│ run time : 0 days, 0 hrs, 0 min, 14 sec │ cycles done : 0 │
+│ last new path : 0 days, 0 hrs, 0 min, 0 sec │ total paths : 6 │
+│ last uniq crash : 0 days, 0 hrs, 0 min, 10 sec │ uniq crashes : 1 │
+│ last uniq hang : none seen yet │ uniq hangs : 0 │
+├─ cycle progress ────────────────────┬─ map coverage ─┴───────────────────────┤
+│ now processing : 0 (0.00%) │ map density : 0.04% / 0.04% │
+│ paths timed out : 0 (0.00%) │ count coverage : 1.77 bits/tuple │
+├─ stage progress ────────────────────┼─ findings in depth ────────────────────┤
+│ now trying : bitflip 2/1 │ favored paths : 1 (16.67%) │
+│ stage execs : 184/223 (82.51%) │ new edges on : 1 (16.67%) │
+│ total execs : 497 │ total crashes : 23 (1 unique) │
+│ exec speed : 22.29/sec (slow!) │ total tmouts : 45 (3 unique) │
+├─ fuzzing strategy yields ───────────┴───────────────┬─ path geometry ────────┤
+│ bit flips : 4/224, 0/0, 0/0 │ levels : 2 │
+│ byte flips : 0/0, 0/0, 0/0 │ pending : 6 │
+│ arithmetics : 0/0, 0/0, 0/0 │ pend fav : 1 │
+│ known ints : 0/0, 0/0, 0/0 │ own finds : 5 │
+│ dictionary : 0/0, 0/0, 0/0 │ imported : n/a │
+│ havoc : 0/0, 0/0 │ stability : 100.00% │
+│ trim : 100.00%/37, n/a ├────────────────────────┘
+└─────────────────────────────────────────────────────┘ [cpu010: 9%]
 ```
 ### Run Crash Result
 ```
+size of Herder 54
+AddressSanitizer:DEADLYSIGNAL
+=================================================================
+==401==ERROR: AddressSanitizer: stack-overflow on address 0x7ffd0726d698 (pc 0x556c57c0d02e bp 0x7ffd07a6caf0 sp 0x7ffd0726c6a0 T0)
+ #0 0x556c57c0d02e in main /home/pipi/112-spring-software-testing-and-secure-programming/lab6/src/hw0302.c:46
+ #1 0x7f64e8941d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)
+ #2 0x7f64e8941e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f)
+ #3 0x556c57c0db44 in _start (/home/pipi/112-spring-software-testing-and-secure-programming/lab6/src/bmpcomp+0x2b44)
+SUMMARY: AddressSanitizer: stack-overflow /home/pipi/112-spring-software-testing-and-secure-programming/lab6/src/hw0302.c:46 in main
+==401==ABORTING
 ```
diff --git a/lab7/sol.py b/lab7/sol.py
index e69de29b..5b2a4628 100644
--- a/lab7/sol.py
+++ b/lab7/sol.py
@@ -0,0 +1,35 @@
+import angr
+import sys
+
+def main():
+ # 載入要分析的程式 './login'
+ project = angr.Project('./login')
+
+ # 創建初始狀態
+ initial_state = project.factory.entry_state()
+
+ # 創建模擬執行管理器
+ simulation_manager = project.factory.simgr(initial_state)
+
+ def is_successful(state):
+ # 取得標準輸出的內容
+ stdout_output = state.posix.dumps(sys.stdout.fileno())
+ # 檢查是否包含 "Login successful" 字串
+ return "Login successful" in stdout_output.decode()
+
+ # 進行符號執行,尋找成功狀態
+ simulation_manager.explore(find=is_successful, depth=100)
+
+ if simulation_manager.found:
+ # 如果找到了成功狀態
+ solution_state = simulation_manager.found[0]
+ # 取得標準輸入的內容,即為密碼
+ password = solution_state.posix.dumps(sys.stdin.fileno())
+ # 將密碼解碼為字串輸出
+ print(password.decode())
+ else:
+ # 如果沒有找到成功狀態,輸出未找到密碼的提示
+ print("無法找到密碼")
+
+if __name__ == '__main__':
+ main()
\ No newline at end of file
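Review bot: `is_successful` runs a strict `.decode()` on the concretized stdout, and the final `print(password.decode())` does the same on stdin; a partially constrained state can hold bytes that are not valid UTF-8, so either call raises `UnicodeDecodeError` and aborts the whole search instead of just rejecting that state. Compare as bytes, `return b"Login successful" in stdout_output`, and emit the recovered input without assuming an encoding, e.g. `sys.stdout.buffer.write(password)` or `print(password.decode(errors="replace"))`. There is also no `avoid=` predicate, so every failing path stays in the active stash and keeps being stepped; if the binary prints a failure banner, passing it as `avoid=lambda s: b"<failure text>" in s.posix.dumps(1)` prunes those states early and bounds the exploration. The not-found branch prints a message but still exits 0, so a caller cannot tell the two outcomes apart; `sys.exit(1)` there makes the failure visible.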