cb = "CADET_00003"cb = "EAGLE_00005"cb = "PRINTF_0"cb = "RECIPE_0"concolic

1. cb = "CADET_00003"
2. cb = "EAGLE_00005"
3. cb = "PRINTF_0"
4. cb = "RECIPE_0"
5.  
6. concolic = not true
7.  
8. image_dir = os.getenv("IMAGE")
9.  
10. s2e = {
11. logging = {
12. console = "warn",
13. logLevel = "debug"
14. },
15. kleeArgs = {
16. "--state-shared-memory=true",
17. "--fork-on-symbolic-address=true",
18. "--enable-speculative-forking=false",
19. "--simplify-sym-indices=false",
20. "--use-concolic-execution=true",
21. }
22. }
23.  
24. plugins = {
25. "BaseInstructions",
26.  
27. "HostFiles",
28. "Vmi",
29.  
30. "ExecutionTracer",
31. "ModuleTracer",
32.  
33. "CGCMonitor",
34. "CGCReportCollector",
35. "POVGenerator",
36. --"ExploitGenerator",
37. "VulnerabilityFinder",
38. "Recipe",
39.  
40. "ModuleExecutionDetector",
41. "ProcessExecutionDetector",
42. "FunctionMonitor",
43.  
44. "Database",
45. "CGCInterface",
46. }
47.  
48. function file_exists(name)
49. local f=io.open(name,"r")
50. if f~=nil then io.close(f) return true else return false end
51. end
52.  
53. pluginsConfig = {}
54.  
55. pluginsConfig.HostFiles = {
56. baseDirs = {image_dir, image_dir .. "/binaries/"},
57. allowWrite = true
58. }
59.  
60. pluginsConfig.Vmi = {
61. baseDirs = {image_dir, image_dir .. "/binaries/"},
62. }
63.  
64. pluginsConfig.CGCMonitor = {
65. invokeOriginalSyscalls = concolic,
66. concolicMode = concolic,
67.  
68. --feedConcreteData = "",
69.  
70. terminateOnSegfault = false,
71. terminateProcessGroupOnSegfault = false,
72.  
73. maxReadLimitCount = 65536,
74. symbolicReadLimitCount = 65536,
75. }
76.  
77. pluginsConfig.CGCInterface = {
78. databases = {},
79. ctci_analysis_id = 0,
80. cb_sha256_combined = 0,
81. }
82.  
83. if concolic then
84. table.insert(plugins, "SeedSearcher")
85. pluginsConfig.SeedSearcher = {seedCount = 1}
86. end
87.  
88. pluginsConfig.ModuleExecutionDetector = {
89. mod_0 = {
90. moduleName = cb,
91. kernelMode = false
92. },
93. }
94.  
95. pluginsConfig.ProcessExecutionDetector = {
96. moduleNames = {cb}
97. }
98.  
99. pluginsConfig.Recipe = {
100. recipe = [[
101. *EIP points to executable memory*
102. [EIP+0] == 0x31
103. [EIP+1] == 0xc0
104. [EIP+2] == 0x31
105. [EIP+3] == 0xdb
106. [EIP+4] == 0x31
107. [EIP+5] == 0xd2
108. [EIP+6] == 0xb0
109. [EIP+7] == 0x02
110. [EIP+8] == 0xb3
111. [EIP+9] == 0x01
112. [EIP+10] == 0xb9
113. [EIP+11] == $addr[0]
114. [EIP+12] == $addr[1]
115. [EIP+13] == 0x47
116. [EIP+14] == 0x43
117. [EIP+15] == 0xb2
118. [EIP+16] == $size[0]
119. [EIP+17] == 0xb6
120. [EIP+18] == $size[1]
121. [EIP+19] == 0x31
122. [EIP+20] == 0xf6
123. [EIP+21] == 0xcd
124. [EIP+22] == 0x80
125. ]]
126. }
127.  
128. g_function_models = {}
129. dofile(image_dir .. "/binaries/" .. cb .. ".functions.lua")
130.  
131. pluginsConfig.VulnerabilityFinder = {
132. functions = g_function_models
133. }