-- Name of the binary under analysis. It is used further down as the traced
-- module name and to locate the "<cb>.functions.lua" models file.
-- Alternatives kept for reference (enable one at a time):
--   cb = "CADET_00003"
--   cb = "EAGLE_00005"
--   cb = "PRINTF_0"
cb = "RECIPE_0"

-- Concolic mode is off. The flag is forwarded to CGCMonitor and, when true,
-- also enables the SeedSearcher plugin.
concolic = false

-- Host directory that holds the analysis image, taken from the environment.
-- os.getenv returns nil when IMAGE is unset; the path concatenations that use
-- image_dir then raise an error.
-- NOTE(review): point IMAGE at a dedicated directory. HostFiles is granted
-- write access beneath it and a Lua file under it is executed with dofile.
image_dir = os.getenv("IMAGE")
-- Engine-level settings: log verbosity plus the arguments handed to KLEE.
local klee_args = {
  "--state-shared-memory=true",
  "--fork-on-symbolic-address=true",
  "--enable-speculative-forking=false",
  "--simplify-sym-indices=false",
  "--use-concolic-execution=true",
}

s2e = {
  -- Console output is limited to warnings; the log level is "debug".
  logging = { console = "warn", logLevel = "debug" },
  kleeArgs = klee_args,
}
-- Plugins to load. The order is kept exactly as in the original list.
-- "SeedSearcher" is appended later when `concolic` is true.
plugins = {
  "BaseInstructions",
  "HostFiles",
  "Vmi",

  "ExecutionTracer",
  "ModuleTracer",

  "CGCMonitor",
  "CGCReportCollector",
  "POVGenerator",
  -- "ExploitGenerator",  -- disabled in this configuration
  "VulnerabilityFinder",
  "Recipe",

  "ModuleExecutionDetector",
  "ProcessExecutionDetector",
  "FunctionMonitor",

  "Database",
  "CGCInterface",
}
--- Report whether `name` can be opened for reading.
-- The handle is closed again immediately; nothing is read from the file.
-- Not called anywhere else in the visible part of this config.
-- @tparam string name path to probe
-- @treturn boolean true when io.open succeeds, false otherwise
function file_exists(name)
  local handle = io.open(name, "r")
  if handle == nil then
    return false
  end
  io.close(handle)
  return true
end
-- Per-plugin settings, keyed by plugin name.
pluginsConfig = {}

-- Returns a fresh { image root, binaries sub-directory } list on each call so
-- that HostFiles and Vmi do not share one table.
local function image_base_dirs()
  return { image_dir, image_dir .. "/binaries/" }
end

pluginsConfig.HostFiles = {
  baseDirs = image_base_dirs(),
  -- NOTE(review): presumably this lets guest code write into baseDirs on the
  -- host; confirm against the HostFiles plugin documentation. The same
  -- binaries directory also holds the "<cb>.functions.lua" file that this
  -- config executes with dofile, so a guest able to write there could alter
  -- what the host runs next time. Prefer a separate, write-only output
  -- directory, or keep the models file read-only.
  allowWrite = true,
}

pluginsConfig.Vmi = {
  baseDirs = image_base_dirs(),
}
-- CGCMonitor: both mode switches follow the global `concolic` flag.
local cgc_monitor = {
  invokeOriginalSyscalls = concolic,
  concolicMode = concolic,
  -- feedConcreteData = "",
  -- A segfault terminates neither the process nor its process group.
  terminateOnSegfault = false,
  terminateProcessGroupOnSegfault = false,
  maxReadLimitCount = 65536,
  symbolicReadLimitCount = 65536,
}
pluginsConfig.CGCMonitor = cgc_monitor

-- CGCInterface: no databases configured; both identifiers are left at 0.
-- NOTE(review): the zeros look like placeholders - confirm before relying on
-- stored results being attributable to a specific binary.
local cgc_interface = {
  databases = {},
  ctci_analysis_id = 0,
  cb_sha256_combined = 0,
}
pluginsConfig.CGCInterface = cgc_interface
-- SeedSearcher is only loaded in concolic mode, with a single seed.
if concolic then
  plugins[#plugins + 1] = "SeedSearcher"
  pluginsConfig.SeedSearcher = { seedCount = 1 }
end

-- Restrict module- and process-level detection to the binary named by `cb`.
pluginsConfig.ModuleExecutionDetector = {
  mod_0 = { moduleName = cb, kernelMode = false },
}

pluginsConfig.ProcessExecutionDetector = { moduleNames = { cb } }
-- Recipe text handed to the Recipe plugin as one string. Each
-- "[EIP+n] == value" line constrains the byte at offset n from EIP; the
-- $addr[..] and $size[..] entries appear to be variables resolved by the
-- plugin - confirm against the Recipe plugin documentation.
-- The text is kept verbatim, including the trailing newline before "]]".
local recipe_text = [[
*EIP points to executable memory*
[EIP+0] == 0x31
[EIP+1] == 0xc0
[EIP+2] == 0x31
[EIP+3] == 0xdb
[EIP+4] == 0x31
[EIP+5] == 0xd2
[EIP+6] == 0xb0
[EIP+7] == 0x02
[EIP+8] == 0xb3
[EIP+9] == 0x01
[EIP+10] == 0xb9
[EIP+11] == $addr[0]
[EIP+12] == $addr[1]
[EIP+13] == 0x47
[EIP+14] == 0x43
[EIP+15] == 0xb2
[EIP+16] == $size[0]
[EIP+17] == 0xb6
[EIP+18] == $size[1]
[EIP+19] == 0x31
[EIP+20] == 0xf6
[EIP+21] == 0xcd
[EIP+22] == 0x80
]]

pluginsConfig.Recipe = { recipe = recipe_text }
-- Function models for VulnerabilityFinder. The table starts empty and the
-- per-binary models file is then executed; that file presumably fills in
-- g_function_models - confirm against a sample "<cb>.functions.lua".
g_function_models = {}

-- dofile runs the file as ordinary Lua with everything this config can reach
-- (io and os are available here), and it raises if the file is missing.
-- NOTE(review): the path is built from the IMAGE environment variable and
-- lies inside a directory HostFiles exposes with allowWrite = true. Treat the
-- file as code: keep it owned by a trusted user and not writable from the
-- guest.
local models_path = image_dir .. "/binaries/" .. cb .. ".functions.lua"
dofile(models_path)

pluginsConfig.VulnerabilityFinder = { functions = g_function_models }