Semi-automatic bug detector for lwIP. First introduced at the 2018 Symposium on Cryptography and Information Security (SCIS2018).


lwip bug finder

Find bugs with symbolic execution!

Requirements

Suggested commands are based on Ubuntu 16.04.

  • Python2
  • angr 7
    • sudo -H pip install angr
    • If "ImportError: cannot import name arm" occurs: sudo -H pip install -I --no-use-wheel capstone
  • cxxfilt, hexdump
    • sudo -H pip install cxxfilt hexdump
  • scapy (packet manipulation library)
    • sudo -H pip install scapy
  • graphviz
    • To generate state history graph. Used by emoviz.py.
    • sudo apt install graphviz

Installation

apt install

Install following packages beforehand.

sudo apt install python python-pip pypy pypy-dev graphviz libffi-dev libncurses5-dev 

git clone

This repository has git submodules, so clone with the --recursive option.

git clone --recursive https://github.com/ertlnagoya/lwip-bug-finder.git

build lwip applications with each version of lwip (NOT WORKING?)

simhost (located in unix/unixsim) and echop (located in unix/minimal) are applications provided by lwip-contrib.

build-full-version-simhost.sh builds simhost. Executables are located in ./bin.

build-full-version-dns-echop.sh builds echop, which is a DNS client. Executables are located in ./bin.

I have git-added my simhost-STABLE-1_3_0 and echop-STABLE-1_3_0 for my solver.

Usage

Analysis Flow:

  1. Before Analysis
    • Do memory dump
    • Do preprocess
  2. Main Analysis
    • Configure analysis options
    • Run solver
  3. After Analysis
    • Check results
    • Reproduce found bug (attack lwip application)

TODO: work-flow figure

I. Before Analysis

(Optional) analyze.py

CAUTION: requires radare2 to be installed.

This is a function/data dependency analysis utility.

usage: analyze.py ELF_FILE FUNCTION_NAME_TO_START_ANALYSIS

for example:

% ./analyze.py bin/echop-STABLE-1_3_0 dns_recv
{'sym.snmp_mib_lrn_free', 'sym.pbuf_copy_partial', 'sym.memp_free', 'sym.dns_recv', 'sym.pbuf_free', 'sym.ntohl', 'sym.lwip_standard_chksum'}
{'obj.memp_tab', 'obj.dns_table', 'obj.dns_payload'}

This shows that the functions snmp_mib_lrn_free, pbuf_copy_partial, ... are called after dns_recv is called, and that the objects memp_tab, dns_table and dns_payload are referenced after dns_recv is called.

Known issue:

  • Does NOT work with ARM binaries
    • radare2 does not analyze data dependencies correctly

memory-dump.py

This is a memory dump utility. It dumps process memory and saves the dump in zip format. You must specify the target binary name and the memory regions as arguments.

dump steps:

  1. load this script in gdb attached to the target process (use the source command in gdb)
  2. run python memory_dump(BIN_NAME, [(begin,end)])
    • (begin, end) is an address pair delimiting a memory area

for example:

$ sudo gdb -p `pgrep echop` ### attach to target process
[...]
gdb-peda$ source /media/sf_share/lwip/memory-dump.py 
usage: python memory_dump(bin_name,[(begin,end), ...])
gdb-peda$ python memory_dump("bin/echop-STABLE-1_3_0", [(0x00619000,0x00620000)])
mem: 0x619000 0x620000
[[6393856, 6422528, "memory-619000-620000"]]
zip name: bin/echop-STABLE-1_3_0-dump.zip
[*] memory dump done! Go on your analysis!

preprocess.py

This is a helper script. Running it is required by the solvers. It collects the following information:

  • symbol information
    • address and size
  • function caller addresses
    • addresses of call instructions (such as call func_x)

Don't worry, the solvers tell you how to run it. Follow their instructions.

II. Main Analysis

Configure analysis options

The ./config directory holds configuration files. A configuration file describes the analysis options. The following options are available:

  • arch: CPU architecture
  • arch_bits: CPU bits (32 or 64)
  • ELF_FILE: target binary to be analyzed
  • dump: memory dump file (zip file; generated by memory-dump.py)
  • skip_funcs: functions whose calls are blocked (skipped) during exploration
  • init_objs: objects that should be initialized in the symbolic engine
  • find: same with angr's find
  • avoid: same with angr's avoid
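As an added example (not the project's memory-dump.py or its solvers), here is a Python 3 writer and loader for the dump zip that memory-dump.py produces and the `dump` option consumes. The entry naming ("memory-<begin>-<end>", "<bin>-dump.zip") follows the session output shown above; the read_memory callback, load_dump and its store callback are assumptions of this example.

```python
import io
import zipfile

# Format reconstructed from the memory-dump.py session shown on the page:
# one zip entry per region, named "memory-<begin>-<end>" (hex), inside
# "<bin_name>-dump.zip". Entry naming, the read_memory callback and load_dump
# are assumptions of this added example, not the project's own code.

def region_entry_name(begin, end):
    """Entry name as printed by memory-dump.py, e.g. memory-619000-620000."""
    return "memory-%x-%x" % (begin, end)

def memory_dump(bin_name, regions, read_memory, dest=None):
    """Write each (begin, end) region to a zip and return [[begin, end, name], ...].

    read_memory(addr, length) -> bytes is injected so the same code runs under
    gdb (e.g. lambda a, n: bytes(gdb.selected_inferior().read_memory(a, n)))
    and offline. dest is a path or file object; default is "<bin_name>-dump.zip".
    """
    if dest is None:
        dest = bin_name + "-dump.zip"
    manifest = []
    with zipfile.ZipFile(dest, "w", zipfile.ZIP_DEFLATED) as zf:
        for begin, end in regions:
            if end <= begin:
                raise ValueError("empty or inverted region %#x-%#x" % (begin, end))
            name = region_entry_name(begin, end)
            zf.writestr(name, read_memory(begin, end - begin))
            manifest.append([begin, end, name])
    return manifest

def load_dump(src, store):
    """Replay a dump into a solver state by calling store(addr, data) per region.

    With angr, store would be state.memory.store (assumed usage: the page's
    solvers consume the zip via the `dump` config option). Entry names are
    parsed back to addresses and sizes are checked, so a truncated or foreign
    entry fails loudly instead of silently corrupting the symbolic memory.
    """
    loaded = []
    with zipfile.ZipFile(src) as zf:
        for name in zf.namelist():
            prefix, begin_hex, end_hex = name.split("-")
            if prefix != "memory":
                raise ValueError("unexpected entry %r" % name)
            begin, end = int(begin_hex, 16), int(end_hex, 16)
            data = zf.read(name)
            if len(data) != end - begin:
                raise ValueError("%s: %d bytes, expected %d" % (name, len(data), end - begin))
            store(begin, data)
            loaded.append((begin, end))
    return loaded

def roundtrip_demo():
    """Offline round trip over a constructed 0x100-byte 'process image'."""
    base = 0x619000                      # same region start as the page's session
    image = bytes(range(256))            # constructed sample memory, not a real dump
    def read_memory(addr, length):       # stands in for gdb's read_memory
        off = addr - base
        if off < 0 or off + length > len(image):
            raise IndexError("read outside image")
        return image[off:off + length]
    buf = io.BytesIO()
    manifest = memory_dump("bin/echop-demo", [(base, base + 0x40), (base + 0x80, base + 0x100)],
                           read_memory, dest=buf)
    buf.seek(0)
    stored = {}
    loaded = load_dump(buf, lambda addr, data: stored.__setitem__(addr, data))
    return manifest, loaded, stored
```

Under gdb, pass a read_memory built on gdb.selected_inferior().read_memory and a path as dest; the returned manifest matches the list memory-dump.py prints.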

Run solver

(runtime: < 3 min)

The solver explores the target binary to find bugs. When a bug is found, result.py, which reproduces it, is generated.

dns-echop (named bin/echop-***) is a DNS client. It sends a DNS request in its initialization phase.

Exploration results are saved to the last-output directory when exploration succeeds.

about options

Here are the options of lwip-bug-finder.py:

-c : (required) configuration file (must be located in config directory)

-f : (required) function name to start analysis

--dfs : depth-first search mode in exploration (default is breadth-first search)

--segv : Segmentation fault detection mode

to find bugs

(Run time: < 3min)

DNS bug #1, #2 are described in doc/dns-bugs.md.

### to find lwip bug #24596 (TCP bug)
./lwip-bug-finder.py -c intel_simhost -f tcp_input

### to find DNS bug #1
./lwip-bug-finder.py -c intel_echop -f dns_recv --dfs  # or
./lwip-bug-finder.py -c intel_echop -f dns_recv -b 1,2 --dfs

### to find DNS bug #2
./lwip-bug-finder.py -c intel_echop -f dns_recv -b 1,2 --segv

III. After Analysis

Check ./last-output directory

The following files are located in this directory when analysis succeeds:

  • README.md
  • result.py
  • angr.log
  • ./trace

about the ./trace directory

angr's state history is visualized with emoviz in this directory (saved as .dot and .png files). Check it out!

This directory is placed in the root directory when analysis fails.

Reproduce found bug

The generated script ./result.py attacks the lwip application and triggers the bug.

Tips

emoviz

emoviz is a visualizer module for angr's state history. See emoviz.py for details and lwip-bug-finder.py for usage.

lwip-solve-bug24596.py

Running lwip-solve-bug24596.py generates an attack packet for lwip bug #24596 and saves the result to result.py.

Run sudo ./simhost-STABLE-XXX -d and then sudo python result.py 0 to attack simhost. The lwip version must be 1.x.

script/lwip-bug24596.py is a PoC for lwip bug #24596.

Issues

make error at STABLE-2_0_1 when running ./build-full-version-simhost.sh

cc -g -Wall -DLWIP_DEBUG -pedantic -Werror -Wparentheses -Wsequence-point -Wswitch-default -Wextra -Wundef -Wshadow -Wpointer-arith -Wcast-qual -Wc++-compat -Wwrite-strings -Wold-style-definition -Wcast-align -Wmissing-prototypes -Wredundant-decls -Wnested-externs -Wno-address -Wunreachable-code -Wuninitialized -Wlogical-op -I. -I../../.. -I../../../../lwip/src/include -I../../../ports/unix/port/include -Wno-error=unused-but-set-variable -Wno-error=nested-externs -Wno-error=implicit-function-declaration -pthread -Wno-address -c ../../../../lwip/src/apps/lwiperf/lwiperf.c
cc -g -Wall -DLWIP_DEBUG -pedantic -Werror -Wparentheses -Wsequence-point -Wswitch-default -Wextra -Wundef -Wshadow -Wpointer-arith -Wcast-qual -Wc++-compat -Wwrite-strings -Wold-style-definition -Wcast-align -Wmissing-prototypes -Wredundant-decls -Wnested-externs -Wno-address -Wunreachable-code -Wuninitialized -Wlogical-op -I. -I../../.. -I../../../../lwip/src/include -I../../../ports/unix/port/include -Wno-error=unused-but-set-variable -Wno-error=nested-externs -Wno-error=implicit-function-declaration -pthread -Wno-address -c ../../../../lwip/src/apps/sntp/sntp.c
cc -g -Wall -DLWIP_DEBUG -pedantic -Werror -Wparentheses -Wsequence-point -Wswitch-default -Wextra -Wundef -Wshadow -Wpointer-arith -Wcast-qual -Wc++-compat -Wwrite-strings -Wold-style-definition -Wcast-align -Wmissing-prototypes -Wredundant-decls -Wnested-externs -Wno-address -Wunreachable-code -Wuninitialized -Wlogical-op -I. -I../../.. -I../../../../lwip/src/include -I../../../ports/unix/port/include -Wno-error=unused-but-set-variable -Wno-error=nested-externs -Wno-error=implicit-function-declaration -pthread -Wno-address -c ../../../../lwip/src/apps/mdns/mdns.c
cc -g -Wall -DLWIP_DEBUG -pedantic -Werror -Wparentheses -Wsequence-point -Wswitch-default -Wextra -Wundef -Wshadow -Wpointer-arith -Wcast-qual -Wc++-compat -Wwrite-strings -Wold-style-definition -Wcast-align -Wmissing-prototypes -Wredundant-decls -Wnested-externs -Wno-address -Wunreachable-code -Wuninitialized -Wlogical-op -I. -I../../.. -I../../../../lwip/src/include -I../../../ports/unix/port/include -Wno-error=unused-but-set-variable -Wno-error=nested-externs -Wno-error=implicit-function-declaration -pthread -Wno-address -c ../../../../lwip/src/apps/netbiosns/netbiosns.c
cc -g -Wall -DLWIP_DEBUG -pedantic -Werror -Wparentheses -Wsequence-point -Wswitch-default -Wextra -Wundef -Wshadow -Wpointer-arith -Wcast-qual -Wc++-compat -Wwrite-strings -Wold-style-definition -Wcast-align -Wmissing-prototypes -Wredundant-decls -Wnested-externs -Wno-address -Wunreachable-code -Wuninitialized -Wlogical-op -I. -I../../.. -I../../../../lwip/src/include -I../../../ports/unix/port/include -Wno-error=unused-but-set-variable -Wno-error=nested-externs -Wno-error=implicit-function-declaration -pthread -Wno-address -c ../../../../lwip/src/apps/tftp/tftp_server.c
cc -g -Wall -DLWIP_DEBUG -pedantic -Werror -Wparentheses -Wsequence-point -Wswitch-default -Wextra -Wundef -Wshadow -Wpointer-arith -Wcast-qual -Wc++-compat -Wwrite-strings -Wold-style-definition -Wcast-align -Wmissing-prototypes -Wredundant-decls -Wnested-externs -Wno-address -Wunreachable-code -Wuninitialized -Wlogical-op -I. -I../../.. -I../../../../lwip/src/include -I../../../ports/unix/port/include -Wno-error=unused-but-set-variable -Wno-error=nested-externs -Wno-error=implicit-function-declaration -pthread -Wno-address -c ../../../../lwip/src/apps/mqtt/mqtt.c
ar rs liblwipapps.a httpserver-netconn.o chargen.o udpecho.o tcpecho.o shell.o udpecho_raw.o tcpecho_raw.o netio.o ping.o lwip_prvmib.o smtp.o socket_examples.o rtp.o snmp_asn1.o snmp_core.o snmp_mib2.o snmp_mib2_icmp.o snmp_mib2_interfaces.o snmp_mib2_ip.o snmp_mib2_snmp.o snmp_mib2_system.o snmp_mib2_tcp.o snmp_mib2_udp.o snmp_msg.o snmpv3.o snmp_netconn.o snmp_pbuf_stream.o snmp_raw.o snmp_scalar.o snmp_table.o snmp_threadsync.o snmp_traps.o snmpv3_mbedtls.o snmpv3_dummy.o fs.o httpd.o lwiperf.o sntp.o mdns.o netbiosns.o tftp_server.o mqtt.o
ar: creating liblwipapps.a
cc -g -Wall -DLWIP_DEBUG -pedantic -Werror -Wparentheses -Wsequence-point -Wswitch-default -Wextra -Wundef -Wshadow -Wpointer-arith -Wcast-qual -Wc++-compat -Wwrite-strings -Wold-style-definition -Wcast-align -Wmissing-prototypes -Wredundant-decls -Wnested-externs -Wno-address -Wunreachable-code -Wuninitialized -Wlogical-op -I. -I../../.. -I../../../../lwip/src/include -I../../../ports/unix/port/include -Wno-error=unused-but-set-variable -Wno-error=nested-externs -Wno-error=implicit-function-declaration -pthread -Wno-address -c simhost.c
simhost.c: In function ‘ping_send’:
simhost.c:323:5: warning: implicit declaration of function ‘inet_addr_from_ipaddr’ [-Wimplicit-function-declaration]
     inet_addr_from_ipaddr(&to4->sin_addr, ip_2_ip4(addr));
     ^
simhost.c:323:5: warning: nested extern declaration of ‘inet_addr_from_ipaddr’ [-Wnested-externs]
simhost.c: In function ‘ping_recv’:
simhost.c:357:5: warning: implicit declaration of function ‘inet_addr_to_ipaddr’ [-Wimplicit-function-declaration]
     inet_addr_to_ipaddr(ip_2_ip4(&ip_from), &from4->sin_addr);
     ^
simhost.c:357:5: warning: nested extern declaration of ‘inet_addr_to_ipaddr’ [-Wnested-externs]
cc -g -Wall -DLWIP_DEBUG -pedantic -Werror -Wparentheses -Wsequence-point -Wswitch-default -Wextra -Wundef -Wshadow -Wpointer-arith -Wcast-qual -Wc++-compat -Wwrite-strings -Wold-style-definition -Wcast-align -Wmissing-prototypes -Wredundant-decls -Wnested-externs -Wno-address -Wunreachable-code -Wuninitialized -Wlogical-op -I. -I../../.. -I../../../../lwip/src/include -I../../../ports/unix/port/include -Wno-error=unused-but-set-variable -Wno-error=nested-externs -Wno-error=implicit-function-declaration -pthread -Wno-address -o simhost simhost.o -Wl,--start-group liblwipapps.a liblwipcommon.a -Wl,--end-group -pthread -lutil -lrt
simhost.o: In function `ping_send':
/home/tomori/lwip/lwip-bug-finder/lwip-contrib/ports/unix/unixsim/simhost.c:323: undefined reference to `inet_addr_from_ipaddr'
simhost.o: In function `ping_recv':
/home/tomori/lwip/lwip-bug-finder/lwip-contrib/ports/unix/unixsim/simhost.c:357: undefined reference to `inet_addr_to_ipaddr'
collect2: error: ld returned 1 exit status
Makefile:48: recipe for target 'simhost' failed
make: *** [simhost] Error 1
[!] make error at STABLE-2_0_1

lwip-solve-echop2.py does not generate a packet that attacks the segmentation fault bug without symbolizing pcbs

The solver does not generate a correct attack packet for dns_recv without the following symbolization and constraints. Why?

### symbolize tcp/udp pcbs
print "[*] symbolizing tcp/udp pcbs"
"""
gdb-peda$ p tcp_listen_pcbs
$6 = {
  listen_pcbs = 0x560bea7c7b28 <memp_memory+1736>,
  pcbs = 0x560bea7c7b28 <memp_memory+1736>
}
gdb-peda$ p *(tcp_listen_pcbs->listen_pcbs)
$8 = {
  local_ip = {
    addr = 0x0
  },
  remote_ip = {
    addr = 0x560b
  },
  so_options = 0x2,
  tos = 0x0,
  ttl = 0xff,
  next = 0x560bea7c7b60 <memp_memory+1792>,
  state = LISTEN,
  prio = 0x0,
  callback_arg = 0x560bea7c8250 <memp_memory+3568>,
  local_port = 0x7,
  accept = 0x560bea5a9039 <accept_function>
}
gdb-peda$ x/20wx (tcp_listen_pcbs->listen_pcbs)
0x560bea7c7b28 <memp_memory+1736>:  0x00000000  0x0000560b  0xff000002  0x00000000
0x560bea7c7b38 <memp_memory+1752>:  0xea7c7b60  0x0000560b  0x00000001  0x00000000 // + 16
0x560bea7c7b48 <memp_memory+1768>:  0xea7c8250  0x0000560b  0x00000007  0x00000000 // + 32
0x560bea7c7b58 <memp_memory+1784>:  0xea5a9039  0x0000560b  0x00000000  0x0000560b // + 48
0x560bea7c7b68 <memp_memory+1800>:  0xff000002  0x00000000  0xea7c7b98  0x0000560b

gdb-peda$ x/20wx (tcp_listen_pcbs->listen_pcbs)->callback_arg
0x560bea7c8250 <memp_memory+3568>:  0x00000010  0x00000002  0xea7c7b28  0x0000560b
0x560bea7c8260 <memp_memory+3584>:  0x00000000  0x00000000  0xec000b10  0x00007fd4
0x560bea7c8270 <memp_memory+3600>:  0x00000000  0x00000000  0xe8000f40  0x00007fd4
0x560bea7c8280 <memp_memory+3616>:  0xffffffff  0x00000000  0x00000000  0x00000000
0x560bea7c8290 <memp_memory+3632>:  0x00000000  0x00000000  0x00000000  0x00000000
"""
listen_pcbs = MY_SYMVAR_REGION_BEGIN + 0x10000
callback_arg = listen_pcbs + sizeof("tcp_listen_pcbs")
# state.mem[rebased_addr('tcp_listen_pcbs')].uint64_t = state.se.Reverse(state.se.BVV(listen_pcbs, 64))
state.mem[rebased_addr('tcp_listen_pcbs')].uint64_t = listen_pcbs
state.mem[callback_arg + 0].uint32_t = 0x00000010
state.mem[callback_arg + 4].uint32_t = 0x00000002
symvar_listen_pcbs = state.se.BVS('listen_pcbs', 56 * 8)
symvar_listen_pcbs_state = state.se.BVS('listen_pcbs', 4 * 8)
"""
include/lwip/tcpbase.h
enum tcp_state {
  CLOSED      = 0,
  LISTEN      = 1,
  SYN_SENT    = 2,
  SYN_RCVD    = 3,
  ESTABLISHED = 4,
  FIN_WAIT_1  = 5,
  FIN_WAIT_2  = 6,
  CLOSE_WAIT  = 7,
  CLOSING     = 8,
  LAST_ACK    = 9,
  TIME_WAIT   = 10
};
"""
"""
  for(pcb = tcp_active_pcbs; pcb != NULL; pcb = pcb->next) {
    LWIP_ASSERT("tcp_input: active pcb->state != CLOSED", pcb->state != CLOSED);
    LWIP_ASSERT("tcp_input: active pcb->state != TIME-WAIT", pcb->state != TIME_WAIT);
    LWIP_ASSERT("tcp_input: active pcb->state != LISTEN", pcb->state != LISTEN);
"""
state.add_constraints(state.se.And(symvar_listen_pcbs_state > 1, symvar_listen_pcbs_state < 10)) # to pass assertions
state.add_constraints(NoReverse(state.se.Extract(8 * 4 - 1, 8 * 0, symvar_listen_pcbs)) == 0x0) # local ip
state.add_constraints(NoReverse(state.se.Extract(8 * 8 - 1, 8 * 4, symvar_listen_pcbs)) == 0x560b) # remote ip
state.add_constraints(NoReverse(state.se.Extract(8 * 12 - 1, 8 * 8, symvar_listen_pcbs)) == 0xff000002) # so_options, tos, ttl
state.add_constraints(NoReverse(state.se.Extract(8 * 16 - 1, 8 * 12, symvar_listen_pcbs)) == 0x0) # padding?
state.add_constraints(NoReverse(state.se.Extract(8 * 24 - 1, 8 * 16, symvar_listen_pcbs)) == 0) # next
state.add_constraints(NoReverse(state.se.Extract(8 * 28 - 1, 8 * 24, symvar_listen_pcbs)) == symvar_listen_pcbs_state) # state
# state.add_constraints(NoReverse(state.se.Extract(8 * 32 - 1, 8 * 28, symvar_listen_pcbs)) == 0) # prio?
state.add_constraints(NoReverse(state.se.Extract(8 * 40 - 1, 8 * 32, symvar_listen_pcbs)) == callback_arg) # callback_arg
# state.add_constraints(NoReverse(state.se.Extract(8 * 44 - 1, 8 * 40, symvar_listen_pcbs)) == 7) # local_port
# state.add_constraints(NoReverse(state.se.Extract(8 * 56 - 1, 8 * 48, symvar_listen_pcbs)) == rebased_addr('accept_function')) # accept
state.memory.store(listen_pcbs, state.se.Reverse(symvar_listen_pcbs))


### symbolize tcp_active_pcbs
print "[*] symbolizing tcp_active_pcbs"
"""
gdb-peda$ p (struct tcp_pcb) pcb
$11 = {
  local_ip = {
    addr = 0xea7cbfa8
  },
  remote_ip = {
    addr = 0x560b
  },
  so_options = 0x0,
  tos = 0x0,
  ttl = 0x0,
  next = 0x7fd50530fdf0,
  state = 3931789480,
  prio = 0xb,
  callback_arg = 0x0,
  local_port = 0xfe50,
  remote_port = 0x530,
  flags = 0xd5,
  rcv_nxt = 0xea5a629c,
  rcv_wnd = 0x560b,
  rcv_ann_wnd = 0x0,
  tmr = 0xea7cce00,
  polltmr = 0xb,
  pollinterval = 0x56,
  rtime = 0x0,
  mss = 0xbfa8,
  rttest = 0x560b,
  rtseq = 0x530fe70,
  sa = 0x7fd5,
  sv = 0x0,
  rto = 0x14,
  nrtx = 0x30,
  lastack = 0x1,
  dupacks = 0xce,
  cwnd = 0xea7c,
  ssthresh = 0x560b,
  snd_nxt = 0xea7cce00,
  snd_max = 0x560b,
  snd_wnd = 0x0,
  snd_wl1 = 0x0,
  snd_wl2 = 0x5b10d6e,
  snd_lbb = 0x7fd5,
  acked = 0xd6f,
  snd_buf = 0x5b1,
  snd_queuelen = 0x7fd5,
  unsent = 0x7fd505310700,
  unacked = 0x7fd50530fe80,
  ooseq = 0x560bea5aa751 <tcpip_thread+344>,
  refused_data = 0x0,
  sent = 0x0,
  recv = 0x560bea7c86d8 <memp_memory+4728>,
  connected = 0x69cd72e63fead100,
  accept = 0x0,
  poll = 0x7fd50733c08a <start_thread+218>,
  errf = 0x0,
  keep_idle = 0x5310700,
  persist_cnt = 0x7fd5,
  persist_backoff = 0x0,
  keep_cnt_sent = 0x7
}
"""
pcb = MY_SYMVAR_REGION_BEGIN + 0x16000
state.mem[rebased_addr('tcp_active_pcbs')].uint64_t = pcb
# state.mem[rebased_addr('tcp_active_pcbs') + 8].uint64_t = 0 # terminate with NULL
state.mem[rebased_addr('udp_pcbs')].uint64_t = pcb
symvar_pcb = state.se.BVS('pcb', 0xe0 * 8)
if tcp:
    state.add_constraints(NoReverse(state.se.Extract(8 * 4 - 1, 8 * 0, symvar_pcb)) == 0x0) # local ip
    state.add_constraints(NoReverse(state.se.Extract(8 * 8 - 1, 8 * 4, symvar_pcb)) == 0x560b) # remote ip
    state.add_constraints(NoReverse(state.se.Extract(8 * 12 - 1, 8 * 8, symvar_pcb)) == 0xff000002) # so_options, tos, ttl
    state.add_constraints(NoReverse(state.se.Extract(8 * 16 - 1, 8 * 12, symvar_pcb)) == 0x0) # padding?
    state.add_constraints(NoReverse(state.se.Extract(8 * 24 - 1, 8 * 16, symvar_pcb)) == 0) # next
    state.add_constraints(NoReverse(state.se.Extract(8 * 28 - 1, 8 * 24, symvar_pcb)) == symvar_listen_pcbs_state) # state
elif udp:
    """
gdb-peda$ p *udp_pcbs
$2 = {
  local_ip = {
    addr = 0x0
  },
  remote_ip = {
    addr = 0x0
  },
  so_options = 0x0,
  tos = 0x0,
  ttl = 0xff,
  next = 0x0, // + 16
  flags = 0x0,
  local_port = 0x7, // + 24
  remote_port = 0x0, // + 26
  recv = 0x55b3c4ce893d <recv_udp>,
  recv_arg = 0x55b3c4f082a0 <memp_memory+3648>
}

gdb-peda$ x/20wx udp_pcbs
0x55b3c4f07580 <memp_memory+288>:   0x00000000  0x00000000  0xff000000  0x00000000
0x55b3c4f07590 <memp_memory+304>:   0x00000000  0x00000000  0x00070000  0x00000000
0x55b3c4f075a0 <memp_memory+320>:   0xc4ce893d  0x000055b3  0xc4f082a0  0x000055b3 // + 32
0x55b3c4f075b0 <memp_memory+336>:   0x00000000  0x00000000  0x00000000  0x00000000
0x55b3c4f075c0 <memp_memory+352>:   0x00000000  0x00000000  0x00000000  0x00000000
    """
    state.add_constraints(NoReverse(state.se.Extract(8 * 8 - 1, 8 * 4, symvar_pcb)) == 0x0) # remote ip
    state.add_constraints(NoReverse(state.se.Extract(8 * 12 - 1, 8 * 8, symvar_pcb)) == 0xff000000) # so_options, tos, ttl
    state.add_constraints(NoReverse(state.se.Extract(8 * 16 - 1, 8 * 12, symvar_pcb)) == 0x0) # padding?
    state.add_constraints(NoReverse(state.se.Extract(8 * 24 - 1, 8 * 16, symvar_pcb)) == 0) # next
    state.add_constraints(NoReverse(state.se.Extract(8 * 26 - 1, 8 * 24, symvar_pcb)) == 0x7) # local_port
    state.add_constraints(NoReverse(state.se.Extract(8 * 28 - 1, 8 * 26, symvar_pcb)) == 0x0) # remote_port
    state.add_constraints(NoReverse(state.se.Extract(8 * 32 - 1, 8 * 28, symvar_pcb)) == 0x0) # padding?
    # state.add_constraints(NoReverse(state.se.Extract(8 * 40 - 1, 8 * 32, symvar_pcb)) == rebased_addr('recv_udp')) # recv
state.memory.store(pcb, state.se.Reverse(symvar_pcb))
