vancaho / avalanche
Automatically exported from code.google.com/p/avalanche
Test environment:
Ubuntu 10.04 32 bit (2.6.32-33-generic i686 SMP) in Virtualbox OSE 4.0.4, 2 cores of i5-2500, 768 MB of RAM
Host OS: ubuntu 11.04 64 bit (2.6.38-10-generic x86_64 SMP)
compiler: gcc version 4.4.3
=====================================
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#define BUF_SIZE 128
int main(int argc, char** argv)
{
    uint8_t input[BUF_SIZE];
    const uint8_t expected[BUF_SIZE]="verylongexpectedbadstring123456789abcdefghijklmnopqrstuvwxyz____";
    uint16_t dest;
    /* argv[1]: input file (created if missing); argv[2]: number of bytes to compare, default 32 */
    int fd1 = open(argv[1], O_RDONLY | O_CREAT, S_IRWXU | S_IRWXG | S_IRWXO);
    dest=(argv[2])?atoi(argv[2]):32;
    if(dest>BUF_SIZE)
        dest=BUF_SIZE;
    /* the return value of read() is not checked: a seed shorter than dest leaves the tail of input uninitialised */
    read(fd1, input, dest);
    /* the crash avalanche is expected to find: the first dest bytes equal the expected string */
    if(!memcmp(input,expected,dest))
        abort();
    return 0;
}
======================================
in2 - input zero-filled file
Compare:
ioex@ioex-desktop:~/workspace/avalanche/tests$ stat -c %s in2
28
ioex@ioex-desktop:~/workspace/avalanche/tests$ ~/avalanche-0.5/bin/avalanche --filename=./in2 ./test5 ./in2 32
Starting iteration 0
...
Starting iteration 13
Exploits report:
ioex@ioex-desktop:~/workspace/avalanche/tests$ stat -c %s in
4097
ioex@ioex-desktop:~/workspace/avalanche/tests$ ~/avalanche-0.5/bin/avalanche --filename=./in ./test5 ./in 32
Starting iteration 0
Starting iteration 1
...
Starting iteration 31
Crash detected.
No stack trace is available.
Dumping an exploit to file exploit_0_0
Starting iteration 32
Exploits report:
chunk 0: exploit_0_0 - No stack trace available
avalanche version: 0.4,0.5
Original issue reported on code.google.com by xeioexception
on 22 Aug 2011 at 10:44
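Added here as an illustration (not code from the report or from Avalanche): what test5's read() actually delivers for the two seed sizes. read() returns at most the bytes the file holds while test5 still compares dest bytes, so with the 28-byte in2 the last 4 compared bytes never came from the file; the corrected check below only counts a match when all dest bytes were delivered. The `expected` string and dest=32 are taken from the report; the helper names, the temp-file path and the zero seed are this example's own constructs.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define BUF_SIZE 128
#define DEST 32 /* read length used in both runs of the report */
/* Same expected string as test5 above. */
static const uint8_t expected[BUF_SIZE] =
    "verylongexpectedbadstring123456789abcdefghijklmnopqrstuvwxyz____";
/* Constructed stand-in for the zero-filled in2; seeds are taken from its prefix. */
static const uint8_t zero_seed[BUF_SIZE] = { 0 };

/* Write the first `len` bytes of `src` to a fresh temp file; `path` (>= 16 bytes) receives its name. */
static int write_seed(char *path, const uint8_t *src, size_t len) {
    strcpy(path, "/tmp/seedXXXXXX");
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    ssize_t w = write(fd, src, len);
    close(fd);
    if (w != (ssize_t)len) { unlink(path); return -1; }
    return 0;
}

/* Read up to DEST bytes from `path` exactly as test5 does and return what read() delivered.
   *full_match gets the corrected check: all DEST bytes delivered AND equal to `expected`.
   test5 omits the first half and memcmp()s DEST bytes regardless, so a short seed makes
   it compare stack bytes that never came from the file. */
static ssize_t read_like_test5(const char *path, int *full_match) {
    uint8_t input[BUF_SIZE];
    memset(input, 0xA5, sizeof input); /* poison: this example never reads indeterminate bytes */
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, input, DEST);
    close(fd);
    *full_match = (n == DEST) && memcmp(input, expected, DEST) == 0;
    return n;
}

/* Bytes read() delivers for a seed made of the first `seed_len` bytes of `src` (-1 on error). */
ssize_t delivered(const uint8_t *src, size_t seed_len) {
    char path[32]; int m;
    if (write_seed(path, src, seed_len) != 0) return -1;
    ssize_t n = read_like_test5(path, &m);
    unlink(path);
    return n;
}

/* 1 when such a seed reaches abort() in test5 under the corrected check, 0 if not, -1 on error. */
int triggers_abort(const uint8_t *src, size_t seed_len) {
    char path[32]; int m = -1;
    if (write_seed(path, src, seed_len) != 0) return -1;
    if (read_like_test5(path, &m) < 0) m = -1;
    unlink(path);
    return m;
}
```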
What steps will reproduce the problem?
1. configure when using glibc 2.13 (as on Ubuntu 11.04 on amd64)
What is the expected output?
no configure errors
What do you see instead?
checking the GLIBC_VERSION version... unsupported version 2.13
configure: error: Valgrind requires glibc version 2.2 - 2.12
configure: error: ./configure failed for valgrind
What version of the product are you using? On what operating system?
avalanche 0.4 on ubuntu natty 11.04 amd64
Linux 2.6.38-8-generic #42-Ubuntu SMP Mon Apr 11 03:31:24 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux
Please provide any additional information below.
Original issue reported on code.google.com by [email protected]
on 7 May 2011 at 4:03
What steps will reproduce the problem?
1. tar zxf ~/Downloads/avalanche-0.6.tar.gz
2. cd avalanche-0.6.0
3. ./configure
4. make
What is the expected output?
Software should compile!
What do you see instead?
PL.y: In function ‘int yyparse()’:
PL.y:180:98: error: expected unqualified-id before numeric constant
PL.y:185:98: error: expected unqualified-id before numeric constant
PL.y:196:100: error: expected unqualified-id before numeric constant
PL.y:445:85: error: expected unqualified-id before numeric constant
PL.y:450:85: error: expected unqualified-id before numeric constant
PL.y:456:85: error: expected unqualified-id before numeric constant
PL.y:462:85: error: expected unqualified-id before numeric constant
PL.y:468:85: error: expected unqualified-id before numeric constant
PL.y:486:85: error: expected unqualified-id before numeric constant
PL.y:492:92: error: expected unqualified-id before numeric constant
PL.y:500:92: error: expected unqualified-id before numeric constant
PL.y:508:92: error: expected unqualified-id before numeric constant
PL.y:516:92: error: expected unqualified-id before numeric constant
PL.y:524:92: error: expected unqualified-id before numeric constant
PL.y:532:92: error: expected unqualified-id before numeric constant
PL.y:540:92: error: expected unqualified-id before numeric constant
PL.y:548:92: error: expected unqualified-id before numeric constant
PL.y:557:85: error: expected unqualified-id before numeric constant
PL.y:563:85: error: expected unqualified-id before numeric constant
PL.y:703:92: error: expected unqualified-id before numeric constant
PL.y:715:92: error: expected unqualified-id before numeric constant
PL.y:728:92: error: expected unqualified-id before numeric constant
PL.y:741:92: error: expected unqualified-id before numeric constant
PL.y:760:76: error: expected unqualified-id before numeric constant
PL.y:809:92: error: expected unqualified-id before numeric constant
PL.y:817:92: error: expected unqualified-id before numeric constant
PL.y:827:92: error: expected unqualified-id before numeric constant
PL.y:834:92: error: expected unqualified-id before numeric constant
PL.y:843:92: error: expected unqualified-id before numeric constant
PL.y:852:92: error: expected unqualified-id before numeric constant
PL.y:861:92: error: expected unqualified-id before numeric constant
PL.y:870:92: error: expected unqualified-id before numeric constant
What version of the product are you using?
Avalanche 0.6.0
On what operating system?
CentOS 5.8 (Kernel: 2.6.18-308.4.1.el5.centos.plus, GCC: Red Hat 4.1.2-52)
Please provide any additional information below.
This looks like a namespace issue within the STP parser, but I was able to
compile avalanche-0.4; which seems to have the same version of STP. After
looking at the output from "configure" one difference seems to be that 0.6.0
uses "lex" and "yacc", while 0.4 uses "flex" and "bison". If I configure both
versions then copy the stp directory from 0.4 into the 0.6.0 directory, then it
builds fine.
Original issue reported on code.google.com by [email protected]
on 9 May 2012 at 12:08
1. Install avalanche into /usr/bin
2. Run avalanche using short name, rather than full path:
$ which avalanche
/usr/bin/avalanche
$ avalanche --verbose --filename=seed ./sample2 seed
INFO: Avalanche, a dynamic analysis tool.
INFO: Start time: Thu Jun 23 14:03:58 2011
DEBUG: Initializing plugin manager
DEBUG: Running execution manager
INFO: Running plugin kind=1
INFO: Executing command: ../lib/avalanche/valgrind, with args:
../lib/avalanche/valgrind --tool=covgrind --trace-children=no --alarm=300
--log-file=execution.log ./sample2 seed
INFO: exited on signal
ERROR: [TmpFile.cpp:76]: Cannot delete file tmpfile_1:No such file or directory
ERROR: [TmpFile.cpp:76]: Cannot delete file tmpfile_0:No such file or directory
Segmentation fault
Original issue reported on code.google.com by [email protected]
on 23 Jun 2011 at 10:04
What steps will reproduce the problem?
1. ./configure
2. make
Make encounters the following error:
Making all in stp-ver-0.1-11-18-2008
make[2]: Entering directory
`/home/username/project/avalanche-0.6.0/stp-ver-0.1-11-18-2008'
make all-recursive
make[3]: Entering directory
`/home/username/project/avalanche-0.6.0/stp-ver-0.1-11-18-2008'
Making all in AST
make[4]: Entering directory
`/home/username/project/avalanche-0.6.0/stp-ver-0.1-11-18-2008/AST'
g++ -DHAVE_CONFIG_H -I. -I.. -I../sat/mtl -I../sat/core -g -O2 -MT AST.o -MD
-MP -MF .deps/AST.Tpo -c -o AST.o AST.cpp
In file included from /usr/include/c++/4.7/ext/hash_map:61:0,
from AST.h:19,
from AST.cpp:10:
/usr/include/c++/4.7/backward/backward_warning.h:33:2: warning: #warning This
file includes at least one deprecated or antiquated header which may be removed
without further notice at a future date. Please use a non-deprecated interface
with equivalent functionality instead. For a listing of replacement headers and
interfaces, consult the file backward_warning.h. To disable this warning use
-Wno-deprecated. [-Wcpp]
In file included from ../sat/core/Solver.h:25:0,
from AST.h:35,
from AST.cpp:10:
../sat/mtl/Map.h: In constructor ‘MINISAT::Map<K, D, H, E>::Map(const H&,
const E&)’:
../sat/mtl/Map.h:90:41: warning: delegating constructors only available with
-std=c++11 or -std=gnu++11 [enabled by default]
../sat/mtl/Map.h:90:50: error: mem-initializer for ‘MINISAT::Map<K, D, H,
E>::hash’ follows constructor delegation
../sat/mtl/Map.h:90:61: error: mem-initializer for ‘MINISAT::Map<K, D, H,
E>::equals’ follows constructor delegation
AST.cpp: In member function ‘BEEV::ASTNode
BEEV::BeevMgr::CreateBVConst(unsigned int, long long unsigned int)’:
AST.cpp:802:55: warning: right shift count >= width of type [enabled by default]
make[4]: *** [AST.o] Error 1
make[4]: Leaving directory
`/home/username/project/avalanche-0.6.0/stp-ver-0.1-11-18-2008/AST'
make[3]: *** [all-recursive] Error 1
make[3]: Leaving directory
`/home/username/project/avalanche-0.6.0/stp-ver-0.1-11-18-2008'
make[2]: *** [all] Error 2
make[2]: Leaving directory
`/home/username/project/avalanche-0.6.0/stp-ver-0.1-11-18-2008'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/username/project/avalanche-0.6.0'
make: *** [all] Error 2
What version of the product are you using? On what operating system?
Linux kali 3.7-trunk-amd64 #1 SMP Debian 3.7.2-0+kali6 x86_64 GNU/Linux
Please provide any additional information below.
I have also tried to compile it on a 32-bits Ubuntu and it works fine.
Original issue reported on code.google.com by [email protected]
on 9 May 2013 at 3:42
What steps will reproduce the problem?
1. Compile given source code and run avalanche on it with the given mask (mask)
and initial input (str_seed).
What is the expected output? What do you see instead?
Avalanche should find an exploit for this program - input file containing the
following sequence of bytes: 'E', 'E', 'L', 'F', '\0'. This sequence leads to a
segmentation fault (can be tested with str_exploit).
However, avalanche executes 12 iterations and no defect reports are generated.
Original issue reported on code.google.com by [email protected]
on 22 Jun 2011 at 2:13
Attachments:
=====================
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdlib.h>
static char val[2];
int main(int argc, char** argv)
{
    /* argv[1]: input file (created if missing); only the first byte decides the crash */
    int fd1 = open(argv[1], O_RDONLY | O_CREAT, S_IRWXU | S_IRWXG);
    read(fd1, &val, 2);
    if(val[0]==10)      /* 0x0A: the byte avalanche is expected to derive */
        abort();
    return 0;
}
=====================
Expected result: exploit_0_0:=0x0A00, but received nothing
Test environment:
Ubuntu 10.04 32 bit (2.6.32-33-generic i686 SMP) in Virtualbox OSE 4.0.4, 2 cores of i5-2500, 768 MB of RAM
Host OS: ubuntu 11.04 64 bit (2.6.38-10-generic x86_64 SMP)
compiler: gcc version 4.4.3
avalanche version: 0.4,0.5
Original issue reported on code.google.com by xeioexception
on 22 Aug 2011 at 10:35
What steps will reproduce the problem?
1. Run avalanche on fseek.c with samples/simple/seed
What is the expected output?
3 exploits causing segfaults.
What do you see instead?
1 exploit (and 2 divergence files if --debug is used)
Original issue reported on code.google.com by [email protected]
on 27 Jul 2011 at 9:24
Attachments:
I've downloaded avalanche from svn, typed:
./autogen.sh
./configure
While configuring I have received such error:
checking for a supported OS... ok (linux-gnu)
checking for the kernel version... unsupported (3.0.0-13-generic)
configure: error: Valgrind works on kernels 2.4, 2.6
configure: error: ./configure failed for valgrind
I'm using Ubuntu 11.10 and at least in synaptic there is a valgrind package, so it seems to me that only the local copy of valgrind doesn't work.
Original issue reported on code.google.com by [email protected]
on 21 Oct 2011 at 10:23
Test environment:
x86
Ubuntu 10.04 32 bit (2.6.32-33-generic i686 SMP) in Virtualbox OSE 4.0.4, 2 cores of i5-2500, 768 MB of RAM
Host OS: ubuntu 11.04 64 bit (2.6.38-10-generic x86_64 SMP)
compiler: gcc version 4.4.3
Tested application:
3. p7zip-9.04 (Real bug: http://sourceforge.net/tracker/?func=detail&aid=2863580&group_id=111810&atid=660493)
confirm: ~/workspace/p7zip_9.04$ ./bin/7z x ~/Downloads/1e1a4fcdfe3092387458167488d4fdb2.rar
7-Zip 9.04 beta Copyright (c) 1999-2009 Igor Pavlov 2009-05-30
p7zip Version 9.04 (locale=en_US.utf8,Utf16=on,HugeFiles=on,4 CPUs)
Processing archive: /home/ioex/Downloads/1e1a4fcdfe3092387458167488d4fdb2.rar
Segmentation fault (core dumped)
in.rar is a valid archive:
~/workspace/p7zip_9.04/avtest$ ./bin/7z x ./in.rar
7-Zip 9.04 beta Copyright (c) 1999-2009 Igor Pavlov 2009-05-30
p7zip Version 9.04 (locale=en_US.utf8,Utf16=on,HugeFiles=on,4 CPUs)
Processing archive: ./in.rar
Extracting in
Everything is Ok
Size: 236
Compressed: 280
avalanche cmd line: ~/avalanche-0.4/bin/avalanche --filename=./in.rar ./bin/7z x ./in.rar
Status: completed
Time consumed: ~ 7 days
Results: 10345 exploits
Verify perl script:
use strict;
use warnings;
# re-run the target on every exploit file avalanche wrote
my $i=0;
while($i<10345)
{
    system("./bin/7z x ./exploit_${i}_0");
    $i++;
}
cmd line: perl p.pl 2>&1 > verify2.log;
verify2.log additionally was sorted by unique strings
It seems that avalanche finished checking the application prematurely.
Original issue reported on code.google.com by xeioexception
on 1 Sep 2011 at 6:27
Attachments:
What steps will reproduce the problem?
1. Build and install Avalanche.
2. Run the sample:
cd /usr/src/avalanche-0.4/samples/simple
avalanche --filename=`pwd`/seed `pwd`/sample2 `pwd`/seed --verbose
What is the expected output? What do you see instead?
The exploit does not succeed:
root@clean:/usr/src/avalanche-0.4/samples/simple# avalanche --filename=`pwd`/seed `pwd`/sample2 `pwd`/seed --verbose
INFO: Avalanche, a dynamic analysis tool.
INFO: Start time: Mon Oct 31 20:43:17 2011
DEBUG: Initializing plugin manager
DEBUG: Running execution manager
INFO: Running plugin kind=1
INFO: Executing command: valgrind, with args: valgrind --tool=covgrind
--trace-children=no --alarm=300 --log-file=execution.log
/usr/src/avalanche-0.4/samples/simple/sample2
/usr/src/avalanche-0.4/samples/simple/seed
INFO: Covgrind is finished
ERROR: [ExecutionManager.cpp:413]: Error opening file basic_blocks.log
INFO: score=0
Starting iteration 0
INFO: inputs.size()=1
INFO: selected next input with score 0
INFO: Running plugin kind=0
INFO: Executing command: valgrind, with args: valgrind --tool=tracegrind
--trace-children=no --startdepth=1 --invertdepth=100 --dump-prediction=yes
--check-danger=no --file=/usr/src/avalanche-0.4/samples/simple/seed
/usr/src/avalanche-0.4/samples/simple/sample2
/usr/src/avalanche-0.4/samples/simple/seed
INFO: Tracegrind is finished
INFO: no QUERY's found
INFO: Time statistics:
total: 1, tracegrind: 1 (100%), covgrind: 0 (0%), stp: 0 (0%)
Exploits report:
DEBUG: Destructing plugin manager
root@clean:/usr/src/avalanche-0.4/samples/simple# echo $?
0
What version of the product are you using? On what operating system?
I tried revision 247 and avalanche-0.4.tar.gz on this machine:
Linux clean 3.0.0-1-486 #1 Sat Aug 27 15:56:48 UTC 2011 i686 GNU/Linux
wheezy/sid
Пакет: libc6
Состояние: установлен
Автоматически установлен: нет
Версия: 2.13-21
and the alike with amd64 kernel.
Original issue reported on code.google.com by [email protected]
on 31 Oct 2011 at 4:49
Test environment:
Ubuntu 10.04 32 bit (2.6.32-33-generic i686 SMP) in Virtualbox OSE 4.0.4, 2 cores of i5-2500, 768 MB of RAM
Host OS: ubuntu 11.04 64 bit (2.6.38-10-generic x86_64 SMP)
compiler: gcc version 4.4.3
The tested tools version: 0.4 stable release
Open source application testing with known bugs
1. imagemagick-6.6.10
(http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=18136)
confirm: ./bin/convert ./test_image.png /tmp/x.png
convert: magick/splay-tree.c:883: GetValueFromSplayTree: Assertion `splay_tree
!= (SplayTreeInfo *) ((void *)0)' failed.
Aborted (core dumped)
cmdline: ~/avalanche-0.4/bin/avalanche --filename=./test_image_2.png
./bin/convert ./test_image_2.png /tmp/x.png
results: 8 exploits were found (false positives, not reproduced afterwards), 640 iterations passed in total, avalanche finished without warnings. NO EXPECTED BUG FOUND
The crashes were out-of-memory cases, but the tool detects them as real crashes.
Original issue reported on code.google.com by xeioexception
on 22 Aug 2011 at 6:40
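A triage harness, added here and not part of either report, along the lines of the p7zip verify script above and the imagemagick note about out-of-memory aborts being counted as real crashes: each exploit file is re-run under the target with the terminating signal recorded, optionally under an address-space cap (RLIMIT_AS) so that allocation failure is reproducible and lands in its own bucket instead of among SIGSEGV/SIGBUS results. The function names, the two-argument target invocation and the /bin/sh snippets are this example's assumptions.

```c
#define _XOPEN_SOURCE 700
#include <signal.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>
#define HARNESS_ERROR (-1000)

/* Run argv in a child, optionally under an RLIMIT_AS cap (0 = no cap). Returns the exit code
   for a normal exit, -(signal number) when the child was killed by a signal, HARNESS_ERROR if
   fork/wait failed. Signals stay negative so an exit status >= 128 is never misread as 128+N. */
int run_classified(char *const argv[], unsigned long as_limit_bytes) {
    pid_t pid = fork();
    if (pid < 0) return HARNESS_ERROR;
    if (pid == 0) {
        if (as_limit_bytes) {
            struct rlimit rl = { as_limit_bytes, as_limit_bytes };
            setrlimit(RLIMIT_AS, &rl); /* allocation fails deterministically instead of swapping the host */
        }
        execvp(argv[0], argv);
        _exit(127); /* target missing or not executable */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return HARNESS_ERROR;
    if (WIFSIGNALED(status)) return -WTERMSIG(status);
    if (WIFEXITED(status)) return WEXITSTATUS(status);
    return HARNESS_ERROR;
}

/* Re-run `target` on one exploit file as `target file` (7z would also need its "x" argument). */
int run_target_on_file(const char *target, const char *file, unsigned long as_limit_bytes) {
    char *const argv[] = { (char *)target, (char *)file, NULL };
    return run_classified(argv, as_limit_bytes);
}

/* Same thing for a shell snippet, used to exercise the harness without a crashing binary. */
int run_shell_classified(const char *script, unsigned long as_limit_bytes) {
    char *const argv[] = { "/bin/sh", "-c", (char *)script, NULL };
    return run_classified(argv, as_limit_bytes);
}

/* Bucket label for one result, so the verify log can be sorted and counted per crash class.
   SIGABRT covers assertion and allocation failures (the imagemagick case), not only corruption. */
const char *verdict(int result) {
    if (result == HARNESS_ERROR) return "harness error";
    if (result >= 0) return result == 0 ? "clean exit" : "nonzero exit";
    switch (-result) {
    case SIGSEGV: return "SIGSEGV";
    case SIGBUS:  return "SIGBUS";
    case SIGABRT: return "SIGABRT";
    case SIGFPE:  return "SIGFPE";
    default:      return "other signal";
    }
}
```

Sorting a log of verdict() labels with `sort | uniq -c` gives the per-class count the p7zip reporter produced by sorting verify2.log by unique strings.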
Attachments:
What steps will reproduce the problem?
1. Fix ./configure for the 3.* kernel & 2.13 glibc.
2. Run ./configure on machine without lex or yacc
What is the expected output? What do you see instead?
Configure should report the lack of these tools. Instead it breaks the build process when STP is compiled.
What version of the product are you using? On what operating system?
Linux clean 3.0.0-1-486 #1 Sat Aug 27 15:56:48 UTC 2011 i686 GNU/Linux
wheezy/sid
Пакет: libc6
Состояние: установлен
Автоматически установлен: нет
Версия: 2.13-21
No lex and yacc installed.
Original issue reported on code.google.com by [email protected]
on 31 Oct 2011 at 12:51
[deleted issue]