avalanche's People

Contributors

ildarisaev avatar mermakov avatar


avalanche's Issues

the tool doesn't expand input file size if necessary

Test environment:
Ubuntu 10.04 32 bit (2.6.32-33-generic i686 SMP) in Virtualbox OSE 4.0.4, 2 cores of an i5-2500, 768 MB of RAM
Host OS: ubuntu 11.04 64 bit (2.6.38-10-generic x86_64 SMP)
compiler: gcc version 4.4.3

=====================================
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>

#define BUF_SIZE        128

int main(int argc, char** argv)
{
        uint8_t input[BUF_SIZE];
        /* 64-byte pattern: abort() is reachable only if every compared byte is under the tool's control */
        const uint8_t expected[BUF_SIZE]="verylongexpectedbadstring123456789abcdefghijklmnopqrstuvwxyz____";
        uint16_t dest;
        int  fd1;

        if(argc < 2)
                return 1;

        /* argv[1] is the input file that avalanche mutates */
        fd1 = open(argv[1], O_RDONLY | O_CREAT, S_IRWXU | S_IRWXG | S_IRWXO);

        /* number of bytes to read and compare: argv[2], default 32, capped at BUF_SIZE */
        dest=(argv[2])?atoi(argv[2]):32;

        if(dest>BUF_SIZE)
                dest=BUF_SIZE;

        /* the read count is deliberately unchecked: bytes past the end of the
           seed file are never filled, so the tool has to grow the file itself */
        read(fd1, input, dest);

        /* the detectable "crash" the tool is expected to reach */
        if(!memcmp(input,expected,dest))
                abort();

        return 0;
}
======================================

in2 is a zero-filled input file.
Compare:
ioex@ioex-desktop:~/workspace/avalanche/tests$ stat -c %s in2
28
ioex@ioex-desktop:~/workspace/avalanche/tests$ ~/avalanche-0.5/bin/avalanche 
--filename=./in2 ./test5 ./in2 32
Starting iteration 0
...
Starting iteration 13

Exploits report:

ioex@ioex-desktop:~/workspace/avalanche/tests$ stat -c %s in
4097
ioex@ioex-desktop:~/workspace/avalanche/tests$ ~/avalanche-0.5/bin/avalanche 
--filename=./in ./test5 ./in 32
Starting iteration 0
Starting iteration 1
...
Starting iteration 31
Crash detected.
No stack trace is available.
Dumping an exploit to file exploit_0_0
Starting iteration 32

Exploits report:
chunk 0: exploit_0_0 - No stack trace available

avalanche version: 0.4,0.5


Original issue reported on code.google.com by xeioexception on 22 Aug 2011 at 10:44

glibc 2.13 unsupported

What steps will reproduce the problem?
1. configure when using glibc 2.13 (as on Ubuntu 11.04 on amd64)

What is the expected output?
no configure errors

What do you see instead?
checking the GLIBC_VERSION version... unsupported version 2.13
configure: error: Valgrind requires glibc version 2.2 - 2.12
configure: error: ./configure failed for valgrind


What version of the product are you using? On what operating system?
avalanche 0.4 on ubuntu natty 11.04 amd64
Linux 2.6.38-8-generic #42-Ubuntu SMP Mon Apr 11 03:31:24 UTC 2011 x86_64 
x86_64 x86_64 GNU/Linux


Please provide any additional information below.


Original issue reported on code.google.com by [email protected] on 7 May 2011 at 4:03

Avalanche 0.6.0 does not build on Fedora 16

What steps will reproduce the problem?
1. tar zxf ~/Downloads/avalanche-0.6.tar.gz
2. cd avalanche-0.6.0
3. ./configure
4. make

What is the expected output?

Software should compile!

What do you see instead?

PL.y: In function ‘int yyparse()’:
PL.y:180:98: error: expected unqualified-id before numeric constant
PL.y:185:98: error: expected unqualified-id before numeric constant
PL.y:196:100: error: expected unqualified-id before numeric constant
PL.y:445:85: error: expected unqualified-id before numeric constant
PL.y:450:85: error: expected unqualified-id before numeric constant
PL.y:456:85: error: expected unqualified-id before numeric constant
PL.y:462:85: error: expected unqualified-id before numeric constant
PL.y:468:85: error: expected unqualified-id before numeric constant
PL.y:486:85: error: expected unqualified-id before numeric constant
PL.y:492:92: error: expected unqualified-id before numeric constant
PL.y:500:92: error: expected unqualified-id before numeric constant
PL.y:508:92: error: expected unqualified-id before numeric constant
PL.y:516:92: error: expected unqualified-id before numeric constant
PL.y:524:92: error: expected unqualified-id before numeric constant
PL.y:532:92: error: expected unqualified-id before numeric constant
PL.y:540:92: error: expected unqualified-id before numeric constant
PL.y:548:92: error: expected unqualified-id before numeric constant
PL.y:557:85: error: expected unqualified-id before numeric constant
PL.y:563:85: error: expected unqualified-id before numeric constant
PL.y:703:92: error: expected unqualified-id before numeric constant
PL.y:715:92: error: expected unqualified-id before numeric constant
PL.y:728:92: error: expected unqualified-id before numeric constant
PL.y:741:92: error: expected unqualified-id before numeric constant
PL.y:760:76: error: expected unqualified-id before numeric constant
PL.y:809:92: error: expected unqualified-id before numeric constant
PL.y:817:92: error: expected unqualified-id before numeric constant
PL.y:827:92: error: expected unqualified-id before numeric constant
PL.y:834:92: error: expected unqualified-id before numeric constant
PL.y:843:92: error: expected unqualified-id before numeric constant
PL.y:852:92: error: expected unqualified-id before numeric constant
PL.y:861:92: error: expected unqualified-id before numeric constant
PL.y:870:92: error: expected unqualified-id before numeric constant

What version of the product are you using?

Avalanche 0.6.0

On what operating system?

CentOS 5.8 (Kernel: 2.6.18-308.4.1.el5.centos.plus, GCC: Red Hat 4.1.2-52)

Please provide any additional information below.

This looks like a namespace issue within the STP parser, but I was able to 
compile avalanche-0.4, which seems to have the same version of STP. After 
looking at the output from "configure", one difference seems to be that 0.6.0 
uses "lex" and "yacc", while 0.4 uses "flex" and "bison". If I configure both 
versions and then copy the stp directory from 0.4 into the 0.6.0 directory, it 
builds fine.


Original issue reported on code.google.com by [email protected] on 9 May 2012 at 12:08

Avalanche crashes with segmentation fault when being run from PATH

1. Install avalanche into /usr/bin
2. Run avalanche using short name, rather than full path:

$ which avalanche
/usr/bin/avalanche
$ avalanche --verbose --filename=seed ./sample2 seed
INFO: Avalanche, a dynamic analysis tool.
INFO: Start time: Thu Jun 23 14:03:58 2011
DEBUG: Initializing plugin manager
DEBUG: Running execution manager
INFO: Running plugin kind=1
INFO: Executing command: ../lib/avalanche/valgrind, with args:  
../lib/avalanche/valgrind --tool=covgrind --trace-children=no --alarm=300 
--log-file=execution.log ./sample2 seed
INFO: exited on signal
ERROR: [TmpFile.cpp:76]: Cannot delete file tmpfile_1:No such file or directory
ERROR: [TmpFile.cpp:76]: Cannot delete file tmpfile_0:No such file or directory
Segmentation fault



Original issue reported on code.google.com by [email protected] on 23 Jun 2011 at 10:04
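The log above shows the tool executing `../lib/avalanche/valgrind`, a path relative to the current directory, which only resolves when avalanche is started from its own bin/ directory. The following is an added example, not avalanche's code, of how a launcher can locate a sibling helper from the real location of its executable instead of from argv[0] as typed. It assumes the install layout `<prefix>/bin/<tool>` and `<prefix>/lib/avalanche/valgrind` seen in the report; whether the relative path is what produces the segmentation fault is not established by the report itself.

```python
"""Resolve a helper binary relative to the tool's install location.

Added example (not part of avalanche). Assumed layout:
<prefix>/bin/avalanche and <prefix>/lib/avalanche/valgrind.
"""
import os
import shutil
import tempfile

# Path of the helper relative to the bin/ directory, as the report's log shows it.
HELPER_REL = os.path.join("..", "lib", "avalanche", "valgrind")


def own_location(argv0, path_env=None):
    """Directory of the executable named by argv0.

    With a slash in argv0 the shell ran it by path; otherwise the shell found it
    on PATH, so repeat that lookup (path_env overrides $PATH, for testing).
    """
    if os.sep in argv0:
        exe = argv0
    else:
        exe = shutil.which(argv0, path=path_env)
        if exe is None:
            raise FileNotFoundError(f"{argv0!r} not found on PATH")
    # realpath follows symlinks, so a symlinked /usr/bin/avalanche still works
    return os.path.dirname(os.path.realpath(exe))


def helper_path(argv0, path_env=None):
    """Helper path anchored at the executable's real directory."""
    return os.path.normpath(os.path.join(own_location(argv0, path_env), HELPER_REL))


def naive_helper_path():
    """What the report's log shows: the relative path used as-is, i.e. against cwd."""
    return os.path.normpath(os.path.join(os.getcwd(), HELPER_REL))


def demo():
    """Build a constructed install tree, run the tool by short name from an
    unrelated directory, and report whether each strategy finds the helper."""
    with tempfile.TemporaryDirectory() as prefix:
        bindir = os.path.join(prefix, "bin")
        helper = os.path.join(prefix, "lib", "avalanche", "valgrind")
        os.makedirs(bindir)
        os.makedirs(os.path.dirname(helper))
        tool = os.path.join(bindir, "avalanche")
        for p in (tool, helper):
            with open(p, "w") as fh:
                fh.write("#!/bin/sh\n")   # constructed stand-in executables
            os.chmod(p, 0o755)
        saved_cwd = os.getcwd()
        os.chdir(prefix)                   # any directory that is not bin/
        try:
            resolved = helper_path("avalanche", path_env=bindir)
            naive = naive_helper_path()
        finally:
            os.chdir(saved_cwd)
        return os.path.isfile(resolved), os.path.isfile(naive)


if __name__ == "__main__":
    print("anchored at executable:", demo()[0], "| relative to cwd:", demo()[1])
```

`demo()` returns `(True, False)`: the path anchored at the executable's real directory exists, the cwd-relative one does not, which is exactly the situation of running the tool by short name from an arbitrary directory.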

Avalanche 0.6 doesn't compile on 64-bit architecture

What steps will reproduce the problem?
1. ./configure
2. make

Make encounters the following error:

Making all in stp-ver-0.1-11-18-2008
make[2]: Entering directory 
`/home/username/project/avalanche-0.6.0/stp-ver-0.1-11-18-2008'
make  all-recursive
make[3]: Entering directory 
`/home/username/project/avalanche-0.6.0/stp-ver-0.1-11-18-2008'
Making all in AST
make[4]: Entering directory 
`/home/username/project/avalanche-0.6.0/stp-ver-0.1-11-18-2008/AST'
g++ -DHAVE_CONFIG_H -I. -I.. -I../sat/mtl -I../sat/core    -g -O2 -MT AST.o -MD 
-MP -MF .deps/AST.Tpo -c -o AST.o AST.cpp
In file included from /usr/include/c++/4.7/ext/hash_map:61:0,
                 from AST.h:19,
                 from AST.cpp:10:
/usr/include/c++/4.7/backward/backward_warning.h:33:2: warning: #warning This 
file includes at least one deprecated or antiquated header which may be removed 
without further notice at a future date. Please use a non-deprecated interface 
with equivalent functionality instead. For a listing of replacement headers and 
interfaces, consult the file backward_warning.h. To disable this warning use 
-Wno-deprecated. [-Wcpp]
In file included from ../sat/core/Solver.h:25:0,
                 from AST.h:35,
                 from AST.cpp:10:
../sat/mtl/Map.h: In constructor ‘MINISAT::Map<K, D, H, E>::Map(const H&, 
const E&)’:
../sat/mtl/Map.h:90:41: warning: delegating constructors only available with 
-std=c++11 or -std=gnu++11 [enabled by default]
../sat/mtl/Map.h:90:50: error: mem-initializer for ‘MINISAT::Map<K, D, H, 
E>::hash’ follows constructor delegation
../sat/mtl/Map.h:90:61: error: mem-initializer for ‘MINISAT::Map<K, D, H, 
E>::equals’ follows constructor delegation
AST.cpp: In member function ‘BEEV::ASTNode 
BEEV::BeevMgr::CreateBVConst(unsigned int, long long unsigned int)’:
AST.cpp:802:55: warning: right shift count >= width of type [enabled by default]
make[4]: *** [AST.o] Error 1
make[4]: Leaving directory 
`/home/username/project/avalanche-0.6.0/stp-ver-0.1-11-18-2008/AST'
make[3]: *** [all-recursive] Error 1
make[3]: Leaving directory 
`/home/username/project/avalanche-0.6.0/stp-ver-0.1-11-18-2008'
make[2]: *** [all] Error 2
make[2]: Leaving directory 
`/home/username/project/avalanche-0.6.0/stp-ver-0.1-11-18-2008'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/username/project/avalanche-0.6.0'
make: *** [all] Error 2



What version of the product are you using? On what operating system?
Linux kali 3.7-trunk-amd64 #1 SMP Debian 3.7.2-0+kali6 x86_64 GNU/Linux

Please provide any additional information below.
I have also tried to compile it on a 32-bit Ubuntu and it works fine.

Original issue reported on code.google.com by [email protected] on 9 May 2013 at 3:42

Exploits may not be found when standard string functions (string.h) are used

What steps will reproduce the problem?
1. Compile given source code and run avalanche on it with the given mask (mask) 
and initial input (str_seed).

What is the expected output? What do you see instead?

Avalanche should find an exploit for this program - input file containing the 
following sequence of bytes: 'E', 'E', 'L', 'F', '\0'. This sequence leads to a 
segmentation fault (can be tested with str_exploit). 

However, avalanche executes 12 iterations and no defect reports are generated.


Original issue reported on code.google.com by [email protected] on 22 Jun 2011 at 2:13

Attachments:

the tool doesn't track tainted data in static variables

=====================
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdlib.h>

/* tainted bytes land in a static (global) buffer instead of on the stack */
static char val[2];

int main(int argc, char** argv)
{
        /* argv[1] is the input file that avalanche mutates */
        int  fd1 = open(argv[1], O_RDONLY | O_CREAT, S_IRWXU | S_IRWXG);

        /* read count deliberately unchecked: the test only needs both bytes tainted */
        read(fd1, &val, 2);
        /* reachable only with val[0] == 0x0A, i.e. an exploit file of 0x0A 0x00 */
        if(val[0]==10)
                abort();

        return 0;
}
=====================
Expected result: exploit_0_0 := 0x0A00, but received nothing

Test environment:
Ubuntu 10.04 32 bit (2.6.32-33-generic i686 SMP) in Virtualbox OSE 4.0.4, 2 cores of an i5-2500, 768 MB of RAM
Host OS: ubuntu 11.04 64 bit (2.6.38-10-generic x86_64 SMP)
compiler: gcc version 4.4.3

avalanche version: 0.4,0.5


Original issue reported on code.google.com by xeioexception on 22 Aug 2011 at 10:35

Incorrect STP queries when lseek (fseek, etc.) is used

What steps will reproduce the problem?
1. Run avalanche on fseek.c with samples/simple/seed

What is the expected output?
3 exploits causing segfaults.

What do you see instead?
1 exploit (and 2 divergence files if --debug is used)

Original issue reported on code.google.com by [email protected] on 27 Jul 2011 at 9:24

Attachments:

Configure said 'kernel version... unsupported'

I've downloaded avalanche from svn, typed:
./autogen.sh
./configure
While configuring I have received such error:

checking for a supported OS... ok (linux-gnu)
checking for the kernel version... unsupported (3.0.0-13-generic)
configure: error: Valgrind works on kernels 2.4, 2.6
configure: error: ./configure failed for valgrind

I'm using ubuntu 11.10, and at least in synaptic there is a valgrind package, so it 
seems to me only the local copy of valgrind doesn't work.

Original issue reported on code.google.com by [email protected] on 21 Oct 2011 at 10:23

Avalanche-0.4 finished checking an application but didn't find an actual bug

Test environment:
x86
Ubuntu 10.04 32 bit (2.6.32-33-generic i686 SMP) in Virtualbox OSE 4.0.4, 2 cores of an i5-2500, 768 MB of RAM
Host OS: ubuntu 11.04 64 bit (2.6.38-10-generic x86_64 SMP)
compiler: gcc version 4.4.3

Tested application:
3. p7zip-9.04  (Real bug: http://sourceforge.net/tracker/?func=detail&aid=2863580&group_id=111810&atid=660493)
confirm: ~/workspace/p7zip_9.04$ ./bin/7z x 
~/Downloads/1e1a4fcdfe3092387458167488d4fdb2.rar 
7-Zip 9.04 beta  Copyright (c) 1999-2009 Igor Pavlov  2009-05-30
p7zip Version 9.04 (locale=en_US.utf8,Utf16=on,HugeFiles=on,4 CPUs)
Processing archive: /home/ioex/Downloads/1e1a4fcdfe3092387458167488d4fdb2.rar
Segmentation fault (core dumped)

in.rar is a valid archive:
~/workspace/p7zip_9.04/avtest$ ./bin/7z x ./in.rar 

7-Zip 9.04 beta  Copyright (c) 1999-2009 Igor Pavlov  2009-05-30
p7zip Version 9.04 (locale=en_US.utf8,Utf16=on,HugeFiles=on,4 CPUs)

Processing archive: ./in.rar

Extracting  in

Everything is Ok

Size:       236
Compressed: 280


avalanche cmd line: ~/avalanche-0.4/bin/avalanche --filename=./in.rar ./bin/7z 
x ./in.rar

Status: completed
Time consumed: ~ 7 days
Results: 10345 exploits

Verify perl script:
use strict;
use warnings;

# re-run 7z on every exploit file the tool produced (exploit_0_0 .. exploit_10344_0)
my $i=0;
while($i<10345)
{
    system("./bin/7z x ./exploit_${i}_0");
    $i++;
}
cmd line: perl p.pl 2>&1 > verify2.log; 
verify2.log additionally was sorted by unique strings

It seems the avalanche prematurely finished checking the application.

Original issue reported on code.google.com by xeioexception on 1 Sep 2011 at 6:27

Attachments:

Error opening file basic_blocks.log before iteration 0 start

What steps will reproduce the problem?
1. Build and install Avalanche.
2. Run the sample:
cd /usr/src/avalanche-0.4/samples/simple
avalanche --filename=`pwd`/seed `pwd`/sample2 `pwd`/seed --verbose 

What is the expected output? What do you see instead?
The exploit does not succeed:
root@clean:/usr/src/avalanche-0.4/samples/simple# avalanche 
--filename=`pwd`/seed `pwd`/sample2 `pwd`/seed --verbose
INFO: Avalanche, a dynamic analysis tool.
INFO: Start time: Mon Oct 31 20:43:17 2011
DEBUG: Initializing plugin manager
DEBUG: Running execution manager
INFO: Running plugin kind=1
INFO: Executing command: valgrind, with args:  valgrind --tool=covgrind 
--trace-children=no --alarm=300 --log-file=execution.log 
/usr/src/avalanche-0.4/samples/simple/sample2 
/usr/src/avalanche-0.4/samples/simple/seed
INFO: Covgrind is finished
ERROR: [ExecutionManager.cpp:413]: Error opening file basic_blocks.log
INFO: score=0
Starting iteration 0
INFO: inputs.size()=1
INFO: selected next input with score 0
INFO: Running plugin kind=0
INFO: Executing command: valgrind, with args:  valgrind --tool=tracegrind 
--trace-children=no --startdepth=1 --invertdepth=100 --dump-prediction=yes 
--check-danger=no --file=/usr/src/avalanche-0.4/samples/simple/seed 
/usr/src/avalanche-0.4/samples/simple/sample2 
/usr/src/avalanche-0.4/samples/simple/seed
INFO: Tracegrind is finished
INFO: no QUERY's found

INFO: Time statistics:
total: 1, tracegrind: 1 (100%), covgrind: 0 (0%), stp: 0 (0%)

Exploits report:

DEBUG: Destructing plugin manager
root@clean:/usr/src/avalanche-0.4/samples/simple# echo $?
0

What version of the product are you using? On what operating system?
I tried revision 247 and avalanche-0.4.tar.gz on this machine:
Linux clean 3.0.0-1-486 #1 Sat Aug 27 15:56:48 UTC 2011 i686 GNU/Linux
wheezy/sid
Пакет: libc6                                     
Состояние: установлен
Автоматически установлен: нет
Версия: 2.13-21

and the alike with amd64 kernel.

Original issue reported on code.google.com by [email protected] on 31 Oct 2011 at 4:49

Avalanche 0.4 doesn't check the cause of crash of the tested application

Test environment:
Ubuntu 10.04 32 bit (2.6.32-33-generic i686 SMP) in Virtualbox OSE 4.0.4, 2 cores of an i5-2500, 768 MB of RAM
Host OS: ubuntu 11.04 64 bit (2.6.38-10-generic x86_64 SMP)
compiler: gcc version 4.4.3

The tested tools version: 0.4 stable release

Open source application testing with known bugs
1. imagemagick-6.6.10  
(http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=18136)
confirm: ./bin/convert ./test_image.png /tmp/x.png
convert: magick/splay-tree.c:883: GetValueFromSplayTree: Assertion `splay_tree 
!= (SplayTreeInfo *) ((void *)0)' failed.
Aborted (core dumped)

cmdline: ~/avalanche-0.4/bin/avalanche --filename=./test_image_2.png 
./bin/convert ./test_image_2.png /tmp/x.png

results: 8 exploits were found (false-positive, not reproduced  after), total 
640 iteration passed, avalanche finished without warnings. NO EXPECTED BUG FOUND

The crashes were actually out-of-memory cases, but the tool detects them as real 
crashes.

Original issue reported on code.google.com by xeioexception on 22 Aug 2011 at 6:40

Attachments:
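
Two of the reports above come down to the same triage question: the p7zip report re-runs 10345 exploit files with a perl loop and then sorts the output by unique strings, and the imagemagick report finds that the eight reported "exploits" were out-of-memory cases rather than real crashes. The script below is an added example, not part of avalanche or of either report, that does what the perl loop does but records how each run terminated, so that SIGSEGV, SIGABRT (an assertion or malloc check firing) and SIGKILL (typically the kernel OOM killer) are counted apart instead of all being treated as crashes. The `@@` placeholder in the command line is this script's own convention, and the target used for the built-in demo is a constructed Python stand-in so the script runs offline.

```python
"""Re-run reported exploit files and classify how the target terminated.

Added example (not avalanche's code). Usage idea:
    triage(["./bin/7z", "x", "@@"], exploit_paths)
"""
import os
import signal
import subprocess
import sys
import tempfile
from collections import Counter

FILE_TOKEN = "@@"  # this script's placeholder, replaced by the exploit file path


def run_target(cmd_template, exploit_path, timeout=10.0):
    """Run the target once on exploit_path and return (outcome, detail).

    outcome: "crash" (killed by a signal, detail names it), "clean" (normal
    exit, detail is the exit code), "timeout", or "error" (could not start).
    """
    argv = [exploit_path if arg == FILE_TOKEN else arg for arg in cmd_template]
    try:
        proc = subprocess.run(argv, stdin=subprocess.DEVNULL,
                              stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                              timeout=timeout)
    except subprocess.TimeoutExpired:
        return "timeout", f"no exit within {timeout}s"
    except OSError as exc:
        return "error", str(exc)
    if proc.returncode < 0:  # POSIX: a negative return code is "killed by signal N"
        return "crash", signal.Signals(-proc.returncode).name
    return "clean", f"exit {proc.returncode}"


def triage(cmd_template, exploit_paths, timeout=10.0):
    """Return ({exploit_path: verdict}, Counter of verdicts), the per-file result
    plus the "unique strings" summary the p7zip report produced by sorting."""
    verdicts = {p: run_target(cmd_template, p, timeout) for p in exploit_paths}
    return verdicts, Counter(verdicts.values())


def reproducible_segfaults(verdicts):
    """Files that reproduce a memory-access fault. SIGABRT and SIGKILL results are
    kept out on purpose: they are usually an assertion, a malloc check or the OOM
    killer, and need a separate look before being called exploitable."""
    return sorted(p for p, (outcome, detail) in verdicts.items()
                  if outcome == "crash" and detail in ("SIGSEGV", "SIGBUS"))


# Constructed stand-in target: Python itself, dying with SIGSEGV when the input
# starts with 'S', aborting on 'A', and exiting cleanly otherwise.
DEMO_TARGET = [sys.executable, "-c",
               "import os, signal, sys\n"
               "data = open(sys.argv[1], 'rb').read()\n"
               "if data[:1] == b'S': os.kill(os.getpid(), signal.SIGSEGV)\n"
               "if data[:1] == b'A': os.abort()\n",
               FILE_TOKEN]


def demo():
    """Write three constructed exploit files to a temp dir and triage them."""
    with tempfile.TemporaryDirectory() as tmp:
        paths = []
        for i, first in enumerate((b"S", b"A", b"x")):
            path = os.path.join(tmp, f"exploit_{i}_0")
            with open(path, "wb") as fh:
                fh.write(first + b"\0" * 31)
            paths.append(path)
        return triage(DEMO_TARGET, paths)


if __name__ == "__main__":
    verdicts, summary = demo()
    for (outcome, detail), n in sorted(summary.items()):
        print(f"{n:6d}  {outcome:8s}{detail}")
    print("reproducible segfaults:", reproducible_segfaults(verdicts))
```

On the demo input the summary is one `crash SIGSEGV`, one `crash SIGABRT` and one `clean exit 0`, and only the first file is listed by `reproducible_segfaults`. For a real target, pass the tool's exploit file names as `exploit_paths` and keep the timeout so a hang (which avalanche reports separately through its alarm) does not stall the loop.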

Configure script doesn't check lack of lex and yacc needed by STP

What steps will reproduce the problem?
1. Fix ./configure for the 3.* kernel & 2.13 glibc.
2. Run ./configure on machine without lex or yacc

What is the expected output? What do you see instead?
Configure should report the lack of these tools. Instead it breaks the build 
process when STP is compiled.

What version of the product are you using? On what operating system?
Linux clean 3.0.0-1-486 #1 Sat Aug 27 15:56:48 UTC 2011 i686 GNU/Linux
wheezy/sid
Пакет: libc6                                     
Состояние: установлен
Автоматически установлен: нет
Версия: 2.13-21

No lex and yacc installed.

Original issue reported on code.google.com by [email protected] on 31 Oct 2011 at 12:51
