Send Return Code back from child script to the Parent script - return-value

My child script can create a rc=110 when a FTPed file is not located. The Parent script sets the Error Handling RC=1. I want the Error Handling to set to the RC created in child script. Any ideas?

What operating system? In linux you can forward the paramenter using standard input/output using the | (pipe)
./script | ./binaryName
This forwards the output of ./script as the input of ./binaryName
and in your main:
int main(int argc, char **argv){
//Don't use argv[0]!
char* yourOutput = argv[1];
return 0;
}
I just realized your "parent" is a script too. Which language is this? All the languages I've worked with have a manner to get arguements like I just showed you in C++.

Related

`do_sys_open` vs `__x86_sys_open` when attaching kprobe

I have tried running opensnoop.py but using
fnname_open='do_sys_open'
(which I have seen in other scripts) instead of
fnname_open = b.get_syscall_prefix().decode() + 'open'
# = '__x86_sys_open' on Ubuntu 18.04
but the script then stops printing file names. What is causing the difference?
When using attach_kprobe(event=fn) is fn a system call or an event?
Do you get list of possible syscall from /proc/kallsyms as described here?
A BPF program attached to __x86_sys_open won't have the same result if you attach it to do_sys_open instead because those two functions don't have the same prototype:
long do_sys_open(int dfd, const char __user *filename, int flags, umode_t mode);
long sys_open(const char __user *filename, int flags, umode_t mode);
So the filename argument, for example, won't be stored in the same register depending on which function you trace. You will need to edit the BPF program as well to fix this.

AFL hello world example

I'm trying to figure out how to use AFL, but I can't seem to make a simple example running.
Here is my C program:
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <assert.h>
char *remove_white_space(char *s)
{
while (s && *s++)
if (*s == ' ')
return "moish";
return s;
}
int main(int argc, char **argv)
{
char buffer[256]={0};
FILE *fl = fopen(argv[1],"rt");
if (fl == NULL) return 0;
assert(fscanf(fl,"%s",buffer) > 0);
char *res = remove_white_space(buffer);
if (strcmp(res,"a b c d") == 0)
{
assert(0);
}
fclose(fl);
return 0;
}
My input seed is a text file with a single line abhgsd.
Here is what I did:
$ afl-gcc main.c -o main
afl-cc 2.56b by <lcamtuf#google.com>
afl-as 2.56b by <lcamtuf#google.com>
[+] Instrumented 62 locations (64-bit, non-hardened mode, ratio 100%).
$ afl-fuzz -i INPUTS/ -o OUTPUTS ./main ##
And I got this red CAPITAL CRASH message:
afl-fuzz 2.56b by <lcamtuf#google.com>
[+] You have 8 CPU cores and 1 runnable tasks (utilization: 12%).
[+] Try parallel jobs - see /usr/local/share/doc/afl/parallel_fuzzing.txt.
[*] Checking CPU core loadout...
[+] Found a free CPU core, binding to #0.
[*] Checking core_pattern...
[-] Hmm, your system is configured to send core dump notifications to an
external utility. This will cause issues: there will be an extended delay
between stumbling upon a crash and having this information relayed to the
fuzzer via the standard waitpid() API.
To avoid having crashes misinterpreted as timeouts, please log in as root
and temporarily modify /proc/sys/kernel/core_pattern, like so:
echo core >/proc/sys/kernel/core_pattern
[-] PROGRAM ABORT : Pipe at the beginning of 'core_pattern'
Location : check_crash_handling(), afl-fuzz.c:7316
I'm a bit reluctant to change something unless I'm sure what I'm doing.
What's going on here? Should I listen to what AFL is saying?
You should probably change your core pattern, but you can change it back later. Many linux distros have a crash reporting service like apport, which relies on having core dumps from crashing processes piped to it via a core pattern like |/usr/share/apport/apport %p %s %c %d %P (see man 5 core) When the core pattern is set up this way, every time a program crashes, apport is run and the core is fed to it as standard input. So if you change the core pattern to just core, do your fuzzing, and then change the core pattern back to whatever it is currently, your distro's crash reporter should resume its normal operation.
AFL may have an environment variable to disable this check, as I know there exist environment variables to disable other pre-fuzzing checks (like AFL_SKIP_CRASHES allowing crashing input in the initial seeds), but this one is pretty low-cost to toggle.
The answer is right there in front of you.
log in as root and echo core >/proc/sys/kernel/core_pattern

Libfuzzer target for on-disk parsing

I'm currently integrating libFuzzer in a project which parses files on the hard drive. I have some prior experience with AFL, where a command line like this one was used:
afl-fuzz -m500 -i input/ -o output/ -t100 -- program_to_fuzz ##
...where ## was a path to the generated input.
Looking at libFuzzer however, I see that the fuzz targets look like this:
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
DoSomethingInterestingWithMyAPI(Data, Size);
return 0; // Non-zero return values are reserved for future use.
}
I understand that the input isn't provided in the form of a file, but as a buffer in-memory instead. The problem is that the program I'm trying to fuzz works with files and obtains its data through fread() calls. At no point in time is the whole input supposed to be loaded in memory (where, in the general case, it might not even fit); so there's not much I can do with a const uint8_t*.
Writing the buffer back to the hard drive to get back a file seems extremely inefficient. Is there a way around this?
You can do as in this example from google security team.
The buf_to_file defined here takes your buffer and returns a char* pathname you can then pass to you target:
(from https://github.com/google/security-research-pocs/blob/master/autofuzz/fuzz_utils.h#L27 )
// Write the data provided in buf to a new temporary file. This function is
// meant to be called by LLVMFuzzerTestOneInput() for fuzz targets that only
// take file names (and not data) as input.
//
// Return the path of the newly created file or NULL on error. The caller should
// eventually free the returned buffer (see delete_file).
extern "C" char *buf_to_file(const uint8_t *buf, size_t size);
Be sure to free the ressource with the delete_file function.
You could use LD_PRELOAD and override fread.

Mach Injection: System call open is not getting interposed when injecting in Excel

I hooked system calls open, read, write, lstat etc. using osxinj project. Injected this into TextEdit application provided by apple and everything worked fine. When I opened new file using textedit, opencallback was called and messages were logged in system.log file.
typedef int (*open_type)(const char *, int, mode_t);
open_type open_func = 0;
int opencallback(const char* path, int oflag, mode_t mode)
{
syslog(LOG_ALERT, "In open...");
int returnVal = open_func(path, oflag, mode);
syslog(LOG_ALERT,"Open, ends\n");
return returnVal;
}
Injected into Excel and tried to override open system call using below code:
void* func_ptr = dlsym( RTLD_NEXT, "open");
if (func_ptr)
{
open_func = (open_type)func_ptr;
mach_error_t me = mach_override_ptr( func_ptr,
(void*)&opencallback,
(void**)&open_func);
}
opencallback is called when injecting to TextEdit but it is not getting called when injected in Microsoft Excel. But code written on same lines for other system calls read, write, lstat are getting interposed when injected in Excel.
Any thoughts on why open is not getting interposed when injected to Excel.
Finally, I got my code running. I am posting answer hoping it might help somebody.
I hooked __open which is an alias for open and it worked fine for i386 application like excel.

System call implementation in Pintos

I want to implement the already defined system calls in PintOS ( halt(), create()...etc defined in pintos/src/lib/user/syscall.c ). The current system call handler in pintos/src/userprog/syscall.c does not do anything. How do I make a process that makes system calls. Further I need to myself add a few system calls. How do I proceed in that too. But first I need to implement the existing system calls.
The default implementation in pintos terminates the calling process.
goto this link.There is explanation on where to modify the code to implement the system calls.
The "src/examples" directory contains a few sample user programs.
The "Makefile" in this directory compiles the provided examples, and you can edit it compile your own programs as well.
This program/process when run will inturn make a system call.
Use gdb to follow the execution of one such program a simple printf statement will eventually call write system call to STDOUT file.
The link given also has pointers on how to run pintos on gdb, my guess is you are using either bochs or qemu.In any case just run the gdb once with a simple hello world program running on pintos.
This will give u an idea of how the system call is made.
static void
syscall_handler (struct intr_frame *f)// UNUSED)
{
int *p=f->esp;
switch(*p)
case *p=SYS_CREATE // NUMBER # DEFINED
const char *name=*(p+1); //extract the filename
if(name==NULL||*name==NULL)
exit(-1);
off_t size=(int32_t)*(p+2);//extract file size
f->eax=filesys_create(name,size,_FILE); //call filesys_create
//eax will have the return value
}
This is pseudo code for sys_create .. all file system related system call are very trivial,
Filesys realted system calls like open read write close needs you to translate file to their corresponding fd (file descriptor). You need to add a file table for each process to keep track this, this can either be preprocess data or a global data.(UR choice),
case (*p==SYS_WRITE)
{
// printf("wite syscall\n");
char *buffer=*(p+2);
unsigned size=*(p+3);
int fd=*(p+1);
// getiing the fd of specified file
struct file *fil= thread_current()->fdtable[fd];/ my per thread fdtable
if(fd==1) goto here;
if(is_directory(fil->inode)){
exit(-1);
goto done;
}
here:
if(buffer>=PHYS_BASE)exit(-1);
if(fd<0||fd>=128){exit(-1);}
if(fd==0){exit(-1);} // writing to STDIN
if(fd==1) //writing to STDOUT
{
int a=(int)size;
while(a>=100)
{
putbuf(buffer,100);
buffer=buffer+100;
a-=100;
}
putbuf(buffer,a);
f->eax=(int)size;
}
else
if(thread_current()->fdtable[fd]==NULL)
{f->eax=-1;}
else
{
f->eax=file_write(thread_current()->fdtable[fd],buffer,(off_t)size);
}
done: ;
}//printf("write");} /* Write to a file. */
Open - adds anew entry to fdtable and return the fd number u give to the file,
close - remove that entry from fd table
read - similar to write.
The process_create ,wait are not simple to implement...
Cheers :)