Misc examples fixes

Author: elicn

examples/fuzzing/dlink_dir815/dir815_mips32el_linux.py

@@ -5,15 +5,15 @@
 
 # Everything about the bug and firmware https://www.exploit-db.com/exploits/33863
 
-import os,sys
+import sys
 sys.path.append("../../..")
 
 from qiling import Qiling
 from qiling.const import QL_VERBOSE
 from qiling.extensions.afl import ql_afl_fuzz
 
 
-def main(input_file, enable_trace=False):
+def main(input_file: str):
 
     env_vars = {
         "REQUEST_METHOD": "POST",
@@ -24,40 +24,36 @@ def main(input_file, enable_trace=False):
         # "CONTENT_LENGTH": "8", # no needed
     }
 
-    ql = Qiling(["./rootfs/htdocs/web/hedwig.cgi"], "./rootfs",
-                verbose=QL_VERBOSE.DEBUG, env=env_vars, console=enable_trace)
+    ql = Qiling(["./rootfs/htdocs/web/hedwig.cgi"], "./rootfs", verbose=QL_VERBOSE.DISABLED, env=env_vars)
 
-    def place_input_callback(ql: Qiling, input: bytes, _: int):
-        env_var = ("HTTP_COOKIE=uid=1234&password=").encode()
-        env_vars = env_var + input + b"\x00" + (ql.path).encode() + b"\x00"
-        ql.mem.write(ql.target_addr, env_vars)
+    def place_input_callback(ql: Qiling, data: bytes, _: int) -> bool:
+        # construct the payload
+        payload = b''.join((b"HTTP_COOKIE=uid=1234&password=", bytes(data), b"\x00", ql_path, b"\x00"))
 
-    def start_afl(_ql: Qiling):
+        # patch the value of 'HTTP_COOKIE' in memory
+        ql.mem.write(target_addr, payload)
+
+        # payload is in place, we are good to go
+        return True
 
+    def start_afl(_ql: Qiling):
         """
         Callback from inside
         """
+
         ql_afl_fuzz(_ql, input_file=input_file, place_input_callback=place_input_callback, exits=[ql.os.exit_point])
 
-    addr = ql.mem.search("HTTP_COOKIE=uid=1234&password=".encode())
-    ql.target_addr = addr[0]
+    addr = ql.mem.search(b"HTTP_COOKIE=uid=1234&password=")
+    target_addr = addr[0]
+    ql_path = ql.path.encode()
 
-    main_addr = ql.loader.elf_entry
-    ql.hook_address(callback=start_afl, address=main_addr)
+    ql.hook_address(start_afl, ql.loader.elf_entry)
 
-    try:
-        ql.run()
-        os._exit(0)
-    except:
-        if enable_trace:
-            print("\nFuzzer Went Shit")
-        os._exit(0)
+    ql.run()
 
 
 if __name__ == "__main__":
-    if len(sys.argv) == 1:
+    if len(sys.argv) < 2:
         raise ValueError("No input file provided.")
-    if len(sys.argv) > 2 and sys.argv[1] == "-t":
-        main(sys.argv[2], enable_trace=True)
-    else:
-        main(sys.argv[1])
+
+    main(sys.argv[1])

examples/sality.py

@@ -159,7 +159,7 @@ def hook_StartServiceA(ql: Qiling, address: int, params):
                 init_unseen_symbols(ql.amsint32_driver, ntoskrnl.base+0xb7695, b"NtTerminateProcess", 0, "ntoskrnl.exe")
                 #ql.amsint32_driver.debugger= ":9999"
                 try:
-                    ql.amsint32_driver.load()
+                    ql.amsint32_driver.run()
                     return 1
                 except UcError as e:
                     print("Load driver error: ", e)

examples/tendaac1518_httpd.py

@@ -78,6 +78,8 @@ def __vfork(ql: Qiling):
 
         ql.os.set_syscall('vfork', __vfork)
 
+    os.unlink(fr'{ROOTFS}/proc/sys/kernel/core_pattern')
+
     ql.run()