I don't understand why Mayhem can't find the buffer overflow bug in this source code

Hi.

I tried running the following program on Mayhem.
But Mayhem can't find any buffer overflow bug.
Why?

===================================-
#include <stdio.h>
#include <string.h>

int fuzzme(char *str)
{
  char buf[8];   /* 8-byte stack buffer: the intended overflow target */

  /* Four nested byte comparisons: a fuzzer has to discover "HOGE" one byte at a time
   * before the defect below is reachable at all. */
  if(str[0] == 'H')
    if(str[1] == 'O')
        if(str[2] == 'G')
            if(str[3] == 'E') {
                strcpy(buf,str);   /* Defect: unbounded copy, str can hold up to 63 chars */
                printf("Hi %s!\n",buf);
            }

  printf("Your input is: %s\n",str);

  return 0;
}

int main(int argc, char *argv[])
{

  char str[64];

  printf("Please, Input!\n");
  /* Width 63, not 64: scanf appends a NUL, so "%64s" could write 65 bytes into str[64].
   * The overflow this target is meant to exhibit is the strcpy in fuzzme(), not this read. */
  scanf("%63s",str);

  fuzzme(str);

  return 0;
}

My Mayhemfile is here:

# Namespaced project name that the target belongs to
project: n0r1k4zu/bof

# Target name (should be unique within the project)
target: bof

# Base image to run the binary in.
image: ghcr.io/n0r1k4zu/bof:latest

# List of commands used to test the target
cmds:

  # Command used to start the target, "@@" is the input file
  # (when "@@" is omitted Mayhem defaults to stdin inputs)
  - cmd: /bof
    env: {}

This program, too:
Mayhem can't find any bugs, but why?

$ cat testme.c
#include <stdio.h>
#include <stdlib.h>   /* abort() */
#include <string.h>

int fuzzme(char *buf)
{
  /* Three byte comparisons gate the defect: the input file must begin with "bug" */
  if(buf[0] == 'b')
    if(buf[1] == 'u')
      if(buf[2] == 'g') {
        abort(); // Defect: Sends a SIGABRT signal
      }
  return 0;
}

int main(int argc, char *argv[])
{
  FILE *f;
  char buf[12];

  if(argc != 2){
    fprintf(stderr, "Must supply a text file\n");
    return -1;
  }
  f = fopen(argv[1], "r");
  if(f == NULL){
    fprintf(stderr, "Could not open %s\n", argv[1]);
    return -1;
  }
  if(fgets(buf, sizeof(buf), f) == NULL){
    fprintf(stderr, "Could not read from %s\n", argv[1]);
    return -1;
  }
  fuzzme(buf);
  return 0;
}
$ cat Dockerfile 
# Build Stage:
FROM ubuntu:22.04 as builder

## Install build dependencies.
RUN apt update && \
    DEBIAN_FRONTEND=noninteractive apt install -y gcc

## Add Source Code
ADD testme.c /

## Build Step
RUN gcc -z norelro -fno-stack-protector -no-pie -z execstack -o testme testme.c

# Package Stage
FROM ubuntu:22.04
COPY --from=builder /testme /
$ cat Mayhemfile 
# Namespaced project name that the target belongs to
project: n0r1k4zu/testme

# Target name (should be unique within the project)
target: testme

# Base image to run the binary in.
image: ghcr.io/n0r1k4zu/testme:latest

#advanced_triage: true
#tasks:
#  - name: exploitability_factors
#  - name: behavior_testing
#  - name: regression_testing
#  - name: coverage_analysis

# List of commands used to test the target
cmds:

  # Command used to start the target, "@@" is the input file
  # (when "@@" is omitted Mayhem defaults to stdin inputs)
  - cmd: /testme @@
    env: {}

Hi @n0r1k4zu ! Welcome to the forums. Thanks for reaching out. I took a look at your first target - it appears that we were close to figuring out the issue, but the run ended before we discovered the crashing test case. Running again with no changes found the issue:
https://app.mayhem.security/n0r1k4zu/bof/bof/2?results=testcases&page=1&testcaseTab=related-defects

Regarding your second target, I was able to get it running, but due to the target using GLIBC 2.34, it takes a bit longer for Mayhem to find the issue.
https://app.mayhem.security/xansec/testme/testme/4

Since we currently have some analysis limitations with GLIBC 2.34, a recommendation for this target is to build on an older debian/ubuntu image, such as bullseye or buster.
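The reply above says the first run ended before Mayhem reached the crashing test case. The program below is an added example, not code from the original post and not Mayhem's own code; it models why that input is hard to reach. It reuses the sizes from the posted target (an 8-byte buf, input of at most 63 characters from scanf) and computes, for a given input, whether the four-byte "HOGE" gate is passed and how many bytes strcpy would write past the end of buf. An input like "HOGE1234" passes the gate yet overflows by only the terminating NUL, which without a stack protector or a sanitizer usually crashes nothing; the comment about the saved return address assumes the usual x86-64 stack layout and is an assumption, not something the page states. A bounded replacement for fuzzme() is included beside the reachability check. All inputs in main() are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of the stack buffer in the posted fuzzme(): char buf[8]. */
#define BUF_SIZE 8

/* Does the input pass the four nested byte comparisons that guard the strcpy?
 * The posted code compares str[0..3] one at a time; a NUL never equals a letter,
 * so a string shorter than four characters fails exactly as it does there. */
static int passes_gate(const char *s)
{
    return strlen(s) >= 4 && memcmp(s, "HOGE", 4) == 0;
}

/* Number of bytes strcpy(buf, s) would write past the end of buf[BUF_SIZE],
 * or 0 when the copy (NUL included) fits or the gate is not passed. */
static size_t overflow_bytes(const char *s)
{
    size_t needed;
    if (!passes_gate(s))
        return 0;
    needed = strlen(s) + 1;           /* strcpy copies the terminating NUL too */
    return needed > BUF_SIZE ? needed - BUF_SIZE : 0;
}

/* Hardened replacement for the posted fuzzme(): same gate, bounded copy, and an
 * explicit refusal of input that would not fit. Returns 1 when out was filled. */
static int fuzzme_fixed(const char *s, char *out, size_t outlen)
{
    if (!passes_gate(s))
        return 0;
    if (strlen(s) + 1 > outlen)       /* would overflow: reject instead of copying */
        return 0;
    snprintf(out, outlen, "%s", s);
    return 1;
}

/* Convenience wrapper with the original buffer size, so callers need no buffer. */
static int fixed_accepts(const char *s)
{
    char out[BUF_SIZE];
    return fuzzme_fixed(s, out, sizeof out);
}

int main(void)
{
    /* Constructed inputs for this example, not Mayhem test cases. */
    const char *samples[] = {
        "HOG",                                        /* fails the gate at the 4th byte */
        "HOGE",                                       /* passes; 5 bytes fit in buf[8] */
        "HOGE1234",                                   /* passes; 9 bytes: NUL lands 1 past buf */
        "HOGE" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAA",    /* passes; 31 bytes: assumed to reach the
                                                         saved return address on x86-64 */
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-32s gate=%d overflow=%zu fixed_accepts=%d\n", samples[i],
               passes_gate(samples[i]), overflow_bytes(samples[i]),
               fixed_accepts(samples[i]));
    return 0;
}
```

The point for the fuzzing run: a crashing test case needs both the four-byte prefix and a length well past buf, and the posted build (-fno-stack-protector, no sanitizer) turns small overflows into silent memory corruption rather than a reported crash. Building the target with -fsanitize=address would make even the one-byte overflow from "HOGE1234" a detectable defect.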

Hi abrewer,

Thank you for your reply.
I understand.

But how can I set the behavior testing duration?
I know that the behavior testing duration is 10 minutes.

You can set the duration in the UI here:


or in the Mayhemfile with

duration: <time in seconds>

On the free app.mayhem.security instance, the run time is capped to 10 minutes for users. Premium users or users with their own Mayhem instance can set run times beyond the 10 minute limit.