The firmware is extracted from an IoT device that needs parsing some files and in this use-case JSON files. Only the JSON parsing part of the firmware is available. The MCU running this firmware is a STM32F412.
The goal is exploring the implementation with TritonDSE to try finding vulnerabilities.
The code is ARM Thumb-2
Base address is: 0x08000000
Entrypoint is: 0x81dc46e | 1
Exit point: (can be set to instruction just after)
The entrypoint is a call on the function parsing the JSON input. Its prototype is the following:
int json_parser(char* buffer, int len, JSON_ctx* ctx);
While the two first parameters are straightforward. The third is an object for which we don’t know the exact structure.
Load the firmware into a
SymbolicExplorator(see the Loaders section of the tutorial).
Try out different exploration strategies and visualize the resulting coverage in Lighthouse.
Different CoverageStrategy values.
Inject one one parameter at the time then multiple ones (see How to inject arbitrary variables in the Seeds section of the tutorial).
Use Sanitizers to detect potential bugs.
The JSON_ctx structure contains two callback functions that you will need to stub (using hooks) to enable emulation to be carried to the end.
Make sure both buffers
ctxpoints to a recognizable memory area.