Overview
Syllabus
Intro
Tencent Blade Team
Agenda
The Magellan 2.0
Vulnerabilities or Bugs Found by the Fuzzer
Auditing Strategies: Blobs
Auditing Strategies: The memory operations
Auditing Strategies: Special Commands
Shadow Tables
Structure-Aware Fuzzing
How the Fuzzer is Implemented
Differences from Google's (1)
Raw Data
Generated Testcase
Preparations
Initial Queries of the Fuzzer
The Structure opdata_16
Example of Translating Opcode to Query
Table Selector and Column Selector
SQL Operation Selector
Get Data from Data Provider
Run Generated SQL Queries
Bypass the Defense-In-Depth
It's a Little Bit Tough
Let's Make Some Fake Objects
Stabilize the Heap and the RCE
Get Uninitialized Heap Data
Overwrite the sqlite3Config
Set the Memory Page to RWX
Restore the Stack
Conclusion
Taught by
Hack In The Box Security Conference