def trigger_unique_crash(test_cases):
"""
Attempt to recreate crash based on target test-case
"""
# Clear logcat before running test-cases
ProcessManagement.clear()
processes = list()
# Clear existing tombstones
Utils.clear_tombstones()
# TODO - Figure out why /data/local/tmp doesn't work here
# TODO - Handle subprocess return codes
for test_case in test_cases:
logger.debug("Fuzzing : {0}".format("".join(test_case.split("/")[-1])))
try:
# Push the test-case to the device
# -----------------------------------------------------------------------------
pusher = Popen("".join([getcwd(), "/bin/adb push ",
test_case,
" /data/local/tmp"]),
stdout=PIPE,
shell=True)
ret = pusher.wait()
if ret:
processes.append(pusher)
time.sleep(3)
viewer = Popen(
"".join([getcwd(),
"/bin/adb shell su -c 'am start -n com.hancom.office.viewer/com.tf.thinkdroid.write.ni.viewer.WriteViewPlusActivity -d file:///data/local/tmp/{0}'"
.format("".join(test_case.split("/")[-1]))]),
stdout=PIPE,
shell=True)
ret = viewer.wait()
if ret:
processes.append(viewer)
time.sleep(1)
# Remove test-case from device
# ----------------------------------------------------------------------------------
remove = Popen(
"".join([getcwd(), "/bin/adb shell rm /data/local/tmp/{0}".format("".join(test_case.split("/")[-1]))]),
stdout=PIPE,
shell=True)
ret = remove.wait()
if ret:
processes.append(remove)
time.sleep(1)
# Kill target application process
# ------------------------------------------------------------------------------
Popen(
"".join([getcwd(), "/bin/adb shell am force-stop com.hancom.office.viewer"]),
shell=True)
# Kill all adb processes
# ------------------------------------------------------------------------------
ProcessManagement.kill(processes)
except CalledProcessError as called_process_error:
logger.error(called_process_error)
return False
# If everything succeeds return True
return True
def run():
print(t.yellow("[{0}] Starting fuzzer (!)".format(datetime.now())))
_test_cases = [
"docx",
"doc",
"pdf"
]
for test_case in _test_cases:
print(t.yellow("[{0}] Available test-case : ".format(datetime.now())) + test_case)
# Get target test-case
target = raw_input(t.yellow("[{0}] Select test-case : ".format(datetime.now())))
# Clear logcat before running test-cases
ProcessManagement.clear()
processes = list()
for test_case in _test_cases:
if target == test_case:
for item in listdir("".join([getcwd(), "/test-cases/{0}".format(target)])):
print(t.yellow("[{0}] Fuzzing : ".format(datetime.now())) + item)
try:
# Push the test-case to the device
# -----------------------------------------------------------------------------
pusher = Popen("".join([getcwd(), "/bin/adb push ",
"{0}/test-cases/{1}/{2}".format(getcwd(), target, item),
" /data/local/tmp"]),
stdout=PIPE,
shell=True)
processes.append(pusher)
time.sleep(2)
viewer = Popen(
"".join([getcwd(), "/bin/adb shell su '-c am start ",
"-n com.hancom.office.viewer/com.tf.thinkdroid.write.ni.viewer.WriteViewPlusActivity ",
"-d file:///data/local/tmp/{0}'".format(item)]),
stdout=PIPE,
shell=True)
processes.append(viewer)
time.sleep(1)
# Add each test-case as a log entry
# -------------------------------------------------------------------------------
log = Popen(
"".join([getcwd(), "/bin/adb shell log -p v -t 'Filename' {0}".format(item)]),
stdout=PIPE,
shell=True)
processes.append(log)
time.sleep(1)
# Find and write fatal log entries (SIGSEGV)
# ----------------------------------------------------------------------------------------
fatal = Popen(
"".join([getcwd(), "/bin/adb logcat -v time *:F > ",
"logs/samsung_core_prime_document_viewer_{0}_logs".format(target)]),
stdout=PIPE,
shell=True)
processes.append(fatal)
time.sleep(1)
# Find and write test-case entry logs
# ----------------------------------------------------------------------------------------
logcat = Popen(
"".join([getcwd(), "/bin/adb logcat -v time *:F -s 'Filename' >> ",
"logs/samsung_core_prime_document_viewer_{0}_logs".format(target)]),
stdout=PIPE,
shell=True)
processes.append(logcat)
time.sleep(2)
# Remove test-case from device
# ----------------------------------------------------------------------------------
remove = Popen(
"".join([getcwd(), "/bin/adb shell su '-c rm /data/local/tmp/{0}'".format(item)]),
stdout=PIPE,
shell=True)
processes.append(remove)
time.sleep(2)
# Kill target application process
# ------------------------------------------------------------------------------
Popen(
"".join([getcwd(), "/bin/adb shell am force-stop com.hancom.office.viewer"]),
shell=True)
# Kill all adb processes
#
ProcessManagement.kill(processes)
except CalledProcessError as called_process_error:
raise called_process_error
def run():
"""
Run target fuzzer
:return:
"""
logger.debug("Starting Kindle Fire Gallery Fuzzer (!)")
_test_cases = [
"gif",
"png",
"mp4"
]
for test_case in _test_cases:
logger.debug("Available Test-Case : {0}".format(test_case))
# Get target test-case
target = raw_input(t.yellow("(DroidFuzzer) Select Test-Case: "))
# Clear logcat before running through available test-cases
ProcessManagement.clear()
processes = list()
for test_case in _test_cases:
if target == test_case:
for item in listdir("".join([getcwd(), "/test-cases/{0}".format(target)])):
logger.debug("Fuzzing : {0}".format(item))
try:
# Push the test-case to the device
# -----------------------------------------------------------------------------
pusher = Popen("".join([getcwd(), "/bin/adb push ",
"{0}/test-cases/{1}/{2}".format(getcwd(), target, item),
" /data/local/tmp"]),
stdout=PIPE,
shell=True)
processes.append(pusher)
time.sleep(2)
viewer = Popen(
"".join([getcwd(), "/bin/adb shell am start ",
"-n com.amazon.photos/com.amazon.gallery.thor.app.activity.ThorViewActivity ",
"-d file:///data/local/tmp/{0}".format(item)]),
stdout=PIPE,
shell=True)
processes.append(viewer)
time.sleep(1)
# Add each test-case as a log entry
# -------------------------------------------------------------------------------
log = Popen(
"".join([getcwd(), "/bin/adb shell log -p v -t 'Filename' {0}".format(item)]),
stdout=PIPE,
shell=True)
processes.append(log)
time.sleep(1)
# Find and write fatal log entries (SIGSEGV)
# ----------------------------------------------------------------------------------------
fatal = Popen(
"".join([getcwd(), "/bin/adb logcat -v time *:F > ",
"logs/kindle_fire_gallery_viewer_{0}_logs".format(target)]),
stdout=PIPE,
shell=True)
processes.append(fatal)
time.sleep(1)
# Find and write test-case entry logs
# ----------------------------------------------------------------------------------------
logcat = Popen(
"".join([getcwd(), "/bin/adb logcat -v time *:F -s 'Filename' >> ",
"logs/kindle_fire_gallery_viewer_{0}_logs".format(target)]),
stdout=PIPE,
shell=True)
processes.append(logcat)
time.sleep(2)
# Remove test-case from device
# ----------------------------------------------------------------------------------
remove = Popen(
"".join([getcwd(), "/bin/adb shell rm /data/local/tmp/{0}".format(item)]),
stdout=PIPE,
shell=True)
processes.append(remove)
time.sleep(2)
# Kill target application process
# ------------------------------------------------------------------------------
Popen(
"".join([getcwd(), "/bin/adb shell am force-stop com.amazon.photos"]),
shell=True)
# Kill all adb processes
#
ProcessManagement.kill(processes)
except CalledProcessError as called_process_error:
raise called_process_error
def run():
"""
Run target fuzzer
:return:
"""
logger.debug("Starting Samsung Core Prime Document Viewer Fuzzer (!)")
_test_cases = [
"docx",
"doc",
"pdf"
]
for test_case in _test_cases:
logger.debug("Available Test-Case : {0}".format(test_case))
# Get target test-case
target = raw_input(t.yellow("(DroidFuzzer) Select Test-Case: "))
# Clear logcat before running test-cases
ProcessManagement.clear()
processes = list()
# Clear existing tombstones
Utils.clear_tombstones()
# Clear existing logs
if path.isfile("".join([getcwd(), "/logs/samsung_core_prime_document_viewer_{0}_logs".format(target)])):
logger.debug("Removing existing logs (!)")
# Got an unresolved reference when just importing the function (?)
os.remove("".join([getcwd(), "/logs/samsung_core_prime_document_viewer_{0}_logs".format(target)]))
for test_case in _test_cases:
if target == test_case:
for item in listdir("".join([getcwd(), "/test-cases/{0}".format(target)])):
logger.debug("Fuzzing : {0}".format(item))
try:
# Push the test-case to the device
# -----------------------------------------------------------------------------
pusher = Popen("".join([getcwd(), "/bin/adb push ",
"{0}/test-cases/{1}/{2}".format(getcwd(), target, item),
" /data/local/tmp"]),
stdout=PIPE,
shell=True)
processes.append(pusher)
time.sleep(2)
viewer = Popen(
"".join([getcwd(), "/bin/adb shell su '-c am start ",
"-n com.hancom.office.viewer/com.tf.thinkdroid.write.ni.viewer.WriteViewPlusActivity ",
"-d file:///data/local/tmp/{0}'".format(item)]),
stdout=PIPE,
shell=True)
processes.append(viewer)
time.sleep(1)
# Add each test-case as a log entry
# -------------------------------------------------------------------------------
log = Popen(
"".join([getcwd(), "/bin/adb shell log -p v -t 'Filename' {0}".format(item)]),
stdout=PIPE,
shell=True)
processes.append(log)
time.sleep(1)
# Find and write fatal log entries (SIGSEGV)
# ----------------------------------------------------------------------------------------
fatal = Popen(
"".join([getcwd(), "/bin/adb logcat -v time *:F > ",
"logs/samsung_core_prime_document_viewer_{0}_logs".format(target)]),
stdout=PIPE,
shell=True)
processes.append(fatal)
time.sleep(1)
# Find and write test-case entry logs
# ----------------------------------------------------------------------------------------
logcat = Popen(
"".join([getcwd(), "/bin/adb logcat -v time *:F -s 'Filename' >> ",
"logs/samsung_core_prime_document_viewer_{0}_logs".format(target)]),
stdout=PIPE,
shell=True)
processes.append(logcat)
time.sleep(1)
# Remove test-case from device
# ----------------------------------------------------------------------------------
remove = Popen(
"".join([getcwd(), "/bin/adb shell su '-c rm /data/local/tmp/{0}'".format(item)]),
stdout=PIPE,
shell=True)
processes.append(remove)
time.sleep(1)
# Kill target application process
# ------------------------------------------------------------------------------
Popen(
"".join([getcwd(), "/bin/adb shell am force-stop com.hancom.office.viewer"]),
shell=True)
# Kill all adb processes
#
ProcessManagement.kill(processes)
sys.stdout.flush()
except CalledProcessError as called_process_error:
raise called_process_error
def run():
"""
Run target fuzzer
:return:
"""
logger.debug("Starting LG GPad 7 Media Scanner Fuzzer (!)")
_test_cases = ["png", "jpg", "gif", "doc", "docx", "pdf", "ppt"]
for test_case in _test_cases:
logger.debug("Available Test-Case : {0}".format(test_case))
# Get target test-case
target = raw_input(
t.yellow("(DroidFuzzer) Select" + t.white(" Test-Case: ")))
# Clear logcat before running test-cases
ProcessManagement.clear()
processes = list()
# Clear existing tombstones
Utils.clear_tombstones()
for test_case in _test_cases:
log_id = randint(0, 10000)
if target == test_case:
# Always return a random sample of the generate test-cases
for item in sample(
listdir("".join(
[getcwd(), "/test-cases/{0}".format(target)])),
len(
listdir("".join(
[getcwd(),
"/test-cases/{0}".format(target)])))):
logger.debug("Fuzzing : {0}".format(item))
try:
# Push the selected test-case on to the device
pusher = ProcessManagement.execute("".join([
getcwd(), "/bin/adb push ",
"{0}/test-cases/{1}/{2}".format(
getcwd(), target, item), " /sdcard/"
]))
processes.append(pusher)
time.sleep(5)
# Execute the target parser
viewer = ProcessManagement.execute("".join([
getcwd(), "/bin/adb shell su -c 'am broadcast ",
"-a android.intent.action.MEDIA_SCANNER_SCAN_FILE ",
"-d file:///sdcard/{0}'".format(item)
]))
processes.append(viewer)
time.sleep(10)
# Log the test-case
log = ProcessManagement.execute("".join([
getcwd(),
"/bin/adb shell log -p v -t 'Filename' {0}".format(
item)
]))
processes.append(log)
time.sleep(3)
# Log any SIGSEGV
fatal = ProcessManagement.execute("".join([
getcwd(), "/bin/adb logcat -v time *:F > ",
"logs/lg_gpad_7/media_scanner/{0}/lg_gpad_7_media_scanner_{1}_{2}_logs"
.format(target, item, log_id)
]))
processes.append(fatal)
time.sleep(3)
# Log the test-case that triggered the SIGSEGV
logcat = ProcessManagement.execute("".join([
getcwd(),
"/bin/adb logcat -v time *:F -s 'Filename' > ",
"logs/lg_gpad_7/media_scanner/{0}/lg_gpad_7_media_scanner_{1}_{2}_logs"
.format(target, item, log_id)
]))
processes.append(logcat)
time.sleep(3)
# Remove the selected test-case
remove = ProcessManagement.execute("".join([
getcwd(),
"/bin/adb shell su '-c rm /sdcard/{0}'".format(
item)
]))
ret = remove.wait()
# Make sure we have received a return code before proceeding
if ret:
processes.append(remove)
time.sleep(3)
# Recursively kill all child processes
ProcessManagement.kill(processes)
ProcessManagement.clear()
except CalledProcessError as called_process_error:
raise called_process_error
except Exception as e:
# Handle this ...
if e.message == "[Errno 35] Resource temporarily unavailable":
logger.error(e.message)
def crash_triage(test_cases):
"""
Attempt to recreate crash based on target test-case
"""
# Clear logcat before running test-cases
ProcessManagement.clear()
processes = list()
# Clear existing tombstones
Utils.clear_tombstones()
# TODO - Figure out why /data/local/tmp doesn't work here
for test_case in test_cases:
logger.debug("Fuzzing : {0}".format("".join(
test_case.split("/")[-1])))
try:
# Push the test-case to the device
# -----------------------------------------------------------------------------
pusher = Popen("".join([
getcwd(), "/bin/adb push ", test_case, " /data/local/tmp"
]),
stdout=PIPE,
shell=True)
ret = pusher.wait()
if ret:
processes.append(pusher)
time.sleep(3)
viewer = Popen("".join([
getcwd(),
"/bin/adb shell su -c 'am start -n com.hancom.office.viewer/com.tf.thinkdroid.write.ni.viewer.WriteViewPlusActivity -d file:///data/local/tmp/{0}'"
.format("".join(test_case.split("/")[-1]))
]),
stdout=PIPE,
shell=True)
ret = viewer.wait()
if ret:
processes.append(viewer)
time.sleep(1)
# Remove test-case from device
# ----------------------------------------------------------------------------------
remove = Popen("".join([
getcwd(),
"/bin/adb shell rm /data/local/tmp/{0}".format("".join(
test_case.split("/")[-1]))
]),
stdout=PIPE,
shell=True)
ret = remove.wait()
if ret:
processes.append(remove)
time.sleep(1)
# Kill target application process
# ------------------------------------------------------------------------------
Popen("".join([
getcwd(),
"/bin/adb shell am force-stop com.hancom.office.viewer"
]),
shell=True)
# Kill all adb processes
# ------------------------------------------------------------------------------
ProcessManagement.kill(processes)
except CalledProcessError as called_process_error:
logger.error(called_process_error)
def run():
"""
Run target fuzzer
:return:
"""
logger.debug("Starting Samsung Core Prime Document Viewer Fuzzer (!)")
_test_cases = ["docx", "doc", "pdf"]
for test_case in _test_cases:
logger.debug("Available Test-Case : {0}".format(test_case))
# Get target test-case
target = raw_input(t.yellow("(DroidFuzzer) Select Test-Case: "))
# Clear logcat before running test-cases
ProcessManagement.clear()
processes = list()
# Clear existing tombstones
Utils.clear_tombstones()
# Clear existing logs
if path.isfile("".join([
getcwd(),
"/logs/samsung_core_prime_document_viewer_{0}_logs".format(
target)
])):
logger.debug("Removing existing logs (!)")
# Got an unresolved reference when just importing the function (?)
os.remove("".join([
getcwd(),
"/logs/samsung_core_prime_document_viewer_{0}_logs".format(
target)
]))
for test_case in _test_cases:
if target == test_case:
for item in listdir("".join(
[getcwd(), "/test-cases/{0}".format(target)])):
logger.debug("Fuzzing : {0}".format(item))
try:
# Push the test-case to the device
# -----------------------------------------------------------------------------
pusher = Popen("".join([
getcwd(), "/bin/adb push ",
"{0}/test-cases/{1}/{2}".format(
getcwd(), target, item), " /data/local/tmp"
]),
stdout=PIPE,
shell=True)
processes.append(pusher)
time.sleep(2)
viewer = Popen("".join([
getcwd(), "/bin/adb shell su '-c am start ",
"-n com.hancom.office.viewer/com.tf.thinkdroid.write.ni.viewer.WriteViewPlusActivity ",
"-d file:///data/local/tmp/{0}'".format(item)
]),
stdout=PIPE,
shell=True)
processes.append(viewer)
time.sleep(1)
# Add each test-case as a log entry
# -------------------------------------------------------------------------------
log = Popen("".join([
getcwd(),
"/bin/adb shell log -p v -t 'Filename' {0}".format(
item)
]),
stdout=PIPE,
shell=True)
processes.append(log)
time.sleep(1)
# Find and write fatal log entries (SIGSEGV)
# ----------------------------------------------------------------------------------------
fatal = Popen("".join([
getcwd(), "/bin/adb logcat -v time *:F > ",
"logs/samsung_core_prime_document_viewer_{0}_logs".
format(target)
]),
stdout=PIPE,
shell=True)
processes.append(fatal)
time.sleep(1)
# Find and write test-case entry logs
# ----------------------------------------------------------------------------------------
logcat = Popen("".join([
getcwd(),
"/bin/adb logcat -v time *:F -s 'Filename' >> ",
"logs/samsung_core_prime_document_viewer_{0}_logs".
format(target)
]),
stdout=PIPE,
shell=True)
processes.append(logcat)
time.sleep(1)
# Remove test-case from device
# ----------------------------------------------------------------------------------
remove = Popen("".join([
getcwd(),
"/bin/adb shell su '-c rm /data/local/tmp/{0}'".
format(item)
]),
stdout=PIPE,
shell=True)
processes.append(remove)
time.sleep(1)
# Kill target application process
# ------------------------------------------------------------------------------
Popen("".join([
getcwd(),
"/bin/adb shell am force-stop com.hancom.office.viewer"
]),
shell=True)
# Kill all adb processes
#
ProcessManagement.kill(processes)
sys.stdout.flush()
except CalledProcessError as called_process_error:
raise called_process_error
def run():
"""
Run target fuzzer
:return:
"""
logger.debug("Starting LG GPad 7 Gallery Fuzzer (!)")
_test_cases = [
"gif",
"jpg"
]
for test_case in _test_cases:
logger.debug("Available Test-Case : {0}".format(test_case))
# Get target test-case
target = raw_input(t.yellow("(DroidFuzzer) Select" + t.white(" Test-Case: ")))
# Clear logcat before running test-cases
ProcessManagement.clear()
processes = list()
# Clear existing tombstones
Utils.clear_tombstones()
for test_case in _test_cases:
log_id = randint(0, 10000)
if target == test_case:
# Always return a random sample of the generate test-cases
for item in sample(listdir("".join([getcwd(), "/test-cases/{0}".format(target)])),
len(listdir("".join([getcwd(), "/test-cases/{0}".format(target)])))):
logger.debug("Fuzzing : {0}".format(item))
try:
# Push the selected test-case on to the device
pusher = ProcessManagement.execute("".join([getcwd(),
"/bin/adb push ",
"{0}/test-cases/{1}/{2}".format(getcwd(),
target,
item),
" /sdcard/"]))
processes.append(pusher)
time.sleep(5)
# Execute the target parser
viewer = ProcessManagement.execute("".join([getcwd(),
"/bin/adb shell su -c 'am start ",
"-a android.intent.action.VIEW ",
"-t image/gif "
"-n com.android.gallery3d/.app.Gallery "
"-d file:///storage/emulated/0/{0}'".format(item)]))
processes.append(viewer)
time.sleep(10)
# Log the test-case
log = ProcessManagement.execute(
"".join([getcwd(),
"/bin/adb shell log -p v -t 'Filename' {0}".format(item)]))
processes.append(log)
time.sleep(3)
# Log any SIGSEGV
fatal = ProcessManagement.execute(
"".join([getcwd(),
"/bin/adb logcat -v time *:F > ",
"logs/lg_gpad_7/gallery/{0}/lg_gpad_7_gallery_{1}_{2}_logs"
.format(target, item, log_id)]))
processes.append(fatal)
time.sleep(3)
# Log the test-case that triggered the SIGSEGV
logcat = ProcessManagement.execute(
"".join([getcwd(),
"/bin/adb logcat -v time *:F -s 'Filename' > ",
"logs/lg_gpad_7/gallery/{0}/lg_gpad_7_gallery_{1}_{2}_logs"
.format(target, item, log_id)]))
processes.append(logcat)
time.sleep(3)
# Remove the selected test-case
remove = ProcessManagement.execute(
"".join([getcwd(), "/bin/adb shell su '-c rm /sdcard/{0}'".format(item)]))
processes.append(remove)
time.sleep(3)
# Kill the target parser
ProcessManagement.execute(
"".join([getcwd(), "/bin/adb shell am force-stop com.android.gallery3d"]))
# Recursively kill all child processes
ProcessManagement.kill(processes)
ProcessManagement.clear()
except CalledProcessError as called_process_error:
raise called_process_error
except Exception as e:
# Handle this ...
if e.message == "[Errno 35] Resource temporarily unavailable":
logger.error(e.message)
def run():
"""
Run gallery fuzzer
"""
logger.debug("Starting ASUS ZenFone 2E Document Fuzzer (!)")
_test_cases = ["pdf", "doc", "docx", "xls"]
for test_case in _test_cases:
logger.debug("Available Test-Case : {0}".format(test_case))
# Get target test-case
target = raw_input(t.yellow("(DroidFuzzer) Select Test-Case: "))
# Clear logcat before running test-cases
ProcessManagement.clear()
processes = list()
# Clear existing tombstones
Utils.clear_tombstones()
for test_case in _test_cases:
log_id = randint(0, 10000)
if target == test_case:
for item in listdir("".join(
[getcwd(), "/test-cases/{0}".format(target)])):
logger.debug("Fuzzing : {0}".format(item))
try:
# Push the test-case to the device
# -----------------------------------------------------------------------------
pusher = Popen("".join([
getcwd(), "/bin/adb push ",
"{0}/test-cases/{1}/{2}".format(
getcwd(), target, item), " /sdcard/"
]),
shell=True)
processes.append(pusher)
time.sleep(2)
viewer = Popen("".join([
getcwd(), "/bin/adb shell su -c 'am start ",
"-n com.tf.thinkdroid.asus/com.tf.thinkdroid.pdf.app.StartTfpActivity ",
"-t application/{0} ".format(target),
"-a android.intent.action.VIEW ",
"-d file:///sdcard/{0}'".format(item)
]),
shell=True)
processes.append(viewer)
time.sleep(1)
# Add each test-case as a log entry
# -------------------------------------------------------------------------------
log = Popen("".join([
getcwd(),
"/bin/adb shell log -p v -t 'Filename' {0}".format(
item)
]),
shell=True)
processes.append(log)
time.sleep(1)
# Find and write fatal log entries (SIGSEGV)
# ----------------------------------------------------------------------------------------
fatal = Popen("".join([
getcwd(), "/bin/adb logcat -v time *:F > ",
getcwd(),
"/logs/asus_zenfone_2e/document/{0}/asus_zenfone_2e_document_{0}_{1}_{2}_logs"
.format(target, item, log_id)
]),
shell=True)
processes.append(fatal)
time.sleep(1)
# Find and write test-case entry logs
# ----------------------------------------------------------------------------------------
logcat = Popen("".join([
getcwd(),
"/bin/adb logcat -v time *:F -s 'Filename' > ",
getcwd(),
"/logs/asus_zenfone_2e/document/{0}/asus_zenfone_2e_document_{0}_{1}_{2}_logs"
.format(target, item, log_id)
]),
shell=True)
processes.append(logcat)
time.sleep(1)
# Remove test-case from device
# ----------------------------------------------------------------------------------
remove = Popen("".join([
getcwd(),
"/bin/adb shell rm /sdcard/{0}".format(item)
]),
shell=True)
ret = remove.wait()
if ret:
processes.append(remove)
time.sleep(1)
# Kill target application process
# ------------------------------------------------------------------------------
Popen("".join([
getcwd(),
"/bin/adb shell am force-stop com.tf.thinkdroid.asus"
]),
shell=True)
# Kill all adb processes
ProcessManagement.kill(processes)
ProcessManagement.clear()
except CalledProcessError as called_process_error:
raise called_process_error
def run():
"""
Run gallery fuzzer
"""
logger.debug("Starting ASUS ZenFone 2E Gallery Fuzzer (!)")
_test_cases = [
"jpg"
]
for test_case in _test_cases:
logger.debug("Available Test-Case : {0}".format(test_case))
# Get target test-case
target = raw_input(t.yellow("(DroidFuzzer) Select Test-Case: "))
# Clear logcat before running test-cases
ProcessManagement.clear()
processes = list()
# Clear existing tombstones
Utils.clear_tombstones()
for test_case in _test_cases:
log_id = randint(0, 10000)
if target == test_case:
for item in listdir("".join([getcwd(), "/test-cases/{0}".format(target)])):
logger.debug("Fuzzing : {0}".format(item))
try:
# Push the test-case to the device
# -----------------------------------------------------------------------------
pusher = Popen("".join([getcwd(), "/bin/adb push ",
"{0}/test-cases/{1}/{2}".format(getcwd(), target, item),
" /data/local/tmp"]),
shell=True)
processes.append(pusher)
time.sleep(2)
viewer = Popen(
"".join([getcwd(), "/bin/adb shell am start ",
"-n com.asus.gallery/.app.EPhotoActivity ",
"-t image/jpeg "
"-a android.intent.action.VIEW ",
"-d file:///data/local/tmp/{0}".format(item)]),
shell=True)
processes.append(viewer)
time.sleep(1)
# Add each test-case as a log entry
# -------------------------------------------------------------------------------
log = Popen(
"".join([getcwd(), "/bin/adb shell log -p v -t 'Filename' {0}".format(item)]),
shell=True)
processes.append(log)
time.sleep(1)
# Find and write fatal log entries (SIGSEGV)
# ----------------------------------------------------------------------------------------
fatal = Popen(
"".join([getcwd(),
"/bin/adb logcat -v time *:F > ", getcwd(),
"/logs/asus_zenfone_2e/gallery/{0}/asus_zenfone_2e_gallery_{0}_{1}_{2}_logs"
.format(target, item, log_id)]),
shell=True)
processes.append(fatal)
time.sleep(1)
# Find and write test-case entry logs
# ----------------------------------------------------------------------------------------
logcat = Popen(
"".join([getcwd(),
"/bin/adb logcat -v time *:F -s 'Filename' > ", getcwd(),
"/logs/asus_zenfone_2e/gallery/{0}/asus_zenfone_2e_gallery_{0}_{1}_{2}_logs"
.format(target, item, log_id)]),
shell=True)
processes.append(logcat)
time.sleep(1)
# Remove test-case from device
# ----------------------------------------------------------------------------------
remove = Popen(
"".join([getcwd(), "/bin/adb shell rm /data/local/tmp/{0}".format(item)]),
shell=True)
ret = remove.wait()
if ret:
processes.append(remove)
time.sleep(1)
# Kill target application process
# ------------------------------------------------------------------------------
Popen(
"".join([getcwd(), "/bin/adb shell am force-stop com.asus.gallery"]),
shell=True)
# Kill all adb processes
ProcessManagement.kill(processes)
ProcessManagement.clear()
except CalledProcessError as called_process_error:
raise called_process_error
def run():
"""
Run target fuzzer
:return:
"""
logger.debug("Starting Samsung Core Prime Document Viewer Fuzzer (!)")
_test_cases = ["docx", "doc", "pdf"]
for test_case in _test_cases:
logger.debug("Available Test-Case : {0}".format(test_case))
# Get target test-case
target = raw_input(
t.yellow("(DroidFuzzer) Select" + t.white(" Test-Case: ")))
# Clear logcat before running test-cases
ProcessManagement.clear()
processes = list()
# Clear existing tombstones
Utils.clear_tombstones()
for test_case in _test_cases:
log_id = randint(0, 10000)
if target == test_case:
# Always return a random sample of the generate test-cases
for item in sample(
listdir("".join(
[getcwd(), "/test-cases/{0}".format(target)])),
len(
listdir("".join(
[getcwd(),
"/test-cases/{0}".format(target)])))):
logger.debug("Fuzzing : {0}".format(item))
try:
# Push the selected test-case on to the device
pusher = ProcessManagement.execute("".join([
getcwd(), "/bin/adb push ",
"{0}/test-cases/{1}/{2}".format(
getcwd(), target, item), " /data/local/tmp"
]))
processes.append(pusher)
time.sleep(5)
# Execute the target parser
viewer = ProcessManagement.execute("".join([
getcwd(), "/bin/adb shell su '-c am start ",
"-n com.hancom.office.viewer/com.tf.thinkdroid.write.ni.viewer.WriteViewPlusActivity ",
"-d file:///data/local/tmp/{0}'".format(item)
]))
processes.append(viewer)
time.sleep(10)
# Log the test-case
log = ProcessManagement.execute("".join([
getcwd(),
"/bin/adb shell log -p v -t 'Filename' {0}".format(
item)
]))
processes.append(log)
time.sleep(3)
# Log any SIGSEGV
fatal = ProcessManagement.execute("".join([
getcwd(), "/bin/adb logcat -v time *:F > ",
"logs/samsung_core_prime/document_viewer/{0}/samsung_core_prime_document_viewer_{1}_{2}_logs"
.format(target, item, log_id)
]))
processes.append(fatal)
time.sleep(3)
# Log the test-case that triggered the SIGSEGV
logcat = ProcessManagement.execute("".join([
getcwd(),
"/bin/adb logcat -v time *:F -s 'Filename' > ",
"logs/samsung_core_prime/document_viewer/{0}/samsung_core_prime_document_viewer_{1}_{2}_logs"
.format(target, item, log_id)
]))
processes.append(logcat)
time.sleep(3)
# Remove the selected test-case
remove = ProcessManagement.execute("".join([
getcwd(),
"/bin/adb shell su '-c rm /data/local/tmp/{0}'".
format(item)
]))
ret = remove.wait()
# Make sure we have received a return code before proceeding
if ret:
processes.append(remove)
time.sleep(3)
# Kill the target parser
ProcessManagement.execute("".join([
getcwd(),
"/bin/adb shell am force-stop com.hancom.office.viewer"
]))
# Recursively kill all child processes
ProcessManagement.kill(processes)
ProcessManagement.clear()
except CalledProcessError as called_process_error:
raise called_process_error
except Exception as e:
# Handle this ...
if e.message == "[Errno 35] Resource temporarily unavailable":
logger.error(e.message)
def run():
"""
Run target fuzzer
:return:
"""
logger.debug("Starting Kindle Fire Gallery Fuzzer (!)")
_test_cases = ["gif", "png", "mp4"]
for test_case in _test_cases:
logger.debug("Available Test-Case : {0}".format(test_case))
# Get target test-case
target = raw_input(t.yellow("(DroidFuzzer) Select Test-Case: "))
# Clear logcat before running through available test-cases
ProcessManagement.clear()
processes = list()
for test_case in _test_cases:
if target == test_case:
for item in listdir("".join(
[getcwd(), "/test-cases/{0}".format(target)])):
logger.debug("Fuzzing : {0}".format(item))
try:
# Push the test-case to the device
# -----------------------------------------------------------------------------
pusher = Popen("".join([
getcwd(), "/bin/adb push ",
"{0}/test-cases/{1}/{2}".format(
getcwd(), target, item), " /data/local/tmp"
]),
stdout=PIPE,
shell=True)
processes.append(pusher)
time.sleep(2)
viewer = Popen("".join([
getcwd(), "/bin/adb shell am start ",
"-n com.amazon.photos/com.amazon.gallery.thor.app.activity.ThorViewActivity ",
"-d file:///data/local/tmp/{0}".format(item)
]),
stdout=PIPE,
shell=True)
processes.append(viewer)
time.sleep(1)
# Add each test-case as a log entry
# -------------------------------------------------------------------------------
log = Popen("".join([
getcwd(),
"/bin/adb shell log -p v -t 'Filename' {0}".format(
item)
]),
stdout=PIPE,
shell=True)
processes.append(log)
time.sleep(1)
# Find and write fatal log entries (SIGSEGV)
# ----------------------------------------------------------------------------------------
fatal = Popen("".join([
getcwd(), "/bin/adb logcat -v time *:F > ",
"logs/kindle_fire_gallery_viewer_{0}_logs".format(
target)
]),
stdout=PIPE,
shell=True)
processes.append(fatal)
time.sleep(1)
# Find and write test-case entry logs
# ----------------------------------------------------------------------------------------
logcat = Popen("".join([
getcwd(),
"/bin/adb logcat -v time *:F -s 'Filename' >> ",
"logs/kindle_fire_gallery_viewer_{0}_logs".format(
target)
]),
stdout=PIPE,
shell=True)
processes.append(logcat)
time.sleep(2)
# Remove test-case from device
# ----------------------------------------------------------------------------------
remove = Popen("".join([
getcwd(),
"/bin/adb shell rm /data/local/tmp/{0}".format(
item)
]),
stdout=PIPE,
shell=True)
processes.append(remove)
time.sleep(2)
# Kill target application process
# ------------------------------------------------------------------------------
Popen("".join([
getcwd(),
"/bin/adb shell am force-stop com.amazon.photos"
]),
shell=True)
# Kill all adb processes
#
ProcessManagement.kill(processes)
except CalledProcessError as called_process_error:
raise called_process_error
def run():
"""
Run target fuzzer
:return:
"""
logger.debug("Starting Samsung Core Prime Document Viewer Fuzzer (!)")
_test_cases = [
"docx",
"doc",
"pdf"
]
for test_case in _test_cases:
logger.debug("Available Test-Case : {0}".format(test_case))
# Get target test-case
target = raw_input(t.yellow("(DroidFuzzer) Select" + t.white(" Test-Case: ")))
# Clear logcat before running test-cases
ProcessManagement.clear()
processes = list()
# Clear existing tombstones
Utils.clear_tombstones()
for test_case in _test_cases:
log_id = randint(0, 10000)
if target == test_case:
# Always return a random sample of the generate test-cases
for item in sample(listdir("".join([getcwd(), "/test-cases/{0}".format(target)])),
len(listdir("".join([getcwd(), "/test-cases/{0}".format(target)])))):
logger.debug("Fuzzing : {0}".format(item))
try:
# Push the selected test-case on to the device
pusher = ProcessManagement.execute("".join([getcwd(),
"/bin/adb push ",
"{0}/test-cases/{1}/{2}".format(getcwd(),
target, item)," /data/local/tmp"]))
processes.append(pusher)
time.sleep(5)
# Execute the target parser
viewer = ProcessManagement.execute("".join([getcwd(),
"/bin/adb shell su '-c am start ",
"-n com.hancom.office.viewer/com.tf.thinkdroid.write.ni.viewer.WriteViewPlusActivity ",
"-d file:///data/local/tmp/{0}'".format(item)]))
processes.append(viewer)
time.sleep(10)
# Log the test-case
log = ProcessManagement.execute(
"".join([getcwd(),
"/bin/adb shell log -p v -t 'Filename' {0}".format(item)]))
processes.append(log)
time.sleep(3)
# Log any SIGSEGV
fatal = ProcessManagement.execute(
"".join([getcwd(),
"/bin/adb logcat -v time *:F > ",
"logs/samsung_core_prime/document_viewer/{0}/samsung_core_prime_document_viewer_{1}_{2}_logs"
.format(target, item, log_id)]))
processes.append(fatal)
time.sleep(3)
# Log the test-case that triggered the SIGSEGV
logcat = ProcessManagement.execute(
"".join([getcwd(),
"/bin/adb logcat -v time *:F -s 'Filename' > ",
"logs/samsung_core_prime/document_viewer/{0}/samsung_core_prime_document_viewer_{1}_{2}_logs"
.format(target, item, log_id)]))
processes.append(logcat)
time.sleep(3)
# Remove the selected test-case
remove = ProcessManagement.execute(
"".join([getcwd(), "/bin/adb shell su '-c rm /data/local/tmp/{0}'".format(item)]))
ret = remove.wait()
# Make sure we have received a return code before proceeding
if ret:
processes.append(remove)
time.sleep(3)
# Kill the target parser
ProcessManagement.execute(
"".join([getcwd(), "/bin/adb shell am force-stop com.hancom.office.viewer"]))
# Recursively kill all child processes
ProcessManagement.kill(processes)
ProcessManagement.clear()
except CalledProcessError as called_process_error:
raise called_process_error
except Exception as e:
# Handle this ...
if e.message == "[Errno 35] Resource temporarily unavailable":
logger.error(e.message)
def run():
"""
Run target fuzzer
:return:
"""
logger.debug("Samsung Core Prime Media Scanner Fuzzer (!)")
_test_cases = [
"jpg",
"gif"
]
for test_case in _test_cases:
logger.debug("Available Test-Case : {0}".format(test_case))
# Get target test-case
target = raw_input(t.yellow("(DroidFuzzer) Select" + t.white(" Test-Case: ")))
# Clear logcat before running test-cases
ProcessManagement.clear()
processes = list()
# Clear existing tombstones
Utils.clear_tombstones()
for test_case in _test_cases:
log_id = randint(0, 10000)
if target == test_case:
# Always return a random sample of the generate test-cases
for item in sample(listdir("".join([getcwd(), "/test-cases/{0}".format(target)])),
len(listdir("".join([getcwd(), "/test-cases/{0}".format(target)])))):
logger.debug("Fuzzing : {0}".format(item))
try:
# Push the selected test-case on to the device
pusher = ProcessManagement.execute("".join([getcwd(),
"/bin/adb push ",
"{0}/test-cases/{1}/{2}".format(getcwd(),
target,
item),
" /sdcard/"]))
processes.append(pusher)
time.sleep(5)
# Execute the target parser
viewer = ProcessManagement.execute("".join([getcwd(),
"/bin/adb shell am broadcast ",
"-a android.intent.action.MEDIA_MOUNTED ",
"-d file:///mnt/shell/emulated/0/"]))
processes.append(viewer)
time.sleep(10)
# Log the test-case
log = ProcessManagement.execute(
"".join([getcwd(),
"/bin/adb shell log -p v -t 'Filename' {0}".format(item)]))
processes.append(log)
time.sleep(3)
# Log any SIGSEGV
fatal = ProcessManagement.execute(
"".join([getcwd(),
"/bin/adb logcat -v time *:F > ",
"logs/samsung_core_prime/media_scanner/{0}/samsung_core_prime_media_scanner_{1}_{2}_logs"
.format(target, item, log_id)]))
processes.append(fatal)
time.sleep(3)
# Log the test-case that triggered the SIGSEGV
logcat = ProcessManagement.execute(
"".join([getcwd(),
"/bin/adb logcat -v time *:F -s 'Filename' > ",
"logs/samsung_core_prime/media_scanner/{0}/samsung_core_prime_media_scanner_{1}_{2}_logs"
.format(target, item, log_id)]))
processes.append(logcat)
time.sleep(3)
# Remove the selected test-case
remove = ProcessManagement.execute(
"".join([getcwd(), "/bin/adb shell rm /sdcard/{0}".format(item)]))
ret = remove.wait()
# Make sure we have received a return code before proceeding
if ret:
processes.append(remove)
time.sleep(3)
# Recursively kill all child processes
ProcessManagement.kill(processes)
ProcessManagement.clear()
except CalledProcessError as called_process_error:
raise called_process_error
except Exception as e:
# Handle this ...
if e.message == "[Errno 35] Resource temporarily unavailable":
logger.error(e.message)