Ejemplo n.º 1
0
Archivo: core.py Proyecto: vient/kAFL 
def start(config):

    if not post_self_check(config):
        return -1

    if config.argument_values['v']:
        enable_logging(config.argument_values["work_dir"])

    log_info("Dumping target addresses...")

    # TODO: use proper temp file or store to $work_dir
    if os.path.exists("/tmp/kAFL_info.txt"):
        os.remove("/tmp/kAFL_info.txt")

    q = qemu(0, config)
    q.start()
    q.shutdown()

    try:
        with open("/tmp/kAFL_info.txt", 'r') as f:
            print(f.read())
        os.remove("/tmp/kAFL_info.txt")
    except:
        pass

    return 0
Ejemplo n.º 2
0
def start():
    config = InfoConfiguration()

    if not post_self_check(config):
        return -1

    config.argument_values["work_dir"] = DEFAULT_INFO_WORKDIR

    if config.argument_values['v']:
        enable_logging(config.argument_values["work_dir"])

    prepare_working_dir(config.argument_values['work_dir'])

    log_info("Dumping target addresses...")
    if os.path.exists("/tmp/kAFL_info.txt"):
        os.remove("/tmp/kAFL_info.txt")
    q = qemu(0, config)
    q.start()
    q.__del__()
    try:
        for line in open("/tmp/kAFL_info.txt"):
            print line,
        os.remove("/tmp/kAFL_info.txt")
    except:
        pass

    shutil.rmtree(DEFAULT_INFO_WORKDIR)
    return 0
Ejemplo n.º 3
0
def debug_execution(config, execs, qemu_verbose=False, notifiers=True):
    log_info("Starting...")

    zero_hash = mmh3.hash64(("\xFF" * config.config_values['BITMAP_SHM_SIZE']))
    q = qemu(1337, config, debug_mode=True, notifiers=notifiers)
    q.start(verbose=qemu_verbose)
    q.set_payload(open(config.argument_values["payload"][0]).read())
    start = time.time()
    for i in range(execs):
        print("+----------------------------------------------+")
        current_hash = mmh3.hash64(q.send_payload())
        if zero_hash == current_hash:
            print("Hash: " + str(current_hash) + common.color.WARNING +
                  " (WARNING: Zero hash found!)" + common.color.ENDC)
        else:
            print("Hash: " + str(current_hash))
    end = time.time()
    print("Performance: " + str(execs / (end - start)) + "t/s")

    q.__del__()
    try:
        for i in range(512):
            if os.path.exists("/tmp/kAFL_printf.txt." + str(i)):
                os.remove("/tmp/kAFL_printf.txt." + str(i))
            else:
                break
    except:
        pass
    os.system("stty sane")
    return 0
Ejemplo n.º 4
0
def benchmark(config):
    log_info("Starting...")

    q = qemu(1337, config, debug_mode=False)
    q.start(verbose=False)
    q.set_payload(open(config.argument_values["payload"][0]).read())
    print(q.send_payload().hash())
    try:
        while True:
            start = time.time()
            execs = 0
            # for i in range(execs):
            while (time.time() - start < REFRESH):
                q.set_payload(
                    open(config.argument_values["payload"][0]).read())
                q.send_payload()
                execs += 1
            end = time.time()
            # print("Performance: " + str(execs/(end - start)) + "t/s")
            stdout.write(common.color.FLUSH_LINE + "Performance: " +
                         str(execs / (end - start)) + "t/s")
            stdout.flush()
    except:
        print("\nExit")

    q.__del__()
    try:
        for i in range(512):
            if os.path.exists("/tmp/kAFL_printf.txt." + str(i)):
                os.remove("/tmp/kAFL_printf.txt." + str(i))
            else:
                break
    except:
        pass
    return 0
Ejemplo n.º 5
0
def redqueen_dbg(config, qemu_verbose=False):
    global thread_done
    log_info("Starting...")

    q = qemu(1337, config, debug_mode=True)
    q.start(verbose=qemu_verbose)
    payload = open(config.argument_values["payload"][0]).read()
    q.set_payload(payload)

    if os.path.exists("patches"):
        shutil.copyfile("patches",
                        "/tmp/redqueen_workdir_1337/redqueen_patches.txt")

    start = time.time()

    thread = Thread(target=lambda: redqueen_dbg_thread(q))
    thread.start()
    result = q.execute_in_redqueen_mode(debug_mode=True)
    thread_done = True
    thread.join()
    requeen_print_state(q)
    end = time.time()
    if result:
        print(common.color.OKGREEN + "Execution succeded!" + common.color.ENDC)
    else:
        print(common.color.FLUSH_LINE + common.color.FAIL +
              "Execution failed!" + common.color.ENDC)
    print("Time: " + str(end - start) + "t/s")

    q.__del__()
    os.system("stty sane")
    return 0
Ejemplo n.º 6
0
def redqueen_cov(config, qemu_verbose=False):
    import json
    global thread_done
    log_info("Starting...")

    q = qemu(1337, config, debug_mode=True)
    q.start(verbose=qemu_verbose)

    known_lines = set()

    for input in config.argument_values["payload"]:
        name = os.path.basename(input)
        output = "trace_" + name + ".rqse"
        print((input, "=>", output))
        with open(output, "w") as f:
            print(common.color.OKGREEN + "Running: %s" % input +
                  common.color.ENDC)
            q.set_payload(open(input).read())
            start = time.time()

            result = q.execute_in_redqueen_mode(se_mode=False,
                                                debug_mode=True,
                                                trace_only=True)
            end = time.time()
            if result:
                print(common.color.OKGREEN + "Execution succeded!" +
                      common.color.ENDC)
            else:
                print(common.color.FLUSH_LINE + common.color.FAIL +
                      "Execution failed!" + common.color.ENDC)
            print("Time: " + str(end - start) + "t/s")
            requeen_print_state(q)
            f.write(json.dumps({"input_path": input}) + "\n")
            with open(q.redqueen_workdir.pt_trace(), "r") as trace:
                for line in trace.readlines():
                    if not line in known_lines:
                        print line
                        known_lines.add(line)
                        f.write(line)

    os.system("killall -9 qemu-system-x86_64")
    os.system("killall -9 python")
    print("kill qemu")
    q.__del__()
    print("fix tty")
    os.system("stty sane")
    return 0
Ejemplo n.º 7
0
def start():
    config = InfoConfiguration()

    if not post_self_check(config):
        return -1

    if config.argument_values['v']:
        enable_logging()

    log_info("Dumping target addresses...")
    if os.path.exists("/tmp/kAFL_info.txt"):
        os.remove("/tmp/kAFL_info.txt")
    q = qemu(0, config)
    q.start()
    q.__del__()
    try:
        for line in open("/tmp/kAFL_info.txt"):
            print line,
        os.remove("/tmp/kAFL_info.txt")
    except:
        pass
    return 0
Ejemplo n.º 8
0
def verify_dbg(config, qemu_verbose=False):
    global thread_done

    log_info("Starting...")

    rq_state = RedqueenState()
    workdir = RedqueenWorkdir(1337)

    if os.path.exists("patches"):
        with open("patches", "r") as f:
            for x in f.readlines():
                rq_state.add_candidate_hash_addr(int(x, 16))
    if not rq_state.get_candidate_hash_addrs():
        print
        "WARNING: no patches configured\n"
        print
        "Maybe add ./patches with addresses to patch\n"
    else:
        print
        "OK: got patches %s\n" % rq_state.get_candidate_hash_addrs()
    q = qemu(1337, config, debug_mode=True)

    print("using qemu command:\n%s\n" % q.cmd)

    q.start(verbose=qemu_verbose)

    orig_input = open(config.argument_values["payload"][0]).read()
    q.set_payload(orig_input)

    # result = q.send_payload()

    with open(q.redqueen_workdir.whitelist(), "w") as w:
        with open(q.redqueen_workdir.patches(), "w") as p:
            for addr in rq_state.get_candidate_hash_addrs():
                addr = hex(addr).rstrip("L").lstrip("0x") + "\n"
                w.write(addr)
                p.write(addr)

    print("RUN WITH PATCHING:")
    bmp1 = q.send_payload(apply_patches=True)

    print("\nNOT PATCHING:")
    bmp2 = q.send_payload(apply_patches=False)

    if bmp1 == bmp2:
        print
        "WARNING: patches don't seem to change anything, are checksums present?"
    else:
        print
        "OK: bitmaps are distinct"

    q.soft_reload()

    hash = HashFixer(q, rq_state)

    print
    "fixing hashes\n"
    fixed_payload = hash.try_fix_data(orig_input)
    if fixed_payload:

        print
        repr("".join(map(chr, fixed_payload)))

        q.set_payload(fixed_payload)

        bmp3 = q.send_payload(apply_patches=False)

        if bmp1 == bmp3:
            print
            "CONGRATZ, BITMAPS ARE THE SAME, all cmps fixed\n"
        else:
            print
            "Warning, after fixing cmps, bitmaps differ\n"
    else:
        print
        "couldn't fix payload"

    start = time.time()
    q.__del__()
    os.system("stty sane")
    return 0
Ejemplo n.º 9
0
def redqueen_cov(config, qemu_verbose=False):
    global thread_done
    log_info("Starting...")

    q = qemu(1337, config, debug_mode=True)
    q.start(verbose=qemu_verbose)

    known_lines = set()

    trace_parser = TraceParser(config)

    inputs, input_to_timestamp = parse_input_cov_list(
        config.argument_values["payload"])

    for input_path in inputs:
        name = os.path.basename(input_path)
        print(common.color.OKGREEN + "Running: %s" % input_path +
              common.color.ENDC)
        q.set_payload(open(input_path).read())
        start = time.time()
        result = q.execute_in_trace_mode(debug_mode=True,
                                         timeout_detection=False)
        end = time.time()
        if result:
            print(common.color.OKGREEN + "Execution succeded!" +
                  common.color.ENDC)
        else:
            print(common.color.FLUSH_LINE + common.color.FAIL +
                  "Execution failed!" + common.color.ENDC)
        print("Time: " + str(end - start) + "t/s")

        trace_parser.parse_and_add_trace(
            input_path,
            "/tmp/kafl_debug_workdir/redqueen_workdir_1337/pt_trace_results.txt"
        )

    input_to_new_bbs = trace_parser.input_to_new_targets

    if all([
            input_to_timestamp.get(input_path) is not None
            for input_path in inputs
    ]):
        plot_bb(inputs, input_to_timestamp, input_to_new_bbs)
    else:
        for input in sorted(list(input_to_new_bbs)):
            safe_print("%s: %s" %
                       (input, repr(map(hex, input_to_new_bbs[input]))))

    count = 0
    for _, bbs in input_to_new_bbs.items():
        count += len(bbs)
    print("total: %d" % count)

    print("kill qemu")
    os.system("killall -9 qemu-system-x86_64")
    q.__del__()

    print("fix tty")
    os.system("stty sane")
    print("kill python")
    os.system("killall -9 python")
    return 0
Ejemplo n.º 10
0
def debug_non_det(config, payload, max_iterations=0, q=None):
    log_info("Starting...")

    # Define IP Range!!
    if q is None:
        q = qemu(1337, config, debug_mode=False)
        q.start(verbose=False)
    hash_value = None
    default_hash = None
    hash_list = []
    try:
        q.set_payload(payload)
        bitmap = q.send_payload()
        # bitmap = q.send_payload()
        default_hash = bitmap.hash()
        hash_list.append(default_hash)

        # q.set_payload(open(config.argument_values["payload"]).read())
        # bitmap = q.send_payload()
        print("Default Hash: " + str(default_hash))
        total = 1
        hash_mismatch = 0
        count = 0
        while True:
            mismatch_r = 0
            start = time.time()
            # for i in range(execs):
            execs = 0
            while (time.time() - start < REFRESH):
                # time.sleep(0.00001 * randint(0, 9))
                # q.set_payload(open(config.argument_values["payload"]).read())
                q.set_payload(payload)
                bitmap = q.send_payload()

                hash_value = bitmap.hash()
                if hash_value != default_hash:
                    mismatch_r += 1
                    if hash_value not in hash_list:
                        hash_list.append(hash_value)
                    # print(common.color.FAIL + "[WARNING]: hash mismatch" + common.color.ENDC)
                execs += 1
            end = time.time()
            total += execs
            hash_mismatch += mismatch_r
            # print("Performance: " +  str(format(((execs*0.1)/(end - start)), '.4f')) + "  t/s\tTotal: " + str(total) + "\tMismatch: " + common.color.FAIL + str(hash_mismatch) + common.color.ENDC + " (+" + str(mismatch_r) + ")\tRatio: " + str(format(((hash_mismatch*1.0)/total)*100.00, '.4f')) + "%")
            stdout.write(common.color.FLUSH_LINE + "Performance: " +
                         str(format(((execs * 1.0) / (end - start)), '.4f')) +
                         "  t/s\tTotal: " + str(total) + "\tMismatch: ")
            if (len(hash_list) != 1):
                stdout.write(
                    common.color.FAIL + str(hash_mismatch) +
                    common.color.ENDC + " (+" + str(mismatch_r) +
                    ")\tRatio: " +
                    str(format((
                        (hash_mismatch * 1.0) / total) * 100.00, '.4f')) + "%")
                stdout.write("\t\tHashes:\t" + str(len(hash_list)) + " (" +
                             str(
                                 format(((len(hash_list) * 1.0) / total) *
                                        100.00, '.4f')) + "%)")
            else:
                stdout.write(
                    common.color.OKGREEN + str(hash_mismatch) +
                    common.color.ENDC + " (+" + str(mismatch_r) +
                    ")\tRatio: " +
                    str(format((
                        (hash_mismatch * 1.0) / total) * 100.00, '.4f')) + "%")
            stdout.flush()

            if max_iterations != 0 and total >= count:
                break

            count += 1

    except Exception as e:
        pass
        # if max_iterations == 0:
        # print("\nExit + (" + str(e) + ")")
        # print('Error on line {}'.format(sys.exc_info()[-1].tb_lineno), type(e).__name__, e)

    if max_iterations != 0:
        print("")

    for e in hash_list:
        print(e)

    if max_iterations != 0:
        print("")

    # q.__del__()
    try:
        for i in range(512):
            if os.path.exists("/tmp/kAFL_printf.txt." + str(i)):
                os.remove("/tmp/kAFL_printf.txt." + str(i))
            else:
                break
    except:
        pass
    return 0