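def main():
    """Run the full AFL crash-triage pipeline for the configured target.

    Stages (each one is skipped when its output directory already exists, so
    the script can be re-run after a partial failure):
      1. Clean the original crashes directory: drop README.txt files, delete
         duplicates (same size + MD5) and rename colliding file names.
      2. Sort every crash file into a per-signal folder.
      3. Re-run the crashes that raised an interesting signal to capture
         stdout/stderr, gdb and ASAN output.
      4. Minimize those inputs and delete duplicates from the result.
      5. Sort the minimized inputs by signal and capture their output too.

    Read the README before you start: the target binaries, the gdb binary,
    the 32/64-bit gdb script and the sanitizer settings are per target and
    per host and have to be adapted below.
    """
    Logger.info("Setting up configuration")

    # gdb batch scripts, one per register width. Only the register names
    # differ ($rip vs $eip); pick the one matching the target binary in the
    # CrashAnalysisConfig below. `exploitable` is a gdb plugin command and
    # only prints something if that plugin is loaded in the gdb used here.
    gdb_script_64bit = r"""printf "[+] Disabling verbose and complaints\n"
set verbose off
set complaints 0
printf "[+] Backtrace:\n"
bt
printf "[+] info reg:\n"
info reg
printf "[+] exploitable:\n"
exploitable
printf "[+] disassemble $rip, $rip+16:\n"
disassemble $rip, $rip+16
"""
    gdb_script_32bit = r"""printf "[+] Disabling verbose and complaints\n"
set verbose off
set complaints 0
printf "[+] Backtrace:\n"
bt
printf "[+] info reg:\n"
info reg
printf "[+] exploitable:\n"
exploitable
printf "[+] disassemble $eip, $eip+16:\n"
disassemble $eip, $eip+16
"""
    # All test-case and output paths are resolved relative to this script.
    where_this_python_script_lives = os.path.dirname(os.path.realpath(__file__))

    # gdb binary: plain "gdb" from PATH on Linux, the MacPorts gdb-apple build
    # on OSX. Pass the one matching the host as gdb_binary below.
    gdb_command = "gdb"
    gdb_command_osx = "/opt/local/bin/gdb-apple"

    test_cases = os.path.join(where_this_python_script_lives, "test-cases")

    # Target: GraphicsMagick `gm identify <crash file>` in three builds
    # (AFL-instrumented, plain and ASAN). The ASAN_OPTIONS force symbolized
    # reports and a non-zero exit code so the ASAN run is distinguishable.
    config_gm = CrashAnalysisConfig(
        where_this_python_script_lives,
        target_binary_instrumented=os.path.join(test_cases, "gm/graphicsmagick-afl/utilities/gm"),
        args_before="identify",
        args_after="",
        target_binary_plain=os.path.join(test_cases, "gm/graphicsmagick-plain/utilities/gm"),
        target_binary_asan=os.path.join(test_cases, "gm/graphicsmagick-asan/utilities/gm"),
        env={
            "ASAN_SYMBOLIZER_PATH": "/usr/bin/llvm-symbolizer-3.4",
            "ASAN_OPTIONS": "symbolize=1:redzone=512:quarantine_size=512Mb:exitcode=1",
        },
        crash_dir=os.path.join(test_cases, "gm/crashes"),
        gdb_script=gdb_script_32bit,
        gdb_binary=gdb_command,
    )

    # Alternative target kept for reference (ffmpeg: `ffmpeg -i <crash file>
    # -loglevel quiet`). Swap it in for config_gm below to triage ffmpeg crashes.
    #    config_ffmpeg = CrashAnalysisConfig(where_this_python_script_lives,
    #                        target_binary_instrumented=where_this_python_script_lives+"/test-cases/ffmpeg/ffmpeg-afl/ffmpeg",
    #                        args_before="-i",
    #                        args_after="-loglevel quiet",
    #                        target_binary_plain=where_this_python_script_lives+"/test-cases/ffmpeg/ffmpeg-plain/ffmpeg",
    ##                        target_binary_asan=where_this_python_script_lives+"/test-cases/ffmpeg/ffmpeg-asan/ffmpeg",
    #                        env={"ASAN_SYMBOLIZER_PATH": "/usr/bin/llvm-symbolizer-3.4", "ASAN_OPTIONS": "symbolize=1:redzone=512:quarantine_size=512Mb:exitcode=1"},
    #                        crash_dir=where_this_python_script_lives+"/test-cases/ffmpeg/crashes",
    #                        gdb_script=gdb_script_32bit,
    #                        gdb_binary=gdb_command
    #                        )

    # --- Stage 1: clean up the original crashes directory -------------------
    Logger.info("Input crashes directory operations")

    Logger.info("Removing README.txt files")
    fdf = FileDuplicateFinder(config_gm)
    fdf.remove_readmes(config_gm.original_crashes_directory)

    Logger.info("Removing duplicates from original crashes folder (same file size + MD5)")
    fdf.delete_duplicates_recursively(config_gm.original_crashes_directory)

    Logger.info("Renaming files from original crashes folder so that the filename is a unique identifier. This allows us to copy all crash files into one directory (eg. for tmin output) if necessary, without name collisions")
    fdf.rename_same_name_files(config_gm.original_crashes_directory)

    # --- Stage 2: classify every crash file by signal -----------------------
    Logger.info("Finding signals for all crash files")
    sf = SignalFinder(config_gm)
    if os.path.exists(sf.output_dir):
        Logger.warning("Seems like all crashes were already categorized by signal, skipping. Remove output directory or remove this folder if you want to rerun:", sf.output_dir)
    else:
        Logger.info("Dividing files to output folder according to their signal")
        os.mkdir(sf.output_dir)
        sf.divide_by_signal(0)

    # --- Stage 3: capture output for the interesting signals ----------------
    Logger.info("Running binaries to discover stdout/stderr, gdb and ASAN output for crash files that result in interesting signals")
    # Signals are reported negative on OSX and as 128+signal on Linux, so both
    # spellings of SIGILL/SIGABRT/SIGSEGV are listed; a missing folder for any
    # of them is harmless.
    signals = (-4, -6, -11, 132, 134, 139)
    get_output_for_signals(config_gm, sf, signals)

    # --- Stage 4: minimize the interesting inputs ---------------------------
    Logger.info("Minimizing input files that result in interesting signals (and removing duplicates from the results)")
    # `im` is the top-level minimizer whose output_dir is created here and is
    # reused for the dedup pass and the signal classification below. The
    # per-signal minimizers get their own name so they never shadow it.
    im = InputMinimizer(config_gm)
    if os.path.exists(im.output_dir):
        Logger.warning("Seems like minimized crashes were already categorized by signal, skipping. Remove output directory or remove this folder if you want to rerun:", im.output_dir)
    else:
        os.mkdir(im.output_dir)
        for signal in signals:
            Logger.info("Processing minimized folder for crash-minimizer for signal %i" % signal)
            signal_folder = sf.get_folder_path_for_signal(signal)
            signal_im = InputMinimizer(config_gm, signal_folder)
            if os.path.exists(signal_folder):
                Logger.info("Minimizing inputs resulting in signal %i" % signal)
                signal_im.minimize_testcases()
            else:
                Logger.warning("Seems that none of the crashes results in a %i signal" % signal)
        Logger.info("Removing duplicates from minimized tests")
        fdf.delete_duplicates_recursively(im.output_dir)

    # --- Stage 5: classify the minimized inputs and capture their output ----
    Logger.info("Finding signals for minimized crash files")
    sf_minimized_crashes = SignalFinder(
        config_gm,
        im.output_dir,
        os.path.join(config_gm.output_dir, "minimized-inputs-per-signal"),
    )
    if os.path.exists(sf_minimized_crashes.output_dir):
        Logger.warning("Seems like crashes were already categorized by signal, skipping.")
        Logger.warning("Remove output directory or remove this folder if you want to rerun:", sf_minimized_crashes.output_dir)
    else:
        os.mkdir(sf_minimized_crashes.output_dir)
        Logger.info("Dividing files to output folder according to their signal")
        sf_minimized_crashes.divide_by_signal(0)

    Logger.info("Running binaries to discover stdout/stderr, gdb and ASAN output for minimized input files that result in interesting signals")
    get_output_for_signals(config_gm, sf_minimized_crashes, signals)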
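def main():
    """Run the full AFL crash-triage pipeline for the configured target.

    Stages (each one is skipped when its output directory already exists, so
    the script can be re-run after a partial failure):
      1. Clean the original crashes directory: drop README.txt files, delete
         duplicates (same size + MD5) and rename colliding file names.
      2. Sort every crash file into a per-signal folder.
      3. Re-run the crashes that raised an interesting signal to capture
         stdout/stderr, gdb and ASAN output.
      4. Minimize those inputs and delete duplicates from the result.
      5. Sort the minimized inputs by signal and capture their output too.

    Read the README before you start: the target binaries, the gdb binary,
    the 32/64-bit gdb script and the sanitizer settings are per target and
    per host and have to be adapted below.
    """
    Logger.info("Setting up configuration")

    # gdb batch scripts, one per register width. Only the register names
    # differ ($rip vs $eip); pick the one matching the target binary in the
    # CrashAnalysisConfig below. `exploitable` is a gdb plugin command and
    # only prints something if that plugin is loaded in the gdb used here.
    gdb_script_64bit = r"""printf "[+] Disabling verbose and complaints\n"
set verbose off
set complaints 0
printf "[+] Backtrace:\n"
bt
printf "[+] info reg:\n"
info reg
printf "[+] exploitable:\n"
exploitable
printf "[+] disassemble $rip, $rip+16:\n"
disassemble $rip, $rip+16
"""
    gdb_script_32bit = r"""printf "[+] Disabling verbose and complaints\n"
set verbose off
set complaints 0
printf "[+] Backtrace:\n"
bt
printf "[+] info reg:\n"
info reg
printf "[+] exploitable:\n"
exploitable
printf "[+] disassemble $eip, $eip+16:\n"
disassemble $eip, $eip+16
"""
    # All test-case and output paths are resolved relative to this script.
    where_this_python_script_lives = os.path.dirname(os.path.realpath(__file__))

    # gdb binary: plain "gdb" from PATH on Linux, the MacPorts gdb-apple build
    # on OSX. Pass the one matching the host as gdb_binary below.
    gdb_command = "gdb"
    gdb_command_osx = "/opt/local/bin/gdb-apple"

    test_cases = os.path.join(where_this_python_script_lives, "test-cases")

    # Target: GraphicsMagick `gm identify <crash file>` in three builds
    # (AFL-instrumented, plain and ASAN). The ASAN_OPTIONS force symbolized
    # reports and a non-zero exit code so the ASAN run is distinguishable.
    config_gm = CrashAnalysisConfig(
        where_this_python_script_lives,
        target_binary_instrumented=os.path.join(test_cases, "gm/graphicsmagick-afl/utilities/gm"),
        args_before="identify",
        args_after="",
        target_binary_plain=os.path.join(test_cases, "gm/graphicsmagick-plain/utilities/gm"),
        target_binary_asan=os.path.join(test_cases, "gm/graphicsmagick-asan/utilities/gm"),
        env={
            "ASAN_SYMBOLIZER_PATH": "/usr/bin/llvm-symbolizer-3.4",
            "ASAN_OPTIONS": "symbolize=1:redzone=512:quarantine_size=512Mb:exitcode=1",
        },
        crash_dir=os.path.join(test_cases, "gm/crashes"),
        gdb_script=gdb_script_32bit,
        gdb_binary=gdb_command,
    )

    # Alternative target kept for reference (ffmpeg: `ffmpeg -i <crash file>
    # -loglevel quiet`). Swap it in for config_gm below to triage ffmpeg crashes.
    #    config_ffmpeg = CrashAnalysisConfig(where_this_python_script_lives,
    #                        target_binary_instrumented=where_this_python_script_lives+"/test-cases/ffmpeg/ffmpeg-afl/ffmpeg",
    #                        args_before="-i",
    #                        args_after="-loglevel quiet",
    #                        target_binary_plain=where_this_python_script_lives+"/test-cases/ffmpeg/ffmpeg-plain/ffmpeg",
    ##                        target_binary_asan=where_this_python_script_lives+"/test-cases/ffmpeg/ffmpeg-asan/ffmpeg",
    #                        env={"ASAN_SYMBOLIZER_PATH": "/usr/bin/llvm-symbolizer-3.4", "ASAN_OPTIONS": "symbolize=1:redzone=512:quarantine_size=512Mb:exitcode=1"},
    #                        crash_dir=where_this_python_script_lives+"/test-cases/ffmpeg/crashes",
    #                        gdb_script=gdb_script_32bit,
    #                        gdb_binary=gdb_command
    #                        )

    # --- Stage 1: clean up the original crashes directory -------------------
    Logger.info("Input crashes directory operations")

    Logger.info("Removing README.txt files")
    fdf = FileDuplicateFinder(config_gm)
    fdf.remove_readmes(config_gm.original_crashes_directory)

    Logger.info(
        "Removing duplicates from original crashes folder (same file size + MD5)"
    )
    fdf.delete_duplicates_recursively(config_gm.original_crashes_directory)

    Logger.info(
        "Renaming files from original crashes folder so that the filename is a unique identifier. This allows us to copy all crash files into one directory (eg. for tmin output) if necessary, without name collisions"
    )
    fdf.rename_same_name_files(config_gm.original_crashes_directory)

    # --- Stage 2: classify every crash file by signal -----------------------
    Logger.info("Finding signals for all crash files")
    sf = SignalFinder(config_gm)
    if os.path.exists(sf.output_dir):
        Logger.warning(
            "Seems like all crashes were already categorized by signal, skipping. Remove output directory or remove this folder if you want to rerun:",
            sf.output_dir)
    else:
        Logger.info(
            "Dividing files to output folder according to their signal")
        os.mkdir(sf.output_dir)
        sf.divide_by_signal(0)

    # --- Stage 3: capture output for the interesting signals ----------------
    Logger.info(
        "Running binaries to discover stdout/stderr, gdb and ASAN output for crash files that result in interesting signals"
    )
    # Signals are reported negative on OSX and as 128+signal on Linux, so both
    # spellings of SIGILL/SIGABRT/SIGSEGV are listed; a missing folder for any
    # of them is harmless.
    signals = (-4, -6, -11, 132, 134, 139)
    get_output_for_signals(config_gm, sf, signals)

    # --- Stage 4: minimize the interesting inputs ---------------------------
    Logger.info(
        "Minimizing input files that result in interesting signals (and removing duplicates from the results)"
    )
    # `im` is the top-level minimizer whose output_dir is created here and is
    # reused for the dedup pass and the signal classification below. The
    # per-signal minimizers get their own name so they never shadow it.
    im = InputMinimizer(config_gm)
    if os.path.exists(im.output_dir):
        Logger.warning(
            "Seems like minimized crashes were already categorized by signal, skipping. Remove output directory or remove this folder if you want to rerun:",
            im.output_dir)
    else:
        os.mkdir(im.output_dir)
        for signal in signals:
            Logger.info(
                "Processing minimized folder for crash-minimizer for signal %i"
                % signal)
            signal_folder = sf.get_folder_path_for_signal(signal)
            signal_im = InputMinimizer(config_gm, signal_folder)
            if os.path.exists(signal_folder):
                Logger.info("Minimizing inputs resulting in signal %i" %
                            signal)
                signal_im.minimize_testcases()
            else:
                Logger.warning(
                    "Seems that none of the crashes results in a %i signal" %
                    signal)
        Logger.info("Removing duplicates from minimized tests")
        fdf.delete_duplicates_recursively(im.output_dir)

    # --- Stage 5: classify the minimized inputs and capture their output ----
    Logger.info("Finding signals for minimized crash files")
    sf_minimized_crashes = SignalFinder(
        config_gm, im.output_dir,
        os.path.join(config_gm.output_dir, "minimized-inputs-per-signal"))
    if os.path.exists(sf_minimized_crashes.output_dir):
        Logger.warning(
            "Seems like crashes were already categorized by signal, skipping.")
        Logger.warning(
            "Remove output directory or remove this folder if you want to rerun:",
            sf_minimized_crashes.output_dir)
    else:
        os.mkdir(sf_minimized_crashes.output_dir)
        Logger.info(
            "Dividing files to output folder according to their signal")
        sf_minimized_crashes.divide_by_signal(0)

    Logger.info(
        "Running binaries to discover stdout/stderr, gdb and ASAN output for minimized input files that result in interesting signals"
    )
    get_output_for_signals(config_gm, sf_minimized_crashes, signals)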