def _run(self, job):
    """Drill one testcase and register every input the driller has not seen before.

    Hooks the challenge set's libc symbols with SimProcedures (except those in
    ``DONT_HOOK``), runs the driller over ``job.input_test``, creates a ``Test``
    row for each unseen blob, then marks the input as drilled.
    """
    hooks = {}
    for addr, symbol in self._cs.symbols.items():
        if symbol in self.DONT_HOOK:
            continue
        libc_procs = SimProcedures['libc.so.6']
        # Only symbols angr ships a libc SimProcedure for can be hooked.
        if symbol not in libc_procs:
            continue
        LOG.info("Hooking up %#x -> %s", addr, symbol)
        hooks[addr] = libc_procs[symbol]
    LOG.info("Hooked up %d addresses to simprocedures", len(hooks))

    self._driller = driller.Driller(
        self._cbn.path,
        job.input_test.blob,
        self._cs.bitmap.first().blob,
        'tag',
        hooks=hooks,
    )
    # NOTE(review): the seed comes from the `job` argument but the Test rows
    # are attached to self._job — confirm both refer to the same job.
    for _, new_blob in self._driller.drill_generator():
        if new_blob in self._seen:
            continue
        self._seen.add(new_blob)
        LOG.info("Found new testcase (of length %s)!", len(new_blob))
        Test.get_or_create(cs=self._cs, job=self._job, blob=new_blob)

    self._job.input_test.drilled = True
    self._job.input_test.save()
def test_simproc_drilling():
    """
    Test drilling on the cgc binary palindrome with simprocedures.
    """
    binary = "tests/i386/driller_simproc"
    # memcmp(): compares the first n bytes of memory.
    memcmp = angr.SIM_PROCEDURES['libc']['memcmp']()
    simprocs = {0x8048200: memcmp}
    # fuzzbitmap says every transition is worth satisfying.
    # input_str="A"*0x80, fuzz_bitmap="\xff"*65535, tag="whatever~", hooks=simprocs.
    target = os.path.join(bin_location, binary)
    seed = b"A" * 0x80
    bitmap = b"\xff" * 65535
    d = driller.Driller(target, seed, bitmap, "whatever~", hooks=simprocs)
    new_inputs = d.drill()
    print("hz- new_inputs: %s " % new_inputs)
    # Make sure driller produced a new input which satisfies the memcmp:
    # any() is true as soon as a single input starts with the password.
    password = b"the_secret_password_is_here_you_will_never_guess_it_especially_since_it_is_going_to_be_made_lower_case"
    matching = [x for x in new_inputs if x[1].startswith(password)]
    nose.tools.assert_true(any(matching))
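def test_vul(binary):
    """Drill *binary* from a 120-byte all-'A' seed and dump each new input.

    Every input the driller yields is printed and written to ``<n>.input`` in
    the current directory, numbered from 0 in generation order.
    """
    d = driller.Driller(binary, "A" * 120, "\xff" * 65535, "whatever~")
    for i, tmp_input in enumerate(d.drill_generator()):
        print('\ninput ' + str(i) + ': ' + repr(tmp_input) + '\n')
        # Log the driller sample into the file <number>.input; the context
        # manager closes the handle even if write() raises.
        with open(str(i) + '.input', 'w') as file_tmp:
            file_tmp.write(tmp_input[1])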
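def test_vul(binary):
    """Drill *binary* from a 30-byte all-'A' seed and dump each new input.

    Collects all results with ``drill()`` first, then prints each one and
    writes it to ``<n>.input`` in the current directory, numbered from 0.
    """
    d = driller.Driller(binary, "A" * 30, "\xff" * 65535, "whatever~")
    new_inputs = d.drill()
    for i, tmp_input in enumerate(new_inputs):
        print('\ninput ' + str(i) + ': ' + repr(tmp_input) + '\n')
        # Context manager guarantees the file is closed even if write() raises.
        with open(str(i) + '.input', 'w') as file_tmp:
            file_tmp.write(tmp_input[1])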
def _doDrill(path, replyto, bitmap, binary):
    """Drill one input and send the set of newly minted paths back via *replyto*.

    path: seed input handed to the driller as ``input_str``.
    replyto: queue-like object; receives one ``set`` through ``put()``.
    bitmap: fuzzer bitmap handed through as ``fuzz_bitmap``.
    binary: target binary.
    """
    drill = driller.Driller(binary=binary, input_str=path, fuzz_bitmap=bitmap)
    # Keep only the newly minted path (second element) of each result.
    new_paths = {result[1] for result in drill.drill()}
    replyto.put(new_paths)
def test_vul():
    """
    Test drilling on the cgc binary, palindrome.
    """
    binary = "./vul"
    # fuzzbitmap says every transition is worth satisfying.
    bitmap = "\xff" * 65535
    new_inputs = driller.Driller(binary, "AAAA", bitmap, "whatever~").drill()
    for tmp_input in new_inputs:
        print(repr(tmp_input))
def test_drilling_cgc():
    """
    Test drilling on the cgc binary, palindrome.
    """
    binary = "tests/cgc/sc1_0b32aa01_01"
    target = os.path.join(bin_location, binary)
    # fuzzbitmap says every transition is worth satisfying.
    bitmap = b"\xff" * 65535
    new_inputs = driller.Driller(target, b"AAAA", bitmap, "whatever~").drill()
    nose.tools.assert_equal(len(new_inputs), 7)
    # Make sure driller produced a new input which hits the easter egg.
    egg_hits = [x for x in new_inputs if x[1].startswith(b'^')]
    nose.tools.assert_true(any(egg_hits))
def test_simproc_drilling():
    """
    Test drilling on the cgc binary palindrome with simprocedures.
    """
    binary = "tests/i386/driller_simproc"
    memcmp = simuvex.procedures.libc___so___6.memcmp.memcmp
    simprocs = {0x8048200: memcmp}
    # fuzzbitmap says every transition is worth satisfying.
    target = os.path.join(bin_location, binary)
    seed = "A" * 0x80
    bitmap = "\xff" * 65535
    d = driller.Driller(target, seed, bitmap, "whatever~", hooks=simprocs)
    new_inputs = d.drill()
    # Make sure driller produced a new input which satisfies the memcmp.
    password = "******"
    matching = [x for x in new_inputs if x[1].startswith(password)]
    nose.tools.assert_true(any(matching))
def test_drilling_cgc():
    """
    Test drilling on the cgc binary, palindrome.
    """
    binary = "cgc_scored_event_1/cgc/0b32aa01_01"
    target = os.path.join(bin_location, binary)
    # fuzzbitmap says every transition is worth satisfying.
    bitmap = "\xff" * 65535
    new_inputs = driller.Driller(target, "AAAA", bitmap, "whatever~").drill()
    nose.tools.assert_equal(len(new_inputs), 7)
    # Make sure driller produced a new input which hits the easter egg.
    egg_hits = [x for x in new_inputs if x[1].startswith('^')]
    nose.tools.assert_true(any(egg_hits))
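def test_vul(binary):
    """
    Test drilling on the cgc binary, palindrome.

    Drills *binary* from a 120-byte all-'A' seed, prints each new input and
    writes it to ``<n>.input`` in the current directory, numbered from 0.
    """
    # fuzzbitmap says every transition is worth satisfying.
    d = driller.Driller(binary, "A" * 120, "\xff" * 65535, "whatever~")
    new_inputs = d.drill()
    for i, tmp_input in enumerate(new_inputs):
        print('\ninput ' + str(i) + ': ' + repr(tmp_input) + '\n')
        # Log the driller sample into the file <number>.input; the context
        # manager closes the handle even if write() raises.
        with open(str(i) + '.input', 'w') as file_tmp:
            file_tmp.write(tmp_input[1])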
def test_drilling_cgc():
    """
    Test drilling on the cgc binary, palindrome.
    """
    binary = "tests/cgc/sc1_0b32aa01_01"
    target = os.path.join(bin_location, binary)
    # fuzzbitmap says every transition is worth satisfying.
    # input_str=AAAA, fuzz_bitmap="\xff"*65535, tag="whatever~".
    bitmap = b"\xff" * 65535
    new_inputs = driller.Driller(target, b"AAAA", bitmap, "whatever~").drill()
    print("hz- new_inputs: %s " % new_inputs)
    nose.tools.assert_equal(len(new_inputs), 7)
    # Make sure driller produced a new input which hits the easter egg:
    # any() is true as soon as a single input starts with '^'.
    egg_hits = [x for x in new_inputs if x[1].startswith(b'^')]
    nose.tools.assert_true(any(egg_hits))
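binary_path, fuzzer_out_dir, bitmap_path, path_to_input_to_drill = sys.argv[1:5]
# NOTE(review): the four positionals are unpacked from sys.argv, yet every
# later use reads them from `args` (defined outside this excerpt); confirm the
# two agree, or drop the redundant unpack.

with open(args.bitmap_path, "rb") as bitmap_file:
    fuzzer_bitmap = bitmap_file.read()

# New inputs land in <fuzzer_out_dir>/driller/queue; create both levels,
# tolerating directories that already exist.
driller_dir = os.path.join(args.fuzzer_out_dir, "driller")
driller_queue_dir = os.path.join(driller_dir, "queue")
for needed_dir in (driller_dir, driller_queue_dir):
    try:
        os.mkdir(needed_dir)
    except OSError:
        # Already present (or not creatable); a real problem surfaces at the
        # later open() for writing.
        pass

l.debug('drilling %s', path_to_input_to_drill)

# Get the seed input, plus an optional zero-padded copy of it.
with open(args.path_to_input_to_drill, "rb") as input_file:
    inputs_to_drill = [input_file.read()]
if args.length_extension:
    inputs_to_drill.append(inputs_to_drill[0] + b'\0' * args.length_extension)

# The AFL-style "from:" tag depends only on the input path, so derive it once.
# Assumes the path contains "sync/<fuzzer>/" and "id:<num>," (AFL sync-dir
# layout); anything else raises IndexError here rather than producing a
# misleading queue entry name.
fuzzer_name = args.path_to_input_to_drill.split("sync/")[1].split("/")[0]
input_id = args.path_to_input_to_drill.split("id:")[1].split(",")[0]
fuzzer_from = fuzzer_name + input_id

for input_to_drill in inputs_to_drill:
    d = driller.Driller(args.binary_path, input_to_drill, fuzzer_bitmap)
    count = 0
    for new_input in d.drill_generator():
        # Entries are numbered by the current queue size, zero-padded to 6.
        id_num = len(os.listdir(driller_queue_dir))
        filename = "id:" + ("%d" % id_num).rjust(6, "0") + ",from:" + fuzzer_from
        filepath = os.path.join(driller_queue_dir, filename)
        with open(filepath, "wb") as f:
            f.write(new_input[1])
        count += 1
    l.warning("found %d new inputs", count)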
import driller

# Drill the seed "abcd" against "simple_test" with an all-ones bitmap.
bitmap = "\xff" * 65535
d = driller.Driller("simple_test", "abcd", bitmap, "whatever~")
inp = d.drill()
inp  # bare expression: only echoes the result in an interactive session
import driller
import logging

logging.getLogger().setLevel('DEBUG')

target = "./CADET_00001"      # path to the target binary
seed = b"racecar"             # initial testcase
bitmap = "\xff" * 65535       # AFL bitmap with no discovered transitions
d = driller.Driller(target, seed, bitmap)
new_inputs = d.drill()