def main(args): if len(args) < 1: logger.warning("please provide a filename") return path = args[0] testcase = None # Can we read the testfile? with open(path, "r") as f: testcase = json.load(f) # Start all docker daemons that we'll use during the execution logger.setLevel(logging.DEBUG) ch = logging.StreamHandler() ch.setLevel(logging.INFO) formatter = logging.Formatter('%(asctime)s - %(levelname)s - %(message)s') ch.setFormatter(formatter) logger.addHandler(ch) f = Fuzzer(config=Config(dummy())) f.start_daemons() runTest(testcase, os.path.basename(path), f)
def check_fuzzer(args, factory): """Implementation of "fx fuzz check".""" device = factory.create_device() blank = True for package, executable in device.buildenv.fuzzers(args.name): fuzzer = Fuzzer(device, package, executable) if not args.name and not fuzzer.is_running(): continue if not fuzzer.is_resolved(): factory.host.echo('{}: NOT INSTALLED'.format(fuzzer)) elif fuzzer.is_running(): factory.host.echo('{}: RUNNING'.format(fuzzer)) else: factory.host.echo('{}: STOPPED'.format(fuzzer)) if fuzzer.is_resolved(): num, size = fuzzer.corpus.measure() factory.host.echo(' Corpus size: {} inputs / {} bytes'.format( num, size)) artifacts = fuzzer.list_artifacts() if artifacts: factory.host.echo(' Artifacts:') for artifact in artifacts: factory.host.echo(' {}'.format(artifact)) factory.host.echo('') blank = False if blank: factory.host.echo('No fuzzers are running.', 'Include \'name\' to check specific fuzzers.')
def minimize(self, test_case_asm: str, outfile: str, num_inputs: int, add_fences: bool): # initialize fuzzer fuzzer: Fuzzer = Fuzzer(self.instruction_set_spec, "", test_case_asm) fuzzer.initialize_modules() # Parse the test case and inputs test_case: TestCase = fuzzer.generator.parse_existing_test_case(test_case_asm) inputs: List[Input] = fuzzer.input_gen.generate(CONF.input_gen_seed, num_inputs) # Load, boost inputs, and trace fuzzer.model.load_test_case(test_case) boosted_inputs: List[Input] = fuzzer.boost_inputs(inputs, CONF.model_max_nesting) print("Trying to reproduce...") violations = self._get_all_violations(fuzzer, test_case, boosted_inputs) if not violations: print("Could not reproduce the violation. Exiting...") return print(f"Found {len(violations)} violations") # print("Searching for a minimal input set...") # min_inputs = self.minimize_inputs(fuzzer, test_case, boosted_inputs, violations) min_inputs = boosted_inputs print("Minimizing the test case...") min_test_case: TestCase = self.minimize_test_case(fuzzer, test_case, min_inputs) if add_fences: print("Trying to add fences...") min_test_case = self.add_fences(fuzzer, min_test_case, min_inputs) print("Storing the results") copy(min_test_case.asm_path, outfile)
def start_test(self): if len(self.devices) == 0: self.error = 'Wybierz urzadzenia do testu!' return port = settings.config['devices_start_port'] print('Pushing agents') for d in self.devices: d.push(settings.config['agent_path'], '/data/local/tmp/agent', 0o755) self.fuzzers.append(Fuzzer(d, port, self.devpath)) port += 1 for f in self.fuzzers: t = threading.Thread(target=f.run, daemon=True) self.threads.append(t) t.start() print('Fuzzing started!') print('{} active threads'.format(threading.active_count() - 1)) print('Press any key to stop testing...') input() print('Stopping..') for f in self.fuzzers: f.stop() for t in self.threads: t.join() self.fuzzers = [] self.threads = [] print('{} active threads'.format(threading.active_count() - 1))
def fuzz(self): # target = "http://192.168.234.161/login.php" parameter_list = http_params.HttpParams() parameter_list.load_from_string_list(self.parameter_list) payload_list = payloads.Payloads() payload_list.load_from_string_list(self.payload_list) fuzzer = Fuzzer(self.target, parameter_list.parameters, payload_list.payload_list) fuzzer.fuzz() return fuzzer.output
def fuzz(self, api_resources): """ Call APIFuzzer with the given api definition :type api_resources: dict """ with pytest.raises(SystemExit): prog = Fuzzer(api_resources=api_resources, report_dir=self.report_dir, test_level=1, alternate_url=self.test_app_url, test_result_dst=None, log_level='Debug', auth_headers={}) prog.prepare() prog.run()
def fuzz(self, api_resources): """ Call APIFuzzer with the given api definition :type api_resources: dict """ prog = Fuzzer(api_resources=api_resources, report_dir=self.report_dir, test_level=1, alternate_url=self.test_app_url, test_result_dst=None, log_level='Debug', basic_output=False, auth_headers={}) prog.prepare() prog.run()
def create_fuzzer(self, args, device=None): """Constructs a Fuzzer from command line arguments, showing a disambiguation menu if specified name matches more than one fuzzer.""" if not device: device = self.create_device() package, executable = self._resolve_fuzzer(device.buildenv, args.name) fuzzer = Fuzzer(device, package, executable) keys = [ key for key, val in vars(Fuzzer).items() if isinstance(val, property) and val.fset ] for key, val in vars(args).items(): if key in keys and val is not None: setattr(fuzzer, key, val) return fuzzer
def start_run(self, chosen_devices, methods): print(methods) port = settings.config['devices_start_port'] self.view.log('Instaluję agenta na urządzeniach ({})...\n'.format( len(chosen_devices))) for idx in chosen_devices: self.devices[idx].device.push(settings.config['agent_path'], '/data/local/tmp/agent', 0o755) #TODO: add devices.shell run agent mutations = [x[1].get() for x in self.mutations] self.fuzzers.append( Fuzzer(self.devices[idx], port, self.project.devpath, self.corpus, methods, mutations)) port += 1 for f in self.fuzzers: t = threading.Thread(target=f.run, daemon=True) self.threads.append(t) t.start() self.view.log('Rozpoczęto testowanie!\n')
def fuzz(self, api_resources, headers): """ Call APIFuzzer with the given api definition :type api_resources: dict :param headers: headers to add fuzz request """ if headers is None: self.generate_random_auth_headers() else: self.auth_headers = headers prog = Fuzzer(api_resources=api_resources, report_dir=self.report_dir, test_level=1, alternate_url=self.test_app_url, test_result_dst=None, log_level='Debug', basic_output=False, auth_headers=self.auth_headers) prog.prepare() prog.run()
def read_fuzzers(self, pathname): """Parses the available fuzzers from an fuzzers.json pathname.""" with self.host.open( pathname, on_error=[ 'Failed to read fuzzers from {}.'.format(pathname), 'Have you run "fx set ... --fuzz-with <sanitizer>"?' ]) as opened: metadata = json.load(opened) fuzz_specs = [] by_label = defaultdict(dict) for entry in metadata: # Try v2 metadata first. label = entry.get('label') if label: by_label[label].update(entry) continue # Fallback to v1 metadata. package = entry['fuzzers_package'] package_url = 'fuchsia-pkg://fuchsia.com/{}'.format(package) for fuzzer in entry['fuzzers']: fuzz_specs.append({ 'package': package, 'package_url': package_url, 'fuzzer': fuzzer, 'manifest': '{}.cmx'.format(fuzzer), 'label': '//generated/{}:{}'.format(package, fuzzer), }) fuzz_specs += by_label.values() self._fuzzers = [ Fuzzer(self._factory, fuzz_spec) for fuzz_spec in fuzz_specs ] self._fuzzers.sort()
def afl(binary): l.info("beginning to fuzz \"%s\"", binary) binary_path = os.path.join(config.BINARY_DIR, binary) seeds = ["111", "fuzz"] fzr = Fuzzer(binary_path, config.AFL_WORK_DIR, config.AFL_INSTANCES, time_limit=config.FUZZ_TIMEOUT, qemu=False, seeds=seeds, create_dictionary=False) try: fzr.start() # clean all stale redis data clean_redis(fzr) time.sleep(2) # start the fuzzer and poll for a crash, timeout, or concolic assistance while not fzr.found_crash() and not fzr.timed_out(): time.sleep(5) if fzr.timed_out(): sql = 'update binarys SET status=5 WHERE binary_name = %s' else: sql = 'update binarys SET status=4 WHERE binary_name = %s' db.execute(sql, binary) fzr.kill() except InstallError: return False
def main(): config_file_path = sys.argv[1] endpoints_description = sys.argv[2] junit_output = sys.argv[3] custom_payloads_path = sys.argv[4] if len(sys.argv) == 5 else None with open(config_file_path, 'r') as config_file_pointer: ConfigurationManager(config_file_pointer) target = ConfigurationManager.config["target"] # Load and generate default payloads load_default_payloads(target["hostname"]) # If user specified file with custom payloads, we add them to our mutations payloads_loader = PayloadsLoader(target["hostname"]) payloads_loader.load_payloads(custom_payloads_path, FuzzPayloads.CUSTOM_PAYLOADS_KEY) with open(junit_output, 'w', encoding='utf8') as junit_output_file_pointer: with open(FUZZING_LOG_FILE, "w", encoding='utf8') as full_log_file_pointer: text_logger = TextLogger(full_log_file_pointer) junit_logger = JUnitLogger(junit_output_file_pointer, test_suite_name_delimiter=":", hostname=target["hostname"]) protocol = 'ssl' if target["ssl"] is True else 'tcp' with open(endpoints_description, 'r') as endpoints_description_file_pointer: endpoints = json.loads( endpoints_description_file_pointer.read()) fuzzer = Fuzzer(endpoints, text_logger, junit_logger, protocol) fuzzer.fuzz() return fuzzer.was_there_any_failure()
if __name__ == "__main__": parser = argparse.ArgumentParser(description='A DOM fuzzer') parser.add_argument("-m", dest="mode", help="Fuzzing mode") parser.add_argument("-n", dest="num", help="Number of generated testcases", required=False) parser.add_argument("-i", dest="index", help="Fuzzer ID") parser.add_argument("-o", dest="output", required=False) args = parser.parse_args() mode = fuzz_modes.get(args.mode) if mode is None: parser.print_help() sys.exit(1) init() if mode == FuzzMode.GenerateOnly: if args.output is None or args.num is None: print( "Number of testcases (-n) and output directory (-o) are required in generated-only mode." ) sys.exit(1) manager = Manager(int(args.index), True, args.output) fuzzer = Fuzzer(None, manager) fuzzer.generate_only(int(args.num)) else: pass
def main(): parser = ArgumentParser(description='', add_help=False) subparsers = parser.add_subparsers(dest='subparser_name') # Fuzzing parser_fuzz = subparsers.add_parser('fuzz') parser_fuzz.add_argument("-s", "--instruction-set", type=str, required=True) parser_fuzz.add_argument("-c", "--config", type=str, required=False) parser_fuzz.add_argument( "-n", "--num-test-cases", type=int, default=1, help="Number of test cases.", ) parser_fuzz.add_argument( "-i", "--num-inputs", type=int, default=100, help="Number of inputs per test case.", ) parser_fuzz.add_argument( '-w', '--working-directory', type=str, default='', ) parser_fuzz.add_argument('-t', '--testcase', type=str, default=None, help="Use an existing test case") parser_fuzz.add_argument( '--timeout', type=int, default=0, help= "Run fuzzing with a time limit [seconds]. No timeout when set to zero." ) parser_fuzz.add_argument( '--nonstop', action='store_true', help="Don't stop after detecting an unexpected result") parser_mini = subparsers.add_parser('minimize') parser_mini.add_argument( '--infile', '-i', type=str, required=True, ) parser_mini.add_argument( '--outfile', '-o', type=str, required=True, ) parser_mini.add_argument("-c", "--config", type=str, required=False) parser_mini.add_argument( "-n", "--num-inputs", type=int, default=100, help="Number of inputs per test case.", ) parser_mini.add_argument( "-f", "--add-fences", action='store_true', default=False, help="Add as many LFENCEs as possible, while preserving the violation.", ) parser_mini.add_argument("-s", "--instruction-set", type=str, required=True) args = parser.parse_args() # Update configuration if args.config: CONF.config_path = args.config with open(args.config, "r") as f: config_update: Dict = yaml.safe_load(f) for var, value in config_update.items(): CONF.set(var, value) CONF.sanity_check() LOGGER.set_logging_modes() # Fuzzing if args.subparser_name == 'fuzz': # Make sure we're ready for fuzzing if args.working_directory and not os.path.isdir( args.working_directory): SystemExit("The working directory does not exist") # Normal fuzzing mode fuzzer = Fuzzer(args.instruction_set, args.working_directory, args.testcase) fuzzer.start( args.num_test_cases, args.num_inputs, args.timeout, args.nonstop, ) return # Test Case minimisation if args.subparser_name == "minimize": CONF.coverage_type = 'none' postprocessor = Postprocessor(args.instruction_set) postprocessor.minimize(args.infile, args.outfile, args.num_inputs, args.add_fences) return raise Exception("Unreachable")
report_path = sys.argv[1] else: report_path = os.path.join(rp.get_path(source_path), "report") if not os.path.exists(report_path): os.makedirs(report_path) print "Directory " + dirName + " Created" try: with open(config_path) as f: config = json.load(f) rospy.loginfo("Building Fuzzer with configuration.") except IOError: config = None rospy.loginfo("The configuration file does not exist. Working with empty dictionary.") fuzzer = Fuzzer(config) # Anything necesary before the execution of state # As built a mock robot or initialize the necessary services. # # skills = base_skills # rospy.loginfo("Building robot with skills: ".join(skills)) # robot = robot_factory.build(skills) sm = state_machine # Only if you need or want a instronspection server to see the state machine structure: # sis = smach_ros.IntrospectionServer("server_name", sm, "/SM_ROOT") # sis.start() # It can handle multiple state machines, only add to machines and it will test all togethers machines = [sm._states]
def fuzz(binary): l.info("beginning to fuzz \"%s\"", binary) binary_path = os.path.join(config.BINARY_DIR, binary) seeds = ["fuzzz", "111"] # look for a pcap pcap_path = os.path.join(config.PCAP_DIR, "%s.pcap" % binary) if os.path.isfile(pcap_path): l.info("found pcap for binary %s", binary) seeds = pcap.process(pcap_path) else: l.warning( "unable to find pcap file, will seed fuzzer with the default") # TODO enable dictionary creation, this may require fixing parts of the fuzzer module fzr = Fuzzer(binary_path, config.FUZZER_WORK_DIR, config.FUZZER_INSTANCES, time_limit=config.FUZZ_TIMEOUT, qemu=False, seeds=seeds, create_dictionary=False) try: fzr.start() # start a listening for inputs produced by concolic start_listener(fzr) # clean all stale redis data clean_redis(fzr) # list of 'concolic request' each is a celery async result object concolic_jobs = [] time.sleep(2) # start the fuzzer and poll for a crash, timeout, or concolic assistance while not fzr.found_crash() and not fzr.timed_out(): # check to see if concolic should be invoked sql = 'update binarys SET status=1 WHERE binary_name = %s' db.execute(sql, binary) if 'fuzzer-1' in fzr.stats and 'pending_favs' in fzr.stats[ 'fuzzer-1']: if not int(fzr.stats['fuzzer-1']['pending_favs']) > 0: sql = 'update binarys SET status=2 WHERE binary_name = %s' db.execute(sql, binary) concolic_jobs.extend(request_drilling(fzr)) time.sleep(config.CRASH_CHECK_INTERVAL) # make sure to kill the fuzzers when we're done fzr.kill() except InstallError: l.info("fuzzer InstallError") return False # we found a crash! if fzr.found_crash(): l.info("found crash for \"%s\"", binary) l.info("time for found_crash %d", fzr.compute_time()) sql = 'update binarys SET status=3 WHERE binary_name = %s' db.execute(sql, binary) # publish the crash redis_inst = redis.Redis(host=config.REDIS_HOST, port=config.REDIS_PORT, db=config.REDIS_DB) redis_inst.publish("crashes", binary) # revoke any concolic jobs which are still working for job in concolic_jobs: if job.status == 'PENDING': job.revoke(terminate=True) if fzr.timed_out(): l.info("timed out while fuzzing \"%s\"", binary) sql = 'update binarys SET status=-1 WHERE binary_name = %s' db.execute(sql, binary) # TODO end drilling jobs working on the binary return len(fzr.crashes()) > 0
cert.cert.validity.setup('170420132219Z', '180420132219Z') cert.cert.pubkey.setup(hexdump.dehex(pubkey)) cert.signature.setup(hexdump.dehex(signature)) iss = p7s.IssuerAndSerial() iss[0] = st obj.signedData.certificates[0].replace(cert) si = obj.signedData.signerInfos[0] si.issuerAndSerial.replace(iss) si.attributes.signingTime.setup('170502094738Z') si.attributes.messageDigest.setup(hexdump.dehex(msgDigest)) si.attributes.msEncryptionCert.setup(iss) si.attributes.keyPref.setup(iss) si.digest.setup(hexdump.dehex(digest)) data = obj.dump() with open("../mails/cert.p7s", "rb") as f: res = f.read() print "test3:", "OK" if checkBuffers(res, data, True) else "FAILED" # obj.pprint() fuzz = Fuzzer() fuzz.parseArgs(None, ['-v']) with open("crashdata0.log", "rb") as f: data = f.read() print fuzz.parseTnef(fuzz.variant(data))