def main(args):
if len(args) < 1:
logger.warning("please provide a filename")
return
path = args[0]
testcase = None
# Can we read the testfile?
with open(path, "r") as f:
testcase = json.load(f)
# Start all docker daemons that we'll use during the execution
logger.setLevel(logging.DEBUG)
ch = logging.StreamHandler()
ch.setLevel(logging.INFO)
formatter = logging.Formatter('%(asctime)s - %(levelname)s - %(message)s')
ch.setFormatter(formatter)
logger.addHandler(ch)
f = Fuzzer(config=Config(dummy()))
f.start_daemons()
runTest(testcase, os.path.basename(path), f)
def check_fuzzer(args, factory):
"""Implementation of "fx fuzz check"."""
device = factory.create_device()
blank = True
for package, executable in device.buildenv.fuzzers(args.name):
fuzzer = Fuzzer(device, package, executable)
if not args.name and not fuzzer.is_running():
continue
if not fuzzer.is_resolved():
factory.host.echo('{}: NOT INSTALLED'.format(fuzzer))
elif fuzzer.is_running():
factory.host.echo('{}: RUNNING'.format(fuzzer))
else:
factory.host.echo('{}: STOPPED'.format(fuzzer))
if fuzzer.is_resolved():
num, size = fuzzer.corpus.measure()
factory.host.echo(' Corpus size: {} inputs / {} bytes'.format(
num, size))
artifacts = fuzzer.list_artifacts()
if artifacts:
factory.host.echo(' Artifacts:')
for artifact in artifacts:
factory.host.echo(' {}'.format(artifact))
factory.host.echo('')
blank = False
if blank:
factory.host.echo('No fuzzers are running.',
'Include \'name\' to check specific fuzzers.')
def minimize(self, test_case_asm: str, outfile: str, num_inputs: int, add_fences: bool):
# initialize fuzzer
fuzzer: Fuzzer = Fuzzer(self.instruction_set_spec, "", test_case_asm)
fuzzer.initialize_modules()
# Parse the test case and inputs
test_case: TestCase = fuzzer.generator.parse_existing_test_case(test_case_asm)
inputs: List[Input] = fuzzer.input_gen.generate(CONF.input_gen_seed, num_inputs)
# Load, boost inputs, and trace
fuzzer.model.load_test_case(test_case)
boosted_inputs: List[Input] = fuzzer.boost_inputs(inputs, CONF.model_max_nesting)
print("Trying to reproduce...")
violations = self._get_all_violations(fuzzer, test_case, boosted_inputs)
if not violations:
print("Could not reproduce the violation. Exiting...")
return
print(f"Found {len(violations)} violations")
# print("Searching for a minimal input set...")
# min_inputs = self.minimize_inputs(fuzzer, test_case, boosted_inputs, violations)
min_inputs = boosted_inputs
print("Minimizing the test case...")
min_test_case: TestCase = self.minimize_test_case(fuzzer, test_case, min_inputs)
if add_fences:
print("Trying to add fences...")
min_test_case = self.add_fences(fuzzer, min_test_case, min_inputs)
print("Storing the results")
copy(min_test_case.asm_path, outfile)
def start_test(self):
if len(self.devices) == 0:
self.error = 'Wybierz urzadzenia do testu!'
return
port = settings.config['devices_start_port']
print('Pushing agents')
for d in self.devices:
d.push(settings.config['agent_path'], '/data/local/tmp/agent',
0o755)
self.fuzzers.append(Fuzzer(d, port, self.devpath))
port += 1
for f in self.fuzzers:
t = threading.Thread(target=f.run, daemon=True)
self.threads.append(t)
t.start()
print('Fuzzing started!')
print('{} active threads'.format(threading.active_count() - 1))
print('Press any key to stop testing...')
input()
print('Stopping..')
for f in self.fuzzers:
f.stop()
for t in self.threads:
t.join()
self.fuzzers = []
self.threads = []
print('{} active threads'.format(threading.active_count() - 1))
def fuzz(self):
# target = "http://192.168.234.161/login.php"
parameter_list = http_params.HttpParams()
parameter_list.load_from_string_list(self.parameter_list)
payload_list = payloads.Payloads()
payload_list.load_from_string_list(self.payload_list)
fuzzer = Fuzzer(self.target, parameter_list.parameters,
payload_list.payload_list)
fuzzer.fuzz()
return fuzzer.output
def fuzz(self, api_resources):
"""
Call APIFuzzer with the given api definition
:type api_resources: dict
"""
with pytest.raises(SystemExit):
prog = Fuzzer(api_resources=api_resources,
report_dir=self.report_dir,
test_level=1,
alternate_url=self.test_app_url,
test_result_dst=None,
log_level='Debug',
auth_headers={})
prog.prepare()
prog.run()
def fuzz(self, api_resources):
"""
Call APIFuzzer with the given api definition
:type api_resources: dict
"""
prog = Fuzzer(api_resources=api_resources,
report_dir=self.report_dir,
test_level=1,
alternate_url=self.test_app_url,
test_result_dst=None,
log_level='Debug',
basic_output=False,
auth_headers={})
prog.prepare()
prog.run()
def create_fuzzer(self, args, device=None):
"""Constructs a Fuzzer from command line arguments, showing a
disambiguation menu if specified name matches more than one fuzzer."""
if not device:
device = self.create_device()
package, executable = self._resolve_fuzzer(device.buildenv, args.name)
fuzzer = Fuzzer(device, package, executable)
keys = [
key for key, val in vars(Fuzzer).items()
if isinstance(val, property) and val.fset
]
for key, val in vars(args).items():
if key in keys and val is not None:
setattr(fuzzer, key, val)
return fuzzer
def start_run(self, chosen_devices, methods):
print(methods)
port = settings.config['devices_start_port']
self.view.log('Instaluję agenta na urządzeniach ({})...\n'.format(
len(chosen_devices)))
for idx in chosen_devices:
self.devices[idx].device.push(settings.config['agent_path'],
'/data/local/tmp/agent', 0o755)
#TODO: add devices.shell run agent
mutations = [x[1].get() for x in self.mutations]
self.fuzzers.append(
Fuzzer(self.devices[idx], port, self.project.devpath,
self.corpus, methods, mutations))
port += 1
for f in self.fuzzers:
t = threading.Thread(target=f.run, daemon=True)
self.threads.append(t)
t.start()
self.view.log('Rozpoczęto testowanie!\n')
def fuzz(self, api_resources, headers):
"""
Call APIFuzzer with the given api definition
:type api_resources: dict
:param headers: headers to add fuzz request
"""
if headers is None:
self.generate_random_auth_headers()
else:
self.auth_headers = headers
prog = Fuzzer(api_resources=api_resources,
report_dir=self.report_dir,
test_level=1,
alternate_url=self.test_app_url,
test_result_dst=None,
log_level='Debug',
basic_output=False,
auth_headers=self.auth_headers)
prog.prepare()
prog.run()
def read_fuzzers(self, pathname):
"""Parses the available fuzzers from an fuzzers.json pathname."""
with self.host.open(
pathname,
on_error=[
'Failed to read fuzzers from {}.'.format(pathname),
'Have you run "fx set ... --fuzz-with <sanitizer>"?'
]) as opened:
metadata = json.load(opened)
fuzz_specs = []
by_label = defaultdict(dict)
for entry in metadata:
# Try v2 metadata first.
label = entry.get('label')
if label:
by_label[label].update(entry)
continue
# Fallback to v1 metadata.
package = entry['fuzzers_package']
package_url = 'fuchsia-pkg://fuchsia.com/{}'.format(package)
for fuzzer in entry['fuzzers']:
fuzz_specs.append({
'package':
package,
'package_url':
package_url,
'fuzzer':
fuzzer,
'manifest':
'{}.cmx'.format(fuzzer),
'label':
'//generated/{}:{}'.format(package, fuzzer),
})
fuzz_specs += by_label.values()
self._fuzzers = [
Fuzzer(self._factory, fuzz_spec) for fuzz_spec in fuzz_specs
]
self._fuzzers.sort()
def afl(binary):
l.info("beginning to fuzz \"%s\"", binary)
binary_path = os.path.join(config.BINARY_DIR, binary)
seeds = ["111", "fuzz"]
fzr = Fuzzer(binary_path,
config.AFL_WORK_DIR,
config.AFL_INSTANCES,
time_limit=config.FUZZ_TIMEOUT,
qemu=False,
seeds=seeds,
create_dictionary=False)
try:
fzr.start()
# clean all stale redis data
clean_redis(fzr)
time.sleep(2)
# start the fuzzer and poll for a crash, timeout, or concolic assistance
while not fzr.found_crash() and not fzr.timed_out():
time.sleep(5)
if fzr.timed_out():
sql = 'update binarys SET status=5 WHERE binary_name = %s'
else:
sql = 'update binarys SET status=4 WHERE binary_name = %s'
db.execute(sql, binary)
fzr.kill()
except InstallError:
return False
def main():
config_file_path = sys.argv[1]
endpoints_description = sys.argv[2]
junit_output = sys.argv[3]
custom_payloads_path = sys.argv[4] if len(sys.argv) == 5 else None
with open(config_file_path, 'r') as config_file_pointer:
ConfigurationManager(config_file_pointer)
target = ConfigurationManager.config["target"]
# Load and generate default payloads
load_default_payloads(target["hostname"])
# If user specified file with custom payloads, we add them to our mutations
payloads_loader = PayloadsLoader(target["hostname"])
payloads_loader.load_payloads(custom_payloads_path,
FuzzPayloads.CUSTOM_PAYLOADS_KEY)
with open(junit_output, 'w', encoding='utf8') as junit_output_file_pointer:
with open(FUZZING_LOG_FILE, "w",
encoding='utf8') as full_log_file_pointer:
text_logger = TextLogger(full_log_file_pointer)
junit_logger = JUnitLogger(junit_output_file_pointer,
test_suite_name_delimiter=":",
hostname=target["hostname"])
protocol = 'ssl' if target["ssl"] is True else 'tcp'
with open(endpoints_description,
'r') as endpoints_description_file_pointer:
endpoints = json.loads(
endpoints_description_file_pointer.read())
fuzzer = Fuzzer(endpoints, text_logger, junit_logger, protocol)
fuzzer.fuzz()
return fuzzer.was_there_any_failure()
if __name__ == "__main__":
parser = argparse.ArgumentParser(description='A DOM fuzzer')
parser.add_argument("-m", dest="mode", help="Fuzzing mode")
parser.add_argument("-n",
dest="num",
help="Number of generated testcases",
required=False)
parser.add_argument("-i", dest="index", help="Fuzzer ID")
parser.add_argument("-o", dest="output", required=False)
args = parser.parse_args()
mode = fuzz_modes.get(args.mode)
if mode is None:
parser.print_help()
sys.exit(1)
init()
if mode == FuzzMode.GenerateOnly:
if args.output is None or args.num is None:
print(
"Number of testcases (-n) and output directory (-o) are required in generated-only mode."
)
sys.exit(1)
manager = Manager(int(args.index), True, args.output)
fuzzer = Fuzzer(None, manager)
fuzzer.generate_only(int(args.num))
else:
pass
def main():
parser = ArgumentParser(description='', add_help=False)
subparsers = parser.add_subparsers(dest='subparser_name')
# Fuzzing
parser_fuzz = subparsers.add_parser('fuzz')
parser_fuzz.add_argument("-s",
"--instruction-set",
type=str,
required=True)
parser_fuzz.add_argument("-c", "--config", type=str, required=False)
parser_fuzz.add_argument(
"-n",
"--num-test-cases",
type=int,
default=1,
help="Number of test cases.",
)
parser_fuzz.add_argument(
"-i",
"--num-inputs",
type=int,
default=100,
help="Number of inputs per test case.",
)
parser_fuzz.add_argument(
'-w',
'--working-directory',
type=str,
default='',
)
parser_fuzz.add_argument('-t',
'--testcase',
type=str,
default=None,
help="Use an existing test case")
parser_fuzz.add_argument(
'--timeout',
type=int,
default=0,
help=
"Run fuzzing with a time limit [seconds]. No timeout when set to zero."
)
parser_fuzz.add_argument(
'--nonstop',
action='store_true',
help="Don't stop after detecting an unexpected result")
parser_mini = subparsers.add_parser('minimize')
parser_mini.add_argument(
'--infile',
'-i',
type=str,
required=True,
)
parser_mini.add_argument(
'--outfile',
'-o',
type=str,
required=True,
)
parser_mini.add_argument("-c", "--config", type=str, required=False)
parser_mini.add_argument(
"-n",
"--num-inputs",
type=int,
default=100,
help="Number of inputs per test case.",
)
parser_mini.add_argument(
"-f",
"--add-fences",
action='store_true',
default=False,
help="Add as many LFENCEs as possible, while preserving the violation.",
)
parser_mini.add_argument("-s",
"--instruction-set",
type=str,
required=True)
args = parser.parse_args()
# Update configuration
if args.config:
CONF.config_path = args.config
with open(args.config, "r") as f:
config_update: Dict = yaml.safe_load(f)
for var, value in config_update.items():
CONF.set(var, value)
CONF.sanity_check()
LOGGER.set_logging_modes()
# Fuzzing
if args.subparser_name == 'fuzz':
# Make sure we're ready for fuzzing
if args.working_directory and not os.path.isdir(
args.working_directory):
SystemExit("The working directory does not exist")
# Normal fuzzing mode
fuzzer = Fuzzer(args.instruction_set, args.working_directory,
args.testcase)
fuzzer.start(
args.num_test_cases,
args.num_inputs,
args.timeout,
args.nonstop,
)
return
# Test Case minimisation
if args.subparser_name == "minimize":
CONF.coverage_type = 'none'
postprocessor = Postprocessor(args.instruction_set)
postprocessor.minimize(args.infile, args.outfile, args.num_inputs,
args.add_fences)
return
raise Exception("Unreachable")
report_path = sys.argv[1]
else:
report_path = os.path.join(rp.get_path(source_path), "report")
if not os.path.exists(report_path):
os.makedirs(report_path)
print "Directory " + dirName + " Created"
try:
with open(config_path) as f:
config = json.load(f)
rospy.loginfo("Building Fuzzer with configuration.")
except IOError:
config = None
rospy.loginfo("The configuration file does not exist. Working with empty dictionary.")
fuzzer = Fuzzer(config)
# Anything necesary before the execution of state
# As built a mock robot or initialize the necessary services.
#
# skills = base_skills
# rospy.loginfo("Building robot with skills: ".join(skills))
# robot = robot_factory.build(skills)
sm = state_machine
# Only if you need or want a instronspection server to see the state machine structure:
# sis = smach_ros.IntrospectionServer("server_name", sm, "/SM_ROOT")
# sis.start()
# It can handle multiple state machines, only add to machines and it will test all togethers
machines = [sm._states]
def fuzz(binary):
l.info("beginning to fuzz \"%s\"", binary)
binary_path = os.path.join(config.BINARY_DIR, binary)
seeds = ["fuzzz", "111"]
# look for a pcap
pcap_path = os.path.join(config.PCAP_DIR, "%s.pcap" % binary)
if os.path.isfile(pcap_path):
l.info("found pcap for binary %s", binary)
seeds = pcap.process(pcap_path)
else:
l.warning(
"unable to find pcap file, will seed fuzzer with the default")
# TODO enable dictionary creation, this may require fixing parts of the fuzzer module
fzr = Fuzzer(binary_path,
config.FUZZER_WORK_DIR,
config.FUZZER_INSTANCES,
time_limit=config.FUZZ_TIMEOUT,
qemu=False,
seeds=seeds,
create_dictionary=False)
try:
fzr.start()
# start a listening for inputs produced by concolic
start_listener(fzr)
# clean all stale redis data
clean_redis(fzr)
# list of 'concolic request' each is a celery async result object
concolic_jobs = []
time.sleep(2)
# start the fuzzer and poll for a crash, timeout, or concolic assistance
while not fzr.found_crash() and not fzr.timed_out():
# check to see if concolic should be invoked
sql = 'update binarys SET status=1 WHERE binary_name = %s'
db.execute(sql, binary)
if 'fuzzer-1' in fzr.stats and 'pending_favs' in fzr.stats[
'fuzzer-1']:
if not int(fzr.stats['fuzzer-1']['pending_favs']) > 0:
sql = 'update binarys SET status=2 WHERE binary_name = %s'
db.execute(sql, binary)
concolic_jobs.extend(request_drilling(fzr))
time.sleep(config.CRASH_CHECK_INTERVAL)
# make sure to kill the fuzzers when we're done
fzr.kill()
except InstallError:
l.info("fuzzer InstallError")
return False
# we found a crash!
if fzr.found_crash():
l.info("found crash for \"%s\"", binary)
l.info("time for found_crash %d", fzr.compute_time())
sql = 'update binarys SET status=3 WHERE binary_name = %s'
db.execute(sql, binary)
# publish the crash
redis_inst = redis.Redis(host=config.REDIS_HOST,
port=config.REDIS_PORT,
db=config.REDIS_DB)
redis_inst.publish("crashes", binary)
# revoke any concolic jobs which are still working
for job in concolic_jobs:
if job.status == 'PENDING':
job.revoke(terminate=True)
if fzr.timed_out():
l.info("timed out while fuzzing \"%s\"", binary)
sql = 'update binarys SET status=-1 WHERE binary_name = %s'
db.execute(sql, binary)
# TODO end drilling jobs working on the binary
return len(fzr.crashes()) > 0
cert.cert.validity.setup('170420132219Z', '180420132219Z')
cert.cert.pubkey.setup(hexdump.dehex(pubkey))
cert.signature.setup(hexdump.dehex(signature))
iss = p7s.IssuerAndSerial()
iss[0] = st
obj.signedData.certificates[0].replace(cert)
si = obj.signedData.signerInfos[0]
si.issuerAndSerial.replace(iss)
si.attributes.signingTime.setup('170502094738Z')
si.attributes.messageDigest.setup(hexdump.dehex(msgDigest))
si.attributes.msEncryptionCert.setup(iss)
si.attributes.keyPref.setup(iss)
si.digest.setup(hexdump.dehex(digest))
data = obj.dump()
with open("../mails/cert.p7s", "rb") as f:
res = f.read()
print "test3:", "OK" if checkBuffers(res, data, True) else "FAILED"
# obj.pprint()
fuzz = Fuzzer()
fuzz.parseArgs(None, ['-v'])
with open("crashdata0.log", "rb") as f:
data = f.read()
print fuzz.parseTnef(fuzz.variant(data))