ファイル: driller.py プロジェクト: firebitsbr/worker
    def _run(self, job):
        """Drill a testcase.

        Builds a hook table that maps each resolved symbol address of the
        challenge set to its libc SimProcedure (symbols listed in
        ``DONT_HOOK`` are left alone), drills the job's seed input against
        the first stored bitmap, records every previously unseen generated
        input as a ``Test`` row, and finally marks the seed as drilled.

        Args:
            job: the drill job; ``job.input_test.blob`` is the seed input.
        """

        hooks = {}
        for addr, symbol in self._cs.symbols.items():
            # Only symbols that are not explicitly excluded and that have a
            # libc simprocedure available get hooked.
            if symbol not in self.DONT_HOOK and symbol in SimProcedures['libc.so.6']:
                LOG.info("Hooking up %#x -> %s", addr, symbol)
                hooks[addr] = SimProcedures['libc.so.6'][symbol]

        LOG.info("Hooked up %d addresses to simprocedures", len(hooks))

        self._driller = driller.Driller(
            self._cbn.path,
            job.input_test.blob,
            self._cs.bitmap.first().blob,
            'tag',
            hooks=hooks,
        )

        # NOTE(review): the seed is read from ``job`` but the Test rows are
        # attached to ``self._job`` -- confirm the two refer to the same job.
        for _, new_input in self._driller.drill_generator():
            if new_input in self._seen:
                continue
            self._seen.add(new_input)
            LOG.info("Found new testcase (of length %s)!", len(new_input))
            Test.get_or_create(cs=self._cs, job=self._job, blob=new_input)

        self._job.input_test.drilled = True
        self._job.input_test.save()
def test_simproc_drilling():
    """
    Test drilling on the cgc binary palindrome with simprocedures.

    The binary's memcmp at 0x8048200 is replaced by angr's libc memcmp
    SimProcedure so that the comparison against the embedded password is
    symbolically solvable; the test passes if at least one generated input
    starts with that password.
    """

    binary = "tests/i386/driller_simproc"
    # memcmp(): compares the first n bytes of two memory regions
    memcmp = angr.SIM_PROCEDURES['libc']['memcmp']()
    simprocs = {0x8048200: memcmp}

    # fuzzbitmap says every transition is worth satisfying.
    # input_str="A"*0x80, fuzz_bitmap="\xff"*65535, tag="whatever~", hooks=simprocs.
    drill = driller.Driller(
        os.path.join(bin_location, binary),
        b"A" * 0x80,
        b"\xff" * 65535,
        "whatever~",
        hooks=simprocs,
    )

    new_inputs = drill.drill()
    print("hz- new_inputs: %s " % new_inputs)

    # Make sure driller produced a new input which satisfies the memcmp:
    # any() is true as soon as a single input starts with the password.
    password = b"the_secret_password_is_here_you_will_never_guess_it_especially_since_it_is_going_to_be_made_lower_case"
    found = any(item[1].startswith(password) for item in new_inputs)
    nose.tools.assert_true(found)
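def test_vul(binary):
    """Drill ``binary`` and dump every generated input to ``<i>.input``.

    Each tuple yielded by ``drill_generator`` is printed, and its payload
    (element 1) is written to a numbered file in the current directory,
    overwriting any file of that name.

    Args:
        binary: path of the binary to drill.
    """
    d = driller.Driller(binary, "A" * 120, "\xff" * 65535, "whatever~")
    for i, tmp_input in enumerate(d.drill_generator()):
        print('\ninput ' + str(i) + ': ' + repr(tmp_input) + '\n')
        # log the driller sample into the file(number.input); the context
        # manager closes the handle even if write() raises
        with open(str(i) + '.input', 'w') as file_tmp:
            file_tmp.write(tmp_input[1])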
ファイル: driller_explore.py プロジェクト: CAFA1/driller1
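def test_vul(binary):
    """Drill ``binary`` once and dump every new input to ``<i>.input``.

    ``drill()`` is run to completion first; each returned tuple is then
    printed and its payload (element 1) written to a numbered file in the
    current directory, overwriting any file of that name.

    Args:
        binary: path of the binary to drill.
    """

    d = driller.Driller(binary, "A" * 30, "\xff" * 65535, "whatever~")

    new_inputs = d.drill()
    for i, tmp_input in enumerate(new_inputs):
        print('\ninput ' + str(i) + ': ' + repr(tmp_input) + '\n')
        # the context manager closes the file even if write() raises
        with open(str(i) + '.input', 'w') as file_tmp:
            file_tmp.write(tmp_input[1])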
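def _doDrill(path, replyto, bitmap, binary):
    """Drill one input and hand the resulting inputs back through a queue.

    Args:
        path: passed to Driller as ``input_str`` -- despite the name it is
            the seed input itself, not a filename (confirm callers pass
            the input content).
        replyto: a queue-like object; ``put`` receives the result set.
        bitmap: the fuzzer bitmap, passed as ``fuzz_bitmap``.
        binary: path of the binary to drill.

    Side effects: calls ``replyto.put`` exactly once with the set of
    generated inputs (element 1 of each drill result, deduplicated).
    """

    # Setup a new driller
    drill = driller.Driller(binary=binary, input_str=path, fuzz_bitmap=bitmap)

    # Drill drill drill
    results = drill.drill()

    # Grab the newly minted paths; a set comprehension skips the
    # intermediate list and deduplicates identical inputs as before
    new_paths = {result[1] for result in results}

    # Send them back
    replyto.put(new_paths)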
def test_vul():
    """
    Drill the local binary ``./vul`` from the seed "AAAA" and print every
    generated input.
    """

    binary = "./vul"

    # fuzzbitmap says every transition is worth satisfying.
    drill = driller.Driller(binary, "AAAA", "\xff" * 65535, "whatever~")

    # Run the drill to completion, then echo each result tuple.
    for tmp_input in drill.drill():
        print(repr(tmp_input))
ファイル: test_driller.py プロジェクト: firebitsbr/driller-1
def test_drilling_cgc():
    """
    Test drilling on the cgc binary, palindrome.

    Expects exactly 7 new inputs from the seed "AAAA" and at least one of
    them to start with the ``^`` byte that reaches the easter egg.
    """

    binary = "tests/cgc/sc1_0b32aa01_01"
    binary_path = os.path.join(bin_location, binary)

    # fuzzbitmap says every transition is worth satisfying.
    drill = driller.Driller(binary_path, b"AAAA", b"\xff" * 65535, "whatever~")

    new_inputs = drill.drill()

    # The count is pinned for this specific binary and seed.
    nose.tools.assert_equal(len(new_inputs), 7)

    # Make sure driller produced a new input which hits the easter egg.
    hits_egg = any(item[1].startswith(b'^') for item in new_inputs)
    nose.tools.assert_true(hits_egg)
ファイル: test_simproc.py プロジェクト: windhl/driller
def test_simproc_drilling():
    """
    Test drilling on the cgc binary palindrome with simprocedures.

    The memcmp at 0x8048200 is replaced by the simuvex libc memcmp so the
    password comparison becomes solvable; the test passes when at least one
    generated input starts with the password.
    """

    binary = "tests/i386/driller_simproc"
    memcmp = simuvex.procedures.libc___so___6.memcmp.memcmp
    simprocs = {0x8048200: memcmp}

    # fuzzbitmap says every transition is worth satisfying
    drill = driller.Driller(
        os.path.join(bin_location, binary),
        "A" * 0x80,
        "\xff" * 65535,
        "whatever~",
        hooks=simprocs,
    )

    new_inputs = drill.drill()

    # make sure driller produced a new input which satisfies the memcmp
    # NOTE(review): this literal looks redacted in the listing -- confirm
    # the real value against the source file
    password = "******"
    satisfied = any(item[1].startswith(password) for item in new_inputs)
    nose.tools.assert_true(satisfied)
ファイル: test_driller.py プロジェクト: windhl/driller
def test_drilling_cgc():
    '''
    Test drilling on the cgc binary, palindrome.

    Expects exactly 7 new inputs from the seed "AAAA", one of which starts
    with '^' (the easter-egg path).
    '''

    binary = "cgc_scored_event_1/cgc/0b32aa01_01"
    binary_path = os.path.join(bin_location, binary)

    # fuzzbitmap says every transition is worth satisfying
    drill = driller.Driller(binary_path, "AAAA", "\xff" * 65535, "whatever~")

    new_inputs = drill.drill()

    # the count is pinned for this specific binary and seed
    nose.tools.assert_equal(len(new_inputs), 7)

    # make sure driller produced a new input which hits the easter egg
    hits_egg = any(item[1].startswith('^') for item in new_inputs)
    nose.tools.assert_true(hits_egg)
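def test_vul(binary):
    """Drill ``binary`` once and dump every new input to ``<i>.input``.

    ``drill()`` runs to completion; each returned tuple is printed and its
    payload (element 1) is written to a numbered file in the current
    directory, overwriting any file of that name.

    Args:
        binary: path of the binary to drill.
    """

    # fuzzbitmap says every transition is worth satisfying.
    d = driller.Driller(binary, "A" * 120, "\xff" * 65535, "whatever~")

    new_inputs = d.drill()
    for i, tmp_input in enumerate(new_inputs):
        print('\ninput ' + str(i) + ': ' + repr(tmp_input) + '\n')
        # log the driller sample into the file(number.input); the context
        # manager closes the handle even if write() raises
        with open(str(i) + '.input', 'w') as file_tmp:
            file_tmp.write(tmp_input[1])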
def test_drilling_cgc():
    """
    Test drilling on the cgc binary, palindrome.

    Expects exactly 7 new inputs from the seed b"AAAA" and at least one of
    them to start with b'^', the byte that reaches the easter egg.
    """
    binary = "tests/cgc/sc1_0b32aa01_01"

    # fuzzbitmap says every transition is worth satisfying.
    # input_str=b"AAAA", fuzz_bitmap=b"\xff"*65535, tag="whatever~".
    drill = driller.Driller(
        os.path.join(bin_location, binary),
        b"AAAA",
        b"\xff" * 65535,
        "whatever~",
    )

    new_inputs = drill.drill()
    print("hz- new_inputs: %s " % new_inputs)

    # The count is pinned for this specific binary and seed.
    nose.tools.assert_equal(len(new_inputs), 7)

    # Make sure driller produced a new input which hits the easter egg:
    # any() is true as soon as a single input starts with b'^'.
    hits_egg = any(item[1].startswith(b'^') for item in new_inputs)
    nose.tools.assert_true(hits_egg)
    binary_path, fuzzer_out_dir, bitmap_path, path_to_input_to_drill = sys.argv[1:5]

    fuzzer_bitmap = open(args.bitmap_path, "rb").read()

    # create a folder
    driller_dir = os.path.join(args.fuzzer_out_dir, "driller")
    driller_queue_dir = os.path.join(driller_dir, "queue")
    try: os.mkdir(driller_dir)
    except OSError: pass
    try: os.mkdir(driller_queue_dir)
    except OSError: pass

    l.debug('drilling %s', path_to_input_to_drill)
    # get the input
    inputs_to_drill = [open(args.path_to_input_to_drill, "rb").read()]
    if args.length_extension:
        inputs_to_drill.append(inputs_to_drill[0] + b'\0' * args.length_extension)

    for input_to_drill in inputs_to_drill:
        d = driller.Driller(args.binary_path, input_to_drill, fuzzer_bitmap)
        count = 0
        for new_input in d.drill_generator():
            id_num = len(os.listdir(driller_queue_dir))
            fuzzer_from = args.path_to_input_to_drill.split("sync/")[1].split("/")[0] + args.path_to_input_to_drill.split("id:")[1].split(",")[0]
            filepath = "id:" + ("%d" % id_num).rjust(6, "0") + ",from:" + fuzzer_from
            filepath = os.path.join(driller_queue_dir, filepath)
            with open(filepath, "wb") as f:
                f.write(new_input[1])
            count += 1
        l.warning("found %d new inputs", count)
ファイル: sample.py プロジェクト: gast04/CTF_ToolBox
import driller               

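# Drill the local binary "simple_test" from the seed "abcd" with an
# all-ones fuzzer bitmap, then show the generated inputs.
d = driller.Driller("simple_test", "abcd", "\xff"*65535, "whatever~")
inp = d.drill()
# A bare expression statement only displays its value in an interactive
# session; as a script it was a no-op, so print the result explicitly.
print(inp)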

ファイル: cadet1.py プロジェクト: gal0is/cgc-test
import driller
import logging

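# Surface driller's own debug logging on the root logger.
logging.getLogger().setLevel('DEBUG')

# The seed is given as bytes, so the bitmap is passed as bytes too: under
# Python 3 "\xff" * 65535 is a str of U+00FF characters, not 0xFF bytes
# (the two spellings are identical under Python 2).
d = driller.Driller(
    "./CADET_00001",  # path to the target binary
    b"racecar",  # initial testcase
    b"\xff" * 65535,  # AFL bitmap with no discovered transitions
)

new_inputs = d.drill()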