def PackMute(self): rdata = "" rdata += self.DATA[:self.e_lfanew] # DOS_HEADER ~ STUB_CODE rdata += self.PE_HEADER[0x0:0x4] # Signature lfh_zzuf = pyZZUF(self.PE_HEADER[IMAGE_FILE_HEADER:IMAGE_OPTIONAL_HEADER]) lfh_zzuf.set_ratio(0.3) rdata += lfh_zzuf.mutate().tostring() # PE_HEADER 1 loh_zzuf1 = pyZZUF(self.PE_HEADER[IMAGE_OPTIONAL_HEADER:IMAGE_OPTIONAL_HEADER+0x10]) loh_zzuf1.set_ratio(0.3) rdata += loh_zzuf1.mutate().tostring() # PE_HEADER 2 rdata += struct.pack('<I',self.EP) # EP loh_zzuf2 = pyZZUF(self.PE_HEADER[IMAGE_OPTIONAL_HEADER+0x14:self.EP]) loh_zzuf2.set_ratio(0.3) rdata += loh_zzuf2.mutate().tostring() # PE_HEADER 3 rdata += self.PE_HEADER[self.EP:self.EP+0x20] #Save Packer Signature ep_zzuf3 = pyZZUF(self.PE_HEADER[self.EP+0x20:]) ep_zzuf3.set_ratio(0.3) rdata += ep_zzuf3.mutate().tostring() return rdata
def blob_generator(blob): zzuf = pyZZUF(blob) yield blob # Very tricky seed value zzuf.set_seed(666) zzuf.set_fuzz_mode(FUZZ_MODE_XOR) for data in zzuf.mutagen(start=0.0, stop=1, step=0.001): yield data.tostring()
def sevenzip_fuzz(self): # so dirty...... SIGN = self.INPUT[:6] zzbuf = pyZZUF(self.INPUT[6:]) zzbuf.set_ratio(0.3) rdata = "" rdata += SIGN rdata += zzbuf.mutate().tostring() return rdata
def zzmutate(seed, ratio, input_file): ratio = float(ratio) / 100 zzuf = pyZZUF(input_file) zzuf.set_seed(seed) zzuf.set_ratio(ratio) outfile = 's' + str(seed) + "__" + 'r' + str(ratio).replace('.', '_') with open(outfile, 'wb') as fout: mut_data = zzuf.mutate() fout.write(mut_data) fout.close() logging.debug("Testcase is %s" % outfile) file_path = os.getcwd() + '\\' + outfile return file_path
def thread_it(fuzz_range_start, fuzz_range_end, number_of_samples, data_to_be_flipped, extension): for x in range(0, int(number_of_samples)): zzuf = pyZZUF(data_to_be_flipped) # Random seed (default 0) zzuf.set_seed(9) # Bit fuzzing ratio (default 0.004) zzuf.set_ratio(0.91) # Only fuzz bytes at offsets within <ranges> zzuf.set_fuzz_bytes([[fuzz_range_start, fuzz_range_end]]) # zzuf.set_fuzz_bytes([[0, 3], [6, EOF]]) # Fuzzing mode <mode> ([xor] set unset) zzuf.set_fuzz_mode(FUZZ_MODE_XOR) with open("generated_samples_folder/" + "sample" + str(x) + "-" + str(fuzz_range_start) + "-" + str( fuzz_range_end) + extension, 'wb') as output: output.write(zzuf.mutate())
def gzip_fuzz(self): length = len(self.INPUT) SIGN = self.INPUT[:2] CHECKSUM = self.INPUT[length - 8:length - 4] FILESIZE = self.INPUT[length - 4:] zzbuf = pyZZUF(self.INPUT[2:]) zzbuf.set_ratio(0.3) rdata = "" rdata += SIGN rdata += zzbuf.mutate().tostring() rdata += CHECKSUM rdata += FILESIZE return rdata
def Mutation(self): with open(self.SEED_DIR + self.FILENAME, 'rb') as f: ole = f.read() ole = ole[8:] ole = pyZZUF(ole) ole.set_ratio(0.3) ole_write = ole.mutate().tostring() try: with open(self.OUT_DIR + self.FILENAME, 'wb') as f: f.write(ole_write) return True except IOError as error: print error return False
def rar_fuzz(self): SIGN = self.INPUT[:0x5] HEADER_SIZE = self.INPUT[0x5:0x7] FILE_CHECKSUM = self.INPUT[0x24:0x28] BHEADER_SIZE = self.INPUT[0x19:0x1b] HEAD_TYPE1 = chr(0x73) HEAD_TYPE2 = chr(0x74) fuzzed_data = pyZZUF(self.INPUT) fuzzed_data.set_ratio(0.3) fuzzed_data = fuzzed_data.mutate().tostring() rdata = "" rdata += SIGN rdata += HEADER_SIZE tmp_data = HEAD_TYPE1 tmp_data += fuzzed_data[0xa:0x14] HEADER_CRC = zlib.crc32(tmp_data) & 0xffffffff rdata += chr(HEADER_CRC & 0xff) rdata += chr((HEADER_CRC >> 8) & 0xff) rdata += tmp_data size = ord(BHEADER_SIZE[0]) + 0xff * ord(BHEADER_SIZE[1]) tmp_data = HEAD_TYPE2 tmp_data += fuzzed_data[0x17:0x19] tmp_data += BHEADER_SIZE tmp_data += fuzzed_data[0x1b:0x24] tmp_data += FILE_CHECKSUM tmp_data += fuzzed_data[0x28:0x14 + size] BHEADER_CRC = zlib.crc32(tmp_data) & 0xffffffff rdata += chr(BHEADER_CRC & 0xff) rdata += chr((BHEADER_CRC >> 8) & 0xff) rdata += tmp_data rdata += fuzzed_data[0x14 + size:-7] END_CRC = self.INPUT[-7:] rdata += END_CRC return rdata
def thread_it(fuzz_range_start, fuzz_range_end, number_of_samples, data_to_be_flipped, extension): for x in range(0, int(number_of_samples)): zzuf = pyZZUF(data_to_be_flipped) # Random seed (default 0) zzuf.set_seed(9) # Bit fuzzing ratio (default 0.004) zzuf.set_ratio(0.91) # Only fuzz bytes at offsets within <ranges> zzuf.set_fuzz_bytes([[fuzz_range_start, fuzz_range_end]]) # zzuf.set_fuzz_bytes([[0, 3], [6, EOF]]) # Fuzzing mode <mode> ([xor] set unset) zzuf.set_fuzz_mode(FUZZ_MODE_XOR) with open( "generated_samples_folder/" + "sample" + str(x) + "-" + str(fuzz_range_start) + "-" + str(fuzz_range_end) + extension, 'wb') as output: output.write(zzuf.mutate())
def mutation(self, test_file): mutation_file = test_file print '- file name: ', mutation_file self.ole = olefile.OleFileIO(mutation_file, write_mode=True) #field1의 특정 오프셋부터 일정 바이트를 field2의 특정 오프셋부터 일정 바이트로 덮어쓸것 field1, field2 = self.hwp_field_select() print '- selected field: ', field1, field2 #랜덤으로 선택된 필드 읽어들이기 stream1 = self.ole.openstream(field1) stream2 = self.ole.openstream(field2) data1 = stream1.read() data2 = stream2.read() stream1.seek(0) stream2.seek(0) size1 = self.hwp_field_size[field1] size2 = self.hwp_field_size[field2] #print size1, size2 if size1 < 5000 and size2 < 5000: rannum = random.randrange(1, 4) else: rannum = random.randrange(2, 4) if rannum == 1: if size1 > size2: #data1이 덮어씌어지기 전에 임시 buf에 저장 temp_buf = data1 temp_stream = stream1 #1) field1 <--- field2 #필드 사이즈 차이 계산해서 같은 크기로 맞추기 num = size1 / size2 data2 = data2 * num sub = size1 - len(data2) #data1과 data2의 사이즈가 같아짐 data2 = stream2.read(sub) + data2 self.ole.write_stream(field1, data2) #2) field2 <--- field1 #data1과 stream1을 원래대로 복구 data1 = temp_buf stream1 = temp_stream #stream1을 size2만큼 읽어서 field2에 덮어쓰기 data1 = stream1.read(size2) self.ole.write_stream(field2, data1) elif size2 > size1: temp_buf = data1 temp_stream = stream1 #1) field1 <--- field2 data2 = stream2.read(size1) self.ole.write_stream(field1, data2) #2) field2 <--- field1 data1 = temp_buf sream1 = temp_stream num = size2 / size1 data1 = data1 * num sub = size2 - len(data1) data1 = stream1.read(sub) + data1 self.ole.write_stream(field2, data1) else: pass if rannum == 2: if size1 < 300 or size2 < 300: size = min(size1, size2) / 2 rand_offset1 = random.randrange(1, size1 - size - 1) rand_offset2 = random.randrange(1, size2 - size - 1) data2_cut = data2[rand_offset2:rand_offset2 + size] data1 = data1[:rand_offset1] + data2_cut + data1[rand_offset1 + size:] self.ole.write_stream(field1, data1) ''' if size1<20 or size2<20: size=min(size1,size2)/2 rand_offset1=random.randrange(1,size1-11) rand_offset2=random.randrange(1,size2-11) data2_cut=data2[rand_offset2:rand_offset2+10] data1=data1[:rand_offset1]+data2_cut+data1[rand_offset1+10:] self.ole.write_stream(field1,data1) ''' else: rand_offset1 = random.randrange(1, size1 - 301) rand_offset2 = random.randrange(1, size2 - 301) data2_cut = data2[rand_offset2:rand_offset2 + 300] data1 = data1[:rand_offset1] + data2_cut + data1[rand_offset1 + 300:] self.ole.write_stream(field1, data1) if rannum == 3: if size1 < 300 or size2 < 300: size = min(size1, size2) / 2 rand_offset1 = random.randrange(1, size1 - size - 1) rand_offset2 = random.randrange(1, size2 - size - 1) data1_cut = data1[rand_offset1:rand_offset1 + size] zzuf = pyZZUF(data1_cut) zzuf.set_seed(int(random.randrange(0, 255))) zzuf.set_ratio(0.03) zzuf_data = zzuf.mutate() data1 = data1[:rand_offset1] + str( zzuf_data) + data1[rand_offset1 + size:] self.ole.write_stream(field1, data1) ''' if size1<20 or size2<20: rand_offset1=random.randrange(1,size1-11) rand_offset2=random.randrange(1,size2-11) data1_cut=data1[rand_offset1:rand_offset1+10] zzuf=pyZZUF(data1_cut) zzuf.set_seed(int(random.randrange(0,255))) zzuf.set_ratio(0.03) zzuf_data=zzuf.mutate() data1=data1[:rand_offset1]+str(zzuf_data)+data1[rand_offset1+10:] self.ole.write_stream(field1,data1) ''' else: rand_offset1 = random.randrange(1, size1 - 301) rand_offset2 = random.randrange(1, size2 - 301) #print hexdump(data1) data1_cut = data1[rand_offset1:rand_offset1 + 300] zzuf = pyZZUF(data1_cut) zzuf.set_seed(int(random.randrange(0, 255))) zzuf.set_ratio(0.03) zzuf_data = zzuf.mutate() data1 = data1[:rand_offset1] + str( zzuf_data) + data1[rand_offset1 + 300:] self.ole.write_stream(field1, data1)
def test_flipping(): for x in range(100, 200): print pyZZUF(str(x)).mutate()