示例#1
0
def fuzz(input_corpus, output_corpus, target_binary):
    """Run fuzzer."""
    run_options = ['-l', '2']
    aflplusplus_fuzzer.fuzz(input_corpus,
                            output_corpus,
                            target_binary,
                            flags=(run_options))
示例#2
0
def fuzz(input_corpus, output_corpus, target_binary):  # pylint: disable=too-many-branches,too-many-statements
    """Run fuzzer."""
    benchmark_name = os.environ['BENCHMARK']

    run_options = []

    if benchmark_name == 'bloaty_fuzz_target':
        run_options = ['-Z']
    elif benchmark_name == 'libpcap_fuzz_both':
        os.environ['AFL_TESTCACHE_SIZE'] = '50'
    elif benchmark_name == 'harfbuzz-1.3.2':
        run_options = []  # ['-Z']
    elif benchmark_name == 'libxml2-v2.9.2':
        os.environ['AFL_TESTCACHE_SIZE'] = '2'
    elif benchmark_name == 'libxml2-v2.9.2':
        os.environ['AFL_TESTCACHE_SIZE'] = '20'
    elif benchmark_name == 'mbedtls_fuzz_dtlsclient':
        os.environ['AFL_TESTCACHE_SIZE'] = '2'
    elif benchmark_name == 'openssl_x509':
        os.environ['AFL_TESTCACHE_SIZE'] = '2'
    elif benchmark_name == 'openthread-2019-12-23':
        os.environ['AFL_TESTCACHE_SIZE'] = '50'
    elif benchmark_name == 'proj4-2017-08-14':
        os.environ['AFL_TESTCACHE_SIZE'] = '2'
    elif benchmark_name == 're2-2014-12-09':
        os.environ['AFL_TESTCACHE_SIZE'] = '20'
    elif benchmark_name == 'sqlite3_ossfuzz':
        os.environ['AFL_TESTCACHE_SIZE'] = '20'
    else:
        os.environ['AFL_TESTCACHE_SIZE'] = '200'

    aflplusplus_fuzzer.fuzz(input_corpus,
                            output_corpus,
                            target_binary,
                            flags=(run_options))
示例#3
0
def fuzz(input_corpus, output_corpus, target_binary):  # pylint: disable=too-many-branches,too-many-statements
    """Run fuzzer."""
    run_options = []
    benchmark_name = os.environ['BENCHMARK']

    if benchmark_name == 'bloaty_fuzz_target':
        run_options = ["-L", "0"]
    elif benchmark_name == 'curl_curl_fuzzer_http':
        run_options = ["-L", "0"]
    elif benchmark_name == 'jsoncpp_jsoncpp_fuzzer':
        run_options = ["-L", "0"]
    elif benchmark_name == 'lcms-2017-03-21':
        run_options = ["-L", "-1"]
    elif benchmark_name == 'libjpeg-turbo-07-2017':
        run_options = ["-L", "0"]
    elif benchmark_name == 'libpcap_fuzz_both':
        run_options = ["-L", "0"]
    elif benchmark_name == 'libpng-1.2.56':
        run_options = ["-L", "-1"]
    elif benchmark_name == 'mbedtls_fuzz_dtlsclient':
        run_options = ["-L", "0"]
    elif benchmark_name == 'openthread-2019-12-23':
        run_options = ["-L", "0"]
    elif benchmark_name == 'proj4-2017-08-14':
        run_options = ["-L", "-1"]
    elif benchmark_name == 'sqlite3_ossfuzz':
        run_options = ["-L", "-1"]
    elif benchmark_name == 'woff2-2016-05-06':
        run_options = ["-L", "0"]

    aflplusplus_fuzzer.fuzz(input_corpus,
                            output_corpus,
                            target_binary,
                            flags=(run_options))
示例#4
0
def fuzz(input_corpus, output_corpus, target_binary):
    """Run fuzzer."""
    # Get LLVMFuzzerTestOneInput address.
    nm_proc = subprocess.run([
        'sh', '-c',
        'get_frida_entry.sh \'' + target_binary + '\' LLVMFuzzerTestOneInput'
    ],
                             stdout=subprocess.PIPE,
                             check=True)
    target_func = nm_proc.stdout.split()[0].decode("utf-8")
    print('[fuzz] LLVMFuzzerTestOneInput() address =', target_func)

    # Fuzzer options for qemu_mode.
    flags = ['-O', '-c0']

    os.environ['AFL_FRIDA_PERSISTENT_ADDR'] = target_func
    os.environ['AFL_ENTRYPOINT'] = target_func
    os.environ['AFL_FRIDA_PERSISTENT_CNT'] = "1000000"
    os.environ['AFL_FRIDA_PERSISTENT_HOOK'] = "/out/frida_hook.so"
    os.environ['AFL_PATH'] = "/out"

    # resource.setrlimit(resource.RLIMIT_CORE,
    #                    (resource.RLIM_INFINITY, resource.RLIM_INFINITY))

    # The systemd benchmark fails without full library instrumentation :(
    benchmark_name = os.environ['BENCHMARK']
    if benchmark_name == 'systemd_fuzz-link-parser':
        os.environ['AFL_INST_LIBS'] = "1"

    aflplusplus_fuzzer.fuzz(input_corpus,
                            output_corpus,
                            target_binary,
                            flags=flags)
示例#5
0
def fuzz(input_corpus, output_corpus, target_binary):
    """Run fuzzer."""
    flags = []
    aflplusplus_fuzzer.fuzz(input_corpus,
                            output_corpus,
                            target_binary,
                            flags=flags)
示例#6
0
def fuzz(input_corpus, output_corpus, target_binary):
    """Run fuzzer."""

    # Get LLVMFuzzerTestOneInput address.
    nm_proc = subprocess.run([
        'sh', '-c',
        'nm \'' + target_binary + '\' | grep \'T afl_qemu_driver_stdin_input\''
    ],
                             stdout=subprocess.PIPE,
                             check=True)
    target_func = "0x" + nm_proc.stdout.split()[0].decode("utf-8")
    print('[fuzz] afl_qemu_driver_stdin_input() address =', target_func)

    # Dummy entry to to force retest
    # Fuzzer option for qemu_mode.
    flags = ['-Q', '-c', '0']

    os.environ['AFL_QEMU_PERSISTENT_ADDR'] = target_func
    os.environ['AFL_ENTRYPOINT'] = target_func
    os.environ['AFL_QEMU_PERSISTENT_CNT'] = "100000"
    os.environ['AFL_QEMU_DRIVER_NO_HOOK'] = "1"
    print(os.environ)
    aflplusplus_fuzzer.fuzz(input_corpus,
                            output_corpus,
                            target_binary,
                            flags=flags)
示例#7
0
def fuzz(input_corpus, output_corpus, target_binary):
    """Run fuzzer."""
    # Get LLVMFuzzerTestOneInput address.
    nm_proc = subprocess.run([
        'sh', '-c',
        'get_frida_entry.sh \'' + target_binary + '\' LLVMFuzzerTestOneInput'
    ],
                             stdout=subprocess.PIPE,
                             check=True)
    target_func = nm_proc.stdout.split()[0].decode("utf-8")
    print('[fuzz] LLVMFuzzerTestOneInput() address =', target_func)

    # Fuzzer options for qemu_mode.
    flags = ['-O', '-c0']

    os.environ['AFL_FRIDA_PERSISTENT_ADDR'] = target_func
    os.environ['AFL_ENTRYPOINT'] = target_func
    os.environ['AFL_FRIDA_PERSISTENT_CNT'] = "1000000"
    os.environ['AFL_FRIDA_PERSISTENT_HOOK'] = "/out/aflpp_qemu_driver_hook.so"
    os.environ['AFL_PATH'] = "/out"

    resource.setrlimit(resource.RLIMIT_CORE,
                       (resource.RLIM_INFINITY, resource.RLIM_INFINITY))

    aflplusplus_fuzzer.fuzz(input_corpus,
                            output_corpus,
                            target_binary,
                            flags=flags)

    sts = os.system("cp -v *core* corpus")
    if sts == 0:
        print('Copied cores')
示例#8
0
def afl_worker(input_corpus, output_corpus, target_binary):
    """Run AFL worker instance."""
    print('[afl_worker] Run AFL worker')
    aflplusplus_fuzzer.fuzz(input_corpus,
                            output_corpus,
                            target_binary,
                            flags=(['-S', 'afl-worker']))
示例#9
0
def fuzz(input_corpus, output_corpus, target_binary):
    """Run fuzzer."""
    run_options = ['-R']  # enable fmtrev

    aflplusplus_fuzzer.fuzz(input_corpus,
                            output_corpus,
                            target_binary,
                            flags=(run_options))
示例#10
0
def fuzz(input_corpus, output_corpus, target_binary):
    """Run fuzzer."""
    os.environ['AFL_CUSTOM_MUTATOR_LIBRARY'] = '/out/honggfuzz.so'
    os.environ['AFL_CUSTOM_MUTATOR_ONLY'] = '1'
    flags = []
    aflplusplus_fuzzer.fuzz(input_corpus,
                            output_corpus,
                            target_binary,
                            flags=flags)
示例#11
0
def afl_worker2(input_corpus, output_corpus, target_binary):
    """Run AFL worker instance."""
    print('[afl_worker] Run AFL worker2')
    aflplusplus_fuzzer.fuzz(input_corpus,
                            output_corpus,
                            target_binary,
                            flags=(['-S', 'afl-worker2', '-Q', '-c0']),
                            skip=True,
                            no_cmplog=True)
示例#12
0
def fuzz(input_corpus, output_corpus, target_binary):
    """Run fuzzer."""
    os.environ['AFL_DISABLE_TRIM'] = "1"
    run_options = []

    aflplusplus_fuzzer.fuzz(input_corpus,
                            output_corpus,
                            target_binary,
                            flags=(run_options),
                            skip=True)
示例#13
0
def fuzz(input_corpus, output_corpus, target_binary):
    """Run fuzzer."""
    os.environ['AFL_TESTCACHE_SIZE'] = '20'

    run_options = []

    aflplusplus_fuzzer.fuzz(input_corpus,
                            output_corpus,
                            target_binary,
                            flags=(run_options))
示例#14
0
def fuzz(input_corpus, output_corpus, target_binary):
    """Run fuzzer."""
    run_options = ['-p', 'fast']

    os.environ['AFL_DISABLE_TRIM'] = "1"

    aflplusplus_fuzzer.fuzz(input_corpus,
                            output_corpus,
                            target_binary,
                            flags=(run_options))
示例#15
0
def fuzz(input_corpus, output_corpus, target_binary):
    """Run fuzzer."""
    run_options = []
    os.environ['AFL_MAP_SIZE'] = '65536'
    os.environ['AFL_LLVM_MAP_ADDR'] = '0x1000000'
    os.environ['ZAFL_DRIVER_SETS_UP_MAP'] = '1'
    print(os.environ)
    aflplusplus_fuzzer.fuzz(input_corpus,
                            output_corpus,
                            target_binary,
                            flags=(run_options))
示例#16
0
def fuzz(input_corpus, output_corpus, target_binary):
    """Run fuzzer."""
    run_options = ['-l', '1A']

    os.environ['AFL_FAST_CAL'] = '1'
    os.environ['AFL_CMPLOG_ONLY_NEW'] = '1'

    aflplusplus_fuzzer.fuzz(input_corpus,
                            output_corpus,
                            target_binary,
                            flags=(run_options))
示例#17
0
def fuzz(input_corpus, output_corpus, target_binary):  # pylint: disable=too-many-branches,too-many-statements
    """Run fuzzer."""
    benchmark_name = os.environ['BENCHMARK']

    run_options = []

    if benchmark_name == 'bloaty_fuzz_target':
        run_options = ['-L', '0']
        os.environ['AFL_TESTCACHE_SIZE'] = '2'
    elif benchmark_name == 'curl_curl_fuzzer_http':
        run_options = ['-L', '-1']
    elif benchmark_name == 'libpng-1.2.56':
        os.environ['AFL_TESTCACHE_SIZE'] = '2'
        run_options = ['-l', '2AT']
    elif benchmark_name == 'libpcap_fuzz_both':
        os.environ['AFL_TESTCACHE_SIZE'] = '50'
        run_options = ['-l', '2T']
    elif benchmark_name == 'libxml2-v2.9.2':
        os.environ['AFL_TESTCACHE_SIZE'] = '500'
        run_options = ['-l', '2AT']
    elif benchmark_name == 'libxslt_xpath':
        os.environ['AFL_TESTCACHE_SIZE'] = '50'
        run_options = ['-l', '2AT']
    elif benchmark_name == 'mbedtls_fuzz_dtlsclient':
        os.environ['AFL_TESTCACHE_SIZE'] = '50'
    elif benchmark_name == 'openssl_x509':
        os.environ['AFL_TESTCACHE_SIZE'] = '500'
        run_options = ['-l', '2AT', '-L', '0']
    elif benchmark_name == 'openthread-2019-12-23':
        os.environ['AFL_TESTCACHE_SIZE'] = '2'
        run_options = ['-l', '2A']
    elif benchmark_name == 're2-2014-12-09':
        os.environ['AFL_TESTCACHE_SIZE'] = '2'
        run_options = ['-l', '2AT']
    elif benchmark_name == 'sqlite3_ossfuzz':
        os.environ['AFL_TESTCACHE_SIZE'] = '500'
        run_options = ['-l', '2T']
    elif benchmark_name == 'vorbis-2017-12-11':
        os.environ['AFL_TESTCACHE_SIZE'] = '50'
    elif benchmark_name == 'woff2-2016-05-06':
        os.environ['AFL_TESTCACHE_SIZE'] = '50'
    else:
        os.environ['AFL_TESTCACHE_SIZE'] = '2'

    aflplusplus_fuzzer.fuzz(input_corpus,
                            output_corpus,
                            target_binary,
                            flags=(run_options))
示例#18
0
def fuzz(input_corpus, output_corpus, target_binary):  # pylint: disable=too-many-branches,too-many-statements
    """Run fuzzer."""
    benchmark_name = os.environ['BENCHMARK']

    run_options = []

    if benchmark_name == 'bloaty_fuzz_target':
        run_options = ['-Z', '-L', '0', '-p', 'coe']
        os.environ['AFL_TESTCACHE_SIZE'] = '50'
    elif benchmark_name == 'curl_curl_fuzzer_http':
        os.environ['AFL_TESTCACHE_SIZE'] = '50'
        run_options = ['-L', '-1', '-p', 'coe']
    elif benchmark_name == 'lcms-2017-03-21':
        run_options = ['-L', '0', '-p', 'exploit']
    elif benchmark_name == 'libjpeg-turbo-07-2017':
        os.environ['AFL_TESTCACHE_SIZE'] = '50'
    elif benchmark_name == 'libxml2-v2.9.2':
        run_options = ['-p', 'coe']
    elif benchmark_name == 'libxslt_xpath':
        os.environ['AFL_TESTCACHE_SIZE'] = '50'
        run_options = ['-L', '-1']
    elif benchmark_name == 'mbedtls_fuzz_dtlsclient':
        run_options = ['-L', '-1']
    elif benchmark_name == 'openssl_x509':
        run_options = ['-L', '0', '-p', 'exploit']
    elif benchmark_name == 'proj4-2017-08-14':
        os.environ['AFL_TESTCACHE_SIZE'] = '50'
    elif benchmark_name == 're2-2014-12-09':
        os.environ['AFL_TESTCACHE_SIZE'] = '50'
    elif benchmark_name == 'sqlite3_ossfuzz':
        os.environ['AFL_TESTCACHE_SIZE'] = '500'
        run_options = ['-L', '0', '-p', 'explore']
    elif benchmark_name == 'vorbis-2017-12-11':
        run_options = ['-p', 'exploit']
    elif benchmark_name == 'woff2-2016-05-06':
        os.environ['AFL_TESTCACHE_SIZE'] = '50'
    elif benchmark_name == 'zlib_zlib_uncompress_fuzzer':
        os.environ['AFL_TESTCACHE_SIZE'] = '50'
        run_options = ['-p', 'exploit']
    else:
        os.environ['AFL_TESTCACHE_SIZE'] = '2'

    aflplusplus_fuzzer.fuzz(input_corpus,
                            output_corpus,
                            target_binary,
                            flags=(run_options))
示例#19
0
def fuzz(input_corpus, output_corpus, target_binary):
    """Run fuzzer."""
    # get LLVMFuzzerTestOneInput address
    nm_proc = subprocess.run([
        'sh', '-c',
        'nm \'' + target_binary + '\' | grep \'T afl_qemu_driver_stdin_input\''
    ],
                             stdout=subprocess.PIPE,
                             check=True)
    target_func = "0x" + nm_proc.stdout.split()[0].decode("utf-8")
    print('[run_fuzzer] afl_qemu_driver_stdin_input() address =', target_func)
    # fuzzer options
    flags = ['-Q', '-L', '0']  # MOpt flags
    os.environ['AFL_COMPCOV_LEVEL'] = '3'  # float compcov
    os.environ['AFL_QEMU_PERSISTENT_ADDR'] = target_func
    os.environ['AFL_ENTRYPOINT'] = target_func
    os.environ['AFL_QEMU_PERSISTENT_CNT'] = "100000"
    os.environ['AFL_QEMU_DRIVER_NO_HOOK'] = "1"
    aflplusplus_fuzzer.fuzz(input_corpus,
                            output_corpus,
                            target_binary,
                            flags=flags)
示例#20
0
def fuzz(input_corpus, output_corpus, target_binary):  # pylint: disable=too-many-branches,too-many-statements
    """Run fuzzer."""
    benchmark_name = os.environ['BENCHMARK']

    if benchmark_name == 'bloaty_fuzz_target':
        run_options = ['-Z']
    if benchmark_name == 'lcms-2017-03-21':
        run_options = ['-Z']
    if benchmark_name == 'libpcap_fuzz_both':
        run_options = ['-Z']
    if benchmark_name == 'libxslt_xpath':
        run_options = ['-Z']
    if benchmark_name == 'openssl_x509':
        run_options = ['-Z']
    if benchmark_name == 'proj4-2017-08-14':
        run_options = ['-Z']
    else:
        run_options = []

    aflplusplus_fuzzer.fuzz(input_corpus,
                            output_corpus,
                            target_binary,
                            flags=(run_options))
示例#21
0
def fuzz(input_corpus, output_corpus, target_binary):
    """Run fuzzer."""
    # Get LLVMFuzzerTestOneInput address.
    nm_proc = subprocess.run([
        'sh', '-c',
        'nm \'' + target_binary + '\' | grep -i \'T LLVMFuzzerTestOneInput\''
    ],
                             stdout=subprocess.PIPE,
                             check=True)
    target_func = "0x" + nm_proc.stdout.split()[0].decode("utf-8")
    print('[fuzz] LLVMFuzzerTestOneInput() address =', target_func)

    # Fuzzer option for qemu_mode.
    flags = ['-Q', '-c0']

    os.environ['AFL_QEMU_PERSISTENT_ADDR'] = target_func
    os.environ['AFL_ENTRYPOINT'] = target_func
    os.environ['AFL_QEMU_PERSISTENT_HOOK'] = "/out/aflpp_qemu_driver_hook.so"
    os.environ['AFL_QEMU_PERSISTENT_CNT'] = "100000"
    aflplusplus_fuzzer.fuzz(input_corpus,
                            output_corpus,
                            target_binary,
                            flags=flags)
示例#22
0
def fuzz(input_corpus, output_corpus, target_binary):
    """Run fuzzer."""
    # Get LLVMFuzzerTestOneInput address.
    nm_proc = subprocess.run([
        'sh', '-c',
        'get_frida_entry.sh \'' + target_binary + '\' afl_qemu_driver_stdin'
    ],
                             stdout=subprocess.PIPE,
                             check=True)
    target_func = nm_proc.stdout.split()[0].decode("utf-8")
    print('[fuzz] afl_qemu_driver_stdin_input() address =', target_func)

    # Fuzzer options for qemu_mode.
    flags = ['-O', '-c0']

    os.environ['AFL_FRIDA_PERSISTENT_ADDR'] = target_func
    os.environ['AFL_ENTRYPOINT'] = target_func
    os.environ['AFL_FRIDA_PERSISTENT_CNT'] = "1000000"
    os.environ['AFL_QEMU_DRIVER_NO_HOOK'] = "1"
    os.environ['AFL_PATH'] = "/out"
    aflplusplus_fuzzer.fuzz(input_corpus,
                            output_corpus,
                            target_binary,
                            flags=flags)
示例#23
0
def fuzz(input_corpus, output_corpus, target_binary):
    """Run fuzzer."""
    aflplusplus_fuzzer.fuzz(input_corpus,
                            output_corpus,
                            target_binary,
                            flags=("-p", "mmopt"))
示例#24
0
def fuzz(input_corpus, output_corpus, target_binary):
    """Run fuzzer."""
    aflplusplus_fuzzer.fuzz(input_corpus, output_corpus, target_binary)