├── .gitignore ├── README.md ├── config.py ├── design.md ├── fuzzer.py ├── parser.py ├── requirements.txt ├── target.py └── test.py /.gitignore: -------------------------------------------------------------------------------- 1 | # Byte-compiled / optimized / DLL files 2 | __pycache__/ 3 | *.py[cod] 4 | *$py.class 5 | 6 | # C extensions 7 | *.so 8 | 9 | # Distribution / packaging 10 | .Python 11 | build/ 12 | develop-eggs/ 13 | dist/ 14 | downloads/ 15 | eggs/ 16 | .eggs/ 17 | lib/ 18 | lib64/ 19 | parts/ 20 | sdist/ 21 | var/ 22 | wheels/ 23 | pip-wheel-metadata/ 24 | share/python-wheels/ 25 | *.egg-info/ 26 | .installed.cfg 27 | *.egg 28 | MANIFEST 29 | 30 | # PyInstaller 31 | # Usually these files are written by a python script from a template 32 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 33 | *.manifest 34 | *.spec 35 | 36 | # Installer logs 37 | pip-log.txt 38 | pip-delete-this-directory.txt 39 | 40 | # Unit test / coverage reports 41 | htmlcov/ 42 | .tox/ 43 | .nox/ 44 | .coverage 45 | .coverage.* 46 | .cache 47 | nosetests.xml 48 | coverage.xml 49 | *.cover 50 | *.py,cover 51 | .hypothesis/ 52 | .pytest_cache/ 53 | 54 | # Translations 55 | *.mo 56 | *.pot 57 | 58 | # Django stuff: 59 | *.log 60 | local_settings.py 61 | db.sqlite3 62 | db.sqlite3-journal 63 | 64 | # Flask stuff: 65 | instance/ 66 | .webassets-cache 67 | 68 | # Scrapy stuff: 69 | .scrapy 70 | 71 | # Sphinx documentation 72 | docs/_build/ 73 | 74 | # PyBuilder 75 | target/ 76 | 77 | # Jupyter Notebook 78 | .ipynb_checkpoints 79 | 80 | # IPython 81 | profile_default/ 82 | ipython_config.py 83 | 84 | # pyenv 85 | .python-version 86 | 87 | # pipenv 88 | # According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. 89 | # However, in case of collaboration, if having platform-specific dependencies or dependencies 90 | # having no cross-platform support, pipenv may install dependencies that don't work, or not 91 | # install all needed dependencies. 92 | #Pipfile.lock 93 | 94 | # PEP 582; used by e.g. github.com/David-OConnor/pyflow 95 | __pypackages__/ 96 | 97 | # Celery stuff 98 | celerybeat-schedule 99 | celerybeat.pid 100 | 101 | # SageMath parsed files 102 | *.sage.py 103 | 104 | # Environments 105 | .env 106 | .venv 107 | env/ 108 | venv/ 109 | ENV/ 110 | env.bak/ 111 | venv.bak/ 112 | 113 | # Spyder project settings 114 | .spyderproject 115 | .spyproject 116 | 117 | # Rope project settings 118 | .ropeproject 119 | 120 | # mkdocs documentation 121 | /site 122 | 123 | # mypy 124 | .mypy_cache/ 125 | .dmypy.json 126 | dmypy.json 127 | 128 | # Pyre type checker 129 | .pyre/ 130 | 131 | # pcap file 132 | *.pcap 133 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # QEMUSLNetFuzz 2 | Stateless Network Fuzzer for QEMU (Targeting SLiRP) 3 | 4 | ## Introduction 5 | 6 | A naive way of fuzzing is implemented in this repository. Fuzzing is done **statelessly** instead of being done in *stateful* method which is done in *state-of-art* fuzzers. The attempts of doing the fuzzing statefully were practically done first, but it was hard because of high overhead in VMs. 7 | 8 | This fuzzer uses randpkt from wireshark to generate packets. A file is considered to be a set of packets that could possibly crash the VM. If the VM is crashed, then the packet will be stored in file. 9 | 10 | The fuzzer consists of two parts: (1) fuzzer part that runs in host, (2) target part that runs in host. Fuzzer part runs VM and target and sends random vectors to target, so that target can receive the packet and convert it to packet, thus try to send it back to host. The fuzzer watches the state of VM and records the packet to a file. The target part is just a simple server that receives the vector and assemble the packet, send it back to host. -------------------------------------------------------------------------------- /config.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | 3 | # network info 4 | GUEST_IP = "10.0.2.15" 5 | HOST_IP = "10.0.2.2" 6 | FUZZ_PORT = 65432 7 | 8 | INTERFACE_NAME = "ens3" 9 | MTU = 1500 10 | 11 | # gen info 12 | PKT_SIZE = 100 # packet size 13 | PKT_TYPE = "rnd" 14 | 15 | # debug info 16 | DEBUG=True 17 | -------------------------------------------------------------------------------- /design.md: -------------------------------------------------------------------------------- 1 | # Design 2 | -------------------------------------------------------------------------------- /fuzzer.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | 3 | import socket 4 | import subprocess 5 | import random 6 | 7 | import config 8 | 9 | if __name__ == "__main__": 10 | # start target program (QEMU) 11 | # not implemented 12 | 13 | # start socket 14 | with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s: 15 | s.bind(("0.0.0.0", config.FUZZ_PORT)) 16 | s.listen() 17 | conn, addr = s.accept() 18 | with conn: 19 | if config.DEBUG: 20 | print('Connected by', addr) 21 | 22 | while True: 23 | if config.DEBUG: 24 | print("running file") 25 | 26 | # generate file 27 | if config.PKT_TYPE == "rnd": 28 | subprocess.run(["randpkt", "-c", str(config.PKT_SIZE), "-b", str(config.MTU), "-t", random.choice(["ip", "tcp", "udp", "dns", "sctp", "icmp"]), "cur.pcap"]) 29 | else: 30 | subprocess.run(["randpkt", "-c", str(config.PKT_SIZE), "-b", str(config.MTU), "-t", config.PKT_TYPE, "cur.pcap"]) 31 | 32 | cur_data = b"" 33 | with open("cur.pcap", "rb") as f: 34 | cur_data = f.read() 35 | 36 | if config.DEBUG: 37 | print("file length :", len(cur_data)) 38 | 39 | try: 40 | if len(cur_data) % 1024 != 0: 41 | conn.sendall(cur_data) 42 | else: 43 | conn.sendall(cur_data + b"over") 44 | 45 | if config.DEBUG: 46 | print("Sending file done") 47 | 48 | if conn.recv(1024): 49 | continue 50 | except KeyboardInterrupt: 51 | break 52 | except: 53 | with open("crash.pcap", "wb") as f: 54 | f.write(cur_data) 55 | break 56 | -------------------------------------------------------------------------------- /parser.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | 3 | import pyshark 4 | 5 | def parse_pcap(filename): 6 | pkts = pyshark.FileCapture(input_file=filename, use_json=True, include_raw=True) 7 | return pkts 8 | -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | pyshark 2 | nest_asyncio 3 | -------------------------------------------------------------------------------- /target.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | 3 | import socket 4 | import pyshark 5 | import nest_asyncio 6 | 7 | import config 8 | import parser 9 | 10 | if __name__ == "__main__": 11 | # pyshark async problem resolve 12 | nest_asyncio.apply() 13 | 14 | with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as conn: 15 | conn.connect((config.HOST_IP, config.FUZZ_PORT)) 16 | 17 | # recv pcap data 18 | while True: 19 | pcap_data = b"" 20 | while True: 21 | data = conn.recv(1024) 22 | if not data: 23 | break 24 | 25 | # if len(data) % 1024 == 0 26 | if data == b"over": 27 | break 28 | 29 | pcap_data += data 30 | 31 | if len(data) != 1024: 32 | break 33 | 34 | if config.DEBUG: 35 | print("pcap len :", len(pcap_data)) 36 | 37 | # save file and parse it 38 | with open("rcv.pcap", "wb") as f: 39 | f.write(pcap_data) 40 | pkts = parser.parse_pcap("rcv.pcap") 41 | 42 | if config.DEBUG: 43 | pkts.set_debug() 44 | 45 | raw_sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW) 46 | raw_sock.bind((config.INTERFACE_NAME, 0)) 47 | 48 | for pkt in pkts: 49 | raw_sock.send(bytearray.fromhex(pkt.frame_raw.value)) 50 | pkts.close() 51 | 52 | conn.sendall(b"NXT") 53 | -------------------------------------------------------------------------------- /test.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | 3 | import parser 4 | 5 | def test_parsing(fname): 6 | pkts = parser.parse_pcap(fname) 7 | for pkt in pkts: 8 | print(len(pkt)) 9 | # pkt.show() 10 | 11 | if __name__ == "__main__": 12 | test_parsing("test.pcap") 13 | --------------------------------------------------------------------------------