├── .gitignore
├── README.md
├── config.py
├── design.md
├── fuzzer.py
├── parser.py
├── requirements.txt
├── target.py
└── test.py


/.gitignore:
--------------------------------------------------------------------------------
  1 | # Byte-compiled / optimized / DLL files
  2 | __pycache__/
  3 | *.py[cod]
  4 | *$py.class
  5 | 
  6 | # C extensions
  7 | *.so
  8 | 
  9 | # Distribution / packaging
 10 | .Python
 11 | build/
 12 | develop-eggs/
 13 | dist/
 14 | downloads/
 15 | eggs/
 16 | .eggs/
 17 | lib/
 18 | lib64/
 19 | parts/
 20 | sdist/
 21 | var/
 22 | wheels/
 23 | pip-wheel-metadata/
 24 | share/python-wheels/
 25 | *.egg-info/
 26 | .installed.cfg
 27 | *.egg
 28 | MANIFEST
 29 | 
 30 | # PyInstaller
 31 | #  Usually these files are written by a python script from a template
 32 | #  before PyInstaller builds the exe, so as to inject date/other infos into it.
 33 | *.manifest
 34 | *.spec
 35 | 
 36 | # Installer logs
 37 | pip-log.txt
 38 | pip-delete-this-directory.txt
 39 | 
 40 | # Unit test / coverage reports
 41 | htmlcov/
 42 | .tox/
 43 | .nox/
 44 | .coverage
 45 | .coverage.*
 46 | .cache
 47 | nosetests.xml
 48 | coverage.xml
 49 | *.cover
 50 | *.py,cover
 51 | .hypothesis/
 52 | .pytest_cache/
 53 | 
 54 | # Translations
 55 | *.mo
 56 | *.pot
 57 | 
 58 | # Django stuff:
 59 | *.log
 60 | local_settings.py
 61 | db.sqlite3
 62 | db.sqlite3-journal
 63 | 
 64 | # Flask stuff:
 65 | instance/
 66 | .webassets-cache
 67 | 
 68 | # Scrapy stuff:
 69 | .scrapy
 70 | 
 71 | # Sphinx documentation
 72 | docs/_build/
 73 | 
 74 | # PyBuilder
 75 | target/
 76 | 
 77 | # Jupyter Notebook
 78 | .ipynb_checkpoints
 79 | 
 80 | # IPython
 81 | profile_default/
 82 | ipython_config.py
 83 | 
 84 | # pyenv
 85 | .python-version
 86 | 
 87 | # pipenv
 88 | #   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
 89 | #   However, in case of collaboration, if having platform-specific dependencies or dependencies
 90 | #   having no cross-platform support, pipenv may install dependencies that don't work, or not
 91 | #   install all needed dependencies.
 92 | #Pipfile.lock
 93 | 
 94 | # PEP 582; used by e.g. github.com/David-OConnor/pyflow
 95 | __pypackages__/
 96 | 
 97 | # Celery stuff
 98 | celerybeat-schedule
 99 | celerybeat.pid
100 | 
101 | # SageMath parsed files
102 | *.sage.py
103 | 
104 | # Environments
105 | .env
106 | .venv
107 | env/
108 | venv/
109 | ENV/
110 | env.bak/
111 | venv.bak/
112 | 
113 | # Spyder project settings
114 | .spyderproject
115 | .spyproject
116 | 
117 | # Rope project settings
118 | .ropeproject
119 | 
120 | # mkdocs documentation
121 | /site
122 | 
123 | # mypy
124 | .mypy_cache/
125 | .dmypy.json
126 | dmypy.json
127 | 
128 | # Pyre type checker
129 | .pyre/
130 | 
131 | # pcap file
132 | *.pcap
133 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # QEMUSLNetFuzz
 2 | Stateless Network Fuzzer for QEMU (Targeting SLiRP)
 3 | 
 4 | ## Introduction
 5 | 
 6 | A naive way of fuzzing is implemented in this repository. Fuzzing is done **statelessly** instead of being done in *stateful* method which is done in *state-of-art* fuzzers. The attempts of doing the fuzzing statefully were practically done first, but it was hard because of high overhead in VMs.
 7 | 
 8 | This fuzzer uses randpkt from wireshark to generate packets. A file is considered to be a set of packets that could possibly crash the VM. If the VM is crashed, then the packet will be stored in file.
 9 | 
10 | The fuzzer consists of two parts: (1) fuzzer part that runs in host, (2) target part that runs in host. Fuzzer part runs VM and target and sends random vectors to target, so that target can receive the packet and convert it to packet, thus try to send it back to host. The fuzzer watches the state of VM and records the packet to a file. The target part is just a simple server that receives the vector and assemble the packet, send it back to host.


--------------------------------------------------------------------------------
/config.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | 
 3 | # network info
 4 | GUEST_IP = "10.0.2.15"
 5 | HOST_IP = "10.0.2.2"
 6 | FUZZ_PORT = 65432
 7 | 
 8 | INTERFACE_NAME = "ens3"
 9 | MTU = 1500
10 | 
11 | # gen info
12 | PKT_SIZE = 100 # packet size
13 | PKT_TYPE = "rnd"
14 | 
15 | # debug info
16 | DEBUG=True
17 | 


--------------------------------------------------------------------------------
/design.md:
--------------------------------------------------------------------------------
1 | # Design
2 | 


--------------------------------------------------------------------------------
/fuzzer.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | 
 3 | import socket
 4 | import subprocess
 5 | import random
 6 | 
 7 | import config
 8 | 
 9 | if __name__ == "__main__":
10 |   # start target program (QEMU)
11 |   # not implemented
12 | 
13 |   # start socket
14 |   with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
15 |     s.bind(("0.0.0.0", config.FUZZ_PORT))
16 |     s.listen()
17 |     conn, addr = s.accept()
18 |     with conn:
19 |       if config.DEBUG:
20 |         print('Connected by', addr)
21 |       
22 |       while True:
23 |         if config.DEBUG:
24 |           print("running file")
25 | 
26 |         # generate file
27 |         if config.PKT_TYPE == "rnd":
28 |           subprocess.run(["randpkt", "-c", str(config.PKT_SIZE), "-b", str(config.MTU), "-t", random.choice(["ip", "tcp", "udp", "dns", "sctp", "icmp"]), "cur.pcap"])
29 |         else:
30 |           subprocess.run(["randpkt", "-c", str(config.PKT_SIZE), "-b", str(config.MTU), "-t", config.PKT_TYPE, "cur.pcap"])
31 | 
32 |         cur_data = b""
33 |         with open("cur.pcap", "rb") as f:
34 |           cur_data = f.read()
35 | 
36 |         if config.DEBUG:
37 |           print("file length :", len(cur_data))
38 | 
39 |         try:
40 |           if len(cur_data) % 1024 != 0:
41 |             conn.sendall(cur_data)
42 |           else:
43 |             conn.sendall(cur_data + b"over")
44 | 
45 |           if config.DEBUG:
46 |             print("Sending file done")
47 | 
48 |           if conn.recv(1024):
49 |             continue
50 |         except KeyboardInterrupt:
51 |           break
52 |         except:
53 |           with open("crash.pcap", "wb") as f:
54 |             f.write(cur_data)
55 |           break
56 | 


--------------------------------------------------------------------------------
/parser.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python3
2 | 
3 | import pyshark
4 | 
5 | def parse_pcap(filename):
6 |   pkts = pyshark.FileCapture(input_file=filename, use_json=True, include_raw=True)
7 |   return pkts
8 | 


--------------------------------------------------------------------------------
/requirements.txt:
--------------------------------------------------------------------------------
1 | pyshark
2 | nest_asyncio
3 | 


--------------------------------------------------------------------------------
/target.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 |   
 3 | import socket
 4 | import pyshark
 5 | import nest_asyncio
 6 | 
 7 | import config
 8 | import parser
 9 | 
10 | if __name__ == "__main__":
11 |   # pyshark async problem resolve
12 |   nest_asyncio.apply()
13 | 
14 |   with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as conn:
15 |     conn.connect((config.HOST_IP, config.FUZZ_PORT))
16 | 
17 |     # recv pcap data
18 |     while True:
19 |       pcap_data = b""
20 |       while True:
21 |         data = conn.recv(1024)
22 |         if not data:
23 |           break
24 |         
25 |         # if len(data) % 1024 == 0
26 |         if data == b"over":
27 |           break
28 | 
29 |         pcap_data += data
30 | 
31 |         if len(data) != 1024:
32 |           break
33 |       
34 |       if config.DEBUG:
35 |         print("pcap len :", len(pcap_data))
36 | 
37 |       # save file and parse it
38 |       with open("rcv.pcap", "wb") as f:
39 |         f.write(pcap_data)
40 |       pkts = parser.parse_pcap("rcv.pcap")
41 | 
42 |       if config.DEBUG:
43 |         pkts.set_debug()
44 | 
45 |       raw_sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW)
46 |       raw_sock.bind((config.INTERFACE_NAME, 0))
47 | 
48 |       for pkt in pkts:
49 |         raw_sock.send(bytearray.fromhex(pkt.frame_raw.value))
50 |       pkts.close()
51 | 
52 |       conn.sendall(b"NXT")
53 | 


--------------------------------------------------------------------------------
/test.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | 
 3 | import parser
 4 | 
 5 | def test_parsing(fname):
 6 |   pkts = parser.parse_pcap(fname)
 7 |   for pkt in pkts:
 8 |     print(len(pkt))
 9 |     # pkt.show()
10 | 
11 | if __name__ == "__main__":
12 |   test_parsing("test.pcap")
13 | 


--------------------------------------------------------------------------------