├── .gitignore
├── BigStringVoodoo.py
├── Executor.py
├── LICENSE.txt
├── Mutator.py
├── README
├── client.py
├── commands.py
├── fuzzer.py
├── mutations.py
└── server.py


/.gitignore:
--------------------------------------------------------------------------------
1 | *.swp
2 | *.pyc
3 | *~
4 | files/
5 | saved/
6 | 


--------------------------------------------------------------------------------
/BigStringVoodoo.py:
--------------------------------------------------------------------------------
 1 | ''' the twisted guys are crazy, here is some of their voodoo to send a whole file at once ;) '''
 2 | from twisted.protocols import amp
 3 | import itertools
 4 | 
 5 | def split_string(x, size):
 6 |     return list(x[i*size:(i+1)*size] for i in xrange((len(x)+size-1)//size))
 7 | 
 8 | class StringList(amp.Argument):
 9 |     def fromBox(self, name, strings, objects, proto):
10 |         objects[name] = list(itertools.takewhile(bool, (strings.pop('%s.%d' % (name, i), None) for i in itertools.count())))
11 |     def toBox(self, name, strings, objects, proto):
12 |         for i, elem in enumerate(objects.pop(name)):
13 |             strings['%s.%d' % (name, i)] = elem
14 | 
15 | class BigString(StringList):
16 |     def fromBox(self, name, strings, objects, proto):
17 |         StringList.fromBox(self, name, strings, objects, proto)
18 |         objects[name] = ''.join((elem) for elem in objects[name])
19 |     def toBox(self, name, strings, objects, proto):
20 |         objects[name] = split_string(objects[name], amp.MAX_VALUE_LENGTH)
21 |         StringList.toBox(self, name, strings, objects, proto)
22 | 


--------------------------------------------------------------------------------
/Executor.py:
--------------------------------------------------------------------------------
 1 | from pydbg import *
 2 | from pydbg.defines import *
 3 | from time import time, sleep
 4 | import utils
 5 | 
 6 | class Executor():
 7 |     def __init__(self, timeout=5):
 8 |         self.timeout   = timeout
 9 |         self.output    = None
10 | 
11 |     def execute(self, command, args):
12 |         self.output = None
13 |         dbg = pydbg()
14 |         dbg.set_callback(EXCEPTION_ACCESS_VIOLATION, self.handle_av)
15 |         dbg.set_callback(0xC000001D, self.handle_av) # illegal instruction
16 |         dbg.set_callback(USER_CALLBACK_DEBUG_EVENT, self.timeout_callback)
17 |         dbg.load(command, command_line=args)
18 |         dbg.start_time = time()
19 |         dbg.run()
20 | 
21 |         return self.output
22 | 
23 |     def timeout_callback(self, dbg):
24 |         if time() - dbg.start_time > self.timeout:
25 |             dbg.terminate_process()
26 |             return DBG_CONTINUE
27 | 
28 |     def handle_av(self, dbg):
29 |         crash_bin = utils.crash_binning.crash_binning()
30 |         crash_bin.record_crash(dbg)
31 |         self.output = crash_bin.crash_synopsis()
32 | 
33 |         dbg.terminate_process()
34 |         return DBG_EXCEPTION_NOT_HANDLED
35 | 


--------------------------------------------------------------------------------
/LICENSE.txt:
--------------------------------------------------------------------------------
 1 | Copyright (C) 2012  Mitchell Adair
 2 | 
 3 | This program is free software: you can redistribute it and/or modify
 4 | it under the terms of the GNU General Public License as published by
 5 | the Free Software Foundation, either version 3 of the License, or
 6 | (at your option) any later version.
 7 | 
 8 | This program is distributed in the hope that it will be useful,
 9 | but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
11 | GNU General Public License for more details.
12 | 
13 | You should have received a copy of the GNU General Public License
14 | along with this program.  If not, see <http://www.gnu.org/licenses/>.
15 | 
16 | 


--------------------------------------------------------------------------------
/Mutator.py:
--------------------------------------------------------------------------------
  1 | import struct
  2 | from sys import exit
  3 | from os.path import splitext, join
  4 | 
  5 | import mutations
  6 | 
  7 | class Mutator():
  8 | 
  9 |     def __init__(self, original_file, mutation_types, original_file_name, directory):
 10 |         self.original_file  = original_file		# original contents of file
 11 |         self.mutation_types = mutation_types	# list of possible mutations
 12 |         self.directory  = directory
 13 |         self.original_file_name = original_file_name
 14 |         self.original_file_base = splitext(self.original_file_name) [0]
 15 |         self.original_file_ext  = splitext(self.original_file_name) [1]
 16 | 
 17 |     def createMutatedFileName(self, offset, mutation_index):
 18 |         ''' create a file name that represents the current mutation, return it '''
 19 |         fname = '%s-%d-%d%s' % (self.original_file_base, offset, mutation_index, self.original_file_ext)
 20 |         return fname
 21 | 
 22 |     def createMutatedFile(self, offset, mutation_index):
 23 |         ''' mutate the contents of the original file, at offset, with mutation at 
 24 |             mutation_index, creating a new file. return the new file name '''
 25 | 
 26 |         new_bytes = list(self.original_file[:])
 27 |         mutation  = self.mutation_types[mutation_index]
 28 | 
 29 |         if mutation['type'] == 'replace':
 30 |             new_bytes[offset:offset+mutation['size']] = mutation['value']                 # if 'replace', then just substitute/replace the desired bytes
 31 |         elif mutation['type'] == 'insert':
 32 |             new_bytes = new_bytes[:offset] + list(mutation['value']) + new_bytes[offset:]    # if 'insert', stick them in, shifting the rest of the bytes down
 33 |         else:
 34 |              raise Exception('[*] UNKNOWN mutation[\'type\'], %s' % mutation['type'])
 35 | 
 36 |         # create the new file name, then it's full path
 37 |         mutated_file_name = self.createMutatedFileName(offset, mutation_index)
 38 |         mutated_file_name = join(self.directory, mutated_file_name)
 39 | 
 40 |         # write the file
 41 |         try:
 42 |             with open(mutated_file_name, 'wb') as fopen:
 43 |                 fopen.write( ''.join(new_bytes) ) 
 44 |         except Exception as e:
 45 |             raise Exception('[*] unable to open tmp file for mutation! Error : %s' % e)
 46 | 
 47 |         return mutated_file_name
 48 | 
 49 | class MutationGenerator():
 50 | 
 51 |     def __init__(self, value_type, strings=False):
 52 |         self.generateValues(value_type, strings)
 53 | 
 54 |     def generateValues(self, value_type, strings):
 55 |         values = []
 56 |         if value_type == 'byte':
 57 |             values.extend(mutations.values_8bit)
 58 |         elif value_type == 'word':
 59 |             values.extend(mutations.values_16bit)
 60 |         elif value_type == 'dword':
 61 |             values.extend(mutations.values_32bit)
 62 |         else:
 63 |             raise Exception('unknown value type passed to generateValues(...), %s' % value_type)
 64 | 
 65 |         if strings:
 66 |             values.extend(mutations.values_strings)
 67 | 
 68 |         # turn them into writeable bytes
 69 |         self.value_to_bytes(values, vtype=value_type)
 70 |         self.createWriteable(values)
 71 |         self.createStrings(values)
 72 |         self.values = values
 73 | 
 74 |     def createStrings(self, values):
 75 |         for value_dict in values:
 76 |             value_dict['value'] = ''.join(value_dict['value'])
 77 | 
 78 |     def value_to_bytes(self, values, vtype='dword'):
 79 |         '''Given a value as an int, return it in little endian bytes of length type.
 80 |            Example, given 0xabcdeff with type "dword" : (255, 222, 188, 10) '''
 81 |         for value_dict in values:
 82 |             if value_dict['type'] == 'insert':
 83 |                 continue
 84 |             value = value_dict['value']
 85 |             try:
 86 |                 if vtype == 'byte':
 87 |                         value_dict['value'] = list(struct.unpack('B', struct.pack('B', value)))
 88 |                 elif vtype == 'word':
 89 |                         value_dict['value'] = list(struct.unpack('BB', struct.pack('<H', value)))
 90 |                 elif vtype == 'dword':
 91 |                         value_dict['value'] = list(struct.unpack('BBBB', struct.pack('<I', value)))
 92 |             except:
 93 |                 print 'value =', value
 94 |                 exit(1)
 95 | 
 96 | 
 97 |     def createWriteable(self, values):     
 98 |         ''' When writting to a file, a string is required. This function itterates over
 99 |             all values generated, and turns any int values into their representative char. '''
100 | 
101 |         for value_dict in values:                                       # get each dictionary
102 |             for offset, value in enumerate(value_dict['value']):        # go through each of the indexes in the 'value' 
103 |                 if type(value) == int:                                  # if it's an int
104 |                     value_dict['value'][offset] = chr(value)            # turn it into it's char representation
105 | 
106 |     def getValues(self):
107 |         return self.values
108 | 


--------------------------------------------------------------------------------
/README:
--------------------------------------------------------------------------------
1 | For complete README information, visit :
2 | 
3 | http://rmadair.github.com/fuzzer/
4 | 


--------------------------------------------------------------------------------
/client.py:
--------------------------------------------------------------------------------
  1 | # for twisted
  2 | from twisted.internet import reactor, endpoints, protocol, defer
  3 | from twisted.internet.task import LoopingCall
  4 | from twisted.protocols import amp
  5 | import commands
  6 | 
  7 | # for mutations and execution
  8 | from Executor import Executor
  9 | from Mutator import Mutator
 10 | 
 11 | from os import remove
 12 | from os.path import join, split
 13 | from optparse import OptionParser
 14 | from shutil import copy
 15 | from sys import argv
 16 | from time import sleep
 17 | 
 18 | def stop(reason):
 19 |     ''' Generic function to stop the reactor  and print a message '''
 20 |     print 'Stopping :', reason
 21 |     # try to stop the reactor, may or may not be running
 22 |     try:
 23 |         reactor.stop()
 24 |     except:
 25 |         pass
 26 | 
 27 | class FuzzerClientProtocol(amp.AMP):
 28 | 
 29 |     def __init__(self):
 30 |         self.executor = Executor()
 31 |         self.original_file = None
 32 |         self.original_file_name = None
 33 |         self.mutation_types = None
 34 |         self.program = None
 35 |         self.mutator = None
 36 | 
 37 |     def connectionMade(self):
 38 |         setupDeferreds = [self.getOriginalFile(), self.getProgram(), self.getMutationTypes()]
 39 |         defer.gatherResults(setupDeferreds).addCallback(self.finishSetup).addErrback(stop)
 40 | 
 41 |     def finishSetup(self, ign):
 42 |         # we have all the pieces the mutator needs
 43 |         self.mutator = Mutator(
 44 |             self.original_file, self.mutation_types, self.original_file_name, self.factory.tmp_directory)
 45 | 
 46 |         # enter continuous loop
 47 |         self.lc = LoopingCall(self.getNextMutation)
 48 |         self.lc.start(0)
 49 | 
 50 |     def getNextMutation(self):
 51 |         ''' Ask the server for the next mutation '''
 52 |         return (self.callRemote(commands.GetNextMutation) # return deferred
 53 |                 .addCallback(self.executeNextMutation)
 54 |                 .addErrback(stop))
 55 | 
 56 |     def executeNextMutation(self, mutation):
 57 |         if mutation['stop']:
 58 |             stop("Server said to stop")
 59 |             return False
 60 | 
 61 |         if mutation['pause']:
 62 |             print 'Sever said to pause - sleeping for 60 seconds'
 63 |             sleep(60)
 64 |             return True
 65 | 
 66 |         # create the mutated file
 67 |         new_file_name = self.mutator.createMutatedFile(mutation['offset'], mutation['mutation_index'])
 68 | 
 69 |         # execute it
 70 |         print '(%d,%d)' % (mutation['offset'], mutation['mutation_index']),
 71 |         output = self.executor.execute(self.program, new_file_name)
 72 |         if output:
 73 |             print 'Got output, Offset = %d, Mutation_Index = %d, File = %s' % (mutation['offset'], mutation['mutation_index'], new_file_name)
 74 |             self.callRemote( commands.LogResults, mutation_index=mutation['mutation_index'], offset=mutation['offset'], output=output, filename=new_file_name )
 75 |             # copy the file - it caused a crash
 76 |             copy("%s"%new_file_name, "%s"%join(self.factory.save_directory, split(new_file_name)[-1]))
 77 | 
 78 |         # remove the file
 79 |         remove("%s"%new_file_name)
 80 | 
 81 |     @defer.inlineCallbacks
 82 |     def getOriginalFile(self):
 83 |         ''' get original file and file name'''
 84 |         response = yield self.callRemote(commands.GetOriginalFile)
 85 |         print '[*] Got original_file :', response['original_file_name']
 86 |         self.original_file = response['original_file']
 87 |         self.original_file_name = response['original_file_name']
 88 | 
 89 |     @defer.inlineCallbacks
 90 |     def getMutationTypes(self):
 91 |         ''' get list of mutations that will be used '''
 92 |         response = yield self.callRemote(commands.GetMutationTypes)
 93 |         print '[*] Got mutation types'
 94 |         self.mutation_types = response['mutation_types']
 95 | 
 96 |     @defer.inlineCallbacks
 97 |     def getProgram(self):
 98 |         ''' get target program that will be executed '''
 99 |         response = yield self.callRemote(commands.GetProgram)
100 |         print '[*] Got program :', response['program']
101 |         self.program = response['program']
102 | 
103 | class FuzzerClientFactory(protocol.ClientFactory):
104 |     protocol = FuzzerClientProtocol
105 | 
106 |     def __init__(self, tmp_directory, save_directory):
107 |         self.tmp_directory  = tmp_directory
108 |         self.save_directory = save_directory
109 | 
110 | def check_usage(args):
111 |     ''' Parse command line options - yes, these aren't really "options".... deal with it '''
112 | 
113 |     parser = OptionParser()
114 |     parser.add_option('-s', action="store", dest="host", help='Server to connect to', metavar="server")
115 |     parser.add_option('-p', action="store", dest="port", help='Port to connect on', type='int', metavar="port")
116 |     parser.add_option('-t', action="store", dest="temp_directory", help='Temporary directory for files to be created', metavar="temp_directory")
117 |     parser.add_option('-g', action="store", dest="save_directory", help='Save-directory, for files to be saved that cause crashes', metavar="save_directory")
118 |     parser.epilog = "Example:\n\n"
119 |     parser.epilog += './client.py -s 127.0.0.1 -p 12345 -t temp -s save'
120 |     options, args = parser.parse_args(args)
121 | 
122 |     # make sure enough args are passed
123 |     if not all((options.temp_directory, options.save_directory, options.port, options.host)):
124 |         parser.error("Incorrect number of arguments - must specify temp_directory, save_directory, host, port")
125 | 
126 |     return options
127 |         
128 | if __name__ == '__main__':
129 |     options = check_usage(argv)
130 |     (endpoints.TCP4ClientEndpoint(reactor, options.host, options.port)
131 |      .connect(FuzzerClientFactory(options.temp_directory, options.save_directory))
132 |      .addErrback(stop))
133 |     reactor.run()
134 | 
135 | 
136 | 


--------------------------------------------------------------------------------
/commands.py:
--------------------------------------------------------------------------------
 1 | from twisted.protocols import amp
 2 | from BigStringVoodoo import *
 3 | 
 4 | class GetNextMutation(amp.Command):
 5 |     arguments = []
 6 |     response = [('offset', amp.Integer()), ('mutation_index', amp.Integer()), ('stop', amp.Boolean()), ('pause', amp.Boolean())]
 7 | 
 8 | class LogResults(amp.Command):
 9 |     arguments = [('mutation_index',amp.Integer()), ('offset',amp.Integer()), ('output',amp.String()), ('filename',amp.String())]
10 |     response = []
11 | 
12 | class GetOriginalFile(amp.Command):
13 |     arguments = []
14 |     response = [('original_file_name', amp.String()), ('original_file', BigString())]
15 | 
16 | class GetProgram(amp.Command):
17 |     arguments = []
18 |     response = [('program', amp.String())]
19 | 
20 | class GetMutationTypes(amp.Command):
21 |     arguments = []
22 |     response = [('mutation_types', amp.AmpList([ ('value',amp.String()), ('type',amp.String()), ('size',amp.Integer()) ]))]
23 | 
24 | 


--------------------------------------------------------------------------------
/fuzzer.py:
--------------------------------------------------------------------------------
  1 | from multiprocessing import Process, Queue
  2 | from threading import Thread
  3 | from optparse import OptionParser
  4 | from shutil import copy
  5 | from os import remove
  6 | from time import sleep, ctime
  7 | from sys import exit, argv
  8 | 
  9 | from Executor import Executor
 10 | from Mutator import Mutator
 11 | 
 12 | # todo
 13 | # - set signal handler to SIGINT, show status, give option to quit
 14 | # - maybe save progress and continue later, or at least allow a run offset
 15 | # - add timeout to command line options
 16 | 
 17 | class Fuzzer():
 18 | 	def __init__(self, max_processes, logfile, save_directory):
 19 | 		self.q_to = Queue()
 20 | 		self.q_from = Queue()
 21 | 		self.processes = []
 22 | 		self.max_processes = max_processes
 23 | 		self.save_directory = save_directory
 24 | 		self.mutator = None
 25 | 		self.monitor_thread = None
 26 | 
 27 | 		# open the logfile
 28 | 		try:
 29 | 			log = open(logfile, 'w')
 30 | 		except:
 31 | 			print '[!] Unable to open logfile', logfile
 32 | 			exit(1)
 33 | 		self.log = log
 34 | 
 35 | 		
 36 | 	def start(self, command, original_file, timeout, temp_directory, mutation_type):
 37 | 		# create the consumers
 38 | 		for i in range(self.max_processes):
 39 | 			process = Process(target=Executor, args=(timeout, self.q_to, self.q_from))
 40 | 			self.processes.append(process)
 41 | 			process.start()
 42 | 
 43 | 		# create the thread to get consumer output
 44 | 		self.monitor_thread = Thread(target=self.monitor)
 45 | 		self.monitor_thread.start()
 46 | 
 47 | 		# create the mutator
 48 | 		mutator = Mutator(original_file, temp_directory, mutation_type)
 49 | 
 50 | 		# print some useful information, and figure out some relative percentages
 51 | 		mutator.print_statistics()
 52 | 		ten_percent = mutator.total_mutations / 10
 53 | 		percent     = 0
 54 | 
 55 | 		for counter, (offset, value_index, value_type, new_file) in enumerate(mutator.createNext()):
 56 | 			while not self.q_to.empty():
 57 | 				sleep(.1)
 58 | 
 59 | 			# check if we hit a 10% mark
 60 | 			if counter % ten_percent == 0:
 61 | 				print '%02d%% - %s' % (percent, ctime())
 62 | 				percent += 10
 63 | 
 64 | 			# add the job to the queue
 65 | 			self.q_to.put({'command':command, 'args':'%s'%new_file, 'offset':offset, 'value_index':value_index, 'value_type':value_type, 'new_file':new_file})
 66 | 
 67 | 		self.stop()
 68 | 	
 69 | 	def stop(self):
 70 | 		# kill the consumers
 71 | 		for i in range(self.max_processes):
 72 | 			self.q_to.put('STOP')
 73 | 		for process in self.processes:
 74 | 			process.join()
 75 | 		# kill the monitor thread
 76 | 		self.q_from.put('STOP')
 77 | 		self.monitor_thread.join()
 78 | 		# close the log file
 79 | 		self.log.close()
 80 | 
 81 | 	def monitor(self):
 82 | 		counter = 0
 83 | 
 84 | 		while True:
 85 | 			# wait for output
 86 | 			obj = self.q_from.get()	# this blocks
 87 | 
 88 | 			# poison pill
 89 | 			if obj == 'STOP':
 90 | 				break
 91 | 
 92 | 			self.log.write('[%d] executable = %s, offset=%d, value_index=%d, value_type=%s, args=%s\n--------------------------------------\n' % (
 93 | 				counter, obj['command'], obj['offset'], obj['value_index'], obj['value_type'], obj['args']))
 94 | 			if obj['crash']:
 95 | 				print 'Crash!'
 96 | 				self.log.write(obj['output'])
 97 | 				# save good files
 98 | 				copy(obj['new_file'], self.save_directory)	
 99 | 
100 | 			remove("%s"%obj['new_file'])
101 | 			counter += 1
102 | 
103 | def check_usage(args):
104 |     ''' Parse command line options - yes, these aren't really "options".... deal with it '''
105 | 
106 |     parser = OptionParser()
107 |     parser.add_option('-p', action="store", dest="program_cmd_line", help='Program to launch, the full command line that will be executed', metavar="program")
108 |     parser.add_option('-f', action="store", dest="original_file", help='File to be mutated', metavar="file")
109 |     parser.add_option('-d', action="store", dest="temp_directory", help='Directory for temporary files to be created', metavar="temp_directory")
110 |     parser.add_option('-t', action="store", dest="mutation_type", help='Type of mutation ("byte", "word", "dword")', metavar="mutation_type")
111 |     parser.add_option('-l', action="store", dest="log_file", help='Log file', metavar="log")
112 |     parser.add_option('-s', action="store", dest="save_directory", help='Save-directory, for files to be saved that cause crashes', metavar="save_directory")
113 |     parser.add_option('-m', action="store", dest="max_processes", help='Max Processes (Default is 1)', type="int", default=1, metavar="max_processes")
114 |     parser.epilog = "Example:\n\n"
115 |     parser.epilog += './fuzzer.py -p "C:\Program Files\Blah\prog.exe" -f original_file.mp3 -d temp -t dword -l log.txt -s save -m 4'
116 |     options, args = parser.parse_args(args)
117 | 
118 |     # make sure enough args are passed
119 |     if not all((options.program_cmd_line, options.original_file, options.temp_directory, options.mutation_type, options.log_file, options.save_directory)):
120 |         parser.error("Incorrect number of arguments - must specify program, original_file, temp_directory, mutation_type, log_file, save_directory")
121 | 
122 |     return options
123 | 
124 | 
125 | if __name__ == '__main__':
126 |     # check args, get args
127 |     options = check_usage(argv)
128 |     program_cmd_line = options.program_cmd_line
129 |     original_file    = options.original_file
130 |     temp_directory   = options.temp_directory
131 |     mutation_type    = options.mutation_type
132 |     log_file         = options.log_file
133 |     save_directory   = options.save_directory
134 |     max_processes    = options.max_processes
135 | 
136 |     # create the fuzzer, start it
137 |     fuzzer = Fuzzer(max_processes, log_file, save_directory)
138 |     fuzzer.start(program_cmd_line, original_file, 5, temp_directory, mutation_type)
139 | 


--------------------------------------------------------------------------------
/mutations.py:
--------------------------------------------------------------------------------
 1 | ''' List of all mutations. If you want to add/remove mutations, do it here! '''
 2 | 
 3 | # globals
 4 | MAX8  = 0xff
 5 | MAX16 = 0xffff
 6 | MAX32 = 0xffffffff
 7 | 
 8 | # Format :
 9 | # - 'value' and 'size' are self explanatory
10 | # - 'type' is either 'replace' or 'insert'
11 | #   - replace: overwrite the bytes at a specific offset with the new bytes
12 | #     - aka: AAAAAAAAAA -> AAAABBBBAA
13 | #   - insert: insert the bytes at a specific offset with the new bytes, shifting the rest of the bytes down
14 | #     - aka: AAAAAAAAAA -> AAAABBBBAAAAAA
15 | values_8bit  = [{'value':0x00,       'type':'replace', 'size':1}, {'value':0x01,    'type':'replace', 'size':1}, {'value':MAX8/2-16,  'type':'replace', 'size':1}, 
16 |                 {'value':MAX8/2-1,   'type':'replace', 'size':1}, {'value':MAX8/2,  'type':'replace', 'size':1}, {'value':MAX8/2+1,   'type':'replace', 'size':1}, 
17 |                 {'value':MAX8/2+16,  'type':'replace', 'size':1}, {'value':MAX8-1,  'type':'replace', 'size':1}, {'value':MAX8,       'type':'replace', 'size':1} ]
18 | 
19 | values_16bit  = [{'value':0x00,      'type':'replace', 'size':2}, {'value':0x01,    'type':'replace', 'size':2}, {'value':MAX16/2-16, 'type':'replace', 'size':2}, 
20 |                 {'value':MAX16/2-1,  'type':'replace', 'size':2}, {'value':MAX16/2, 'type':'replace', 'size':2}, {'value':MAX16/2+1,  'type':'replace', 'size':2}, 
21 |                 {'value':MAX16/2+16, 'type':'replace', 'size':2}, {'value':MAX16-1, 'type':'replace', 'size':2}, {'value':MAX16,      'type':'replace', 'size':2} ]
22 | 
23 | values_32bit  = [{'value':0x00,       'type':'replace', 'size':4}, {'value':0x01,    'type':'replace', 'size':4}, {'value':MAX32/2-16, 'type':'replace', 'size':4}, 
24 |                 {'value':MAX32/2-1,  'type':'replace', 'size':4}, {'value':MAX32/2, 'type':'replace', 'size':4}, {'value':MAX32/2+1,  'type':'replace', 'size':4}, 
25 |                 {'value':MAX32/2+16, 'type':'replace', 'size':4}, {'value':MAX32-1, 'type':'replace', 'size':4}, {'value':MAX32,      'type':'replace', 'size':4} ]
26 | 
27 | values_strings = [{'value':list("B"*100),  'type':'insert', 'size':100}, \
28 |                   {'value':list("B"*1000), 'type':'insert', 'size':1000}, \
29 |                   {'value':list("B"*10000),'type':'insert', 'size':10000}, \
30 |                   {'value':list("%s"*10),  'type':'insert', 'size':10}, \
31 |                   {'value':list("%s"*100), 'type':'insert', 'size':100}]
32 | 


--------------------------------------------------------------------------------
/server.py:
--------------------------------------------------------------------------------
  1 | # for twisted
  2 | from twisted.internet import protocol, reactor
  3 | from twisted.internet.protocol import ServerFactory
  4 | from twisted.protocols import amp
  5 | from time import time
  6 | import commands
  7 | 
  8 | # for mutations
  9 | from Mutator import MutationGenerator, Mutator
 10 | 
 11 | from optparse import OptionParser
 12 | from os.path import split
 13 | from sys import argv, exit
 14 | from threading import Thread
 15 | from time import sleep, ctime
 16 | 
 17 | class FuzzerServerProtocol(amp.AMP):
 18 | 
 19 |     @commands.GetNextMutation.responder
 20 |     def getNextMutation(self):
 21 |         ret = self.factory.getNextMutation()
 22 |         return ret
 23 | 
 24 |     @commands.LogResults.responder
 25 |     def logResults(self, mutation_index, offset, output, filename):
 26 |         print 'Got a crash!'
 27 |         # log the crash
 28 |         self.factory.log_file.write('Offset: %d, Mutation_Index: %d, Filename: %s, Output:\n%s'%
 29 |                 (offset, mutation_index, filename, output))
 30 |         self.factory.log_file.flush()
 31 |         # add it to the servers list
 32 |         self.factory.crashes.append({'mutation_index':mutation_index, 'offset':offset, 'output':output, 'filename':filename})
 33 |         # create the file locally
 34 |         print 'Created file :', self.factory.mutator.createMutatedFile(offset, mutation_index)
 35 |         return {}
 36 | 
 37 |     @commands.GetOriginalFile.responder
 38 |     def getOriginalFile(self):
 39 |         return {'original_file_name':self.factory.file_name, 'original_file':self.factory.contents}
 40 | 
 41 |     @commands.GetMutationTypes.responder
 42 |     def getMutationTypes(self):
 43 |         return {'mutation_types':self.factory.mutations}
 44 | 
 45 |     @commands.GetProgram.responder
 46 |     def getProgram(self):
 47 |         return {'program':self.factory.program}
 48 | 
 49 |     def connectionMade(self):
 50 |         ''' add new clients to the list '''
 51 |         self.factory.clients.append(self.transport.getPeer())
 52 | 
 53 |     def connectionLost(self, traceback):
 54 |         ''' remove clients from the list '''
 55 |         self.factory.clients.remove(self.transport.getPeer())
 56 | 
 57 | class FuzzerFactory(ServerFactory):
 58 |     protocol = FuzzerServerProtocol
 59 | 
 60 |     def __init__(self, program, original_file, log_file_name, mutation_type, directory):
 61 |         print 'FuzzerFactory(...) started'
 62 |         self.mutation_generator = MutationGenerator(mutation_type)  # create the list of mutations
 63 |         self.mutator            = None                              # to create the files that reportedly cause crashes
 64 |         self.mutations          = self.mutation_generator.getValues()
 65 |         self.mutations_range    = range(len(self.mutations))
 66 |         self.file_name          = split(original_file)[1]       # just the filename
 67 |         self.program            = program
 68 |         self.log_file_name      = log_file_name                 # just the name
 69 |         self.directory          = directory                     # directory to save crash causing files
 70 |         self.log_file           = None                          # the opened instance
 71 |         self.contents           = None
 72 |         self.contents_range     = None
 73 |         self.generator          = self.createGenerator()
 74 |         self.clients            = []                            # list of clients
 75 |         self.crashes            = []                            # list of crashes
 76 |         self.mutations_executed = 0                             # number of mutations executed so far
 77 |         self.paused             = False
 78 | 
 79 |         # make sure we can read the original target file
 80 |         try:
 81 |             self.contents = open(original_file, 'rb').read()
 82 |             self.contents_range = range(len(self.contents))
 83 |         except Exception as e:
 84 |             quit('Unable to open "%s" and read the contents. Error: %s' % (original_file, e))
 85 |     
 86 |         # make sure we can write to the logfile
 87 |         try:
 88 |             self.log_file = open(self.log_file_name, 'w')
 89 |         except Exception as e:
 90 |             quit('Unable to open logfile "%s". Error: %s' % (self.log_file_name, self.log_file))
 91 | 
 92 |         # we have all the pieces for the mutator now
 93 |         self.mutator = Mutator(self.contents, self.mutations, self.file_name, self.directory)
 94 | 
 95 |         # a thread to handle user input and print statistics
 96 |         menu_thread = Thread(target=self.menu)
 97 |         menu_thread.start()
 98 |             
 99 |     def createGenerator(self):
100 |         for offset in self.contents_range:
101 |             for mutation_index in self.mutations_range:
102 |                 yield {'offset':offset, 'mutation_index':mutation_index, 'stop':False, 'pause':False}
103 | 
104 |     def getNextMutation(self):
105 |         if self.paused:
106 |             return {'offset':0, 'mutation_index':0, 'stop':False, 'pause':True}
107 |         try:
108 |             n = self.generator.next()
109 |             self.mutations_executed += 1
110 |             return n
111 |         except StopIteration:
112 |             # no more mutations, close the logfile
113 |             if not self.log_file.closed:
114 |                 self.log_file.close()
115 |             # tell any clients to 'stop'
116 |             return {'offset':0, 'mutation_index':0, 'stop':True, 'pause':False}
117 | 
118 |     def printStatistics(self, mutations=False, clients=False, crashes=False):
119 |         ''' print some statistics information '''
120 | 
121 |         print ''
122 |         if mutations:
123 |             total_mutations = len(self.contents) * len(self.mutations) 
124 |             print 'Mutations:'
125 |             print '  - File size                    :', len(self.contents)
126 |             print '  - Number of possible mutations :', len(self.mutations)
127 |             print '  - Total number of mutations    :', total_mutations
128 |             print '  - Total executed so far        : %d (%d%%)' % (self.mutations_executed, float(self.mutations_executed)/total_mutations*100)
129 |         if clients:
130 |             print 'Clients:'
131 |             for client in self.clients:
132 |                 print '  - %s:%d' % (client.host, client.port)
133 |         if crashes:
134 |             print 'Crashes:'
135 |             for crash in self.crashes:
136 |                 print '  - Offset         :',   crash['offset']
137 |                 print '  - Mutation Index :',   crash['mutation_index']
138 |                 print '  - Filename       :',   crash['filename']
139 |                 print '  - Output         :\n', crash['output']
140 | 
141 |     def menu(self):
142 |         while True:
143 |             print '\n'
144 |             if self.paused: print '---- PAUSED ----'
145 |             print 'Menu :'
146 |             print '1. Show clients'
147 |             print '2. Show crashes'
148 |             print '3. Mutations'
149 |             print '4. Show all'
150 |             print '5. Pause/Resume'
151 |             selection = raw_input('Enter Selection : ').rstrip()
152 |             if selection == '1':
153 |                 self.printStatistics(clients=True)
154 |             if selection == '2':
155 |                 self.printStatistics(crashes=True)
156 |             if selection == '3':
157 |                 self.printStatistics(mutations=True)
158 |             if selection == '4':
159 |                 self.printStatistics(clients=True, crashes=True, mutations=True)
160 |             if selection == '5':
161 |                 self.paused = False if self.paused else True
162 | 
163 | def quit(message=None):
164 |     if message:
165 |         print message
166 |     print 'Exiting!'
167 |     exit(1)
168 | 
169 | def check_usage(args):
170 |     ''' Parse command line - they're not really optional, shhh'''
171 | 
172 |     parser = OptionParser()
173 |     parser.add_option('-e', action="store", dest="program_cmd_line", help='Executable program to launch, the full command line that will be executed', metavar="program")
174 |     parser.add_option('-f', action="store", dest="original_file", help='File to be mutated', metavar="file")
175 |     parser.add_option('-t', action="store", dest="mutation_type", help='Type of mutation ("byte", "word", "dword")', metavar="mutation_type")
176 |     parser.add_option('-l', action="store", dest="log_file", help='Log file', metavar="log")
177 |     parser.add_option('-p', action="store", dest="port", help='Port to listen on', type='int', metavar="port")
178 |     parser.add_option('-d', action="store", dest="directory", help="Directory to save files that cause crashes", metavar="directory")
179 |     parser.epilog = "Example:\n\n"
180 |     parser.epilog += './server.py -e "C:\Program Files\Blah\prog.exe" -f original_file.mp3 -t dword -l log.txt -p 12345 -d save'
181 |     options, args = parser.parse_args(args)
182 | 
183 |     # make sure enough args are passed
184 |     if not all((options.program_cmd_line, options.original_file, options.mutation_type, options.log_file, options.port, options.directory)):
185 |         parser.error("Incorrect number of arguments - must specify program, original_file, mutation_type, log_file, port, directory")
186 | 
187 |     return options
188 | 
189 | if __name__ == '__main__':
190 |     options = check_usage(argv)
191 |     factory = FuzzerFactory(options.program_cmd_line, options.original_file, options.log_file, options.mutation_type, options.directory)
192 |     reactor.listenTCP(options.port, factory)
193 |     reactor.run()
194 | 
195 | 


--------------------------------------------------------------------------------