  1. /*
  2.     S-Fuzz - Mutation Based Fuzzer
  3.  
  4.     This program is free software: you can redistribute it and/or modify
  5.     it under the terms of the GNU General Public License as published by
  6.     the Free Software Foundation, either version 3 of the License, or
  7.     (at your option) any later version.
  8.  
  9.     This program is distributed in the hope that it will be useful,
  10.     but WITHOUT ANY WARRANTY; without even the implied warranty of
  11.     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  12.     GNU General Public License for more details.
  13.  
  14.     You should have received a copy of the GNU General Public License
  15.     along with this program.  If not, see <http://www.gnu.org/licenses/>.
  16. ************************************************************************
  17.  s4ndman
  18.  mail all bugs to: <r[dot]coded[AT]gmail[dot]com>
  19.  READFIRST: site link: http://mmaptonull.blogspot.com/2011/02/sfuzz-file-format-fuzzer.html
  20.  
  21. :::::::CHANGELOG:::::::::
  22.  
  23. v.1 ~ 05/12/09
  24.   -first _simple_ version out
  25.  
  26. v.3 ~ 07/12/09
  27.   -additional options added
  28.     +logging added
  29.    
  30.  
  31. v.5 ~ 10/12/09
  32.   -malloc implementation for [large file sizes]
  33.     +auto malloc by calculating file sizes
  34.   -improved logging
  35.   -bugfixes
  36.  
  37. v.6 ~ 8/06/10
  38.   -sleep timer added to reduce computation load
  39.   -memory corruption bugfixes [multiple _offbyone_ bugs]
  40.  
  41. v.7 ~ 10/02/11
  42.   -implemented header offset
  43.    +avoids header region if needed for strict header testing programs
  44.   -added verbosity choice for logfile to reduce log file size
  45.  
  46. TODO: implement data addition mutation option
  47. ***********************************************************************/
  48.  
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
  53.  
/* Module-level stream handles (input, output, log); zero-initialised to NULL. */
FILE *fpin;
FILE *fpout;
FILE *fplog;
  55.  
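/* Command-line settings, parsed once from argv. */
struct sfuzz_cfg {
    const char *infile;     /* file to mutate */
    const char *outfile;    /* suffix of every output name: "<index>-<outfile>" */
    const char *logfile;    /* log of every action */
    long n_files;           /* number of mutated copies to produce */
    long max_size;          /* buffer size in bytes, or -1 to size it from the input */
    long max_overwrite;     /* upper bound on bytes changed per copy (>= 1) */
    long sleep_secs;        /* pause between writes, in seconds */
    long hdr_offset;        /* leading bytes the mutator never touches */
    int verbose;            /* 1 = log every single byte change */
};

/* Extra room the auto-sized buffer gets beyond the input length (kept from the original). */
enum { AUTO_SIZE_SLACK = 1000 };

/* Print the usage banner shown when the argument count is wrong. */
static void print_usage(void)
{
    printf("[*]@@@@__S-Fuzz__@@@@\n");
    printf("[*]type: Mutation Fuzzer\n");
    printf("[*]by: Sandman, 05/05/2010\n");
    printf("[i]usage: ./sfuzz <i> <o> <nf> <fsz> <mbovr> <logf> <slp> <hdr> <vrb>\n");
    printf("[i]i     > infile\n");
    printf("[i]o     > outfile\n");
    printf("[i]nf    > number of files\n");
    printf("[i]fsz   > max file size (-1 to autocalculate)\n");
    printf("[i]mbovr > maximum bytes to overwrite\n");
    printf("[i]logf  > logfile name to log all actions.\n");
    printf("[i]slp   > sleep time between file writes [seconds]\n");
    printf("[i]hdr   > header offset [bytes from beginning, to avoid header corruption by fuzzing]\n");
    printf("[i]vrb   > logfile verbosity [0=off, 1=on]  [to avoid clutter in the logfile]\n");
    printf("[!]NOTE: ALL SWITCHES ARE REQUIRED.\n");
}

/*
 * Parse a decimal integer strictly: the whole string must be consumed and the
 * value must fit in a long (atoi silently returned 0 for garbage).
 * Returns 0 and stores the value in *out on success, -1 otherwise.
 */
static int parse_long(const char *s, long *out)
{
    char *end;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (s[0] == '\0' || *end != '\0' || errno == ERANGE) {
        return -1;
    }
    *out = v;
    return 0;
}

/* Echo the run's parameters, exactly as given on the command line, into the log. */
static void log_parameters(FILE *log, char *argv[])
{
    fprintf(log, "[i]starting sfuzz on file %s\n", argv[1]);
    fprintf(log, "[i]starting with parameters:\n");
    fprintf(log, "[i]infile: %s\n", argv[1]);
    fprintf(log, "[i]outfile: %s\n", argv[2]);
    fprintf(log, "[i]number of fuzzed files: %s\n", argv[3]);
    fprintf(log, "[i]max file size (autocalculated if -1): %s bytes\n", argv[4]);
    fprintf(log, "[i]max bytes to overwrite: %s bytes\n", argv[5]);
    fprintf(log, "[i]log file: %s\n", argv[6]);
    fprintf(log, "[i]sleep time: %s\n", argv[7]);
    fprintf(log, "[i]header offset: %s bytes\n", argv[8]);
    fprintf(log, "[i]logfile verbosity: %s\n", argv[9]);
}

/*
 * Read the input file into a freshly allocated buffer.
 *
 * With cfg->max_size == -1 the buffer is sized from the file plus
 * AUTO_SIZE_SLACK; otherwise it holds exactly cfg->max_size bytes and a
 * longer input is truncated (with a warning). On success *buf_out owns the
 * buffer (the caller frees it), *len_out is the number of bytes read and
 * 0 is returned; on failure nothing stays allocated and -1 is returned.
 */
static int load_input(const struct sfuzz_cfg *cfg, FILE *log, char **buf_out, size_t *len_out)
{
    FILE *in = fopen(cfg->infile, "rb");
    if (in == NULL) {
        printf("[-]infile read error, does it exist??\n");
        fprintf(log, "[-]error file read error on %s\n", cfg->infile);
        return -1;
    }

    long file_size = -1;
    if (fseek(in, 0, SEEK_END) == 0) {
        file_size = ftell(in);
    }
    if (file_size < 0 || fseek(in, 0, SEEK_SET) != 0) {
        printf("[-]cannot determine size of %s\n", cfg->infile);
        fprintf(log, "[-]error cannot determine size of %s\n", cfg->infile);
        fclose(in);
        return -1;
    }

    size_t cap;
    if (cfg->max_size == -1) {
        fprintf(log, "[i]file size auto-calculate result: %ld bytes\n", file_size);
        fprintf(log, "[i]allocating buffer size: %ld bytes + %d bytes.\n", file_size, AUTO_SIZE_SLACK);
        cap = (size_t)file_size + AUTO_SIZE_SLACK;
    } else {
        cap = (size_t)cfg->max_size;
        fprintf(log, "[i]allocating buffer size: %ld bytes\n", cfg->max_size);
        if ((size_t)file_size > cap) {
            printf("[!]Warning: Allocated buffer [%ld] is less than file size [%ld], fuzzed files will be truncated.\n",
                   cfg->max_size, file_size);
            fprintf(log, "[!]Warning: Allocated buffer [%ld] is less than file size [%ld]; fuzzed files will be truncated.\n",
                    cfg->max_size, file_size);
        }
    }

    char *buf = malloc(cap);
    if (buf == NULL) {
        printf("[-]error: out of memory, malloc failed!\n");
        fprintf(log, "[-]error: out of memory, malloc failed!\n");
        fclose(in);
        return -1;
    }

    /* fread stops at EOF or at cap, whichever comes first; only ferror() is a failure. */
    size_t len = fread(buf, 1, cap, in);
    if (ferror(in)) {
        printf("[-]infile read error on %s\n", cfg->infile);
        fprintf(log, "[-]error file read error on %s\n", cfg->infile);
        free(buf);
        fclose(in);
        return -1;
    }
    fclose(in);

    *buf_out = buf;
    *len_out = len;
    return 0;
}

/*
 * Overwrite n_bytes randomly chosen positions in buf[hdr_offset, len) with
 * random byte values; positions may repeat. orig holds the untouched copy
 * used for the "orig-byte" log lines. The caller guarantees hdr_offset < len.
 */
static void mutate_copy(char *buf, const char *orig, size_t len, size_t hdr_offset,
                        long n_bytes, int verbose, FILE *log)
{
    size_t span = len - hdr_offset;   /* > 0 by the caller's contract */
    for (long x = 0; x < n_bytes; x++) {
        /* Position is in [hdr_offset, len-1]; the original's "-1" could hit index -1. */
        size_t loc = hdr_offset + (size_t)rand() % span;
        int new_byte = rand() % 256;
        buf[loc] = (char)new_byte;
        if (verbose == 1) {
            int old_byte = (unsigned char)orig[loc];   /* print 0..255 like new_byte */
            printf("[*]File buffer[%zu] orig-byte = %d\n", loc, old_byte);
            printf("[*]File buffer[%zu] new-byte = %d\n", loc, new_byte);
            fprintf(log, "[*]File buffer[%zu] orig-byte = %d\n", loc, old_byte);
            fprintf(log, "[*]File buffer[%zu] new-byte = %d\n", loc, new_byte);
        }
    }
}

/*
 * Write buf[0, len) to "<index>-<outfile>". Returns 0 on success, -1 when the
 * name does not fit, the file cannot be opened, or the write is short.
 */
static int write_copy(const struct sfuzz_cfg *cfg, long index, const char *buf, size_t len, FILE *log)
{
    char name[1024];
    int n = snprintf(name, sizeof name, "%ld-%s", index, cfg->outfile);
    if (n < 0 || (size_t)n >= sizeof name) {
        printf("[-]error: output file name too long\n");
        fprintf(log, "[-]error: output file name too long\n");
        return -1;
    }

    FILE *out = fopen(name, "wb");
    if (out == NULL) {
        printf("[-]error: cannot open %s for writing\n", name);
        fprintf(log, "[-]error: cannot open %s for writing\n", name);
        return -1;
    }
    size_t written = fwrite(buf, 1, len, out);
    int close_rc = fclose(out);   /* fclose flushes, so its result matters for a write stream */
    if (written != len || close_rc != 0) {
        printf("[-]error: short write on %s\n", name);
        fprintf(log, "[-]error: short write on %s\n", name);
        return -1;
    }
    printf("[+]Writing file %s\n", name);
    fprintf(log, "[+]Writing file %s\n", name);
    return 0;
}

/*
 * Entry point: parse the nine positional arguments, load the input file and
 * emit <nf> mutated copies named "<index>-<outfile>", each with 1..<mbovr>
 * random bytes changed outside the first <hdr> bytes.
 *
 * Returns 0 on success, 1 on a usage error and -1 (kept from the original's
 * exit(-1)) on an I/O or allocation failure.
 */
int main(int argc, char *argv[])
{
    /* argv[9] is read below, so ten entries (program name + nine switches) are needed. */
    if (argc < 10) {
        print_usage();
        exit(1);
    }

    struct sfuzz_cfg cfg = { .infile = argv[1], .outfile = argv[2], .logfile = argv[6] };
    long verbose = 0;
    if (parse_long(argv[3], &cfg.n_files) != 0 || parse_long(argv[4], &cfg.max_size) != 0
        || parse_long(argv[5], &cfg.max_overwrite) != 0 || parse_long(argv[7], &cfg.sleep_secs) != 0
        || parse_long(argv[8], &cfg.hdr_offset) != 0 || parse_long(argv[9], &verbose) != 0) {
        printf("[-]error: nf, fsz, mbovr, slp, hdr and vrb must be decimal integers\n");
        exit(1);
    }
    cfg.verbose = (int)verbose;

    /* Ranges that the loop below relies on (mbovr is a modulus, hdr an index). */
    if (cfg.n_files < 0 || cfg.max_overwrite < 1 || cfg.sleep_secs < 0 || cfg.hdr_offset < 0
        || (cfg.max_size != -1 && cfg.max_size < 1)) {
        printf("[-]error: nf, slp and hdr must be >= 0, mbovr >= 1, fsz >= 1 or -1\n");
        exit(1);
    }

    FILE *log = fopen(cfg.logfile, "w");
    if (log == NULL) {
        printf("[-]error: cannot open logfile %s\n", cfg.logfile);
        exit(-1);
    }
    log_parameters(log, argv);

    char *buf = NULL;
    size_t len = 0;
    if (load_input(&cfg, log, &buf, &len) != 0) {
        fclose(log);
        return -1;
    }
    /* Also rejects an empty input, which would leave nothing to mutate. */
    if ((size_t)cfg.hdr_offset >= len) {
        printf("[-]error: header offset %ld is not below the %zu bytes read\n", cfg.hdr_offset, len);
        fprintf(log, "[-]error: header offset %ld is not below the %zu bytes read\n", cfg.hdr_offset, len);
        free(buf);
        fclose(log);
        return -1;
    }

    /* Pristine copy used to restore buf between iterations and for the orig-byte log. */
    char *orig = malloc(len);
    if (orig == NULL) {
        printf("[-]error: out of memory, malloc failed!\n");
        fprintf(log, "[-]error: out of memory, malloc failed!\n");
        free(buf);
        fclose(log);
        return -1;
    }
    memcpy(orig, buf, len);

    /* Seed once: reseeding inside the loop made copies written in the same second identical. */
    srand((unsigned)time(NULL));

    int rc = 0;
    for (long i = 0; i < cfg.n_files; i++) {
        long n_bytes = rand() % cfg.max_overwrite + 1;   /* 1..max_overwrite */
        printf("[+]Modifying %ld byte(s) in copy %ld\n", n_bytes, i);
        fprintf(log, "[+]Modifying %ld byte(s) in copy %ld\n", n_bytes, i);

        mutate_copy(buf, orig, len, (size_t)cfg.hdr_offset, n_bytes, cfg.verbose, log);
        if (write_copy(&cfg, i, buf, len, log) != 0) {
            rc = -1;
            break;
        }

        printf("[-]sleeping %ld seconds...\n", cfg.sleep_secs);
        fprintf(log, "[-]sleeping %ld seconds...\n", cfg.sleep_secs);
        sleep((unsigned)cfg.sleep_secs);

        memcpy(buf, orig, len);   /* undo this copy's mutations before the next one */
    }

    if (rc == 0) {
        printf("[+]completed creating %ld fuzzed files.\n", cfg.n_files);
        fprintf(log, "[+]completed creating %ld fuzzed files.\n", cfg.n_files);
    }
    free(buf);
    free(orig);
    fclose(log);
    return rc;
}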