ChrisTheCoolHut / Easy-Pickings

Licence: GPL-3.0 license
Automatic function exporting and linking for fuzzing cross-architecture binaries.

Easy Pickings

Automatic function exporting and linking for fuzzing cross-architecture binaries.

This tool uses radare2 to identify functions and LIEF to parse executables. LIEF then exports the chosen function from the target as a symbol in a shared object (.so) that a stub runner links against. The script generates that runner automatically and provides an interface for selecting functions. Finally, Dockcross is used to cross compile the stub for the target's architecture.

Inspired by this tutorial, this tool enables fast stub building for fuzzing parsing functions hidden deep in code.

Install

Dependencies

For function identification, this tool requires radare2:

git clone https://github.com/radare/radare2
sudo ./radare2/sys/install.sh

Install Script

Docker, dockcross, lief, and r2pipe are installed by the script below:

./install.sh

Usage

Easy Pickings is a Python script that takes a file and either --Functions (list the functions radare2 finds and choose one) or an address:

$ ./Easy_Pickings.py  -h
usage: Easy_Pickings.py [-h] (--Functions | --Address ADDRESS) File

positional arguments:
  File                  File to pull function

optional arguments:
  -h, --help            show this help message and exit
  --Functions           List functions in binary to choose
  --Address ADDRESS, -A ADDRESS
                        Use this address for function creation

Example

Running the script

Running the script with an address skips radare2 entirely and immediately creates a function stub to run and link from. (--A below works because argparse accepts any unambiguous prefix of --Address; -A is the documented short form.)

 $ ./Easy_Pickings.py makeRequest.cgi --A 0x401210
[+] Using User_Supplied : 0x401210
[+] Parsing binary makeRequest.cgi
[+] Creating export
[+] Writing to file libmakeRequest.cgi.so
[+] Creating c runner

The script produces a shared object containing the exported function and a C runner stub that loads and calls it.

Cross Compiling

For cross compiling, Dockcross is used to quickly cross compile. An example command is shown below:

$ sudo ./dockcross-linux-mipsel bash -c '$CC User_Supplied_runner.c -static -O0 -fPIC -Wl,-strip-all -ldl -o User_Supplied_runner.bin'

Running the function

Since the function stub is cross compiled statically, qemu-user can run it immediately. The -g 4444 flag makes QEMU stop at the entry point and wait for a gdb connection on port 4444, which is useful for checking the stub before fuzzing; drop it to just run. For AFL's QEMU mode (-Q) you need afl-qemu-trace built for the target architecture (CPU_TARGET=mipsel when building qemu_mode):

$ qemu-mipsel -g 4444 ./User_Supplied_runner.bin
$ afl-fuzz -i in/ -o out/ -Q -m none -- ./User_Supplied_runner.bin

Note that the generated stub takes its input from argv[1] and never reads stdin, so the afl-fuzz invocation above hands it nothing (argv[1] is NULL). For real fuzzing, pass @@ and change the stub to read that file's contents before calling the function, as described under Function stub.

Function stub

The stub loads the shared object with dlopen, resolves the exported function with dlsym, and calls it with argv[1]. Modify it at this point to suit your fuzzing: for example, read the fuzz input from a file or stdin, build the argument types the function actually expects, and check the dlopen/dlsym results instead of calling through a NULL pointer.

$ cat User_Supplied_runner.c

#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>

//For this static nonsense to work, you should run and compile on the exact same environment
//(dlopen from a statically linked glibc binary still needs that same glibc's shared objects at run time)
//sudo ./dockcross-linux-mipsel bash -c '$CC User_Supplied_runner.c -static -O0 -fPIC -Wl,-strip-all -ldl -o User_Supplied_runner.bin'
typedef int(*check_t)(char*);   // assumed prototype of the exported function: int f(char *)

int main (int argc, char** argv) {

  // load the .so Easy Pickings wrote, then resolve the exported symbol by name
  void* handler = dlopen("./libmakeRequest.cgi.so", RTLD_LAZY);
  check_t User_Supplied = (check_t)dlsym(handler, "User_Supplied");

  // call the target with the first command-line argument as its input
  int output = User_Supplied(argv[1]);

  printf("Output of User_Supplied('%s'): %d\n", argv[1], output);

  return 0;
}
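The following is an added example of the kind of modification the previous paragraph invites; it is not code generated by Easy Pickings or written by the project. It keeps the README's assumed prototype int f(char *) and its example library and symbol names (libmakeRequest.cgi.so, User_Supplied, both assumptions to replace with your own), but reads the whole input file named in argv[1] (what afl-fuzz substitutes for @@) into a NUL-terminated buffer, checks every dlopen/dlsym result, and exits with a distinct status for harness errors so they are not mistaken for crashes in the target.

```c
/* Fuzz-friendly variant of the generated runner (added example, not the
 * project's own code). Build it the same way as the generated stub, e.g.
 * with dockcross, then run: afl-fuzz -i in/ -o out/ -Q -m none -- ./runner @@ */
#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TARGET_LIB "./libmakeRequest.cgi.so"   /* assumption: name from the README example */
#define TARGET_SYM "User_Supplied"              /* assumption: name from the README example */
#define MAX_INPUT  (1u << 20)                   /* cap at 1 MiB so a huge file cannot OOM the harness */

typedef int (*check_t)(char *);                 /* the README's assumed prototype */

/* Read up to MAX_INPUT bytes of `path` into a freshly malloc'd buffer that is
 * always NUL-terminated, so a C-string parser stops even when the fuzzer hands
 * us input without a terminator. Returns NULL on any failure; *out_len (if
 * non-NULL) receives the number of payload bytes read. Embedded NULs are kept. */
char *read_input(const char *path, size_t *out_len) {
    FILE *f = fopen(path, "rb");
    if (!f) return NULL;
    char *buf = malloc(MAX_INPUT + 1);
    if (!buf) { fclose(f); return NULL; }
    size_t n = fread(buf, 1, MAX_INPUT, f);
    fclose(f);
    buf[n] = '\0';
    if (out_len) *out_len = n;
    return buf;
}

/* Open the exported .so and resolve the target symbol. Returns NULL (with the
 * dlerror text on stderr) instead of letting a NULL handle reach dlsym, which
 * is what the unchecked stub does when the .so is missing. RTLD_NOW makes an
 * unresolvable import fail here, in the harness, rather than mid-fuzz. */
check_t load_target(const char *lib, const char *sym) {
    void *handle = dlopen(lib, RTLD_NOW);
    if (!handle) {
        fprintf(stderr, "dlopen(%s): %s\n", lib, dlerror());
        return NULL;
    }
    dlerror();                                  /* clear any stale error state */
    void *addr = dlsym(handle, sym);
    const char *err = dlerror();
    if (err || !addr) {
        fprintf(stderr, "dlsym(%s): %s\n", sym, err ? err : "symbol resolved to NULL");
        dlclose(handle);
        return NULL;
    }
    check_t fn;
    memcpy(&fn, &addr, sizeof fn);              /* object pointer -> function pointer */
    return fn;
}

int main(int argc, char **argv) {
    if (argc < 2) {
        fprintf(stderr, "usage: %s <input-file>   (afl-fuzz ... -- %s @@)\n", argv[0], argv[0]);
        return 2;                               /* 2 = harness error, never a target crash */
    }
    check_t target = load_target(TARGET_LIB, TARGET_SYM);
    if (!target) return 2;

    size_t len = 0;
    char *input = read_input(argv[1], &len);
    if (!input) { perror(argv[1]); return 2; }

    int rc = target(input);                     /* the call under test */
    printf("%s(%zu bytes) = %d\n", TARGET_SYM, len, rc);
    free(input);
    return 0;
}
```

The exit status 2 for harness problems matters in practice: AFL counts a signal-terminated process as a crash, so a missing library or unreadable file surfaces as an error exit rather than as a false finding. If the function you export takes a length alongside the buffer, extend check_t and pass `len` through instead of relying on the trailing NUL.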
