Tuesday, November 21, 2006

File Fuzzer

Hello, I'm writing now to release a little file fuzzer.
It has been very useful for me, but now I'm bored of it, so it's time for other people to play with it.

Characteristics:

- Can trace deep into child processes, however many levels down they are spawned (Fuzzer->Child0->Child1->...->ChildN) :)
- You can define the file structure and then pass it to the fuzzer.
- It can "learn" the file format (In the case of ASCII Input files).
- Pretty fast (Compared to other file fuzzers).
- Works on Linux (full support) and FreeBSD (no ptrace support, but the port is not difficult: just change some #defines and you will be OK).
- No makefile :P
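To make the workflow behind the list above concrete, here is an added example of the core loop such a fuzzer runs. It is not the gwar source (the post links to it but does not show it) and it assumes things the post leaves open: that a fuzzing string overwrites the bytes at the current offset rather than being inserted, that strings which do not fit inside the file are skipped (the sample output counts "skipped executions due to fuzzing string size"), and that a crash is recognised by the target dying from a signal, which on POSIX `subprocess` reports as a negative return code. The `%FILENAME%` placeholder is taken from the sample command line; the seven fuzzing strings are constructed here in place of the 190 the post loads from its variables file.

```python
import shlex
import signal
import subprocess
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed stand-ins for the fuzzing variables; gwar loads 190 of them,
# a few boundary values are enough to show the mechanics.
FUZZ_STRINGS: List[bytes] = [
    b"A" * 2,               # shows up as 0x4141 in a register dump
    b"A" * 64,              # long run, only fits near the start of small files
    b"\xff\xff\xff\xff",    # 0xffffffff / -1 as a 32-bit field
    b"\x00\x00\x00\x00",    # zero length or null pointer
    b"\xff\xff\xff\x7f",    # INT_MAX little-endian
    b"\x00\x00\x00\x80",    # INT_MIN little-endian
    b"%n%n%n%n",            # format-string probe for text parsers
]


@dataclass
class Mutation:
    offset: int          # byte position that was overwritten
    string_index: int    # index into the fuzzing variable list
    data: bytes          # the complete mutated file


@dataclass
class BugReport:
    mutation: Mutation
    signal_name: str


def count_mutations(num_strings: int, start: int, end: int) -> int:
    """Files that would be generated for an inclusive offset range (before size skips)."""
    return num_strings * (end - start + 1)


def build_corpus(template: bytes, strings: List[bytes], start: int, end: int) -> Tuple[List[Mutation], int]:
    """Overwrite bytes at every offset in [start, end] with every fuzzing string.

    Assumption (not stated in the post): overwrite in place, keep the file size,
    and skip any string that would run past the end of the file.
    Returns the mutations and the number of skipped (offset, string) pairs.
    """
    mutations: List[Mutation] = []
    skipped = 0
    for offset in range(start, end + 1):
        for idx, fuzz in enumerate(strings):
            if offset + len(fuzz) > len(template):
                skipped += 1
                continue
            data = template[:offset] + fuzz + template[offset + len(fuzz):]
            mutations.append(Mutation(offset, idx, data))
    return mutations, skipped


def classify_exit(returncode: int) -> Optional[str]:
    """Map a subprocess return code to a signal name, or None for a normal exit.

    POSIX only: CPython reports a child killed by signal N as returncode -N.
    """
    if returncode >= 0:
        return None
    try:
        return signal.Signals(-returncode).name
    except ValueError:
        return "Unknown signal %d" % -returncode


def run_one(command_template: str, path: str, timeout: float) -> Optional[str]:
    """Write nothing here; just run the target on `path` and report a crash signal, if any."""
    argv = [shlex.quote(a) if False else a for a in shlex.split(command_template.replace("%FILENAME%", path))]
    try:
        proc = subprocess.run(argv, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, timeout=timeout)
    except subprocess.TimeoutExpired:
        return None  # a hang is worth logging separately; treated as no crash here
    return classify_exit(proc.returncode)


def fuzz_file(template: bytes, command_template: str, output_path: str,
              start: int, end: int, timeout: float = 3.0) -> Tuple[List[BugReport], int, int]:
    """Generate every mutation, execute the target on each, collect crashes.

    Returns (bug reports, successful executions, skipped executions).
    """
    mutations, skipped = build_corpus(template, FUZZ_STRINGS, start, end)
    bugs: List[BugReport] = []
    executed = 0
    for m in mutations:
        with open(output_path, "wb") as fh:
            fh.write(m.data)
        sig = run_one(command_template, output_path, timeout)
        executed += 1
        if sig is not None:
            bugs.append(BugReport(m, sig))
    return bugs, executed, skipped


if __name__ == "__main__":
    # Usage sketch mirroring the post's command line; the ELF header bytes are constructed.
    seed = b"\x7fELF" + b"\x00" * 60
    reports, ran, skip = fuzz_file(seed, "/usr/bin/readelf -a %FILENAME%", "/tmp/output.elf", 0, 52)
    print("executed", ran, "skipped", skip, "bugs", len(reports))
```

The numbers in the post's output fall out of `count_mutations`: 190 variables over offsets 0 to 52 is 190 x 53 = 10070 files. The crash classification is deliberately the coarse part; a register and stack dump like the one further down needs ptrace on the child, which this example does not attempt.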

Sample Output:
gr00vy@kenny:~/ffuzer/src$ ./gwar -D -i ../iput.elf -o ../tmp/output.elf -r -52 -t 3 -m 5 "/usr/bin/readelf -a %FILENAME%"
[%] Logging to readelf.log
[%] Loaded 190 fuzzing variables
[%] Fuzzing from 0 to 52
[%] Number of files to be generated 10070
[%] Proceding with fuzzing
[%] Byte [ 52] FuzzString [ 0] Process [ 0] Bugs? [40]
[%] Time elapsed 79.000000
[%] Number of succesful executions 10070
[%] Skipped executions due to fuzzing string size 0
[%] Number of "bugs" found: 40
Sample Bug Report:

[i] Signal: Unknown signal 127
[i] Fuzzing string: 186 Offset: 52
[i] Detail: address not mapped to object - Address of exception: 0x4949e961
Registers dump:
---------------

eax = 0x4949e961 ebx = 0x00004141 ecx = 0x00000000
edx = 0x0806853c esi = 0x00001274 edi = 0x0808921f
ebp = 0xbfb8a398 esp = 0xbfb8a360 eip = 0x080685bf

Stack frame dump:
-----------------

0xbfb8a360: 84 a3 b8 bf 5d 5c e4 b7 a4 a3 b8 bf 98 08 08 08 ....]\..........
0xbfb8a370: f4 cf f3 b7 04 00 00 00 1f 92 08 08 98 a3 b8 bf ................
0xbfb8a380: 03 68 e6 b7 c0 d4 f3 b7 8e 08 08 08 41 41 00 00 .h..........AA..
0xbfb8a390: 74 12 00 00 1f 92 08 08 t.......

Disassembly dump:
-----------------

806858d ADD [EAX], AL
806858f ADD CL, CH
8068591 CMPSD
8068592 ADD [EAX], EAX
8068594 ADD [EBX-0x49f0f7bb], CL
806859a ADD [EDI], CL
806859c MOV DH, 0xd0
806859e MOV EAX, [EBP+0x8]
80685a1 INC EAX
80685a2 MOVZX EAX, BYTE [EAX]
80685a5 MOVZX EAX, AL
80685a8 SHL EAX, 0x8
80685ab OR EAX, EDX
80685ad MOV [EBP-0x20], EAX
80685b0 MOV DWORD [EBP-0x1c], 0x0
80685b7 JMP 0x806873c
80685bc MOV EAX, [EBP+0x8]
EIP -> 80685bf MOVZX EAX, BYTE [EAX]

That's all for now; if you have any suggestions, please leave a comment.

Web
Download

3 comments:

joaco said...

I don't understand a damn thing!

kovacs said...

Great work, keep the groove! ;P

Unknown said...

Hey,
nice work.
I am trying to use it for my master's thesis but have problems defining the structure of the input file... and I found no documentation... I have even sent you a mail with my question :D
Your help is highly appreciated.