diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..dda4f8f --- /dev/null +++ b/.gitignore @@ -0,0 +1,164 @@ +### Python template +# Byte-compiled / optimized / DLL files +__pycache__/ +*.py[cod] +*$py.class + +# C extensions +*.so + +# Distribution / packaging +.Python +build/ +develop-eggs/ +dist/ +downloads/ +eggs/ +.eggs/ +lib/ +lib64/ +parts/ +sdist/ +var/ +wheels/ +share/python-wheels/ +*.egg-info/ +.installed.cfg +*.egg +MANIFEST + +# PyInstaller +# Usually these files are written by a python script from a template +# before PyInstaller builds the exe, so as to inject date/other infos into it. +*.manifest +*.spec + +# Installer logs +pip-log.txt +pip-delete-this-directory.txt + +# Unit test / coverage reports +htmlcov/ +.tox/ +.nox/ +.coverage +.coverage.* +.cache +nosetests.xml +coverage.xml +*.cover +*.py,cover +.hypothesis/ +.pytest_cache/ +cover/ + +# Translations +*.mo +*.pot + +# Django stuff: +*.log +local_settings.py +db.sqlite3 +db.sqlite3-journal + +# Flask stuff: +instance/ +.webassets-cache + +# Scrapy stuff: +.scrapy + +# Sphinx documentation +docs/_build/ + +# PyBuilder +.pybuilder/ +target/ + +# Jupyter Notebook +.ipynb_checkpoints + +# IPython +profile_default/ +ipython_config.py + +# pyenv +# For a library or package, you might want to ignore these files since the code is +# intended to run in multiple environments; otherwise, check them in: +# .python-version + +# pipenv +# According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. +# However, in case of collaboration, if having platform-specific dependencies or dependencies +# having no cross-platform support, pipenv may install dependencies that don't work, or not +# install all needed dependencies. +#Pipfile.lock + +# poetry +# Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control. +# This is especially recommended for binary packages to ensure reproducibility, and is more +# commonly ignored for libraries. +# https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control +#poetry.lock + +# pdm +# Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control. +#pdm.lock +# pdm stores project-wide configurations in .pdm.toml, but it is recommended to not include it +# in version control. +# https://pdm.fming.dev/latest/usage/project/#working-with-version-control +.pdm.toml +.pdm-python +.pdm-build/ + +# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm +__pypackages__/ + +# Celery stuff +celerybeat-schedule +celerybeat.pid + +# SageMath parsed files +*.sage.py + +# Environments +.env +.venv +env/ +venv/ +ENV/ +env.bak/ +venv.bak/ + +# Spyder project settings +.spyderproject +.spyproject + +# Rope project settings +.ropeproject + +# mkdocs documentation +/site + +# mypy +.mypy_cache/ +.dmypy.json +dmypy.json + +# Pyre type checker +.pyre/ + +# pytype static type analyzer +.pytype/ + +# Cython debug symbols +cython_debug/ + +# PyCharm +# JetBrains specific template is maintained in a separate JetBrains.gitignore that can +# be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore +# and can be added to the global gitignore or merged into this file. For a more nuclear +# option (not recommended) you can uncomment the following to ignore the entire idea folder. +#.idea/ + diff --git a/AUTHORS b/AUTHORS new file mode 100644 index 0000000..976a4a7 --- /dev/null +++ b/AUTHORS @@ -0,0 +1,11 @@ +Main developers +=============== + +Victor Stinner aka haypo + +Contributor +=========== + +Geoffroy Couprie aka geal + + diff --git a/COPYING b/COPYING new file mode 100644 index 0000000..3912109 --- /dev/null +++ b/COPYING @@ -0,0 +1,340 @@ + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc. + 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Library General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. + + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. + + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. (Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. + +If distribution of executable or object code is made by offering +access to copy from a designated place, then offering equivalent +access to copy the source code from the same place counts as +distribution of the source code, even though third parties are not +compelled to copy the source along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt +otherwise to copy, modify, sublicense or distribute the Program is +void, and will automatically terminate your rights under this License. +However, parties who have received copies, or rights, from you under +this License will not have their licenses terminated so long as such +parties remain in full compliance. + + 5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties to +this License. + + 7. If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and conditions +either of that version or of any later version published by the Free +Software Foundation. If the Program does not specify a version number of +this License, you may choose any version ever published by the Free Software +Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY +FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN +OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES +PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED +OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS +TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE +PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, +REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR +REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, +INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING +OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED +TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY +YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER +PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +convey the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + + Copyright (C) + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + + +Also add information on how to contact you by electronic and paper mail. + +If the program is interactive, make it output a short notice like this +when it starts in an interactive mode: + + Gnomovision version 69, Copyright (C) year name of author + Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, the commands you use may +be called something other than `show w' and `show c'; they could even be +mouse-clicks or menu items--whatever suits your program. + +You should also get your employer (if you work as a programmer) or your +school, if any, to sign a "copyright disclaimer" for the program, if +necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the program + `Gnomovision' (which makes passes at compilers) written by James Hacker. + + , 1 April 1989 + Ty Coon, President of Vice + +This General Public License does not permit incorporating your program into +proprietary programs. If your program is a subroutine library, you may +consider it more useful to permit linking proprietary applications with the +library. If this is what you want to do, use the GNU Library General +Public License instead of this License. diff --git a/ChangeLog b/ChangeLog new file mode 100644 index 0000000..94b1b2a --- /dev/null +++ b/ChangeLog @@ -0,0 +1,164 @@ +Changelog +========= + +Fusil 1.5 (2013-03-05) +---------------------- + + * experimental Python 3.3 support with the same code base; python 2.5 is no + more supported + * fusil-python: generate buffer objects and Unicode strings with surrogate + characters + * Change the default process memory limit from 100 MB to 500 MB + +Fusil 1.4 (2011-02-16) +---------------------- + + * Python 3 support + * fusil-python: + + - improve function listing all Python modules: use sys.builtin_module_names + and pkgutil.iter_modules() + - blacklist more modules, classes and functions + +Fusil 1.3.2 (2010-01-09) +------------------------ + + * replay.py: set sys.path to ease the usage of Fusil without installing it + * Fix fusil-gettext: ignore strace errors in locateMO() + * fusil-python: + + - hide Python warnings + - listAllModules() includes builtin modules + - new option --only-c to test only modules written in C + - fix memory leak: unload tested modules + - fix getFunctions(): use also isclass() to detect classes + + * Disable Fusil process maximum memory limit + +Fusil 1.3.1 (2009-11-09) +------------------------ + + * fusil-python: autodiscover all modules instead of using a static list of + modules, catch any exception when loading a module, only fuzz public + functions (use module.__all__) + * FileWatch: ignore duplicate parts on session rename + * Remove session name parts duplicate (eg. "pickle-error-error" => + "picke-error") + * replay.py: don't redirect stdin to /dev/null if --ptrace is used + * CPU probe: set max duration from 3 to 10 seconds (and rename the session on + success) + +Fusil 1.3 (2009-09-18) +---------------------- + + * Create fusil-gimp + * Remove charset from WriteCode: use builtin open() instead codecs.open() + because files created by open() are much faster + * Optimize FileWatch: don't recompile patterns at each session + * fusil now depends on python-ptrace 0.6 + * Don't use close_fds argument of subprocess.Popen() on Windows + * Fix configuration reader: normal_calm_load, normal_calm_sleep, + slow_calm_load, slow_calm_sleep keys global options are float, not integer + * Project website moved to http://bitbucket.org/haypo/fusil/wiki/Home + * FileWatch uses the pattern to rename the session + +Fusil 1.2.1 (2009-02-06) +------------------------ + + * Fix mangle agent of the Image Magick fuzzer + * Fix AttachProcessPID() probe: stop the probe at process exit + +Fusil 1.2 (2009-02-04) +---------------------- + +User visible changes: + + * Fusil now requires Python 2.5 + * Documentation: write an index (index.rst) and an user guide (usage.rst) + * Replay script: copy HOME environment for GDB and catch setuid() error + * fusil-firefox: support more file formats (bmp, gif, ico, png, svg), create + --test command line option, write the HTML page into index.html file + * fusil-python: write errors to stderr (instead of stdout) to avoid unicode + error (especially with Python3) + * FileWatch: rename the session with "long_output" if the program wrote more + than max_nbline lines + * fusil-python: blacklist posix.fork() to avoid false positive + * If the process is killed by a signal, rename the session using the + signal name (already worked if the debugger was disabled) + +Developer changes: + + * MangleAgent supports multiple input files + * Create DummyMangle: agent with MangleFile API but don't touch file content + to test the fuzzer + * Network: close() method of NetworkClient and ServerClient use + shutdown(SHUT_RDWR) + * NetworkServer uses a backlog of 5 clients for socket.listen() (instead of 1) + +Bugfixes: + + * Fix Directory.rmtree() and replay script for Python 3.0 + * Fix ServerClient.sendBytes(): use socket.send() result to get the next + data offset + +Fusil 1.1 (2008-10-22) +---------------------- + +User visible changes: + * replay.py: ask confirmation if the fuzzer will not be running under a + different user or as root + * Even with --force-unsafe, show safety warning if the fuzzer is + running as the root user + * Close files for child processes (close_fds=True) + * Fix directory.rmtree() for Python 3.0 final + +Developer changes: + * Create IntegerRangeGenerator in fusil.unicode_generator + * Create EnvVarIntegerRange in fusil.process.env + * Create fusil-wizzard fuzzer + * Write timestamp in session.log + * Add session() method to ProjectAgent + * Add NAME attribute to a fuzzer, reused to choose the project directory name + +Bugfixes: + * Fix Debugger.processSignal(): use the process agent to send the message + (session_rename) since the debugger agent may be disabled + * Fix replay.py: quote gdb arguments escape quote and antislash characters + (eg. "text=\"Hello\\n\".") + * replay.py uses /dev/null for stdin as Fusil does + * FileWatch: open file in binary mode to use bytes in Python3 + +Fusil 1.0 final (2008-09-13) +---------------------------- + +Visible changes: + + * Create fusil-zzuf fuzzer (use the zzuf library) + * Create fusil-vlc fuzzer (VLC media player) + * For each session, generate a Python script (replay.py) to replay the + session. The script can run the target in gdb, valgrind or gdb.py + (python-ptrace debugger), with many options (--user, --limit, etc.) + * Create --force-unsafe option, like --unsafe without the confirmation + * CreateProcess is now a probe (with a score): if the debugger catchs a + fatal signal, the session stops + * Always use a null device as stdin for child processes to avoid blocking the + fuzzer if the process reads stdin (eg. call getchar()) + * Write the created process identifier in the logs + +Developer: + + * Create EnvVarIntegerRange: environment variable with an integer value + in a fixed range + * Changes to get a minimal Windows support: disable "change user/group" + feature on Windows; remove log file before removing the project directory; + use ":NUL" instead of /dev/null for null input/output + * On setupProject() error, make sure that the project is cleaned + * Close stdout files (input and output) at process exit (fix needed + by Windows) + * Rename long2raw() to uint2bytes(), and bytes2long() to bytes2uint() + * Normalize score that make sure that a probe score is in range [-1; +1] + and so that score*weight is in range[-weight; +weight] + * CodeC: remove method lines(), writeCode() is renamed writeIntoFile(), + use unicode strings (instead of byte strings) + * Remove StdoutFile class, code merged in CreateProcess + diff --git a/IDEAS b/IDEAS new file mode 100644 index 0000000..0be0aa9 --- /dev/null +++ b/IDEAS @@ -0,0 +1,54 @@ +Reuse existing libraries and projects +===================================== + + * http://www.nongnu.org/failmalloc/ + + +Ideas to crash programs +======================= + + * Don't create stdin, stdout or stderr to check if first open file gets file descriptor #0 + * Continue to analyze gettext :-) + * write C library to inject errors in libc calls (eg. malloc() failure) + + * Generate [http://michael-prokop.at/blog/2007/06/12/error-handling-enospc/ ENOSPC] errors? + * file: open(), close(), read(), write() + * directory: opendir(), chdir() + * memory: malloc(), realloc(), calloc() + * network: socket(), setsockopt() + * time: time(), gettimeofday() + http://software.inl.fr/trac/trac.cgi/wiki/Macfly + + * network socket proxy fuzzer + +Signals +------- + +Send signals like SIGINT, SIGTERM, SIGSTOP, SIGUSR1, SIGUSR2. + +Old bugs: + * broken pipe (SIGPIPE) + https://bugzilla.mindrot.org/show_bug.cgi?id=85 + * libc deadlock + http://sourceware.org/bugzilla/show_bug.cgi?id=838 + * openssh pre-authentification denial of service + https://bugzilla.mindrot.org/show_bug.cgi?id=1129 + + +Score +===== + + * Code coverage: + + * gcov: http://gcc.gnu.org/onlinedocs/gcc/Gcov.html + * Valgrind: http://www.valgrind.org/ Valgrind + * DynamoRio: http://www.cag.lcs.mit.edu/dynamorio/ + + * Check invalid use of memory using Valgrind (or any memory checker tool) + * increment score if one of these function is called: + + - fgets(), memcpy(), strcpy() + - input comes from user (?) + - bytes read by the program + - memory usage + diff --git a/INSTALL b/INSTALL new file mode 100644 index 0000000..73636fe --- /dev/null +++ b/INSTALL @@ -0,0 +1,51 @@ +Fusil dependencies +================== + + * Python 2.6+ + http://python.org/ + * python-ptrace 0.7+ + http://python-ptrace.hachoir.org/ + * GCC needed by compileC() function from fusil.c_tools: + http://gcc.gnu.org/ + +Optional dependencies: + + * rst2html program, part of docutils Python project + Debian package: python-docutils + http://docutils.sourceforge.net/ + * Xlib Python module, required by fusil.xlib module + and used by fusil-firefox: + http://python-xlib.sourceforge.net/ + +Running on Windows: + + * win32api for Python: + http://starship.python.net/crew/mhammond/win32/ + + +Projects dependencies +===================== + +Each project may require external program or special environment: + + * Linux operating system: *linux_ioctl* and *linux_syscall* projects are specific + to Linux + * Mplayer program: needed by *mplayer* project + * MySQL server and MySQL command line client: needed by *mysql* project + * etc. + + +Installation +============ + +Fusil uses the user "fusil" and the group "fusil" to run child processes to +avoid remove an arbitrary file or kill an arbitrary process. + +Type as root: + + ./setup.py install + +Or using sudo program: + + sudo python setup.py install + diff --git a/MANIFEST.in b/MANIFEST.in new file mode 100644 index 0000000..f770ff0 --- /dev/null +++ b/MANIFEST.in @@ -0,0 +1,21 @@ +include AUTHORS +include ChangeLog +include COPYING +include doc/*.rst +include doc/Makefile +include examples/good-bye-world* +include examples/hello-world* +include examples/xterm* +include fuzzers/notworking/fusil-* +include graph.sh +include IDEAS +include INSTALL +include lsall.sh +include pyflakes.sh +include MANIFEST.in +include README +include README.windows.txt +include test_doc.py +include tests/*.rst +include tests/cmd_help/*.help +include TODO diff --git a/PKG-INFO b/PKG-INFO new file mode 100644 index 0000000..291bf31 --- /dev/null +++ b/PKG-INFO @@ -0,0 +1,259 @@ +Metadata-Version: 1.1 +Name: fusil +Version: 1.5 +Summary: Fuzzing framework +Home-page: http://bitbucket.org/haypo/fusil/wiki/Home +Author: Victor Stinner +Author-email: UNKNOWN +License: GNU GPL v2 +Download-URL: http://bitbucket.org/haypo/fusil/wiki/Home +Description: Fusil is a Python library used to write fuzzing programs. It helps to start + process with a prepared environment (limit memory, environment variables, + redirect stdout, etc.), start network client or server, and create mangled + files. Fusil has many probes to detect program crash: watch process exit code, + watch process stdout and syslog for text patterns (eg. "segmentation fault"), + watch session duration, watch cpu usage (process and system load), etc. + + Fusil is based on a multi-agent system architecture. It computes a session + score used to guess fuzzing parameters like number of injected errors to input + files. + + Available fuzzing projects: ClamAV, Firefox (contains an HTTP server), + gettext, gstreamer, identify, libc_env, libc_printf, libexif, linux_syscall, + mplayer, php, poppler, vim, xterm. + + Website: http://bitbucket.org/haypo/fusil/wiki/Home + + + Usage + ===== + + Fusil is a library and a set of fuzzers called "fusil-...". To run a fuzzer, + call it by its name. Example: :: + + $ fusil-gettext + Fusil version 0.9.1 -- GNU GPL v2 + http://bitbucket.org/haypo/fusil/wiki/Home + (...) + [0][session 13] Start session + [0][session 13] ------------------------------------------------------------ + [0][session 13] PID: 16989 + [0][session 13] Signal: SIGSEGV + [0][session 13] Invalid read from 0x0c1086e0 + [0][session 13] - instruction: CMP EDX, [EAX] + [0][session 13] - mapping: 0x0c1086e0 is not mapped in memory + [0][session 13] - register eax=0x0c1086e0 + [0][session 13] - register edx=0x00000019 + [0][session 13] ------------------------------------------------------------ + [0][session 13] End of session: score=100.0%, duration=3.806 second + (...) + Success 1/1! + Project done: 13 sessions in 5.4 seconds (414.5 ms per session), total 5.9 seconds, aggresssivity: 19.0% + Total: 1 success + Keep non-empty directory: /home/haypo/prog/SVN/fusil/trunk/run-3 + + + Features + ======== + + Why using Fusil instead your own hand made C script? + + * Fusil limits child process environment: limit memory, use timeout, make + sure that process is killed on session end + * Fusil waits until system load is load before starting a fuzzing session + * Fusil creates a session directory used as the process current working + directory and Fusil only creates files in this directory (and not in /tmp) + * Fusil stores all actions in fusil.log but also session.log for all + actions related of a session + * Fusil has multiple available probes to compute session score: guess if + a sessions is a succes or not + * Fusil redirects process output to a file and searchs bug text patterns + in the stdout/stderr (Fusil contains many text patterns to detect crashes + and problems) + + + Installation + ============ + + Read INSTALL documentation file. + + + Documentation + ============= + + Read doc/index.rst: documentation index. + + Changelog + ========= + + Fusil 1.5 (2013-03-05) + ---------------------- + + * experimental Python 3.3 support with the same code base; python 2.5 is no + more supported + * fusil-python: generate buffer objects and Unicode strings with surrogate + characters + * Change the default process memory limit from 100 MB to 500 MB + + Fusil 1.4 (2011-02-16) + ---------------------- + + * Python 3 support + * fusil-python: + + - improve function listing all Python modules: use sys.builtin_module_names + and pkgutil.iter_modules() + - blacklist more modules, classes and functions + + Fusil 1.3.2 (2010-01-09) + ------------------------ + + * replay.py: set sys.path to ease the usage of Fusil without installing it + * Fix fusil-gettext: ignore strace errors in locateMO() + * fusil-python: + + - hide Python warnings + - listAllModules() includes builtin modules + - new option --only-c to test only modules written in C + - fix memory leak: unload tested modules + - fix getFunctions(): use also isclass() to detect classes + + * Disable Fusil process maximum memory limit + + Fusil 1.3.1 (2009-11-09) + ------------------------ + + * fusil-python: autodiscover all modules instead of using a static list of + modules, catch any exception when loading a module, only fuzz public + functions (use module.__all__) + * FileWatch: ignore duplicate parts on session rename + * Remove session name parts duplicate (eg. "pickle-error-error" => + "picke-error") + * replay.py: don't redirect stdin to /dev/null if --ptrace is used + * CPU probe: set max duration from 3 to 10 seconds (and rename the session on + success) + + Fusil 1.3 (2009-09-18) + ---------------------- + + * Create fusil-gimp + * Remove charset from WriteCode: use builtin open() instead codecs.open() + because files created by open() are much faster + * Optimize FileWatch: don't recompile patterns at each session + * fusil now depends on python-ptrace 0.6 + * Don't use close_fds argument of subprocess.Popen() on Windows + * Fix configuration reader: normal_calm_load, normal_calm_sleep, + slow_calm_load, slow_calm_sleep keys global options are float, not integer + * Project website moved to http://bitbucket.org/haypo/fusil/wiki/Home + * FileWatch uses the pattern to rename the session + + Fusil 1.2.1 (2009-02-06) + ------------------------ + + * Fix mangle agent of the Image Magick fuzzer + * Fix AttachProcessPID() probe: stop the probe at process exit + + Fusil 1.2 (2009-02-04) + ---------------------- + + User visible changes: + + * Fusil now requires Python 2.5 + * Documentation: write an index (index.rst) and an user guide (usage.rst) + * Replay script: copy HOME environment for GDB and catch setuid() error + * fusil-firefox: support more file formats (bmp, gif, ico, png, svg), create + --test command line option, write the HTML page into index.html file + * fusil-python: write errors to stderr (instead of stdout) to avoid unicode + error (especially with Python3) + * FileWatch: rename the session with "long_output" if the program wrote more + than max_nbline lines + * fusil-python: blacklist posix.fork() to avoid false positive + * If the process is killed by a signal, rename the session using the + signal name (already worked if the debugger was disabled) + + Developer changes: + + * MangleAgent supports multiple input files + * Create DummyMangle: agent with MangleFile API but don't touch file content + to test the fuzzer + * Network: close() method of NetworkClient and ServerClient use + shutdown(SHUT_RDWR) + * NetworkServer uses a backlog of 5 clients for socket.listen() (instead of 1) + + Bugfixes: + + * Fix Directory.rmtree() and replay script for Python 3.0 + * Fix ServerClient.sendBytes(): use socket.send() result to get the next + data offset + + Fusil 1.1 (2008-10-22) + ---------------------- + + User visible changes: + * replay.py: ask confirmation if the fuzzer will not be running under a + different user or as root + * Even with --force-unsafe, show safety warning if the fuzzer is + running as the root user + * Close files for child processes (close_fds=True) + * Fix directory.rmtree() for Python 3.0 final + + Developer changes: + * Create IntegerRangeGenerator in fusil.unicode_generator + * Create EnvVarIntegerRange in fusil.process.env + * Create fusil-wizzard fuzzer + * Write timestamp in session.log + * Add session() method to ProjectAgent + * Add NAME attribute to a fuzzer, reused to choose the project directory name + + Bugfixes: + * Fix Debugger.processSignal(): use the process agent to send the message + (session_rename) since the debugger agent may be disabled + * Fix replay.py: quote gdb arguments escape quote and antislash characters + (eg. "text=\"Hello\\n\".") + * replay.py uses /dev/null for stdin as Fusil does + * FileWatch: open file in binary mode to use bytes in Python3 + + Fusil 1.0 final (2008-09-13) + ---------------------------- + + Visible changes: + + * Create fusil-zzuf fuzzer (use the zzuf library) + * Create fusil-vlc fuzzer (VLC media player) + * For each session, generate a Python script (replay.py) to replay the + session. The script can run the target in gdb, valgrind or gdb.py + (python-ptrace debugger), with many options (--user, --limit, etc.) + * Create --force-unsafe option, like --unsafe without the confirmation + * CreateProcess is now a probe (with a score): if the debugger catchs a + fatal signal, the session stops + * Always use a null device as stdin for child processes to avoid blocking the + fuzzer if the process reads stdin (eg. call getchar()) + * Write the created process identifier in the logs + + Developer: + + * Create EnvVarIntegerRange: environment variable with an integer value + in a fixed range + * Changes to get a minimal Windows support: disable "change user/group" + feature on Windows; remove log file before removing the project directory; + use ":NUL" instead of /dev/null for null input/output + * On setupProject() error, make sure that the project is cleaned + * Close stdout files (input and output) at process exit (fix needed + by Windows) + * Rename long2raw() to uint2bytes(), and bytes2long() to bytes2uint() + * Normalize score that make sure that a probe score is in range [-1; +1] + and so that score*weight is in range[-weight; +weight] + * CodeC: remove method lines(), writeCode() is renamed writeIntoFile(), + use unicode strings (instead of byte strings) + * Remove StdoutFile class, code merged in CreateProcess + + +Platform: UNKNOWN +Classifier: Intended Audience :: Developers +Classifier: Development Status :: 5 - Production/Stable +Classifier: Environment :: Console +Classifier: License :: OSI Approved :: GNU General Public License (GPL) +Classifier: Operating System :: OS Independent +Classifier: Natural Language :: English +Classifier: Programming Language :: Python +Classifier: Programming Language :: Python :: 3 diff --git a/README b/README new file mode 100644 index 0000000..47bbf3a --- /dev/null +++ b/README @@ -0,0 +1,76 @@ +Fusil is a Python library used to write fuzzing programs. It helps to start +process with a prepared environment (limit memory, environment variables, +redirect stdout, etc.), start network client or server, and create mangled +files. Fusil has many probes to detect program crash: watch process exit code, +watch process stdout and syslog for text patterns (eg. "segmentation fault"), +watch session duration, watch cpu usage (process and system load), etc. + +Fusil is based on a multi-agent system architecture. It computes a session +score used to guess fuzzing parameters like number of injected errors to input +files. + +Available fuzzing projects: ClamAV, Firefox (contains an HTTP server), +gettext, gstreamer, identify, libc_env, libc_printf, libexif, linux_syscall, +mplayer, php, poppler, vim, xterm. + +Website: http://bitbucket.org/haypo/fusil/wiki/Home + + +Usage +===== + +Fusil is a library and a set of fuzzers called "fusil-...". To run a fuzzer, +call it by its name. Example: :: + + $ fusil-gettext + Fusil version 0.9.1 -- GNU GPL v2 + http://bitbucket.org/haypo/fusil/wiki/Home + (...) + [0][session 13] Start session + [0][session 13] ------------------------------------------------------------ + [0][session 13] PID: 16989 + [0][session 13] Signal: SIGSEGV + [0][session 13] Invalid read from 0x0c1086e0 + [0][session 13] - instruction: CMP EDX, [EAX] + [0][session 13] - mapping: 0x0c1086e0 is not mapped in memory + [0][session 13] - register eax=0x0c1086e0 + [0][session 13] - register edx=0x00000019 + [0][session 13] ------------------------------------------------------------ + [0][session 13] End of session: score=100.0%, duration=3.806 second + (...) + Success 1/1! + Project done: 13 sessions in 5.4 seconds (414.5 ms per session), total 5.9 seconds, aggresssivity: 19.0% + Total: 1 success + Keep non-empty directory: /home/haypo/prog/SVN/fusil/trunk/run-3 + + +Features +======== + +Why using Fusil instead your own hand made C script? + + * Fusil limits child process environment: limit memory, use timeout, make + sure that process is killed on session end + * Fusil waits until system load is load before starting a fuzzing session + * Fusil creates a session directory used as the process current working + directory and Fusil only creates files in this directory (and not in /tmp) + * Fusil stores all actions in fusil.log but also session.log for all + actions related of a session + * Fusil has multiple available probes to compute session score: guess if + a sessions is a succes or not + * Fusil redirects process output to a file and searchs bug text patterns + in the stdout/stderr (Fusil contains many text patterns to detect crashes + and problems) + + +Installation +============ + +Read INSTALL documentation file. + + +Documentation +============= + +Read doc/index.rst: documentation index. + diff --git a/README.windows.txt b/README.windows.txt new file mode 100644 index 0000000..30c3df2 --- /dev/null +++ b/README.windows.txt @@ -0,0 +1,16 @@ +Status of Windows support +========================= + +Windows support of Fusil is minimal. No fuzzer works because all depends on +programs missing on Windows (eg. strace for fusil-gettext). + +TODO +==== + + * SUPPORT_UID: Run child process as a different user/group + * Create replay.bat (instead of replay.sh) + * CreateProcess: write workaround for preexec_fn + * Implement functions in fusil.process.tools (eg. limitMemory()) + * Implement AttachProcessPID.checkAlive() + * Implement searching a process for AttachProcessPID + diff --git a/TODO b/TODO new file mode 100644 index 0000000..8c220db --- /dev/null +++ b/TODO @@ -0,0 +1,13 @@ +Fusil TODO list +=============== + + * setup.py: run 2to3 on docstrings and rst files ("2to3 -w -d . doc/*.rst + tests/*.rst"). See also python3.0.rst + * replay.py is unable to open a file as stdin, required by fusil-gimp + * Factorize code responsible to rename the session on process exit + (share code between Debugger and CreateProcess) + * Protect the terminal using setsid(), setpgrp(), or setpgid() + * Use initgroups() in CreateProcess? + * Remove the class WatchProcess: move code to CreateProcess to avoid duplicate + events (agent score) and duplicate code + diff --git a/setup.cfg b/setup.cfg new file mode 100644 index 0000000..861a9f5 --- /dev/null +++ b/setup.cfg @@ -0,0 +1,5 @@ +[egg_info] +tag_build = +tag_date = 0 +tag_svn_revision = 0 + diff --git a/setup.py b/setup.py new file mode 100644 index 0000000..960b863 --- /dev/null +++ b/setup.py @@ -0,0 +1,89 @@ +#!/usr/bin/env python + +# Todo list to prepare a release: +# - hg in # check that there is no incoming changes +# - run: ./pyflakes.sh +# - run: ./test_doc.py +# - run: sudo bash -c "PYTHONPATH=$PWD ./fuzzers/fusil-gettext" +# - edit fusil/version.py: check/set version +# - edit ChangeLog: set release date +# - hg ci +# - hg tag fusil-x.y +# - hg push +# - ./setup.py sdist register upload +# - upload the tarball to Python Package Index +# - update the website home page (url, md5 and news) +# +# After the release: +# - edit fusil/version.py: set version to n+1 +# - edit ChangeLog: add a new empty section for version n+1 +# - hg ci +# - hg push + +from imp import load_source +from os import path +from sys import argv +from glob import glob + +CLASSIFIERS = [ + 'Intended Audience :: Developers', + 'Development Status :: 5 - Production/Stable', + 'Environment :: Console', + 'License :: OSI Approved :: GNU General Public License (GPL)', + 'Operating System :: OS Independent', + 'Natural Language :: English', + 'Programming Language :: Python', + 'Programming Language :: Python :: 3', +] + +MODULES = ( + "fusil", + "fusil.linux", + "fusil.mas", + "fusil.network", + "fusil.process", +) + +SCRIPTS = glob("fuzzers/fusil-*") + +def main(): + if "--setuptools" in argv: + argv.remove("--setuptools") + from setuptools import setup + use_setuptools = True + else: + from distutils.core import setup + use_setuptools = False + + fusil = load_source("version", path.join("fusil", "version.py")) + PACKAGES = {} + for name in MODULES: + PACKAGES[name] = name.replace(".", "/") + + with open('README') as fp: + long_description = fp.read() + with open('ChangeLog') as fp: + long_description += fp.read() + + install_options = { + "name": fusil.PACKAGE, + "version": fusil.VERSION, + "url": fusil.WEBSITE, + "download_url": fusil.WEBSITE, + "author": "Victor Stinner", + "description": "Fuzzing framework", + "long_description": long_description, + "classifiers": CLASSIFIERS, + "license": fusil.LICENSE, + "packages": list(PACKAGES.keys()), + "package_dir": PACKAGES, + "scripts": SCRIPTS, + } + + if use_setuptools: + install_options["install_requires"] = ["python-ptrace>=0.7"] + setup(**install_options) + +if __name__ == "__main__": + main() +