Add Qiling and Unicorn crusher examples

Examples/Crusher/Linux/qiling/README.md

@@ -0,0 +1,9 @@
+## Установка
+
+Необходимо дополнительно установить поддержку qiling/unicorn в python фаззера, см. пункт _Частичная
+эмуляция с помощью Unicorn/Qiling_ в документации к Crusher.
+
+## Лицензия
+
+Данный пример взят из [репозитория qiling](https://github.com/qilingframework/qiling), поэтому тоже
+поставляется под лицензией GPL2

Examples/Crusher/Linux/qiling/fuzz.c

@@ -0,0 +1,27 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+// Program that will crash easily.
+#define SIZE (10)
+
+int fun(int i)
+{
+    char *buf = malloc(SIZE);
+    char buf2[SIZE];
+
+    while (*buf = getc(stdin) == 'A')
+    {
+        buf[i++] = *buf;
+    }
+
+    strncpy(buf2, buf, i);
+    printf(buf2);
+
+    return 0;
+}
+
+int main(int argc, char **argv)
+{
+    return fun(argc);
+}

Examples/Crusher/Linux/qiling/fuzz.sh

@@ -0,0 +1,23 @@
+#!/bin/bash
+
+if [[ "$#" -ne 4 ]]; then
+    echo "Error: not enough arguments"
+    echo "Usage: ./fuzz.sh -f <path/to/crusher/bin_x86-64/fuzz_manager> -c <cores count>"
+    exit 1
+fi
+
+FUZZMANAGER=$2
+CORES=$4
+
+clean_result () {
+    rm -f -r out
+}
+
+echo ""
+echo "Qiling fuzzing"
+echo ""
+clean_result
+
+COMMAND="$FUZZMANAGER --start $CORES --eat-cores 1 --dse-cores 0 -i in -o out -I qiling -T partemu -- ./fuzz_x8664_linux.py @@"
+echo $COMMAND
+$COMMAND

Examples/Crusher/Linux/qiling/fuzz_x8664_linux.py

@@ -0,0 +1,83 @@
+#!/usr/bin/env python3
+
+import functools
+import os
+
+from qiling import Qiling
+from qiling.const import QL_VERBOSE
+from qiling.os.posix import stat
+
+from crusher_qiling import QilingInstrumentation, read_path_arguments
+
+
+class MyPipe:
+    """Fake stdin to handle incoming fuzzed keystrokes."""
+
+    def __init__(self):
+        self.buf = b""
+
+    def write(self, s: bytes):
+        self.buf += s
+
+    def read(self, size: int) -> bytes:
+        ret = self.buf[:size]
+        self.buf = self.buf[size:]
+
+        return ret
+
+    def fileno(self) -> int:
+        return 0
+
+    def show(self):
+        pass
+
+    def clear(self):
+        pass
+
+    def flush(self):
+        pass
+
+    def close(self):
+        self.outpipe.close()
+
+    def lseek(self, offset: int, origin: int):
+        pass
+
+    def fstat(self):
+        return stat.Fstat(self.fileno())
+
+
+def place_input_callback(instrumentation: QilingInstrumentation, stdin_mock: MyPipe):
+    """Called with every newly generated input."""
+    stdin_mock.write(instrumentation.cur_input)
+
+
+stdin_mock = MyPipe()
+
+ql = Qiling(
+    ["./x8664_fuzz"],
+    "./rootfs",
+    verbose=QL_VERBOSE.OFF,  # keep qiling logging off
+    console=False,  # thwart program output
+    stdin=stdin_mock,  # redirect stdin to our fake one
+    stdout=None,
+    stderr=None,
+)
+
+args = read_path_arguments()
+instrumentation = QilingInstrumentation(args.input_path, [ql.os.exit_point], args.lighthouse)
+
+# get image base address
+ba = ql.loader.images[0].base
+
+# make process crash whenever __stack_chk_fail@plt is about to be called.
+# this way afl will count stack protection violations as crashes
+ql.hook_address(callback=lambda x: os.abort(), address=ba + 0x1225)
+
+# set a hook on main() to let unicorn fork and start instrumentation
+ql.hook_address(callback=instrumentation.start_fuzzing_hook, address=ba + 0x122C)
+
+instrumentation.set_input_callback(functools.partial(place_input_callback, stdin_mock=stdin_mock))
+
+# okay, ready to roll
+instrumentation.run(ql)

Examples/Crusher/Linux/qiling/in/a

@@ -0,0 +1 @@
+A

Examples/Crusher/Linux/unicorn/README.md

@@ -0,0 +1,4 @@
+## Установка
+
+Необходимо дополнительно установить поддержку qiling/unicorn в python фаззера, см. пункт _Частичная
+эмуляция с помощью Unicorn/Qiling_ в документации к Crusher.

Examples/Crusher/Linux/unicorn/c/Makefile

@@ -0,0 +1,46 @@
+# UnicornAFL Usage
+# Original Unicorn Example Makefile by Nguyen Anh Quynh <[email protected]>, 2015
+# Adapted for AFL++ by domenukk <[email protected]>, 2020
+.POSIX:
+UNAME_S =$(shell uname -s)# GNU make
+UNAME_S:sh=uname -s       # BSD make
+_UNIQ=_QINU_
+
+BIN_EXT =
+AR_EXT = a
+
+# Verbose output?
+V ?= 0
+
+CFLAGS += -Wall -Werror -I$(UNICORNAFL_DIR)/include
+
+LDFLAGS += -L$(UNICORNAFL_DIR) -lpthread -lm
+
+_LRT = $(_UNIQ)$(UNAME_S:Linux=)
+__LRT = $(_LRT:$(_UNIQ)=-lrt)
+LRT = $(__LRT:$(_UNIQ)=)
+
+LDFLAGS += $(LRT)
+
+_CC = $(_UNIQ)$(CROSS)
+__CC = $(_CC:$(_UNIQ)=$(CC))
+MYCC = $(__CC:$(_UNIQ)$(CROSS)=$(CROSS)gcc)
+
+.PHONY: all clean
+
+all: harness
+
+clean:
+	rm -rf *.o harness harness-debug
+
+harness.o: harness.c $(UNICORNAFL_DIR)/include/unicorn/*.h
+	${MYCC} ${CFLAGS} -O3 -c harness.c
+
+harness-debug.o: harness.c $(UNICORNAFL_DIR)/include/unicorn/*.h
+	${MYCC} ${CFLAGS} -g -c harness.c -o $@
+
+harness: harness.o
+	${MYCC} -L${UNICORNAFL_DIR} harness.o $(UNICORNAFL_DIR)/libunicornafl.a $(LDFLAGS) -o $@
+
+debug: harness-debug.o
+	${MYCC} -L${UNICORNAFL_DIR} harness.o $(UNICORNAFL_DIR)/libunicornafl.a $(LDFLAGS) -o harness-debug

Examples/Crusher/Linux/unicorn/c/fuzz.sh

@@ -0,0 +1,23 @@
+#!/bin/bash
+
+if [[ "$#" -ne 4 ]]; then
+    echo "Error: not enough arguments"
+    echo "Usage: ./fuzz.sh -f <path/to/crusher/bin_x86-64/fuzz_manager> -c <cores count>"
+    exit 1
+fi
+
+FUZZMANAGER=$2
+CORES=$4
+
+clean_result () {
+    rm -f -r out
+}
+
+echo ""
+echo "Unicorn c harness example"
+echo ""
+clean_result
+
+COMMAND="$FUZZMANAGER --start $CORES --eat-cores 1 --dse-cores 0 -i in -o out -I unicorn -T partemu -- ./harness @@"
+echo $COMMAND
+$COMMAND