add new examples: (#48)

Examples/Crusher/Linux/OpenSSL_mod_client/client.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+./client/openssl-clean s_client -tls1_2 -connect 127.0.0.1:4444 -legacy_renegotiation

Examples/Crusher/Linux/OpenSSL_mod_client/client/client.patch

@@ -0,0 +1,123 @@
+diff --git a/apps/s_client.c b/apps/s_client.c
+index a6c5a559a9..e4b2b34856 100644
+--- a/apps/s_client.c
++++ b/apps/s_client.c
+@@ -48,6 +48,42 @@ typedef unsigned int u_int;
+ #include "timeouts.h"
+ #include "internal/sockets.h"
+
++#include <openssl/rand.h>
++
++static int fuzz_bytes(unsigned char *buf, int num)
++{
++    unsigned char val = 1;
++
++    while (--num >= 0)
++        *buf++ = val++;
++    return 1;
++}
++
++static int fuzz_status(void)
++{
++    return 1;
++}
++
++static RAND_METHOD fuzz_rand_method = {
++        NULL,
++        fuzz_bytes,
++        NULL,
++        NULL,
++        fuzz_bytes,
++        fuzz_status
++};
++
++void FuzzerSetRand(void)
++{
++    RAND_set_rand_method(&fuzz_rand_method);
++}
++
++// client state flags
++uint8_t hs_done = 0;
++uint8_t reneg_start = 0;
++uint8_t reneg_done = 0;
++//
++
+ #if defined(__has_feature)
+ # if __has_feature(memory_sanitizer)
+ #  include <sanitizer/msan_interface.h>
+@@ -840,8 +876,19 @@ static int new_session_cb(SSL *s, SSL_SESSION *sess)
+     return 0;
+ }
+
++#include "../../mod-client-api/mod-client-api.h"
++
++#include <signal.h>
++
++void sig_handler(int signum){
++  printf("SIGALARM handler - exit\n");
++  exit(0);
++}
++
+ int s_client_main(int argc, char **argv)
+ {
++    signal(SIGALRM, sig_handler);
++
+     BIO *sbio;
+     EVP_PKEY *key = NULL;
+     SSL *con = NULL;
+@@ -2167,6 +2214,12 @@ int s_client_main(int argc, char **argv)
+     if (tfo)
+         BIO_printf(bio_c_out, "Connecting via TFO\n");
+  re_start:
++    custom_fork_server();
++
++    FuzzerSetRand();
++
++    ualarm(100000, 25000);
++
+     if (init_client(&sock, host, port, bindhost, bindport, socket_family,
+                     socket_type, protocol, tfo, !isquic, &peer_addr) == 0) {
+         BIO_printf(bio_err, "connect:errno=%d\n", get_last_socket_error());
+@@ -2924,6 +2977,8 @@ int s_client_main(int argc, char **argv)
+                 }
+
+                 print_stuff(bio_c_out, con, full_log);
++                hs_done = 1;
++
+                 if (full_log > 0)
+                     full_log--;
+
+@@ -3886,6 +3941,14 @@ static int user_data_execute(struct user_data_st *user_data, int cmd, char *arg)
+ static int user_data_process(struct user_data_st *user_data, size_t *len,
+                              size_t *off)
+ {
++
++    if (hs_done && !reneg_done) {
++        reneg_done = 1;
++        return user_data_execute(user_data, USER_COMMAND_RENEGOTIATE, NULL);
++    } if (reneg_done) {
++        return user_data_execute(user_data, USER_COMMAND_QUIT, NULL);
++    }
++
+     char *buf_start = user_data->buf + user_data->bufoff;
+     size_t outlen = user_data->buflen;
+
+diff --git a/crypto/packet.c b/crypto/packet.c
+index ac5c2e33f8..147dc1f563 100644
+--- a/crypto/packet.c
++++ b/crypto/packet.c
+@@ -207,9 +207,14 @@ int WPACKET_set_flags(WPACKET *pkt, unsigned int flags)
+     return 1;
+ }
+
++#include "../../mod-client-api/mod-client-api.h"
++
+ /* Store the |value| of length |len| at location |data| */
+ static int put_value(unsigned char *data, uint64_t value, size_t len)
+ {
++
++    value = mutate_int(value, len);
++
+     if (data == NULL)
+         return 1;
+

Examples/Crusher/Linux/OpenSSL_mod_client/client/mod-client-api/mod-client-api.h

@@ -0,0 +1,8 @@
+#include <stdint.h>
+
+// fork
+void custom_fork_server();
+
+// mut
+uint64_t mutate_int(uint64_t value, size_t len);
+void mutate_buf(void *buf, uint32_t *len);

Examples/Crusher/Linux/OpenSSL_mod_client/config.json

@@ -0,0 +1,27 @@
+{
+	"manager-options": {
+		"--dse-cores": 0,
+		"--wait-next-instance": 200,
+		"-t": 400
+	},
+
+	"instance-options": {
+		"-I": "StaticForkSrv",
+		"--redirect-stdin-off": true,
+		"-T": "ModClient",
+		"--mod-client": "./plugins/client.py",
+		"--port": "__free_port",
+		"--delay": 20,
+		"--configurator-script": "./plugins/conf.py"
+	},
+
+	"fuzz-options": {
+		"--eat-sync": true
+	},
+
+	"eat-options": {
+		"--no-valgrind": true,
+		"--no-drmemory": true,
+		"--no-crash-critical": true
+	}
+}

Examples/Crusher/Linux/OpenSSL_mod_client/keys/cert.pem

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDazCCAlOgAwIBAgIUSiJcBN4JS1gHVIgP3OFXboGQc3UwDQYJKoZIhvcNAQEL
+BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
+GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMjEwMTYxMzU5MzZaFw0zMjEw
+MTMxMzU5MzZaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
+HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQCsB6BqCFfWZuBrb3PAD06Q8CVH2HmXm5mLiSxCyJyJ
+2vWxYvOgqiupx1M/Zp5kQCptTSXKBUmxObkA5LHP8h31/9SAYDRdItcCnRYuCkX4
+Dk3HXCio1HQuQAPDeaiMftb3UcXNve8mX9fkFcdcOQV/NPE8URZ6669uSmuIEp39
+dG8g87PLQTdcNYBlhsL1JA3rqWWR1/ITu7N8JyJkZeQIsnFzYTAJnzJKqfUFZB9o
+KRkAP5QgDfG1NnZa4Oy3pZQEQIwg1BiXkVQJk5UxJBIs9a7SSM35Qk9x/haPVuKp
+tsngV287UA+MFyy8e+Rgr8EygiDrSmyy5UeK1DLBZOWDAgMBAAGjUzBRMB0GA1Ud
+DgQWBBSq6UTh+ktm2E6gxdcS/Y7w8aqUXDAfBgNVHSMEGDAWgBSq6UTh+ktm2E6g
+xdcS/Y7w8aqUXDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCB
+4UBAEKPboY9EHATwvDYXJ7c4SFUI6mKJVdhCWUtnbUoGGH1V7g+VYC7GprCjQl+i
+GT/PP7k2ZIK1Xd6qbsVgGI6Kw16D/+wChTW707n9ZqJnsGu3qNj0ZGhR1BgD8/So
+DF06umPaSNf1ApyKEWzm/Utfbgzd/WP022+hakm6/h81j9MSkO54H0T0jgfTrAeb
+ttNvfUpOj0U25TC7N7t5ak8AQ7yrsUWYmch0OwleOxnp1XI9FpdwNyQnvN+tyqUk
+h3DEsvq9/DD4G00prDB6yDQmwHuvzjSsnbCr31UUvN2MYfrkvJcMUaYnOi+VyR7T
+8bBd8yl8wkxtv+72HW0K
+-----END CERTIFICATE-----

Examples/Crusher/Linux/OpenSSL_mod_client/keys/key.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCsB6BqCFfWZuBr
+b3PAD06Q8CVH2HmXm5mLiSxCyJyJ2vWxYvOgqiupx1M/Zp5kQCptTSXKBUmxObkA
+5LHP8h31/9SAYDRdItcCnRYuCkX4Dk3HXCio1HQuQAPDeaiMftb3UcXNve8mX9fk
+FcdcOQV/NPE8URZ6669uSmuIEp39dG8g87PLQTdcNYBlhsL1JA3rqWWR1/ITu7N8
+JyJkZeQIsnFzYTAJnzJKqfUFZB9oKRkAP5QgDfG1NnZa4Oy3pZQEQIwg1BiXkVQJ
+k5UxJBIs9a7SSM35Qk9x/haPVuKptsngV287UA+MFyy8e+Rgr8EygiDrSmyy5UeK
+1DLBZOWDAgMBAAECggEAKQ1y3wrZp00KnijNJxagCZ99Tg1fSuozdKSJ/u/vx0gM
+3MV/3SXu4Ie0GourHcJgPZAtBe5IHTZoq0loE3c0ZimkdPRAWr9/Ltz814TVGLKV
+Jg+cllmI1iapn0LPkaONOhz2BrieMvqpQwFdf2kOIkKolNvG8ROAXGH/EkxbDooO
+8nPBc4JbFVrJNSdbiyo2yT0+X3DVVl6qD4g3teNgm736FQEiPxZXaEA5X3hd0kSX
+oU0HuRhDkYlmdpJa43rkXKs1J5fi/nK7wYa2wdMSzcWwRp1uOaesmSSvcqLGtyji
+/PBj9X2x6CHmImAkgOzbCnLT+jiNLXlRIwBRupggtQKBgQC18ixBZ0UOb5+oMXbt
+gIA5RMY08WDYgeLBhHV3xYCldGtJRRayp7dEqjhWzPByAihFJC4/JUHBoAP49K/g
+KsYRIbzEY0kS7H8Uptbo1wOknBNKvK0P5odh0JOFp9SOMnbhdXz7wg4cAj1jNKSU
+o0PudpQKz0em8NroORtWQSYhpwKBgQDyDDzSKxcVxOrroD4D4qigpiJOZg7VjdIY
+kfcqG4BpoqosvWZi5ONDYaSKFW1H0dFcFSa72PBeT8PtPVJYBXlQsFn1+Bwnnq8+
+5gge4k0z6MsMWc4+LI/TNMFmrPyoD/gN+GV7MYkAdugyEt+J7hA7aFx4fDOgekNs
+jFbsSCsAxQKBgQCRLXRcl49FjpHBff6cUc1+ZL8W3YdeGn2Z1hx4/jHBU5yLsUIE
+OckFVCFyOUKeZdRGHzF7lznZytmAm5V+dALpBpd9yI81N1nLW7jdvzsb7KGEH/qj
+VlmuFeSwYBM9h0zOZ5XbuKLTfIIJF6c/Jur8aseDvJM6xLKXW4HRmFhZvwKBgQCo
+OeMnuzUfNy6DN2sCrky+4tijHoGe4SOtWf2r8VNNl/WohLadczGUyk9efUfni6dz
+1WuHUV62Xb/xqhYKATvw3bCYqKmAy+RG1f+831IDCv/chKo4QiZwB5GHeCFd+UNR
+ClwVxDbQ8NOuwblFlwUHFSB3yPLkzTUBQ4TCUeI5dQKBgBqBO6jflmp9eaMERtQI
+i0OF4CifGg1yyLPD34n5B00sZ8uA2SgikVSBAiT1vvuNzhbEkzrUs26SyjGcAa4c
+Tq29KO6Q5ZFJ7p0T/iNq2UoWnYTlN0HMnvFVwCoMy255SWk2JbfCjY99KB3wf801
+lTzWke1bacJ5maCkyRClGzzA
+-----END PRIVATE KEY-----

Examples/Crusher/Linux/OpenSSL_mod_client/plugins/client.py

@@ -0,0 +1,37 @@
+from subprocess import Popen, PIPE
+import time
+from pathlib import Path
+import os
+
+
+def process_is_alive(pid):
+    """
+    Check if process is alive
+    """
+    try:
+        os.kill(pid, 0)
+    except OSError:
+        return False
+    return True
+
+
+work_dir = Path(os.getenv("WORK_DIR"))
+port = int(os.getenv("PORT"))
+
+target_dir = os.path.join(os.path.dirname(__file__), os.pardir)
+
+if __name__ == '__main__':
+    # Run client parent (only once)
+    client_parent_file = work_dir / "client_parent"
+    if not client_parent_file.exists() or True:
+        # TODO - clean ?
+        command = [f"{target_dir}/client/openssl-clean", "s_client", "-tls1_2", "-connect", f"127.0.0.1:{str(port)}", "-legacy_renegotiation"]
+        client = Popen(command, stdin=PIPE)
+        print(f"Client PID = {client.pid}")
+        client_parent_file.touch()
+
+        # TODO - fix
+        f = open(str(client_parent_file), "w")
+        f.write(str(client.pid))
+        f.close()
+

Examples/Crusher/Linux/OpenSSL_mod_client/plugins/conf.py

@@ -0,0 +1,44 @@
+"""
+This configurator script provides for firefox unique value of "-P" (profile) option.
+This avoids conflicts when multiple firefox instances are running.
+We assume that these profiles already exist - they must be created manually or with environment script (env.py),
+which is run before this script.
+"""
+
+import json
+import traceback
+import os
+
+# Set profiles dir
+stend_dir = os.path.join(os.path.dirname(os.path.abspath(__file__)), os.pardir)
+# you can set directory you want
+#profiles_dir = os.path.join(stend_dir, 'target', 'profiles')
+
+log_file = os.path.join(stend_dir, 'tmp', 'env.log')
+
+
+def transform_options(ops_json):
+    """
+    Transform fuzz/eat options
+    :param ops_json: options from fuzz/eat in dict format
+    :return: modified options
+    """
+    try:
+        # Parse options
+        jops = json.loads(ops_json)
+        args = jops['target_args'] # target options (all after "--" in fuzzer run command)
+        instance_name = jops['configuration']['instance_name']
+
+        # Replace target binary
+        if instance_name == 'FUZZ-SLAVE_0':
+            args[0] = args[0].replace('afl', 'afl-asan')
+        elif instance_name == 'FUZZ-SLAVE_1':
+            args[0] = args[0].replace('afl', 'afl-msan')
+
+        return json.dumps(jops)
+
+    except Exception as ex:
+
+        print("EXCEPTION!")
+        traceback.print_exc()
+        return None

Examples/Crusher/Linux/OpenSSL_mod_client/server.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+./server/openssl-debug s_server -cert ./keys/cert.pem -key ./keys/key.pem -tls1_2 -accept 4444 -naccept 1 -legacy_renegotiation

Examples/Crusher/Linux/OpenSSL_mod_client/server/server.patch

@@ -0,0 +1,75 @@
+diff --git a/apps/s_server.c b/apps/s_server.c
+index 0ba75999fd..c5af6fa093 100644
+--- a/apps/s_server.c
++++ b/apps/s_server.c
+@@ -60,6 +60,36 @@ typedef unsigned int u_int;
+ #endif
+ #include "internal/sockets.h"
+
++#include <openssl/rand.h>
++
++static int fuzz_bytes(unsigned char *buf, int num)
++{
++  unsigned char val = 1;
++
++  while (--num >= 0)
++    *buf++ = val++;
++  return 1;
++}
++
++static int fuzz_status(void)
++{
++  return 1;
++}
++
++static RAND_METHOD fuzz_rand_method = {
++        NULL,
++        fuzz_bytes,
++        NULL,
++        NULL,
++        fuzz_bytes,
++        fuzz_status
++};
++
++void FuzzerSetRand(void)
++{
++  RAND_set_rand_method(&fuzz_rand_method);
++}
++
+ static int not_resumable_sess_cb(SSL *s, int is_forward_secure);
+ static int sv_body(int s, int stype, int prot, unsigned char *context);
+ static int www_body(int s, int stype, int prot, unsigned char *context);
+@@ -970,8 +1000,17 @@ const OPTIONS s_server_options[] = {
+  (o == OPT_SSL3 || o == OPT_TLS1 || o == OPT_TLS1_1 || o == OPT_TLS1_2 \
+   || o == OPT_TLS1_3 || o == OPT_DTLS || o == OPT_DTLS1 || o == OPT_DTLS1_2)
+
++#include <signal.h>
++
++void sig_handler(int signum){
++  printf("SIGALARM handler - exit\n");
++  exit(0);
++}
++
+ int s_server_main(int argc, char *argv[])
+ {
++    signal(SIGALRM, sig_handler);
++
+     ENGINE *engine = NULL;
+     EVP_PKEY *s_key = NULL, *s_dkey = NULL;
+     SSL_CONF_CTX *cctx = NULL;
+@@ -2152,6 +2191,15 @@ int s_server_main(int argc, char *argv[])
+         && unlink_unix_path)
+         unlink(host);
+ #endif
++
++#ifdef __AFL_HAVE_MANUAL_CONTROL
++    __AFL_INIT();
++#endif
++
++    FuzzerSetRand();
++
++    ualarm(100000, 25000);
++
+     do_server(&accept_socket, host, port, socket_family, socket_type, protocol,
+               server_cb, context, naccept, bio_s_out);
+     print_stats(bio_s_out, ctx);

Examples/Crusher/Linux/README.md

@@ -15,7 +15,9 @@
 12) [java](java) - фаззинг JAVA приложения через файл;
 13) [python_fuzz](python_fuzz) - фаззинг библиотеки на языке python;
 14) [c#](csharp) - фаззинг dll библиотек, написанных на C#, через файл и stdin;
-15) [nginx_docker](nginx_docker) - фаззинг сервера Nginx в Docker-режиме
+15) [nginx_docker](nginx_docker) - фаззинг сервера Nginx в Docker-режиме;
+16) [OpenSSL_mod_client](OpenSSL_mod_client) - фаззинг OpenSSL-сервера методом модифицированного клиента;
+17) [arm_rootfs_gzip](arm_rootfs_gzip) - фаззинг gzip из Ubuntu20 (ARM) с применением Qemu (user-mode).
 
 Далее приведена последовательность действий по фаззингу, мониторингу и воспроизведению аварийных завершений (крешей) для следующих примеров: `python`, `jasper` и `faad`.