Ryan Fitblip

## ctl_example.json
// curl -s 'https://ct1.digicert-ct.com/log/ct/v1/get-entries?start=0&end=0' | jq .
{
  "entries": [
    {
      "leaf_input": "AAAAAAFIyfaldAAAAAcDMIIG/zCCBeegAwIBAgIQBnEXzRy4ia2KEDMQEa+lMjANBgkqhkiG9w0BAQsFADB1MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMTQwMgYDVQQDEytEaWdpQ2VydCBTSEEyIEV4dGVuZGVkIFZhbGlkYXRpb24gU2VydmVyIENBMB4XDTE0MDkzMDAwMDAwMFoXDTE1MTAwNTEyMDAwMFowggEOMR0wGwYDVQQPDBRQcml2YXRlIE9yZ2FuaXphdGlvbjETMBEGCysGAQQBgjc8AgEDEwJVUzEVMBMGCysGAQQBgjc8AgECEwRVdGFoMRUwEwYDVQQFEww1Mjk5NTM3LTAxNDIxEjAQBgNVBAkTCVN1aXRlIDUwMDEkMCIGA1UECRMbMjYwMCBXZXN0IEV4ZWN1dGl2ZSBQYXJrd2F5MQ4wDAYDVQQREwU4NDA0MzELMAkGA1UEBhMCVVMxDTALBgNVBAgTBFV0YWgxDTALBgNVBAcTBExlaGkxFzAVBgNVBAoTDkRpZ2lDZXJ0LCBJbmMuMRwwGgYDVQQDExNjdDEuZGlnaWNlcnQtY3QuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyysV+OCPSn5MnCri+xQk7v+iOuA8EoSNUJqvTA95F1OEPzK0szO7seL6NlHPS4/Qkza9/l4d5AyZN7z7GHz1T955WiOmFOxlt3x5wrPUnsUJoEcv9fGfb6rjRdPKxgTJP+0EVup/jV0uvokyRkNzABhZOHi023gMkuudh75yOiYUYllUij0mQR/ZBMRg7Iigj2o9t/zKyHHY

## get_all_ctl_counts.py
import requests
import json
import locale
locale.setlocale(locale.LC_ALL, 'en_US')

ctl_log = requests.get('https://www.gstatic.com/ct/log_list/log_list.json').json()

total_certs = 0

human_format = lambda x: locale.format('%d', x, grouping=True)

## keybase.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                Fitblip
                / keybase.md
            
            
              Created
              January 25, 2017 22:25
            
              
                keybase.md
              
          
    Keybase proof

I hereby claim:

I am fitblip on github.
I am fitblip (https://keybase.io/fitblip) on keybase.
I have a public key ASDrBgOsT14rT3qzqYUK2ypD6G-W9vHelq5PZY8wnbEPXQo

To claim this, I am signing this object:

  
## tests.py
'''
It's worth noting that we use the built-in User model, but also have a tweak that enforces email
uniqueness (which IMO is a pretty large oversight by the django folks), so that's why it's acceptable
that `Migrations for 'auth'` is in the payload.
'''
class TestForNonGeneratedMigrations(TestCase):
    def test_for_migrations_to_run(self):
        stdout = StringIO.StringIO()

        call_command('makemigrations', no_color=True, dry_run=True, stdout=stdout)

## gist:aa14d00ed97ac6750640
alert(1)

## gist:5218816
import sys

string = sys.argv[-1]
lines = []

print "String length : %d" % len(string)
print "Opcodes to push this string onto the stack :"

for i in range(0,len(string),4):
  line = string[:4]

## Magic issues
# Before patch
    [objdump -p]                     [VDB]
Magic                   010b         0b01
MajorLinkerVersion      7            (7)
MinorLinkerVersion      0            (0)
SizeOfCode              00007000     00007000
SizeOfInitializedData   00007000     00007000
SizeOfUninitializedData 00019000     00019000
AddressOfEntryPoint     00020cd0     00020cd0
BaseOfCode              0001a000     0001a000

## bmp.py
from sulley import *


s_initialize("bug.bmp")
s_string('BM') #signature de root
s_dword('2046820608', endian='<') #file_size de root
s_binary("00000000",fuzz="random", percent=10) # reserved de root
s_dword('2046820352', endian='<') #data_start de root
s_dword('1811939328', endian='<') #header_size de header
s_dword('2147483648', endian='<') #width de header

## sessions.py.patch
diff --git a/sessions.py b/sessions.py
index 21bd1aa..bf025d9 100644
--- a/sessions.py
+++ b/sessions.py
@@ -383,7 +383,7 @@ class session (pgraph.graph):
                 self.total_mutant_index += 1

                 # if we've hit the restart interval, restart the target.
-                if self.restart_interval and self.total_mutant_index % self.restart_interval == 0:
+                if self.restart_interval and self.total_mutant_index % self.restart_interval == 0 and self.total_mutant_index > self.skip:

## use-hashlib.patch
diff --git a/sulley/blocks.py b/sulley/blocks.py
--- a/sulley/blocks.py
+++ b/sulley/blocks.py
@@ -3,8 +3,15 @@
 import sex

 import zlib
-import md5
-import sha
+try:
	// curl -s 'https://ct1.digicert-ct.com/log/ct/v1/get-entries?start=0&end=0' \| jq .
	{
	"entries": [
	{
	"leaf_input": "AAAAAAFIyfaldAAAAAcDMIIG/zCCBeegAwIBAgIQBnEXzRy4ia2KEDMQEa+lMjANBgkqhkiG9w0BAQsFADB1MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMTQwMgYDVQQDEytEaWdpQ2VydCBTSEEyIEV4dGVuZGVkIFZhbGlkYXRpb24gU2VydmVyIENBMB4XDTE0MDkzMDAwMDAwMFoXDTE1MTAwNTEyMDAwMFowggEOMR0wGwYDVQQPDBRQcml2YXRlIE9yZ2FuaXphdGlvbjETMBEGCysGAQQBgjc8AgEDEwJVUzEVMBMGCysGAQQBgjc8AgECEwRVdGFoMRUwEwYDVQQFEww1Mjk5NTM3LTAxNDIxEjAQBgNVBAkTCVN1aXRlIDUwMDEkMCIGA1UECRMbMjYwMCBXZXN0IEV4ZWN1dGl2ZSBQYXJrd2F5MQ4wDAYDVQQREwU4NDA0MzELMAkGA1UEBhMCVVMxDTALBgNVBAgTBFV0YWgxDTALBgNVBAcTBExlaGkxFzAVBgNVBAoTDkRpZ2lDZXJ0LCBJbmMuMRwwGgYDVQQDExNjdDEuZGlnaWNlcnQtY3QuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyysV+OCPSn5MnCri+xQk7v+iOuA8EoSNUJqvTA95F1OEPzK0szO7seL6NlHPS4/Qkza9/l4d5AyZN7z7GHz1T955WiOmFOxlt3x5wrPUnsUJoEcv9fGfb6rjRdPKxgTJP+0EVup/jV0uvokyRkNzABhZOHi023gMkuudh75yOiYUYllUij0mQR/ZBMRg7Iigj2o9t/zKyHHY
	import requests
	import json
	import locale
	locale.setlocale(locale.LC_ALL, 'en_US')

	ctl_log = requests.get('https://www.gstatic.com/ct/log_list/log_list.json').json()

	total_certs = 0

	human_format = lambda x: locale.format('%d', x, grouping=True)
	'''
	It's worth noting that we use the built-in User model, but also have a tweak that enforces email
	uniqueness (which IMO is a pretty large oversight by the django folks), so that's why it's acceptable
	that `Migrations for 'auth'` is in the payload.
	'''
	class TestForNonGeneratedMigrations(TestCase):
	def test_for_migrations_to_run(self):
	stdout = StringIO.StringIO()

	call_command('makemigrations', no_color=True, dry_run=True, stdout=stdout)
	import sys

	string = sys.argv[-1]
	lines = []

	print "String length : %d" % len(string)
	print "Opcodes to push this string onto the stack :"

	for i in range(0,len(string),4):
	line = string[:4]
	# Before patch
	[objdump -p] [VDB]
	Magic 010b 0b01
	MajorLinkerVersion 7 (7)
	MinorLinkerVersion 0 (0)
	SizeOfCode 00007000 00007000
	SizeOfInitializedData 00007000 00007000
	SizeOfUninitializedData 00019000 00019000
	AddressOfEntryPoint 00020cd0 00020cd0
	BaseOfCode 0001a000 0001a000
	from sulley import *


	s_initialize("bug.bmp")
	s_string('BM') #signature de root
	s_dword('2046820608', endian='<') #file_size de root
	s_binary("00000000",fuzz="random", percent=10) # reserved de root
	s_dword('2046820352', endian='<') #data_start de root
	s_dword('1811939328', endian='<') #header_size de header
	s_dword('2147483648', endian='<') #width de header
	diff --git a/sessions.py b/sessions.py
	index 21bd1aa..bf025d9 100644
	--- a/sessions.py
	+++ b/sessions.py
	@@ -383,7 +383,7 @@ class session (pgraph.graph):
	self.total_mutant_index += 1

	# if we've hit the restart interval, restart the target.
	- if self.restart_interval and self.total_mutant_index % self.restart_interval == 0:
	+ if self.restart_interval and self.total_mutant_index % self.restart_interval == 0 and self.total_mutant_index > self.skip:
	diff --git a/sulley/blocks.py b/sulley/blocks.py
	--- a/sulley/blocks.py
	+++ b/sulley/blocks.py
	@@ -3,8 +3,15 @@
	import sex

	import zlib
	-import md5
	-import sha
	+try: