@hayd
Forked from kedarbellare/pdf_fuzz.py
Created July 20, 2012 09:15
PDF Fuzzer
# Seed corpus: original PDFs that get mutated (paths are relative to the cwd).
file_list = [
    "10.1.1.111.1781.pdf",
    "10.1.1.111.5264.pdf",
    "10.1.1.39.1596.pdf",
    "10.1.1.41.8589.pdf",
    "10.1.1.42.5619.pdf",
]
# Viewers under test; one is picked at random for every iteration.
apps_list = [
    "/Applications/Adobe Reader 9/Adobe Reader.app/Contents/MacOS/AdobeReader",
    "/Applications/Adobe Reader.app/Contents/MacOS/AdobeReader",
    "/Applications/Preview.app/Contents/MacOS/Preview",
]
fuzz_output = "fuzz.pdf"  # mutated file handed to the viewer; rewritten each test
FuzzFactor = 250          # larger value -> fewer bytes changed per test case
num_tests = 100           # number of fuzz iterations to run
import math
import random
import string
import subprocess
import time
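def mutate(buf, fuzz_factor):
    """Overwrite a random run of bytes in *buf* in place.

    Based on Charlie Miller's mutation fuzzer (modified).  The number of
    bytes changed is at most ceil(len(buf) / fuzz_factor), so a larger
    fuzz_factor means fewer changes per test case.

    Args:
        buf: bytearray to mutate; modified in place.
        fuzz_factor: positive number controlling the mutation density.

    Returns:
        (fuzz_choice, numwrites): which placement strategy was used
        ('start', 'end', 'middle' or 'random') and how many bytes were written.

    Raises:
        ValueError: if *buf* is empty, or if more bytes would be written than
        the buffer holds (only possible for fuzz_factor < 1).
    """
    length = len(buf)
    if not length:
        raise ValueError("cannot fuzz an empty buffer")
    # int(): math.ceil returns a float on Python 2, and randrange wants an int.
    numwrites = random.randrange(int(math.ceil(float(length) / fuzz_factor))) + 1
    if numwrites > length:
        raise ValueError(
            "we are trying to modify %s bytes in a buffer of length only %s bytes"
            % (numwrites, length)
        )
    fuzz_choice = random.choice(['start', 'end', 'middle', 'random'])
    if fuzz_choice == 'start':
        begin = 0
    elif fuzz_choice == 'end':
        # Last write lands on the final byte; the old "- 1" never touched it.
        begin = length - numwrites
    elif fuzz_choice == 'middle':
        # "+ 1" so numwrites == length is still a valid (single) start position.
        begin = random.randrange(length - numwrites + 1)
    else:
        # 'random': scatter single-byte changes instead of one contiguous block.
        begin = None
    for offset in range(numwrites):
        rbyte = random.randrange(256)
        if begin is None:
            rn = random.randrange(length)
        else:
            rn = begin + offset
        # Assign the int directly; "%c" % rbyte only works on Python 2 bytearrays.
        buf[rn] = rbyte
    return fuzz_choice, numwrites


for i in range(num_tests):
    file_choice = random.choice(file_list)
    app_choice = random.choice(apps_list)
    # Context managers so the file handles are closed on every iteration.
    with open(file_choice, 'rb') as src:
        buf = bytearray(src.read())
    fuzz_choice, numwrites = mutate(buf, FuzzFactor)
    with open(fuzz_output, 'wb') as dst:
        dst.write(buf)
    print("Using app: %s orig_file: %s fuzz_type: %s #writes=%d"
          % (app_choice, file_choice, fuzz_choice, numwrites))
    process = subprocess.Popen([app_choice, fuzz_output])
    # Grace period for the viewer to parse the file; one second may be too
    # short for a slow-starting application, in which case crashes are missed.
    time.sleep(1)
    returncode = process.poll()
    if returncode is None:
        # Still running: count as "no crash" and stop it before the next test.
        process.terminate()
        process.wait()  # reap so no zombie is left behind
    elif returncode != 0:
        # Exited early with a non-zero status (negative = killed by a signal on
        # POSIX).  Keep the input: fuzz_output is overwritten by the next test.
        crash_file = "crash_%d_%s" % (i, fuzz_output)
        with open(crash_file, 'wb') as dst:
            dst.write(buf)
        print("Exit status %d for %s, test case saved to %s"
              % (returncode, app_choice, crash_file))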