For NDH2K16: Crazy Town Famous (pwn350). It does not work well; I have no taste for programming...
#!/usr/bin/env python2
import binascii
import hashlib
import itertools
import random
import re
import socket
import string
import struct
import subprocess
import time
import telnetlib
def p(x, t="<I"):
    """Pack the integer x with struct format t (default: little-endian u32)."""
    packer = struct.Struct(t)
    return packer.pack(x)
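def pl(l):
    """Pack every integer in l as a little-endian u32 and concatenate them.

    Joins on a bytes separator so the result stays bytes (the original
    joined on a text '' literal, which only works where str is bytes).
    """
    return b''.join(struct.pack("<I", x) for x in l)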
def u(x, t="<I"):
    """Unpack bytes x with struct format t and return the first field."""
    fields = struct.unpack(t, x)
    return fields[0]
def ui(x):
    """Reinterpret the signed 32-bit integer x as unsigned (-1 -> 0xffffffff)."""
    raw = struct.pack("<i", x)
    return struct.unpack("<I", raw)[0]
def hx(b):
    """Return the lowercase hex encoding of the bytes b."""
    return binascii.b2a_hex(b)
def uh(s):
    """Decode the hex string s back into bytes (inverse of hx)."""
    return binascii.a2b_hex(s)
def a2n(s):
    """Convert a dotted-quad IPv4 string to its 4 packed bytes."""
    packed = socket.inet_aton(s)
    return packed
def n2a(s):
    """Convert 4 packed bytes to a dotted-quad IPv4 string (inverse of a2n)."""
    text = socket.inet_ntoa(s)
    return text
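def read_until(f, delim='\n'):
    """Read f one byte at a time until the data read so far ends with delim.

    Returns everything read, including the delimiter.

    Raises EOFError when f returns an empty read before delim is seen.
    The original kept calling f.read(1) forever in that case, so a crashed
    or exited target made the script hang instead of failing.
    """
    data = ""
    while not data.endswith(delim):
        chunk = f.read(1)
        if not chunk:
            raise EOFError("EOF before delimiter %r; read so far: %r" % (delim, data))
        data += chunk
    return data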
def wn(f, b):
    """Write b plus a trailing newline to f; the caller flushes."""
    line = b + '\n'
    f.write(line)
def connect(rhp):
    """Open a TCP connection to rhp = (host, port).

    Returns (socket, file) where file is an unbuffered read/write wrapper
    around the socket.
    """
    host, port = rhp
    I("Connect to %s:%d" % (host, port))
    sock = socket.create_connection((host, port))
    stream = sock.makefile('rw', bufsize=0)
    return sock, stream
def interact(s):
    """Hand the connected socket s over to an interactive telnet session."""
    session = telnetlib.Telnet()
    session.sock = s
    I('4ll y0U n33D 15 5h3ll!!')
    session.interact()
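def gen_shellcode(source, bits=32):
    """Assemble nasm `source` (prefixed with "BITS <bits>") to a flat binary.

    Returns (filename, shellcode): filename is the md5 hex digest of the
    final source, which names /tmp/<filename>.s and /tmp/<filename>;
    shellcode is the raw assembled bytes.

    Raises RuntimeError when nasm exits non-zero. The original ignored the
    exit status and only failed later, on the missing output file.
    """
    source = "BITS %d\n%s" % (bits, source)
    filename = hashlib.md5(source).hexdigest()
    src_path = "/tmp/%s.s" % filename
    out_path = "/tmp/%s" % filename
    with open(src_path, "wb") as f:
        f.write(source)
    # argv list rather than a shell string: nothing here needs shell parsing
    status = subprocess.call(["nasm", src_path, "-o", out_path])
    if status != 0:
        raise RuntimeError("nasm exited with status %d for %s" % (status, src_path))
    with open(out_path, "rb") as f:
        shellcode = f.read()
    return filename, shellcode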
def M(prefix, body):
    """Print one log line of the form '[prefix] body'.

    body is the *args tuple collected by W/N/I:
      1 item          -> printed as is
      2 items (k, v)  -> 'k: 0x%08x' (or 0x%016x when v exceeds 32 bits)
      3+ items        -> 'item0:(rest...)'
    """
    count = len(body)
    if count == 1:
        text = ''.join(body)
    elif count == 2:
        key, value = body
        width = 8 if value <= 0xffffffff else 16
        text = '%s: 0x%0*x' % (key, width, value)
    elif count >= 3:
        text = '%s:%s' % (body[0], body[1:])
    else:
        text = body
    print('[{prefix}] {body}'.format(prefix=prefix, body=text))
def W(*body):
    """Log a warning line ('!' prefix) through M."""
    return M('!', body)
def N(*body):
    """Log a notice line ('*' prefix) through M."""
    return M('*', body)
def I(*body):
    """Log an info line ('+' prefix) through M."""
    return M('+', body)
def D(body):
    """Print a debug line '[D] body'; body is one object, not *args."""
    line = '[D] %s' % body
    print(line)
### user-defined
'''
>help
Welcome to the helper
print all (print all your town)
create (create a person or animal)
kill (kill someone)
married (get married)
divorce (get a divorce)
'''
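class Client:
    """Drive the CrazyTownFamous menu over a (reader, writer) file pair.

    Each command helper sends the menu keyword, answers the prompts this
    script expects the game to show, and then reads up to the next '>'
    prompt. Everything read is buffered in __data so it can be dumped with
    D() when a helper is called with debug=True.
    """

    # Banner the game prints when it cannot parse a command; counted in
    # the debug dump.
    rgx_parse_failed = r'What do you mean i can\'t understand you \?\?\?\?\?\?\?\?\?\?\?\?'
    # Transcript buffer. The class attribute is only the initial value;
    # `self.__data += ...` gives every instance its own string.
    __data = ''

    def __init__(self, io):
        # io is (reader, writer), e.g. (proc.stdout, proc.stdin)
        self.fr, self.fw = io

    def __send(self, line):
        """Write one input line and flush so the game sees it immediately."""
        wn(self.fw, line)
        self.fw.flush()

    def __read(self, delim):
        """Read up to delim and append it to the transcript buffer."""
        self.__data += read_until(self.fr, delim)

    def __when_debug(self, debug):
        """If debug, dump the buffered transcript (with a count of the
        game's parse-failure banners) via D() and clear the buffer."""
        if not debug:
            return
        ignored_count = len(re.findall(self.rgx_parse_failed, self.__data))
        D('Ignored Count: %d\n%s' % (ignored_count, self.__data))
        self.__data = ''

    def enter(self, city_name='TestCity', debug=False):
        """Answer the opening city prompt and wait for the first '>'."""
        self.__read('city\n')
        self.__send(city_name)
        self.__read('>')
        self.__when_debug(debug)

    def print_all(self, delim='>'):
        """Send 'print all' and discard the output up to delim."""
        self.__send('print all')
        self.__read(delim)
        self.__data = ''

    def create(self, name, attribute='character governor', debug=False, **kwargs):
        """Create a character or animal called name.

        attribute is the answer to the game's type prompt. When it names an
        animal the game asks for the owner first; pass it as owner= (or
        master=, which Fuzzer uses), either a name or an object with .name.

        Raises KeyError when an animal is created without an owner.
        """
        self.__send('create')
        self.__read('?\n')
        self.__send(attribute)
        if 'animal' in attribute:
            owner = kwargs.get('owner', kwargs.get('master'))
            if owner is None:
                raise KeyError("create(): an animal needs owner= (or master=)")
            owner = getattr(owner, 'name', owner)
            self.__read(': ')
            self.__send(owner)
        self.__read(': ')
        self.__send(name)
        self.__read('>')
        self.__when_debug(debug)
        self.__data = ''

    def kill(self, assassin, target, debug=False):
        """Have assassin kill target."""
        self.__send('kill')
        self.__read(': ')
        self.__send(assassin)
        self.__read(': ')
        self.__send(target)
        self.__read('>')
        self.__when_debug(debug)
        self.__data = ''

    def married(self, character1, character2, debug=False):
        """Marry character1 to character2.

        Both names are sent without waiting for the individual prompts:
        when the first name is unknown the game answers with an error and
        a new '>' instead of the second prompt, so reading for ': ' in
        between would block.
        """
        self.__send('married')
        self.__when_debug(debug)
        self.__send(character1)
        self.__when_debug(debug)
        self.__send(character2)
        self.__read('>')
        self.__when_debug(debug)
        self.__data = ''

    def divorce(self, character, debug=False):
        """Divorce character from its partner."""
        self.__send('divorce')
        self.__read(': ')
        self.__send(character)
        self.__read('>')
        self.__when_debug(debug)
        self.__data = ''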
def pattern0(client):
    """Create one character whose attribute answer is NUL-terminated and
    padded with 'A' to 0x7b0 bytes, then dump the town."""
    attribute = 'character governor\0'.ljust(0x7b0, 'A')
    client.create('test', attribute=attribute)
    client.print_all()
def pattern1(client):
    """Chain three governors through two marriages, then have an assassin
    kill the first one."""
    governor = 'character governor'
    client.create('gov1', attribute=governor)
    client.create('gov2', attribute=governor)
    client.print_all()
    client.married('gov1', 'gov2')
    client.create('gov3', attribute=governor)
    client.married('gov2', 'gov3')
    client.create('ass', attribute='character assassin')
    client.kill('ass', 'gov1')
class Animal:
    """Local mirror of an animal the fuzzer asked the game to create."""

    animal_attrs = (
        'dog',
        'cat',
    )

    def __init__(self, name, master, attr=None):
        self.name = name
        # a falsy attr (None or '') means "pick a kind at random"
        self.attr = attr or random.choice(self.animal_attrs)
        self.master = master
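class Character:
    """Local mirror of a game character plus the fuzzer's bookkeeping flags."""

    character_attrs = (
        'engineer',
        'paysan',
        'tekos',
        'governor',
        'assassin',
    )

    def __init__(self, name, attr=None):
        self.name = name
        # a falsy attr (None or '') means "pick a job at random"
        self.attr = attr or random.choice(self.character_attrs)
        # True for an assassin, i.e. a character allowed to issue `kill`
        # (the name reads backwards). Compared with `==`: the original used
        # `is`, which only held while both strings happened to be interned.
        self.killable = self.attr == 'assassin'
        self.married_with = None  # partner's name, or None
        self.has_pet = False
        self.should_be_ignored = False  # set by Fuzzer.ignore_fuzzily
        self.prev_choice = None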
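class Fuzzer:
    """Random-walk driver for a Client.

    Each random_action() call performs one step against the game (create a
    character or an animal, print the town, marry, divorce or kill) and
    mirrors the result in self.characters / self.animals so later steps can
    pick plausible names. The mirror is only as good as this script's model
    of the game; see the notes in _kill.
    """

    # Same alphabet the script's __main__ binds to the global `table`.
    DEFAULT_TABLE = string.ascii_letters + string.digits

    def __init__(self, client, table=None):
        """client: a Client. table: alphabet for random names; defaults to
        letters and digits instead of reading a module-level global."""
        self.client = client
        self.characters = []
        self.animals = []
        self.table = self.DEFAULT_TABLE if table is None else table
        self.initialized = False
        self.married_count = 0
        # exclusive upper bound for random name lengths
        self.num = 0x100

    def _random_name(self):
        """Return a random name of 0 .. self.num-1 characters from self.table."""
        length = random.randint(0, self.num - 1)
        return ''.join(random.choice(self.table) for _ in range(length))

    def _unused_name(self):
        """Return a random name that no existing character already has."""
        taken = set(sb.name for sb in self.characters)
        name = self._random_name()
        while name in taken:
            name = self._random_name()
        return name

    def reset_ignore(self):
        """Once every character is flagged as ignored, clear all the flags."""
        if all(sb.should_be_ignored for sb in self.characters):
            for sb in self.characters:
                sb.should_be_ignored = False

    def ignore_fuzzily(self):
        """With high probability flag one not-yet-ignored character as ignored."""
        candidates = [sb for sb in self.characters if not sb.should_be_ignored]
        if not candidates:
            return
        chosen = random.choice(candidates)
        if abs(random.gauss(mu=0, sigma=0.2)) >= 0.05:
            chosen.should_be_ignored = True

    def random_action(self, tab):
        """Perform one random step against the game; tab prefixes log lines."""
        if self._maybe_create_character(tab):
            return
        self._maybe_create_animal(tab)
        # occasionally dump the town instead of acting
        if random.randint(1, 6) == 6:
            self.client.print_all()
            return
        self._act_on_character(tab)

    def _create_character(self, tab, name):
        """Create name in the game and in the local mirror, and log it."""
        character = Character(name)
        self.characters.append(character)
        # Pass the rolled job through. The original called create() with its
        # default 'character governor' for everyone, so the local attr (and
        # killable) never matched the character the game actually had.
        self.client.create(character.name, attribute='character %s' % character.attr)
        I('%screated %s: %s' % (tab, character.attr, character.name[:10]))

    def _maybe_create_character(self, tab):
        """Possibly create a character; returns True when the step is done."""
        # The original condition started with `len(self.characters) or ...`,
        # which is true as soon as one character exists, so a character was
        # created on every step and the random part was dead. Create when
        # there are none yet, until the two initial characters exist, or
        # with high probability.
        if (not self.characters or not self.initialized
                or abs(random.gauss(mu=0, sigma=0.2)) >= 0.05):
            self._create_character(tab, self._unused_name())
            if not self.initialized:
                # a second initial character, so a partner/target always exists
                self._create_character(tab, self._unused_name())
                self.initialized = True
                return True
        return False

    def _maybe_create_animal(self, tab):
        """Possibly create an animal owned by a character without a pet."""
        if abs(random.gauss(mu=0, sigma=0.2)) < 0.2:
            return
        owners = [sb for sb in self.characters if not sb.has_pet]
        if not owners:
            return
        master = random.choice(owners)
        # Fresh name: the original reused the character name from the
        # previous branch, which is unbound when that branch did not run.
        animal = Animal(self._random_name(), master)
        self.animals.append(animal)
        # Client.create only asks for an owner when 'animal' is in the
        # attribute, so the original's default attribute never created an
        # animal; 'animal <kind>' mirrors the 'character <job>' form —
        # TODO confirm against the game's type prompt.
        self.client.create(animal.name, attribute='animal %s' % animal.attr,
                           owner=master.name)
        # the original never set has_pet, so its one-pet-per-owner filter was a no-op
        master.has_pet = True
        I('%screated %s(%s): %s' % (tab, animal.attr, master.name[:10], animal.name[:10]))

    def _act_on_character(self, tab):
        """Marry, divorce or kill with randomly chosen characters."""
        while True:
            self.reset_ignore()
            self.ignore_fuzzily()
            candidates = [sb for sb in self.characters if not sb.should_be_ignored]
            if not candidates:
                return
            somebody = random.choice(candidates)
            others = [sb for sb in self.characters if sb is not somebody]
            if not others:
                # random.choice([]) raised IndexError in the original
                return
            another = random.choice(others)
            action = random.randrange(3)
            if action == 0:
                if abs(random.gauss(mu=0, sigma=0.2)) < 0.2:
                    continue
                self._marry(tab, somebody, another)
                return
            if action == 1:
                if not somebody.married_with:
                    return
                self._divorce(tab, somebody)
                return
            if not somebody.killable:
                # only an assassin may kill; roll again
                continue
            self._kill(tab, somebody, another)
            return

    def _marry(self, tab, somebody, another):
        """Record and perform the marriage of somebody with another."""
        somebody.married_with = another.name
        another.married_with = somebody.name
        D('married: %d' % self.married_count)
        self.married_count += 1
        self.client.married(somebody.name, another.name, debug=True)
        I('%s%s has married with %s' % (tab, somebody.name[:10], another.name[:10]))

    def _divorce(self, tab, somebody):
        """Clear both sides of somebody's marriage locally and in the game."""
        I('%s%s will devorced' % (tab, somebody.name[:10]))
        partner_name = somebody.married_with
        somebody.married_with = None
        for sb in self.characters:
            if sb.name == partner_name:
                if sb.married_with == somebody.name:
                    sb.married_with = None
                break
        self.client.divorce(somebody.name)
        I('%s%s has divorced' % (tab, somebody.name[:10]))

    def _kill(self, tab, somebody, another):
        """Have somebody (an assassin) kill another."""
        I('%swill do to kill' % tab)
        self.client.kill(somebody.name, another.name)
        # NOTE(review): the local mirror is not updated here; if the game
        # removes the victim, later steps can still pick its name.
        I('%s%s killed %s' % (tab, somebody.name, another.name[:10]))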
if __name__ == '__main__':
    # Run the challenge binary locally and drive it over its stdio pipes.
    # NOTE(review): stderr is piped but never read; if the binary writes a
    # lot there, the pipe can fill up and the process stalls.
    target = subprocess.Popen(
        ['./CrazyTownFamous'],
        stdin=subprocess.PIPE,
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE,
    )
    # alphabet for random names; Fuzzer reads this module-level `table`
    table = string.ascii_letters + string.digits
    # city name of 0 .. 0xfff random characters
    randge = range(random.randint(0, 0xfff))
    city_name = ''.join(random.choice(table) for _ in randge)
    client = Client((target.stdout, target.stdin))
    client.enter(city_name=city_name)
    fuzzer = Fuzzer(client)
    # every step indents its log lines one space deeper than the previous one
    tab = ''
    for _ in range(0x800):
        fuzzer.random_action(tab)
        tab += ' '
'''
[+] created governor: BdrkN1N02T
[+] created governor: FIqk4t
[+] created tekos: jhgpuF4C4r
[D] married: 0
[D] Ignored Count: 0
[D] Ignored Count: 0
[D] Ignored Count: 0
married who?
enter the name plz :
with who?
enter the name plz :
Oh my god I love you we will be together for eternity
Your my Love!
Your my Love!
>
[+] jhgpuF4C4r has married with BdrkN1N02T
[+] created assassin: M8rHV33HUW
[+] created engineer: vFQETK5O
[+] created tekos: tCfdihjunY
[+] created paysan: 9Q9PxzBTKI
[+] created engineer: 3phdPesAGp
[+] created governor: j038qMlqrs
[+] created engineer: hTxGxgUsGQ
[+] created paysan: gzIVAoo5vo
[+] created tekos: lCRprR7PoE
[+] created cat(3phdPesAGp): lCRprR7PoE
[+] created paysan: nlVY8WZIz8
[+] created cat(lCRprR7PoE): nlVY8WZIz8
[+] created governor: b59Sza4DuI
[+] created governor: Ia1KxGFpxJ
[+] created governor: kUIeWaprnZ
[+] created engineer: 532lJjJHIs
[+] created tekos: sIHijeTd3A
[+] created paysan: ywjxZs33tr
[+] created dog(532lJjJHIs): ywjxZs33tr
[+] created engineer: iBKCsHpDeb
[+] created paysan: JhVrPVCo5j
[+] created tekos: A34WSjahoQ
[+] created tekos: OBd081qJns
[+] created governor: GRw9o2QdJM
[+] created engineer: rYrapztpgG
[+] created tekos: UhMurVrOUj
[+] created cat(gzIVAoo5vo): UhMurVrOUj
[+] created governor: vXCPAKWKuh
[+] created cat(kUIeWaprnZ): vXCPAKWKuh
[+] created tekos: 9CtnkW6D6i
[+] created engineer: IBQq99ku2B
[+] created cat(j038qMlqrs): IBQq99ku2B
[+] created tekos: eoLOQry889
[D] married: 1
[D] Ignored Count: 0
[D] Ignored Count: 0
[D] Ignored Count: 0
married who?
enter the name plz :
with who?
enter the name plz :
Oh my god I love you we will be together for eternity
Your my Love!
Your my Love!
>
[+] eoLOQry889 has married with sIHijeTd3A
[+] created tekos: bUs3csRzj4
[+] created tekos: 4LUNErPfp0
[+] created paysan: xMF771hMYw
[D] married: 2
[D] Ignored Count: 0
[D] Ignored Count: 0
[D] Ignored Count: 0
married who?
enter the name plz :
No man the character doesn't exist
>
[+] 4LUNErPfp0 has married with jhgpuF4C4r
[+] created assassin: neJtM0VP9g
[D] married: 3
[D] Ignored Count: 0
[D] Ignored Count: 0
[D] Ignored Count: 0
married who?
enter the name plz :
with who?
enter the name plz :
Oh my god I love you we will be together for eternity
Your my Love!
Your my Love!
>
[+] IBQq99ku2B has married with gzIVAoo5vo
[+] created engineer: giv6oTBYVl
[+] created assassin: SUM63ZVNFY
[D] married: 4
[D] Ignored Count: 0
[D] Ignored Count: 0
[D] Ignored Count: 0
married who?
enter the name plz :
with who?
enter the name plz :
Oh my god I love you we will be together for eternity
Your my Love!
Your my Love!
>
[+] neJtM0VP9g has married with tCfdihjunY
[+] created assassin: MYamY9gJvs
[D] married: 5
[D] Ignored Count: 0
[D] Ignored Count: 0
[D] Ignored Count: 0
married who?
enter the name plz :
with who?
enter the name plz :
Oh my god I love you we will be together for eternity
Your my Love!
Your my Love!
>
[+] neJtM0VP9g has married with giv6oTBYVl
[+] created engineer: 3NCGhp6vvZ
[+] created engineer: tfwIz9MhkS
[+] created cat(hTxGxgUsGQ): tfwIz9MhkS
[+] 4LUNErPfp0 will devorced
# Null dereference was found.
'''