@inaz2
Last active September 25, 2016 19:01
$ python tinyfuzz.py
< ''
oooooooo8 oooo o88 o8
888 888ooooo oooo o888oo oooooooo8 ooooooo ooooooo
888oooooo 888 888 888 888 888ooooooo 888 888 888 888
888 888 888 888 888 888 888 888 888
o88oooo888 o888o o888o o888o 888o 88oooooo88 88ooo888 88ooo88
Welcome to Shitsco Internet Operating System (IOS)
For a command list, enter ?
$
< 'show\n'
$
< 'set c AAAAAAAAAAAAAAA\n'
$
< 'set b \n'
You must set a value for b
$
< 'show\n'
c: AAAAAAAAAAAAAAA
$
< 'set a AAAAAAAAAAAAAAA\n'
$
< 'set b \n'
You must set a value for b
$
< 'set c AAAAAAAAAAAAAAAAA\n'
$
< 'show\n'
c: AAAAAAAAAAAAAAAAA
a: AAAAAAAAAAAAAAA
$
(snip)
$
< 'show\n'
c: AAAAAAAAAAAAAAAAAA
a: AA
c: AAAAAAAAAAA
$
< 'set c AA\n'
$
< 'set a \n'
$
< 'set c AAAAAAAAAAAA\n'
$
< 'show\n'
None
Traceback (most recent call last):
File "tinyfuzz.py", line 82, in <module>
sr(p, gen(), '$ ')
File "tinyfuzz.py", line 64, in sr
TinyFuzz.poll(p)
File "tinyfuzz.py", line 19, in poll
raise Exception("crashed (%d)" % returncode)
Exception: crashed (-11)
$ ls
core shitsco_c8b1aa31679e945ee64bde1bdb19d035* tinyfuzz.py
$ gdb ./shitsco_c8b1aa31679e945ee64bde1bdb19d035 core
Reading symbols from ./shitsco_c8b1aa31679e945ee64bde1bdb19d035...(no debugging symbols found)...done.
warning: core file may not match specified executable file.
[New LWP 3845]
Core was generated by `./shitsco_c8b1aa31679e945ee64bde1bdb19d035'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0xf7601a8f in vfprintf () from /lib32/libc.so.6
(gdb) bt
#0 0xf7601a8f in vfprintf () from /lib32/libc.so.6
#1 0xf76b1c90 in __printf_chk () from /lib32/libc.so.6
#2 0x08048ebd in ?? ()
#3 0x08048b96 in ?? ()
#4 0x080488c7 in ?? ()
#5 0xf75d3a63 in __libc_start_main () from /lib32/libc.so.6
#6 0x08048935 in ?? ()
(gdb) i r
eax 0x0 0
ecx 0xffffffff -1
edx 0x53 83
ebx 0xf7761000 -143257600
esp 0xff966480 0xff966480
ebp 0xff966998 0xff966998
esi 0xf7761ac0 -143254848
edi 0x41414141 1094795585
eip 0xf7601a8f 0xf7601a8f <vfprintf+18687>
eflags 0x10246 [ PF ZF IF RF ]
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x63 99
(gdb) x/i $pc
=> 0xf7601a8f <vfprintf+18687>: repnz scas al,BYTE PTR es:[edi]
(gdb) quit
import random
import struct
from resource import RLIMIT_CORE, RLIM_INFINITY, getrlimit, setrlimit
from subprocess import PIPE, Popen
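# Let a crashing target leave a core file for post-mortem analysis (the
# transcript above loads exactly such a core in gdb).  An unprivileged
# process is not allowed to raise a finite hard limit, in which case
# setrlimit raises ValueError; fall back to the largest value permitted
# rather than aborting the whole fuzz run.
try:
    setrlimit(RLIMIT_CORE, (RLIM_INFINITY, RLIM_INFINITY))
except ValueError:
    _core_hard = getrlimit(RLIMIT_CORE)[1]
    setrlimit(RLIMIT_CORE, (_core_hard, _core_hard))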
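class TinyFuzz(object):
    """Accumulate one randomly generated input for the target process.

    Every generator method appends what it produced to the internal buffer
    ``s`` and also returns it, so a caller can build the payload and branch
    on the choices made at the same time.  ``dump`` hands back the finished
    buffer.  The file is written for Python 2 (``print`` statement,
    ``xrange``), so ``s`` is a byte string there; under Python 3 the
    ``struct.pack`` helpers would need a ``bytes`` buffer.
    """

    def __init__(self):
        # Everything generated so far, in generation order.
        self.s = ''

    @classmethod
    def poll(cls, p):
        """Raise if the child process ``p`` is no longer running.

        A non-negative return code is a normal exit; a negative one is the
        signal that killed the child (``-11`` is SIGSEGV, as in the
        transcript above).

        Args:
            p: a ``subprocess.Popen``-like object exposing ``poll()``.

        Raises:
            Exception: ``"exited (N)"`` or ``"crashed (N)"`` once the child
                has terminated.
        """
        returncode = p.poll()
        if returncode is None:
            return
        if returncode >= 0:
            raise Exception("exited (%d)" % returncode)
        raise Exception("crashed (%d)" % returncode)

    def dump(self):
        """Return everything generated so far."""
        return self.s

    def APPEND(self, s):
        """Append the literal ``s`` to the buffer and return it."""
        self.s += s
        return s

    def CHOICE(self, L):
        """Append one element picked uniformly from ``L`` and return it.

        ``L`` must hold strings: the pick is concatenated onto the buffer.
        """
        s = random.choice(L)
        self.s += s
        return s

    def STRING(self, *args):
        """Append a run of ``'A'`` whose length is ``random.randrange(*args)``."""
        s = 'A' * random.randrange(*args)
        self.s += s
        return s

    def UINT32(self):
        """Append a little-endian 32-bit value and return it as an int.

        Candidates are 0 and every all-ones nibble mask up to 0xFFFFFFFF.
        The pick is made with ``random.choice`` directly: routing an int
        through ``CHOICE`` would try to concatenate it onto the string
        buffer and raise ``TypeError`` before anything was packed.
        """
        candidates = [(1 << (4 * i)) - 1 for i in range(9)]
        n = random.choice(candidates)
        self.s += struct.pack('<I', n)
        return n

    def UINT64(self):
        """Append a little-endian 64-bit value and return it as an int.

        Same scheme as ``UINT32`` with masks up to 0xFFFFFFFFFFFFFFFF.
        """
        candidates = [(1 << (4 * i)) - 1 for i in range(17)]
        n = random.choice(candidates)
        self.s += struct.pack('<Q', n)
        return n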
def readuntil(p, term):
    """Read ``p.stdout`` one byte at a time until the text ends with ``term``.

    Returns what was read, terminator included, or ``None`` if the stream
    reaches EOF first (the caller prints that ``None`` and then polls the
    child to find out why it went away).  Reading a single byte per call
    avoids blocking on a larger read once the prompt has already arrived.
    """
    collected = ''
    while True:
        if collected.endswith(term):
            return collected
        ch = p.stdout.read(1)
        if not ch:
            return None
        collected += ch
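def sr(p, s, term):
    """Send ``s`` to the child and echo its reply up to the prompt ``term``.

    Both the request and the response are printed so the transcript shows
    exactly which input preceded a crash.  After the exchange the child is
    polled; ``TinyFuzz.poll`` raises if it has exited or died on a signal.

    Args:
        p: ``subprocess.Popen`` handle with piped stdin/stdout.
        s: raw input to write (may be empty, e.g. to consume the banner).
        term: prompt string that terminates the response.
    """
    print("< %r" % s)
    p.stdin.write(s)
    # Popen is created without an explicit bufsize, so the stdin pipe may be
    # buffered; flush so the data reaches the child before we block on its
    # reply.  On an unbuffered pipe this is a harmless no-op.
    p.stdin.flush()
    print(readuntil(p, term))
    TinyFuzz.poll(p)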
def gen():
    """Build one random command line for the target's ``set``/``show`` shell.

    ``show`` is sent bare; ``set`` gets a key from ``a``/``b``/``c`` and a
    value of 0 to 19 ``'A'`` bytes (so an empty value is possible).  Every
    command ends with a newline.
    """
    g = TinyFuzz()
    is_set = g.CHOICE(['set', 'show']) == 'set'
    if is_set:
        g.APPEND(' ')
        g.CHOICE(['a', 'b', 'c'])
        g.APPEND(' ')
        g.STRING(20)
    g.APPEND('\n')
    return g.dump()
if __name__ == '__main__':
    # Start the target with stdin/stdout piped so sr() can drive it; stderr
    # stays inherited.  The core limit raised at module load means a crash
    # leaves a core file for post-mortem analysis.
    target = Popen('./shitsco_c8b1aa31679e945ee64bde1bdb19d035', stdin=PIPE, stdout=PIPE)
    # Drain the banner up to the first prompt before sending any command.
    sr(target, '', '$ ')
    # Keep sending random commands; sr() raises once the child exits or
    # crashes, which is the only way this loop ends.
    while True:
        sr(target, gen(), '$ ')