fuzzing against Defcon CTF Qual 2014 shitsco / https://github.com/ctfs/write-ups-2014/tree/e572b0ce04ec4343e289ebf612d968118f0697a6/def-con-ctf-qualifier-2014/shitsco
$ python tinyfuzz.py | |
< '' | |
oooooooo8 oooo o88 o8 | |
888 888ooooo oooo o888oo oooooooo8 ooooooo ooooooo | |
888oooooo 888 888 888 888 888ooooooo 888 888 888 888 | |
888 888 888 888 888 888 888 888 888 | |
o88oooo888 o888o o888o o888o 888o 88oooooo88 88ooo888 88ooo88 | |
Welcome to Shitsco Internet Operating System (IOS) | |
For a command list, enter ? | |
$ | |
< 'show\n' | |
$ | |
< 'set c AAAAAAAAAAAAAAA\n' | |
$ | |
< 'set b \n' | |
You must set a value for b | |
$ | |
< 'show\n' | |
c: AAAAAAAAAAAAAAA | |
$ | |
< 'set a AAAAAAAAAAAAAAA\n' | |
$ | |
< 'set b \n' | |
You must set a value for b | |
$ | |
< 'set c AAAAAAAAAAAAAAAAA\n' | |
$ | |
< 'show\n' | |
c: AAAAAAAAAAAAAAAAA | |
a: AAAAAAAAAAAAAAA | |
$ | |
(snip) | |
$ | |
< 'show\n' | |
c: AAAAAAAAAAAAAAAAAA | |
a: AA | |
c: AAAAAAAAAAA | |
$ | |
< 'set c AA\n' | |
$ | |
< 'set a \n' | |
$ | |
< 'set c AAAAAAAAAAAA\n' | |
$ | |
< 'show\n' | |
None | |
Traceback (most recent call last): | |
File "tinyfuzz.py", line 82, in <module> | |
sr(p, gen(), '$ ') | |
File "tinyfuzz.py", line 64, in sr | |
TinyFuzz.poll(p) | |
File "tinyfuzz.py", line 19, in poll | |
raise Exception("crashed (%d)" % returncode) | |
Exception: crashed (-11) | |
$ ls | |
core shitsco_c8b1aa31679e945ee64bde1bdb19d035* tinyfuzz.py | |
$ gdb ./shitsco_c8b1aa31679e945ee64bde1bdb19d035 core | |
Reading symbols from ./shitsco_c8b1aa31679e945ee64bde1bdb19d035...(no debugging symbols found)...done. | |
warning: core file may not match specified executable file. | |
[New LWP 3845] | |
Core was generated by `./shitsco_c8b1aa31679e945ee64bde1bdb19d035'. | |
Program terminated with signal SIGSEGV, Segmentation fault. | |
#0 0xf7601a8f in vfprintf () from /lib32/libc.so.6 | |
(gdb) bt | |
#0 0xf7601a8f in vfprintf () from /lib32/libc.so.6 | |
#1 0xf76b1c90 in __printf_chk () from /lib32/libc.so.6 | |
#2 0x08048ebd in ?? () | |
#3 0x08048b96 in ?? () | |
#4 0x080488c7 in ?? () | |
#5 0xf75d3a63 in __libc_start_main () from /lib32/libc.so.6 | |
#6 0x08048935 in ?? () | |
(gdb) i r | |
eax 0x0 0 | |
ecx 0xffffffff -1 | |
edx 0x53 83 | |
ebx 0xf7761000 -143257600 | |
esp 0xff966480 0xff966480 | |
ebp 0xff966998 0xff966998 | |
esi 0xf7761ac0 -143254848 | |
edi 0x41414141 1094795585 | |
eip 0xf7601a8f 0xf7601a8f <vfprintf+18687> | |
eflags 0x10246 [ PF ZF IF RF ] | |
cs 0x23 35 | |
ss 0x2b 43 | |
ds 0x2b 43 | |
es 0x2b 43 | |
fs 0x0 0 | |
gs 0x63 99 | |
(gdb) x/i $pc | |
=> 0xf7601a8f <vfprintf+18687>: repnz scas al,BYTE PTR es:[edi] | |
(gdb) quit |
from subprocess import Popen, PIPE | |
from resource import setrlimit, RLIMIT_CORE, RLIM_INFINITY | |
import random | |
import struct | |
# Lift the core-dump size cap for this process (inherited by the Popen child),
# so a crash of the fuzz target leaves a core file behind for post-mortem
# inspection rather than being silently discarded.
_NO_CORE_LIMIT = (RLIM_INFINITY, RLIM_INFINITY)
setrlimit(RLIMIT_CORE, _NO_CORE_LIMIT)
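class TinyFuzz(object):
    """Tiny grammar-style input builder plus a child-process liveness check.

    An instance accumulates one fuzz input in ``self.s``; every generator
    method (APPEND, CHOICE, STRING, UINT32, UINT64) appends what it produced
    to that buffer and also returns it, so callers can branch on the value
    chosen.  ``dump()`` hands back the finished buffer.

    The file is Python 2 code (``print`` statements elsewhere), so ``self.s``
    is a byte string and ``struct.pack`` output can be appended to it directly.
    """

    def __init__(self):
        # The input assembled so far.
        self.s = ''

    @classmethod
    def poll(cls, p):
        """Raise if the child process ``p`` has terminated.

        A non-negative return code means a normal exit; a negative one is the
        signal number (as reported by subprocess), i.e. a crash such as -11
        for SIGSEGV.  Returns None while the child is still running.
        """
        returncode = p.poll()
        if returncode is None:
            return
        if returncode >= 0:
            raise Exception("exited (%d)" % returncode)
        raise Exception("crashed (%d)" % returncode)

    def dump(self):
        """Return the input assembled so far."""
        return self.s

    def APPEND(self, s):
        """Append the literal ``s`` to the buffer and return it."""
        self.s += s
        return s

    def CHOICE(self, L):
        """Pick one string from ``L`` at random, append it, and return it.

        ``L`` must contain strings: the pick is concatenated onto ``self.s``.
        """
        s = random.choice(L)
        self.s += s
        return s

    def STRING(self, *args):
        """Append a run of 'A' whose length is ``random.randrange(*args)``.

        ``args`` are passed straight to ``randrange``, so ``STRING(20)`` gives
        0-19 characters and ``STRING(1, 5)`` gives 1-4.  Returns the run.
        """
        s = 'A' * random.randrange(*args)
        self.s += s
        return s

    def UINT32(self):
        """Append a little-endian 32-bit boundary value and return the integer.

        Candidates are 0, 0xF, 0xFF, ... 0xFFFFFFFF (all nibble-aligned
        all-ones masks that fit in 32 bits).
        """
        L = [(1 << (4 * i)) - 1 for i in range(9)]
        # Pick with random.choice directly: CHOICE() would try to append the
        # integer to the string buffer and fail; only the packed bytes belong
        # in the buffer.
        n = random.choice(L)
        self.s += struct.pack('<I', n)
        return n

    def UINT64(self):
        """Append a little-endian 64-bit boundary value and return the integer.

        Candidates are 0, 0xF, 0xFF, ... 0xFFFFFFFFFFFFFFFF (nibble-aligned
        all-ones masks that fit in 64 bits).
        """
        L = [(1 << (4 * i)) - 1 for i in range(17)]
        # Same reasoning as UINT32: never route the integer through CHOICE().
        n = random.choice(L)
        self.s += struct.pack('<Q', n)
        return n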
def readuntil(p, term):
    """Read ``p.stdout`` one character at a time until the data ends with ``term``.

    Returns everything read, terminator included.  If the stream reaches EOF
    before ``term`` is seen, returns None and whatever was read is dropped
    (the caller is expected to follow up with a liveness check on ``p``).
    An empty ``term`` matches immediately and returns ''.
    """
    acc = ''
    while True:
        if acc.endswith(term):
            return acc
        ch = p.stdout.read(1)
        if not ch:
            # EOF before the terminator: signal it with None.
            return None
        acc += ch
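def sr(p, s, term):
    """Send ``s`` to the child ``p`` and print its reply up to ``term``.

    Echoes the input as a repr, writes it to the child's stdin and flushes so
    the bytes reach the child regardless of how the pipe is buffered (without
    the flush a buffered pipe would leave readuntil blocking forever), prints
    the reply (None if the child closed stdout first), then calls
    TinyFuzz.poll, which raises if the child exited or crashed.
    """
    print("< %r" % s)
    p.stdin.write(s)
    p.stdin.flush()
    print(readuntil(p, term))
    TinyFuzz.poll(p)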
def gen():
    """Build one random command line for the target's prompt.

    Produces either ``show`` or ``set <name> <value>``, where name is one of
    a/b/c and value is 0-19 'A' characters (so ``set b `` with an empty value
    is possible), and terminates it with a newline.  Returns the string.
    """
    fuzz = TinyFuzz()
    if fuzz.CHOICE(['set', 'show']) == 'set':
        fuzz.APPEND(' ')
        fuzz.CHOICE(['a', 'b', 'c'])
        fuzz.APPEND(' ')
        fuzz.STRING(20)
    fuzz.APPEND('\n')
    return fuzz.dump()
def main():
    """Spawn the target and feed it generated commands until it exits or crashes.

    The first sr() call sends nothing and just consumes the banner up to the
    prompt; the loop then runs forever, and the only way out is the exception
    raised by TinyFuzz.poll inside sr() when the child terminates.
    """
    target = Popen('./shitsco_c8b1aa31679e945ee64bde1bdb19d035', stdin=PIPE, stdout=PIPE)
    sr(target, '', '$ ')
    while True:
        sr(target, gen(), '$ ')


if __name__ == '__main__':
    main()