import os
import re
import shlex
import shutil
import subprocess
import sys
import tempfile
import time
import traceback
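# Crash-triage targets, one row per fuzzed binary:
#   [id, binary name, argv template, crash-list prefix]
# "@@" in the argv template is replaced by the path of the crash file being
# re-run. The id column is None for every row and is not read anywhere in
# this file; it is kept only so the table shape stays stable.
data = [
    [None, "gdk-pixbuf-pixdata", "@@ /dev/null", "pixbuf"],
    [None, "cflow", "@@", "cflow"],
    [None, "nm-new", "-A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D @@", "nm"],
    [None, "sqlite3", " < @@", "sql"],
    [None, "lame3.99.5", "@@ /dev/null", "lame3.99.5"],
    [None, "jhead", "@@", "jhead"],
    [None, "imginfo", "-f @@", "imginfo"],
    [None, "pngimage", "@@", "pngimage"],
    [None, "jq", ". @@", "json"],
    [None, "mujs", "@@", "mujs"],  # mujs 1.0.2
]

# Directory holding the target binaries, and the gdb invocation that re-runs
# one crash under the `exploitable` plugin and prints a backtrace before
# quitting. Hoisted out of the comprehension so the location and the gdb
# script can be changed in one place.
TARGET_BIN_DIR = "/d/p/justafl"
GDB_CMD_TEMPLATE = "gdb -ex 'r {CMD}' -ex 'exploitable' -ex 'bt' -ex 'quit' {BIN_DIR}/{NAME}"

# binary name -> full gdb command line (still containing the "@@" placeholder).
progcmd = {
    name: GDB_CMD_TEMPLATE.format(CMD=argv_template, BIN_DIR=TARGET_BIN_DIR, NAME=name)
    for _id, name, argv_template, _prefix in data
}
# mujs crashes are reproduced against a separate debug build of the binary.
progcmd["mujs"] = progcmd["mujs"].replace("mujs", "mujs_debug")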
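# Worker configuration: argv = <fuzzer directory> <N> <M>. This process only
# handles crash-list entries whose running index T satisfies T % M == N, so
# M workers can be started against the same crash list.
fuzzername = sys.argv[1].replace("/", "")
T = -1
N = int(sys.argv[2])
M = int(sys.argv[3])
openfilename = fuzzername + "/crasheslist.txt"
# An assert is stripped under `python -O`; fail explicitly instead, since
# every result below is written under /c.
if not os.path.exists("/c"):
    raise FileNotFoundError("/c does not exist; gdb output cannot be recorded")
# One output tree per working directory ("/a/b" -> "a_b"), trailing "/" kept
# because callers concatenate relative paths onto it.
GDB_OUTPUT_FOLDER = "/c/GDB_OUTPUT/" + os.getcwd().replace("/", "_")[1:] + "/"
x = None
# The line count is only used for a progress percentage; count with the
# file open in a context manager rather than leaking the handle.
with open(openfilename) as listfp:
    total_lines = sum(1 for _ in listfp)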
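def _record_gdb_output(out_prefix, stdout, stderr):
    """Write captured gdb stdout/stderr to ``out_prefix``.stdout/.stderr, creating parent dirs."""
    os.makedirs(os.path.dirname(out_prefix), exist_ok=True)
    with open(out_prefix + ".stdout", "wb") as fp:
        fp.write(stdout)
    with open(out_prefix + ".stderr", "wb") as fp:
        fp.write(stderr)


def _has_exploitable_report(stdout, stderr):
    """True if gdb's ``exploitable`` command emitted its classification block."""
    text = stdout.decode(errors="ignore") + "\n" + stderr.decode(errors="ignore")
    return "\nShort description: " in text


# Per-process scratch directory for the crash input handed to gdb. A fixed,
# predictable /tmp name is a symlink/clobber hazard on a shared host and can
# collide between workers; mkdtemp gives each worker a private directory that
# is removed when the run ends.
scratch_dir = tempfile.mkdtemp(prefix="gdb_{}_cur_{}_".format(fuzzername, N))
scratch_input = os.path.join(scratch_dir, "input")
try:
    with open(openfilename) as listfp:
        for line in listfp:
            try:
                T += 1
                if T % M != N:
                    continue
                # Drops the first character and the trailing newline of the
                # list entry before prefixing the fuzzer directory; presumably
                # entries are "./<prog>/<crash>" — confirm against crasheslist.txt.
                line = fuzzername + line[1:-1]
                parts = line.split("/")
                prog = parts[1]
                # Directory names like "<prog>_<suffix>" map back to <prog>,
                # except for "bad" directories which are looked up verbatim.
                if "bad" not in prog and "_" in prog:
                    prog = prog.split("_")[0]
                if prog not in progcmd:
                    print("[prog not in cmd]", prog)
                    continue
                out_prefix = GDB_OUTPUT_FOLDER + line
                # An existing .stdout file marks this crash as already triaged.
                if os.path.exists(out_prefix + ".stdout"):
                    continue
                shutil.copy(line, scratch_input)
                cmd = shlex.split(progcmd[prog].replace("@@", scratch_input))
                try:
                    x = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, timeout=10)
                except subprocess.TimeoutExpired as e:
                    print("[timeout]", line)
                    # TimeoutExpired.stdout/stderr may be None when nothing was
                    # captured before the kill; treat that as empty output.
                    stdout = e.stdout or b""
                    stderr = e.stderr or b""
                    if _has_exploitable_report(stdout, stderr):
                        _record_gdb_output(out_prefix, stdout, stderr)
                    # Marker that this crash timed out; the parent directory is
                    # created first so the write cannot fail when no output was
                    # recorded above.
                    # NOTE(review): written for every timeout; if only timeouts
                    # with an exploitable report should be marked, move this
                    # under the preceding if.
                    os.makedirs(os.path.dirname(out_prefix), exist_ok=True)
                    with open(out_prefix + ".timeouted", "wb") as fp:
                        fp.write(b"1")
                    continue
                _record_gdb_output(out_prefix, x.stdout, x.stderr)
                if _has_exploitable_report(x.stdout, x.stderr):
                    # Progress percentage over the whole list, then the crash path.
                    print("%.1f" % (100 * T / total_lines), line)
            except Exception as e:
                # Best-effort per-crash isolation: log and move on to the next entry.
                traceback.print_exc()
                with open("gdbrunner_error.log", "a") as logfp:
                    logfp.write(line + "\t" + str(e) + "\n")
finally:
    shutil.rmtree(scratch_dir, ignore_errors=True)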