forked from debasishm89/iofuzz
-
Notifications
You must be signed in to change notification settings - Fork 0
/
iofuzz.py
463 lines (450 loc) · 16.7 KB
/
iofuzz.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
'''
iofuzz.py
Author : Debasish Mandal
Blog : http://www.debasish.in/
This fuzzer attaches it self to given user mode process and hooks DeviceIoControl!Kernel32.
After that,when DeviceIoControl is get called by the process it fuzzes the input/output buffer
content etc inside memory and at the same time logs actual buffer and mutated buffer length / content
in a log file. This log file is helpful when reproducing bugs triggered by this fuzzer.
This tool can operates in three modes:
1. Sniffing Mode - Capture Phase
2. Passive Fuzzing Mode - In-memory Fuzzing Mode
3. Active Fuzzing Mode - Direct operation I/O to Target device driver.
'''
import optparse
import re
import random
import math
from random import randrange,randint
try:
from ctypes import *
from ctypes import wintypes
except ImportError:
'[Error] Could not import ctype'
try:
from win32api import GetLastError;(kernel32,ntdll) = (windll.kernel32,windll.ntdll)
from win32con import NULL,FILE_SHARE_READ,FILE_SHARE_WRITE,OPEN_EXISTING
from win32file import INVALID_HANDLE_VALUE
except ImportError:
print '[Error] Could not import pywin32.Get it from http://sourceforge.net/projects/pywin32/'
try:
import utils
except ImportError:
print '[Error]Could not import utils,Get it from https://github.com/OpenRCE/paimei'
try:
import pydbg
from pydbg import *
from pydbg.defines import *
except ImportError:
print '[Error] Could not import pydbg. Get it from https://github.com/OpenRCE/pydbg'
from datetime import datetime
import signal
import sys
class CMDOptions:
'''
Although optparse has very nice help banner printing options, still I just wanted to customize the help banner little bit.Nothing else :)
'''
def show_passive_help(self):
print '''
When --mode="passive" (in-memory fuzzing mode)
Mandatory switches:
--process (ProcessName to attach and Its mandatory option)
Optional Switches:
--ioctl (Code to log / log all iocode) Ex. --ioctl=0xbadfood or by default it will fuzz all iocodes inside memory!
'''
def show_active_help(self):
print '''
When --mode="active" (Send IOCTL direct to target device given)
Mandatory switches:
--device (Target device name Its mandatory option)
--inputlog (Input log collected after iofuzz sniffer, inputlog.txt and Its mandatory option)
Example : --mode="active" --device="MyDevice" --inputlog="iofuzz_2014_03_23_22_47_10.log" --fuzzinlen --fuzzinbuff
Optional Switches:
--fuzzinbuff (Fuzz input buffer content False by default)
--fuzzinlen (Fuzz input buffer length False by default)
--fuzzoutlen (Fuzz input buffer length False by default)
--sizelimit (Length size limit 100,200 etc etc default is 10K)
--ioctl (Code to log / log all iocode) Ex. --ioctl=0xbadfood by default it will fuzz all iocodes
'''
def show_sniff_help(self):
print '''
When --mode="sniff" (silently log all device IO control request)
Mandatory switches:
--process (Process Name to attach with) Example : --mode="sniff" --process="notepad.exe"
Optional Switches:
--ioctl (Code to log / log all iocode) Ex. --ioctl=0xbadfood or --ioctl="*"
'''
def cmd_option(self):
'''
Parse Options
'''
global mode,log_path,fuzzinbuff,fuzzinlen,fuzzoutlen,size_limit,process,device
fuzzinbuff = False
fuzzoutlen = False
fuzzinlen = False
size_limit = 10000
global input_log_path,ioctl,run_time
parser = optparse.OptionParser()
parser.add_option('--mode', type="string", dest='mode')
parser.add_option('--process', type="string", dest='process')
parser.add_option('--device', type="string", dest='device')
### boolian ######
parser.add_option('--fuzzinbuff', dest='fuzzinbuff',default=False,action="store_true")
parser.add_option('--fuzzinlen', dest='fuzzinlen',default=False,action="store_true")
parser.add_option('--fuzzoutlen', dest='fuzzoutlen',default=False,action="store_true")
#### helper options ####
parser.add_option('--sizelimit', type="int", dest='size_limit')
parser.add_option('--inputlog', type="string", dest='input_log_path')
parser.add_option('--ioctlcode', type="int", dest='ioctl')
(opts, args) = parser.parse_args()
mode = opts.mode
if mode == "passive":
mandatories = ['process']
for m in mandatories:
if not opts.__dict__[m]:
print "[+] Error!! You have missed a mandatory option of mode : ", mode
self.show_passive_help()
exit(-1)
if opts.fuzzinbuff:
fuzzinbuff = True
if opts.fuzzoutlen:
fuzzoutlen = True
if opts.fuzzinlen:
fuzzinlen = True
if opts.ioctl:
ioctl = int(opts.ioctl)
else:
ioctl = "*"
if opts.size_limit:
size_limit = opts.size_limit
process = opts.process
print "Mode:",mode,"Process:",process,"Fuzz input buffer:",fuzzinbuff,"Fuzz output length:",fuzzoutlen,"Fuzz input length:",fuzzinlen,"Ioctl:",ioctl,"Max buffer length limit",size_limit
raw_input('[+] Press Enter to continue..')
elif mode == "active":
mandatories = ['input_log_path','device']
for m in mandatories:
if not opts.__dict__[m]:
print "[+] Error!! You have missed a mandatory option of mode : ", mode
self.show_active_help()
exit(-1)
if opts.fuzzinbuff:
fuzzinbuff = True
if opts.fuzzoutlen:
fuzzoutlen = True
if opts.fuzzinlen:
fuzzinlen = True
if opts.ioctl:
ioctl = int(opts.ioctl)
else:
ioctl = "*"
if opts.size_limit:
size_limit = opts.size_limit
device = opts.device
input_log_path = opts.input_log_path
#if opts.fuzzinlen and opts.fuzzinbuff:
# print '[Error] Please choose any one of --fuzzinlen or --fuzzinbuff switch at a time'
# exit()
print "[+] Mode",mode,"Input Log Path:",input_log_path,"Device Name:",device,"Fuzz input buffer:",fuzzinbuff,"Fuzz output length:",fuzzoutlen,"Fuzz input length:",fuzzinlen,"Ioctl:",ioctl,"Max buffer length limit",size_limit
raw_input('[+] Press Enter to continue..')
elif mode == "sniff":
mandatories = ['process']
for m in mandatories:
if not opts.__dict__[m]:
print "[+] Error!! You have missed a mandatory option Example \n$./iofuzz.py --mode <active / passive /sniff>"
self.show_sniff_help()
exit(-1)
#log = opts.log
process = opts.process
if opts.ioctl:
ioctl = int(opts.ioctl)
else:
ioctl = "*"
print '[+] Mode:',mode,"Process Name:",process
raw_input('[+] Press Enter to continue..')
else:
print '''[+] Invalid or no mode name given. \nExample $./iofuzz.py --mode <active / passive /sniff>
passive => (In-memory fuzzing mode)
active => (Send IOCTL direct to target device given)
sniffer => (Silently log all device IO control request by hooking Kernel32!DeviceIoControl())
'''
exit()
class HelperFunctions:
def startlog(self,logfile_path):
f = open(logfile_path,'w')
f.write('<ioctllog mode="'+ mode +'">')
f.close()
def exit_gracefully(self,signum, frame):
signal.signal(signal.SIGINT, original_sigint)
try:
if raw_input("Really want to stop? (y/n)> ").lower().startswith('y'):
sys.exit(1)
except KeyboardInterrupt:
hookobj.removehook()
print("Ok ok, quitting")
sys.exit(1)
signal.signal(signal.SIGINT, exit_gracefully)
def addtolog(self,ioctl,input_buffer,output_buffer_len,out_buff_address):
log = '<ioentry>'
log += '<iocode>' + hex(ioctl) +'</iocode>'
log += '<inbuffer>'+ input_buffer + '</inbuffer>'
log += '<outlen>' + hex(output_buffer_len) +'</outlen>'
log += '<outpointer>' + hex(out_buff_address) + '</outpointer>'
log += '</ioentry>'
f = open(log_name,'a')
f.write(log)
f.close()
class Fuzzing:
'''
This class is responsible for all fuzzing operations.(generation and mutation)
'''
#Generation Based fuzzing
def get_long_buffer(self):
total_cases = 2
case = randrange(total_cases)
if case == 0:
#send back long strings
chars = ['A','O','Z','!','@','#','$','^','*','+','\\','<','>','?','`','~','\"',"\\'",'%','%s','%d','%x','%u','%p','\xff','\x00']
return chars[randrange(0,26)]*randrange(0,5000)
if case == 1:
#send back dwords
dw = ['\x00\x00\x00\x00','\xFF\xFF\xFF\xFF','\xFF\xFF\x00\x00','\x00\x00\xFF\xFF']
return (random.choice(dw))*randrange(0,10000)
if case == 2:
random_byte = random.randrange(256)
return hex(random_byte)[2:].decode('hex')*randint(0,5000)
#######################################################################
'''
This if for output buffer size and address !
'''
def get_long_len(self):
return randrange(0x0000,0xFFFF)
def get_address(self):
ad_case = randrange(0,1)
if ad_case == 0:
return randrange(0x00000000,0x7FFFFFFF)
if ad_case == 1:
return randrange(0x80000000,0xFFFFFFFF)
##############################################################
def dumbo(self,buf):
'''
Dumbest fuzzer in the whole universe for sure!!!
'''
if len(buf) == 0:
return ""
percent = float(0.05)
b = list(buf)
num2write=random.randrange(math.ceil((float(len(buf))) * percent))+1
for j in range(num2write):
random_byte = random.randrange(256)
random_offset = random.randrange(len(buf))
b[random_offset] = '%c'%(random_byte)
final=''.join(b)
return final
def dwordfuzz(self,buff):
'''
Fuzz only DWORDs of given buffer!!
'''
if len(buff) == 0:
return ""
dwords = ['\x00\x00\x00\x00','\xff\xff\xff\xff','\x00\x00\xff\xff','\xff\xff\x00\x00','\x00\x00\x01\x00']
dword_buff = [buff[i:i+4] for i in range(0, len(buff), 4)]
rand_offset = randrange(len(dword_buff))
dword_buff[rand_offset] = dwords[randrange(0,len(dwords))]
return ''.join(dword_buff)
def fuzzit(self,buff):
'''
It decides which of above defined fuzzer to be used depending on the choosen options!!
'''
if fuzzinlen and mode != "passive":
'''
Its sometime too risky to write long data inside memory. It may corrupt existing data structure.
So for passive mode only mutation based approach will be used.
'''
#Check if buffer length can be manipulated or not
return self.get_long_buffer()
else:
#Length cannot be manipulated then use dumbo() or dwordfuzz()
lot = randint(0,1)
if lot == 0:
return self.dwordfuzz(buff)
if lot == 1:
return self.dumbo(buff)
class SendIoctl:
'''
This Class is responsible for doing all direct I/O operations to target device.
Thanks for levle his work saved lot of my time.
https://github.com/levle/Kfuzz
'''
def sendioctl(self,device,ioctl,input_buffer,output_buf_poi,output_len):
f = open('lastio.log','w')
DeviceIoControl = windll.ntdll.ZwDeviceIoControlFile
input_size = len(input_buffer)
handle = kernel32.CreateFileA("\\\\.\\"+device,FILE_SHARE_WRITE|FILE_SHARE_READ,0,None,OPEN_EXISTING,0,None)
handleMap = kernel32.CreateFileMappingA(INVALID_HANDLE_VALUE,NULL,0x40,0,input_size,NULL)
address = kernel32.MapViewOfFileEx(handleMap,0x2|0x4|0x8,0,0,input_size,NULL)
kernel32.WriteProcessMemory(-1,address,input_buffer,input_size,byref(c_int(0)))
print '[*] Device: '+str(device)+' Handle: '+hex(handle)+' IOCTL: '+hex(ioctl)+' Buffer(in) Poi: '+hex(address)+' Length: '+hex(input_size)+' Buffer(out): '+hex(output_buf_poi)+' Length: '+hex(output_len)
log = '<device>'+ device +'</device><ioctl>'+ ioctl +'</ioctl><inputbuff>'+ input_buffer +'</inputbuff><outbufpoi>'+ output_buf_poi +'</outbufpoi><outputlen>'+ output_len +'</outputlen>'
f.write(log)
f.close()
ret = DeviceIoControl(handle,NULL,NULL,NULL,byref(c_ulong()),ioctl,address,input_size,output_buf_poi,output_len)
if not ret:
raise IOError('DeviceIoControl() failed!')
kernel32.CloseHandle(handle)
kernel32.UnmapViewOfFile(address)
class HooknSniff:
'''
This class is responsible for actual Hook operation and it changes all DeviceIoControl params on the fly!!
'''
def sniff( self,dbg, args ):
'''
BOOL WINAPI DeviceIoControl(
_In_ HANDLE hDevice,
_In_ DWORD dwIoControlCode,
_In_opt_ LPVOID lpInBuffer,
_In_ DWORD nInBufferSize,
_Out_opt_ LPVOID lpOutBuffer,
_In_ DWORD nOutBufferSize,
_Out_opt_ LPDWORD lpBytesReturned,
_Inout_opt_ LPOVERLAPPED lpOverlapped
);
esp+4 -> 0 -> HANDLE hDevice
esp+8 -> 1 -> DWORD dwIoControlCode
esp+C-> 2 -> LPVOID lpInBuffer
esp+10-> 3 -> DWORD nInBufferSize
esp+14-> 4 -> LPVOID lpOutBuffer pointer
esp+18-> 5 -> DWORD nOutBufferSize
..
..
'''
in_size = args[3]
in_buff_poi = args[2]
input_buffer = dbg.read_process_memory(in_buff_poi, int(in_size))
output_buffer_poi = args[4]
io_code = args[1]
out_size = args[5]
esp = dbg.context.Esp
print '[+] Intercepted IOCTL Code :',hex(io_code)
if mode == "passive":
if ioctl != "*":
#operate on given ioctl
if args[1] == ioctl:
if fuzzinbuff:
fuzzed = fuzz.fuzzit(input_buffer)
length = len(fuzzed)
a = '{0:08X}'.format(length)
dbg.write_process_memory( esp+0x10, a.decode('hex'), 4)
dbg.write_process_memory( args[2], fuzzed, len(fuzzed))
else:
fuzzed = input_buffer
long_length = fuzz.get_long_len()
a = '{0:08X}'.format(long_length)
dbg.write_process_memory( esp+0x18, a.decode('hex'), 4)
rand_addr = addfuzz.get_address()
b = '{0:08X}'.format(rand_addr) #convert int to string represent a 32bit Hex number
raw_length = b.decode('hex')
dbg.write_process_memory( esp+0x14, raw_length, 4)
helper.addtolog(io_code,fuzzed,long_length,rand_addr)
else:
print '[+] Skipping IOCTL..',hex(args[1])
else:
if fuzzinbuff:
fuzzed = fuzz.fuzzit(input_buffer)
length = len(fuzzed)
a = '{0:08X}'.format(length)
dbg.write_process_memory( esp+0x10, a.decode('hex')[::-1], 4)
dbg.write_process_memory( args[2], fuzzed, len(fuzzed))
else:
#Dont fuzz input buffer content
fuzzed = input_buffer
#Long out put size out put buffer len
long_out_length = fuzz.get_long_len()
a = '{0:08X}'.format(long_out_length)
dbg.write_process_memory( esp+0x18,a.decode('hex')[::-1], 4)
#Write an absurd address in output buffer address
rand_addr = fuzz.get_address()
a = '{0:08X}'.format(rand_addr) #convert int to string represent a 32bit Hex number
raw_length = a.decode('hex')
dbg.write_process_memory( esp+0x14, raw_length[::-1], 4)
helper.addtolog(io_code,fuzzed,long_out_length,rand_addr)
if mode == "sniff":
#sniffing mode
if ioctl == "*":
helper.addtolog(io_code,input_buffer,out_size,output_buffer_poi)
else:
if args[1] == ioctl:
#Log only this one
helper.addtolog(io_code,input_buffer,out_size,output_buffer_poi)
else:
print '[+] Not logging',hex(args[1])
print '\n\n'+'*'*50
return DBG_CONTINUE
def removehook(dbg):
#remove_hook_and deattach debugger
print '[+] Rmeoving DeviceIoControlHook'
hooks.remove( dbg, hook_address)
dbg.detach()
if __name__ == "__main__":
cmd = CMDOptions()
cmd.cmd_option()
global helper
helper = HelperFunctions()
global fuzz
fuzz = Fuzzing()
global original_sigint
original_sigint = signal.getsignal(signal.SIGINT)
signal.signal(signal.SIGINT, helper.exit_gracefully)
global log_name
log_name = 'iofuzz_'+datetime.now().strftime("%Y_%m_%d_%H_%M_%S")+".log"
helper.startlog(log_name)
if mode == "passive" or mode == "sniff":
global dbg
dbg = pydbg()
global hooks
hooks = utils.hook_container()
for (pid,name) in dbg.enumerate_processes():
if name == process:
print '[+] Attaching to ',process
try:
dbg.attach(pid)
except Exception,e:
print '[Error] Cannot Attach to process ',process,pid
exit()
global hook_address
hook_address = dbg.func_resolve_debuggee("kernel32.dll","DeviceIoControl")
hookobj = HooknSniff()
hooks.add( dbg, hook_address, 8, hookobj.sniff, None )
dbg.run()
else:
ioobj = SendIoctl()
print '[+] Reading iocltl log file..',input_log_path
f = open(input_log_path,'rb')
xml_data = f.read()
f.close()
match = re.findall('<ioentry>(.*?)</ioentry>',xml_data)
if not len(match):
print '[Error] Make sure provided log is correctly formatted!!'
exit()
while 1:
io = random.choice(match)
iocode = re.findall('<iocode>(.*?)</iocode>',io)
in_buff_data = re.findall('<inbuffer>(.*?)</inbuffer>',io)
if ioctl == "*":
if fuzzinbuff:
fuzzed_data = fuzz.fuzzit(in_buff_data[0])
else:
fuzzed_data = in_buff_data[0]
out_address = fuzz.get_address()
out_len = fuzz.get_long_len()
ioobj.sendioctl(device,int(iocode[0],16),fuzzed_data,out_address,out_len)
else:
if int(iocode[0],16) == ioctl:
if fuzzinbuff:
fuzzed_data = fuzz.fuzzit(in_buff_data[0])
else:
fuzzed_data = in_buff_data[0]
out_address = fuzz.get_address()
out_len = fuzz.get_long_len()
ioobj.sendioctl(device,int(iocode[0],16),fuzzed_data,out_address,out_len)
else:
pass