
#!/usr/bin/python
# Python3

import socket
import sys
import time
import random


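class HonggfuzzSocket:
    """Client side of the honggfuzz socket-fuzzer control channel.

    honggfuzz listens on a UNIX stream socket at ``/tmp/honggfuzz_socket``
    (suffixed with ``.<pid>`` when a pid is given). Both sides exchange
    fixed-width 4-byte text commands: honggfuzz sends "Fuzz", "New!" or
    "Cras"; this client answers "okay" or "bad!".
    """

    def __init__(self, pid):
        """Remember *pid* (may be None); the socket itself is created by connect()."""
        self.sock = None
        self.pid = pid

    def connect(self):
        """Open the UNIX socket to honggfuzz.

        On failure the error is printed and the process exits with status 1:
        without the control channel there is nothing for the client to do.
        """
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)

        server_address = "/tmp/honggfuzz_socket"
        if self.pid is not None:
            server_address += "." + str(self.pid)
        print('connecting to %s' % server_address)

        # NOTE: the path lives in the shared /tmp directory; nothing here
        # identifies the peer beyond the filesystem permissions of that path.
        try:
            self.sock.connect(server_address)
        except socket.error as msg:
            print("Error connecting to honggfuzz socket: " + str(msg))
            self.sock.close()
            sys.exit(1)

    def send(self, data):
        """Send the text command *data* in full (default str encoding)."""
        self.sock.sendall(str.encode(data))

    def recv(self):
        """Read one 4-byte command from honggfuzz and return it as text.

        A stream socket may deliver a command in pieces, so keep reading
        until 4 bytes have arrived. Returns "" when honggfuzz closed the
        connection before sending anything (a short string if it closed
        mid-command).
        """
        chunks = []
        remaining = 4
        while remaining > 0:
            chunk = self.sock.recv(remaining)
            if not chunk:
                break  # peer closed the connection
            chunks.append(chunk)
            remaining -= len(chunk)
        return b"".join(chunks).decode()

    def disconnect(self):
        """Close the control socket."""
        self.sock.close()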


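class TargetSocket:
    """TCP client for the fuzzed target server listening on localhost."""

    # Message number -> payload sent to the target. 6 and 7 are oversized
    # inputs meant to trigger the example target's overflow cases.
    FUZZ_MESSAGES = {
        1: "AAAAAA",
        2: "BBBBBB",
        3: "CCCCCC",
        4: "DDDDDD",
        5: "EEEEEE",
        6: "B" * 128,  # stack buffer overflow
        7: "C" * 128,  # heap buffer overflow
    }

    def __init__(self, targetPort=5001):
        """Remember the target's TCP port (5001 was previously hard-coded)."""
        self.sock = None
        self.targetPort = targetPort

    def testServerConnectionTcp(self):
        """Return True if a TCP connection to localhost:targetPort succeeds."""
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        server_address = ('localhost', self.targetPort)

        try:
            sock.connect(server_address)
        except socket.error:
            return False
        finally:
            sock.close()  # released on both paths

        return True

    def sendToSocket(self, data):
        """Connect to the target, send *data*, then close the connection.

        Connecting is retried up to 10 times at 0.1 s intervals so the target
        has time to come back (e.g. after a crash). Returns False when no
        connection could be made in that window. A send error after a
        successful connect is only printed; True is still returned.
        """
        host = 'localhost'
        port = self.targetPort

        s = None
        for _attempt in range(10):
            # Do not reuse a socket after a failed connect(); start afresh.
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.settimeout(1)
            try:
                s.connect((host, port))
                break
            except socket.error:
                s.close()
                s = None
                time.sleep(0.1)
        if s is None:
            return False

        try:
            # sendall() rather than send(): the payload must not be truncated.
            s.sendall(str.encode(data))
        except socket.error as e:
            print("B: " + str(e))
        finally:
            s.close()
        return True

    def sendFuzz(self, n):
        """Send canned message number *n* (an int key of FUZZ_MESSAGES).

        Unknown numbers (including text such as "2") send an empty payload.
        Returns the result of sendToSocket().
        """
        data = self.FUZZ_MESSAGES.get(n, "")
        return self.sendToSocket(data)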



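def sendResp(targetSocketRes, hfSocket):
    """Report the delivery result of the last target message to honggfuzz.

    Sends "bad!" when *targetSocketRes* is false (the target could not be
    reached, i.e. the server is down), otherwise "okay".
    """
    if not targetSocketRes:
        print("  ! Server down. Send: bad!")
        hfSocket.send("bad!")
    else:
        hfSocket.send("okay")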



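def _expectReply(hfSocket, accepted):
    """Read one command from honggfuzz and print "ok"/"nok".

    Returns True when the reply is one of the values in *accepted*.
    """
    ret = hfSocket.recv()
    if ret in accepted:
        print("  ok: " + ret)
        return True
    print("  nok: " + ret)
    return False


def _runStep(hfSocket, targetSocket, title, msgNo, expected):
    """Run one scripted step of the self-test.

    Sends canned message *msgNo* to the target, reports the delivery result
    to honggfuzz, then checks each reply listed in *expected* (a sequence of
    accepted-value tuples, one per expected command). Returns False at the
    first reply that is not accepted.
    """
    print("")
    print("Test: " + title)
    # Report this step's own delivery result, never a value left over from
    # an earlier reply.
    ret = targetSocket.sendFuzz(msgNo)
    sendResp(ret, hfSocket)
    for accepted in expected:
        if not _expectReply(hfSocket, accepted):
            return False
    return True


# Scripted session against the example target:
# (title, message number, replies expected from honggfuzz in order, each as
# the tuple of accepted values).
_AUTO_STEPS = [
    ("1 - first new BB", 1, (("New!", "Fuzz"), ("Fuzz",))),
    ("2 - second new BB", 2, (("New!",), ("Fuzz",))),
    ("3 - repeat second msg, no new BB", 2, (("Fuzz",),)),
    ("4 - crash stack", 6, (("Cras",), ("Fuzz",))),
    ("5 - resend second, no new BB", 2, (("Fuzz",),)),
    ("6 - send three, new BB", 3, (("New!",), ("Fuzz",))),
    ("7 - send four, new BB", 4, (("New!",), ("Fuzz",))),
    ("8 - send four again, no new BB", 4, (("Fuzz",),)),
]


def auto(pid):
    """Drive a fixed self-test conversation with honggfuzz.

    *pid* selects the honggfuzz socket suffix (None for the bare path).
    Connects, waits for the initial "Fuzz", then walks through _AUTO_STEPS,
    stopping at the first unexpected reply.
    """
    print("Auto")

    hfSocket = HonggfuzzSocket(pid)
    targetSocket = TargetSocket()

    hfSocket.connect()

    print("")
    print("Test: 0 - initial")
    if not _expectReply(hfSocket, ("Fuzz",)):
        return

    for title, msgNo, expected in _AUTO_STEPS:
        if not _runStep(hfSocket, targetSocket, title, msgNo, expected):
            return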


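def interactive(pid):
    """Let the operator pick the message to send on every "Fuzz" request.

    *pid* selects the honggfuzz socket suffix (None for the bare path).
    Runs until honggfuzz closes its socket (empty reply), the control socket
    fails, or stdin is closed.
    """
    hfSocket = HonggfuzzSocket(pid)
    targetSocket = TargetSocket()

    hfSocket.connect()

    # Read one line of text from the operator. On Python 2, input() evaluates
    # the typed text as an expression, so use raw_input() where it exists.
    try:
        readLine = raw_input  # noqa: F821 (Python 2 only)
    except NameError:
        readLine = input

    while True:
        try:
            recv = hfSocket.recv()

            if recv == "Fuzz":
                # Ask which canned message to send. sendFuzz() keys on an
                # int, so convert the typed text first; anything else falls
                # through and sends an empty payload, as before.
                i = readLine("--[ Send Msg #: ")
                try:
                    i = int(i)
                except (TypeError, ValueError):
                    print("Not a message number: " + str(i))
                print("Send to target: " + str(i))
                if not targetSocket.sendFuzz(i):
                    print("Server down. Send: bad!")
                    hfSocket.send("bad!")
                else:
                    hfSocket.send("okay")

            elif recv == "New!":
                print("--[ R Adding file to corpus...")
                # add the data you sent to the target to your input
                # corpus, as it reached new basic blocks

            elif recv == "Cras":
                print("--[ R Target crashed")
                # target crashed, store the things you sent to the target

            elif recv == "":
                print("Hongfuzz quit, exiting too\n")
                break

            else:
                print("--[ Unknown: " + str(recv))

        except (socket.error, EOFError) as e:
            # A broken control socket or closed stdin would fail on every
            # iteration; stop instead of spinning.
            print("Exception: " + str(e))
            break
        except Exception as e:
            print("Exception: " + str(e))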



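_USAGE = "honggfuzz_socketclient.py [auto/interactive] <pid>"


def main():
    """Parse the command line and run the selected mode.

    argv[1] is the mode ("auto" or "interactive"); argv[2], if given, is the
    honggfuzz pid used as the socket path suffix. Without a pid the usage
    line is printed and the mode still runs against the bare socket path.
    """
    mode = None
    pid = None

    if len(sys.argv) >= 2 and sys.argv[1] in ("auto", "interactive"):
        mode = sys.argv[1]

    if mode is None:
        print(_USAGE)
        return

    if len(sys.argv) >= 3:
        try:
            pid = int(sys.argv[2])
        except ValueError:
            print("pid must be an integer, got: " + sys.argv[2])
            print(_USAGE)
            return
    else:
        print(_USAGE)

    # Compare by value; `is` on string literals only works by interning.
    if mode == "auto":
        auto(pid)
    elif mode == "interactive":
        interactive(pid)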


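# Only run when executed as a script, so the module can be imported
# (e.g. to reuse HonggfuzzSocket/TargetSocket) without side effects.
if __name__ == "__main__":
    main()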