/* .--------------------------------------------. UWkfuzz.c [Tue Jan 2 23:28:19 CET 2007] """"""""" a simple syscall/ioctl fuzzer. you may want to run it several times until smth breaks... this is the new single from the album called "GinFuzz". if you want to add a check: o increment NUMOFCHECKS o in do_check add your parameter value to the checks array o compile: gcc -lutil -o kfuzz kfuzz.c -DBSD or gcc -lutil -o kfuzz kfuzz.c -DLINUX / -DSUNOS o getting it to run on other systems is fairly easy, you mostly have to fix includes and (un)define constants TODO: o clean this historically grown UGLY code ...maybe :p o use a map of argument count for each syscall o fuzz socket stuff: socket, [g,s]etsockopt, send .. BUG: o ioctl: on linux we reach max open fd limit => ulimit o sometimes it segfaults because the kernel copies data to 'bad' locations. this is 'normal' because of fuzzed addresses.. Gallery: o freebsd 6.1-10 / ioctl o fc6 / ioctl o openbsd 4.0 / ioctl, syscall good luck --qobaiashi/UberWall */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifndef PAGE_SIZE #define PAGE_SIZE 4096 #endif #define VERSION "1.2" #define UPTO 10 // .--inc this one #define NUMOFCHECKS 22+UPTO #define CHAOS_RUNS 5 #define IOCTLCHECKS 21 #define TMPFILE "/tmp/kfuzz.tmp" #ifdef BSD #include #define SYSCALLCOUNT SYS_MAXSYSCALL #endif #ifdef LINUX #include #define SYSCALLCOUNT 340 // guess, sys_ni_syscall get skipped anyway #endif #ifdef SUNOS #include #define SYSCALLCOUNT NSYSCALL #endif /**************\ |* prototypes *| \**************/ void sigstfu(); int do_check(int call, int filefd); void usage(char *path); void build_ammo(char *buf, size_t len); void sead(); unsigned int givelen(unsigned int max); void stateinit(); int getstate(); int get_file(char *path, int *fd); int put_file(char *path, char *data, size_t len); void prepare_ioctl(int start); void do_ioctl(int fd); /*************\ |* globals *| \*************/ char ammo_buffer[5*1024]; char *file = NULL; char *statefile = NULL; int callstate = 0; int ioctlstate = 0; int *invalid = (int *)0xc0000020; int *negative = (int *)0x80000020; int direct = 0; int neverend = 0; int trackstate = 0; int domains[] = { #ifdef BSD PF_LOCAL, // Host-internal protocols, formerly called PF_UNIX, PF_UNIX, // Host-internal protocols, deprecated, use PF_LOCAL, PF_INET, // Internet version 4 protocols, PF_PUP, // PUP protocols, like BSP, PF_APPLETALK, // AppleTalk protocols, PF_ROUTE, // Internal Routing protocol, PF_LINK, // Link layer interface, PF_IPX, // Novell Internet Packet eXchange protocol, PF_RTIP, // Help Identify RTIP packets, PF_PIP, // Help Identify PIP packets, PF_ISDN, // Integrated Services Digital Network, PF_KEY, // Internal key-management function, PF_INET6, // Internet version 6 protocols, PF_NATM, // Native ATM access, PF_ATM, // ATM, PF_NETGRAPH // Netgraph sockets #endif #ifdef LINUX PF_UNIX,PF_LOCAL, PF_INET, PF_INET6, PF_IPX, PF_NETLINK, PF_X25, PF_AX25, PF_ATMPVC, PF_APPLETALK, PF_PACKET #endif }; int types[] = { SOCK_STREAM, // Stream socket, SOCK_DGRAM, // Datagram socket, SOCK_RAW, // Raw-protocol interface, SOCK_RDM, // Reliably-delivered packet, SOCK_SEQPACKET // Sequenced packet stream }; struct mapping { int *addr; size_t len; }; /************\ |* main *| \************/ int main(int argc, char *argv[]) { int tmp, ret, cntr, call = 1, iocfu = 0, fd; stateinit(); sigstfu(); //fuzz data: memset(&ammo_buffer, 0x0, sizeof(ammo_buffer)); fprintf(stdout, "UW kernel fuzzer v.%s\n", VERSION); chdir("/tmp"); while((tmp = getopt(argc, argv, "snidhc:f:")) != EOF) { switch (tmp) { case 'd': direct = 1; break; case 'h': usage(argv[0]); break; case 'c': call = strtoul(optarg, 0, 0); break; case 'i': iocfu = 1; break; case 'n': neverend = 1; break; case 'f': file = optarg; fprintf(stdout, "[*] using file %s\n", file); break; case 's': trackstate = 1; iocfu = getstate(); break; default: usage(argv[0]); break; } } if(trackstate) { if(iocfu) call = ioctlstate; else call = callstate; } if(iocfu == 1) // branch to ioctls { fprintf(stdout, "[*] fuzzing ioctls\n"); if(call == 0)//ioctl fuzz prepare_ioctl(0); else prepare_ioctl(call); } fprintf(stdout, "[*] fuzzing syscalls\n"); //branch to syscalls system("/bin/cp /bin/sh /tmp/kfile"); get_file("/tmp/kfile", &fd); if(direct == 1) { if(!neverend) do_check(call, fd); else while(1) do_check(call, fd); } printf("[*] iterating calls...i will eat your cpu..\n"); for(cntr = call;cntr <= SYSCALLCOUNT; cntr++) { if(trackstate) { char status[256]; memset(status, 0x0, sizeof(status)); sprintf(status, "syscall %d\n", cntr); put_file(statefile, status, strlen(status)); } fprintf(stdout, " doing call %d..\n", cntr); do_check(cntr, fd); } exit(0); } /*********************************\ |** get the file **| \*********************************/ int get_file(char *path, int *fd) { struct stat buf; memset(&buf, 0x0, sizeof(buf)); if ((*fd=open(path, O_RDONLY)) == -1) { printf("no open\n"); return -1; } if ((fstat(*fd, &buf) < 0)) { return -1; printf("no stat\n"); } return buf.st_size; } /*********************************\ |** write to a file **| \*********************************/ int put_file(char *path, char *data, size_t len) { FILE *fp; int cnt = -1;// APPEND to file if((fp = fopen(path,"w")) == NULL) { printf("[!] could not write out to %s\n", path); return 0; } cnt = fwrite(data, 1 ,len , fp); fclose(fp); return cnt; } /************\ |* stetinit *| \************/ void stateinit() { char needle[128]; char *pwd, *pos; int len, fd, state = 0; if ((len = get_file("/etc/passwd", &fd)) < 1) return; memset(needle, 0, sizeof(needle)); snprintf(needle, sizeof(needle), "%d:%d", getuid(), getgid()); if( !(pwd = malloc(len+1)) ) { printf("[!] could not malloc(%d) skipping state initialization..\n", len+1); return; } memset(pwd, 0, len+1); if(read(fd, pwd, len) == -1) { printf("[!] could not read from file skipping state initialization..\n"); return; } close(fd); pos = strstr(pwd, needle); while(pos) { if(*pos++ == ':') state++; if(state == 3) break; } *strstr(pos, ":") = 0x0;//no error handling here :p if( !(statefile = malloc(strlen(pos)+8)) ) { printf("[!] could not malloc(%d) skipping state initialization..\n", len+1); return; } memset(statefile, 0x0, strlen(pos)+8); sprintf(statefile, "%s/.kfuzz", pos); free(pwd); } /************\ |* getstate *| \************/ int getstate() { int fd, len, retval; char *data, *pos; if ((len = get_file(statefile, &fd)) < 1) return; if( !(data = malloc(len+1)) ) { printf("[!] could not malloc(%d) skipping state initialization..\n", len+1); return; } memset(data, 0, len+1); if(read(fd, data, len) == -1) { printf("[!] could not read from file skipping state initialization..\n"); return; } close(fd); if((pos = strstr(data, "ioctl "))) { pos += sizeof("ioctl"); ioctlstate = strtoul(pos, 0, 0); retval = 1; } if((pos = strstr(data, "syscall "))) { pos += sizeof("syscall"); if( !(callstate = strtoul(pos, 0, 0)) ) callstate = 1; //call 0 would be a waste of cputime retval = 0; } free(data); return retval; } /***********\ |* sigstfu *| \***********/ void sigstfu() { int sig; //good idea from ilja for(sig = 0; sig < 200; sig++) if(sig != SIGSEGV && sig != SIGINT) signal(sig, SIG_IGN); } /***************\ |* do_check *| \***************/ int do_check(int call, int filefd) { int ret, cntr; int arg1, arg2, arg3, arg4, arg5; int *checks[NUMOFCHECKS]; if(neverend == 0) { checks[0] = (int*)ammo_buffer;//points to fuzz buffer checks[1] = (int*)ammo_buffer;//points to fuzz buffer checks[2] = invalid; checks[3] = negative; checks[4] = (int *)-4; checks[5] = (int *)1; checks[6] = (int *)2; checks[7] = (int *)3; checks[8] = (int *)4; checks[9] = (int *)5; checks[10]= (int *)6; checks[11]= (int *)0x80000000; checks[12]= (int *)0xfffffff1; checks[13]= (int *)0x8000; checks[14]= (int *)0x7fffffff; checks[15]= (int *)0x7fff; checks[16]= (int *)0xffffffff; checks[17]= (int *)-1337; checks[18] = (int*)ammo_buffer;//points to fuzz buffer checks[19] = (int*)ammo_buffer;//points to fuzz buffer checks[20] = (int *)"/tmp/"; checks[21] = 0; } else { checks[0] = (int*)ammo_buffer+givelen(sizeof(ammo_buffer)-1024); checks[1] = (int*)ammo_buffer+givelen(sizeof(ammo_buffer)-1024); checks[2] = (int*)ammo_buffer+givelen(sizeof(ammo_buffer)-1024); checks[3] = (int*)ammo_buffer+givelen(sizeof(ammo_buffer)-1024); checks[4] = (int*)ammo_buffer+givelen(sizeof(ammo_buffer)-1024); checks[5] = (int*)ammo_buffer+givelen(sizeof(ammo_buffer)-1024); checks[6] = (int*)ammo_buffer+givelen(sizeof(ammo_buffer)-1024); checks[7] = (int*)ammo_buffer+givelen(sizeof(ammo_buffer)-1024); checks[8] = (int*)ammo_buffer+givelen(sizeof(ammo_buffer)-1024); checks[9] = (int*)ammo_buffer+givelen(sizeof(ammo_buffer)-1024); checks[10] = (int*)ammo_buffer+givelen(sizeof(ammo_buffer)-1024); checks[11] = (int*)ammo_buffer+givelen(sizeof(ammo_buffer)-1024); checks[12] = (int*)ammo_buffer+givelen(sizeof(ammo_buffer)-1024); checks[13] = (int*)ammo_buffer+givelen(sizeof(ammo_buffer)-1024); checks[14] = (int*)ammo_buffer+givelen(sizeof(ammo_buffer)-1024); checks[15] = (int*)ammo_buffer+givelen(sizeof(ammo_buffer)-1024); checks[16] = (int*)ammo_buffer+givelen(sizeof(ammo_buffer)-1024); checks[17] = (int*)ammo_buffer+givelen(sizeof(ammo_buffer)-1024); checks[18] = (int*)ammo_buffer+givelen(sizeof(ammo_buffer)-1024); checks[19] = (int*)ammo_buffer+givelen(sizeof(ammo_buffer)-1024); checks[20] = (int*)ammo_buffer+givelen(sizeof(ammo_buffer)-1024); } /* leave some out for incremental mode: o 1 : don't exit o 2 : don't forkbomb us o 3 : don't read because it waits for input o 4 : don't trash the console o 5 : don't trash /tmp o 6 : close is boring o 14: don't trash with broken inodes...or? o 29: no pause which stopps us o 36: no sync which sloooows us dooown o 37: no kill because it kills anything ... o 120: no cloning because this kills us.. you can fuzz them via comandline.. */ switch(call) { case 1: // don't exit case 2: // don't forkbomb us case 3: // don't read cause it waits for input case 4: // don't trash the console case 5: // don't trash /tmp case 6: // close is boring case 14: // don't trash with broken inodes...or? case 29: // no pause which stops us case 36: // no sync which slooows us down case 37: // no kill for obvious reasons case 54: // no ioctl, we can do that better... case 120:// no cloning.. case 136:// no mkdir("binaryargumenthere"); case 199:// no getuid \ case 200:// no getgid case 201:// no geteuid they should not be buggy ;) but eat time case 202:// no getegid case 213:// no setuid case 214:// no setgid / if(direct == 1) break; fprintf(stdout, "[!] call %d is left out .. see src!\n", call); goto OUT; } for(ret = 0; ret <= UPTO; ret++) checks[5+ret] = (int *)ret; for(arg1 = 0; arg1 <= NUMOFCHECKS; arg1++) { for(arg2 = 0; arg2 <= NUMOFCHECKS; arg2++) { for(arg3 = 0; arg3 <= NUMOFCHECKS; arg3++) { for(arg4 = 0; arg4 <= NUMOFCHECKS; arg4++) { checks[0] = (int*)ammo_buffer+givelen(sizeof(ammo_buffer)-1024); checks[1] = (int*)ammo_buffer+givelen(sizeof(ammo_buffer)-1024); checks[18] = (int*)ammo_buffer+givelen(sizeof(ammo_buffer)-1024); checks[19] = (int*)ammo_buffer+givelen(sizeof(ammo_buffer)-1024); for(arg5 = 0; arg5 <= NUMOFCHECKS; arg5++) { errno = 0; build_ammo(ammo_buffer, sizeof(ammo_buffer)); ret = syscall(call,checks[arg1],checks[arg2],checks[arg3],checks[arg4],checks[arg5]); if(ret == -1 && errno == ENOSYS) { fprintf(stdout, "[!] syscall[%d] not implemented, skipping\n", call); return -1; } } } } } } for(cntr = 0; cntr < CHAOS_RUNS; cntr++) { sead(); ret = syscall(call, givelen(0xffffffff), givelen(0xffffffff), givelen(0xffffffff), givelen(0xffffffff), givelen(0xffffffff), givelen(0xffffffff)); if(ret > -1) fprintf(stdout, " |- syscall[%d] ret: %p\n", call, (void*)ret); } OUT: return 0; } /*****************\ |** usage **| \*****************/ void usage(char *path) { printf(" usage: %s \t-- will start fuzzing syscalls at call 1 and go on ..\n", path); printf(" -s -- will track the state of your session and restore it on restart\n"); printf(" -c # -- will start fuzzing a that syscall number \n"); printf(" -d -c # -- will directly fuzz only that syscall num \n"); printf(" -d -c # -n -- never stop fuzzing that syscall number \n"); printf(" -i -- will fuzz ioctls \n"); printf(" -i -d -c # -- will fuzz ioctls starting directly at fd # \n"); printf(" -i -d -c # -n -- never stop fuzzing that ioctl \n"); printf(" -i -f ./file -- open a fd of that file and fuzz it \n"); exit(0); } /*********************************\ |** SEED IT **| \*********************************/ void sead() { struct timeval tv; struct timezone tz; gettimeofday(&tv, &tz); srand((tv.tv_usec + tv.tv_sec)); return; } /**************\ |* GIVELEN *| \**************/ unsigned int givelen(unsigned int max) { sead(); return(rand() % max); } /**************\ |* BUILD AMMO *| \**************/ void build_ammo(char *buf, size_t len) { size_t cntr; char *ptr = buf; sead(); for(cntr = 0; cntr < len; cntr++) *(ptr++) = rand() % 0xff; } /****************\ |* dev_cnt *| \****************/ unsigned int dev_cnt() { DIR *dirp; struct dirent *dp; unsigned int devices = 0; dirp = opendir("/dev"); while ((dp = readdir(dirp)) != NULL) devices++; closedir(dirp); return devices; } /*****************\ |* prepare_ioctl *| \*****************/ void prepare_ioctl(int start) { unsigned int protos = 134+2;//protocol count from /etc/protocols unsigned int devices, fd_array_len, offset = 0; int *fd_array, prot_cntr, dom_cntr, typ_cntr, dev_cntr, fd; DIR *dirp; struct dirent *dp; if(file != NULL) { if((fd = open(file ,O_RDWR)) == -1) fd = open(file ,O_RDONLY); if(fd != -1) do_ioctl(fd); else fprintf(stderr, "[!] could not open %s\n", file); exit(0); } printf("[*] preparing fds..\n"); devices = dev_cnt(); fd_array_len = protos * (sizeof(domains)+sizeof(types))/sizeof(int) * devices; fd_array_len += 2; // file+tty if( !(fd_array = (int *)malloc( fd_array_len ) )) { fprintf(stderr, "[!] no memory\n"); exit(-1); } memset(fd_array, 0x0, fd_array_len); //open a list of fd's: socket(tcp/udp/...) for(dom_cntr = 0; dom_cntr < (sizeof(domains)/sizeof(int)); dom_cntr++) { for(typ_cntr = 0; typ_cntr < (sizeof(types)/sizeof(int)); typ_cntr++) { for(prot_cntr = 0;prot_cntr < protos; prot_cntr++) {// some are "-1" .. who cares we'll skip them fd = socket(domains[dom_cntr], types[typ_cntr], prot_cntr); if(fd != -1) fd_array[offset++] = fd; } } } chdir("/dev/"); if( (dirp = opendir("/dev")) ) { for(dev_cntr = dom_cntr+typ_cntr+prot_cntr; dev_cntr < dom_cntr+typ_cntr+prot_cntr+devices; dev_cntr++) { if((dp = readdir(dirp)) != NULL) { if((fd = open(dp->d_name ,O_RDWR)) == -1) fd = open(dp->d_name ,O_RDONLY); if(fd != -1) fd_array[offset++] = fd; } } closedir(dirp); } chdir("/tmp"); if( !openpty(&fd_array[offset], &fd_array[offset+1], NULL, NULL, NULL) ) offset += 2; unlink(TMPFILE); fd_array[offset] = open(TMPFILE, O_RDWR|O_CREAT, 0644); // ok opened all fds here for(fd = 0,offset = 0; offset < fd_array_len/4; offset++) if(fd_array[offset] != -1 && fd_array[offset] != 0) fd++; fprintf(stdout, "[*] got %d fds to fuzz\n", fd); //then perform ioctls on them for(fd = start,offset = start; offset < fd_array_len/4; offset++) if(fd_array[offset] != -1 && fd_array[offset] != 0) { fprintf(stdout, "[*] doing fd %d\n", fd++); if(neverend == 1) while(1) do_ioctl(fd_array[offset]); else { if(trackstate) { char status[256]; memset(status, 0x0, sizeof(status)); sprintf(status, "ioctl %d\n", offset); put_file(statefile, status, strlen(status)); } do_ioctl(fd_array[offset]); } } } /****************\ |* do_ioctl *| \****************/ void do_ioctl(int fd) { int *checks[IOCTLCHECKS], rcntr, ccntr; if(neverend == 0) { checks[0] = (int*)ammo_buffer;//points to fuzz buffer checks[1] = (int*)ammo_buffer;//points to fuzz buffer checks[2] = invalid; checks[3] = negative; checks[4] = (int *)-4; checks[5] = (int *)1; checks[6] = (int *)2; checks[7] = (int *)3; checks[8] = (int *)4; checks[9] = (int *)5; checks[10]= (int *)6; checks[11]= (int *)0x80000000; checks[12]= (int *)0xfffffff1; checks[13]= (int *)0x8000; checks[14]= (int *)0x7fffffff; checks[15]= (int *)0x7fff; checks[16]= (int *)0xffffffff; checks[17]= (int *)-1337; checks[18] = (int*)ammo_buffer;//points to fuzz buffer checks[19] = (int*)ammo_buffer;//points to fuzz buffer checks[20] = 0; } else { checks[0] = (int*)ammo_buffer+givelen(sizeof(ammo_buffer)-1024); checks[1] = (int*)ammo_buffer+givelen(sizeof(ammo_buffer)-1024); checks[2] = (int*)ammo_buffer+givelen(sizeof(ammo_buffer)-1024); checks[3] = (int*)ammo_buffer+givelen(sizeof(ammo_buffer)-1024); checks[4] = (int*)ammo_buffer+givelen(sizeof(ammo_buffer)-1024); checks[5] = (int*)ammo_buffer+givelen(sizeof(ammo_buffer)-1024); checks[6] = (int*)ammo_buffer+givelen(sizeof(ammo_buffer)-1024); checks[7] = (int*)ammo_buffer+givelen(sizeof(ammo_buffer)-1024); checks[8] = (int*)ammo_buffer+givelen(sizeof(ammo_buffer)-1024); checks[9] = (int*)ammo_buffer+givelen(sizeof(ammo_buffer)-1024); checks[10] = (int*)ammo_buffer+givelen(sizeof(ammo_buffer)-1024); checks[11] = (int*)ammo_buffer+givelen(sizeof(ammo_buffer)-1024); checks[12] = (int*)ammo_buffer+givelen(sizeof(ammo_buffer)-1024); checks[13] = (int*)ammo_buffer+givelen(sizeof(ammo_buffer)-1024); checks[14] = (int*)ammo_buffer+givelen(sizeof(ammo_buffer)-1024); checks[15] = (int*)ammo_buffer+givelen(sizeof(ammo_buffer)-1024); checks[16] = (int*)ammo_buffer+givelen(sizeof(ammo_buffer)-1024); checks[17] = (int*)ammo_buffer+givelen(sizeof(ammo_buffer)-1024); } checks[0] = (int*)ammo_buffer+givelen(sizeof(ammo_buffer)-1024); checks[1] = (int*)ammo_buffer+givelen(sizeof(ammo_buffer)-1024); checks[18] = (int*)ammo_buffer+givelen(sizeof(ammo_buffer)-1024); checks[19] = (int*)ammo_buffer+givelen(sizeof(ammo_buffer)-1024); build_ammo(ammo_buffer, sizeof(ammo_buffer)); for(ccntr = 0; ccntr < IOCTLCHECKS; ccntr++) { int re; /* ioctl requests are in the range 000c???? < linux 200c???? 400c???? 800c???? c00c???? i didn't want to copy paste them so generate them. the downside of lazyness is MANY false positives to process :/ */ for(re = 0x00000000; re < 0x000cffff;re++) //changed them from cffff to fffff ioctl(fd, re, checks[ccntr]); for(re = 0x20000000; re < 0x200cffff;re++) ioctl(fd, re, checks[ccntr]); for(re = 0x40000000; re < 0x400cffff;re++) ioctl(fd, re, checks[ccntr]); for(re = 0x80000000; re < 0x800cffff;re++) ioctl(fd, re, checks[ccntr]); for(re = 0xc0000000; re < 0xc00cffff;re++) ioctl(fd, re, checks[ccntr]); } // why not for(ccntr = 0; ccntr < CHAOS_RUNS*3; ccntr++) ioctl(fd, givelen(0xffffffff), givelen(0xffffffff)); }