
Coldsnap - Python Snapshot Fuzzer Example

Welcome to coldsnap! This example was inspired by @gamozolabs' love for snapshot fuzzing and is based on @h0mbre_'s blog post Fuzzing Like A Caveman 4.

Introduction

coldsnap.py is a Python snapshot fuzzer example built on ptrace. The purpose of this example is to test the performance of snapshot fuzzing written entirely in Python and to provide an educational example of a snapshot fuzzer. Coldsnap uses ptrace to control the target's program state: it saves and restores that state and guides the fuzzer through breakpoints applied with ptrace. This example is not meant to be a production-ready fuzzer. Instead, it should be used as educational material on how to put together a simple snapshot-based fuzzer with coverage guidance in Python.

Overview

This fuzzer forks "target" as a child process with ptrace attached as a debugger. It leverages nm, objdump and /proc/<pid>/maps to locate the .text section of "target", derive all necessary breakpoint positions in memory, locate the start and stop snapshot points, and control the saving/loading of target memory. I made an effort to comment as much as I could, so the Python should serve as good documentation on how to build a snapshot-based fuzzer (@h0mbre_'s blog post Fuzzing Like A Caveman 4 is also good supplemental material). When the fuzzer first executes, it applies as many breakpoints as possible; it then continues execution to the start point, deleting all breakpoints along the way. It then saves program state at the start point and starts the fuzzing operation. The fuzzing loop creates a fuzzing payload, writes the payload into target memory and continues execution until it hits the end point. At the end point the fuzzer reloads the program state back to the start point and creates a new mutation to test. For every test case that hits a new breakpoint, the fuzzer captures the mutation into its corpus pool, removes the breakpoint and continues execution. The mutation in this example is extremely trivial: it is just a byte flip of 2 random payload bytes, which is good enough to find the crashes. The target example contains 2 unique crashes.
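The breakpoint and corpus bookkeeping described above, as an added example that is not coldsnap's own code: breakpoint addresses are derived from a constructed objdump excerpt and a constructed /proc/<pid>/maps line (the choice of function entries and jump/call targets as breakpoint sites, the int3 patch/restore on a dict standing in for target memory, and the reading of "byte flip" as changing 2 random bytes are all this example's assumptions).

```python
import random
import re

# Constructed objdump -d excerpt and /proc/<pid>/maps line (hypothetical values, not from coldsnap)
OBJDUMP = """\
0000000000001149 <parse>:
    1149:\t55                   \tpush   %rbp
    1160:\t74 05                \tje     1167 <parse+0x1e>
0000000000001170 <main>:
    1170:\te8 d4 ff ff ff       \tcall   1149 <parse>
"""
MAPS_LINE = "555555554000-555555556000 r-xp 00000000 08:01 1 /tmp/target"
INT3 = 0xCC  # x86 single-byte software breakpoint opcode

def derive_breakpoints(objdump, maps_line):
    """Function entries and jump/call targets, rebased: base = mapping start - file offset."""
    fields = maps_line.split()
    base = int(fields[0].split("-")[0], 16) - int(fields[2], 16)
    targets = set()
    for line in objdump.splitlines():
        sym = re.match(r"^([0-9a-f]+) <", line)
        if sym:
            targets.add(int(sym.group(1), 16))
        branch = re.search(r"\t(?:j[a-z]+|call)\s+([0-9a-f]+) <", line)
        if branch:
            targets.add(int(branch.group(1), 16))
    return sorted(base + off for off in targets)

def plant(mem, addr, saved):
    """Patch int3 over the first byte at addr, keeping the original byte."""
    saved[addr] = mem[addr]
    mem[addr] = INT3

def restore(mem, addr, saved):
    """Put the original byte back so the block no longer traps."""
    mem[addr] = saved.pop(addr)

def mutate(payload, seed=None):
    """Trivial mutator as described on the page: change 2 random payload bytes."""
    rng = random.Random(seed)
    data = bytearray(payload)
    for i in rng.sample(range(len(data)), 2):
        data[i] ^= rng.randrange(1, 256)  # non-zero xor guarantees the byte changes
    return bytes(data)

def on_breakpoint(mem, addr, saved, payload, corpus):
    """New coverage: keep the payload and remove the breakpoint so it fires only once."""
    corpus.append(bytes(payload))
    restore(mem, addr, saved)
    return len(corpus)
```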

Performance

10,000 - 20,000 fuzz cases per second, depending on your CPU. The fuzzer should find the 2 unique crashes within 10-60 seconds of fuzz time.

The goal of snapshot fuzzing is performance and determinism. While snapshot fuzzing does improve performance by quite an amount, this example is written in Python, so implementations in C or Rust should perform better.

How to install and run (Ubuntu)

Install

  1. clone this repo and change directory into it
  2. sudo apt update
  3. sudo apt install python3 python3-pip build-essential
  4. sudo pip3 install python-ptrace

Run

  1. make
