1#!/usr/bin/python
2# Python3
3
4import socket
5import sys
6import time
7import random
8
9
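class HonggfuzzSocket:
    """Client for the unix-domain control socket of honggfuzz's socketfuzzer mode.

    The path is dictated by honggfuzz: ``/tmp/honggfuzz_socket`` or, when a
    pid is given, ``/tmp/honggfuzz_socket.<pid>``.  NOTE(review): it lives in
    the shared ``/tmp``, so this client trusts whoever owns that path.
    Messages in both directions are fixed 4-byte strings (``recv`` returns
    e.g. "Fuzz"/"New!"/"Cras", ``send`` is used for "okay"/"bad!").
    """

    SOCKET_PATH = "/tmp/honggfuzz_socket"
    MSG_LEN = 4  # every honggfuzz control message is exactly 4 bytes

    def __init__(self, pid):
        """Remember the honggfuzz pid (or None); nothing is opened yet."""
        self.sock = None
        self.pid = pid

    def socketPath(self):
        """Return the unix socket path for this pid (no suffix when pid is None)."""
        server_address = self.SOCKET_PATH
        if self.pid is not None:
            server_address += "." + str(self.pid)
        return server_address

    def connect(self):
        """Connect to honggfuzz; on failure report the error and exit with status 1."""
        server_address = self.socketPath()
        print('connecting to %s' % server_address)

        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        try:
            self.sock.connect(server_address)
        except socket.error as msg:
            # do not leave a dangling, unconnected socket behind
            self.sock.close()
            self.sock = None
            print("Error connecting to honggfuzz socket: " + str(msg))
            sys.exit(1)

    def send(self, data):
        """Send the str ``data`` (normally a 4-byte reply) in full."""
        self.sock.sendall(str.encode(data))

    def recv(self):
        """Read one 4-byte message from honggfuzz and return it as str.

        Reads until MSG_LEN bytes have arrived so a short read cannot surface
        a truncated message such as "Fu".  Returns "" when honggfuzz closed
        the connection before sending anything (whatever arrived otherwise).
        """
        buf = b""
        while len(buf) < self.MSG_LEN:
            chunk = self.sock.recv(self.MSG_LEN - len(buf))
            if not chunk:  # EOF: peer closed the socket
                break
            buf += chunk
        return buf.decode()

    def disconnect(self):
        """Close the connection; safe to call when not (or no longer) connected."""
        if self.sock is not None:
            self.sock.close()
            self.sock = None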
41
42
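class TargetSocket:
    """TCP client for the fuzzed target server on the loopback interface.

    The target is expected to listen on ``host``:``targetPort``
    (``localhost:5001`` by default).  ``sendFuzz`` maps a small test-case
    number to a fixed payload and delivers it with ``sendToSocket``.
    """

    CONNECT_RETRIES = 10  # connect attempts made by sendToSocket
    RETRY_DELAY = 0.1     # seconds between two attempts

    # test-case number -> payload; 6 and 7 are the oversized inputs the
    # target is meant to crash on
    FUZZ_PAYLOADS = {
        1: "AAAAAA",
        2: "BBBBBB",
        3: "CCCCCC",
        4: "DDDDDD",
        5: "EEEEEE",
        6: "B" * 128,  # stack buffer overflow
        7: "C" * 128,  # heap buffer overflow
    }

    def __init__(self, targetPort=5001, host='localhost'):
        """Remember where the target listens; nothing is opened yet.

        ``targetPort`` used to be read by testServerConnectionTcp without
        ever being set, and sendToSocket hard-coded 5001; both now use
        these attributes.
        """
        self.sock = None
        self.host = host
        self.targetPort = targetPort

    def testServerConnectionTcp(self):
        """Return True when a TCP connection to the target can be opened."""
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            sock.connect((self.host, self.targetPort))
        except socket.error:
            return False
        finally:
            sock.close()
        return True

    def _connectWithRetry(self):
        """Return a connected socket, or None after CONNECT_RETRIES failures.

        A fresh socket is created for every attempt: reusing one after a
        failed connect() is not portable.
        """
        for _attempt in range(self.CONNECT_RETRIES):
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.settimeout(1)
            try:
                s.connect((self.host, self.targetPort))
                return s
            except socket.error:
                s.close()
                time.sleep(self.RETRY_DELAY)
        return None

    def sendToSocket(self, data):
        """Connect to the target and send the str ``data``.

        Returns False when no connection could be made within
        CONNECT_RETRIES attempts.  A failure while sending is only reported
        on stdout; the result is still True, as before (the caller uses the
        value to tell honggfuzz whether the server is still up).
        """
        s = self._connectWithRetry()
        if s is None:
            return False
        try:
            s.sendall(str.encode(data))
        except Exception as e:
            print("B: " + str(e))
        finally:
            s.close()
        return True

    def sendFuzz(self, n):
        """Send test case ``n`` (see FUZZ_PAYLOADS); an unknown ``n`` sends "".

        Returns the result of sendToSocket.
        """
        data = self.FUZZ_PAYLOADS.get(n, "")
        return self.sendToSocket(data)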
113
114
115
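def sendResp(targetSocketRes, hfSocket):
    """Tell honggfuzz whether the last payload could be delivered.

    Sends "bad!" (target unreachable) when ``targetSocketRes`` is falsy,
    "okay" otherwise.  ``hfSocket`` only needs a ``send(str)`` method.
    """
    if not targetSocketRes:
        print("  ! Server down. Send: bad!")
        hfSocket.send("bad!")
    else:
        hfSocket.send("okay")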
122
123
124
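def _expectReply(hfSocket, *accepted):
    """Read one message from honggfuzz and check it is one of ``accepted``.

    Prints the "  ok: "/"  nok: " log line and returns True on a match.
    """
    ret = hfSocket.recv()
    if ret in accepted:
        print("  ok: " + ret)
        return True
    print("  nok: " + ret)
    return False


def auto(pid):
    """Run the scripted self-test against honggfuzz in socketfuzzer mode.

    Every step sends one test case to the target, reports delivery to
    honggfuzz via sendResp and then checks the reply sequence.  The first
    unexpected reply aborts the run.
    """
    print("Auto")

    hfSocket = HonggfuzzSocket(pid)
    targetSocket = TargetSocket()

    hfSocket.connect()

    print("")
    print("Test: 0 - initial")
    if not _expectReply(hfSocket, "Fuzz"):
        return

    # (title, test-case number, replies expected from honggfuzz, in order;
    # each entry lists the accepted strings for that reply)
    steps = [
        ("Test: 1 - first new BB", 1, [("New!", "Fuzz"), ("Fuzz",)]),
        ("Test: 2 - second new BB", 2, [("New!",), ("Fuzz",)]),
        ("Test: 3 - repeat second msg, no new BB", 2, [("Fuzz",)]),
        ("Test: 4 - crash stack", 6, [("Cras",), ("Fuzz",)]),
        ("Test: 5 - resend second, no new BB", 2, [("Fuzz",)]),
        ("Test: 6 - send three, new BB", 3, [("New!",), ("Fuzz",)]),
        ("Test: 7 - send four, new BB", 4, [("New!",), ("Fuzz",)]),
        ("Test: 8 - send four again, no new BB", 4, [("Fuzz",)]),
    ]
    for title, case, expected in steps:
        print("")
        print(title)
        # the delivery result (not a stale reply string) decides okay/bad!
        delivered = targetSocket.sendFuzz(case)
        sendResp(delivered, hfSocket)
        for accepted in expected:
            if not _expectReply(hfSocket, *accepted):
                return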
265
266
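def _askCaseNumber(read_line):
    """Prompt until the user types an integer test-case number and return it."""
    while True:
        raw = read_line("--[ Send Msg #: ")
        try:
            return int(raw)
        except ValueError:
            print("Not a number: " + str(raw))


def interactive(pid):
    """Drive honggfuzz by hand: on every "Fuzz" prompt ask which test case to send.

    Replies "okay"/"bad!" depending on whether the target accepted the
    payload, and stops when honggfuzz closes the control socket.
    """
    # Python 2's input() eval()s the typed text; raw_input() returns it as-is.
    try:
        read_line = raw_input  # noqa: F821 - only exists on Python 2
    except NameError:
        read_line = input

    hfSocket = HonggfuzzSocket(pid)
    targetSocket = TargetSocket()

    hfSocket.connect()

    while True:
        try:
            recv = hfSocket.recv()

            if recv == "Fuzz":
                # honggfuzz waits for our reply, so insist on a usable number
                i = _askCaseNumber(read_line)
                print("Send to target: " + str(i))
                if not targetSocket.sendFuzz(i):
                    print("Server down. Send: bad!")
                    hfSocket.send("bad!")
                else:
                    hfSocket.send("okay")

            elif recv == "New!":
                print("--[ R Adding file to corpus...")
                # add the data you sent to the target to your input
                # corpus, as it reached new basic blocks

            elif recv == "Cras":
                print("--[ R Target crashed")
                # target crashed, store the things you sent to the target

            elif recv == "":
                print("Hongfuzz quit, exiting too\n")
                break

            else:
                print("--[ Unknown: " + str(recv))

        except socket.error as e:
            # the control socket is unusable; retrying would loop forever
            print("Exception: " + str(e))
            break
        except Exception as e:
            print("Exception: " + str(e))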
307
308
309
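def main():
    """Parse ``[auto|interactive] <pid>`` from argv and run the chosen mode.

    The pid is optional (the honggfuzz socket then has no suffix); the
    usage line is printed when it is omitted, as before.
    """
    usage = "honggfuzz_socketclient.py [auto/interactive] <pid>"
    mode = None
    pid = None

    if len(sys.argv) >= 2 and sys.argv[1] in ("auto", "interactive"):
        mode = sys.argv[1]

    if mode is None:
        print(usage)
        return

    if len(sys.argv) >= 3:
        try:
            pid = int(sys.argv[2])
        except ValueError:
            print(usage)
            sys.exit(1)
    else:
        print(usage)

    # string comparison by value: `is` on a literal is an identity test
    if mode == "auto":
        auto(pid)
    elif mode == "interactive":
        interactive(pid)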
329
330
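# only run when executed as a script, not when imported (e.g. by a test)
if __name__ == "__main__":
    main()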
332