droogie · December 11, 2019 17:57
diff --git a/binder-fuzzer.cpp b/binder-fuzzer.cpp
 #include <stdlib.h>

 #include <utils/RefBase.h>
 #include <utils/Log.h>
 #include <binder/TextOutput.h>

 #include <binder/IInterface.h>
 #include <binder/IBinder.h>
 #include <binder/ProcessState.h>
 #include <binder/IServiceManager.h>
 #include <binder/IPCThreadState.h>

 #include <stdio.h>
 #include <fcntl.h>


 using namespace android;

 void DumpHex(const void* data, size_t size) {
 	char ascii[17];
 	size_t i, j;
 	ascii[16] = '\0';
 	for (i = 0; i < size; ++i) {
 		printf("%02X ", ((unsigned char*)data)[i]);
 		
 		if (((unsigned char*)data)[i] >= ' ' && ((unsigned char*)data)[i] <= '~') {
 			ascii[i % 16] = ((unsigned char*)data)[i];
 		} else {
 			ascii[i % 16] = '.';
 		}
 		if ((i+1) % 8 == 0 || i+1 == size) {
 			printf(" ");
 			if ((i+1) % 16 == 0) {
 				printf("|  %s \n", ascii);
 			} else if (i+1 == size) {
 				ascii[(i+1) % 16] = '\0';
 				if ((i+1) % 16 <= 8) {
 					printf(" ");
 				}
 				for (j = (i+1) % 16; j < 16; ++j) {
 					printf("   ");
 				}
 				printf("|  %s \n", ascii);
 			}
 		}
 		
 	}
 	//printf("\n");
 }

 static String16 get_interface_name(sp<IBinder> service)
 {
    if (service != NULL) {
        Parcel data, reply;
        status_t err = service->transact(IBinder::INTERFACE_TRANSACTION, data, &reply);
        if (err == NO_ERROR) {
            return reply.readString16();
        }
    }
    return String16();
 }

 int main() {

 	int binder_code[6] = {IBinder::DUMP_TRANSACTION, IBinder::FIRST_CALL_TRANSACTION, IBinder::FLAG_ONEWAY, IBinder::INTERFACE_TRANSACTION, IBinder::LAST_CALL_TRANSACTION, IBinder::PING_TRANSACTION};
 	sp<IServiceManager> sm = defaultServiceManager();
 	Vector<String16> services = sm->listServices();
 	
 	int fd = open("/dev/urandom", O_RDONLY);
 	if (fd < 0) {
 		printf("fd error\n");
 		exit(0);
 	}
 	
 	while (true) {
 		for (uint32_t i = 0; i < services.size(); i++) {
 			String16 name = services[i];
 			sp<IBinder> service = sm->checkService(name);
 			if (service != NULL) {
 				String16 ifName = get_interface_name(service);
 				//aout << "Name: " << name << " - ifName: " << ifName << endl
 				if (ifName == (String16)"X.X.NAME.X.X") {
 					for (int i=0; i < 256; i++) {
 						Parcel data, reply;
 						if (ifName.size() > 0) {
 							data.writeInterfaceToken(ifName);
 						
 							//for (uint32_t i=0; i < random()%1024; i++) {
 							//	data.writeInt32(random());
 							//}
 						
 							char fuzzbuffer[1000];
 							read(fd, fuzzbuffer, sizeof(fuzzbuffer));
 							int len = (random() % 1000) + 1;

 							data.write(fuzzbuffer, len);
 						
 							aout << "Transaction to " << name << endl;
 							DumpHex(data.data(), (int)data.dataSize());
 							//service->transact(binder_code[random()%8], data, &reply, 1);
 							service->transact(1, data, &reply, 1);
 							if(reply.dataSize() != 0) {
 								DumpHex(reply.data(), (int)reply.dataSize());
 							}
 						}
 					}
 				}
 			}
 		}
 	}
 	
 	return 0;
 }
	#include <stdlib.h>

	#include <utils/RefBase.h>
	#include <utils/Log.h>
	#include <binder/TextOutput.h>

	#include <binder/IInterface.h>
	#include <binder/IBinder.h>
	#include <binder/ProcessState.h>
	#include <binder/IServiceManager.h>
	#include <binder/IPCThreadState.h>

	#include <stdio.h>
	#include <fcntl.h>


	using namespace android;

	void DumpHex(const void* data, size_t size) {
	char ascii[17];
	size_t i, j;
	ascii[16] = '\0';
	for (i = 0; i < size; ++i) {
	printf("%02X ", ((unsigned char*)data)[i]);

	if (((unsigned char)data)[i] >= ' ' && ((unsigned char)data)[i] <= '~') {
	ascii[i % 16] = ((unsigned char*)data)[i];
	} else {
	ascii[i % 16] = '.';
	}
	if ((i+1) % 8 == 0 \|\| i+1 == size) {
	printf(" ");
	if ((i+1) % 16 == 0) {
	printf("\| %s \n", ascii);
	} else if (i+1 == size) {
	ascii[(i+1) % 16] = '\0';
	if ((i+1) % 16 <= 8) {
	printf(" ");
	}
	for (j = (i+1) % 16; j < 16; ++j) {
	printf(" ");
	}
	printf("\| %s \n", ascii);
	}
	}

	}
	//printf("\n");
	}

	static String16 get_interface_name(sp<IBinder> service)
	{
	if (service != NULL) {
	Parcel data, reply;
	status_t err = service->transact(IBinder::INTERFACE_TRANSACTION, data, &reply);
	if (err == NO_ERROR) {
	return reply.readString16();
	}
	}
	return String16();
	}

	int main() {

	int binder_code[6] = {IBinder::DUMP_TRANSACTION, IBinder::FIRST_CALL_TRANSACTION, IBinder::FLAG_ONEWAY, IBinder::INTERFACE_TRANSACTION, IBinder::LAST_CALL_TRANSACTION, IBinder::PING_TRANSACTION};
	sp<IServiceManager> sm = defaultServiceManager();
	Vector<String16> services = sm->listServices();

	int fd = open("/dev/urandom", O_RDONLY);
	if (fd < 0) {
	printf("fd error\n");
	exit(0);
	}

	while (true) {
	for (uint32_t i = 0; i < services.size(); i++) {
	String16 name = services[i];
	sp<IBinder> service = sm->checkService(name);
	if (service != NULL) {
	String16 ifName = get_interface_name(service);
	//aout << "Name: " << name << " - ifName: " << ifName << endl
	if (ifName == (String16)"X.X.NAME.X.X") {
	for (int i=0; i < 256; i++) {
	Parcel data, reply;
	if (ifName.size() > 0) {
	data.writeInterfaceToken(ifName);

	//for (uint32_t i=0; i < random()%1024; i++) {
	// data.writeInt32(random());
	//}

	char fuzzbuffer[1000];
	read(fd, fuzzbuffer, sizeof(fuzzbuffer));
	int len = (random() % 1000) + 1;

	data.write(fuzzbuffer, len);

	aout << "Transaction to " << name << endl;
	DumpHex(data.data(), (int)data.dataSize());
	//service->transact(binder_code[random()%8], data, &reply, 1);
	service->transact(1, data, &reply, 1);
	if(reply.dataSize() != 0) {
	DumpHex(reply.data(), (int)reply.dataSize());
	}
	}
	}
	}
	}
	}
	}

	return 0;
	}