dumb fuzzer
import sys
import os
import shutil
from resource import setrlimit, RLIMIT_CORE, RLIM_INFINITY
from multiprocessing import Pool
from subprocess import Popen
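# Usage: python fuzzer.py <command> [args...] <seedfile>
# The last argument is the seed file; everything before it is the command
# line the mutated file name is appended to.  Without the check, running with
# too few arguments would pop the script name itself and fuzz it.
if len(sys.argv) < 3:
    sys.exit("usage: %s <command> [args...] <seedfile>" % sys.argv[0])
fpath = sys.argv.pop()
args = sys.argv[1:]
# Cap on the number of byte offsets mutated (one trial per offset).
limit_offset = 0x1000
with open(fpath, 'rb') as f:
    data = bytearray(f.read())
# Unlimited core dumps so a target that dies from a signal leaves a core
# file that can be triaged next to the input that produced it.
setrlimit(RLIMIT_CORE, (RLIM_INFINITY, RLIM_INFINITY))
# Shared sink for the target's stdin/stdout/stderr; closed after the run.
devnull = open('/dev/null', 'w')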
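def fuzz(i):
    """Run one trial: set byte *i* of the seed to 0xff and run the target on it.

    Each trial gets its own directory ``fuzz_<i in hex>`` that the target runs
    in, so a core dump (if the system writes cores to the process cwd) ends up
    next to the input that produced it.  The directory is kept when the target
    dies from a signal and removed otherwise.

    Args:
        i: byte offset to mutate; also the trial number printed in the log.

    Reads the module globals ``data``, ``args``, ``trial`` and ``devnull``.
    Raises OSError from os.mkdir if the trial directory already exists (e.g.
    a crash directory kept by a previous run) rather than overwriting it.
    """
    print("0x%x/0x%x" % (i, trial - 1))
    dirname = "fuzz_%x" % i
    testfile = 'fuzzdata'
    os.mkdir(dirname)
    mutated = data[:]
    mutated[i] = 0xff
    with open(os.path.join(dirname, testfile), 'wb') as f:
        f.write(mutated)
    # cwd=dirname runs the target inside the trial directory without chdir()-ing
    # the pool worker itself: an exception here can no longer leave the worker
    # stranded inside dirname, where the next trial would nest its directory.
    p = Popen(args + [testfile], cwd=dirname,
              stdin=devnull, stdout=devnull, stderr=devnull)
    ret = p.wait()
    if ret < 0:
        # A negative return code means the child was killed by signal -ret.
        print("0x%x: crashed by signal %d" % (i, -ret))
    else:
        shutil.rmtree(dirname)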
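# One trial per byte offset, capped at limit_offset; fuzz() reads `trial`
# for its progress line.
trial = min(len(data), limit_offset)
p = Pool(4)
try:
    p.map(fuzz, xrange(trial))
finally:
    # Shut the pool down and reap the workers even if a trial raised, then
    # release the shared /dev/null handle.
    p.close()
    p.join()
    devnull.close()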
$ python fuzzer.py objdump -x /bin/sh
0x0/0xfff
0x100/0xfff
0x200/0xfff
0x300/0xfff
0x201/0xfff
0x301/0xfff
0x202/0xfff
0x1/0xfff
(snip)
0xefa/0xfff
0xffe/0xfff
0xefb/0xfff
0xfff/0xfff
0xefc/0xfff
0xefd/0xfff
0xefe/0xfff
0xeff/0xfff