1#!/usr/bin/python 2 3# Simple fuzzing tool by disassembling random code. By Nguyen Anh Quynh, 2014 4# Syntax: 5# ./suite/fuzz.py --> Fuzz all archs 6# ./suite/fuzz.py x86 --> Fuzz all X86 (all 16bit, 32bit, 64bit) 7# ./suite/fuzz.py x86-16 --> Fuzz X86-32 arch only 8# ./suite/fuzz.py x86-32 --> Fuzz X86-32 arch only 9# ./suite/fuzz.py x86-64 --> Fuzz X86-64 arch only 10# ./suite/fuzz.py arm --> Fuzz all ARM (arm, thumb) 11# ./suite/fuzz.py aarch64 --> Fuzz ARM-64 12# ./suite/fuzz.py mips --> Fuzz all Mips (32bit, 64bit) 13# ./suite/fuzz.py ppc --> Fuzz PPC 14 15from capstone import * 16 17from time import time 18from random import randint 19import sys 20 21 22# file providing code to disassemble 23FILE = '/usr/bin/python' 24 25TIMES = 64 26INTERVALS = (4, 5, 7, 9, 11, 13) 27 28all_tests = ( 29 (CS_ARCH_X86, CS_MODE_16, "X86-16bit (Intel syntax)", 0), 30 (CS_ARCH_X86, CS_MODE_16, "X86-16bit (ATT syntax)", CS_OPT_SYNTAX_ATT), 31 (CS_ARCH_X86, CS_MODE_32, "X86-32 (Intel syntax)", 0), 32 (CS_ARCH_X86, CS_MODE_32, "X86-32 (ATT syntax)", CS_OPT_SYNTAX_ATT), 33 (CS_ARCH_X86, CS_MODE_64, "X86-64 (Intel syntax)", 0), 34 (CS_ARCH_X86, CS_MODE_64, "X86-64 (ATT syntax)", CS_OPT_SYNTAX_ATT), 35 (CS_ARCH_ARM, CS_MODE_ARM, "ARM", 0), 36 (CS_ARCH_ARM, CS_MODE_THUMB, "THUMB (ARM)", 0), 37 (CS_ARCH_MIPS, CS_MODE_MIPS32 + CS_MODE_BIG_ENDIAN, "MIPS-32 (Big-endian)", 0), 38 (CS_ARCH_MIPS, CS_MODE_MIPS64 + CS_MODE_LITTLE_ENDIAN, "MIPS-64-EL (Little-endian)", 0), 39 (CS_ARCH_ARM64, CS_MODE_ARM, "ARM-64 (AArch64)", 0), 40 (CS_ARCH_PPC, CS_MODE_BIG_ENDIAN, "PPC", 0), 41 (CS_ARCH_PPC, CS_MODE_BIG_ENDIAN, "PPC, print register with number only", CS_OPT_SYNTAX_NOREGNAME), 42 (CS_ARCH_SPARC, CS_MODE_BIG_ENDIAN, "Sparc", 0), 43 (CS_ARCH_SYSZ, 0, "SystemZ", 0), 44 (CS_ARCH_XCORE, 0, "XCore", 0), 45 ) 46 47 48# for debugging 49def to_hex(s): 50 return " ".join("0x" + "{0:x}".format(ord(c)).zfill(2) for c in s) # <-- Python 3 is OK 51 52 53# read @size bytes from @f & return data. 54# return None when there is not enough data 55def get_code(f, size): 56 code = f.read(size) 57 if len(code) != size: # reached end-of-file? 58 # then reset file position to begin-of-file 59 f.seek(0) 60 return None 61 62 return code 63 64 65def cs(md, code): 66 insns = md.disasm(code, 0) 67 for i in insns: 68 if i.address == 0x100000: 69 print i 70 71 72def cs_lite(md, code): 73 insns = md.disasm_lite(code, 0) 74 for (addr, size, mnem, ops) in insns: 75 if addr == 0x100000: 76 print i 77 78 79cfile = open(FILE) 80 81for (arch, mode, comment, syntax) in all_tests: 82 try: 83 request = sys.argv[1] 84 if not request in comment.lower(): 85 continue 86 except: 87 pass 88 89 try: 90 md = Cs(arch, mode) 91 md.detail = True 92 93 if syntax != 0: 94 md.syntax = syntax 95 96 # test disasm() 97 print("\nFuzzing disasm() @platform: %s" %comment) 98 for ii in INTERVALS: 99 print("Interval: %u" %ii) 100 for j in xrange(1, TIMES): 101 while (True): 102 code = get_code(cfile, j * ii) 103 if code is None: 104 # EOF? break 105 break 106 #print to_hex(code) 107 cs(md, code) 108 109 # test disasm_lite() 110 print("Fuzzing disasm_lite() @platform: %s" %comment) 111 for ii in INTERVALS: 112 print("Interval: %u" %ii) 113 for j in xrange(1, TIMES): 114 while (True): 115 code = get_code(cfile, j * ii) 116 if code is None: 117 # EOF? break 118 break 119 #print to_hex(code) 120 cs_lite(md, code) 121 122 except CsError as e: 123 print("ERROR: %s" %e) 124