turborex 0.1.1

data/lib/turborex/cstruct/struct_helper.rb

@@ -0,0 +1,7 @@
+module TurboRex
+  module CStruct
+    module Helper
+
+    end
+  end
+end

data/lib/turborex/exception.rb

@@ -0,0 +1,65 @@
+module TurboRex
+  module Exception
+
+    module ALPC
+      include Exception
+
+      class BufferTooSmall < RuntimeError
+        def to_s
+          "The length of Buffer is too small."
+        end
+      end
+
+      class TooManyRetries < RuntimeError
+        def to_s
+          "Too many retries."
+        end
+      end
+
+      class UnknownPayloadType < RuntimeError
+        def to_s
+          "The payload type is invalid."
+        end
+      end
+
+      class ReplyMessageMismatch < RuntimeError
+        def to_s
+          "An attempt was made to reply to an LPC message, but the thread specified by the client ID in the message was not waiting on that message."
+        end
+      end
+
+      class UnableToAcceptConnection < RuntimeError
+
+      end
+    end
+
+    module MSRPC
+      class InvalidParamDescriptor < StandardError
+      end
+
+      class InvalidTypeFormatString < StandardError
+
+      end
+
+      class UnknownSymbolName < StandardError
+
+      end
+    end
+
+    class UnknownError < StandardError
+      def to_s
+        "An unknown error occurred."
+      end
+    end
+
+    class NotNTSuccess < StandardError
+      def initialize(ntstatus='')
+        @message = "The return value isn't one of NT_SUCCESS： #{ntstatus}"
+      end
+
+      def to_s
+        @message
+      end
+    end
+  end
+end

data/lib/turborex/fuzzer.rb

@@ -0,0 +1,204 @@
+require 'turborex/windows/com'
+require 'turborex/fuzzer/containers'
+require 'turborex/fuzzer/mutators'
+require 'turborex/fuzzer/coverage'
+require 'turborex/fuzzer/seed'
+
+module TurboRex
+  module Fuzzer
+    class InputBase
+
+    end
+
+    class FuzzerBase
+
+    end
+
+    class COMFuzzer < FuzzerBase
+      class Config
+        attr_reader :target
+
+        def new_target(&block)
+          @target = Docile.dsl_eval(TargetBuilder.new, &block).build
+        end
+
+        def build
+          self
+        end
+      end
+      
+      Target = Struct.new(:clsid, :interface, :method, :params, :context)
+      Parameter = Struct.new(:index, :container, :mutator, :fixed, :seed, :depends_on, :relationship)
+
+      class ParamBuilder
+        def initialize(index, args)
+          @args = args
+          @struct = Parameter.new
+          @struct.index = index
+        end
+
+        def container(c)
+          @struct.container = c
+        end
+
+        def seed(s, opts = {})
+
+          if s.is_a?(Array)
+          elsif s.is_a?(TurboRex::Fuzzer::Seed)
+            s = [s]
+          else
+            raise "Invalid seed type: #{s.class}"
+          end
+
+          @struct.seed = s
+
+          if opts[:depends_on] && opts[:relationship]
+            depends_arg = @args.find {|a| a.name == opts[:depends_on].to_s}
+            unless depends_arg
+              raise "No such parameter: #{opts[:depends_on]}"
+            end
+
+            @struct.depends_on = opts[:depends_on]
+            @struct.relationship = opts[:relationship]
+          end
+        end
+
+        def mutator(m)
+          @struct.mutator = m
+        end
+
+        def fixed(value)
+          @struct.fixed = value
+        end
+
+        def build
+          @struct
+        end
+      end
+
+      class TargetBuilder
+        def initialize
+          @params = []
+        end
+
+        def interface(iface)
+          @interface = iface
+        end
+
+        def clsid(clsid)
+          @clsid = clsid
+        end
+
+        def context(context)
+          @context = context
+        end
+
+        def method(name)
+          method = @interface.methods.find {|m| m.name == name.to_s}
+          raise "No such method #{name}" unless method
+
+          @method = method
+        end
+
+        def build
+          Target.new(@clsid, @interface, @method, @params, @context)
+        end
+
+        def method_missing(m, *args, &block)
+          if m.to_s.start_with?('param_')
+            name = m.to_s.split('param_')[-1]
+
+            index = @method.type.args.index {|a| a.name == name}
+            raise "No such parameter #{name}" unless index
+            arg = @method.type.args[index]
+            raise "The THIS pointer can't be specified." if index == 0
+            @params[index-1] = Docile.dsl_eval(ParamBuilder.new(index-1, @method.type.args), &block).build
+          else
+            super(m, *args, &block)
+          end
+        end
+      end
+
+      class Input < InputBase
+        def initialize(config)
+          configure = config.fuzzer_configure
+          target = configure.target
+          @clsid = target.clsid
+          @interface = target.interface
+          @method = target.method
+          @method_name = @method.name.to_sym
+
+          @client = TurboRex::Windows::COM::Client.new(@clsid)
+          @client.create_instance cls_context: target.context, interface: @interface
+        end
+
+        def feed(*args)
+          #raw_args = args.map {|a| a.buf}
+          #feed_raw(*raw_args)
+          @interface.send(@method_name, *args)
+        end
+
+        # def feed_raw(*args)
+        #   @interface.send(@method_name, *args)
+        # end
+      end
+
+      attr_reader :input
+      attr_reader :config
+
+      def initialize(config)
+        @config = config
+        @input = Input.new(config)
+        @growth_medium = []
+
+        params = config.fuzzer_configure.target.params
+        params.each do |p|
+          if p.fixed
+            p.container.fixed = p.fixed
+          end
+
+          TurboRex::Fuzzer::SeedGroup.new()
+          @growth_medium << p.container
+        end
+
+        params.map {|p| p.seed }
+      end
+
+      def generate
+        @growth_medium.map {|c| c.padding }
+      end
+
+    end
+
+    class Config
+      attr_reader :mechanism
+      attr_reader :fuzzer_configure
+
+      def mechanism=(m)
+        raise "Should be one of these values: 'rpc', 'com'" unless [:com, :rpc].include?(m.to_sym)
+        @mechanism = m
+      end
+
+      def configure(&block)
+        case mechanism.to_sym
+        when :rpc
+          raise NotImplementedError
+        when :com
+          @fuzzer_configure = Docile.dsl_eval(COMFuzzer::Config.new, &block).build
+        end
+      end
+    end
+
+    def self.create_fuzzer(&block)
+      config = Config.new
+      yield(config)
+
+      case config.mechanism.to_sym
+      when :com
+        COMFuzzer.new(config)
+      when :rpc
+        #RPCFuzzer.new(config)
+      end
+    end
+  end
+end

data/lib/turborex/fuzzer/containers.rb

@@ -0,0 +1,115 @@
+require 'turborex/windows'
+
+module TurboRex
+  module Fuzzer
+    module Container
+      class ContainerBase
+        attr_reader :buf
+
+        def fixed=(v)
+          @fixed = true
+          set_data v
+        end
+
+        def mutate(mutator)
+          return @buf if @fixed
+          set_data mutator.mutate(@buf)
+        end
+      end
+
+      class BooleanContainer
+
+      end
+
+      class ByteContainer
+
+      end
+
+      class SmallContainer
+
+      end
+
+      class ShortContainer
+
+      end
+
+      class LongContainer
+
+      end
+
+      class HyperContainer
+
+      end
+
+      class FloatContainer
+
+      end
+
+      class DoubleContainer
+
+      end
+
+      class CharContainer
+
+      end
+
+      class WchartContainer
+
+      end
+
+      class OLESTRContainer < ContainerBase
+        def set_data(data)
+          wchar = TurboRex::Windows::Utils.multibyte_to_widechar(data)
+          @buf = TurboRex::Windows::Win32API.alloc_c_ary('WCHAR', @length / 2)
+          @buf.str = wchar
+          @buf
+        end
+      end
+
+      class BSTRContainer
+        def set_data(data)
+          if data.is_a? OLESTRContainer
+
+          else
+
+          end
+        end
+      end
+
+      class FixedSizeBufferContainer < ContainerBase
+        def initialize(size, opts = {})
+          @size = size
+          @offset = @opts[:offset]
+          @buf = TurboRex::Windows::Win32API.alloc_c_ary('BYTE', @size)
+        end
+
+        def set_data(data)
+          @offset ? @buf.str[@offset] = data : @buf.str = data
+        end
+      end
+
+      class VariantSizeBufferContainer < ContainerBase
+        def set_data(data)
+          @buf = TurboRex::Windows::Win32API.alloc_c_ary('BYTE', data.bytesize)
+          @buf.str = data
+          @buf
+        end
+      end
+
+      class StructureContainer < ContainerBase
+        def initialize(name, typedef=nil, opts = {})
+          if typedef
+            TurboRex::Windows::Win32API.parse_c(typedef)
+          end
+
+          @buf = TurboRex::Windows::Win32API.alloc_c_struct(name)
+          @member = opts[:member]
+        end
+
+        def set_data(data)
+          @member ? @buf.send("#{@member}=", data) : @buf.str = data
+        end
+      end
+    end
+  end
+end

data/lib/turborex/fuzzer/coverage.rb

@@ -0,0 +1,67 @@
+module TurboRex
+  module Fuzzer
+    class CoverageClient
+      def initialize(mapping_name, buf_size=65536)
+        setting_mapping(mapping_name, buf_size)
+        @virgin_bits = [0xFF] * buf_size
+        @view_size = buf_size
+        @bitmap_size = 0
+      end
+
+      def trace_bits
+        page = [0].pack('C')*@view_size
+        return if TurboRex::Windows::Win32API.readprocessmemory(-1, @buf, page, @view_size, 0) == 0
+        page
+      end
+
+      # def has_new_bits?(trace_bits=trace_bits, virgin_bits=@virgin_bits)
+      #   ret = false
+      #   trace_bits.bytes.to_a.each do |b, i|
+      #     virgin_bit = virgin_bits[i]
+      #     unless (b & virgin_bit).zero?
+      #       unless ret
+      #         if virgin_bit == 0xFF
+      #           ret = true
+      #           @bitmap_size += 1
+      #         else
+      #           ret = :new_hit
+      #         end
+      #       end
+
+      #       virgin_byte = virgin_byte & ~b
+      #       virgin_bits[i] = virgin_bit
+      #     end
+      #   end
+
+      #   ret
+      # end
+
+      private
+
+      def setting_mapping(mapping_name, buf_size)
+        @mapping_name = mapping_name
+
+        @hmap = TurboRex::Windows::Win32API.openfilemappinga(
+          TurboRex::Windows::Win32API::FILE_MAP_ALL_ACCESS,
+          false,
+          mapping_name
+        )
+
+        raise "Error opening file mapping" unless @hmap
+
+        @buf = TurboRex::Windows::Win32API.mapviewoffile(
+          @hmap,
+          TurboRex::Windows::Win32API::FILE_MAP_ALL_ACCESS,
+          0,
+          0,
+          buf_size
+        )
+
+        unless @buf
+          TurboRex::Windows::Win32API.closehandle(@hmap)
+          raise "Error mapping view of file"
+        end
+      end
+    end
+  end
+end