-
Notifications
You must be signed in to change notification settings - Fork 0
/
barf.py
76 lines (62 loc) · 2.89 KB
/
barf.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
#!/usr/bin/env python3
#
# (c) 2021 Martin "maride" Dessauer
#
# BARF, or the Breakpoint-Assisted Rough Fuzzer, is a tool to do intelligent bruteforcing.
# The "intelligent" part comes from watching breakpoints and counting how often they were hit.
# Input is fed into the target program, character-wise, and the character with the best score wins. ;)
# This is done as long as there is a better score to get, and/or until a "win breakpoint" is hit.
# If that's hard to understand on the first read, see some of the examples. ;)
#
# This script is not designed to be directly called. Instead, it gets imported by gdb, via the -x argument.
# Because passing arguments into gdb-python scripts is not trivial, the script _should_ be called by the barf.sh wrapper.
# If you have any reasons to avoid the wrapper script, ... uh well. Your choice. You can call the barf.py script via gdb like this:
# gdb -nx -ex "py barf_positive_addr=False;barf_negative_addr='0x5555555551c0';barf_win_addr='0x5555555551ec';barf_known_prefix='';barf_known_suffix=''" -x barf.py ./beispiel1
# -nx avoids loading .gdbinit
# -ex throws your arguments into gdb-python (must be specified _before_ handing in the script
# -x specifies the location of the script
# after that comes your executable (./beispiel1 in this case)
#
# In doubt, see https://github.com/maride/barf
# Have fun with the script! :)
# include project path as include path
sys.path.insert(1, barf_path)
from base64 import b64decode
# include project files
from BreakpointManager import BreakpointManager
from TargetManager import TargetManager
from Helper import *
from Bruteforce import *
# main func
def main():
MOTD()
gdb.execute("set pagination off")
# check our args :)
args = getArguments()
# Create our breakpoints, managed by the BreakpointManager
bm = BreakpointManager(args["positiveAddr"], args["negativeAddr"], args["winAddr"], args["loseAddr"])
# Manage the target with the TargetManager
tm = TargetManager(bm, args["persistent"], args["startAddr"], args["endAddr"], args["buffAddr"])
# start the bruteforcing madness ;)
Bruteforce(bm, tm, args["knownPrefix"], args["knownSuffix"], args["chunksize"], args["charset"])
# g'night, gdb
gdb.execute("set confirm off")
gdb.execute("quit")
# getArguments grabs the arguments from pre-defined variables and returns it as a dict
def getArguments():
a = dict()
a["positiveAddr"] = barf_positive_addr
a["negativeAddr"] = barf_negative_addr
a["winAddr"] = barf_win_addr
a["loseAddr"] = barf_lose_addr
a["startAddr"] = barf_start_addr
a["endAddr"] = barf_end_addr
a["buffAddr"] = barf_buff_addr
a["knownPrefix"] = barf_known_prefix
a["knownSuffix"] = barf_known_suffix
a["chunksize"] = barf_chunksize
a["charset"] = b64decode(barf_charset_b64).decode()
a["persistent"] = barf_persistent
return a
# actually execute main function
main()