• Stars
    star
    123
  • Rank 290,145 (Top 6 %)
  • Language
    Python
  • Created over 8 years ago
  • Updated over 3 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Automate repetitive tasks for fuzzing

Daily Build Trigger

Warning

Completely re-writing this right now. Focus will be on interactive Linux apps that only take input from stdin for starters. Attempting to use Shellphish's Driller and Fuzzer functionality.

autoPwn in it's current state will do this in limited form. Simply run autoPwn ./binary then select the Start option.

Installing

Given all the dependency issues here, the easiest way to get autoPwn up and running is to use the Docker build. Note, you can remove the --security-opt and --cap-add statement, but some fuzzing aspects might not work.

$ sudo docker pull bannsec/autoPwn
$ sudo docker run -it -v $PWD:/mount --security-opt="apparmor=unconfined" --cap-add=SYS_PTRACE -e DISPLAY=$DISPLAY -v /tmp/.X11-unix/:/tmp/.X11-unix/ bannsec/autopwn

In the Docker build, everything should be ready to go. You can simply start up the tool with:

$ autoPwn ./file

Compiling source for fuzzing

autoPwn attempts to make compiling source for fuzzing a project easier. To help with this, autoPwnCompile was created. Just point it at your source code, and give it options and it will output an executable ready to be fuzzed.

usage: autoPwnCompile [-h] [--file FILE] [--ASAN | --MSAN] [--UBSAN]
                      [--fuzzer FUZZER]

Compile source to binaries for use in autoPwn.

optional arguments:
  -h, --help       show this help message and exit
  --file FILE      Single file to compile.
  --ASAN           Enable ASAN (default off)
  --MSAN           Enable MSAN (default off)
  --UBSAN          Enable UBSAN (default off)
  --fuzzer FUZZER  (optional) What fuzzer to compile for. Options are:
                   ['AFL']. Default is AFL.

The below is from the OLD version of autoPwn..

Overview

autoPwn is a lofty name for a simple script. When working with fuzzing and afl-fuzz, I noticed that I would do the same tasks over and over. With this in mind, I wanted to create a script that would accomplish the following:

  1. Automate and simplify the task of starting the fuzzer through smart prompts
  2. Automate and simplify the task of restarting the fuzzer through a config file
  3. Fully automate the process of afl queue minimizations
  4. Fully automate the process of extracting and minimizing all possible exploitable paths
  5. Fully automate the process of extracting and minimizing all possible paths in general.
  6. Fully or partially automate the generation of initial path values.

So far, the script is able to the first 5. Part 6 is speculative and attempting development right now. It would leverage the angr symbolic execution engine to create possible initial paths. At that point, the script could theoretically fully automate simple fuzzing tasks.

Example

Let's take a look at a recent TUCTF challenge called "WoO2". While it doesn't necessarily find the needed exploit, it does show how autoPwn can be used to simplify path discovery.

Here's a basic run through the program:

$ ./e67eb287f23011a40ef5bd5c2ad2f48ca97834cf 
Welcome! I don't think we're in Kansas anymore.
We're about to head off on an adventure!
Select some animals you want to bring along.

Menu Options:
1: Bring a lion
2: Bring a tiger
3: Bring a bear
4: Delete Animal
5: Exit

Enter your choice:
1
Choose the type of lion you want:
1: Congo Lion
2: Barbary Lion
1
Enter name of lion:
Test
Menu Options:
1: Bring a lion
2: Bring a tiger
3: Bring a bear
4: Delete Animal
5: Exit

Enter your choice:
5

Let's create a simple input test case:

$ cat in/1 
1
1
Test
5

Now we can easily start up the fuzzer:

$ autoPwn 
Setting up fuzz configuration
Target Binary (full or relative path): e67eb287f23011a40ef5bd5c2ad2f48ca97834cf
Command line args: 
Number of cores (default: 8): 
Test Case Dir (default: 'in/'): 
Test Case Dir (default: 'out/'): 
Max memory (default: 200): 4096
Starting fuzz
autoPwn> s
status check tool for afl-fuzz by <[email protected]>

Individual fuzzers
==================

>>> SESSION007 (0 days, 0 hrs) <<<

  cycle 1, lifetime speed 1 execs/sec, path 0/1 (0%)
  pending 1/1, coverage 0.15%, no crashes yet

>>> SESSION000 (0 days, 0 hrs) <<<

  cycle 1, lifetime speed 1 execs/sec, path 0/1 (0%)
  pending 1/1, coverage 0.15%, no crashes yet

>>> SESSION002 (0 days, 0 hrs) <<<

  cycle 1, lifetime speed 1 execs/sec, path 0/1 (0%)
  pending 1/1, coverage 0.15%, no crashes yet

>>> SESSION006 (0 days, 0 hrs) <<<

  cycle 1, lifetime speed 1 execs/sec, path 0/1 (0%)
  pending 1/1, coverage 0.15%, no crashes yet

>>> SESSION004 (0 days, 0 hrs) <<<

  cycle 1, lifetime speed 1 execs/sec, path 0/1 (0%)
  pending 1/1, coverage 0.15%, no crashes yet

>>> SESSION001 (0 days, 0 hrs) <<<

  cycle 1, lifetime speed 1 execs/sec, path 0/1 (0%)
  pending 1/1, coverage 0.15%, no crashes yet

>>> SESSION005 (0 days, 0 hrs) <<<

  cycle 1, lifetime speed 1 execs/sec, path 0/1 (0%)
  pending 1/1, coverage 0.15%, no crashes yet

>>> SESSION003 (0 days, 0 hrs) <<<

  cycle 1, lifetime speed 1 execs/sec, path 0/1 (0%)
  pending 1/1, coverage 0.15%, no crashes yet

Summary stats
=============

       Fuzzers alive : 8
      Total run time : 0 days, 0 hours
         Total execs : 0 million
    Cumulative speed : 8 execs/sec
       Pending paths : 8 faves, 8 total
  Pending per fuzzer : 1 faves, 1 total (on average)
       Crashes found : 0 locally unique


autoPwn> h
autoPwn
     s == fuzzer (s)tatus
     e == collect (e)xploits
     a == collect (a)ll paths
     m == (m)inimize corpus
     q == (q)uit

So what happened here was that the script created some default values (including determining the number of cores available). We changed one default value due to needing extra memory to run this in QEMU. autoPwn created a config file that it then gave to afl-utils (https://github.com/rc0r/afl-utils). In the config file, it also set up CPU affinities, so the fuzzing would be default optimal.

At this point, your computer is chucking away at fuzzing. However, one key aspect of fuzzing is minimizing the corpus. With this in mind, autoPwn is watching the afl-fuzz instance to monitor for when a series of the mutations are completed. When this happens, it will stop fuzzing (non-optimal, but fine for now), minimize the corpus, then re-start fuzzing. It does this without any human intervention so you can fire and forget.

At some point you might want to take a look at what paths afl has found. By executing the "a" command, autoPwn will copy all the known paths, minimize the corpus and then minimize the cases themselves and provide them in an output directory.

More Repositories

1

stegoVeritas

Yet another Stego Tool
Python
308
star
2

winevt

Windows Event Interactions in Python
Python
66
star
3

pySym

Python Symbolic Execution
Python
63
star
4

revenge

REVerse ENGineering Environment
Python
55
star
5

formatStringExploiter

Helper script for working with format string bugs
Python
55
star
6

pyThaw

Python Application to Reverse Freezing
Python
36
star
7

NetTK

Network Tool Kit
Python
32
star
8

angr-Windows

Windows builds for use with angr framework
27
star
9

gallimaufry

Command Line Parsing Library for USB PCAP Files
Python
23
star
10

autopsy_docker

Docker build for autopsy
Dockerfile
21
star
11

cosmosocks

Socks server written in Cosmopolitan libc
C
20
star
12

edex-ui-docker

Docker install for edex-ui
Dockerfile
15
star
13

linux-kernel-lab

Lab Environment For Learning About The Linux Kernel
Shell
9
star
14

CTF

CTF Archives and Solutions
Vim Script
8
star
15

EasyKLEE

Repo to ease the pain of installing KLEE
Shell
8
star
16

volatility_profile_builder

Python script to auto-build linux volatility profiles
Python
6
star
17

scapyshark

Wireshark like implementation with Scapy
Python
6
star
18

hashcat

pip install wrapper around hashcat
Python
4
star
19

altEnv

altEnv is an Alternate Environment manager
Python
4
star
20

hashcrack

Hash cracking python wrapper
Perl
4
star
21

bloodhound_docker

Docker build for BloodHound
Dockerfile
4
star
22

arm_now_docker

Dockerization of the arm_now tool
Dockerfile
4
star
23

larissa

A user wrapper around the Triton Symbolic Execution Engine
Python
4
star
24

pyCoW

Attempt at creating Copy-On-Write library for Python
Python
3
star
25

pyvagrant

Python wrapper for Vagrant
Python
3
star
26

frida_build_env

Helper container for building and testing Frida compiles
Dockerfile
3
star
27

autoPwn-stage-Ghidra

Ghidra build for autoPwn container
Dockerfile
3
star
28

extractor

Universal extraction tool
Python
3
star
29

ilspy_docker

Simple docker build for ilspycmd
Dockerfile
3
star
30

mpv_windows_builder

Dockerfile and scripts for cross-compiling mpv for Windows
Dockerfile
2
star
31

r2symbion

angr symbion integration for r2
Python
2
star
32

xss_catcher

Pure python simple XSS Catcher
Python
2
star
33

enableAPKDebugging

Application to simplify apk->apk w/ debugging enabled
Shell
2
star
34

simple_menu

Defunct attempt at a text menu
Python
2
star
35

hashcat-beta

Beta build of hashcat
Python
2
star
36

gef_venv

GEF in a Python Virtual Environment
Shell
2
star
37

advent_of_code

https://adventofcode.com
Python
2
star
38

mingw-w64-cross-x86_64

Cross compile using Mingw x86_64
Dockerfile
1
star
39

altEnv_preBuilt

Pre-Built Images for altEnv
1
star
40

larissa_boost

Boost pip library installer for Larissa
Python
1
star
41

frida-android-m2crypto

Because m2crypto has a painful bug right now.
C
1
star
42

revenge_testenv_android-29_default_x86_64

revenge test harness for Android-10
Dockerfile
1
star
43

pyBlackJackOld

A Python Library and Application For BlackJack Simulation And Learning
Python
1
star
44

hashcrack-jtr

John The Ripper for hashcrack
Python
1
star
45

s2e

S2E Helpers
C++
1
star
46

autoPwn-stage-gdb

GDB builder stage
Dockerfile
1
star
47

BigBuckBunny_Dash

For sharing a problem I've discovered with Dash-mpd and Google Chromecast
1
star
48

OpenBSD_BashRC

My silly bashrc and setup scripts for OpenBSD.
Shell
1
star
49

sharePlayer

Python Library for Syncronized Playback of Video and Audio
Python
1
star
50

ajar

Chess Opening Creator
Python
1
star
51

autoPwn-tmp

Temp place for deps
1
star
52

stupidcast

Stupid TUI tool for controlling chromecast
Python
1
star
53

autoPwn-stage-radamsa

Radamsa build stage for autopwn
Dockerfile
1
star
54

android_toolkit

Dockerfile for working with Android devices
Dockerfile
1
star
55

autoPwn-stage-libcxx-msan

Dockerfile
1
star
56

htb_static

helpful hack-the-box static binaries
1
star
57

musl-cross-x86_64-linux

Cross Compiler musl x64->x64
Dockerfile
1
star
58

socks.pl

A repository for a socks server implementation in Perl
Perl
1
star