Added Dharma fuzzer and dobin#6 :

- Readme.md : Linked the grammar based fuzzer tutorial
- docs/tutorial-grammar-based.md : Added the grammar based fuzzer tutorial for Dharma
- fuzzer/fuzzer_list.py : Created a py file to have the fuzzer list there (easy config)
- fuzzer/fuzzingiterationdata.py : Changes for issue 6
- fuzzer/fuzzingmaster.py : Changes for issue 6
- fuzzer/fuzzingslave.py : Changes for issue 6
- template/fuzzing.py : Added the grammars file to fuzzing.py

README.md

@@ -60,6 +60,7 @@ Steps involved in setting up a fuzzing project:
 
 For a step-by-step guide:
 * [Setup the sample project tutorial](https://github.com/dobin/ffw/blob/master/docs/tutorial-sample-project.md)
+* [Setup the Grammar based fuzzer](https://github.com/dobin/ffw/blob/master/docs/tutorial-grammar-based.md)
 * [Setup the feedback-driven fuzzing project tutorial](https://github.com/dobin/ffw/blob/master/docs/tutorial-honggmode.md)
 * [Some fuzzing help and infos](https://github.com/dobin/ffw/blob/master/docs/notes.md)
 

docs/tutorial-grammar-based.md

@@ -0,0 +1,28 @@
+
+## Grammar base fuzzing
+
+These assume you have set up the directory structure as explained in tutorial-sample-project.md
+
+### Dharma
+
+Pull Dharma in ffw:
+
+    git pull https://github.com/MozillaSecurity/dharma.git
+
+Open fuzzing.py and change the fuzzer variable:
+
+    "fuzzer": "Dharma"
+
+Add your grammars to the grammars file in the project. For example from the ffw root folder:
+
+    cp dharma/dharma/grammars/grammar.dg vulnserver/grammars
+
+
+You can specify a different grammars file in fuzzing.py
+
+Do not run the interceptor. Your testcases will be generated by the grammar fuzzer using the grammar you provided.
+
+To run the fuzzer:
+
+    cd vulnserver
+    ./fuzzing.py --fuzz --debug

fuzzer/fuzzer_list.py

@@ -0,0 +1,32 @@
+fuzzers = {
+    "Dumb":
+    {
+        "name": "Dumb",
+        "file": "fuzzer_dumb.py",
+        "args": '%(seed)s "%(input)s" %(output)s',
+        "type": "mut"
+    },
+    "Radamsa":
+    {
+        "name": "Radamsa",
+        "file": "radamsa/bin/radamsa",
+        "args": '-s %(seed)s -o %(output)s "%(input)s"',
+        "type": "mut"
+    },
+    "Zzuf":
+    {
+        "name": "Zzuf",
+        "file": "zzuf/src/zzuf",
+        "args": '-r 0.01 -s %(seed)s -v -d < "%(input)s" > %(output)s',
+        "type": "mut"
+    },
+    "Dharma":
+    {
+        "name": "Dharma",
+        "file": "dharma/dharma/dharma.py",
+        "args": '-grammars %(grammar)s -seed %(seed)s > %(output)s',
+        "type": "mut"
+    }
+}
+
+

fuzzer/fuzzingiterationdata.py

@@ -7,28 +7,9 @@
 import copy
 import time
 import sys
+import IPython
 
-fuzzers = {
-    "Dumb":
-    {
-        "name": "Dumb",
-        "file": "fuzzer_dumb.py",
-        "args": '%(seed)s "%(input)s" %(output)s',
-    },
-    "Radamsa":
-    {
-        "name": "Radamsa",
-        "file": "radamsa/bin/radamsa",
-        "args": '-s %(seed)s -o %(output)s "%(input)s"',
-    },
-    "Zzuf":
-    {
-        "name": "Zzuf",
-        "file": "zzuf/src/zzuf",
-        "args": '-r 0.01 -s %(seed)s -v -d < "%(input)s" > %(output)s'
-    }
-}
-
+from fuzzer_list import fuzzers
 
 class FuzzingIterationData(object):
     """
@@ -87,10 +68,10 @@ def fuzzData(self):
         logging.debug("Fuzzing the data")
 
         self._generateSeed()
-        self._chooseInput()
-
-        if not self.choice:
-            return False
+	if fuzzers[self.config["fuzzer"]]["type"] == "gen" :
+            self._chooseInput()
+            if not self.choice:
+                return False
 
         self.fuzzingInFile = os.path.join(self.config["temp_dir"], str(self.seed) + ".in.raw")
         self.fuzzingOutFile = os.path.join(self.config["temp_dir"], str(self.seed) + ".out.raw")
@@ -110,10 +91,10 @@ def fuzzData(self):
     def _writeFuzzingFile(self):
         """Write the data to be fuzzed to a file."""
         file = open(self.fuzzingInFile, "w")
-        file.write(self.choice["data"])
-        #logging.debug("urllib.quote_plus: " + str(self.choice["data"]))
+        if self.choice:
+            file.write(self.choice["data"])
+            #logging.debug("urllib.quote_plus: " + str(self.choice["data"]))
         file.close()
-
         return True
 
 
@@ -122,9 +103,9 @@ def _readFuzzingFile(self):
         file = open(self.fuzzingOutFile, "r")
         data = file.read()
         file.close()
-
-        self.choice["data"] = data
-        self.choice["isFuzzed"] = True
+        if self.choice:
+            self.choice["data"] = data
+            self.choice["isFuzzed"] = True
 
         try:
             os.remove(self.fuzzingInFile)
@@ -150,8 +131,14 @@ def _runFuzzer(self):
             print("Could not find fuzzer binary: " + fuzzerBin)
             sys.exit()
 
+	grammars_string = ""
+	for root,dirs,files in os.walk(self.config["grammars"]):                     
+	    for element in files:                                                    
+		grammars_string += self.config["grammars"] + element + " "
+
         args = fuzzerData["args"] % ({
             "seed": self.seed,
+	    "grammar": grammars_string,
             "input": self.fuzzingInFile,
             "output": self.fuzzingOutFile})
         subprocess.call(fuzzerBin + " " + args, shell=True)

fuzzer/fuzzingmaster.py

@@ -7,6 +7,7 @@
 from multiprocessing import Process, Queue
 
 from . import fuzzingslave
+from fuzzer_list import fuzzers
 import utils
 
 
@@ -23,7 +24,10 @@ def doFuzz(config, useCurses):
     orig = signal.signal(signal.SIGINT, signal.SIG_IGN)
 
     printConfig(config)
-    inputs = utils.loadInputs(config)
+    if fuzzers[config["fuzzer"]]["type"] == "mut" :
+        inputs = utils.loadInputs(config)
+    else:
+        inputs = None
 
     procs = []
     n = 0

fuzzer/fuzzingslave.py

@@ -205,21 +205,22 @@ def printFuzzData(self, fuzzData):
 
     def sendPreData(self, networkManager, fuzzingIterationData):
         logging.info("Send pre data: ")
+
+        if fuzzingIterationData.fuzzedData:
+            for message in fuzzingIterationData.fuzzedData:
+                if message == fuzzingIterationData.choice:
+                    break
 
-        for message in fuzzingIterationData.fuzzedData:
-            if message == fuzzingIterationData.choice:
-                break
-
-            if message["from"] == "srv":
-                r = networkManager.receiveData(message)
-                if not r:
-                    return False
+                if message["from"] == "srv":
+                    r = networkManager.receiveData(message)
+                    if not r:
+                        return False
 
-            if message["from"] == "cli":
-                logging.debug("  Sending pre message: " + str(fuzzingIterationData.fuzzedData.index(message)))
-                ret = networkManager.sendData(message)
-                if not ret:
-                    return False
+                if message["from"] == "cli":
+                    logging.debug("  Sending pre message: " + str(fuzzingIterationData.fuzzedData.index(message)))
+                    ret = networkManager.sendData(message)
+                    if not ret:
+                        return False
 
         return True
 
@@ -228,25 +229,26 @@ def sendData(self, networkManager, fuzzingIterationData):
         logging.info("Send data: ")
 
         s = False
-        for message in fuzzingIterationData.fuzzedData:
-            # skip pre messages
-            if message == fuzzingIterationData.choice:
-                s = True
+        if fuzzingIterationData.fuzzedData:
+            for message in fuzzingIterationData.fuzzedData:
+                # skip pre messages
+                if message == fuzzingIterationData.choice:
+                    s = True
 
             if s:
-                if message["from"] == "srv":
-                    r = networkManager.receiveData(message)
-                    if not r:
-                        return False
-
-                if message["from"] == "cli":
-                    if "isFuzzed" in message:
-                        logging.debug("  Sending fuzzed message: " + str(fuzzingIterationData.fuzzedData.index(message)))
-                    else:
-                        logging.debug("  Sending post message: " + str(fuzzingIterationData.fuzzedData.index(message)))
-                    res = networkManager.sendData(message)
-                    if res is False:
-                        return False
+                    if message["from"] == "srv":
+                        r = networkManager.receiveData(message)
+                        if not r:
+                            return False
+
+                    if message["from"] == "cli":
+                        if "isFuzzed" in message:
+                            logging.debug("  Sending fuzzed message: " + str(fuzzingIterationData.fuzzedData.index(message)))
+                        else:
+                            logging.debug("  Sending post message: " + str(fuzzingIterationData.fuzzedData.index(message)))
+                        res = networkManager.sendData(message)
+                        if res is False:
+                            return False
 
         return True
 

template/fuzzing.py

@@ -72,6 +72,9 @@
     # currently basically only radamsa
     "fuzzer": "Radamsa",
 
+    #Dharma grammars
+    "grammars": PROJDIR + "grammars/",
+
     # Directory of input files
     "inputs": PROJDIR + "in",