barf/barf.py

#!/usr/bin/env python3
#
# (c) 2021 Martin "maride" Dessauer
#
# BARF, or the Breakpoint-Assisted Rough Fuzzer, is a tool to do intelligent bruteforcing.
# The "intelligent" part comes from watching breakpoints and counting how often they were hit.
# Input is fed into the target program, character-wise, and the character with the best score wins. ;)
# This is done as long as there is a better score to get, and/or until a "win breakpoint" is hit.
# If that's hard to understand on the first read, see some of the examples. ;)
#
# This script is not designed to be directly called. Instead, it gets imported by gdb, via the -x argument.
# Because passing arguments into gdb-python scripts is not trivial, the script _should_ be called by the barf.sh wrapper.
# If you have any reasons to avoid the wrapper script, ... uh well. Your choice. You can call the barf.py script via gdb like this:
# gdb -nx -ex "py barf_positive_addr=False;barf_negative_addr='0x5555555551c0';barf_win_addr='0x5555555551ec';barf_known_prefix='';barf_known_suffix=''" -x barf.py ./beispiel1
#  -nx avoids loading .gdbinit
#  -ex throws your arguments into gdb-python (must be specified _before_ handing in the script
#  -x specifies the location of the script
#  after that comes your executable (./beispiel1 in this case)
#
# In doubt, see https://github.com/maride/barf
# Have fun with the script! :)

# include project path as include path
sys.path.insert(1, barf_path)

# include project files
from BreakpointManager import BreakpointManager
from TargetManager import TargetManager
from Helper import *
from Bruteforce import *

# main func
def main():
    MOTD()
    gdb.execute("set pagination off")

    # check our args :)
    args = getArguments()

    # Create our breakpoints, managed by the BreakpointManager
    bm = BreakpointManager(args["positiveAddr"], args["negativeAddr"], args["winAddr"], args["loseAddr"])

    # Manage the target with the TargetManager
    tm = TargetManager(bm, args["persistent"], args["startAddr"], args["endAddr"], args["buffAddr"])

    # start the bruteforcing madness ;)
    Bruteforce(bm, tm, args["knownPrefix"], args["knownSuffix"], args["chunksize"])

    # g'night, gdb
    gdb.execute("set confirm off")
    gdb.execute("quit")


# getArguments grabs the arguments from pre-defined variables and returns it as a dict
def getArguments():
    a = dict()
    a["positiveAddr"] = barf_positive_addr
    a["negativeAddr"] = barf_negative_addr
    a["winAddr"] = barf_win_addr
    a["loseAddr"] = barf_lose_addr
    a["startAddr"] = barf_start_addr
    a["endAddr"] = barf_end_addr
    a["buffAddr"] = barf_buff_addr
    a["knownPrefix"] = barf_known_prefix
    a["knownSuffix"] = barf_known_suffix
    a["chunksize"] = barf_chunksize
    a["persistent"] = barf_persistent
    return a


# actually execute main function
main()
Init commit 2021-05-30 19:13:17 +00:00			`#!/usr/bin/env python3`
			`#`
			`# (c) 2021 Martin "maride" Dessauer`
			`#`
			`# BARF, or the Breakpoint-Assisted Rough Fuzzer, is a tool to do intelligent bruteforcing.`
			`# The "intelligent" part comes from watching breakpoints and counting how often they were hit.`
			`# Input is fed into the target program, character-wise, and the character with the best score wins. ;)`
			`# This is done as long as there is a better score to get, and/or until a "win breakpoint" is hit.`
			`# If that's hard to understand on the first read, see some of the examples. ;)`
			`#`
			`# This script is not designed to be directly called. Instead, it gets imported by gdb, via the -x argument.`
			`# Because passing arguments into gdb-python scripts is not trivial, the script _should_ be called by the barf.sh wrapper.`
			`# If you have any reasons to avoid the wrapper script, ... uh well. Your choice. You can call the barf.py script via gdb like this:`
			`# gdb -nx -ex "py barf_positive_addr=False;barf_negative_addr='0x5555555551c0';barf_win_addr='0x5555555551ec';barf_known_prefix='';barf_known_suffix=''" -x barf.py ./beispiel1`
			`# -nx avoids loading .gdbinit`
			`# -ex throws your arguments into gdb-python (must be specified _before_ handing in the script`
			`# -x specifies the location of the script`
			`# after that comes your executable (./beispiel1 in this case)`
			`#`
			`# In doubt, see https://github.com/maride/barf`
			`# Have fun with the script! :)`

Split code into modules 2021-05-30 19:13:49 +00:00			`# include project path as include path`
Dynamically include BARF source 2021-05-30 19:26:13 +00:00			`sys.path.insert(1, barf_path)`
Init commit 2021-05-30 19:13:17 +00:00
Split code into modules 2021-05-30 19:13:49 +00:00			`# include project files`
			`from BreakpointManager import BreakpointManager`
Add persistence mode 2021-06-11 16:39:06 +00:00			`from TargetManager import TargetManager`
Split code into modules 2021-05-30 19:13:49 +00:00			`from Helper import *`
			`from Bruteforce import *`
Init commit 2021-05-30 19:13:17 +00:00
			`# main func`
			`def main():`
			`MOTD()`
			`gdb.execute("set pagination off")`

			`# check our args :)`
			`args = getArguments()`

			`# Create our breakpoints, managed by the BreakpointManager`
Add lose address (counterpart to win address) 2021-06-18 11:54:16 +00:00			`bm = BreakpointManager(args["positiveAddr"], args["negativeAddr"], args["winAddr"], args["loseAddr"])`
Init commit 2021-05-30 19:13:17 +00:00
Add persistence mode 2021-06-11 16:39:06 +00:00			`# Manage the target with the TargetManager`
Properly implement calibration 2021-06-17 00:32:26 +00:00			`tm = TargetManager(bm, args["persistent"], args["startAddr"], args["endAddr"], args["buffAddr"])`
Add persistence mode 2021-06-11 16:39:06 +00:00
Init commit 2021-05-30 19:13:17 +00:00			`# start the bruteforcing madness ;)`
Add persistence mode 2021-06-11 16:39:06 +00:00			`Bruteforce(bm, tm, args["knownPrefix"], args["knownSuffix"], args["chunksize"])`
Init commit 2021-05-30 19:13:17 +00:00
			`# g'night, gdb`
Add persistence mode 2021-06-11 16:39:06 +00:00			`gdb.execute("set confirm off")`
Init commit 2021-05-30 19:13:17 +00:00			`gdb.execute("quit")`


Split code into modules 2021-05-30 19:13:49 +00:00			`# getArguments grabs the arguments from pre-defined variables and returns it as a dict`
			`def getArguments():`
			`a = dict()`
			`a["positiveAddr"] = barf_positive_addr`
			`a["negativeAddr"] = barf_negative_addr`
			`a["winAddr"] = barf_win_addr`
Add lose address (counterpart to win address) 2021-06-18 11:54:16 +00:00			`a["loseAddr"] = barf_lose_addr`
Add persistence mode 2021-06-11 16:39:06 +00:00			`a["startAddr"] = barf_start_addr`
			`a["endAddr"] = barf_end_addr`
			`a["buffAddr"] = barf_buff_addr`
Split code into modules 2021-05-30 19:13:49 +00:00			`a["knownPrefix"] = barf_known_prefix`
			`a["knownSuffix"] = barf_known_suffix`
Add chunk support 2021-05-31 13:15:42 +00:00			`a["chunksize"] = barf_chunksize`
Add persistence mode 2021-06-11 16:39:06 +00:00			`a["persistent"] = barf_persistent`
Split code into modules 2021-05-30 19:13:49 +00:00			`return a`


Init commit 2021-05-30 19:13:17 +00:00			`# actually execute main function`
			`main()`