Adding i386 support for #16

bannsec · Sep 5, 2018 · 4f87556 · 4f87556
1 parent 2c66175
commit 4f87556
Show file tree

Hide file tree

Showing 2 changed files with 62 additions and 2 deletions.
diff --git a/autoPwn/autoPwn.py b/autoPwn/autoPwn.py
@@ -59,15 +59,15 @@ def setup_argv_fuzzing():
 
     # Supported archs
     arch = proj.loader.main_object.arch.name
-    if arch == "AMD64":
+    if arch in ["AMD64", "X86"]:
         logger.warn("Fuzzing argv requires a little binary modification. Creating and fuzzing .patched.")
         logger.warn("Fuzzer->Driller handoff for argv fuzzing is likely broken. Recommend using '--disable-drill' option for now.") # TODO: Make driller handoff work...
 
         # Set environment vars
         os.environ['AUTOPWN_ARGV'] = ",".join(str(i) for i in args.fuzzed_argument)
         os.environ['AUTOPWN_ARGV_SIZE'] = ",".join([str(AUTOPWN_ARGV_SIZE)] * len(args.fuzzed_argument)) # TODO: Maybe this should be an optional variable?
 
-        subprocess.check_output(['patch', target, os.path.join(HERE, "patches", "argv_amd64.py")], env=os.environ)
+        subprocess.check_output(['patch', target, os.path.join(HERE, "patches", "argv_{}.py".format(arch.lower()))], env=os.environ)
 
         # Overwrite the calling args
         args.binary[0] = target + ".patched"

diff --git a/autoPwn/patches/argv_x86.py b/autoPwn/patches/argv_x86.py
@@ -0,0 +1,60 @@
+import os
+
+#
+# Written by BannSec
+# Be sure to set environment variable to specify which argv to fuzz and the size
+# 
+# Example: AUTOPWN_ARGV=1,2 AUTOPWN_ARGV_SIZE=16,16 patch <binary> argv_x86.py
+#
+
+asm_intro = r"""
+# Save regs
+push eax
+push edi
+push esi
+push edx
+"""
+
+asm_outro = r"""
+pop edx
+pop esi
+pop edi
+pop eax
+ret
+"""
+
+asm_read = r"""
+# Read in stuff
+mov eax, 3                   # SYS_read
+xor ebx, ebx                 # fd
+mov ecx, [esp + {offset:d}]  # buf
+mov edx, {size:d}            # size
+int 0x80
+
+# Null terminate
+xor edx, edx                 # patchkit quirk. can't move immediate for now.
+mov [ecx + eax - 1], dl      # TODO: Assuming newline for now.. Probably shouldn't assume that.
+"""
+
+def patch(pt):
+    argv_offset = 0x18
+
+    # Which argv to fuzz. I.e.: 0,1,2,3
+    argv = [int(v,0) for v in os.environ['AUTOPWN_ARGV'].split(",")]
+
+    # Size to fuzz
+    size = [int(s,0) for s in os.environ['AUTOPWN_ARGV_SIZE'].split(",")]
+
+    # Save off regs
+    asm = asm_intro
+
+    for a, s in zip(argv, size):
+        # Read input from stdin
+        asm += asm_read.format(size=s, offset=(argv_offset + 4*a))
+
+    # Restore regs
+    asm += asm_outro
+
+    base = pt.binary.next_alloc()
+    addr = pt.inject(asm=asm)
+    pt.hook(pt.entry, addr)