
* introducing Launcher::overcommit * removing unnecessary cfg restrictions and clippy allows * improving warning for wrong clang-format version * installing black in the format CI * Enforcing python formatting in CI * extending formatting using black on all python files * printing diff on black failure * preferring python's black over system black * moving to LLVM 19 for formatting
# from the maturin venv, after running 'maturin develop' in the pylibafl directory
from pylibafl import sugar, qemu
import lief
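# Size of the guest-side input buffer; the harness truncates every test case to
# this length so writes never leave the mapping created below.
MAX_SIZE = 0x100

BINARY_PATH = "./a.out"

# Start the target under qemu-x86_64 user-mode emulation. The second argument
# is an empty list (presumably the guest environment - confirm against pylibafl).
emu = qemu.Qemu(["qemu-x86_64", BINARY_PATH], [])

# Resolve the fuzz entry point from the ELF. lief.parse returns None rather
# than raising when the file is missing or not a valid ELF, which would
# otherwise surface as an AttributeError on the next line.
elf = lief.parse(BINARY_PATH)
if elf is None:
    raise FileNotFoundError(f"could not parse ELF binary at {BINARY_PATH}")

test_one_input = elf.get_function_address("LLVMFuzzerTestOneInput")
# For PIE binaries the symbol value is image-relative; rebase it onto the
# address the emulator actually loaded the image at.
if elf.is_pie:
    test_one_input += emu.load_addr()
print(f"LLVMFuzzerTestOneInput @ {test_one_input:#x}")

# Run the real program once up to the entry point so that the register and
# stack state captured below reflect a genuine call.
emu.set_breakpoint(test_one_input)
emu.run()

sp = emu.read_reg(qemu.regs.Rsp)
print(f"SP = {sp:#x}")

# x86-64: on function entry the 8-byte return address is at [rsp].
retaddr = int.from_bytes(emu.read_mem(sp, 8), "little")
print(f"RET = {retaddr:#x}")

# Guest buffer that each harness iteration fills with the test case.
inp = emu.map_private(0, MAX_SIZE, qemu.mmap.ReadWrite)
if inp <= 0:
    # Not an `assert`: asserts are stripped under `python -O`, and a failed
    # mapping would otherwise only show up later as writes to a bogus address.
    raise RuntimeError(
        f"map_private failed for {MAX_SIZE:#x} bytes (returned {inp})"
    )

# Swap the entry breakpoint for one on the return address so each emu.run()
# in the harness executes exactly one call of the target function.
emu.remove_breakpoint(test_one_input)
emu.set_breakpoint(retaddr)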
def harness(b):
    """Run LLVMFuzzerTestOneInput once inside the emulator on test case *b*.

    The input is clamped to MAX_SIZE so the copy into the guest buffer ``inp``
    stays within the MAX_SIZE-byte mapping. The x86-64 argument registers are
    then set up as rdi=buffer, rsi=length, rsp/rip are reset to the state
    captured at the original call, and execution resumes until the breakpoint
    on the saved return address is hit.
    """
    payload = b[:MAX_SIZE]
    emu.write_mem(inp, payload)

    # Same register order as before: length, data pointer, stack, then pc.
    register_setup = (
        (qemu.regs.Rsi, len(payload)),
        (qemu.regs.Rdi, inp),
        (qemu.regs.Rsp, sp),
        (qemu.regs.Rip, test_one_input),
    )
    for reg, value in register_setup:
        emu.write_reg(reg, value)

    emu.run()
# Positional arguments of QemuBytesCoverageSugar; from the values they look
# like seed corpus dirs, output dir, broker port and core ids - confirm
# against the pylibafl signature before relying on that reading.
SEED_CORPUS_DIRS = ["./in"]
OUTPUT_DIR = "./out"
BROKER_PORT = 3456
CORES = [0, 1, 2, 3]

# Coverage-guided fuzzing loop driving `harness` inside `emu`.
fuzz = sugar.QemuBytesCoverageSugar(
    SEED_CORPUS_DIRS, OUTPUT_DIR, BROKER_PORT, CORES
)
fuzz.run(emu, harness)