New CLI arguments and experimental code coverage

boofuzz/blocks/request.py

@@ -23,7 +23,7 @@ class Request(FuzzableBlock, Node):
 
     def __init__(self, name=None, children=None):
         FuzzableBlock.__init__(self, name=name, request=self)
-        Node.__init__(self)
+        Node.__init__(self, node_id=name)
         self.label = name  # node label for graph rendering.
         self.stack = []  # the request stack.
         self.block_stack = []  # list of open blocks, -1 is last open block.

boofuzz/cli.py

@@ -2,7 +2,9 @@
 from __future__ import print_function
 
 import logging
+import platform
 import shlex
+import sys
 import time
 
 import click
@@ -19,17 +21,21 @@
 from .utils.process_monitor_local import ProcessMonitorLocal
 from .utils.debugger_thread_simple import DebuggerThreadSimple
 
+if platform.system() != "Windows":
+    from .utils.debugger_thread_qemu import DebuggerThreadQemu
+    from .utils import debugger_thread_qemu
+
 temp_static_session = None
 temp_static_procmon = None
 temp_static_fuzz_only_one_case = None
 
 
-@click.group(help="boofuzz experimental CLI; usage may change over time")
+@click.group(help="boofuzz experimental CLI; usage may change over time", context_settings=dict(max_content_width=120))
 def cli():
     pass
 
 
-@cli.group(help="Must be run via a fuzz script")
+@cli.group(help="Must be run via a fuzz script", context_settings=dict(show_default=True))
 @click.option("--target", metavar="HOST:PORT", help="Target network address", required=True)
 @click.option("--test-case-index", help="Test case index", type=str)
 @click.option("--test-case-name", help="Name of node or specific test case")
@@ -39,10 +45,15 @@ def cli():
 )
 @click.option("--procmon-host", help="Process monitor port host or IP")
 @click.option("--procmon-port", type=int, default=DEFAULT_PROCMON_PORT, help="Process monitor port")
-@click.option("--procmon-start", help="Process monitor start command")
-@click.option("--procmon-capture", is_flag=True, help="Capture stdout/stderr from target process upon failure")
-@click.option("--tui/--no-tui", help="Enable/disable TUI")
-@click.option("--text-dump/--no-text-dump", help="Enable/disable full text dump of logs", default=False)
+@click.option(
+    "--stdout",
+    type=click.Choice(["HIDE", "CAPTURE", "MIRROR"], case_sensitive=False),
+    default="MIRROR",
+    help="How to handle stdout (and stderr) of target. CAPTURE saves output for crash reporting but can "
+    "slow down fuzzing.",
+)
+@click.option("--tui/--no-tui", help="Enable TUI")
+@click.option("--text-dump/--no-text-dump", help="Enable full text dump of logs", default=False)
 @click.option("--feature-check", is_flag=True, help="Run a feature check instead of a fuzz test", default=False)
 @click.option("--target-cmd", help="Target command and arguments")
 @click.option(
@@ -60,6 +71,18 @@ def cli():
     type=int,
     help="Record this many cases before each failure. Set to 0 to record all test cases (high disk space usage!).",
 )
+@click.option(
+    "--qemu/--no-qemu",
+    is_flag=True,
+    default=False,
+    help="Experimental: Enable QEMU mode with code coverage feedback; requires afl-qemu-trace",
+)
+@click.option("--qemu-path", help="afl-qemu-trace path; looks in PATH by default")
+@click.option("--web-port", type=int, default=constants.DEFAULT_WEB_UI_PORT, help="port for web GUI")
+@click.option("--restart-interval", type=int, help="restart every n test cases")
+@click.option(
+    "--target-start-wait", type=float, default=0, help="wait n seconds for target to settle in before fuzzing"
+)
 @click.pass_context
 def fuzz(
     ctx,
@@ -70,23 +93,41 @@ def fuzz(
     sleep_between_cases,
     procmon_host,
     procmon_port,
-    procmon_start,
-    procmon_capture,
+    stdout,
     tui,
     text_dump,
     feature_check,
     target_cmd,
     keep_web,
     combinatorial,
     record_passes,
+    qemu,
+    qemu_path,
+    web_port,
+    restart_interval,
+    target_start_wait,
 ):
+    if qemu:
+        if platform.system() == "Windows":
+            print(
+                "error: --qemu requires System V interface and is not currently supported on Windows", file=sys.stderr
+            )
+            sys.exit(1)
+        if qemu_path is not None:
+            debugger_thread_qemu.QEMU_PATH = qemu_path
+        if not debugger_thread_qemu.QEMU_PATH:
+            print("afl-qemu-trace not found. Is it available in PATH?", file=sys.stderr)
+            sys.exit(1)
+        debugger = DebuggerThreadQemu
+    else:
+        debugger = DebuggerThreadSimple
     local_procmon = None
     if target_cmd is not None and procmon_host is None:
         local_procmon = ProcessMonitorLocal(
             crash_filename="boofuzz-crash-bin",
             proc_name=None,
             pid_to_ignore=None,
-            debugger_class=DebuggerThreadSimple,
+            debugger_class=debugger,
             level=1,
         )
 
@@ -100,12 +141,16 @@ def fuzz(
         fuzz_loggers.append(FuzzLoggerCsv(file_handle=f))
 
     procmon_options = {}
-    if procmon_start is not None:
-        procmon_options["start_commands"] = [procmon_start]
     if target_cmd is not None:
-        procmon_options["start_commands"] = shlex.split(target_cmd)
-    if procmon_capture:
+        procmon_options["start_commands"] = [shlex.split(target_cmd)]
+    if target_start_wait:
+        procmon_options["startup_wait"] = target_start_wait
+    if stdout == "CAPTURE":
         procmon_options["capture_output"] = True
+    elif stdout == "HIDE":
+        procmon_options["hide_output"] = True
+    elif stdout == "MIRROR":
+        pass
 
     if local_procmon is not None or procmon_host is not None:
         if procmon_host is not None:
@@ -152,6 +197,8 @@ def fuzz(
         index_end=end,
         keep_web_open=keep_web,
         fuzz_db_keep_only_n_pass_cases=record_passes,
+        web_port=web_port,
+        restart_interval=restart_interval,
     )
 
     ctx.obj = CliContext(session=session)
@@ -162,13 +209,10 @@ def fuzzcallback(result, *args, **kwargs):
         if feature_check:
             session.feature_check()
         else:
-            session.fuzz(name=test_case_name, max_depth=max_depth)
-
-        if procmon is not None:
-            procmon.stop_target()
+            session.fuzz(name=test_case_name, max_depth=max_depth, qemu=qemu)
 
 
-@cli.command(name="open")
+@cli.command(name="open", context_settings=dict(show_default=True))
 @click.option("--debug", help="Print debug info to console", is_flag=True)
 @click.option(
     "--ui-port",

boofuzz/connections/tcp_socket_connection.py

@@ -21,18 +21,32 @@ class TCPSocketConnection(base_socket_connection.BaseSocketConnection):
         send_timeout (float): Seconds to wait for send before timing out. Default 5.0.
         recv_timeout (float): Seconds to wait for recv before timing out. Default 5.0.
         server (bool): Set to True to enable server side fuzzing.
+        graceful_shutdown (bool): close() method attempts a graceful shutdown. Default: True.
 
     """
 
-    def __init__(self, host, port, send_timeout=5.0, recv_timeout=5.0, server=False):
+    def __init__(self, host, port, send_timeout=5.0, recv_timeout=5.0, server=False, graceful_shutdown=True):
         super(TCPSocketConnection, self).__init__(send_timeout, recv_timeout)
 
         self.host = host
         self.port = port
         self.server = server
         self._serverSock = None
+        self.graceful_shutdown = graceful_shutdown
 
     def close(self):
+        if self.graceful_shutdown:
+            try:
+                self._sock.shutdown(socket.SHUT_RDWR)
+                while len(self._sock.recv(1024)) > 0:
+                    pass
+            except ConnectionError:
+                pass
+            except OSError as e:
+                if e.errno == errno.ENOTCONN:
+                    pass
+                else:
+                    raise
         super(TCPSocketConnection, self).close()
 
         if self.server:
@@ -84,20 +98,25 @@ def _connect_socket(self):
 
     def recv(self, max_bytes):
         """
-        Receive up to max_bytes data from the target.
+        Receive up to max_bytes data from the target. Timeout results in 0 bytes returned.
 
         Args:
             max_bytes (int): Maximum number of bytes to receive.
 
         Returns:
-            Received data.
+            Received data (empty bytes array if timed out).
+
+        Raises:
+            BoofuzzTargetConnectionShutdown: Target shutdown connection (e.g. socket recv returns 0 bytes)
+            BoofuzzTargetConnectionAborted: ECONNABORTED
+            BoofuzzTargetConnectionReset: ECONNRESET, ENETRESET, ETIMEDOUT
         """
         data = b""
 
         try:
             data = self._sock.recv(max_bytes)
-        except socket.timeout:
-            data = b""
+        except socket.timeout as e:
+            raise exception.BoofuzzTargetTimeout(socket_errno=e.errno, socket_errmsg=e.strerror)
         except socket.error as e:
             if e.errno == errno.ECONNABORTED:
                 raise_(
@@ -108,7 +127,7 @@ def recv(self, max_bytes):
             elif (e.errno == errno.ECONNRESET) or (e.errno == errno.ENETRESET) or (e.errno == errno.ETIMEDOUT):
                 raise_(exception.BoofuzzTargetConnectionReset(), None, sys.exc_info()[2])
             elif e.errno == errno.EWOULDBLOCK:  # timeout condition if using SO_RCVTIMEO or SO_SNDTIMEO
-                data = b""
+                raise exception.BoofuzzTargetTimeout(socket_errno=e.errno, socket_errmsg=e.strerror)
             else:
                 raise
 

boofuzz/constants.py

@@ -28,6 +28,7 @@
 )
 
 ERR_CONN_RESET = "Target connection reset."
+ERR_CONN_SHUTDOWN = "Connection shutdown by target."
 
 ERR_CONN_RESET_FAIL = "Target connection reset -- considered a failure case when triggered from post_send"
 

boofuzz/exception.py

@@ -34,6 +34,20 @@ class BoofuzzTargetConnectionReset(BoofuzzError):
     pass
 
 
+class BoofuzzTargetConnectionShutdown(BoofuzzError):
+    pass
+
+
+@attr.s
+class BoofuzzTargetTimeout(BoofuzzError):
+    """
+    Raised on `socket.timeout`.
+    """
+
+    socket_errno = attr.ib()
+    socket_errmsg = attr.ib()
+
+
 @attr.s
 class BoofuzzTargetConnectionAborted(BoofuzzError):
     """

boofuzz/helpers.py

@@ -29,6 +29,10 @@
 COLOR_PAIR_MAGENTA = 6
 COLOR_PAIR_BLACK = 7
 
+sigmap = dict(
+    (k, v) for v, k in reversed(sorted(signal.__dict__.items())) if v.startswith("SIG") and not v.startswith("SIG_")
+)
+
 test_step_info = {
     "test_case": {
         "indent": 0,
@@ -476,3 +480,25 @@ def parse_test_case_name(test_case):
         mutations = match.group(1)
         mutations = re.split(r",\s*", mutations)
         return path, mutations
+
+
+def _reset_shm_map(shm_map):
+    """Reset shared memory map (used with AFL fork server)."""
+    for i in range(0, len(shm_map)):
+        shm_map[i] = 0
+
+
+def crash_reason(exit_status):
+    """Get human readable crash reason from exit status."""
+    reason = "Process died for unknown reason"
+    if exit_status is not None:
+        if os.WCOREDUMP(exit_status):
+            reason = "Segmentation fault"
+        elif os.WIFSTOPPED(exit_status):
+            reason = "Stopped with signal " + str(os.WTERMSIG(exit_status))
+        elif os.WIFSIGNALED(exit_status):
+            sig = os.WTERMSIG(exit_status)
+            reason = "Terminated with signal {0} {1}".format(str(sig), sigmap[sig])
+        elif os.WIFEXITED(exit_status):
+            reason = "Exit with code - " + str(os.WEXITSTATUS(exit_status))
+    return reason

boofuzz/pgraph/edge.py

@@ -43,7 +43,7 @@ def __init__(self, src, dst):
 
         # the unique id for any edge (provided that duplicates are not allowed) is the combination of the source and
         # the destination stored as a long long.
-        self.id = (src << 32) + dst
+        self.id = str(src) + "->" + str(dst)
         self.src = src
         self.dst = dst