4 versions

| Version | Date |
|---|---|
| 0.1.3 | 2022-12-26 |
| 0.1.2 | 2022-07-14 |
| 0.1.1 | 2022-07-05 |
| 0.1.0 | 2022-05-16 |

#1249 in Command-line utilities
925 downloads per month
25KB
294 lines of code
# Flipperbit

Flipperbit generates multiple corrupted versions of an input file by randomly flipping bits within selected byte ranges. Flipperbit allows you to specify several byte ranges and the probability of flipping each bit. The output of `flipperbit` can be fed to software (e.g., batch file-processing applications, file-parsing utilities) as a simple form of fuzzing.
## Installation

Install flipperbit with cargo:

```sh
cargo install flipperbit
```

## Build

Clone the repository and build flipperbit with:

```sh
git clone https://github.com/0xor0ne/flipperbit && cd flipperbit
cargo build --release
```

The built `flipperbit` executable is located at `./target/release/flipperbit`.
## Usage

This is the help message of `flipperbit`:

```
>>> ./target/release/flipperbit -h
flipperbit 0.1.0
0xor0ne
Corrupted files generator. Random bits flipper.
USAGE:
flipperbit [OPTIONS] --infile <INFILE> --outdir <OUTDIR>
OPTIONS:
--fprob <FPROB> Probability of flipping a bit [default: 0.2]
-h, --help Print help information
--infile <INFILE> Original file
--nflips <NFLIPS> Probability of flipping a bit [default: 1]
--outdir <OUTDIR> Output directory where the corrupted files will be saved
--range <RANGES> Bytes range to corrupt. E.g., '4,30', '4,' or ',30'
-V, --version Print version information
```
- `--infile`: (required) path to the original file, whose content is randomly corrupted for each generated output file.
- `--outdir`: (required) output directory where the corrupted files generated by `flipperbit` are saved.
- `--nflips`: (optional) number of corrupted file variants to generate. By default only 1 output file is generated.
- `--fprob`: (optional) probability of flipping a single bit. Defaults to 0.2.
- `--range`: byte range to corrupt (bytes are counted from 0). Every bit in the range is flipped with probability `--fprob`. This option can be specified multiple times to define different byte ranges. A range is given as two comma-separated integers (e.g., "4,63"). The first value must be less than or equal to the second. `flipperbit` corrupts the bytes starting at the first value up to and including the second. If the first value is omitted (e.g., ",63"), `flipperbit` assumes 0. If the second value is omitted (e.g., "4,"), `flipperbit` assumes the input file size minus 1.

Note: the files generated by `flipperbit` and saved in `--outdir` are named `<idx>_<input_file_name>`, where `idx` runs from 0 to `--nflips` - 1. Files with the same names already present in `--outdir` are overwritten.
## Examples

### ELF file corruption

The following example (assuming Linux) shows how to generate 10000 corrupted versions of /bin/ls (an ELF file). The 10000 corrupted ELF files are saved to /tmp/elf_ls_corrupted. This particular example generates ELF files with a corrupted header: the specified byte range skips the first 24 bytes to avoid corrupting the header fields `e_ident`, `e_type`, `e_machine` and `e_version` (bytes 24 to 63 are the remainder of the 64-byte ELF64 header).

```sh
flipperbit --infile /bin/ls \
--outdir /tmp/elf_ls_corrupted \
--range "24,63" \
--fprob 0.05 \
--nflips 10000
```
The output of the `file` command run on the generated ELFs shows that they are indeed corrupted:

```
>>> file /tmp/elf_ls_corrupted/*
...
/tmp/elf_ls_corrupted/1004_ls: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), corrupted program header size, corrupted section header size
/tmp/elf_ls_corrupted/1005_ls: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), corrupted program header size, missing section headers at 72057594039114192
/tmp/elf_ls_corrupted/1006_ls: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), too many program (8207)
/tmp/elf_ls_corrupted/1007_ls: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), can't read elf program headers at 3298535161936, missing section headers at 19140302778533328
/tmp/elf_ls_corrupted/1008_ls: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), corrupted program header size, corrupted section header size
/tmp/elf_ls_corrupted/1009_ls: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), can't read elf program headers at 81065892804296768, corrupted section header size
/tmp/elf_ls_corrupted/100_ls: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), corrupted program header size, corrupted section header size
/tmp/elf_ls_corrupted/1010_ls: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), corrupted program header size, missing section headers at 15764797720238800
/tmp/elf_ls_corrupted/1011_ls: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), too many program (16429)
...
```
In the second example we corrupt only bytes 18 and 19, which correspond to the `e_machine` field of the ELF header:

```sh
flipperbit --infile /bin/ls \
--outdir /tmp/elf_ls_corrupted \
--range "18,19" \
--fprob 0.3 \
--nflips 10000
```
For each generated output file, the `file` command reports a different random value for the "ELF architecture":

```
>>> file /tmp/elf_ls_corrupted/*
...
/tmp/elf_ls_corrupted/1001_ls: ELF 64-bit LSB pie executable, *unknown arch 0xffff8e36* version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=6193e7eab54665ca319fbbf164b4e40abdab62bc, for GNU/Linux 4.4.0, stripped
/tmp/elf_ls_corrupted/1002_ls: ELF 64-bit LSB pie executable, *unknown arch 0x5033* version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=6193e7eab54665ca319fbbf164b4e40abdab62bc, for GNU/Linux 4.4.0, stripped
/tmp/elf_ls_corrupted/1003_ls: ELF 64-bit LSB pie executable, *unknown arch 0x401a* version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=6193e7eab54665ca319fbbf164b4e40abdab62bc, for GNU/Linux 4.4.0, stripped
/tmp/elf_ls_corrupted/1004_ls: ELF 64-bit LSB pie executable, *unknown arch 0x4c2a* version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=6193e7eab54665ca319fbbf164b4e40abdab62bc, for GNU/Linux 4.4.0, stripped
/tmp/elf_ls_corrupted/1005_ls: ELF 64-bit LSB pie executable, *unknown arch 0x409a* version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=6193e7eab54665ca319fbbf164b4e40abdab62bc, for GNU/Linux 4.4.0, stripped
/tmp/elf_ls_corrupted/1006_ls: ELF 64-bit LSB pie executable, *unknown arch 0xffff8c5c* version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=6193e7eab54665ca319fbbf164b4e40abdab62bc, for GNU/Linux 4.4.0, stripped
/tmp/elf_ls_corrupted/1007_ls: ELF 64-bit LSB pie executable, *unknown arch 0xcd* version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=6193e7eab54665ca319fbbf164b4e40abdab62bc, for GNU/Linux 4.4.0, stripped
/tmp/elf_ls_corrupted/1008_ls: ELF 64-bit LSB pie executable, *unknown arch 0x863* version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=6193e7eab54665ca319fbbf164b4e40abdab62bc, for GNU/Linux 4.4.0, stripped
/tmp/elf_ls_corrupted/1009_ls: ELF 64-bit LSB pie executable, *unknown arch 0x226e* version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=6193e7eab54665ca319fbbf164b4e40abdab62bc, for GNU/Linux 4.4.0, stripped
/tmp/elf_ls_corrupted/100_ls: ELF 64-bit LSB pie executable, *unknown arch 0x293e* version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=6193e7eab54665ca319fbbf164b4e40abdab62bc, for GNU/Linux 4.4.0, stripped
/tmp/elf_ls_corrupted/1010_ls: ELF 64-bit LSB pie executable, *unknown arch 0x5ab6* version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=6193e7eab54665ca319fbbf164b4e40abdab62bc, for GNU/Linux 4.4.0, stripped
/tmp/elf_ls_corrupted/1011_ls: ELF 64-bit LSB pie executable, *unknown arch 0x1225* version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=6193e7eab54665ca319fbbf164b4e40abdab62bc, for GNU/Linux 4.4.0, stripped
/tmp/elf_ls_corrupted/1012_ls: ELF 64-bit LSB pie executable, *unknown arch 0xffffb076* version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=6193e7eab54665ca319fbbf164b4e40abdab62bc, for GNU/Linux 4.4.0, stripped
...
```
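To make the `--range` / `--fprob` / `--nflips` semantics from the Usage section and the `e_machine` example above concrete, here is an added example written for this page; it is not flipperbit's own source. It re-implements in Rust the three range forms (`4,30`, `4,`, `,30`, with the inclusive end and the defaults described above), per-bit flipping with probability `fprob`, and the `<idx>_<input_file_name>` naming rule, then applies range `18,19` to a 64-byte ELF64 header that is constructed inline rather than read from `/bin/ls`. A small xorshift PRNG stands in for the `rand` crate so the block runs offline and reproducibly; every name in it (`ByteRange`, `parse_range`, `XorShift64`, `corrupt`, `generate`, `sample_elf64_header`, `e_machine`) is this example's own assumption, not flipperbit's API.

```rust
// Added example for this page, not flipperbit's own source: the --range / --fprob /
// --nflips semantics from the README re-implemented on an in-memory buffer.

/// A byte range [start, end], both ends inclusive, as --range describes it.
#[derive(Debug, Clone, Copy, PartialEq)]
pub struct ByteRange {
    pub start: usize,
    pub end: usize,
}

/// Parse "4,30", "4," or ",30" for a file of `file_len` bytes. A missing first
/// value means 0; a missing second value means file_len - 1.
pub fn parse_range(spec: &str, file_len: usize) -> Result<ByteRange, String> {
    let last = file_len.checked_sub(1).ok_or("input file is empty")?;
    let (a, b) = spec
        .split_once(',')
        .ok_or_else(|| format!("range '{}' must contain a comma", spec))?;
    let field = |s: &str, default: usize| match s.trim() {
        "" => Ok(default),
        v => v.parse::<usize>().map_err(|e| format!("bad value '{}': {}", v, e)),
    };
    let start = field(a, 0)?;
    let end = field(b, last)?;
    if start > end || end > last {
        return Err(format!("invalid range {}..={} for a {}-byte file", start, end, file_len));
    }
    Ok(ByteRange { start, end })
}

/// Small xorshift64* generator: deterministic and dependency-free, so runs are
/// reproducible. Not a source of cryptographic randomness.
pub struct XorShift64(u64);

impl XorShift64 {
    pub fn new(seed: u64) -> Self { XorShift64(seed.max(1)) } // state must never be zero
    fn next_u64(&mut self) -> u64 {
        let mut x = self.0;
        x ^= x >> 12; x ^= x << 25; x ^= x >> 27;
        self.0 = x;
        x.wrapping_mul(0x2545_F491_4F6C_DD1D)
    }
    fn next_f64(&mut self) -> f64 {
        (self.next_u64() >> 11) as f64 / (1u64 << 53) as f64 // uniform in [0, 1)
    }
}

/// Corrupted copy of `input`: every bit inside a range is flipped independently with
/// probability `fprob`; bytes outside all ranges stay untouched. Ranges must come
/// from `parse_range`, which guarantees they are within bounds.
pub fn corrupt(input: &[u8], ranges: &[ByteRange], fprob: f64, rng: &mut XorShift64) -> Vec<u8> {
    let mut out = input.to_vec();
    for r in ranges {
        for byte in &mut out[r.start..=r.end] {
            for bit in 0..8 {
                if rng.next_f64() < fprob {
                    *byte ^= 1u8 << bit;
                }
            }
        }
    }
    out
}

/// Produce `nflips` variants named `<idx>_<input_file_name>` (idx from 0 to nflips - 1).
pub fn generate(input: &[u8], input_name: &str, ranges: &[ByteRange], fprob: f64,
                nflips: usize, seed: u64) -> Vec<(String, Vec<u8>)> {
    let mut rng = XorShift64::new(seed);
    (0..nflips)
        .map(|i| (format!("{}_{}", i, input_name), corrupt(input, ranges, fprob, &mut rng)))
        .collect()
}

/// Constructed 64-byte ELF64 header (little-endian x86-64, ET_DYN), built here rather
/// than read from any real binary. e_type is bytes 16..18, e_machine 18..20, e_version 20..24.
pub fn sample_elf64_header() -> Vec<u8> {
    let mut h = vec![0u8; 64];
    h[0..4].copy_from_slice(b"\x7fELF");
    h[4..7].copy_from_slice(&[2, 1, 1]); // EI_CLASS=ELFCLASS64, EI_DATA=LE, EI_VERSION=1
    h[16..18].copy_from_slice(&3u16.to_le_bytes()); // e_type = ET_DYN
    h[18..20].copy_from_slice(&62u16.to_le_bytes()); // e_machine = EM_X86_64
    h[20..24].copy_from_slice(&1u32.to_le_bytes()); // e_version = EV_CURRENT
    h
}

/// e_machine as `file` reports it: bytes 18 and 19, little-endian.
pub fn e_machine(header: &[u8]) -> u16 {
    u16::from_le_bytes([header[18], header[19]])
}

fn main() {
    // Same shape as: flipperbit --infile ls --range "18,19" --fprob 0.3 --nflips 4
    let elf = sample_elf64_header();
    let range = parse_range("18,19", elf.len()).expect("valid range");
    for (name, bytes) in generate(&elf, "ls", &[range], 0.3, 4, 42) {
        println!("{}: e_machine = {:#06x}", name, e_machine(&bytes));
    }
}
```

Running it prints four `<idx>_ls` names with random `e_machine` values while the other 62 bytes stay intact, which is why `file` above still recognises each output as an ELF64 object but reports an unknown architecture. The bounds check in `parse_range` is what lets `corrupt` slice without panicking; a fuzzer that accepted an out-of-range `--range` silently would crash on its own input instead of on the target's.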
### PCAP file corruption

This example shows how to use `flipperbit` to generate corrupted `pcap` files. In this case the range "20,20" is used, meaning that only byte 20 of the input file is randomly corrupted. In a `pcap` file, byte 20 is the least significant byte of the data link type field.

```sh
wget https://www.malware-traffic-analysis.net/2022/05/10/2022-05-10-Contact-Forms-IcedID-infection-with-Cobalt-Strike.pcap.zip
unzip -Pinfected 2022-05-10-Contact-Forms-IcedID-infection-with-Cobalt-Strike.pcap.zip
flipperbit --infile 2022-05-10-Contact-Forms-IcedID-infection-with-Cobalt-Strike.pcap \
--outdir /tmp/pcap_corrupted \
--range "20,20" \
--fprob 0.5 \
--nflips 256
```
The output of `tcpdump` shows that the data link type has indeed been randomized:

```
>>> find /tmp/pcap_corrupted -type f -exec tcpdump -nn -c1 -r {} \;
...
reading from file /tmp/pcap_corrupted/112_2022-05-10-Contact-Forms-IcedID-infection-with-Cobalt-Strike.pcap, link-type ARCNET_LINUX (Linux ARCNET), snapshot length 65535
reading from file /tmp/pcap_corrupted/111_2022-05-10-Contact-Forms-IcedID-infection-with-Cobalt-Strike.pcap, link-type NULL (BSD loopback), snapshot length 65535
reading from file /tmp/pcap_corrupted/110_2022-05-10-Contact-Forms-IcedID-infection-with-Cobalt-Strike.pcap, link-type 5, snapshot length 65535
tcpdump: unknown data link type 5
reading from file /tmp/pcap_corrupted/109_2022-05-10-Contact-Forms-IcedID-infection-with-Cobalt-Strike.pcap, link-type ARCNET_LINUX (Linux ARCNET), snapshot length 65535
reading from file /tmp/pcap_corrupted/108_2022-05-10-Contact-Forms-IcedID-infection-with-Cobalt-Strike.pcap, link-type EN10MB (Ethernet), snapshot length 65535
reading from file /tmp/pcap_corrupted/107_2022-05-10-Contact-Forms-IcedID-infection-with-Cobalt-Strike.pcap, link-type 5, snapshot length 65535
...
```
## TODO

- Improve performance by creating the output files asynchronously.

## Dependencies

~3.5MB
~68K SLoC