/SIOCTLBF

Super IOCTL Basic Fuzzer

Primary LanguageCGNU General Public License v2.0GPL-2.0

SIOCTLBF

Super IOCTL Basic Fuzzer

This is an extended and rewritten version (32 & 64 bits) of the IOCTL fuzzer by koutto. Fundamentally all the test cases and the fuzzer engine was altered to match my needs of performance and resilience, e.g., the fuzzer can report the last operation before a kernel panic (a.k.a Blue Screen of Death).

A tiny UDP client was written to stream all fuzzer output before dispatching the IOCLT. Among other changes, it has a timed and guided test case tunning, including output analysis; which can detect some kind of leaking from kernel side :P. This fuzzer helped me into CVE2018-8060 and CVE2018-8061 \o/, use it with kindness!

Since v.1.8 a private entity convinced me to add particular functionalities in a private release. These functionalities will remain out of public releases unless prior contact is made with me.

   ____                   ________  _____________     ___  ___
  / ____ _____ ___ ____  /  _/ __ \/ ___/_  __/ /    / _ )/ _/
 _\ \/ // / _ / -_/ __/ _/ // /_/ / /__  / / / /__  / _  / _/
/___/\_,_/ .__\__/_/   /___/\____/\___/ /_/ /____/ /____/_/
        /_/
                                                            v1.8 public

[*] Usage:
  Sioctlbf.exe -d <deviceName> -i <code>/-r <code>-<code> [-b] [-c <remote:port>] [-e] [-f] [-h <file>] [-l <rate>] [-n] [-p] [-q <mode>] [-s <stage>] [-t <time>] [-u] [-v]

[*] Options:
    -------
    -b  Ignore most errors and buffer checking and continue anyway.
    -c  Stream (UDP) to remote:port the stdout during fuzzing.
    -d  Symbolic device name (without \\.\).
    -e  Display error codes during IOCTL scanning.
         -> Except: NOT_SUPPORTED
                    ACCESS_DENIED
                    INVALID_FUNCTION
    -f  Filter IOCTLs always successful independently of buffer length
    -i  IOCTL code used as reference for scanning.
    -l  Rate of out-messages to suppress after Step 1. Ex: 100 means only 1/100 msgs will be printed.
    -n  Don't use NULL pointer or buffers.
    -p  Pause and hexdump if out buffer was wrote.
    -q  Quiet level: 1 - don't display hexdumps when fuzzing
                     2 - don't display any extra info
                     3 - display *only* critical/error info
    -r  IOCTL codes range (format: 00004000-00008000) to fuzz.
    -s  Only execute given stage: 1 - trivial buffer data and overflows
                                  2 - predetermined buffer data
                                  3 - random buffer data
    -t  Max time in minutes for fuzzing.
    -v  Use valid buffers address when testing buffer length


[*] Examples:
    --------
    Scanning by Function code + Transfer type bruteforce from given valid IOCTL:
     > Sioctlbf.exe -d deviceName -i 00004000

    Scanning a given IOCTL codes range (filter enabled):
     > Sioctlbf.exe -d deviceName -r 00004000-00004fff -f

    Fuzzing only a given IOCTL (quiet mode):
     > Sioctlbf.exe -d deviceName -i 00004000  -q 1

    Fuzzing only a given IOCTL (stage 3 only):
     > Sioctlbf.exe -d deviceName -i 00004000 -s 3