Repository: schumilo/vUSBf
Branch: master
Commit: bc1fb14551bb
Files: 119
Total size: 1.1 MB
Directory structure:
gitextract_rkudgb21/
├── .gitignore
├── COPYING.md
├── README.md
├── changelog
├── clustering/
│ ├── __init__.py
│ ├── network_task_distributor.py
│ ├── network_task_requester.py
│ └── protocol.py
├── config.py
├── configurations/
│ ├── centos6.config
│ ├── debian7.config
│ ├── debian7_2.config
│ ├── debian7_3.config
│ ├── freebsd10_1.config
│ ├── ubuntu1404.config
│ └── ubuntu1404_updated.config
├── descFuzzer.py
├── dev_desc/
│ ├── desc.txt
│ ├── desc1.txt
│ ├── desc10.txt
│ ├── desc2.txt
│ ├── desc3.txt
│ ├── desc3.txt_tmp
│ ├── desc4.txt
│ ├── desc5.txt
│ ├── desc6.txt
│ └── desc9.txt
├── emulator/
│ ├── __init__.py
│ ├── emulator.py
│ ├── enumeration.py
│ ├── enumeration_abortion.py
│ └── hid.py
├── fileParser.py
├── fuzzer.py
├── help.txt
├── log/
│ ├── deadlock_check.sh
│ ├── freebsd_monitor.sh
│ └── linux_monitor.sh
├── monitor/
│ ├── __init__.py
│ ├── freebsd_monitor.py
│ ├── linux_monitor.py
│ └── monitor.py
├── payload/
│ ├── i2400m_usb_bug.info
│ ├── i2400m_usb_bug.obj
│ ├── keyspan_null_ptr.info
│ ├── keyspan_null_ptr.obj
│ ├── mal_payload.obj
│ ├── mal_payload2.obj
│ ├── old_payload/
│ │ ├── i2400m_usb_bug.info
│ │ ├── i2400m_usb_bug.obj
│ │ ├── keyspan_null_ptr.info
│ │ ├── keyspan_null_ptr.obj
│ │ ├── mal_payload.obj
│ │ ├── panic_1.info
│ │ ├── panic_1.obj
│ │ ├── panic_2.info
│ │ ├── panic_2.obj
│ │ ├── panic_3.obj
│ │ ├── smsusb_null_ptr.info
│ │ ├── smsusb_null_ptr.obj
│ │ ├── udlfb.info
│ │ ├── udlfb.obj
│ │ ├── usbserial_bug.info
│ │ ├── usbserial_bug.obj
│ │ ├── usbserial_null_ptr.info
│ │ ├── usbserial_null_ptr.obj
│ │ └── windows_bod.obj
│ ├── panic_1.info
│ ├── panic_1.obj
│ ├── panic_2.info
│ ├── panic_2.obj
│ ├── panic_3.obj
│ ├── smsusb_null_ptr.info
│ ├── smsusb_null_ptr.obj
│ ├── tests/
│ │ ├── test.obj
│ │ ├── test2.obj
│ │ └── test3.obj
│ ├── udlfb.info
│ ├── udlfb.obj
│ ├── usbserial_bug.info
│ ├── usbserial_bug.obj
│ ├── usbserial_null_ptr.info
│ ├── usbserial_null_ptr.obj
│ ├── windows_bos.obj
│ └── windows_bos2.obj
├── process/
│ ├── __init__.py
│ ├── client_process.py
│ ├── distributor_process.py
│ ├── execute_object.py
│ ├── multi_process.py
│ ├── only_payload.py
│ ├── print_performance_process.py
│ └── process.py
├── qemu-2.1.1.patch
├── qemu.py
├── report_desc_reader.py
├── test_generation/
│ ├── Sequence.py
│ ├── Testcase.py
│ ├── TestcaseLoader.py
│ ├── XMLParser.py
│ ├── __init__.py
│ ├── execution.xml
│ ├── location.conf
│ ├── test.xml
│ └── testcase.xml
├── tools/
│ ├── __init__.py
│ ├── extract_class_ids.py
│ ├── extract_vp_ids.py
│ ├── gen_reproduce_key.py
│ ├── output_information.txt
│ └── port_old_payload.py
├── usbEmulator.py
├── usb_ids/
│ ├── class.ids
│ ├── usb.ids
│ ├── vendor_product.ids
│ └── vendor_product_backup.ids
├── usbparser.py
├── usbscapy.py
└── vusbf.py
================================================
FILE CONTENTS
================================================
================================================
FILE: .gitignore
================================================
*.pyc
================================================
FILE: COPYING.md
================================================
The GNU General Public License, Version 2, June 1991 (GPLv2)
============================================================
> Copyright (C) 1989, 1991 Free Software Foundation, Inc.
> 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
Everyone is permitted to copy and distribute verbatim copies of this license
document, but changing it is not allowed.
Preamble
--------
The licenses for most software are designed to take away your freedom to share
and change it. By contrast, the GNU General Public License is intended to
guarantee your freedom to share and change free software--to make sure the
software is free for all its users. This General Public License applies to most
of the Free Software Foundation's software and to any other program whose
authors commit to using it. (Some other Free Software Foundation software is
covered by the GNU Library General Public License instead.) You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not price. Our
General Public Licenses are designed to make sure that you have the freedom to
distribute copies of free software (and charge for this service if you wish),
that you receive source code or can get it if you want it, that you can change
the software or use pieces of it in new free programs; and that you know you can
do these things.
To protect your rights, we need to make restrictions that forbid anyone to deny
you these rights or to ask you to surrender the rights. These restrictions
translate to certain responsibilities for you if you distribute copies of the
software, or if you modify it.
For example, if you distribute copies of such a program, whether gratis or for a
fee, you must give the recipients all the rights that you have. You must make
sure that they, too, receive or can get the source code. And you must show them
these terms so they know their rights.
We protect your rights with two steps: (1) copyright the software, and (2) offer
you this license which gives you legal permission to copy, distribute and/or
modify the software.
Also, for each author's protection and ours, we want to make certain that
everyone understands that there is no warranty for this free software. If the
software is modified by someone else and passed on, we want its recipients to
know that what they have is not the original, so that any problems introduced by
others will not reflect on the original authors' reputations.
Finally, any free program is threatened constantly by software patents. We wish
to avoid the danger that redistributors of a free program will individually
obtain patent licenses, in effect making the program proprietary. To prevent
this, we have made it clear that any patent must be licensed for everyone's free
use or not licensed at all.
The precise terms and conditions for copying, distribution and modification
follow.
Terms And Conditions For Copying, Distribution And Modification
---------------------------------------------------------------
**0.** This License applies to any program or other work which contains a notice
placed by the copyright holder saying it may be distributed under the terms of
this General Public License. The "Program", below, refers to any such program or
work, and a "work based on the Program" means either the Program or any
derivative work under copyright law: that is to say, a work containing the
Program or a portion of it, either verbatim or with modifications and/or
translated into another language. (Hereinafter, translation is included without
limitation in the term "modification".) Each licensee is addressed as "you".
Activities other than copying, distribution and modification are not covered by
this License; they are outside its scope. The act of running the Program is not
restricted, and the output from the Program is covered only if its contents
constitute a work based on the Program (independent of having been made by
running the Program). Whether that is true depends on what the Program does.
**1.** You may copy and distribute verbatim copies of the Program's source code
as you receive it, in any medium, provided that you conspicuously and
appropriately publish on each copy an appropriate copyright notice and
disclaimer of warranty; keep intact all the notices that refer to this License
and to the absence of any warranty; and give any other recipients of the Program
a copy of this License along with the Program.
You may charge a fee for the physical act of transferring a copy, and you may at
your option offer warranty protection in exchange for a fee.
**2.** You may modify your copy or copies of the Program or any portion of it,
thus forming a work based on the Program, and copy and distribute such
modifications or work under the terms of Section 1 above, provided that you also
meet all of these conditions:
* **a)** You must cause the modified files to carry prominent notices stating
that you changed the files and the date of any change.
* **b)** You must cause any work that you distribute or publish, that in whole
or in part contains or is derived from the Program or any part thereof, to
be licensed as a whole at no charge to all third parties under the terms of
this License.
* **c)** If the modified program normally reads commands interactively when
run, you must cause it, when started running for such interactive use in the
most ordinary way, to print or display an announcement including an
appropriate copyright notice and a notice that there is no warranty (or
else, saying that you provide a warranty) and that users may redistribute
the program under these conditions, and telling the user how to view a copy
of this License. (Exception: if the Program itself is interactive but does
not normally print such an announcement, your work based on the Program is
not required to print an announcement.)
These requirements apply to the modified work as a whole. If identifiable
sections of that work are not derived from the Program, and can be reasonably
considered independent and separate works in themselves, then this License, and
its terms, do not apply to those sections when you distribute them as separate
works. But when you distribute the same sections as part of a whole which is a
work based on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the entire whole,
and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest your
rights to work written entirely by you; rather, the intent is to exercise the
right to control the distribution of derivative or collective works based on the
Program.
In addition, mere aggregation of another work not based on the Program with the
Program (or with a work based on the Program) on a volume of a storage or
distribution medium does not bring the other work under the scope of this
License.
**3.** You may copy and distribute the Program (or a work based on it, under
Section 2) in object code or executable form under the terms of Sections 1 and 2
above provided that you also do one of the following:
* **a)** Accompany it with the complete corresponding machine-readable source
code, which must be distributed under the terms of Sections 1 and 2 above on
a medium customarily used for software interchange; or,
* **b)** Accompany it with a written offer, valid for at least three years, to
give any third party, for a charge no more than your cost of physically
performing source distribution, a complete machine-readable copy of the
corresponding source code, to be distributed under the terms of Sections 1
and 2 above on a medium customarily used for software interchange; or,
* **c)** Accompany it with the information you received as to the offer to
distribute corresponding source code. (This alternative is allowed only for
noncommercial distribution and only if you received the program in object
code or executable form with such an offer, in accord with Subsection b
above.)
The source code for a work means the preferred form of the work for making
modifications to it. For an executable work, complete source code means all the
source code for all modules it contains, plus any associated interface
definition files, plus the scripts used to control compilation and installation
of the executable. However, as a special exception, the source code distributed
need not include anything that is normally distributed (in either source or
binary form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component itself
accompanies the executable.
If distribution of executable or object code is made by offering access to copy
from a designated place, then offering equivalent access to copy the source code
from the same place counts as distribution of the source code, even though third
parties are not compelled to copy the source along with the object code.
**4.** You may not copy, modify, sublicense, or distribute the Program except as
expressly provided under this License. Any attempt otherwise to copy, modify,
sublicense or distribute the Program is void, and will automatically terminate
your rights under this License. However, parties who have received copies, or
rights, from you under this License will not have their licenses terminated so
long as such parties remain in full compliance.
**5.** You are not required to accept this License, since you have not signed
it. However, nothing else grants you permission to modify or distribute the
Program or its derivative works. These actions are prohibited by law if you do
not accept this License. Therefore, by modifying or distributing the Program (or
any work based on the Program), you indicate your acceptance of this License to
do so, and all its terms and conditions for copying, distributing or modifying
the Program or works based on it.
**6.** Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the original
licensor to copy, distribute or modify the Program subject to these terms and
conditions. You may not impose any further restrictions on the recipients'
exercise of the rights granted herein. You are not responsible for enforcing
compliance by third parties to this License.
**7.** If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues), conditions
are imposed on you (whether by court order, agreement or otherwise) that
contradict the conditions of this License, they do not excuse you from the
conditions of this License. If you cannot distribute so as to satisfy
simultaneously your obligations under this License and any other pertinent
obligations, then as a consequence you may not distribute the Program at all.
For example, if a patent license would not permit royalty-free redistribution of
the Program by all those who receive copies directly or indirectly through you,
then the only way you could satisfy both it and this License would be to refrain
entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under any
particular circumstance, the balance of the section is intended to apply and the
section as a whole is intended to apply in other circumstances.
It is not the purpose of this section to induce you to infringe any patents or
other property right claims or to contest validity of any such claims; this
section has the sole purpose of protecting the integrity of the free software
distribution system, which is implemented by public license practices. Many
people have made generous contributions to the wide range of software
distributed through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing to
distribute software through any other system and a licensee cannot impose that
choice.
This section is intended to make thoroughly clear what is believed to be a
consequence of the rest of this License.
**8.** If the distribution and/or use of the Program is restricted in certain
countries either by patents or by copyrighted interfaces, the original copyright
holder who places the Program under this License may add an explicit
geographical distribution limitation excluding those countries, so that
distribution is permitted only in or among countries not thus excluded. In such
case, this License incorporates the limitation as if written in the body of this
License.
**9.** The Free Software Foundation may publish revised and/or new versions of
the General Public License from time to time. Such new versions will be similar
in spirit to the present version, but may differ in detail to address new
problems or concerns.
Each version is given a distinguishing version number. If the Program specifies
a version number of this License which applies to it and "any later version",
you have the option of following the terms and conditions either of that version
or of any later version published by the Free Software Foundation. If the
Program does not specify a version number of this License, you may choose any
version ever published by the Free Software Foundation.
**10.** If you wish to incorporate parts of the Program into other free programs
whose distribution conditions are different, write to the author to ask for
permission. For software which is copyrighted by the Free Software Foundation,
write to the Free Software Foundation; we sometimes make exceptions for this.
Our decision will be guided by the two goals of preserving the free status of
all derivatives of our free software and of promoting the sharing and reuse of
software generally.
No Warranty
-----------
**11.** BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR
THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE
STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM
"AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING,
BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE
PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
**12.** IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE
THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR
INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA
BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A
FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER
OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
================================================
FILE: README.md
================================================
vusbf-Framework
===========
_ __ __ __ _______ ____
_ __(_)____/ /___ ______ _/ / / / / / ___// __ )
| | / / / ___/ __/ / / / __ `/ / / / / /\__ \/ __ |
| |/ / / / / /_/ /_/ / /_/ / / / /_/ /___/ / /_/ /
|_______/ \__/\__,_/\__,_/_/ \____//____/_____/
/ __/_ __________ ___ _____
/ /_/ / / /_ /_ / / _ \/ ___/
/ __/ /_/ / / /_/ /_/ __/ /
/_/ \__,_/ /___/___/\___/_/
A KVM/QEMU based USB-fuzzing framework.
Sergej Schumilo, OpenSource Security Spenneberg 2015
Version: 0.2
GENERAL
===========
A USB-fuzzer which takes advantage of massive usage of virtual machines and also offers high reproducibility.
This framework was initially released at Black Hat Europe 2014.
https://www.blackhat.com/docs/eu-14/materials/eu-14-Schumilo-Dont-Trust-Your-USB-How-To-Find-Bugs-In-USB-Device-Drivers-wp.pdf
This software is under heavy development. Get a copy of the current version on GitHub:
www.github.com/schumilo
This software is licensed under GPLv2.
This framework provides:
- USB-fuzzing in practical time frames
- multiprocessing and clustering
- export sequences of payloads and replay them for debugging or investigation
- XML-based dynamic testcase generating
- expandable by writing new testcases, USB-emulators or monitoring-modules
vUSBf was written in python2 and requires the Scapy-framework.
PREPARATIONS
==========
First of all, we have to build a compatible version of QEMU. Get the newest version of QEMU and usbredir:
QEMU: http://www.qemu.org
usbredir: https://github.com/SPICE/usbredir
Be sure that you compile QEMU with the option "usb_redir" and that you also patch the file /hw/usb/redirection.c.
If you're using the QEMU version 2.1.1, you can apply our patch (qemu-2.1.1.patch).
QEMU 2.2.x is currently unsupported by vUSBf!
vUSBf requires some prepared QCOW2-images for fuzzing!
First, you have to create a QCOW2-image for your virtual machine. You can do this by using the following command:
qemu-img create -f qcow2 vm.qcow2 10G
Install your preferred operating system on that image. You have to configure a TTY which is available at the (virtual) serial port.
The next step is to create a backing-file (an overlay which contains all of the future delta) and an image which will contain a snapshot of the VM (its size should be larger than the virtual memory you have configured):
qemu-img create -b vm.img -f qcow2 overlay.qcow2
qemu-img create -f qcow2 ram.qcow2 1G
Start your VM with the command shown below, wait until the kernel is loaded, log in and change the verbosity of printk by entering "echo '7' > /proc/sys/kernel/printk".
Now you can take a snapshot by entering the QEMU console (press ctrl+a and c) and typing savevm <name>. Start the VM with the following command:
qemu-system-x86_64 --enable-kvm -m 1024 -hdb ram.qcow2 -hda overlay.qcow2 -serial mon:stdio -device nec-usb-xhci -device usb-redir,chardev=usbchardev,debug=0 -chardev socket,server,id=usbchardev,nowait,host=127.0.0.1,port=1336
Create a customized configuration in the "vusbf/configurations/" folder. You'll find some examples there. Modify the following information:
- location of your QEMU-binary you want to use
- KVM support (write yes or no)
- size of your memory (the unit is MB)
- location of your ram-file
- location of your overlay-file
- location where your overlay duplicates should be stored
- configured USB-host-controller (if you have no idea just write nec-usb-xhci)
- some extra parameters for QEMU (if you need some)
- the name of the snapshot
That's all. Now your VM is ready for some fuzzing.
RUNNING VUSBF
==========
Take a look at help.txt or run vusbf with the parameter -h for help :-)
BUGS
==========
There are some known bugs like the buggy support for Windows systems. We are working on these issues, so be sure you are using the newest version.
Moreover the lack of USB-emulators is another point we are working on.
Furthermore, some inline comments have been written in my native language (German). They will be translated later ;-) and the code will be more documented!
Comrades-in-arms are welcome :-)!
There is a lot of work to do!
CONTACT
==========
Feel free to send us an email:
schumilo@fh-muenster.de
info@os-t.net
================================================
FILE: changelog
================================================
Version 0.2:
- code clean up
- complete rewrite of testcase generation related code (generation works now on the fly, less memory usage)
- add configuration file which includes all "tweakable" variables
- deadlocks during long runtimes fixed
- change payload format (base64 strings)
- add tools for porting old payloads to new payload format
- add pdb interface for certain processes
- optimise performance
- add execute payload without external QEMU process
- add nightly windows support
Version 0.1:
- initial commit
================================================
FILE: clustering/__init__.py
================================================
"""
vUSBf: A KVM/QEMU based USB-fuzzing framework.
Copyright (C) 2015 Sergej Schumilo, OpenSource Security Ralf Spenneberg
This file is part of vUSBf.
See the file LICENSE for copying permission.
"""
__author__ = 'Sergej Schumilo'
================================================
FILE: clustering/network_task_distributor.py
================================================
"""
vUSBf: A KVM/QEMU based USB-fuzzing framework.
Copyright (C) 2015 Sergej Schumilo, OpenSource Security Ralf Spenneberg
This file is part of vUSBf.
See the file LICENSE for copying permission.
"""
__author__ = 'Sergej Schumilo'
from protocol import *
import select
import threading
from threading import Lock
import cPickle
import config
import signal

exit_flag = False
controller = None
timeout = 0


def signal_handler(signal, frame):
    global timeout, controller
    print "SIGHANDLER"
    if controller is not None:
        try:
            controller.stop_sync_callback()
        finally:
            print "Exit..."


class network_task_distributor:
    number_of_finished_tasks = 0

    # print some verbose stuff
    def print_verbose(self, data, verbose_level, verbose):
        if verbose_level >= verbose:
            print data

    # send synchronize request packet
    def synchronize(self):
        #print "REQ"
        # atomic block
        self.connection_lock.acquire()
        data = vusbf_proto_header()
        data.Type = 3
        data.Length = 0
        try:
            self.connection.send(str(data))
        except:
            # print "ERR"
            global exit_flag
            exit_flag = True
        self.connection_lock.release()
        # atomic block end
        self.timer = threading.Timer(self.sync_timeout, self.synchronize)
        self.timer.start()

    # constructor
    def __init__(self, connection, sync_timeout, md5_vm, md5_overlay, sm_num_of_fin_tasks, info_queue, data_queue,
                 verbose_level):
        self.connection = connection
        self.sync_timeout = sync_timeout
        self.md5_vm = md5_vm
        self.md5_overlay = md5_overlay
        self.sm_num_of_fin_tasks = sm_num_of_fin_tasks
        self.info_queue = info_queue
        self.data_queue = data_queue
        self.verbose_level = verbose_level
        self.connection_lock = Lock()
        self.__connect()

    # init connection to client (part of the constructor)
    def __connect(self):
        # recv and response hello packet
        # 8Byte + 4Byte = 12Byte
        raw_data = self.connection.recv(8)
        hello = vusbf_proto_header(raw_data)
        self.print_verbose("recv hello", self.verbose_level, 2)
        if not (hello.Type == 0 and hello.Length == 0):
            raise Exception("Wrong type recv")
        self.connection.send(str(hello))
        self.print_verbose("send hello", self.verbose_level, 2)
        # send check packet and wait for response
        check = vusbf_proto_header()
        check.Type = 5
        # LongField x 2 = 16Byte
        check.Length = 16
        check_layer = vusbf_check_request()
        check_layer.MD5_VM = self.md5_vm
        check_layer.MD5_Overlay = self.md5_overlay
        self.connection.send(str(check) + str(check_layer))
        self.print_verbose("send check", self.verbose_level, 2)
        raw_data = self.connection.recv(8)
        check_response = vusbf_proto_header(raw_data)
        if not (check_response.Type == 6 and check_response.Length != 0):
            raise Exception("Wrong type recv")
        raw_data = self.connection.recv(check_response.Length)
        self.print_verbose("recv check", self.verbose_level, 2)
        if vusbf_check_response(raw_data).Test_passed == 0:
            raise Exception("Test not passed")
        self.print_verbose("connection established", self.verbose_level, 2)

    # wait for incoming data
    def connection_loop(self):
        while True:
            fd = select.select([self.connection], [], [], self.sync_timeout)
            fd = fd[0]
            if fd:
                if exit_flag:
                    return
                if len(fd) > 0:
                    try:
                        # atomic block
                        self.connection_lock.acquire()
                        data = fd[0].recv(8)
                        #print "DATA: "+ str(data)
                        #print len(data)
                        #data.show()
                        if not len(data) == 8:
                            # atomic block end
                            self.connection_lock.release()
                            break
                        header = vusbf_proto_header(data)
                        if config.CLUSTERING_DEBUG_SERVER:
                            header.show()
                        if header.Type is None:
                            # atomic block end
                            self.connection_lock.release()
                            break
                        # end
                        elif header.Type == 7:
                            #print "RECV END"
                            self.connection_lock.release()
                            break
                        # task request
                        elif header.Type == 1:
                            #print "RECV TASK_REQUEST"
                            extra_data = fd[0].recv(header.Length)
                            header.Type = 2
                            # self.connection.send(str(header) + extra_data)
                            response = vusbf_proto_header()
                            response.Type = 2
                            reponse_extra = vusbf_task()
                            reponse_extra.Number_of_tasks = 100
                            response_payload = self.__request_data_from_queue()
                            #response_payload = Raw("fdfdsggfdfgddfdgdddfdfdf")
                            response.Length = len(str(reponse_extra)) + len(str(response_payload))
                            #response.show()
                            self.connection.send(str(response) + str(reponse_extra) + str(response_payload))
                        # sync response
                        elif header.Type == 4:
                            extra_data = self.connection.recv(header.Length)
                            self.__update_sm_value(vusbf_sync(extra_data).Number_of_fin_tasks)
                            #print "RECV SYNC RESPONSE " + str(vusbf_sync(extra_data).Number_of_fin_tasks)
                        # atomic block end
                        self.connection_lock.release()
                    except:
                        print "Oops"
                        #global exit_flag
                        #exit_flag = True
                        break
            else:
                print "NOPE"

    def start_sync_callback(self):
        self.timer = threading.Timer(self.sync_timeout, self.synchronize)
        self.timer.start()

    def stop_sync_callback(self):
        self.timer.cancel()

    # #### process data exchange stuff #####
    def __request_data_from_queue(self):
        self.info_queue.put(-300)
        data = self.data_queue.get()
        #data = self.data_queue
        #print data
        #print "SEND"
        return Raw(cPickle.dumps(data))
        # put request in the info_queue
        # wait for data from data_queue
        # return data object
        pass

    def __return_data_to_queue(self):
        # TODO LATER
        #self.info_queue.put()
        # put request in the info_queue
        # send data to data_queue
        # fin
        pass

    def __update_sm_value(self, value):
        self.sm_num_of_fin_tasks.value = value
        #self.sm_num_of_fin_tasks.value("i", value)
        #print "GOT " + str(value)
        #update sem_value :-)
        pass


# data = fuzzer(100).gen_data(sys.argv[3], sys.argv[4])
# INFO QUEUE: NEGATIVE VALUE -> CORRESPONDS TO THE NUMBER OF PACKETS NEEDED
# WAIT FOR DATA
# RACE CONDITION POSSIBLE... BUT SHOULD NOT CAUSE ANY PROBLEMS
def process(Connection, sync_timeout, md5_vm, md5_overlay, sm_num_of_fin_tasks, info_queue, payload_queue, verbose_level):
    global timeout, controller
    signal.signal(signal.SIGTERM, signal_handler)
    timeout = sync_timeout
    if config.CLUSTERING_DEBUG_SERVER:
        verbose_level = 5
    controller = network_task_distributor(Connection, sync_timeout, md5_vm, md5_overlay, sm_num_of_fin_tasks,
                                          info_queue, payload_queue, verbose_level)
    controller.start_sync_callback()
    controller.connection_loop()
    #time.sleep(100)
    #print "EXXXX"
    controller.stop_sync_callback()

# PROCESS COMMUNICATION:
# Positive worker_id -> data request
# Negative worker_id -> data is handed back (communications error)
# the shared-memory variable is used to reconcile the number of currently finished tasks
# data queue (max_packet x max_num_of_packtes)
#sync_timeout, md5_vm, md5_overlay, verbose_level)
================================================
FILE: clustering/network_task_requester.py
================================================
"""
vUSBf: A KVM/QEMU based USB-fuzzing framework.
Copyright (C) 2015 Sergej Schumilo, OpenSource Security Ralf Spenneberg
This file is part of vUSBf.
See the file LICENSE for copying permission.
"""
__author__ = 'Sergej Schumilo'
from protocol import *
# explicit imports for names that otherwise only arrive through "from protocol import *"
import sys
import socket
import cPickle
import signal
from threading import Lock
import threading
import select
import config

Socket = None
controller = None


# currently not in use :-)
def signal_handler(signal, frame):
    global controller
    if controller is not None:
        controller.kill_listing_thread()
    sys.exit(0)


class network_task_requester():
    cancel = False

    def __init__(self, ip, port, md5_vm, md5_overlay, sm_num_of_fin_tasks, info_queue, data_queue, worker_id,
                 verbose_level):
        self.md5_vm = md5_vm
        self.md5_overlay = md5_overlay
        self.sm_num_of_fin_tasks = sm_num_of_fin_tasks
        self.info_queue = info_queue
        self.data_queue = data_queue
        self.verbose_level = verbose_level
        self.connection_lock = Lock()
        self.thread = None
        self.worker_id = worker_id
        try:
            self.connection = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            self.connection.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            self.connection.connect((ip, port))
        except socket.error:
            self.__put_error_code_to_queue("server not found")
        self.__connect()

    def __connect(self):
        # hello packet exchange
        data = vusbf_proto_header()
        data.Length = 0
        data.Type = 0
        self.__send_data(str(data))
        raw_data = self.__recv_data(self.connection, 8)
        hello = vusbf_proto_header(raw_data)
        # self.print_verbose("recv hello", self.verbose_level, 2)
        if not (hello.Type == 0 and hello.Length == 0):
            self.__put_error_code_to_queue("wrong type recv")
        # check TODO
        data = self.__recv_data(self.connection, 4 + 8)
        header = vusbf_proto_header(data)
        data = self.__recv_data(self.connection, header.Length)
        data = vusbf_proto_header()
        data.Length = 1
        data.Type = 6
        extra_data = vusbf_check_response("\x01")
        self.__send_data(str(data) + str(extra_data))
        # print "DONE"

    def send_data_request(self, number_of_tasks):
        # atomic block
        self.connection_lock.acquire()
        data = vusbf_proto_header()
        data.Type = 1
        data.Length = 4
        extra_data = vusbf_task()
        extra_data.Number_of_tasks = number_of_tasks
        #data.show()
        #print len(extra_data)
        #extra_data.show()
        self.__send_data(str(data) + str(extra_data))
        # atomic block end
        self.connection_lock.release()

    def start_listing_thread(self):
        if self.thread:
            return
        self.cancel = False
        self.thread = threading.Thread(target=self.connection_loop, args=())
        self.thread.start()

    def kill_listing_thread(self):
        self.cancel = True
        self.thread.join()
        self.thread = None

    def close_connection(self):
        try:
            self.kill_listing_thread()
        except:
            pass
        self.connection.close()

    def connection_loop(self):
        while True:
            fd = select.select([self.connection], [], [], 0.5)[0]
            if self.cancel:
                return
            if fd:
                if len(fd) > 0:
                    # atomic block
                    self.connection_lock.acquire()
                    raw_data = self.__recv_data(fd[0], 8)
                    #raw_data = fd[0].recv(8)
                    if len(raw_data) == 0:
                        # atomic block end
                        self.connection_lock.release()
                        return
                    header = vusbf_proto_header(raw_data)
                    if config.CLUSTERING_DEBUG_CLIENT:
                        header.show()
                    # task response
                    if header.Type == 2:
                        #print "RESPONSE"
                        extra_data = None
                        # no more data
                        if not header.Length == 4:
                            raw_extra_data = self.__recv_all(fd[0], header.Length)
                            # NOTE: cPickle.loads() on network data trusts the master completely
                            extra_data = cPickle.loads(raw_extra_data[4:])
                        self.__put_data_to_queue(extra_data)
                        #print "RECV TASK RESPONSE"
                    # sync request
                    elif header.Type == 3:
                        # print "RECV SYNC REQUEST"
                        data = vusbf_proto_header()
                        data.Type = 4
                        data.Length = 4
                        extra_data = vusbf_sync()
                        extra_data.Number_of_fin_tasks = self.__get_sm_value()
                        self.__send_data(str(data) + str(extra_data))
                    # close connection
                    elif header.Type == 7:
                        #print "RECV END"
                        # atomic block end
                        self.connection_lock.release()
                        return
                    elif header.Type == None:
                        self.connection_lock.release()
                        return
                    # atomic block end
                    self.connection_lock.release()

    def __recv_all(self, fd, Length):
        data = ""
        recv_length = 0
        while True:
            # print len(data)
            chunk = self.__recv_data(fd, (Length - len(data)))
            if not chunk:
                # peer closed the connection mid-payload; without this check the loop never ends
                self.__put_error_code_to_queue("connection closed during recv")
            data += chunk
            #data += fd.recv(Length-len(data))
            if len(data) == Length:
                return data

    # TODO: if the connection drops, only None values should be put into the queue.
    # Possibly even abort the whole program,
    # e.g. info_queue.put(-1) --> EXIT
    # This is best checked with send/recv wrapper methods that catch the exceptions.
    # By the way, this applies to all exceptions.
    def __recv_data(self, fd, length):
        try:
            return fd.recv(length)
        except:
            self.__put_error_code_to_queue(sys.exc_info()[0])

    def __send_data(self, data):
        try:
            return self.connection.send(data)
        except:
            self.__put_error_code_to_queue(sys.exc_info()[0])

    def __put_data_to_queue(self, obj):
        # negative - i.e. insert data
        #self.info_queue.put((self.worker_id*(-1)))
        self.data_queue.put(obj)
        #self.info_queue_lock.release()

    def __get_sm_value(self):
        return self.sm_num_of_fin_tasks.value

    def __put_error_code_to_queue(self, err_msg):
        self.data_queue.put(-1)
        print err_msg
        #raise Exception(err_msg)
        sys.exit(0)


def start_network_task_requester(server, port, md5_vm, md5_overlay, sm_num_of_fin_tasks, info_queue, data_queue, request_queue, worker_id, verbose_level):
    global controller
    signal.signal(signal.SIGTERM, signal_handler)
    controller = network_task_requester(server, port, md5_vm, md5_overlay, sm_num_of_fin_tasks, info_queue, data_queue, worker_id, verbose_level)
    #print "START"
    controller.start_listing_thread()
    # WAIT FOR REQUEST FROM MAIN PROCESS
    # SEND REQUEST TO MASTER
    # RECV DATA AND PUT THEM TO DATA QUEUE
    while True:
        value = request_queue.get()
        #print value
        #print "REQUEST"
        if value == 0:
            # the class defines close_connection(); there is no close() method
            controller.close_connection()
            break
        else:
            controller.send_data_request(value)
    #print "EXIT"
================================================
FILE: clustering/protocol.py
================================================
"""
vUSBf: A KVM/QEMU based USB-fuzzing framework.
Copyright (C) 2015 Sergej Schumilo, OpenSource Security Ralf Spenneberg
This file is part of vUSBf.
See the file LICENSE for copying permission.
"""
__author__ = 'Sergej Schumilo'
from scapy.all import *

vusbf_type_enum = {
    0: "hello",  # This packet initializes the communication
    1: "task_request",  # This packet can be sent from the client to request new testcases
    2: "task_response",  # Response from the server, which contains testcases as pickle obj
    3: "sync_request",  # Heartbeat request from the server. It's needed for synchronization of the number of finished tasks
    4: "sync_response",  # Response from the client. Contains the number of finished tasks
    5: "check_request",  # Request to check the given environment (VM, Overlay etc.)
    6: "check_response",  # Response for check_request
    7: "close_connection"}  # as the name says :-)


# Protocol header
class vusbf_proto_header(Packet):
    name = "VUSBF_ProtoHeader"
    fields_desc = [IntEnumField("Type", None, vusbf_type_enum),
                   IntField("Length", None)
                   ]


# Protocol subheader (for task_request and task_response)
class vusbf_task(Packet):
    name = "VUSBF_Task"
    fields_desc = [IntField("Number_of_tasks", None)]


# Protocol subheader (for sync_request and sync_response)
class vusbf_sync(Packet):
    name = "VUSBF_Sync"
    fields_desc = [IntField("Number_of_fin_tasks", None)]


# Protocol subheader (no usage at the moment)
class vusbf_get(Packet):
    name = "VUSBF_Get"
    fields_desc = [XByteField("Drop_data", None)]


# Protocol subheader (for check_request)
class vusbf_check_request(Packet):
    name = "VUSBF_Check"
    fields_desc = [LongField("MD5_VM", None),
                   LongField("MD5_Overlay", None)
                   ]


# Protocol subheader (for check_response)
class vusbf_check_response(Packet):
    name = "VUSBF_Check"
    fields_desc = [XByteField("Test_passed", None)]
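Added example, not part of the vUSBf sources: a Python 3 receiver for the 8-byte Type/Length header defined above that reads exact byte counts, caps Length, and refuses pickles that reference any global. `MAX_PAYLOAD`, all function names and the sample tasks are assumptions, and the loader assumes test cases are sent as plain lists, dicts, numbers and strings.

```python
import io
import pickle
import socket
import struct

HEADER = struct.Struct("!II")          # Type, Length: two 32-bit big-endian fields
TASK_SUBHEADER = struct.Struct("!I")   # vusbf_task.Number_of_tasks
KNOWN_TYPES = frozenset(range(8))      # the keys of vusbf_type_enum
MAX_PAYLOAD = 1 << 20                  # assumed cap, not a value from the project


class ProtocolError(Exception):
    """Raised for every frame the receiver refuses to process."""


def build_frame(ptype, payload=b""):
    """Serialize one frame: header followed by the payload."""
    return HEADER.pack(ptype, len(payload)) + payload


def recv_exact(sock, n):
    """Read exactly n bytes; recv() returning b'' means the peer closed."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ProtocolError("closed after %d of %d bytes" % (len(buf), n))
        buf += chunk
    return bytes(buf)


def read_frame(sock):
    """Return (type, payload) after validating the header fields."""
    ptype, length = HEADER.unpack(recv_exact(sock, HEADER.size))
    if ptype not in KNOWN_TYPES:
        raise ProtocolError("unknown packet type %d" % ptype)
    if length > MAX_PAYLOAD:
        # checked before any payload byte is read or buffered
        raise ProtocolError("Length %d exceeds cap %d" % (length, MAX_PAYLOAD))
    return ptype, recv_exact(sock, length)


class DataOnlyUnpickler(pickle.Unpickler):
    """Plain containers need no global lookup, so every lookup is refused."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError("global %s.%s not allowed" % (module, name))


def load_tasks(payload):
    """Split a task_response payload into (Number_of_tasks, tasks or None)."""
    if len(payload) < TASK_SUBHEADER.size:
        raise ProtocolError("task_response shorter than its sub-header")
    (count,) = TASK_SUBHEADER.unpack_from(payload)
    body = payload[TASK_SUBHEADER.size:]
    if not body:
        return count, None             # sub-header only: no more tasks
    try:
        tasks = DataOnlyUnpickler(io.BytesIO(body)).load()
    except Exception as exc:           # untrusted input: any failure is a rejection
        raise ProtocolError("rejected task payload: %s" % exc)
    return count, tasks


def demo():
    """Send one constructed task_response over a local socket pair and parse it."""
    master, worker = socket.socketpair()
    try:
        tasks = [{"id": 1, "desc": "desc1.txt"}, {"id": 2, "desc": "desc2.txt"}]
        body = TASK_SUBHEADER.pack(len(tasks)) + pickle.dumps(tasks)
        master.sendall(build_frame(2, body))
        ptype, payload = read_frame(worker)
        return ptype, load_tasks(payload)
    finally:
        master.close()
        worker.close()


if __name__ == "__main__":
    print(demo())
```

If the test cases have to stay project objects, replace the blanket refusal in `find_class` with an explicit allow-list of `(module, name)` pairs.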
================================================
FILE: config.py
================================================
"""
vUSBf: A KVM/QEMU based USB-fuzzing framework.
Copyright (C) 2015 Sergej Schumilo, OpenSource Security Ralf Spenneberg
This file is part of vUSBf.
See the file LICENSE for copying permission.
"""
__author__ = 'Sergej Schumilo'
# monitor specific ######
# serial port read timeout (select timeout)
SERIAL_READ_TIMEOUT = 0.45
# maximum number of lines to read
SERIAL_READ_MAX_LINES = 1024
# maximum number of read retries
SERIAL_READ_RETRIES = 1
# fuzzing test print delimiter
DELIMITER = "\n#######################################################\n\n"
# fuzzing test SERIAL_READ_MAX_LINES message
MESSAGE_READ_MAX_LINES = "\n ------->>>>> MESSAGE_READ_MAX_LINES <<<<<-------"
# VM reload message
MESSAGE_VM_RELOAD = "====================\tRELOAD\t====================\n"
# log message for 'too much data to process' case
MESSAGE_TOO_MUCH_DATA = "\n ------->>>>> TOO MUCH DATA FROM STDOUT! <<<<<-------"
PRINT_VERBOSE_TEST_INFO = True
# usbemulator specific ######
# number of reconnects (QEMU usbredir interface)
NUMBER_OF_RECONNECTS = 3
# timeout between reconnects
TIME_BETWEEN_RECONNECTS = 0
# defined content of usbredir hello_packet
USB_REDIR_HELLO_PACKET = 'usbredirserver 0.6\x00\x00\x00\x00\x00\x00\xc0\x1f@\x00\x00\x00\x00\x00\x00\x9dj\x00\x00\x00\x00\x00uB\xe8h:\x7f\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\xfe\x00\x00\x00'
# path to the folder that contains all available device descriptors
DEV_DESC_FOLDER = "dev_desc/"
# unix socket timeout
UNIX_SOCKET_TIMEOUT = 0.5
# tcp socket timeout
TCP_SOCKET_TIMEOUT = 0.75
# connection to victim timeout
# (Linux: 0.2 - 0.75 / FreeBSD: 1.25 - 2.0)
CONNECTION_TO_VICTIM_TIMEOUT = 1.35
# max redir packet recv (deadlock prevention)
MAX_PACKETS = 500
# execution process specific ######
# fail counter
PROCESS_FAIL_COUNTER = 4
PROCESS_FAIL_REPAIR_COUNTER = 5
PROCESS_FAIL_SLEEP_A = 0.1
PROCESS_FAIL_SLEEP_B = 0.4
PROCESS_NOTIFY_SHARED_MEMORY = 1
PROCESS_TIMOUT_AFTER_REPAIR = 1.0
# threshold number of successful testcases until qemu loadvm is used
PROCESS_SLOW_START_THRESHOLD = 5
PROCESS_SLOW_START_THRESHOLD_FAIL_COUNTER = 100
PROCESS_REPAIR_SEMAPHORE = 5
# debug specific ######
# define verbose level distinctions
VERBOSE_LEVEL_PRINT_ERROR_MESSAGES = 4
VERBOSE_LEVEL_PRINT_RECV_DATA = 3
VERBOSE_LEVEL_PRINT_SEND_DATA = 2
VERBOSE_LEVEL_PRINT_INFO = 1
VERBOSE_LEVEL_PRINT_NOTHING = 0
# SIGUSR1 debug option
ENABLE_DEBUG_PROCESS = False
VERBOSE_LEVEL = 0
# performance process ######
PRINT_PERFORMANCE_TIMEOUT = 5.0
PRINT_PERFORMANCE_SERVER_TIMEOUT = 10.0
# multiprocessing specific ######
NUMBER_OF_JOBS_PER_PROCESS = 2048
PROCESS_STARTUP_TIME = 5.0
PROCESS_STARTUP_RATE = 0.5
# qemu specific #####
OVERLAY_FILE_PREFIX = "overlay_"
OVERLAY_FILE_POSTFIX = ".qcow2"
# non multiprocessing specific #####
NUMBER_OF_JOBS_PER_PROCESS_NM = 100000
SLEEP_BETWEEN_TESTS = 0.2
# clustering specific #####
CLUSTERING_DEBUG_SERVER = False
CLUSTERING_DEBUG_CLIENT = False
CLUSTERING_CHUNK_SIZE = 2
CLUSTERING_CONNECTION_RETRY_TIME = 1
# execute mode specific #####
SERIAL_READ_RETRIES_EXECUTE_MODE = 8
PROCESS_SLOW_START_THRESHOLD_EXECUTE_MODE = 0
PROCESS_SLOW_START_THRESHOLD_FAIL_COUNTER_EXECUTE_MODE = 0
PROCESS_FAIL_REPAIR_COUNTER_EXECUTE_MODE = 2
# options #####
PRINT_DEVICE_DESCRIPTORS = False
================================================
FILE: configurations/centos6.config
================================================
# vusbf qemu-config file
#
# QEMU BINARY
qemu_bin: /home/sergej/qemu/x86_64-softmmu/qemu-system-x86_64
# KVM SUPPORT
kvm: yes
# MEMORY SIZE (MB)
memory: 150
# RAM FILE
ram_file: /home/sergej/final/testkernel/ram.qcow2
# OVERLAY FILE
overlay_file: /home/sergej/final/testkernel/overlay.qcow2
# OVERLAY FOLDER
overlay_folder: /home/sergej/final/testkernel/
# USB DEVICE TYPE
device_type: nec-usb-xhci
# EXTRA QEMU PARAMETER
qemu_extra: ""
# SNAPSHOT
snapshot: replay
================================================
FILE: configurations/debian7.config
================================================
# vusbf qemu-config file
#
# QEMU BINARY
qemu_bin: /home/sergej/qemu/x86_64-softmmu/qemu-system-x86_64
# KVM SUPPORT
kvm: yes
# MEMORY SIZE (MB)
memory: 150
# RAM FILE
ram_file: /home/sergej/workspace/Debian7/ram.qcow2
# OVERLAY FILE
overlay_file: /home/sergej/workspace/Debian7/overlay.qcow2
# OVERLAY FOLDER
overlay_folder: /home/sergej/workspace/Debian7
# USB DEVICE TYPE
device_type: nec-usb-xhci
# EXTRA QEMU PARAMETER
qemu_extra: ""
# SNAPSHOT
snapshot: replay
================================================
FILE: configurations/debian7_2.config
================================================
# vusbf qemu-config file
#
# QEMU BINARY
qemu_bin: /home/sergej/Dokumente/vUSBf/Testing/qemu-2.1.2/qemu-2.0.2/x86_64-softmmu/qemu-system-x86_64
# KVM SUPPORT
kvm: yes
# MEMORY SIZE (MB)
memory: 150
# RAM FILE
ram_file: /home/sergej/Dokumente/vUSBf/18.02.15/kernel-3.15_new_qemu/ram.qcow2
# OVERLAY FILE
overlay_file: /home/sergej/Dokumente/vUSBf/18.02.15/kernel-3.15_new_qemu/overlay.qcow2
# OVERLAY FOLDER
overlay_folder: /home/sergej/Dokumente/vUSBf/18.02.15/kernel-3.15_new_qemu
# USB DEVICE TYPE
device_type: nec-usb-xhci
# EXTRA QEMU PARAMETER
qemu_extra: ""
# SNAPSHOT
snapshot: replay
================================================
FILE: configurations/debian7_3.config
================================================
# vusbf qemu-config file
#
# QEMU BINARY
qemu_bin: /home/sergej/Dokumente/vUSBf/Testing/qemu-2.2.0/qemu-2.2.0/x86_64-softmmu/qemu-system-x86_64
# KVM SUPPORT
kvm: yes
# MEMORY SIZE (MB)
memory: 150
# RAM FILE
ram_file: /home/sergej/Dokumente/vUSBf/18.02.15/kernel-3.15/ram.qcow2
# OVERLAY FILE
overlay_file: /home/sergej/Dokumente/vUSBf/18.02.15/kernel-3.15/overlay.qcow2
# OVERLAY FOLDER
overlay_folder: /home/sergej/Dokumente/vUSBf/18.02.15/kernel-3.15
# USB DEVICE TYPE
device_type: nec-usb-xhci
# EXTRA QEMU PARAMETER
qemu_extra: ""
# SNAPSHOT
snapshot: replay
================================================
FILE: configurations/freebsd10_1.config
================================================
# vusbf qemu-config file
#
# QEMU BINARY
qemu_bin: /home/sergej/qemu/x86_64-softmmu/qemu-system-x86_64
# KVM SUPPORT
kvm: yes
# MEMORY SIZE (MB)
memory: 120
# RAM FILE
ram_file: /home/sergej/workspace/FreeBSD-10.1/ram.qcow2
# OVERLAY FILE
overlay_file: /home/sergej/workspace/FreeBSD-10.1/overlay.qcow2
# OVERLAY FOLDER
overlay_folder: /home/sergej/workspace/FreeBSD-10.1
# USB DEVICE TYPE
device_type: ich9-usb-ehci1
# EXTRA QEMU PARAMETER
qemu_extra: ""
# SNAPSHOT
snapshot: replay
================================================
FILE: configurations/ubuntu1404.config
================================================
# vusbf qemu-config file
#
# QEMU BINARY
qemu_bin: /home/sergej/qemu/x86_64-softmmu/qemu-system-x86_64
# KVM SUPPORT
kvm: yes
# MEMORY SIZE (MB)
memory: 150
# RAM FILE
ram_file: /home/sergej/workspace/ubuntu14042/ram.qcow2
# OVERLAY FILE
overlay_file: /home/sergej/workspace/ubuntu14042/overlay.qcow2
# OVERLAY FOLDER
overlay_folder: /home/sergej/workspace/ubuntu14042/
# USB DEVICE TYPE
device_type: nec-usb-xhci
# EXTRA QEMU PARAMETER
qemu_extra: ""
# SNAPSHOT
snapshot: replay
================================================
FILE: configurations/ubuntu1404_updated.config
================================================
# vusbf qemu-config file
#
# QEMU BINARY
qemu_bin: /home/sergej/qemu/x86_64-softmmu/qemu-system-x86_64
# KVM SUPPORT
kvm: yes
# MEMORY SIZE (MB)
memory: 400
# RAM FILE
ram_file: /home/sergej/workspace/ubuntu1404_2/ram.qcow2
# OVERLAY FILE
overlay_file: /home/sergej/workspace/ubuntu1404_2/overlay.qcow2
# OVERLAY FOLDER
overlay_folder: /home/sergej/workspace/ubuntu1404_2
# USB DEVICE TYPE
device_type: nec-usb-xhci
# EXTRA QEMU PARAMETER
qemu_extra: ""
# SNAPSHOT
snapshot: replay
================================================
FILE: descFuzzer.py
================================================
"""
vUSBf: A KVM/QEMU based USB-fuzzing framework.
Copyright (C) 2015 Sergej Schumilo, OpenSource Security Ralf Spenneberg
This file is part of vUSBf.
See the file LICENSE for copying permission.
"""
from usbscapy import *


# descriptor layout: [device_desc, [[config_desc, [[interface_desc, [endpoint/HID descs]], ...]], ...]]
def print_descriptor(descriptor):
    if descriptor == None:
        return
    descriptor[0].show()
    for confDesc in descriptor[1]:
        confDesc[0].show()
        for ifDesc in confDesc[1]:
            ifDesc[0].show()
            for e in ifDesc[1]:
                e.show()


def patch_descriptor_length_fields(descriptor):
    if descriptor == None:
        return
    for configuration_num in range(len(descriptor[1])):
        patch_configuration_descriptor_length_field(descriptor, configuration_num)


def patch_configuration_descriptor_length_field(descriptor, configuration_num):
    confDesc = get_configuration_descriptor(descriptor, configuration_num)
    conf_length = 0
    for ifDesc in confDesc[1]:
        if_length = 0
        for e in ifDesc[1]:
            if_length += e.bLength
        # 9 bytes for the interface descriptor itself
        conf_length += 9 + if_length
    # 9 bytes for the configuration descriptor itself
    confDesc[0].wTotalLength = 9 + conf_length


def get_configuration_descriptor(descriptor, configuration_num):
    # check Device Descriptor
    if descriptor == None:
        return None
    if descriptor[1] == None:
        return None
    if len(descriptor[1]) - 1 < configuration_num:
        return None
    return descriptor[1][configuration_num]


def get_interface_descriptor(descriptor, configuration_num, interface_num):
    configuration_descriptor = get_configuration_descriptor(descriptor, configuration_num)
    if configuration_descriptor == None:
        return None
    if configuration_descriptor[1] == None:
        return None
    if len(configuration_descriptor[1]) - 1 < interface_num:
        return None
    return configuration_descriptor[1][interface_num]


def add_new_descriptor_to_interface(descriptor, configuration_num, interface_num, new_descriptor):
    if new_descriptor == None:
        return False
    if not (type(new_descriptor) == usb_endpoint_descriptor or type(new_descriptor) == usb_hid_descriptor):
        return False
    interface_descriptor = get_interface_descriptor(descriptor, configuration_num, interface_num)
    if interface_descriptor == None:
        return False
    if interface_descriptor[1] == None:
        return False
    if interface_descriptor[0] == None:
        return False
    if interface_descriptor[0].bNumEndpoints == 255:
        return False
    if interface_descriptor[0].bNumEndpoints == None:
        # reset the counter field, not the interface descriptor object itself
        interface_descriptor[0].bNumEndpoints = 0
    if type(new_descriptor) == usb_endpoint_descriptor:
        interface_descriptor[0].bNumEndpoints += 1
    interface_descriptor[1].append(new_descriptor)
    patch_descriptor_length_fields(descriptor)
    return True


def add_new_interface_to_configuration(descriptor, configuration_num, new_interface):
    if new_interface == None:
        return False
    if not type(new_interface) == usb_interface_descriptor:
        return False
    configuration_descriptor = get_configuration_descriptor(descriptor, configuration_num)
    if configuration_descriptor == None:
        return False
    if configuration_descriptor[1] == None:
        return False
    if configuration_descriptor[0] == None:
        return False
    if configuration_descriptor[0].bNumInterfaces == 255:
        return False
    if configuration_descriptor[0].bNumInterfaces == None:
        configuration_descriptor[0].bNumInterfaces = 0
    configuration_descriptor[0].bNumInterfaces += 1
    length = len(configuration_descriptor[1])
    configuration_descriptor[1].append([new_interface, []])
    # the appended interface sits at index `length` (the list size before the append)
    configuration_descriptor[1][length][0].bInterfaceNumber = length
    patch_descriptor_length_fields(descriptor)
    return True


def add_new_configuration_to_device_descriptor(descriptor, new_configuration):
    if new_configuration == None:
        return False
    if not type(new_configuration) == usb_configuration_descriptor:
        return False
    if descriptor == None:
        return False
    if descriptor[1] == None:
        return False
    if descriptor[0].bNumConfigurations == 255:
        return False
    if descriptor[0].bNumConfigurations == None:
        descriptor[0].bNumConfigurations = 0
    descriptor[0].bNumConfigurations += 1
    descriptor[1].append([new_configuration, []])
    patch_descriptor_length_fields(descriptor)
    return True


def del_interface_descriptor_object(descriptor, configuration_num, interface_num, object_num):
    interface_descriptor = get_interface_descriptor(descriptor, configuration_num, interface_num)
    if interface_descriptor == None:
        return False
    if interface_descriptor[1] == None:
        return False
    if interface_descriptor[0] == None:
        return False
    if len(interface_descriptor[1]) - 1 < object_num:
        return False
    # if you delete an endpoint descriptor, you also have to decrement bNumEndpoints
    if interface_descriptor[1][object_num].bDescriptorType == 0x05:
        interface_descriptor[0].bNumEndpoints -= 1
    del interface_descriptor[1][object_num]
    patch_descriptor_length_fields(descriptor)
    return True


def del_interface_descriptor(descriptor, configuration_num, interface_num):
    interface_descriptor = get_interface_descriptor(descriptor, configuration_num, interface_num)
    if interface_descriptor == None:
        return False
    configuration_descriptor = get_configuration_descriptor(descriptor, configuration_num)
    configuration_descriptor[0].bNumInterfaces -= 1
    length = len(configuration_descriptor[1])
    del configuration_descriptor[1][interface_num]
    # renumber the interfaces that followed the deleted one
    for i in range(length - 1 - interface_num):
        configuration_descriptor[1][i + interface_num][0].bInterfaceNumber -= 1
    return True


def del_configuration_descriptor(descriptor, configuration_num):
    if descriptor == None:
        return False
    if descriptor[0] == None:
        return False
    if descriptor[1] == None:
        return False
    length = len(descriptor[1])
    if length - 1 < configuration_num:
        return False
    del descriptor[1][configuration_num]
    descriptor[0].bNumConfigurations = length - 1
    return True
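Added example, not part of the vUSBf sources: the host-side counterpart to `patch_descriptor_length_fields`, a Python 3 walker that checks wTotalLength, bLength, bNumInterfaces and bNumEndpoints of a raw configuration descriptor against the bytes actually received. `SAMPLE` is constructed from the field values in dev_desc/desc.txt (bMaxPower 49 encodes the listed 98mA); all function names are hypothetical.

```python
import struct

DT_CONFIG, DT_INTERFACE, DT_ENDPOINT = 2, 4, 5

# Constructed sample: configuration, one interface, three endpoints (9 + 9 + 3*7 = 39 bytes)
SAMPLE = bytes([
    9, 2, 39, 0, 1, 1, 0, 0x80, 49,      # configuration: wTotalLength 39, bNumInterfaces 1
    9, 4, 0, 0, 3, 0, 0, 0, 0,           # interface 0: bNumEndpoints 3
    7, 5, 0x01, 2, 0x00, 0x02, 1,        # endpoint 0x01, wMaxPacketSize 0x0200
    7, 5, 0x82, 3, 0x00, 0x02, 1,        # endpoint 0x82, wMaxPacketSize 0x0200
    7, 5, 0x83, 0, 0x40, 0x00, 8,        # endpoint 0x83, wMaxPacketSize 0x0040
])


def patched(blob, offset, value):
    """Return a copy of blob with one byte replaced (to build test inputs)."""
    out = bytearray(blob)
    out[offset] = value
    return bytes(out)


def check_configuration(blob):
    """Return a list of findings; an empty list means the fields are consistent.

    The walk is bounded by len(blob), never by a length field the device supplied.
    """
    if len(blob) < 9 or blob[0] != 9 or blob[1] != DT_CONFIG:
        return ["not a configuration descriptor"]
    findings = []
    w_total, num_if = struct.unpack_from("<HB", blob, 2)
    if w_total != len(blob):
        findings.append("wTotalLength %d but %d bytes received" % (w_total, len(blob)))

    interfaces = {}        # (bInterfaceNumber, bAlternateSetting) -> [declared, seen]
    current = None
    off = 9
    while off < len(blob):
        if len(blob) - off < 2:
            findings.append("truncated descriptor header at offset %d" % off)
            break
        b_len, b_type = blob[off], blob[off + 1]
        # bLength below 2 would stall the walk; above the remainder it reads out of bounds
        if b_len < 2 or off + b_len > len(blob):
            findings.append("bLength %d at offset %d is out of range" % (b_len, off))
            break
        if b_type == DT_INTERFACE:
            if b_len < 9:
                findings.append("interface descriptor at offset %d too short" % off)
                break
            current = (blob[off + 2], blob[off + 3])
            interfaces[current] = [blob[off + 4], 0]
        elif b_type == DT_ENDPOINT:
            if b_len < 7:
                findings.append("endpoint descriptor at offset %d too short" % off)
                break
            if current is None:
                findings.append("endpoint at offset %d precedes any interface" % off)
            else:
                interfaces[current][1] += 1
        off += b_len

    numbers = {number for number, _alt in interfaces}
    if len(numbers) != num_if:
        findings.append("bNumInterfaces %d but %d interfaces present" % (num_if, len(numbers)))
    for (number, alt), (declared, seen) in sorted(interfaces.items()):
        if declared != seen:
            findings.append("interface %d alt %d: bNumEndpoints %d but %d endpoint descriptors"
                            % (number, alt, declared, seen))
    return findings


if __name__ == "__main__":
    print(check_configuration(SAMPLE))
    print(check_configuration(patched(SAMPLE, 13, 4)))
```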
================================================
FILE: dev_desc/desc.txt
================================================
Speed High
Bus 001 Device 043: ID 1307:0165 Transcend Information, Inc. 2GB/4GB Flash Drive
Device Descriptor:
bLength 18
bDescriptorType 1
bcdUSB 2.00
bDeviceClass 0 (Defined at Interface level)
bDeviceSubClass 0
bDeviceProtocol 0
bMaxPacketSize0 64
idVendor 0x3340 Transcend Information, Inc.
idProduct 0x3457 2GB/4GB Flash Drive
bcdDevice 1.00
iManufacturer 1
iProduct 2
iSerial 3
bNumConfigurations 1
Configuration Descriptor:
bLength 9
bDescriptorType 2
wTotalLength 39
bNumInterfaces 1
bConfigurationValue 1
iConfiguration 0
bmAttributes 0x80
(Bus Powered)
MaxPower 98mA
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 0
bAlternateSetting 0
bNumEndpoints 3
bInterfaceClass 0 Mass Storage
bInterfaceSubClass 0 SCSI
bInterfaceProtocol 0 Bulk-Only
iInterface 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x01 EP 1 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 1
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x82 EP 2 IN
bmAttributes 3
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 1
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x83 EP 3 IN
bmAttributes 0
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 0x0040 1x 64 bytes
bInterval 8
================================================
FILE: dev_desc/desc1.txt
================================================
Bus 007 Device 012: ID 046d:c218 Logitech, Inc. Logitech RumblePad 2 USB
Device Descriptor:
bLength 18
bDescriptorType 1
bcdUSB 1.10
bDeviceClass 0 (Defined at Interface level)
bDeviceSubClass 0
bDeviceProtocol 0
bMaxPacketSize0 8
idVendor 0x046d Logitech, Inc.
idProduct 0xc218 Logitech RumblePad 2 USB
bcdDevice 1.00
iManufacturer 1 Logitech
iProduct 2 Logitech RumblePad 2 USB
iSerial 0
bNumConfigurations 1
Configuration Descriptor:
bLength 9
bDescriptorType 2
wTotalLength 41
bNumInterfaces 1
bConfigurationValue 1
iConfiguration 0
bmAttributes 0x80
(Bus Powered)
MaxPower 500mA
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 0
bAlternateSetting 0
bNumEndpoints 2
bInterfaceClass 3 Human Interface Device
bInterfaceSubClass 0 No Subclass
bInterfaceProtocol 0 None
iInterface 0
-----
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x81 EP 1 IN
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 0x0008 1x 8 bytes
bInterval 10
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x01 EP 1 OUT
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 0x0008 1x 8 bytes
bInterval 10
================================================
FILE: dev_desc/desc10.txt
================================================
Speed Full
Bus 003 Device 007: ID 05ac:12aa Apple, Inc. iPod Touch 5.Gen [A1421]
Device Descriptor:
bLength 18
bDescriptorType 1
bcdUSB 2.00
bDeviceClass 0 (Defined at Interface level)
bDeviceSubClass 0
bDeviceProtocol 0
bMaxPacketSize0 64
idVendor 0x05ac Apple, Inc.
idProduct 0x12aa iPod Touch 5.Gen [A1421]
bcdDevice 5.10
iManufacturer 1 Apple Inc.
iProduct 2 iPod
iSerial 3 ef15d6f0a30eabf9924d3e5a364cc8fc80c2ba0d
bNumConfigurations 4
Configuration Descriptor:
bLength 9
bDescriptorType 2
wTotalLength 39
bNumInterfaces 1
bConfigurationValue 1
iConfiguration 5 PTP
bmAttributes 0xc0
Self Powered
MaxPower 500mA
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 0
bAlternateSetting 0
bNumEndpoints 3
bInterfaceClass 6 Imaging
bInterfaceSubClass 1 Still Image Capture
bInterfaceProtocol 1 Picture Transfer Protocol (PIMA 15470)
iInterface 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x02 EP 2 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 10
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x81 EP 1 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 10
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x83 EP 3 IN
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 0x0040 1x 64 bytes
bInterval 10
Configuration Descriptor:
bLength 9
bDescriptorType 2
wTotalLength 149
bNumInterfaces 3
bConfigurationValue 2
iConfiguration 6 iPod USB Interface
bmAttributes 0xc0
Self Powered
MaxPower 500mA
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 0
bAlternateSetting 0
bNumEndpoints 0
bInterfaceClass 1 Audio
bInterfaceSubClass 1 Control Device
bInterfaceProtocol 0
iInterface 0
AudioControl Interface Descriptor:
bLength 9
bDescriptorType 36
bDescriptorSubtype 1 (HEADER)
bcdADC 1.00
wTotalLength 30
bInCollection 1
baInterfaceNr( 0) 1
AudioControl Interface Descriptor:
bLength 12
bDescriptorType 36
bDescriptorSubtype 2 (INPUT_TERMINAL)
bTerminalID 1
wTerminalType 0x0201 Microphone
bAssocTerminal 2
bNrChannels 2
wChannelConfig 0x0003
Left Front (L)
Right Front (R)
iChannelNames 0
iTerminal 0
AudioControl Interface Descriptor:
bLength 9
bDescriptorType 36
bDescriptorSubtype 3 (OUTPUT_TERMINAL)
bTerminalID 2
wTerminalType 0x0101 USB Streaming
bAssocTerminal 1
bSourceID 1
iTerminal 0
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 1
bAlternateSetting 0
bNumEndpoints 0
bInterfaceClass 1 Audio
bInterfaceSubClass 2 Streaming
bInterfaceProtocol 0
iInterface 0
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 1
bAlternateSetting 1
bNumEndpoints 1
bInterfaceClass 1 Audio
bInterfaceSubClass 2 Streaming
bInterfaceProtocol 0
iInterface 0
AudioStreaming Interface Descriptor:
bLength 7
bDescriptorType 36
bDescriptorSubtype 1 (AS_GENERAL)
bTerminalLink 2
bDelay 1 frames
wFormatTag 1 PCM
AudioStreaming Interface Descriptor:
bLength 35
bDescriptorType 36
bDescriptorSubtype 2 (FORMAT_TYPE)
bFormatType 1 (FORMAT_TYPE_I)
bNrChannels 2
bSubframeSize 2
bBitResolution 16
bSamFreqType 9 Discrete
tSamFreq[ 0] 8000
tSamFreq[ 1] 11025
tSamFreq[ 2] 12000
tSamFreq[ 3] 16000
tSamFreq[ 4] 22050
tSamFreq[ 5] 24000
tSamFreq[ 6] 32000
tSamFreq[ 7] 44100
tSamFreq[ 8] 48000
Endpoint Descriptor:
bLength 9
bDescriptorType 5
bEndpointAddress 0x81 EP 1 IN
bmAttributes 1
Transfer Type Isochronous
Synch Type None
Usage Type Data
wMaxPacketSize 0x00c0 1x 192 bytes
bInterval 4
bRefresh 0
bSynchAddress 0
AudioControl Endpoint Descriptor:
bLength 7
bDescriptorType 37
bDescriptorSubtype 1 (EP_GENERAL)
bmAttributes 0x01
Sampling Frequency
bLockDelayUnits 0 Undefined
wLockDelay 0 Undefined
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 2
bAlternateSetting 0
bNumEndpoints 1
bInterfaceClass 3 Human Interface Device
bInterfaceSubClass 0 No Subclass
bInterfaceProtocol 0 None
iInterface 0
HID Device Descriptor:
bLength 9
bDescriptorType 33
bcdHID 1.11
bCountryCode 0 Not supported
bNumDescriptors 1
bDescriptorType 34 Report
wDescriptorLength 208
Warning: incomplete report descriptor
Report Descriptor: (length is 9)
Item(Main ): (null), data=none
Item(Main ): (null), data=none
Item(Main ): (null), data=none
Item(Main ): (null), data=none
Item(Main ): (null), data=none
Item(Main ): (null), data=none
Item(Main ): (null), data=none
Item(Main ): (null), data=none
Item(Local ): (null), data= [ 0xa5 0x33 0xff 0x18 ] 419378085
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x83 EP 3 IN
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 0x0040 1x 64 bytes
bInterval 1
Configuration Descriptor:
bLength 9
bDescriptorType 2
wTotalLength 62
bNumInterfaces 2
bConfigurationValue 3
iConfiguration 7 PTP + Apple Mobile Device
bmAttributes 0xc0
Self Powered
MaxPower 500mA
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 0
bAlternateSetting 0
bNumEndpoints 3
bInterfaceClass 6 Imaging
bInterfaceSubClass 1 Still Image Capture
bInterfaceProtocol 1 Picture Transfer Protocol (PIMA 15470)
iInterface 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x02 EP 2 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 10
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x81 EP 1 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 10
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x83 EP 3 IN
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 0x0040 1x 64 bytes
bInterval 10
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 1
bAlternateSetting 0
bNumEndpoints 2
bInterfaceClass 255 Vendor Specific Class
bInterfaceSubClass 254
bInterfaceProtocol 2
iInterface 9 Apple USB Multiplexor
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x04 EP 4 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x85 EP 5 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
Configuration Descriptor:
bLength 9
bDescriptorType 2
wTotalLength 117
bNumInterfaces 3
bConfigurationValue 4
iConfiguration 8 PTP + Apple Mobile Device + Apple USB Ethernet
bmAttributes 0xc0
Self Powered
MaxPower 500mA
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 0
bAlternateSetting 0
bNumEndpoints 3
bInterfaceClass 6 Imaging
bInterfaceSubClass 1 Still Image Capture
bInterfaceProtocol 1 Picture Transfer Protocol (PIMA 15470)
iInterface 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x02 EP 2 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 10
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x81 EP 1 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 10
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x83 EP 3 IN
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 0x0040 1x 64 bytes
bInterval 10
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 1
bAlternateSetting 0
bNumEndpoints 2
bInterfaceClass 255 Vendor Specific Class
bInterfaceSubClass 254
bInterfaceProtocol 2
iInterface 9 Apple USB Multiplexor
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x04 EP 4 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x85 EP 5 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 2
bAlternateSetting 0
bNumEndpoints 0
bInterfaceClass 255 Vendor Specific Class
bInterfaceSubClass 253
bInterfaceProtocol 1
iInterface 0
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 2
bAlternateSetting 1
bNumEndpoints 2
bInterfaceClass 255 Vendor Specific Class
bInterfaceSubClass 253
bInterfaceProtocol 1
iInterface 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x86 EP 6 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x05 EP 5 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 2
bAlternateSetting 2
bNumEndpoints 2
bInterfaceClass 255 Vendor Specific Class
bInterfaceSubClass 253
bInterfaceProtocol 1
iInterface 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x86 EP 6 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x05 EP 5 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
Device Qualifier (for other device speed):
bLength 10
bDescriptorType 6
bcdUSB 2.00
bDeviceClass 0 (Defined at Interface level)
bDeviceSubClass 0
bDeviceProtocol 0
bMaxPacketSize0 64
bNumConfigurations 4
Device Status: 0x0000
(Bus Powered)
================================================
FILE: dev_desc/desc2.txt
================================================
Speed Full
Bus 001 Device 043: ID 1307:0165 Transcend Information, Inc. 2GB/4GB Flash Drive
Device Descriptor:
bLength 18
bDescriptorType 1
bcdUSB 2.00
bDeviceClass 0 (Defined at Interface level)
bDeviceSubClass 0
bDeviceProtocol 0
bMaxPacketSize0 64
idVendor 0x3340 Transcend Information, Inc.
idProduct 0x3457 2GB/4GB Flash Drive
bcdDevice 1.00
iManufacturer 1
iProduct 2
iSerial 3
bNumConfigurations 1
Configuration Descriptor:
bLength 9
bDescriptorType 2
wTotalLength 39
bNumInterfaces 1
bConfigurationValue 1
iConfiguration 0
bmAttributes 0x80
(Bus Powered)
MaxPower 98mA
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 0
bAlternateSetting 0
bNumEndpoints 3
bInterfaceClass 0 Mass Storage
bInterfaceSubClass 0 SCSI
bInterfaceProtocol 0 Bulk-Only
iInterface 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x81 EP 1 IN
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 0x0404 1x 4 bytes
bInterval 12
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x01 EP 1 IN
bmAttributes 2
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 0x0004 1x 4 bytes
bInterval 12
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x82 EP 1 IN
bmAttributes 1
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 0x0004 1x 4 bytes
bInterval 12
================================================
FILE: dev_desc/desc3.txt
================================================
Speed Full
Bus 001 Device 043: ID 1307:0165 Transcend Information, Inc. 2GB/4GB Flash Drive
Device Descriptor:
bLength 18
bDescriptorType 1
bcdUSB 2.00
bDeviceClass 0 (Defined at Interface level)
bDeviceSubClass 0
bDeviceProtocol 0
bMaxPacketSize0 64
idVendor 0x3340 Transcend Information, Inc.
idProduct 0x3457 2GB/4GB Flash Drive
bcdDevice 1.00
iManufacturer 1
iProduct 2
iSerial 3
bNumConfigurations 1
Configuration Descriptor:
bLength 9
bDescriptorType 2
wTotalLength 48
bNumInterfaces 1
bConfigurationValue 1
iConfiguration 0
bmAttributes 0x80
(Bus Powered)
MaxPower 98mA
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 0
bAlternateSetting 0
bNumEndpoints 3
bInterfaceClass 0 Mass Storage
bInterfaceSubClass 0 SCSI
bInterfaceProtocol 0 Bulk-Only
iInterface 0
iInterface 0
HID Device Descriptor:
bLength 9
bDescriptorType 33
bcdHID 1.10
bCountryCode 0 Not supported
bNumDescriptors 1
bDescriptorType 34 Report
wDescriptorLength 119
Report Descriptors:
** UNAVAILABLE **
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x0A EP 1 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0040 1x 512 bytes
bInterval 1
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x8C EP 2 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0040 1x 512 bytes
bInterval 1
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x85 EP 3 IN
bmAttributes 1
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 0x0040 1x 64 bytes
bInterval 8
================================================
FILE: dev_desc/desc3.txt_tmp
================================================
Speed Full
Bus 001 Device 043: ID 1307:0165 Transcend Information, Inc. 2GB/4GB Flash Drive
Device Descriptor:
bLength 18
bDescriptorType 1
bcdUSB 2.00
bDeviceClass 0 (Defined at Interface level)
bDeviceSubClass 0
bDeviceProtocol 0
bMaxPacketSize0 64
idVendor 0x3340 Transcend Information, Inc.
idProduct 0x3457 2GB/4GB Flash Drive
bcdDevice 1.00
iManufacturer 1
iProduct 2
iSerial 3
bNumConfigurations 1
Configuration Descriptor:
bLength 9
bDescriptorType 2
wTotalLength 48
bNumInterfaces 1
bConfigurationValue 1
iConfiguration 0
bmAttributes 0x80
(Bus Powered)
MaxPower 98mA
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 0
bAlternateSetting 0
bNumEndpoints 3
bInterfaceClass 0 Mass Storage
bInterfaceSubClass 0 SCSI
bInterfaceProtocol 0 Bulk-Only
iInterface 0
iInterface 0
HID Device Descriptor:
bLength 9
bDescriptorType 33
bcdHID 1.10
bCountryCode 0 Not supported
bNumDescriptors 1
bDescriptorType 34 Report
wDescriptorLength 119
Report Descriptors:
** UNAVAILABLE **
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x0A EP 1 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0040 1x 512 bytes
bInterval 1
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x8C EP 2 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0040 1x 512 bytes
bInterval 1
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x85 EP 3 IN
bmAttributes 1
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 0x0040 1x 64 bytes
bInterval 8
================================================
FILE: dev_desc/desc4.txt
================================================
Speed High
Bus 001 Device 004: ID 05e3:0745 Genesys Logic, Inc.
Device Descriptor:
bLength 18
bDescriptorType 1
bcdUSB 2.00
bDeviceClass 0 (Defined at Interface level)
bDeviceSubClass 0
bDeviceProtocol 0
bMaxPacketSize0 64
idVendor 0x05e3 Genesys Logic, Inc.
idProduct 0x0745
bcdDevice 9.02
iManufacturer 0
iProduct 1
iSerial 2
bNumConfigurations 1
Configuration Descriptor:
bLength 9
bDescriptorType 2
wTotalLength 32
bNumInterfaces 1
bConfigurationValue 1
iConfiguration 0
bmAttributes 0x80
(Bus Powered)
MaxPower 500mA
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 0
bAlternateSetting 0
bNumEndpoints 2
bInterfaceClass 8 Mass Storage
bInterfaceSubClass 6 SCSI
bInterfaceProtocol 80 Bulk-Only
iInterface 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x81 EP 1 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x02 EP 2 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
================================================
FILE: dev_desc/desc5.txt
================================================
Speed High
Bus 001 Device 047: ID 17e9:02ee DisplayLink
Device Descriptor:
bLength 18
bDescriptorType 1
bcdUSB 2.00
bDeviceClass 0 (Defined at Interface level)
bDeviceSubClass 0
bDeviceProtocol 0
bMaxPacketSize0 8
idVendor 0x17e9 DisplayLink
idProduct 0x02ee
bcdDevice 1.03
iManufacturer 1
iProduct 2
iSerial 3
bNumConfigurations 1
Configuration Descriptor:
bLength 9
bDescriptorType 2
wTotalLength 66
bNumInterfaces 1
bConfigurationValue 1
iConfiguration 0
bmAttributes 0x80
(Bus Powered)
MaxPower 500mA
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 0
bAlternateSetting 0
bNumEndpoints 3
bInterfaceClass 255 Vendor Specific Class
bInterfaceSubClass 0
bInterfaceProtocol 0
iInterface 0
** UNRECOGNIZED: 1b 5f 01 00 19 05 00 01 03 00 04 04 01 00 03 d0 00 02 04 00 bd 1f 00 01 04 01 02
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x02 EP 1 OUT
bmAttributes 3
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0800 1x 512 bytes
bInterval 5
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x82 EP 2 IN
bmAttributes 0
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 0x0800 1x 8 bytes
bInterval 4
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x0a EP 10 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x1000 1x 512 bytes
bInterval 2
================================================
FILE: dev_desc/desc6.txt
================================================
Bus 007 Device 012: ID 046d:c218 Logitech, Inc. Logitech RumblePad 2 USB
Device Descriptor:
bLength 18
bDescriptorType 1
bcdUSB 1.10
bDeviceClass 0 (Defined at Interface level)
bDeviceSubClass 0
bDeviceProtocol 0
bMaxPacketSize0 8
idVendor 0x046d Logitech, Inc.
idProduct 0xc218 Logitech RumblePad 2 USB
bcdDevice 2.00
iManufacturer 1 Logitech
iProduct 2 Logitech RumblePad 2 USB
iSerial 0
bNumConfigurations 1
Configuration Descriptor:
bLength 9
bDescriptorType 2
wTotalLength 41
bNumInterfaces 1
bConfigurationValue 1
iConfiguration 0
bmAttributes 0x80
(Bus Powered)
MaxPower 500mA
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 0
bAlternateSetting 0
bNumEndpoints 2
bInterfaceClass 3 Human Interface Device
bInterfaceSubClass 0 No Subclass
bInterfaceProtocol 0 None
iInterface 0
HID Device Descriptor:
bLength 9
bDescriptorType 33
bcdHID 1.10
bCountryCode 0 Not supported
bNumDescriptors 1
bDescriptorType 34 Report
wDescriptorLength 122
Report Descriptors:
** UNAVAILABLE **
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x81 EP 1 IN
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 0x0008 1x 8 bytes
bInterval 10
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x01 EP 1 OUT
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 0x0008 1x 8 bytes
bInterval 10
================================================
FILE: dev_desc/desc9.txt
================================================
Speed High
Bus 004 Device 003: ID 0bdb:1911
Device Descriptor:
bLength 18
bDescriptorType 1
bcdUSB 2.00
bDeviceClass 2 Communications
bDeviceSubClass 0
bDeviceProtocol 0
bMaxPacketSize0 64
idVendor 0x0bdb
idProduct 0x1911
bcdDevice 0.00
iManufacturer 1
iProduct 2
iSerial 3
bNumConfigurations 3
Configuration Descriptor:
bLength 9
bDescriptorType 2
wTotalLength 371
bNumInterfaces 11
bConfigurationValue 1
iConfiguration 4
bmAttributes 0xe0
Self Powered
Remote Wakeup
bMaxPower 0mA
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 0
bAlternateSetting 0
bNumEndpoints 0
bInterfaceClass 2 Communications
bInterfaceSubClass 8
bInterfaceProtocol 0
iInterface 5
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 1
bAlternateSetting 0
bNumEndpoints 1
bInterfaceClass 2 Communications
bInterfaceSubClass 2
bInterfaceProtocol 1
iInterface 6
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x8a EP 10 IN
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 16
bInterval 8
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 2
bAlternateSetting 0
bNumEndpoints 2
bInterfaceClass 10 Data
bInterfaceSubClass 0
bInterfaceProtocol 0
iInterface 7
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x01 EP 1 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 512
bInterval 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x81 EP 1 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 512
bInterval 0
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 3
bAlternateSetting 0
bNumEndpoints 1
bInterfaceClass 2 Communications
bInterfaceSubClass 2
bInterfaceProtocol 1
iInterface 8
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x89 EP 9 IN
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 16
bInterval 8
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 4
bAlternateSetting 0
bNumEndpoints 2
bInterfaceClass 10 Data
bInterfaceSubClass 0
bInterfaceProtocol 0
iInterface 9
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x02 EP 2 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 512
bInterval 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x82 EP 2 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 512
bInterval 0
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 5
bAlternateSetting 0
bNumEndpoints 1
bInterfaceClass 2 Communications
bInterfaceSubClass 9
bInterfaceProtocol 1
iInterface 10
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x88 EP 8 IN
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 16
bInterval 8
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 6
bAlternateSetting 0
bNumEndpoints 1
bInterfaceClass 2 Communications
bInterfaceSubClass 13
bInterfaceProtocol 0
iInterface 11
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x86 EP 6 IN
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 8
bInterval 7
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 7
bAlternateSetting 0
bNumEndpoints 0
bInterfaceClass 10 Data
bInterfaceSubClass 0
bInterfaceProtocol 0
iInterface 14
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 8
bAlternateSetting 0
bNumEndpoints 1
bInterfaceClass 2 Communications
bInterfaceSubClass 9
bInterfaceProtocol 1
iInterface 16
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x87 EP 7 IN
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 16
bInterval 8
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 9
bAlternateSetting 0
bNumEndpoints 1
bInterfaceClass 2 Communications
bInterfaceSubClass 2
bInterfaceProtocol 1
iInterface 17
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x84 EP 4 IN
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 16
bInterval 8
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 10
bAlternateSetting 0
bNumEndpoints 2
bInterfaceClass 10 Data
bInterfaceSubClass 0
bInterfaceProtocol 0
iInterface 18
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x03 EP 3 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 512
bInterval 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x83 EP 3 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 512
bInterval 0
Configuration Descriptor:
bLength 9
bDescriptorType 2
wTotalLength 311
bNumInterfaces 9
bConfigurationValue 2
iConfiguration 19
bmAttributes 0xe0
Self Powered
Remote Wakeup
bMaxPower 0mA
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 0
bAlternateSetting 0
bNumEndpoints 0
bInterfaceClass 2 Communications
bInterfaceSubClass 8
bInterfaceProtocol 0
iInterface 5
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 1
bAlternateSetting 0
bNumEndpoints 1
bInterfaceClass 2 Communications
bInterfaceSubClass 2
bInterfaceProtocol 1
iInterface 6
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x8a EP 10 IN
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 16
bInterval 8
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 2
bAlternateSetting 0
bNumEndpoints 2
bInterfaceClass 10 Data
bInterfaceSubClass 0
bInterfaceProtocol 0
iInterface 7
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x01 EP 1 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 512
bInterval 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x81 EP 1 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 512
bInterval 0
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 3
bAlternateSetting 0
bNumEndpoints 1
bInterfaceClass 2 Communications
bInterfaceSubClass 2
bInterfaceProtocol 1
iInterface 8
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x89 EP 9 IN
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 16
bInterval 8
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 4
bAlternateSetting 0
bNumEndpoints 2
bInterfaceClass 10 Data
bInterfaceSubClass 0
bInterfaceProtocol 0
iInterface 9
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x02 EP 2 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 512
bInterval 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x82 EP 2 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 512
bInterval 0
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 5
bAlternateSetting 0
bNumEndpoints 1
bInterfaceClass 2 Communications
bInterfaceSubClass 9
bInterfaceProtocol 1
iInterface 10
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x88 EP 8 IN
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 16
bInterval 8
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 6
bAlternateSetting 0
bNumEndpoints 1
bInterfaceClass 2 Communications
bInterfaceSubClass 13
bInterfaceProtocol 0
iInterface 11
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x86 EP 6 IN
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 8
bInterval 7
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 7
bAlternateSetting 0
bNumEndpoints 0
bInterfaceClass 10 Data
bInterfaceSubClass 0
bInterfaceProtocol 0
iInterface 14
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 8
bAlternateSetting 0
bNumEndpoints 1
bInterfaceClass 2 Communications
bInterfaceSubClass 9
bInterfaceProtocol 1
iInterface 16
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x87 EP 7 IN
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 16
bInterval 8
Configuration Descriptor:
bLength 9
bDescriptorType 2
wTotalLength 32
bNumInterfaces 1
bConfigurationValue 3
iConfiguration 20
bmAttributes 0xe0
Self Powered
Remote Wakeup
bMaxPower 0mA
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 0
bAlternateSetting 0
bNumEndpoints 2
bInterfaceClass 8 Mass Storage
bInterfaceSubClass 6
bInterfaceProtocol 80
iInterface 21
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x85 EP 5 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 512
bInterval 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x05 EP 5 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 512
bInterval 0
================================================
FILE: emulator/__init__.py
================================================
"""
vUSBf: A KVM/QEMU based USB-fuzzing framework.
Copyright (C) 2015 Sergej Schumilo, OpenSource Security Ralf Spenneberg
This file is part of vUSBf.
See the file LICENSE for copying permission.
"""
__author__ = 'Sergej Schumilo'
================================================
FILE: emulator/emulator.py
================================================
"""
vUSBf: A KVM/QEMU based USB-fuzzing framework.
Copyright (C) 2015 Sergej Schumilo, OpenSource Security Ralf Spenneberg
This file is part of vUSBf.
See the file LICENSE for copying permission.
"""
__author__ = 'Sergej Schumilo'
import config


class emulator(object):
    def __init__(self, fuzzer):
        if fuzzer == None:
            raise Exception("fuzzer object null pointer")
        # TODO type check fuzzer object
        self.fuzzer = fuzzer

    # fuzz data and return data as string
    def _fuzz_data(self, scapy_data):
        if scapy_data == None:
            return ""
        else:
            return self.fuzzer.post_fuzzing(scapy_data)

    def get_response(self, data):
        response = self._calc_response(data)
        response = self._fuzz_data(response)
        if config.PRINT_DEVICE_DESCRIPTORS:
            print config.DELIMITER
            response.show()
        return response

    def _calc_response(self, data):
        pass
================================================
FILE: emulator/enumeration.py
================================================
"""
vUSBf: A KVM/QEMU based USB-fuzzing framework.
Copyright (C) 2015 Sergej Schumilo, OpenSource Security Ralf Spenneberg
This file is part of vUSBf.
See the file LICENSE for copying permission.
"""
__author__ = 'Sergej Schumilo'
import os.path, sys, time, random
from emulator import emulator

sys.path.append(os.path.abspath('../'))
from usbparser import *
from fileParser import *
from descFuzzer import *


class enumeration(emulator):
    def __init__(self, fuzzer):
        super(enumeration, self).__init__(fuzzer)
        self.descriptor = self.fuzzer.get_descriptor()
        #print self.descriptor
        self.string_descriptor = self.fuzzer.get_string_descriptor()

    # concatenate a configuration descriptor with all of its interface and endpoint descriptors
    def __get_complete_configuration_descriptor(self, configuration_num):
        configuration = get_configuration_descriptor(self.descriptor, configuration_num)
        if configuration == None:
            return None
        extra_payload = configuration[0]
        for ifDesc in configuration[1]:
            extra_payload = extra_payload / ifDesc[0]
            for e in ifDesc[1]:
                extra_payload = extra_payload / e
        return extra_payload

    def _calc_response(self, data):
        scapy_data = usbredir_parser(data).getScapyPacket()
        packet_length = 0
        extra_payload = None

        # check if data comes from control endpoint
        if scapy_data.Htype != 100:
            return None

        # check if data comes from endpoint 0 (output)
        if scapy_data.endpoint != 0x80:
            return scapy_data

        # wValue of GET_DESCRIPTOR: high byte = descriptor type, low byte = descriptor index
        descriptor_request = scapy_data.value >> (8)
        descriptor_num = scapy_data.value % 256
        request = scapy_data.request

        # device descriptor
        if descriptor_request == 0x01:
            extra_payload = self.descriptor[0]
            packet_length = len(str(extra_payload))

        # configuration descriptor
        elif descriptor_request == 0x02:
            # short request: the host only wants the 9 byte configuration header
            if scapy_data.length <= 9:
                configuration = get_configuration_descriptor(self.descriptor, descriptor_num)
                if configuration == None:
                    extra_payload = None
                else:
                    packet_length = scapy_data.length
                    extra_payload = configuration[0]
            else:
                extra_payload = self.__get_complete_configuration_descriptor(descriptor_num)
                packet_length = len(str(extra_payload))

        # string descriptor
        elif descriptor_request == 0x03:
            if descriptor_num < len(self.string_descriptor) + 1:
                extra_payload = self.string_descriptor[descriptor_num - 1]
            else:
                extra_payload = usb_string_descriptor('\x04\x03\x09\04')
            packet_length = len(str(extra_payload))
            #extra_payload.show()

        # redir stuff
        scapy_data.HLength = 10 + len(str(extra_payload))
        scapy_data.status = 0
        scapy_data.length = packet_length
        if extra_payload is None:
            scapy_data.HLength = 10
            return scapy_data
        return (scapy_data / extra_payload)
================================================
FILE: emulator/enumeration_abortion.py
================================================
"""
vUSBf: A KVM/QEMU based USB-fuzzing framework.
Copyright (C) 2015 Sergej Schumilo, OpenSource Security Ralf Spenneberg
This file is part of vUSBf.
See the file LICENSE for copying permission.
"""
__author__ = 'Sergej Schumilo'
import os.path, sys
from enumeration import enumeration

lib_path = os.path.abspath('../')
sys.path.append(lib_path)


class abortion_enumeration(enumeration):
    max_number_of_packets = 13

    def __init__(self, fuzzer):
        super(abortion_enumeration, self).__init__(fuzzer)
        self.count = 0

    def _calc_response(self, data):
        if self.count == self.max_number_of_packets:
            return ""
        else:
            self.count += 1
            return super(abortion_enumeration, self)._calc_response(data)
================================================
FILE: emulator/hid.py
================================================
"""
vUSBf: A KVM/QEMU based USB-fuzzing framework.
Copyright (C) 2015 Sergej Schumilo, OpenSource Security Ralf Spenneberg
This file is part of vUSBf.
See the file LICENSE for copying permission.
"""
__author__ = 'Sergej Schumilo'
import os.path, sys, random
from enumeration import enumeration

sys.path.append(os.path.abspath('../'))
from usbparser import *
from descFuzzer import *


class hid(enumeration):
    def __init__(self, fuzzer):
        super(hid, self).__init__(fuzzer)

    def __read_reports(self, reports_file):
        return "\x00\x00\x00\x00\x00\x00\x00\x00\x00"

    # read a report descriptor stored as space separated hex bytes
    def __read_report_descriptor(self, report_descriptor_file):
        raw_data = ""
        f = open(report_descriptor_file)
        try:
            for line in f:
                raw_data += line
        finally:
            f.close()
        raw_data = raw_data.replace("\n", "").replace(" ", "\\x")
        # drop the dangling "\x" produced by a trailing space
        if raw_data.endswith("\\x"):
            raw_data = raw_data[:-2]
        raw_data = raw_data.decode('string-escape')
        Raw(raw_data).show()
        return raw_data

    def _calc_response(self, data):
        scapy_data = usbredir_parser(data).getScapyPacket()
        packet_length = 0
        extra_payload = None
        try:
            descriptor_request = scapy_data.value >> (8)
            descriptor_num = scapy_data.value % 256
            request = scapy_data.request

            # report request
            if request == 1:
                report = ""
                for i in range(scapy_data.length):
                    report += chr(random.randint(0, 255))
                scapy_data.HLength = 10 + scapy_data.length
                # reply with the random report generated above
                extra_payload = report
                return (scapy_data / extra_payload)

            # report_descriptor request
            elif descriptor_request == 0x22:
                scapy_data.status = 0
                scapy_data.HLength = 10 + scapy_data.length
                # report_desc is not assigned anywhere in this class; the resulting
                # AttributeError is caught below and the request falls back to enumeration
                extra_payload = self.report_desc
                return (scapy_data / extra_payload)
            else:
                return super(hid, self)._calc_response(data)
        except:
            return super(hid, self)._calc_response(data)
================================================
FILE: fileParser.py
================================================
"""
vUSBf: A KVM/QEMU based USB-fuzzing framework.
Copyright (C) 2015 Sergej Schumilo, OpenSource Security Ralf Spenneberg
This file is part of vUSBf.
See the file LICENSE for copying permission.
"""
import copy

from usbscapy import *


class usbdescFileParser:
    descriptor_types = ["Device Descriptor:",
                        "Configuration Descriptor:",
                        "Interface Descriptor:",
                        "Endpoint Descriptor:",
                        "HID Descriptor:",
                        "** UNRECOGNIZED:"
                        ]
    data = ""
    speed = 2

    def __init__(self, filePath):
        try:
            f = open(filePath)
            data = ""
            for line in f:
                if not line.startswith("Bus") and not line.startswith("Speed"):
                    data = data + line
                elif line.startswith("Speed"):
                    value = line.split("Speed")[1].replace(" ", "").replace("\t", "").replace("\n", "")
                    if value == "Low":
                        self.speed = 0
                    elif value == "Full":
                        self.speed = 1
                    elif value == "High":
                        self.speed = 2
                    elif value == "Super":
                        self.speed = 3
                    elif value == "Unkown":
                        self.speed = 255
                    else:
                        self.speed = 255
            f.close()
            self.data = data.replace("HID Device Descriptor:", "HID Descriptor:")
        except:
            raise Exception("file not found")

    def parse(self):
        data = self.data
        descriptor_types = self.descriptor_types
        data = data.replace("HID Device Descriptor:", "HID Descriptor:")
        # split the dump into one chunk per descriptor
        for descriptor_type in descriptor_types:
            data = data.replace(descriptor_type, "; " + descriptor_type)
        data = data.split(";")

        connectPacket = connect_redir_header()
        interface_info = if_info_redir_header()
        endpoint_info = ep_info_redir_header()
        scapyPacket = None
        devDesc = None
        confDesc = None

        # build payload
        for line in data:
            newLayer = self.__parseDescriptor(line)

            # add device descriptor to list
            if type(newLayer) == usb_device_descriptor:
                devDesc = [newLayer, []]
            # add configuration descriptor to list
            elif type(newLayer) == usb_configuration_descriptor and devDesc != None:
                devDesc[1].append([newLayer, []])
            # add interface descriptor to list
            elif type(newLayer) == usb_interface_descriptor and devDesc[1] != None:
                devDesc[1][len(devDesc[1]) - 1][1].append([newLayer, []])
            # add endpoint / HID descriptor to list
            elif (type(newLayer) == usb_endpoint_descriptor or type(newLayer) == usb_hid_descriptor) and devDesc[1] != None:
                if devDesc[1][len(devDesc[1]) - 1] != None:
                    devDesc[1][len(devDesc[1]) - 1][1][len(devDesc[1][len(devDesc[1]) - 1][1]) - 1][1].append(newLayer)

            # scapyPacket
            if newLayer != None:
                if scapyPacket == None:
                    scapyPacket = newLayer
                else:
                    scapyPacket = scapyPacket / newLayer

        # connect packet
        connectPacket.speed = self.speed
        connectPacket.device_class = scapyPacket.bDeviceClass
        connectPacket.device_subclass = scapyPacket.bDeviceSubClass
        connectPacket.device_protocol = scapyPacket.bDeviceProtocol
        connectPacket.vendor_id = scapyPacket.isVendor
        connectPacket.product_id = scapyPacket.idProduct
        connectPacket.device_version_bcd = scapyPacket.bcdDevice

        # interface info
        tmp = scapyPacket
        interface = []
        interface_class = []
        interface_subclass = []
        interface_protocol = []
        while True:
            if tmp.haslayer(usb_interface_descriptor):
                if tmp[usb_interface_descriptor].bInterfaceNumber != None:
                    interface.append(tmp[usb_interface_descriptor].bInterfaceNumber)
                    interface_class.append(tmp[usb_interface_descriptor].bInterfaceClass)
                    interface_subclass.append(tmp[usb_interface_descriptor].bInterfaceSubClass)
                    interface_protocol.append(tmp[usb_interface_descriptor].bInterfaceProtocol)
                tmp = tmp[usb_interface_descriptor].payload
            else:
                break

        # pad the interface tables to 32 entries
        interface_count = len(interface)
        for i in range(32 - interface_count):
            interface.append(0)
            interface_class.append(0)
            interface_subclass.append(0)
            interface_protocol.append(0)

        interface_info.interface_count = interface_count
        interface_info.interface = interface
        interface_info.interface_class = interface_class
        interface_info.interface_subclass = interface_subclass
        interface_info.interface_protocol = interface_protocol

        # endpoint_info
        datacopy = copy.deepcopy(scapyPacket)
        interface_num = 0

        # bmAttributes Bits 0..1 Transfer Type
        # 00 = Control
        # 01 = Isochronous
        # 10 = Bulk
        # 11 = Interrupt
        ep_info_type = []
        ep_info_interval = []
        ep_info_interface = []
        ep_info_max_packet_size = []
        for i in range(32):
            ep_info_type.append(255)  # INVALID
            ep_info_interval.append(0)
            ep_info_interface.append(0)
            ep_info_max_packet_size.append(0)

        # DEFAULT CONTROL EP
        ep_info_type[0] = 0
        ep_info_type[16] = 0

        while True:
            if type(datacopy) == usb_interface_descriptor:
                interface_num = datacopy.bInterfaceNumber
            elif type(datacopy) == usb_endpoint_descriptor:
                if not (datacopy.bmAttribut == None or datacopy.bInterval == None or datacopy.wMaxPacketSize == None):
                    # CALC POSITION: slots 0..15 hold OUT endpoints, slots 16..31 hold IN endpoints
                    pos = 0
                    if datacopy.bEndpointAddress >= 0x80:
                        pos = (datacopy.bEndpointAddress - 0x80) + 16
                    else:
                        pos = datacopy.bEndpointAddress
                    ep_info_type[pos] = (datacopy.bmAttribut % 4)
                    ep_info_interval[pos] = datacopy.bInterval
                    ep_info_interface[pos] = interface_num
                    ep_info_max_packet_size[pos] = datacopy.wMaxPacketSize
            datacopy = datacopy.payload
            if str(datacopy) == "":
                break

        endpoint_info.ep_type = ep_info_type
        endpoint_info.interval = ep_info_interval
        endpoint_info.interface = ep_info_interface
        endpoint_info.max_packet_size = ep_info_max_packet_size

        return devDesc, confDesc, connectPacket, interface_info, endpoint_info

    # copy the "name value" pairs of one descriptor chunk onto the scapy layer
    def __parser(self, desc, data):
        data = data.split("\n")
        i = 1
        while i < len(data):
            split = filter(None, (data[i].split(" ")))
            if len(split) >= 2:
                # HEX VALUES
                if split[1].startswith("0x"):
                    split[1] = int(split[1], 16)
                # OTHER HEX VALUES
                elif "." in split[1]:
                    split[1] = split[1].replace(".", "")
                    if len(split[1]) != 4:
                        split[1] = "0" + split[1]
                    split[1] = "0x" + split[1]
                    split[1] = int(split[1], 16)
                # mA VALUES
                elif "mA" in split[1]:
                    split[1] = int(split[1].replace("mA", ""), 10) / 2
                # INT VALUES
                else:
                    try:
                        split[1] = int(split[1], 10)
                    except:
                        split[1] = "VOID"

                # SOME FIXES
                if split[0] == "idVendor":
                    split[0] = "isVendor"
                elif split[0] == "bMaxPacketSize0":
                    split[0] = "bMaxPacketSize"
                elif split[0] == "MaxPower":
                    split[0] = "bMaxPower"
                elif split[0] == "bmAttributes":
                    split[0] = "bmAttribut"
                elif split[0] == "iSerial":
                    split[0] = "iSerialNumber"

                if split[0] == "bDescriptorType":
                    pass
                setattr(desc, split[0], split[1])
            i += 1
        return desc

    def __parseDescriptor(self, data):
        descriptor_types = self.descriptor_types

        # RAW DATA
        if "** UNRECOGNIZED:" in data:
            rawData = data.split(":")[1].replace(" ", "").replace("\n", "")
            i = 0
            newRawData = ""
            while i < len(rawData):
                newRawData = newRawData + chr(int(rawData[i:i + 2], 16))
                i += 2
            return Raw(newRawData)

        desctypes = str(descriptor_types)
        desctype = data.split(":")[0][1:] + ":"
        if not desctype in desctypes:
            return None
        else:
            if desctype == descriptor_types[0]:
                desc = usb_device_descriptor()
                return self.__parser(desc, data)
            elif desctype == descriptor_types[1]:
                desc = usb_configuration_descriptor()
                return self.__parser(desc, data)
            elif desctype == descriptor_types[2]:
                desc = usb_interface_descriptor()
                return self.__parser(desc, data)
            elif desctype == descriptor_types[3]:
                desc = usb_endpoint_descriptor()
                return self.__parser(desc, data)
            elif desctype == descriptor_types[4]:
                desc = usb_hid_descriptor()
                self.__parser(desc, data)
                desc.bDescriptorType = 33
                desc.bDescriptorType2 = 34
                return desc

#test = usbdescFileParser("./dev_desc/desc3.txt").parse()
================================================
FILE: fuzzer.py
================================================
"""
vUSBf: A KVM/QEMU based USB-fuzzing framework.
Copyright (C) 2015 Sergej Schumilo, OpenSource Security Ralf Spenneberg
This file is part of vUSBf.
See the file LICENSE for copying permission.
"""
from usbscapy import usb_string_descriptor


class fuzzer(object):
    def __init__(self, test):
        self.test = test
        # Initialised here so get_descriptor() works before set_descriptor() is called
        self.descriptor = None
        self.string_descriptor = None

    def set_descriptor(self, descriptor):
        self.descriptor = descriptor

    def set_string_descriptor(self, string_descriptor):
        self.string_descriptor = string_descriptor

    def get_descriptor(self):
        return self.descriptor

    def get_string_descriptor(self):
        # if self.string_descriptor is None:
        min_d = usb_string_descriptor('\x04\x03\x09\01')
        max_d = usb_string_descriptor(
'\xfe\x03\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P\x00P')
        format_string = usb_string_descriptor(
'\xfe\x03%\x00\x00\x00%\x00\x01\x00%\x00\x02\x00%\x00\x03\x00%\x00\x04\x00%\x00\x05\x00%\x00\x06\x00%\x00\x07\x00%\x00\x08\x00%\x00\t\x00%\x00\n\x00%\x00\x0b\x00%\x00\x0c\x00%\x00\r\x00%\x00\x0e\x00%\x00\x0f\x00%\x00\x10\x00%\x00\x11\x00%\x00\x12\x00%\x00\x13\x00%\x00\x14\x00%\x00\x15\x00%\x00\x16\x00%\x00\x17\x00%\x00\x18\x00%\x00\x19\x00%\x00\x1a\x00%\x00\x1b\x00%\x00\x1c\x00%\x00\x1d\x00%\x00\x1e\x00%\x00\x1f\x00%\x00 \x00%\x00!\x00%\x00"\x00%\x00#\x00%\x00$\x00%\x00%\x00%\x00&\x00%\x00\'\x00%\x00(\x00%\x00)\x00%\x00*\x00%\x00+\x00%\x00,\x00%\x00-\x00%\x00.\x00%\x00/\x00%\x000\x00%\x001\x00%\x002\x00%\x003\x00%\x004\x00%\x005\x00%\x006\x00%\x007\x00%\x008\x00%\x009\x00%\x00:\x00%\x00;\x00%\x00<\x00%\x00=\x00%\x00>\x00')
        # Note: max_d is built above but not added to the list; min_d is appended twice.
        string_descriptor_list = []
        string_descriptor_list.append(min_d)
        string_descriptor_list.append(min_d)
        string_descriptor_list.append(format_string)
        return string_descriptor_list

    def post_fuzzing(self, scapy_data):
        # return scapy_data
        if self.test is None:
            raise Exception('Test is not set')
        test_elements = self.test.get_testcases()
        tmp = scapy_data
        i = 0
        # Walk every layer of the scapy packet and overwrite the fields named by the test cases
        while len(str(tmp)) != 0:
            try:
                for i in range(len(test_elements)):
                    if True:
                        if test_elements[i].get_packet_type() == "ALL":
                            # "ALL": try the field on every layer, ignore layers that lack it
                            try:
                                setattr(tmp, test_elements[i].get_field(), test_elements[i].get_value())
                            except:
                                pass
                        # Otherwise only the layer whose class name matches the packet type
                        elif test_elements[i].get_packet_type().lower() == str(type(tmp)).split(".")[1].split("'")[0]:
                            setattr(tmp, test_elements[i].get_field(), test_elements[i].get_value())
                    i += 1
            except:
                pass
            tmp = tmp.payload
        return scapy_data
================================================
FILE: help.txt
================================================
Usage: vusbf.py [Running Type] [Fuzzing Type] [Target Type]
Target Specification:
-o <target.conf>: name of a target configuration file (stored at ./configurations/)
Fuzzing Specification:
-e <execution-name>: name of an execution (stored in execution.xml) which should be executed
(default xml files are stored in ./fuzz_configuration)
-ef <execution.xml>: path of an alternative execution-xml file
-tf <test.xml>: path of an alternative test-xml file
-cf <testcase.xml>: path of an alternative testcase-xml file
(the following options can be used multiple times; however, they cannot be combined with clustering options)
-n <execution-number>: execute a specific test (can be useful for reproducing an error)
-nr <execution-range>: same as described above, but specifies a range of numbers [NOT IMPLEMENTED YET :-)]
Running Specification:
-eon <ip> <port> <payl> sending specified payload (NETWORK)
-eo <payl> sending specified payload
-v1 verbose level 1 (output device descriptor & control data)
-v2 verbose level 2 (raw redir data)
-sp <ip> <port> single core mode (but sending data to an external process)
(automatic mode)
-r single core mode
-rm multiprocessing mode
(clustering mode)
(Warning: These features are experimental and could cause deadlocks!)
-s <ip> <port> starting a test-distributor-server
-sc <ip> <port> starting a hybrid client-server [NOT IMPLEMENTED YET :-)]
-c <ip> <port> starting a client
-p specify number of processes
Extras:
-l list all available payloads
-L list all supported emulators
-h print help message
-sh shuffle job list
-rl reload mode (disable burst mode)
Example:
LIST ALL AVAILABLE PAYLOADS:
python vusbf.py -l
SEND PAYLOAD TO EXTERNAL QEMU INSTANCE:
python vusbf.py -eon 127.0.0.1 1235 panic_1.obj
EXECUTE PAYLOAD:
python vusbf.py -eo panic_1.obj -o ubuntu1404.config -v1
RUN SINGLECORE MODE (EXTERN VM):
python vusbf.py -sp 127.0.0.1 1235 -e ex2
RUN SINGLECORE MODE:
python vusbf.py -r -e ex1 -o ubuntu1404.config -rl
RUN MULTICORE MODE (20 PROCESSES):
python vusbf.py -rm -p 20 -e ex1 -o ubuntu1404.config -rl
================================================
FILE: log/deadlock_check.sh
================================================
watch -n 30 "find -cmin +2 -cmin -100000"
================================================
FILE: log/freebsd_monitor.sh
================================================
cat vusbf_log_* | egrep 'Fatal trap|panic:|#1 |#2 |#3 |#4 |#5 |#6 |#7 |#8 ' | grep -v " savecore: reboot after panic:" | sort -u;
echo "";
printf 'TEST:\t' ;
cat vusbf_log_* | grep -i 'TEST #' | wc -l ;
printf 'Fatal trap:\t' ;
cat vusbf_log_* | grep 'Fatal trap' | wc -l;
printf 'Kernel Panics:\t' ;
cat vusbf_log_* | grep -i 'panic' | wc -l
================================================
FILE: log/linux_monitor.sh
================================================
cat vusbf_log_* | egrep 'BUG|segfault|panic|recursive|Segmentation' | cut -c 16- | sort -u;
echo "";
printf 'TEST:\t' ;
cat vusbf_log_* | grep -i 'TEST #' | wc -l ;
printf 'Bugs:\t' ;
cat vusbf_log_* | grep 'BUG' | wc -l;
printf 'Kernel Panics:\t' ;
cat vusbf_log_* | grep -i 'panic' | wc -l
printf 'Reboot needed:\t' ;
cat vusbf_log_* | grep -i 'recursive' | wc -l
printf 'Segfault:\t'
cat vusbf_log_* | grep -i 'seg' | wc -l
================================================
FILE: monitor/__init__.py
================================================
"""
vUSBf: A KVM/QEMU based USB-fuzzing framework.
Copyright (C) 2015 Sergej Schumilo, OpenSource Security Ralf Spenneberg
This file is part of vUSBf.
See the file LICENSE for copying permission.
"""
__author__ = 'Sergej Schumilo'
================================================
FILE: monitor/freebsd_monitor.py
================================================
"""
vUSBf: A KVM/QEMU based USB-fuzzing framework.
Copyright (C) 2015 Sergej Schumilo, OpenSource Security Ralf Spenneberg
This file is part of vUSBf.
See the file LICENSE for copying permission.
"""
__author__ = 'Sergej Schumilo'
from linux_monitor import linux_monitor


# TODO include me :-)
class freebsd_monitor(linux_monitor):
    def __init__(self, qemu, filename):
        self.qemu = qemu
        super(freebsd_monitor, self).__init__(qemu, filename)

    def monitor(self, title):
        # __monitor is name-mangled inside linux_monitor, so a subclass has to
        # call it under its mangled name.
        _tmp = self._linux_monitor__monitor(title)
        if "Automatic reboot in " in _tmp[1]:
            self.qemu.repair_image()
        return _tmp[0]
================================================
FILE: monitor/linux_monitor.py
================================================
"""
vUSBf: A KVM/QEMU based USB-fuzzing framework.
Copyright (C) 2015 Sergej Schumilo, OpenSource Security Ralf Spenneberg
This file is part of vUSBf.
See the file LICENSE for copying permission.
"""
__author__ = 'Sergej Schumilo'
from monitor import monitor
import fcntl
from scapy.all import *
# Explicit imports for names the code below uses (previously taken from the star import)
import os
import sys
from select import select

sys.path.append(os.path.abspath('../'))
import config


class linux_monitor(monitor):
    def __init__(self, qemu, filename):
        super(linux_monitor, self).__init__(qemu, filename)

    def monitor(self, title):
        return self.__monitor(title)[0]

    def __non_block_read(self, output):
        # Switch the pipe to non-blocking mode; a read with no data pending yields ""
        fd = output.fileno()
        fl = fcntl.fcntl(fd, fcntl.F_GETFL)
        fcntl.fcntl(fd, fcntl.F_SETFL, fl | os.O_NONBLOCK)
        try:
            return output.read()
        except:
            return ""

    def __monitor(self, title):
        data = ""
        try_to_read = 0
        while True:
            # Too much serial output: restart the VM and stop reading
            if data.count('\n') >= config.SERIAL_READ_MAX_LINES:
                data = data + config.MESSAGE_TOO_MUCH_DATA
                self.qemu.kill()
                self.qemu.start()
                break
            fd = select([self.qemu.process.stdout], [], [], config.SERIAL_READ_TIMEOUT)
            fd = fd[0]
            if len(fd) != 0:
                if fd[0]:
                    tmp = self.__non_block_read(fd[0])
                    if tmp == "":
                        break
                    else:
                        data = data + tmp
                        try_to_read = 0
                else:
                    break
            #else:
            #    pass
            try_to_read += 1
            if try_to_read >= config.SERIAL_READ_RETRIES:
                break
        # Strip QEMU monitor echo and control characters; if nothing is left, there is nothing to log
        try:
            tmp_data = data.split("\r")[1].translate(None, "\n ").replace("(qemu)", "").replace("replay", "").replace(
                "loadvm", "")
        except:
            return False, ""
        if len(tmp_data) == 0:
            return False, ""
        tmp_data = tmp_data.translate(None, "\x6c\x5b\x4b\x44\x6f\x61\x64\x76\x72\x65\x70")
        if len(tmp_data) == 0:
            return False, ""
        if str(Raw(tmp_data.replace("\x1b", ""))).encode("hex") == "":
            return False, ""
        _tmp = data
        data = data.split("\n")
        data2 = title + "\n"  # + data + delimiter
        # Append the title, the filtered console lines and the delimiter to the log file
        f = open(self.filename, "a")
        f.write(data2)
        for line in data:
            if not line.startswith("(qemu)") and not line.startswith(
                    "QEMU ") and not "Clocksource tsc unstable (delta" in line:
                f.write(line + "\n")
        f.write(config.DELIMITER + "\n")
        f.close()
        return True, _tmp
================================================
FILE: monitor/monitor.py
================================================
"""
vUSBf: A KVM/QEMU based USB-fuzzing framework.
Copyright (C) 2015 Sergej Schumilo, OpenSource Security Ralf Spenneberg
This file is part of vUSBf.
See the file LICENSE for copying permission.
"""
__author__ = 'Sergej Schumilo'
import sys
import os

sys.path.append(os.path.abspath('../'))
import config


class monitor(object):
    def __init__(self, qemu, filename):
        if qemu == None:
            raise Exception("qemu null pointer")
        self.qemu = qemu
        if filename == None:
            raise Exception("filename null pointer")
        self.filename = filename

    def log_reload(self):
        if self.filename != "":
            f = open(self.filename, "a")
            f.write(config.MESSAGE_VM_RELOAD)
            f.close()

    def monitor(self, title):
        pass
================================================
FILE: payload/i2400m_usb_bug.info
================================================
This payload results in an endless printk loop.
@ Linux ubuntu-victim 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
================================================
FILE: payload/i2400m_usb_bug.obj
================================================
REPRODUCE_KEY:
MQoKMzI5MDL/aXNWZW5kb3L/QUxMCjUxMjb/aWRQcm9kdWN0/0FMTAoy/2JEZXZpY2VDbGFzc/9BTEwKMv9iSW50ZXJmYWNlQ2xhc3P/QUxMCjEw/2JOdW1FbmRwb2ludHP/VVNCX0ludGVyZmFjZV9EZXNjcmlwdG9yCjEwMP9iTnVtSW50ZXJmYWNlc/9VU0JfQ29uZmlndXJhdGlvbl9EZXNjcmlwdG9yCgpkZXNjcmlwdG9y/2Rlc2MzLnR4dAplbXVsYXRvcv9lbnVtZXJhdGlvbgo=
REPRODUCE_KEY:
MgoKMzI5MDL/aXNWZW5kb3L/QUxMCjUxMjb/aWRQcm9kdWN0/0FMTAoy/2JEZXZpY2VDbGFzc/9BTEwKMv9iSW50ZXJmYWNlQ2xhc3P/QUxMCjEw/2JOdW1FbmRwb2ludHP/VVNCX0ludGVyZmFjZV9EZXNjcmlwdG9yCjEwMP9iTnVtSW50ZXJmYWNlc/9VU0JfQ29uZmlndXJhdGlvbl9EZXNjcmlwdG9yCgpkZXNjcmlwdG9y/2Rlc2MzLnR4dAplbXVsYXRvcv9lbnVtZXJhdGlvbgo=
================================================
FILE: payload/keyspan_null_ptr.info
================================================
This payload results in a NULL pointer dereference (NULL) @ keyspan_open.
@ Linux ubuntu-victim 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
================================================
FILE: payload/keyspan_null_ptr.obj
================================================
REPRODUCE_KEY:
MQoKMTc0Mf9pc1ZlbmRvcv9BTEwKMjY4/2lkUHJvZHVjdP9BTEwKMjU1/2JEZXZpY2VDbGFzc/9BTEwKMjU1/2JJbnRlcmZhY2VDbGFzc/9BTEwKMTj/Yk51bUVuZHBvaW50c/9VU0JfSW50ZXJmYWNlX0Rlc2NyaXB0b3IKMTAw/2JOdW1JbnRlcmZhY2Vz/1VTQl9Db25maWd1cmF0aW9uX0Rlc2NyaXB0b3IKCmRlc2NyaXB0b3L/ZGVzYzMudHh0CmVtdWxhdG9y/2VudW1lcmF0aW9uCg==
================================================
FILE: payload/mal_payload.obj
================================================
REPRODUCE_KEY:
MQoKMf9pc1ZlbmRvcv9BTEwKNTE2M/9pZFByb2R1Y3T/QUxMCjH/YkRldmljZUNsYXNz/0FMTAox/2JJbnRlcmZhY2VDbGFzc/9BTEwKCmRlc2NyaXB0b3L/ZGVzYzMudHh0CmVtdWxhdG9y/2VudW1lcmF0aW9uCg==
REPRODUCE_KEY:
MgoKMf9pc1ZlbmRvcv9BTEwKNTE2M/9pZFByb2R1Y3T/QUxMCjL/YkRldmljZUNsYXNz/0FMTAoy/2JJbnRlcmZhY2VDbGFzc/9BTEwKCmRlc2NyaXB0b3L/ZGVzYzMudHh0CmVtdWxhdG9y/2VudW1lcmF0aW9uCg==
================================================
FILE: payload/mal_payload2.obj
================================================
NDQ5MTUKCjg0NTf/aWRQcm9kdWN0/0FMTAoxMDAz/2lzVmVuZG9y/0FMTAoxMf9iRGV2aWNlQ2xhc3P/dXNiX2RldmljZV9kZXNjcmlwdG9yCjEx/2JJbnRlcmZhY2VDbGFzc/91c2JfaW50ZXJmYWNlX2Rlc2NyaXB0b3IKMP9iTnVtRW5kcG9pbnRz/3VzYl9pbnRlcmZhY2VfZGVzY3JpcHRvcgoKZGVzY3JpcHRvcv9kZXNjMi50eHQKZW11bGF0b3L/ZW51bWVyYXRpb24KcmVsb2FkLXZt/25vCg==
================================================
FILE: payload/old_payload/i2400m_usb_bug.info
================================================
This payload results in an endless printk loop.
@ Linux ubuntu-victim 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
================================================
FILE: payload/old_payload/i2400m_usb_bug.obj
================================================
================================================
FILE: payload/old_payload/keyspan_null_ptr.info
================================================
This payload results in a NULL pointer dereference (NULL) @ keyspan_open.
@ Linux ubuntu-victim 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
================================================
FILE: payload/old_payload/keyspan_null_ptr.obj
================================================
================================================
FILE: payload/old_payload/mal_payload.obj
================================================
================================================
FILE: payload/old_payload/panic_1.info
================================================
This payload causes a kernel panic.
@ Linux ubuntu-victim 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
================================================
FILE: payload/old_payload/panic_1.obj
================================================
================================================
FILE: payload/old_payload/panic_2.info
================================================
This payload causes a kernel panic.
@ Linux ubuntu-victim 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
================================================
FILE: payload/old_payload/panic_2.obj
================================================
================================================
FILE: payload/old_payload/panic_3.obj
================================================
================================================
FILE: payload/old_payload/smsusb_null_ptr.info
================================================
This payload results in a NULL pointer dereference (0000000000000004) @ smsusb_probe.
@ Linux ubuntu-victim 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
================================================
FILE: payload/old_payload/smsusb_null_ptr.obj
================================================
================================================
FILE: payload/old_payload/udlfb.info
================================================
Abort transmission of the 3rd payload to cause a kernel panic.
@ Linux debian-7 3.15.0-rc5 #2 SMP Mon May 19 15:57:11 CEST 2014 x86_64 GNU/Linux
================================================
FILE: payload/old_payload/udlfb.obj
================================================
================================================
FILE: payload/old_payload/usbserial_bug.info
================================================
This payload results in an endless printk loop.
@ Handspring Visor / Palm OS
@ Linux ubuntu-victim 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
================================================
FILE: payload/old_payload/usbserial_bug.obj
================================================
================================================
FILE: payload/old_payload/usbserial_null_ptr.info
================================================
This payload results in a NULL pointer dereference (0000000000000260) @ usb_serial_probe.
@ Linux ubuntu-victim 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
================================================
FILE: payload/old_payload/usbserial_null_ptr.obj
================================================
================================================
FILE: payload/old_payload/windows_bod.obj
================================================
================================================
FILE: payload/panic_1.info
================================================
This payload causes a kernel panic.
@ Linux ubuntu-victim 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
================================================
FILE: payload/panic_1.obj
================================================
================================================
FILE: payload/panic_2.info
================================================
This payload causes a kernel panic.
@ Linux ubuntu-victim 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
================================================
FILE: payload/panic_2.obj
================================================
================================================
FILE: payload/panic_3.obj
================================================
REPRODUCE_KEY:
MQoKMTg5Mf9pc1ZlbmRvcv9BTEwKNDExN/9pZFByb2R1Y3T/QUxMCjI1Nf9iRGV2aWNlQ2xhc3P/QUxMCjI1Nf9iSW50ZXJmYWNlQ2xhc3P/QUxMCjH/Yk51bUVuZHBvaW50c/9VU0JfSW50ZXJmYWNlX0Rlc2NyaXB0b3IKMTD/Yk51bUludGVyZmFjZXP/VVNCX0NvbmZpZ3VyYXRpb25fRGVzY3JpcHRvcgoKZGVzY3JpcHRvcv9kZXNjMy50eHQKZW11bGF0b3L/ZW51bWVyYXRpb24K
REPRODUCE_KEY:
MgoKMTg5Mf9pc1ZlbmRvcv9BTEwKNDExN/9pZFByb2R1Y3T/QUxMCjI1Nf9iRGV2aWNlQ2xhc3P/QUxMCjI1Nf9iSW50ZXJmYWNlQ2xhc3P/QUxMCjH/Yk51bUVuZHBvaW50c/9VU0JfSW50ZXJmYWNlX0Rlc2NyaXB0b3IKMTD/Yk51bUludGVyZmFjZXP/VVNCX0NvbmZpZ3VyYXRpb25fRGVzY3JpcHRvcgoKZGVzY3JpcHRvcv9kZXNjMy50eHQKZW11bGF0b3L/ZW51bWVyYXRpb24K
================================================
FILE: payload/smsusb_null_ptr.info
================================================
This payload results in a NULL pointer dereference (0000000000000004) @ smsusb_probe.
@ Linux ubuntu-victim 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
================================================
FILE: payload/smsusb_null_ptr.obj
================================================
REPRODUCE_KEY:
MQoKNjI3Mf9pc1ZlbmRvcv9BTEwKNzY5/2lkUHJvZHVjdP9BTEwKMv9iRGV2aWNlQ2xhc3P/QUxMCjL/YkludGVyZmFjZUNsYXNz/0FMTAoyM/9iTnVtRW5kcG9pbnRz/1VTQl9JbnRlcmZhY2VfRGVzY3JpcHRvcgo1/2JOdW1JbnRlcmZhY2Vz/1VTQl9Db25maWd1cmF0aW9uX0Rlc2NyaXB0b3IKCmRlc2NyaXB0b3L/ZGVzYzMudHh0CmVtdWxhdG9y/2VudW1lcmF0aW9uCg==
================================================
FILE: payload/tests/test.obj
================================================
================================================
FILE: payload/tests/test2.obj
================================================
================================================
FILE: payload/tests/test3.obj
================================================
================================================
FILE: payload/udlfb.info
================================================
Abort transmission of the 3rd payload to cause a kernel panic.
@ Linux debian-7 3.15.0-rc5 #2 SMP Mon May 19 15:57:11 CEST 2014 x86_64 GNU/Linux
================================================
FILE: payload/udlfb.obj
================================================
================================================
FILE: payload/usbserial_bug.info
================================================
This payload results in an endless printk loop.
@ Handspring Visor / Palm OS
@ Linux ubuntu-victim 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
================================================
FILE: payload/usbserial_bug.obj
================================================
REPRODUCE_KEY:
MQoKMjA5M/9pc1ZlbmRvcv9BTEwKMjU2/2lkUHJvZHVjdP9BTEwKMf9iRGV2aWNlQ2xhc3P/QUxMCjH/YkludGVyZmFjZUNsYXNz/0FMTAoyN/9iTnVtRW5kcG9pbnRz/1VTQl9JbnRlcmZhY2VfRGVzY3JpcHRvcgoxMDD/Yk51bUludGVyZmFjZXP/VVNCX0NvbmZpZ3VyYXRpb25fRGVzY3JpcHRvcgoKZGVzY3JpcHRvcv9kZXNjMy50eHQKZW11bGF0b3L/ZW51bWVyYXRpb24K
================================================
FILE: payload/usbserial_null_ptr.info
================================================
This payload results in a NULL pointer dereference (0000000000000260) @ usb_serial_probe.
@ Linux ubuntu-victim 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
================================================
FILE: payload/usbserial_null_ptr.obj
================================================
REPRODUCE_KEY:
MQoKMTgwOP9pc1ZlbmRvcv9BTEwKMzI3Njn/aWRQcm9kdWN0/0FMTAoyNTX/YkRldmljZUNsYXNz/0FMTAoyNTX/YkludGVyZmFjZUNsYXNz/0FMTAo0/2JOdW1FbmRwb2ludHP/VVNCX0ludGVyZmFjZV9EZXNjcmlwdG9yCjX/Yk51bUludGVyZmFjZXP/VVNCX0NvbmZpZ3VyYXRpb25fRGVzY3JpcHRvcgoKZGVzY3JpcHRvcv9kZXNjMy50eHQKZW11bGF0b3L/ZW51bWVyYXRpb24K
================================================
FILE: payload/windows_bos.obj
================================================
================================================
FILE: payload/windows_bos2.obj
================================================
================================================
FILE: process/__init__.py
================================================
"""
vUSBf: A KVM/QEMU based USB-fuzzing framework.
Copyright (C) 2015 Sergej Schumilo, OpenSource Security Ralf Spenneberg
This file is part of vUSBf.
See the file LICENSE for copying permission.
"""
__author__ = 'Sergej Schumilo'
================================================
FILE: process/client_process.py
================================================
"""
vUSBf: A KVM/QEMU based USB-fuzzing framework.
Copyright (C) 2015 Sergej Schumilo, OpenSource Security Ralf Spenneberg
This file is part of vUSBf.
See the file LICENSE for copying permission.
"""
__author__ = 'Sergej Schumilo'
from multiprocessing import Process, Value, Queue, Semaphore
from qemu import qemu
from process import process
from print_performance_process import *
import signal
import sys
import time
import config
from clustering.network_task_requester import start_network_task_requester

process_list = None
printPerf_process = None
network_requester_process = None


def signal_handler(signal, frame):
    kill_all()


def kill_all():
    # Terminate every worker and the network requester, then exit.
    global process_list
    global network_requester_process
    if process_list is not None:
        for p in process_list:
            # is_alive is a method; without the call the test is always true
            if p.is_alive():
                p.terminate()
    if network_requester_process is not None:
        if network_requester_process.is_alive():
            try:
                network_requester_process.terminate()
                network_requester_process.join()
            except AttributeError:
                pass
    sys.exit(0)


def client(process_number, target_object, host, port, reload_test):
    global process_list
    global network_requester_process
    signal.signal(signal.SIGINT, signal_handler)
    number_of_threads = process_number
    max_tasks = 100000
    sm_num_of_tasks = Value('i', 0)
    info_queue = Queue()
    queue_list = []
    process_list = []
    # Drain the semaphore so workers block until they are released below.
    process_lock = Semaphore(process_number)
    for i in range(process_number):
        process_lock.acquire()
    sem = Semaphore(config.PROCESS_REPAIR_SEMAPHORE)
    # One QEMU instance, one task queue and one worker process per slot.
    for i in range(number_of_threads):
        queue_list.append(Queue())
        qemu_object = qemu("configurations/" + target_object, "/tmp/vusbf_" + str(i) + "_socket", i)
        process_list.append(Process(target=process, args=("t" + str(i), qemu_object, sm_num_of_tasks, i, info_queue, queue_list[i], reload_test, sem, process_lock)))
    printPerf_process = Process(target=printPerf, args=(0, sm_num_of_tasks))
    payload_queue = Queue()
    request_queue = Queue()
    request_queue.put(config.CLUSTERING_CHUNK_SIZE)
    j = 0
    print "[*] Starting processes..."
    for e in process_list:
        e.start()
        time.sleep(0.1)
    print "[*] Preparing processes..."
    time.sleep(config.PROCESS_STARTUP_TIME)
    # start network task requester
    network_requester_process = Process(target=start_network_task_requester, args=(host, port, "sdsds", "sasas", sm_num_of_tasks, info_queue, payload_queue, request_queue, 1337, 2))
    network_requester_process.start()
    num_of_fin = 0
    num_of_processes = len(process_list)
    j = 0
    no_data = False
    while True:
        if num_of_fin == num_of_processes:
            break
        # Every worker has its first chunk: release them at a limited rate.
        if j == num_of_processes-num_of_fin:
            print "[*] Done..."
            printPerf_process.start()
            for i in range(num_of_processes):
                time.sleep(config.PROCESS_STARTUP_RATE)
                process_lock.release()
        # A worker announces that it needs more tasks.
        process_num = info_queue.get()
        if not no_data:
            request_queue.put(config.CLUSTERING_CHUNK_SIZE)
            data = payload_queue.get()
        else:
            data = None
        if data is not None:
            queue_list[process_num].put(data)
            j += 1
        else:
            # No more work: tell this worker to shut down.
            num_of_fin += 1
            queue_list[process_num].put(None)
            no_data = True
    print "[*] Finished..."
    printPerf_process.terminate()
    network_requester_process.terminate()
================================================
FILE: process/distributor_process.py
================================================
"""
vUSBf: A KVM/QEMU based USB-fuzzing framework.
Copyright (C) 2015 Sergej Schumilo, OpenSource Security Ralf Spenneberg
This file is part of vUSBf.
See the file LICENSE for copying permission.
"""
__author__ = 'Sergej Schumilo'
from fileParser import *
from clustering.network_task_distributor import process
from multiprocessing import Process, Value, Queue
from threading import Thread
#from fuzz_configuration.xml_parser import xml_parser
from test_generation.XMLParser import xml_parser
from random import shuffle
from print_performance_process import printPerf_Server
import os
import signal
import socket
import sys
import time
import config

server_process_list = []
print_perf_process = None
dist_process = None


def signal_handler2(signal, frame):
    exit(0)


def signal_handler(signal, frame):
    kill_all()


def kill_all_process():
    global server_process_list
    for e in server_process_list:
        if e is not None:
            if e.is_alive():
                e.terminate()


def kill_all():
    global dist_process
    print dist_process
    if dist_process is not None:
        print "A"
        if dist_process.is_alive():
            print "KILL"
            os.kill(dist_process.pid, signal.SIGINT)
            print "KILLKILL"
    sys.exit(0)


def distributor_process(host, port, info_queue, payload_queue):
    global server_process_list, print_perf_process
    signal.signal(signal.SIGINT, signal_handler2)
    perf_list = []
    # Thread.start() returns None, so keep the Thread object before starting it.
    print_perf_process = Thread(target=printPerf_Server, args=(0, 10, perf_list))
    print_perf_process.start()
    while True:
        try:
            Socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            Socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            Socket.bind((host, port))
            # Accept clients and hand each connection to its own process.
            while True:
                Socket.listen(1)
                Connection, Addr = Socket.accept()
                print str(Addr[0]) + " connected..."
                sm = Value('i', 0)
                p = Process(target=process, args=(Connection, 2, 33, 444, sm, info_queue, payload_queue, 5))
                server_process_list.append(p)
                perf_list.append([Addr[0], sm, p, time.time()])
                p.start()
        except socket.error:
            time.sleep(config.CLUSTERING_CONNECTION_RETRY_TIME)


def server(host, port, exec_name, exec_list, exec_path, testcase_path, test_path, shuffle_test):
    global dist_process
    signal.signal(signal.SIGINT, signal_handler)
    info_queue = Queue()
    payload_queue = Queue()
    dist_process = Process(target=distributor_process, args=(host, port, info_queue, payload_queue))
    dist_process.start()
    pos = 0
    # Default XML inputs, overridden by any path given on the command line.
    path_prefix = "test_generation/"
    exec_path_value = path_prefix + "execution.xml"
    if exec_path != "":
        exec_path_value = exec_path
    testcase_path_value = path_prefix + "testcase.xml"
    if testcase_path != "":
        testcase_path_value = testcase_path
    test_path_value = path_prefix + "test.xml"
    if test_path != "":
        test_path_value = test_path
    xml_tree = xml_parser(test_path_value, testcase_path_value, exec_path_value)
    xml_tree.calc_tests(exec_name)
    print "[*] Number of tests: " + str(xml_tree.get_number_of_elements())
    xml_tree.print_tree()
    # Answer each client request with the next chunk of tests until none remain.
    while True:
        try:
            number = info_queue.get()
        except:
            break
        tmp = xml_tree.get_data_chunk(config.CLUSTERING_CHUNK_SIZE)
        try:
            payload_queue.put(tmp)
        except:
            break
        if tmp is None:
            break
        pos += len(tmp)
    time.sleep(5)
    dist_process.terminate()
    print "[*] Done"
================================================
FILE: process/execute_object.py
================================================
"""
vUSBf: A KVM/QEMU based USB-fuzzing framework.
Copyright (C) 2015 Sergej Schumilo, OpenSource Security Ralf Spenneberg
This file is part of vUSBf.
See the file LICENSE for copying permission.
"""
__author__ = 'Sergej Schumilo'
from usbEmulator import usb_emulator
from multi_process import multi_processing
from test_generation.TestcaseLoader import testcase_loader
import config
import os


def execute_object_process(object_file, host="", port=0, target=None):
    # Execute mode uses its own retry and repair thresholds.
    config.SERIAL_READ_RETRIES = config.SERIAL_READ_RETRIES_EXECUTE_MODE
    config.PROCESS_SLOW_START_THRESHOLD = config.PROCESS_SLOW_START_THRESHOLD_EXECUTE_MODE
    config.PROCESS_SLOW_START_THRESHOLD_FAIL_COUNTER = config.PROCESS_SLOW_START_THRESHOLD_FAIL_COUNTER_EXECUTE_MODE
    config.PROCESS_FAIL_REPAIR_COUNTER = config.PROCESS_FAIL_REPAIR_COUNTER_EXECUTE_MODE
    payloads = testcase_loader(object_file)
    if host == "" or port == 0:
        # No remote endpoint given: replay the payloads in a local QEMU target.
        if target is not None:
            try:
                os.remove("log/vusbf_log_execute")
            except OSError:
                pass
            multi_processing(1, target, "", "", "", "", "", False, None, payloads=payloads, file_name="execute")
            print "[*] Output:"
            print ""
            for line in open("log/vusbf_log_execute"):
                print line,
    else:
        # Replay each payload against the usbredir endpoint at host:port.
        for e in payloads.payloads:
            print e
            emu = usb_emulator([host, port], 0)
            emu.setup_payload(e)
            emu.execute()
================================================
FILE: process/multi_process.py
================================================
"""
vUSBf: A KVM/QEMU based USB-fuzzing framework.
Copyright (C) 2015 Sergej Schumilo, OpenSource Security Ralf Spenneberg
This file is part of vUSBf.
See the file LICENSE for copying permission.
"""
__author__ = 'Sergej Schumilo'
from multiprocessing import Process, Value, Queue, Semaphore
from qemu import qemu
from process import process
from print_performance_process import *
from test_generation.XMLParser import xml_parser
import signal
import sys
import time
import os
sys.path.append(os.path.abspath('../'))
import config

process_list = None
printPerf_process = None
network_requester_process = None


def signal_handler(a,b):
    kill_all()


def kill_all():
    # Forward SIGINT to every started child so each can stop its QEMU instance.
    global process_list, printPerf_process, network_requester_process
    if process_list is not None:
        for p in process_list:
            # is_alive is a method; without the call the test is always true
            if p.is_alive():
                if type(p.pid) == int:
                    os.kill(p.pid, signal.SIGINT)
    if printPerf_process is not None:
        if printPerf_process.is_alive():
            if type(printPerf_process.pid) == int:
                os.kill(printPerf_process.pid, signal.SIGINT)
    if network_requester_process is not None:
        if network_requester_process.is_alive():
            if type(network_requester_process.pid) == int:
                os.kill(network_requester_process.pid, signal.SIGINT)
    sys.exit(0)


def multi_processing(process_number, target_object, exec_name, exec_list, exec_path, testcase_path, test_path,
                     reload_test, shuffle_test, payloads=None, file_name=None):
    global process_list
    global printPerf_process
    signal.signal(signal.SIGINT, signal_handler)
    # Default XML inputs, overridden by any path given on the command line.
    path_prefix = "test_generation/"
    exec_path_value = path_prefix + "execution.xml"
    if exec_path != "":
        exec_path_value = exec_path
    testcase_path_value = path_prefix + "testcase.xml"
    if testcase_path != "":
        testcase_path_value = testcase_path
    test_path_value = path_prefix + "test.xml"
    if test_path != "":
        test_path_value = test_path
    if payloads is None:
        xml_tree = xml_parser(test_path_value, testcase_path_value, exec_path_value)
        xml_tree.calc_tests(exec_name)
        print "[*] Number of tests: " + str(xml_tree.get_number_of_elements())
        xml_tree.print_tree()
    else:
        # Payloads loaded from an object file replace the generated tests.
        xml_tree = payloads
        print "[*] Number of tests: " + str(xml_tree.get_number_of_elements())
    max_tasks = xml_tree.get_number_of_elements()
    sm_num_of_tasks = Value('i', 0)
    info_queue = Queue()
    queue_list = []
    process_list = []
    qemu_list = []
    # Drain the semaphore so workers block until they are released below.
    process_lock = Semaphore(process_number)
    for i in range(process_number):
        process_lock.acquire()
    sem = Semaphore(config.PROCESS_REPAIR_SEMAPHORE)
    # One QEMU instance, one task queue and one worker process per slot.
    for i in range(process_number):
        queue_list.append(Queue())
        qemu_object = qemu("configurations/" + target_object, "/tmp/vusbf_" + str(i) + "_socket", i)
        qemu_list.append(qemu_object)
        if process_number == 1 and file_name is not None:
            process_list.append(Process(target=process, args=(
                "t" + str(i), qemu_object, sm_num_of_tasks, i, info_queue, queue_list[i], reload_test, sem, process_lock), kwargs={"file_postfix_name": file_name}))
        else:
            process_list.append(Process(target=process, args=(
                "t" + str(i), qemu_object, sm_num_of_tasks, i, info_queue, queue_list[i], reload_test, sem, process_lock)))
    printPerf_process = Process(target=printPerf, args=(max_tasks, sm_num_of_tasks))
    j = 0
    print "[*] Starting processes..."
    for e in process_list:
        e.start()
        time.sleep(0.1)
    print "[*] Preparing processes..."
    time.sleep(config.PROCESS_STARTUP_TIME)
    num_of_fin = 0
    num_of_processes = len(process_list)
    j = 0
    while True:
        if num_of_fin == num_of_processes:
            break
        # Every worker has its first chunk: release them at a limited rate.
        if j == num_of_processes-num_of_fin:
            print "[*] Done..."
            printPerf_process.start()
            for i in range(num_of_processes):
                time.sleep(config.PROCESS_STARTUP_RATE)
                process_lock.release()
        # A worker announces that it needs more tasks.
        process_num = info_queue.get()
        data = xml_tree.get_data_chunk(config.NUMBER_OF_JOBS_PER_PROCESS)
        if data is not None:
            queue_list[process_num].put(data)
            j += 1
        else:
            # No more work: tell this worker to shut down.
            num_of_fin += 1
            queue_list[process_num].put(None)
    print "[*] Finished..."
================================================
FILE: process/only_payload.py
================================================
"""
vUSBf: A KVM/QEMU based USB-fuzzing framework.
Copyright (C) 2015 Sergej Schumilo, OpenSource Security Ralf Spenneberg
This file is part of vUSBf.
See the file LICENSE for copying permission.
"""
__author__ = 'Sergej Schumilo'
from usbEmulator import usb_emulator
from test_generation.XMLParser import xml_parser
import sys
import os
import time
sys.path.append(os.path.abspath('../'))
import config
import random


def only_payload_process(host, port, exec_name, exec_list, exec_path, testcase_path, test_path):
    # Default XML inputs, overridden by any path given on the command line.
    path_prefix = "test_generation/"
    exec_path_value = path_prefix + "execution.xml"
    if exec_path != "":
        exec_path_value = exec_path
    testcase_path_value = path_prefix + "testcase.xml"
    if testcase_path != "":
        testcase_path_value = testcase_path
    test_path_value = path_prefix + "test.xml"
    if test_path != "":
        test_path_value = test_path
    xml_tree = xml_parser(test_path_value, testcase_path_value, exec_path_value)
    xml_tree.calc_tests(exec_name)
    print "[*] Number of tests: " + str(xml_tree.get_number_of_elements())
    xml_tree.print_tree()
    emu = usb_emulator([host, port], 0)
    payloads = xml_tree.get_data_chunk(config.NUMBER_OF_JOBS_PER_PROCESS_NM)
    # get_data_chunk returns None when there are no tests; shuffle only a real list.
    if payloads is not None:
        random.shuffle(payloads)
    # Send chunk after chunk to the usbredir endpoint until the tests run out.
    while payloads is not None:
        for e in payloads:
            print e
            emu.setup_payload(e)
            emu.execute()
            time.sleep(config.SLEEP_BETWEEN_TESTS)
        payloads = xml_tree.get_data_chunk(config.NUMBER_OF_JOBS_PER_PROCESS_NM)
    print "[*] Done..."
================================================
FILE: process/print_performance_process.py
================================================
"""
vUSBf: A KVM/QEMU based USB-fuzzing framework.
Copyright (C) 2015 Sergej Schumilo, OpenSource Security Ralf Spenneberg
This file is part of vUSBf.
See the file LICENSE for copying permission.
"""
__author__ = 'Sergej Schumilo'
import signal
import sys
import os
import time
import datetime
sys.path.append(os.path.abspath('../'))
import config


def signal_handler(signal, frame):
    sys.exit(0)


def getTime(timeValue):
    HOUR = 3600
    return "[" + str(int(str(datetime.datetime.fromtimestamp(timeValue).strftime('%j')),10)-1) + str(datetime.datetime.fromtimestamp(timeValue-HOUR).strftime(':%H:%M:%S')) + "]"


def getTimeDate(timeValue):
    return "[" + str(datetime.datetime.fromtimestamp(timeValue).strftime('%d/%m/%y:%H:%M:%S')) + "]"


def printPerf_Server(max_num_of_tasks, timeout, connection_list):
    # print "INFO_THREAD"
    start_time = time.time()
    while True:
        time.sleep(config.PRINT_PERFORMANCE_SERVER_TIMEOUT)
        total = 0
        for element in connection_list:
            total += element[1].value
        if total != 0:
            new_time = time.time()
            raw_value = float(total) / (float(new_time) - float(start_time))
            print "Jobs Done: " + str(total) + " \tPerformance: " + str(round(raw_value, 2)) + " t/s"
        else:
            print "\nClients:"
            for element in connection_list:
                print "\t" + element[0] + " \t",
                if element[2].is_alive():
                    print "Condition: alive \t",
                else:
                    print "Condition: dead \t",
                print "Jobs Done: " + str(element[1].value) + " \t",
                print "'Connection Time: " + getTimeDate(element[3])
            print ""
            #print element[1].value


def printPerf(max_num_of_tasks, sm_tasks_num):
    signal.signal(signal.SIGINT, signal_handler)
    start_time = time.time()
    old = 0
    while True:
        tmp = sm_tasks_num.value
        if tmp == max_num_of_tasks and max_num_of_tasks != 0:
            print getTimeDate(time.time()) + "\t Running time: " + getTime(time.time() - start_time )
            return
        else:
            new_time = time.time()
            raw_value = float(tmp) / (float(new_time) - float(start_time))
            value = round(raw_value, 2)
            if raw_value != 0:
                remaining_time = (max_num_of_tasks - tmp) / raw_value
            else:
                remaining_time = 0.0
            if remaining_time != 0.0 and max_num_of_tasks != 0:
                print getTimeDate(time.time()) + "\t" + str(value) + " t/s " + "\tREAL: " + str(
                    round(float((tmp - old) / (float(config.PRINT_PERFORMANCE_TIMEOUT))), 2)) + " t/s" + " \t" + str(
                    tmp) + "/" + str(max_num_of_tasks) + " \t running time: " + getTime(
                    time.time() - start_time) + "\t remaining time: " + getTime(remaining_time )
            else:
                value = max_num_of_tasks
                if max_num_of_tasks == 0:
                    value = '-'
                print getTimeDate(time.time()) + "\t" + "\tREAL: " + str(
                    round(float((tmp - old) / (float(config.PRINT_PERFORMANCE_TIMEOUT))), 2)) + " t/s" + " \t" + str(
                    tmp) + "/" + str(value) + "\t running time: " + getTime(time.time() - start_time )
        time.sleep(config.PRINT_PERFORMANCE_TIMEOUT)
        old = tmp
================================================
FILE: process/process.py
================================================
"""
vUSBf: A KVM/QEMU based USB-fuzzing framework.
Copyright (C) 2015 Sergej Schumilo, OpenSource Security Ralf Spenneberg
This file is part of vUSBf.
See the file LICENSE for copying permission.
"""
__author__ = 'Sergej Schumilo'
from fileParser import *
import signal
import os
import sys
import time
sys.path.append(os.path.abspath('../'))
import config
import pdb


class ForkedPdb2(pdb.Pdb):
    def interaction(self, *args, **kwargs):
        _stdin = sys.stdin
        try:
            sys.stdin = file('/dev/stdin')
            pdb.Pdb.interaction(self, *args, **kwargs)
        finally:
            sys.stdin = _stdin


class ForkedPdb(pdb.Pdb):
    def interaction(self, *args, **kwargs):
        _stdin = sys.stdin
        _stdout = sys.stdout
        try:
            sys.stdin = open('/home/sergej/log/debug_pipe_in', "r")
            sys.stdout = open('/home/sergej/log/debug_pipe_out', "w")
            pdb.Pdb(None, sys.stdin, sys.stdout).set_trace()
        finally:
            sys.stdin = _stdin
            sys.stdout = _stdout


def handle_pdb(sig, frame):
    print "INTERRUPT"
    ForkedPdb2().set_trace(frame)


qemu_obj = None


def signal_handler(signal, frame):
    global qemu_obj
    if qemu_obj is not None:
        qemu_obj.kill()
    sys.exit(0)


qemu_obj = None


def process(name, qemu, sm, worker_id, request_queue, response_queue, replay, sema, process_lock, file_postfix_name=None):
    global qemu_obj
    signal.signal(signal.SIGINT, signal_handler)
    signal.signal(signal.SIGUSR1, handle_pdb)
    log_postfix = str(worker_id)
    if file_postfix_name is not None:
        log_postfix = file_postfix_name
    f = open("./log/vusbf_log_" + str(worker_id), "a")
    f.write("\nPROCESS_ID: " + str(os.getpid()) + "\n")
    f.close()
    qemu_obj = qemu
    qemu_obj.set_file_name("./log/vusbf_log_" + str(worker_id))
    qemu_obj.start()
    time.sleep(1)
    i = 0
    tasks = []
    restore_counter = 0
    repair_counter = 0
    slow_start_counter = 0
    first_run = True
    while True:
        if restore_counter >= config.PROCESS_FAIL_COUNTER:
            # slow start exception
            if not (
                    slow_start_counter < config.PROCESS_SLOW_START_THRESHOLD and restore_counter < config.PROCESS_SLOW_START_THRESHOLD_FAIL_COUNTER):
                # Too many consecutive failures: reload the VM, or repair the image.
                sema.acquire()
                restore_counter = 0
                repair_counter += 1
                slow_start_counter = 0
                if repair_counter >= config.PROCESS_FAIL_REPAIR_COUNTER:
                    qemu.repair_image()
                    #time.sleep(config.PROCESS_TIMOUT_AFTER_REPAIR)
                    #qemu.reload()
                    time.sleep(config.PROCESS_TIMOUT_AFTER_REPAIR)
                else:
                    qemu.reload()
                sema.release()
        # termination condition
        if len(tasks) == 0:
            request_queue.put(worker_id)
            tasks = response_queue.get()
            if first_run:
                process_lock.acquire()
                first_run = False
            if tasks is None:
                qemu_obj.kill()
                return
        tmp = tasks.pop(0)
        # A failed send or a failed log read re-queues the test and counts as a failure.
        if not qemu.fire(tmp):
            tasks.append(tmp)
            restore_counter += 1
            continue
        if not qemu.log_qemu_output_select("./log/vusbf_log_" + log_postfix, str(tmp)):
            tasks.append(tmp)
            restore_counter += 1
            continue
        restore_counter = 0
        repair_counter = 0
        slow_start_counter += 1
        if replay:
            qemu.reload()
        qemu.check_if_image_corrupted()
        i += 1
        if i == config.PROCESS_NOTIFY_SHARED_MEMORY:
            # "+=" on a shared Value is a read-modify-write; hold its lock
            # so concurrent workers do not lose updates.
            with sm.get_lock():
                sm.value += i
            i = 0
================================================
FILE: qemu-2.1.1.patch
================================================
--- redirect.c 2014-09-18 21:23:12.252000000 +0200
+++ redirect_old.c 2014-09-18 21:26:28.624000000 +0200
@@ -1218,7 +1218,7 @@
usbredirparser_caps_set_cap(caps, usb_redir_cap_connect_device_version);
usbredirparser_caps_set_cap(caps, usb_redir_cap_filter);
usbredirparser_caps_set_cap(caps, usb_redir_cap_ep_info_max_packet_size);
- //usbredirparser_caps_set_cap(caps, usb_redir_cap_64bits_ids);
+ usbredirparser_caps_set_cap(caps, usb_redir_cap_64bits_ids);
usbredirparser_caps_set_cap(caps, usb_redir_cap_32bits_bulk_length);
usbredirparser_caps_set_cap(caps, usb_redir_cap_bulk_receiving);
#if USBREDIR_VERSION >= 0x000700
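Review bot: The file labels and the hunk direction disagree. With `--- redirect.c` as the old side and `+++ redirect_old.c` as the new side, the `-` line is the commented-out `//usbredirparser_caps_set_cap(caps, usb_redir_cap_64bits_ids);` and the `+` line is the active call, so applying this patch as written re-enables the 64-bit id capability instead of disabling it. If the intent is to stop QEMU from advertising `usb_redir_cap_64bits_ids`, regenerate the diff with the original file on the `---` side, or state that it has to be applied with `patch -R`. The headers also carry no directory prefix, so the patch only applies from inside the directory that holds `redirect.c`; paths relative to the QEMU source root and a one-line rationale for dropping the capability would make the change reviewable.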
================================================
FILE: qemu.py
================================================
"""
    vUSBf: A KVM/QEMU based USB-fuzzing framework.
    Copyright (C) 2015 Sergej Schumilo, OpenSource Security Ralf Spenneberg
    This file is part of vUSBf.
    See the file LICENSE for copying permission.
"""
import shutil
from usbEmulator import *
from monitor.linux_monitor import *
import config
class qemu:
    file_name = ""
    config_args = ["qemu_bin", "kvm", "memory", "ram_file", "overlay_file", "device_type", "snapshot", "qemu_extra",
                   "overlay_folder"]
    call = ""
    def __read_config(self, config_file):
        if not os.path.isfile(config_file):
            print "FILE NOT FOUND " + config_file
            return False
        f = open(config_file)
        try:
            for line in f:
                if not line.startswith("#") and not line == "" and ":" in line:
                    arg = line.split(":")[0]
                    value = line.split(":")[1].replace(" ", "").replace("\t", "").replace("\n", "").replace("\"", "")
                    # qemu binary
                    if arg == self.config_args[0]:
                        if os.path.isfile(value):
                            self.config_qemu_bin = value
                    # kvm support
                    elif arg == self.config_args[1]:
                        if value == "yes" or value == "no":
                            if value == "yes":
                                self.config_kvm = True
                            else:
                                self.config_kvm = False
                    # memory size
                    elif arg == self.config_args[2]:
                        if value.isdigit():
                            self.config_memory_size = int(value)
                    # ram file
                    elif arg == self.config_args[3]:
                        if os.path.isfile(value):
                            self.config_ram_file = value
                    # overlay file
                    elif arg == self.config_args[4]:
                        if os.path.isfile(value):
                            self.config_overlay = value
                    # usb device type
                    elif arg == self.config_args[5]:
                        self.config_usb_device_type = value
                    # snapshot
                    elif arg == self.config_args[6]:
                        self.config_snapshot = value
                    # qemu extra
                    elif arg == self.config_args[7]:
                        self.config_qemu_extra = line.split(":")[1].replace("\n", "").replace("\"", "").replace("\t", " ")
                    # overlay folder
                    elif arg == self.config_args[8]:
                        # print value
                        if os.path.isdir(value):
                            self.config_overlay_folder = value
                            if self.config_overlay_folder.endswith("/"):
                                self.config_overlay_folder = self.config_overlay_folder[:-1]
        finally:
            f.close()
        if self.config_qemu_bin is None \
                or self.config_kvm is None \
                or self.config_memory_size is None \
                or self.config_ram_file is None \
                or self.config_overlay is None \
                or self.config_usb_device_type is None \
                or self.config_overlay_folder is None \
                or self.config_snapshot is None:
            print "READ CONFIG ERROR:"
            print self.config_qemu_bin
            print self.config_kvm
            print self.config_memory_size
            print self.config_overlay
            print self.config_usb_device_type
            print self.config_overlay_folder
            print self.config_snapshot
            return False
        else:
            return True
    def __gen_start_script(self, address):
        call = ""
        call += self.config_qemu_bin
        if self.config_kvm:
            call += " --enable-kvm"
        call += " -m " + str(self.config_memory_size)
        call += " -nographic"
        call += " -hdb " + self.config_ram_file
SYMBOL INDEX (297 symbols across 31 files)
FILE: clustering/network_task_distributor.py
function signal_handler (line 23) | def signal_handler(signal, frame):
class network_task_distributor (line 32) | class network_task_distributor:
method print_verbose (line 36) | def print_verbose(self, data, verbose_level, verbose):
method synchronize (line 41) | def synchronize(self):
method __init__ (line 62) | def __init__(self, connection, sync_timeout, md5_vm, md5_overlay, sm_n...
method __connect (line 79) | def __connect(self):
method connection_loop (line 115) | def connection_loop(self):
method start_sync_callback (line 191) | def start_sync_callback(self):
method stop_sync_callback (line 196) | def stop_sync_callback(self):
method __request_data_from_queue (line 201) | def __request_data_from_queue(self):
method __return_data_to_queue (line 215) | def __return_data_to_queue(self):
method __update_sm_value (line 223) | def __update_sm_value(self, value):
function process (line 237) | def process(Connection, sync_timeout, md5_vm, md5_overlay, sm_num_of_fin...
FILE: clustering/network_task_requester.py
function signal_handler (line 21) | def signal_handler(signal, frame):
class network_task_requester (line 28) | class network_task_requester():
method __init__ (line 31) | def __init__(self, ip, port, md5_vm, md5_overlay, sm_num_of_fin_tasks,...
method __connect (line 52) | def __connect(self):
method send_data_request (line 79) | def send_data_request(self, number_of_tasks):
method start_listing_thread (line 101) | def start_listing_thread(self):
method kill_listing_thread (line 108) | def kill_listing_thread(self):
method close_connection (line 113) | def close_connection(self):
method connection_loop (line 120) | def connection_loop(self):
method __recv_all (line 183) | def __recv_all(self, fd, Length):
method __recv_data (line 199) | def __recv_data(self, fd, length):
method __send_data (line 205) | def __send_data(self, data):
method __put_data_to_queue (line 211) | def __put_data_to_queue(self, obj):
method __get_sm_value (line 219) | def __get_sm_value(self):
method __put_error_code_to_queue (line 222) | def __put_error_code_to_queue(self, err_msg):
function start_network_task_requester (line 229) | def start_network_task_requester(server, port, md5_vm, md5_overlay, sm_n...
FILE: clustering/protocol.py
class vusbf_proto_header (line 24) | class vusbf_proto_header(Packet):
class vusbf_task (line 31) | class vusbf_task(Packet):
class vusbf_sync (line 36) | class vusbf_sync(Packet):
class vusbf_get (line 41) | class vusbf_get(Packet):
class vusbf_check_request (line 46) | class vusbf_check_request(Packet):
class vusbf_check_response (line 53) | class vusbf_check_response(Packet):
FILE: descFuzzer.py
function print_descriptor (line 11) | def print_descriptor(descriptor):
function patch_descriptor_length_fields (line 24) | def patch_descriptor_length_fields(descriptor):
function patch_configuration_descriptor_length_field (line 32) | def patch_configuration_descriptor_length_field(descriptor, configuratio...
function get_configuration_descriptor (line 44) | def get_configuration_descriptor(descriptor, configuration_num):
function get_interface_descriptor (line 56) | def get_interface_descriptor(descriptor, configuration_num, interface_num):
function add_new_descriptor_to_interface (line 68) | def add_new_descriptor_to_interface(descriptor, configuration_num, inter...
function add_new_interface_to_configuration (line 97) | def add_new_interface_to_configuration(descriptor, configuration_num, ne...
function add_new_configuration_to_device_descriptor (line 127) | def add_new_configuration_to_device_descriptor(descriptor, new_configura...
function del_interface_descriptor_object (line 151) | def del_interface_descriptor_object(descriptor, configuration_num, inter...
function del_interface_descriptor (line 173) | def del_interface_descriptor(descriptor, configuration_num, interface_num):
function del_configuration_descriptor (line 191) | def del_configuration_descriptor(descriptor, configuration_num):
FILE: emulator/emulator.py
class emulator (line 12) | class emulator(object):
method __init__ (line 14) | def __init__(self, fuzzer):
method _fuzz_data (line 21) | def _fuzz_data(self, scapy_data):
method get_response (line 27) | def get_response(self, data):
method _calc_response (line 36) | def _calc_response(self, data):
FILE: emulator/enumeration.py
class enumeration (line 20) | class enumeration(emulator):
method __init__ (line 21) | def __init__(self, fuzzer):
method __get_complete_configuration_descriptor (line 27) | def __get_complete_configuration_descriptor(self, configuration_num):
method _calc_response (line 39) | def _calc_response(self, data):
FILE: emulator/enumeration_abortion.py
class abortion_enumeration (line 18) | class abortion_enumeration(enumeration):
method __init__ (line 21) | def __init__(self, fuzzer):
method _calc_response (line 25) | def _calc_response(self, data):
FILE: emulator/hid.py
class hid (line 18) | class hid(enumeration):
method __init__ (line 19) | def __init__(self, fuzzer):
method __read_reports (line 23) | def __read_reports(self, reports_file):
method __read_report_descriptor (line 26) | def __read_report_descriptor(self, report_descriptor_file):
method _calc_response (line 42) | def _calc_response(self, data):
FILE: fileParser.py
class usbdescFileParser (line 11) | class usbdescFileParser:
method __init__ (line 24) | def __init__(self, filePath):
method parse (line 51) | def parse(self):
method __parser (line 190) | def __parser(self, desc, data):
method __parseDescriptor (line 239) | def __parseDescriptor(self, data):
FILE: fuzzer.py
class fuzzer (line 11) | class fuzzer(object):
method __init__ (line 12) | def __init__(self, test):
method set_descriptor (line 16) | def set_descriptor(self, descriptor):
method set_string_descriptor (line 19) | def set_string_descriptor(self, string_descriptor):
method get_descriptor (line 22) | def get_descriptor(self):
method get_string_descriptor (line 25) | def get_string_descriptor(self):
method post_fuzzing (line 39) | def post_fuzzing(self, scapy_data):
FILE: monitor/freebsd_monitor.py
class freebsd_monitor (line 13) | class freebsd_monitor(linux_monitor):
method __init__ (line 14) | def __init__(self, qemu, filename):
method monitor (line 18) | def monitor(self, title):
FILE: monitor/linux_monitor.py
class linux_monitor (line 17) | class linux_monitor(monitor):
method __init__ (line 18) | def __init__(self, qemu, filename):
method monitor (line 21) | def monitor(self, title):
method __non_block_read (line 24) | def __non_block_read(self, output):
method __monitor (line 33) | def __monitor(self, title):
FILE: monitor/monitor.py
class monitor (line 16) | class monitor(object):
method __init__ (line 17) | def __init__(self, qemu, filename):
method log_reload (line 25) | def log_reload(self):
method monitor (line 31) | def monitor(self, title):
FILE: process/client_process.py
function signal_handler (line 22) | def signal_handler(signal, frame):
function kill_all (line 25) | def kill_all():
function client (line 43) | def client(process_number, target_object, host, port, reload_test):
FILE: process/distributor_process.py
function signal_handler2 (line 25) | def signal_handler2(signal, frame):
function signal_handler (line 28) | def signal_handler(signal, frame):
function kill_all_process (line 31) | def kill_all_process():
function kill_all (line 38) | def kill_all():
function distributor_process (line 49) | def distributor_process(host, port, info_queue, payload_queue):
function server (line 74) | def server(host, port, exec_name, exec_list, exec_path, testcase_path, t...
FILE: process/execute_object.py
function execute_object_process (line 17) | def execute_object_process(object_file, host="", port=0, target=None):
FILE: process/multi_process.py
function signal_handler (line 26) | def signal_handler(a,b):
function kill_all (line 30) | def kill_all():
function multi_processing (line 50) | def multi_processing(process_number, target_object, exec_name, exec_list...
FILE: process/only_payload.py
function only_payload_process (line 19) | def only_payload_process(host, port, exec_name, exec_list, exec_path, te...
FILE: process/print_performance_process.py
function signal_handler (line 21) | def signal_handler(signal, frame):
function getTime (line 25) | def getTime(timeValue):
function getTimeDate (line 29) | def getTimeDate(timeValue):
function printPerf_Server (line 33) | def printPerf_Server(max_num_of_tasks, timeout, connection_list):
function printPerf (line 62) | def printPerf(max_num_of_tasks, sm_tasks_num):
FILE: process/process.py
class ForkedPdb2 (line 20) | class ForkedPdb2(pdb.Pdb):
method interaction (line 21) | def interaction(self, *args, **kwargs):
class ForkedPdb (line 30) | class ForkedPdb(pdb.Pdb):
method interaction (line 31) | def interaction(self, *args, **kwargs):
function handle_pdb (line 43) | def handle_pdb(sig, frame):
function signal_handler (line 51) | def signal_handler(signal, frame):
function process (line 61) | def process(name, qemu, sm, worker_id, request_queue, response_queue, re...
FILE: qemu.py
class qemu (line 15) | class qemu:
method __read_config (line 21) | def __read_config(self, config_file):
method __gen_start_script (line 97) | def __gen_start_script(self, address):
method __init__ (line 128) | def __init__(self, config_file, address, instance_id):
method __del__ (line 163) | def __del__(self):
method start (line 167) | def start(self):
method alive (line 172) | def alive(self):
method set_file_name (line 181) | def set_file_name(self, file_name):
method log_reload (line 184) | def log_reload(self):
method log_qemu_output_select (line 188) | def log_qemu_output_select(self, file_name, title):
method kill (line 196) | def kill(self):
method check_if_image_corrupted (line 210) | def check_if_image_corrupted(self):
method repair_image (line 219) | def repair_image(self):
method reload (line 226) | def reload(self):
method fire (line 235) | def fire(self, payload):
FILE: report_desc_reader.py
class report_desc_reader (line 13) | class report_desc_reader:
method __init__ (line 14) | def __init__(self, file):
method get_raw_data (line 24) | def get_raw_data(self):
FILE: test_generation/Sequence.py
class Sequence (line 11) | class Sequence(object):
method __init__ (line 12) | def __init__(self):
method next (line 15) | def next(self):
method reset (line 18) | def reset(self):
method __mul__ (line 21) | def __mul__(a, b):
method __add__ (line 24) | def __add__(a, b):
method __mod__ (line 27) | def __mod__(a, b):
method __iter__ (line 30) | def __iter__(self):
method __len__ (line 33) | def __len__(self):
class SequenceIter (line 37) | class SequenceIter(object):
method __init__ (line 38) | def __init__(self, seq):
method next (line 42) | def next(self):
method __len__ (line 48) | def __len__(self):
class ListSequence (line 52) | class ListSequence(Sequence):
method __init__ (line 53) | def __init__(self, list):
method next (line 58) | def next(self):
method reset (line 66) | def reset(self):
method __len__ (line 69) | def __len__(self):
class GeneratorSequence (line 73) | class GeneratorSequence(Sequence):
method __init__ (line 74) | def __init__(self, gen):
method next (line 78) | def next(self):
method reset (line 84) | def reset(self):
method __len__ (line 87) | def __len__(self):
class ChainSequence (line 91) | class ChainSequence(GeneratorSequence):
method __init__ (line 92) | def __init__(self, *sequences):
method gen_seq (line 104) | def gen_seq(self, sequences):
method reset (line 112) | def reset(self):
method __len__ (line 117) | def __len__(self):
class LinkSequence (line 121) | class LinkSequence(GeneratorSequence):
method __init__ (line 122) | def __init__(self, *sequences):
method gen_seq (line 138) | def gen_seq(self, sequences):
method reset (line 149) | def reset(self):
method flatten (line 154) | def flatten(self, x):
method __len__ (line 163) | def __len__(self):
class ProductSequence (line 167) | class ProductSequence(GeneratorSequence):
method __init__ (line 168) | def __init__(self, *sequences):
method gen_seq2 (line 185) | def gen_seq2(self, s1, s2):
method gen_seqx (line 202) | def gen_seqx(self, sequences):
method reset (line 212) | def reset(self):
method flatten (line 217) | def flatten(self, x):
method __len__ (line 226) | def __len__(self):
function S (line 230) | def S(*x):
FILE: test_generation/Testcase.py
class Testcase (line 16) | class Testcase(object):
method __init__ (line 17) | def __init__(self, ID):
method S (line 22) | def S(*x):
method add_testcase (line 29) | def add_testcase(self, *testcase):
method print_message (line 36) | def print_message(self):
method encode_base64 (line 48) | def encode_base64(self):
method decode_base64 (line 59) | def decode_base64(self, data):
method load_bas64_strings (line 62) | def load_bas64_strings(self, data):
method get_ID (line 77) | def get_ID(self):
method get_number_of_testcases (line 80) | def get_number_of_testcases(self):
method get_testcase (line 83) | def get_testcase(self, num):
method get_testcases (line 89) | def get_testcases(self):
method add_option (line 92) | def add_option(self, key, value):
method add_options (line 95) | def add_options(self, hm):
method get_option (line 98) | def get_option(self, key):
method get_options (line 101) | def get_options(self):
method __str__ (line 104) | def __str__(self):
class Instruction (line 108) | class Instruction(object):
method __init__ (line 109) | def __init__(self):
method gen_info_string (line 112) | def gen_info_string(self):
class Fuzzing_instruction (line 116) | class Fuzzing_instruction(Testcase):
method __init__ (line 117) | def __init__(self, value, field, packet_type):
method gen_info_string (line 122) | def gen_info_string(self):
method get_value (line 132) | def get_value(self):
method get_field (line 135) | def get_field(self):
method get_packet_type (line 138) | def get_packet_type(self):
method __str__ (line 141) | def __str__(self):
FILE: test_generation/TestcaseLoader.py
class testcase_loader (line 12) | class testcase_loader():
method __init__ (line 13) | def __init__(self, object_file):
method get_number_of_elements (line 27) | def get_number_of_elements(self):
method get_data_chunk (line 30) | def get_data_chunk(self, number_of_elements):
FILE: test_generation/XMLParser.py
class xml_parser (line 44) | class xml_parser(object):
method __init__ (line 46) | def __init__(self, path_test, path_testcase, path_exec):
method get_descriptor (line 53) | def get_descriptor():
method get_reload (line 56) | def get_reload():
method get_number_of_elements (line 59) | def get_number_of_elements(self):
method get_data_chunk (line 64) | def get_data_chunk(self, number_of_elements):
method reset_data (line 92) | def reset_data():
method print_tree (line 95) | def print_tree(self):
method __print_rec (line 101) | def __print_rec(self, list, tab_string):
method __calc_rec (line 127) | def __calc_rec(self, list, operator):
method build_list (line 168) | def build_list(self, test_name):
method __read_value_from_file (line 193) | def __read_value_from_file(self, file_name, delimiter, column, data_ty...
method __value_parser (line 218) | def __value_parser(self, node):
method __get_root (line 244) | def __get_root(self, path):
method __testunit_parser (line 250) | def __testunit_parser(self, node, tab_str):
method __testcase_parser (line 270) | def __testcase_parser(self, testcase_name):
method __execution_parser (line 282) | def __execution_parser(self, execution_name):
method __execution_parser_options (line 291) | def __execution_parser_options(self, execution):
method calc_tests (line 303) | def calc_tests(self, exec_name):
FILE: tools/port_old_payload.py
class test_package (line 16) | class test_package:
method __init__ (line 17) | def __init__(self, raw_data, name_list, operation_list):
method get_raw_data (line 25) | def get_raw_data(self):
method get_name_list (line 28) | def get_name_list(self):
method get_operation_list (line 31) | def get_operation_list(self):
method print_data (line 34) | def print_data(self):
FILE: usbEmulator.py
class usb_emulator (line 19) | class usb_emulator:
method __init__ (line 35) | def __init__(self, victim_address, address_type):
method setup_payload (line 56) | def setup_payload(self, payload):
method execute (line 77) | def execute(self):
method __get_hello_packet (line 87) | def __get_hello_packet(self):
method __get_connect_packet (line 95) | def __get_connect_packet(self):
method __get_if_info_packet (line 103) | def __get_if_info_packet(self):
method __get_ep_info_packet (line 111) | def __get_ep_info_packet(self):
method __get_reset_packet (line 119) | def __get_reset_packet(self):
method __connection_loop (line 126) | def __connection_loop(self, connection_to_victim):
method __print_data (line 210) | def __print_data(self, data, recv):
method __recv_data (line 229) | def __recv_data(self, length, connection_to_victim):
method __recv_data_dont_print (line 236) | def __recv_data_dont_print(self, length, connection_to_victim):
method __send_data (line 240) | def __send_data(self, data, connection_to_victim):
method __print_error (line 247) | def __print_error(self, msg):
method __connect_to_server (line 252) | def __connect_to_server(self):
FILE: usbparser.py
class parser (line 14) | class parser(object):
method __init__ (line 17) | def __init__(self, raw):
method getScapyPacket (line 20) | def getScapyPacket(self):
method _getRaw (line 23) | def _getRaw(self):
class usbredir_parser (line 27) | class usbredir_parser(parser):
method __init__ (line 30) | def __init__(self, raw):
method getScapyPacket (line 44) | def getScapyPacket(self):
method getScapyLayers (line 47) | def getScapyLayers(self):
method modifyLayer (line 58) | def modifyLayer(self, layerType, field, value):
method __parseRaw (line 68) | def __parseRaw(self, raw):
class control_packet_parser (line 141) | class control_packet_parser(parser):
method __init__ (line 145) | def __init__(self, raw, index):
method getScapyPacket (line 152) | def getScapyPacket(self):
method __parseRaw (line 155) | def __parseRaw(self, data, index):
class data_bulk_parser (line 209) | class data_bulk_parser(parser):
FILE: usbscapy.py
class XLEShortField (line 17) | class XLEShortField(LEShortField, XShortField):
method i2repr (line 18) | def i2repr(self, pkt, x):
class XLEIntField (line 23) | class XLEIntField(LEIntField, XIntField):
method i2repr (line 24) | def i2repr(self, pkt, x):
class usbredirheader (line 64) | class usbredirheader(Packet):
class hello_redir_header (line 72) | class hello_redir_header(Packet):
class hello_redir_header_host (line 78) | class hello_redir_header_host(Packet):
class connect_redir_header (line 84) | class connect_redir_header(Packet):
class if_info_redir_header (line 96) | class if_info_redir_header(Packet):
class ep_info_redir_header (line 106) | class ep_info_redir_header(Packet):
class data_control_redir_header (line 119) | class data_control_redir_header(Packet):
class data_bulk_redir_header (line 131) | class data_bulk_redir_header(Packet):
class data_iso_redir_header (line 141) | class data_iso_redir_header(Packet):
class data_interrupt_redir_header (line 149) | class data_interrupt_redir_header(Packet):
class usb_header (line 170) | class usb_header(Packet):
class usb_generic_descriptor_header (line 188) | class usb_generic_descriptor_header(Packet):
class usb_device_descriptor (line 195) | class usb_device_descriptor(Packet):
class usb_configuration_descriptor (line 214) | class usb_configuration_descriptor(Packet):
class usb_interface_descriptor (line 237) | class usb_interface_descriptor(Packet):
class usb_endpoint_descriptor (line 252) | class usb_endpoint_descriptor(Packet):
class usb_string_descriptor_langid (line 264) | class usb_string_descriptor_langid(Packet):
class usb_string_descriptor (line 272) | class usb_string_descriptor(Packet):
class usb_hid_descriptor (line 280) | class usb_hid_descriptor(Packet):
class usb_hid_report_extension (line 292) | class usb_hid_report_extension(Packet):
class usb_hid_report_descriptor (line 299) | class usb_hid_report_descriptor(Packet):
class massstorage_generic (line 339) | class massstorage_generic(Packet):
class massstorage_cbw (line 344) | class massstorage_cbw(Packet):
class massstorage_csw (line 355) | class massstorage_csw(Packet):
class scsi_inquiry (line 373) | class scsi_inquiry(Packet):
class scsi_raw_inquiry (line 390) | class scsi_raw_inquiry(Packet):
class scsi_read_capicity (line 415) | class scsi_read_capicity(Packet):
class scsi_mode_6 (line 421) | class scsi_mode_6(Packet):
FILE: vusbf.py
function parameter_parser (line 79) | def parameter_parser(parameter_list):
function check_parameter (line 214) | def check_parameter(parameter_list):
function main (line 234) | def main():
function print_help (line 255) | def print_help():
function argv_parser (line 261) | def argv_parser():
Condensed preview — 119 files, each showing path, character count, and a content snippet.
[
{
"path": ".gitignore",
"chars": 6,
"preview": "*.pyc\n"
},
{
"path": "COPYING.md",
"chars": 15176,
"preview": "The GNU General Public License, Version 2, June 1991 (GPLv2)\n==========================================================="
},
{
"path": "README.md",
"chars": 4340,
"preview": "vusbf-Framework\n===========\n\t _ __ __ __ _______ ____\n\t _ __(_)____/ /___ ______ _/ / / "
},
{
"path": "changelog",
"chars": 521,
"preview": "Version 0.2:\n\n- code clean up\n- complete rewrite of testcase generation related code (generation works now on the fly, l"
},
{
"path": "clustering/__init__.py",
"chars": 248,
"preview": "\"\"\"\n vUSBf: A KVM/QEMU based USB-fuzzing framework.\n Copyright (C) 2015 Sergej Schumilo, OpenSource Security Ralf"
},
{
"path": "clustering/network_task_distributor.py",
"chars": 8660,
"preview": "\"\"\"\n vUSBf: A KVM/QEMU based USB-fuzzing framework.\n Copyright (C) 2015 Sergej Schumilo, OpenSource Security Ralf"
},
{
"path": "clustering/network_task_requester.py",
"chars": 7682,
"preview": "\"\"\"\n vUSBf: A KVM/QEMU based USB-fuzzing framework.\n Copyright (C) 2015 Sergej Schumilo, OpenSource Security Ralf"
},
{
"path": "clustering/protocol.py",
"chars": 1986,
"preview": "\"\"\"\n vUSBf: A KVM/QEMU based USB-fuzzing framework.\n Copyright (C) 2015 Sergej Schumilo, OpenSource Security Ralf"
},
{
"path": "config.py",
"chars": 3307,
"preview": "\"\"\"\n vUSBf: A KVM/QEMU based USB-fuzzing framework.\n Copyright (C) 2015 Sergej Schumilo, OpenSource Security Ralf"
},
{
"path": "configurations/centos6.config",
"chars": 481,
"preview": "# vusbf qemu-config file \n#\n\n\n# QEMU BINARAY\nqemu_bin:\t/home/sergej/qemu/x86_64-softmmu/qemu-system-x86_64\n\n# KVM SUPPOR"
},
{
"path": "configurations/debian7.config",
"chars": 483,
"preview": "# vusbf qemu-config file \n#\n\n\n# QEMU BINARAY\nqemu_bin:\t/home/sergej/qemu/x86_64-softmmu/qemu-system-x86_64\n\n# KVM SUPPOR"
},
{
"path": "configurations/debian7_2.config",
"chars": 609,
"preview": "# vusbf qemu-config file \n#\n\n\n# QEMU BINARAY\nqemu_bin:\t/home/sergej/Dokumente/vUSBf/Testing/qemu-2.1.2/qemu-2.0.2/x86_64"
},
{
"path": "configurations/debian7_3.config",
"chars": 582,
"preview": "# vusbf qemu-config file \n#\n\n\n# QEMU BINARAY\nqemu_bin:\t/home/sergej/Dokumente/vUSBf/Testing/qemu-2.2.0/qemu-2.2.0/x86_64"
},
{
"path": "configurations/freebsd10_1.config",
"chars": 500,
"preview": "# vusbf qemu-config file \n#\n\n\n# QEMU BINARAY\nqemu_bin:\t/home/sergej/qemu/x86_64-softmmu/qemu-system-x86_64\n\n# KVM SUPPOR"
},
{
"path": "configurations/ubuntu1404.config",
"chars": 496,
"preview": "# vusbf qemu-config file \n#\n\n\n# QEMU BINARAY\nqemu_bin:\t/home/sergej/qemu/x86_64-softmmu/qemu-system-x86_64\n\n# KVM SUPPOR"
},
{
"path": "configurations/ubuntu1404_updated.config",
"chars": 498,
"preview": "# vusbf qemu-config file \n#\n\n\n# QEMU BINARAY\nqemu_bin:\t/home/sergej/qemu/x86_64-softmmu/qemu-system-x86_64\n\n# KVM SUPPOR"
},
{
"path": "descFuzzer.py",
"chars": 6279,
"preview": "\"\"\"\n vUSBf: A KVM/QEMU based USB-fuzzing framework.\n Copyright (C) 2015 Sergej Schumilo, OpenSource Security Ralf"
},
{
"path": "dev_desc/desc.txt",
"chars": 2348,
"preview": "Speed High\nBus 001 Device 043: ID 1307:0165 Transcend Information, Inc. 2GB/4GB Flash Drive\nDevice Descriptor:\n bLength"
},
{
"path": "dev_desc/desc1.txt",
"chars": 2000,
"preview": "Bus 007 Device 012: ID 046d:c218 Logitech, Inc. Logitech RumblePad 2 USB\nDevice Descriptor:\n bLength 18\n"
},
{
"path": "dev_desc/desc10.txt",
"chars": 16793,
"preview": "Speed Full\nBus 003 Device 007: ID 05ac:12aa Apple, Inc. iPod Touch 5.Gen [A1421]\nDevice Descriptor:\n bLength "
},
{
"path": "dev_desc/desc2.txt",
"chars": 2331,
"preview": "Speed Full\nBus 001 Device 043: ID 1307:0165 Transcend Information, Inc. 2GB/4GB Flash Drive\nDevice Descriptor:\n bLength"
},
{
"path": "dev_desc/desc3.txt",
"chars": 2745,
"preview": "Speed Full\nBus 001 Device 043: ID 1307:0165 Transcend Information, Inc. 2GB/4GB Flash Drive\nDevice Descriptor:\n bLength"
},
{
"path": "dev_desc/desc3.txt_tmp",
"chars": 2745,
"preview": "Speed Full\nBus 001 Device 043: ID 1307:0165 Transcend Information, Inc. 2GB/4GB Flash Drive\nDevice Descriptor:\n bLength"
},
{
"path": "dev_desc/desc4.txt",
"chars": 1915,
"preview": "Speed High\nBus 001 Device 004: ID 05e3:0745 Genesys Logic, Inc. \nDevice Descriptor:\n bLength 18\n bDescr"
},
{
"path": "dev_desc/desc5.txt",
"chars": 2368,
"preview": "Speed High\nBus 001 Device 047: ID 17e9:02ee DisplayLink\nDevice Descriptor:\n bLength 18\n bDescriptorType"
},
{
"path": "dev_desc/desc6.txt",
"chars": 2356,
"preview": "Bus 007 Device 012: ID 046d:c218 Logitech, Inc. Logitech RumblePad 2 USB\nDevice Descriptor:\n bLength 18\n"
},
{
"path": "dev_desc/desc9.txt",
"chars": 14725,
"preview": "Speed High\nBus 004 Device 003: ID 0bdb:1911\nDevice Descriptor:\n bLength 18\n bDescriptorType 1"
},
{
"path": "emulator/__init__.py",
"chars": 248,
"preview": "\"\"\"\n vUSBf: A KVM/QEMU based USB-fuzzing framework.\n Copyright (C) 2015 Sergej Schumilo, OpenSource Security Ralf"
},
{
"path": "emulator/emulator.py",
"chars": 987,
"preview": "\"\"\"\n vUSBf: A KVM/QEMU based USB-fuzzing framework.\n Copyright (C) 2015 Sergej Schumilo, OpenSource Security Ralf"
},
{
"path": "emulator/enumeration.py",
"chars": 3141,
"preview": "\"\"\"\n vUSBf: A KVM/QEMU based USB-fuzzing framework.\n Copyright (C) 2015 Sergej Schumilo, OpenSource Security Ralf"
},
{
"path": "emulator/enumeration_abortion.py",
"chars": 786,
"preview": "\"\"\"\n vUSBf: A KVM/QEMU based USB-fuzzing framework.\n Copyright (C) 2015 Sergej Schumilo, OpenSource Security Ralf"
},
{
"path": "emulator/hid.py",
"chars": 2141,
"preview": "\"\"\"\n vUSBf: A KVM/QEMU based USB-fuzzing framework.\n Copyright (C) 2015 Sergej Schumilo, OpenSource Security Ralf"
},
{
"path": "fileParser.py",
"chars": 10210,
"preview": "\"\"\"\n vUSBf: A KVM/QEMU based USB-fuzzing framework.\n Copyright (C) 2015 Sergej Schumilo, OpenSource Security Ralf"
},
{
"path": "fuzzer.py",
"chars": 3466,
"preview": "\"\"\"\n vUSBf: A KVM/QEMU based USB-fuzzing framework.\n Copyright (C) 2015 Sergej Schumilo, OpenSource Security Ralf"
},
{
"path": "help.txt",
"chars": 2602,
"preview": "Usage: vusbf.py [Running Type] [Fuzzing Type] [Target Type]\n\nTarget Specification:\n -o <target.conf>: name "
},
{
"path": "log/deadlock_check.sh",
"chars": 42,
"preview": "watch -n 30 \"find -cmin +2 -cmin -100000\"\n"
},
{
"path": "log/freebsd_monitor.sh",
"chars": 343,
"preview": "cat vusbf_log_* | egrep 'Fatal trap|panic:|#1 |#2 |#3 |#4 |#5 |#6 |#7 |#8 ' | grep -v \" savecore: reboot after panic:\" |"
},
{
"path": "log/linux_monitor.sh",
"chars": 428,
"preview": "cat vusbf_log_* | egrep 'BUG|segfault|panic|recursive|Segmentation' | cut -c 16- | sort -u;\necho \"\";\nprintf 'TEST:\\t' ;"
},
{
"path": "monitor/__init__.py",
"chars": 248,
"preview": "\"\"\"\n vUSBf: A KVM/QEMU based USB-fuzzing framework.\n Copyright (C) 2015 Sergej Schumilo, OpenSource Security Ralf"
},
{
"path": "monitor/freebsd_monitor.py",
"chars": 665,
"preview": "\"\"\"\n vUSBf: A KVM/QEMU based USB-fuzzing framework.\n Copyright (C) 2015 Sergej Schumilo, OpenSource Security Ralf"
},
{
"path": "monitor/linux_monitor.py",
"chars": 2717,
"preview": "\"\"\"\n vUSBf: A KVM/QEMU based USB-fuzzing framework.\n Copyright (C) 2015 Sergej Schumilo, OpenSource Security Ralf"
},
{
"path": "monitor/monitor.py",
"chars": 816,
"preview": "\"\"\"\n vUSBf: A KVM/QEMU based USB-fuzzing framework.\n Copyright (C) 2015 Sergej Schumilo, OpenSource Security Ralf"
},
{
"path": "payload/i2400m_usb_bug.info",
"chars": 163,
"preview": "This payload results in an endless printk loop.\n@ Linux ubuntu-victim 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:"
},
{
"path": "payload/i2400m_usb_bug.obj",
"chars": 610,
"preview": "REPRODUCE_KEY:\nMQoKMzI5MDL/aXNWZW5kb3L/QUxMCjUxMjb/aWRQcm9kdWN0/0FMTAoy/2JEZXZpY2VDbGFzc/9BTEwKMv9iSW50ZXJmYWNlQ2xhc3P/Q"
},
{
"path": "payload/keyspan_null_ptr.info",
"chars": 189,
"preview": "This payload results in a NULL pointer dereference (NULL) @ keyspan_open.\n@ Linux ubuntu-victim 3.13.0-24-generic #46-Ub"
},
{
"path": "payload/keyspan_null_ptr.obj",
"chars": 309,
"preview": "REPRODUCE_KEY:\nMQoKMTc0Mf9pc1ZlbmRvcv9BTEwKMjY4/2lkUHJvZHVjdP9BTEwKMjU1/2JEZXZpY2VDbGFzc/9BTEwKMjU1/2JJbnRlcmZhY2VDbGFzc"
},
{
"path": "payload/mal_payload.obj",
"chars": 362,
"preview": "REPRODUCE_KEY:\nMQoKMf9pc1ZlbmRvcv9BTEwKNTE2M/9pZFByb2R1Y3T/QUxMCjH/YkRldmljZUNsYXNz/0FMTAox/2JJbnRlcmZhY2VDbGFzc/9BTEwKC"
},
{
"path": "payload/mal_payload2.obj",
"chars": 302,
"preview": "NDQ5MTUKCjg0NTf/aWRQcm9kdWN0/0FMTAoxMDAz/2lzVmVuZG9y/0FMTAoxMf9iRGV2aWNlQ2xhc3P/dXNiX2RldmljZV9kZXNjcmlwdG9yCjEx/2JJbnRl"
},
{
"path": "payload/old_payload/i2400m_usb_bug.info",
"chars": 163,
"preview": "This payload results in an endless printk loop.\n@ Linux ubuntu-victim 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:"
},
{
"path": "payload/old_payload/i2400m_usb_bug.obj",
"chars": 779,
"preview": "(lp0\n(lp1\nI11675604\na(lp2\n(lp3\nS'name'\np4\naS'enumeration'\np5\naa(lp6\nS'descriptor'\np7\naS'desc3.txt'\np8\naa(lp9\nS'reload'\np"
},
{
"path": "payload/old_payload/keyspan_null_ptr.info",
"chars": 189,
"preview": "This payload results in a NULL pointer dereference (NULL) @ keyspan_open.\n@ Linux ubuntu-victim 3.13.0-24-generic #46-Ub"
},
{
"path": "payload/old_payload/keyspan_null_ptr.obj",
"chars": 776,
"preview": "(lp0\n(lp1\nI5773444\na(lp2\n(lp3\nS'name'\np4\naS'enumeration'\np5\naa(lp6\nS'descriptor'\np7\naS'desc3.txt'\np8\naa(lp9\nS'reload'\np1"
},
{
"path": "payload/old_payload/mal_payload.obj",
"chars": 655,
"preview": "(lp0\n(lp1\nI1\na(lp2\n(lp3\nS'name'\np4\naS'enumeration'\np5\naa(lp6\nS'descriptor'\np7\naS'desc3.txt'\np8\naa(lp9\nS'reload'\np10\naI01"
},
{
"path": "payload/old_payload/panic_1.info",
"chars": 150,
"preview": "This payload cause a kernel panic.\n@ Linux ubuntu-victim 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 x"
},
{
"path": "payload/old_payload/panic_1.obj",
"chars": 1572,
"preview": "(lp0\n(lp1\nI2715386\na(lp2\n(lp3\nS'name'\np4\naS'enumeration'\np5\naa(lp6\nS'descriptor'\np7\naS'desc3.txt'\np8\naa(lp9\nS'reload'\np1"
},
{
"path": "payload/old_payload/panic_2.info",
"chars": 150,
"preview": "This payload cause a kernel panic.\n@ Linux ubuntu-victim 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 x"
},
{
"path": "payload/old_payload/panic_2.obj",
"chars": 2100,
"preview": "(lp0\n(lp1\nI7841715\na(lp2\n(lp3\nS'name'\np4\naS'enumeration'\np5\naa(lp6\nS'descriptor'\np7\naS'desc3.txt'\np8\naa(lp9\nS'reload'\np1"
},
{
"path": "payload/old_payload/panic_3.obj",
"chars": 779,
"preview": "(lp0\n(lp1\nI6056107\na(lp2\n(lp3\nS'name'\np4\naS'enumeration'\np5\naa(lp6\nS'descriptor'\np7\naS'desc3.txt'\np8\naa(lp9\nS'reload'\np1"
},
{
"path": "payload/old_payload/smsusb_null_ptr.info",
"chars": 201,
"preview": "This payload results in a NULL pointer dereference (0000000000000004) @ smsusb_probe.\n@ Linux ubuntu-victim 3.13.0-24-ge"
},
{
"path": "payload/old_payload/smsusb_null_ptr.obj",
"chars": 771,
"preview": "(lp0\n(lp1\nI10609166\na(lp2\n(lp3\nS'name'\np4\naS'enumeration'\np5\naa(lp6\nS'descriptor'\np7\naS'desc3.txt'\np8\naa(lp9\nS'reload'\np"
},
{
"path": "payload/old_payload/udlfb.info",
"chars": 146,
"preview": "Abort transmission of the 3th payload to cause a kernel panic. \n@ Linux debian-7 3.15.0-rc5 #2 SMP Mon May 19 15:57:11 C"
},
{
"path": "payload/old_payload/udlfb.obj",
"chars": 1045,
"preview": "(lp0\n(lp1\nI7624473\na(lp2\n(lp3\nS'name'\np4\naS'enumeration'\np5\naa(lp6\nS'descriptor'\np7\naS'desc3.txt'\np8\naa(lp9\nS'reload'\np1"
},
{
"path": "payload/old_payload/usbserial_bug.info",
"chars": 192,
"preview": "This payload results in an endless printk loop.\n@ Handspring Visor / Palm OS\n@ Linux ubuntu-victim 3.13.0-24-generic #46"
},
{
"path": "payload/old_payload/usbserial_bug.obj",
"chars": 772,
"preview": "(lp0\n(lp1\nI6600289\na(lp2\n(lp3\nS'name'\np4\naS'enumeration'\np5\naa(lp6\nS'descriptor'\np7\naS'desc3.txt'\np8\naa(lp9\nS'reload'\np1"
},
{
"path": "payload/old_payload/usbserial_null_ptr.info",
"chars": 205,
"preview": "This payload results in a NULL pointer dereference (0000000000000260) @ usb_serial_probe.\n@ Linux ubuntu-victim 3.13.0-2"
},
{
"path": "payload/old_payload/usbserial_null_ptr.obj",
"chars": 775,
"preview": "(lp0\n(lp1\nI5938371\na(lp2\n(lp3\nS'name'\np4\naS'enumeration'\np5\naa(lp6\nS'descriptor'\np7\naS'desc3.txt'\np8\naa(lp9\nS'reload'\np1"
},
{
"path": "payload/old_payload/windows_bod.obj",
"chars": 793,
"preview": "(lp0\n(lp1\nI48814\na(lp2\n(lp3\nS'name'\np4\naS'enumeration'\np5\naa(lp6\nS'descriptor'\np7\naS'desc2.txt'\np8\naa(lp9\nS'reload'\np10\n"
},
{
"path": "payload/panic_1.info",
"chars": 150,
"preview": "This payload cause a kernel panic.\n@ Linux ubuntu-victim 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 x"
},
{
"path": "payload/panic_1.obj",
"chars": 2114,
"preview": "REPRODUCE_KEY:\nMQoKMTE5M/9pc1ZlbmRvcv9BTEwKMTI4ODn/aWRQcm9kdWN0/0FMTAoy/2JEZXZpY2VDbGFzc/9BTEwKMv9iSW50ZXJmYWNlQ2xhc3P/Q"
},
{
"path": "payload/panic_2.info",
"chars": 150,
"preview": "This payload cause a kernel panic.\n@ Linux ubuntu-victim 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 x"
},
{
"path": "payload/panic_2.obj",
"chars": 3319,
"preview": "REPRODUCE_KEY:\nMQoKMjk5Mf9pc1ZlbmRvcv9BTEwKMjM1/2lkUHJvZHVjdP9BTEwKM/9iRGV2aWNlQ2xhc3P/QUxMCjP/YkludGVyZmFjZUNsYXNz/0FMT"
},
{
"path": "payload/panic_3.obj",
"chars": 610,
"preview": "REPRODUCE_KEY:\nMQoKMTg5Mf9pc1ZlbmRvcv9BTEwKNDExN/9pZFByb2R1Y3T/QUxMCjI1Nf9iRGV2aWNlQ2xhc3P/QUxMCjI1Nf9iSW50ZXJmYWNlQ2xhc"
},
{
"path": "payload/smsusb_null_ptr.info",
"chars": 201,
"preview": "This payload results in a NULL pointer dereference (0000000000000004) @ smsusb_probe.\n@ Linux ubuntu-victim 3.13.0-24-ge"
},
{
"path": "payload/smsusb_null_ptr.obj",
"chars": 300,
"preview": "REPRODUCE_KEY:\nMQoKNjI3Mf9pc1ZlbmRvcv9BTEwKNzY5/2lkUHJvZHVjdP9BTEwKMv9iRGV2aWNlQ2xhc3P/QUxMCjL/YkludGVyZmFjZUNsYXNz/0FMT"
},
{
"path": "payload/tests/test.obj",
"chars": 1883,
"preview": "REPRODUCE_KEY:\nMzg3NDE5OQoKMzA0/2lkUHJvZHVjdP9BTEwKMTQxMP9pc1ZlbmRvcv9BTEwKNf9iRGV2aWNlQ2xhc3P/dXNiX2RldmljZV9kZXNjcmlwd"
},
{
"path": "payload/tests/test2.obj",
"chars": 1927,
"preview": "REPRODUCE_KEY:\nMTkxOTUyCgo4NDUy/2lkUHJvZHVjdP9BTEwKMTAwOP9pc1ZlbmRvcv9BTEwKMv9iRGV2aWNlQ2xhc3P/dXNiX2RldmljZV9kZXNjcmlwd"
},
{
"path": "payload/tests/test3.obj",
"chars": 960,
"preview": "REPRODUCE_KEY:\nODk5Njc5CgoxNTUy/2lkUHJvZHVjdP9BTEwKMTA1N/9pc1ZlbmRvcv9BTEwKODj/YkRldmljZUNsYXNz/3VzYl9kZXZpY2VfZGVzY3Jpc"
},
{
"path": "payload/udlfb.info",
"chars": 146,
"preview": "Abort transmission of the 3th payload to cause a kernel panic. \n@ Linux debian-7 3.15.0-rc5 #2 SMP Mon May 19 15:57:11 C"
},
{
"path": "payload/udlfb.obj",
"chars": 1224,
"preview": "REPRODUCE_KEY:\nMQoKMjc2Mf9pc1ZlbmRvcv9BTEwKMTb/aWRQcm9kdWN0/0FMTAoyNTX/YkRldmljZUNsYXNz/0FMTAoyNTX/YkludGVyZmFjZUNsYXNz/"
},
{
"path": "payload/usbserial_bug.info",
"chars": 192,
"preview": "This payload results in an endless printk loop.\n@ Handspring Visor / Palm OS\n@ Linux ubuntu-victim 3.13.0-24-generic #46"
},
{
"path": "payload/usbserial_bug.obj",
"chars": 302,
"preview": "REPRODUCE_KEY:\nMQoKMjA5M/9pc1ZlbmRvcv9BTEwKMjU2/2lkUHJvZHVjdP9BTEwKMf9iRGV2aWNlQ2xhc3P/QUxMCjH/YkludGVyZmFjZUNsYXNz/0FMT"
},
{
"path": "payload/usbserial_null_ptr.info",
"chars": 205,
"preview": "This payload results in a NULL pointer dereference (0000000000000260) @ usb_serial_probe.\n@ Linux ubuntu-victim 3.13.0-2"
},
{
"path": "payload/usbserial_null_ptr.obj",
"chars": 305,
"preview": "REPRODUCE_KEY:\nMQoKMTgwOP9pc1ZlbmRvcv9BTEwKMzI3Njn/aWRQcm9kdWN0/0FMTAoyNTX/YkRldmljZUNsYXNz/0FMTAoyNTX/YkludGVyZmFjZUNsY"
},
{
"path": "payload/windows_bos.obj",
"chars": 551,
"preview": "REPRODUCE_KEY:\nMQoKMTEzM/9pc1ZlbmRvcv9BTEwKNTA5NTn/aWRQcm9kdWN0/0FMTAoz/2JEZXZpY2VDbGFzc/9BTEwKM/9iSW50ZXJmYWNlQ2xhc3P/Q"
},
{
"path": "payload/windows_bos2.obj",
"chars": 740,
"preview": "REPRODUCE_KEY:\nMQoKMTEzM/9pc1ZlbmRvcv9BTEwKNTA5NTn/aWRQcm9kdWN0/0FMTAoz/2JEZXZpY2VDbGFzc/9BTEwKM/9iSW50ZXJmYWNlQ2xhc3P/Q"
},
{
"path": "process/__init__.py",
"chars": 249,
"preview": "\"\"\"\n vUSBf: A KVM/QEMU based USB-fuzzing framework.\n Copyright (C) 2015 Sergej Schumilo, OpenSource Security Ralf"
},
{
"path": "process/client_process.py",
"chars": 3554,
"preview": "\"\"\"\n vUSBf: A KVM/QEMU based USB-fuzzing framework.\n Copyright (C) 2015 Sergej Schumilo, OpenSource Security Ralf"
},
{
"path": "process/distributor_process.py",
"chars": 3622,
"preview": "\"\"\"\n vUSBf: A KVM/QEMU based USB-fuzzing framework.\n Copyright (C) 2015 Sergej Schumilo, OpenSource Security Ralf"
},
{
"path": "process/execute_object.py",
"chars": 1494,
"preview": "\"\"\"\n vUSBf: A KVM/QEMU based USB-fuzzing framework.\n Copyright (C) 2015 Sergej Schumilo, OpenSource Security Ralf"
},
{
"path": "process/multi_process.py",
"chars": 4470,
"preview": "\"\"\"\n vUSBf: A KVM/QEMU based USB-fuzzing framework.\n Copyright (C) 2015 Sergej Schumilo, OpenSource Security Ralf"
},
{
"path": "process/only_payload.py",
"chars": 1579,
"preview": "\"\"\"\n vUSBf: A KVM/QEMU based USB-fuzzing framework.\n Copyright (C) 2015 Sergej Schumilo, OpenSource Security Ralf"
},
{
"path": "process/print_performance_process.py",
"chars": 3436,
"preview": "\"\"\"\n vUSBf: A KVM/QEMU based USB-fuzzing framework.\n Copyright (C) 2015 Sergej Schumilo, OpenSource Security Ralf"
},
{
"path": "process/process.py",
"chars": 3738,
"preview": "\"\"\"\n vUSBf: A KVM/QEMU based USB-fuzzing framework.\n Copyright (C) 2015 Sergej Schumilo, OpenSource Security Ralf"
},
{
"path": "qemu-2.1.1.patch",
"chars": 659,
"preview": "--- redirect.c\t2014-09-18 21:23:12.252000000 +0200\n+++ redirect_old.c\t2014-09-18 21:26:28.624000000 +0200\n@@ -1218,7 +12"
},
{
"path": "qemu.py",
"chars": 8847,
"preview": "\"\"\"\n vUSBf: A KVM/QEMU based USB-fuzzing framework.\n Copyright (C) 2015 Sergej Schumilo, OpenSource Security Ralf"
},
{
"path": "report_desc_reader.py",
"chars": 823,
"preview": "\"\"\"\n vUSBf: A KVM/QEMU based USB-fuzzing framework.\n Copyright (C) 2015 Sergej Schumilo, OpenSource Security Ralf"
},
{
"path": "test_generation/Sequence.py",
"chars": 6846,
"preview": "#!/usr/bin/python\n\"\"\"\n vUSBf: A KVM/QEMU based USB-fuzzing framework.\n Copyright (C) 2015 Sergej Schumilo, OpenSo"
},
{
"path": "test_generation/Testcase.py",
"chars": 4682,
"preview": "\"\"\"\n vUSBf: A KVM/QEMU based USB-fuzzing framework.\n Copyright (C) 2015 Sergej Schumilo, OpenSource Security Ralf"
},
{
"path": "test_generation/TestcaseLoader.py",
"chars": 1200,
"preview": "\"\"\"\n vUSBf: A KVM/QEMU based USB-fuzzing framework.\n Copyright (C) 2015 Sergej Schumilo, OpenSource Security Ralf"
},
{
"path": "test_generation/XMLParser.py",
"chars": 8195,
"preview": "\"\"\"\n vUSBf: A KVM/QEMU based USB-fuzzing framework.\n Copyright (C) 2015 Sergej Schumilo, OpenSource Security Ralf"
},
{
"path": "test_generation/__init__.py",
"chars": 248,
"preview": "\"\"\"\n vUSBf: A KVM/QEMU based USB-fuzzing framework.\n Copyright (C) 2015 Sergej Schumilo, OpenSource Security Ralf"
},
{
"path": "test_generation/execution.xml",
"chars": 703,
"preview": "<execution>\n\n <execute name=\"ex1\">\n <testcase name=\"testcase_1\"/>\n <option emulator"
},
{
"path": "test_generation/location.conf",
"chars": 75,
"preview": "testfile:\ttest.xml\ntestcasefile:\ttestcase.xml\nexecutionfile:\texecution.xml\n"
},
{
"path": "test_generation/test.xml",
"chars": 5839,
"preview": "<atomic_testcases>\n\t<atomic_test name=\"all_class_ids1\" type=\"fuzz\">\n\t\t<fuzz>\n\t\t\t<packet name=\"usb_device_descriptor\" />\n"
},
{
"path": "test_generation/testcase.xml",
"chars": 2306,
"preview": "<!-- combine tests and define testcase -->\n\n<testcases>\n\n\t<testcase name=\"testcase_1\">\n\t\t<testunit type=\"chain\">\n\t\t\t<!--"
},
{
"path": "tools/__init__.py",
"chars": 250,
"preview": "\"\"\"\n vUSBf: A KVM/QEMU based USB-fuzzing framework.\n Copyright (C) 2015 Sergej Schumilo, OpenSource Security Ralf"
},
{
"path": "tools/extract_class_ids.py",
"chars": 743,
"preview": "\"\"\"\n vUSBf: A KVM/QEMU based USB-fuzzing framework.\n Copyright (C) 2015 Sergej Schumilo, OpenSource Security Ralf"
},
{
"path": "tools/extract_vp_ids.py",
"chars": 1047,
"preview": "\"\"\"\n vUSBf: A KVM/QEMU based USB-fuzzing framework.\n Copyright (C) 2015 Sergej Schumilo, OpenSource Security Ralf"
},
{
"path": "tools/gen_reproduce_key.py",
"chars": 778,
"preview": "\"\"\"\n vUSBf: A KVM/QEMU based USB-fuzzing framework.\n Copyright (C) 2015 Sergej Schumilo, OpenSource Security Ralf"
},
{
"path": "tools/output_information.txt",
"chars": 732,
"preview": "+---------------------------------------------------------+\nTest #1:\n FT: 5163 idProduct: ALL\n FT: "
},
{
"path": "tools/port_old_payload.py",
"chars": 1760,
"preview": "\"\"\"\n vUSBf: A KVM/QEMU based USB-fuzzing framework.\n Copyright (C) 2015 Sergej Schumilo, OpenSource Security Ralf"
},
{
"path": "usbEmulator.py",
"chars": 9802,
"preview": "\"\"\"\n vUSBf: A KVM/QEMU based USB-fuzzing framework.\n Copyright (C) 2015 Sergej Schumilo, OpenSource Security Ralf"
},
{
"path": "usb_ids/class.ids",
"chars": 57,
"preview": "00\n01\n02\n03\n05\n06\n07\n08\n09\n0a\n0b\n0d\n0e\n58\ndc\ne0\nef\nfe\nff\n"
},
{
"path": "usb_ids/usb.ids",
"chars": 526521,
"preview": "#\n#\tList of USB ID's\n#\n#\tMaintained by Stephen J. Gowdy <linux.usb.ids@gmail.com>\n#\tIf you have any new entries, please "
},
{
"path": "usb_ids/vendor_product.ids",
"chars": 156610,
"preview": "0001 142b\n0001 7778\n0002 abcd\n0003 abcd\n0004 abcd\n0011 7788\n0053 5301\n0079 0006\n0079 0011\n0105 145f\n0145 0112\n017c 145f\n"
},
{
"path": "usb_ids/vendor_product_backup.ids",
"chars": 156610,
"preview": "0001 142b\n0001 7778\n0002 ????\n0003 ????\n0004 ????\n0011 7788\n0053 5301\n0079 0006\n0079 0011\n0105 145f\n0145 0112\n017c 145f\n"
},
{
"path": "usbparser.py",
"chars": 7415,
"preview": "\"\"\"\n vUSBf: A KVM/QEMU based USB-fuzzing framework.\n Copyright (C) 2015 Sergej Schumilo, OpenSource Security Ralf"
},
{
"path": "usbscapy.py",
"chars": 17727,
"preview": "\"\"\"\n vUSBf: A KVM/QEMU based USB-fuzzing framework.\n Copyright (C) 2015 Sergej Schumilo, OpenSource Security Ralf"
},
{
"path": "vusbf.py",
"chars": 11024,
"preview": "#!/usr/bin/python\n\"\"\"\n vUSBf: A KVM/QEMU based USB-fuzzing framework.\n Copyright (C) 2015 Sergej Schumilo, OpenSo"
}
]
About this extraction
This page contains the full source code of the schumilo/vUSBf GitHub repository, extracted and formatted as plain text. The extraction includes 119 files (1.1 MB), approximately 479.5k tokens, and a symbol index with 297 extracted functions, classes, methods, constants, and types.