nccgroup / umap2

Umap2 is the second revision of NCC Group's python based USB host security assessment tool.
GNU Affero General Public License v3.0

Cannot replay tests #25

Closed alexdetrano closed 5 years ago

alexdetrano commented 5 years ago

I recorded a fuzzing session using umap2kitty. When I try to replay, I get the following error:

>umap2kitty -s stages/keyboard.stage -k "-r fuzz/keyboard.fuzz"
Waiting for a client to connect to url http://localhost:26007/
[INFO    ][base._load_session] No session loaded

On the fuzzer side, I get some kind of nasty RPC error, mutation count exceeds maximum.

>umap2fuzz -P rd -C keyboard
Traceback (most recent call last):
  File "/usr/local/bin/umap2fuzz", line 11, in <module>
    load_entry_point('umap2==2.0.1', 'console_scripts', 'umap2fuzz')()
  File "build/bdist.linux-armv6l/egg/umap2/apps/fuzz.py", line 110, in main
  File "build/bdist.linux-armv6l/egg/umap2/apps/emulate.py", line 34, in run
  File "build/bdist.linux-armv6l/egg/umap2/apps/fuzz.py", line 43, in get_fuzzer
  File "/usr/local/lib/python2.7/dist-packages/kittyfuzzer-0.7.1-py2.7.egg/kitty/remote/rpc.py", line 169, in _
    raise Exception('Got error from RPC server when called "%s" error: %s' % (method, response['error']))
Exception: Got error from RPC server when called "start" error: {u'message': u'exception in call "start({})" -> Specified test range exceeds the maximum mutation count', u'code': -32603}

Any idea how to get past this?

BinyaminSharet commented 5 years ago

Recording the stages (creating the stage file) is done using umap2stages. Did you use it? Also, please share the contents of your keyboard.stage file.

BinyaminSharet commented 5 years ago

I seem to have misunderstood the issue when I first replied. If fuzz/keyboard.fuzz exists, then I will need to investigate it. It will take me a couple of weeks to do so; in the meantime, please confirm that you have both files (fuzz, stages) in the expected locations and post the contents of the stages file.

alexdetrano commented 5 years ago

>ls fuzz/keyboard.fuzz
fuzz/keyboard.fuzz

>ls stages/keyboard.stage
stages/keyboard.stage

>cat stages/keyboard.stage
device_descriptor
device_descriptor
configuration_descriptor
interface_descriptor
hid_descriptor
hid_report_descriptor
endpoint_descriptor
configuration_descriptor
interface_descriptor
hid_descriptor
hid_report_descriptor
endpoint_descriptor
string_descriptor_zero
string_descriptor
string_descriptor
string_descriptor
string_descriptor
string_descriptor
hid_set_idle_response
hid_report_descriptor
hid_get_report_response

alexdetrano commented 5 years ago

Doing some digging myself, it looks like the fuzzer is able to read the session file correctly, and extract the failed tests.

This is in /umap2/fuzz/fuzz_engine.py just before remote.start() is called

(Pdb) fuzzer._test_list.as_test_list_str()
'58,640,646,1158,1164,3320,3475,4679,4710,4915,6007,6028,7562,7847,8566,9353,9612,10099,10121,10175'

BinyaminSharet commented 5 years ago
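The RPC error quoted earlier in the thread is raised when the replayed test indices lie beyond what the current fuzzing model can produce. The following is an added example, not code from umap2 or kitty: a stand-alone pre-flight check that parses a test-list string in the comma-separated form shown by `as_test_list_str()` and reports any index the model cannot reach. It assumes (not verified against kitty's own parser) that `a-b` denotes an inclusive range and that valid indices are zero-based and strictly less than the mutation count; the mutation count of 10000 and the function names are constructed for the demonstration.

```python
# Added example: validate a replay test list before handing it to a fuzzer.
# Not part of umap2 or kitty; the range syntax and index convention are assumptions.
from typing import List

# Constructed value standing in for the model's mutation count (assumption).
MAX_MUTATIONS_EXAMPLE = 10000

# The failed-test list pasted in the thread, used here as sample input.
SESSION_TEST_LIST = ('58,640,646,1158,1164,3320,3475,4679,4710,4915,'
                     '6007,6028,7562,7847,8566,9353,9612,10099,10121,10175')


def parse_test_list(spec: str) -> List[int]:
    """Parse '58,640,1158' or '10-20,25' into a sorted, de-duplicated list.

    Assumes 'a-b' is an inclusive range; blank items are ignored.
    """
    tests = set()
    for item in spec.split(','):
        item = item.strip()
        if not item:
            continue
        if '-' in item:
            lo_s, hi_s = item.split('-', 1)
            lo, hi = int(lo_s), int(hi_s)
            if hi < lo:
                raise ValueError('inverted range: %s' % item)
            tests.update(range(lo, hi + 1))
        else:
            tests.add(int(item))
    return sorted(tests)


def out_of_range(tests: List[int], max_mutations: int) -> List[int]:
    """Return the indices the model cannot produce (assumed: 0 <= t < max)."""
    return [t for t in tests if t < 0 or t >= max_mutations]


def check_replay(spec: str, max_mutations: int) -> List[int]:
    """Parse the list and fail early with the offending indices, instead of
    letting the error surface later as an opaque RPC failure."""
    tests = parse_test_list(spec)
    bad = out_of_range(tests, max_mutations)
    if bad:
        raise ValueError(
            'Specified test range exceeds the maximum mutation count (%d): %s'
            % (max_mutations, ','.join(str(t) for t in bad)))
    return tests


if __name__ == '__main__':
    try:
        check_replay(SESSION_TEST_LIST, MAX_MUTATIONS_EXAMPLE)
        print('replay list is within range')
    except ValueError as exc:
        print('refusing to start replay:', exc)
```

Running the check with the session list above and the constructed limit flags 10099, 10121 and 10175, which is the situation a replay ends up in when the recorded session and the model being replayed against no longer agree (for example after the fuzzer code was changed, as the reporter later notes).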

Thanks for the input. Did you have any progress with this issue? If not - do you mind sharing the session file so I can try and reproduce that on my setup?

alexdetrano commented 5 years ago

Sorry, this fell off the radar. I think I had modified some code and forgot about it. I restarted with a fresh repo and it worked. I will mark this as closed. Thanks for the help!