Bug fixes and additional testing

.gitignore

@@ -3,3 +3,6 @@ src/espro/.theos
 src/esplios/.theos
 .keys
 downloads
+payloads
+*.log
+.vagrant

README.md

@@ -24,6 +24,26 @@ Follow me on twitter: @neoneggplant
 
 <hr style="height:1px; background:#9EA4A9">
 
+## Running Tests
+- Install [Vagrant](https://www.vagrantup.com/downloads.html)
+- Install [VirtualBox](https://www.virtualbox.org/wiki/Downloads)
+- Install `pwntools`: `pip install pwntools`
+- Install `expect`: (choose your package manager)
+  - `apt install expect`
+  - `yum install expect`
+  - `pacman -S expect`
+- `python test_eggshell.py`
+
+## Running Mutation Testing
+- Install `cosmic-ray`: `pip install cosmic-ray`
+- `cosmic-ray exec mut_session.sqlite`
+
+## Running Fuzzer
+- Install `afl` (see [afl website](/usr/local/share/doc/afl/perf_tips.txt) for instructions)
+- Install `python-afl`: `pip install python-afl`
+- `afl-fuzz -m 2000 -i fuzzing/in -o fuzzing/out -- python fuzz_eggshell.py`
+
+<hr style="height:1px; background:#9EA4A9">
 
 ## Getting Started
 - Requires python 2.7

Vagrantfile

@@ -0,0 +1,21 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+Vagrant.configure("2") do |config|
+  config.vm.box = "ubuntu/xenial64"
+
+  # mount shared folder to test file upload/download with known hashes
+  config.vm.synced_folder "test/victim_files", "/home/vagrant/my_files"
+
+  # disable default file share
+  config.vm.synced_folder ".", "/vagrant", disabled: true
+
+  config.vm.provision "shell", inline: <<-SHELL
+    # enable password auth (default vagrant:vagrant)
+    sed -i 's/PasswordAuthentication no/PasswordAuthentication yes/g' /etc/ssh/sshd_config
+    systemctl restart sshd
+
+    # install python
+    apt install -y python-minimal
+  SHELL
+end

fuzz_eggshell.py

@@ -0,0 +1,12 @@
+#!/usr/bin/python
+from modules import server
+from modules import helper as h
+import sys, os
+from eggshell import EggShell
+import afl
+
+
+if __name__ == "__main__":
+    afl.init()
+    eggshell = EggShell()
+    eggshell.menu()

fuzzing/afl_out/crashes/README.txt

@@ -0,0 +1,17 @@
+Command line used to find this crash:
+
+afl-fuzz -m 2000 -i fuzzing/in -o fuzzing/out -- python fuzz_eggshell.py
+
+If you can't reproduce a bug outside of afl-fuzz, be sure to set the same
+memory limit. The limit used for this fuzzing session was 1.95 GB.
+
+Need a tool to minimize test cases before investigating the crashes or sending
+them to a vendor? Check out the afl-tmin that comes with the fuzzer!
+
+Found any cool bugs in open-source tools using afl-fuzz? If yes, please drop
+me a mail at <[email protected]> once the issues are fixed - I'd love to
+add your finds to the gallery at:
+
+  http://lcamtuf.coredump.cx/afl/
+
+Thanks :-)

fuzzing/afl_out/crashes/id:000000,sig:10,src:000000,op:flip1,pos:0

@@ -0,0 +1,7 @@
+2
+1
+
+
+n
+4
+

fuzzing/afl_out/crashes/id:000001,sig:10,src:000000,op:flip1,pos:3

@@ -0,0 +1,6 @@
+3
+1
+
+n
+4
+

fuzzing/afl_out/crashes/id:000002,sig:10,src:000000,op:flip1,pos:4

@@ -0,0 +1,6 @@
+3
+1
+�
+n
+4
+

fuzzing/afl_out/crashes/id:000003,sig:10,src:000000,op:flip1,pos:8

@@ -0,0 +1,7 @@
+3
+1
+
+
+n
+t
+

fuzzing/afl_out/crashes/id:000004,sig:10,src:000000,op:flip2,pos:8

@@ -0,0 +1,7 @@
+3
+1
+
+
+n
+2
+

fuzzing/afl_out/crashes/id:000005,sig:10,src:000000,op:flip32,pos:6

@@ -0,0 +1,5 @@
+3
+1
+
+
+����

fuzzing/afl_out/crashes/id:000006,sig:10,src:000000,op:arith8,pos:8,val:-1

@@ -0,0 +1,7 @@
+3
+1
+
+
+n
+3
+

fuzzing/afl_out/crashes/id:000007,sig:10,src:000000,op:arith8,pos:8,val:-3

@@ -0,0 +1,7 @@
+3
+1
+
+
+n
+1
+

fuzzing/afl_out/crashes/id:000008,sig:10,src:000000,op:havoc,rep:4

@@ -0,0 +1,4 @@
+3
+1�
+
+u,4�

fuzzing/afl_out/crashes/id:000009,sig:10,src:000000,op:havoc,rep:64

@@ -0,0 +1 @@
+1�

fuzzing/afl_out/crashes/id:000010,sig:10,src:000000,op:havoc,rep:128

@@ -0,0 +1 @@
+1

fuzzing/afl_out/crashes/id:000011,sig:10,src:000002,op:flip1,pos:6

@@ -0,0 +1,7 @@
+3
+2
+
+
+�
+n
+4

fuzzing/afl_out/crashes/id:000012,sig:10,src:000002,op:flip1,pos:7

@@ -0,0 +1,6 @@
+3
+2
+
+
+n�n
+4

fuzzing/afl_out/crashes/id:000014,sig:10,src:000009,op:flip1,pos:9

@@ -0,0 +1,6 @@
+3
+2
+
+
+y
+n�4

fuzzing/afl_out/fuzzer_stats

@@ -0,0 +1,28 @@
+start_time        : 1551750128
+last_update       : 1551847879
+fuzzer_pid        : 2626
+cycles_done       : 9
+execs_done        : 1024136
+execs_per_sec     : 10.36
+paths_total       : 70
+paths_favored     : 7
+paths_found       : 67
+paths_imported    : 0
+max_depth         : 7
+cur_path          : 63
+pending_favs      : 0
+pending_total     : 15
+variable_paths    : 0
+stability         : 100.00%
+bitmap_cvg        : 1.63%
+unique_crashes    : 17
+unique_hangs      : 6
+last_path         : 1551831995
+last_crash        : 1551784448
+last_hang         : 1551751166
+execs_since_crash : 647021
+exec_timeout      : 180
+afl_banner        : python
+afl_version       : 2.52b
+target_mode       : default
+command_line      : afl-fuzz -m 2000 -i fuzzing/in -o fuzzing/out -- python fuzz_eggshell.py

fuzzing/afl_out/hangs/id:000000,src:000000,op:flip1,pos:0

@@ -0,0 +1,7 @@
+�
+1
+
+
+n
+4
+

fuzzing/afl_out/hangs/id:000001,src:000000,op:flip1,pos:0

@@ -0,0 +1,7 @@
+1
+1
+
+
+n
+4
+

fuzzing/afl_out/hangs/id:000002,src:000000,op:flip1,pos:2

@@ -0,0 +1,7 @@
+3
+0
+
+
+n
+4
+

fuzzing/afl_out/hangs/id:000003,src:000000,op:flip1,pos:6

@@ -0,0 +1,7 @@
+3
+1
+
+
+�
+4
+

fuzzing/afl_out/hangs/id:000005,src:000009,op:flip1,pos:8

@@ -0,0 +1,7 @@
+3
+2
+
+
+y
+�
+4