Nosy Newt is a simple concolic execution tool for exploring the input space of a binary executable programs. I created this POC because i could not find any better tool for this. It is extensively using Triton for almost everything (hooking, solving constrains, etc).
Nosy Newt is designed to discover new inputs to trigger different paths in your binary using concolic execution. It requires to:
- Select a program that reads a file.
- Create a "inputs" directory with at least one file.
- Launch nosy newt indicating the input file in the argument using "@@".
- Wait for more inputs to be discover.
- Triton
- Some dedicated RAM memory (at least 4 GB).
- Time.
- Install Triton with PIN support
- Install the Triton python module locally
- Copy the "triton" script to your PATH (usually ~/.local/bin)
- Install Nosy Newt:
$ git clone https://github.com/CIFASIS/nosy-newt
$ cd nosy-newt
$ python setup.py install --user
$ mkdir inputs
$ python -c "print 'a'*24" > inputs/input.dat
$ ./newt.py -n 3 -i inputs "unzip -l @@"
Using ['unzip', '-l', 'test.dat'] as arguments
Exploring inputs/input.dat executing unzip
Archive: test.dat
Hooking read of test.dat
symbolized 0x71af20L with 0x61L
...
symbolized 0x71af38L with 0xaL
End-of-central-directory signature not found. Either this file is not
a zipfile, or it constitutes one disk of a multi-part archive. In the
latter case the central directory and zipfile comment will be found on
the last disk(s) of this archive.
unzip: cannot find zipfile directory in one of test.dat or
test.dat.zip, and cannot find test.dat.ZIP, period.
Solving path conditions..
Dumping inputs/-7819407262199667705.dat with 'aaaPaaaaaaaaaaaaaaaaaaaa\n'
Solving path conditions..
Dumping inputs/-43234624507741908.dat with 'aaP\xafaaaaaaaaaaaaaaaaaaaa\n'
Solving path conditions..
Dumping inputs/-8008955989580669208.dat with 'aP\xaf\xafaaaaaaaaaaaaaaaaaaaa\n'
Solving path conditions..
Dumping inputs/-1547994686380196427.dat with 'P\xaf\xaf\xafaaaaaaaaaaaaaaaaaaaa\n'
Exploring inputs/-8008955989580669208.dat executing unzip
...
- Add explicit support for x86
- Better exploration system (now just random)
- Shared library support
- Emulated syscalls (for detecting I/O)
- open
- read
- mmap (basic)
- close
- seek
- Website + Documentation