Build
Jackalope
REM Jackalope, 32-bit Release build. All three Windows builds on this page use -A Win32,
REM so the fuzzer, DynamoRIO and the target (test.exe / msxml6.dll) must all be 32-bit.
cd jackalope && mkdir build && cd build
cmake -A Win32 ..
cmake --build . --config Release
Winafl
REM WinAFL, 32-bit Release. The DynamoRIO build (next section) must exist BEFORE this step:
REM -DDynamoRIO_DIR points at that tree's build\cmake and the path is machine-specific.
REM USE_DRSYMS=1 builds symbol support (needed to pick the target by -target_method; the
REM commands below use -target_offset instead), USE_COLOR=1 colours the console output.
cd winafl && mkdir build && cd build
cmake -A Win32 .. -DDynamoRIO_DIR=C:\Users\Administrator\Desktop\dynamorio\build\cmake -DUSE_DRSYMS=1 -DUSE_COLOR=1
cmake --build . --config Release
DynamoRIO
REM DynamoRIO, 32-bit RelWithDebInfo. Build this first: WinAFL's configure line references
REM this tree's build\cmake, and afl-fuzz.exe -D below uses its build\bin32 directory.
cd dynamorio && mkdir build && cd build
cmake -A Win32 ..
cmake --build . --config RelWithDebInfo
AFLplusplus
# AFL++ build dependencies (Debian/Ubuntu). LLVM 11 is preferred; the distro default LLVM is the fallback.
sudo apt-get update
sudo apt-get install -y build-essential python3-dev automake git flex bison libglib2.0-dev libpixman-1-dev python3-setuptools
sudo apt-get install -y lld-11 llvm-11 llvm-11-dev clang-11 || sudo apt-get install -y lld llvm llvm-dev clang
# gcc plugin headers for the installed gcc major version (parsed out of `gcc --version`); used by the GCC plugin mode (afl-gcc-fast).
sudo apt-get install -y gcc-$(gcc --version|head -n1|sed 's/.* //'|sed 's/\..*//')-plugin-dev libstdc++-$(gcc --version|head -n1|sed 's/.* //'|sed 's/\..*//')-dev
# Assumes the AFLplusplus repository is already cloned into ./AFLplusplus.
cd AFLplusplus
# 'distrib' builds every mode (LLVM, GCC plugin, QEMU/Frida, ...); individual parts fail if their dependencies are missing.
make distrib
sudo make install
Jackalope
Grammar-based fuzzing, shared-memory delivery
REM Grammar-based fuzzing of test.exe with shared-memory sample delivery.
REM -instrument_module: module coverage is collected from; -target_module/-target_method fuzz -nargs 1: the
REM function run in persistent mode (-persist -loop); -iterations 10000: restart the process after that many runs;
REM -cmp_coverage: also collect comparison coverage; -t 1000: per-run timeout in ms.
REM With -delivery shmem the target must read its input from the shared-memory segment whose name replaces @@
REM (hence test.exe -m). The grammar path looks mangled ("....\"); presumably ..\..\examples\grammar\jsgrammar.txt - verify.
fuzzer.exe -in in -out out -t 1000 -delivery shmem -instrument_module test.exe -target_module test.exe -target_method fuzz -nargs 1 -iterations 10000 -grammar ....\examples\grammar\jsgrammar.txt -persist -loop -cmp_coverage -- test.exe -m @@
Binary (non-grammar) fuzzing, file vs shared-memory delivery
REM Plain mutation fuzzing: coverage is collected from msxml6.dll while the persistent entry point is
REM test.exe!fuzz(1 arg). File delivery: the sample path replaces @@ (test.exe -f); -nthreads 4 fuzzing
REM threads; -t 3000 ms timeout.
fuzzer.exe -in in -out out -t 3000 -delivery file -instrument_module msxml6.dll -target_module test.exe -target_method fuzz -nargs 1 -iterations 10000 -persist -loop -cmp_coverage -nthreads 4 -- test.exe -f @@
REM Same campaign with shared-memory delivery: the target reads the sample from the shm segment named in
REM place of @@ (test.exe -m); shorter 1000 ms timeout.
fuzzer.exe -in in -out out -t 1000 -delivery shmem -instrument_module msxml6.dll -target_module test.exe -target_method fuzz -nargs 1 -iterations 10000 -persist -loop -cmp_coverage -- test.exe -m @@
Multithread
REM 16 fuzzing threads; -restore resumes the fuzzer state kept in the existing out directory instead of
REM starting from the in corpus again. Otherwise identical to the shared-memory run above.
fuzzer.exe -in in -out out -t 1000 -delivery shmem -instrument_module msxml6.dll -target_module test.exe -target_method fuzz -nargs 1 -iterations 10000 -restore -nthreads 16 -persist -loop -cmp_coverage -- test.exe -m @@
WinAFL
Test
REM Dry run of the harness under drrun before fuzzing: 10 iterations with -debug, which writes a log showing
REM whether the target function (-target_offset 0x1010 = offset from test.exe's base) is reached and whether
REM coverage from msxml6.dll is recorded. drrun and winafl.dll must be the same bitness as the target.
REM Note: this path uses winafl\build32\bin\Release\winafl.dll while the build section used winafl\build -
REM keep the two consistent.
drrun -c C:\Users\Administrator\Desktop\winafl\build32\bin\Release\winafl.dll -debug -coverage_module msxml6.dll -target_module test.exe -target_offset 0x1010 -fuzz_iterations 10 -nargs 1 -- test.exe -f fff
Fuzz, shared-memory delivery (-s)
REM WinAFL with shared-memory sample delivery (-s): the target gets the shm segment name in place of @@
REM (test.exe -m). '-i -' resumes from the existing out directory; use '-i in' for a fresh session.
REM -D points at the 32-bit DynamoRIO binaries from the build above (build\bin32); -t 10000 ms timeout.
REM Options after the first '--' are winafl.dll instrumentation options, the target command follows the second '--'.
afl-fuzz.exe -s -i - -o out -D C:\Users\Administrator\Desktop\dynamorio\build\bin32 -t 10000 -- -coverage_module msxml6.dll -target_module test.exe -target_offset 0x1010 -fuzz_iterations 10000 -nargs 1 -- test.exe -m @@
Fuzz, edge coverage (-covtype edge)
REM As above, fresh session (-i in), with -covtype edge recording edge coverage instead of the default basic-block
REM coverage. The -D path here belongs to a different machine than the build section (jeff vs Administrator) - adjust.
afl-fuzz.exe -s -i in -o out -D C:\Users\jeff\Desktop\Fuzz\dynamorio\build32\bin32 -t 10000 -- -coverage_module msxml6.dll -target_module test.exe -target_offset 0x1010 -fuzz_iterations 10000 -nargs 1 -covtype edge -- test.exe -m @@
Fuzz, master/secondary parallel mode (-M / -S)
REM Parallel fuzzing: '-M/-S fuzzxx' is a placeholder - start exactly one instance with -M <name> and the
REM others with -S <name>, each with a unique name, all sharing the same -o out directory so they sync.
afl-fuzz.exe -M/-S fuzzxx -s -i in -o out -D C:\Users\jeff\Desktop\Fuzz\dynamorio\build32\bin32 -t 10000 -- -coverage_module msxml6.dll -target_module test.exe -target_offset 0x1010 -fuzz_iterations 10000 -nargs 1 -covtype edge -- test.exe -m @@
honggfuzz
Compile target
# honggfuzz instrumentation: hfuzz-clang wraps clang and the CFLAGS add the coverage hooks it consumes.
export CC=hfuzz-clang
export CXX=hfuzz-clang++
export CFLAGS="-fsanitize-coverage=trace-pc-guard,indirect-calls,trace-cmp"
export CXXFLAGS="-fsanitize-coverage=trace-pc-guard,indirect-calls,trace-cmp"
./configure --disable-shared
# ALTERNATIVE, not an addition: an AFL (afl-gcc) + ASan configure. Its inline CC/CXX/CFLAGS override the
# exports above, so run only one of the two ./configure lines before `make`; running both leaves the second.
CC=afl-gcc CXX=afl-g++ CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" CXXFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" LDFLAGS=" -g -fsanitize=address -fno-omit-frame-pointer" ./configure --disable-shared
make
Fuzz
# -f: seed directory, -W: workspace for findings/reports; ___FILE___ is replaced by the current test case.
# The target's '-o out4' points at the same path as the -W workspace; unless that overlap is intended,
# send the output elsewhere (e.g. '-o -' as in the afl-fuzz lines below).
honggfuzz -f ~/aflsmart/testcases/aflsmart/wav -W out4 -- ./cli/wavpack -y ___FILE___ -o out4
https://github.com/google/honggfuzz/blob/master/docs/USAGE.md
AFLplusplus
Compile target
# Two ALTERNATIVE instrumented builds - pick one before `make`:
#  - afl-clang-lto: LTO mode (collision-free coverage); needs llvm-ar/llvm-ranlib and an LLVM with lld.
#  - afl-clang-fast: classic LLVM mode; works with any supported clang.
CC=afl-clang-lto CXX=afl-clang-lto++ RANLIB=llvm-ranlib AR=llvm-ar ./configure --disable-shared
CC=afl-clang-fast CXX=afl-clang-fast++ ./configure --disable-shared
make
Optimizations
Sanitizers: build the target with `export AFL_USE_ASAN=1 ; export AFL_USE_UBSAN=1 ; export AFL_USE_CFISAN=1` in the environment (CFISAN is a clang-only sanitizer; sanitizer builds must be fuzzed with `-m none`).
CMPLOG/Redqueen: build the target once normally, then a second time with `export AFL_LLVM_CMPLOG=1`; both binaries are needed at run time: `afl-fuzz -i input -o output -c ./program.cmplog -m none -- ./program.afl @@`
laf-intel/COMPCOV: build the target with `export AFL_LLVM_LAF_ALL=1`
Fuzzer mix:
- the -M (main) instance needs nothing special; tune the -S (secondary) instances as follows
- 1 with sanitizers
- 1-2 with CMPLOG (at least one with -l AT)
- 1-3 with COMPCOV
- 1/4 to 1/3 of the instances with MOpt mutation enabled via -L 0
- different power schedules: -p fast (default), explore, coe, lin, quad, exploit and rare
- a few instances cycling the old queue, -Z
Recommended for all of the above:
- import the other instances' test cases before starting to fuzz: export AFL_IMPORT_FIRST=1
- with a large corpus: export AFL_CMPLOG_ONLY_NEW=1 ; export AFL_FAST_CAL=1
Performance:
- use persistent mode
- when not in persistent mode, keep the working files on a RAM disk to cut disk I/O: sudo mount -t tmpfs -o size=5g tmpfs /ramdisk, export AFL_TMPDIR=/ramdisk (one directory per afl-fuzz instance)
- on Linux, sudo afl-persistent-config permanently disables system hardening that slows fuzzing (ASLR, core_pattern, CPU mitigations, via sysctl/GRUB) - only do this on a dedicated, isolated fuzzing machine, never on a shared or production host
- use the test-case cache: export AFL_TESTCACHE_SIZE=200 (MB; 50-500)
After every boot: sudo afl-system-config (the non-persistent ASLR/core_pattern/CPU tuning, lost at reboot)
Minimize sample set & samples
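# Corpus minimization: keep only the seeds that add coverage. -f pins the file the target
# reads (afl-cmin substitutes @@ with it).
afl-cmin -i in -o in_min -f t.wav -- ./cli/wavpack -y @@ -o -
# Per-file minimization with afl-tmin, run in parallel. Each job gets its own -f scratch
# file (t_<name>) and writes tmin_in/<name>. The original "tmin_$i" / "t_$i" expanded to
# tmin_in/<path> and t_in/<path>, which needs a t_in/ directory that nothing creates.
# Point seed_dir at in_min to minimize only the afl-cmin survivors.
seed_dir=in
tmin_dir=tmin_in
mkdir -p "$tmin_dir"
for seed in "$seed_dir"/*; do
  [ -e "$seed" ] || continue          # empty directory: the glob stays literal
  base=${seed##*/}
  afl-tmin -i "$seed" -o "$tmin_dir/$base" -f "t_$base" -- ./cli/wavpack -y @@ -o - &
  # cap the number of concurrent afl-tmin jobs at the core count
  while [ "$(jobs -rp | wc -l)" -ge "$(nproc)" ]; do wait -n; done
done
wait

# Showmap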
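# Coverage map for a single input (the file is passed directly, not via @@); only the
# summary printed to the terminal is of interest, so the map itself goes to /dev/null.
afl-showmap -o /dev/null -- ./cli/wavpack.afl -y tmin_in/low_town_groove.wav -o xx.x
# -C: collect mode, walks every test case in the out5 queue and reports the accumulated
# coverage. The target reads stdin ('-' as the last argument). The original line ended in
# "-fuzz" only because the "Fuzz" heading below had been glued onto the trailing '-'.
afl-showmap -C -i out5 -o /dev/null -- ./cli/wavpack.afl -o - -

# Fuzz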
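# RAM-backed scratch space for the fuzzers' working files; size it for the number of instances.
sudo mount -t tmpfs -o size=10g tmpfs /ramdisk
# Sync from sibling instances first, CMPLOG-trace only brand-new inputs, shorter calibration,
# 200 MB test-case cache (see the tips above).
export AFL_IMPORT_FIRST=1;export AFL_CMPLOG_ONLY_NEW=1;export AFL_FAST_CAL=1;export AFL_TESTCACHE_SIZE=200
# One scratch directory per instance: afl-fuzz writes its .cur_input(.wav) into AFL_TMPDIR, so
# instances sharing a directory would overwrite each other's input. In each instance's shell
# use /ramdisk/2, /ramdisk/3, ... before starting it.
mkdir -p /ramdisk/1 && export AFL_TMPDIR=/ramdisk/1
# ... repeat per instance ...
# All instances share -o out5 and feed the target on stdin (trailing '-'); -m none because of the
# sanitizer build; -e wav names the input file .cur_input.wav.
# Main instance; -L 0 switches MOpt mutation on immediately.
afl-fuzz -M d1 -i tmin_in -o out5 -t 1000 -m none -e wav -L 0 -p fast -- ./cli/wavpack.afl -y -o - -
# Sanitizer build.
afl-fuzz -S d2 -i tmin_in -o out5 -t 1000 -m none -e wav -L 0 -- ./cli/wavpack.san -y -o - -
# CMPLOG secondaries: -c is the CMPLOG build, -l selects the solving level (AT = everything incl.
# transforms, 2 = also string/array comparisons).
afl-fuzz -S d3 -i tmin_in -o out5 -t 1000 -m none -e wav -c ./cli/wavpack.cmplog -l AT -- ./cli/wavpack.afl -y -o - -
afl-fuzz -S d4 -i tmin_in -o out5 -t 1000 -m none -e wav -c ./cli/wavpack.cmplog -l 2 -- ./cli/wavpack.afl -y -o - -
# laf-intel/COMPCOV build with different power schedules.
afl-fuzz -S d5 -i tmin_in -o out5 -t 1000 -m none -e wav -p fast -- ./cli/wavpack.laf -y -o - -
afl-fuzz -S d6 -i tmin_in -o out5 -t 1000 -m none -e wav -p explore -- ./cli/wavpack.laf -y -o - -
afl-fuzz -S d7 -i tmin_in -o out5 -t 1000 -m none -e wav -p coe -L 0 -- ./cli/wavpack.laf -y -o - -
# Plain build: remaining schedules, MOpt after n minutes without finds (-L n), old queue cycling (-Z).
afl-fuzz -S d8 -i tmin_in -o out5 -t 1000 -m none -e wav -p lin -L 0 -Z -- ./cli/wavpack.afl -y -o - -
afl-fuzz -S d9 -i tmin_in -o out5 -t 1000 -m none -e wav -p quad -L 1 -Z -- ./cli/wavpack.afl -y -o - -
afl-fuzz -S d10 -i tmin_in -o out5 -t 1000 -m none -e wav -p exploit -L 2 -- ./cli/wavpack.afl -y -o - -
afl-fuzz -S d11 -i tmin_in -o out5 -t 1000 -m none -e wav -p rare -- ./cli/wavpack.afl -y -o - -
afl-fuzz -S d12 -i tmin_in -o out5 -t 1000 -m none -e wav -p coe -- ./cli/wavpack.afl -y -o - -
# AFL_DISABLE_TRIM=1: skip input trimming for these two.
AFL_DISABLE_TRIM=1 afl-fuzz -S d13 -i tmin_in -o out5 -t 1000 -m none -e wav -p explore -L 1 -- ./cli/wavpack.afl -y -o - -
# The original line ended in "-resume" because the "resume" heading below was glued onto the trailing '-'.
AFL_DISABLE_TRIM=1 afl-fuzz -S d14 -i tmin_in -o out5 -t 1000 -m none -e wav -L 2 -Z -- ./cli/wavpack.afl -y -o - -

# Resume: re-run the same command line against the existing -o directory with AFL_AUTORESUME set
# (a bare `AFL_AUTORESUME=1` on its own line is not seen by afl-fuzz; it must be exported or prefixed).
export AFL_AUTORESUME=1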
Show debug info
# Prefix any afl-fuzz invocation with AFL_DEBUG=1 for verbose forkserver/instrumentation diagnostics.
AFL_DEBUG=1 afl-fuzz ...
Classify
Install
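# crashwalk drives gdb with the jfoote/exploitable GDB extension, so gdb is required as well.
sudo apt-get install -y golang gdb
cd ~
git clone https://github.com/jfoote/exploitable.git
mkdir -p go
export GOPATH=~/go
# Go 1.17+ no longer installs binaries via 'go get'; 'go install ...@latest' puts cwtriage/cwdump
# into $GOPATH/bin (~/go/bin, as used below). The fallback keeps older toolchains working.
go install github.com/bnagy/crashwalk/cmd/...@latest || go get -u github.com/bnagy/crashwalk/cmd/...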
Run
# crashwalk triage: every crash file is re-executed under gdb with the exploitable plugin. These inputs
# are attacker-grade data - run this only on the isolated fuzzing box.
export CW_EXPLOITABLE=~/exploitable/exploitable
# abort_on_error makes ASan raise SIGABRT so gdb stops at the fault; symbolize=0 leaves symbolization to gdb.
export ASAN_OPTIONS="abort_on_error=1:symbolize=0"
# Manual mode: crash files under out6/d2/crashes whose names match "id", fed to the target on stdin ('-').
# Note the target here is wvunpack.san, not the wavpack.san fuzzed above - make sure the crashes were
# produced by the binary you triage with.
~/go/bin/cwtriage -root out6/d2/crashes/ -match id -- ./cli/wvunpack.san -o - - -y
# -afl: walk an afl-fuzz output tree and take the target command recorded by each instance.
~/go/bin/cwtriage -root out6/ -afl
# Dump the crashwalk.db results as text.
~/go/bin/cwdump crashwalk.db > crash.txt
aflsmart
Compile target
# ASan build for AFLSmart. AFL_USE_CFISAN is an AFL++/clang feature (CFI sanitizer does not exist in gcc);
# AFLSmart's afl-gcc is a classic AFL wrapper and is expected to ignore it - verify.
export AFL_USE_ASAN=1; export AFL_USE_CFISAN=1
CC=~/aflsmart/afl-gcc ./configure --disable-shared
# Rebuild from scratch so every object is instrumented.
make clean all
Fuzz
# AFLSmart (structure-aware AFL). setup_env.sh is sourced into this shell; presumably it sets up the Peach
# environment the -w peach parser needs - inspect it before sourcing.
export AFLSMART=~/aflsmart
cd $AFLSMART
source $AFLSMART/setup_env.sh
# Single instance on the bundled WAV seeds. -w peach -g wav.xml: structural mutations driven by the Peach
# input model; -x: token dictionary; -d: skip deterministic steps; -h: AFLSmart-specific (see its README);
# -m none because of the ASan build.
$AFLSMART/afl-fuzz -m none -h -d -i $AFLSMART/testcases/aflsmart/wav -o out8 -t 1000 -w peach -g $AFLSMART/input_models/wav.xml -x $AFLSMART/dictionaries/wav.dict -e wav -- ./cli/wavpack -y @@ -o -
# Six secondaries on the larger seed set sharing out9. They differ only by name: no -M instance and no
# per-instance diversity (sanitizers/schedules) - compare the AFL++ fuzzer mix above.
$AFLSMART/afl-fuzz -S d1 -m none -h -d -i ~/WavPack2/wav_seed_all -o out9 -t 1000 -w peach -g $AFLSMART/input_models/wav.xml -x $AFLSMART/dictionaries/wav.dict -e wav -- ./cli/wavpack -y @@ -o -
$AFLSMART/afl-fuzz -S d2 -m none -h -d -i ~/WavPack2/wav_seed_all -o out9 -t 1000 -w peach -g $AFLSMART/input_models/wav.xml -x $AFLSMART/dictionaries/wav.dict -e wav -- ./cli/wavpack -y @@ -o -
$AFLSMART/afl-fuzz -S d3 -m none -h -d -i ~/WavPack2/wav_seed_all -o out9 -t 1000 -w peach -g $AFLSMART/input_models/wav.xml -x $AFLSMART/dictionaries/wav.dict -e wav -- ./cli/wavpack -y @@ -o -
$AFLSMART/afl-fuzz -S d4 -m none -h -d -i ~/WavPack2/wav_seed_all -o out9 -t 1000 -w peach -g $AFLSMART/input_models/wav.xml -x $AFLSMART/dictionaries/wav.dict -e wav -- ./cli/wavpack -y @@ -o -
$AFLSMART/afl-fuzz -S d5 -m none -h -d -i ~/WavPack2/wav_seed_all -o out9 -t 1000 -w peach -g $AFLSMART/input_models/wav.xml -x $AFLSMART/dictionaries/wav.dict -e wav -- ./cli/wavpack -y @@ -o -
$AFLSMART/afl-fuzz -S d6 -m none -h -d -i ~/WavPack2/wav_seed_all -o out9 -t 1000 -w peach -g $AFLSMART/input_models/wav.xml -x $AFLSMART/dictionaries/wav.dict -e wav -- ./cli/wavpack -y @@ -o -
Trophy
[CVE-2021-44269] Heap out-of-bounds read in WavpackPackSamples (src/pack_utils.c)