# Fuzzing

Articles

brew install afl-fuzz

macOS with AFL (disable the crash reporter so AFL, not ReportCrash, sees the crashes)

SL=/System/Library; PL=com.apple.ReportCrash
launchctl unload -w ${SL}/LaunchAgents/${PL}.plist
sudo launchctl unload -w ${SL}/LaunchDaemons/${PL}.Root.plist

Repos and tools

Other

Questions:

  • What is the principle behind fuzzing?

First read how AFL works: http://lcamtuf.coredump.cx/afl/technical_details.txt

  • How do you write fuzzing code?
  • How do you turn a fuzzing result into PoC code?
  • How do you automate fuzzing?
  • How do you use machine learning to generate inputs and attack with them?
  • How do you fuzz kernels (Windows kernel, Linux kernel, macOS kernel)?

https://github.com/RUB-SysSec/kAFL https://github.com/nccgroup/TriforceAFL https://github.com/google/syzkaller

mylamour commented Aug 23, 2018

$ brew install afl-fuzz
$ git clone https://github.com/fuzzdb-project/fuzzdb
$ touch vuln.c

fork() on macOS is very slow, so don't set this up on a Mac. That is why the first fuzzing example ran for a long time on the Mac with no result, but finished in a moment once moved to Ubuntu.
When installing on Ubuntu, QEMU mode is not built by default; if you need it, run cd qemu_mode && ./build_qemu_support.sh.
You may already have libtool installed and still be told it is missing; install libtool-bin with sudo apt-get install libtool-bin.

Fuzz afl-gcc itself with afl-fuzz (QEMU mode):
~/afl-2.52b/afl-fuzz -i ~/fuzzdb/attack/os-cmd-execution/ -o ./hehehehe -m 2048 -Q afl-gcc

[screenshot]

Enter the following code:

#include <stdio.h>
#include <string.h>

int main(void)
{
        char login[32];
        char passwd[32];

        printf("Login: \n");
        gets(login);            /* unbounded read: a login longer than 32 bytes overruns the stack */
        printf("Password: \n");
        gets(passwd);           /* same for the password */

        if (strcmp(login, "root") == 0) {
                if (strcmp(passwd, "1qazxsw2") == 0) {
                        printf("Access Granted.\n");
                        return 0;
                }
        }

        printf("Access Denied.\n");
        return 1;
}
$ afl-clang -fno-stack-protector  vuln1.c -o vuln1
$ mkdir res
$ afl-fuzz -i ../../fuzzdb/attack -o ./res ./vuln1

[screenshot]
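A hardened version of the login program above, added here as an example (it is not from the gist): the two gets() calls are replaced by a bounded reader that also drains the rest of an over-long line, and the dialogue is split into functions so a test case can be replayed from a string instead of stdin. The credentials and exit codes are the same as in vuln1.c; fmemopen() is used only by login_from_string(); the function names and the over-long input are this example's own.

```c
#define _POSIX_C_SOURCE 200809L   /* fmemopen() for login_from_string() */
#include <stdio.h>
#include <string.h>

/* fallback prototype in case the feature macro above came too late */
FILE *fmemopen(void *buf, size_t size, const char *mode);

#define FIELD_LEN 32

/* Bounded replacement for gets(): reads at most len-1 bytes, strips the
 * newline, and drains the rest of an over-long line so the next read
 * starts on a fresh line instead of on the overflow. Returns 0 on EOF
 * before any data, 1 otherwise. */
static int read_line(char *buf, size_t len, FILE *in)
{
    if (fgets(buf, (int)len, in) == NULL)
        return 0;
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[n - 1] = '\0';
    } else {
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;
    }
    return 1;
}

/* Same credential check as vuln1.c: 0 = granted, 1 = denied. */
int check_login(const char *login, const char *passwd)
{
    if (strcmp(login, "root") == 0 && strcmp(passwd, "1qazxsw2") == 0)
        return 0;
    return 1;
}

/* Reads the two lines from `in` and returns the check_login() result;
 * short input is a denial (1). Separated from main() so a test, or a
 * file AFL hands over with @@, can drive it directly. */
int run_login(FILE *in)
{
    char login[FIELD_LEN];
    char passwd[FIELD_LEN];

    printf("Login: \n");
    if (!read_line(login, sizeof login, in))
        return 1;
    printf("Password: \n");
    if (!read_line(passwd, sizeof passwd, in))
        return 1;
    return check_login(login, passwd);
}

/* Run the dialogue over an in-memory string (what a test case file holds). */
int login_from_string(const char *text)
{
    FILE *f = fmemopen((void *)text, strlen(text), "r");
    if (f == NULL)
        return 1;
    int rc = run_login(f);
    fclose(f);
    return rc;
}

int main(void)
{
    int rc = run_login(stdin);
    puts(rc == 0 ? "Access Granted." : "Access Denied.");
    return rc;
}
```

The interesting case is a 100-byte login line: the original program writes past login[] into passwd[] and the saved return address, while here the first 31 bytes land in the buffer, the remainder is discarded, and the password line is still read correctly.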

mylamour commented Aug 23, 2018

zzuf tutorial

mylamour commented Aug 23, 2018

fuzz-test-suite tutorial

  1. openssl demo
    $ docker run --cap-add SYS_PTRACE -ti libfuzzertutorial/prebuilt
    $ ./openssl-1.0.2d-fsanitize_fuzzer
    # then you would get a new crash sample
    $ ./openssl-1.0.2d-fsanitize_fuzzer ./crash-9e656109d00645c7048519a19c83363c4222719e

[screenshot]

[screenshot]

mylamour commented Aug 24, 2018

Fuzzing smart contracts: https://arxiv.org/pdf/1807.03932

mylamour commented Aug 26, 2018

[screenshot]
Fix:
First see where the problem is:

LSAN_OPTIONS=verbosity=1:log_threads=1 ./fuzzing ./testcase

mylamour commented Aug 26, 2018

AFL fuzzing SSH on my Ubuntu 16.04 LTS

$ sudo apt-get install clang-3.8 build-essential llvm-3.8-dev gnuplot-nox
$ sudo update-alternatives --install /usr/bin/clang clang `which clang-3.8` 1
$ sudo update-alternatives --install /usr/bin/clang++ clang++ `which clang++-3.8` 1
$ sudo update-alternatives --install /usr/bin/llvm-config llvm-config `which llvm-config-3.8` 1
$ sudo update-alternatives --install /usr/bin/llvm-symbolizer llvm-symbolizer `which llvm-symbolizer-3.8` 1
$ wget http://lcamtuf.coredump.cx/afl/releases/afl-latest.tgz
$ tar -xf afl-latest.tgz
$ cd afl-2.52b 
$ make
$ make -C llvm_mode

To build QEMU mode you have to go into qemu_mode and build it separately; for targets without source code, AFL uses QEMU's translation-block instrumentation.

$ git clone --depth 1 https://github.com/openssh/openssh-portable openssh
$ cd openssh
$ autoreconf                                   # the git checkout has no configure script
$ CC=~/afl-2.52b/afl-clang-fast ./configure
$ CC=~/afl-2.52b/afl-clang-fast AFL_HARDEN=1 make

Code changes (this part follows the linked article):

  1. Reduce randomness: vim openbsd-compat/arc4random.c
    [screenshot]

  2. Disable MAC: vim mac.c
    [screenshot]

  3. Deferred forkserver mode:
    vim sshd.c
    [screenshot]

Run:

$ ~/afl-2.52b/afl-fuzz -i ~/fuzzdb/attack -o ./res -M 0 ./sshd -d -e -p 2100 -r -f /etc/config/sshd_config -i

Q:

  • The build also reports one more error; find that line in the Makefile and delete the option.

  • [-] PROGRAM ABORT : Pipe at the beginning of 'core_pattern'
    Location : check_crash_handling(), afl-fuzz.c:7275
    [screenshot]

echo core >/proc/sys/kernel/core_pattern

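The deferred fork server and persistent mode that step 3 patches into sshd.c, shown on a tiny stand-alone parser as an added example (not from the gist and not OpenSSH code). __AFL_HAVE_MANUAL_CONTROL, __AFL_INIT() and __AFL_LOOP() are the real afl-clang-fast macros from llvm_mode; parse_kv(), its key=value line format and the size limits are this example's own assumptions. Built with plain gcc it handles one input from stdin; built with afl-clang-fast it starts the fork server only after the one-off setup and then runs 1000 inputs per process.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MAX_KEY 32
#define MAX_VAL 128
#define MAX_PAIRS 16

struct kv { char key[MAX_KEY]; char val[MAX_VAL]; };

/* Parse "key=value" lines (blank lines and '#' comments skipped) from a
 * buffer that need not be NUL-terminated. Returns the number of pairs
 * stored (at most max) or -1 on a malformed or oversized line. Every copy
 * is bounded, so a crash under AFL would be the target's, not the harness's. */
int parse_kv(const char *buf, size_t len, struct kv *out, int max)
{
    int n = 0;
    size_t i = 0;
    while (i < len && n < max) {
        const char *line = buf + i;
        const char *end = memchr(line, '\n', len - i);
        size_t linelen = end ? (size_t)(end - line) : len - i;
        i += linelen + 1;
        if (linelen == 0 || line[0] == '#')
            continue;                       /* blank or comment line */
        const char *eq = memchr(line, '=', linelen);
        if (eq == NULL || eq == line)
            return -1;                      /* no '=' or empty key */
        size_t klen = (size_t)(eq - line);
        size_t vlen = linelen - klen - 1;
        if (klen >= MAX_KEY || vlen >= MAX_VAL)
            return -1;                      /* oversized field: reject, never truncate silently */
        memcpy(out[n].key, line, klen);
        out[n].key[klen] = '\0';
        memcpy(out[n].val, eq + 1, vlen);
        out[n].val[vlen] = '\0';
        n++;
    }
    return n;
}

int main(void)
{
    /* One-off, expensive setup (in sshd: host keys, config) belongs here;
     * it runs once, before the fork server snapshots the process. */
    struct kv pairs[MAX_PAIRS];

#ifdef __AFL_HAVE_MANUAL_CONTROL
    __AFL_INIT();                 /* deferred fork server starts here */
    while (__AFL_LOOP(1000)) {    /* persistent mode: 1000 inputs per process */
#else
    {                             /* plain build: exactly one input */
#endif
        char buf[4096];
        ssize_t n = read(0, buf, sizeof buf);   /* AFL rewrites stdin per iteration */
        if (n > 0)
            parse_kv(buf, (size_t)n, pairs, MAX_PAIRS);
    }
    return 0;
}
```

Everything above __AFL_INIT() is paid for once; everything inside the loop must not keep state between iterations, which is why the sshd patch also has to remove randomness (step 1) so that two runs on the same input take the same path.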

mylamour commented Aug 28, 2018

Fuzzing Python

https://tomforb.es/segfaulting-python-with-afl-fuzz

clone -> configure -> afl make -> write testcase -> run it

CC=afl-gcc ./configure && make

Then just write test cases and fuzz

afl-fuzz -i cpython/testcases -o fuzz cpython/python @@

[screenshot]

How to use machine learning to generate good fuzzing samples?

mylamour commented Aug 29, 2018

ToDo

  • how to use gn
  • how to use ninja

Chromium fuzzing tutorial

ubuntu16.04:

git clone https://chromium.googlesource.com/chromium/tools/depot_tools.git
export PATH="$PATH:/path/to/depot_tools"             # use an absolute path
mkdir ~/chromium && cd ~/chromium
fetch --nohooks chromium                           # downloads roughly 10 GB
cd src
./build/install-build-deps.sh                     # install dependencies
gclient runhooks                                  # run the Chromium-specific hooks
# prepare the build
gn gen out/Default                                # generate the ninja files

#mount -t tmpfs -o size=20G,nr_inodes=40k,mode=1777 tmpfs /root/chromium/src/out
# 20G was too small and the build ran out of space; remount with a larger size.

# build
autoninja -C out/Default chrome

[screenshot]
[screenshot]

On an 8-core, 8 GB machine the early part compiled about one file per second, so it looked like it would take about 9 hours to finish. With luck.

[screenshot]
The build finished; the tree has grown to 49G.

[screenshot]

Build the libFuzzer targets

$ gn gen out/libfuzzer '--args=use_libfuzzer=true is_asan=true is_ubsan_security=true is_debug=false enable_nacl=false' --check
$ ninja -C out/libfuzzer v8_json_parser_fuzzer

[screenshot]

$ ./out/libfuzzer/v8_json_parser_fuzzer ~/chromium/testcases/json_parser_corpus/ --dict=json.dict -jobs=6 -workers=6

[screenshot]

  • Fuzzing with AFL in QEMU mode

~/afl-2.52b/afl-fuzz -i ~/fuzzdb/attack/all-attacks -o ./hehehehe -m 1024 -Q ./chrome --no-sandbox
[screenshot]

Why?! Soul-destroying. It makes no sense; -t 100 doesn't help either.

[screenshot]


mylamour commented Sep 3, 2018

Fuzzing smart contracts: https://github.com/trailofbits/echidna ; I don't understand it well yet. Will keep looking.

$ git clone https://github.com/trailofbits/echidna
$ docker build -t echidna .
$ docker run --rm -it echidna bash
$ echidna-test solidity/cli.sol

[screenshot]

mylamour commented Sep 3, 2018

mutators

radamsa tutorial

radamsa generates random fuzz vectors

  1. Clone and build
    git clone https://gitlab.com/akihe/radamsa.git && cd radamsa && make && sudo make install

[screenshot]

  2. Usage: echo <anything> | radamsa to generate an attack payload

[screenshot]

[screenshot]

  3. Other uses
  • Generate several test cases
    echo "岁月神偷"| radamsa -d 2 -n 10
    Generates 10 of them, one every 2 ms; adjustable, e.g. -d 600, whatever you like.

[screenshot]

  • Generate test cases from a file
    radamsa -r guest.jpg -o ./1.png

The above is the mutated version of the original image.
To scale an image and put several on one line in Markdown you can use:

<img  align="right" src="https://xxx.png" width="200" height="200" />

NI

https://github.com/aoh/ni

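What a mutator like radamsa does to an input, reduced to four mutations in C as an added example (it is not radamsa's code and not from the gist): bit flip, byte delete, byte insert with an "interesting" value, and range duplication, plus a seeded xorshift PRNG so any mutated case can be regenerated from its seed, which is what -s does for radamsa. The function names, the mutation set and the interesting-value list are this example's own assumptions; each mutation takes its position explicitly so it can be checked on its own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Every mutation writes into `out` (capacity `cap`) and returns the new
 * length, or 0 when the result would not fit or the position is invalid. */

/* Flip one bit: the classic "bf" style mutation. */
size_t mut_flip_bit(const uint8_t *in, size_t len, size_t pos, int bit,
                    uint8_t *out, size_t cap)
{
    if (len == 0 || len > cap || pos >= len) return 0;
    memcpy(out, in, len);
    out[pos] ^= (uint8_t)(1u << (bit & 7));
    return len;
}

/* Delete one byte (shortens framing, breaks length fields). */
size_t mut_delete(const uint8_t *in, size_t len, size_t pos, uint8_t *out, size_t cap)
{
    if (len == 0 || pos >= len || len - 1 > cap) return 0;
    memcpy(out, in, pos);
    memcpy(out + pos, in + pos + 1, len - pos - 1);
    return len - 1;
}

/* Insert one byte; callers pass boundary values such as 0x00, 0xff, 0x7f. */
size_t mut_insert(const uint8_t *in, size_t len, size_t pos, uint8_t val,
                  uint8_t *out, size_t cap)
{
    if (pos > len || len + 1 > cap) return 0;
    memcpy(out, in, pos);
    out[pos] = val;
    memcpy(out + pos + 1, in + pos, len - pos);
    return len + 1;
}

/* Duplicate the range [start, start+n) right after itself: repeat-style. */
size_t mut_dup(const uint8_t *in, size_t len, size_t start, size_t n,
               uint8_t *out, size_t cap)
{
    if (start >= len || n == 0 || start + n > len || len + n > cap) return 0;
    memcpy(out, in, start + n);
    memcpy(out + start + n, in + start, n);
    memcpy(out + start + 2 * n, in + start + n, len - start - n);
    return len + n;
}

/* xorshift64*: tiny deterministic PRNG, so a case is reproducible from its seed. */
static uint64_t prng(uint64_t *s)
{
    uint64_t x = *s;
    x ^= x >> 12; x ^= x << 25; x ^= x >> 27;
    *s = x;
    return x * 0x2545F4914F6CDD1DULL;
}

/* One random mutation of `in`, selected and positioned by `seed`. */
size_t mutate(const uint8_t *in, size_t len, uint64_t seed, uint8_t *out, size_t cap)
{
    static const uint8_t interesting[] = { 0x00, 0xff, 0x7f, 0x80, '\n', '%' };
    uint64_t s = seed ? seed : 0x9E3779B97F4A7C15ULL;   /* xorshift needs non-zero state */
    uint64_t kind = prng(&s) % 4;
    size_t pos = len ? (size_t)(prng(&s) % len) : 0;
    switch (kind) {
    case 0:
        return mut_flip_bit(in, len, pos, (int)(prng(&s) % 8), out, cap);
    case 1:
        return mut_delete(in, len, pos, out, cap);
    case 2:
        return mut_insert(in, len, (size_t)(prng(&s) % (len + 1)),
                          interesting[prng(&s) % sizeof interesting], out, cap);
    default: {
        size_t n = len ? 1 + (size_t)(prng(&s) % len) : 0;
        if (n > len - pos) n = len - pos;        /* keep the range inside the input */
        return mut_dup(in, len, pos, n, out, cap);
    }
    }
}
```

Feeding mutate() the same seed twice yields the same bytes, which is the property that lets a crashing case from a long campaign be regenerated instead of stored; radamsa's -n/-d loop is the same idea with a much larger mutation catalogue.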

mylamour commented Sep 10, 2018

PDF fuzzing

  • mutool
mylamour commented Sep 10, 2018

libFuzzer tutorial

[screenshot]

fuzz_me.c

// C++ source (it uses extern "C"), as in the libFuzzer tutorial
#include <stdint.h>
#include <stddef.h>

// Checks DataSize >= 3 but reads Data[3]: a 3-byte input starting with
// "FUZ" reads one byte past the end. This is the bug the fuzzer is meant to find.
bool FuzzMe(const uint8_t *Data, size_t DataSize) {
  return DataSize >= 3 &&
      Data[0] == 'F' &&
      Data[1] == 'U' &&
      Data[2] == 'Z' &&
      Data[3] == 'Z';  // :‑<
}

extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
  FuzzMe(Data, Size);
  return 0;
}
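The same harness with the off-by-one fixed, plus a minimal reproducer for a crash file, as an added example in C (not the gist's code and not the libFuzzer tutorial's). LLVMFuzzerTestOneInput is the libFuzzer entry point; FuzzMeFixed, TriggersOriginalBug and read_input are this example's own. Built with clang -fsanitize=fuzzer,address, libFuzzer supplies main() and clang defines FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION, which hides the reproducer main(); built with clang -fsanitize=address alone it replays one file, the way ./openssl-1.0.2d-fsanitize_fuzzer ./crash-... does in the fuzz-test-suite comment above.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Fixed check: needs four bytes before touching Data[3]. */
bool FuzzMeFixed(const uint8_t *Data, size_t DataSize)
{
    return DataSize >= 4 &&
           Data[0] == 'F' && Data[1] == 'U' && Data[2] == 'Z' && Data[3] == 'Z';
}

/* The exact condition under which the original FuzzMe reads one byte past
 * the buffer: three bytes, "FUZ". That is what the minimised crash file
 * (crash-<sha1>) contains, and what a PoC should assert before claiming
 * a reproduction. */
bool TriggersOriginalBug(const uint8_t *Data, size_t DataSize)
{
    return DataSize == 3 && Data[0] == 'F' && Data[1] == 'U' && Data[2] == 'Z';
}

/* libFuzzer entry point; no extern "C" is needed in a C translation unit. */
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
{
    FuzzMeFixed(Data, Size);
    return 0;
}

/* Load a crash file into a heap buffer of exactly its size, so ASan sees any
 * over-read of the data just as libFuzzer would. Returns length or -1. */
long read_input(const char *path, uint8_t **out)
{
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    if (fseek(f, 0, SEEK_END) != 0) { fclose(f); return -1; }
    long len = ftell(f);
    if (len < 0) { fclose(f); return -1; }
    rewind(f);
    uint8_t *buf = malloc(len > 0 ? (size_t)len : 1);
    if (!buf) { fclose(f); return -1; }
    if (len > 0 && fread(buf, 1, (size_t)len, f) != (size_t)len) {
        free(buf); fclose(f); return -1;
    }
    fclose(f);
    *out = buf;
    return len;
}

/* Reproducer driver; hidden when libFuzzer (which has its own main) is linked. */
#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <crash-file>\n", argv[0]);
        return 2;
    }
    uint8_t *data;
    long len = read_input(argv[1], &data);
    if (len < 0) { perror(argv[1]); return 2; }
    printf("%s: %ld bytes, matches the original over-read condition: %s\n",
           argv[1], len, TriggersOriginalBug(data, (size_t)len) ? "yes" : "no");
    int rc = LLVMFuzzerTestOneInput(data, (size_t)len);
    free(data);
    return rc;
}
#endif
```

Replaying a crash file through the same LLVMFuzzerTestOneInput the fuzzer used, under the same sanitizer, is the cheapest form of PoC: if the fixed build no longer reports the over-read on crash-<sha1>, the fix is confirmed on the exact input that found it.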
mylamour commented Sep 10, 2018

DynamoRIO Tutorial

mylamour commented Sep 10, 2018

honggfuzz tutorial

mylamour commented Sep 12, 2018

WinAFL fuzzing VLC with DynamoRIO

afl-fuzz.exe -i C:\Users\i\Desktop\Fuzzing\db -o C:\Users\i\Desktop\Fuzzing\results -D C:\Users\i\Desktop\Fuzzing\DynamoRIO\bin64 -t 20000 -- -fuzz_iterations 5000 -target_module "D:\Program Files (x86)\VideoLAN\VLC\vlc.exe" -target_offset 0x532a0 -nargs 2 -m 1024 -- "D:\Program Files (x86)\VideoLAN\VLC\vlc.exe" @@

[screenshot]
[screenshot]

[screenshot]

mylamour commented Jul 22, 2019

QEMU with AFL

(This walkthrough is mainly on CentOS)

  • Install the QEMU dependencies
    ubuntu
sudo apt-get install -y git libglib2.0-dev libfdt-dev libpixman-1-dev zlib1g-dev git-email libaio-dev libbluetooth-dev libbrlapi-dev libbz2-dev libcap-dev libcap-ng-dev libcurl4-gnutls-dev libgtk-3-dev  libibverbs-dev libjpeg8-dev libncurses5-dev libnuma-dev librbd-dev librdmacm-dev libsasl2-dev libsdl1.2-dev libseccomp-dev libsnappy-dev libssh2-1-dev  libvde-dev libvdeplug-dev libxen-dev liblzo2-dev valgrind xfslibs-dev  libnfs-dev libiscsi-dev

centos

yum install git glib2-devel libfdt-devel pixman-devel zlib-devel  qemu-kvm libvirt libvirt-python libguestfs-tools virt-install
  • Clone and build TriforceAFL
git clone https://github.com/nccgroup/TriforceAFL
cd TriforceAFL
make

If the build fails, go into qemu_mode/, edit the script, then make again

./configure --target-list="aarch64-softmmu,microblazeel-softmmu" --enable-fdt --disable-kvm --disable-xen

[screenshot]
As it turned out, I got it working on CentOS.

  • Run a test
    Then run an experiment first; note that TriforceLinuxSyscallFuzzer and TriforceAFL must be in the same directory:
  1. Download the example project
git clone https://github.com/nccgroup/TriforceLinuxSyscallFuzzer
yum install glibc-static
cd TriforceLinuxSyscallFuzzer
make
  2. Build the kernel
    The steps are roughly:
  • download the source: wget https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.2.2.tar.xz
  • install dependencies (keep installing if others are still missing)

yum install ncurses-devel elfutils-libelf-devel
yum install -y ncurses-devel make gcc bc bison flex elfutils-libelf-devel openssl-devel grub2

  • build
tar -xf linux-5.2.2.tar.xz && cd linux-5.2.2
cp /boot/config-$(uname -r) .config  # with this you have to press Enter for a long time; make menuconfig is more convenient
make

Here I originally tried building with afl-gcc and afl-g++, but it did not work.
Change the install path: vim Makefile, at around line 919, change the directory to your own. Here it is ``

[screenshot]

Then run make install
and you can see the corresponding files in the directory.
Then check ls /proc/kallsyms. This file holds the symbol table of the kernel image and dynamically loaded modules. If the file is missing, enable it with sudo sh -c "echo 0 > /proc/sys/kernel/kptr_restrict".

Copy the corresponding files into your kern directory

cp /proc/kallsyms  .
cp arch/x86/boot/bzImage /home/ops/fuzz_learning/tools/kern

[screenshot]

The kernel is ready; now run it

make inputs
./runFuzz -M 10

[screenshot]

  3. OpenSSL
    Reference: https://github.com/openssl/openssl/tree/master/fuzz
yum install clang
git clone https://github.com/openssl/openssl
CC=afl-clang ./config enable-fuzz-afl no-shared -DPEDANTIC \
    enable-tls1_3 enable-weak-ssl-ciphers enable-rc5 enable-md2 \
    enable-ssl3 enable-ssl3-method enable-nextprotoneg \
    enable-ec_nistp_64_gcc_128 -fno-sanitize=alignment \
    --debug
make

[screenshot]


mylamour commented Jul 26, 2019

Note: kernel with afl-gcc

Edit the Makefile

HOSTCC = afl-gcc
HOSTCXX = afl-g++
CC = afl-gcc

The files under crypto and zstd apparently can't be built with afl? Edit crypto/Makefile and lib/zstd/Makefile

HOSTCC = gcc
HOSTCXX = g++
CC = gcc

Change the install path
[screenshot]

This is another screenshot

[screenshot]

mylamour commented Jul 30, 2019

[screenshot]

Note that on Windows the code needs to be modified
