Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
#Fuzzing#

Artical

brew install afl-fuzz

MacOS with AFL Fuzz

SL=/System/Library; PL=com.apple.ReportCrash
launchctl unload -w ${SL}/LaunchAgents/${PL}.plist
sudo launchctl unload -w ${SL}/LaunchDaemons/${PL}.Root.plist

repos and tools

Other

问题来了:

  • fuzzing原理是什么

先看下AFL的原理 http://lcamtuf.coredump.cx/afl/technical_details.txt

  • 怎么写fuzzing的代码?
  • 怎么根据fuzzing 后的结果写POC代码?
  • 怎么自动化fuzzing?
  • 怎么使用机器学习生成,并去攻击?
  • 怎么进行内核的fuzzing windows kernel, linux kernel osx kernel?

https://github.com/RUB-SysSec/kAFL https://github.com/nccgroup/TriforceAFL https://github.com/google/syzkaller

@mylamour

This comment has been minimized.

Copy link
Owner Author

@mylamour mylamour commented Aug 23, 2018

$ brew install afl-fuzz
$ git clone https://github.com/fuzzdb-project/fuzzdb
$ touch vuln.c

Mac下的OS fork非常慢,不要用Mac去装这个。这也就是最开始fuzzing一个示例的时候,在mac跑了很久没有结果,但是丢到Ubuntu上一会儿就好了
ubuntu下安装的话,默认是没有编译QEMU模式的,如需安装,需要ce qemu_mode && ./build_qemu_support.sh
可能已经安装了libtool但还是提示没有安装,需要安装libtool-bin采用sudo apt-get install libtool-bin安装即可。

afl-fuzzfuzzing一下afl-gcc
~/afl-2.52b/afl-fuzz -i ~/fuzzdb/attack/os-cmd-execution/ -o ./hehehehe -m 2048 -Q afl-gcc

image

输入以下代码

#include <stdio.h>
#include <string.h>

int main(void)
{
        char login[32];
        char passwd[32];

        printf("Login: \n");
        gets(login);
        printf("Password: \n");
        gets(passwd);

        if (strcmp(login, "root") == 0) {
                if (strcmp(passwd, "1qazxsw2") == 0) {
                        printf("Access Granted.\n");
                        return 0;
                }
        }

        printf("Access Denied.\n");
        return 1;
}
$ afl-clang -fno-stack-protector  vuln1.c -o vuln1
$ mkdir res
$ afl-fuzz -i ../../fuzzdb/attack -o ./res ./vuln1

image

@mylamour

This comment has been minimized.

Copy link
Owner Author

@mylamour mylamour commented Aug 23, 2018

tutorial zzuf

@mylamour

This comment has been minimized.

Copy link
Owner Author

@mylamour mylamour commented Aug 23, 2018

tutorial fuzz-test-suite

  1. openssl demo
    $ docker run --cap-add SYS_PTRACE -ti libfuzzertutorial/prebuilt
$ ./openssl-1.0.2d-fsanitize_fuzzer
# then you would get a new crash sample
$ ./openssl-1.0.2d-fsanitize_fuzzer ./crash-9e656109d00645c7048519a19c83363c4222719e

image

image

@mylamour

This comment has been minimized.

Copy link
Owner Author

@mylamour mylamour commented Aug 23, 2018

@mylamour

This comment has been minimized.

Copy link
Owner Author

@mylamour mylamour commented Aug 24, 2018

https://arxiv.org/pdf/1807.03932 fuzzing 智能合约

@mylamour

This comment has been minimized.

Copy link
Owner Author

@mylamour mylamour commented Aug 26, 2018

image
解决办法:
先看问题出在哪里:


LSAN_OPTIONS=verbosity=1:log_threads=1 ./fuzzing ./testcase

@mylamour

This comment has been minimized.

Copy link
Owner Author

@mylamour mylamour commented Aug 26, 2018

AFL fuzzing ssh In my ubuntu 16.04 lts

$ sudo apt-get install clang-3.8 build-essential llvm-3.8-dev gnuplot-nox
$ sudo update-alternatives --install /usr/bin/clang clang `which clang-3.8` 1
$ sudo update-alternatives --install /usr/bin/clang++ clang++ `which clang++-3.8` 1
$ sudo update-alternatives --install /usr/bin/llvm-config llvm-config `which llvm-config-3.8` 1
$ sudo update-alternatives --install /usr/bin/llvm-symbolizer llvm-symbolizer `which llvm-symbolizer-3.8` 1
wget http://lcamtuf.coredump.cx/afl/releases/afl-latest.tgz
tar -xf afl-latest.tgz
$ cd afl-2.52b 
$ make
$ make -C llvm_mode

编译qemu模式的话,需要去单独的到qemu_mode下面编译,对于没有源码的,利用QEMU翻译blockinstrumentation

$ git clone --depth 1 https://github.com/openssh/openssh-portable openssh
$ cd openssh
$ CC=~/afl-2.52b/afl-clang-fast AFL_HARDEN=1 make

修改代码: 该部分参考该链接

  1. 减少随机vim openbsd-compat/arc4random.c
    image

  2. 禁止mac vim mac.c
    image

  3. deferred forkserver mode”
    vim sshd.c
    image

编译:

$ ~/afl-2.52b/afl-fuzz -i ~/fuzzdb/attack -o ./res -M 0 ./sshd -d -e -p 2100 -r -f /etc/config/sshd_config -i

Q:

  • 编译时还会报一个错,去makefile里找到那行,然后删除掉这个选项就行了

  • [-] PROGRAM ABORT : Pipe at the beginning of 'core_pattern'
    Location : check_crash_handling(), afl-fuzz.c:7275
    image

echo core >/proc/sys/kernel/core_pattern

References

@mylamour

This comment has been minimized.

Copy link
Owner Author

@mylamour mylamour commented Aug 28, 2018

fuzzing python

https://tomforb.es/segfaulting-python-with-afl-fuzz

clong -> configure -> afl make -> write testcase -> run it

CC=afl-gcc ./configure && make

然后写testcase 即可, 进行fuzzing

afl-fuzz -i cpython/testcases -o fuzz cpython/python @@

image

怎么用机器学习生成好的fuzzing 样本

@mylamour

This comment has been minimized.

Copy link
Owner Author

@mylamour mylamour commented Aug 29, 2018

ToDo

  • gn用法
  • ninja 用法

Chromium fuzzing tutorial

ubuntu16.04:

git clone https://chromium.googlesource.com/chromium/tools/depot_tools.git
export PATH="$PATH:/path/to/depot_tools"             #使用绝对路径
mkdir ~/chromium && cd ~/chromium
fetch --nohooks chromium                           # 大概下载10G左右
cd src 
./build/install-build-deps.sh                     # 安装依赖
gclient runhooks                            # 运行  Chromium-specifices
# 准备构建
gn gen out/Default                   # 生成ninja文件准备构建

#mount -t tmpfs -o size=20G,nr_inodes=40k,mode=1777 tmpfs /root/chromium/src/out  
# 20G小了,编译没有够用,空间不够重新开大点。

# 构建
autoninja -C out/Default chrome  

image
image

8核8G的机器,前面的基本上一秒编译一个,看来可能要9个小时后才能编译完。运气好的话

image
编译结束,大小也变成了49G

image

构建libfuzzer

 $ gn gen out/libfuzzer '--args=use_libfuzzer=true is_asan=true is_ubsan_security=true is_debug=false enable_nacl=false' --check
 $ ninja -C out/libfuzzer v8_json_parser_fuzzer

image

$ ./out/libfuzzer/v8_json_parser_fuzzer ~/chromium/testcases/json_parser_corpus/ --dict=json.dict -jobs=6 -workers=6

image

  • 采用AFL-fuzzQEMU进行fuzzing

~/afl-2.52b/afl-fuzz -i ~/fuzzdb/attack/all-attacks -o ./hehehehe -m 1024 -Q ./chrome --no-sandbox
image

为毛,内心崩溃。不科学 -t 100也不行

image

References

@mylamour

This comment has been minimized.

Copy link
Owner Author

@mylamour mylamour commented Sep 3, 2018

Fuzzing智能合约: https://github.com/trailofbits/echidna , 暂时不是很了解。接着看看

$ git clone https://github.com/trailofbits/echidna
$ docker build -t echidna .
$ docker run --rm -it echidna bash
$ echidna-test solidity/cli.sol

image

@mylamour

This comment has been minimized.

Copy link
Owner Author

@mylamour mylamour commented Sep 3, 2018

mutators

radamsa tutorial

radamsa用于生成随机的fuzz向量

  1. 克隆代码并编译
    git clone https://gitlab.com/akihe/radamsa.git && cd radamsa && make && sudo make install

image

  1. 使用:echo 随便什么 | radamsa 生成攻击载荷

image

image

  1. 其他用法
  • 生成多个testcase
    echo "岁月神偷"| radamsa -d 2 -n 10
    生成10个,每2毫秒一次,可以调整一下。比如说-d 600 ,随意喽。

image

  • 针对文件生成testcase
    radamsa -r guest.jpg -o ./1.png

以上为对原图的改变
针对文件的缩放和同一行排版在markdown中可以使用如下的操作。

<img  align="right" src="https://xxx.png" width="200" height="200" />

NI

https://github.com/aoh/ni

引用

@mylamour

This comment has been minimized.

Copy link
Owner Author

@mylamour mylamour commented Sep 10, 2018

pdf fuzzzing

  • mutool
@mylamour

This comment has been minimized.

Copy link
Owner Author

@mylamour mylamour commented Sep 10, 2018

libfuzzer tutorial

image

fuzz_me.c

#include <stdint.h>
#include <stddef.h>

bool FuzzMe(const uint8_t *Data, size_t DataSize) {
  return DataSize >= 3 &&
      Data[0] == 'F' &&
      Data[1] == 'U' &&
      Data[2] == 'Z' &&
      Data[3] == 'Z';  // :‑<
}

extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
  FuzzMe(Data, Size);
  return 0;
}
@mylamour

This comment has been minimized.

Copy link
Owner Author

@mylamour mylamour commented Sep 10, 2018

DynamoRIO Tutorial

@mylamour

This comment has been minimized.

@mylamour

This comment has been minimized.

Copy link
Owner Author

@mylamour mylamour commented Sep 10, 2018

honggfuzz tutorial

@mylamour

This comment has been minimized.

Copy link
Owner Author

@mylamour mylamour commented Sep 12, 2018

@mylamour

This comment has been minimized.

Copy link
Owner Author

@mylamour mylamour commented Sep 12, 2018

WinAFL fuzzing VLC with DynamoIRO

afl-fuzz.exe -i C:\Users\i\Desktop\Fuzzing\db -o C:\Users\i\Desktop\Fuzzing\results -D C:\Users\i\Desktop\Fuzzing\DynamoRIO\bin64 -t 20000 -- -fuzz_iterations 5000 -target_module "D:\Program Files (x86)\VideoLAN\VLC\vlc.exe" -target_offset 0x532a0 -nargs 2 -m 1024 -- "D:\Program Files (x86)\VideoLAN\VLC\vlc.exe" @@

image
image

image

@mylamour

This comment has been minimized.

Copy link
Owner Author

@mylamour mylamour commented Jul 22, 2019

QEMU With AFL

(本教程主要以cnetos为主)

  • 安装QEMU依赖
    ubuntu
sudo apt-get install -y git libglib2.0-dev libfdt-dev libpixman-1-dev zlib1g-dev git-email libaio-dev libbluetooth-dev libbrlapi-dev libbz2-dev libcap-dev libcap-ng-dev libcurl4-gnutls-dev libgtk-3-dev  libibverbs-dev libjpeg8-dev libncurses5-dev libnuma-dev librbd-dev librdmacm-dev libsasl2-dev libsdl1.2-dev libseccomp-dev libsnappy-dev libssh2-1-dev  libvde-dev libvdeplug-dev libxen-dev liblzo2-dev valgrind xfslibs-dev  libnfs-dev libiscsi-dev

centos

yum install git glib2-devel libfdt-devel pixman-devel zlib-devel  qemu-kvm libvirt libvirt-python libguestfs-tools virt-install
  • clone并编译TriforceAFL
git clone https://github.com/nccgroup/TriforceAFL
cd TriforceAFL
make

如果编译不通过,进入qemu_mode/修改脚本,然后重新make

./configure --target-list="aarch64-softmmu,microblazeel-softmmu" --enable-fdt --disable-kvm --disable-xen 

image
事实证明还是在Centos上搞定了。

  • 跑个测试
    然后跑个实验先,注意TriforceLinuxSyscallFuzzer和TriforceAFL在同一目录:
  1. 下载示例项目
git clone https://github.com/nccgroup/TriforceLinuxSyscallFuzzer
yum install glibc-static
cd TriforceLinuxSyscallFuzzer
make
  1. 编译内核
    步骤基本如下:
  • 下载代码 wget https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.2.2.tar.xz
  • 安装依赖(如果还缺少其他依赖的话继续安装)

yum install ncurses-devel elfutils-libelf-devel
yum install -y ncurses-devel make gcc bc bison flex elfutils-libelf-devel openssl-devel grub2

  • 编译
tar -xf linux-5.2.2.tar.xz && cd linux-5.2.2
cp /boot/config-$(uname -r) .config  # 使用这个你需要一路回车很久,不如用make menuconfig吧,更方便
make

此处本来尝试了采用afl-gcc和afl-g++去编译,但是没有成功。
更改install的路径vim Makefile在大概919行的位置,更改目录为自己的。此处为``

image

然后运行make install
就可以看到对应的文件已经在目录下了
然后查看ls /proc/kallsyms 。这个文件包含了kernel image和动态加载模块的符号表。 如果没有该文件,可以通过sudo sh -c "echo 0 > /proc/sys/kernel/kptr_restrict"进行开启。

把对应的文件拷贝到你的kern目录下

cp /proc/kallsyms  .
cp arch/x86/boot/bzImage /home/ops/fuzz_learning/tools/kern

image

内核编译就绪,接下来开始运行

make inputs
./runFuzz -M 10

image

  1. OpenSSL
    参考: https://github.com/openssl/openssl/tree/master/fuzz
yum install clang
git clone https://github.com/openssl/openssl
CC=afl-clang ./config enable-fuzz-afl no-shared -DPEDANTIC \
    enable-tls1_3 enable-weak-ssl-ciphers enable-rc5 enable-md2 \
    enable-ssl3 enable-ssl3-method enable-nextprotoneg \
    enable-ec_nistp_64_gcc_128 -fno-sanitize=alignment \
    --debug
make

image

参考资料

@mylamour

This comment has been minimized.

Copy link
Owner Author

@mylamour mylamour commented Jul 26, 2019

Note: Kernel with afl-gcc

编辑Makefile

HOSTCC = afl-gcc
HOSTCXX = afl-g++
CC = afl-gcc

crypto以及zstd下面的文件似乎不能用afl编译? 编辑crypto/Makefile lib/zstd/Makefile

HOSTCC = gcc
HOSTCXX = g++
CC = gcc

修改install path
image

这个是另外一个图

image

@mylamour

This comment has been minimized.

Copy link
Owner Author

@mylamour mylamour commented Jul 30, 2019

image

需要注意windows下需要修改代码

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment