
@mylamour mylamour/start_fuzzing.md
Last active Jan 29, 2019

# Fuzzing

Article

brew install afl-fuzz

macOS with AFL Fuzz

SL=/System/Library; PL=com.apple.ReportCrash
launchctl unload -w ${SL}/LaunchAgents/${PL}.plist
sudo launchctl unload -w ${SL}/LaunchDaemons/${PL}.Root.plist

repos and tools

Other

Questions:

  • What is the principle behind fuzzing?

Let's first look at how AFL works: http://lcamtuf.coredump.cx/afl/technical_details.txt

  • How do you write fuzzing code?
  • How do you write PoC code from the fuzzing results?
  • How do you automate fuzzing?
  • How do you use machine learning to generate inputs and attack with them?
  • How do you fuzz kernels: the Windows kernel, Linux kernel, OS X kernel?

https://github.com/google/syzkaller


mylamour commented Aug 23, 2018

$ brew install afl-fuzz
$ git clone https://github.com/fuzzdb-project/fuzzdb
$ touch vuln.c

OS fork on the Mac is very slow, so don't install this on a Mac. That's why, when I first ran the fuzzing example, it ran on the Mac for a long time with no result, but finished quickly once moved to Ubuntu.
When installing on Ubuntu, QEMU mode is not built by default; to build it, run cd qemu_mode && ./build_qemu_support.sh
libtool may already be installed but it still reports it isn't; you need libtool-bin, installed with sudo apt-get install libtool-bin.

Fuzz afl-gcc with afl-fuzz for a moment
~/afl-2.52b/afl-fuzz -i ~/fuzzdb/attack/os-cmd-execution/ -o ./hehehehe -m 2048 -Q afl-gcc


Enter the following code

#include <stdio.h>
#include <string.h>

int main(void)
{
        char login[32];
        char passwd[32];

        printf("Login: \n");
        gets(login);            /* unbounded read into a 32-byte buffer: the overflow the fuzzer is meant to find */
        printf("Password: \n");
        gets(passwd);           /* same again */

        if (strcmp(login, "root") == 0) {
                if (strcmp(passwd, "1qazxsw2") == 0) {
                        printf("Access Granted.\n");
                        return 0;
                }
        }

        printf("Access Denied.\n");
        return 1;
}
$ afl-clang -fno-stack-protector  vuln1.c -o vuln1
$ mkdir res
$ afl-fuzz -i ../../fuzzdb/attack -o ./res ./vuln1



mylamour commented Aug 23, 2018

tutorial zzuf


mylamour commented Aug 23, 2018

tutorial fuzz-test-suite

  1. openssl demo

$ docker run --cap-add SYS_PTRACE -ti libfuzzertutorial/prebuilt
$ ./openssl-1.0.2d-fsanitize_fuzzer
# then you would get a new crash sample
$ ./openssl-1.0.2d-fsanitize_fuzzer ./crash-9e656109d00645c7048519a19c83363c4222719e


mylamour commented Aug 23, 2018

mylamour commented Aug 24, 2018

https://arxiv.org/pdf/1807.03932 fuzzing smart contracts


mylamour commented Aug 26, 2018

Solution:
First find where the problem is:


LSAN_OPTIONS=verbosity=1:log_threads=1 ./fuzzing ./testcase


mylamour commented Aug 26, 2018

AFL fuzzing ssh on my Ubuntu 16.04 LTS

$ sudo apt-get install clang-3.8 build-essential llvm-3.8-dev gnuplot-nox
$ sudo update-alternatives --install /usr/bin/clang clang `which clang-3.8` 1
$ sudo update-alternatives --install /usr/bin/clang++ clang++ `which clang++-3.8` 1
$ sudo update-alternatives --install /usr/bin/llvm-config llvm-config `which llvm-config-3.8` 1
$ sudo update-alternatives --install /usr/bin/llvm-symbolizer llvm-symbolizer `which llvm-symbolizer-3.8` 1
wget http://lcamtuf.coredump.cx/afl/releases/afl-latest.tgz
tar -xf afl-latest.tgz
$ cd afl-2.52b 
$ make
$ make -C llvm_mode

To build QEMU mode you have to build it separately under qemu_mode; for targets without source code, QEMU translation is used for block instrumentation.

$ git clone --depth 1 https://github.com/openssh/openssh-portable openssh
$ cd openssh
$ CC=~/afl-2.52b/afl-clang-fast AFL_HARDEN=1 make

Modify the code: this part follows this link

  1. Reduce randomness: vim openbsd-compat/arc4random.c

  2. Disable MAC: vim mac.c

  3. "deferred forkserver mode": vim sshd.c

Compile:

$ ~/afl-2.52b/afl-fuzz -i ~/fuzzdb/attack -o ./res -M 0 ./sshd -d -e -p 2100 -r -f /etc/config/sshd_config -i

Q:

  • There is one more error at compile time; find that line in the Makefile and delete that option.

  • [-] PROGRAM ABORT : Pipe at the beginning of 'core_pattern'
    Location : check_crash_handling(), afl-fuzz.c:7275

echo core >/proc/sys/kernel/core_pattern

References


mylamour commented Aug 28, 2018

fuzzing python

https://tomforb.es/segfaulting-python-with-afl-fuzz

clone -> configure -> afl make -> write testcase -> run it

CC=afl-gcc ./configure && make

Then write test cases and start fuzzing

afl-fuzz -i cpython/testcases -o fuzz cpython/python @@


How to use machine learning to generate good fuzzing samples


mylamour commented Aug 29, 2018

ToDo

  • gn usage
  • ninja usage

Chromium fuzzing tutorial

Ubuntu 16.04:

git clone https://chromium.googlesource.com/chromium/tools/depot_tools.git
export PATH="$PATH:/path/to/depot_tools"             # use an absolute path
mkdir ~/chromium && cd ~/chromium
fetch --nohooks chromium                           # downloads roughly 10 GB
cd src 
./build/install-build-deps.sh                     # install dependencies
gclient runhooks                            # run the Chromium-specific hooks
# prepare the build
gn gen out/Default                   # generate the ninja files for the build

#mount -t tmpfs -o size=20G,nr_inodes=40k,mode=1777 tmpfs /root/chromium/src/out  
# 20G was too small, not enough for the build; ran out of space, so redo it larger.

# build
autoninja -C out/Default chrome  


On an 8-core, 8 GB machine the early part compiles about one item per second; looks like it may take 9 hours to finish. If I'm lucky.

Build finished, and the size has grown to 49G


Build libfuzzer

 $ gn gen out/libfuzzer '--args=use_libfuzzer=true is_asan=true is_ubsan_security=true is_debug=false enable_nacl=false' --check
 $ ninja -C out/libfuzzer v8_json_parser_fuzzer


$ ./out/libfuzzer/v8_json_parser_fuzzer ~/chromium/testcases/json_parser_corpus/ --dict=json.dict -jobs=6 -workers=6


  • Fuzzing with AFL-fuzz in QEMU mode

~/afl-2.52b/afl-fuzz -i ~/fuzzdb/attack/all-attacks -o ./hehehehe -m 1024 -Q ./chrome --no-sandbox

Why?! I'm crushed. Makes no sense; -t 100 doesn't work either


References


mylamour commented Sep 3, 2018

Fuzzing smart contracts: https://github.com/trailofbits/echidna , don't understand it well yet. Will keep looking.

$ git clone https://github.com/trailofbits/echidna
$ docker build -t echidna .
$ docker run --rm -it echidna bash
$ echidna-test solidity/cli.sol



mylamour commented Sep 3, 2018

mutators

radamsa tutorial

radamsa is used to generate random fuzz vectors

  1. Clone the code and build
    git clone https://gitlab.com/akihe/radamsa.git && cd radamsa && make && sudo make install


  2. Usage: echo whatever | radamsa generates attack payloads


  3. Other usage
  • Generate multiple test cases
    echo "岁月神偷"| radamsa -d 2 -n 10
    Generates 10 of them, one every 2 milliseconds; adjustable, e.g. -d 600, whatever you like.


  • Generate test cases from a file
    radamsa -r guest.jpg -o ./1.png

The above is the mutation of the original image.
To scale an image and lay it out on the same line in markdown, you can do the following.

<img  align="right" src="https://xxx.png" width="200" height="200" />

NI

https://github.com/aoh/ni

References
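As an added illustration of what radamsa does when it "generates fuzz vectors", here is a small seeded byte mutator written for this note; it is not radamsa's code, and the four mutation kinds, the function names and the xorshift generator are this example's own choices. mutate_one applies one exact, reproducible mutation (so a crashing case can be regenerated from its seed), and mutate_random picks one at random the way each radamsa output line does.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

enum mut { MUT_BITFLIP, MUT_DELETE, MUT_INSERT, MUT_REPEAT, MUT_COUNT };

/* xorshift32 PRNG: deterministic, so a case that crashed the target can be
 * regenerated from its seed alone (radamsa offers the same via its seed option). */
static uint32_t rnd(uint32_t *s) { *s ^= *s << 13; *s ^= *s >> 17; *s ^= *s << 5; return *s; }

/* Apply one mutation at byte pos (taken modulo len) and write the result to
 * out. Returns the new length, which never exceeds cap. arg selects the bit,
 * the inserted byte value, or the repeat count, depending on kind. */
size_t mutate_one(enum mut kind, const uint8_t *in, size_t len,
                  uint8_t *out, size_t cap, size_t pos, uint32_t arg) {
    if (len == 0 || len > cap) return 0;       /* nothing sensible to mutate */
    pos %= len;
    memcpy(out, in, len);
    switch (kind) {
    case MUT_BITFLIP:                          /* flip one bit of one byte */
        out[pos] ^= (uint8_t)(1u << (arg & 7));
        return len;
    case MUT_DELETE:                           /* drop the byte at pos */
        memmove(out + pos, in + pos + 1, len - pos - 1);
        return len - 1;
    case MUT_INSERT:                           /* insert byte arg before pos */
        if (len + 1 > cap) return len;
        memmove(out + pos + 1, in + pos, len - pos);
        out[pos] = (uint8_t)arg;
        return len + 1;
    case MUT_REPEAT: {                         /* duplicate in[pos] n extra times */
        size_t n = 1 + arg % 8;
        if (len + n > cap) n = cap - len;
        memmove(out + pos + n, in + pos, len - pos);
        memset(out + pos, in[pos], n);
        return len + n;
    }
    default:
        return len;
    }
}

/* One random mutation of in: the equivalent of a single radamsa output. */
size_t mutate_random(const uint8_t *in, size_t len, uint8_t *out, size_t cap, uint32_t seed) {
    uint32_t s = seed ? seed : 0x9e3779b9u;    /* xorshift must not start at 0 */
    enum mut kind = (enum mut)(rnd(&s) % MUT_COUNT);
    size_t pos = rnd(&s);
    uint32_t arg = rnd(&s);
    return mutate_one(kind, in, len, out, cap, pos, arg);
}
```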


mylamour commented Sep 10, 2018

pdf fuzzing

  • mutool

mylamour commented Sep 10, 2018

libfuzzer tutorial


fuzz_me.c

#include <stdint.h>
#include <stddef.h>

// Note: `bool` and `extern "C"` make this C++, so build it with clang++
// (e.g. clang++ -fsanitize=fuzzer,address fuzz_me.cc), as the libFuzzer tutorial does.
// The target is deliberately buggy: the check accepts DataSize == 3 and then
// reads Data[3], one byte past the input. Finding that read with ASan is the exercise.
bool FuzzMe(const uint8_t *Data, size_t DataSize) {
  return DataSize >= 3 &&
      Data[0] == 'F' &&
      Data[1] == 'U' &&
      Data[2] == 'Z' &&
      Data[3] == 'Z';  // :‑<
}

// libFuzzer entry point, called once per generated input.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
  FuzzMe(Data, Size);
  return 0;
}
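The question in the gist ("how do you write fuzzing code?"), the vuln.c program fuzzed with AFL, the deferred-forkserver change to sshd, and the libFuzzer FuzzMe target above all come down to the same shape: one entry point that takes a byte buffer. As an added example (not code from the gist or from the libFuzzer tutorial), the login check from vuln.c is written as such a target, with gets() replaced by bounded parsing so the harness itself cannot overflow; parse_credentials, check_login, FIELD_MAX and the AFL_STANDALONE macro are this example's own names, while LLVMFuzzerTestOneInput, __AFL_INIT and __AFL_LOOP are the real libFuzzer and afl-clang-fast interfaces.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <unistd.h>
#define FIELD_MAX 32   /* same size as the login/passwd arrays in vuln.c */
/* Split "login\npasswd[\n]" into two NUL-terminated fields, refusing anything
 * that would not fit: this replaces the unbounded gets() calls of vuln.c. */
int parse_credentials(const uint8_t *data, size_t size,
                      char login[FIELD_MAX], char passwd[FIELD_MAX]) {
    const uint8_t *nl = memchr(data, '\n', size);
    if (!nl) return 0;
    size_t llen = (size_t)(nl - data);
    const uint8_t *p = nl + 1;
    size_t plen = size - llen - 1;
    const uint8_t *pnl = memchr(p, '\n', plen);
    if (pnl) plen = (size_t)(pnl - p);
    if (llen >= FIELD_MAX || plen >= FIELD_MAX) return 0;  /* gets() would overflow here */
    memcpy(login, data, llen); login[llen] = '\0';
    memcpy(passwd, p, plen);   passwd[plen] = '\0';
    return 1;
}
/* The decision logic of vuln.c, unchanged: 0 = access granted, 1 = denied. */
int check_login(const char *login, const char *passwd) {
    return (strcmp(login, "root") == 0 && strcmp(passwd, "1qazxsw2") == 0) ? 0 : 1;
}
/* libFuzzer entry point: clang -fsanitize=fuzzer,address harness.c */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    char login[FIELD_MAX], passwd[FIELD_MAX];
    if (parse_credentials(data, size, login, passwd))
        check_login(login, passwd);
    return 0;
}
/* AFL build: afl-clang-fast -DAFL_STANDALONE harness.c -o harness. With
 * afl-clang-fast the macros below enable the deferred forkserver (fork after
 * one-time setup) and persistent mode; with afl-gcc the body runs once. */
#ifdef AFL_STANDALONE
int main(void) {
    static uint8_t buf[4096];
#ifdef __AFL_HAVE_MANUAL_CONTROL
    __AFL_INIT();                  /* forkserver starts here, not at exec */
    while (__AFL_LOOP(1000))       /* up to 1000 inputs per process */
#endif
    {
        ssize_t n = read(0, buf, sizeof buf);   /* one input from stdin */
        if (n > 0) LLVMFuzzerTestOneInput(buf, (size_t)n);
    }
    return 0;
}
#endif
```

The same binary is driven by afl-fuzz through stdin (as with ./vuln1 in the comment above) or by libFuzzer, and a saved crash file can be replayed by feeding it on stdin.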

mylamour commented Sep 10, 2018

DynamoRIO Tutorial

mylamour commented Sep 10, 2018

honggfuzz tutorial


mylamour commented Sep 12, 2018


mylamour commented Sep 12, 2018

WinAFL fuzzing VLC with DynamoRIO

afl-fuzz.exe -i C:\Users\i\Desktop\Fuzzing\db -o C:\Users\i\Desktop\Fuzzing\results -D C:\Users\i\Desktop\Fuzzing\DynamoRIO\bin64 -t 20000 -- -fuzz_iterations 5000 -target_module "D:\Program Files (x86)\VideoLAN\VLC\vlc.exe" -target_offset 0x532a0 -nargs 2 -m 1024 -- "D:\Program Files (x86)\VideoLAN\VLC\vlc.exe" @@

