#Fuzzing#

start_fuzzing.md

Artical

• https://medium.com/@coolx28/security-oriented-open-source-continuous-fuzzing-101-from-start-to-finish-637eaceb9acb
• https://foxglovesecurity.com/2016/03/15/fuzzing-workflows-a-fuzz-job-from-start-to-finish/
• https://research.aurainfosec.io/hunting-for-bugs-101/
• https://labsblog.f-secure.com/2017/06/22/super-awesome-fuzzing-part-one/
• https://thecyberrecce.net/2017/03/20/software-exploit-development-fuzzing-with-afl/
• https://www.sec-consult.com/wp-content/uploads/files/vulnlab/the_art_of_fuzzing_slides.pdf
• https://hackernoon.com/afl-unicorn-fuzzing-arbitrary-binary-code-563ca28936bf

brew install afl-fuzz

MacOS with AFL Fuzz

SL=/System/Library; PL=com.apple.ReportCrash
launchctl unload -w ${SL}/LaunchAgents/${PL}.plist
sudo launchctl unload -w ${SL}/LaunchDaemons/${PL}.Root.plist

• fuzzing python https://tomforb.es/segfaulting-python-with-afl-fuzz

repos and tools

• https://www.owasp.org/index.php/Fuzzing OWASP Fuzzing

• https://github.com/secfigo/Awesome-Fuzzing

• https://github.com/trailofbits/echidna ETH fuzzing tools

• https://fuzzing.info/papers/

• https://www.youtube.com/playlist?list=PLtPrYlwXDImiO_hzK7npBi4eKQQBgygLD 视频播放列表，关于fuzzing

• https://github.com/fuzzdb-project/fuzzdb fuzz的db

• http://llvm.org/docs/LibFuzzer.html

• fuzzer-test-suite: https://github.com/google/fuzzer-test-suite 学着玩玩

• AFL: http://lcamtuf.coredump.cx/afl/ (https://lcamtuf.coredump.cx/afl/releases/afl-latest.tgz)

• AFL python interface : https://github.com/shellphish/fuzzer

• AFL Unicorn: https://github.com/Battelle/afl-unicorn

• AFL training: https://github.com/ThalesIgnite/afl-training

• AFL go version: https://github.com/dvyukov/go-fuzz

• AFL rust version: https://github.com/rust-fuzz/afl.rs

• AFL python version: http://jwilk.net/software/python-afl

• WAFL

• Morph

• Os-fuzz

• zzuf 使用过了

• honggfuzz

• OSXFuzz

• sCFF分布式。py2.7 + AWS https://github.com/softscheck/sCFF

Other

• fuzzing初尝试 ，跟着 https://github.com/google/fuzzer-test-suite 的教程
• heartbleed 也是通过fuzzing发现的。厉害了卧槽。
• 微软研究院Seurity Risk Detection中关于fuzzing with machine learning , 但是这个视频只是使用。https://docs.microsoft.com/en-us/security-risk-detection/how-to/

问题来了：

• fuzzing原理是什么

先看下AFL的原理 http://lcamtuf.coredump.cx/afl/technical_details.txt

• 怎么写fuzzing的代码?
• 怎么根据fuzzing 后的结果写POC代码?
• 怎么自动化fuzzing?
• 怎么使用机器学习生成，并去攻击?
• 怎么进行内核的fuzzing windows kernel, linux kernel osx kernel?

https://github.com/RUB-SysSec/kAFL https://github.com/nccgroup/TriforceAFL https://github.com/google/syzkaller

tutorial fuzz-test-suite

1. openssl demo
   $ docker run --cap-add SYS_PTRACE -ti libfuzzertutorial/prebuilt

$ ./openssl-1.0.2d-fsanitize_fuzzer
# then you would get a new crash sample
$ ./openssl-1.0.2d-fsanitize_fuzzer ./crash-9e656109d00645c7048519a19c83363c4222719e

• openssl fuzzing ssh： http://www.vegardno.net/2017/03/fuzzing-openssh-daemon-using-afl.html

https://arxiv.org/pdf/1807.03932 fuzzing 智能合约

解决办法:
先看问题出在哪里：

LSAN_OPTIONS=verbosity=1:log_threads=1 ./fuzzing ./testcase

AFL fuzzing ssh In my ubuntu 16.04 lts

$ sudo apt-get install clang-3.8 build-essential llvm-3.8-dev gnuplot-nox
$ sudo update-alternatives --install /usr/bin/clang clang `which clang-3.8` 1
$ sudo update-alternatives --install /usr/bin/clang++ clang++ `which clang++-3.8` 1
$ sudo update-alternatives --install /usr/bin/llvm-config llvm-config `which llvm-config-3.8` 1
$ sudo update-alternatives --install /usr/bin/llvm-symbolizer llvm-symbolizer `which llvm-symbolizer-3.8` 1

wget http://lcamtuf.coredump.cx/afl/releases/afl-latest.tgz
tar -xf afl-latest.tgz

$ cd afl-2.52b 
$ make
$ make -C llvm_mode

编译qemu模式的话，需要去单独的到qemu_mode下面编译，对于没有源码的，利用QEMU翻译block做instrumentation

$ git clone --depth 1 https://github.com/openssh/openssh-portable openssh
$ cd openssh
$ CC=~/afl-2.52b/afl-clang-fast AFL_HARDEN=1 make

修改代码: 该部分参考该链接

1. 减少随机vim openbsd-compat/arc4random.c
   

2. 禁止mac vim mac.c
   

3. deferred forkserver mode”
   vim sshd.c
   

编译:

$ ~/afl-2.52b/afl-fuzz -i ~/fuzzdb/attack -o ./res -M 0 ./sshd -d -e -p 2100 -r -f /etc/config/sshd_config -i

Q:

• 编译时还会报一个错，去makefile里找到那行，然后删除掉这个选项就行了

• [-] PROGRAM ABORT : Pipe at the beginning of 'core_pattern'
  Location : check_crash_handling(), afl-fuzz.c:7275
  

echo core >/proc/sys/kernel/core_pattern

References

• fuzzing openssh daemon using afl

fuzzing python

https://tomforb.es/segfaulting-python-with-afl-fuzz

clong -> configure -> afl make -> write testcase -> run it

CC=afl-gcc ./configure && make

然后写testcase 即可， 进行fuzzing

afl-fuzz -i cpython/testcases -o fuzz cpython/python @@

怎么用机器学习生成好的fuzzing 样本

ToDo

• gn用法
• ninja 用法

Chromium fuzzing tutorial

ubuntu16.04:

git clone https://chromium.googlesource.com/chromium/tools/depot_tools.git
export PATH="$PATH:/path/to/depot_tools"             #使用绝对路径
mkdir ~/chromium && cd ~/chromium
fetch --nohooks chromium                           # 大概下载10G左右
cd src 
./build/install-build-deps.sh                     # 安装依赖
gclient runhooks                            # 运行  Chromium-specifices
# 准备构建
gn gen out/Default                   # 生成ninja文件准备构建

#mount -t tmpfs -o size=20G,nr_inodes=40k,mode=1777 tmpfs /root/chromium/src/out  
# 20G小了，编译没有够用，空间不够重新开大点。

# 构建
autoninja -C out/Default chrome  

8核8G的机器，前面的基本上一秒编译一个，看来可能要9个小时后才能编译完。运气好的话

编译结束,大小也变成了49G

构建libfuzzer

 $ gn gen out/libfuzzer '--args=use_libfuzzer=true is_asan=true is_ubsan_security=true is_debug=false enable_nacl=false' --check
 $ ninja -C out/libfuzzer v8_json_parser_fuzzer

$ ./out/libfuzzer/v8_json_parser_fuzzer ~/chromium/testcases/json_parser_corpus/ --dict=json.dict -jobs=6 -workers=6

• 采用AFL-fuzz 的QEMU进行fuzzing

~/afl-2.52b/afl-fuzz -i ~/fuzzdb/attack/all-attacks -o ./hehehehe -m 1024 -Q ./chrome --no-sandbox

为毛，内心崩溃。不科学 -t 100也不行

References

• 安装步骤
• chromium fuzzing 教程
• v8 testcases

Fuzzing智能合约： https://github.com/trailofbits/echidna ， 暂时不是很了解。接着看看

$ git clone https://github.com/trailofbits/echidna
$ docker build -t echidna .
$ docker run --rm -it echidna bash
$ echidna-test solidity/cli.sol

mutators

radamsa tutorial

radamsa用于生成随机的fuzz向量

1. 克隆代码并编译
   git clone https://gitlab.com/akihe/radamsa.git && cd radamsa && make && sudo make install

2. 使用：echo 随便什么 | radamsa 生成攻击载荷

3. 其他用法

• 生成多个testcase
  echo "岁月神偷"| radamsa -d 2 -n 10
  生成10个，每2毫秒一次，可以调整一下。比如说-d 600 ，随意喽。

• 针对文件生成testcase
  radamsa -r guest.jpg -o ./1.png

以上为对原图的改变
针对文件的缩放和同一行排版在markdown中可以使用如下的操作。

<img  align="right" src="https://xxx.png" width="200" height="200" />

NI

https://github.com/aoh/ni

引用

• Radamsa的常规用法

pdf fuzzzing

• mutool

libfuzzer tutorial

fuzz_me.c

#include <stdint.h>
#include <stddef.h>

bool FuzzMe(const uint8_t *Data, size_t DataSize) {
  return DataSize >= 3 &&
      Data[0] == 'F' &&
      Data[1] == 'U' &&
      Data[2] == 'Z' &&
      Data[3] == 'Z';  // :‑<
}

extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
  FuzzMe(Data, Size);
  return 0;
}

DynamoRIO Tutorial

https://www.sec-consult.com/en/blog/2017/09/hack-the-hacker-fuzzing-mimikatz-on-windows-with-winafl-heatmaps-0day/index.html

WinAFL Fuzzing Minikatz

honggfuzz tutorial

其他基础

• 动态二进制修改入门
• 初探Windows Fuzzing神器—-Winafl

WinAFL fuzzing VLC with DynamoIRO

afl-fuzz.exe -i C:\Users\i\Desktop\Fuzzing\db -o C:\Users\i\Desktop\Fuzzing\results -D C:\Users\i\Desktop\Fuzzing\DynamoRIO\bin64 -t 20000 -- -fuzz_iterations 5000 -target_module "D:\Program Files (x86)\VideoLAN\VLC\vlc.exe" -target_offset 0x532a0 -nargs 2 -m 1024 -- "D:\Program Files (x86)\VideoLAN\VLC\vlc.exe" @@

QEMU With AFL

(本教程主要以cnetos为主)

• 安装QEMU依赖
  ubuntu

sudo apt-get install -y git libglib2.0-dev libfdt-dev libpixman-1-dev zlib1g-dev git-email libaio-dev libbluetooth-dev libbrlapi-dev libbz2-dev libcap-dev libcap-ng-dev libcurl4-gnutls-dev libgtk-3-dev  libibverbs-dev libjpeg8-dev libncurses5-dev libnuma-dev librbd-dev librdmacm-dev libsasl2-dev libsdl1.2-dev libseccomp-dev libsnappy-dev libssh2-1-dev  libvde-dev libvdeplug-dev libxen-dev liblzo2-dev valgrind xfslibs-dev  libnfs-dev libiscsi-dev

centos

yum install git glib2-devel libfdt-devel pixman-devel zlib-devel  qemu-kvm libvirt libvirt-python libguestfs-tools virt-install

• clone并编译TriforceAFL

git clone https://github.com/nccgroup/TriforceAFL
cd TriforceAFL
make

如果编译不通过，进入qemu_mode/修改脚本，然后重新make

./configure --target-list="aarch64-softmmu,microblazeel-softmmu" --enable-fdt --disable-kvm --disable-xen 

事实证明还是在Centos上搞定了。

• 跑个测试
  然后跑个实验先,注意TriforceLinuxSyscallFuzzer和TriforceAFL在同一目录：

1. 下载示例项目

git clone https://github.com/nccgroup/TriforceLinuxSyscallFuzzer
yum install glibc-static
cd TriforceLinuxSyscallFuzzer
make

2. 编译内核
   步骤基本如下：

• 下载代码 wget https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.2.2.tar.xz
• 安装依赖(如果还缺少其他依赖的话继续安装)

yum install ncurses-devel elfutils-libelf-devel
yum install -y ncurses-devel make gcc bc bison flex elfutils-libelf-devel openssl-devel grub2

• 编译

tar -xf linux-5.2.2.tar.xz && cd linux-5.2.2
cp /boot/config-$(uname -r) .config  # 使用这个你需要一路回车很久，不如用make menuconfig吧，更方便
make

此处本来尝试了采用afl-gcc和afl-g++去编译，但是没有成功。
更改install的路径vim Makefile在大概919行的位置，更改目录为自己的。此处为``

然后运行make install
就可以看到对应的文件已经在目录下了
然后查看ls /proc/kallsyms 。这个文件包含了kernel image和动态加载模块的符号表。 如果没有该文件，可以通过sudo sh -c "echo 0 > /proc/sys/kernel/kptr_restrict"进行开启。

把对应的文件拷贝到你的kern目录下

cp /proc/kallsyms  .
cp arch/x86/boot/bzImage /home/ops/fuzz_learning/tools/kern

内核编译就绪，接下来开始运行

make inputs
./runFuzz -M 10

2. OpenSSL
   参考： https://github.com/openssl/openssl/tree/master/fuzz

yum install clang
git clone https://github.com/openssl/openssl
CC=afl-clang ./config enable-fuzz-afl no-shared -DPEDANTIC \
    enable-tls1_3 enable-weak-ssl-ciphers enable-rc5 enable-md2 \
    enable-ssl3 enable-ssl3-method enable-nextprotoneg \
    enable-ec_nistp_64_gcc_128 -fno-sanitize=alignment \
    --debug
make

参考资料

• System.map和kallsyms文件

Note: Kernel with afl-gcc

编辑Makefile

HOSTCC = afl-gcc
HOSTCXX = afl-g++
CC = afl-gcc

crypto以及zstd下面的文件似乎不能用afl编译? 编辑crypto/Makefile lib/zstd/Makefile

HOSTCC = gcc
HOSTCXX = g++
CC = gcc

修改install path

这个是另外一个图

需要注意windows下需要修改代码