@mylamour
Last active February 20, 2022 13:30
# Fuzzing

Article

```sh
brew install afl-fuzz
```

macOS with AFL Fuzz (afl-fuzz asks for the ReportCrash agent and daemon to be unloaded before it will run on macOS):

```sh
SL=/System/Library; PL=com.apple.ReportCrash
launchctl unload -w ${SL}/LaunchAgents/${PL}.plist
sudo launchctl unload -w ${SL}/LaunchDaemons/${PL}.Root.plist
```

repos and tools

Other

Questions:

  • What is the principle behind fuzzing?

First, look at how AFL works: http://lcamtuf.coredump.cx/afl/technical_details.txt

  • How do you write fuzzing code?
  • How do you write PoC code from the results of fuzzing?
  • How do you automate fuzzing?
  • How do you use machine learning to generate inputs and attack with them?
  • How do you fuzz kernels (Windows kernel, Linux kernel, OS X kernel)?

https://github.com/RUB-SysSec/kAFL https://github.com/nccgroup/TriforceAFL https://github.com/google/syzkaller

@mylamour

pdf fuzzing

  • mutool


mylamour commented Sep 10, 2018

libfuzzer tutorial


fuzz_me.c (despite the .c name, `bool` and `extern "C"` make this C++; the libFuzzer tutorial calls the file fuzz_me.cc)

```cpp
#include <stdint.h>
#include <stddef.h>

// Target under test. The length check only guarantees three bytes, but the
// last comparison reads Data[3]: a one-byte out-of-bounds read on any 3-byte
// input. This is the bug the libFuzzer tutorial plants for the fuzzer to find.
bool FuzzMe(const uint8_t *Data, size_t DataSize) {
  return DataSize >= 3 &&
      Data[0] == 'F' &&
      Data[1] == 'U' &&
      Data[2] == 'Z' &&
      Data[3] == 'Z';  // :‑<
}

// libFuzzer entry point: called once per generated input, must return 0.
// Build with ASan so the overread is reported:
//   clang++ -g -fsanitize=address,fuzzer fuzz_me.cc
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
  FuzzMe(Data, Size);
  return 0;
}
```
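The harness above reads `Data[3]` after checking only `DataSize >= 3`, which is the out-of-bounds read the tutorial wants the fuzzer (with ASan) to surface. The following C file is an added example, not part of the gist or of the libFuzzer tutorial: it shows the same target with the bounds check corrected, keeps the same `LLVMFuzzerTestOneInput` entry point, and adds a small stand-alone driver that replays a constructed corpus through that entry point so the fix can be checked without libFuzzer. The names `fuzz_me_fixed`, `count_corpus_matches`, `SAMPLE_CORPUS` and the `LIBFUZZER_BUILD` macro are my own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hardened form of the tutorial's FuzzMe (assumed name fuzz_me_fixed): the
 * length check now covers every byte that is compared, so a 3-byte input such
 * as "FUZ" short-circuits before Data[3] is ever touched. */
bool fuzz_me_fixed(const uint8_t *Data, size_t DataSize) {
  return DataSize >= 4 &&
         Data[0] == 'F' &&
         Data[1] == 'U' &&
         Data[2] == 'Z' &&
         Data[3] == 'Z';
}

/* Same libFuzzer entry point as in the gist. libFuzzer calls it once per
 * generated input and expects 0 back (other values are reserved). */
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
  fuzz_me_fixed(Data, Size);
  return 0;
}

/* One corpus entry: raw bytes plus an explicit length, because fuzz inputs
 * are byte buffers, not NUL-terminated strings. */
struct corpus_entry {
  const uint8_t *data;
  size_t len;
};

/* Constructed sample corpus (not from any real run). "FUZ" is the 3-byte
 * input on which the original FuzzMe reads one byte past the buffer. */
static const struct corpus_entry SAMPLE_CORPUS[] = {
    {(const uint8_t *)"FUZ", 3},
    {(const uint8_t *)"FUZZ", 4},
    {(const uint8_t *)"fuzz", 4},
    {(const uint8_t *)"FUZZING", 7},
    {(const uint8_t *)"", 0},
};
#define SAMPLE_CORPUS_LEN (sizeof(SAMPLE_CORPUS) / sizeof(SAMPLE_CORPUS[0]))

/* Replays a corpus through the target the way libFuzzer replays the files in
 * its corpus directory, and returns how many inputs reached the "FUZZ" branch.
 * Returns (size_t)-1 if the entry point ever returns non-zero, which would be
 * a harness bug. */
size_t count_corpus_matches(const struct corpus_entry *corpus, size_t n) {
  size_t matches = 0;
  for (size_t i = 0; i < n; i++) {
    if (LLVMFuzzerTestOneInput(corpus[i].data, corpus[i].len) != 0)
      return (size_t)-1;
    if (fuzz_me_fixed(corpus[i].data, corpus[i].len))
      matches++;
  }
  return matches;
}

/* Stand-alone driver. When linking against libFuzzer
 * (clang -g -fsanitize=address,fuzzer -DLIBFUZZER_BUILD fuzz_me_fixed.c),
 * libFuzzer supplies main(), so this one is compiled out. */
#ifndef LIBFUZZER_BUILD
int main(void) {
  size_t matches = count_corpus_matches(SAMPLE_CORPUS, SAMPLE_CORPUS_LEN);
  printf("%zu of %zu corpus inputs match \"FUZZ\"\n", matches,
         (size_t)SAMPLE_CORPUS_LEN);
  return matches == (size_t)-1 ? 1 : 0;
}
#endif
```

The only behavioural change from the gist's version is `DataSize >= 4`; everything else is there so the same file can be run as a plain program or handed to libFuzzer unchanged.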


DynamoRIO Tutorial


honggfuzz tutorial


mylamour commented Sep 12, 2018

WinAFL fuzzing VLC with DynamoRIO

```
afl-fuzz.exe -i C:\Users\i\Desktop\Fuzzing\db -o C:\Users\i\Desktop\Fuzzing\results -D C:\Users\i\Desktop\Fuzzing\DynamoRIO\bin64 -t 20000 -- -fuzz_iterations 5000 -target_module "D:\Program Files (x86)\VideoLAN\VLC\vlc.exe" -target_offset 0x532a0 -nargs 2 -m 1024 -- "D:\Program Files (x86)\VideoLAN\VLC\vlc.exe" @@
```


mylamour commented Jul 22, 2019

QEMU With AFL

(This tutorial is mainly based on CentOS.)

  • Install the QEMU dependencies

    Ubuntu:

```sh
sudo apt-get install -y git libglib2.0-dev libfdt-dev libpixman-1-dev zlib1g-dev git-email libaio-dev libbluetooth-dev libbrlapi-dev libbz2-dev libcap-dev libcap-ng-dev libcurl4-gnutls-dev libgtk-3-dev libibverbs-dev libjpeg8-dev libncurses5-dev libnuma-dev librbd-dev librdmacm-dev libsasl2-dev libsdl1.2-dev libseccomp-dev libsnappy-dev libssh2-1-dev libvde-dev libvdeplug-dev libxen-dev liblzo2-dev valgrind xfslibs-dev libnfs-dev libiscsi-dev
```

    CentOS:

```sh
yum install git glib2-devel libfdt-devel pixman-devel zlib-devel qemu-kvm libvirt libvirt-python libguestfs-tools virt-install
```
  • Clone and build TriforceAFL

```sh
git clone https://github.com/nccgroup/TriforceAFL
cd TriforceAFL
make
```

If the build fails, go into qemu_mode/, edit the script, and run make again:

```sh
./configure --target-list="aarch64-softmmu,microblazeel-softmmu" --enable-fdt --disable-kvm --disable-xen
```

It turned out that it worked on CentOS in the end.

  • Run a test

    Then run an experiment first; note that TriforceLinuxSyscallFuzzer and TriforceAFL must be in the same directory:

  1. Download the sample project

```sh
git clone https://github.com/nccgroup/TriforceLinuxSyscallFuzzer
yum install glibc-static
cd TriforceLinuxSyscallFuzzer
make
```

  2. Build the kernel

    The steps are roughly as follows:

  • Download the source: wget https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.2.2.tar.xz
  • Install the dependencies (keep installing if other dependencies are still missing)

```sh
yum install ncurses-devel elfutils-libelf-devel
yum install -y ncurses-devel make gcc bc bison flex elfutils-libelf-devel openssl-devel grub2
```

  • Build

```sh
tar -xf linux-5.2.2.tar.xz && cd linux-5.2.2
cp /boot/config-$(uname -r) .config  # with this you will be pressing Enter for a long time; make menuconfig is more convenient
make
```

I originally tried building with afl-gcc and afl-g++ here, but it did not succeed.
Change the install path: vim Makefile, at around line 919, and change the directory to your own. Here it is ``


Then run make install
and you can see that the corresponding files are now in the directory.
Then check ls /proc/kallsyms. This file contains the symbol table of the kernel image and of dynamically loaded modules. If the file is not there, it can be enabled with sudo sh -c "echo 0 > /proc/sys/kernel/kptr_restrict".

Copy the corresponding files into your kern directory:

```sh
cp /proc/kallsyms .
cp arch/x86/boot/bzImage /home/ops/fuzz_learning/tools/kern
```


The kernel build is ready; next, start running:

```sh
make inputs
./runFuzz -M 10
```


  3. OpenSSL

    Reference: https://github.com/openssl/openssl/tree/master/fuzz

```sh
yum install clang
git clone https://github.com/openssl/openssl
cd openssl   # the configure step below has to run inside the checkout
CC=afl-clang ./config enable-fuzz-afl no-shared -DPEDANTIC \
    enable-tls1_3 enable-weak-ssl-ciphers enable-rc5 enable-md2 \
    enable-ssl3 enable-ssl3-method enable-nextprotoneg \
    enable-ec_nistp_64_gcc_128 -fno-sanitize=alignment \
    --debug
make
```

References
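The kernel step in the comment above copies /proc/kallsyms next to the kernel image. A detail worth checking at that point: when kptr_restrict is 1, /proc/kallsyms still exists but prints every address as zeros to readers without CAP_SYSLOG (with 2, to everyone), so a copied file can look complete and still be useless to a fuzzer that resolves symbols from it. The C program below is an added example, not part of the gist or of TriforceAFL: it parses a kallsyms dump held in memory, reports whether the addresses are masked, and looks up a symbol by name. The two sample dumps `KALLSYMS_OK` and `KALLSYMS_MASKED` are constructed, and the function names (`parse_kallsyms_line`, `count_masked_symbols`, `kallsyms_usable`, `find_symbol`) are my own.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One parsed /proc/kallsyms record: "<hex address> <type> <name> [module]". */
struct ksym {
  unsigned long long addr;
  char type;
  char name[128];
};

/* Constructed sample dumps (not taken from any real machine). The second is
 * what an unprivileged reader sees with kptr_restrict=1. */
static const char KALLSYMS_OK[] =
    "ffffffff81000000 T _text\n"
    "ffffffff810a1b20 T panic\n"
    "ffffffff81c00000 D _sdata\n"
    "ffffffffc0000000 t mod_fn\t[dummy_mod]\n";

static const char KALLSYMS_MASKED[] =
    "0000000000000000 T _text\n"
    "0000000000000000 T panic\n"
    "0000000000000000 D _sdata\n";

/* Parses a single kallsyms line into *out. The optional "[module]" field is
 * ignored. Returns false on a malformed line. */
bool parse_kallsyms_line(const char *line, struct ksym *out) {
  char addr_hex[32];
  if (sscanf(line, "%31s %c %127s", addr_hex, &out->type, out->name) != 3)
    return false;
  for (const char *p = addr_hex; *p; p++)
    if (!isxdigit((unsigned char)*p)) return false;
  out->addr = strtoull(addr_hex, NULL, 16);
  return true;
}

/* Copies the next line of *cursor into buf (truncating overlong lines) and
 * advances the cursor. Returns false once the text is exhausted. */
static bool next_line(const char **cursor, char *buf, size_t bufsz) {
  const char *p = *cursor;
  if (*p == '\0') return false;
  const char *nl = strchr(p, '\n');
  size_t len = nl ? (size_t)(nl - p) : strlen(p);
  if (len >= bufsz) len = bufsz - 1;
  memcpy(buf, p, len);
  buf[len] = '\0';
  *cursor = nl ? nl + 1 : p + strlen(p);
  return true;
}

/* Counts well-formed symbols whose address is entirely zero, i.e. masked by
 * kptr_restrict. If total is non-NULL it receives the number of well-formed
 * lines seen. */
size_t count_masked_symbols(const char *text, size_t *total) {
  size_t masked = 0, seen = 0;
  char line[512];
  struct ksym s;
  while (next_line(&text, line, sizeof line)) {
    if (!parse_kallsyms_line(line, &s)) continue;
    seen++;
    if (s.addr == 0) masked++;
  }
  if (total) *total = seen;
  return masked;
}

/* True if the dump has at least one symbol and none of them are masked. */
bool kallsyms_usable(const char *text) {
  size_t total = 0;
  size_t masked = count_masked_symbols(text, &total);
  return total > 0 && masked == 0;
}

/* Looks a symbol up by exact name. Returns 0 when it is absent; a usable dump
 * never carries a real symbol at address 0, so 0 is safe as "not found". */
unsigned long long find_symbol(const char *text, const char *name) {
  char line[512];
  struct ksym s;
  while (next_line(&text, line, sizeof line)) {
    if (parse_kallsyms_line(line, &s) && strcmp(s.name, name) == 0)
      return s.addr;
  }
  return 0;
}

int main(void) {
  printf("constructed OK dump usable: %s\n",
         kallsyms_usable(KALLSYMS_OK) ? "yes" : "no");
  printf("constructed masked dump usable: %s\n",
         kallsyms_usable(KALLSYMS_MASKED) ? "yes" : "no");
  printf("panic in OK dump: %llx\n", find_symbol(KALLSYMS_OK, "panic"));
  return 0;
}
```

To run the same check on a real file, read /proc/kallsyms into a buffer and pass it to `kallsyms_usable` before copying it into the kern directory; an all-zero result means the copy was taken with kptr_restrict still in effect (or without sufficient privilege), not that the kernel lacks symbols.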


mylamour commented Jul 26, 2019

Note: Kernel with afl-gcc

Edit the Makefile:

```make
HOSTCC = afl-gcc
HOSTCXX = afl-g++
CC = afl-gcc
```

The files under crypto and zstd apparently cannot be built with afl? Edit crypto/Makefile and lib/zstd/Makefile:

```make
HOSTCC = gcc
HOSTCXX = g++
CC = gcc
```

Change the install path.


mylamour commented Jul 30, 2019

Note that on Windows the code needs to be modified.
