#Fuzzing#

start_fuzzing.md

Artical

• https://medium.com/@coolx28/security-oriented-open-source-continuous-fuzzing-101-from-start-to-finish-637eaceb9acb
• https://foxglovesecurity.com/2016/03/15/fuzzing-workflows-a-fuzz-job-from-start-to-finish/
• https://research.aurainfosec.io/hunting-for-bugs-101/
• https://labsblog.f-secure.com/2017/06/22/super-awesome-fuzzing-part-one/
• https://thecyberrecce.net/2017/03/20/software-exploit-development-fuzzing-with-afl/
• https://www.sec-consult.com/wp-content/uploads/files/vulnlab/the_art_of_fuzzing_slides.pdf
• https://hackernoon.com/afl-unicorn-fuzzing-arbitrary-binary-code-563ca28936bf

brew install afl-fuzz

MacOS with AFL Fuzz

SL=/System/Library; PL=com.apple.ReportCrash
launchctl unload -w ${SL}/LaunchAgents/${PL}.plist
sudo launchctl unload -w ${SL}/LaunchDaemons/${PL}.Root.plist

• fuzzing python https://tomforb.es/segfaulting-python-with-afl-fuzz

repos and tools

• https://www.owasp.org/index.php/Fuzzing OWASP Fuzzing

• https://github.com/secfigo/Awesome-Fuzzing

• https://github.com/trailofbits/echidna ETH fuzzing tools

• https://fuzzing.info/papers/

• https://www.youtube.com/playlist?list=PLtPrYlwXDImiO_hzK7npBi4eKQQBgygLD 视频播放列表，关于fuzzing

• https://github.com/fuzzdb-project/fuzzdb fuzz的db

• http://llvm.org/docs/LibFuzzer.html

• fuzzer-test-suite: https://github.com/google/fuzzer-test-suite 学着玩玩

• AFL: http://lcamtuf.coredump.cx/afl/ (https://lcamtuf.coredump.cx/afl/releases/afl-latest.tgz)

• AFL python interface : https://github.com/shellphish/fuzzer

• AFL Unicorn: https://github.com/Battelle/afl-unicorn

• AFL training: https://github.com/ThalesIgnite/afl-training

• AFL go version: https://github.com/dvyukov/go-fuzz

• AFL rust version: https://github.com/rust-fuzz/afl.rs

• AFL python version: http://jwilk.net/software/python-afl

• WAFL

• Morph

• Os-fuzz

• zzuf 使用过了

• honggfuzz

• OSXFuzz

• sCFF分布式。py2.7 + AWS https://github.com/softscheck/sCFF

Other

• fuzzing初尝试 ，跟着 https://github.com/google/fuzzer-test-suite 的教程
• heartbleed 也是通过fuzzing发现的。厉害了卧槽。
• 微软研究院Seurity Risk Detection中关于fuzzing with machine learning , 但是这个视频只是使用。https://docs.microsoft.com/en-us/security-risk-detection/how-to/

问题来了：

• fuzzing原理是什么

先看下AFL的原理 http://lcamtuf.coredump.cx/afl/technical_details.txt

• 怎么写fuzzing的代码?
• 怎么根据fuzzing 后的结果写POC代码?
• 怎么自动化fuzzing?
• 怎么使用机器学习生成，并去攻击?
• 怎么进行内核的fuzzing windows kernel, linux kernel osx kernel?

https://github.com/RUB-SysSec/kAFL https://github.com/nccgroup/TriforceAFL https://github.com/google/syzkaller

DynamoRIO Tutorial

https://www.sec-consult.com/en/blog/2017/09/hack-the-hacker-fuzzing-mimikatz-on-windows-with-winafl-heatmaps-0day/index.html

WinAFL Fuzzing Minikatz

honggfuzz tutorial

其他基础

• 动态二进制修改入门
• 初探Windows Fuzzing神器—-Winafl

WinAFL fuzzing VLC with DynamoIRO

afl-fuzz.exe -i C:\Users\i\Desktop\Fuzzing\db -o C:\Users\i\Desktop\Fuzzing\results -D C:\Users\i\Desktop\Fuzzing\DynamoRIO\bin64 -t 20000 -- -fuzz_iterations 5000 -target_module "D:\Program Files (x86)\VideoLAN\VLC\vlc.exe" -target_offset 0x532a0 -nargs 2 -m 1024 -- "D:\Program Files (x86)\VideoLAN\VLC\vlc.exe" @@

QEMU With AFL

(本教程主要以cnetos为主)

• 安装QEMU依赖
  ubuntu

sudo apt-get install -y git libglib2.0-dev libfdt-dev libpixman-1-dev zlib1g-dev git-email libaio-dev libbluetooth-dev libbrlapi-dev libbz2-dev libcap-dev libcap-ng-dev libcurl4-gnutls-dev libgtk-3-dev  libibverbs-dev libjpeg8-dev libncurses5-dev libnuma-dev librbd-dev librdmacm-dev libsasl2-dev libsdl1.2-dev libseccomp-dev libsnappy-dev libssh2-1-dev  libvde-dev libvdeplug-dev libxen-dev liblzo2-dev valgrind xfslibs-dev  libnfs-dev libiscsi-dev

centos

yum install git glib2-devel libfdt-devel pixman-devel zlib-devel  qemu-kvm libvirt libvirt-python libguestfs-tools virt-install

• clone并编译TriforceAFL

git clone https://github.com/nccgroup/TriforceAFL
cd TriforceAFL
make

如果编译不通过，进入qemu_mode/修改脚本，然后重新make

./configure --target-list="aarch64-softmmu,microblazeel-softmmu" --enable-fdt --disable-kvm --disable-xen 

事实证明还是在Centos上搞定了。

• 跑个测试
  然后跑个实验先,注意TriforceLinuxSyscallFuzzer和TriforceAFL在同一目录：

1. 下载示例项目

git clone https://github.com/nccgroup/TriforceLinuxSyscallFuzzer
yum install glibc-static
cd TriforceLinuxSyscallFuzzer
make

2. 编译内核
   步骤基本如下：

• 下载代码 wget https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.2.2.tar.xz
• 安装依赖(如果还缺少其他依赖的话继续安装)

yum install ncurses-devel elfutils-libelf-devel
yum install -y ncurses-devel make gcc bc bison flex elfutils-libelf-devel openssl-devel grub2

• 编译

tar -xf linux-5.2.2.tar.xz && cd linux-5.2.2
cp /boot/config-$(uname -r) .config  # 使用这个你需要一路回车很久，不如用make menuconfig吧，更方便
make

此处本来尝试了采用afl-gcc和afl-g++去编译，但是没有成功。
更改install的路径vim Makefile在大概919行的位置，更改目录为自己的。此处为``

然后运行make install
就可以看到对应的文件已经在目录下了
然后查看ls /proc/kallsyms 。这个文件包含了kernel image和动态加载模块的符号表。 如果没有该文件，可以通过sudo sh -c "echo 0 > /proc/sys/kernel/kptr_restrict"进行开启。

把对应的文件拷贝到你的kern目录下

cp /proc/kallsyms  .
cp arch/x86/boot/bzImage /home/ops/fuzz_learning/tools/kern

内核编译就绪，接下来开始运行

make inputs
./runFuzz -M 10

2. OpenSSL
   参考： https://github.com/openssl/openssl/tree/master/fuzz

yum install clang
git clone https://github.com/openssl/openssl
CC=afl-clang ./config enable-fuzz-afl no-shared -DPEDANTIC \
    enable-tls1_3 enable-weak-ssl-ciphers enable-rc5 enable-md2 \
    enable-ssl3 enable-ssl3-method enable-nextprotoneg \
    enable-ec_nistp_64_gcc_128 -fno-sanitize=alignment \
    --debug
make

参考资料

• System.map和kallsyms文件

Note: Kernel with afl-gcc

编辑Makefile

HOSTCC = afl-gcc
HOSTCXX = afl-g++
CC = afl-gcc

crypto以及zstd下面的文件似乎不能用afl编译? 编辑crypto/Makefile lib/zstd/Makefile

HOSTCC = gcc
HOSTCXX = g++
CC = gcc

修改install path

这个是另外一个图

需要注意windows下需要修改代码