n30m1nd/apatching_for_AFL_Persistent_fuzzing.diff

## apatching_for_AFL_Persistent_fuzzing.diff
Index: server/main.c
===================================================================
--- server/main.c	(revision 1794475)
+++ server/main.c	(working copy)
@@ -434,11 +434,157 @@
     ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, NULL,
                  "  -X                 : debug mode (only one worker, do not detach)");

-    destroy_and_exit_process(process, 1);
+    destroy_and_exit_process(process, 0);
 }

-int main(int argc, const char * const argv[])
+#include <sched.h>
+#include <linux/sched.h>
+#include <arpa/inet.h>
+#include <errno.h>
+#include <net/if.h>
+#include <net/route.h>
+#include <netinet/ip6.h>
+#include <netinet/tcp.h>
+#include <sched.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+#include <strings.h>
+#include <sys/ioctl.h>
+#include <sys/resource.h>
+#include <sys/socket.h>
+#include <sys/time.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <unistd.h>
+
+static void netIfaceUp(const char *ifacename)
 {
+    int sock = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
+    if (sock == -1) {
+        perror("socket(AF_INET, SOCK_STREAM, IPPROTO_IP)");
+        _exit(1);
+    }
+
+    struct ifreq ifr;
+    memset(&ifr, '\0', sizeof(ifr));
+    snprintf(ifr.ifr_name, IF_NAMESIZE, "%s", ifacename);
+
+    if (ioctl(sock, SIOCGIFFLAGS, &ifr) == -1) {
+        perror("ioctl(iface='lo', SIOCGIFFLAGS, IFF_UP)");
+        _exit(1);
+    }
+
+    ifr.ifr_flags |= (IFF_UP | IFF_RUNNING);
+
+    if (ioctl(sock, SIOCSIFFLAGS, &ifr) == -1) {
+        perror("ioctl(iface='lo', SIOCSIFFLAGS, IFF_UP)");
+        _exit(1);
+    }
+
+    close(sock);
+}
+
+void unsh(void)
+{
+    unshare(CLONE_NEWUSER | CLONE_NEWNET | CLONE_NEWNS);
+
+    if (mount("tmpfs", "/tmp", "tmpfs", 0, "") == -1) {
+        perror("tmpfs");
+        _exit(1);
+    }
+    netIfaceUp("lo");
+}
+
+static void GETDATA(process_rec *process)
+{
+    int BUFSIZE=1024*1024;
+    usleep(10000);
+    char buf[BUFSIZE+1];
+    while ( __AFL_LOOP(10000)){
+        printf("[+] Looping\n");
+        memset(buf, 0, BUFSIZE);
+        size_t read_bytes = read(0, buf, BUFSIZE);
+        buf[BUFSIZE-2] = '\r';
+        buf[BUFSIZE-1] = '\n';
+        buf[BUFSIZE] = '\0';
+
+        int sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
+        if (sockfd == -1) {
+            perror("socket");
+            _exit(1);
+        }
+
+        int sz = (1024 * 1024);
+        if (setsockopt(sockfd, SOL_SOCKET, SO_SNDBUF, &sz, sizeof(sz)) == -1) {
+            perror("setsockopt");
+            exit(1);
+        }
+
+        printf("[+] Connecting\n", buf);
+
+        struct sockaddr_in saddr;
+        saddr.sin_family = AF_INET;
+        saddr.sin_port = htons(80);
+        saddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+        if (connect(sockfd, &saddr, sizeof(saddr)) == -1) {
+            printf("[-] Connect failed\n");
+            perror("connect");
+            continue;
+        }
+
+        printf("[+] Sending buf %s\n", buf);
+
+        if (send(sockfd, buf, read_bytes, MSG_NOSIGNAL) != read_bytes) {
+            perror("send() failed 1");
+            exit(1);
+        }
+
+        printf("[+] Buf sent %s\n", &buf);
+
+        if (shutdown(sockfd, SHUT_WR) == -1) {
+            perror("shutdown");
+            exit(1);
+        }
+
+        char b[1024 * 1024];
+        while (recv(sockfd, b, sizeof(b), MSG_WAITALL) > 0) ;
+
+        printf("[+] Received %s\n", b);
+
+        close(sockfd);
+        printf("[+] Nice run\n");
+    }
+    printf("[+] Whew lad!\n");
+    usleep(100000);
+    _exit(0);
+    exit(0);
+}
+
+static void LAUNCHTHR(process_rec *process)
+{
+    pthread_t t;
+    pthread_attr_t attr;
+
+    pthread_attr_init(&attr);
+    pthread_attr_setstacksize(&attr, 1024 * 1024 * 8);
+    pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_DETACHED);
+
+    pthread_create(&t, &attr, GETDATA, process);
+}
+
+int main(int argc, const char *const argv[])
+{
+
+    process_rec *process; // Needed to finish apache
+    if (getenv("NO_FUZZ") == NULL) {
+        unsh();
+        LAUNCHTHR(process);
+        printf("[+] Launched loop\n");
+    }
+    printf("[+] I did follow\n");
+
     char c;
     int showcompile = 0, showdirectives = 0;
     const char *confname = SERVER_CONFIG_FILE;
@@ -445,7 +591,6 @@
     const char *def_server_root = HTTPD_ROOT;
     const char *temp_error_log = NULL;
     const char *error;
-    process_rec *process;
     apr_pool_t *pconf;
     apr_pool_t *plog; /* Pool of log streams, reset _after_ each read of conf */
     apr_pool_t *ptemp; /* Pool for temporary config stuff, reset often */
@@ -688,7 +833,8 @@

     /* If our config failed, deal with that here. */
     if (rv != OK) {
-        destroy_and_exit_process(process, 1);
+        printf("[-] Config failed...\n");
+        destroy_and_exit_process(process, 0);
     }

     signal_server = APR_RETRIEVE_OPTIONAL_FN(ap_signal_server);
@@ -696,6 +842,7 @@
         int exit_status;

         if (signal_server(&exit_status, pconf) != 0) {
+            printf("[-] Server signaled out\n");
             destroy_and_exit_process(process, exit_status);
         }
     }
	Index: server/main.c
	===================================================================
	--- server/main.c (revision 1794475)
	+++ server/main.c (working copy)
	@@ -434,11 +434,157 @@
	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, NULL,
	" -X : debug mode (only one worker, do not detach)");

	- destroy_and_exit_process(process, 1);
	+ destroy_and_exit_process(process, 0);
	}

	-int main(int argc, const char * const argv[])
	+#include <sched.h>
	+#include <linux/sched.h>
	+#include <arpa/inet.h>
	+#include <errno.h>
	+#include <net/if.h>
	+#include <net/route.h>
	+#include <netinet/ip6.h>
	+#include <netinet/tcp.h>
	+#include <sched.h>
	+#include <stdio.h>
	+#include <stdint.h>
	+#include <stdlib.h>
	+#include <string.h>
	+#include <strings.h>
	+#include <sys/ioctl.h>
	+#include <sys/resource.h>
	+#include <sys/socket.h>
	+#include <sys/time.h>
	+#include <sys/types.h>
	+#include <sys/wait.h>
	+#include <unistd.h>
	+
	+static void netIfaceUp(const char *ifacename)
	{
	+ int sock = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
	+ if (sock == -1) {
	+ perror("socket(AF_INET, SOCK_STREAM, IPPROTO_IP)");
	+ _exit(1);
	+ }
	+
	+ struct ifreq ifr;
	+ memset(&ifr, '\0', sizeof(ifr));
	+ snprintf(ifr.ifr_name, IF_NAMESIZE, "%s", ifacename);
	+
	+ if (ioctl(sock, SIOCGIFFLAGS, &ifr) == -1) {
	+ perror("ioctl(iface='lo', SIOCGIFFLAGS, IFF_UP)");
	+ _exit(1);
	+ }
	+
	+ ifr.ifr_flags \|= (IFF_UP \| IFF_RUNNING);
	+
	+ if (ioctl(sock, SIOCSIFFLAGS, &ifr) == -1) {
	+ perror("ioctl(iface='lo', SIOCSIFFLAGS, IFF_UP)");
	+ _exit(1);
	+ }
	+
	+ close(sock);
	+}
	+
	+void unsh(void)
	+{
	+ unshare(CLONE_NEWUSER \| CLONE_NEWNET \| CLONE_NEWNS);
	+
	+ if (mount("tmpfs", "/tmp", "tmpfs", 0, "") == -1) {
	+ perror("tmpfs");
	+ _exit(1);
	+ }
	+ netIfaceUp("lo");
	+}
	+
	+static void GETDATA(process_rec *process)
	+{
	+ int BUFSIZE=1024*1024;
	+ usleep(10000);
	+ char buf[BUFSIZE+1];
	+ while ( __AFL_LOOP(10000)){
	+ printf("[+] Looping\n");
	+ memset(buf, 0, BUFSIZE);
	+ size_t read_bytes = read(0, buf, BUFSIZE);
	+ buf[BUFSIZE-2] = '\r';
	+ buf[BUFSIZE-1] = '\n';
	+ buf[BUFSIZE] = '\0';
	+
	+ int sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
	+ if (sockfd == -1) {
	+ perror("socket");
	+ _exit(1);
	+ }
	+
	+ int sz = (1024 * 1024);
	+ if (setsockopt(sockfd, SOL_SOCKET, SO_SNDBUF, &sz, sizeof(sz)) == -1) {
	+ perror("setsockopt");
	+ exit(1);
	+ }
	+
	+ printf("[+] Connecting\n", buf);
	+
	+ struct sockaddr_in saddr;
	+ saddr.sin_family = AF_INET;
	+ saddr.sin_port = htons(80);
	+ saddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
	+ if (connect(sockfd, &saddr, sizeof(saddr)) == -1) {
	+ printf("[-] Connect failed\n");
	+ perror("connect");
	+ continue;
	+ }
	+
	+ printf("[+] Sending buf %s\n", buf);
	+
	+ if (send(sockfd, buf, read_bytes, MSG_NOSIGNAL) != read_bytes) {
	+ perror("send() failed 1");
	+ exit(1);
	+ }
	+
	+ printf("[+] Buf sent %s\n", &buf);
	+
	+ if (shutdown(sockfd, SHUT_WR) == -1) {
	+ perror("shutdown");
	+ exit(1);
	+ }
	+
	+ char b[1024 * 1024];
	+ while (recv(sockfd, b, sizeof(b), MSG_WAITALL) > 0) ;
	+
	+ printf("[+] Received %s\n", b);
	+
	+ close(sockfd);
	+ printf("[+] Nice run\n");
	+ }
	+ printf("[+] Whew lad!\n");
	+ usleep(100000);
	+ _exit(0);
	+ exit(0);
	+}
	+
	+static void LAUNCHTHR(process_rec *process)
	+{
	+ pthread_t t;
	+ pthread_attr_t attr;
	+
	+ pthread_attr_init(&attr);
	+ pthread_attr_setstacksize(&attr, 1024 * 1024 * 8);
	+ pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_DETACHED);
	+
	+ pthread_create(&t, &attr, GETDATA, process);
	+}
	+
	+int main(int argc, const char *const argv[])
	+{
	+
	+ process_rec *process; // Needed to finish apache
	+ if (getenv("NO_FUZZ") == NULL) {
	+ unsh();
	+ LAUNCHTHR(process);
	+ printf("[+] Launched loop\n");
	+ }
	+ printf("[+] I did follow\n");
	+
	char c;
	int showcompile = 0, showdirectives = 0;
	const char *confname = SERVER_CONFIG_FILE;
	@@ -445,7 +591,6 @@
	const char *def_server_root = HTTPD_ROOT;
	const char *temp_error_log = NULL;
	const char *error;
	- process_rec *process;
	apr_pool_t *pconf;
	apr_pool_t plog; / Pool of log streams, reset _after_ each read of conf */
	apr_pool_t ptemp; / Pool for temporary config stuff, reset often */
	@@ -688,7 +833,8 @@

	/* If our config failed, deal with that here. */
	if (rv != OK) {
	- destroy_and_exit_process(process, 1);
	+ printf("[-] Config failed...\n");
	+ destroy_and_exit_process(process, 0);
	}

	signal_server = APR_RETRIEVE_OPTIONAL_FN(ap_signal_server);
	@@ -696,6 +842,7 @@
	int exit_status;

	if (signal_server(&exit_status, pconf) != 0) {
	+ printf("[-] Server signaled out\n");
	destroy_and_exit_process(process, exit_status);
	}
	}