AFL Usage Notes

1. Download

Official repository: https://github.com/google/AFL

git command:

git clone https://github.com/google/AFL.git

2. Install

cd AFL        # the git clone above creates a directory named "AFL"; a zip download from GitHub unpacks to "AFL-master"
make
make install

3. Write a simple test program

AFL feeds the mutated data to the program through standard input.

// main.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[]) {
    char buf[100] = {0};
    gets(buf);             // no length limit: this is the bug the fuzzer is meant to find
    printf("%s\n", buf);
    return 0;
}

4. Instrumented compilation

afl-gcc main.c

5. Create the input and output directories and seed the first sample file

mkdir fuzz_in
mkdir fuzz_out
echo "123" >> fuzz_in/1

6. Fuzz

afl-fuzz -i fuzz_in -o fuzz_out ./a.out

You may see the failure below. The cause is that the system does not write core dumps to a file by default; run the following command to change that setting:

echo core > /proc/sys/kernel/core_pattern

[Figure: afl-fuzz refusing to start because of the core_pattern setting]

After this, afl-fuzz starts as shown in the figure below.

[Figure: afl-fuzz started successfully]

Fuzz status screen:

[Figure: the afl-fuzz status screen while running]

The only way to stop the run is Ctrl+C.

7. Inspect the crash inputs

The xxd command prints the contents of a crash file as a hexdump:

root@codemiao-virtual-machine:/zhd/aflTeste# cd fuzz_out/
root@codemiao-virtual-machine:/zhd/aflTeste/fuzz_out# ls
crashes  fuzz_bitmap  fuzzer_stats  hangs  plot_data  queue
root@codemiao-virtual-machine:/zhd/aflTeste/fuzz_out# cd crashes/
root@codemiao-virtual-machine:/zhd/aflTeste/fuzz_out/crashes# ls
id:000000,sig:06,src:000000,op:havoc,rep:128  id:000001,sig:06,src:000000,op:havoc,rep:128  README.txt
root@codemiao-virtual-machine:/zhd/aflTeste/fuzz_out/crashes# xxd id\:000001\,sig\:06\,src\:000000\,op\:havoc\,rep\:128 
00000000: 858c 8c94 8c05 ffff 056f 8c8c 8c8c 8c8c  .........o......
00000010: 8c8c 498c 8c05 ffd3 056f 8c8c 8c8c 8c8c  ..I......o......
00000020: 8c8c 8c8c 8c8c 8c05 ffd3 056f 8c8c 8c8c  ...........o....
00000030: 8c8c 8c8c 8c8c 8c8c 8c80 8c8c 8c8c 8c8c  ................
00000040: 8c8c 8c69 8c8c 8c8c 8c8c 8c8c 8c8c 8c8c  ...i............
00000050: 8c69 8c8c 8c8c 8c8c 8c8c 8c8c 8c8c 8c05  .i..............
00000060: ffd3 058c 8c8c 8c8c 8c8c 8c8c 7f8c 8c8c  ................
00000070: 8c 

8. Reproduce the problem

Run the compiled binary by hand and paste in the crash sample; it triggers an Aborted:

root@codemiao-virtual-machine:/zhd/aflTeste# ls
a.out  fuzz_in  fuzz_out  main.c
root@codemiao-virtual-machine:/zhd/aflTeste# ./a.out 
?????^E??^Eo????????I??^E??^Eo?????????????^E??^Eo???????????????????????i?????????????i?????????????^E??^E?????????^?????
?????^E??^Eo????????I??^E??^Eo?????????????^E??^Eo???????????????????????i?????????????i?????????????^E??^E?????????^?????
*** stack smashing detected ***: terminated
Aborted

9. Use ASan to locate the problem

Triggering the crash alone does not give the line number of the bug; build the program with ASan (AddressSanitizer) instead:

afl-gcc main.c -fsanitize=address

If it succeeds, AFL prints the following, noting ASAN/MSAN mode:

afl-as 2.57b by <lcamtuf@google.com>
[+] Instrumented 4 locations (64-bit, ASAN/MSAN mode, ratio 33%)

Feed the crash sample again to get the crashing line number and the call stack: the read that runs past the end of buf is reported in the printf("%s\n", buf) call on line 8; the bytes beyond the 100-byte buffer were written there by gets() on line 7, which has no length limit.

root@codemiao-virtual-machine:/zhd/aflTeste# cat main.c -n
     1  #include<stdio.h>
     2  #include<stdlib.h>
     3  #include<string.h>
     4  
     5  int main(int argc, char* argv[]) {
     6          char buf[100] = {0};
     7          gets(buf);
     8          printf("%s\n",buf);
     9          return 0;
    10  }

root@codemiao-virtual-machine:/zhd/aflTeste# ./a.out 
?????^E??^Eo????????I??^E??^Eo?????????????^E??^Eo???????????????????????i?????????????i?????????????^E??^E?????????^?????
=================================================================
==1187408==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe9f552c64 at pc 0x7f47e05c7f6d bp 0x7ffe9f552bc0 sp 0x7ffe9f552368
READ of size 123 at 0x7ffe9f552c64 thread T0
    #0 0x7f47e05c7f6c  (/lib/x86_64-linux-gnu/libasan.so.5+0x4ef6c)
    #1 0x563fd68d83d8 in printf /usr/include/x86_64-linux-gnu/bits/stdio2.h:107
    #2 0x563fd68d83d8 in main /zhd/aflTeste/main.c:8
    #3 0x7f47e03ae0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #4 0x563fd68d852d in _start (/zhd/aflTeste/a.out+0x152d)

Address 0x7ffe9f552c64 is located in stack of thread T0 at offset 148 in frame
    #0 0x563fd68d824f in main /zhd/aflTeste/main.c:5

  This frame has 1 object(s):
    [48, 148) 'buf' (line 6) <== Memory access at offset 148 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/lib/x86_64-linux-gnu/libasan.so.5+0x4ef6c) 
Shadow bytes around the buggy address:
  0x100053ea2530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100053ea2540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100053ea2550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100053ea2560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100053ea2570: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 f1 f1
=>0x100053ea2580: 00 00 00 00 00 00 00 00 00 00 00 00[04]f3 f3 f3
  0x100053ea2590: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100053ea25a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100053ea25b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100053ea25c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100053ea25d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1187408==ABORTING
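As an added example (not code from the original post), here is the hardened counterpart of the main.c from step 3: gets() is replaced by a bounded line reader built on fgets(), which is what removes the stack-buffer-overflow ASan reported at line 8. The read_line, read_line_from_str, demo_overlong and demo_was_truncated names, the use of tmpfile() to replay a constructed line, and the 123-byte line of 0x8c bytes (mirroring the size and byte value of the crash sample above) are this example's own choices, not anything from the post or from AFL.

```c
/* Added example, not code from the original post: a bounded replacement for
 * the gets() call in step 3's main.c. gets() has no length limit, so a line
 * longer than 99 bytes runs past buf[100]; that is the stack-buffer-overflow
 * AFL found. fgets() never stores more than cap-1 bytes plus a NUL. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Read one line from `in` into buf (capacity cap) and drop the trailing
 * newline. Returns the number of bytes stored, or -1 on EOF/error before any
 * data. A line longer than cap-1 bytes is cut at cap-1 bytes, the rest of that
 * line is drained so the next call starts on a fresh line, and *truncated is
 * set to 1. */
int read_line(FILE *in, char *buf, size_t cap, int *truncated)
{
    *truncated = 0;
    if (cap == 0 || fgets(buf, (int)cap, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';
        return (int)len;
    }
    /* No newline in buf: either the final line had none, the line fit
     * exactly, or it was too long. One more byte tells the cases apart. */
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return (int)len;
    *truncated = 1;
    do {                      /* discard the remainder of the overlong line */
        c = fgetc(in);
    } while (c != '\n' && c != EOF);
    return (int)len;
}

/* Replay a constructed line through read_line using an ISO C tmpfile(),
 * so the behaviour can be checked without a terminal or a fuzzer. */
int read_line_from_str(const char *s, char *buf, size_t cap, int *truncated)
{
    FILE *f = tmpfile();
    if (f == NULL)
        return -1;
    fputs(s, f);
    rewind(f);
    int n = read_line(f, buf, cap, truncated);
    fclose(f);
    return n;
}

/* Build a line of n 0x8c bytes (the byte value that fills the crash sample
 * above), read it into a 100-byte buffer like main.c's, and report the stored
 * length via *len_out. Returns the truncated flag, or -2 if the canary byte
 * placed right after the buffer was modified, i.e. an overflow happened. */
static int run_demo(size_t n, int *len_out)
{
    struct { char buf[100]; char canary; } frame;
    char *line = malloc(n + 2);
    int truncated = 0;
    if (line == NULL)
        return -1;
    memset(line, 0x8c, n);
    line[n] = '\n';
    line[n + 1] = '\0';
    frame.canary = 0x5a;
    *len_out = read_line_from_str(line, frame.buf, sizeof frame.buf, &truncated);
    free(line);
    return frame.canary == 0x5a ? truncated : -2;
}

int demo_overlong(size_t n)       /* bytes actually stored for an n-byte line */
{
    int len = 0;
    return run_demo(n, &len) < 0 ? -1 : len;
}

int demo_was_truncated(size_t n)  /* 1 if the n-byte line was cut, else 0 */
{
    int len = 0;
    return run_demo(n, &len);
}

/* Hardened main.c: same behaviour as step 3 for short input, but a 123-byte
 * line is cut at 99 bytes and flagged instead of smashing the stack. */
int main(void)
{
    char buf[100] = {0};
    int truncated = 0;
    if (read_line(stdin, buf, sizeof buf, &truncated) < 0)
        return 1;
    printf("%s%s\n", buf, truncated ? " [truncated]" : "");
    return 0;
}
```

Rebuild this version with afl-gcc main.c -fsanitize=address and replay the file from fuzz_out/crashes: at most 99 bytes are echoed, followed by the [truncated] marker, and ASan reports nothing. The canary check in run_demo is there only to make the "nothing spilled past buf" property visible in a plain build; under a fuzzing run, ASan plays that role for every buffer at once.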
