AFL fuzz工具初探

下载 && 安装

wget http://lcamtuf.coredump.cx/afl/releases/afl-latest.tgz
tar -xvf ./afl-latest.tgz
cd afl-2.52b/
sudo make && sudo make install

安装成功

root@giant:~# afl-fuzz 
afl-fuzz 2.52b by <lcamtuf@google.com>

afl-fuzz [ options ] -- /path/to/fuzzed_app [ ... ]

Required parameters:

  -i dir        - input directory with test cases
  -o dir        - output directory for fuzzer findings

Execution control settings:

  -f file       - location read by the fuzzed program (stdin)
  -t msec       - timeout for each run (auto-scaled, 50-1000 ms)
  -m megs       - memory limit for child process (50 MB)
  -Q            - use binary-only instrumentation (QEMU mode)

Fuzzing behavior settings:

  -d            - quick & dirty mode (skips deterministic steps)
  -n            - fuzz without instrumentation (dumb mode)
  -x dir        - optional fuzzer dictionary (see README)

Other stuff:

  -T text       - text banner to show on the screen
  -M / -S id    - distributed mode (see parallel_fuzzing.txt)
  -C            - crash exploration mode (the peruvian rabbit thing)

For additional tips, please consult /usr/local/share/doc/afl/README.

有源码fuzz——upx

由于我们用afl来fuzz，这个有源码的要用afl-gcc来编译，所以编辑Makefile文件

git clone https://github.com/upx/upx.git
cd upx/
vim Makefile

添加：CC = /usr/local/bin/afl-gcc （我直接在第一行加）

cd ./src
vim Makefile

修改： CXX ?= /usr/local/bin/afl-g++ （应该在31行）

此外，我们还需要安装编译依赖的东西，github文档有说：https://github.com/upx/upx/blob/master/README.SRC

那个zlib一般都会有的，很多linux其实默认自带upx了

如果没有的话，ubuntu是这个

apt install zlib1g zlib1g-dev

安装lzma-sdk

root@giant:~/aflfuzz/fuzztarget/upx# git submodule update --init --recursive
Submodule 'src/lzma-sdk' (https://github.com/upx/upx-lzma-sdk.git) registered for path 'src/lzma-sdk'
Cloning into 'src/lzma-sdk'...
remote: Counting objects: 439, done.
remote: Total 439 (delta 0), reused 0 (delta 0), pack-reused 439
Receiving objects: 100% (439/439), 334.46 KiB | 0 bytes/s, done.
Resolving deltas: 100% (151/151), done.
Checking connectivity... done.
Submodule path 'src/lzma-sdk': checked out '426fe82d122e2cf140a86751055ee523378fe2ef'

安装ucl

wget http://www.oberhumer.com/opensource/ucl/download/ucl-1.03.tar.gz
tar -xvf ./ucl-1.03.tar.gz
cd ucl-1.03/
./configure && sudo make && sudo make install
export UPX_UCLDIR=/path/to/ucl-1.03    # ！！！！！你自己的路径啊

最后到我们编译upx了

root@giant:~/aflfuzz/fuzztarget/upx# make all

最后编译生成的文件在src目录下的upx.out

我们用ida打开就可以看到不同了

开始fuzz（下面用file文件作为样本）

root@giant:~/aflfuzz/fuzztarget/upx# mkdir afl_in afl_out
root@giant:~/aflfuzz/fuzztarget/upx# cp /usr/bin/file afl_in
root@giant:~/aflfuzz/fuzztarget/upx# afl-fuzz -i afl_in -o afl_out ./src/upx.out @@

对了，还需要开启core dump

echo core >/proc/sys/kernel/core_pattern

刚开跑就15个崩溃了

无源码fuzz

对无源码的程序进行fuzz一般有两种方法:

1. 对二进制文件进行插桩
2. 使用-n选项进行传统的fuzz测试

第一种由afl-qemu实现，如果使用第二种方法，把-Q改成-n就行

编译一个AFL版的qemu

root@giant:~/aflfuzz/afl-2.52b# cd qemu_mode/
root@giant:~/aflfuzz/afl-2.52b/qemu_mode# ls
build_qemu_support.sh  patches  README.qemu
root@giant:~/aflfuzz/afl-2.52b/qemu_mode# ./build_qemu_support.sh 
root@giant:~/aflfuzz/afl-2.52b/qemu_mode#cp ../afl-qemu-trace /usr/local/bin/

如果缺少libtool

apt install libtool-bin

无源码fuzz —— readelf

同样也是创建文件夹，放入原始样本（test你自己准备吧）

mkdir afl_in afl_out
mv test ./afl_in/
cp /usr/bin/readelf .
afl-fuzz -i afl_in -o afl_out -Q ./readelf -a @@

reference

http://pwn4.fun/2017/09/21/AFL%E6%8A%80%E6%9C%AF%E4%BB%8B%E7%BB%8D/
https://www.cnblogs.com/WangAoBo/p/8280352.html