Breaking Bits
Breaking Bits
What this gitbook is
Vulnerability Discovery
Reverse Engineering
Emulation
Fuzzing with AFL
Automated Vulnerability Discovery
CTF
UMDCTF 2020
US CyberGames RE-Cruise 4
Firmware Emulator
Interactive Firmware Emulator Usage
Recreating CVE-2015-1187 in the DIR-820L
Powered by GitBook

Fuzzing with AFL

AFL for cross architecture blackbox binaries

#Pull AFL and install QEMU support
git clone https://github.com/mcarpenter/afl
cd afl
make
cd qemu_mode/
sudo apt install libtool-bin
export CPU_TARGET=mips
./build_qemu_support.sh
sudo -i
#Stop coredumps from being sent to an external utility
echo core > /proc/sys/kernel/core_pattern
exit
 
QEMU_LD_PREFIX=$(pwd) AFL_PATH=/home/$USER/afl afl-fuzz -i testcases/ -o output/ -Q -- ./myBinaryWithSTDIN

If you get issues on Ubuntu 18.04, add the following to the qemu_mode/patches directory:

From 75e5b70e6b5dcc4f2219992d7cffa462aa406af0 Mon Sep 17 00:00:00 2001
From: Paolo Bonzini <[email protected]>
Date: Tue, 28 Nov 2017 11:51:27 +0100
Subject: [PATCH] memfd: fix configure test
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
Recent glibc added memfd_create in sys/mman.h.  This conflicts with
the definition in util/memfd.c:
    /builddir/build/BUILD/qemu-2.11.0-rc1/util/memfd.c:40:12: error: static declaration of memfd_create follows non-static declaration
Fix the configure test, and remove the sys/memfd.h inclusion since the
file actually does not exist---it is a typo in the memfd_create(2) man
page.
Cc: Marc-André Lureau <[email protected]>
Signed-off-by: Paolo Bonzini <[email protected]>
---
 configure    | 2 +-
 util/memfd.c | 4 +---
 2 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/configure b/configure
index 9c8aa5a..99ccc17 100755
--- a/configure
+++ b/configure
@@ -3923,7 +3923,7 @@ fi
 # check if memfd is supported
 memfd=no
 cat > $TMPC << EOF
-#include <sys/memfd.h>
+#include <sys/mman.h>
 
 int main(void)
 {
diff --git a/util/memfd.c b/util/memfd.c
index 4571d1a..412e94a 100644
--- a/util/memfd.c
+++ b/util/memfd.c
@@ -31,9 +31,7 @@
 
 #include "qemu/memfd.h"
 
-#ifdef CONFIG_MEMFD
-#include <sys/memfd.h>
-#elif defined CONFIG_LINUX
+#if defined CONFIG_LINUX && !defined CONFIG_MEMFD
 #include <sys/syscall.h>
 #include <asm/unistd.h>
 
-- 
1.8.3.1

And add patch -p1 <../patches/mman.diff || exit 1 to line 129 of build_qemu_support.sh

Use RAMdisks for input since, we don't want to destroy harddrives

#Make a 1GB ramdisk file from which AFL can read input
mkdir -p inputFiles
mount -t tmpfs -o size=1024M tmpfs inputFiles/

AFL for source

This part uses the afl-clang-fast to build instrumented binaries.

#Ubuntu does not have clang 5, and I don't like building it from source
wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | sudo apt-key add -
sudo apt-add-repository "deb http://apt.llvm.org/xenial/ llvm-toolchain-xenial-5.0 main"
sudo apt-get update
sudo apt-get install -y clang-5.0 llvm-5.0
 
#Ubuntu doesn't like adding "clang" and "llvm-config" to the /usr/bin
sudo ln -s /usr/bin/clang-5.0 /usr/bin/clang
sudo ln -s /usr/bin/clang++-5.0 /usr/bin/clang++
sudo ln -s /usr/bin/llvm-config-5.0 /usr/bin/llvm-config
#Pull AFL and install llvm mode
git clone https://github.com/mcarpenter/afl
cd afl
make
cd llvm_mode
 
#This part is important. Clang5 support WILL NOT WORK without this change
vim Makefile
#Change CLANG_CFL from
#CLANG_CFL    = `$(LLVM_CONFIG) --cxxflags` -fno-rtti -fpic $(CXXFLAGS)
# To
#CLANG_CFL    = -I/usr/lib/llvm-5.0/include -std=c++0x -fuse-ld=gold -Wl,--no-keep-files-mapped -Wl,--no-map-whole-files -fPIC -Werror=date-time -std=c++11 -Wall -W -Wno-unused-parameter -Wwrite-strings -Wcast-qual -Wno-missing-field-initializers -pedantic -Wno-long-long -Wno-maybe-uninitialized -Wdelete-non-virtual-dtor -Wno-comment -ffunction-sections -fdata-sections -O2 -DNDEBUG  -fno-exceptions -DLLVM_BUILD_GLOBAL_ISEL -D_GNU_SOURCE -D__STDC_CONSTANT_MACROS -D__STDC_FORMAT_MACROS -D__STDC_LIMIT_MACROS -fno-rtti -fpic $(CXXFLAGS)
 
#`llvm-config --cxxflags` includes the `-fvisibility-inlines-hidden` flag which WILL BREAK AFL INSTRUMENTATION.
make
cd ..
sudo make install
cd /path/to/source/code
./configure CC=afl-clang-fast
make

Setting up and using Preeny

Makes fuzzing binaries with socket/alarm/fork etc so much easier

git clone https://github.com/zardus/preeny.git
cd preeny
 
#Your architecture libs
make
#32 bit libs
CFLAGS=-m32 make
#Cross architecture libs
CC=mips-malta-linux-gnu-gcc make -i
 
#Standard usage:
LD_PRELOAD="/home/$USER/preeny/x86_64-linux-gnu/defork.so" ./myFavoriteForkingBinary
 
#AFL usage:
AFL_PRELOAD="/home/$USER/preeny/x86_64-linux-gnu/desock.so" afl-fuzz -i i/ -o o/ -m 200 ./myFavoriteSocketBinary

Useful environment variables for AFL

#This disables fork server which stops before main() and issues forked processes from there
AFL_NO_FORKSRV=1
#Send your LD_PRELOAD stuff only to the binary. This way you don't mess with AFL's fork server
AFL_PRELOAD="/home/$USER/preeny/x86_64-linux-gnu/defork.so"
Previous
QEMU Usermode
Next - Vulnerability Discovery
Automated Vulnerability Discovery
Last updated 2 years ago
Contents
AFL for cross architecture blackbox binaries
Use RAMdisks for input since, we don't want to destroy harddrives
AFL for source
Setting up and using Preeny
Useful environment variables for AFL