# Fuzzing with AFL ### AFL for cross architecture blackbox binaries ```bash #Pull AFL and install QEMU support git clone https://github.com/mcarpenter/afl cd afl make cd qemu_mode/ sudo apt install libtool-bin export CPU_TARGET=mips ./build_qemu_support.sh sudo -i #Stop coredumps from being sent to an external utility echo core > /proc/sys/kernel/core_pattern exit QEMU_LD_PREFIX=$(pwd) AFL_PATH=/home/$USER/afl afl-fuzz -i testcases/ -o output/ -Q -- ./myBinaryWithSTDIN ``` If you get issues on Ubuntu 18.04, add the following to the `qemu_mode/patches` directory: ``` From 75e5b70e6b5dcc4f2219992d7cffa462aa406af0 Mon Sep 17 00:00:00 2001 From: Paolo Bonzini Date: Tue, 28 Nov 2017 11:51:27 +0100 Subject: [PATCH] memfd: fix configure test MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Recent glibc added memfd_create in sys/mman.h. This conflicts with the definition in util/memfd.c: /builddir/build/BUILD/qemu-2.11.0-rc1/util/memfd.c:40:12: error: static declaration of memfd_create follows non-static declaration Fix the configure test, and remove the sys/memfd.h inclusion since the file actually does not exist---it is a typo in the memfd_create(2) man page. Cc: Marc-André Lureau Signed-off-by: Paolo Bonzini --- configure | 2 +- util/memfd.c | 4 +--- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/configure b/configure index 9c8aa5a..99ccc17 100755 --- a/configure +++ b/configure @@ -3923,7 +3923,7 @@ fi # check if memfd is supported memfd=no cat > $TMPC << EOF -#include +#include int main(void) { diff --git a/util/memfd.c b/util/memfd.c index 4571d1a..412e94a 100644 --- a/util/memfd.c +++ b/util/memfd.c @@ -31,9 +31,7 @@ #include "qemu/memfd.h" -#ifdef CONFIG_MEMFD -#include -#elif defined CONFIG_LINUX +#if defined CONFIG_LINUX && !defined CONFIG_MEMFD #include #include -- 1.8.3.1 ``` And add `patch -p1 <../patches/mman.diff || exit 1` to line 129 of `build_qemu_support.sh` ### Use RAMdisks for input since, we don't want to destroy harddrives ```bash #Make a 1GB ramdisk file from which AFL can read input mkdir -p inputFiles mount -t tmpfs -o size=1024M tmpfs inputFiles/ ``` ### AFL for source This part uses the afl-clang-fast to build instrumented binaries. ```bash #Ubuntu does not have clang 5, and I don't like building it from source wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | sudo apt-key add - sudo apt-add-repository "deb http://apt.llvm.org/xenial/ llvm-toolchain-xenial-5.0 main" sudo apt-get update sudo apt-get install -y clang-5.0 llvm-5.0 #Ubuntu doesn't like adding "clang" and "llvm-config" to the /usr/bin sudo ln -s /usr/bin/clang-5.0 /usr/bin/clang sudo ln -s /usr/bin/clang++-5.0 /usr/bin/clang++ sudo ln -s /usr/bin/llvm-config-5.0 /usr/bin/llvm-config #Pull AFL and install llvm mode git clone https://github.com/mcarpenter/afl cd afl make cd llvm_mode #This part is important. Clang5 support WILL NOT WORK without this change vim Makefile #Change CLANG_CFL from #CLANG_CFL = `$(LLVM_CONFIG) --cxxflags` -fno-rtti -fpic $(CXXFLAGS) # To #CLANG_CFL = -I/usr/lib/llvm-5.0/include -std=c++0x -fuse-ld=gold -Wl,--no-keep-files-mapped -Wl,--no-map-whole-files -fPIC -Werror=date-time -std=c++11 -Wall -W -Wno-unused-parameter -Wwrite-strings -Wcast-qual -Wno-missing-field-initializers -pedantic -Wno-long-long -Wno-maybe-uninitialized -Wdelete-non-virtual-dtor -Wno-comment -ffunction-sections -fdata-sections -O2 -DNDEBUG -fno-exceptions -DLLVM_BUILD_GLOBAL_ISEL -D_GNU_SOURCE -D__STDC_CONSTANT_MACROS -D__STDC_FORMAT_MACROS -D__STDC_LIMIT_MACROS -fno-rtti -fpic $(CXXFLAGS) #`llvm-config --cxxflags` includes the `-fvisibility-inlines-hidden` flag which WILL BREAK AFL INSTRUMENTATION. make cd .. sudo make install cd /path/to/source/code ./configure CC=afl-clang-fast make ``` ### Setting up and using Preeny Makes fuzzing binaries with socket/alarm/fork etc so much easier ```bash git clone https://github.com/zardus/preeny.git cd preeny #Your architecture libs make #32 bit libs CFLAGS=-m32 make #Cross architecture libs CC=mips-malta-linux-gnu-gcc make -i #Standard usage: LD_PRELOAD="/home/$USER/preeny/x86_64-linux-gnu/defork.so" ./myFavoriteForkingBinary #AFL usage: AFL_PRELOAD="/home/$USER/preeny/x86_64-linux-gnu/desock.so" afl-fuzz -i i/ -o o/ -m 200 ./myFavoriteSocketBinary ``` ### Useful environment variables for AFL ```bash #This disables fork server which stops before main() and issues forked processes from there AFL_NO_FORKSRV=1 #Send your LD_PRELOAD stuff only to the binary. This way you don't mess with AFL's fork server AFL_PRELOAD="/home/$USER/preeny/x86_64-linux-gnu/defork.so" ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://breaking-bits.gitbook.io/breaking-bits/vulnerability-discovery/fuzzing-with-afl.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.