Breaking Bits
Search…
Vulnerability Discovery
CTF
Firmware Emulator
Exploit Development
Fuzzing with AFL
AFL for cross architecture blackbox binaries
1
#Pull AFL and install QEMU support
2
git clone https://github.com/mcarpenter/afl
3
cd afl
4
make
5
cd qemu_mode/
6
sudo apt install libtool-bin
7
export CPU_TARGET=mips
8
./build_qemu_support.sh
9
sudo -i
10
#Stop coredumps from being sent to an external utility
11
echo core > /proc/sys/kernel/core_pattern
12
exit
13
14
QEMU_LD_PREFIX=$(pwd) AFL_PATH=/home/$USER/afl afl-fuzz -i testcases/ -o output/ -Q -- ./myBinaryWithSTDIN
Copied!
If you get issues on Ubuntu 18.04, add the following to the
qemu_mode/patches directory:1
From 75e5b70e6b5dcc4f2219992d7cffa462aa406af0 Mon Sep 17 00:00:00 2001
2
From: Paolo Bonzini <[email protected]>
3
Date: Tue, 28 Nov 2017 11:51:27 +0100
4
Subject: [PATCH] memfd: fix configure test
5
MIME-Version: 1.0
6
Content-Type: text/plain; charset=utf8
7
Content-Transfer-Encoding: 8bit
8
​
9
Recent glibc added memfd_create in sys/mman.h. This conflicts with
10
the definition in util/memfd.c:
11
​
12
/builddir/build/BUILD/qemu-2.11.0-rc1/util/memfd.c:40:12: error: static declaration of memfd_create follows non-static declaration
13
​
14
Fix the configure test, and remove the sys/memfd.h inclusion since the
15
file actually does not exist---it is a typo in the memfd_create(2) man
16
page.
17
​
18
Cc: Marc-André Lureau <[email protected]>
19
Signed-off-by: Paolo Bonzini <[email protected]>
20
---
21
configure | 2 +-
22
util/memfd.c | 4 +---
23
2 files changed, 2 insertions(+), 4 deletions(-)
24
​
25
diff --git a/configure b/configure
26
index 9c8aa5a..99ccc17 100755
27
--- a/configure
28
+++ b/configure
29
@@ -3923,7 +3923,7 @@ fi
30
# check if memfd is supported
31
memfd=no
32
cat > $TMPC << EOF
33
-#include <sys/memfd.h>
34
+#include <sys/mman.h>
35
36
int main(void)
37
{
38
diff --git a/util/memfd.c b/util/memfd.c
39
index 4571d1a..412e94a 100644
40
--- a/util/memfd.c
41
+++ b/util/memfd.c
42
@@ -31,9 +31,7 @@
43
44
#include "qemu/memfd.h"
45
46
-#ifdef CONFIG_MEMFD
47
-#include <sys/memfd.h>
48
-#elif defined CONFIG_LINUX
49
+#if defined CONFIG_LINUX && !defined CONFIG_MEMFD
50
#include <sys/syscall.h>
51
#include <asm/unistd.h>
52
53
--
54
1.8.3.1
55
​
56
​
57
​
Copied!
And add
patch -p1 <../patches/mman.diff || exit 1 to line 129 of build_qemu_support.shUse RAMdisks for input since, we don't want to destroy harddrives
1
#Make a 1GB ramdisk file from which AFL can read input
2
mkdir -p inputFiles
3
mount -t tmpfs -o size=1024M tmpfs inputFiles/
Copied!
AFL for source
This part uses the afl-clang-fast to build instrumented binaries.
1
#Ubuntu does not have clang 5, and I don't like building it from source
2
wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | sudo apt-key add -
3
sudo apt-add-repository "deb http://apt.llvm.org/xenial/ llvm-toolchain-xenial-5.0 main"
4
sudo apt-get update
5
sudo apt-get install -y clang-5.0 llvm-5.0
6
7
#Ubuntu doesn't like adding "clang" and "llvm-config" to the /usr/bin
8
sudo ln -s /usr/bin/clang-5.0 /usr/bin/clang
9
sudo ln -s /usr/bin/clang++-5.0 /usr/bin/clang++
10
sudo ln -s /usr/bin/llvm-config-5.0 /usr/bin/llvm-config
11
​
12
​
13
#Pull AFL and install llvm mode
14
git clone https://github.com/mcarpenter/afl
15
cd afl
16
make
17
cd llvm_mode
18
19
#This part is important. Clang5 support WILL NOT WORK without this change
20
vim Makefile
21
#Change CLANG_CFL from
22
#CLANG_CFL = `$(LLVM_CONFIG) --cxxflags` -fno-rtti -fpic $(CXXFLAGS)
23
# To
24
#CLANG_CFL = -I/usr/lib/llvm-5.0/include -std=c++0x -fuse-ld=gold -Wl,--no-keep-files-mapped -Wl,--no-map-whole-files -fPIC -Werror=date-time -std=c++11 -Wall -W -Wno-unused-parameter -Wwrite-strings -Wcast-qual -Wno-missing-field-initializers -pedantic -Wno-long-long -Wno-maybe-uninitialized -Wdelete-non-virtual-dtor -Wno-comment -ffunction-sections -fdata-sections -O2 -DNDEBUG -fno-exceptions -DLLVM_BUILD_GLOBAL_ISEL -D_GNU_SOURCE -D__STDC_CONSTANT_MACROS -D__STDC_FORMAT_MACROS -D__STDC_LIMIT_MACROS -fno-rtti -fpic $(CXXFLAGS)
25
26
#`llvm-config --cxxflags` includes the `-fvisibility-inlines-hidden` flag which WILL BREAK AFL INSTRUMENTATION.
27
make
28
cd ..
29
sudo make install
30
cd /path/to/source/code
31
./configure CC=afl-clang-fast
32
make
Copied!
Setting up and using Preeny
Makes fuzzing binaries with socket/alarm/fork etc so much easier
1
git clone https://github.com/zardus/preeny.git
2
cd preeny
3
4
#Your architecture libs
5
make
6
#32 bit libs
7
CFLAGS=-m32 make
8
#Cross architecture libs
9
CC=mips-malta-linux-gnu-gcc make -i
10
11
#Standard usage:
12
LD_PRELOAD="/home/$USER/preeny/x86_64-linux-gnu/defork.so" ./myFavoriteForkingBinary
13
14
#AFL usage:
15
AFL_PRELOAD="/home/$USER/preeny/x86_64-linux-gnu/desock.so" afl-fuzz -i i/ -o o/ -m 200 ./myFavoriteSocketBinary
Copied!
Useful environment variables for AFL
1
#This disables fork server which stops before main() and issues forked processes from there
2
AFL_NO_FORKSRV=1
3
#Send your LD_PRELOAD stuff only to the binary. This way you don't mess with AFL's fork server
4
AFL_PRELOAD="/home/$USER/preeny/x86_64-linux-gnu/defork.so"
Copied!