AFL++ Frida-Mode: Usecases for testing and debugging

Fuzzing

When explicitly specifying both the library to preload via AFL_PRELOAD= (/usr/local/lib/afl/afl-frida-trace.so) and the harness JavaScript file to load (afl.js):

AFL_PRELOAD=/usr/local/lib/afl/afl-frida-trace.so AFL_FRIDA_JS_SCRIPT=afl.js afl-fuzz -D -O -i in -o out -t 10000+ -- ./build/test ./build/dummy

Since afl-frida-trace.so is on the search path, and AFL++ Frida Mode by default loads afl.js from the same directory as the binary, the above can be shortened to:

afl-fuzz -D -O -i in -o out -t 10000+ -- ./build/test ./build/dummy

(Note: in persistent mode a dummy input is sometimes used as the input file, so that the initial run does not fail because out/default/.cur_input cannot be found.)

To have the forkserver's child process print its output for debugging:

AFL_CHILD_DEBUG=1 afl-fuzz -O -D -i in -o out -- ./build/testinstr @@

GDB Debugging

The commands are as follows:

Example 1: with AFL_DEBUG_CHILD enabled

gdb \
--ex 'set environment LD_PRELOAD=/usr/local/lib/afl/afl-frida-trace.so' \
--ex 'set environment AFL_FRIDA_JS_SCRIPT=afl.js' \
--ex 'set environment AFL_DEBUG_CHILD=1' \
--ex 'set disassembly-flavor intel' \
--args ./build/testinstr ./build/in/in

Example 2: without AFL_DEBUG_CHILD

gdb \
--ex 'set environment LD_PRELOAD=/usr/local/lib/afl/afl-frida-trace.so' \
--ex 'set environment AFL_FRIDA_JS_SCRIPT=afl.js' \
--ex 'set disassembly-flavor intel' \
--args ./build/testinstr ./build/in/in

Scripting

A simple harness JS script that is convenient for debugging:

Afl.print("----------------------------------------");
Afl.print("| 4x7 = 28 |");
Afl.print("----------------------------------------");

Afl.print("pid: " + Process.id);

// The first enumerated module is the main executable (./build/testinstr)
const module = Process.enumerateModules()[0];
Afl.print(`Name: ${module.name}`);

// Dump the memory map so addresses seen in crashes or logs can be attributed to a module
new ModuleMap().values().forEach(m => {
  Afl.print(`${m.base}-${m.base.add(m.size)} ${m.name}`);
});

// Address of testinstr. The symbol lookups need an unstripped binary (DebugSymbol)
// or an exported symbol (findExportByName); otherwise fall back to a fixed offset
// from the module base, which is specific to this build.
// const testinstr_addr = Module.findExportByName(null, "testinstr");
// const testinstr_addr = DebugSymbol.fromName("testinstr").address;
Afl.print("Module.base: " + module.base);
const testinstr_addr = module.base.add(0x8ca);
Afl.print("testinstr_addr: " + testinstr_addr);

// fuzz() replaces the program's entry point. It ignores its own arguments and
// feeds the shared-memory test case (__afl_fuzz_ptr / __afl_fuzz_len) straight
// to testinstr, NUL-terminating it first so string-based targets are safe
// (this assumes the shared buffer has room for one byte past the test case).
const cm = new CModule(`
  extern unsigned char * __afl_fuzz_ptr;
  extern unsigned int * __afl_fuzz_len;
  extern void testinstr(char *buf, int len);
  void fuzz(char *buf, int len) {
    __afl_fuzz_ptr[*__afl_fuzz_len] = 0;
    testinstr(__afl_fuzz_ptr, *__afl_fuzz_len);
  }
`, {
  testinstr: testinstr_addr,
  __afl_fuzz_ptr: Afl.getAflFuzzPtr(),
  __afl_fuzz_len: Afl.getAflFuzzLen()
});

Afl.setEntryPoint(cm.fuzz);          // start execution at fuzz() instead of main()
Afl.setPersistentAddress(cm.fuzz);   // run the persistent loop around fuzz()
Afl.setInMemoryFuzzing();            // take test cases from shared memory, not a file
Afl.setJsMainHook(cm.fuzz);          // replace main() with fuzz()
Afl.print("done");
Afl.done();
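As a reference for what the harness above calls into, here is a constructed target of the shape testinstr(char *buf, int len) (an added example, not AFL++'s test/testinstr.c and not the author's build). The build flags in its header comment are assumptions; with them the commented-out DebugSymbol.fromName / Module.findExportByName lookups resolve, so the hard-coded 0x8ca offset is unnecessary.

```c
/* Constructed stand-in for the ./build/testinstr target hooked by the afl.js
 * harness above (not AFL++'s own test/testinstr.c, not the author's build).
 * Assumed build line:
 *   gcc -g -O0 -fno-inline -rdynamic -o build/testinstr testinstr.c
 * -g keeps debug symbols so DebugSymbol.fromName("testinstr") resolves;
 * -rdynamic exports testinstr so Module.findExportByName finds it.
 * Either lookup removes the need for a build-specific offset such as 0x8ca. */
#include <stdio.h>
#include <stdlib.h>

#define MAX_INPUT 4096

/* Called by the CModule harness as testinstr(__afl_fuzz_ptr, *__afl_fuzz_len).
 * Length-bounded: never reads past len, so it does not rely on the NUL byte
 * the harness writes at buf[len]. Returns a classification code so the
 * behaviour can be checked without AFL. Must not be static or inlined. */
int testinstr(char *buf, int len) {
  if (buf == NULL || len <= 0) return -1;   /* empty test case */
  if (buf[0] == '0') return 0;              /* leading zero */
  if (buf[0] == '1') return 1;              /* leading one */
  for (int i = 0; i < len; i++) {           /* all digits? */
    if (buf[i] < '0' || buf[i] > '9') return 3;
  }
  return 2;
}

/* Stand-alone driver for the @@ / file-input mode shown on this page. With
 * in-memory fuzzing main() is bypassed: Afl.setJsMainHook(cm.fuzz) replaces it. */
int main(int argc, char **argv) {
  if (argc < 2) {
    fprintf(stderr, "usage: %s <input-file>\n", argv[0]);
    return 1;
  }
  FILE *f = fopen(argv[1], "rb");
  if (f == NULL) { perror("fopen"); return 1; }
  char *buf = malloc(MAX_INPUT + 1);        /* +1: spare byte for a NUL, like the harness */
  if (buf == NULL) { fclose(f); return 1; }
  size_t n = fread(buf, 1, MAX_INPUT, f);
  fclose(f);
  buf[n] = '\0';
  printf("testinstr(%zu bytes) -> %d\n", n, testinstr(buf, (int)n));
  free(buf);
  return 0;
}
```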