git clone --depth 1 https://github.com/AFLplusplus/AFLplusplus
cd AFLplusplus
make
Build Summary:
[+] afl-fuzz and supporting tools successfully built
[+] LLVM basic mode successfully built
[-] LLVM mode could not be build, please install at least llvm-11 and clang-11 or newer, see docs/INSTALL.md
[-] LLVM LTO mode could not be build, it is optional, if you want it, please install LLVM 11-14. More information at instrumentation/README.lto.md on how to build it
[-] gcc_mode could not be built, it is optional, install gcc-VERSION-plugin-dev to enable this
cd qemu_mode
./build_qemu_support.sh
ERROR: glib-2.48 gthread-2.0 is required to compile QEMU
sudo apt-get install -y build-essential python3-dev automake cmake git flex bison libglib2.0-dev libpixman-1-dev python3-setuptools cargo libgtk-3-dev
建议使用以下设置来使用 QEMU 模式:
使用 CMPLOG 运行 1 个 afl-fuzz -Q 实例 (-c 0 + AFL_COMPCOV_LEVEL=2)
使用 QASAN 运行 1 个 afl-fuzz -Q 实例 (AFL_USE_QASAN=1)
运行 1 个带有 LAF ( + ) 的 afl-fuzz -Q 实例,或者您可以使用 FRIDA 模式,只需切换并删除 LAF 实例AFL_PRELOAD=libcmpcov.soAFL_COMPCOV_LEVEL=2-Q-O
然后运行尽可能多的实例,只要你有-Q模式的内核,或者 - 甚至更好 - 使用二进制重写器,如Dyninst,RetroWrite,ZAFL等。二进制重写器都有自己的优点和警告。ZAFL是最好的,但不能在商业/商业环境中使用。
如果二进制重写器适用于您的目标,那么您可以正常使用afl-fuzz,并且它的速度将是QEMU模式的两倍(但比QEMU持久模式慢)。
QEMU模式的速度下降约为50%。但是,存在各种选项来提高速度:
使用AFL_ENTRYPOINT将 forkserver 条目移动到二进制文件中较后的基本块(+5-10% 速度)
使用持久模式qemu_mode/README.persistent.md,这将导致整体速度提高150-300% - 因此是原始QEMU模式速度的3-8倍!
使用AFL_CODE_START/AFL_CODE_END仅检测特定部件
有关其他说明和注意事项,请参阅qemu_mode/README.md。如果可能,应使用持久模式,请参阅qemu_mode/README.persistent.md。该模式比编译时检测慢约 2-5 倍,并且不太有利于并行化。
请注意,还有洪格夫兹:https://github.com/google/honggfuzz 现在具有QEMU模式,但其性能仅为1.5%…
如果您喜欢在不做太多工作的情况下编写自定义模糊器,我们强烈建议您查看我们的姊妹项目libafl,它也支持QEMU:https://github.com/AFLplusplus/LibAFL
Non-AFL++ solutions
There are many binary-only fuzzing frameworks. Some are great for CTFs but don’t work with large binaries, others are very slow but have good path discovery, some are very hard to set-up…
Jackalope: https://github.com/googleprojectzero/Jackalope
Manticore: https://github.com/trailofbits/manticore
QSYM: https://github.com/sslab-gatech/qsym
S2E: https://github.com/S2E
TinyInst: https://github.com/googleprojectzero/TinyInst (Mac/Windows only)
… please send me any missing that are good
脚本
#! /bin/sh
# file1 is the target executable file(e.g. vuln),file2 is the dictionnary file(e.g. webp.dict)
cores=$1
file_dir=$2
#total=`ls $file_dir | wc -l`
files=$(ls $file_dir)
for filename in $files
do
if [ ! -d $filename ];then
mkdir $filename
else
rm -rf $filename
mkdir $filename
cd $filename
echo "cd $filename"
for k in `seq 1 1 $cores`
do
mkdir $k
cd $k
echo "cd $k"
cp /home/yan/blackbox/pdf/targets/$filename ./
if [ ! -d in -a -d out ];then
mkdir in out
else
rm -rf in out
mkdir in out
fi
cp '/home/yan/blackbox/pdf/seeds_cmin/veraPDF test suite 6-6-2-1-t01-fail-a.pdf' ./in/
#/home/yan/fuzz/AFLplusplus/afl-fuzz -Q -D -i ./in/ -o out -- ./$filename @@
screen -dmS $filename$k /home/yan/fuzz/AFLplusplus/afl-fuzz -Q -D -i ./in/ -o out -- ./$filename @@
#gnome-terminal -- /home/yan/fuzz/AFLplusplus/afl-fuzz -Q -D -i ./in/ -o out -- ./$filename @@
echo "test done"
cd ..
done
cd ..
fi
done
结束脚本
#!/bin/bash
file_dir=$1
namelist=(1 2 3 4 5)
files=$(ls $file_dir)
for filename in $files
do
for((i=0;i<5;i++))do
name=${namelist[i]}
screenName=$filename$name
echo kill screen $screenName
screen -r $screenName -X quit
done
done
779
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
