afl-fuzz first try (part 1)

0x00 Setting up the test environment

1. docker
2. docker image
We use the docker test environment the workshop author has already built for us.

step1: pull the docker image

    ➜  Desktop docker pull mykter/afl-training
    Using default tag: latest
    latest: Pulling from mykter/afl-training
    .....
    Status: Downloaded newer image for mykter/afl-training:latest

step2: start the container from the image

➜  binder docker images
REPOSITORY            TAG                 IMAGE ID            CREATED             SIZE
mykter/afl-training   latest              1c50ec5b1735        2 weeks ago         1.38GB

➜  binder docker run --privileged -p 22000:22 -e PASSMETHOD=env -e PASS=yourpassword mykter/afl-training
Password set from environment variable
Spawning SSHd

step3: ssh into the container

    ➜  Desktop ssh fuzzer@localhost -p 22000

0x01 quickstart

Set up the LLVM environment first.

Then cd into afl-2.52b and build AFL (the llvm_mode target builds afl-clang-fast, the instrumenting compiler used below):


make
make -C llvm_mode
sudo make install

Compile the vulnerable program with AFL's instrumenting compiler. AFL_HARDEN=1 makes the wrapper add -fstack-protector-all and -D_FORTIFY_SOURCE=2, which is why one of the crashes below shows up as an abort (sig:06) rather than a segfault:

$ cd quickstart
$ CC=afl-clang-fast AFL_HARDEN=1 make

Look at the program's basic behaviour:

fuzzer@f48686888e7a:~/workshop/quickstart$ ./vulnerable

Usage: ./vulnerable
Text utility - accepts commands and data on stdin and prints results to stdout.
	Input             | Output
	------------------+-----------------------
	u <N> <string>    | Uppercased version of the first <N> bytes of <string>.
	head <N> <string> | The first <N> bytes of <string>.
fuzzer@f48686888e7a:~/workshop/quickstart$ ./vulnerable < inputs/u
CAPSme
fuzzer@f48686888e7a:~/workshop/quickstart$ cat inputs/u
u 4 capsme

0x02 Start fuzzing

quickstart contains a demo program with three kinds of bugs in it.

fuzzer@f48686888e7a:~/workshop/quickstart$ afl-fuzz -i inputs -o out ./vulnerable

Go to the crashes directory and inspect the crashing inputs:

The first crash input is head 111111111hee:

fuzzer@55a3030afc22:~/workshop/quickstart$ cat /home/fuzzer/workshop/quickstart/out/crashes/id:000001,sig:11,src:000009,op:ext_AO,pos:0
head 111111111hee

Debug it with gdb (with a breakpoint on process), using display to watch a few variables:

(gdb) r </home/fuzzer/workshop/quickstart/out/crashes/id:000001,sig:11,src:000009,op:ext_AO,pos:0
Starting program: /home/fuzzer/workshop/quickstart/vulnerable </home/fuzzer/workshop/quickstart/out/crashes/id:000001,sig:11,src:000009,op:ext_AO,pos:0

Breakpoint 1, process (input=0x7fffffffe3e0 "head 111111111hee\n") at vulnerable.c:13
13		if (strncmp(input, "u ", 2) == 0)
(gdb) n
38		else if (strncmp(input, "head ", 5) == 0)
(gdb)
40			if (strlen(input) > 6)
(gdb)
42				len = strtol(input + 4, &rest, 10);
(gdb) display rest
1: rest = 0x603120 <__afl_area_initial> ""
(gdb) display len
2: len = 0
(gdb) n
43				rest += 1;		  // skip the first char (should be a space)
1: rest = 0x7fffffffe3ee "hee\n"
2: len = 111111111
(gdb) n
44				rest[len] = '\0'; // truncate string at specified offset
1: rest = 0x7fffffffe3ef "ee\n"
2: len = 111111111
(gdb) n

Program received signal SIGSEGV, Segmentation fault.
0x000000000040115c in process (input=0x7fffffffe3e0 "head 111111111hee\n") at vulnerable.c:44
44				rest[len] = '\0'; // truncate string at specified offset
1: rest = 0x7fffffffe3ef "ee\n"
2: len = 111111111

The crash site is rest[len] = '\0';. The signal is SIGSEGV because rest[len] here is rest[111111111] = '\0': a write roughly 111 MB past rest, to an address the process has no mapping for.

What about the input head 1hee? There rest points at hee\n (the trailing \n is the end of rest), so len = 1 still lands inside the buffer and the write is merely wrong, not fatal. Whenever len is larger than the remaining length of rest, rest[len] = '\0' writes outside the data: a small overshoot silently corrupts the stack, a large one such as 111111111 hits unmapped memory and segfaults.

Crash id:000002,sig:06,src:000009+000001,op:splice,rep:16 is the same bug: after head 99 the rest of the line is only a newline, so len is well past the end of rest. This time the write lands just past the stack buffer rather than 100 MB away, so it is the hardening from AFL_HARDEN=1 that catches the corruption and aborts the process (sig:06 is SIGABRT):

fuzzer@55a3030afc22:~/workshop/quickstart$ cat /home/fuzzer/workshop/quickstart/out/crashes/id:000002,sig:06,src:000009+000001,op:splice,rep:16
head 99

u -111

Analysis of the second crash:

cat /home/fuzzer/workshop/quickstart/out/crashes/id:000000,sig:11,src:000008,op:arith8,pos:6,val:+13
u     -11\n

rest[i] reaches an address the process cannot read. len parsed as -11, and a negative length does not stop the copy loop at line 31, so i keeps growing while rest[i] is read upward through the stack; at i = 3094 it crosses into the first unmapped page above the stack:
0x7ffffffff000 - 0x7fffffffe3ea = 3094

Program received signal SIGSEGV, Segmentation fault.
0x0000000000400f9d in process (input=0x7fffffffe3e0 "u     -11\\n\n") at vulnerable.c:31
31				out[i] = rest[i] - 32; // only handles ASCII
1: input = 0x7fffffffe3e0 "u     -11\\n\n"
2: rest = 0x7fffffffe3ea "n\n"
3: len = -11
4: out = 0x614260 "N\352", '\340' <repeats 93 times>, "k\017@淀\032", '\340' <repeats 16 times>, "\260\371 \340\340\340\340\340w;\200\327\337_\340\340\341\340\340\340\340\340\340\340(\305\337\337\337_\340\340\340`\340\340\341\340\340\340p\363 ", '\340' <repeats 13 times>, "\277\375\064\220\237\031\070h\360\354 \340\340\340\340\340 \305\337\337\337_\340\340\340", <incomplete sequence \340>...
5: i = 3094
6: rest[i] = <error: Cannot access memory at address 0x7ffffffff000>
7: out[i] = 0 '\000'
(gdb)
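Both crashes above have one root cause: N is taken straight from strtol and used as an index without checking its sign or how many bytes actually follow it. The following is an added example, not the workshop's vulnerable.c: a hardened handler for the same u/head protocol that rejects each input AFL found. The function names process_hardened, parse_len and run_command and the INPUTSIZE constant are this example's own assumptions.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define INPUTSIZE 100   /* assumption: a fixed-size stdin buffer like the workshop's */

/* Parse "<N> <string>" starting at p. N is accepted only if it is a
 * non-negative decimal number, followed by exactly one space, and no larger
 * than the bytes that remain after that space. On success stores N in *len,
 * the string start in *rest, and returns 0; returns -1 otherwise. */
static int parse_len(const char *p, long *len, const char **rest)
{
    char *end;
    errno = 0;
    long n = strtol(p, &end, 10);
    if (end == p || errno == ERANGE)  /* no digits at all, or out of range */
        return -1;
    if (n < 0)                        /* "u -11": a negative N is an error, not a loop bound */
        return -1;
    if (*end != ' ')                  /* "head 111111111hee": N must be followed by a space */
        return -1;
    end++;                            /* skip the separator we just verified */
    if ((size_t)n > strlen(end))      /* N must fit inside the data that is actually there */
        return -1;
    *len = n;
    *rest = end;
    return 0;
}

/* Hardened equivalent of the workshop's process(): writes the result into
 * out (capacity outsz) and returns 0, or returns 1 and leaves out empty
 * when the command is malformed. */
int process_hardened(const char *input, char *out, size_t outsz)
{
    long len;
    const char *rest;

    out[0] = '\0';
    if (strncmp(input, "u ", 2) == 0) {
        if (parse_len(input + 2, &len, &rest) != 0)
            return 1;
        size_t total = strlen(rest);
        if (total + 1 > outsz)        /* the whole string is echoed, so it must fit */
            return 1;
        for (size_t i = 0; i < total; i++) {
            char c = rest[i];
            /* uppercase only the first len bytes, and only ASCII a-z */
            out[i] = ((long)i < len && c >= 'a' && c <= 'z') ? (char)(c - 32) : c;
        }
        out[total] = '\0';
        return 0;
    }
    if (strncmp(input, "head ", 5) == 0) {
        if (parse_len(input + 5, &len, &rest) != 0)
            return 1;
        if ((size_t)len + 1 > outsz)
            return 1;
        memcpy(out, rest, (size_t)len); /* bounded copy instead of rest[len] = '\0' */
        out[len] = '\0';
        return 0;
    }
    return 1;                         /* anything else, "surprise!" included, is rejected */
}

/* Run one command into a static buffer; returns the result, or NULL if rejected. */
const char *run_command(const char *input)
{
    static char out[INPUTSIZE];
    return process_hardened(input, out, sizeof out) == 0 ? out : NULL;
}

int main(void)
{
    char input[INPUTSIZE] = {0};
    if (fgets(input, sizeof input, stdin) == NULL)
        return 1;
    input[strcspn(input, "\n")] = '\0';   /* drop the trailing newline before parsing */
    const char *res = run_command(input);
    if (res == NULL) {
        fprintf(stderr, "rejected: %s\n", input);
        return 1;
    }
    printf("%s\n", res);
    return 0;
}
```

Compiled the same way (CC=afl-clang-fast AFL_HARDEN=1) and fed the crash files above on stdin, each one is reported as rejected instead of crashing, while u 4 capsme and head 4 capsme still give CAPSme and caps. The important design choice is that the length check is made against strlen of the data after the separator, not against the size of the input buffer, so a short line can never authorise a write past its own end.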

The third crash is the easter egg: typing surprise! on stdin segfaults immediately:

fuzzer@55a3030afc22:~/workshop/quickstart$ ./vulnerable
surprise!
Segmentation fault

0x03 Challenges

3.1 Fuzzing some real vulnerabilities, starting with the Cyber Grand Challenge binary CROMU_00007:

fuzzer@55a3030afc22:~/workshop/challenges/cyber-grand-challenge/CROMU_00007

Compile it with AFL instrumentation and start fuzzing:

CC=afl-clang-fast AFL_HARDEN=1 make
afl-fuzz -i input -o output ./CROMU_00007

3.2 Fuzzing jasper
JasPer is a free, open-source implementation of the JPEG-2000 codec.

Preparation:
git clone https://github.com/mdadams/jasper.git
sudo apt-get -y install cmake # install the cmake dependency

Build commands. Point CC and CXX at AFL's compiler wrappers before running cmake, otherwise the binary is built without instrumentation; afl-clang-fast/afl-clang-fast++ from llvm_mode above work the same way and are faster:

export CC=afl-clang
export CXX=afl-clang++
mkdir BUILD &&
cd    BUILD &&
cmake -DCMAKE_INSTALL_PREFIX=/usr    \
      -DCMAKE_BUILD_TYPE=Release     \
      -DCMAKE_SKIP_INSTALL_RPATH=YES \
      -DJAS_ENABLE_DOC=NO            \
      -DCMAKE_INSTALL_DOCDIR=/usr/share/doc/jasper-2.0.14 \
      ..  &&
make

Still inside BUILD, install it (the prefix is /usr, so this needs root):

sudo make install

Start fuzzing. afl-fuzz refuses to start with an empty input directory, so put a few small seed images into inFuzz first; @@ is replaced by the path of each test case, because jasper reads its input from a file rather than from stdin:
mkdir inFuzz outFuzz
afl-fuzz -i inFuzz -o outFuzz jasper --input @@ --output test.bmp --output-format bmp

Once crashes come out, rerun each one under valgrind and read the report against the source to decide whether it is a real bug:

valgrind -v --tool=memcheck --leak-check=full jasper --input id:000035,sig:06,src:002011,op:havoc,rep:2 --output test.bmp --output-format bmp

AFL training parts 1~8: https://blog.csdn.net/qq_36711003/category_10146244.html

3.x Kernel fuzzing, still to try:
https://blog.cloudflare.com/a-gentle-introduction-to-linux-kernel-fuzzing/
https://github.com/cloudflare/cloudflare-blog/tree/master/2019-07-kernel-fuzzing


References:

How to fuzz arbitrary functions in an ELF file with libFuzzer
https://stfpeak.github.io/2017/06/12/AFL-Cautions/
https://paper.seebug.org/842/ AFL vulnerability hunting (2): analysing fuzz results and code coverage
https://github.com/Battelle/afl-unicorn afl-unicorn lets you fuzz any piece of binary that can be emulated by Unicorn Engine.

[Fuzzing] Fuzzing DNS zone parsers - Cambus.net:
https://www.cambus.net/fuzzing-dns-zone-parsers/
Using AFL to fuzz statzone DNS zone parsers - Jett

https://github.com/rk700/uniFuzzer
A fuzzing tool for closed-source binaries based on Unicorn and LibFuzzer
