使用brew/apt方式安装的afl没有afl-qemu-trace(不支持使用QEMU模式),所以我们需要下载afl的源码自己编译。
0x1 安装配置
编译完成后,需要配置qemu环境。不过,afl提供了一个脚本,在
qemu-mode
文件夹下的build_qemu_support.sh
。运行这个脚本来配置qemu环境,但qemu-mode只支持linux,macOS可以在docker上使用,docker使用参考macOS上使用kali-linux for docker:$ ./build_qemu_support.sh
=================================================
AFL binary-only instrumentation QEMU build script
=================================================
[*] Performing basic sanity checks...
[-] Error: QEMU instrumentation is supported only on Linux.
编译成功信息如下:
[+] Build process successful!
[*] Copying binary...
-rwxr-xr-x 1 root root 10956864 Dec 13 12:26 ../afl-qemu-trace
[+] Successfully created '../afl-qemu-trace'.
[*] Testing the build...
[+] Instrumentation tests passed.
[+] All set, you can now use the -Q mode in afl-fuzz!
遇到的坑
- 运行后会提示libtool等资源库没有安装,使用
sudo apt install
安装即可:$ ./build_qemu_support.sh ================================================= AFL binary-only instrumentation QEMU build script ================================================= [*] Performing basic sanity checks... [-] Error: 'libtool' not found, please install first. $ apt-get install libtool-bin
- 安装一些软件包时,有时会出现找不到glib2的错误:
查看$ apt install glib2 Reading package lists... Done Building dependency tree Reading state information... Done E: Unable to locate package glib2
build_qemu_support.sh
相关代码,需要在/usr/include/glib-2.0/
或者/usr/local/include/glib-2.0/
有相关库:
可通过安装以下工具来解决:if [ ! -d "/usr/include/glib-2.0/" -a ! -d "/usr/local/include/glib-2.0/" ]; then echo "[-] Error: devel version of 'glib2' not found, please install first." exit 1
sudo apt-get install libgtk2.0-dev
- qemu编译错误:
afl默认qemu版本太老,官方已经patch:util/memfd.c:40:12: error: static declaration of 'memfd_create' follows non-static declaration static int memfd_create(const char *name, unsigned int flags) ^~~~~~~~~~~~ In file included from /usr/include/x86_64-linux-gnu/bits/mman-linux.h:115, from /usr/include/x86_64-linux-gnu/bits/mman.h:45, from /usr/include/x86_64-linux-gnu/sys/mman.h:41, from /root/afl-2.52b/qemu_mode/qemu-2.10.0/include/sysemu/os-posix.h:29, from /root/afl-2.52b/qemu_mode/qemu-2.10.0/include/qemu/osdep.h:104, from util/memfd.c:28:
./configure:
./util/memfd.c:@@ -3923,7 +3923,7 @@ fi # check if memfd is supported memfd=no cat > $TMPC << EOF -#include <sys/memfd.h> +#include <sys/mman.h>
修改完成后使用如下指令重打包,再修改@@ -31,9 +31,7 @@ #include "qemu/memfd.h" -#ifdef CONFIG_MEMFD -#include <sys/memfd.h> -#elif defined CONFIG_LINUX +#if defined CONFIG_LINUX && !defined CONFIG_MEMFD
build_qemu_support.sh
里的QEMU_SHA384
重新编译即可,SHA384
值可以使用sha384sum
获取:$ tar -Jcf qemu-2.10.0.tar.xz qemu-2.10.0/ $ sha384sum qemu-2.10.0.tar.xz
更换qemu版本
如果想使用更新版本qemu,可以直接将
build_qemu_support.sh
设置的版本换成官方的较新版本,但更换版本后问题较多:#VERSION="2.10.0"
VERSION="2.12.1"
#QEMU_SHA384="68216c935487bc8c0596ac309e1e3ee75c2c4ce898aab796faa321db5740609ced365fedda025678d0"
QEMU_SHA384="92957551a3a21b1ed48dc70d9dd91905859a5565ec98492ed709a3b64daf7c5a0265d670030ee7e6d16da96436795435"
- patch错误:
patch针对的是上层路径的文件更新,可以直接注释掉patching file linux-user/elfload.c Hunk #2 succeeded at 2233 (offset 146 lines). Hunk #3 succeeded at 2268 (offset 146 lines). patching file accel/tcg/cpu-exec.c Hunk #1 succeeded at 37 (offset 1 line). Hunk #2 succeeded at 147 with fuzz 2 (offset 1 line). Hunk #3 FAILED at 369. 1 out of 3 hunks FAILED -- saving rejects to file accel/tcg/cpu-exec.c.rej
#patch -p1 <../patches/cpu-exec.diff || exit 1
- 缺少pixman,安装即可
apt-get install libpixman*
- LINK错误:
上层patch中对源码文件做了修改,导致部分外部变量没有导入,注释掉相关patch即可:LINK x86_64-linux-user/qemu-x86_64 linux-user/syscall.o: In function `do_syscall': /root/afl-2.52b/qemu_mode/qemu-2.12.0/linux-user/syscall.c:11983: undefined reference to `afl_forksrv_pid' linux-user/elfload.o: In function `load_elf_image': /root/afl-2.52b/qemu_mode/qemu-2.12.0/linux-user/elfload.c:2236: undefined reference to `afl_entry_point' /root/afl-2.52b/qemu_mode/qemu-2.12.0/linux-user/elfload.c:2236: undefined reference to `afl_entry_point' /root/afl-2.52b/qemu_mode/qemu-2.12.0/linux-user/elfload.c:2271: undefined reference to `afl_start_code' /root/afl-2.52b/qemu_mode/qemu-2.12.0/linux-user/elfload.c:2271: undefined reference to `afl_start_code' /root/afl-2.52b/qemu_mode/qemu-2.12.0/linux-user/elfload.c:2275: undefined reference to `afl_end_code' /root/afl-2.52b/qemu_mode/qemu-2.12.0/linux-user/elfload.c:2275: undefined reference to `afl_end_code' /root/afl-2.52b/qemu_mode/qemu-2.12.0/linux-user/elfload.c:2236: undefined reference to `afl_entry_point' /root/afl-2.52b/qemu_mode/qemu-2.12.0/linux-user/elfload.c:2236: undefined reference to `afl_entry_point' /root/afl-2.52b/qemu_mode/qemu-2.12.0/linux-user/elfload.c:2271: undefined reference to `afl_start_code' /root/afl-2.52b/qemu_mode/qemu-2.12.0/linux-user/elfload.c:2271: undefined reference to `afl_start_code' /root/afl-2.52b/qemu_mode/qemu-2.12.0/linux-user/elfload.c:2275: undefined reference to `afl_end_code' /root/afl-2.52b/qemu_mode/qemu-2.12.0/linux-user/elfload.c:2275: undefined reference to `afl_end_code' collect2: error: ld returned 1 exit status Makefile:193: recipe for target 'qemu-x86_64' failed make[1]: *** [qemu-x86_64] Error 1 Makefile:478: recipe for target 'subdir-x86_64-linux-user' failed make: *** [subdir-x86_64-linux-user] Error 2
# patch -p1 <../patches/elfload.diff || exit 1 # patch -p1 <../patches/syscall.diff || exit 1
afl-qemu-trace
测试失败
应该是用64位[+] Successfully created '../afl-qemu-trace'. [*] Testing the build... [-] Error: afl-qemu-trace instrumentation doesn't seem to work!
afl-qemu-trace
工具测试32位程序引起的,忽略即可,或者通过如下指令指定32位架构:
结果如下,实际也是忽略了测试:$ CPU_TARGET=i386 ./build_qemu_support.sh
[+] Successfully created '../afl-qemu-trace'. [!] Note: can't test instrumentation when CPU_TARGET set. [+] All set, you can now (hopefully) use the -Q mode in afl-fuzz!
0x2 使用afl-qemu fuzz
0x21 同cpu架构程序
以系统中
wget
指令为例,使用如下指令执行fuzz,-Q
参数表示使用qemu模式;-m
参数设置使用内存大小,不设置则默认200MB:$ afl-fuzz -i fuzz_in -o fuzz_out -m 200 -Q wget @@
0x22 不同cpu架构程序
0x221 获取目标文件
Android adbd程序为例,获取adbd文件:
$ file /system/bin/adbd
/system/bin/adbd: ELF executable, 64-bit LSB arm64, static, for Android 28, BuildID=2ef781f7497eaad0b8ba145996afd9a1, not stripped
$ adb pull /system/bin/adbd ./
0x222 编译目标架构qemu模式
如果fuzz的程序与qemu架构不同,则可能出现如下错误,需要用之前方式指定正确架构进行编译qemu模式:
$ afl-fuzz -i fuzz_in -o fuzz_out/ -Q ./adbd @@
...
[-] Hmm, looks like the target binary terminated before we could complete a
handshake with the injected code. There are two probable explanations:
- The current memory limit (200 MB) is too restrictive, causing an OOM
fault in the dynamic linker. This can be fixed with the -m option. A
simple way to confirm the diagnosis may be:
( ulimit -Sv $[199 << 10]; /path/to/fuzzed_app )
Tip: you can use http://jwilk.net/software/recidivm to quickly
estimate the required amount of virtual memory for the binary.
- Less likely, there is a horrible bug in the fuzzer. If other options
fail, poke <lcamtuf@coredump.cx> for troubleshooting tips.
[-] PROGRAM ABORT : Fork server handshake failed
Location : init_forkserver(), afl-fuzz.c:2253
编译arm64版本工具,qemu支持的架构类型见
./qemu-2.10.0/linux-user/host/
目录,其中arm为32位arm,aarch64为64位arm:$ ls ./qemu-2.10.0/linux-user/host/
aarch64 arm i386 ia64 mips ppc ppc64 s390 s390x sparc sparc64 x32 x86_64
以64位arm为例,编译指令如下:
$ CPU_TARGET=aarch64 ./build_qemu_support.sh
编译aarch64版本后,继续执行fuzz:
$ ../afl-2.52b/afl-fuzz -i fuzz_in/ -o fuzz_out/ -Q ./adbd
依然错误:
[-] PROGRAM ABORT : Test case 'id:000000,orig:testcase' results in a crash
Location : perform_dry_run(), afl-fuzz.c:2852
0x223 qemu user mode检查
由于可执行文件的架构不一样,所以需要按照QEMU user mode仿真做一下检查,运行成功后再进行fuzz,详情参考:IoT(七)通过qemu调试IoT固件和程序里的用户模式调试程序。
在该文中,adbd程序由于缺少外部资源依然执行失败(如需对有外部资源依赖的程序进行fuzz,可在该平台编译对应版本的fuzz工具),故重新选取能够执行成功的静态编译工具,如Android上的三方工具busybox:
$ file busybox
busybox: ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, stripped
$ qemu-aarch64 busybox
BusyBox v1.25.0-NetHunter (2016-03-19 19:36:31 EDT) multi-call binary.
BusyBox is copyrighted by many authors between 1998-2015.
Licensed under GPLv2. See source distribution for detailed
copyright notices.
Usage: busybox [function [arguments]...]
or: busybox --list[-full]
or: busybox --install [-s] [DIR]
or: function [arguments]...
....
此处可成功对busybox进行fuzz:
../afl-2.52b/afl-fuzz -i fuzz_in/ -o fuzz_out/ -Q ./busybox @@