DDIF Day2 RunBook 22 April

Deep Dive into Fuzzing - Day 2 (Run book) - BruCON
Local System Information (OVA)

Sr.No  Custom OS          Username  Password
1      Ubuntu 20.04 LTS   fuzzing   fuzzing!
2      Windows 10 x64     fuzzing   fuzzing@

Server System Information

Sr.No  Custom OS          IP Address  Username  Password
1      Ubuntu 20.04 LTS   <>          fuzzing   <>

Note: The above server will be valid till 30th April only.

The above is a dedicated server for you, with basic hardening applied to the SSH service. You are requested to change the password for the username `fuzzing`; `root` login over SSH is currently not permitted.

Download the local copy of the OS from here:

https://drive.google.com/file/d/1V_uOY0Pl0aSvR7_SQNVatLlpDMy2guzI/view?usp=sharing

Download the local copy of the OS from here (Windows):

https://drive.google.com/file/d/1mQ5XnO1pmSJNH8r13d88vm6cQ_T9zSEB/view?usp=sharing

(The link will expire on 22nd April)


Day #2 Installation

Prerequisites

1. DynamoRIO: https://github.com/DynamoRIO/dynamorio/wiki/Downloads
2. Git Client: https://git-scm.com/download/win
3. WinAFL Git: https://github.com/googleprojectzero/winafl
4. Visual Studio 2019: https://visualstudio.microsoft.com/downloads/
5. WinDbg: https://developer.microsoft.com/en-us/windows/downloads/windows-10-sdk/
6. x64dbg: http://snapshots.x64dbg.com/
7. Ghidra: https://ghidra-sre.org/ghidra_9.1.2_PUBLIC_20200212.zip
8. IDA: https://www.hex-rays.com/products/ida/support/download_freeware/
9. Dragondance Plugin for Ghidra: https://github.com/0ffffffffh/dragondance/
10. Java JRE: https://www.oracle.com/java/technologies/javase-jre8-downloads.html
11. Java JDK: https://www.oracle.com/java/technologies/javase-jdk15-downloads.html
12. Firefox: https://www.mozilla.org/en-US/firefox/new/
13. Sublime Text Editor: https://www.sublimetext.com/3
14. WinRAR: https://www.win-rar.com/download.html?L=5
Installing WinAFL

$ cd C:\ && mkdir fuzzing
$ cd fuzzing && git clone https://github.com/googleprojectzero/winafl
$ cd winafl
$ git submodule update --init --recursive
$ mkdir build32 && mkdir build64
(run the following from inside build64, in an x64 Developer Tools prompt; the `..` points cmake at the winafl source tree)
$ cmake -G"Visual Studio 16 2019" -A x64 .. -DDynamoRIO_DIR=C:\fuzzing\DynamoRIO\cmake -DUSE_COLOR=1 -DUSE_DRSYMS=1
$ cmake --build . --config Release

Installing AFL QEMU

$ cd qemu_mode
$ ./build_qemu_support.sh

Network Fuzzing

$ git clone https://github.com/zardus/preeny.git
$ cd preeny/
# if you get an ini-config missing dependency error
$ sudo apt install libini-config-dev -y
# if you get a seccomp missing dependency error
$ sudo apt install libseccomp-dev -y
$ make
Day #2 Exercises

AFL Persistence (Problem statement 1)

cd ~/persis/
cat bof.c

Add a while statement just below `char buffer[20];`:

while (__AFL_LOOP(10000)) {
….
printf("You entered: %s\n", buffer);
}
}

Close the loop just after the printf() statement.

NOTE: To make this work, the library and this shim need to be compiled in LLVM mode using afl-clang-fast or afl-clang (other compiler wrappers will *not* work).

AFL Persistence (Problem statement 2)

cd ~/persis/
cat poc.c

Add a while statement just below `char buffer[100];`:

while (__AFL_LOOP(10000)) {
….
}

Close it just after the `return 0;` statement.

Compile both programs above with afl-clang or afl-clang-fast and fuzz them; you will be able to see the difference in execution speed.

AFL Deferred (Problem statement 1)

cd ~/persis/
cat poc.c

Add the deferred-initialization block after `char buffer[100];`:

#ifdef __AFL_HAVE_MANUAL_CONTROL
__AFL_INIT();
#endif
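As an added example (not the course's own bof.c or poc.c), a complete harness that combines the two edits above: deferred init before the loop, persistent mode around the per-input work, and fallback macro definitions so the same file still builds and runs once with a plain cc. The handle_input function and its bounded copy are the example's own.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* afl-clang-fast / afl-cc define these in LLVM mode. With a plain compiler
 * we fall back to a single pass so the harness is still an ordinary program. */
#ifndef __AFL_LOOP
static int afl_fallback_iter = 1;
#define __AFL_LOOP(n) (afl_fallback_iter-- > 0)
#endif
#ifndef __AFL_INIT
#define __AFL_INIT() do { } while (0)
#endif

/* The per-iteration work, kept in its own function. It must not carry state
 * from one run to the next, otherwise input N can taint the result for N+1.
 * Returns the number of bytes accepted (bounded copy, so no overflow here). */
size_t handle_input(const char *data, size_t len) {
    char buffer[100];                       /* same buffer the runbook anchors on */
    size_t n = len < sizeof buffer - 1 ? len : sizeof buffer - 1;
    memcpy(buffer, data, n);
    buffer[n] = '\0';
    printf("You entered: %s\n", buffer);
    return n;
}

int main(void) {
    char raw[200];

    /* Deferred init: everything above this point (config loading, argv parsing)
     * runs once; afl-fuzz forks the target from here instead of from _start. */
#ifdef __AFL_HAVE_MANUAL_CONTROL
    __AFL_INIT();
#endif

    /* Persistent mode: up to 10000 inputs handled by one process before AFL
     * forks a fresh copy; each iteration re-reads stdin, which afl-fuzz rewinds. */
    while (__AFL_LOOP(10000)) {
        ssize_t got = read(STDIN_FILENO, raw, sizeof raw);
        if (got <= 0)
            continue;
        handle_input(raw, (size_t)got);
    }
    return 0;
}
```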
Fuzzing OpenSSL

$ git clone https://github.com/openssl/openssl.git
$ CC=afl-cc CXX=afl-c++ ./config no-shared
$ make -j4
$ cd apps/
$ mkdir in; mkdir out
$ cd in; wget https://github.com/RootUp/PersonalStuff/raw/master/GoDaddyRootCertificateAuthority-G2.crt
$ afl-fuzz -m none -i in -o out -D -- ./openssl x509 -in @@ -out /dev/null.pem

AFL QEMU

Fuzzing readelf

$ cd ~/qemu
$ mkdir in; mkdir out
$ ./readelf
(to verify)
$ cp ~/corpus/ps in/
$ afl-fuzz -i in/ -o out/ -Q -m none ./readelf -h @@

Fuzzing busybox unzip

$ cd ~/qemu
$ wget https://busybox.net/downloads/busybox-1.32.0.tar.bz2
$ tar xvf busybox-1.32.0.tar.bz2
$ cd busybox-1.32.0
$ make menuconfig
(select save to an alternative configuration file, then save the configuration)
$ make -j4
$ mkdir in; mkdir out
(Create test.zip by compressing test.txt containing AAAA)
$ ./busybox unzip -q -n in/test.zip
(to verify usage)
$ afl-fuzz -i in -o out -Q -D -c 0 -m none -x ~/AFLplusplus-3.12c/dictionaries/zip.dict ./busybox unzip -n -q @@
(add with a specific corpus, if required)
AFL QEMU Persistent

Fuzzing a binary

$ cd ~/qemu
$ ./sof
$ sudo apt install devscripts
$ hardening-check ./sof
(PIE detected)
$ AFL_QEMU_DEBUG_MAPS=1 afl-qemu-trace ./sof
(prints the memory map, including the base address at which QEMU loaded the PIE binary)
$ nm sof | grep "main"
(gives the unrelocated address of main; add it to the QEMU load base from the previous step to get the address exported below)
$ export AFL_QEMU_PERSISTENT_ADDR=0x4000001189
$ mkdir in1; mkdir out1
$ echo "AAAAA" > in1/test
$ printenv | grep "AFL"

A few additional variables:

$ export AFL_SKIP_CPUFREQ=1
$ export AFL_QEMU_PERSISTENT_GPR=1

$ afl-fuzz -i in1/ -o out1/ -Q -m none -D -- ./sof

$ cat out1/default/crashes/*id* | ./sof
AFL QEMU - ARM

Enabling QEMU for ARM:

$ cd ~/AFLplusplus/qemu_mode/
$ export CPU_TARGET=arm
$ ./build_qemu_support.sh
(notice - building for CPU target arm)
$ cd ..
$ sudo make install

Fuzzing a binary

$ cd ~/arm
$ mkdir in; mkdir out
(Create test.zip by compressing test.txt containing AAAA in the in/ folder)
$ chmod +x busybox-armv7l unzip
$ afl-fuzz -i in/ -o out/ -Q -m none -D -- ./busybox-armv7l unzip -q -n @@
Network Fuzzing

Fuzzing wget

$ wget https://ftp.gnu.org/gnu/wget/wget-1.19.1.tar.gz
$ tar zxvf wget-1.19.1.tar.gz
$ cd wget-1.19.1
$ sudo apt-get update && sudo apt install libgnutls28-dev libseccomp-dev libini-config-dev
$ CC=afl-cc CXX=afl-c++ ./configure --prefix=/home/zubin/
$ AFL_USE_ASAN=1 make
$ cd src
$ (echo "It Works!") | LD_PRELOAD="/home/fuzzing/preeny/x86_64-linux-gnu/desock.so" ./wget localhost:6666 -q -O result
(preeny's desock.so redirects the socket to stdin/stdout, so the piped text is what wget "receives" from the server; the same trick lets afl-fuzz feed test cases through stdin below)
$ mkdir in; mkdir out
$ cd in;
$ echo "AAAAABB1234" > test
$ cd ..
$ AFL_PRELOAD="/home/fuzzing/preeny/x86_64-linux-gnu/desock.so" afl-fuzz -i in/ -o out/ -D -m none ./wget localhost:6666 -q -O result

Or

$ AFL_PRELOAD="/home/fuzzing/preeny/x86_64-linux-gnu/desock.so" afl-fuzz -i in/ -o out/ -D -m none ./wget localhost:6666 -t 1 -q -O /dev/null
WinAFL Fuzzing Example (test)

Target from C:\fuzzing\winafl\bin64 (test.exe)

Debug Mode

$ copy test.exe C:\fuzzing\DynamoRIO\bin64
$ copy test.pdb C:\fuzzing\DynamoRIO\bin64
$ copy C:\fuzzing\winafl\build64\bin\Release\winafl.dll C:\fuzzing\DynamoRIO\bin64

From directory C:\fuzzing\DynamoRIO\bin64

$ drrun.exe -c winafl.dll -debug -target_module test.exe -coverage_module test.exe -target_offset 0x1610 -nargs 2 -fuzz_iterations 10 -- test.exe test.txt

Fuzzing using WinAFL

Copy test.exe, test.pdb & inputs to C:\fuzzing\winafl\build64\bin\Release

From directory C:\fuzzing\winafl\build64\bin\Release

- Create in-test & out-test folders.

Using target offset

$ afl-fuzz.exe -i in-test/ -o out-test/ -t 20000+ -D C:\fuzzing\DynamoRIO\bin64 -- -target_module test.exe -coverage_module test.exe -target_offset 0x1610 -fuzz_iterations 1000 -nargs 3 -- test.exe @@

Using symbols

$ afl-fuzz.exe -i in-test/ -o out-test/ -t 20000+ -D C:\fuzzing\DynamoRIO\bin64 -- -coverage_module test.exe -target_module test.exe -target_method main -fuzz_iterations 1000 -nargs 2 -call_convention thiscall -covtype edge -- test.exe @@

$ afl-fuzz.exe -i in-test/ -o out-test/ -t 20000+ -D C:\fuzzing\DynamoRIO\bin64 -- -coverage_module test.exe -target_module test.exe -target_method test_target -fuzz_iterations 1000 -nargs 2 -call_convention thiscall -covtype bb -- test.exe @@
WinAFL Fuzzing Imgread

Copy the inp directory, imgread.exe and imgread.pdb from the Desktop to the WinAFL build64 directory as well as the bin64 folder inside DynamoRIO.

Debug Mode

From directory C:\fuzzing\DynamoRIO\bin64

$ drrun.exe -c winafl.dll -debug -target_module imgread.exe -coverage_module imgread.exe -target_offset 0x70e0 -nargs 2 -fuzz_iterations 10 -- imgread.exe index.jpg

$ drrun.exe -c winafl.dll -debug -target_module imgread.exe -coverage_module imgread.exe -target_offset 0x6ee0 -nargs 2 -fuzz_iterations 10 -- imgread.exe index.jpg

Fuzzing using WinAFL

Copy the target executable along with its inputs to the directory C:\fuzzing\winafl\build64\bin\Release

- Create inp-img & out-img folders.

$ afl-fuzz.exe -i inp -o out -t 5000+ -D C:\fuzzing\DynamoRIO\bin64 -- -target_module imgread.exe -coverage_module imgread.exe -target_offset 0x70e0 -nargs 2 -fuzz_iterations 1000 -- imgread.exe @@

$ afl-fuzz.exe -i inp -o out -t 20000+ -D C:\fuzzing\DynamoRIO\bin64 -- -target_module imgread.exe -coverage_module imgread.exe -target_offset 0x70e0 -nargs 2 -fuzz_iterations 1000 -covtype edge -call_convention fastcall -- imgread.exe @@

$ afl-fuzz.exe -i inp -o out -t 20000+ -D C:\fuzzing\DynamoRIO\bin64 -- -target_module imgread.exe -coverage_module imgread.exe -target_offset 0x6ee0 -nargs 2 -fuzz_iterations 1000 -covtype edge -call_convention fastcall -- imgread.exe @@

$ afl-fuzz.exe -i inp -o out -t 20000+ -D C:\fuzzing\DynamoRIO\bin64 -- -target_module imgread.exe -coverage_module imgread.exe -target_method main -nargs 2 -fuzz_iterations 1000 -covtype edge -call_convention fastcall -- imgread.exe @@

$ afl-fuzz.exe -i inp -o out -t 20000+ -D C:\fuzzing\DynamoRIO\bin64 -- -target_module imgread.exe -coverage_module imgread.exe -target_method ProcessImage -nargs 2 -fuzz_iterations 1000 -covtype edge -call_convention fastcall -- imgread.exe @@
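As an added example (not the course's test.exe or imgread.exe, whose sources are not shown), a target function written the way WinAFL loops one in-process, standing in for both the test_target method in the test.exe section and ProcessImage above: it opens the file path it is given, parses it, closes the file and returns normally, keeping no state between iterations. The IMG1 header format and parse_image are constructed for the example; with one argument this function would be driven with -target_method test_target -nargs 1 and a -call_convention matching how it was built.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the image parser: 4-byte magic "IMG1", then
 * little-endian u16 width and height, then width*height bytes of pixels.
 * Returns 1 for a well-formed file, 0 otherwise; never reads past len. */
int parse_image(const unsigned char *buf, size_t len) {
    if (len < 8 || memcmp(buf, "IMG1", 4) != 0)
        return 0;
    unsigned w = buf[4] | (buf[5] << 8);
    unsigned h = buf[6] | (buf[7] << 8);
    return (w != 0 && h != 0 && len - 8 >= (size_t)w * h) ? 1 : 0;
}

/* The function WinAFL iterates: open, read, close, return. Each iteration
 * must release everything it acquired, otherwise handles and heap leak across
 * the -fuzz_iterations runs and the next open of the test case can fail.
 * Returns 1 (valid), 0 (invalid) or -1 (could not read the file). */
int test_target(const char *path) {
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    fseek(f, 0, SEEK_END);
    long sz = ftell(f);
    rewind(f);
    if (sz < 0 || sz > 1 << 20) { fclose(f); return -1; }   /* bound the read */
    unsigned char *buf = malloc((size_t)sz + 1);
    if (!buf) { fclose(f); return -1; }
    size_t got = fread(buf, 1, (size_t)sz, f);
    fclose(f);                       /* close before returning to the fuzz loop */
    int ok = parse_image(buf, got);
    free(buf);                       /* no state survives into the next iteration */
    return ok;
}

int main(int argc, char **argv) {
    if (argc != 2) { fprintf(stderr, "usage: %s <file>\n", argv[0]); return 2; }
    return test_target(argv[1]) == 1 ? 0 : 1;
}
```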
Code Coverage

Move imgread.exe and inputs to DynamoRIO\bin64

$ drrun.exe -t drcov -- imgread.exe objects.jpg
$ drrun.exe -t drcov -- imgread.exe index.jpg

Miscellaneous

Main and secondary instances:

afl-fuzz -M main -m none -i in -o out -- ./binary @@
afl-fuzz -S secondary -m none -i in -o out -- ./binary @@

Enable a power schedule for secondary jobs:

afl-fuzz -S secondary -p exploit -m none -i in -o out -- ./binary @@

Parallel fuzzing

seq 2 | parallel afl-fuzz -m none -d -S {} -i in -o out -- ./wav_info @@

Fuzzing on RAMDISK

$ sudo mkdir /mnt/ramdisk
$ sudo chown fuzzing:fuzzing /mnt/ramdisk
$ sudo mount -t tmpfs -o size=256M tmpfs /mnt/ramdisk
$ df -h | tail -n1
$ mkdir /mnt/ramdisk/inputs /mnt/ramdisk/outputs
