# 2. Compiling and installing

The project recommends pulling the ready-made Docker image, but because of network problems this walkthrough compiles and installs AFL++ from source on a Linux virtual machine.

```shell
git clone https://github.com/AFLplusplus/AFLplusplus # clone the project
sudo apt-get install -y build-essential python3-dev automake cmake git flex bison libglib2.0-dev libpixman-1-dev python3-setuptools cargo libgtk-3-dev # install the build dependencies
cd AFLplusplus
make distrib
sudo make install
```

This dependency list contains no LLVM/clang packages. `make distrib` does not require them, but the LLVM-based compilers (afl-clang-fast, afl-clang-lto) are only built when a matching `llvm-config` is found, so install your distribution's llvm/clang packages first if you want the recommended instrumentation rather than only the legacy afl-gcc path.

Once the install finishes, run the afl-fuzz command to check that it was installed successfully.

![1](1.png)
# 3. Running the example

### (1) Source code of the target program

A stack buffer overflow case. The code is below; the program crashes when the input is abcd.

```c
//test.c
#include <stdio.h>
// (the remainder of test.c, including main(), is not reproduced on this page)
```
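Because the body of test.c is not reproduced on the page, here is an added example (not the page's program and not AFL++ code) of a target with the behaviour the page describes: a fixed-size stack buffer that overflows once the input starts with `abcd`. The 16-byte buffer size, the byte-by-byte magic check, and the function names `has_magic`, `parse_vulnerable` and `parse_hardened` are this example's own assumptions. Build it with `afl-cc -o test target.c` (or with `AFL_USE_ASAN=1` exported first) and fuzz it exactly as in the next section.

```c
/* Added example: a stand-in fuzz target with the behaviour described on the
 * page. It is not the page's test.c; the buffer size, the magic check and
 * the hardened variant are assumptions made for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAGIC     "abcd"
#define MAGIC_LEN 4
#define BUF_SZ    16

/* Byte-by-byte magic check. Each matched byte reaches a new branch, so the
 * edge-coverage feedback from afl-cc instrumentation guides the fuzzer from
 * a seed like "abc" to "abcd" one byte at a time. A single memcmp() would be
 * opaque to plain edge coverage (AFL++'s CMPLOG mode exists to see through
 * such library comparisons). */
int has_magic(const uint8_t *data, size_t len)
{
    if (len < MAGIC_LEN) return 0;
    for (size_t i = 0; i < MAGIC_LEN; i++) {
        if (data[i] != (uint8_t)MAGIC[i]) return 0;
    }
    return 1;
}

/* Vulnerable parser: after the magic matches, the whole input is copied into
 * a 16-byte stack buffer with no length check, so inputs of 16 bytes or more
 * overflow it. On a distribution that enables _FORTIFY_SOURCE the oversized
 * memcpy() is caught by glibc and the process aborts with
 * "*** buffer overflow detected ***" (SIGABRT, AFL's sig:06); built with
 * AFL_USE_ASAN=1, AddressSanitizer reports the exact out-of-bounds write. */
int parse_vulnerable(const uint8_t *data, size_t len)
{
    char buf[BUF_SZ];
    if (!has_magic(data, len)) return 0;
    memcpy(buf, data, len);      /* BUG: len is never compared with BUF_SZ */
    buf[len] = '\0';
    return (int)strlen(buf);
}

/* Hardened parser: identical logic with an explicit bound. Oversized input
 * is rejected with -1 instead of being copied. */
int parse_hardened(const uint8_t *data, size_t len)
{
    char buf[BUF_SZ];
    if (!has_magic(data, len)) return 0;
    if (len >= BUF_SZ) return -1;
    memcpy(buf, data, len);
    buf[len] = '\0';
    return (int)strlen(buf);
}

/* Reads the test case from stdin, which is how afl-fuzz delivers it when the
 * command line has no @@ placeholder (as in the afl-fuzz call on this page). */
int main(void)
{
    uint8_t in[4096];
    size_t n = fread(in, 1, sizeof in, stdin);
    int r = parse_vulnerable(in, n);
    printf("parsed %d bytes\n", r);
    return 0;
}
```

The seed `abc` used on the page is three bytes short of the magic plus one newline; the byte-wise check is why a havoc mutation that appends a `d` is rewarded with new coverage and the fuzzer then quickly grows the input past the 16-byte limit.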
### (2) Fuzzing and the preparation for it

Two things have to happen before fuzzing: **compile the source with instrumentation** and **create a seed corpus**.

1. Compile with instrumentation: **use the instrumenting compiler that ships with afl++**, afl-gcc. In AFL++ afl-gcc is the legacy afl-as based wrapper (a symlink to afl-cc); when LLVM is installed, afl-cc via afl-clang-fast or afl-clang-lto gives better instrumentation. Exporting `AFL_USE_ASAN=1` at compile time adds AddressSanitizer, which reports the out-of-bounds access itself instead of relying on glibc's fortify abort.

![2](2.png)

2. Prepare the corpus: the seed files are the raw material the fuzzer mutates. At least one seed is required or afl-fuzz will refuse to start, and the better the seeds, the faster bugs are found.

```shell
➜ afl mkdir -p input
➜ afl echo "abc" >> ./input/seed1
```
3. Start fuzzing: pass the seed directory, the output directory and the target binary, and the session starts.

```shell
➜ afl afl-fuzz -i input/ -o output/ ./test
afl-fuzz++4.22a based on afl by Michal Zalewski and a large online community
len = 4, map size = 5, exec speed = 157 us, hash = ad4e684fcf34ff0e
[+] All test cases processed.
[+] Here are some useful stats:

    Test case count : 1 favored, 0 variable, 0 ignored, 1 total
       Bitmap range : 5 to 5 bits (average: 5.00 bits)
        Exec timing : 157 to 157 us (average: 157 us)

[*] No -t option specified, so I'll use an exec timeout of 20 ms.
[+] All set and ready to roll!

american fuzzy lop ++4.22a {default} (./test) [explore]
┌─ process timing ────────────────────────────────────┬─ overall results ────┐
│ run time : 0 days, 0 hrs, 0 min, 1 sec │ cycles done : 15 │
│py/custom/rq : unused, unused, unused, unused ├───────────────────────┘
│ trim/eff : n/a, 25.00% │ [cpu000: 12%]
└─ strategy: explore ────────── state: started :-) ──┘^C

+++ Testing aborted by user +++
[*] Writing output//default/fastresume.bin ...
[+] Written fastresume.bin with 295308 bytes!
[+] We're done here. Have a nice day!
```
4. `afl-fuzz`: the core AFL++ tool that runs the fuzzing session. It feeds automatically generated inputs to the target program to expose crashes and potential security bugs.

5. `-i input/`: the directory of initial seed files from which AFL++ starts. Every test case the fuzzer produces is a mutation of these seeds.

6. `-o output/`: the directory AFL++ writes its results to: the crashing and hanging inputs it finds, the queue of interesting test cases, and run statistics. Because the command line has no `@@` placeholder, afl-fuzz delivers each test case on the target's standard input, so this form only works for a target that reads stdin.
### (3) Verifying the vulnerability

Inputs that crash the target are saved in the `crashes` directory under the output directory. Looking at the saved case shows it matches what the source analysis predicted, and replaying it crashes the program, which completes the example.

```shell
➜ afl cat output/default/crashes/id:000000,sig:06,src:000000,time:101,execs:789,op:havoc,rep:2
abcdcccccccccccccccccccccccc
```

Replaying that file against the instrumented binary reproduces the abort:

```shell
*** buffer overflow detected ***: terminated
[1] 1456167 IOT instruction ./test
```

Two details in that output are worth reading correctly. `sig:06` in the file name is the signal number, SIGABRT, which zsh reports as "IOT instruction". The process aborted itself because glibc's `_FORTIFY_SOURCE` check on the copy into the fixed-size buffer fired (that is where the `*** buffer overflow detected ***` message comes from); it was not killed by a memory fault (SIGSEGV). A fortify abort only triggers when the compiler knows the destination size, so an AddressSanitizer build (`AFL_USE_ASAN=1` exported at compile time) is the better basis for triage: it catches the write regardless and prints the faulting address and a stack trace.
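The crash file name itself carries the triage metadata (id, signal, source seed, elapsed time, execution count, mutation operator). As an added example that is not part of AFL++, here is a small helper that decodes such a name and maps the signal to its name. The field set is taken from the name shown on this page; the `time` field is assumed to be milliseconds since the run started, and the splice form `src:000000+000001` is handled by reading only the first source id.

```c
/* Added example: decode the metadata AFL++ encodes in a crash file name such
 *   id:000000,sig:06,src:000000,time:101,execs:789,op:havoc,rep:2
 * This is not AFL++ code; field meanings are taken from the name on the page. */
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct afl_crash {
    unsigned long id, sig, src, time_ms, execs, rep;
    char op[32];
};

/* Signal number -> name for the signals afl-fuzz commonly records. */
const char *afl_sig_name(unsigned long sig)
{
    switch (sig) {
    case SIGABRT: return "SIGABRT";   /* 6: abort(), e.g. glibc fortify or ASan */
    case SIGSEGV: return "SIGSEGV";   /* 11: invalid memory access */
    case SIGBUS:  return "SIGBUS";
    case SIGILL:  return "SIGILL";
    case SIGFPE:  return "SIGFPE";
    default:      return "UNKNOWN";
    }
}

/* Parses "key:value,key:value,..." from the base name of `path`.
 * Returns 0 on success, -1 if the mandatory id/sig fields are missing or malformed.
 * Unknown keys (e.g. "pos") are ignored; "src:A+B" yields A. */
int parse_crash_name(const char *path, struct afl_crash *out)
{
    const char *base = strrchr(path, '/');
    base = base ? base + 1 : path;

    memset(out, 0, sizeof *out);
    int have_id = 0, have_sig = 0;

    char buf[256];
    if (strlen(base) >= sizeof buf) return -1;
    strcpy(buf, base);

    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ",")) {
        char *colon = strchr(tok, ':');
        if (!colon) return -1;
        *colon = '\0';
        const char *key = tok, *val = colon + 1;
        char *end;
        unsigned long num = strtoul(val, &end, 10);   /* stops at '+' for splices */

        if (strcmp(key, "id") == 0)         { if (end == val) return -1; out->id = num;  have_id = 1; }
        else if (strcmp(key, "sig") == 0)   { if (end == val) return -1; out->sig = num; have_sig = 1; }
        else if (strcmp(key, "src") == 0)   out->src = num;
        else if (strcmp(key, "time") == 0)  out->time_ms = num;
        else if (strcmp(key, "execs") == 0) out->execs = num;
        else if (strcmp(key, "rep") == 0)   out->rep = num;
        else if (strcmp(key, "op") == 0)    strncpy(out->op, val, sizeof out->op - 1);
    }
    return (have_id && have_sig) ? 0 : -1;
}

int main(int argc, char **argv)
{
    /* Constructed sample input: the crash file name shown on this page. */
    const char *name = argc > 1 ? argv[1]
        : "output/default/crashes/id:000000,sig:06,src:000000,time:101,execs:789,op:havoc,rep:2";
    struct afl_crash c;
    if (parse_crash_name(name, &c) != 0) {
        fprintf(stderr, "not an AFL crash file name: %s\n", name);
        return 1;
    }
    printf("id=%lu signal=%lu (%s) src=%lu time=%lums execs=%lu op=%s rep=%lu\n",
           c.id, c.sig, afl_sig_name(c.sig), c.src, c.time_ms, c.execs, c.op, c.rep);
    return 0;
}
```

Run it as `./triage output/default/crashes/id:000000,sig:06,...` over each file in `crashes/`; grouping by signal and by `src` seed is a quick first pass at telling genuinely different bugs apart before replaying each case under an ASan build.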