I have been trying to use American Fuzzy Lop, but I cannot get it to work with a simple example like this one:
#include <stdio.h>
#include <string.h>

int main(int argc, char *argv[]) {
    char name[10];

    if (argc > 1) {
        /* Unbounded copy of argv[1] into a 10-byte buffer: this is the
         * overflow the fuzzing target is meant to expose. */
        strcpy(name, argv[1]);
        printf("HELLO %s\n", name);
    }
    return 0;
}
I compile one version of this code with regular gcc and another with afl-clang. I then put the gcc version in the input folder and invoke the fuzzer like this:
afl-fuzz -i input/ -o output/ -m 2G ./a.out @@
But it does not work.
[*] Attempting dry run with 'id:000000,orig:a.out'...
[*] Spinning up the fork server...
[-] Whoops, the target binary crashed suddenly, before receiving any input
from the fuzzer! There are several probable explanations:
- The current memory limit (2.00 GB) is too restrictive, causing the
target to hit an OOM condition in the dynamic linker. Try bumping up
the limit with the -m setting in the command line. A simple way confirm
this diagnosis would be:
( ulimit -Sv $[2047 << 10]; /path/to/fuzzed_app )
Tip: you can use http://jwilk.net/software/recidivm to quickly
estimate the required amount of virtual memory for the binary.
- The binary is just buggy and explodes entirely on its own. If so, you
need to fix the underlying problem or find a better replacement.
- Less likely, there is a horrible bug in the fuzzer. If other options
fail, poke <lcamtuf@coredump.cx> for troubleshooting tips.
[-] PROGRAM ABORT : Fork server crashed with signal 6
Location : init_forkserver(), afl-fuzz.c:2056
What exactly am I doing wrong?
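For reference, here is an added example (not the asker's program) of how a target is usually shaped for afl-fuzz's @@ mode: afl-fuzz substitutes @@ with the path of the current test case, so the target has to open and read that file itself, and the input directory is expected to hold sample test-case files rather than a compiled binary. The greet() helper and the 4096-byte read buffer are assumptions of this example; it bounds the copy so that the harness itself does not abort on every input longer than nine bytes.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 10      /* same buffer size as the asker's target */

/* Copy the first line of `input` into `name`, keeping at most
 * name_sz - 1 bytes and always NUL-terminating. Returns the number
 * of bytes kept. This is the bounded counterpart of strcpy(name, argv[1]). */
size_t greet(const char *input, char *name, size_t name_sz) {
    size_t i = 0;

    if (name_sz == 0)
        return 0;
    while (i < name_sz - 1 && input[i] != '\0' && input[i] != '\n') {
        name[i] = input[i];
        i++;
    }
    name[i] = '\0';
    return i;
}

/* afl-fuzz -i input/ -o output/ ./a.out @@
 * argv[1] is the path to the test case written by the fuzzer. */
int main(int argc, char *argv[]) {
    char buf[4096];              /* assumed read buffer size */
    char name[NAME_MAX];
    FILE *f;
    size_t n;

    if (argc < 2)
        return 1;                /* no test-case path supplied */
    f = fopen(argv[1], "rb");
    if (f == NULL)
        return 1;
    n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';

    greet(buf, name, sizeof name);
    printf("HELLO %s\n", name);
    return 0;
}
```

A seed file such as `echo Bob > input/seed.txt` is enough for the dry run; the fuzzer then mutates that file and passes its path through @@.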