-rw-r--r-- | frida_mode/test/osx-lib/GNUmakefile | 58 | ||||
-rw-r--r-- | frida_mode/test/osx-lib/harness2.c | 43 | ||||
-rw-r--r-- | frida_mode/test/osx-lib/harness3.c | 40 | ||||
-rw-r--r-- | frida_mode/test/osx-lib/lib2.c | 61 |
4 files changed, 193 insertions, 9 deletions
diff --git a/frida_mode/test/osx-lib/GNUmakefile b/frida_mode/test/osx-lib/GNUmakefile index fb99fd6a..8ff379e0 100644 --- a/frida_mode/test/osx-lib/GNUmakefile +++ b/frida_mode/test/osx-lib/GNUmakefile @@ -11,9 +11,15 @@ HARNESS_SRC:=$(PWD)harness.c HARNESS2_BIN:=$(BUILD_DIR)harness2 HARNESS2_SRC:=$(PWD)harness2.c +HARNESS3_BIN:=$(BUILD_DIR)harness3 +HARNESS3_SRC:=$(PWD)harness3.c + LIB_BIN:=$(BUILD_DIR)libcrashme.dylib LIB_SRC:=$(PWD)lib.c +LIB2_BIN:=$(BUILD_DIR)libcrashme2.dylib +LIB2_SRC:=$(PWD)lib2.c + QEMU_OUT:=$(BUILD_DIR)qemu-out FRIDA_OUT:=$(BUILD_DIR)frida-out @@ -22,8 +28,10 @@ LIB_CFLAGS:=-dynamiclib GET_SYMBOL_ADDR:=$(ROOT)frida_mode/util/get_symbol_addr.sh AFL_FRIDA_MAIN_ADDR=$(shell $(GET_SYMBOL_ADDR) $(HARNESS_BIN) main 0x0) +AFL_FRIDA_MAIN_ADDR2=$(shell $(GET_SYMBOL_ADDR) $(HARNESS2_BIN) main 0x0) AFL_FRIDA_FUZZ_ADDR=$(shell $(GET_SYMBOL_ADDR) $(HARNESS_BIN) LLVMFuzzerTestOneInput 0x0) AFL_FRIDA_FUZZ_ADDR2=$(shell $(GET_SYMBOL_ADDR) $(HARNESS2_BIN) LLVMFuzzerTestOneInput 0x0) +AFL_FRIDA_FUZZ_ADDR3=$(shell $(GET_SYMBOL_ADDR) $(HARNESS3_BIN) LLVMFuzzerTestOneInput 0x0) AFLPP_FRIDA_DRIVER_HOOK_OBJ=$(ROOT)frida_mode/build/frida_hook.so @@ -52,12 +60,20 @@ $(HARNESS_BIN): $(HARNESS_SRC) | $(BUILD_DIR) $(LIB_BIN): $(LIB_SRC) | $(BUILD_DIR) $(CC) $(CFLAGS) $(LDFLAGS) $(LIB_CFLAGS) -o $@ $< +$(LIB2_BIN): $(LIB2_SRC) | $(BUILD_DIR) + $(CC) $(CFLAGS) $(LDFLAGS) $(LIB_CFLAGS) -o $@ $< + $(HARNESS2_BIN): $(HARNESS2_SRC) $(LIB_BIN) | $(BUILD_DIR) + $(CC) $(CFLAGS) $(LDFLAGS) $(HARNESS_LDFLAGS) -o $@ $< + +$(HARNESS3_BIN): $(HARNESS3_SRC) $(LIB_BIN) | $(BUILD_DIR) $(CC) $(CFLAGS) $(LDFLAGS) $(HARNESS_LDFLAGS) -L$(BUILD_DIR) -lcrashme -o $@ $< clean: rm -rf $(BUILD_DIR) +LIBASAN?=/usr/local/opt/llvm/lib/clang/10.0.1/lib/darwin/libclang_rt.asan_osx_dynamic.dylib + .ONESHELL: frida_persistent: $(HARNESS_BIN) $(LIB_BIN) $(TESTINSTR_DATA_FILE) cd $(BUILD_DIR) && \ 
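Review bot: `AFL_FRIDA_MAIN_ADDR2` and `AFL_FRIDA_FUZZ_ADDR3` wrap `$(shell $(GET_SYMBOL_ADDR) ...)` in a recursive `=` assignment, which usually reads as the "re-runs the command on every expansion" mistake, but here it appears to be load-bearing: with `:=` the script would run at parse time, before `$(HARNESS2_BIN)`/`$(HARNESS3_BIN)` exist, whereas `=` defers the lookup until the recipe that references the variable runs. That deserves a comment so nobody "fixes" it, e.g. `# Recursive (=) on purpose: resolved when the recipe runs, after the harness binaries have been built.`. The script's output is also used unchecked — I cannot see get_symbol_addr.sh, so if it prints nothing or an error string on a missing symbol, the env var is silently set to that; an `$(if $(strip $(AFL_FRIDA_FUZZ_ADDR3)),,$(error symbol not found))` at the point of use would make that a visible failure.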
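Review bot: `$(HARNESS2_BIN)` still lists `$(LIB_BIN)` (libcrashme.dylib) as its prerequisite, but harness2 no longer links it — the `-L$(BUILD_DIR) -lcrashme` line now belongs to the harness3 rule — and, judging from harness2.c in this same commit, it dlopens `./libcrashme2.dylib` at runtime, so the dependency it actually has is `$(LIB2_BIN)`: `$(HARNESS2_BIN): $(HARNESS2_SRC) $(LIB2_BIN) | $(BUILD_DIR)`. As written, `make harness2` builds a binary that aborts in its constructor because libcrashme2.dylib was never built. `LIBASAN?=` hard-codes a Homebrew LLVM 10.0.1 path that goes stale on the next upgrade; deriving it from the compiler, e.g. `LIBASAN?=$(shell $(CC) -print-resource-dir)/lib/darwin/libclang_rt.asan_osx_dynamic.dylib`, tracks whatever toolchain is installed (confirm the clang in use supports that flag). Either way, the recipes that preload it should fail fast when the file is absent instead of letting afl-fuzz report an opaque startup error.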
@@ -75,6 +91,25 @@ frida_persistent: $(HARNESS_BIN) $(LIB_BIN) $(TESTINSTR_DATA_FILE) $(HARNESS_BIN) $(TEST_FILE) .ONESHELL: +frida_persistent_asan: $(HARNESS2_BIN) $(LIB2_BIN) $(TESTINSTR_DATA_FILE) + cd $(BUILD_DIR) && \ + AFL_PRELOAD=$(LIBASAN) \ + AFL_USE_FASAN=1 \ + AFL_INST_LIBS=1 \ + AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_MAIN_ADDR2) \ + AFL_FRIDA_PERSISTENT_CNT=1000000 \ + AFL_ENTRYPOINT=$(AFL_FRIDA_MAIN_ADDR2) \ + AFL_FRIDA_INST_RANGES=libcrashme2.dylib,harness2 \ + $(ROOT)afl-fuzz \ + -D \ + -O \ + -i $(TESTINSTR_DATA_DIR) \ + -o $(FRIDA_OUT) \ + -f $(TEST_FILE) \ + -- \ + $(HARNESS2_BIN) $(TEST_FILE) + +.ONESHELL: frida_persistent_hook: $(HARNESS_BIN) $(LIB_BIN) $(AFLPP_DRIVER_DUMMY_INPUT) $(TESTINSTR_DATA_FILE) cd $(BUILD_DIR) && \ AFL_INST_LIBS=1 \ @@ -92,14 +127,16 @@ frida_persistent_hook: $(HARNESS_BIN) $(LIB_BIN) $(AFLPP_DRIVER_DUMMY_INPUT) $(T $(HARNESS_BIN) $(AFLPP_DRIVER_DUMMY_INPUT) .ONESHELL: -frida_persistent_hook2: $(HARNESS2_BIN) $(LIB_BIN) $(AFLPP_DRIVER_DUMMY_INPUT) $(TESTINSTR_DATA_FILE) +frida_persistent_hook_asan: $(HARNESS2_BIN) $(LIB2_BIN) $(AFLPP_DRIVER_DUMMY_INPUT) $(TESTINSTR_DATA_FILE) cd $(BUILD_DIR) && \ + AFL_PRELOAD=$(LIBASAN) \ + AFL_USE_FASAN=1 \ AFL_INST_LIBS=1 \ AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_FUZZ_ADDR2) \ AFL_FRIDA_PERSISTENT_CNT=1000000 \ AFL_ENTRYPOINT=$(AFL_FRIDA_FUZZ_ADDR2) \ AFL_FRIDA_PERSISTENT_HOOK=$(AFLPP_FRIDA_DRIVER_HOOK_OBJ) \ - AFL_FRIDA_INST_RANGES=libcrashme.dylib,harness2 \ + AFL_FRIDA_INST_RANGES=libcrashme2.dylib,harness2 \ $(ROOT)afl-fuzz \ -D \ -O \ 
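Review bot: `AFL_PRELOAD=$(LIBASAN)` is passed straight through in `frida_persistent_asan`, so when the hard-coded default path is missing on the machine the failure shows up as an obscure dyld/afl-fuzz error rather than as a Makefile diagnostic. A guard chained ahead of the `cd`, `test -f "$(LIBASAN)" || { echo "LIBASAN not found: $(LIBASAN)" >&2; exit 1; } && \`, names the actual cause; since the recipe is one `&& \` chain under `.ONESHELL:` it has to be joined into that chain rather than placed on its own line. `frida_persistent_asan` is a command, not a file, and no `.PHONY` declaration is visible in these hunks — if the file has none elsewhere, a stray file by that name in the directory would make the target appear up to date.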
@@ -107,3 +144,20 @@ frida_persistent_hook2: $(HARNESS2_BIN) $(LIB_BIN) $(AFLPP_DRIVER_DUMMY_INPUT) $ -o $(FRIDA_OUT) \ -- \ $(HARNESS2_BIN) $(AFLPP_DRIVER_DUMMY_INPUT) + +.ONESHELL: +frida_persistent_hook3: $(HARNESS3_BIN) $(LIB_BIN) $(AFLPP_DRIVER_DUMMY_INPUT) $(TESTINSTR_DATA_FILE) + cd $(BUILD_DIR) && \ + AFL_INST_LIBS=1 \ + AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_FUZZ_ADDR3) \ + AFL_FRIDA_PERSISTENT_CNT=1000000 \ + AFL_ENTRYPOINT=$(AFL_FRIDA_FUZZ_ADDR3) \ + AFL_FRIDA_PERSISTENT_HOOK=$(AFLPP_FRIDA_DRIVER_HOOK_OBJ) \ + AFL_FRIDA_INST_RANGES=libcrashme.dylib,harness3 \ + $(ROOT)afl-fuzz \ + -D \ + -O \ + -i $(TESTINSTR_DATA_DIR) \ + -o $(FRIDA_OUT) \ + -- \ + $(HARNESS3_BIN) $(AFLPP_DRIVER_DUMMY_INPUT) diff --git a/frida_mode/test/osx-lib/harness2.c b/frida_mode/test/osx-lib/harness2.c index 83983c99..464614ee 100644 --- a/frida_mode/test/osx-lib/harness2.c +++ b/frida_mode/test/osx-lib/harness2.c @@ -5,15 +5,21 @@ #include <dlfcn.h> -extern void crashme(const uint8_t *Data, size_t Size); +//typedef for our exported target function. +typedef void (*CRASHME)(const uint8_t *Data, size_t Size); + +//globals +CRASHME fpn_crashme = NULL; + int LLVMFuzzerTestOneInput(const unsigned char* data, size_t size){ - crashme(data, size); + fpn_crashme(data, size); return 0; } -void run (int argc, const char * argv[]) +int main(int argc, const char * argv[]) { + for (int i = 1; i < argc; i++) { fprintf(stderr, "Running: %s\n", argv[i]); FILE *f = fopen(argv[i], "r"); 
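Review bot: The new `CRASHME` typedef uses `uint8_t`, but nothing this file includes above the hunk is `<stdint.h>` — harness3.c is a byte-for-byte copy of the old harness2.c (same blob 83983c99) and its include list is string/assert/stdio/stdlib/dlfcn, so `uint8_t` only resolves through whatever those headers pull in transitively on macOS; add `#include <stdint.h>` alongside the others (outside this hunk). The function-pointer global is externally visible for no reason; `static CRASHME fpn_crashme = NULL;` keeps it file-local. `LLVMFuzzerTestOneInput` now calls through the pointer unconditionally, which is only safe because the constructor (in a later hunk) exits when the symbol cannot be resolved — worth a one-line comment such as `// Set by constructor(); the process exits before main() if resolution fails.` so the missing NULL check is visibly deliberate.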
@@ -29,12 +35,35 @@ void run (int argc, const char * argv[]) free(buf); fprintf(stderr, "Done: %s: (%zd bytes)\n", argv[i], n_read); } + + return 0; } -int main(int argc, const char * argv[]) -{ +__attribute__((constructor())) +void constructor(void) { + // handles to required libs + void *dylib = NULL; - run(argc, argv); + dylib = dlopen("./libcrashme2.dylib", RTLD_NOW); + if (dylib == NULL) + { - return 0; + printf("[-] Failed to load lib\n"); + printf("[-] Dlerror: %s\n", dlerror()); + exit(1); + + } + + printf("[+] Resolve function\n"); + + fpn_crashme = (CRASHME)dlsym(dylib, "crashme"); + if (!fpn_crashme) + { + + printf("[-] Failed to find function\n"); + exit(1); + + } + + printf("[+] Found function.\n"); } diff --git a/frida_mode/test/osx-lib/harness3.c b/frida_mode/test/osx-lib/harness3.c new file mode 100644 index 00000000..83983c99 --- /dev/null +++ b/frida_mode/test/osx-lib/harness3.c @@ -0,0 +1,40 @@ +#include <string.h> +#include <assert.h> +#include <stdio.h> +#include <stdlib.h> +#include <dlfcn.h> + + +extern void crashme(const uint8_t *Data, size_t Size); + +int LLVMFuzzerTestOneInput(const unsigned char* data, size_t size){ + crashme(data, size); + return 0; +} + +void run (int argc, const char * argv[]) +{ + for (int i = 1; i < argc; i++) { + fprintf(stderr, "Running: %s\n", argv[i]); + FILE *f = fopen(argv[i], "r"); + assert(f); + fseek(f, 0, SEEK_END); + size_t len = ftell(f); + fseek(f, 0, SEEK_SET); + unsigned char *buf = (unsigned char*)malloc(len); + size_t n_read = fread(buf, 1, len, f); + fclose(f); + assert(n_read == len); + LLVMFuzzerTestOneInput(buf, len); + free(buf); + fprintf(stderr, "Done: %s: (%zd bytes)\n", argv[i], n_read); + } +} + +int main(int argc, const char * argv[]) +{ + + run(argc, argv); + + return 0; +} diff --git a/frida_mode/test/osx-lib/lib2.c b/frida_mode/test/osx-lib/lib2.c new file mode 100644 index 00000000..ba207210 --- /dev/null +++ b/frida_mode/test/osx-lib/lib2.c 
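Review bot: `dlopen("./libcrashme2.dylib", RTLD_NOW)` resolves against the process's current directory, so the harness only finds its library when launched from the build directory (the `cd $(BUILD_DIR)` in the Makefile is what makes it work) and whoever controls the cwd controls which dylib is loaded; record that in a comment, e.g. `// Resolved relative to cwd: must be run from BUILD_DIR (see GNUmakefile) — TODO locate relative to the executable instead.`. The failure diagnostics in `constructor` go to stdout via `printf`, while the rest of this file reports via `fprintf(stderr, ...)`; using `fprintf(stderr, "[-] Failed to load lib\n");` (and likewise for the other three messages) keeps the stream consistent and keeps the messages visible when stdout is redirected by the fuzzer. Since this runs as a constructor, `exit(1)` fires before `main` — fine for a test harness, but the comment above should say so, as it is easy to miss that a load failure never reaches the input loop.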
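Review bot: Error handling in `run` relies on `assert()` — `assert(f)` and `assert(n_read == len)` — which is compiled out under `NDEBUG`, at which point a missing input file continues straight into `fseek(NULL, ...)`; replace them with explicit checks, `if (!f) { perror(argv[i]); exit(1); }` and the equivalent for the short read. `ftell` returns `long` and `-1` on error, and assigning that directly to `size_t len` turns a failure into an enormous `malloc`, so test the result for `< 0` before the conversion. The closing `fprintf` prints `n_read`, a `size_t`, with `%zd` (the signed conversion); `%zu` is the matching one. This file is a copy of the previous harness2.c, so these issues are being carried forward rather than introduced, but it is the right moment to fix them in the copy.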
@@ -0,0 +1,61 @@ +#include <stdio.h> +#include <stdlib.h> +#include <stdint.h> +#include <string.h> + + +void __attribute__((noinline)) crashme(const uint8_t *Data, size_t Size) { + + if (Size < 1) return; + + char *buf = malloc(10); + + if (buf == NULL) return; + + switch (Data[0]) { + + /* Underflow */ + case 'U': + printf("Underflow\n"); + buf[-1] = '\0'; + free(buf); + break; + /* Overflow */ + case 'O': + printf("Overflow\n"); + buf[10] = '\0'; + free(buf); + break; + /* Double free */ + case 'D': + printf("Double free\n"); + free(buf); + free(buf); + break; + /* Use after free */ + case 'A': + printf("Use after free\n"); + free(buf); + buf[0] = '\0'; + break; + /* Test Limits (OK) */ + case 'T': + printf("Test-Limits - No Error\n"); + buf[0] = 'A'; + buf[9] = 'I'; + free(buf); + break; + case 'M': + printf("Memset too many\n"); + memset(buf, '\0', 11); + free(buf); + break; + default: + printf("Nop - No Error\n"); + break; + + } + + +} + |
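Review bot: The `default:` branch prints "Nop - No Error" but never releases `buf`, so the one input class that is supposed to be clean leaks 10 bytes per call — under `AFL_FRIDA_PERSISTENT_CNT=1000000` that is a steady leak, and with leak detection enabled it would be reported on the "no error" path; add `free(buf);` before that `break`. The `'T'` case is the other intended-clean path and does free correctly, so the two should agree. Every other case (underflow, overflow, double free, use-after-free, oversized memset) is deliberately broken to exercise ASAN, and nothing in the file says so; a header comment such as `/* Deliberately memory-unsafe: each case is an ASAN test vector for frida_mode. Do not "fix". */` stops a future cleanup or static-analysis sweep from removing the test.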