-rw-r--r--GNUmakefile7
-rw-r--r--TODO.md1
-rwxr-xr-xafl-addseeds54
-rwxr-xr-xafl-persistent-config6
-rw-r--r--docs/Changelog.md1
-rw-r--r--docs/INSTALL.md1
-rw-r--r--include/config.h4
-rw-r--r--include/debug.h55
-rw-r--r--instrumentation/afl-compiler-rt.o.c2
m---------nyx_mode/QEMU-Nyx0
-rw-r--r--src/afl-cc.c6
-rw-r--r--src/afl-fuzz.c14
-rw-r--r--unicorn_mode/helper_scripts/unicorn_dumper_pwndbg.py26
-rwxr-xr-xutils/qbdi_mode/build.sh2
14 files changed, 138 insertions, 41 deletions
diff --git a/GNUmakefile b/GNUmakefile
index 88816e85..5fd37147 100644
--- a/GNUmakefile
+++ b/GNUmakefile
@@ -32,7 +32,7 @@ VERSION     = $(shell grep '^$(HASH)define VERSION ' ../config.h | cut -d '"' -f
 # PROGS intentionally omit afl-as, which gets installed elsewhere.
 
 PROGS       = afl-fuzz afl-showmap afl-tmin afl-gotcpu afl-analyze
-SH_PROGS    = afl-plot afl-cmin afl-cmin.bash afl-whatsup afl-system-config afl-persistent-config afl-cc
+SH_PROGS    = afl-plot afl-cmin afl-cmin.bash afl-whatsup afl-addseeds afl-system-config afl-persistent-config afl-cc
 MANPAGES=$(foreach p, $(PROGS) $(SH_PROGS), $(p).8) afl-as.8
 ASAN_OPTIONS=detect_leaks=0
 
@@ -45,6 +45,10 @@ ifdef NO_SPLICING
   override CFLAGS_OPT += -DNO_SPLICING
 endif
 
+ifdef NO_UTF
+  override CFLAGS_OPT += -DFANCY_BOXES_NO_UTF
+endif
+
 ifdef ASAN_BUILD
   $(info Compiling ASAN version of binaries)
   override CFLAGS += $(ASAN_CFLAGS)
@@ -391,6 +395,7 @@ help:
 	@echo INTROSPECTION - compile afl-fuzz with mutation introspection
 	@echo NO_PYTHON - disable python support
 	@echo NO_SPLICING - disables splicing mutation in afl-fuzz, not recommended for normal fuzzing
+	@echo NO_UTF - do not use UTF-8 for line rendering in status screen (fallback to G1 box drawing, of vanilla AFL)
 	@echo NO_NYX - disable building nyx mode dependencies
 	@echo "NO_CORESIGHT - disable building coresight (arm64 only)"
 	@echo NO_UNICORN_ARM64 - disable building unicorn on arm64
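Review bot: The added `NO_UTF` help line hands unquoted parentheses to the shell, so `make help` aborts with a syntax error at that recipe line instead of printing the remaining options; the neighbouring `NO_CORESIGHT` line quotes its text for exactly this reason. Change it to `@echo "NO_UTF - do not use UTF-8 for line rendering in status screen (fallback to G1 box drawing, of vanilla AFL)"`. The `help` recipe continues outside the hunk.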
diff --git a/TODO.md b/TODO.md
index eb934e3f..ac24fe07 100644
--- a/TODO.md
+++ b/TODO.md
@@ -4,6 +4,7 @@
 
  - afl-showmap -f support
  - afl-fuzz multicore wrapper script
+ - add value_profile but only enable after 15 minutes without finds
  - afl-crash-analysis
  - support persistent and deferred fork server in afl-showmap?
  - better autodetection of shifting runtime timeout values
diff --git a/afl-addseeds b/afl-addseeds
new file mode 100755
index 00000000..bb2843a8
--- /dev/null
+++ b/afl-addseeds
@@ -0,0 +1,54 @@
+#!/bin/sh
+
+test -z "$1" -o "$1" = "-h" -o "$1" = "--help" && {
+  echo Syntax: afl-addseeds -o afl-out-dir [-i seed_file_or_dir] seed_file_or_seed_dir seed_file_or_seed_dir ...
+  echo
+  echo Options:
+  echo "  -o afl-out-dir       the output directory being used in the fuzzing campaign"
+  echo "  -i seed_file_or_dir  file or directory of files to add"
+  echo
+  echo Adds new seeds to an existing AFL++ fuzzing campaign.
+  exit 0
+}
+
+for TOOL in find ls; do
+  X=`which $TOOL`
+  test -n "$X" || { echo "Error: required tool '$TOOL' not found."; exit 1; }
+done
+
+TEST=`printf %06d 123 2>/dev/null`
+test "$TEST" = "000123" || { echo "Error: required tool 'printf' not found."; exit 1; }
+
+OUT=
+NEXT=
+for i in $*; do
+  test -n "$NEXT" && { OUT=$i ; NEXT=""; }
+  test "$i" = "-o" && { NEXT=1; }
+done
+
+test -d "$OUT" || { echo Error: $OUT is not an existing directory; exit 1; }
+OK=`ls $OUT/*/fuzzer_stats 2>/dev/null`
+test -n "$OK" || { echo "Error: $OUT is not an 'afl-fuzz -o ... ' output directory" ; exit 1; }
+
+OUTDIR=$OUT/addseeds/queue
+mkdir -p "$OUTDIR" 2>/dev/null
+test -d "$OUTDIR" || { echo Error: could not create $OUTDIR ; exit 1 ; }
+
+echo Adding seeds ...
+NEXTID=0
+for i in $*; do
+  test -z "$i" -o "$i" = "$OUT" -o "$i" = "-i" -o "$i" = "-o" || {
+    find "$i" -type f | while read FILE; do
+      N=xxx
+      while [ -n "$N" ]; do
+        ID=$NEXTID
+        N=`ls "$OUTDIR/id:$(printf %06d $ID),"* 2>/dev/null`
+        NEXTID=$(($NEXTID + 1))
+      done
+      FN=`echo "$FILE" | sed 's/.*\///'`
+      cp -v "$FILE" "$OUTDIR/id:$(printf %06d $ID),time:0,execs:0,orig:$FN"
+    done
+  }
+done
+
+echo Done.
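Review bot: Both argument loops iterate `$*` unquoted and the inner loop uses a bare `read`, so a seed path containing whitespace is split into several arguments and backslashes in names produced by `find` are mangled; under `#!/bin/sh` the fix is `for i in "$@"; do` on both loops and `while IFS= read -r FILE; do`. The usage text lists `-i` as an option, but nothing parses its value: the loop skips the literal `-i` and then treats the following word like any other positional argument, so either document that every positional is a seed or drop the option. Note also that `NEXTID` is incremented inside the `find | while` pipeline, i.e. in a subshell, so the count is lost after each `find` and every file rescans the queue from id 0 — correct because of the `ls` probe, but quadratic for large seed sets.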
diff --git a/afl-persistent-config b/afl-persistent-config
index 6d96c196..3abcb866 100755
--- a/afl-persistent-config
+++ b/afl-persistent-config
@@ -98,9 +98,9 @@ if [[ "$PLATFORM" = "Linux" ]] ; then
   echo "Checks passed."
 
   test -d /etc/sysctl.d || echo Error: /etc/sysctl.d directory not found, cannot install shmem config
-  test -d /etc/sysctl.d -a '!' -e /etc/sysctl.d/99-fuzzing && {
-    echo "Installing /etc/sysctl.d/99-fuzzing"
-    cat << EOF > /etc/sysctl.d/99-fuzzing
+  test -d /etc/sysctl.d -a '!' -e /etc/sysctl.d/99-fuzzing.conf && {
+    echo "Installing /etc/sysctl.d/99-fuzzing.conf"
+    cat << EOF > /etc/sysctl.d/99-fuzzing.conf
 kernel.core_uses_pid=0
 kernel.core_pattern=core
 kernel.randomize_va_space=0
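Review bot: Earlier versions of this script wrote `/etc/sysctl.d/99-fuzzing` without the `.conf` suffix, which sysctl never applied, and the renamed existence check leaves that stale file in place on machines that ran the old version. Consider a preceding line such as `test -e /etc/sysctl.d/99-fuzzing && echo "Warning: stale /etc/sysctl.d/99-fuzzing found (never applied by sysctl), please remove it"` so users learn why their settings were not active. The heredoc and the surrounding `&& { … }` block continue beyond the hunk.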
diff --git a/docs/Changelog.md b/docs/Changelog.md
index dfbadea3..101d380b 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -19,6 +19,7 @@
     - fix for a few string compare transform functions for LAF
   - frida_mode:
     - fixes support for large map offsets
+  - added new tool afl-addseeds that adds new seeds to a running campaign
   - added benchmark/benchmark.sh if you want to see how good your fuzzing
     speed is in comparison to other setups.
 
diff --git a/docs/INSTALL.md b/docs/INSTALL.md
index 9005a7eb..41f512ed 100644
--- a/docs/INSTALL.md
+++ b/docs/INSTALL.md
@@ -87,6 +87,7 @@ These build options exist:
 * INTROSPECTION - compile afl-fuzz with mutation introspection
 * NO_PYTHON - disable python support
 * NO_SPLICING - disables splicing mutation in afl-fuzz, not recommended for normal fuzzing
+* NO_UTF - do not use UTF-8 for line rendering in status screen (fallback to G1 box drawing, of vanilla AFL)
 * NO_NYX - disable building nyx mode dependencies
 * NO_CORESIGHT - disable building coresight (arm64 only)
 * NO_UNICORN_ARM64 - disable building unicorn on arm64
diff --git a/include/config.h b/include/config.h
index 6a75737f..988e536e 100644
--- a/include/config.h
+++ b/include/config.h
@@ -120,9 +120,9 @@
 
 // #define _WANT_ORIGINAL_AFL_ALLOC
 
-/* Comment out to disable fancy ANSI boxes and use poor man's 7-bit UI: */
+/* Comment out to disable fancy boxes and use poor man's 7-bit UI: */
 
-#ifndef ANDROID_DISABLE_FANCY  // Fancy boxes are ugly from adb
+#ifndef DISABLE_FANCY
   #define FANCY_BOXES
 #endif
 
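Review bot: `DISABLE_FANCY` replaces `ANDROID_DISABLE_FANCY`, but the comment on the removed line that explained why a platform would want it is dropped, and nothing here says how this knob relates to `FANCY_BOXES_NO_UTF` set by the GNUmakefile `NO_UTF` option. A comment above the `#ifndef`, e.g. `/* -DDISABLE_FANCY: plain 7-bit boxes; -DFANCY_BOXES_NO_UTF (make NO_UTF=1): G1 escape boxes; default: UTF-8 boxes */`, would make the three rendering modes discoverable from one place.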
diff --git a/include/debug.h b/include/debug.h
index cd621a72..234d8fc4 100644
--- a/include/debug.h
+++ b/include/debug.h
@@ -116,7 +116,7 @@
  * Box drawing sequences *
  *************************/
 
-#ifdef FANCY_BOXES
+#ifdef FANCY_BOXES_NO_UTF
 
   #define SET_G1 "\x1b)0"                      /* Set G1 for box drawing    */
   #define RESET_G1 "\x1b)B"                    /* Reset G1 to ASCII         */
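Review bot: The G1 branch is now selected by `FANCY_BOXES_NO_UTF` alone, so a build with `-DDISABLE_FANCY` together with `NO_UTF=1` still emits the `\x1b)0` escape sequences although fancy boxes were turned off; gating it with `#if defined(FANCY_BOXES) && defined(FANCY_BOXES_NO_UTF)` keeps `DISABLE_FANCY` authoritative. The remaining G1 definitions lie between this hunk and the next.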
@@ -136,22 +136,43 @@
 
 #else
 
-  #define SET_G1 ""
-  #define RESET_G1 ""
-  #define bSTART ""
-  #define bSTOP ""
-  #define bH "-"
-  #define bV "|"
-  #define bLT "+"
-  #define bRT "+"
-  #define bLB "+"
-  #define bRB "+"
-  #define bX "+"
-  #define bVR "+"
-  #define bVL "+"
-  #define bHT "+"
-  #define bHB "+"
-
+  #ifdef FANCY_BOXES
+
+    #define SET_G1 ""
+    #define RESET_G1 ""
+    #define bSTART ""
+    #define bSTOP ""
+    #define bH "\u2500"                        /* Horizontal line           */
+    #define bV "\u2502"                        /* Vertical line             */
+    #define bLT "\u250c"                       /* Left top corner           */
+    #define bRT "\u2510"                       /* Right top corner          */
+    #define bLB "\u2514"                       /* Left bottom corner        */
+    #define bRB "\u2518"                       /* Right bottom corner       */
+    #define bX "\u253c"                        /* Cross                     */
+    #define bVR "\u251c"                       /* Vertical, branch right    */
+    #define bVL "\u2524"                       /* Vertical, branch left     */
+    #define bHT "\u2534"                       /* Horizontal, branch top    */
+    #define bHB "\u252c"                       /* Horizontal, branch bottom */
+
+  #else
+
+    #define SET_G1 ""
+    #define RESET_G1 ""
+    #define bSTART ""
+    #define bSTOP ""
+    #define bH "-"
+    #define bV "|"
+    #define bLT "+"
+    #define bRT "+"
+    #define bLB "+"
+    #define bRB "+"
+    #define bX "+"
+    #define bVR "+"
+    #define bVL "+"
+    #define bHT "+"
+    #define bHB "+"
+
+  #endif
 #endif                                                      /* ^FANCY_BOXES */
 
 /***********************
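Review bot: The trailing `/* ^FANCY_BOXES */` on the outer `#endif` now closes the `#ifdef FANCY_BOXES_NO_UTF` opened in the previous hunk, and the new inner `#endif` carries no label, so the nesting is easy to misread; relabel them `#endif /* ^FANCY_BOXES */` and `#endif /* ^FANCY_BOXES_NO_UTF */`. The `"\u2500"`-style literals are universal character names, so the bytes they produce depend on the compiler's execution character set (UTF-8 by default with gcc and clang); a one-line comment above the block stating that this branch assumes a UTF-8 execution charset and terminal would save the next reader from guessing.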
diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c
index dd9aae77..723b946b 100644
--- a/instrumentation/afl-compiler-rt.o.c
+++ b/instrumentation/afl-compiler-rt.o.c
@@ -2294,7 +2294,7 @@ void __cmplog_rtn_hook_strn(u8 *ptr1, u8 *ptr2, u64 len) {
   int len1 = strnlen(ptr1, len0);
   if (len1 < 31) len1 = area_is_valid(ptr1, len1 + 1);
   int len2 = strnlen(ptr2, len0);
-  if (len2 < 31) len2 = area_is_valid(ptr1, len2 + 1);
+  if (len2 < 31) len2 = area_is_valid(ptr2, len2 + 1);
   int l = MAX(len1, len2);
   if (l < 2) return;
 
diff --git a/nyx_mode/QEMU-Nyx b/nyx_mode/QEMU-Nyx
-Subproject 874fa033d117a3e9931245cb9e82836a4abc042
+Subproject 92ed7cefc1bd043a1230ca74b263b484825c265
diff --git a/src/afl-cc.c b/src/afl-cc.c
index 12707007..037a5c30 100644
--- a/src/afl-cc.c
+++ b/src/afl-cc.c
@@ -2118,6 +2118,8 @@ int main(int argc, char **argv, char **envp) {
         "  [LLVM] LLVM:             %s%s\n"
         "      PCGUARD              %s      yes yes     module yes yes    "
         "yes\n"
+        "      NATIVE               AVAILABLE      no  yes     no     no  "
+        "part.  yes\n"
         "      CLASSIC              %s      no  yes     module yes yes    "
         "yes\n"
         "        - NORMAL\n"
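Review bot: The new `NATIVE` row hard-codes `AVAILABLE` instead of a `%s` filled from `have_llvm` like the `PCGUARD` and `CLASSIC` rows around it, so it reports availability even when LLVM is not available. The two `have_llvm ? "AVAILABLE" : "unavailable!"` arguments inserted in the next hunk presumably feed `%s` conversions that sit between the two hunks, and the two removed `LLVM_MAJOR >= 7` arguments must have had their conversions removed there as well; that pairing cannot be checked from what is visible, so compiling this file with `-Wformat` before merging is worthwhile. `main` continues outside the hunk.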
@@ -2137,10 +2139,10 @@ int main(int argc, char **argv, char **envp) {
         "no\n\n",
         have_llvm ? "AVAILABLE" : "unavailable!",
         compiler_mode == LLVM ? " [SELECTED]" : "",
+        have_llvm ? "AVAILABLE" : "unavailable!",
+        have_llvm ? "AVAILABLE" : "unavailable!",
         have_lto ? "AVAILABLE" : "unavailable!",
         compiler_mode == LTO ? " [SELECTED]" : "",
-        LLVM_MAJOR >= 7 ? "DEFAULT" : "       ",
-        LLVM_MAJOR >= 7 ? "       " : "DEFAULT",
         have_gcc_plugin ? "AVAILABLE" : "unavailable!",
         compiler_mode == GCC_PLUGIN ? " [SELECTED]" : "",
         have_gcc ? "AVAILABLE" : "unavailable!",
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index cf57702f..0a6755d7 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -381,6 +381,10 @@ static void usage(u8 *argv0, int more_help) {
   SAYF("Compiled with NO_SPLICING.\n");
 #endif
 
+#ifdef FANCY_BOXES_NO_UTF
+  SAYF("Compiled without UTF-8 support for line rendering in status screen.\n");
+#endif
+
 #ifdef PROFILING
   SAYF("Compiled with PROFILING.\n");
 #endif
@@ -1342,6 +1346,12 @@ int main(int argc, char **argv_orig, char **envp) {
 
   }
 
+  if (strcmp(afl->sync_id, "addseeds") == 0) {
+
+    FATAL("-M/-S name 'addseeds' is a reserved name, choose something else");
+
+  }
+
   if (afl->is_main_node == 1 && afl->schedule != FAST &&
       afl->schedule != EXPLORE) {
 
@@ -2822,7 +2832,9 @@ int main(int argc, char **argv_orig, char **envp) {
 
     if (likely(afl->switch_fuzz_mode && afl->fuzz_mode == 0 &&
                !afl->non_instrumented_mode) &&
-        unlikely(cur_time > afl->last_find_time + afl->switch_fuzz_mode)) {
+        unlikely(cur_time > (likely(afl->last_find_time) ? afl->last_find_time
+                                                         : afl->start_time) +
+                                afl->switch_fuzz_mode)) {
 
       if (afl->afl_env.afl_no_ui) {
 
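Review bot: The rewritten condition nests `likely()` inside a ternary inside `unlikely()` across three continuation lines, which obscures the actual intent (use `start_time` as the reference until the first find); hoisting it into a local such as `u64 base_time = afl->last_find_time ? afl->last_find_time : afl->start_time;` followed by `unlikely(cur_time > base_time + afl->switch_fuzz_mode)` reads better and the inner branch hint is unlikely to matter. A short comment stating that fallback would also help. The loop body continues outside the hunk.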
diff --git a/unicorn_mode/helper_scripts/unicorn_dumper_pwndbg.py b/unicorn_mode/helper_scripts/unicorn_dumper_pwndbg.py
index eccbc8bf..7e97f6a7 100644
--- a/unicorn_mode/helper_scripts/unicorn_dumper_pwndbg.py
+++ b/unicorn_mode/helper_scripts/unicorn_dumper_pwndbg.py
@@ -40,10 +40,10 @@ import gdb
 pwndbg_loaded = False
 
 try:
-    import pwndbg.arch
-    import pwndbg.regs
-    import pwndbg.vmmap
-    import pwndbg.memory
+    import pwndbg.gdblib.arch
+    import pwndbg.gdblib.regs
+    import pwndbg.gdblib.vmmap
+    import pwndbg.gdblib.memory
 
     pwndbg_loaded = True
 
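Review bot: The import block now only recognises the `pwndbg.gdblib` layout, so on pwndbg releases that still expose `pwndbg.arch`/`pwndbg.regs` the `except` path leaves `pwndbg_loaded = False` and the script reports pwndbg as absent even though it is installed; the same applies to every `pwndbg.gdblib.*` reference in the later hunks. If both generations should keep working, try the `gdblib` imports first and fall back to the old module paths, binding them to one alias that the rest of the script uses. Subscripting `pwndbg.gdblib.regs[...]` presumably relies on pwndbg replacing that module with an object that implements `__getitem__`, as the old `pwndbg.regs[...]` did — worth confirming against the pwndbg version targeted. The `except` handler is outside the hunk.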
@@ -64,7 +64,7 @@ INDEX_FILE_NAME = "_index.json"
 
 
 def map_arch():
-    arch = pwndbg.arch.current  # from PWNDBG
+    arch = pwndbg.gdblib.arch.current  # from PWNDBG
     if "x86_64" in arch or "x86-64" in arch:
         return "x64"
     elif "x86" in arch or "i386" in arch:
@@ -74,9 +74,9 @@ def map_arch():
     elif "aarch64_be" in arch:
         return "arm64be"
     elif "arm" in arch:
-        cpsr = pwndbg.regs["cpsr"]
+        cpsr = pwndbg.gdblib.regs["cpsr"]
         # check endianess
-        if pwndbg.arch.endian == "big":
+        if pwndbg.gdblib.arch.endian == "big":
             # check for THUMB mode
             if cpsr & (1 << 5):
                 return "armbethumb"
@@ -89,7 +89,7 @@ def map_arch():
             else:
                 return "armle"
     elif "mips" in arch:
-        if pwndbg.arch.endian == "little":
+        if pwndbg.gdblib.arch.endian == "little":
             return "mipsel"
         else:
             return "mips"
@@ -109,8 +109,8 @@ def dump_arch_info():
 
 def dump_regs():
     reg_state = {}
-    for reg in pwndbg.regs.all:
-        reg_val = pwndbg.regs[reg]
+    for reg in pwndbg.gdblib.regs.all:
+        reg_val = pwndbg.gdblib.regs[reg]
         # current dumper script looks for register values to be hex strings
         #         reg_str = "0x{:08x}".format(reg_val)
         #         if "64" in get_arch():
@@ -125,7 +125,7 @@ def dump_process_memory(output_dir):
     final_segment_list = []
 
     # PWNDBG:
-    vmmap = pwndbg.vmmap.get()
+    vmmap = pwndbg.gdblib.vmmap.get()
 
     # Pointer to end of last dumped memory segment
     segment_last_addr = 0x0
@@ -165,7 +165,7 @@ def dump_process_memory(output_dir):
         if entry.read and not "(deleted)" in entry.objfile:
             try:
                 # Compress and dump the content to a file
-                seg_content = pwndbg.memory.read(start, end - start)
+                seg_content = pwndbg.gdblib.memory.read(start, end - start)
                 if seg_content == None:
                     print(
                         "Segment empty: @0x{0:016x} (size:UNKNOWN) {1}".format(
@@ -181,7 +181,7 @@ def dump_process_memory(output_dir):
                             repr(seg_info["permissions"]),
                         )
                     )
-                    compressed_seg_content = zlib.compress(str(seg_content))
+                    compressed_seg_content = zlib.compress(bytes(seg_content))
                     md5_sum = hashlib.md5(compressed_seg_content).hexdigest() + ".bin"
                     seg_info["content_file"] = md5_sum
 
diff --git a/utils/qbdi_mode/build.sh b/utils/qbdi_mode/build.sh
index 29fe0ee4..a92d81bd 100755
--- a/utils/qbdi_mode/build.sh
+++ b/utils/qbdi_mode/build.sh
@@ -52,6 +52,6 @@ ${compiler_prefix}${CC} -shared -o libdemo.so demo-so.c -w -g
 echo "[+] Building afl-fuzz for Android"
 # build afl-fuzz
 cd ../..
-${compiler_prefix}${CC} -DANDROID_DISABLE_FANCY=1 -O3 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -I include/ -DAFL_PATH=\"/usr/local/lib/afl\" -DBIN_PATH=\"/usr/local/bin\" -DDOC_PATH=\"/usr/local/share/doc/afl\" -Wno-unused-function src/afl-fuzz*.c src/afl-common.c src/afl-sharedmem.c src/afl-forkserver.c src/afl-performance.c -o utils/qbdi_mode/afl-fuzz -ldl -lm -w
+${compiler_prefix}${CC} -O3 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -I include/ -DAFL_PATH=\"/usr/local/lib/afl\" -DBIN_PATH=\"/usr/local/bin\" -DDOC_PATH=\"/usr/local/share/doc/afl\" -Wno-unused-function src/afl-fuzz*.c src/afl-common.c src/afl-sharedmem.c src/afl-forkserver.c src/afl-performance.c -o utils/qbdi_mode/afl-fuzz -ldl -lm -w
 
 echo "[+] All done. Enjoy!"
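Review bot: Dropping `-DANDROID_DISABLE_FANCY=1` without substituting the renamed `-DDISABLE_FANCY=1` means the Android afl-fuzz built here now gets the UTF-8 fancy boxes that the old define existed to avoid ("Fancy boxes are ugly from adb"), which may be intended but is not stated. If plain 7-bit output is still wanted under adb, add `-DDISABLE_FANCY=1` back to this command line; otherwise a one-line comment above it recording that UTF-8 boxes are acceptable there would stop the next reader from re-adding the flag.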