diff options
Diffstat (limited to 'frida_mode/test/js')
| -rw-r--r-- | frida_mode/test/js/GNUmakefile | 28 | ||||
| -rw-r--r-- | frida_mode/test/js/fuzz.js | 41 | ||||
| -rw-r--r-- | frida_mode/test/js/main.js | 44 |
3 files changed, 113 insertions, 0 deletions
diff --git a/frida_mode/test/js/GNUmakefile b/frida_mode/test/js/GNUmakefile index aad81d08..c702ad98 100644 --- a/frida_mode/test/js/GNUmakefile +++ b/frida_mode/test/js/GNUmakefile @@ -10,6 +10,7 @@ TESTINSTSRC:=$(PWD)test.c TESTINSTBIN2:=$(BUILD_DIR)test2 TESTINSTSRC2:=$(PWD)test2.c +AFLPP_DRIVER_DUMMY_INPUT:=$(BUILD_DIR)dummy QEMU_OUT:=$(BUILD_DIR)qemu-out FRIDA_OUT:=$(BUILD_DIR)frida-out @@ -40,9 +41,36 @@ $(TESTINSTBIN): $(TESTINSTSRC) | $(BUILD_DIR) $(TESTINSTBIN2): $(TESTINSTSRC2) | $(BUILD_DIR) $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $< +$(AFLPP_DRIVER_DUMMY_INPUT): | $(BUILD_DIR) + dd if=/dev/zero bs=1048576 count=1 of=$@ + clean: rm -rf $(BUILD_DIR) +frida_js_main: $(TESTINSTBIN) $(TEST_DATA_FILE) $(AFLPP_DRIVER_DUMMY_INPUT) + AFL_PRELOAD=$(AFL_PRELOAD) \ + AFL_FRIDA_JS_SCRIPT=main.js \ + $(ROOT)afl-fuzz \ + -D \ + -O \ + -i $(TEST_DATA_DIR) \ + -o $(FRIDA_OUT) \ + -t 10000+ \ + -- \ + $(TESTINSTBIN) $(AFLPP_DRIVER_DUMMY_INPUT) + +frida_js_fuzz: $(TESTINSTBIN) $(TEST_DATA_FILE) $(AFLPP_DRIVER_DUMMY_INPUT) + AFL_PRELOAD=$(AFL_PRELOAD) \ + AFL_FRIDA_JS_SCRIPT=fuzz.js \ + $(ROOT)afl-fuzz \ + -D \ + -O \ + -i $(TEST_DATA_DIR) \ + -o $(FRIDA_OUT) \ + -t 10000+ \ + -- \ + $(TESTINSTBIN) $(AFLPP_DRIVER_DUMMY_INPUT) + frida_js_entry: $(TESTINSTBIN) $(TEST_DATA_FILE) AFL_PRELOAD=$(AFL_PRELOAD) \ AFL_FRIDA_JS_SCRIPT=entry.js \ diff --git a/frida_mode/test/js/fuzz.js b/frida_mode/test/js/fuzz.js new file mode 100644 index 00000000..24eca2b6 --- /dev/null +++ b/frida_mode/test/js/fuzz.js @@ -0,0 +1,41 @@ +Afl.print('******************'); +Afl.print('* AFL FRIDA MODE *'); +Afl.print('******************'); +Afl.print(''); + +Afl.print(`PID: ${Process.id}`); + +const name = Process.enumerateModules()[0].name; +Afl.print(`Name: ${name}`); + +new ModuleMap().values().forEach(m => { + Afl.print(`${m.base}-${m.base.add(m.size)} ${m.name}`); +}); + +const LLVMFuzzerTestOneInput = DebugSymbol.fromName('LLVMFuzzerTestOneInput').address; +Afl.print(`LLVMFuzzerTestOneInput: ${LLVMFuzzerTestOneInput}`); + +const cm = new CModule(` + + extern unsigned char * __afl_fuzz_ptr; + extern unsigned int * __afl_fuzz_len; + extern void LLVMFuzzerTestOneInput(char *buf, int len); + + void My_LLVMFuzzerTestOneInput(char *buf, int len) { + + LLVMFuzzerTestOneInput(__afl_fuzz_ptr, *__afl_fuzz_len); + + } + `, + { + LLVMFuzzerTestOneInput: LLVMFuzzerTestOneInput, + __afl_fuzz_ptr: Afl.getAflFuzzPtr(), + __afl_fuzz_len: Afl.getAflFuzzLen() + }); + +Afl.setEntryPoint(cm.My_LLVMFuzzerTestOneInput); +Afl.setPersistentAddress(cm.My_LLVMFuzzerTestOneInput); +Afl.setInMemoryFuzzing(); +Interceptor.replace(LLVMFuzzerTestOneInput, cm.My_LLVMFuzzerTestOneInput); +Afl.print("done"); +Afl.done(); diff --git a/frida_mode/test/js/main.js b/frida_mode/test/js/main.js new file mode 100644 index 00000000..06306fc4 --- /dev/null +++ b/frida_mode/test/js/main.js @@ -0,0 +1,44 @@ +Afl.print('******************'); +Afl.print('* AFL FRIDA MODE *'); +Afl.print('******************'); +Afl.print(''); + +Afl.print(`PID: ${Process.id}`); + +const name = Process.enumerateModules()[0].name; +Afl.print(`Name: ${name}`); + +new ModuleMap().values().forEach(m => { + Afl.print(`${m.base}-${m.base.add(m.size)} ${m.name}`); +}); + +const main = DebugSymbol.fromName('main').address; +Afl.print(`main: ${main}`); + +const LLVMFuzzerTestOneInput = DebugSymbol.fromName('LLVMFuzzerTestOneInput').address; +Afl.print(`LLVMFuzzerTestOneInput: ${LLVMFuzzerTestOneInput}`); + +const cm = new CModule(` + + extern unsigned char * __afl_fuzz_ptr; + extern unsigned int * __afl_fuzz_len; + extern void LLVMFuzzerTestOneInput(char *buf, int len); + + int main(int argc, char **argv) { + + LLVMFuzzerTestOneInput(__afl_fuzz_ptr, *__afl_fuzz_len); + + } + `, + { + LLVMFuzzerTestOneInput: LLVMFuzzerTestOneInput, + __afl_fuzz_ptr: Afl.getAflFuzzPtr(), + __afl_fuzz_len: Afl.getAflFuzzLen() + }); + +Afl.setEntryPoint(cm.main); +Afl.setPersistentAddress(cm.main); +Afl.setInMemoryFuzzing(); +Afl.setJsMainHook(cm.main); +Afl.print("done"); +Afl.done(); |