From bc2e65e4821ef4b8fbc33be6c705adfa1c32e02f Mon Sep 17 00:00:00 2001 From: van Hauser Date: Wed, 29 Apr 2020 15:18:03 +0200 Subject: added afl_network_proxy --- examples/afl_network_proxy/README.md | 44 ++++++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 examples/afl_network_proxy/README.md (limited to 'examples/afl_network_proxy/README.md') diff --git a/examples/afl_network_proxy/README.md b/examples/afl_network_proxy/README.md new file mode 100644 index 00000000..65012601 --- /dev/null +++ b/examples/afl_network_proxy/README.md @@ -0,0 +1,44 @@ +# afl-network-proxy + +If you want to run afl-fuzz over the network than this is what you need :) +Note that the impact on fuzzing speed will be huge, expect a loss of 90%. + +## When to use this + +1. when you have to fuzz a target that has to run on a system that cannot + contain the fuzzing output (e.g. /tmp too small and file system is read-only) +2. when the target instantly reboots on crashes +3. ... any other reason you would need this + +## how to get it running + +### on the target + +Run `afl-network-server` with your target with the -m and -t values you need. +Important is the -i parameter which is the TCP port to liste on. +e.g.: +``` +$ afl-network-server -i 1111 -m 25M -t 1000 -- /bin/target -f @@ +``` +### on the fuzzing master + +Just run afl-fuzz with your normal options, however the target should be +`afl-network-client` with the IP and PORT of the `afl-network-server` and +increase the -t value: +``` +$ afl-fuzz -i in -o out -t 2000+ -- afl-network-client TARGET-IP 1111 +``` +Note the '+' on the -t parameter value. the afl-network-server will take +care of proper timeouts hence afl-fuzz should not. The '+' increases the timout +and the value itself should be 500-1000 higher than the one on +afl-network-server. + +### networking + +The TARGET can be an IPv4 or IPv6 address, or a host name that resolves to +either. Note that also the outgoing interface can be specified with a '%' for +`afl-network-client`, e.g. `fe80::1234%eth0`. + +## how to compile and install + +`make && sudo make install` -- cgit 1.4.1 From efa9df24c2a5f97c212a5a22dda19dcbbab0b5de Mon Sep 17 00:00:00 2001 From: van Hauser Date: Thu, 30 Apr 2020 17:59:59 +0200 Subject: afl-untracer completed --- docs/Changelog.md | 2 + examples/afl_network_proxy/README.md | 11 +++ examples/afl_network_proxy/afl-network-client.c | 23 +++--- examples/afl_network_proxy/afl-network-server.c | 2 + examples/afl_untracer/Makefile | 2 +- examples/afl_untracer/README.md | 7 +- examples/afl_untracer/afl-untracer.c | 96 +++++++++++-------------- examples/afl_untracer/patches.txt | 23 ++++++ include/forkserver.h | 1 + src/afl-forkserver.c | 14 ++-- 10 files changed, 106 insertions(+), 75 deletions(-) create mode 100644 examples/afl_untracer/patches.txt (limited to 'examples/afl_network_proxy/README.md') diff --git a/docs/Changelog.md b/docs/Changelog.md index faf015c6..565bee72 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -31,6 +31,8 @@ sending a mail to . - added examples/afl_network_proxy which allows to fuzz a target over the network (not fuzzing tcp/ip services but running afl-fuzz on one system and the target being on an embedded device) + - added examples/afl_untracer which does a binary-only fuzzing with the + modifications done in memory - added examples/afl_proxy which can be easily used to fuzz and instrument non-standard things - all: diff --git a/examples/afl_network_proxy/README.md b/examples/afl_network_proxy/README.md index 65012601..c33096be 100644 --- a/examples/afl_network_proxy/README.md +++ b/examples/afl_network_proxy/README.md @@ -20,6 +20,7 @@ e.g.: ``` $ afl-network-server -i 1111 -m 25M -t 1000 -- /bin/target -f @@ ``` + ### on the fuzzing master Just run afl-fuzz with your normal options, however the target should be @@ -42,3 +43,13 @@ either. Note that also the outgoing interface can be specified with a '%' for ## how to compile and install `make && sudo make install` + +## Future + +It would be much faster and more effective if `afl-network-server` does not +send the map data back (64kb or more) but the checksum that `afl-fuzz` would +generate. This change however would make it incompatible with existing +afl spinoffs. + +But in the future this will be implemented and supported as a compile option. + diff --git a/examples/afl_network_proxy/afl-network-client.c b/examples/afl_network_proxy/afl-network-client.c index ede2ff8d..53512286 100644 --- a/examples/afl_network_proxy/afl-network-client.c +++ b/examples/afl_network_proxy/afl-network-client.c @@ -175,7 +175,7 @@ static void __afl_start_forkserver(void) { static u32 __afl_next_testcase(u8 *buf, u32 max_len) { - s32 status, res = 0xffffff; + s32 status, res = 0x0fffffff; // res is a dummy pid /* Wait for parent by reading from the pipe. Abort if read fails. */ if (read(FORKSRV_FD, &status, 4) != 4) return 0; @@ -193,9 +193,7 @@ static u32 __afl_next_testcase(u8 *buf, u32 max_len) { } -static void __afl_end_testcase(void) { - - int status = 0xffffff; +static void __afl_end_testcase(int status) { if (write(FORKSRV_FD + 1, &status, 4) != 4) exit(1); @@ -273,7 +271,7 @@ int main(int argc, char *argv[]) { __afl_map_shm(); __afl_start_forkserver(); - int i = 1, j; + int i = 1, j, status, ret; // fprintf(stderr, "Waiting for first testcase\n"); while ((len = __afl_next_testcase(buf, max_len)) > 0) { @@ -281,17 +279,25 @@ int main(int argc, char *argv[]) { if (send(s, &len, 4, 0) != 4) PFATAL("sending size data %d failed", len); if (send(s, buf, len, 0) != len) PFATAL("sending test data failed"); - int received = 0, ret; + int received = 0; + while (received < 4 && + (ret = recv(s, &status + received, 4 - received, 0)) > 0) + received += ret; + if (received != 4) + FATAL("did not receive waitpid data (%d, %d)", received, ret); + // fprintf(stderr, "Received status\n"); + + int received = 0; while (received < __afl_map_size && (ret = recv(s, __afl_area_ptr + received, __afl_map_size - received, 0)) > 0) received += ret; if (received != __afl_map_size) - FATAL("did not receive valid data (%d, %d)", received, ret); + FATAL("did not receive coverage data (%d, %d)", received, ret); // fprintf(stderr, "Received coverage\n"); /* report the test case is done and wait for the next */ - __afl_end_testcase(); + __afl_end_testcase(status); // fprintf(stderr, "Waiting for next testcase %d\n", ++i); } @@ -299,4 +305,3 @@ int main(int argc, char *argv[]) { return 0; } - diff --git a/examples/afl_network_proxy/afl-network-server.c b/examples/afl_network_proxy/afl-network-server.c index 1bd37560..2f9f8c8e 100644 --- a/examples/afl_network_proxy/afl-network-server.c +++ b/examples/afl_network_proxy/afl-network-server.c @@ -579,6 +579,8 @@ int main(int argc, char **argv_orig, char **envp) { // fprintf(stderr, "received %u\n", in_len); run_target(fsrv, use_argv, in_data, in_len, 1); + if (send(s, fsrv->child_status, 4, 0) != 4) + FATAL("could not send waitpid data"); if (send(s, fsrv->trace_bits, fsrv->map_size, 0) != fsrv->map_size) FATAL("could not send coverage data"); // fprintf(stderr, "sent result\n"); diff --git a/examples/afl_untracer/Makefile b/examples/afl_untracer/Makefile index bfef8fa8..5c525877 100644 --- a/examples/afl_untracer/Makefile +++ b/examples/afl_untracer/Makefile @@ -7,4 +7,4 @@ libtestinstr.so: libtestinstr.c $(CC) -fPIC -o libtestinstr.so -shared libtestinstr.c clean: - rm -f afl-untracer *~ core + rm -f afl-untracer libtestinstr.so *~ core diff --git a/examples/afl_untracer/README.md b/examples/afl_untracer/README.md index 90798028..d3af0ceb 100644 --- a/examples/afl_untracer/README.md +++ b/examples/afl_untracer/README.md @@ -3,9 +3,14 @@ afl-untracer is an example skeleton file which can easily be used to fuzz a closed source library. -It is faster and requires less memory than qemu_mode however it is way +It requires less memory than qemu_mode however it is way more course grained and does not provide interesting features like compcov or cmplog. Read and modify afl-untracer.c then `make` and use it as the afl-fuzz target (or even remote via afl-network-proxy). + +This idea is based on [UnTracer](https://github.com/FoRTE-Research/UnTracer-AFL) +and modified by [Trapfuzz](https://github.com/googleprojectzero/p0tools/tree/master/TrapFuzz). +This implementation is slower because the traps are not patched out with each +run, but on the other hand gives much better coverage information. diff --git a/examples/afl_untracer/afl-untracer.c b/examples/afl_untracer/afl-untracer.c index 420f09a2..4d512356 100644 --- a/examples/afl_untracer/afl-untracer.c +++ b/examples/afl_untracer/afl-untracer.c @@ -76,16 +76,9 @@ static u32 use_stdin = 1; /* This is were the testcase data is written into */ static u8 buf[10000]; // this is the maximum size for a test case! set it! -/* if you want to use fork() then uncomment the following line. Otherwise - threads are used. The differences: - fork() pthread() - speed slow fast - coverage detailed minimal - memory leaks no problem an issue */ -//#define USE_FORK - -/* If you want to have debug output set this to 1 */ -static u32 debug = 1; +/* If you want to have debug output set this to 1, can also be set with + AFL_DEBUG */ +static u32 debug = 0; // END STEP 1 @@ -130,7 +123,7 @@ void read_library_information() { if (debug) fprintf(stderr, "Library list:\n"); while (fgets(buf, sizeof(buf), f)) { - if (strstr(buf, " r-xp ")) { + if (strstr(buf, " r-x")) { if (liblist_cnt >= MAX_LIB_COUNT) { @@ -159,9 +152,9 @@ void read_library_information() { liblist[liblist_cnt].addr_start = strtoull(b, NULL, 16); liblist[liblist_cnt].addr_end = strtoull(m, NULL, 16); if (debug) - fprintf(stderr, "%s:%x (%x-%x)\n", liblist[liblist_cnt].name, + fprintf(stderr, "%s:%x (%lx-%lx)\n", liblist[liblist_cnt].name, liblist[liblist_cnt].addr_end - liblist[liblist_cnt].addr_start, - liblist[liblist_cnt].addr_start, liblist[liblist_cnt].addr_end); + liblist[liblist_cnt].addr_start, liblist[liblist_cnt].addr_end - 1); liblist_cnt++; } @@ -367,17 +360,13 @@ static u32 __afl_next_testcase(u8 *buf, u32 max_len) { if (write(FORKSRV_FD + 1, &pid, 4) != 4) do_exit = 1; // fprintf(stderr, "write1 %d\n", do_exit); - if (!do_exit) - __afl_area_ptr[0] = 1; // otherwise afl-fuzz will exit with NOINST return status; } -static void __afl_end_testcase(void) { +static void __afl_end_testcase(int status) { - s32 res = 0xffffff; - if (write(FORKSRV_FD + 1, &res, 4) != 4) do_exit = 1; - // if (write(FORKSRV_FD + 1, &pid, 4) != 4) do_exit = 1; + if (write(FORKSRV_FD + 1, &status, 4) != 4) do_exit = 1; // fprintf(stderr, "write2 %d\n", do_exit); if (do_exit) exit(0); @@ -455,6 +444,19 @@ void setup_trap_instrumentation() { // It's an offset, parse it and do the patching. unsigned long offset = strtoul(line, NULL, 16); + + // I dont know what it is. /proc//maps shows the right start address + // and the offsets generated by the python scripts are fine as well. + // And loading the library into gdb also shows the offsets generated + // by the script are correct. However when loaded via dlopen the first + // 0x1000 are skipped ... +#if defined(__linux__) + if (offset >= 0x1000) + offset -= 0x1000; + else + fprintf(stderr, "Warning: offset is < 0x1000: %x\n", offset); +#endif + if (offset > lib_size) FATAL("Invalid offset: 0x%lx. Current library is 0x%zx bytes large", offset, lib_size); @@ -482,11 +484,10 @@ void setup_trap_instrumentation() { // this will be ARM and AARCH64 // for ARM we will need to identify if the code is in thumb or ARM #error "non x86_64 not supported yet" - //__arm__ + //__arm__: // linux thumb: 0xde01 - // linux thumb2: 0xf7f0a000 // linux arm: 0xe7f001f0 - //__aarch64__ + //__aarch64__: // linux aarch64: 0xd4200000 #endif @@ -510,6 +511,8 @@ void setup_trap_instrumentation() { } +/* the signal handler for the traps / debugging interrupts + No debug output here because this would cost speed */ static void sigtrap_handler(int signum, siginfo_t *si, void *context) { uint64_t addr; @@ -525,31 +528,25 @@ static void sigtrap_handler(int signum, siginfo_t *si, void *context) { #error "Unsupported platform" #endif - if (debug) - fprintf(stderr, "TRAP at context addr = %lx, fault addr = %lx\n", addr, - si->si_addr); + //fprintf(stderr, "TRAP at context addr = %lx, fault addr = %lx\n", addr, si->si_addr); // If the trap didn't come from our instrumentation, then we probably will // just segfault here uint8_t *faultaddr; - if (si->si_addr) + if (unlikely(si->si_addr)) faultaddr = (u8 *)si->si_addr - 1; else faultaddr = (u8 *)addr; - // u8 *loc = SHADOW(faultaddr); - if (debug) - fprintf(stderr, "Shadow location: %p\n", SHADOW(faultaddr)); + //if (debug) fprintf(stderr, "Shadow location: %p\n", SHADOW(faultaddr)); uint32_t shadow = *SHADOW(faultaddr); uint8_t orig_byte = shadow & 0xff; uint32_t index = shadow >> 8; - if (debug) - fprintf(stderr, "shadow data: %x, orig_byte %02x, index %d\n", shadow, - orig_byte, index); + //if (debug) fprintf(stderr, "shadow data: %x, orig_byte %02x, index %d\n", shadow, orig_byte, index); // Index zero is invalid so that it is still possible to catch actual trap // instructions in instrumented libraries. - if (index == 0) abort(); + if (unlikely(index == 0)) abort(); // Restore original instruction *faultaddr = orig_byte; @@ -561,6 +558,7 @@ static void sigtrap_handler(int signum, siginfo_t *si, void *context) { /* here you need to specify the parameter for the target function */ static void *(*o_function)(u8 *buf, int len); +/* the MAIN function */ int main(int argc, char *argv[]) { pid = getpid(); @@ -579,11 +577,11 @@ int main(int argc, char *argv[]) { // inclusive of the cleanup functions // NOTE: above the main() you have to define the functions! - /* setup the target */ void *dl = dlopen("./libtestinstr.so", RTLD_LAZY); if (!dl) FATAL("could not find target library"); o_function = dlsym(dl, "testinstr"); if (!o_function) FATAL("could not resolve target function from library"); + if (debug) fprintf(stderr, "Function address: %p\n", o_function); // END STEP 2 @@ -595,42 +593,33 @@ int main(int argc, char *argv[]) { while (1) { -#ifdef USE_FORK if ((pid = fork()) == -1) PFATAL("fork failed"); + if (pid) { u32 status; if (waitpid(pid, &status, 0) < 0) exit(1); + /* report the test case is done and wait for the next */ + __afl_end_testcase(status); } else { -#endif pid = getpid(); while ((len = __afl_next_testcase(buf, sizeof(buf))) > 0) { -#ifdef USE_FORK + // in this function the fuzz magic happens, this is STEP 3 fuzz(); -#else - if (pthread_create(&__afl_thread, NULL, (void *)fuzz, NULL) != 0) - PFATAL("cannot create thread"); - pthread_join(__afl_thread, NULL); -#endif - /* report the test case is done and wait for the next */ - __afl_end_testcase(); -#ifdef USE_FORK - exit(0); -#endif + // we can use _exit which is faster because our target library + // was loaded via dlopen and there cannot have deconstructors + // registered. + _exit(0); } -#ifdef USE_FORK - } -#endif - } return 0; @@ -651,9 +640,4 @@ static void fuzz() { // END STEP 3 -#ifndef USE_FORK - pthread_exit(NULL); -#endif - } - diff --git a/examples/afl_untracer/patches.txt b/examples/afl_untracer/patches.txt new file mode 100644 index 00000000..b3063e3a --- /dev/null +++ b/examples/afl_untracer/patches.txt @@ -0,0 +1,23 @@ +libtestinstr.so:0x2000L +0x1050L +0x1063L +0x106fL +0x1078L +0x1080L +0x10a4L +0x10b0L +0x10b8L +0x10c0L +0x10c9L +0x10d7L +0x10e3L +0x10f8L +0x1100L +0x1105L +0x111aL +0x1135L +0x1143L +0x114eL +0x115cL +0x116aL +0x116bL diff --git a/include/forkserver.h b/include/forkserver.h index 3c473572..7e7784f5 100644 --- a/include/forkserver.h +++ b/include/forkserver.h @@ -43,6 +43,7 @@ typedef struct afl_forkserver { s32 fsrv_pid, /* PID of the fork server */ child_pid, /* PID of the fuzzed program */ + child_status, /* waitpid result for the child */ out_dir_fd; /* FD of the lock file */ s32 out_fd, /* Persistent fd for fsrv->out_file */ diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index d5a60077..a9e2175d 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -790,8 +790,6 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout, s32 res; u32 exec_ms; - int status = 0; - /* After this memset, fsrv->trace_bits[] are effectively volatile, so we must prevent any earlier operations from venturing into that territory. */ @@ -821,7 +819,7 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout, if (fsrv->child_pid <= 0) { FATAL("Fork server is misbehaving (OOM?)"); } - exec_ms = read_timed(fsrv->fsrv_st_fd, &status, 4, timeout, stop_soon_p); + exec_ms = read_timed(fsrv->fsrv_st_fd, &fsrv->child_status, 4, timeout, stop_soon_p); if (exec_ms > timeout) { @@ -830,7 +828,7 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout, kill(fsrv->child_pid, SIGKILL); fsrv->last_run_timed_out = 1; - if (read(fsrv->fsrv_st_fd, &status, 4) < 4) { exec_ms = 0; } + if (read(fsrv->fsrv_st_fd, &fsrv->child_status, 4) < 4) { exec_ms = 0; } } @@ -862,7 +860,7 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout, } - if (!WIFSTOPPED(status)) { fsrv->child_pid = 0; } + if (!WIFSTOPPED(fsrv->child_status)) { fsrv->child_pid = 0; } fsrv->total_execs++; @@ -874,9 +872,9 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout, /* Report outcome to caller. */ - if (WIFSIGNALED(status) && !*stop_soon_p) { + if (WIFSIGNALED(fsrv->child_status) && !*stop_soon_p) { - fsrv->last_kill_signal = WTERMSIG(status); + fsrv->last_kill_signal = WTERMSIG(fsrv->child_status); if (fsrv->last_run_timed_out && fsrv->last_kill_signal == SIGKILL) { @@ -891,7 +889,7 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout, /* A somewhat nasty hack for MSAN, which doesn't support abort_on_error and must use a special exit code. */ - if (fsrv->uses_asan && WEXITSTATUS(status) == MSAN_ERROR) { + if (fsrv->uses_asan && WEXITSTATUS(fsrv->child_status) == MSAN_ERROR) { fsrv->last_kill_signal = 0; return FSRV_RUN_CRASH; -- cgit 1.4.1 From 1c53bbea52cfecf6c886bb441f1c99c1ae28b0e6 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sun, 3 May 2020 14:09:32 +0200 Subject: doubled the speed of afl_network_proxy --- examples/afl_network_proxy/Makefile | 24 +---- examples/afl_network_proxy/README.md | 21 ++-- examples/afl_network_proxy/afl-network-client.c | 119 ++++++++++++++++++-- examples/afl_network_proxy/afl-network-server.c | 138 +++++++++++++++++++++--- 4 files changed, 246 insertions(+), 56 deletions(-) (limited to 'examples/afl_network_proxy/README.md') diff --git a/examples/afl_network_proxy/Makefile b/examples/afl_network_proxy/Makefile index eeee1178..0b306dde 100644 --- a/examples/afl_network_proxy/Makefile +++ b/examples/afl_network_proxy/Makefile @@ -1,22 +1,2 @@ -PREFIX ?= /usr/local -BIN_PATH = $(PREFIX)/bin -DOC_PATH = $(PREFIX)/share/doc/afl - -PROGRAMS = afl-network-client afl-network-server - -all: $(PROGRAMS) - -afl-network-client: afl-network-client.c - $(CC) -I../../include -o afl-network-client afl-network-client.c - -afl-network-server: afl-network-server.c - $(CC) -I../../include -o afl-network-server afl-network-server.c ../../src/afl-forkserver.c ../../src/afl-sharedmem.c ../../src/afl-common.c -DBIN_PATH=\"$(BIN_PATH)\" - -clean: - rm -f $(PROGRAMS) *~ core - -install: all - install -d -m 755 $${DESTDIR}$(BIN_PATH) $${DESTDIR}$(DOC_PATH) - install -m 755 $(PROGRAMS) $${DESTDIR}$(BIN_PATH) - install -m 644 README.md $${DESTDIR}$(DOC_PATH)/README.network_proxy.md - \ No newline at end of file +all: + @echo please use GNU make, thanks! diff --git a/examples/afl_network_proxy/README.md b/examples/afl_network_proxy/README.md index c33096be..84ebfa48 100644 --- a/examples/afl_network_proxy/README.md +++ b/examples/afl_network_proxy/README.md @@ -12,6 +12,14 @@ Note that the impact on fuzzing speed will be huge, expect a loss of 90%. ## how to get it running +### Compiling + +Just type `make` and let the autodetection do everything for you. + +Note that compression is supported but currently disabled. It seems that +sending 64kb of map data over TCP is faster than compressing it with the +fastest algorithm and options to 112 byte and sending this. Weird. + ### on the target Run `afl-network-server` with your target with the -m and -t values you need. @@ -40,16 +48,11 @@ The TARGET can be an IPv4 or IPv6 address, or a host name that resolves to either. Note that also the outgoing interface can be specified with a '%' for `afl-network-client`, e.g. `fe80::1234%eth0`. +Also make sure your middle value of `/proc/sys/net/ipv4/tcp_rmem` is larger +than your MAP_SIZE (130kb is a good value). This is the default TCP window +size value. + ## how to compile and install `make && sudo make install` -## Future - -It would be much faster and more effective if `afl-network-server` does not -send the map data back (64kb or more) but the checksum that `afl-fuzz` would -generate. This change however would make it incompatible with existing -afl spinoffs. - -But in the future this will be implemented and supported as a compile option. - diff --git a/examples/afl_network_proxy/afl-network-client.c b/examples/afl_network_proxy/afl-network-client.c index b9cd88f0..94f6bb42 100644 --- a/examples/afl_network_proxy/afl-network-client.c +++ b/examples/afl_network_proxy/afl-network-client.c @@ -41,6 +41,10 @@ #include #include +#ifdef USE_DEFLATE +#include +#endif + u8 *__afl_area_ptr; #ifdef __ANDROID__ @@ -206,7 +210,12 @@ int main(int argc, char *argv[]) { u8 * interface, *buf, *ptr; s32 s = -1; struct addrinfo hints, *hres, *aip; - u32 len, max_len = 65536; + u32 * lenptr, max_len = 65536; +#ifdef USE_DEFLATE + u8 * buf2; + u32 * lenptr1, *lenptr2, buf2_len, compress_len; + size_t decompress_len; +#endif if (argc < 3 || argc > 4) { @@ -235,8 +244,17 @@ int main(int argc, char *argv[]) { if ((__afl_map_size = atoi(ptr)) < 8) FATAL("illegal map size, may not be < 8 or >= 2^30: %s", ptr); - if ((buf = malloc(max_len)) == NULL) - PFATAL("can not allocate %u memory", max_len); + if ((buf = malloc(max_len + 4)) == NULL) + PFATAL("can not allocate %u memory", max_len + 4); + lenptr = (u32 *)buf; + +#ifdef USE_DEFLATE + buf2_len = (max_len > __afl_map_size ? max_len : __afl_map_size); + if ((buf2 = malloc(buf2_len + 8)) == NULL) + PFATAL("can not allocate %u memory", buf2_len + 8); + lenptr1 = (u32 *)buf2; + lenptr2 = (u32 *)(buf2 + 4); +#endif memset(&hints, 0, sizeof(hints)); hints.ai_socktype = SOCK_STREAM; @@ -258,28 +276,81 @@ int main(int argc, char *argv[]) { fprintf(stderr, "Warning: binding to interface is not supported for your OS\n"); #endif + +#ifdef SO_PRIORITY + int priority = 7; + if (setsockopt(s, SOL_SOCKET, SO_PRIORITY, &priority, sizeof(priority)) < + 0) { + + priority = 6; + if (setsockopt(s, SOL_SOCKET, SO_PRIORITY, &priority, + sizeof(priority)) < 0) + WARNF("could not set priority on socket"); + + } + +#endif + if (connect(s, aip->ai_addr, aip->ai_addrlen) == -1) s = -1; } } +#ifdef USE_DEFLATE + struct libdeflate_compressor *compressor; + compressor = libdeflate_alloc_compressor(1); + struct libdeflate_decompressor *decompressor; + decompressor = libdeflate_alloc_decompressor(); + fprintf(stderr, "Compile with compression support\n"); +#endif + if (s == -1) FATAL("could not connect to target tcp://%s:%s", argv[1], argv[2]); + else + fprintf(stderr, "Connected to target tcp://%s:%s\n", argv[1], argv[2]); /* we initialize the shared memory map and start the forkserver */ __afl_map_shm(); __afl_start_forkserver(); - int i = 1, j, status, ret; + int i = 1, j, status, ret, received; + // fprintf(stderr, "Waiting for first testcase\n"); - while ((len = __afl_next_testcase(buf, max_len)) > 0) { + while ((*lenptr = __afl_next_testcase(buf + 4, max_len)) > 0) { + + // fprintf(stderr, "Sending testcase with len %u\n", *lenptr); +#ifdef USE_DEFLATE + // we only compress the testcase if it does not fit in the TCP packet + if (*lenptr > 1500 - 20 - 32 - 4) { + + // set highest byte to signify compression + *lenptr1 = (*lenptr | 0xff000000); + *lenptr2 = (u32)libdeflate_deflate_compress(compressor, buf + 4, *lenptr, + buf2 + 8, buf2_len); + if (send(s, buf2, *lenptr2 + 8, 0) != *lenptr2 + 8) + PFATAL("sending test data failed"); + fprintf(stderr, "COMPRESS (%u->%u):\n", *lenptr, *lenptr2); + for (u32 i = 0; i < *lenptr; i++) + fprintf(stderr, "%02x", buf[i + 4]); + fprintf(stderr, "\n"); + for (u32 i = 0; i < *lenptr2; i++) + fprintf(stderr, "%02x", buf2[i + 8]); + fprintf(stderr, "\n"); + + } else { - // fprintf(stderr, "Sending testcase with len %u\n", len); - if (send(s, &len, 4, 0) != 4) PFATAL("sending size data %d failed", len); - if (send(s, buf, len, 0) != len) PFATAL("sending test data failed"); +#endif + if (send(s, buf, *lenptr + 4, 0) != *lenptr + 4) + PFATAL("sending test data failed"); +#ifdef USE_DEFLATE + // fprintf(stderr, "unCOMPRESS (%u)\n", *lenptr); - int received = 0; + } + +#endif + + received = 0; while (received < 4 && (ret = recv(s, &status + received, 4 - received, 0)) > 0) received += ret; @@ -288,12 +359,37 @@ int main(int argc, char *argv[]) { // fprintf(stderr, "Received status\n"); received = 0; +#ifdef USE_DEFLATE + while (received < 4 && + (ret = recv(s, &compress_len + received, 4 - received, 0)) > 0) + received += ret; + if (received != 4) + FATAL("did not receive compress_len (%d, %d)", received, ret); + // fprintf(stderr, "Received status\n"); + + received = 0; + while (received < compress_len && + (ret = recv(s, buf2 + received, buf2_len - received, 0)) > 0) + received += ret; + if (received != compress_len) + FATAL("did not receive coverage data (%d, %d)", received, ret); + + if (libdeflate_deflate_decompress(decompressor, buf2, compress_len, + __afl_area_ptr, __afl_map_size, + &decompress_len) != LIBDEFLATE_SUCCESS || + decompress_len != __afl_map_size) + FATAL("decompression failed"); +// fprintf(stderr, "DECOMPRESS (%u->%u): ", compress_len, decompress_len); +// for (u32 i = 0; i < __afl_map_size; i++) fprintf(stderr, "%02x", +// __afl_area_ptr[i]); fprintf(stderr, "\n"); +#else while (received < __afl_map_size && (ret = recv(s, __afl_area_ptr + received, __afl_map_size - received, 0)) > 0) received += ret; if (received != __afl_map_size) FATAL("did not receive coverage data (%d, %d)", received, ret); +#endif // fprintf(stderr, "Received coverage\n"); /* report the test case is done and wait for the next */ @@ -302,6 +398,11 @@ int main(int argc, char *argv[]) { } +#ifdef USE_DEFLATE + libdeflate_free_compressor(compressor); + libdeflate_free_decompressor(decompressor); +#endif + return 0; } diff --git a/examples/afl_network_proxy/afl-network-server.c b/examples/afl_network_proxy/afl-network-server.c index e069af3d..e4c3bc6d 100644 --- a/examples/afl_network_proxy/afl-network-server.c +++ b/examples/afl_network_proxy/afl-network-server.c @@ -61,13 +61,21 @@ #include #include +#ifdef USE_DEFLATE +#include +struct libdeflate_compressor * compressor; +struct libdeflate_decompressor *decompressor; +#endif + static u8 *in_file, /* Minimizer input test case */ *out_file; static u8 *in_data; /* Input data for trimming */ +static u8 *buf2; -static s32 in_len; -static u32 map_size = MAP_SIZE; +static s32 in_len; +static u32 map_size = MAP_SIZE; +static size_t buf2_len; static volatile u8 stop_soon; /* Ctrl-C pressed? */ @@ -335,25 +343,64 @@ static void usage(u8 *argv0) { int recv_testcase(int s, void **buf, size_t *max_len) { - int size, received = 0, ret; + u32 size; + s32 ret; + size_t received; + received = 0; while (received < 4 && (ret = recv(s, &size + received, 4 - received, 0)) > 0) received += ret; - if (received != 4) FATAL("did not receive size information"); - if (size < 1) FATAL("did not receive valid size information"); + if (size == 0) FATAL("did not receive valid size information"); // fprintf(stderr, "received size information of %d\n", size); - *buf = maybe_grow(buf, max_len, size); - // fprintf(stderr, "receiving testcase %p %p max %u\n", buf, *buf, *max_len); - received = 0; - while (received < size && - (ret = recv(s, ((char *)*buf) + received, size - received, 0)) > 0) - received += ret; + if ((size && 0xff000000) != 0xff000000) { + + *buf = maybe_grow(buf, max_len, size); + received = 0; + // fprintf(stderr, "unCOMPRESS (%u)\n", size); + while (received < size && + (ret = recv(s, ((char *)*buf) + received, size - received, 0)) > 0) + received += ret; + + } else { + +#ifdef USE_DEFLATE + u32 clen; + size = (size & 0x00ffffff); + *buf = maybe_grow(buf, max_len, size); + received = 0; + while (received < 4 && + (ret = recv(s, &clen + received, 4 - received, 0)) > 0) + received += ret; + if (received != 4) FATAL("did not receive size information"); + // fprintf(stderr, "received clen information of %d\n", clen); + if (clen < 1) + FATAL("did not receive valid compressed len information: %u", clen); + buf2 = maybe_grow((void **)&buf2, &buf2_len, clen); + received = 0; + while (received < clen && + (ret = recv(s, buf2 + received, clen - received, 0)) > 0) + received += ret; + if (received != clen) FATAL("did not receive compressed information"); + if (libdeflate_deflate_decompress(decompressor, buf2, clen, (char *)*buf, + *max_len, + &received) != LIBDEFLATE_SUCCESS) + FATAL("decompression failed"); + // fprintf(stderr, "DECOMPRESS (%u->%u):\n", clen, received); + // for (u32 i = 0; i < clen; i++) fprintf(stderr, "%02x", buf2[i]); + // fprintf(stderr, "\n"); + // for (u32 i = 0; i < received; i++) fprintf(stderr, "%02x", + // ((u8*)(*buf))[i]); fprintf(stderr, "\n"); +#else + FATAL("Received compressed data but not compiled with compression support"); +#endif + + } + // fprintf(stderr, "receiving testcase %p %p max %u\n", buf, *buf, *max_len); if (received != size) FATAL("did not receive testcase data %u != %u, %d", received, size, ret); - // fprintf(stderr, "received testcase\n"); return size; @@ -371,6 +418,10 @@ int main(int argc, char **argv_orig, char **envp) { int addrlen = sizeof(clientaddr); char str[INET6_ADDRSTRLEN]; char ** argv = argv_cpy_dup(argc, argv_orig); + u8 * send_buf; +#ifdef USE_DEFLATE + u32 *lenptr; +#endif afl_forkserver_t fsrv_var = {0}; afl_forkserver_t *fsrv = &fsrv_var; @@ -378,6 +429,8 @@ int main(int argc, char **argv_orig, char **envp) { map_size = get_map_size(); fsrv->map_size = map_size; + if ((send_buf = malloc(map_size + 4)) == NULL) PFATAL("malloc"); + while ((opt = getopt(argc, argv, "+i:f:m:t:QUWh")) > 0) { switch (opt) { @@ -553,6 +606,21 @@ int main(int argc, char **argv_orig, char **envp) { } #endif + +#ifdef SO_PRIORITY + int priority = 7; + if (setsockopt(sock, SOL_SOCKET, SO_PRIORITY, &priority, sizeof(priority)) < + 0) { + + priority = 6; + if (setsockopt(sock, SOL_SOCKET, SO_PRIORITY, &priority, sizeof(priority)) < + 0) + WARNF("could not set priority on socket"); + + } + +#endif + memset(&serveraddr, 0, sizeof(serveraddr)); serveraddr.sin6_family = AF_INET6; serveraddr.sin6_port = htons(port); @@ -566,6 +634,14 @@ int main(int argc, char **argv_orig, char **envp) { afl_fsrv_start(fsrv, use_argv, &stop_soon, get_afl_env("AFL_DEBUG_CHILD_OUTPUT") ? 1 : 0); +#ifdef USE_DEFLATE + compressor = libdeflate_alloc_compressor(1); + decompressor = libdeflate_alloc_decompressor(); + buf2 = maybe_grow((void **)&buf2, &buf2_len, map_size + 16); + lenptr = (u32 *)(buf2 + 4); + fprintf(stderr, "Compiled with compression support\n"); +#endif + fprintf(stderr, "Waiting for incoming connection from afl-network-client on port %d " "...\n", @@ -574,15 +650,40 @@ int main(int argc, char **argv_orig, char **envp) { if ((s = accept(sock, NULL, NULL)) < 0) { PFATAL("accept() failed"); } fprintf(stderr, "Received connection, starting ...\n"); +#ifdef SO_PRIORITY + priority = 7; + if (setsockopt(s, SOL_SOCKET, SO_PRIORITY, &priority, sizeof(priority)) < 0) { + + priority = 6; + if (setsockopt(s, SOL_SOCKET, SO_PRIORITY, &priority, sizeof(priority)) < 0) + WARNF("could not set priority on socket"); + + } + +#endif + while ((in_len = recv_testcase(s, (void **)&in_data, &max_len)) > 0) { // fprintf(stderr, "received %u\n", in_len); run_target(fsrv, use_argv, in_data, in_len, 1); - if (send(s, &fsrv->child_status, 4, 0) != 4) - FATAL("could not send waitpid data"); - if (send(s, fsrv->trace_bits, fsrv->map_size, 0) != fsrv->map_size) - FATAL("could not send coverage data"); + memcpy(send_buf + 4, fsrv->trace_bits, fsrv->map_size); + +#ifdef USE_DEFLATE + memcpy(buf2, &fsrv->child_status, 4); + *lenptr = (u32)libdeflate_deflate_compress( + compressor, send_buf + 4, fsrv->map_size, buf2 + 8, buf2_len - 8); + // fprintf(stderr, "COMPRESS (%u->%u): ", fsrv->map_size, *lenptr); + // for (u32 i = 0; i < fsrv->map_size; i++) fprintf(stderr, "%02x", + // fsrv->trace_bits[i]); fprintf(stderr, "\n"); + if (send(s, buf2, *lenptr + 8, 0) != 8 + *lenptr) + FATAL("could not send data"); +#else + memcpy(send_buf, &fsrv->child_status, 4); + if (send(s, send_buf, fsrv->map_size + 4, 0) != 4 + fsrv->map_size) + FATAL("could not send data"); +#endif + // fprintf(stderr, "sent result\n"); } @@ -595,6 +696,11 @@ int main(int argc, char **argv_orig, char **envp) { afl_fsrv_deinit(fsrv); if (fsrv->target_path) { ck_free(fsrv->target_path); } if (in_data) { ck_free(in_data); } +#if USE_DEFLATE + if (buf2) { ck_free(buf2); } + libdeflate_free_compressor(compressor); + libdeflate_free_decompressor(decompressor); +#endif argv_cpy_free(argv); -- cgit 1.4.1 From 945e00b73fde56f98235a03472b4af1539983f80 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 4 May 2020 12:51:38 +0200 Subject: final touches for afl_network_proxy --- examples/afl_network_proxy/GNUmakefile | 24 ++++++++---------------- examples/afl_network_proxy/README.md | 11 +++++++---- 2 files changed, 15 insertions(+), 20 deletions(-) (limited to 'examples/afl_network_proxy/README.md') diff --git a/examples/afl_network_proxy/GNUmakefile b/examples/afl_network_proxy/GNUmakefile index 93eee4c1..99221d10 100644 --- a/examples/afl_network_proxy/GNUmakefile +++ b/examples/afl_network_proxy/GNUmakefile @@ -10,27 +10,19 @@ ifdef STATIC CFLAGS += -static endif -ifdef USE_DEFLATE - CFLAGS += -DUSE_DEFLATE=1 - LDFLAGS += -ldeflate - $(info activating libdeflate-dev for compressing) +ifeq "$(shell echo '$(HASH)include @int main() { struct libdeflate_compressor *d = libdeflate_alloc_compressor(1); return 0;}' | tr @ '\n' | $(CC) $(CFLAGS) -x c - -o .test2 -ldeflate 2>/dev/null && echo 1 || echo 0 ; rm -f .test2 )" "1" + CFLAGS += -ldeflate -DUSE_DEFLATE=1 + $(info libdeflate-dev was detected, using compressing) +else + $(warn did not find libdeflate-dev, cannot use compression) endif -# Disables because compression is slower -# sending 64kb instead of compressing to 112bytes is slower? weird ... -#ifeq "$(shell echo '$(HASH)include @int main() { struct libdeflate_compressor *d = libdeflate_alloc_compressor(1); return 0;}' | tr @ '\n' | $(CC) $(CFLAGS) -x c - -o .test2 -ldeflate 2>/dev/null && echo 1 || echo 0 ; rm -f .test2 )" "1" -# CFLAGS += -ldeflate -DUSE_DEFLATE=1 -# $(info libdeflate-dev was detected, using compressing) -#else -# $(warn did not find libdeflate-dev, cannot use compression) -#endif - all: $(PROGRAMS) help: @echo make options: - echo STATIC - build as static binaries - echo USE_DEFLATE - build with compression library + @echo STATIC - build as static binaries + @echo COMPRESS_TESTCASES - compress test cases afl-network-client: afl-network-client.c $(CC) $(CFLAGS) -I../../include -o afl-network-client afl-network-client.c $(LDFLAGS) @@ -44,5 +36,5 @@ clean: install: all install -d -m 755 $${DESTDIR}$(BIN_PATH) $${DESTDIR}$(DOC_PATH) install -m 755 $(PROGRAMS) $${DESTDIR}$(BIN_PATH) - install -m 644 README.md $${DESTDIR}$(DOC_PATH)/README.network_proxy.md + install -T -m 644 README.md $${DESTDIR}$(DOC_PATH)/README.network_proxy.md diff --git a/examples/afl_network_proxy/README.md b/examples/afl_network_proxy/README.md index 84ebfa48..255be0d8 100644 --- a/examples/afl_network_proxy/README.md +++ b/examples/afl_network_proxy/README.md @@ -16,9 +16,12 @@ Note that the impact on fuzzing speed will be huge, expect a loss of 90%. Just type `make` and let the autodetection do everything for you. -Note that compression is supported but currently disabled. It seems that -sending 64kb of map data over TCP is faster than compressing it with the -fastest algorithm and options to 112 byte and sending this. Weird. +Note that you will get a 40-50% performance increase if you have libdeflate-dev +installed. The GNUmakefile will autodetect it if present. + +If your target has large test cases (10+kb) that are ascii only or large chunks +of zero blocks then set `CFLAGS=-DCOMPRESS_TESTCASES=1` to compress them. +For most targets this hurts performance though so it is disabled by default. ### on the target @@ -29,7 +32,7 @@ e.g.: $ afl-network-server -i 1111 -m 25M -t 1000 -- /bin/target -f @@ ``` -### on the fuzzing master +### on the (afl-fuzz) master Just run afl-fuzz with your normal options, however the target should be `afl-network-client` with the IP and PORT of the `afl-network-server` and -- cgit 1.4.1 From dc795331910bb0f0b31a3eb66ccb71432d0a4e22 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Tue, 5 May 2020 20:29:40 +0200 Subject: more typos fixed --- examples/afl_network_proxy/README.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) (limited to 'examples/afl_network_proxy/README.md') diff --git a/examples/afl_network_proxy/README.md b/examples/afl_network_proxy/README.md index 255be0d8..42c0b71b 100644 --- a/examples/afl_network_proxy/README.md +++ b/examples/afl_network_proxy/README.md @@ -26,7 +26,7 @@ For most targets this hurts performance though so it is disabled by default. ### on the target Run `afl-network-server` with your target with the -m and -t values you need. -Important is the -i parameter which is the TCP port to liste on. +Important is the -i parameter which is the TCP port to listen on. e.g.: ``` $ afl-network-server -i 1111 -m 25M -t 1000 -- /bin/target -f @@ @@ -40,9 +40,9 @@ increase the -t value: ``` $ afl-fuzz -i in -o out -t 2000+ -- afl-network-client TARGET-IP 1111 ``` -Note the '+' on the -t parameter value. the afl-network-server will take -care of proper timeouts hence afl-fuzz should not. The '+' increases the timout -and the value itself should be 500-1000 higher than the one on +Note the '+' on the -t parameter value. The afl-network-server will take +care of proper timeouts hence afl-fuzz should not. The '+' increases the +timeout and the value itself should be 500-1000 higher than the one on afl-network-server. ### networking @@ -51,9 +51,9 @@ The TARGET can be an IPv4 or IPv6 address, or a host name that resolves to either. Note that also the outgoing interface can be specified with a '%' for `afl-network-client`, e.g. `fe80::1234%eth0`. -Also make sure your middle value of `/proc/sys/net/ipv4/tcp_rmem` is larger -than your MAP_SIZE (130kb is a good value). This is the default TCP window -size value. +Also make sure your default TCP window size is larger than your MAP_SIZE +(130kb is a good value). +On Linux that is the middle value of `/proc/sys/net/ipv4/tcp_rmem` ## how to compile and install -- cgit 1.4.1