From 6553e24b228459eac8f5c2deeec768b88c73426f Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Sun, 30 Oct 2022 15:26:17 +0100 Subject: add env --- include/envs.h | 1 + 1 file changed, 1 insertion(+) (limited to 'include') diff --git a/include/envs.h b/include/envs.h index 0731e86e..68d83f8c 100644 --- a/include/envs.h +++ b/include/envs.h @@ -42,6 +42,7 @@ static char *afl_environment_variables[] = { "AFL_DEBUG", "AFL_DEBUG_CHILD", "AFL_DEBUG_GDB", + "AFL_DEBUG_UNICORN", "AFL_DISABLE_TRIM", "AFL_DISABLE_LLVM_INSTRUMENTATION", "AFL_DONT_OPTIMIZE", -- cgit 1.4.1 From c5f8869778b237f89cc4c12c1961a9ef559179b8 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Fri, 11 Nov 2022 10:46:45 +0100 Subject: afl_custom_fuzz_send added --- docs/Changelog.md | 8 ++++++-- docs/custom_mutators.md | 10 ++++++++++ include/afl-fuzz.h | 13 +++++++++++++ src/afl-fuzz-mutators.c | 8 ++++++++ src/afl-fuzz-python.c | 45 +++++++++++++++++++++++++++++++++++++++++++++ src/afl-fuzz-run.c | 42 +++++++++++++++++++++++++++++++++++++----- utils/afl_proxy/README.md | 5 +++++ 7 files changed, 124 insertions(+), 7 deletions(-) (limited to 'include') diff --git a/docs/Changelog.md b/docs/Changelog.md index 38e2e6bc..b975fa76 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -4,8 +4,12 @@ release of the tool. See README.md for the general instruction manual. ### Version ++4.05a (dev) - - your PR? :) - + - afl-fuzz: + - added afl_custom_fuzz_send custom mutator feature. Now your can + send fuzz data to the target as you need, e.g. via IPC. + - afl-showmap/afl-cmin + - -t none now translates to -t 120000 (120 seconds) + - unicorn_mode updated ### Version ++4.04c (release) - fix gramatron and grammar_mutator build scripts diff --git a/docs/custom_mutators.md b/docs/custom_mutators.md index ffd3cce8..ecc004e2 100644 --- a/docs/custom_mutators.md +++ b/docs/custom_mutators.md @@ -57,6 +57,7 @@ int afl_custom_post_trim(void *data, unsigned char success); size_t afl_custom_havoc_mutation(void *data, unsigned char *buf, size_t buf_size, unsigned char **out_buf, size_t max_size); unsigned char afl_custom_havoc_mutation_probability(void *data); unsigned char afl_custom_queue_get(void *data, const unsigned char *filename); +void (*afl_custom_fuzz_send)(void *data, const u8 *buf, size_t buf_size); u8 afl_custom_queue_new_entry(void *data, const unsigned char *filename_new_queue, const unsigned int *filename_orig_queue); const char* afl_custom_introspection(my_mutator_t *data); void afl_custom_deinit(void *data); @@ -98,6 +99,9 @@ def havoc_mutation_probability(): def queue_get(filename): return True +def fuzz_send(buf): + pass + def queue_new_entry(filename_new_queue, filename_orig_queue): return False @@ -168,6 +172,12 @@ def deinit(): # optional for Python to the target, e.g. if it is too short, too corrupted, etc. If so, return a NULL buffer and zero length (or a 0 length string in Python). +- `fuzz_send` (optional): + + This method can be used if you want to send data to the target yourself, + e.g. via IPC. This replaces some usage of utils/afl_proxy but requires + that you start the target with afl-fuzz. + - `queue_new_entry` (optional): This methods is called after adding a new test case to the queue. If the diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index c8ca8e9b..a63b7493 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -968,6 +968,19 @@ struct custom_mutator { */ u8 (*afl_custom_queue_get)(void *data, const u8 *filename); + /** + * This method can be used if you want to send data to the target yourself, + * e.g. via IPC. This replaces some usage of utils/afl_proxy but requires + * that you start the target with afl-fuzz. + * + * (Optional) + * + * @param data pointer returned in afl_custom_init by this custom mutator + * @param buf Buffer containing the test case + * @param buf_size Size of the test case + */ + void (*afl_custom_fuzz_send)(void *data, const u8 *buf, size_t buf_size); + /** * Allow for additional analysis (e.g. calling a different tool that does a * different kind of coverage and saves this for the custom mutator). diff --git a/src/afl-fuzz-mutators.c b/src/afl-fuzz-mutators.c index b9daebfa..f3d0bc96 100644 --- a/src/afl-fuzz-mutators.c +++ b/src/afl-fuzz-mutators.c @@ -314,6 +314,14 @@ struct custom_mutator *load_custom_mutator(afl_state_t *afl, const char *fn) { } + /* "afl_custom_fuzz_send", optional */ + mutator->afl_custom_fuzz_send = dlsym(dh, "afl_custom_fuzz_send"); + if (!mutator->afl_custom_fuzz_send) { + + ACTF("optional symbol 'afl_custom_fuzz_send' not found."); + + } + /* "afl_custom_queue_new_entry", optional */ mutator->afl_custom_queue_new_entry = dlsym(dh, "afl_custom_queue_new_entry"); if (!mutator->afl_custom_queue_new_entry) { diff --git a/src/afl-fuzz-python.c b/src/afl-fuzz-python.c index a43d80bb..54b05978 100644 --- a/src/afl-fuzz-python.c +++ b/src/afl-fuzz-python.c @@ -246,6 +246,8 @@ static py_mutator_t *init_py_module(afl_state_t *afl, u8 *module_name) { PyObject_GetAttrString(py_module, "havoc_mutation_probability"); py_functions[PY_FUNC_QUEUE_GET] = PyObject_GetAttrString(py_module, "queue_get"); + py_functions[PY_FUNC_FUZZ_SEND] = + PyObject_GetAttrString(py_module, "fuzz_send"); py_functions[PY_FUNC_QUEUE_NEW_ENTRY] = PyObject_GetAttrString(py_module, "queue_new_entry"); py_functions[PY_FUNC_INTROSPECTION] = @@ -466,6 +468,12 @@ struct custom_mutator *load_custom_mutator_py(afl_state_t *afl, } + if (py_functions[PY_FUNC_FUZZ_SEND]) { + + mutator->afl_custom_fuzz_send = fuzz_send_py; + + } + if (py_functions[PY_FUNC_QUEUE_NEW_ENTRY]) { mutator->afl_custom_queue_new_entry = queue_new_entry_py; @@ -893,6 +901,43 @@ u8 queue_get_py(void *py_mutator, const u8 *filename) { } +void fuzz_send_py(void *py_mutator, const u8 *buf, size_t buf_size) { + + PyObject *py_args, *py_value; + + py_args = PyTuple_New(1); + py_value = PyByteArray_FromStringAndSize(buf, buf_size); + if (!py_value) { + + Py_DECREF(py_args); + FATAL("Failed to convert arguments"); + + } + + PyTuple_SetItem(py_args, 0, py_value); + + py_value = PyObject_CallObject( + ((py_mutator_t *)py_mutator)->py_functions[PY_FUNC_FUZZ_SEND], py_args); + Py_DECREF(py_args); + + if (py_value != NULL) { + + #if PY_MAJOR_VERSION >= 3 + u32 retcnt = (u32)PyLong_AsLong(py_value); + #else + u32 retcnt = PyInt_AsLong(py_value); + #endif + Py_DECREF(py_value); + + } else { + + PyErr_Print(); + FATAL("Call failed"); + + } + +} + u8 queue_new_entry_py(void *py_mutator, const u8 *filename_new_queue, const u8 *filename_orig_queue) { diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index ee4a3298..a680228d 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -133,9 +133,25 @@ write_to_testcase(afl_state_t *afl, void **mem, u32 len, u32 fix) { if (new_mem != *mem) { *mem = new_mem; } - /* everything as planned. use the potentially new data. */ - afl_fsrv_write_to_testcase(&afl->fsrv, *mem, new_size); - len = new_size; + if (unlikely(afl->custom_mutators_count)) { + + LIST_FOREACH(&afl->custom_mutator_list, struct custom_mutator, { + + if (el->afl_custom_fuzz_send) { + + el->afl_custom_fuzz_send(el->data, *mem, new_size); + + } + + }); + + } else { + + /* everything as planned. use the potentially new data. */ + afl_fsrv_write_to_testcase(&afl->fsrv, *mem, new_size); + len = new_size; + + } } else { @@ -149,8 +165,24 @@ write_to_testcase(afl_state_t *afl, void **mem, u32 len, u32 fix) { } - /* boring uncustom. */ - afl_fsrv_write_to_testcase(&afl->fsrv, *mem, len); + if (unlikely(afl->custom_mutators_count)) { + + LIST_FOREACH(&afl->custom_mutator_list, struct custom_mutator, { + + if (el->afl_custom_fuzz_send) { + + el->afl_custom_fuzz_send(el->data, *mem, len); + + } + + }); + + } else { + + /* boring uncustom. */ + afl_fsrv_write_to_testcase(&afl->fsrv, *mem, len); + + } } diff --git a/utils/afl_proxy/README.md b/utils/afl_proxy/README.md index 3c768a19..7965659d 100644 --- a/utils/afl_proxy/README.md +++ b/utils/afl_proxy/README.md @@ -7,3 +7,8 @@ You only need to change the while() loop of the main() to send the data of buf[] with length len to the target and write the coverage information to __afl_area_ptr[__afl_map_size] +UPDATE: you can also use [custom mutators](../../docs/custom_mutators.md) with +afl_custom_fuzz_send to send data to a target, which is much more efficient! +But you can only use this feature if you start the target via afl-fuzz and +a forkserver is active (e.g. via -Q qemu_mode or source compiled). + -- cgit 1.4.1 From bb81fb784e7c855fe230136a4878f68c33d0f98f Mon Sep 17 00:00:00 2001 From: guyf2010 Date: Sun, 13 Nov 2022 14:37:33 +0000 Subject: Add option for random cmplog colorization --- include/afl-fuzz.h | 2 +- src/afl-fuzz-redqueen.c | 13 ++++++++++++- src/afl-fuzz.c | 9 +++++++-- 3 files changed, 20 insertions(+), 4 deletions(-) (limited to 'include') diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index a63b7493..76d7f3f9 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -656,7 +656,7 @@ typedef struct afl_state { u32 cmplog_max_filesize; u32 cmplog_lvl; u32 colorize_success; - u8 cmplog_enable_arith, cmplog_enable_transform; + u8 cmplog_enable_arith, cmplog_enable_transform, cmplog_random_colorization; struct afl_pass_stat *pass_stats; struct cmp_map *orig_cmp_map; diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index 337f124d..aa0b3210 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -167,6 +167,13 @@ static u8 get_exec_checksum(afl_state_t *afl, u8 *buf, u32 len, u64 *cksum) { } +/* replace everything with different values */ +static void random_replace(afl_state_t *afl, u8 *buf, u32 len){ + for(u32 i=0; i < len; i++){ + buf[i] = rand_below(afl, 256); + } +} + /* replace everything with different values but stay in the same type */ static void type_replace(afl_state_t *afl, u8 *buf, u32 len) { @@ -293,7 +300,11 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, memcpy(backup, buf, len); memcpy(changed, buf, len); - type_replace(afl, changed, len); + if (afl->cmplog_random_colorization) { + random_replace(afl, changed, len); + } else { + type_replace(afl, changed, len); + } while ((rng = pop_biggest_range(&ranges)) != NULL && afl->stage_cur < afl->stage_max) { diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index acb0b2ec..a81cab7d 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -171,10 +171,11 @@ static void usage(u8 *argv0, int more_help) { " if using QEMU/FRIDA or the fuzzing target is " "compiled\n" " for CmpLog then just use -c 0.\n" - " -l cmplog_opts - CmpLog configuration values (e.g. \"2AT\"):\n" + " -l cmplog_opts - CmpLog configuration values (e.g. \"2ATR\"):\n" " 1=small files, 2=larger files (default), 3=all " "files,\n" - " A=arithmetic solving, T=transformational solving.\n\n" + " A=arithmetic solving, T=transformational solving,\n" + " R=random colorization bytes.\n\n" "Fuzzing behavior settings:\n" " -Z - sequential queue selection instead of weighted " "random\n" @@ -1113,6 +1114,10 @@ int main(int argc, char **argv_orig, char **envp) { case 'T': afl->cmplog_enable_transform = 1; break; + case 'r': + case 'R': + afl->cmplog_random_colorization = 1; + break; default: FATAL("Unknown option value '%c' in -l %s", *c, optarg); -- cgit 1.4.1 From e2ebebce83fd77cde020de35c723f14dd9d811df Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 14 Nov 2022 21:37:08 +0100 Subject: fix python --- include/afl-fuzz.h | 1 + 1 file changed, 1 insertion(+) (limited to 'include') diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index a63b7493..811417c9 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -333,6 +333,7 @@ enum { /* 11 */ PY_FUNC_QUEUE_NEW_ENTRY, /* 12 */ PY_FUNC_INTROSPECTION, /* 13 */ PY_FUNC_DESCRIBE, + /* 14 */ PY_FUNC_FUZZ_SEND, PY_FUNC_COUNT }; -- cgit 1.4.1 From 57257ce6564b4bf418f92318a4ecaf69a8269d1b Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 14 Nov 2022 21:41:07 +0100 Subject: fix python --- include/afl-fuzz.h | 1 + 1 file changed, 1 insertion(+) (limited to 'include') diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 811417c9..cae7fae0 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -1036,6 +1036,7 @@ struct custom_mutator *load_custom_mutator_py(afl_state_t *, char *); void finalize_py_module(void *); u32 fuzz_count_py(void *, const u8 *, size_t); +void fuzz_send_py(void *, const u8 *, size_t); size_t post_process_py(void *, u8 *, size_t, u8 **); s32 init_trim_py(void *, u8 *, size_t); s32 post_trim_py(void *, u8); -- cgit 1.4.1