From 62306f5ce87916396f8245db508dff889894f54c Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Tue, 2 Jun 2020 14:10:40 +0200 Subject: minor fixes --- unicorn_mode/samples/c/harness.c | 2 +- unicorn_mode/samples/persistent/Makefile | 2 +- unicorn_mode/samples/persistent/harness.c | 32 +++++++++++++++---------------- 3 files changed, 18 insertions(+), 18 deletions(-) (limited to 'unicorn_mode/samples') diff --git a/unicorn_mode/samples/c/harness.c b/unicorn_mode/samples/c/harness.c index 18c59c3f..4bda6e2d 100644 --- a/unicorn_mode/samples/c/harness.c +++ b/unicorn_mode/samples/c/harness.c @@ -184,7 +184,7 @@ int main(int argc, char **argv, char **envp) { // Map memory. mem_map_checked(uc, BASE_ADDRESS, len, UC_PROT_ALL); - printf("Len: %lx", len); + printf("Len: %lx\n", len); fflush(stdout); // write machine code to be emulated to memory diff --git a/unicorn_mode/samples/persistent/Makefile b/unicorn_mode/samples/persistent/Makefile index 9596facc..cd43bf02 100644 --- a/unicorn_mode/samples/persistent/Makefile +++ b/unicorn_mode/samples/persistent/Makefile @@ -44,7 +44,7 @@ harness: harness.o ${MYCC} -L${LIBDIR} harness.o ../../unicornafl/libunicornafl.a $(LDFLAGS) -o $@ debug: harness-debug.o - ${MYCC} -L${LIBDIR} harness.o ../../unicornafl/libunicornafl.a $(LDFLAGS) -o harness-debug + ${MYCC} -L${LIBDIR} harness-debug.o ../../unicornafl/libunicornafl.a $(LDFLAGS) -o harness-debug fuzz: harness ../../../afl-fuzz -m none -i sample_inputs -o out -- ./harness @@ diff --git a/unicorn_mode/samples/persistent/harness.c b/unicorn_mode/samples/persistent/harness.c index 3d379f46..2a27e39b 100644 --- a/unicorn_mode/samples/persistent/harness.c +++ b/unicorn_mode/samples/persistent/harness.c 
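Review bot: `printf("Len: %lx\n", len);` pairs `%lx` with a value that is presumably the `off_t` returned by the sample's file-mapping helper (the persistent sample's `afl_mmap_file` in this same series is declared to return `off_t`); `%lx` requires an `unsigned long` argument, so the format and argument only match by accident on LP64 and the call is undefined behaviour where `off_t` is a different type. A portable form is `printf("Len: %jx\n", (uintmax_t)len);`, which needs no knowledge of how `off_t` is defined on the build host. The identical line is changed in the `@@ -188,13 +188,13 @@` hunk of unicorn_mode/samples/persistent/harness.c and has the same issue. `main` starts before this hunk and continues past it.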
@@ -68,7 +68,7 @@ static void hook_code(uc_engine *uc, uint64_t address, uint32_t size, void *user /* The sample uses strlen, since we don't have a loader or libc, we'll fake it. -We know the strlen will return the lenght of argv[1] that we just planted. +We know the strlen will return the length of argv[1] that we just planted. It will be a lot faster than an actual strlen for this specific purpose. */ static void hook_strlen(uc_engine *uc, uint64_t address, uint32_t size, void *user_data) { @@ -86,7 +86,7 @@ static void hook_strlen(uc_engine *uc, uint64_t address, uint32_t size, void *us static uint64_t pad(uint64_t size) { if (size % ALIGNMENT == 0) return size; return ((size / ALIGNMENT) + 1) * ALIGNMENT; -} +} /* returns the filesize in bytes, -1 or error. */ static off_t afl_mmap_file(char *filename, char **buf_ptr) { @@ -100,9 +100,9 @@ static off_t afl_mmap_file(char *filename, char **buf_ptr) { off_t in_len = st.st_size; if (in_len == -1) { - /* This can only ever happen on 32 bit if the file is exactly 4gb. */ - fprintf(stderr, "Filesize of %s too large\n", filename); - goto exit; + /* This can only ever happen on 32 bit if the file is exactly 4gb. */ + fprintf(stderr, "Filesize of %s too large\n", filename); + goto exit; } *buf_ptr = mmap(0, in_len, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0); @@ -117,10 +117,10 @@ exit: /* Place the input at the right spot inside unicorn */ static bool place_input_callback( - uc_engine *uc, - char *input, - size_t input_len, - uint32_t persistent_round, + uc_engine *uc, + char *input, + size_t input_len, + uint32_t persistent_round, void *data ){ // printf("Placing input with len %ld to %x\n", input_len, DATA_ADDRESS); 
@@ -134,7 +134,7 @@ static bool place_input_callback( // Set up the function parameters accordingly RSI, RDI (see calling convention/disassembly) uc_reg_write(uc, UC_X86_REG_RSI, &INPUT_LOCATION); // argv uc_reg_write(uc, UC_X86_REG_RDI, &EMULATED_ARGC); // argc == 2 - + // We need a valid c string, make sure it never goes out of bounds. input[input_len-1] = '\0'; // Write the testcase to unicorn. @@ -188,13 +188,13 @@ int main(int argc, char **argv, char **envp) { return -2; } if (len == 0) { - fprintf(stderr, "File at '%s' is empty\n", BINARY_FILE); - return -3; + fprintf(stderr, "File at '%s' is empty\n", BINARY_FILE); + return -3; } // Map memory. mem_map_checked(uc, BASE_ADDRESS, len, UC_PROT_ALL); - printf("Len: %lx", len); + printf("Len: %lx\n", len); fflush(stdout); // write machine code to be emulated to memory @@ -209,7 +209,7 @@ int main(int argc, char **argv, char **envp) { uint64_t start_address = CODE_ADDRESS; // address of entry point of main() uint64_t end_address = END_ADDRESS; // Address of last instruction in main() uc_reg_write(uc, UC_X86_REG_RIP, &start_address); // address of entry point of main() - + // Setup the Stack mem_map_checked(uc, STACK_ADDRESS - STACK_SIZE, STACK_SIZE, UC_PROT_READ | UC_PROT_WRITE); uint64_t stack_val = STACK_ADDRESS; @@ -219,7 +219,7 @@ int main(int argc, char **argv, char **envp) { // reserve some space for our input data mem_map_checked(uc, INPUT_LOCATION, INPUT_SIZE_MAX, UC_PROT_READ); - // build a "dummy" argv with lenth 2 at 0x10000: + // build a "dummy" argv with lenth 2 at 0x10000: // 0x10000 argv[0] NULL // 0x10008 argv[1] (char *)0x10016 --. points to the next offset. // 0x10016 argv[1][0], ... <-^ contains the acutal input data. (INPUT_LOCATION + INPUT_OFFSET) @@ -264,6 +264,6 @@ int main(int argc, char **argv, char **envp) { break; default: break; - } + } return 0; } -- cgit 1.4.1 From c2c128dd679f1bce6f2f476c6882041184113a25 Mon Sep 17 00:00:00 2001 
From: Toralf Förster Date: Sat, 6 Jun 2020 16:41:40 +0200 Subject: unicorn_mode/samples/persistent/harness.c: fix comment MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Toralf Förster --- unicorn_mode/samples/persistent/harness.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'unicorn_mode/samples') diff --git a/unicorn_mode/samples/persistent/harness.c b/unicorn_mode/samples/persistent/harness.c index 2a27e39b..a30af109 100644 --- a/unicorn_mode/samples/persistent/harness.c +++ b/unicorn_mode/samples/persistent/harness.c @@ -219,7 +219,7 @@ int main(int argc, char **argv, char **envp) { // reserve some space for our input data mem_map_checked(uc, INPUT_LOCATION, INPUT_SIZE_MAX, UC_PROT_READ); - // build a "dummy" argv with lenth 2 at 0x10000: + // build a "dummy" argv with length 2 at 0x10000: // 0x10000 argv[0] NULL // 0x10008 argv[1] (char *)0x10016 --. points to the next offset. // 0x10016 argv[1][0], ... <-^ contains the acutal input data. (INPUT_LOCATION + INPUT_OFFSET) -- cgit 1.4.1 From 92b8c5bb6037cb6626682653eacaa124504c592b Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Tue, 9 Jun 2020 03:03:21 +0200 Subject: fixed shmap fuzzing --- llvm_mode/afl-llvm-rt.o.c | 19 ++++++++------- qemu_mode/patches/afl-qemu-cpu-inl.h | 14 ++++++----- src/afl-forkserver.c | 2 +- src/afl-fuzz-init.c | 28 +++++++++------------- unicorn_mode/UNICORNAFL_VERSION | 2 +- .../samples/compcov_x64/compcov_test_harness.py | 12 +++++----- unicorn_mode/samples/persistent/Makefile | 2 +- unicorn_mode/samples/persistent/harness.c | 10 ++++++++ unicorn_mode/unicornafl | 2 +- 9 files changed, 50 insertions(+), 41 deletions(-) (limited to 'unicorn_mode/samples') diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c index e039d42e..cc1c7c20 100644 --- a/llvm_mode/afl-llvm-rt.o.c +++ b/llvm_mode/afl-llvm-rt.o.c 
@@ -122,6 +122,8 @@ static void __afl_map_shm_fuzz() { if (id_str) { + u8 *map = NULL; + #ifdef USEMMAP const char * shm_file_path = id_str; int shm_fd = -1; @@ -137,26 +139,29 @@ static void __afl_map_shm_fuzz() { } - __afl_fuzz_len = (u32 *)mmap(0, MAX_FILE, PROT_READ, MAP_SHARED, shm_fd, 0); + map = (u8 *)mmap(0, MAX_FILE, PROT_READ, MAP_SHARED, shm_fd, 0); #else u32 shm_id = atoi(id_str); - - __afl_fuzz_len = (u32 *)shmat(shm_id, NULL, 0); + map = (u8 *)shmat(shm_id, NULL, 0); #endif /* Whooooops. */ - if (__afl_fuzz_len == (void *)-1) { + if (!map || map == (void *)-1) { - fprintf(stderr, "Error: could not access fuzzing shared memory\n"); + perror("Could not access fuzzign shared memory"); exit(1); } - if (getenv("AFL_DEBUG")) + __afl_fuzz_len = (u32 *)map; + __afl_fuzz_ptr = (u8 *)(map + sizeof(u32)); + + if (getenv("AFL_DEBUG")) { fprintf(stderr, "DEBUG: successfully got fuzzing shared memory\n"); + } } else { @@ -165,8 +170,6 @@ static void __afl_map_shm_fuzz() { } - __afl_fuzz_ptr = (u8 *)(__afl_fuzz_len + sizeof(int)); - } /* SHM setup. */ diff --git a/qemu_mode/patches/afl-qemu-cpu-inl.h b/qemu_mode/patches/afl-qemu-cpu-inl.h index e4953cb1..8dea004e 100644 --- a/qemu_mode/patches/afl-qemu-cpu-inl.h +++ b/qemu_mode/patches/afl-qemu-cpu-inl.h @@ -147,20 +147,22 @@ static void afl_map_shm_fuzz(void) { if (id_str) { u32 shm_id = atoi(id_str); - shared_buf_len = (u32 *)shmat(shm_id, NULL, 0); - shared_buf = (u8 *)(shared_buf_len + sizeof(int)); - + u8 *map = (u8 *)shmat(shm_id, NULL, 0); /* Whooooops. */ - if (shared_buf == (void *)-1) { + if (!map || map == (void *)-1) { - fprintf(stderr, "[AFL] ERROR: could not access fuzzing shared memory\n"); + perror("[AFL] ERROR: could not access fuzzing shared memory"); exit(1); } - if (getenv("AFL_DEBUG")) + shared_buf_len = (u32 *)map; + shared_buf = map + sizeof(u32); + + if (getenv("AFL_DEBUG")) { fprintf(stderr, "[AFL] DEBUG: successfully got fuzzing shared memory\n"); + } } else { 
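Review bot: The new error path in the `@@ -137,26 +139,29 @@` hunk misspells the message users see when the shared-memory handoff fails, `perror("Could not access fuzzign shared memory");`; it should read `perror("Could not access fuzzing shared memory");`. In the same hunk the `#ifdef USEMMAP` branch maps the test-case region `PROT_READ`, but the `#else` branch attaches it with `shmat(shm_id, NULL, 0)`, i.e. read-write, even though the instrumented target is presumably only a reader of `__afl_fuzz_len`/`__afl_fuzz_ptr`; `shmat(shm_id, NULL, SHM_RDONLY)` would give both branches the same least-privilege mapping and stop a misbehaving target from scribbling over the fuzzer's input buffer. The same read-write `shmat` appears in the `@@ -147,20 +147,22 @@` hunk of qemu_mode/patches/afl-qemu-cpu-inl.h. `__afl_map_shm_fuzz` starts before these hunks and continues past them.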
diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 505fb7a3..36126aa7 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -835,7 +835,7 @@ void afl_fsrv_write_to_testcase(afl_forkserver_t *fsrv, u8 *buf, size_t len) { *fsrv->shmem_fuzz_len = len; memcpy(fsrv->shmem_fuzz, buf, len); - // fprintf(stderr, "test case len: %u\n", *fsrv->shmem_fuzz_len); + //printf("test case len: %u [0]:0x%02x\n", *fsrv->shmem_fuzz_len, buf[0]); fflush(stdout); } else { diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 96d4fc46..54d65b9e 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -1960,28 +1960,22 @@ void setup_testcase_shmem(afl_state_t *afl) { afl->shm_fuzz = ck_alloc(sizeof(sharedmem_t)); // we need to set the non-instrumented mode to not overwrite the SHM_ENV_VAR - if ((afl->fsrv.shmem_fuzz_len = - (u32 *)afl_shm_init(afl->shm_fuzz, MAX_FILE + sizeof(int), 1))) { + u8 *map = afl_shm_init(afl->shm_fuzz, MAX_FILE + sizeof(u32), 1); + + if (!map) { FATAL("BUG: Zero return from afl_shm_init."); } #ifdef USEMMAP - setenv(SHM_FUZZ_ENV_VAR, afl->shm_fuzz->g_shm_file_path, 1); + setenv(SHM_FUZZ_ENV_VAR, afl->shm_fuzz->g_shm_file_path, 1); #else - u8 *shm_str; - shm_str = alloc_printf("%d", afl->shm_fuzz->shm_id); - setenv(SHM_FUZZ_ENV_VAR, shm_str, 1); - ck_free(shm_str); + u8 *shm_str = alloc_printf("%d", afl->shm_fuzz->shm_id); + setenv(SHM_FUZZ_ENV_VAR, shm_str, 1); + ck_free(shm_str); #endif - afl->fsrv.support_shmem_fuzz = 1; - afl->fsrv.shmem_fuzz = (u8 *)(afl->fsrv.shmem_fuzz_len + sizeof(int)); - - } else { - - ck_free(afl->shm_fuzz); - afl->shm_fuzz = NULL; + afl->fsrv.support_shmem_fuzz = 1; + afl->fsrv.shmem_fuzz_len = (u32 *)map; + afl->fsrv.shmem_fuzz = map + sizeof(u32); - } - -} + } /* Do a PATH search and find target binary to see that it exists and isn't a shell script - a common and painful mistake. We also check for 
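Review bot: In the `@@ -1960,28 +1960,22 @@` hunk of src/afl-fuzz-init.c the surviving brace `+ }` is, from the visible lines, now the closing brace of `setup_testcase_shmem` (the `if`/`else` it used to close has been removed), yet it keeps the inner-block indentation and reads as if a block were still open; it should sit at column 0 like the function's opening line. The hunk also turns what was previously a recoverable condition (the old `else` freed `afl->shm_fuzz`, set it to `NULL` and left `support_shmem_fuzz` unset, presumably leaving the file-based test-case path in use) into `FATAL("BUG: Zero return from afl_shm_init.")`; that is a defensible choice, but a one-line comment above the check, e.g. `// No fallback: a NULL map means the test-case region could not be created.`, would tell the next reader it is deliberate. The fuzzer-side offset `map + sizeof(u32)` now matches the `MAX_FILE + sizeof(u32)` allocation and the target-side `sizeof(u32)` skip, which is the core of the fix.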
diff --git a/unicorn_mode/UNICORNAFL_VERSION b/unicorn_mode/UNICORNAFL_VERSION index 5d10f094..a8527cd5 100644 --- a/unicorn_mode/UNICORNAFL_VERSION +++ b/unicorn_mode/UNICORNAFL_VERSION @@ -1 +1 @@ -9e9b72a +e30e3eb diff --git a/unicorn_mode/samples/compcov_x64/compcov_test_harness.py b/unicorn_mode/samples/compcov_x64/compcov_test_harness.py index 3861f205..b9ebb61d 100644 --- a/unicorn_mode/samples/compcov_x64/compcov_test_harness.py +++ b/unicorn_mode/samples/compcov_x64/compcov_test_harness.py @@ -1,5 +1,5 @@ #!/usr/bin/env python -""" +""" Simple test harness for AFL's Unicorn Mode. This loads the compcov_target.bin binary (precompiled as MIPS code) into @@ -11,7 +11,7 @@ Run under AFL as follows: $ cd /unicorn_mode/samples/simple/ - $ ../../../afl-fuzz -U -m none -i ./sample_inputs -o ./output -- python compcov_test_harness.py @@ + $ AFL_COMPCOV_LEVEL=2 ../../../afl-fuzz -U -m none -i ./sample_inputs -o ./output -- python compcov_test_harness.py @@ """ import argparse 
@@ -42,22 +42,22 @@ try: print(" Instr: {:#016x}:\t{}\t{}".format(address, cs_mnemonic, cs_opstr)) except ImportError: def unicorn_debug_instruction(uc, address, size, user_data): - print(" Instr: addr=0x{0:016x}, size=0x{1:016x}".format(address, size)) + print(" Instr: addr=0x{0:016x}, size=0x{1:016x}".format(address, size)) def unicorn_debug_block(uc, address, size, user_data): print("Basic Block: addr=0x{0:016x}, size=0x{1:016x}".format(address, size)) - + def unicorn_debug_mem_access(uc, access, address, size, value, user_data): if access == UC_MEM_WRITE: print(" >>> Write: addr=0x{0:016x} size={1} data=0x{2:016x}".format(address, size, value)) else: - print(" >>> Read: addr=0x{0:016x} size={1}".format(address, size)) + print(" >>> Read: addr=0x{0:016x} size={1}".format(address, size)) def unicorn_debug_mem_invalid_access(uc, access, address, size, value, user_data): if access == UC_MEM_WRITE_UNMAPPED: print(" >>> INVALID Write: addr=0x{0:016x} size={1} data=0x{2:016x}".format(address, size, value)) else: - print(" >>> INVALID Read: addr=0x{0:016x} size={1}".format(address, size)) + print(" >>> INVALID Read: addr=0x{0:016x} size={1}".format(address, size)) def main(): diff --git a/unicorn_mode/samples/persistent/Makefile b/unicorn_mode/samples/persistent/Makefile index cd43bf02..80a47550 100644 --- a/unicorn_mode/samples/persistent/Makefile +++ b/unicorn_mode/samples/persistent/Makefile @@ -38,7 +38,7 @@ harness.o: harness.c ../../unicornafl/include/unicorn/*.h ${MYCC} ${CFLAGS} -O3 -c harness.c harness-debug.o: harness.c ../../unicornafl/include/unicorn/*.h - ${MYCC} ${CFLAGS} -g -c harness.c -o $@ + ${MYCC} ${CFLAGS} -DAFL_DEBUG=1 -g -c harness.c -o $@ harness: harness.o ${MYCC} -L${LIBDIR} harness.o ../../unicornafl/libunicornafl.a $(LDFLAGS) -o $@ diff --git a/unicorn_mode/samples/persistent/harness.c b/unicorn_mode/samples/persistent/harness.c index a30af109..30013b4c 100644 --- a/unicorn_mode/samples/persistent/harness.c 
+++ b/unicorn_mode/samples/persistent/harness.c @@ -129,6 +129,16 @@ static bool place_input_callback( return false; } +#if defined(AFL_DEBUG) + printf("[d] harness: input len=%ld, [ ", input_len); + int i = 0; + for (i = 0; i < input_len && i < 16; i++) { + printf("0x%02x ", (unsigned char) input[i]); + } + if (input_len > 16) printf("... "); + printf("]\n"); +#endif + // For persistent mode, we have to set up stack and memory each time. uc_reg_write(uc, UC_X86_REG_RIP, &CODE_ADDRESS); // Set the instruction pointer back // Set up the function parameters accordingly RSI, RDI (see calling convention/disassembly) diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl index 9e9b72a9..e30e3ebb 160000 --- a/unicorn_mode/unicornafl +++ b/unicorn_mode/unicornafl @@ -1 +1 @@ -Subproject commit 9e9b72a91f84588defa1984e562cee19b4b49329 +Subproject commit e30e3ebbdba4d170fe9052ce5ce965a85b2e6b7d -- cgit 1.4.1
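Review bot: `printf("[d] harness: input len=%ld, [ ", input_len);` passes a `size_t` to `%ld` (`input_len` is declared `size_t` in `place_input_callback`'s signature, visible in the earlier `@@ -117,10 +117,10 @@` hunk of this file), which is undefined behaviour under C11 and a `-Wformat` warning; use `%zu`. The loop index `int i` is then compared against that `size_t` in `i < input_len`, which trips `-Wsign-compare`; since the file already uses C99 features, `for (size_t i = 0; i < input_len && i < 16; i++) {` replaces the separate `int i = 0;` and removes the mixed-sign comparison. The dump also goes to stdout without a flush, so under the fuzzer it may be lost or interleaved with other output; the existing `Len:` print in `main` follows its `printf` with `fflush(stdout);` and this block could do the same after `printf("]\n");`. `place_input_callback` starts before the hunk and continues past it.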