From a7c3f252d57707ca2c0035be6cbe80635cf8857b Mon Sep 17 00:00:00 2001 From: David CARLIER Date: Mon, 24 Aug 2020 11:06:04 +0100 Subject: unicorn build warning for MUSL based linux distros. (#510) --- unicorn_mode/build_unicorn_support.sh | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'unicorn_mode') diff --git a/unicorn_mode/build_unicorn_support.sh b/unicorn_mode/build_unicorn_support.sh index 841728d7..b4d2058f 100755 --- a/unicorn_mode/build_unicorn_support.sh +++ b/unicorn_mode/build_unicorn_support.sh @@ -70,6 +70,11 @@ MAKECMD=make TARCMD=tar if [ "$PLT" = "Linux" ]; then + MUSL=`ldd --version 2>&1 | head -n 1 | cut -f 1 -d " "` + if [ "musl" = $MUSL ]; then + echo "[-] Error: Unicorn instrumentation is unsupported with the musl's libc." + exit 1 + fi CORES=`nproc` fi -- cgit 1.4.1 From 13f2ac83a90aa8a6826c8c642a2b64118ac53430 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Tue, 8 Sep 2020 11:48:31 +0200 Subject: fix GNUmakefile for new qemuafl --- .gitignore | 1 + .travis.yml | 1 - GNUmakefile | 19 ++++++++----------- qemu_mode/build_qemu_support.sh | 2 +- unicorn_mode/build_unicorn_support.sh | 2 +- 5 files changed, 11 insertions(+), 14 deletions(-) (limited to 'unicorn_mode') diff --git a/.gitignore b/.gitignore index 5b7e22ba..fb6a94c1 100644 --- a/.gitignore +++ b/.gitignore @@ -61,6 +61,7 @@ afl-lto++.8 afl-lto.8 qemu_mode/libcompcov/compcovtest qemu_mode/qemu-* +qemu_mode/qemuafl unicorn_mode/samples/*/\.test-* unicorn_mode/samples/*/output/ unicorn_mode/unicornafl diff --git a/.travis.yml b/.travis.yml index ccfc7743..c82c8c26 100644 --- a/.travis.yml +++ b/.travis.yml @@ -6,7 +6,6 @@ branches: only: - stable - dev - - llvm_merge matrix: include: diff --git a/GNUmakefile b/GNUmakefile index 92046ffd..30a219a4 100644 --- a/GNUmakefile +++ b/GNUmakefile 
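Review bot: `$MUSL` is expanded unquoted in the added `if [ "musl" = $MUSL ]` test, so when `ldd --version` prints nothing (or its first field is empty) the test degenerates to `[ "musl" = ]` and the script aborts with a shell syntax error instead of continuing as glibc. Quote it: `if [ "musl" = "$MUSL" ]; then`. The `2>&1` is there presumably because musl's `ldd` writes its banner to stderr; a one-line comment, `# musl's ldd prints its banner on stderr, glibc's on stdout`, would stop someone from "cleaning" it away. `PLT` is set outside the hunk; the `if [ "$PLT" = "Linux" ]` block itself closes inside it.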
@@ -470,7 +470,6 @@ code-format: ./.custom-format.py -i examples/*/*.c ./.custom-format.py -i examples/*/*.h ./.custom-format.py -i test/*.c - ./.custom-format.py -i qemu_mode/patches/*.h ./.custom-format.py -i qemu_mode/libcompcov/*.c ./.custom-format.py -i qemu_mode/libcompcov/*.cc ./.custom-format.py -i qemu_mode/libcompcov/*.h @@ -510,8 +509,7 @@ all_done: test_build .PHONY: clean clean: - rm -f $(PROGS) libradamsa.so afl-fuzz-document afl-as as afl-g++ afl-clang afl-clang++ *.o src/*.o *~ a.out core core.[1-9][0-9]* *.stackdump .test .test1 .test2 test-instr .test-instr0 .test-instr1 afl-qemu-trace afl-gcc-fast afl-gcc-pass.so afl-g++-fast ld *.so *.8 test/unittests/*.o test/unittests/unit_maybe_alloc test/unittests/preallocable .afl-* afl-gcc afl-g++ - rm -rf out_dir qemu_mode/qemu-3.1.1 *.dSYM */*.dSYM + rm -f $(PROGS) libradamsa.so afl-fuzz-document afl-as as afl-g++ afl-clang afl-clang++ *.o src/*.o *~ a.out core core.[1-9][0-9]* *.stackdump .test .test1 .test2 test-instr .test-instr0 .test-instr1 afl-qemu-trace afl-gcc-fast afl-gcc-pass.so afl-g++-fast ld *.so *.8 test/unittests/*.o test/unittests/unit_maybe_alloc test/unittests/preallocable .afl-* afl-gcc afl-g++ test/unittests/unit_hash test/unittests/unit_rand -$(MAKE) -f GNUmakefile.llvm clean -$(MAKE) -f GNUmakefile.gcc_plugin clean $(MAKE) -C libdislocator clean 
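Review bot: The rewritten `rm -f` line in `clean` replaces both removed lines, so `out_dir` and the macOS `*.dSYM` / `*/*.dSYM` bundles from the dropped `rm -rf out_dir qemu_mode/qemu-3.1.1 *.dSYM */*.dSYM` line are no longer cleaned, although only the `qemu-3.1.1` path needed to go with the move to qemuafl. Unless those are removed elsewhere, keep `rm -rf out_dir *.dSYM */*.dSYM` in the recipe. The `clean` recipe continues in the next hunk.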
@@ -521,18 +519,18 @@ clean: $(MAKE) -C examples/argv_fuzzing clean $(MAKE) -C qemu_mode/unsigaction clean $(MAKE) -C qemu_mode/libcompcov clean - rm -rf qemu_mode/qemu-3.1.1 ifeq "$(IN_REPO)" "1" + test -e qemu_mode/qemuafl/Makefile && $(MAKE) -C qemu_mode/qemuafl clean || true test -e unicorn_mode/unicornafl/Makefile && $(MAKE) -C unicorn_mode/unicornafl clean || true else - rm -rf qemu_mode/qemu-3.1.1.tar.xz + rm -rf qemu_mode/qemuafl rm -rf unicorn_mode/unicornafl endif .PHONY: deepclean deepclean: clean - rm -rf qemu_mode/qemu-3.1.1.tar.xz rm -rf unicorn_mode/unicornafl + rm -rf qemu_mode/qemuafl # NEVER EVER ACTIVATE THAT!!!!! git reset --hard >/dev/null 2>&1 || true .PHONY: distrib @@ -541,11 +539,12 @@ distrib: all -$(MAKE) -f GNUmakefile.gcc_plugin $(MAKE) -C libdislocator $(MAKE) -C libtokencap + $(MAKE) -C examples/aflpp_driver $(MAKE) -C examples/afl_network_proxy $(MAKE) -C examples/socket_fuzzing $(MAKE) -C examples/argv_fuzzing -cd qemu_mode && sh ./build_qemu_support.sh - cd unicorn_mode && unset CFLAGS && sh ./build_unicorn_support.sh + -cd unicorn_mode && unset CFLAGS && sh ./build_unicorn_support.sh .PHONY: binary-only binary-only: all @@ -555,7 +554,7 @@ binary-only: all $(MAKE) -C examples/socket_fuzzing $(MAKE) -C examples/argv_fuzzing -cd qemu_mode && sh ./build_qemu_support.sh - cd unicorn_mode && unset CFLAGS && sh ./build_unicorn_support.sh + -cd unicorn_mode && unset CFLAGS && sh ./build_unicorn_support.sh .PHONY: source-only source-only: all @@ -563,9 +562,7 @@ source-only: all -$(MAKE) -f GNUmakefile.gcc_plugin $(MAKE) -C libdislocator $(MAKE) -C libtokencap - @#$(MAKE) -C examples/afl_network_proxy - @#$(MAKE) -C examples/socket_fuzzing - @#$(MAKE) -C examples/argv_fuzzing + $(MAKE) -C examples/aflpp_driver %.8: % @echo .TH $* 8 $(BUILD_DATE) "afl++" > $@ diff --git a/qemu_mode/build_qemu_support.sh b/qemu_mode/build_qemu_support.sh index 5d9f5be7..342f16b3 100755 --- a/qemu_mode/build_qemu_support.sh 
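Review bot: Prefixing the unicorn build line with `-` makes `make distrib` (and `make binary-only` in the following hunk, which gets the same change) exit 0 even when `build_unicorn_support.sh` fails, so a broken unicorn_mode build no longer fails the release-style targets and is only visible in the log. If that is deliberate, matching the `-cd qemu_mode` line just above it, say so on the line: `# unicorn_mode is optional: a failed build must not break distrib/binary-only`; otherwise drop the `-`. Either way a silenced failure on a target whose output is shipped deserves a comment, because nothing else in the recipe checks that the unicornafl artefacts exist afterwards.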
+++ b/qemu_mode/build_qemu_support.sh @@ -121,7 +121,7 @@ else CNT=1 while [ '!' -d qemuafl -a "$CNT" -lt 4 ]; do echo "Trying to clone qemuafl (attempt $CNT/3)" - git clone https://github.com/AFLplusplus/qemuafl + git clone --depth 1 https://github.com/AFLplusplus/qemuafl CNT=`expr "$CNT" + 1` done } diff --git a/unicorn_mode/build_unicorn_support.sh b/unicorn_mode/build_unicorn_support.sh index b4d2058f..f75b3b8d 100755 --- a/unicorn_mode/build_unicorn_support.sh +++ b/unicorn_mode/build_unicorn_support.sh @@ -156,7 +156,7 @@ else CNT=1 while [ '!' -d unicornafl -a "$CNT" -lt 4 ]; do echo "Trying to clone unicornafl (attempt $CNT/3)" - git clone https://github.com/AFLplusplus/unicornafl + git clone --depth 1 https://github.com/AFLplusplus/unicornafl CNT=`expr "$CNT" + 1` done } -- cgit 1.4.1 From 43cb626ad3d36024529ddc459032e664282f3cab Mon Sep 17 00:00:00 2001 From: van Hauser Date: Tue, 8 Sep 2020 14:03:53 +0200 Subject: revert for unicorn_mode --- unicorn_mode/build_unicorn_support.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'unicorn_mode') diff --git a/unicorn_mode/build_unicorn_support.sh b/unicorn_mode/build_unicorn_support.sh index f75b3b8d..b4d2058f 100755 --- a/unicorn_mode/build_unicorn_support.sh +++ b/unicorn_mode/build_unicorn_support.sh @@ -156,7 +156,7 @@ else CNT=1 while [ '!' -d unicornafl -a "$CNT" -lt 4 ]; do echo "Trying to clone unicornafl (attempt $CNT/3)" - git clone --depth 1 https://github.com/AFLplusplus/unicornafl + git clone https://github.com/AFLplusplus/unicornafl CNT=`expr "$CNT" + 1` done } -- cgit 1.4.1 From f34fe1f81e804bccdda5315968f6a73a47184822 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Mon, 21 Sep 2020 13:13:03 +0200 Subject: updated unicornafl --- unicorn_mode/UNICORNAFL_VERSION | 2 +- unicorn_mode/unicornafl | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'unicorn_mode') 
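Review bot: `git clone --depth 1` fetches only the remote's current tip of `qemuafl`, so if the script afterwards checks out a pinned revision (the sibling `unicornafl` script is paired with `UNICORNAFL_VERSION`, and the identical `--depth 1` change to it is reverted in the very next commit, which suggests exactly that failure) the checkout fails because the pinned commit is absent from a shallow clone. Either drop `--depth 1`, or fetch the pinned revision explicitly after the clone, e.g. `git fetch --depth 1 origin "$PINNED_REV"` with `PINNED_REV` (placeholder) taken from the version file, followed by `git checkout FETCH_HEAD`. As written the retry loop itself applies no pin, so every build takes whatever the remote serves at that moment; comparing the checked-out commit against the version file after the loop keeps the build reproducible. The enclosing function starts outside the hunk.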
diff --git a/unicorn_mode/UNICORNAFL_VERSION b/unicorn_mode/UNICORNAFL_VERSION index 02736b77..87c5f419 100644 --- a/unicorn_mode/UNICORNAFL_VERSION +++ b/unicorn_mode/UNICORNAFL_VERSION @@ -1 +1 @@ -c6d66471 +0bf26f6c diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl index c6d66471..0bf26f6c 160000 --- a/unicorn_mode/unicornafl +++ b/unicorn_mode/unicornafl @@ -1 +1 @@ -Subproject commit c6d6647161a32bae88785a618fcd828d1711d9e6 +Subproject commit 0bf26f6c2601e1c1c84998551ed7d50b4108fbdf -- cgit 1.4.1 From e85fde201e988cf9e7cf608be394977f7c045a75 Mon Sep 17 00:00:00 2001 From: David CARLIER Date: Sat, 26 Sep 2020 18:02:19 +0100 Subject: OpenBSD build fix (#566) * OpenBSD build fix proposal. Mainly the gcc plugin, using one of the egcc/eg++ version available. Needs pthread flag to r/w lock api. * README update --- GNUmakefile | 5 +++++ GNUmakefile.gcc_plugin | 8 ++++++++ GNUmakefile.llvm | 2 +- README.md | 1 + unicorn_mode/unicornafl | 2 +- 5 files changed, 16 insertions(+), 2 deletions(-) (limited to 'unicorn_mode') diff --git a/GNUmakefile b/GNUmakefile index 9e8b1a47..889c0e7d 100644 --- a/GNUmakefile +++ b/GNUmakefile @@ -218,6 +218,11 @@ ifneq "$(findstring NetBSD, $(shell uname))" "" LDFLAGS += -lpthread endif +ifneq "$(findstring OpenBSD, $(shell uname))" "" + override CFLAGS += -pthread + LDFLAGS += -lpthread +endif + TEST_CC = afl-gcc COMM_HDR = include/alloc-inl.h include/config.h include/debug.h include/types.h diff --git a/GNUmakefile.gcc_plugin b/GNUmakefile.gcc_plugin index 55b79182..e3108511 100644 --- a/GNUmakefile.gcc_plugin +++ b/GNUmakefile.gcc_plugin @@ -75,11 +75,19 @@ ifeq "$(TEST_MMAP)" "1" endif ifneq "$(shell uname -s)" "Haiku" +ifneq "$(shell uname -s)" "OpenBSD" LDFLAGS += -lrt +endif else CFLAGS_SAFE += -DUSEMMAP=1 endif +ifeq "$(shell uname -s)" "OpenBSD" + CC = egcc + CXX = eg++ + PLUGIN_FLAGS += -I/usr/local/include +endif + ifeq "$(shell uname -s)" "SunOS" PLUGIN_FLAGS += -I/usr/include/gmp endif 
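Review bot: The new OpenBSD block in GNUmakefile carries no comment explaining why it differs from the NetBSD block directly above it (which adds only `LDFLAGS += -lpthread`), so `override CFLAGS += -pthread` reads as an inconsistency rather than a requirement. Put the reason from the commit message on the line: `# OpenBSD: the rwlock API needs -pthread at compile time, not just -lpthread at link time`. Because `override` makes the flag immune to `make CFLAGS=...`, the comment should also say it is mandatory, which is what justifies not using a plain `+=` here.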
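Review bot: GNUmakefile.gcc_plugin now evaluates `$(shell uname -s)` in three separate conditionals (four with the unchanged SunOS one), and the Haiku/OpenBSD exclusion of `-lrt` is an `ifneq` nested inside another `ifneq ... else`, which is hard to follow. Hoist the uname result into one simply-expanded variable and express the `-lrt` rule as an `else ifneq` chain, as sketched below. `CC = egcc` / `CXX = eg++` also replace a compiler taken from the environment (a command-line `make CC=...` still wins), which deserves a comment since the rest of the file presumably honours `$(CC)`.
```make
SYS := $(shell uname -s)

# … unchanged: TEST_MMAP block …

ifeq "$(SYS)" "Haiku"
  CFLAGS_SAFE += -DUSEMMAP=1
else ifneq "$(SYS)" "OpenBSD"
  LDFLAGS += -lrt
endif

ifeq "$(SYS)" "OpenBSD"
  # OpenBSD: build the plugin with the ports compiler, installed as egcc/eg++.
  # This replaces an environment CC/CXX; a command-line CC=... still wins.
  CC = egcc
  CXX = eg++
  PLUGIN_FLAGS += -I/usr/local/include
endif

# … unchanged: SunOS block …
```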
diff --git a/GNUmakefile.llvm b/GNUmakefile.llvm index ef2a1f68..da0a6298 100644 --- a/GNUmakefile.llvm +++ b/GNUmakefile.llvm @@ -279,7 +279,7 @@ ifeq "$(shell uname)" "OpenBSD" CLANG_CPPFL += -mno-retpoline CFLAGS += -mno-retpoline # Needed for unwind symbols - LDFLAGS += -lc++abi + LDFLAGS += -lc++abi -lpthread endif ifeq "$(shell echo '$(HASH)include @$(HASH)include @int main() { int _id = shmget(IPC_PRIVATE, 65536, IPC_CREAT | IPC_EXCL | 0600); shmctl(_id, IPC_RMID, 0); return 0;}' | tr @ '\n' | $(CC) -x c - -o .test2 2>/dev/null && echo 1 || echo 0 ; rm -f .test2 )" "1" diff --git a/README.md b/README.md index d3066e9b..f63b0c1e 100644 --- a/README.md +++ b/README.md @@ -1081,6 +1081,7 @@ without feedback, bug reports, or patches from: Andrea Biondo Vincent Le Garrec Khaled Yakdan Kuang-che Wu Josephine Calliotte Konrad Welc + David Carlier ``` Thank you! diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl index 0bf26f6c..c6d66471 160000 --- a/unicorn_mode/unicornafl +++ b/unicorn_mode/unicornafl @@ -1 +1 @@ -Subproject commit 0bf26f6c2601e1c1c84998551ed7d50b4108fbdf +Subproject commit c6d6647161a32bae88785a618fcd828d1711d9e6 -- cgit 1.4.1 From 7c8b0af84aa7d2005e32a8bd0f00ece92635b0e0 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Thu, 29 Oct 2020 08:12:24 +0100 Subject: updated unicorn/next --- unicorn_mode/UNICORNAFL_VERSION | 2 +- unicorn_mode/unicornafl | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'unicorn_mode') diff --git a/unicorn_mode/UNICORNAFL_VERSION b/unicorn_mode/UNICORNAFL_VERSION index 87c5f419..c5569fbd 100644 --- a/unicorn_mode/UNICORNAFL_VERSION +++ b/unicorn_mode/UNICORNAFL_VERSION @@ -1 +1 @@ -0bf26f6c +f44ec48f diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl index c6d66471..f44ec48f 160000 --- a/unicorn_mode/unicornafl +++ b/unicorn_mode/unicornafl 
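Review bot: This commit moves the `unicorn_mode/unicornafl` submodule pointer back from 0bf26f6c to c6d66471 without touching `unicorn_mode/UNICORNAFL_VERSION`, which f34fe1f8 had just set to 0bf26f6c, so the pinned version file and the submodule now disagree and the "updated unicornafl" change is undone by an OpenBSD build fix. This looks like a stale submodule committed by accident, and the same back-and-forth recurs in 9e3b818c, 66580267, ffe41e6f and 30cd8a83 below. A dependency pin that drifts with unrelated commits is hard to audit; the submodule pointer and the version file should only change together, and a CI check that compares the two would catch this class of mistake.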
@@ -1 +1 @@ -Subproject commit c6d6647161a32bae88785a618fcd828d1711d9e6 +Subproject commit f44ec48f8d5929f243522c1152b5b3c0985a5548 -- cgit 1.4.1 From 9e3b818c35efc3c35be728c88c4d4b2b66b52f8e Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Thu, 29 Oct 2020 18:47:00 +0100 Subject: fix warning on Debian 32 bit --- instrumentation/afl-gcc-pass.so.cc | 2 +- unicorn_mode/unicornafl | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'unicorn_mode') diff --git a/instrumentation/afl-gcc-pass.so.cc b/instrumentation/afl-gcc-pass.so.cc index 04d606cc..f94bb57f 100644 --- a/instrumentation/afl-gcc-pass.so.cc +++ b/instrumentation/afl-gcc-pass.so.cc @@ -408,7 +408,7 @@ struct afl_pass : gimple_opt_pass { predecessors. */ inline bool instrument_block_p(basic_block bb) { - if (R(100) >= inst_ratio) return false; + if (R(100) >= (long int)inst_ratio) return false; edge e; edge_iterator ei; diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl index f44ec48f..0bf26f6c 160000 --- a/unicorn_mode/unicornafl +++ b/unicorn_mode/unicornafl @@ -1 +1 @@ -Subproject commit f44ec48f8d5929f243522c1152b5b3c0985a5548 +Subproject commit 0bf26f6c2601e1c1c84998551ed7d50b4108fbdf -- cgit 1.4.1 From f8bbbf31ec6b307407f3c67e745f772bb2fcc557 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Thu, 5 Nov 2020 22:45:07 +0100 Subject: remove duplicate headers, make '#include VirtualFileSystems.h' version dependent --- instrumentation/SanitizerCoveragePCGUARD.so.cc | 10 ++++------ unicorn_mode/unicornafl | 2 +- 2 files changed, 5 insertions(+), 7 deletions(-) (limited to 'unicorn_mode') diff --git a/instrumentation/SanitizerCoveragePCGUARD.so.cc b/instrumentation/SanitizerCoveragePCGUARD.so.cc index 772a6f60..5065f20e 100644 --- a/instrumentation/SanitizerCoveragePCGUARD.so.cc +++ b/instrumentation/SanitizerCoveragePCGUARD.so.cc 
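Review bot: The added `(long int)` cast on `inst_ratio` silences a comparison warning but leaves no trace of why, so a later reader may "simplify" it away and reintroduce the warning. Add `// R() yields a signed value; cast inst_ratio to avoid a sign-compare warning on 32-bit targets` above the `if`. `R()`'s declaration is not in the hunk, so confirm it really returns `long`; if it returns `int`, the cast width should match it instead. `instrument_block_p` continues past the hunk.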
@@ -10,11 +10,6 @@ // //===----------------------------------------------------------------------===// -#include "llvm/IR/Module.h" -#include "llvm/IR/PassManager.h" -#include "llvm/Support/SpecialCaseList.h" -#include "llvm/Support/VirtualFileSystem.h" -#include "llvm/Transforms/Instrumentation.h" #include "llvm/ADT/ArrayRef.h" #include "llvm/ADT/SmallVector.h" #include "llvm/Analysis/EHPersonalities.h" @@ -34,13 +29,16 @@ #include "llvm/IR/MDBuilder.h" #include "llvm/IR/Mangler.h" #include "llvm/IR/Module.h" +#include "llvm/IR/PassManager.h" #include "llvm/IR/Type.h" #include "llvm/InitializePasses.h" #include "llvm/Support/CommandLine.h" #include "llvm/Support/Debug.h" +#include "llvm/Support/raw_ostream.h" #include "llvm/Support/SpecialCaseList.h" +#if LLVM_MAJOR > 10 || (LLVM_MAJOR == 10 && LLVM_MINOR > 0) #include "llvm/Support/VirtualFileSystem.h" -#include "llvm/Support/raw_ostream.h" +#endif #include "llvm/Transforms/Instrumentation.h" #include "llvm/Transforms/Utils/BasicBlockUtils.h" #include "llvm/Transforms/Utils/ModuleUtils.h" diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl index 0bf26f6c..f44ec48f 160000 --- a/unicorn_mode/unicornafl +++ b/unicorn_mode/unicornafl @@ -1 +1 @@ -Subproject commit 0bf26f6c2601e1c1c84998551ed7d50b4108fbdf +Subproject commit f44ec48f8d5929f243522c1152b5b3c0985a5548 -- cgit 1.4.1 From 665802673d669634fa1142fc9f99f759bebbf664 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Thu, 5 Nov 2020 22:58:55 +0100 Subject: typo fixed --- test/test-basic.sh | 2 +- unicorn_mode/unicornafl | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'unicorn_mode') diff --git a/test/test-basic.sh b/test/test-basic.sh index 0d16ebd1..d63f01cf 100755 --- a/test/test-basic.sh +++ b/test/test-basic.sh 
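Review bot: The new `#if LLVM_MAJOR > 10 || (LLVM_MAJOR == 10 && LLVM_MINOR > 0)` guard treats an undefined `LLVM_MAJOR`/`LLVM_MINOR` as 0, so if the build ever stops passing those defines the `VirtualFileSystem.h` include is silently dropped and the failure surfaces later as an unrelated compile error. Guard against that with `#ifndef LLVM_MAJOR` / `#error "LLVM_MAJOR must be defined by the build"` / `#endif` before the check, or base the test on `LLVM_VERSION_MAJOR` from `llvm/Config/llvm-config.h`, which the LLVM headers define themselves. A one-line comment naming the LLVM release that introduced the header would also document why the cutoff is 10.0.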
@@ -118,7 +118,7 @@ test "$SYS" = "i686" -o "$SYS" = "x86_64" -o "$SYS" = "amd64" -o "$SYS" = "i86pc INCOMPLETE=1 } } || { - $ECHO "$GREY[[*] not an intel platform, skipped tests of afl-gcc" + $ECHO "$GREY[*] not an intel platform, skipped tests of afl-gcc" #this is not incomplete as this feature doesnt exist, so all good AFL_TEST_COUNT=$((AFL_TEST_COUNT-1)) } diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl index f44ec48f..0bf26f6c 160000 --- a/unicorn_mode/unicornafl +++ b/unicorn_mode/unicornafl @@ -1 +1 @@ -Subproject commit f44ec48f8d5929f243522c1152b5b3c0985a5548 +Subproject commit 0bf26f6c2601e1c1c84998551ed7d50b4108fbdf -- cgit 1.4.1 From ffe41e6fcec3e6228770c8fe11ec67b8cfb4878c Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Thu, 12 Nov 2020 20:26:53 +0100 Subject: fix two mem leaks detected by cppcheck --- custom_mutators/honggfuzz/honggfuzz.c | 1 + custom_mutators/libfuzzer/libfuzzer.cpp | 1 + unicorn_mode/unicornafl | 2 +- 3 files changed, 3 insertions(+), 1 deletion(-) (limited to 'unicorn_mode') diff --git a/custom_mutators/honggfuzz/honggfuzz.c b/custom_mutators/honggfuzz/honggfuzz.c index bde922c6..b4f07258 100644 --- a/custom_mutators/honggfuzz/honggfuzz.c +++ b/custom_mutators/honggfuzz/honggfuzz.c @@ -37,6 +37,7 @@ my_mutator_t *afl_custom_init(afl_state_t *afl, unsigned int seed) { if ((data->mutator_buf = malloc(MAX_FILE)) == NULL) { + free(data); perror("mutator_buf alloc"); return NULL; diff --git a/custom_mutators/libfuzzer/libfuzzer.cpp b/custom_mutators/libfuzzer/libfuzzer.cpp index a4f94328..dc1fbeb2 100644 --- a/custom_mutators/libfuzzer/libfuzzer.cpp +++ b/custom_mutators/libfuzzer/libfuzzer.cpp @@ -50,6 +50,7 @@ extern "C" my_mutator_t *afl_custom_init(afl_state_t *afl, unsigned int seed) { if ((data->mutator_buf = (u8 *)malloc(MAX_FILE)) == NULL) { + free(data); perror("mutator_buf alloc"); return NULL; diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl index 0bf26f6c..c6d66471 160000 
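Review bot: `free(data)` is added only on the `mutator_buf` allocation-failure path, in both `custom_mutators/honggfuzz/honggfuzz.c` and `custom_mutators/libfuzzer/libfuzzer.cpp`; `afl_custom_init` continues past each hunk, so any later early `return NULL` taken after `data` is allocated would still leak it. Worth checking the remainder of each function while here; a single cleanup label (`fail:` that frees `data` and returns `NULL`) is the usual way to keep every error path consistent. In the C++ file the cast on `malloc` is fine, but the same cleanup applies.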
--- a/unicorn_mode/unicornafl +++ b/unicorn_mode/unicornafl @@ -1 +1 @@ -Subproject commit 0bf26f6c2601e1c1c84998551ed7d50b4108fbdf +Subproject commit c6d6647161a32bae88785a618fcd828d1711d9e6 -- cgit 1.4.1 From 54a312a5fe7d83fcee8b420868bc918622e9b3a6 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Fri, 13 Nov 2020 00:44:08 +0100 Subject: more small fixes --- qemu_mode/libcompcov/pmparser.h | 2 +- qemu_mode/qemuafl | 1 - src/afl-common.c | 2 +- src/afl-fuzz-python.c | 1 + .../samples/persistent/simple_target_noncrashing.c | 16 ++++++++++------ 5 files changed, 13 insertions(+), 9 deletions(-) delete mode 160000 qemu_mode/qemuafl (limited to 'unicorn_mode') diff --git a/qemu_mode/libcompcov/pmparser.h b/qemu_mode/libcompcov/pmparser.h index 9421d47e..1a3d8834 100644 --- a/qemu_mode/libcompcov/pmparser.h +++ b/qemu_mode/libcompcov/pmparser.h @@ -108,7 +108,6 @@ void pmparser_print(procmaps_struct *map, int order); procmaps_iterator *pmparser_parse(int pid) { - procmaps_iterator *maps_it = malloc(sizeof(procmaps_iterator)); char maps_path[500]; if (pid >= 0) { @@ -129,6 +128,7 @@ procmaps_iterator *pmparser_parse(int pid) { } + procmaps_iterator *maps_it = malloc(sizeof(procmaps_iterator)); int ind = 0; char buf[PROCMAPS_LINE_MAX_LENGTH]; // int c; diff --git a/qemu_mode/qemuafl b/qemu_mode/qemuafl deleted file mode 160000 index d66c9e26..00000000 --- a/qemu_mode/qemuafl +++ /dev/null @@ -1 +0,0 @@ -Subproject commit d66c9e2654efa8939f0fe6995d11a72b98a4da3e diff --git a/src/afl-common.c b/src/afl-common.c index 19c9419b..8cf1a444 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -342,7 +342,7 @@ u8 *find_binary(u8 *fname) { if (stat(target_path, &st) || !S_ISREG(st.st_mode) || !(st.st_mode & 0111) || st.st_size < 4) { - free(target_path); + ck_free(target_path); FATAL("Program '%s' not found or not executable", fname); } diff --git a/src/afl-fuzz-python.c b/src/afl-fuzz-python.c index fe16bc46..596b733e 100644 --- a/src/afl-fuzz-python.c 
+++ b/src/afl-fuzz-python.c @@ -214,6 +214,7 @@ static py_mutator_t *init_py_module(afl_state_t *afl, u8 *module_name) { PyErr_Print(); fprintf(stderr, "Failed to load \"%s\"\n", module_name); + free(py); return NULL; } diff --git a/unicorn_mode/samples/persistent/simple_target_noncrashing.c b/unicorn_mode/samples/persistent/simple_target_noncrashing.c index 00764473..9257643b 100644 --- a/unicorn_mode/samples/persistent/simple_target_noncrashing.c +++ b/unicorn_mode/samples/persistent/simple_target_noncrashing.c @@ -10,7 +10,7 @@ * Written by Nathan Voss * Adapted by Lukas Seidel */ - +#include int main(int argc, char** argv) { if(argc < 2){ @@ -19,15 +19,19 @@ int main(int argc, char** argv) { char *data_buf = argv[1]; - if len(data_buf < 20) { - if (data_buf[20] != 0) { + if (strlen(data_buf) >= 21 && data_buf[20] != 0) { printf("Not crashing"); - } else if (data_buf[0] > 0x10 && data_buf[0] < 0x20 && data_buf[1] > data_buf[2]) { + } else if (strlen(data_buf) > 1 + && data_buf[0] > 0x10 && data_buf[0] < 0x20 && data_buf[1] > data_buf[2]) { printf("Also not crashing with databuf[0] == %c", data_buf[0]) - } else if (data_buf[9] == 0x00 && data_buf[10] != 0x00 && data_buf[11] == 0x00) { + } +#if 0 + // not possible with argv (zero terminated strings) (hexcoder-) + // do not try to access data_buf[10] and beyond + else if (data_buf[9] == 0x00 && data_buf[10] != 0x00 && data_buf[11] == 0x00) { // Cause a crash if data[10] is not zero, but [9] and [11] are zero unsigned char invalid_read = *(unsigned char *) 0x00000000; } - +#endif return 0; } -- cgit 1.4.1 From 30cd8a8397419b3eedb6ee939e290b4c6b8c2cf1 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Sat, 14 Nov 2020 12:28:51 +0100 Subject: fix non instrumented mode, fix check_binary --- qemu_mode/qemuafl | 2 +- src/afl-fuzz-init.c | 6 ------ src/afl-fuzz.c | 10 +++++++++- unicorn_mode/unicornafl | 2 +- 4 files changed, 11 insertions(+), 9 deletions(-) (limited to 'unicorn_mode') 
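Review bot: The context line `printf("Also not crashing with databuf[0] == %c", data_buf[0])` is still missing its terminating semicolon, so the sample does not compile even after this fix; it should read `printf("Also not crashing with databuf[0] == %c", data_buf[0]);`. The added `#include` line shows no header name in this rendering (the angle-bracketed name appears to have been lost); it is presumably `<string.h>` for `strlen`, worth confirming in the actual file. The new `strlen(data_buf) >= 21 && data_buf[20] != 0` is redundant, since a string of length at least 21 cannot have a NUL at index 20 (harmless, but `strlen(data_buf) >= 21` alone says the same), and `strlen` is recomputed in every branch where one `size_t len = strlen(data_buf);` before the chain would do.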
diff --git a/qemu_mode/qemuafl b/qemu_mode/qemuafl index d66c9e26..21ff3438 160000 --- a/qemu_mode/qemuafl +++ b/qemu_mode/qemuafl @@ -1 +1 @@ -Subproject commit d66c9e2654efa8939f0fe6995d11a72b98a4da3e +Subproject commit 21ff34383764a8c6f66509b3b8d5282468c721e1 diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 19a8d77b..01929a0a 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -2300,12 +2300,6 @@ void fix_up_sync(afl_state_t *afl) { u8 *x = afl->sync_id; - if (afl->non_instrumented_mode) { - - FATAL("-S / -M and -n are mutually exclusive"); - - } - while (*x) { if (!isalnum(*x) && *x != '_' && *x != '-') { diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 59772b3f..f662b308 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -435,6 +435,7 @@ int main(int argc, char **argv_orig, char **envp) { u8 *c; + if (afl->non_instrumented_mode) { FATAL("-M is not supported in non-instrumented mode "); } if (afl->sync_id) { FATAL("Multiple -S or -M options not supported"); } afl->sync_id = ck_strdup(optarg); afl->skip_deterministic = 0; // force determinsitic fuzzing @@ -464,6 +465,7 @@ int main(int argc, char **argv_orig, char **envp) { case 'S': /* secondary sync id */ + if (afl->non_instrumented_mode) { FATAL("-S is not supported in non-instrumented mode "); } if (afl->sync_id) { FATAL("Multiple -S or -M options not supported"); } afl->sync_id = ck_strdup(optarg); afl->is_secondary_node = 1; @@ -620,6 +622,12 @@ int main(int argc, char **argv_orig, char **envp) { case 'n': /* dumb mode */ + if (afl->is_main_node || afl->is_secondary_node) { + + FATAL("Non instrumented mode is not supported with -M / -S"); + + } + if (afl->non_instrumented_mode) { FATAL("Multiple -n options not supported"); 
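Review bot: The new `-n` check tests `afl->is_main_node || afl->is_secondary_node`, but the `-M` branch in the first hunk is not shown setting `is_main_node` (the `-S` branch does set `is_secondary_node = 1`), so `-M id -n` is only rejected if `is_main_node` is assigned further down in that case, outside the hunk; please confirm, since the order-independent check this commit removes from `fix_up_sync` in `src/afl-fuzz-init.c` did cover that case. Both new `FATAL` strings end in a trailing space (`"... non-instrumented mode "`), which should be dropped. As three scattered checks now replace one post-parse check, a comment on the `-n` case, `// -M/-S and -n are mutually exclusive; checked here and in the -M/-S cases so either option order is caught`, explains the duplication.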
@@ -1342,7 +1350,7 @@ int main(int argc, char **argv_orig, char **envp) { } - if (afl->non_instrumented_mode) check_binary(afl, argv[optind]); + if (!afl->non_instrumented_mode) check_binary(afl, argv[optind]); if (afl->shmem_testcase_mode) { setup_testcase_shmem(afl); } diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl index c6d66471..f44ec48f 160000 --- a/unicorn_mode/unicornafl +++ b/unicorn_mode/unicornafl @@ -1 +1 @@ -Subproject commit c6d6647161a32bae88785a618fcd828d1711d9e6 +Subproject commit f44ec48f8d5929f243522c1152b5b3c0985a5548 -- cgit 1.4.1 From f0e81b230146dba93ac265485bbbc5b5c77a0343 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Thu, 3 Dec 2020 22:26:28 +0100 Subject: updated unicorn --- unicorn_mode/UNICORNAFL_VERSION | 2 +- unicorn_mode/unicornafl | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'unicorn_mode') diff --git a/unicorn_mode/UNICORNAFL_VERSION b/unicorn_mode/UNICORNAFL_VERSION index c5569fbd..99025a06 100644 --- a/unicorn_mode/UNICORNAFL_VERSION +++ b/unicorn_mode/UNICORNAFL_VERSION @@ -1 +1 @@ -f44ec48f +8cca4801 diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl index f44ec48f..8cca4801 160000 --- a/unicorn_mode/unicornafl +++ b/unicorn_mode/unicornafl @@ -1 +1 @@ -Subproject commit f44ec48f8d5929f243522c1152b5b3c0985a5548 +Subproject commit 8cca4801adb767dce7cf72202d7d25bdb420cf7d -- cgit 1.4.1 From 330f33a4356f46f25d0930aa61ef18c78a559fea Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Fri, 4 Dec 2020 15:40:38 +0100 Subject: updated helper_scripts from battelle/afl-unicorn --- unicorn_mode/helper_scripts/unicorn_dumper_gdb.py | 64 ++--- unicorn_mode/helper_scripts/unicorn_dumper_ida.py | 2 +- unicorn_mode/helper_scripts/unicorn_loader.py | 271 ++++++++++++++++------ 3 files changed, 240 insertions(+), 97 deletions(-) (limited to 'unicorn_mode') 
diff --git a/unicorn_mode/helper_scripts/unicorn_dumper_gdb.py b/unicorn_mode/helper_scripts/unicorn_dumper_gdb.py index 22b9fd47..8c8f9641 100644 --- a/unicorn_mode/helper_scripts/unicorn_dumper_gdb.py +++ b/unicorn_mode/helper_scripts/unicorn_dumper_gdb.py @@ -1,13 +1,13 @@ """ unicorn_dumper_gdb.py - + When run with GDB sitting at a debug breakpoint, this dumps the current state (registers/memory/etc) of - the process to a directory consisting of an index - file with register and segment information and + the process to a directory consisting of an index + file with register and segment information and sub-files containing all actual process memory. - - The output of this script is expected to be used + + The output of this script is expected to be used to initialize context for Unicorn emulation. ----------- @@ -44,6 +44,7 @@ MAX_SEG_SIZE = 128 * 1024 * 1024 # Name of the index file INDEX_FILE_NAME = "_index.json" + #---------------------- #---- Helper Functions @@ -59,14 +60,14 @@ def map_arch(): return "arm64be" elif 'armeb' in arch: # check for THUMB mode - cpsr = get_register('cpsr') + cpsr = get_register('$cpsr') if (cpsr & (1 << 5)): return "armbethumb" else: return "armbe" elif 'arm' in arch: # check for THUMB mode - cpsr = get_register('cpsr') + cpsr = get_register('$cpsr') if (cpsr & (1 << 5)): return "armlethumb" else: @@ -88,19 +89,15 @@ def dump_regs(): reg_state = {} for reg in current_arch.all_registers: reg_val = get_register(reg) - # current dumper script looks for register values to be hex strings -# reg_str = "0x{:08x}".format(reg_val) -# if "64" in get_arch(): -# reg_str = "0x{:016x}".format(reg_val) -# reg_state[reg.strip().strip('$')] = reg_str reg_state[reg.strip().strip('$')] = reg_val + return reg_state def dump_process_memory(output_dir): # Segment information dictionary final_segment_list = [] - + # GEF: vmmap = get_process_maps() if not vmmap: 
@@ -110,7 +107,7 @@ def dump_process_memory(output_dir): for entry in vmmap: if entry.page_start == entry.page_end: continue - + seg_info = {'start': entry.page_start, 'end': entry.page_end, 'name': entry.path, 'permissions': { "r": entry.is_readable() > 0, "w": entry.is_writable() > 0, @@ -129,7 +126,7 @@ def dump_process_memory(output_dir): compressed_seg_content = zlib.compress(seg_content) md5_sum = hashlib.md5(compressed_seg_content).hexdigest() + ".bin" seg_info["content_file"] = md5_sum - + # Write the compressed contents to disk out_file = open(os.path.join(output_dir, md5_sum), 'wb') out_file.write(compressed_seg_content) @@ -143,12 +140,27 @@ def dump_process_memory(output_dir): # Add the segment to the list final_segment_list.append(seg_info) - + return final_segment_list +#--------------------------------------------- +#---- ARM Extention (dump floating point regs) + +def dump_float(rge=32): + reg_convert = "" + if map_arch() == "armbe" or map_arch() == "armle" or map_arch() == "armbethumb" or map_arch() == "armbethumb": + reg_state = {} + for reg_num in range(32): + value = gdb.selected_frame().read_register("d" + str(reg_num)) + reg_state["d" + str(reg_num)] = int(str(value["u64"]), 16) + value = gdb.selected_frame().read_register("fpscr") + reg_state["fpscr"] = int(str(value), 16) + + return reg_state + #---------- -#---- Main - +#---- Main + def main(): print("----- Unicorn Context Dumper -----") print("You must be actively debugging before running this!") 
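Review bot: The architecture test in the new `dump_float` lists `"armbethumb"` twice and never `"armlethumb"`, which `map_arch` returns for little-endian Thumb (see the `@@ -59` hunk above), so floating-point registers are skipped for exactly that mode; it also calls `map_arch()` four times and ignores its own `rge` parameter in favour of a hard-coded `range(32)`. Rewrite the head as `arch = map_arch()` / `if arch in ("armbe", "armle", "armbethumb", "armlethumb"):` and loop with `for reg_num in range(rge):`. `reg_convert = ""` is unused and can go, and the function returns `None` for non-ARM targets, which only works because the loader tests `context['regs_extended']` for truthiness; a docstring should state that contract (returns a dict of `d0`..`d31` plus `fpscr`, or `None` when the target is not ARM).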
@@ -159,32 +171,32 @@ def main(): print("!!! GEF not running in GDB. Please run gef.py by executing:") print('\tpython execfile ("/gef.py")') return - + try: - + # Create the output directory timestamp = datetime.datetime.fromtimestamp(time.time()).strftime('%Y%m%d_%H%M%S') output_path = "UnicornContext_" + timestamp if not os.path.exists(output_path): os.makedirs(output_path) print("Process context will be output to {}".format(output_path)) - + # Get the context context = { "arch": dump_arch_info(), - "regs": dump_regs(), + "regs": dump_regs(), + "regs_extended": dump_float(), "segments": dump_process_memory(output_path), } # Write the index file index_file = open(os.path.join(output_path, INDEX_FILE_NAME), 'w') index_file.write(json.dumps(context, indent=4)) - index_file.close() + index_file.close() print("Done.") - + except Exception as e: print("!!! ERROR:\n\t{}".format(repr(e))) - + if __name__ == "__main__": main() - diff --git a/unicorn_mode/helper_scripts/unicorn_dumper_ida.py b/unicorn_mode/helper_scripts/unicorn_dumper_ida.py index 6cf9f30f..3f955a5c 100644 --- a/unicorn_mode/helper_scripts/unicorn_dumper_ida.py +++ b/unicorn_mode/helper_scripts/unicorn_dumper_ida.py @@ -206,4 +206,4 @@ def main(): print("!!! ERROR:\n\t{}".format(str(e))) if __name__ == "__main__": - main() + main() \ No newline at end of file diff --git a/unicorn_mode/helper_scripts/unicorn_loader.py b/unicorn_mode/helper_scripts/unicorn_loader.py index adf21b64..1914a83d 100644 --- a/unicorn_mode/helper_scripts/unicorn_loader.py +++ b/unicorn_mode/helper_scripts/unicorn_loader.py @@ -1,8 +1,8 @@ """ unicorn_loader.py - - Loads a process context dumped created using a - Unicorn Context Dumper script into a Unicorn Engine + + Loads a process context dumped created using a + Unicorn Context Dumper script into a Unicorn Engine instance. Once this is performed emulation can be started. """ 
@@ -26,6 +26,13 @@ from unicorn.arm64_const import * from unicorn.x86_const import * from unicorn.mips_const import * +# If Capstone libraries are availible (only check once) +try: + from capstone import * + CAPSTONE_EXISTS = 1 +except: + CAPSTONE_EXISTS = 0 + # Name of the index file INDEX_FILE_NAME = "_index.json" @@ -86,7 +93,7 @@ class UnicornSimpleHeap(object): total_chunk_size = UNICORN_PAGE_SIZE + ALIGN_PAGE_UP(size) + UNICORN_PAGE_SIZE # Gross but efficient way to find space for the chunk: chunk = None - for addr in xrange(self.HEAP_MIN_ADDR, self.HEAP_MAX_ADDR, UNICORN_PAGE_SIZE): + for addr in range(self.HEAP_MIN_ADDR, self.HEAP_MAX_ADDR, UNICORN_PAGE_SIZE): try: self._uc.mem_map(addr, total_chunk_size, UC_PROT_READ | UC_PROT_WRITE) chunk = self.HeapChunk(addr, total_chunk_size, size) @@ -97,7 +104,7 @@ class UnicornSimpleHeap(object): continue # Something went very wrong if chunk == None: - return 0 + return 0 self._chunks.append(chunk) return chunk.data_addr @@ -112,8 +119,8 @@ class UnicornSimpleHeap(object): old_chunk = None for chunk in self._chunks: if chunk.data_addr == ptr: - old_chunk = chunk - new_chunk_addr = self.malloc(new_size) + old_chunk = chunk + new_chunk_addr = self.malloc(new_size) if old_chunk != None: self._uc.mem_write(new_chunk_addr, str(self._uc.mem_read(old_chunk.data_addr, old_chunk.data_size))) self.free(old_chunk.data_addr) 
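Review bot: The new capstone probe uses a bare `except:`, which also swallows `KeyboardInterrupt` and any `SyntaxError`/`OSError` from a broken capstone install and reports them as "capstone absent", and `from capstone import *` pulls an unknown set of names into the module namespace next to the unicorn wildcard imports. Use `except ImportError:` and, if only a few capstone names are needed, import them explicitly. The `xrange` to `range` change in `malloc` is not applied consistently: the `@@ -253` hunk further down still has `for i in xrange(-window, window + 1):` in `dump_stack`, which fails on Python 3.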
@@ -184,39 +191,27 @@ class AflUnicornEngine(Uc): # Load the registers regs = context['regs'] reg_map = self.__get_register_map(self._arch_str) - for register, value in regs.iteritems(): - if debug_print: - print("Reg {0} = {1}".format(register, value)) - if not reg_map.has_key(register.lower()): - if debug_print: - print("Skipping Reg: {}".format(register)) - else: - reg_write_retry = True - try: - self.reg_write(reg_map[register.lower()], value) - reg_write_retry = False - except Exception as e: - if debug_print: - print("ERROR writing register: {}, value: {} -- {}".format(register, value, repr(e))) + self.__load_registers(regs, reg_map, debug_print) + # If we have extra FLOATING POINT regs, load them in! + if 'regs_extended' in context: + if context['regs_extended']: + regs_extended = context['regs_extended'] + reg_map = self.__get_registers_extended(self._arch_str) + self.__load_registers(regs_extended, reg_map, debug_print) + + # For ARM, sometimes the stack pointer is erased ??? (I think I fixed this (issue with ordering of dumper.py, I'll keep the write anyways) + if self.__get_arch_and_mode(self.get_arch_str())[0] == UC_ARCH_ARM: + self.reg_write(UC_ARM_REG_SP, regs['sp']) - if reg_write_retry: - if debug_print: - print("Trying to parse value ({}) as hex string".format(value)) - try: - self.reg_write(reg_map[register.lower()], int(value, 16)) - except Exception as e: - if debug_print: - print("ERROR writing hex string register: {}, value: {} -- {}".format(register, value, repr(e))) - # Setup the memory map and load memory content self.__map_segments(context['segments'], context_directory, debug_print) - + if enable_trace: self.hook_add(UC_HOOK_BLOCK, self.__trace_block) self.hook_add(UC_HOOK_CODE, self.__trace_instruction) self.hook_add(UC_HOOK_MEM_WRITE | UC_HOOK_MEM_READ, self.__trace_mem_access) self.hook_add(UC_HOOK_MEM_WRITE_UNMAPPED | UC_HOOK_MEM_READ_INVALID, self.__trace_mem_invalid_access) - + if debug_print: print("Done loading context.") 
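Review bot: `self.reg_write(UC_ARM_REG_SP, regs['sp'])` raises `KeyError` when the dumped register set has no `sp` entry (the GDB dumper keys registers by their stripped names, so this silently depends on that naming), and it runs unconditionally for every ARM context. Guard it with `if 'sp' in regs:`, and replace the comment ("sometimes the stack pointer is erased ??? ...") with one that states what is actually known, or remove the write if the dumper ordering fix it mentions made it redundant; a `???` in a loader that sets CPU state is not a contract anyone can maintain. `self.__load_registers` and `self.__get_registers_extended` are new helpers not visible in this diff, and the method continues beyond the hunk.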
@@ -228,7 +223,7 @@ class AflUnicornEngine(Uc): def get_arch_str(self): return self._arch_str - + def force_crash(self, uc_error): """ This function should be called to indicate to AFL that a crash occurred during emulation. You can pass the exception received from Uc.emu_start 
@@ -253,21 +248,76 @@ class AflUnicornEngine(Uc): for reg in sorted(self.__get_register_map(self._arch_str).items(), key=lambda reg: reg[0]): print(">>> {0:>4}: 0x{1:016x}".format(reg[0], self.reg_read(reg[1]))) + def dump_regs_extended(self): + """ Dumps the contents of all the registers to STDOUT """ + try: + for reg in sorted(self.__get_registers_extended(self._arch_str).items(), key=lambda reg: reg[0]): + print(">>> {0:>4}: 0x{1:016x}".format(reg[0], self.reg_read(reg[1]))) + except Exception as e: + print("ERROR: Are extended registers loaded?") + # TODO: Make this dynamically get the stack pointer register and pointer width for the current architecture """ def dump_stack(self, window=10): + arch = self.get_arch() + mode = self.get_mode() + # Get stack pointers and bit sizes for given architecture + if arch == UC_ARCH_X86 and mode == UC_MODE_64: + stack_ptr_addr = self.reg_read(UC_X86_REG_RSP) + bit_size = 8 + elif arch == UC_ARCH_X86 and mode == UC_MODE_32: + stack_ptr_addr = self.reg_read(UC_X86_REG_ESP) + bit_size = 4 + elif arch == UC_ARCH_ARM64: + stack_ptr_addr = self.reg_read(UC_ARM64_REG_SP) + bit_size = 8 + elif arch == UC_ARCH_ARM: + stack_ptr_addr = self.reg_read(UC_ARM_REG_SP) + bit_size = 4 + elif arch == UC_ARCH_ARM and mode == UC_MODE_THUMB: + stack_ptr_addr = self.reg_read(UC_ARM_REG_SP) + bit_size = 4 + elif arch == UC_ARCH_MIPS: + stack_ptr_addr = self.reg_read(UC_MIPS_REG_SP) + bit_size = 4 + print("") print(">>> Stack:") stack_ptr_addr = self.reg_read(UC_X86_REG_RSP) for i in xrange(-window, window + 1): addr = stack_ptr_addr + (i*8) print("{0}0x{1:016x}: 0x{2:016x}".format( \ - 'SP->' if i == 0 else ' ', addr, \ + 'SP->' if i == 0 else ' ', addr, \ struct.unpack('>> Write: addr=0x{0:016x} size={1} data=0x{2:016x}".format(address, size, value)) else: - print(" >>> Read: addr=0x{0:016x} size={1}".format(address, size)) + print(" >>> Read: addr=0x{0:016x} size={1}".format(address, size)) def __trace_mem_invalid_access(self, uc, access, 
address, size, value, user_data): if access == UC_MEM_WRITE_UNMAPPED: print(" >>> INVALID Write: addr=0x{0:016x} size={1} data=0x{2:016x}".format(address, size, value)) else: - print(" >>> INVALID Read: addr=0x{0:016x} size={1}".format(address, size)) - + print(" >>> INVALID Read: addr=0x{0:016x} size={1}".format(address, size)) + + def bit_size_arch(self): + arch = self.get_arch() + mode = self.get_mode() + # Get bit sizes for given architecture + if arch == UC_ARCH_X86 and mode == UC_MODE_64: + bit_size = 8 + elif arch == UC_ARCH_X86 and mode == UC_MODE_32: + bit_size = 4 + elif arch == UC_ARCH_ARM64: + bit_size = 8 + elif arch == UC_ARCH_ARM: + bit_size = 4 + elif arch == UC_ARCH_MIPS: + bit_size = 4 + return bit_size
-- cgit 1.4.1
From 9a7d045897befd0388966ffd1d9c532e4158d096 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Fri, 4 Dec 2020 17:59:11 +0100 Subject: build_unicorn_support no longer fetches qemuafl --- unicorn_mode/build_unicorn_support.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'unicorn_mode')
diff --git a/unicorn_mode/build_unicorn_support.sh b/unicorn_mode/build_unicorn_support.sh
index b4d2058f..f1306a06 100755
--- a/unicorn_mode/build_unicorn_support.sh
+++ b/unicorn_mode/build_unicorn_support.sh
@@ -149,7 +149,7 @@ git status 1>/dev/null 2>/dev/null
 if [ $? -eq 0 ]; then
 echo "[*] initializing unicornafl submodule"
 git submodule init || exit 1
- git submodule update 2>/dev/null # ignore errors
+ git submodule update ./unicornafl 2>/dev/null # ignore errors
 else
 echo "[*] cloning unicornafl"
 test -d unicornafl || {
-- cgit 1.4.1
From eda068751e1876797e1ec481ece356ecfb63f0cc Mon Sep 17 00:00:00 2001 
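Review bot: In `dump_stack` the new per-architecture `stack_ptr_addr`/`bit_size` selection is immediately overwritten by the retained `stack_ptr_addr = self.reg_read(UC_X86_REG_RSP)` and `addr = stack_ptr_addr + (i*8)` lines that follow `print(">>> Stack:")`, so every non-x86-64 target still reads RSP, and that loop still uses Python 2's `xrange` while the @@ -86 hunk moved to `range` (the middle of this hunk is mangled in this rendering, so only the lines around the loop are visible to me). Delete the RSP read and use `addr = stack_ptr_addr + (i*bit_size)` with a width that matches the `struct.unpack` format. The `elif arch == UC_ARCH_ARM and mode == UC_MODE_THUMB` branch is unreachable because the preceding `elif arch == UC_ARCH_ARM` already matches, and neither `dump_stack` nor `bit_size_arch` has an `else`, so an unsupported architecture fails with `UnboundLocalError`; `dump_stack` could call the new `bit_size_arch()` instead of duplicating its table. `dump_regs_extended` folds every exception into `print("ERROR: Are extended registers loaded?")` — catch the specific unicorn error, or at least include `repr(e)` so the real cause is not hidden.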
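Review bot: `git submodule update ./unicornafl 2>/dev/null # ignore errors` discards both stderr and the exit status, so a failed fetch (offline, blocked proxy, rewritten upstream history) leaves whatever checkout already exists and the user learns of it later, if at all. At minimum surface the failure: `git submodule update ./unicornafl 2>/dev/null || echo "[!] Warning: unicornafl submodule update failed, using existing checkout"`. Pinning through the superproject's recorded gitlink is the right supply-chain choice; it only should not fail silently. The surrounding `if`/`else` continues outside the hunk.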
From: Dominik Maier Date: Tue, 8 Dec 2020 10:09:35 +0100 Subject: streamlined grammar mutator submodule --- .gitmodules | 2 +- custom_mutators/grammar_mutator | 1 - custom_mutators/grammar_mutator/GRAMMAR_VERSION | 1 + custom_mutators/grammar_mutator/README.md | 6 + .../grammar_mutator/build_grammar_mutator.sh | 141 +++++++++++++++++++++ custom_mutators/grammar_mutator/grammar_mutator | 1 + .../grammar_mutator/update_grammar_ref.sh | 50 ++++++++ qemu_mode/build_qemu_support.sh | 2 +- unicorn_mode/build_unicorn_support.sh | 2 +- 9 files changed, 202 insertions(+), 4 deletions(-) delete mode 160000 custom_mutators/grammar_mutator create mode 100644 custom_mutators/grammar_mutator/GRAMMAR_VERSION create mode 100644 custom_mutators/grammar_mutator/README.md create mode 100644 custom_mutators/grammar_mutator/build_grammar_mutator.sh create mode 160000 custom_mutators/grammar_mutator/grammar_mutator create mode 100644 custom_mutators/grammar_mutator/update_grammar_ref.sh (limited to 'unicorn_mode')
diff --git a/.gitmodules b/.gitmodules
index 78e9f439..c787ec0e 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -2,7 +2,7 @@
 path = unicorn_mode/unicornafl
 url = https://github.com/AFLplusplus/unicornafl
 [submodule "custom_mutators/grammar_mutator"]
- path = custom_mutators/grammar_mutator
+ path = custom_mutators/grammar_mutator/grammar_mutator
 url = https://github.com/AFLplusplus/Grammar-Mutator
 [submodule "qemu_mode/qemuafl"]
 path = qemu_mode/qemuafl
diff --git a/custom_mutators/grammar_mutator b/custom_mutators/grammar_mutator
deleted file mode 160000
index b3c4fcfa..00000000
--- a/custom_mutators/grammar_mutator
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit b3c4fcfa6ae28918bc410f7747135eafd4fb7263
diff --git a/custom_mutators/grammar_mutator/GRAMMAR_VERSION b/custom_mutators/grammar_mutator/GRAMMAR_VERSION
new file mode 100644
index 00000000..a3fe6bb1
--- /dev/null
+++ b/custom_mutators/grammar_mutator/GRAMMAR_VERSION
@@ -0,0 +1 @@
+b3c4fcf 
diff --git a/custom_mutators/grammar_mutator/README.md b/custom_mutators/grammar_mutator/README.md
new file mode 100644
index 00000000..a015744c
--- /dev/null
+++ b/custom_mutators/grammar_mutator/README.md
@@ -0,0 +1,6 @@
+# Grammar-Mutator
+
+This is just a stub directory that will clone the real grammar mutator
+directory.
+
+Execute `./build_grammar_mutator.sh` to set everything up.
diff --git a/custom_mutators/grammar_mutator/build_grammar_mutator.sh b/custom_mutators/grammar_mutator/build_grammar_mutator.sh
new file mode 100644
index 00000000..b097ebd3
--- /dev/null
+++ b/custom_mutators/grammar_mutator/build_grammar_mutator.sh 
@@ -0,0 +1,141 @@
+#!/bin/sh
+#
+# american fuzzy lop++ - unicorn mode build script
+# ------------------------------------------------
+#
+# Originally written by Nathan Voss
+#
+# Adapted from code by Andrew Griffiths and
+# Michal Zalewski
+#
+# Adapted for AFLplusplus by Dominik Maier
+#
+# CompareCoverage and NeverZero counters by Andrea Fioraldi
+#
+#
+# Copyright 2017 Battelle Memorial Institute. All rights reserved.
+# Copyright 2019-2020 AFLplusplus Project. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at:
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# This script downloads, patches, and builds a version of Unicorn with
+# minor tweaks to allow Unicorn-emulated binaries to be run under
+# afl-fuzz.
+#
+# The modifications reside in patches/*. The standalone Unicorn library
+# will be written to /usr/lib/libunicornafl.so, and the Python bindings
+# will be installed system-wide.
+#
+# You must make sure that Unicorn Engine is not already installed before
+# running this script. If it is, please uninstall it first.
+
+GRAMMAR_VERSION="$(cat ./GRAMMAR_VERSION)"
+GRAMMAR_REPO="https://github.com/AFLplusplus/grammar-mutator"
+
+echo "================================================="
+echo "Grammar Mutator build script"
+echo "================================================="
+echo
+
+echo "[*] Performing basic sanity checks..."
+
+PLT=`uname -s`
+
+if [ ! -f "../../config.h" ]; then
+
+ echo "[-] Error: key files not found - wrong working directory?" 
+ exit 1
+
+fi
+
+PYTHONBIN=`command -v python3 || command -v python || command -v python2 || echo python3`
+MAKECMD=make
+TARCMD=tar
+
+if [ "$PLT" = "Darwin" ]; then
+ CORES=`sysctl -n hw.ncpu`
+ TARCMD=tar
+fi
+
+if [ "$PLT" = "FreeBSD" ]; then
+ MAKECMD=gmake
+ CORES=`sysctl -n hw.ncpu`
+ TARCMD=gtar
+fi
+
+if [ "$PLT" = "NetBSD" ] || [ "$PLT" = "OpenBSD" ]; then
+ MAKECMD=gmake
+ CORES=`sysctl -n hw.ncpu`
+ TARCMD=gtar
+fi
+
+PREREQ_NOTFOUND=
+for i in git $MAKECMD $TARCMD; do
+
+ T=`command -v "$i" 2>/dev/null`
+
+ if [ "$T" = "" ]; then
+
+ echo "[-] Error: '$i' not found. Run 'sudo apt-get install $i' or similar."
+ PREREQ_NOTFOUND=1
+
+ fi
+
+done
+
+if echo "$CC" | grep -qF /afl-; then
+
+ echo "[-] Error: do not use afl-gcc or afl-clang to compile this tool."
+ PREREQ_NOTFOUND=1
+
+fi
+
+if [ "$PREREQ_NOTFOUND" = "1" ]; then
+ exit 1
+fi
+
+echo "[+] All checks passed!"
+
+echo "[*] Making sure grammar mutator is checked out"
+
+git status 1>/dev/null 2>/dev/null
+if [ $? -eq 0 ]; then
+ echo "[*] initializing grammar mutator submodule"
+ git submodule init || exit 1
+ git submodule update ./grammar_mutator 2>/dev/null # ignore errors
+else
+ echo "[*] cloning grammar mutator"
+ test -d grammar_mutator || {
+ CNT=1
+ while [ '!' -d grammar_mutator -a "$CNT" -lt 4 ]; do
+ echo "Trying to clone grammar_mutator (attempt $CNT/3)"
+ git clone --depth=1 "$GRAMMAR_REPO"
+ CNT=`expr "$CNT" + 1`
+ done
+ }
+fi
+
+test -d grammar_mutator || { echo "[-] not checked out, please install git or check your internet connection." ; exit 1 ; }
+echo "[+] Got grammar mutator."
+
+cd "grammar_mutator" || exit 1
+echo "[*] Checking out $GRAMMAR_VERSION"
+sh -c 'git stash && git stash drop' 1>/dev/null 2>/dev/null
+git checkout "$GRAMMAR_VERSION" || exit 1
+cd ..
+
+echo "[*] Downloading antlr..."
+wget -c https://www.antlr.org/download/antlr-4.8-complete.jar
+
+echo
+echo
+echo "[+] All successfully prepared!"
+echo "[!] 
To build for your grammar just do:"
+echo " `cd grammar_mutator`"
+echo " `make GRAMMAR_FILE=/path/to/your/grammar`"
+echo "[+] You will find a JSON and RUBY grammar in grammar_mutator/grammars to play with."
+echo
diff --git a/custom_mutators/grammar_mutator/grammar_mutator b/custom_mutators/grammar_mutator/grammar_mutator
new file mode 160000
index 00000000..b3c4fcfa
--- /dev/null
+++ b/custom_mutators/grammar_mutator/grammar_mutator
@@ -0,0 +1 @@
+Subproject commit b3c4fcfa6ae28918bc410f7747135eafd4fb7263
diff --git a/custom_mutators/grammar_mutator/update_grammar_ref.sh b/custom_mutators/grammar_mutator/update_grammar_ref.sh
new file mode 100644
index 00000000..478a73a8
--- /dev/null
+++ b/custom_mutators/grammar_mutator/update_grammar_ref.sh
@@ -0,0 +1,50 @@
+#/bin/sh
+
+##################################################
+# AFL++ tool to update a git ref.
+# Usage: ./
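Review bot: The two hint lines after `[!] To build for your grammar just do:` put backtick-quoted commands inside double quotes, so the shell treats them as command substitutions — `make GRAMMAR_FILE=/path/to/your/grammar` is actually executed in the current directory and the intended instructions are never printed; those strings need single quotes. `wget -c https://www.antlr.org/download/antlr-4.8-complete.jar` ignores a failed download and performs no integrity check on a jar that the grammar mutator's build presumably runs, so a truncated or substituted file goes unnoticed; the fence below aborts on download failure and verifies a pinned SHA-256 (left as a labelled placeholder to be filled from the upstream release; the Darwin/BSD branches would need `shasum -a 256` where `sha256sum` is absent). The header comment is copied from the unicorn build script and describes Unicorn patches and `/usr/lib/libunicornafl.so`, none of which this script does; replace it with a short description of what it sets up, and drop the unused `PYTHONBIN`, `CORES` and `TARCMD` plumbing. `GRAMMAR_VERSION` pins the abbreviated hash `b3c4fcf`, which `git checkout "$GRAMMAR_VERSION"` resolves by prefix; storing the full 40-character id (the one the gitlink already records) keeps the pin unambiguous as the upstream repository grows.
```sh
# … unchanged: header, sanity checks, grammar_mutator checkout …
echo "[*] Downloading antlr..."
wget -c https://www.antlr.org/download/antlr-4.8-complete.jar || exit 1
# Placeholder: fill in the SHA-256 published for antlr-4.8-complete.jar before use.
ANTLR_SHA256="<expected-sha256-of-antlr-4.8-complete.jar>"
echo "$ANTLR_SHA256  antlr-4.8-complete.jar" | sha256sum -c - || {
  echo "[-] Error: antlr-4.8-complete.jar checksum mismatch"
  exit 1
}
# … unchanged: success banner …
echo "[!] To build for your grammar just do:"
echo '  `cd grammar_mutator`'
echo '  `make GRAMMAR_FILE=/path/to/your/grammar`'
```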