From 6fe38b2138ed993f3af28fc5ab92fda8f7542ef7 Mon Sep 17 00:00:00 2001 From: Maciej Domanski Date: Tue, 27 Dec 2022 15:39:47 +0100 Subject: argv fuzz persistent --- utils/argv_fuzzing/argv_fuzz_persistent_demo.c | 28 ++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 utils/argv_fuzzing/argv_fuzz_persistent_demo.c (limited to 'utils/argv_fuzzing/argv_fuzz_persistent_demo.c') diff --git a/utils/argv_fuzzing/argv_fuzz_persistent_demo.c b/utils/argv_fuzzing/argv_fuzz_persistent_demo.c new file mode 100644 index 00000000..5ecda22b --- /dev/null +++ b/utils/argv_fuzzing/argv_fuzz_persistent_demo.c @@ -0,0 +1,28 @@ +#include +#include +#include "argv-fuzz-inl.h" + +__AFL_FUZZ_INIT(); + +int main(int argc, char **argv) { +#ifdef __AFL_HAVE_MANUAL_CONTROL + __AFL_INIT(); +#endif + unsigned char *buf = __AFL_FUZZ_TESTCASE_BUF; + + while (__AFL_LOOP(100000)) { + int len = __AFL_FUZZ_TESTCASE_LEN; + + if (len < 8) continue; + + AFL_INIT_ARGV_P(buf); + + if (argc > 1 && strcmp(argv[1], "XYZ") == 0) { + if (strcmp(argv[2], "TEST2") == 0) { abort(); } + } else { + printf("Bad number of arguments!\n"); + } + } + + return 0; +} \ No newline at end of file -- cgit 1.4.1 From 67ae1d583902a7e0a8a39c2b17321ffde045cd6d Mon Sep 17 00:00:00 2001 From: Maciej Domanski Date: Tue, 27 Dec 2022 15:49:22 +0100 Subject: makefile update --- utils/argv_fuzzing/argv_fuzz_persistent_demo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'utils/argv_fuzzing/argv_fuzz_persistent_demo.c') diff --git a/utils/argv_fuzzing/argv_fuzz_persistent_demo.c b/utils/argv_fuzzing/argv_fuzz_persistent_demo.c index 5ecda22b..1e96ade1 100644 --- a/utils/argv_fuzzing/argv_fuzz_persistent_demo.c +++ b/utils/argv_fuzzing/argv_fuzz_persistent_demo.c @@ -15,7 +15,7 @@ int main(int argc, char **argv) { if (len < 8) continue; - AFL_INIT_ARGV_P(buf); + AFL_INIT_ARGV_PERSISTENT(buf); if (argc > 1 && strcmp(argv[1], "XYZ") == 0) { if (strcmp(argv[2], "TEST2") == 0) { abort(); } -- cgit 1.4.1 From 3d031f93a6366ee157cfd9a27fbb6d485d328d8e Mon Sep 17 00:00:00 2001 From: Maciej Domanski Date: Tue, 27 Dec 2022 16:15:52 +0100 Subject: update --- utils/argv_fuzzing/argv_fuzz_demo.c | 9 ++++++++- utils/argv_fuzzing/argv_fuzz_persistent_demo.c | 23 ++++++++++++++++++++++- 2 files changed, 30 insertions(+), 2 deletions(-) (limited to 'utils/argv_fuzzing/argv_fuzz_persistent_demo.c') diff --git a/utils/argv_fuzzing/argv_fuzz_demo.c b/utils/argv_fuzzing/argv_fuzz_demo.c index f4375316..5fe4d704 100644 --- a/utils/argv_fuzzing/argv_fuzz_demo.c +++ b/utils/argv_fuzzing/argv_fuzz_demo.c @@ -3,7 +3,14 @@ #include "argv-fuzz-inl.h" int main(int argc, char **argv) { -AFL_INIT_ARGV(); + // Initialize the argv array for use with the AFL (American Fuzzy Lop) tool + AFL_INIT_ARGV(); + + /* Check the number of command line arguments and + compare the values of the first two arguments to specific strings. + If the number of arguments is not correct or the values do not match, + an error message is printed. If the values do match, the program + calls the abort() function. */ if (argc > 1 && strcmp(argv[1], "XYZ") == 0) { if (strcmp(argv[2], "TEST2") == 0) { abort(); diff --git a/utils/argv_fuzzing/argv_fuzz_persistent_demo.c b/utils/argv_fuzzing/argv_fuzz_persistent_demo.c index 1e96ade1..a96cf1fe 100644 --- a/utils/argv_fuzzing/argv_fuzz_persistent_demo.c +++ b/utils/argv_fuzzing/argv_fuzz_persistent_demo.c @@ -1,28 +1,49 @@ +/* +This file contains a simple fuzzer for testing command line argument parsing +using persistent mode. +*/ + #include #include #include "argv-fuzz-inl.h" __AFL_FUZZ_INIT(); +/* The main function is an entry point for a program. + The argc parameter is an integer that indicates the number of arguments + passed to the program. The argv parameter is an array of character pointers, + with each element pointing to a null-terminated string that represents + one of the arguments. + */ int main(int argc, char **argv) { #ifdef __AFL_HAVE_MANUAL_CONTROL __AFL_INIT(); #endif unsigned char *buf = __AFL_FUZZ_TESTCASE_BUF; + /* __AFL_LOOP() limits the maximum number of iterations before exiting + the loop and allowing the program to terminate. It protects against + accidental memory leaks and similar issues. */ while (__AFL_LOOP(100000)) { int len = __AFL_FUZZ_TESTCASE_LEN; + // Check that the length of the test case is at least 8 bytes if (len < 8) continue; + // Initialize the command line arguments using the testcase buffer AFL_INIT_ARGV_PERSISTENT(buf); + /* Check if the first argument is "XYZ" and the second argument is "TEST2" + If so, call the "abort" function to terminate the program. + Otherwise, print an error message. */ if (argc > 1 && strcmp(argv[1], "XYZ") == 0) { if (strcmp(argv[2], "TEST2") == 0) { abort(); } } else { printf("Bad number of arguments!\n"); } } - + /* Exiting the loop allows the program to terminate normally. AFL will restart + the process with a clean slate for allocated memory, file descriptors, etc. + */ return 0; } \ No newline at end of file -- cgit 1.4.1 From b189640a927e9ed17347b26f6579b0e41dcdda38 Mon Sep 17 00:00:00 2001 From: Maciej Domanski Date: Tue, 27 Dec 2022 16:54:36 +0100 Subject: cleanup --- .custom-format.py | 15 +++++++------ utils/argv_fuzzing/README.md | 4 ++-- utils/argv_fuzzing/argv-fuzz-inl.h | 31 ++++++++++++++------------ utils/argv_fuzzing/argv_fuzz_demo.c | 13 +++++++---- utils/argv_fuzzing/argv_fuzz_persistent_demo.c | 11 ++++++++- 5 files changed, 46 insertions(+), 28 deletions(-) (limited to 'utils/argv_fuzzing/argv_fuzz_persistent_demo.c') diff --git a/.custom-format.py b/.custom-format.py index 428d7b0d..00f6280f 100755 --- a/.custom-format.py +++ b/.custom-format.py @@ -26,15 +26,16 @@ import shutil with open(".clang-format") as f: fmt = f.read() -CURRENT_LLVM = os.getenv('LLVM_VERSION', 14) -CLANG_FORMAT_BIN = os.getenv("CLANG_FORMAT_BIN", "") +#CURRENT_LLVM = os.getenv('LLVM_VERSION', 14) +#CLANG_FORMAT_BIN = os.getenv("CLANG_FORMAT_BIN", "") -if shutil.which(CLANG_FORMAT_BIN) is None: - CLANG_FORMAT_BIN = f"clang-format-{CURRENT_LLVM}" +#if shutil.which(CLANG_FORMAT_BIN) is None: +# CLANG_FORMAT_BIN = f"clang-format-{CURRENT_LLVM}" -if shutil.which(CLANG_FORMAT_BIN) is None: - print(f"[!] clang-format-{CURRENT_LLVM} is needed. Aborted.") - exit(1) +#if shutil.which(CLANG_FORMAT_BIN) is None: +# print(f"[!] clang-format-{CURRENT_LLVM} is needed. Aborted.") +# exit(1) +CLANG_FORMAT_BIN = "clang-format" COLUMN_LIMIT = 80 for line in fmt.split("\n"): diff --git a/utils/argv_fuzzing/README.md b/utils/argv_fuzzing/README.md index e9224995..bcf388c7 100644 --- a/utils/argv_fuzzing/README.md +++ b/utils/argv_fuzzing/README.md @@ -1,4 +1,4 @@ -# argvfuzz +#argvfuzz AFL++ supports fuzzing file inputs or stdin. When source is available, `argv-fuzz-inl.h` can be used to change `main()` to build argv from stdin. @@ -13,4 +13,4 @@ A few conditions need to be fulfilled for this mechanism to work correctly: 2. If the target binary does not use the default libc's `_start` implementation (crt1.o), the hook may not run. 3. The hook will replace argv with pointers to `.data` of `argvfuzz.so`. If the - target binary expects argv to be living on the stack, things may go wrong. \ No newline at end of file + target binary expects argv to be living on the stack, things may go wrong. diff --git a/utils/argv_fuzzing/argv-fuzz-inl.h b/utils/argv_fuzzing/argv-fuzz-inl.h index d3440799..bb8f2813 100644 --- a/utils/argv_fuzzing/argv-fuzz-inl.h +++ b/utils/argv_fuzzing/argv-fuzz-inl.h @@ -57,18 +57,20 @@ \ } while (0) -#define AFL_INIT_ARGV_PERSISTENT(persistent_buff) \ - do { \ - argv = afl_init_argv_persistent(&argc, persistent_buff); \ - } while (0) - -#define AFL_INIT_SET0_PERSISTENT(_p, persistent_buff) \ - do { \ - \ - argv = afl_init_argv_persistent(&argc, persistent_buff); \ - argv[0] = (_p); \ - if (!argc) argc = 1; \ - \ +#define AFL_INIT_ARGV_PERSISTENT(persistent_buff) \ + do { \ + \ + argv = afl_init_argv_persistent(&argc, persistent_buff); \ + \ + } while (0) + +#define AFL_INIT_SET0_PERSISTENT(_p, persistent_buff) \ + do { \ + \ + argv = afl_init_argv_persistent(&argc, persistent_buff); \ + argv[0] = (_p); \ + if (!argc) argc = 1; \ + \ } while (0) #define MAX_CMDLINE_LEN 100000 @@ -105,12 +107,13 @@ static char **afl_init_argv(int *argc) { } -static char **afl_init_argv_persistent(int *argc, unsigned char *persistent_buff) { +static char **afl_init_argv_persistent(int *argc, + unsigned char *persistent_buff) { static char *ret[MAX_CMDLINE_PAR]; unsigned char *ptr = persistent_buff; - int rc = 0; + int rc = 0; while (*ptr && rc < MAX_CMDLINE_PAR) { diff --git a/utils/argv_fuzzing/argv_fuzz_demo.c b/utils/argv_fuzzing/argv_fuzz_demo.c index 5fe4d704..6ab1e2e5 100644 --- a/utils/argv_fuzzing/argv_fuzz_demo.c +++ b/utils/argv_fuzzing/argv_fuzz_demo.c @@ -3,6 +3,7 @@ #include "argv-fuzz-inl.h" int main(int argc, char **argv) { + // Initialize the argv array for use with the AFL (American Fuzzy Lop) tool AFL_INIT_ARGV(); @@ -12,12 +13,16 @@ int main(int argc, char **argv) { an error message is printed. If the values do match, the program calls the abort() function. */ if (argc > 1 && strcmp(argv[1], "XYZ") == 0) { - if (strcmp(argv[2], "TEST2") == 0) { - abort(); - } + + if (strcmp(argv[2], "TEST2") == 0) { abort(); } + } else { + printf("Bad number of arguments!\n"); + } return 0; -} \ No newline at end of file + +} + diff --git a/utils/argv_fuzzing/argv_fuzz_persistent_demo.c b/utils/argv_fuzzing/argv_fuzz_persistent_demo.c index a96cf1fe..08a62c62 100644 --- a/utils/argv_fuzzing/argv_fuzz_persistent_demo.c +++ b/utils/argv_fuzzing/argv_fuzz_persistent_demo.c @@ -16,6 +16,7 @@ __AFL_FUZZ_INIT(); one of the arguments. */ int main(int argc, char **argv) { + #ifdef __AFL_HAVE_MANUAL_CONTROL __AFL_INIT(); #endif @@ -25,6 +26,7 @@ int main(int argc, char **argv) { the loop and allowing the program to terminate. It protects against accidental memory leaks and similar issues. */ while (__AFL_LOOP(100000)) { + int len = __AFL_FUZZ_TESTCASE_LEN; // Check that the length of the test case is at least 8 bytes @@ -37,13 +39,20 @@ int main(int argc, char **argv) { If so, call the "abort" function to terminate the program. Otherwise, print an error message. */ if (argc > 1 && strcmp(argv[1], "XYZ") == 0) { + if (strcmp(argv[2], "TEST2") == 0) { abort(); } + } else { + printf("Bad number of arguments!\n"); + } + } + /* Exiting the loop allows the program to terminate normally. AFL will restart the process with a clean slate for allocated memory, file descriptors, etc. */ return 0; -} \ No newline at end of file + +} -- cgit 1.4.1 From 1c91d8ca79e8177b0a0d08527a29a28a2fc86522 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Wed, 4 Jan 2023 17:08:29 +0100 Subject: code format --- src/afl-showmap.c | 3 +-- utils/afl_untracer/afl-untracer.c | 3 ++- utils/argv_fuzzing/argv_fuzz_persistent_demo.c | 1 + 3 files changed, 4 insertions(+), 3 deletions(-) (limited to 'utils/argv_fuzzing/argv_fuzz_persistent_demo.c') diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 776f77db..4e019794 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -1284,8 +1284,7 @@ int main(int argc, char **argv_orig, char **envp) { fsrv->shmem_fuzz = map + sizeof(u32); configure_afl_kill_signals( - fsrv, NULL, NULL, - (fsrv->qemu_mode || unicorn_mode) ? SIGKILL : SIGTERM); + fsrv, NULL, NULL, (fsrv->qemu_mode || unicorn_mode) ? SIGKILL : SIGTERM); if (!fsrv->cs_mode && !fsrv->qemu_mode && !unicorn_mode) { diff --git a/utils/afl_untracer/afl-untracer.c b/utils/afl_untracer/afl-untracer.c index ee40d252..a18e314e 100644 --- a/utils/afl_untracer/afl-untracer.c +++ b/utils/afl_untracer/afl-untracer.c @@ -217,7 +217,8 @@ void read_library_information(void) { if (debug) { fprintf(stderr, "%s:%lx (%lx-%lx)\n", liblist[liblist_cnt].name, - (unsigned long)(liblist[liblist_cnt].addr_end - liblist[liblist_cnt].addr_start), + (unsigned long)(liblist[liblist_cnt].addr_end - + liblist[liblist_cnt].addr_start), (unsigned long)liblist[liblist_cnt].addr_start, (unsigned long)(liblist[liblist_cnt].addr_end - 1)); diff --git a/utils/argv_fuzzing/argv_fuzz_persistent_demo.c b/utils/argv_fuzzing/argv_fuzz_persistent_demo.c index 08a62c62..016c3d35 100644 --- a/utils/argv_fuzzing/argv_fuzz_persistent_demo.c +++ b/utils/argv_fuzzing/argv_fuzz_persistent_demo.c @@ -56,3 +56,4 @@ int main(int argc, char **argv) { return 0; } + -- cgit 1.4.1