From 6fe38b2138ed993f3af28fc5ab92fda8f7542ef7 Mon Sep 17 00:00:00 2001 From: Maciej Domanski Date: Tue, 27 Dec 2022 15:39:47 +0100 Subject: argv fuzz persistent --- utils/argv_fuzzing/argv-fuzz-inl.h | 43 ++++++++++++++++++++++++++ utils/argv_fuzzing/argv_fuzz_demo.c | 16 ++++++++++ utils/argv_fuzzing/argv_fuzz_persistent_demo.c | 28 +++++++++++++++++ 3 files changed, 87 insertions(+) create mode 100644 utils/argv_fuzzing/argv_fuzz_demo.c create mode 100644 utils/argv_fuzzing/argv_fuzz_persistent_demo.c (limited to 'utils') diff --git a/utils/argv_fuzzing/argv-fuzz-inl.h b/utils/argv_fuzzing/argv-fuzz-inl.h index ec22c53b..d3440799 100644 --- a/utils/argv_fuzzing/argv-fuzz-inl.h +++ b/utils/argv_fuzzing/argv-fuzz-inl.h @@ -29,6 +29,10 @@ If you would like to always preserve argv[0], use this instead: AFL_INIT_SET0("prog_name"); + To enable persistent fuzzing, use the AFL_INIT_ARGV_PERSISTENT macro with + buf as argument, or use AFL_INIT_SET0_PERSISTENT("prog_name", buf) + to preserver argv[0]. buf should be defined as: + unsigned char *buf = __AFL_FUZZ_TESTCASE_BUF; */ #ifndef _HAVE_ARGV_FUZZ_INL @@ -53,6 +57,20 @@ \ } while (0) +#define AFL_INIT_ARGV_PERSISTENT(persistent_buff) \ + do { \ + argv = afl_init_argv_persistent(&argc, persistent_buff); \ + } while (0) + +#define AFL_INIT_SET0_PERSISTENT(_p, persistent_buff) \ + do { \ + \ + argv = afl_init_argv_persistent(&argc, persistent_buff); \ + argv[0] = (_p); \ + if (!argc) argc = 1; \ + \ + } while (0) + #define MAX_CMDLINE_LEN 100000 #define MAX_CMDLINE_PAR 50000 
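Review bot: The new header comment reads `to preserver argv[0]`; it should be `to preserve argv[0]`. The same sentence is re-indented by the second "cleanup" commit and reworded by the "minor changes" commit later in this series, and the typo survives both.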
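Review bot: `AFL_INIT_ARGV_PERSISTENT(persistent_buff)` and `AFL_INIT_SET0_PERSISTENT(_p, persistent_buff)` pass only the buffer pointer, so `afl_init_argv_persistent` has no way to know where the current test case ends, even though every persistent-mode call site has `__AFL_FUZZ_TESTCASE_LEN` at hand (the persistent demo reads it into `len` right before invoking the macro). Take the length as a further macro argument and forward it in both macros, `argv = afl_init_argv_persistent(&argc, persistent_buff, persistent_len);`; the matching change to the function is discussed at the next hunk.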
@@ -87,6 +105,31 @@ static char **afl_init_argv(int *argc) {
 }
+static char **afl_init_argv_persistent(int *argc, unsigned char *persistent_buff) {
+
+ static char *ret[MAX_CMDLINE_PAR];
+
+ unsigned char *ptr = persistent_buff;
+ int rc = 0;
+
+ while (*ptr && rc < MAX_CMDLINE_PAR) {
+
+ ret[rc] = (char *)ptr;
+ if (ret[rc][0] == 0x02 && !ret[rc][1]) ret[rc]++;
+ rc++;
+
+ while (*ptr)
+ ptr++;
+ ptr++;
+
+ }
+
+ *argc = rc;
+
+ return ret;
+
+}
+
 #undef MAX_CMDLINE_LEN
 #undef MAX_CMDLINE_PAR
diff --git a/utils/argv_fuzzing/argv_fuzz_demo.c b/utils/argv_fuzzing/argv_fuzz_demo.c
new file mode 100644
index 00000000..f4375316
--- /dev/null
+++ b/utils/argv_fuzzing/argv_fuzz_demo.c
@@ -0,0 +1,16 @@
+#include
+#include
+#include "argv-fuzz-inl.h"
+
+int main(int argc, char **argv) {
+AFL_INIT_ARGV();
+ if (argc > 1 && strcmp(argv[1], "XYZ") == 0) {
+ if (strcmp(argv[2], "TEST2") == 0) {
+ abort();
+ }
+ } else {
+ printf("Bad number of arguments!\n");
+ }
+
+ return 0;
+}
\ No newline at end of file
diff --git a/utils/argv_fuzzing/argv_fuzz_persistent_demo.c b/utils/argv_fuzzing/argv_fuzz_persistent_demo.c
new file mode 100644
index 00000000..5ecda22b
--- /dev/null
+++ b/utils/argv_fuzzing/argv_fuzz_persistent_demo.c
@@ -0,0 +1,28 @@
+#include
+#include
+#include "argv-fuzz-inl.h"
+
+__AFL_FUZZ_INIT();
+
+int main(int argc, char **argv) {
+#ifdef __AFL_HAVE_MANUAL_CONTROL
+ __AFL_INIT();
+#endif
+ unsigned char *buf = __AFL_FUZZ_TESTCASE_BUF;
+
+ while (__AFL_LOOP(100000)) {
+ int len = __AFL_FUZZ_TESTCASE_LEN;
+
+ if (len < 8) continue;
+
+ AFL_INIT_ARGV_P(buf);
+
+ if (argc > 1 && strcmp(argv[1], "XYZ") == 0) {
+ if (strcmp(argv[2], "TEST2") == 0) { abort(); }
+ } else {
+ printf("Bad number of arguments!\n");
+ }
+ }
+
+ return 0;
+}
\ No newline at end of file
-- cgit 1.4.1 From a0eee2bd92cb819758e54bbac9b8d8ec7daa0764 Mon Sep 17 00:00:00 2001
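Review bot: `afl_init_argv_persistent` scans `persistent_buff` until it meets a NUL, but nothing tells it where the current test case ends; in persistent mode the bytes after `__AFL_FUZZ_TESTCASE_LEN` are whatever earlier iterations left in the shared buffer, so the argument list can depend on previous inputs (crashes that do not reproduce from the saved file) and, if no NUL turns up first, the scan can run past the end of the mapping. A second, independent problem is that `ret` is static and only entries `0..rc-1` are rewritten, so after an iteration with more arguments `ret[rc]` still holds an old pointer and `argv[argc]` is not NULL as argv consumers expect. The rewrite below bounds the loop with a length parameter (the macros in the previous hunk would forward `__AFL_FUZZ_TESTCASE_LEN`), writes the terminating NULL explicitly, and drops an argument that runs into the end of the test case since no `strcmp`-style consumer could read it safely.
```c
static char **afl_init_argv_persistent(int *argc, unsigned char *persistent_buff,
                                       size_t persistent_len) {

  static char *ret[MAX_CMDLINE_PAR];

  unsigned char *ptr = persistent_buff;
  unsigned char *end = persistent_buff + persistent_len;
  int            rc = 0;

  /* Bound the scan by the current test case, not only by a NUL: bytes past
     persistent_len are stale data from earlier iterations. Keep one slot
     free for the terminating NULL. */
  while (ptr < end && *ptr && rc < MAX_CMDLINE_PAR - 1) {

    /* … unchanged: ret[rc] = (char *)ptr, 0x02 placeholder handling, rc++ … */

    while (ptr < end && *ptr)
      ptr++;
    /* An argument cut off by the end of the test case has no terminator a
       consumer could rely on: drop it and stop. */
    if (ptr == end) { rc--; break; }
    ptr++;

  }

  /* ret is static and keeps entries from earlier iterations; argv[argc]
     must be NULL regardless. */
  ret[rc] = NULL;
  *argc = rc;

  return ret;

}
```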
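Review bot: `strcmp(argv[2], "TEST2")` runs whenever `argv[1]` is `XYZ`, including when `argc` is 2, so the demo dereferences whatever `argv[2]` happens to hold — NULL or a pointer left over from an earlier test case — and the resulting fault lands in the crash queue looking just like the intended `abort()`. Guard the second argument as well: `if (argc > 2 && strcmp(argv[1], "XYZ") == 0) {`. The persistent demo in the next hunk on this line and the later formatting hunks of both demos carry the same condition.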
From: Maciej Domanski Date: Tue, 27 Dec 2022 15:44:49 +0100 Subject: makefile update --- utils/argv_fuzzing/Makefile | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'utils') diff --git a/utils/argv_fuzzing/Makefile b/utils/argv_fuzzing/Makefile index 183f6bf8..dfdd0f8e 100644 --- a/utils/argv_fuzzing/Makefile +++ b/utils/argv_fuzzing/Makefile @@ -56,3 +56,7 @@ install: argvfuzz32.so argvfuzz64.so clean: rm -f argvfuzz32.so argvfuzz64.so + +demo: + ../../afl-clang-fast -o argv_fuzz_demo argv_fuzz.c + ../../afl-clang-fast -o argv_fuzz_persistent_demo argv_fuzz_persistent_demo.c \ No newline at end of file -- cgit 1.4.1 From 0062a14aa32ffbf38c10a15b3cae97a63a6b3272 Mon Sep 17 00:00:00 2001 From: Maciej Domanski Date: Tue, 27 Dec 2022 15:48:06 +0100 Subject: makefile update --- utils/argv_fuzzing/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'utils') diff --git a/utils/argv_fuzzing/Makefile b/utils/argv_fuzzing/Makefile index dfdd0f8e..bf4ae81d 100644 --- a/utils/argv_fuzzing/Makefile +++ b/utils/argv_fuzzing/Makefile @@ -58,5 +58,5 @@ clean: rm -f argvfuzz32.so argvfuzz64.so demo: - ../../afl-clang-fast -o argv_fuzz_demo argv_fuzz.c + ../../afl-clang-fast -o argv_fuzz_demo argv_fuzz_demo.c ../../afl-clang-fast -o argv_fuzz_persistent_demo argv_fuzz_persistent_demo.c \ No newline at end of file -- cgit 1.4.1 From 67ae1d583902a7e0a8a39c2b17321ffde045cd6d Mon Sep 17 00:00:00 2001 From: Maciej Domanski Date: Tue, 27 Dec 2022 15:49:22 +0100 Subject: makefile update --- utils/argv_fuzzing/argv_fuzz_persistent_demo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'utils') diff --git a/utils/argv_fuzzing/argv_fuzz_persistent_demo.c b/utils/argv_fuzzing/argv_fuzz_persistent_demo.c index 5ecda22b..1e96ade1 100644 --- a/utils/argv_fuzzing/argv_fuzz_persistent_demo.c +++ b/utils/argv_fuzzing/argv_fuzz_persistent_demo.c 
@@ -15,7 +15,7 @@ int main(int argc, char **argv) { if (len < 8) continue; - AFL_INIT_ARGV_P(buf); + AFL_INIT_ARGV_PERSISTENT(buf); if (argc > 1 && strcmp(argv[1], "XYZ") == 0) { if (strcmp(argv[2], "TEST2") == 0) { abort(); } -- cgit 1.4.1 From 6e5c08b653d7d55c5d544601d9fb19fcc16edfd6 Mon Sep 17 00:00:00 2001 From: Maciej Domanski Date: Tue, 27 Dec 2022 15:50:53 +0100 Subject: makefile update --- utils/argv_fuzzing/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'utils') diff --git a/utils/argv_fuzzing/Makefile b/utils/argv_fuzzing/Makefile index bf4ae81d..140a53de 100644 --- a/utils/argv_fuzzing/Makefile +++ b/utils/argv_fuzzing/Makefile @@ -55,7 +55,7 @@ install: argvfuzz32.so argvfuzz64.so if [ -f argvfuzz64.so ]; then set -e; install -m 755 argvfuzz64.so $(DESTDIR)$(HELPER_PATH)/; fi clean: - rm -f argvfuzz32.so argvfuzz64.so + rm -f argvfuzz32.so argvfuzz64.so argv_fuzz_demo argv_fuzz_persistent_demo demo: ../../afl-clang-fast -o argv_fuzz_demo argv_fuzz_demo.c -- cgit 1.4.1 From 3a134edd889ed1bf4f8d11e8e37ebba31460fb3e Mon Sep 17 00:00:00 2001 From: Maciej Domanski Date: Tue, 27 Dec 2022 15:51:50 +0100 Subject: makefile update --- utils/argv_fuzzing/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'utils') diff --git a/utils/argv_fuzzing/Makefile b/utils/argv_fuzzing/Makefile index 140a53de..3ebde54b 100644 --- a/utils/argv_fuzzing/Makefile +++ b/utils/argv_fuzzing/Makefile @@ -41,7 +41,7 @@ __M32FLAG=$(_M32FLAG:00=-mbe32) ___M32FLAG=$(__M32FLAG:$(CC_IS_GCC)$(CC_IS_ARMCOMPILER)=-m32) M32FLAG=$(___M32FLAG) -all: argvfuzz32.so argvfuzz64.so +all: argvfuzz32.so argvfuzz64.so demo argvfuzz32.so: argvfuzz.c -@$(CC) $(M32FLAG) $(CFLAGS) $^ $(LDFLAGS) -o $@ 2>/dev/null || echo "argvfuzz32 build failure (that's fine)" -- cgit 1.4.1 From 3d031f93a6366ee157cfd9a27fbb6d485d328d8e Mon Sep 17 00:00:00 2001 
From: Maciej Domanski Date: Tue, 27 Dec 2022 16:15:52 +0100 Subject: update --- utils/argv_fuzzing/argv_fuzz_demo.c | 9 ++++++++- utils/argv_fuzzing/argv_fuzz_persistent_demo.c | 23 ++++++++++++++++++++++- 2 files changed, 30 insertions(+), 2 deletions(-) (limited to 'utils') diff --git a/utils/argv_fuzzing/argv_fuzz_demo.c b/utils/argv_fuzzing/argv_fuzz_demo.c index f4375316..5fe4d704 100644 --- a/utils/argv_fuzzing/argv_fuzz_demo.c +++ b/utils/argv_fuzzing/argv_fuzz_demo.c @@ -3,7 +3,14 @@ #include "argv-fuzz-inl.h" int main(int argc, char **argv) { -AFL_INIT_ARGV(); + // Initialize the argv array for use with the AFL (American Fuzzy Lop) tool + AFL_INIT_ARGV(); + + /* Check the number of command line arguments and + compare the values of the first two arguments to specific strings. + If the number of arguments is not correct or the values do not match, + an error message is printed. If the values do match, the program + calls the abort() function. */ if (argc > 1 && strcmp(argv[1], "XYZ") == 0) { if (strcmp(argv[2], "TEST2") == 0) { abort(); diff --git a/utils/argv_fuzzing/argv_fuzz_persistent_demo.c b/utils/argv_fuzzing/argv_fuzz_persistent_demo.c index 1e96ade1..a96cf1fe 100644 --- a/utils/argv_fuzzing/argv_fuzz_persistent_demo.c +++ b/utils/argv_fuzzing/argv_fuzz_persistent_demo.c 
@@ -1,28 +1,49 @@ +/* +This file contains a simple fuzzer for testing command line argument parsing +using persistent mode. +*/ + #include #include #include "argv-fuzz-inl.h" __AFL_FUZZ_INIT(); +/* The main function is an entry point for a program. + The argc parameter is an integer that indicates the number of arguments + passed to the program. The argv parameter is an array of character pointers, + with each element pointing to a null-terminated string that represents + one of the arguments. + */ int main(int argc, char **argv) { #ifdef __AFL_HAVE_MANUAL_CONTROL __AFL_INIT(); #endif unsigned char *buf = __AFL_FUZZ_TESTCASE_BUF; + /* __AFL_LOOP() limits the maximum number of iterations before exiting + the loop and allowing the program to terminate. It protects against + accidental memory leaks and similar issues. */ while (__AFL_LOOP(100000)) { int len = __AFL_FUZZ_TESTCASE_LEN; + // Check that the length of the test case is at least 8 bytes if (len < 8) continue; + // Initialize the command line arguments using the testcase buffer AFL_INIT_ARGV_PERSISTENT(buf); + /* Check if the first argument is "XYZ" and the second argument is "TEST2" + If so, call the "abort" function to terminate the program. + Otherwise, print an error message. */ if (argc > 1 && strcmp(argv[1], "XYZ") == 0) { if (strcmp(argv[2], "TEST2") == 0) { abort(); } } else { printf("Bad number of arguments!\n"); } } - + /* Exiting the loop allows the program to terminate normally. AFL will restart + the process with a clean slate for allocated memory, file descriptors, etc. + */ return 0; } \ No newline at end of file -- cgit 1.4.1 From b189640a927e9ed17347b26f6579b0e41dcdda38 Mon Sep 17 00:00:00 2001 
From: Maciej Domanski Date: Tue, 27 Dec 2022 16:54:36 +0100 Subject: cleanup --- .custom-format.py | 15 +++++++------ utils/argv_fuzzing/README.md | 4 ++-- utils/argv_fuzzing/argv-fuzz-inl.h | 31 ++++++++++++++------------ utils/argv_fuzzing/argv_fuzz_demo.c | 13 +++++++---- utils/argv_fuzzing/argv_fuzz_persistent_demo.c | 11 ++++++++- 5 files changed, 46 insertions(+), 28 deletions(-) (limited to 'utils') diff --git a/.custom-format.py b/.custom-format.py index 428d7b0d..00f6280f 100755 --- a/.custom-format.py +++ b/.custom-format.py @@ -26,15 +26,16 @@ import shutil with open(".clang-format") as f: fmt = f.read() -CURRENT_LLVM = os.getenv('LLVM_VERSION', 14) -CLANG_FORMAT_BIN = os.getenv("CLANG_FORMAT_BIN", "") +#CURRENT_LLVM = os.getenv('LLVM_VERSION', 14) +#CLANG_FORMAT_BIN = os.getenv("CLANG_FORMAT_BIN", "") -if shutil.which(CLANG_FORMAT_BIN) is None: - CLANG_FORMAT_BIN = f"clang-format-{CURRENT_LLVM}" +#if shutil.which(CLANG_FORMAT_BIN) is None: +# CLANG_FORMAT_BIN = f"clang-format-{CURRENT_LLVM}" -if shutil.which(CLANG_FORMAT_BIN) is None: - print(f"[!] clang-format-{CURRENT_LLVM} is needed. Aborted.") - exit(1) +#if shutil.which(CLANG_FORMAT_BIN) is None: +# print(f"[!] clang-format-{CURRENT_LLVM} is needed. Aborted.") +# exit(1) +CLANG_FORMAT_BIN = "clang-format" COLUMN_LIMIT = 80 for line in fmt.split("\n"): diff --git a/utils/argv_fuzzing/README.md b/utils/argv_fuzzing/README.md index e9224995..bcf388c7 100644 --- a/utils/argv_fuzzing/README.md +++ b/utils/argv_fuzzing/README.md @@ -1,4 +1,4 @@ -# argvfuzz +#argvfuzz AFL++ supports fuzzing file inputs or stdin. When source is available, `argv-fuzz-inl.h` can be used to change `main()` to build argv from stdin. 
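Review bot: Commenting out the `LLVM_VERSION`/`CLANG_FORMAT_BIN` lookup and hard-coding `CLANG_FORMAT_BIN = "clang-format"` removes the version pin for the whole repository, so `.custom-format.py` now formats with whatever `clang-format` is first on PATH and the output differs from machine to machine; the `shutil` import visible in the hunk context is also left with nothing to do. This reads like a local workaround that slipped into a "cleanup" commit otherwise scoped to `utils/`. If an unversioned binary is wanted, keep the pinned lookup and add the plain `clang-format` only as a last fallback candidate, preserving the abort when none of them is found.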
@@ -13,4 +13,4 @@ A few conditions need to be fulfilled for this mechanism to work correctly: 2. If the target binary does not use the default libc's `_start` implementation (crt1.o), the hook may not run. 3. The hook will replace argv with pointers to `.data` of `argvfuzz.so`. If the - target binary expects argv to be living on the stack, things may go wrong. \ No newline at end of file + target binary expects argv to be living on the stack, things may go wrong. diff --git a/utils/argv_fuzzing/argv-fuzz-inl.h b/utils/argv_fuzzing/argv-fuzz-inl.h index d3440799..bb8f2813 100644 --- a/utils/argv_fuzzing/argv-fuzz-inl.h +++ b/utils/argv_fuzzing/argv-fuzz-inl.h @@ -57,18 +57,20 @@ \ } while (0) -#define AFL_INIT_ARGV_PERSISTENT(persistent_buff) \ - do { \ - argv = afl_init_argv_persistent(&argc, persistent_buff); \ - } while (0) - -#define AFL_INIT_SET0_PERSISTENT(_p, persistent_buff) \ - do { \ - \ - argv = afl_init_argv_persistent(&argc, persistent_buff); \ - argv[0] = (_p); \ - if (!argc) argc = 1; \ - \ +#define AFL_INIT_ARGV_PERSISTENT(persistent_buff) \ + do { \ + \ + argv = afl_init_argv_persistent(&argc, persistent_buff); \ + \ + } while (0) + +#define AFL_INIT_SET0_PERSISTENT(_p, persistent_buff) \ + do { \ + \ + argv = afl_init_argv_persistent(&argc, persistent_buff); \ + argv[0] = (_p); \ + if (!argc) argc = 1; \ + \ } while (0) #define MAX_CMDLINE_LEN 100000 @@ -105,12 +107,13 @@ static char **afl_init_argv(int *argc) { } -static char **afl_init_argv_persistent(int *argc, unsigned char *persistent_buff) { +static char **afl_init_argv_persistent(int *argc, + unsigned char *persistent_buff) { static char *ret[MAX_CMDLINE_PAR]; unsigned char *ptr = persistent_buff; - int rc = 0; + int rc = 0; while (*ptr && rc < MAX_CMDLINE_PAR) { diff --git a/utils/argv_fuzzing/argv_fuzz_demo.c b/utils/argv_fuzzing/argv_fuzz_demo.c index 5fe4d704..6ab1e2e5 100644 --- a/utils/argv_fuzzing/argv_fuzz_demo.c +++ b/utils/argv_fuzzing/argv_fuzz_demo.c 
@@ -3,6 +3,7 @@ #include "argv-fuzz-inl.h" int main(int argc, char **argv) { + // Initialize the argv array for use with the AFL (American Fuzzy Lop) tool AFL_INIT_ARGV(); @@ -12,12 +13,16 @@ int main(int argc, char **argv) { an error message is printed. If the values do match, the program calls the abort() function. */ if (argc > 1 && strcmp(argv[1], "XYZ") == 0) { - if (strcmp(argv[2], "TEST2") == 0) { - abort(); - } + + if (strcmp(argv[2], "TEST2") == 0) { abort(); } + } else { + printf("Bad number of arguments!\n"); + } return 0; -} \ No newline at end of file + +} + diff --git a/utils/argv_fuzzing/argv_fuzz_persistent_demo.c b/utils/argv_fuzzing/argv_fuzz_persistent_demo.c index a96cf1fe..08a62c62 100644 --- a/utils/argv_fuzzing/argv_fuzz_persistent_demo.c +++ b/utils/argv_fuzzing/argv_fuzz_persistent_demo.c @@ -16,6 +16,7 @@ __AFL_FUZZ_INIT(); one of the arguments. */ int main(int argc, char **argv) { + #ifdef __AFL_HAVE_MANUAL_CONTROL __AFL_INIT(); #endif @@ -25,6 +26,7 @@ int main(int argc, char **argv) { the loop and allowing the program to terminate. It protects against accidental memory leaks and similar issues. */ while (__AFL_LOOP(100000)) { + int len = __AFL_FUZZ_TESTCASE_LEN; // Check that the length of the test case is at least 8 bytes @@ -37,13 +39,20 @@ int main(int argc, char **argv) { If so, call the "abort" function to terminate the program. Otherwise, print an error message. */ if (argc > 1 && strcmp(argv[1], "XYZ") == 0) { + if (strcmp(argv[2], "TEST2") == 0) { abort(); } + } else { + printf("Bad number of arguments!\n"); + } + } + /* Exiting the loop allows the program to terminate normally. AFL will restart the process with a clean slate for allocated memory, file descriptors, etc. */ return 0; -} \ No newline at end of file + +} -- cgit 1.4.1 From 3188cac1d074352e9110d83c7ad5c3d5684d90f8 Mon Sep 17 00:00:00 2001 
From: Maciej Domanski Date: Tue, 27 Dec 2022 16:57:30 +0100 Subject: cleanup --- utils/argv_fuzzing/README.md | 2 +- utils/argv_fuzzing/argv-fuzz-inl.h | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) (limited to 'utils') diff --git a/utils/argv_fuzzing/README.md b/utils/argv_fuzzing/README.md index bcf388c7..ca90f26c 100644 --- a/utils/argv_fuzzing/README.md +++ b/utils/argv_fuzzing/README.md @@ -1,4 +1,4 @@ -#argvfuzz +# argvfuzz feature AFL++ supports fuzzing file inputs or stdin. When source is available, `argv-fuzz-inl.h` can be used to change `main()` to build argv from stdin. diff --git a/utils/argv_fuzzing/argv-fuzz-inl.h b/utils/argv_fuzzing/argv-fuzz-inl.h index bb8f2813..abe86d3c 100644 --- a/utils/argv_fuzzing/argv-fuzz-inl.h +++ b/utils/argv_fuzzing/argv-fuzz-inl.h @@ -29,10 +29,10 @@ If you would like to always preserve argv[0], use this instead: AFL_INIT_SET0("prog_name"); - To enable persistent fuzzing, use the AFL_INIT_ARGV_PERSISTENT macro with - buf as argument, or use AFL_INIT_SET0_PERSISTENT("prog_name", buf) - to preserver argv[0]. buf should be defined as: - unsigned char *buf = __AFL_FUZZ_TESTCASE_BUF; + To enable persistent fuzzing, use the AFL_INIT_ARGV_PERSISTENT macro with + buf as argument, or use AFL_INIT_SET0_PERSISTENT("prog_name", buf) + to preserver argv[0]. buf should be defined as: + unsigned char *buf = __AFL_FUZZ_TESTCASE_BUF; */ #ifndef _HAVE_ARGV_FUZZ_INL -- cgit 1.4.1 From 51e0707d4d5b65cf4245b7350986c66bf639f3cd Mon Sep 17 00:00:00 2001 From: Maciej Domanski Date: Wed, 28 Dec 2022 09:27:22 +0100 Subject: readme update --- utils/argv_fuzzing/README.md | 30 ++++++++++++++++++++++++++---- 1 file changed, 26 insertions(+), 4 deletions(-) (limited to 'utils') diff --git a/utils/argv_fuzzing/README.md b/utils/argv_fuzzing/README.md index ca90f26c..e22fbe4e 100644 --- a/utils/argv_fuzzing/README.md +++ b/utils/argv_fuzzing/README.md 
@@ -1,15 +1,37 @@ -# argvfuzz feature +# argv_fuzzing feature +AFL++ supports fuzzing file inputs or stdin. The argv_fuzzing feature allows for fuzzing of arguments passed to a program from the command line interface, rather than from standard input. -AFL++ supports fuzzing file inputs or stdin. When source is available, -`argv-fuzz-inl.h` can be used to change `main()` to build argv from stdin. +## With source code +When source is available, a macro from the `argv-fuzz-inl.h` header file can be used to change the program's behavior to build argv from STDIN. +### Without persistent mode +Conditions needed to use the argv_fuzzing feature: +1. Include `argv-fuzz-inl.h` header file (`#include "argv-fuzz-inl.h"`) +2. Identify your main function that parses arguments (for example, `int main(int argc, char **argv)`) +3. Use the one of the following macros (near the beginning of the main function) to initialize argv with the fuzzer's input: + - `AFL_INIT_ARGV();` or + - `AFL_INIT_SET0("prog_name");` to preserve `argv[0]` (the name of the program being executed) + +see: [argv_fuzz_demo.c](argv_fuzz_demo.c) + +### With persistent mode +Conditions needed to use the argv_fuzzing feature with persistent mode: +1. Ensure your target can handle persistent mode fuzzing +2. Follow instructions in the [llvm_mode persistent mode](https://github.com/AFLplusplus/AFLplusplus/blob/stable/instrumentation/README.persistent_mode.md) +3. Use the one of the following macro near the beginning of the main function and after the buffer initialization (`unsigned char *buf = __AFL_FUZZ_TESTCASE_BUF`): + - `AFL_INIT_ARGV_PERSISTENT(buf)`, if you want to + - `AFL_INIT_SET0_PERSISTENT("name_of_binary", buf)` + +see: [argv_fuzz_persistent_demo.c](argv_fuzz_persistent_demo.c) + +## Binary only `argvfuzz` tries to provide the same functionality for binaries. When loaded using `LD_PRELOAD`, it will hook the call to `__libc_start_main` and replace argv using the same logic of `argv-fuzz-inl.h`. 
A few conditions need to be fulfilled for this mechanism to work correctly: -1. As it relies on hooking the loader, it cannot work on static binaries. +1. As it relies on hooking the loader, it cannot work on static binaries 2. If the target binary does not use the default libc's `_start` implementation (crt1.o), the hook may not run. 3. The hook will replace argv with pointers to `.data` of `argvfuzz.so`. If the -- cgit 1.4.1 From f28f6adbce0b803b80938518ca9c559e428ef9cf Mon Sep 17 00:00:00 2001 From: Maciej Domanski Date: Wed, 28 Dec 2022 09:41:22 +0100 Subject: update --- utils/argv_fuzzing/Makefile | 8 +++++--- utils/argv_fuzzing/README.md | 15 +++++++++------ 2 files changed, 14 insertions(+), 9 deletions(-) (limited to 'utils') diff --git a/utils/argv_fuzzing/Makefile b/utils/argv_fuzzing/Makefile index 3ebde54b..fca46b09 100644 --- a/utils/argv_fuzzing/Makefile +++ b/utils/argv_fuzzing/Makefile @@ -11,7 +11,7 @@ # http://www.apache.org/licenses/LICENSE-2.0 # -.PHONY: all install clean +.PHONY: all install clean demo PREFIX ?= /usr/local BIN_PATH = $(PREFIX)/bin @@ -58,5 +58,7 @@ clean: rm -f argvfuzz32.so argvfuzz64.so argv_fuzz_demo argv_fuzz_persistent_demo demo: - ../../afl-clang-fast -o argv_fuzz_demo argv_fuzz_demo.c - ../../afl-clang-fast -o argv_fuzz_persistent_demo argv_fuzz_persistent_demo.c \ No newline at end of file + CC = afl-clang-fast + CFLAGS = -fsanitize=address + -@$(CC) $(CFLAGS) -o argv_fuzz_demo argv_fuzz_demo.c + -@$(CC) $(CFLAGS) -o argv_fuzz_persistent_demo argv_fuzz_persistent_demo.c \ No newline at end of file diff --git a/utils/argv_fuzzing/README.md b/utils/argv_fuzzing/README.md index e22fbe4e..d248cf93 100644 --- a/utils/argv_fuzzing/README.md +++ b/utils/argv_fuzzing/README.md 
@@ -1,14 +1,16 @@ # argv_fuzzing feature -AFL++ supports fuzzing file inputs or stdin. The argv_fuzzing feature allows for fuzzing of arguments passed to a program from the command line interface, rather than from standard input. +AFL++ supports fuzzing file inputs or stdin. The argv_fuzzing feature allows for the fuzzing of arguments +passed to a program from the command line interface rather than from standard input. ## With source code -When source is available, a macro from the `argv-fuzz-inl.h` header file can be used to change the program's behavior to build argv from STDIN. +When the source code is available, a specific macro from the `argv-fuzz-inl.h` header file can be used to change +the program's behavior to build argv from STDIN. ### Without persistent mode Conditions needed to use the argv_fuzzing feature: 1. Include `argv-fuzz-inl.h` header file (`#include "argv-fuzz-inl.h"`) 2. Identify your main function that parses arguments (for example, `int main(int argc, char **argv)`) -3. Use the one of the following macros (near the beginning of the main function) to initialize argv with the fuzzer's input: +3. Use one of the following macros (near the beginning of the main function) to initialize argv with the fuzzer's input: - `AFL_INIT_ARGV();` or - `AFL_INIT_SET0("prog_name");` to preserve `argv[0]` (the name of the program being executed) 
@@ -18,7 +20,8 @@ see: [argv_fuzz_demo.c](argv_fuzz_demo.c) Conditions needed to use the argv_fuzzing feature with persistent mode: 1. Ensure your target can handle persistent mode fuzzing 2. Follow instructions in the [llvm_mode persistent mode](https://github.com/AFLplusplus/AFLplusplus/blob/stable/instrumentation/README.persistent_mode.md) -3. Use the one of the following macro near the beginning of the main function and after the buffer initialization (`unsigned char *buf = __AFL_FUZZ_TESTCASE_BUF`): +3. Use one of the following macros near the beginning of the main function and after +the buffer initialization (`unsigned char *buf = __AFL_FUZZ_TESTCASE_BUF`): - `AFL_INIT_ARGV_PERSISTENT(buf)`, if you want to - `AFL_INIT_SET0_PERSISTENT("name_of_binary", buf)` @@ -34,5 +37,5 @@ A few conditions need to be fulfilled for this mechanism to work correctly: 1. As it relies on hooking the loader, it cannot work on static binaries 2. If the target binary does not use the default libc's `_start` implementation (crt1.o), the hook may not run. -3. The hook will replace argv with pointers to `.data` of `argvfuzz.so`. If the - target binary expects argv to be living on the stack, things may go wrong. +3. The hook will replace argv with pointers to `.data` of `argvfuzz.so`. +Things may go wrong if the target binary expects argv to live on the stack. -- cgit 1.4.1 From c0c985a2781f84313db80eea3662ec88fb264292 Mon Sep 17 00:00:00 2001 From: Maciej Domanski Date: Wed, 28 Dec 2022 09:48:10 +0100 Subject: minor changes --- utils/argv_fuzzing/argv-fuzz-inl.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'utils') diff --git a/utils/argv_fuzzing/argv-fuzz-inl.h b/utils/argv_fuzzing/argv-fuzz-inl.h index abe86d3c..cb0af2bc 100644 --- a/utils/argv_fuzzing/argv-fuzz-inl.h +++ b/utils/argv_fuzzing/argv-fuzz-inl.h 
@@ -31,7 +31,8 @@ To enable persistent fuzzing, use the AFL_INIT_ARGV_PERSISTENT macro with buf as argument, or use AFL_INIT_SET0_PERSISTENT("prog_name", buf) - to preserver argv[0]. buf should be defined as: + to preserver argv[0]. buf is a pointer to a buffer containing + the input data for the current test case being processed defined as: unsigned char *buf = __AFL_FUZZ_TESTCASE_BUF; */ -- cgit 1.4.1 From 86ec1b9d71d1d2679f85676c65947324779016b3 Mon Sep 17 00:00:00 2001 From: Maciej Domanski Date: Wed, 28 Dec 2022 09:55:14 +0100 Subject: makefile update --- utils/argv_fuzzing/Makefile | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) (limited to 'utils') diff --git a/utils/argv_fuzzing/Makefile b/utils/argv_fuzzing/Makefile index fca46b09..ba811de6 100644 --- a/utils/argv_fuzzing/Makefile +++ b/utils/argv_fuzzing/Makefile @@ -11,7 +11,7 @@ # http://www.apache.org/licenses/LICENSE-2.0 # -.PHONY: all install clean demo +.PHONY: all install clean argv_fuzz_persistent_demo argv_fuzz_demo PREFIX ?= /usr/local BIN_PATH = $(PREFIX)/bin @@ -41,7 +41,7 @@ __M32FLAG=$(_M32FLAG:00=-mbe32) ___M32FLAG=$(__M32FLAG:$(CC_IS_GCC)$(CC_IS_ARMCOMPILER)=-m32) M32FLAG=$(___M32FLAG) -all: argvfuzz32.so argvfuzz64.so demo +all: argvfuzz32.so argvfuzz64.so argv_fuzz_persistent_demo argv_fuzz_demo argvfuzz32.so: argvfuzz.c -@$(CC) $(M32FLAG) $(CFLAGS) $^ $(LDFLAGS) -o $@ 2>/dev/null || echo "argvfuzz32 build failure (that's fine)" @@ -57,8 +57,8 @@ install: argvfuzz32.so argvfuzz64.so clean: rm -f argvfuzz32.so argvfuzz64.so argv_fuzz_demo argv_fuzz_persistent_demo -demo: - CC = afl-clang-fast - CFLAGS = -fsanitize=address - -@$(CC) $(CFLAGS) -o argv_fuzz_demo argv_fuzz_demo.c - -@$(CC) $(CFLAGS) -o argv_fuzz_persistent_demo argv_fuzz_persistent_demo.c \ No newline at end of file +argv_fuzz_persistent_demo: argv_fuzz_persistent_demo.c + $(CC) $(CFLAGS) -o $@ $^ + +argv_fuzz_demo: argv_fuzz_demo.c + $(CC) $(CFLAGS) -o $@ $^ \ No newline at end of file -- cgit 1.4.1 
From 4ff37da70923196f6986d64eafdda82590b92207 Mon Sep 17 00:00:00 2001 From: Maciej Domanski Date: Wed, 28 Dec 2022 10:34:56 +0100 Subject: makefile update --- utils/argv_fuzzing/Makefile | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) (limited to 'utils') diff --git a/utils/argv_fuzzing/Makefile b/utils/argv_fuzzing/Makefile index ba811de6..b6630175 100644 --- a/utils/argv_fuzzing/Makefile +++ b/utils/argv_fuzzing/Makefile @@ -13,11 +13,20 @@ .PHONY: all install clean argv_fuzz_persistent_demo argv_fuzz_demo +CC ?= afl-clang-fast +CFLAGS ?= -fsanitize=address + +argv_fuzz_persistent_demo: argv_fuzz_persistent_demo.c + $(CC) $(CFLAGS) -o $@ $^ + +argv_fuzz_demo: argv_fuzz_demo.c + $(CC) $(CFLAGS) -o $@ $^ + PREFIX ?= /usr/local BIN_PATH = $(PREFIX)/bin HELPER_PATH = $(PREFIX)/lib/afl -CFLAGS = -fPIC -Wall -Wextra +CFLAGS += -fPIC -Wall -Wextra LDFLAGS = -shared UNAME_SAYS_LINUX=$(shell uname | grep -E '^Linux|^GNU' >/dev/null; echo $$?) @@ -57,8 +66,3 @@ install: argvfuzz32.so argvfuzz64.so clean: rm -f argvfuzz32.so argvfuzz64.so argv_fuzz_demo argv_fuzz_persistent_demo -argv_fuzz_persistent_demo: argv_fuzz_persistent_demo.c - $(CC) $(CFLAGS) -o $@ $^ - -argv_fuzz_demo: argv_fuzz_demo.c - $(CC) $(CFLAGS) -o $@ $^ \ No newline at end of file -- cgit 1.4.1 From 107ebb7d49aefe87bd9b610b5b6a82c85d740ab7 Mon Sep 17 00:00:00 2001 From: Maciej Domanski Date: Wed, 28 Dec 2022 10:40:17 +0100 Subject: makefile update --- utils/argv_fuzzing/Makefile | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'utils') diff --git a/utils/argv_fuzzing/Makefile b/utils/argv_fuzzing/Makefile index b6630175..ef719e9a 100644 --- a/utils/argv_fuzzing/Makefile +++ b/utils/argv_fuzzing/Makefile @@ -22,6 +22,8 @@ argv_fuzz_persistent_demo: argv_fuzz_persistent_demo.c argv_fuzz_demo: argv_fuzz_demo.c $(CC) $(CFLAGS) -o $@ $^ +demo: argv_fuzz_persistent_demo argv_fuzz_demo + PREFIX ?= /usr/local BIN_PATH = $(PREFIX)/bin HELPER_PATH = $(PREFIX)/lib/afl 
@@ -50,7 +52,7 @@ __M32FLAG=$(_M32FLAG:00=-mbe32) ___M32FLAG=$(__M32FLAG:$(CC_IS_GCC)$(CC_IS_ARMCOMPILER)=-m32) M32FLAG=$(___M32FLAG) -all: argvfuzz32.so argvfuzz64.so argv_fuzz_persistent_demo argv_fuzz_demo +all: argvfuzz32.so argvfuzz64.so demo argvfuzz32.so: argvfuzz.c -@$(CC) $(M32FLAG) $(CFLAGS) $^ $(LDFLAGS) -o $@ 2>/dev/null || echo "argvfuzz32 build failure (that's fine)" -- cgit 1.4.1 From c090abb00d93e60a0643f6fb9c42816bc75846e3 Mon Sep 17 00:00:00 2001 From: Maciej Domanski Date: Wed, 28 Dec 2022 10:44:02 +0100 Subject: makefile update --- utils/argv_fuzzing/Makefile | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'utils') diff --git a/utils/argv_fuzzing/Makefile b/utils/argv_fuzzing/Makefile index ef719e9a..2b30b18c 100644 --- a/utils/argv_fuzzing/Makefile +++ b/utils/argv_fuzzing/Makefile @@ -13,14 +13,14 @@ .PHONY: all install clean argv_fuzz_persistent_demo argv_fuzz_demo -CC ?= afl-clang-fast -CFLAGS ?= -fsanitize=address +#CC ?= afl-clang-fast +#CFLAGS ?= -fsanitize=address argv_fuzz_persistent_demo: argv_fuzz_persistent_demo.c - $(CC) $(CFLAGS) -o $@ $^ + CC=afl-clang-fast CFLAGS=-fsanitize=address $(CC) $(CFLAGS) -o $@ $^ argv_fuzz_demo: argv_fuzz_demo.c - $(CC) $(CFLAGS) -o $@ $^ + CC=afl-clang-fast CFLAGS=-fsanitize=address $(CC) $(CFLAGS) -o $@ $^ demo: argv_fuzz_persistent_demo argv_fuzz_demo -- cgit 1.4.1 From 0710e4f17ca9224beaf3424c2cc6f07083ab7c1e Mon Sep 17 00:00:00 2001 From: Maciej Domanski Date: Wed, 28 Dec 2022 10:47:08 +0100 Subject: makefile update --- utils/argv_fuzzing/Makefile | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) (limited to 'utils') diff --git a/utils/argv_fuzzing/Makefile b/utils/argv_fuzzing/Makefile index 2b30b18c..dce092d6 100644 --- a/utils/argv_fuzzing/Makefile +++ b/utils/argv_fuzzing/Makefile 
@@ -11,18 +11,11 @@ # http://www.apache.org/licenses/LICENSE-2.0 # -.PHONY: all install clean argv_fuzz_persistent_demo argv_fuzz_demo +.PHONY: all install clean argv_fuzz_persistent_demo argv_fuzz_demo demo -#CC ?= afl-clang-fast -#CFLAGS ?= -fsanitize=address -argv_fuzz_persistent_demo: argv_fuzz_persistent_demo.c - CC=afl-clang-fast CFLAGS=-fsanitize=address $(CC) $(CFLAGS) -o $@ $^ -argv_fuzz_demo: argv_fuzz_demo.c - CC=afl-clang-fast CFLAGS=-fsanitize=address $(CC) $(CFLAGS) -o $@ $^ -demo: argv_fuzz_persistent_demo argv_fuzz_demo PREFIX ?= /usr/local BIN_PATH = $(PREFIX)/bin @@ -65,6 +58,14 @@ install: argvfuzz32.so argvfuzz64.so if [ -f argvfuzz32.so ]; then set -e; install -m 755 argvfuzz32.so $(DESTDIR)$(HELPER_PATH)/; fi if [ -f argvfuzz64.so ]; then set -e; install -m 755 argvfuzz64.so $(DESTDIR)$(HELPER_PATH)/; fi +argv_fuzz_persistent_demo: argv_fuzz_persistent_demo.c + afl-clang-fast -fsanitize=address -g -o $@ $^ + +argv_fuzz_demo: argv_fuzz_demo.c + afl-clang-fast -fsanitize=address -g -o $@ $^ + +demo: argv_fuzz_persistent_demo argv_fuzz_demo + clean: rm -f argvfuzz32.so argvfuzz64.so argv_fuzz_demo argv_fuzz_persistent_demo -- cgit 1.4.1 From 489f2d4d97c8497d6e259e9e50c27628ad075126 Mon Sep 17 00:00:00 2001 From: Maciej Domanski Date: Wed, 28 Dec 2022 10:49:31 +0100 Subject: makefile update --- utils/argv_fuzzing/Makefile | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) (limited to 'utils') diff --git a/utils/argv_fuzzing/Makefile b/utils/argv_fuzzing/Makefile index dce092d6..1bc6b223 100644 --- a/utils/argv_fuzzing/Makefile +++ b/utils/argv_fuzzing/Makefile @@ -13,10 +13,6 @@ .PHONY: all install clean argv_fuzz_persistent_demo argv_fuzz_demo demo - - - - PREFIX ?= /usr/local BIN_PATH = $(PREFIX)/bin HELPER_PATH = $(PREFIX)/lib/afl 
@@ -59,10 +55,10 @@ install: argvfuzz32.so argvfuzz64.so
 if [ -f argvfuzz64.so ]; then set -e; install -m 755 argvfuzz64.so $(DESTDIR)$(HELPER_PATH)/; fi
 argv_fuzz_persistent_demo: argv_fuzz_persistent_demo.c
- afl-clang-fast -fsanitize=address -g -o $@ $^
+ CC=afl-clang-fast $(CC) -o $@ $^
 argv_fuzz_demo: argv_fuzz_demo.c
- afl-clang-fast -fsanitize=address -g -o $@ $^
+ CC=afl-clang-fast $(CC) -o $@ $^
 demo: argv_fuzz_persistent_demo argv_fuzz_demo
-- cgit 1.4.1
From 209527907ff9a843fe9d353ec1a1602f88579982 Mon Sep 17 00:00:00 2001
From: Maciej Domanski
Date: Wed, 28 Dec 2022 10:50:05 +0100
Subject: makefile update
---
 utils/argv_fuzzing/Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'utils')
diff --git a/utils/argv_fuzzing/Makefile b/utils/argv_fuzzing/Makefile
index 1bc6b223..7e706180 100644
--- a/utils/argv_fuzzing/Makefile
+++ b/utils/argv_fuzzing/Makefile
@@ -55,10 +55,10 @@ install: argvfuzz32.so argvfuzz64.so
 if [ -f argvfuzz64.so ]; then set -e; install -m 755 argvfuzz64.so $(DESTDIR)$(HELPER_PATH)/; fi
 argv_fuzz_persistent_demo: argv_fuzz_persistent_demo.c
- CC=afl-clang-fast $(CC) -o $@ $^
+ afl-clang-fast -fsanitize=address -g -o $@ $^
 argv_fuzz_demo: argv_fuzz_demo.c
- CC=afl-clang-fast $(CC) -o $@ $^
+ afl-clang-fast -fsanitize=address -g -o $@ $^
 demo: argv_fuzz_persistent_demo argv_fuzz_demo
-- cgit 1.4.1
From 99c67defb4414c1f207123e2930d0500d338c6b8 Mon Sep 17 00:00:00 2001
From: Maciej Domanski
Date: Wed, 28 Dec 2022 10:58:44 +0100
Subject: readme cleanup
---
 utils/argv_fuzzing/README.md | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)
(limited to 'utils')
diff --git a/utils/argv_fuzzing/README.md b/utils/argv_fuzzing/README.md
index d248cf93..14fe5e2d 100644
--- a/utils/argv_fuzzing/README.md
+++ b/utils/argv_fuzzing/README.md
@@ -1,18 +1,22 @@
 # argv_fuzzing feature
-AFL++ supports fuzzing file inputs or stdin. The argv_fuzzing feature allows for the fuzzing of arguments
-passed to a program from the command line interface rather than from standard input.
+AFL++ supports fuzzing file inputs or stdin. The argv_fuzzing feature
+allows for the fuzzing of arguments passed to a program from the command line
+interface rather than from standard input.
 ## With source code
-When the source code is available, a specific macro from the `argv-fuzz-inl.h` header file can be used to change
-the program's behavior to build argv from STDIN.
+When the source code is available, a specific macro from the `argv-fuzz-inl.h`
+header file can be used to change the program's behavior to build argv from STDIN.
 ### Without persistent mode
 Conditions needed to use the argv_fuzzing feature:
 1. Include `argv-fuzz-inl.h` header file (`#include "argv-fuzz-inl.h"`)
-2. Identify your main function that parses arguments (for example, `int main(int argc, char **argv)`)
-3. Use one of the following macros (near the beginning of the main function) to initialize argv with the fuzzer's input:
+2. Identify your main function that parses arguments
+(for example, `int main(int argc, char **argv)`)
+3. Use one of the following macros (near the beginning of the main function)
+to initialize argv with the fuzzer's input:
 - `AFL_INIT_ARGV();` or
- - `AFL_INIT_SET0("prog_name");` to preserve `argv[0]` (the name of the program being executed)
+ - `AFL_INIT_SET0("prog_name");` to preserve `argv[0]`
+ (the name of the program being executed)
 see: [argv_fuzz_demo.c](argv_fuzz_demo.c)
-- cgit 1.4.1
From 5670c847bd2cc619a9d4a11e9f7ccb1f4004a0b0 Mon Sep 17 00:00:00 2001
From: Maciej Domanski
Date: Wed, 28 Dec 2022 11:00:14 +0100
Subject: readme update
---
 utils/argv_fuzzing/README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'utils')
diff --git a/utils/argv_fuzzing/README.md b/utils/argv_fuzzing/README.md
index 14fe5e2d..a085c098 100644
--- a/utils/argv_fuzzing/README.md
+++ b/utils/argv_fuzzing/README.md
@@ -1,7 +1,7 @@
 # argv_fuzzing feature
-AFL++ supports fuzzing file inputs or stdin. The argv_fuzzing feature
+AFL++ supports fuzzing file inputs or standard input. The argv_fuzzing feature
 allows for the fuzzing of arguments passed to a program from the command line
-interface rather than from standard input.
+interface rather than from STDIN.
 ## With source code
 When the source code is available, a specific macro from the `argv-fuzz-inl.h`
-- cgit 1.4.1
From fd27b2c9be442c429c215fe57bd5893121795b42 Mon Sep 17 00:00:00 2001
From: Maciej Domanski
Date: Wed, 28 Dec 2022 11:04:53 +0100
Subject: makefile cleanup
---
 utils/argv_fuzzing/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'utils')
diff --git a/utils/argv_fuzzing/Makefile b/utils/argv_fuzzing/Makefile
index 7e706180..f016c5a7 100644
--- a/utils/argv_fuzzing/Makefile
+++ b/utils/argv_fuzzing/Makefile
@@ -17,7 +17,7 @@ PREFIX ?= /usr/local
 BIN_PATH = $(PREFIX)/bin
 HELPER_PATH = $(PREFIX)/lib/afl
-CFLAGS += -fPIC -Wall -Wextra
+CFLAGS = -fPIC -Wall -Wextra
 LDFLAGS = -shared
 UNAME_SAYS_LINUX=$(shell uname | grep -E '^Linux|^GNU' >/dev/null; echo $$?)
-- cgit 1.4.1
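Review bot: Replacing `CFLAGS += -fPIC -Wall -Wextra` with `CFLAGS = -fPIC -Wall -Wextra` discards any CFLAGS inherited from the environment or a parent make (only a command-line `CFLAGS=` still wins), which the `+=` form preserved; if the top-level AFL++ build passes hardening or optimisation flags that way, the argvfuzz shared objects silently stop receiving them. Since the `CFLAGS ?=` default was already removed earlier in this series, `+=` on an unset variable yields exactly these three flags, so the change gains nothing and only drops the caller's flags. I would restore `CFLAGS += -fPIC -Wall -Wextra`; the `-fPIC` requirement for the `.so` targets is met either way.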