-
-
[讨论][原创]如何使用honggfuzz来fuzz apache httpd?
-
发表于: 2018-12-24 16:00
-
2018-12-21 如何使用honggfuzz来fuzz apache httpd?
这是使用honggfuzz来fuzz apache httpd的一个例子。实践的时候遇到了一些问题,暂时绕不过去了,最后fuzz并没有成功。如果有对fuzz或者webserver感兴趣的同学欢迎一起讨论。
此外,对于一些相对成熟的基础设施软件,如apache/nginx/IIS,有点好奇还会存在RCE吗?现在国内还有团队是做这方面的工作吗?
本文主要参考honggfuzz的example:https://github.com/google/honggfuzz/blob/master/examples/apache-httpd/README.md
0x01 安装honggfuzz
下载honggfuzz源码到~/Fuzz/honggfuzz.git目录,安装好依赖后,使用make安装即可。
# 1. change folder cd ~/Fuzz # 2. clone honggfuzz git clone https://github.com/google/honggfuzz.git honggfuzz.git cd honggfuzz.git # 3. install dependency apt-get install libbfd-dev apt-get insall libunwind-dev apt-get install clang-6.0 # apt-cache search clang / 4.0 5.0 6.0 # 4. install make make install
安装完成后,在/usr/local/bin下可以看到编译后的文件:
0x02 源码编译apache httpd-2.4.29
下载源码到目录:/root/Hackit/apache。
- 从git上下载apache源码并切换分支
cd /root/Hackit/apache git clone https://github.com/apache/httpd.git httpd.hackit cd httpd.hackit # 不推荐切换branch 否则patch时会出现错误 # git checkout -b 2.4.29 2.4.29
(不推荐)或者从archives上下载,不推荐的原因是configure.in和 examples patch脚本中的不匹配,所以不能使用。相关inssue https://github.com/google/honggfuzz/issues/238
cd /root/Hackit/apache wget http://archive.apache.org/dist/httpd/httpd-2.4.29.tar.gz tar zxvf httpd-2.4.29.tar.gz cd httpd-2.4.29
- 同时下载相应的最新依赖包
cd /root/Hackit/apache # download url http://apr.apache.org/download.cgi wget https://www-us.apache.org/dist//apr/apr-1.6.5.tar.gz tar zxvf apr-1.6.5.tar.gz # download url wget https://www-eu.apache.org/dist//apr/apr-util-1.6.1.tar.gz tar zxvf apr-util-1.6.1.tar.gz # 下载地址 https://github.com/nghttp2/nghttp2/releases/ wget https://github.com/nghttp2/nghttp2/releases/download/v1.35.1/nghttp2-1.35.1.tar.gz tar zxvf nghttp2-1.35.1.tar.gz # binary sudo apt-get install libpcre3-dev
- 开始编译
cd /root/Hackit/apache/httpd.hackit # patch patch -p1 < /root/Fuzz/honggfuzz.git/examples/apache-httpd/httpd-master.honggfuzz.patch # change path and versions vim hfuzz.compile_and_install.asan.sh # HFUZZ_DIR="/root/Fuzz/honggfuzz.git" # NGHTTP2_VER=1.35.1 # start compile chmod u+x ./hfuzz.compile_and_install.asan.sh export nproc=4 ./hfuzz.compile_and_install.asan.sh
注意patch时一定要关注是否有相应的报错输出:
开始编译
编译成功:
启动apache看下效果,但是并没有启动起来。怀疑是由于patch了httpd导致的server已经不能正常运行了,只能通过honggfuzz来跑?
/root/Hackit/apache/dist/bin/apachectl start
0x03 开始fuzz
复制honggfuzz examples中的配置文件到apache的配置文件中:
cd /root/Hackit/apache/dist/conf cp /root/Fuzz/honggfuzz.git/examples/apache-httpd/httpd.conf.h* ./
开始fuzz:
# 切换 cd /root/Fuzz/honggfuzz.git/examples/apache-httpd # 开始fuzz honggfuzz -f corpus_http1 -w ./httpd.wordlist -- /root/Hackit/apache/dist/bin/httpd -DFOREGROUND -f /root/Hackit/apache/dist/conf/httpd.conf.h1 ___FILE___
这里的httpd退出非常快,图中的exit with code 1是否是说这个fuzz是有效的呢?使用tcpdump抓包发现并没有数据传输,那么似乎并没有fuzz成功。
如何确定exit code 为1的原因呢?精力有限,欢迎讨论...
参考
- 官网 http://honggfuzz.com/
- honggfuzz漏洞挖掘技术深究系列 https://bbs.pediy.com/thread-247954.htm
- git submodules https://git-scm.com/book/zh/v2/Git-%E5%B7%A5%E5%85%B7-%E5%AD%90%E6%A8%A1%E5%9D%97
- https://github.com/Quick700/Quick700/blob/master/honggfuzz/Dockerfile
- https://blog.csdn.net/m0_37886429/article/details/79643078
- https://www.kancloud.cn/curder/apache/91273
补充资料:
- http://blog.swiecki.net/2018/01/fuzzing-tcp-servers.html
|
|
|---|---|
|
|
|
|
|
|
|
|
|
