首页
社区
课程
招聘
[原创]使用AFL++复现历史CVE(Fuzzing101 1~5)
发表于: 2022-7-25 17:31 23238

[原创]使用AFL++复现历史CVE(Fuzzing101 1~5)

2022-7-25 17:31
23238

这是我做Fuzzing101的一些笔记,通过复现CVE的方式熟悉AFL++的基本使用方式,过程对我这样的萌新十分友好,同时中间涉及到的代码审计等方面还是值得后续学习的。

CVE-2019-13288 in XPDF 3.02 (infinite recursion)

从github等途径下载并解压

安装依赖和目标

配置configure时有各种环境变量需要设置,比较常用的有

自己随便写,fuzzer会自己变异,但效率较低

从网上(github、官网、压缩包自带)找现成的样本sample

先删除原先的安装,重新编译安装库

参数

这里的@@不能少,虽然初始输入都来源于设置的-i参数,但我们需要根据程序读取输入的方式进行调整此参数

跑一会就能出结果

图片描述

源码编译出带调试符号的文件

运行gdb

追踪crash路径

bt:跑出crash后查看调用路径

图片描述

报错信息Program received signal SIGSEGV, Segmentation fault,存在内存泄漏

从xpdf/Parse.cc 94行的makeStream调用,一路跟着报错往下翻就会找到这个套娃,这里就不细说了。

图片描述

下个xpdf4.02源码对比一下就好,修复方式比较简单,加了个变量,记录循环次数,超过一定次数就结束进程。

CVE-2009-3895 (heap-based buffer overflow)and CVE-2012-2836 (Out-of-bounds Read)in libexif 0.6.14

从github等途径下载并解压

安装依赖

配置configure并安装

先删除原先的安装,重新编译安装库

如果编译不通过,可以加 AR=llvm-ar RANLIB=llvm-ranlib LD=afl-clang-lto

重新编译应用

测试运行

图片描述

编译出带调试信息的可执行文件

丢进gdb,跑出crash

图片描述

图片描述

图片描述

CVE-2017-13028 in TCPdump 4.9.2(Out-of-bounds Read)

libcap是tcpdump的依赖库,可以不install,但需要保证目录位置与tcpdump根目录相同,且名称可识别

这里配置tcpdump的configure时也要加AFL_USE_ASAN=1,因为它的依赖库也加了ASAN

ASAN会消耗大量内存,使用-m none不限制内存使用

这个我跑了比较久(挂着进程容易忘关)

图片描述

有ASAN就不用再重新编译整个文件来调试了(这里如果用普通编译来运行crash反而得不到报错信息,显然这里的内存泄露不会直接导致crash)

直接运行crash,ASAN会给出较为详细的报错和调用栈

图片描述

CVE-2016-9297 in libtiff 4.0.4 (Out-of-bounds Read)

lcov --zerocounters --directory ./:重置计数器

lcov --capture --initial --directory ./ --output-file app.info:为每个instrumented line返回覆盖率数据的初始化基准

$HOME/fuzzing_tiff/install/bin/tiffinfo -D -j -c -r -s -w $HOME/fuzzing_tiff/tiff-4.0.4/test/images/palette-1c-1b.tiff0:运行需要分析的应用,可以用多个样本运行多次

将结果转化生成HTML输出

这里使用尽可能多的参数,增大fuzz到漏洞代码的概率

图片描述

查看报错

图片描述

CVE-2017-9048 in LibXML2 2.9.4(stack buffer overflow)

本质上就是有一定意义的字符串token

AFL++提供了先成的字典(可以凑合)

也可以自己手动构建,用codeql(在线平台LGTM)可以快速查询我们需要的特征字符串如

将fuzzer分为master和slave,实现共享instance

这里在编译时没有直接用ASAN,而是用了编译器自带的fsanitize,功能如下

编译时设置AFL_MAP_SIZE=262144,决定共享空间大小,因为程序较大,不改成一个较大值会给弹一个警告,最好设置一下。

这里用的是fuzzing101提供的样本以及test中的dtd9(DTD,它们会定义 XML 文档的结构和合法元素/属性,并用于确定 xml 文档是否有效)。

使用AFL++提供的字典

然后要跑很久,居然是靠havoc出的让我很意外
图片描述

先手动编译出不插桩的程序,丢进gdb里调试

图片描述

wget https://dl.xpdfreader.com/old/xpdf-3.02.tar.gz
tar -xvzf xpdf-3.02.tar.gz
wget https://dl.xpdfreader.com/old/xpdf-3.02.tar.gz
tar -xvzf xpdf-3.02.tar.gz
sudo apt update && sudo apt install -y build-essential gcc
./configure --prefix="$HOME/fuzz_target/fuzzing_xpdf/install/"
make
make install
sudo apt update && sudo apt install -y build-essential gcc
./configure --prefix="$HOME/fuzz_target/fuzzing_xpdf/install/"
make
make install
cd $HOME/fuzz_target/fuzzing_xpdf
mkdir pdf_examples && cd pdf_examples
wget https://github.com/mozilla/pdf.js-sample-files/raw/master/helloworld.pdf
wget http://www.africau.edu/images/default/sample.pdf
wget https://www.melbpc.org.au/wp-content/uploads/2017/10/small-example-pdf-file.pdf
cd $HOME/fuzz_target/fuzzing_xpdf
mkdir pdf_examples && cd pdf_examples
wget https://github.com/mozilla/pdf.js-sample-files/raw/master/helloworld.pdf
wget http://www.africau.edu/images/default/sample.pdf
wget https://www.melbpc.org.au/wp-content/uploads/2017/10/small-example-pdf-file.pdf
$HOME/fuzz_target/fuzzing_xpdf/install/bin/pdfinfo -box -meta $HOME/fuzz_target/fuzzing_xpdf/pdf_examples/helloworld.pdf
$HOME/fuzz_target/fuzzing_xpdf/install/bin/pdfinfo -box -meta $HOME/fuzz_target/fuzzing_xpdf/pdf_examples/helloworld.pdf
rm -r install
cd xpdf-3.02
make clean
export LLVM_CONFIG="llvm-config-12"
CC=afl-clang-fast CXX=afl-clang-fast++ ./configure --prefix="$HOME/fuzz_target/fuzzing_xpdf/install/"
make
make install
rm -r install
cd xpdf-3.02
make clean
export LLVM_CONFIG="llvm-config-12"
CC=afl-clang-fast CXX=afl-clang-fast++ ./configure --prefix="$HOME/fuzz_target/fuzzing_xpdf/install/"
make
make install
afl-fuzz -i $HOME/fuzz_target/fuzzing_xpdf/pdf_examples/ -o $HOME/fuzz_target/fuzzing_xpdf/out/ -s 123 -- $HOME/fuzz_target/fuzzing_xpdf/install/bin/pdftotext @@ $HOME/fuzz_target/fuzzing_xpdf/output
afl-fuzz -i $HOME/fuzz_target/fuzzing_xpdf/pdf_examples/ -o $HOME/fuzz_target/fuzzing_xpdf/out/ -s 123 -- $HOME/fuzz_target/fuzzing_xpdf/install/bin/pdftotext @@ $HOME/fuzz_target/fuzzing_xpdf/output
 
make clean
CFLAGS="-g -O0" CXXFLAGS="-g -O0" ./configure --prefix="$HOME/fuzz_target/fuzzing_xpdf/install/"
make
make install
make clean
CFLAGS="-g -O0" CXXFLAGS="-g -O0" ./configure --prefix="$HOME/fuzz_target/fuzzing_xpdf/install/"
make
make install
gdb --args $HOME/fuzz_target/fuzzing_xpdf/install/bin/pdftotext $HOME/fuzz_target/fuzzing_xpdf/out/default/crashes/<your_filename> $HOME/fuzz_target/fuzzing_xpdf/output
gdb --args $HOME/fuzz_target/fuzzing_xpdf/install/bin/pdftotext $HOME/fuzz_target/fuzzing_xpdf/out/default/crashes/<your_filename> $HOME/fuzz_target/fuzzing_xpdf/output
 
wget https://dl.xpdfreader.com/old/xpdf-4.02.tar.gz
wget https://dl.xpdfreader.com/old/xpdf-4.02.tar.gz
tar -xzvf libexif-0_6_14-release.tar.gz
tar -xzvf libexif-0_6_14-release.tar.gz
apt-get install
apt-get install
autoreconf -fvi 用于适配系统环境,简化config命令
//安装autoreconf sudo apt-get install autopoint libtool gettext libpopt-dev
./configure --enable-shared=no (如果是库文件,必须编译成静态库) --prefix="/root/fuzz_target/fuzzing_libexif/install/"
make
make install
autoreconf -fvi 用于适配系统环境,简化config命令
//安装autoreconf sudo apt-get install autopoint libtool gettext libpopt-dev
./configure --enable-shared=no (如果是库文件,必须编译成静态库) --prefix="/root/fuzz_target/fuzzing_libexif/install/"
make
make install
make clean
export LLVM_CONFIG="llvm-config-12"
CC=/root/fuzz/AFLplusplus/afl-clang-lto ./configure --enable-shared=no --prefix="/root/fuzz_target/fuzzing_libexif/install/"
make
make install
make clean
export LLVM_CONFIG="llvm-config-12"
CC=/root/fuzz/AFLplusplus/afl-clang-lto ./configure --enable-shared=no --prefix="/root/fuzz_target/fuzzing_libexif/install/"
make
make install
 
make clean
export LLVM_CONFIG="llvm-config-12"
CC=/root/fuzz/AFLplusplus/afl-clang-lto ./configure --enable-shared=no --prefix="$HOME/fuzz_target/fuzzing_libexif/install/" PKG_CONFIG_PATH=$HOME/fuzz_target/fuzzing_libexif/install/lib/pkgconfig
make
make install
make clean
export LLVM_CONFIG="llvm-config-12"
CC=/root/fuzz/AFLplusplus/afl-clang-lto ./configure --enable-shared=no --prefix="$HOME/fuzz_target/fuzzing_libexif/install/" PKG_CONFIG_PATH=$HOME/fuzz_target/fuzzing_libexif/install/lib/pkgconfig
make
make install
$HOME/fuzz_target/fuzzing_libexif/install/bin/exif $HOME/fuzz_target/fuzzing_libexif/exif-samples-master/jpg/Canon_40D_photoshop_import.jpg
$HOME/fuzz_target/fuzzing_libexif/install/bin/exif $HOME/fuzz_target/fuzzing_libexif/exif-samples-master/jpg/Canon_40D_photoshop_import.jpg
afl-fuzz -i $HOME/fuzz_target/fuzzing_libexif/exif-samples-master/jpg/ -o $HOME/fuzz_target/fuzzing_libexif/out/ -s 123 -- $HOME/fuzz_target/fuzzing_libexif/install/bin/exif @@
afl-fuzz -i $HOME/fuzz_target/fuzzing_libexif/exif-samples-master/jpg/ -o $HOME/fuzz_target/fuzzing_libexif/out/ -s 123 -- $HOME/fuzz_target/fuzzing_libexif/install/bin/exif @@
cd libexif-libexif-0_6_14-release
make clean
CFLAGS="-g -O0" CXXFLAGS="-g -O0" ./configure --prefix="$HOME/fuzz_target/fuzzing_libexif/install/"
make
make install
 
cd exif-exif-0_6_15-release
make clean
CFLAGS="-g -O0" CXXFLAGS="-g -O0" PKG_CONFIG_PATH=$HOME/fuzz_target/fuzzing_libexif/install/lib/pkgconfig ./configure --prefix="$HOME/fuzz_target/fuzzing_libexif/install/"
make
make install
cd libexif-libexif-0_6_14-release
make clean
CFLAGS="-g -O0" CXXFLAGS="-g -O0" ./configure --prefix="$HOME/fuzz_target/fuzzing_libexif/install/"
make
make install
 
cd exif-exif-0_6_15-release
make clean
CFLAGS="-g -O0" CXXFLAGS="-g -O0" PKG_CONFIG_PATH=$HOME/fuzz_target/fuzzing_libexif/install/lib/pkgconfig ./configure --prefix="$HOME/fuzz_target/fuzzing_libexif/install/"
make
make install
gdb --args ./install/bin/exif ./out/default/crashes/id\:000000\,sig\:11\,src\:000281\,time\:64869\,execs\:64957\,op\:havoc\,rep\:16
gdb --args ./install/bin/exif ./out/default/crashes/id\:000000\,sig\:11\,src\:000281\,time\:64869\,execs\:64957\,op\:havoc\,rep\:16
gdb --args ./install/bin/exif ./out/default/crashes/id\:000002\,sig\:11\,src\:000301\,time\:126417\,execs\:126621\,op\:havoc\,rep\:8
gdb --args ./install/bin/exif ./out/default/crashes/id\:000002\,sig\:11\,src\:000301\,time\:126417\,execs\:126621\,op\:havoc\,rep\:8
gdb --args ./install/bin/exif ./out/default/crashes/id\:000006\,sig\:11\,src\:000492+000181\,time\:341313\,execs\:358541\,op\:splice\,rep\:8
gdb --args ./install/bin/exif ./out/default/crashes/id\:000006\,sig\:11\,src\:000492+000181\,time\:341313\,execs\:358541\,op\:splice\,rep\:8
 
cd $HOME/fuzz_target/fuzzing_tcpdump/libpcap-1.8.0/
export LLVM_CONFIG="llvm-config-12"
CC=/root/fuzz/AFLplusplus/afl-clang-lto ./configure --enable-shared=no --prefix="$HOME/fuzz_target/fuzzing_tcpdump/install/"
AFL_USE_ASAN=1 make
AFL_USE_ASAN=1 make install
 
cd $HOME/fuzz_target/fuzzing_tcpdump/tcpdump-tcpdump-4.9.2/
AFL_USE_ASAN=1 CC=/root/fuzz/AFLplusplus/afl-clang-lto ./configure --prefix="$HOME/fuzz_target/fuzzing_tcpdump/install/"
AFL_USE_ASAN=1 make
AFL_USE_ASAN=1 make install
cd $HOME/fuzz_target/fuzzing_tcpdump/libpcap-1.8.0/
export LLVM_CONFIG="llvm-config-12"
CC=/root/fuzz/AFLplusplus/afl-clang-lto ./configure --enable-shared=no --prefix="$HOME/fuzz_target/fuzzing_tcpdump/install/"
AFL_USE_ASAN=1 make
AFL_USE_ASAN=1 make install
 
cd $HOME/fuzz_target/fuzzing_tcpdump/tcpdump-tcpdump-4.9.2/
AFL_USE_ASAN=1 CC=/root/fuzz/AFLplusplus/afl-clang-lto ./configure --prefix="$HOME/fuzz_target/fuzzing_tcpdump/install/"
AFL_USE_ASAN=1 make
AFL_USE_ASAN=1 make install
afl-fuzz -m none -i ./tcpdump-tcpdump-4.9.2/tests/ -o ./afl_out/ -s 123 -- ./install/sbin/tcpdump -vvvvXX -ee -nn -r @@
afl-fuzz -m none -i ./tcpdump-tcpdump-4.9.2/tests/ -o ./afl_out/ -s 123 -- ./install/sbin/tcpdump -vvvvXX -ee -nn -r @@
 
 
./install/sbin/tcpdump -vvvvXX -ee -nn -r ./afl_out/default/crashes/id\:000000\,sig\:06\,src\:011483\,time\:43941578\,execs\:17770128\,op\:havoc\,rep\:8
./install/sbin/tcpdump -vvvvXX -ee -nn -r ./afl_out/default/crashes/id\:000000\,sig\:06\,src\:011483\,time\:43941578\,execs\:17770128\,op\:havoc\,rep\:8
 
CFLAGS="--coverage" LDFLAGS="--coverage" ./configure --prefix="$HOME/fuzz_target/fuzzing_tiff/install/" --disable-shared
make
make install
CFLAGS="--coverage" LDFLAGS="--coverage" ./configure --prefix="$HOME/fuzz_target/fuzzing_tiff/install/" --disable-shared
make
make install
cd $HOME/fuzzing_tiff/tiff-4.0.4/
lcov --zerocounters --directory ./
lcov --capture --initial --directory ./ --output-file app.info
$HOME/fuzz_target/fuzzing_tiff/install/bin/tiffinfo -D -j -c -r -s -w $HOME/fuzz_target/fuzzing_tiff/tiff-4.0.4/test/images/palette-1c-1b.tiff
lcov --no-checksum --directory ./ --capture --output-file app2.info
cd $HOME/fuzzing_tiff/tiff-4.0.4/
lcov --zerocounters --directory ./
lcov --capture --initial --directory ./ --output-file app.info
$HOME/fuzz_target/fuzzing_tiff/install/bin/tiffinfo -D -j -c -r -s -w $HOME/fuzz_target/fuzzing_tiff/tiff-4.0.4/test/images/palette-1c-1b.tiff
lcov --no-checksum --directory ./ --capture --output-file app2.info
genhtml --highlight --legend -output-directory ./html-coverage/ ./app2.info
genhtml --highlight --legend -output-directory ./html-coverage/ ./app2.info
export LLVM_CONFIG="llvm-config-12"
CC=/root/fuzz/AFLplusplus/afl-clang-lto ./configure --prefix="$HOME/fuzz_target/fuzzing_tiff/install/" --disable-shared
AFL_USE_ASAN=1 make -j4
AFL_USE_ASAN=1 make install
afl-fuzz -m none -i $HOME/fuzz_target/fuzzing_tiff/tiff-4.0.4/test/images/ -o $HOME/fuzz_target/fuzzing_tiff/out/ -s 123 -- $HOME/fuzz_target/fuzzing_tiff/install/bin/tiffinfo -D -j -c -r -s -w @@
export LLVM_CONFIG="llvm-config-12"

[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!

最后于 2022-7-25 19:08 被Azyka编辑 ,原因:
收藏
免费 9
支持
分享
打赏 + 50.00雪花
打赏次数 1 雪花 + 50.00
 
赞赏  Editor   +50.00 2022/08/15 恭喜您获得“雪花”奖励,安全圈有你而精彩!
最新回复 (2)
雪    币: 14484
活跃值: (17483)
能力值: ( LV12,RANK:290 )
在线值:
发帖
回帖
粉丝
2
感谢分享
2022-7-25 17:37
0
雪    币:
能力值: ( LV1,RANK:0 )
在线值:
发帖
回帖
粉丝
3
你好,可以分享一下exercise5的触发输入吗?
2024-9-20 21:08
0
游客
登录 | 注册 方可回帖
返回
//