-
-
[原创]AFL-FUZZ学习:QEMU模式的使用(MIPS架构)
-
发表于: 2022-8-16 14:29 13735
-
最近学习用AFL(American Fuzzy Lop)进行漏洞挖掘,简单的记录一下AFL的QEMU模式的使用。
首先创建测试用例:test.c
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 | #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <string.h> #include <signal.h> int vuln(char * str ) { int len = strlen( str ); if ( str [ 0 ] = = 'A' && len = = 66 ) { raise (SIGSEGV); / / 如果输入的字符串的首字符为A并且长度为 66 ,则异常退出 } else if ( str [ 0 ] = = 'F' && len = = 6 ) { raise (SIGSEGV); / / 如果输入的字符串的首字符为F并且长度为 6 ,则异常退出 } else { printf( "it is good!\n" ); } return 0 ; } int main( int argc, char * argv[]) { char buf[ 100 ] = { 0 }; gets(buf); / / 存在栈溢出漏洞 printf(buf); / / 存在格式化字符串漏洞 vuln(buf); return 0 ; } |
编译生成MIPS架构的可执行文件(需要建立MIPS交叉编译环境)
使用mips-linux-gcc
编译test.c
文件,
1 | mips - linux - gcc - g - o mips - test test.c |
使用file
命令查看文件类型
1 2 | ubuntu20 - 1 @ubuntu:~ / fuzzing$ file mips - test mips - test: ELF 32 - bit MSB executable, MIPS, MIPS32 version 1 (SYSV), dynamically linked, interpreter / lib / ld - uClibc.so. 0 , with debug_info, not stripped |
在使用afl进行fuzz前,先用qemu的用户模式测试MIPS文件能否正常运行
1 2 | ubuntu20 - 1 @ubuntu:~ / fuzzing$ qemu - mips - L . / mips - test qemu - mips: Could not open '/lib/ld-uClibc.so.0' : No such file or directory |
-L
参数的作用:将elf解释器前缀设置为“path”,通常为lib
文件夹的父目录
1 | - L path QEMU_LD_PREFIX set the elf interpreter prefix to 'path' |
报错:qemu-mips: Could not open '/lib/ld-uClibc.so.0': No such file or directory
,缺少lib
文件
解决方法:在当前目录创建lib
文件夹,使用locate
命令进行查找,并将ld-uClibc.so.0
文件复制进lib
文件夹
1 2 3 4 5 6 7 8 | ubuntu20 - 1 @ubuntu:~ / fuzzing$ locate ld - uClibc.so. 0 / home / ubuntu20 - 1 / buildroot - mips / output / build / uclibc - 1.0 . 39 / lib / ld - uClibc.so. 0 / home / ubuntu20 - 1 / buildroot - mips / output / host / mips - buildroot - linux - uclibc / sysroot / lib / ld - uClibc.so. 0 / home / ubuntu20 - 1 / buildroot - mips / output / target / lib / ld - uClibc.so. 0 ubuntu20 - 1 @ubuntu:~ / fuzzing$ mkdir lib ubuntu20 - 1 @ubuntu:~ / fuzzing$ cp / home / ubuntu20 - 1 / buildroot - mips / output / target / lib / ld - uClibc.so. 0 . / lib |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 | #再次执行qemu-mips,仍然报错,解决方法同上 ubuntu20 - 1 @ubuntu:~ / fuzzing$ qemu - mips - L . / mips - test / home / ubuntu20 - 1 / fuzzing / mips - test: can 't load library ' libc.so. 0 ' ubuntu20 - 1 @ubuntu:~ / fuzzing$ locate libc.so. 0 / home / ubuntu20 - 1 / buildroot - mips / output / build / uclibc - 1.0 . 39 / lib / ld - uClibc.so. 0 / home / ubuntu20 - 1 / buildroot - mips / output / build / uclibc - 1.0 . 39 / lib / libc.so. 0 / home / ubuntu20 - 1 / buildroot - mips / output / host / mips - buildroot - linux - uclibc / sysroot / lib / ld - uClibc.so. 0 / home / ubuntu20 - 1 / buildroot - mips / output / host / mips - buildroot - linux - uclibc / sysroot / lib / libc.so. 0 / home / ubuntu20 - 1 / buildroot - mips / output / target / lib / ld - uClibc.so. 0 / home / ubuntu20 - 1 / buildroot - mips / output / target / lib / libc.so. 0 ubuntu20 - 1 @ubuntu:~ / fuzzing$ cp / home / ubuntu20 - 1 / buildroot - mips / output / host / mips - buildroot - linux - uclibc / sysroot / lib / libc.so. 0 . / lib |
1 2 3 4 5 | #再次执行qemu-mips ubuntu20 - 1 @ubuntu:~ / fuzzing$ qemu - mips - L . / mips - test 123 123it is good! #正常输出,可用afl-fuzz进行测试 |
进行fuzz
创建afl-fuzz
的输入文件夹,并构造测试用例
1 2 3 4 | mkdir afl - in cd afl - in echo abc > testcase cd .. |
使用afl-fuzz
进行fuzz,因为没有使用afl-gcc
进行插桩编译,需要加上-Q
参数,即使用QEMU模式进行fuzz测试
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 | #初始化设置 #需要设置core_pattern,若未设置会出现报错1,详情见后文 sudo su echo core > / proc / sys / kernel / core_pattern exit #设置AFL相关的环境变量 #AFL_PATH为afl的安装路径 #QEMU_LD_PREFIX 为 MIPS 的 lib/ 目录所在的目录,MIPS文件的根目录 export AFL_PATH = / home / ubuntu20 - 1 / afl - 2.52b export QEMU_LD_PREFIX = . #若未设置 -m none,会出现报错2,详情见后文 #若未设置export QEMU_LD_PREFIX=.,会出现报错3,详情见后文 afl - fuzz - i afl - in - o afl - out - m none - Q . / mips - test |
参数解释:-i afl-in
:输入文件夹为afl-in
-o afl-out
:输出文件夹为afl-out
-m none
:不限制内存大小-Q
:使用afl的QEMU模式./mips-test
:被fuzz测试的文件
开始fuzz
报错1:
1 2 3 4 5 6 7 8 9 10 11 12 | [ - ] Hmm, your system is configured to send core dump notifications to an external utility. This will cause issues: there will be an extended delay between stumbling upon a crash and having this information relayed to the fuzzer via the standard waitpid() API. To avoid having crashes misinterpreted as timeouts, please log in as root and temporarily modify / proc / sys / kernel / core_pattern, like so: echo core > / proc / sys / kernel / core_pattern [ - ] PROGRAM ABORT : Pipe at the beginning of 'core_pattern' Location : check_crash_handling(), afl - fuzz.c: 7275 |
报错2:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 | [ - ] Hmm, looks like the target binary terminated before we could complete a handshake with the injected code. There are two probable explanations: - The current memory limit ( 200 MB) is too restrictive, causing an OOM fault in the dynamic linker. This can be fixed with the - m option. A simple way to confirm the diagnosis may be: ( ulimit - Sv $[ 199 << 10 ]; / path / to / fuzzed_app ) Tip: you can use http: / / jwilk.net / software / recidivm to quickly estimate the required amount of virtual memory for the binary. - Less likely, there is a horrible bug in the fuzzer. If other options fail, poke <lcamtuf@coredump.cx> for troubleshooting tips. [ - ] PROGRAM ABORT : Fork server handshake failed Location : init_forkserver(), afl - fuzz.c: 2253 |
报错3:
1 2 3 4 5 6 | [ - ] Hmm, looks like the target binary terminated before we could complete a handshake with the injected code. Perhaps there is a horrible bug in the fuzzer. Poke <lcamtuf@coredump.cx> for troubleshooting tips. [ - ] PROGRAM ABORT : Fork server handshake failed Location : init_forkserver(), afl - fuzz.c: 2253 |
赞赏
他的文章
看原图
赞赏
雪币:
留言: