antonio-morales / fuzzing101
A step-by-step fuzzing tutorial. A GitHub Security Lab initiative
Home Page: https://securitylab.github.com/
License: Apache License 2.0
Please feel free to submit the PoC for a record.
https://github.com/trickest/cve/blob/main/2019/CVE-2019-5847.md
I need to know the CPU requirements to find your bugs very quickly.
I have finished exercise 1 after 14 hours of fuzzing.
Hi, I met a crash that occurred while fuzzing VLC. The build process is the same as in exercise 7, and the input file used was also the one provided in exercise 7. The same problem occurred even when the fuzzing harness was not applied.
╭─ ~/fuzzing_vlc/vlc-3.0.7.1/test
╰─❯ ./vlc-demux-run ../afl_in/short2.wmv
[-] FATAL: forkserver is already up, but an instrumented dlopen() library loaded afterwards. You must AFL_PRELOAD such libraries to be able to fuzz them or LD_PRELOAD to run outside of afl-fuzz.
To ignore this set AFL_IGNORE_PROBLEMS=1.
[1] 1353391 abort ./vlc-demux-run ../afl_in/short2.wmv
Hi, I'm building VLC using afl-clang-fast as the compiler and with ASAN, and I get a FATAL error:
CC="afl-clang-fast" CXX="afl-clang-fast++" ./configure --prefix="$HOME/fuzzing_vlc/vlc-3.0.7.1/install" --disable-a52 --disable-lua --disable-qt --with-sanitizer=address
AFL_LLVM_ALLOWLIST=$HOME/fuzzing_vlc/vlc-3.0.7.1/Partial_instrumentation make -j$(nproc) LDFLAGS="-fsanitize=address"
afl-cc++4.01a by Michal Zalewski, Laszlo Szekeres, Marc Heuse - mode: LLVM-PCGUARD
afl-cc++4.01a by Michal Zalewski, Laszlo Szekeres, Marc Heuse - mode: LLVM-PCGUARD
afl-cc++4.01a by Michal Zalewski, Laszlo Szekeres, Marc Heuse - mode: LLVM-PCGUARD
afl-cc++4.01a by Michal Zalewski, Laszlo Szekeres, Marc Heuse - mode: LLVM-PCGUARD
GEN ../modules/plugins.dat
[-] FATAL: forkserver is already up, but an instrumented dlopen() library loaded afterwards. You must AFL_PRELOAD such libraries to be able to fuzz them or LD_PRELOAD to run outside of afl-fuzz.
To ignore this set AFL_IGNORE_PROBLEMS=1.
/bin/bash: line 4: 451562 Aborted (core dumped) ./vlc-cache-gen `realpath ../modules`
make[2]: *** [Makefile:1831: ../modules/plugins.dat] Error 134
make[2]: Leaving directory '/home/test/Fuzz/fuzzing-101-solutions/exercise-7/fuzzing_vlc/vlc-3.0.7.1/bin'
make[1]: *** [Makefile:1553: all-recursive] Error 1
make[1]: Leaving directory '/home/test/Fuzz/fuzzing-101-solutions/exercise-7/fuzzing_vlc/vlc-3.0.7.1'
make: *** [Makefile:1438: all] Error 2
Why does feeding one of the specially crafted PDFs to texttopdf show that it crashes xpdf? Wouldn't this instead show that it crashes texttopdf? I'm confused.
I got different outputs:
filename: id:000001,sig:11,src:001805,time:3011457,execs:1394662,op:havoc,rep:16
Error: Unterminated hex string
Error: Bad image parameters
Program received signal SIGSEGV, Segmentation fault.
EmbedStream::getChar (this=0x5555556ca2c0) at Stream.cc:787
787 return str->getChar();
(gdb) bt
#0 EmbedStream::getChar (this=0x5555556ca2c0) at Stream.cc:787
#1 0x00005555555b5974 in Gfx::opBeginImage (this=0x5555556cc8e0, args=0x7fffffffd960, numArgs=0) at Gfx.cc:3880
#2 0x00005555555a3fec in Gfx::execOp (this=0x5555556cc8e0, cmd=0x7fffffffd950, args=0x7fffffffd960, numArgs=0) at Gfx.cc:690
#3 0x00005555555a39ee in Gfx::go (this=0x5555556cc8e0, topLevel=1) at Gfx.cc:581
#4 0x00005555555a37af in Gfx::display (this=0x5555556cc8e0, obj=0x7fffffffdcb0, topLevel=1) at Gfx.cc:553
#5 0x00005555555fc537 in Page::displaySlice (this=0x5555556c9c10, out=0x5555556cc570, hDPI=72, vDPI=72, rotate=0, useMediaBox=0, crop=0, sliceX=-1, sliceY=-1,
sliceW=-1, sliceH=-1, printing=0, catalog=0x5555556cb3e0, abortCheckCbk=0x0, abortCheckCbkData=0x0) at Page.cc:317
#6 0x00005555555fc128 in Page::display (this=0x5555556c9c10, out=0x5555556cc570, hDPI=72, vDPI=72, rotate=0, useMediaBox=0, crop=1, printing=0,
catalog=0x5555556cb3e0, abortCheckCbk=0x0, abortCheckCbkData=0x0) at Page.cc:264
#7 0x00005555555fed50 in PDFDoc::displayPage (this=0x5555556c8bb0, out=0x5555556cc570, page=1, hDPI=72, vDPI=72, rotate=0, useMediaBox=0, crop=1, printing=0,
abortCheckCbk=0x0, abortCheckCbkData=0x0) at PDFDoc.cc:317
#8 0x00005555555fedd5 in PDFDoc::displayPages (this=0x5555556c8bb0, out=0x5555556cc570, firstPage=1, lastPage=2, hDPI=72, vDPI=72, rotate=0, useMediaBox=0,
crop=1, printing=0, abortCheckCbk=0x0, abortCheckCbkData=0x0) at PDFDoc.cc:330
#9 0x0000555555622556 in main (argc=3, argv=0x7fffffffe018) at pdftotext.cc:237
filename: id:000002,sig:11,src:001917,time:4388704,execs:2020321,op:havoc,rep:2
Error: Unterminated string
Program received signal SIGSEGV, Segmentation fault.
EmbedStream::getPos (this=0x5555556ca2c0) at Stream.h:364
364 virtual int getPos() { return str->getPos(); }
(gdb) bt
#0 EmbedStream::getPos (this=0x5555556ca2c0) at Stream.h:364
#1 0x00005555556018e9 in Stream::makeFilter (this=0x5555556ca2c0, name=0x5555556ca3b0 "", str=0x5555556ca2c0, params=0x7fffffffd7d0) at Stream.cc:271
#2 0x0000555555600d70 in Stream::addFilters (this=0x5555556ca2c0, dict=0x7fffffffd840) at Stream.cc:110
#3 0x00005555555b5c9b in Gfx::buildImageStream (this=0x5555556cc8e0) at Gfx.cc:3925
#4 0x00005555555b5925 in Gfx::opBeginImage (this=0x5555556cc8e0, args=0x7fffffffd960, numArgs=0) at Gfx.cc:3873
#5 0x00005555555a3fec in Gfx::execOp (this=0x5555556cc8e0, cmd=0x7fffffffd950, args=0x7fffffffd960, numArgs=0) at Gfx.cc:690
#6 0x00005555555a39ee in Gfx::go (this=0x5555556cc8e0, topLevel=1) at Gfx.cc:581
#7 0x00005555555a37af in Gfx::display (this=0x5555556cc8e0, obj=0x7fffffffdcb0, topLevel=1) at Gfx.cc:553
#8 0x00005555555fc537 in Page::displaySlice (this=0x5555556c9c10, out=0x5555556cc570, hDPI=72, vDPI=72, rotate=0, useMediaBox=0, crop=0, sliceX=-1, sliceY=-1,
sliceW=-1, sliceH=-1, printing=0, catalog=0x5555556cb3e0, abortCheckCbk=0x0, abortCheckCbkData=0x0) at Page.cc:317
#9 0x00005555555fc128 in Page::display (this=0x5555556c9c10, out=0x5555556cc570, hDPI=72, vDPI=72, rotate=0, useMediaBox=0, crop=1, printing=0,
catalog=0x5555556cb3e0, abortCheckCbk=0x0, abortCheckCbkData=0x0) at Page.cc:264
#10 0x00005555555fed50 in PDFDoc::displayPage (this=0x5555556c8bb0, out=0x5555556cc570, page=1, hDPI=72, vDPI=72, rotate=0, useMediaBox=0, crop=1, printing=0,
abortCheckCbk=0x0, abortCheckCbkData=0x0) at PDFDoc.cc:317
#11 0x00005555555fedd5 in PDFDoc::displayPages (this=0x5555556c8bb0, out=0x5555556cc570, firstPage=1, lastPage=2, hDPI=72, vDPI=72, rotate=0, useMediaBox=0,
crop=1, printing=0, abortCheckCbk=0x0, abortCheckCbkData=0x0) at PDFDoc.cc:330
#12 0x0000555555622556 in main (argc=3, argv=0x7fffffffe018) at pdftotext.cc:237
As far as I can tell, tcpdump at tag 4.9.2 contains the patch that fixes the target CVE.
wget https://github.com/the-tcpdump-group/tcpdump/archive/refs/tags/tcpdump-4.9.2.tar.gz
tar xf tcpdump-4.9.2.tar.gz
grep -n 'ND_TCHECK\(bp->bp_flags\)' tcpdump-tcpdump-4.9.2/print-bootp.c
325: ND_TCHECK(bp->bp_flags);
While compiling the libexif library I get the following error:
$ make
make all-recursive
make[1]: Entering directory '/home/amit/fuzzing/examples/Fuzzing101/Exercise 2/fuzzing_libexif/libexif-libexif-0_6_14-release'
Making all in m4m
make[2]: Entering directory '/home/amit/fuzzing/examples/Fuzzing101/Exercise 2/fuzzing_libexif/libexif-libexif-0_6_14-release/m4m'
make[2]: Nothing to be done for 'all'.
make[2]: Leaving directory '/home/amit/fuzzing/examples/Fuzzing101/Exercise 2/fuzzing_libexif/libexif-libexif-0_6_14-release/m4m'
Making all in po
make[2]: Entering directory '/home/amit/fuzzing/examples/Fuzzing101/Exercise 2/fuzzing_libexif/libexif-libexif-0_6_14-release/po'
make[2]: Nothing to be done for 'all'.
make[2]: Leaving directory '/home/amit/fuzzing/examples/Fuzzing101/Exercise 2/fuzzing_libexif/libexif-libexif-0_6_14-release/po'
Making all in libexif
make[2]: Entering directory '/home/amit/fuzzing/examples/Fuzzing101/Exercise 2/fuzzing_libexif/libexif-libexif-0_6_14-release/libexif'
Making all in canon
make[3]: Entering directory '/home/amit/fuzzing/examples/Fuzzing101/Exercise 2/fuzzing_libexif/libexif-libexif-0_6_14-release/libexif/canon'
/bin/bash ../../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I../.. -DLOCALEDIR=\"/home/amit/fuzzing/examples/Fuzzing101/Exercise 2/install/share/locale\" -I../.. -I../../libexif -g -Wall -Wmissing-declarations -Wmissing-prototypes -g -O2 -MT exif-mnote-data-canon
.lo -MD -MP -MF .deps/exif-mnote-data-canon.Tpo -c -o exif-mnote-data-canon.lo exif-mnote-data-canon.c
libtool: compile: gcc -DHAVE_CONFIG_H -I. -I../.. -DLOCALEDIR=\"/home/amit/fuzzing/examples/Fuzzing101/Exercise 2/install/share/locale\" -I../.. -I../../libexif -g -Wall -Wmissing-declarations -Wmissing-prototypes -g -O2 -MT exif-mnote-data-canon.lo -MD -MP -MF .deps/exif-mnote-da
ta-canon.Tpo -c exif-mnote-data-canon.c -o exif-mnote-data-canon.o
<command-line>: warning: missing terminating " character
gcc: warning: 2/install/share/locale": linker input file unused because linking not done
gcc: error: 2/install/share/locale": linker input file not found: No such file or directory
make[3]: *** [Makefile:421: exif-mnote-data-canon.lo] Error 1
make[3]: Leaving directory '/home/amit/fuzzing/examples/Fuzzing101/Exercise 2/fuzzing_libexif/libexif-libexif-0_6_14-release/libexif/canon'
make[2]: *** [Makefile:655: all-recursive] Error 1
make[2]: Leaving directory '/home/amit/fuzzing/examples/Fuzzing101/Exercise 2/fuzzing_libexif/libexif-libexif-0_6_14-release/libexif'
make[1]: *** [Makefile:492: all-recursive] Error 1
make[1]: Leaving directory '/home/amit/fuzzing/examples/Fuzzing101/Exercise 2/fuzzing_libexif/libexif-libexif-0_6_14-release'
make: *** [Makefile:401: all] Error 2
Does anyone have a clue as to what I am missing here?
Thanks!
cccc@ubuntu:~/fuzzing_acro$ AFL_QEMU_PERSISTENT_ADDR=0x08a464c8 AFL_QEMU_PERSISTENT_GPR=1 ACRO_INSTALL_DIR=/opt/Adobe/Reader9/Reader ACRO_CONFIG=intellinux LD_LIBRARY_PATH=$LD_LIBRARY_PATH:'/opt/Adobe/Reader9/Reader/intellinux/lib' afl-fuzz -Q -i ./afl_in/ -o ./afl_out/ -t 2000 -- /opt/Adobe/Reader9/Reader/intellinux/bin/acroread -toPostScript @@
afl-fuzz++4.01a based on afl by Michal Zalewski and a large online community
[+] afl++ is maintained by Marc "van Hauser" Heuse, Heiko "hexcoder" Eißfeldt, Andrea Fioraldi and Dominik Maier
[+] afl++ is open source, get it at https://github.com/AFLplusplus/AFLplusplus
[+] NOTE: This is v3.x which changes defaults and behaviours - see README.md
[+] No -M/-S set, autoconfiguring for "-S default"
[*] Getting to work...
[+] Using exponential power schedule (FAST)
[+] Enabled testcache with 50 MB
[+] Generating fuzz data with a a length of min=1 max=1048576
[*] Checking core_pattern...
[!] WARNING: Could not check CPU scaling governor
[+] You have 2 CPU cores and 1 runnable tasks (utilization: 50%).
[+] Try parallel jobs - see /usr/local/share/doc/afl/parallel_fuzzing.md.
[*] Setting up output directories...
[+] Output directory exists but deemed OK to reuse.
[*] Deleting old session data...
[+] Output dir cleanup successful.
[*] Checking CPU core loadout...
[+] Found a free CPU core, try binding to #0.
[*] Scanning './afl_in/'...
[+] Loaded a total of 9 seeds.
[*] Creating hard links for all input files...
[*] Validating target binary...
[*] No auto-generated dictionary tokens to reuse.
[*] Attempting dry run with 'id:000000,time:0,execs:0,orig:test.pdf'...
[*] Spinning up the fork server...
[+] All right - fork server is up.
[*] Target map size: 65536
[-] Oops, the program crashed with one of the test cases provided. There are
several possible explanations:
- The test case causes known crashes under normal working conditions. If
so, please remove it. The fuzzer should be seeded with interesting
inputs - but not ones that cause an outright crash.
- In QEMU persistent mode the selected address(es) for the loop are not
properly cleaning up variables and memory. Try adding
AFL_QEMU_PERSISTENT_GPR=1 or select better addresses in the binary.
- Least likely, there is a horrible bug in the fuzzer. If other options
fail, poke <[email protected]> for troubleshooting tips.
[!] WARNING: Test case 'id:000000,time:0,execs:0,orig:test.pdf' results in a crash, skipping
[*] Attempting dry run with 'id:000001,time:0,execs:0,orig:LIBRE_OFFICE-98479-0.zip-2.fdf'...
[-] Oops, the program crashed with one of the test cases provided. There are
several possible explanations:
- The test case causes known crashes under normal working conditions. If
so, please remove it. The fuzzer should be seeded with interesting
inputs - but not ones that cause an outright crash.
- In QEMU persistent mode the selected address(es) for the loop are not
properly cleaning up variables and memory. Try adding
AFL_QEMU_PERSISTENT_GPR=1 or select better addresses in the binary.
- Least likely, there is a horrible bug in the fuzzer. If other options
fail, poke <[email protected]> for troubleshooting tips.
[!] WARNING: Test case 'id:000001,time:0,execs:0,orig:LIBRE_OFFICE-98479-0.zip-2.fdf' results in a crash, skipping
[*] Attempting dry run with 'id:000002,time:0,execs:0,orig:LIBRE_OFFICE-96902-1.pdf'...
[-] Oops, the program crashed with one of the test cases provided. There are
several possible explanations:
- The test case causes known crashes under normal working conditions. If
so, please remove it. The fuzzer should be seeded with interesting
inputs - but not ones that cause an outright crash.
- In QEMU persistent mode the selected address(es) for the loop are not
properly cleaning up variables and memory. Try adding
AFL_QEMU_PERSISTENT_GPR=1 or select better addresses in the binary.
- Least likely, there is a horrible bug in the fuzzer. If other options
fail, poke <[email protected]> for troubleshooting tips.
[!] WARNING: Test case 'id:000002,time:0,execs:0,orig:LIBRE_OFFICE-96902-1.pdf' results in a crash, skipping
[*] Attempting dry run with 'id:000003,time:0,execs:0,orig:LIBRE_OFFICE-92614-3.pdf'...
[-] Oops, the program crashed with one of the test cases provided. There are
several possible explanations:
- The test case causes known crashes under normal working conditions. If
so, please remove it. The fuzzer should be seeded with interesting
inputs - but not ones that cause an outright crash.
- In QEMU persistent mode the selected address(es) for the loop are not
properly cleaning up variables and memory. Try adding
AFL_QEMU_PERSISTENT_GPR=1 or select better addresses in the binary.
- Least likely, there is a horrible bug in the fuzzer. If other options
fail, poke <[email protected]> for troubleshooting tips.
[!] WARNING: Test case 'id:000003,time:0,execs:0,orig:LIBRE_OFFICE-92614-3.pdf' results in a crash, skipping
[*] Attempting dry run with 'id:000004,time:0,execs:0,orig:LIBRE_OFFICE-84690-0.pdf'...
[-] Oops, the program crashed with one of the test cases provided. There are
several possible explanations:
- The test case causes known crashes under normal working conditions. If
so, please remove it. The fuzzer should be seeded with interesting
inputs - but not ones that cause an outright crash.
- In QEMU persistent mode the selected address(es) for the loop are not
properly cleaning up variables and memory. Try adding
AFL_QEMU_PERSISTENT_GPR=1 or select better addresses in the binary.
- Least likely, there is a horrible bug in the fuzzer. If other options
fail, poke <[email protected]> for troubleshooting tips.
[!] WARNING: Test case 'id:000004,time:0,execs:0,orig:LIBRE_OFFICE-84690-0.pdf' results in a crash, skipping
[*] Attempting dry run with 'id:000005,time:0,execs:0,orig:LIBRE_OFFICE-129976-1.pdf'...
[-] Oops, the program crashed with one of the test cases provided. There are
several possible explanations:
- The test case causes known crashes under normal working conditions. If
so, please remove it. The fuzzer should be seeded with interesting
inputs - but not ones that cause an outright crash.
- In QEMU persistent mode the selected address(es) for the loop are not
properly cleaning up variables and memory. Try adding
AFL_QEMU_PERSISTENT_GPR=1 or select better addresses in the binary.
- Least likely, there is a horrible bug in the fuzzer. If other options
fail, poke <[email protected]> for troubleshooting tips.
[!] WARNING: Test case 'id:000005,time:0,execs:0,orig:LIBRE_OFFICE-129976-1.pdf' results in a crash, skipping
[*] Attempting dry run with 'id:000006,time:0,execs:0,orig:LIBRE_OFFICE-107149-0.pdf'...
[-] Oops, the program crashed with one of the test cases provided. There are
several possible explanations:
- The test case causes known crashes under normal working conditions. If
so, please remove it. The fuzzer should be seeded with interesting
inputs - but not ones that cause an outright crash.
- In QEMU persistent mode the selected address(es) for the loop are not
properly cleaning up variables and memory. Try adding
AFL_QEMU_PERSISTENT_GPR=1 or select better addresses in the binary.
- Least likely, there is a horrible bug in the fuzzer. If other options
fail, poke <[email protected]> for troubleshooting tips.
[!] WARNING: Test case 'id:000006,time:0,execs:0,orig:LIBRE_OFFICE-107149-0.pdf' results in a crash, skipping
[*] Attempting dry run with 'id:000007,time:0,execs:0,orig:LIBRE_OFFICE-106270-0.ps'...
[-] Oops, the program crashed with one of the test cases provided. There are
several possible explanations:
- The test case causes known crashes under normal working conditions. If
so, please remove it. The fuzzer should be seeded with interesting
inputs - but not ones that cause an outright crash.
- In QEMU persistent mode the selected address(es) for the loop are not
properly cleaning up variables and memory. Try adding
AFL_QEMU_PERSISTENT_GPR=1 or select better addresses in the binary.
- Least likely, there is a horrible bug in the fuzzer. If other options
fail, poke <[email protected]> for troubleshooting tips.
[!] WARNING: Test case 'id:000007,time:0,execs:0,orig:LIBRE_OFFICE-106270-0.ps' results in a crash, skipping
[*] Attempting dry run with 'id:000008,time:0,execs:0,orig:LIBRE_OFFICE-106270-0.pdf'...
[-] Oops, the program crashed with one of the test cases provided. There are
several possible explanations:
- The test case causes known crashes under normal working conditions. If
so, please remove it. The fuzzer should be seeded with interesting
inputs - but not ones that cause an outright crash.
- In QEMU persistent mode the selected address(es) for the loop are not
properly cleaning up variables and memory. Try adding
AFL_QEMU_PERSISTENT_GPR=1 or select better addresses in the binary.
- Least likely, there is a horrible bug in the fuzzer. If other options
fail, poke <[email protected]> for troubleshooting tips.
[!] WARNING: Test case 'id:000008,time:0,execs:0,orig:LIBRE_OFFICE-106270-0.pdf' results in a crash, skipping
[+] All test cases processed.
[-] PROGRAM ABORT : We need at least one valid input seed that does not crash!
Location : main(), src/afl-fuzz.c:2165
According to the error message, I put a normal test.pdf into afl_in. The error was still generated. I don't know how to solve it. Is it related to the afl++ version, or something else?
Thank you ~~
Hi All,
I am trying to run the first exercise and am stuck at the following error. Can anyone throw some light on what went wrong here?
$ AFL_DEBUG=1 afl-fuzz -i $HOME/fuzzing/fuzzing_xpdf/pdf_examples/ -o $HOME/fuzzing/fuzzing_xpdf/out/ -s 123 -- $HOME/fuzzing/fuzzing_xpdf/install/bin/pdftotext @@ $HOME/fuzzing/fuzzing_xpdf/output
[+] Enabled environment variable AFL_DEBUG with value 10
[+] Enabled environment variable AFL_DEBUG with value 10
afl-fuzz++4.08a based on afl by Michal Zalewski and a large online community
[+] AFL++ is maintained by Marc "van Hauser" Heuse, Dominik Maier, Andrea Fioraldi and Heiko "hexcoder" Eißfeldt
[+] AFL++ is open source, get it at https://github.com/AFLplusplus/AFLplusplus
[+] NOTE: AFL++ >= v3 has changed defaults and behaviours - see README.md
[+] Running with fixed seed: 123
[+] No -M/-S set, autoconfiguring for "-S default"
[*] Getting to work...
[+] Using exponential power schedule (FAST)
[+] Enabled testcache with 50 MB
[+] Generating fuzz data with a length of min=1 max=1048576
[*] Checking core_pattern...
[!] WARNING: Could not check CPU scaling governor
[+] You have 6 CPU cores and 2 runnable tasks (utilization: 33%).
[+] Try parallel jobs - see /usr/local/share/doc/afl/fuzzing_in_depth.md#c-using-multiple-cores
[*] Setting up output directories...
[+] Output directory exists but deemed OK to reuse.
[*] Deleting old session data...
[+] Output dir cleanup successful.
[*] Checking CPU core loadout...
[+] Found a free CPU core, try binding to #0.
[*] Scanning '/home/amit/fuzzing/fuzzing_xpdf/pdf_examples/'...
[+] Loaded a total of 3 seeds.
[*] Creating hard links for all input files...
[*] Validating target binary...
[*] Spinning up the fork server...
==116305==ERROR: UndefinedBehaviorSanitizer failed to allocate 0x0 (0) bytes of SetAlternateSignalStack (error code: 22)
==116305==Process memory map follows:
0x000000400000-0x000000407000 /home/amit/fuzzing/fuzzing_xpdf/install/bin/pdftotext
0x000000407000-0x000000504000 /home/amit/fuzzing/fuzzing_xpdf/install/bin/pdftotext
0x000000504000-0x000000542000 /home/amit/fuzzing/fuzzing_xpdf/install/bin/pdftotext
0x000000542000-0x00000054c000 /home/amit/fuzzing/fuzzing_xpdf/install/bin/pdftotext
0x00000054c000-0x000000589000 /home/amit/fuzzing/fuzzing_xpdf/install/bin/pdftotext
0x000000589000-0x00000109a000
0x00000269e000-0x0000026bf000 [heap]
0x7f6bb43a8000-0x7f6bb43ad000
0x7f6bb43ad000-0x7f6bb43d5000 /usr/lib/x86_64-linux-gnu/libc.so.6
0x7f6bb43d5000-0x7f6bb456a000 /usr/lib/x86_64-linux-gnu/libc.so.6
0x7f6bb456a000-0x7f6bb45c2000 /usr/lib/x86_64-linux-gnu/libc.so.6
0x7f6bb45c2000-0x7f6bb45c6000 /usr/lib/x86_64-linux-gnu/libc.so.6
0x7f6bb45c6000-0x7f6bb45c8000 /usr/lib/x86_64-linux-gnu/libc.so.6
0x7f6bb45c8000-0x7f6bb45d5000
0x7f6bb45d5000-0x7f6bb45d8000 /usr/lib/x86_64-linux-gnu/libgcc_s.so.1
0x7f6bb45d8000-0x7f6bb45ef000 /usr/lib/x86_64-linux-gnu/libgcc_s.so.1
0x7f6bb45ef000-0x7f6bb45f3000 /usr/lib/x86_64-linux-gnu/libgcc_s.so.1
0x7f6bb45f3000-0x7f6bb45f4000 /usr/lib/x86_64-linux-gnu/libgcc_s.so.1
0x7f6bb45f4000-0x7f6bb45f5000 /usr/lib/x86_64-linux-gnu/libgcc_s.so.1
0x7f6bb45f5000-0x7f6bb468f000 /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.30
0x7f6bb468f000-0x7f6bb479f000 /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.30
0x7f6bb479f000-0x7f6bb480e000 /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.30
0x7f6bb480e000-0x7f6bb4819000 /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.30
0x7f6bb4819000-0x7f6bb481c000 /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.30
0x7f6bb481c000-0x7f6bb481f000
0x7f6bb481f000-0x7f6bb482d000 /usr/lib/x86_64-linux-gnu/libm.so.6
0x7f6bb482d000-0x7f6bb48a9000 /usr/lib/x86_64-linux-gnu/libm.so.6
0x7f6bb48a9000-0x7f6bb4904000 /usr/lib/x86_64-linux-gnu/libm.so.6
0x7f6bb4904000-0x7f6bb4905000 /usr/lib/x86_64-linux-gnu/libm.so.6
0x7f6bb4905000-0x7f6bb4906000 /usr/lib/x86_64-linux-gnu/libm.so.6
0x7f6bb4906000-0x7f6bb4911000
0x7f6bb4911000-0x7f6bb4913000 /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
0x7f6bb4913000-0x7f6bb493d000 /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
0x7f6bb493d000-0x7f6bb4948000 /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
0x7f6bb4948000-0x7f6bb4949000
0x7f6bb4949000-0x7f6bb494b000 /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
0x7f6bb494b000-0x7f6bb494d000 /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
0x7ffcbae77000-0x7ffcbae98000 [stack]
0x7ffcbaee2000-0x7ffcbaee6000 [vvar]
0x7ffcbaee6000-0x7ffcbaee8000 [vdso]
0xffffffffff600000-0xffffffffff601000 [vsyscall]
==116305==End of process memory map.
==116305==Sanitizer CHECK failed: /build/llvm-toolchain-11-mnvtwk/llvm-toolchain-11-11.1.0/compiler-rt/lib/sanitizer_common/sanitizer_common.cpp:54 ((0 && "unable to mmap")) != (0) (0, 0)
[-] Whoops, the target binary crashed suddenly, before receiving any input
from the fuzzer! You can try the following:
- The target binary crashes because necessary runtime conditions it needs
are not met. Try to:
1. Run again with AFL_DEBUG=1 set and check the output of the target
binary for clues.
2. Run again with AFL_DEBUG=1 and 'ulimit -c unlimited' and analyze the
generated core dump.
- Possibly the target requires a huge coverage map and has CTORS.
Retry with setting AFL_MAP_SIZE=10000000.
- Less likely, there is a horrible bug in the fuzzer. If other options
fail, poke the Awesome Fuzzing Discord for troubleshooting tips.
[-] PROGRAM ABORT : Fork server crashed with signal 6
Location : afl_fsrv_start(), src/afl-forkserver.c:1281
Thanks.
When I try to run the fuzzer, I get one error for all exercises.
[-] Hmm, looks like the target binary terminated before we could complete a
handshake with the injected code. You can try the following:
- The target binary crashes because necessary runtime conditions it needs
are not met. Try to:
1. Run again with AFL_DEBUG=1 set and check the output of the target
binary for clues.
2. Run again with AFL_DEBUG=1 and 'ulimit -c unlimited' and analyze the
generated core dump.
- Possibly the target requires a huge coverage map and has CTORS.
Retry with setting AFL_MAP_SIZE=10000000.
Otherwise there is a horrible bug in the fuzzer.
Poke the Awesome Fuzzing Discord for troubleshooting tips.
[-] PROGRAM ABORT : Fork server handshake failed
Location : afl_fsrv_start(), src/afl-forkserver.c:1642
Can you help me?
Thanks
One of the goals of Exercise 2 is to find CVE-2009-3895.
However, the Solutions file provided is for CVE-2006-4168.
CVE-2006-4168 causes heap-based buffer overflow in exif_entry_fix by assigning the wrong size due to Integer overflow in exif_data_load_data_entry.
Also, CVE-2009-3895 was patched in version 0.6.19, so the provided crash file should crash in version 0.6.18. But it doesn't.
So the crash file provided is CVE-2006-4168.
Thank you very much for the tutorial, I learned a lot in it. I encountered some problems that confused me in the third exercise "TCPdump". I followed the prompts to enable AFL_USE_ASAN when building libpcap:
cd $HOME/fuzzing_tcpdump/libpcap-libpcap-1.8.1/
export LLVM_CONFIG="llvm-config-11"
CC=afl-clang-lto ./configure --enable-shared=no --prefix="$HOME/fuzzing_tcpdump/install/"
AFL_USE_ASAN=1 make
AFL_USE_ASAN=1 make install
Then build tcpdump:
cd $HOME/fuzzing_tcpdump/tcpdump-tcpdump-4.9.2/
CC=afl-clang-lto CPPFLAGS=-I$HOME/fuzzing_tcpdump/install/include/ LDFLAGS=-L$HOME/fuzzing_tcpdump/install/lib/ ./configure --prefix="$HOME/fuzzing_tcpdump/install/"
AFL_USE_ASAN=1 make
AFL_USE_ASAN=1 make install
An error will be returned when executing AFL_USE_ASAN=1 make:
configure: error: This is a bug, please follow the guidelines in CONTRIBUTING and include the
config.log file in your report. If you have downloaded libpcap from
tcpdump.org, and built it yourself, please also include the config.log
file from the libpcap source directory, the Makefile from the libpcap
source directory, and the output of the make process for libpcap, as
this could be a problem with the libpcap that was built, and we will
not be able to determine why this is happening, and thus will not be
able to fix it, without that information, as we have not been able to
reproduce this problem ourselves.
The following is the complete error:
checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
checking for gcc... afl-clang-lto
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether afl-clang-lto accepts -g... yes
checking for afl-clang-lto option to accept ISO C89... none needed
checking whether the compiler supports the -ffloat-store option... no
checking for inline... inline
checking for __attribute__... yes
checking whether __attribute__((unused)) can be used without warnings... yes
checking whether __attribute__((noreturn)) can be applied to function pointers without warnings... yes
checking whether __attribute__((format)) can be used without warnings... yes
checking whether __attribute__((format)) can be applied to function pointers... yes
checking how to run the C preprocessor... afl-clang-lto -E
checking for grep that handles long lines and -e... /usr/bin/grep
checking for egrep... /usr/bin/grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking fcntl.h usability... yes
checking fcntl.h presence... yes
checking for fcntl.h... yes
checking rpc/rpc.h usability... yes
checking rpc/rpc.h presence... yes
checking for rpc/rpc.h... yes
checking rpc/rpcent.h usability... no
checking rpc/rpcent.h presence... no
checking for rpc/rpcent.h... no
checking netdnet/dnetdb.h usability... no
checking netdnet/dnetdb.h presence... no
checking for netdnet/dnetdb.h... no
checking for net/pfvar.h... no
checking for netinet/if_ether.h... yes
checking whether time.h and sys/time.h may both be included... yes
checking smi.h usability... no
checking smi.h presence... no
checking for smi.h... no
checking whether to enable the possibly-buggy SMB printer... yes
configure: WARNING: The SMB printer may have exploitable buffer overflows!!!
checking whether to drop root privileges by default... no
checking whether to chroot... no
checking for cap_enter... no
checking for cap_rights_limit... no
checking for cap_ioctls_limit... no
checking for openat... yes
checking whether to sandbox using capsicum... no
checking for library containing gethostbyname... none required
checking for library containing socket... none required
checking for library containing putmsg... no
checking whether the operating system supports IPv6... yes
checking ipv6 stack type... linux-glibc
checking for dnet_htoa declaration in netdnet/dnetdb.h... no
checking for vfprintf... yes
checking for strlcat... no
checking for strlcpy... no
checking for strdup... yes
checking for strsep... yes
checking for getopt_long... yes
checking for fork... yes
checking for vfork... yes
checking for strftime... yes
checking for setlinebuf... yes
checking for alarm... yes
checking for vsnprintf... yes
checking for snprintf... yes
checking return type of signal handlers... void
checking for sigaction... yes
checking for library containing dnet_htoa... no
checking for main in -lrpc... no
checking for library containing getrpcbynumber... none required
checking for local pcap library... ../libpcap-1.8.1/libpcap.a
checking for pcap-config... ../libpcap-1.8.1/pcap-config
checking for pcap_loop... no
configure: error: This is a bug, please follow the guidelines in CONTRIBUTING and include the
config.log file in your report. If you have downloaded libpcap from
tcpdump.org, and built it yourself, please also include the config.log
file from the libpcap source directory, the Makefile from the libpcap
source directory, and the output of the make process for libpcap, as
this could be a problem with the libpcap that was built, and we will
not be able to determine why this is happening, and thus will not be
able to fix it, without that information, as we have not been able to
reproduce this problem ourselves.
But when I canceled AFL_USE_ASAN=1 when building libpcap and ran make directly, then built tcpdump again, no error occurred, and AFL++ can also run normally. I don't quite understand whether the result I get by canceling AFL_USE_ASAN=1 is the same as expected. Is the cause of the build failure that the linked library is damaged? Or is there something wrong with my operation during the build?
Fuzzing101/Exercise 6/persistent.patch
Lines 18 to 24 in 900814c
Why is exit(0) outside the if definition, which should affect the execution flow when it is not compiled by afl-cc? Should it look like this:
#ifdef __AFL_COMPILER
}
exit(0);
#endif
gimp_unset_busy (gimp);
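The issue above turns on where exit(0) sits relative to the #ifdef __AFL_COMPILER guard in a persistent-mode harness. As an added example that is not part of the original issue, the Fuzzing101 patch or GIMP, the following stand-alone harness shows the pattern the AFL++ persistent-mode README describes: the __AFL_* macros are supplied by afl-cc, and the #ifndef __AFL_FUZZ_TESTCASE_LEN fallback block makes the same file build with a plain compiler, where __AFL_LOOP degrades to a single read from stdin so the program still works outside the fuzzer. parse_record is a constructed stand-in for the target's parser (a "KEY:HEXVALUE" record), not any project's code; everything in it is an assumption made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Fallback definitions so the harness also builds and runs with a plain
 * gcc/clang. afl-cc defines the real __AFL_* macros itself; this block is
 * the pattern given in AFL++'s README.persistent_mode. In a plain build
 * __AFL_LOOP reads one test case from stdin and then returns 0. */
#ifndef __AFL_FUZZ_TESTCASE_LEN
static ssize_t fuzz_len;
static unsigned char fuzz_buf[1024 * 1024];
#define __AFL_FUZZ_TESTCASE_LEN fuzz_len
#define __AFL_FUZZ_TESTCASE_BUF fuzz_buf
#define __AFL_FUZZ_INIT() void sync(void)
#define __AFL_LOOP(x) ((fuzz_len = read(0, fuzz_buf, sizeof(fuzz_buf))) > 0 ? 1 : 0)
#define __AFL_INIT() sync()
#endif

__AFL_FUZZ_INIT();

/* Constructed stand-in for the code under test: parses "KEY:HEXVALUE" and
 * returns the decoded value, or -1 on any malformed input. A real harness
 * would call the target library's entry point here instead. */
long long parse_record(const unsigned char *buf, size_t len) {
    if (len == 0 || len > 64) return -1;
    const unsigned char *colon = memchr(buf, ':', len);
    if (colon == NULL || colon == buf) return -1;          /* missing or empty key */
    size_t hex_len = len - (size_t)(colon - buf) - 1;
    if (hex_len == 0 || hex_len > 8) return -1;            /* empty value or > 32 bits */
    long long value = 0;
    for (size_t i = 0; i < hex_len; i++) {
        unsigned char c = colon[1 + i];
        int d;
        if (c >= '0' && c <= '9')      d = c - '0';
        else if (c >= 'a' && c <= 'f') d = c - 'a' + 10;
        else if (c >= 'A' && c <= 'F') d = c - 'A' + 10;
        else return -1;                                    /* non-hex character */
        value = (value << 4) | d;
    }
    return value;
}

int main(void) {
    __AFL_INIT();                                  /* deferred fork server start (afl-cc) */
    unsigned char *buf = __AFL_FUZZ_TESTCASE_BUF;  /* shared-memory test case, or stdin fallback */

    /* Under afl-cc this iterates in-process up to 10000 times before the
     * child is restarted; in a plain build it runs exactly once. */
    while (__AFL_LOOP(10000)) {
        size_t len = (size_t)__AFL_FUZZ_TESTCASE_LEN;
        long long v = parse_record(buf, len);
        if (v >= 0) printf("%lld\n", v);
    }

    /* exit(0) after the loop is correct for both builds here: afl-cc ends the
     * persistent child once __AFL_LOOP returns 0, and the plain build ends its
     * single run. Guarding it with #ifdef __AFL_COMPILER only matters when the
     * non-AFL build must continue past this point, as a patched application would. */
    exit(0);
}
```

Build it once with afl-cc and once with plain clang: the afl-cc binary runs under afl-fuzz in persistent mode, while the plain binary reads a single record from stdin (echo 'key:ff' | ./harness), which is the property the #ifndef fallback exists to preserve.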
I believe
export $HOME="/home"
should be
export HOME="/home"