antonio-morales / fuzzing101 Goto Github PK

View Code? Open in Web Editor NEW

2.3K 55.0 310.0 8.18 MB

An step by step fuzzing tutorial. A GitHub Security Lab initiative

Home Page: https://securitylab.github.com/

License: Apache License 2.0

fuzzing security bug-hunting afl fuzzilli fuzzer afl-fuzz bugbounty fuzz-testing hacking

fuzzing101's Introduction

Fuzzing-101

Do you want to learn how to fuzz like a real expert, but don't know how to start?

If so, this is the course for you!

10 real targets, 10 exercises. Are you able to solve all 10?

Structure

Exercise No.	Target	CVEs to find	Time estimated	Main topics
Exercise 1	Xpdf	CVE-2019-13288	120 mins	Afl-clang-fast, Afl-fuzz, GDB
Exercise 2	libexif	CVE-2009-3895, CVE-2012-2836	6 hours	Afl-clang-lto, Fuzz libraries, Eclipse IDE
Exercise 3	TCPdump	CVE-2017-13028	4 hours	ASan, Sanitizers
Exercise 4	LibTIFF	CVE-2016-9297	3 hours	Code coverage, LCOV
Exercise 5	Libxml2	CVE-2017-9048	3 hours	Dictionaries, Basic parallelization, Fuzzing command-line arguments
Exercise 6	GIMP	CVE-2016-4994, Bonus bugs	7 hours	Persistent fuzzing, Fuzzing interactive applications
Exercise 7	VLC media player	CVE-2019-14776	6 hours	Partial instrumentation, Fuzzing harness
Exercise 8	Adobe Reader		8 hours	Fuzzing closed-source applications, QEMU instrumentation
Exercise 9	7-Zip	CVE-2016-2334	8 hours	WinAFL, Fuzzing Windows Applications
Exercise 10 (Final Challenge)	Google Chrome / V8	CVE-2019-5847	8 hours	Fuzzilli, Fuzzing Javascript engines

Changelog

02/14/2022: Fixed some 'wget' typos in Exercise 5
11/25/2021: Exercise 3 updated with some fixes.

Who is the course intended for?

Anyone wishing to learn fuzzing basics
Anyone who wants to learn how to find vulnerabilities in real software projects.

Requirements

All you need for this course is a running Linux system with an internet connection. You will find a suitable VMware image in the exercises.
At least basic Linux skills are highly recommended.
All the exercises have been tested on Ubuntu 20.04.2 LTS. You can download it from here
In this course we're going to use AFL++, a newer and superior fork of Michał "lcamtuf" Zalewski's AFL, for solving the fuzzing exercises.

What is fuzzing?

Fuzz testing (or fuzzing) is an automated software testing technique that is based on feeding the program with random/mutated input values and monitoring it for exceptions/crashes.

AFL, libFuzzer and HonggFuzz are three of the most successful fuzzers when it comes to real world applications. All three are examples of Coverage-guided evolutionary fuzzers.

Coverage-guided evolutionary fuzzer

Evolutionary: is a metaheuristic approach inspired by evolutionary algorithms, which basically consists in the evolution and mutation of the initial subset (seeds) over time, by using a selection criteria (ex. coverage).
Coverage-guided: To increase the chance of finding new crashes, coverage-guided fuzzers gather and compare code coverage data between different inputs (usually through instrumentation) and pick those inputs which lead to new execution paths.

Simplification of the coverage gathering process of a coverage-guided evolutionary fuzzer

Thanks

Thanks for their help:

Contact

Are you stuck and looking for help? Do you have suggestions for making this course better or just positive feedback so that we can create more fuzzing content? Do you want to share your fuzzing experience with the community? Join the GitHub Security Lab Slack and head to the #fuzzing channel. Request an invite to the GitHub Security Lab Slack

fuzzing101's People

Contributors

Stargazers

Watchers

Forkers

asdyxcyxc microsvuln infernalheaven ckexploits attacker-codeninja affilares titounkle chanpu9 ogianatiempo sheisback randlily n1c3gu7 pxiaoer deeby 3xg71aafpv4w n0thing2speak 020monkey zytmatrix winterze fly8wo moryyi ridedi huanglei3 hartescout research-zoo burnsix passkwall adobe2016 fengjixuchui dhvssigrun gavz inarcissuss yeshuibo unleashedmen kact929 koeningyou jonlh22 jack51706 superuser5 horki mytfx newuser54 minkione hirajanwin nani1337 duongkai madusec epi052 acoderly omgfox blu3sh0rk thelumberjhack crackercat n0-traces noblevk21 materaj2 labba sbim shoeper bukeyong whitepoet mundi-xu yanshu911 unshorn paklovpavel ha1vk darn0 419066074 sulaimanzai vish-hal rtcms highonweb brenu rrrrrrri bgrstar lqingyu yessson fractal-86 witchfindertr medusa-group shyam0904a nathanawmk tai-rex 0roman smllxzbz eebob ceris3s a1phaboy y1seco anshumansrivastavagit justinforbes adidaz590 istais codesacka dumprop clem9669 hbxc0re bountyx1 storenth ph4n70mx864

fuzzing101's Issues

v8 version 7.5

After fetch v8, my v8 version 9.9, can i do this test?

What is CPU requirements

#I need to know CPU requirements to find your bugs very quickly.

I have finish exercise 1 after 14 hours of fuzzing

One problem for all exercises

When I try to run fazzer I have one error for all exercises.

[-] Hmm, looks like the target binary terminated before we could complete a
handshake with the injected code. You can try the following:

- The target binary crashes because necessary runtime conditions it needs
  are not met. Try to:
  1. Run again with AFL_DEBUG=1 set and check the output of the target
     binary for clues.
  2. Run again with AFL_DEBUG=1 and 'ulimit -c unlimited' and analyze the
     generated core dump.

- Possibly the target requires a huge coverage map and has CTORS.
  Retry with setting AFL_MAP_SIZE=10000000.

Otherwise there is a horrible bug in the fuzzer.
Poke the Awesome Fuzzing Discord for troubleshooting tips.

[-] PROGRAM ABORT : Fork server handshake failed
Location : afl_fsrv_start(), src/afl-forkserver.c:1642

Can you help me?
Thanks

Exercice-7 building VLC using afl-clang-fast as the compiler and with ASAN Error

hi,i'm building VLC using afl-clang-fast as the compiler and with ASAN and FATAL Error:

CC="afl-clang-fast" CXX="afl-clang-fast++" ./configure --prefix="$HOME/fuzzing_vlc/vlc-3.0.7.1/install" --disable-a52 --disable-lua --disable-qt --with-sanitizer=address
AFL_LLVM_ALLOWLIST=$HOME/fuzzing_vlc/vlc-3.0.7.1/Partial_instrumentation make -j$(nproc) LDFLAGS="-fsanitize=address"

afl-cc++4.01a by Michal Zalewski, Laszlo Szekeres, Marc Heuse - mode: LLVM-PCGUARD
afl-cc++4.01a by Michal Zalewski, Laszlo Szekeres, Marc Heuse - mode: LLVM-PCGUARD
afl-cc++4.01a by Michal Zalewski, Laszlo Szekeres, Marc Heuse - mode: LLVM-PCGUARD
afl-cc++4.01a by Michal Zalewski, Laszlo Szekeres, Marc Heuse - mode: LLVM-PCGUARD
  GEN      ../modules/plugins.dat
[-] FATAL: forkserver is already up, but an instrumented dlopen() library loaded afterwards. You must AFL_PRELOAD such libraries to be able to fuzz them or LD_PRELOAD to run outside of afl-fuzz.
To ignore this set AFL_IGNORE_PROBLEMS=1.
/bin/bash: line 4: 451562 Aborted                 (core dumped) ./vlc-cache-gen `realpath ../modules`
make[2]: *** [Makefile:1831: ../modules/plugins.dat] Error 134
make[2]: Leaving directory '/home/test/Fuzz/fuzzing-101-solutions/exercise-7/fuzzing_vlc/vlc-3.0.7.1/bin'
make[1]: *** [Makefile:1553: all-recursive] Error 1
make[1]: Leaving directory '/home/test/Fuzz/fuzzing-101-solutions/exercise-7/fuzzing_vlc/vlc-3.0.7.1'
make: *** [Makefile:1438: all] Error 2

Exercise 2: Error while Fuzzy test

When I finish executing the following command
CC=afl-clang ./configure --enable-shared=no --prefix="$HOME/fuzzing_libexif/install/"
make
make install
The following error occurred

I don't know how to solve it, if you can give me some advice, I would be grateful.

Exercise 1 - xpdf

Why does feeding the one of the specially crafted PDFs to texttopdf show that it crashes xpdf? Wouldn't this instead show that it crashes texttopdf? I'm confused.

Exercise7 - crash when running vlc-demux-run

Hi, I met a crash that occurred while fuzzing vlc. Build process is same as exercise7, and used input file was also provided in exercise7. The same problem occurred even when fuzzing harness was not applied.

╭─   ~/fuzzing_vlc/vlc-3.0.7.1/test
╰─❯ ./vlc-demux-run ../afl_in/short2.wmv
[-] FATAL: forkserver is already up, but an instrumented dlopen() library loaded afterwards. You must AFL_PRELOAD such libraries to be able to fuzz them or LD_PRELOAD to run outside of afl-fuzz.
To ignore this set AFL_IGNORE_PROBLEMS=1.
[1]    1353391 abort      ./vlc-demux-run ../afl_in/short2.wmv

exercise 8 [-] PROGRAM ABORT : We need at least one valid input seed that does not crash!

cccc@ubuntu:~/fuzzing_acro$ AFL_QEMU_PERSISTENT_ADDR=0x08a464c8 AFL_QEMU_PERSISTENT_GPR=1 ACRO_INSTALL_DIR=/opt/Adobe/Reader9/Reader ACRO_CONFIG=intellinux LD_LIBRARY_PATH=$LD_LIBRARY_PATH:'/opt/Adobe/Reader9/Reader/intellinux/lib' afl-fuzz -Q -i ./afl_in/ -o ./afl_out/ -t 2000 -- /opt/Adobe/Reader9/Reader/intellinux/bin/acroread -toPostScript @@
afl-fuzz++4.01a based on afl by Michal Zalewski and a large online community
[+] afl++ is maintained by Marc "van Hauser" Heuse, Heiko "hexcoder" Eißfeldt, Andrea Fioraldi and Dominik Maier
[+] afl++ is open source, get it at https://github.com/AFLplusplus/AFLplusplus
[+] NOTE: This is v3.x which changes defaults and behaviours - see README.md
[+] No -M/-S set, autoconfiguring for "-S default"
[] Getting to work...
[+] Using exponential power schedule (FAST)
[+] Enabled testcache with 50 MB
[+] Generating fuzz data with a a length of min=1 max=1048576
[] Checking core_pattern...
[!] WARNING: Could not check CPU scaling governor
[+] You have 2 CPU cores and 1 runnable tasks (utilization: 50%).
[+] Try parallel jobs - see /usr/local/share/doc/afl/parallel_fuzzing.md.
[] Setting up output directories...
[+] Output directory exists but deemed OK to reuse.
[] Deleting old session data...
[+] Output dir cleanup successful.
[] Checking CPU core loadout...
[+] Found a free CPU core, try binding to #0.
[] Scanning './afl_in/'...
[+] Loaded a total of 9 seeds.
[] Creating hard links for all input files...
[] Validating target binary...
[] No auto-generated dictionary tokens to reuse.
[] Attempting dry run with 'id:000000,time:0,execs:0,orig:test.pdf'...
[] Spinning up the fork server...
[+] All right - fork server is up.
[] Target map size: 65536