IntelLabs / kAFL

A fuzzer for full VM kernel/driver targets
https://intellabs.github.io/kAFL/
MIT License

how to use the payload #191

Open gjm-anban opened 1 year ago

gjm-anban commented 1 year ago

I fuzzed Linux following https://intellabs.github.io/kAFL/tutorials/fuzzing_linux_kernel.html. I found some payloads here [image]. Could anyone tell me how to use a payload to reproduce the crash? I didn't find a tutorial.

Wenzel commented 1 year ago

Hi @gjm-anban ,

You can have a look at the kafl debug subcommand to replay a single payload.

The command line is similar to kafl fuzz, except that it takes an input file parameter, which is the payload.

I agree that documentation is missing on how to proceed with a fuzzing campaign, i'll add a note to do it this month !

Thanks for the feedback !

gjm-anban commented 1 year ago

Thanks, I can run the payload now:

```
KAFL_CONFIG_FILE=./kafl_config.yaml kafl debug --kernel linux-guest/arch/x86/boot/bzImage -m 512 --input /dev/shm/kafl_root/corpus/crash/payload_00125 --action gdb --resume
```

liujf628995 commented 9 months ago

Hello @Wenzel. I tried using kafl debug to test a payload, but the program always stops waiting for the snapshot to start. I tried to copy the qemu command and execute it in bash; it also had no output. Here is the kafl debug log. I don't know how to run it correctly.

```
kafl debug --resume --kernel /home/liu/linux-guest/arch/x86/boot/bzImage --memory 2048 --input /dev/shm/kafl_root/corpus/kasan/payload_00001 --action gdb
```

```
No trace region configured! Intel PT disabled!
Starting Qemu + GDB with payload /dev/shm/kafl_root/corpus/kasan/payload_00001
Connect with gdb to release guest from reset (localhost:1234)
Worker-1337 Launching virtual machine...
/home/liu/kAFL/kafl/qemu/x86_64-softmmu/qemu-system-x86_64 -enable-kvm -machine kAFL64-v1 -cpu kAFL64-Hypervisor-v1,+vmx -no-reboot -net none -display none -chardev socket,server,id=nyx_socket,path=/dev/shm/kafl_root/interface_1337 -device nyx,chardev=nyx_socket,workdir=/dev/shm/kafl_root,worker_id=1337,bitmap_size=65536,input_buffer_size=131072 -device isa-serial,chardev=kafl_serial -chardev file,id=kafl_serial,mux=on,path=/dev/shm/kafl_root/serial_1337.log -m 2048 -s -S -kernel /home/liu/linux-guest/arch/x86/boot/bzImage -append root=/dev/vda1 rw hprintf=4 nokaslr oops=panic nopti mitigations=off -netdev user,id=mynet0 -device virtio-net,netdev=mynet0 -fast_vm_reload path=/dev/shm/kafl_root/snapshot/,load=on
[QEMU-NYX] Max Dirty Ring Size -> 1048576 (Entries: 65536)
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.07H:EBX.hle [bit 4]
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.07H:EBX.rtm [bit 11]
[QEMU-NYX] Dirty ring mmap region located at 0x7fbdedd9c000
[QEMU-NYX] Warning: Invalid sharedir...
[QEMU-NYX] Waiting for snapshot to start fuzzing...
```


Wenzel commented 9 months ago

Hi @liujf628995,

When using the GDB kafl debug action, QEMU starts with -S:

```
-S              freeze CPU at startup (use 'c' to start execution)
```

so you need to connect to the QEMU instance with gdb and release the execution:

```
gdb
(gdb) target remote :1234
(gdb) continue
```

liujf628995 commented 9 months ago


@Wenzel Thanks for your help!