Open Irene-ML opened 7 months ago
You can run run.sh after the testing; this automatically generates ASAN error logs. You need to check the logs (e.g., the crash locations) to find whether the target vulnerabilities are triggered.
I have copied select/fuzz/scripts/run.sh to libming-CVE-2016-9827/obj-aflgo and ran run.sh under the new location. I saw many prints of "Killed". Does this mean the target program was "killed"?
The folder ./asan contains many files, such as "1", "2", "17"... Taking file "17" as an example, it contains this:
id:000015,2816160,sig:11,src:000021+000301,op:splice,rep:128
How can I tell if this found a vulnerability and what this vulnerability is?
run.sh generates asan reports for each crash input.
We identify if we reproduce a target vulnerability based on its trace information. You can check the file id:000015,2816160,sig:11,src:000021+000301,op:splice,rep:128 to see the trace information.
Thanks a lot for the prompt response.
The problem is that it seems like the asan logs are not generated. The run script simply copies the file name under the crash folder into the asan folder, then runs the fuzzing target with the crash input, but I don't see how it can save the asan reports.
/selectfuzz/scripts/fuzz/libming-CVE-2016-9827/obj-aflgo# tree asan
asan
├── 1
├── 10
├── 11
├── 12
├── 13
├── 14
├── 15
├── 16
├── 17
├── 18
├── 19
├── 2
├── 20
├── 3
├── 4
├── 5
├── 6
├── 7
├── 8
└── 9
0 directories, 20 files
/selectfuzz/scripts/fuzz/libming-CVE-2016-9827/obj-aflgo# cat asan/10
id:000008,1963818,sig:11,src:000018+000142,op:splice,rep:16
This is the run.sh file, not sure if we are looking at the same one:
#! /bin/sh
# Collect one ASan record per crash input found by the fuzzer.
mkdir asan
# Rebuild the target with AddressSanitizer enabled; with log_path set,
# ASan writes its reports to asan/asan.log.<pid> instead of stderr.
export AFL_USE_ASAN=1
export ASAN_OPTIONS="log_path=asan/asan.log"
make clean all
# Record each crash input's file name in asan/<i>, then replay the input.
i=1
for file in ./out/crashes/*
do
    basename "$file" > ./asan/$i
    i=$(($i+1))
    ./util/swftophp "$file"
done
Typically the asan log should be generated from the stderr of ./util/swftophp ./out/crashes/$file, but even when I tried this command manually it didn't produce the stack trace. And this line doesn't seem to save the output.
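The two points raised in this thread, keeping one ASan report per crash input and then deciding from the stack trace whether the crash is the target CVE, can be done with a small replay script. The following is an added example written for this issue; it is not the SelectFuzz project's run.sh. It assumes the ASan-instrumented binary, the crashes directory and the output directory are passed as arguments, captures each replay's stderr (where ASan prints its report) into its own file, and takes the source location to look for as a caller-supplied "file.c:line" string; TARGET_FILE.c:LINE in the usage comment is a placeholder, not a location from the thread.

```shell
#!/bin/sh
# Added example for triaging AFL crash inputs with ASan; this is not the
# SelectFuzz project's run.sh. Assumptions (not from the thread): the
# ASan-instrumented target binary, the crashes directory and the output
# directory are passed in, and the target source location to look for is
# a caller-supplied "file.c:line" string (TARGET_FILE.c:LINE is a placeholder).

# Replay every crash input through the target. ASan prints its report on
# stderr, so stderr is redirected to <outdir>/<n>.asan; the input's file name
# goes to <outdir>/<n>.input. Prints the number of inputs processed.
triage_crashes() {
    target=$1; crashes=$2; outdir=$3
    mkdir -p "$outdir"
    i=1
    for f in "$crashes"/*; do
        [ -f "$f" ] || continue
        basename "$f" > "$outdir/$i.input"
        # A crashing replay exits non-zero; that must not abort the loop.
        ASAN_OPTIONS="abort_on_error=0:symbolize=1" \
            "$target" "$f" > /dev/null 2> "$outdir/$i.asan" || true
        i=$((i + 1))
    done
    echo $((i - 1))
}

# Extract the ASan error class (heap-buffer-overflow, SEGV, ...) from one
# report; prints "no-asan-report" when the run died without an ASan report.
asan_error_class() {
    sed -n 's/.*ERROR: AddressSanitizer: \([A-Za-z0-9_-]*\).*/\1/p' "$1" \
        | head -n 1 | grep . || echo no-asan-report
}

# Succeed when the report's stack trace contains the target source location
# (fixed-string match, so "parser.c:123" is not treated as a regex).
hits_target() {
    grep -qF -- "$2" "$1"
}

# One line per report: "<n> <input file name> <error class> <hit|miss>".
summarize() {
    outdir=$1; loc=$2
    for rep in "$outdir"/*.asan; do
        n=$(basename "$rep" .asan)
        if hits_target "$rep" "$loc"; then verdict=hit; else verdict=miss; fi
        printf '%s %s %s %s\n' "$n" "$(cat "$outdir/$n.input")" \
            "$(asan_error_class "$rep")" "$verdict"
    done
}

# Stand-alone use, with the paths from the thread and a placeholder location:
#   sh triage.sh ./util/swftophp ./out/crashes ./asan TARGET_FILE.c:LINE
if [ "$#" -eq 4 ]; then
    triage_crashes "$1" "$2" "$3" > /dev/null
    summarize "$3" "$4"
fi
```

A report whose class is "no-asan-report" but whose input still came from the crashes directory usually means the binary replayed was not the ASan build, which is the situation described in this thread: check that the replayed binary is the one produced after AFL_USE_ASAN=1 was exported. Redirecting stderr rather than relying on log_path makes the capture independent of how ASan was configured at build time, and the summary line is what to compare against the target's expected crash location.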
Hi,
I have a question about how to validate the found crashes/vulnerabilities in selectFuzz. Does the repo validate the vulnerabilities automatically (having scripts or code) or manually?