googleprojectzero / winafl

A fork of AFL for fuzzing Windows binaries
Apache License 2.0

problem about finding crashes #440

Closed AndyElGang closed 6 months ago

AndyElGang commented 6 months ago

Is it normal that in 1 hour with such a simple program like test_gdiplus.exe, which only has 13 KB of code, it hasn't even found a single crash?

command used:

```
afl-fuzz -i C:\Users\andye\Desktop\inputs -o out -D C:\Users\andye\Desktop\DynamoRIO\bin64 -t 20000 -- -coverage_module test_gdiplus.exe -coverage_module gdiplus.dll -coverage_module WindowsCodecs.dll -fuzz_iterations 5000 -target_module test_gdiplus.exe -target_offset 0x1270 -nargs 2 -- test_gdiplus.exe @@
```

WinAFL's RT output:

(screenshot of the WinAFL status screen, not reproduced)

ifratric commented 6 months ago

test_gdiplus.exe is a real-world target and it's not expected that a crash would be found so quickly. While the test_gdiplus.exe binary is small, it's actually intended to find bugs in gdiplus.dll and WindowsCodecs.dll which are Windows image parsing libraries. Any crash found by it could potentially be an actual vulnerability in Windows OS with security implications.

AndyElGang commented 6 months ago

> test_gdiplus.exe is a real-world target and it's not expected that a crash would be found so quickly. While the test_gdiplus.exe binary is small, it's actually intended to find bugs in gdiplus.dll and WindowsCodecs.dll which are Windows image parsing libraries. Any crash found by it could potentially be an actual vulnerability in Windows OS with security implications.

AndyElGang commented 6 months ago


Hold on, ifratric, could you give me your contact info? Because I could really use your help, and so that we don't take ages to respond. Totally up to you, though.

AndyElGang commented 6 months ago

And if you don't mind me asking, where does that offset even come from? I tried searching for 0x1270 all around in IDA and found nothing in test_gdiplus.exe.

ifratric commented 6 months ago

Target offset is the offset of the target function (in examples, usually main, test_target, fuzz or something similar) in memory, starting from the module header. Note that the offset can change every time the target program is recompiled; the exact values given in examples are not guaranteed to be correct.
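A worked illustration of what the answer above describes, added here as an example (it is not code from the winafl project or from anyone in this thread). WinAFL's `-target_offset` is the target function's relative virtual address: the address a disassembler shows for the function minus the module's ImageBase, so the same function sits at ImageBase + offset once the module is loaded, and a rebuild that moves the function changes the offset. The script parses the PE headers to read ImageBase and the section table, turns a function address into the offset, and checks that the offset lands in an executable section. The PE bytes are a constructed, minimal PE32+ header with a single `.text` section; the image base 0x140000000 and the function address 0x140001270 are sample values picked so that the resulting offset is the 0x1270 used in the thread's command line.

```python
# Added example, not winafl project code.  Computes and sanity-checks a
# WinAFL -target_offset from a PE file: offset = function VA - ImageBase.
# The PE image below is constructed for the demo (see build_sample_pe).
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000  # section Characteristics flag


def parse_pe(data: bytes):
    """Return (image_base, sections) from a PE file image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:      # PE32+: ImageBase is a u64 at optional-header offset 24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    elif magic == 0x10B:    # PE32: ImageBase is a u32 at optional-header offset 28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sections = []
    first = opt + opt_size  # section table follows the optional header
    for i in range(nsections):
        (name, vsize, va, rawsize, rawptr,
         _, _, _, _, chars) = struct.unpack_from("<8sIIIIIIHHI", data, first + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va,
                         "vsize": vsize, "rawptr": rawptr, "rawsize": rawsize,
                         "chars": chars})
    return image_base, sections


def compute_target_offset(function_va: int, image_base: int) -> int:
    """The -target_offset value for a function the disassembler shows at function_va."""
    if function_va < image_base:
        raise ValueError("function address is below the image base")
    return function_va - image_base


def find_section(sections, rva: int):
    """Section whose virtual range contains rva, or None."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s
    return None


def rva_to_file_offset(sections, rva: int) -> int:
    """Where the bytes at rva live in the file on disk."""
    s = find_section(sections, rva)
    if s is None:
        raise ValueError(f"RVA {rva:#x} is not inside any section")
    return s["rawptr"] + (rva - s["va"])


def describe_target(data: bytes, function_va: int) -> dict:
    """Sanity-check a candidate target_offset against the binary on disk."""
    image_base, sections = parse_pe(data)
    offset = compute_target_offset(function_va, image_base)
    s = find_section(sections, offset)
    if s is None:
        raise ValueError(f"offset {offset:#x} falls outside every section")
    return {"target_offset": offset, "section": s["name"],
            "file_offset": rva_to_file_offset(sections, offset),
            "executable": bool(s["chars"] & IMAGE_SCN_MEM_EXECUTE)}


def build_sample_pe():
    """Constructed minimal PE32+ image (headers plus one .text section)."""
    image_base = 0x140000000  # sample value, the usual x64 default
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)  # x64, one section
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                           # PE32+ magic
    struct.pack_into("<Q", opt, 24, image_base)
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                # section/file alignment
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, 0x200, 0x200,
                       0, 0, 0, 0, 0x60000020)                      # CODE|EXECUTE|READ
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text).ljust(0x200, b"\0")
    return headers + bytes(0x200), image_base


if __name__ == "__main__":
    data, _ = build_sample_pe()
    print(describe_target(data, 0x140001270))
```

On a real binary, read the file into `data` and pass the address the disassembler shows for the function; if the returned section is not executable, or the offset falls outside every section, the address was taken from a different build or a different module than the one named in `-target_module`.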

AndyElGang commented 6 months ago

> Target offset is the offset of the target function (in examples, usually main, test_target, fuzz or something similar) in memory, starting from the module header. Note that the offset can change every time the target program is recompiled, the exact values given in examples are not guaranteed to be correct.

But if I run the command with any other offset, I get an error. (Two screenshots attached, not reproduced.)