googleprojectzero / winafl

A fork of AFL for fuzzing Windows binaries
Apache License 2.0

WinAFL Crashes with testing code #62

Open shba24 opened 7 years ago

shba24 commented 7 years ago

I am getting the following crash when running WinAFL.

<Application C:\Users\in3o\Documents\FuzzSample\Release\FuzzSample.exe (15208). WinAFL internal crash at PC 0x70f5cffb. Please report this at . Program aborted. 0xc0000005 0x00000000 0x70f5cffb 0x70f5cffb 0x00000003 0x00000000 Base: 0x70e90000 Registers: eax=0x00000000 ebx=0x012ff288 ecx=0xd27a70b4 edx=0x00000000 esi=0x2222e330 edi=0x2222e324 esp=0x012ff2a8 ebp=0x012ff358 eflags=0x0001020 version 6.2.17367, custom build -no_dynamic_options -client_lib 'C:\Users\in3o\Desktop\acrobat\winafl\bin32\winafl.dll;0;"-debug" "-target_module" "C:\Users\in3o\Documents\FuzzSample\Release\FuzzSample.exe" "-target_method" "Fuzz" "-coverage_module" "vulnerable.dll" "-fuzz_iterations" "10000"' -code_api -probe_api -stack_size 56K -max_elide_jmp 0 -max_ 0x012ff358 0x70f376f4 0x012ff384 0x70f37591 0x012ff890 0x70f372db 0x012ff8d0 0x70ec095d 0x012ff8f8 0x70f30f2c 0x012ff918 0x70f5c8c8>

I am running the fuzzer with following command line.

C:\Users\in3o\Desktop\acrobat\dynamorio\build\bin32\drrun.exe -c winafl.dll -debug -target_module C:\Users\in3o\Documents\FuzzSample\Release\FuzzSample.exe -target_method Fuzz -coverage_module vulnerable.dll -fuzz_iterations 10000 -- "C:\Users\in3o\Documents\FuzzSample\Release\FuzzSample.exe" in\sample.txt

ivanfratric commented 7 years ago

Which WinAFL version are you using?

I'm not sure this is the cause of your crash, but -target_module should take just the name, not a path, so -target_module FuzzSample.exe. -nargs is missing (unless it's intended to be 0).

Does the debug log get created at all? Can you run your target under DynamoRIO but without WinAFL like this:

C:\Users\in3o\Desktop\acrobat\dynamorio\build\bin32\drrun.exe -- "C:\Users\in3o\Documents\FuzzSample\Release\FuzzSample.exe" in\sample.txt

shba24 commented 7 years ago

I got the latest WinAFL from GitHub. Compiled with the latest DynamoRIO.

When I tried to run C:\Users\in3o\Desktop\acrobat\dynamorio\build\bin32\drrun.exe -c winafl.dll -debug -target_module FuzzSample.exe -target_method Fuzz -coverage_module vulnerable.dll -fuzz_iterations 10000 -nargs 0 -- "C:\Users\in3o\Documents\FuzzSample\Release\FuzzSample.exe" in\sample.txt

I got the following log:

Module loaded, MFC140ENU.DLL
Module loaded, drreg.dll
Module loaded, FuzzSample.exe
Exception caught: c0000005
crashed
WARNING: Target function was never called. Incorrect target_offset?
Coverage map follows:

If you need the sample Fuzz Code which I am fuzzing, I can provide you that too.

I tried C:\Users\in3o\Desktop\acrobat\dynamorio\build\bin32\drrun.exe -- "C:\Users\in3o\Documents\FuzzSample\Release\FuzzSample.exe" in\sample.txt. It's giving me the same error.

<Application C:\Users\in3o\Desktop\acrobat\winafl\bin32\test_gdiplus.exe (8616). WinAFL internal crash at PC 0x702bcffb. Please report this at . Program aborted. 0xc0000005 0x00000000 0x702bcffb 0x702bcffb 0x00000003 0x00000000 Base: 0x701f0000 Registers: eax=0x00000000 ebx=0x009af118 ecx=0xd27a70b4 edx=0x00000000 esi=0x1a65db10 edi=0x1a65db04 esp=0x009af138 ebp=0x009af1e8 eflags=0x0001020 version 6.2.17367, custom build -no_dynamic_options -client_lib 'C:\Users\in3o\Desktop\acrobat\winafl\bin32\winafl.dll;0;"-debug" "-target_module" "FuzzSample.exe" "-target_method" "Fuzz" "-coverage_module" "vulnerable.dll" "-fuzz_iterations" "10000" "-nargs" "0"' -code_api -probe_api -stack_size 56K -max_elide_jmp 0 -max_elide_call 0 -no_inline_ignore 0x009af1e8 0x702976f4 0x009af214 0x70297591 0x009af720 0x702972db 0x009af760 0x7022095d 0x009af788 0x70290f2c 0x009af7a8 0x702bc8c8>

ivanfratric commented 7 years ago

Wait, how can you get the same error when the command line doesn't include WinAFL at all and the error log references winafl.dll (that shouldn't even exist in the same address space)? Can you double-check and try again? Your error log also references test_gdiplus.exe, which isn't present anywhere in the command line.

shba24 commented 7 years ago

Sorry, I added the wrong log. Here is the correct log.

<Application C:\Users\in3o\Documents\FuzzSample\Release\FuzzSample.exe (3804). DynamoRIO internal crash at PC 0x7063cffb. Please report this at http://dynamorio.org/issues/. Program aborted. 0xc0000005 0x00000000 0x7063cffb 0x7063cffb 0x00000003 0x00000000 Base: 0x70570000 Registers: eax=0x00000000 ebx=0x00aff6c8 ecx=0xd27a70b4 edx=0x00000000 esi=0x24ee2080 edi=0x24ee207c esp=0x00aff6e8 ebp=0x00aff798 eflags=0x0001 version 6.2.17367, custom build -no_dynamic_options -code_api -probe_api -stack_size 56K -max_elide_jmp 0 -max_elide_call 0 -no_inline_ignored_syscalls -native_exec_default_list '' -no_native_exec_managed_code -no_indcall2direct -no_aslr_dr -pad_jmps_mark_no_trace 0x00aff798 0x706176f4 0x00aff7c4 0x70617591 0x00affcd0 0x706172db 0x00affd10 0x705a095d 0x00affd38 0x70610f2c 0x00affd58 0x7063c8c8>

Apologies.

ivanfratric commented 7 years ago

Hmm in that case the issue seems to be with how DR interacts with your target and not in WinAFL. Can you try disabling your antivirus? Antivirus software caused similar issues in the past.

shba24 commented 7 years ago

Seems like it. Can you confirm which version of DR would work perfectly with winafl?

I don't have any antivirus, just windows defender but I don't think that's interfering here.

ivanfratric commented 7 years ago

I'm using 6.2.0-2 from https://github.com/DynamoRIO/dynamorio/wiki/Downloads

shba24 commented 7 years ago

I tried it with version 6.2.0-2; it's working there. I don't know what bug DynamoRIO introduced. Anyway, I am running WinAFL on linked code.

I am getting following statistics.

           WinAFL 1.09 based on AFL 2.43b (FuzzSample.exe)

+- process timing -------------------------------------+- overall results ----+
|        run time : 0 days, 0 hrs, 10 min, 35 sec      |  cycles done : 1     |
|   last new path : none seen yet                      |  total paths : 2     |
| last uniq crash : none seen yet                      | uniq crashes : 0     |
|  last uniq hang : none seen yet                      |   uniq hangs : 0     |
+- cycle progress --------------------+- map coverage -+----------------------+
|  now processing : 0 (0.00%)         |    map density : 0.00% / 0.01%        |
| paths timed out : 0 (0.00%)         | count coverage : 1.00 bits/tuple      |
+- stage progress --------------------+ findings in depth --------------------+
|      now trying : splice 7          | favored paths : 2 (100.00%)           |
|     stage execs : 1/16 (6.25%)      |  new edges on : 2 (100.00%)           |
|     total execs : 420               | total crashes : 0 (0 unique)          |
|      exec speed : 0.69/sec (zzzz...)|  total tmouts : 0 (0 unique)          |
+- fuzzing strategy yields -----------+---------------+- path geometry -------+
|   bit flips : 0/0, 0/0, 0/0                         |    levels : 1         |
|  byte flips : 0/0, 0/0, 0/0                         |   pending : 0         |
| arithmetics : 0/0, 0/0, 0/0                         |  pend fav : 0         |
|  known ints : 0/0, 0/0, 0/0                         | own finds : 0         |
|  dictionary : 0/0, 0/0, 0/0                         |  imported : n/a       |
|       havoc : 0/306, 0/96                           | stability : 100.00%   |
|        trim : n/a, n/a                              +-----------------------+
^C----------------------------------------------------+

exec speed : 0.69/sec (zzzz...) is way too slow. What do you think is the problem?

Here is the command line I am using ->

afl-fuzz.exe -i - -o out -D C:\Users\in3o\dynamorio-6.2.0-2\bin32 -t 20000+ -- -fuzz_iterations 50000 -covtype edge -target_module FuzzSample.exe -target_method Fuzz -nargs 0 -coverage_module vulnerable.dll -- "C:\Users\in3o\FuzzSample.exe" @@

Here is the log during my test run. I don't see any issue here, but still: afl.FuzzSample.exe.27696.0000.proc.txt

ivanfratric commented 7 years ago

Please see "WinAFL runs slower than expected" in the FAQ section of the readme. I'd say that "return;" without first closing the file is the problem.
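
The diagnosis above (a target function that returns early without closing its input file) is easy to reproduce outside WinAFL. The following C program is an added example, not WinAFL's code and not the reporter's harness: it wraps fopen/fclose in counters (this example's own instrumentation; WinAFL provides nothing of the sort), runs a leaky and a fixed version of a hypothetical Fuzz-style target function for several iterations on a constructed input, and reports how many handles each leaves open. The parser, file names and function names are all assumptions made for the demonstration.

```c
/* Added example (not part of WinAFL): why an early "return;" that skips fclose()
 * stalls an in-process WinAFL run. WinAFL calls the target function repeatedly
 * (-fuzz_iterations) and rewrites the input file between calls; a FILE* still
 * open from the previous iteration keeps the fuzzer from replacing the file, so
 * the iteration waits until the timeout. Every name below is hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static int g_open_files = 0;   /* handles currently open via tracked_fopen */

static FILE *tracked_fopen(const char *path, const char *mode) {
    FILE *f = fopen(path, mode);
    if (f) g_open_files++;
    return f;
}

static int tracked_fclose(FILE *f) {
    g_open_files--;
    return fclose(f);
}

int open_file_count(void) { return g_open_files; }

/* Hypothetical format: first byte is a payload length, rest is payload.
 * Returns the length, or -1 when the header is inconsistent with the size. */
static int parse(const unsigned char *buf, size_t n) {
    if (n < 1) return -1;
    size_t len = buf[0];
    if (len > n - 1) return -1;
    return (int)len;
}

/* Leaky harness, shaped like the one diagnosed in the thread: bails out on a
 * bad header without closing the file. */
int fuzz_leaky(const char *path) {
    unsigned char buf[256];
    FILE *f = tracked_fopen(path, "rb");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf, f);
    int len = parse(buf, n);
    if (len < 0) return -1;              /* BUG: f is still open here */
    tracked_fclose(f);
    return len;
}

/* Fixed harness: one exit path, the file is always closed before returning. */
int fuzz_fixed(const char *path) {
    unsigned char buf[256];
    FILE *f = tracked_fopen(path, "rb");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf, f);
    int rc = parse(buf, n);
    tracked_fclose(f);                   /* runs on the error path too */
    return rc;
}

/* Writes a test case to path; returns 0 on success. */
int write_case(const char *path, const unsigned char *data, size_t n) {
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    size_t w = fwrite(data, 1, n, f);
    fclose(f);
    return w == n ? 0 : -1;
}

/* Constructed inputs: a malformed case (length 255, only 2 payload bytes)
 * and a well-formed case (length 2, 2 payload bytes). */
int write_bad_case(const char *path) {
    const unsigned char bad[] = { 0xFF, 'a', 'b' };
    return write_case(path, bad, sizeof bad);
}
int write_good_case(const char *path) {
    const unsigned char good[] = { 0x02, 'a', 'b' };
    return write_case(path, good, sizeof good);
}

/* Calls target `iters` times, as -fuzz_iterations would, and returns how many
 * handles are still open afterwards (0 is what a usable harness must give). */
int run_iterations(int (*target)(const char *), const char *path, int iters) {
    g_open_files = 0;
    for (int i = 0; i < iters; i++) target(path);
    return g_open_files;
}

int main(void) {
    const char *path = "winafl_example_case.bin";
    if (write_bad_case(path) != 0) return 1;
    printf("leaky harness: %d handles open after 10 iterations\n",
           run_iterations(fuzz_leaky, path, 10));
    printf("fixed harness: %d handles open after 10 iterations\n",
           run_iterations(fuzz_fixed, path, 10));
    remove(path);
    return 0;
}
```

On any platform the leaky version accumulates one open handle per malformed iteration; on Windows that open handle is what keeps afl-fuzz from rewriting the test case, which shows up exactly as the sub-1 exec/sec rate in the status screen above. The general rule for an in-process target function is that every resource it acquires (file handles, memory, global state) is released on every return path, because the function will be called tens of thousands of times in one process.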

shba24 commented 7 years ago

Yes. That was the problem. Thanks ivanfratric.

shba24 commented 7 years ago

@ivanfratric Is there any tool or feature for visualization of code coverage?

I can't see if my code is reaching certain function or not.

0vercl0k commented 7 years ago

I'd suggest you give a shot to Lighthouse: https://github.com/gaasedelen/lighthouse :).

Cheers

shba24 commented 7 years ago

@0vercl0k I have to do it automatically, and also can't afford IDA Pro as of now. Nice tool btw, useful during CTFs for sure.

Looking for something like https://github.com/mrash/afl-cov if there is, otherwise I will have to write it myself.

ivanfratric commented 7 years ago

@iN3O I'd also suggest filing a bug with DynamoRIO and mentioning you have an app that works fine on DR 6 but crashes on DR 7; perhaps the DR devs will be interested in this.

ksloven commented 6 years ago

Hi, I have the same issue with both WinAFL and DynamoRIO crashing with "internal crash; program aborted" as reported above. Following the thread, I thought it was because I used DynamoRIO 7, but I downloaded and used DynamoRIO 6 and still get the same error.

Anti-virus (Defender) disabled from real-time scanning. Even running it directly with drrun, I still get the same error (and it's not just Adobe, almost any binary I have run thus far).

C:\DynamoRIO\bin32>drrun.exe -- "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" C:\winafl\testcases\others\pdf\small.pdf

Any pointers?

Thanks