mxmssh / manul

Manul is a coverage-guided parallel fuzzer for open-source and blackbox binaries on Windows, Linux and MacOS
Apache License 2.0

[linux] dbi mode doesn't work (as expected) #71

Open kotee4ko opened 3 years ago

kotee4ko commented 3 years ago

python3 manul.py -c ./T/st0.config -i in -o out -n 1 "./T/stage0 @@"

[Manul ASCII-art logo printed at startup (manul_logo = True)]
[WARNING] Output directory is not empty, creating backup of output folder
[INFO] Done
[INFO] 1 fuzzer instances successfully launched
[INFO] Starting fuzzer 0
[INFO] Performing intialization of fuzzer 0
[INFO] Getting PIPE name for fuzzer 0
[INFO] IPC object name in /usr/tmp/manul_uds_socket_899403689
[INFO] Setting up shared mem 24150114 for fuzzer:0
[INFO] Initializing mutators
[INFO] Initalization is done for 0
[INFO] Performing dry run
[INFO] Launching /opt/wokr/FUZZING/manul/dbi_clients_src/dr_cov/DynamoRIO-Linux-8.0.18836/bin64/drrun -c /opt/wokr/FUZZING/manul/linux/dbi_64/libbinafl.so -target_module /opt/wokr/FUZZING/manul/T/stage0 -target_method open_file -fuzz_iterations 500 -persistence_mode 1 -coverage_module stage0 -debug_manul -ipc_obj_name /usr/tmp/manul_uds_socket_899403689 -- ./T/stage0 out/0/mutations/.cur_input
[INFO] Persistence mode
[INFO] Starting UDS on /usr/tmp/manul_uds_socket_899403689
[INFO] Target successfully started, waiting for result
[INFO] Reading from UDS /usr/tmp/manul_uds_socket_899403689
[WARNING] Failed to establish connection with target, timeout. Restarting the target
[INFO] Output from target 
[ERROR] test doesn't cover any path in the target, Make sure the binary is actually instrumented
[WARNING] Fuzzer 0 unexpectedly terminated
[WARNING] Fuzzer 0 unexpectedly terminated
[WARNING] Fuzzer 0 unexpectedly terminated
[WARNING] Fuzzer 0 unexpectedly terminated
[WARNING] Fuzzer 0 unexpectedly terminated
[WARNING] Fuzzer 0 unexpectedly terminated
[WARNING] Fuzzer 0 unexpectedly terminated
[WARNING] Fuzzer 0 unexpectedly terminated
[WARNING] Fuzzer 0 unexpectedly terminated
[WARNING] Fuzzer 0 unexpectedly terminated
[WARNING] Fuzzer 0 unexpectedly terminated
[WARNING] Fuzzer 0 unexpectedly terminated
[WARNING] Fuzzer 0 unexpectedly terminated

my config:

#   Manul - experimental configuration file for Linux
#   -------------------------------------
#   Maksim Shudrak <mshudrak@salesforce.com> <mxmssh@gmail.com>
#
#   Copyright 2019 Salesforce.com, inc. All rights reserved.
#
#   Licensed under the Apache License, Version 2.0 (the "License");
#   you may not use this file except in compliance with the License.
#   You may obtain a copy of the License at:
#     http://www.apache.org/licenses/LICENSE-2.0
#
#   Unless required by applicable law or agreed to in writing, software
#   distributed under the License is distributed on an "AS IS" BASIS,
#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
#   See the License for the specific language governing permissions and
#   limitations under the License.

# NOTE: This configuration file is experimental due to problems with forkserver.
#       You can remove forkserver_on = True at the end of the config to safely use this 
#       config file.

# Manul config file
# Format: <option_name> = <value>
# -----------------

# absolute path to dictionary with useful tokens
#dict = dictionaries/test.dict

# Mutator weights (should be 10 in total). Use my_mutator:x,my_mutator_2:x to define and use your own
# custom mutator (should be 10 in total). Specify 0 to disable certain mutators. Weights basically are
# used to tell manul how many mutations per 10 executions should be performed by certain fuzzer.
# example afl:5,radamsa:2,my_awesome_fuzzer:3
# afl will be used to mutate 5 out of 10 cases, 2 out of 10 for radamsa and 3 out of 10 for my_awesome_fuzzer
# Your custom mutator's main file should be located in the same folder as manul.py.
# Two default mutators should always be defined (afl, radamsa)
#mutator_weights=afl:5,radamsa:5
mutator_weights=afl:10,radamsa:0
#mutator_weights=afl:6,radamsa:0,example_mutator:4

# Use deterministic seed for test cases generation (only radamsa option).
determenistic_seed = False

# Print fuzzing summary per thread instead of total summary
print_per_thread = False

# disable volatile bytes suppression algorithm
#disable_volatile_bytes = True

# Choose DBI framework to provide coverage back to Manul ("dynamorio" or "pin"). Example dbi = dynamorio

dbi = dynamorio
dbi_root = /opt/wokr/FUZZING/manul/dbi_clients_src/dr_cov/DynamoRIO-Linux-8.0.18836/bin64/drrun
dbi_client_root = /opt/wokr/FUZZING/manul/linux/dbi_64/libbinafl.so

# These were compiled from sources and don't work, so I decided to try the prebuilt one. The same....
#dbi = dynamorio
#dbi_root = /opt/wokr/FUZZING/drAFL/build_dr/bin64/drrun
#dbi_client_root = /opt/wokr/FUZZING/drAFL/build/libbinafl.so

#dbi = pin
#dbi_root = /opt/wokr/FUZZING/manul/linux/dbi_64/afl-pin.so
#dbi_client_root = /opt/wokr/FUZZING/manul/linux/dbi_64/libbinafl.so

dbi_client_libs = None
# Select persistence mode: 0 - no persistence, 1 - standard persistence (function wrapping), 2 - inapp persistence
dbi_persistence_mode = 1
# Module name where the target function is implemented
#dbi_target_module = /opt/wokr/FUZZING/manul/T/stage2_threads_socket_inf_loop
dbi_target_module = /opt/wokr/FUZZING/manul/T/stage0
# Function name
dbi_target_method = open_file
# Function offset in 0xFFFFFF format
#dbi_target_offset = 0x1672

#offset to prologue of main in /opt/wokr/FUZZING/manul/T/stage0
dbi_target_offset = 0x11d9  
# Number of fuzz iterations to run in-memory before the whole program restarts.
dbi_fuzz_iterations = 500
# Instrument coverage only from a thread that executed the target function
#dbi_thread_coverage = False

# Timeout for target binary
timeout = 10

# wait time before actually start sending test cases in the target
init_wait = 1

# Stop manul after n seconds of running (specify 0 for infinite run)
#stop_after_nseconds = 0

# net_config_master and net_config_slave below are used to share manul instances over network. 
# Path to network configuration file with a list of IP:port slave addresses. Specified for master instance.
net_config_master = None

# IP and port to listen for connections from master (e.g. net_config_slave = 0.0.0.0:1337)
net_config_slave = None

# Run in debug mode, print details in console
debug = True

# Print Manul ASCII logo at the beginning
manul_logo = True

# Disable stats saving in the manul working dir
no_stats = True

# Save debug messages to log files (one per thread)
logging_enable = True

# Bitmap sync frequency (5000 recommended for DBI mode)
sync_freq = 5000

# Custom path to save input file
#custom_path = test_path

# Command line fuzzing (experimental)
#cmd_fuzzing = True

# define signals to be ignored by manul
user_signals = 6

# Network fuzzing. Target IP address
#target_ip_port = 127.0.0.1:4444
# tcp | udp
#target_protocol = tcp
# wait time between test cases
#net_sleep_between_cases = 0.000001

# Enable AFL's forkserver fuzzing mode (experimental, only available on Linux)
# forkserver_on = True

So, after a few more attempts I found this:

/opt/wokr/FUZZING/manul/dbi_clients_src/dr_cov/DynamoRIO-Linux-8.0.18836/bin64/drrun -c /opt/wokr/FUZZING/manul/linux/dbi_64/libbinafl.so -target_method open_file -fuzz_iterations 500 -persistence_mode 1 -coverage_module stage0 -debug_manul -ipc_obj_name /usr/tmp/manul_uds_socket_717970363 -- ./T/stage0 out/0/mutations/.cur_input
<Application /opt/wokr/FUZZING/manul/T/stage0 (380551). Client library targets an incompatible API version and should be re-compiled.>

So, I returned my config file to the previous self-built version:

/opt/wokr/FUZZING/drAFL/build_dr/bin64/drrun -c /opt/wokr/FUZZING/drAFL/build/libbinafl.so -target_method open_file -fuzz_iterations 500 -persistence_mode 1 -coverage_module stage0 -debug_manul -ipc_obj_name /usr/tmp/manul_uds_socket_506322889 -- ./T/stage0 out/0/mutations/.cur_input
UNRECOGNIZED OPTION: "-target_method"
ASSERT FAILURE: /opt/wokr/FUZZING/drAFL/bin_cov/bin_coverage.c:381: (0) (invalid option)

Okay. I patched these asserts, rebuilt bin_cov and finally:


root@l0c4lh05t:/opt/wokr/FUZZING/manul# python3 manul.py -c ./T/st0.config -i in -o out -n 1 "./T/stage0 @@"
[WARNING] Output directory is not empty, creating backup of output folder
[INFO] Done
[INFO] 1 fuzzer instances successfully launched
[INFO] Starting fuzzer 0
[INFO] Performing intialization of fuzzer 0
[INFO] Getting PIPE name for fuzzer 0
[INFO] IPC object name in /usr/tmp/manul_uds_socket_541226403
[INFO] Setting up shared mem 24182856 for fuzzer:0
[INFO] Initializing mutators
[INFO] Initalization is done for 0
[INFO] Performing dry run
[INFO] Launching /opt/wokr/FUZZING/drAFL/build_dr/bin64/drrun -c /opt/wokr/FUZZING/drAFL/build/libbinafl.so -target_method open_file -fuzz_iterations 500 -persistence_mode 1 -coverage_module stage0 -debug_manul -ipc_obj_name /usr/tmp/manul_uds_socket_541226403 -- ./T/stage0 out/0/mutations/.cur_input
[INFO] Persistence mode
[INFO] Starting UDS on /usr/tmp/manul_uds_socket_541226403
[INFO] Target successfully started, waiting for result
[INFO] Reading from UDS /usr/tmp/manul_uds_socket_541226403
target module: stage0
[WARNING] Failed to establish connection with target, timeout. Restarting the target
[INFO] Dry run finished
[INFO] Running <function bitflip_1bit at 0x7f3b9d70f280> stage of AFL mutator
[INFO] Running /opt/wokr/FUZZING/drAFL/build_dr/bin64/drrun -c /opt/wokr/FUZZING/drAFL/build/libbinafl.so -target_method open_file -fuzz_iterations 500 -persistence_mode 1 -coverage_module stage0 -debug_manul -ipc_obj_name /usr/tmp/manul_uds_socket_541226403 -- ./T/stage0 out/0/mutations/.cur_input
[INFO] Persistence mode
[WARNING] The process is alive but Zombie, killing it
[INFO] Starting UDS on /usr/tmp/manul_uds_socket_541226403
[INFO] Target successfully started, waiting for result
[INFO] Reading from UDS /usr/tmp/manul_uds_socket_541226403
target module: stage0

                          Manul 0.4. All fuzzers summary                     
---------Active threads: 1 --------------------------------------CPU: 2.00%-----
|                                                                              |
|  Mode: DBI             Strategy: afl radamsa               Logging: Enabled  |
|                                                                              |
|  --Timing----------------------------------   --Results--------------------- |
|  | Time: 0d 0h 0m 10s                     |   |  Crashes: 0                | |
|  | Last new crash found: n/a              |   |  Unique crashes: 0         | |
|  | Last new path found: n/a               |   |  Exceptions: 0             | |
|  ------------------------------------------   ------------------------------ |
|  --Coverage statistics---------------------   ---Performance---------------- |
|  | Volatile bytes: 0                      |   |  Exec/sec: 0.00000         | |
|  | Bitmap coverage: 0.09%                 |   |  Executions: 1             | |
|  | New paths found: 0                     |   |  Files in queue: 0         | |
|  ------------------------------------------   ------------------------------ |
--------------------------------------------------------------------------------

[eight more summary frames, Time 11s through 18s, identical except for the Time and CPU (1.00%–1.50%) fields: Executions: 1, Exec/sec: 0.00000, Bitmap coverage: 0.09%, New paths found: 0]

                          Manul 0.4. All fuzzers summary                     
---------Active threads: 1 --------------------------------------CPU: 1.10%-----
|                                                                              |
|  Mode: DBI             Strategy: afl radamsa               Logging: Enabled  |
|                                                                              |
|  --Timing----------------------------------   --Results--------------------- |
|  | Time: 0d 0h 0m 19s                     |   |  Crashes: 0                | |
|  | Last new crash found: n/a              |   |  Unique crashes: 0         | |
|  | Last new path found: n/a               |   |  Exceptions: 0             | |
|  ------------------------------------------   ------------------------------ |
|  --Coverage statistics---------------------   ---Performance---------------- |
|  | Volatile bytes: 0                      |   |  Exec/sec: 0.00000         | |
|  | Bitmap coverage: 0.09%                 |   |  Executions: 1             | |
|  | New paths found: 0                     |   |  Files in queue: 0         | |
|  ------------------------------------------   ------------------------------ |
--------------------------------------------------------------------------------

[WARNING] Failed to establish connection with target, timeout. Restarting the target
[INFO] Running <function bitflip_1bit at 0x7f3b9d70f280> stage of AFL mutator
[INFO] Running /opt/wokr/FUZZING/drAFL/build_dr/bin64/drrun -c /opt/wokr/FUZZING/drAFL/build/libbinafl.so -target_method open_file -fuzz_iterations 500 -persistence_mode 1 -coverage_module stage0 -debug_manul -ipc_obj_name /usr/tmp/manul_uds_socket_541226403 -- ./T/stage0 out/0/mutations/.cur_input
[INFO] Persistence mode
[WARNING] The process is alive but Zombie, killing it
[INFO] Starting UDS on /usr/tmp/manul_uds_socket_541226403
[INFO] Target successfully started, waiting for result
[INFO] Reading from UDS /usr/tmp/manul_uds_socket_541226403
target module: stage0

It launches all the parts, but it doesn't work....

What do I need to do?

Btw, my target is the test case, but built without AFL instrumentation.

root@l0c4lh05t:/opt/wokr/FUZZING/manul/T# cc stage0.c -o stage0 
root@l0c4lh05t:/opt/wokr/FUZZING/manul/T# strip stage0
root@l0c4lh05t:/opt/wokr/FUZZING/manul/T# cat stage0.c 
/*
   Manul - test file for Linux
   -------------------------------------
   Maksim Shudrak <mshudrak@salesforce.com> <mxmssh@gmail.com>

   Copyright 2019 Salesforce.com, inc. All rights reserved.

   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at:
     http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char** argv)
{
    char *buf = NULL;
    int size = 0;
    if(argc < 2) {
        printf("Usage: %s <input file>\n", argv[0]);
        exit(-1);
    }
    FILE *fp = fopen(argv[1], "rb");
    if (!fp) {
        printf("Couldn't open file specified %s", argv[1]);
        exit(-1);
    }
    printf("Opening %s\n", argv[1]);
    // obtain file size:
    fseek(fp , 0 , SEEK_END);
    size = ftell(fp);
    rewind(fp);

    // allocate memory to contain the whole file:
    buf = (char*) malloc (sizeof(char ) * size);
    if (buf == NULL) {printf("Unable to read file"); exit (-1);}

    // copy the file into the buffer:
    fread(buf, 1, size, fp);
    fclose(fp);

    if (buf[0] == 'P') {
        if (buf[1] == 'W') {
            if (buf[2] == 'N') {
                if (buf[3] == 'I') {
                    if (buf[4] == 'T') {
                        printf("Found it!\n");
                        ((void(*)())0x0)();
                    }
                }
            }
        }
    }

    printf("Parsed %d bytes\n", size);
    free(buf);
}

Thanks
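The dry-run error in the log above ("test doesn't cover any path in the target") and the coverage feedback that the fuzzing loop depends on, as an added example that is not part of this issue or of manul's own code. It models stage0.c's nested `PWNIT` comparisons in Python, assumes an AFL-style 64 KiB edge map (an assumption, not a manul constant), and uses a constructed seed `b"hello"`. With instrumentation each passing comparison lights a new edge, so the loop keeps the child and finds the magic one byte at a time; without instrumentation the seed reports no edges and the dry run refuses to start, which is the situation the log shows.

```python
"""Added example, not manul's code: a toy coverage-guided loop over a Python
model of stage0.c. It shows why the dry run rejects a target that reports
no coverage, and how edge feedback finds the five-byte magic one byte at
a time where unguided mutation of the seed never does."""
from __future__ import annotations

import random

MAGIC = b"PWNIT"          # the nested-if chain in stage0.c
MAP_SIZE = 65536          # assumption: AFL-style 64 KiB edge map


class NoCoverageError(RuntimeError):
    """Raised when the seed lights no edge, like manul's dry-run error."""


def run_target(data: bytes, instrumented: bool = True) -> tuple[set, bool]:
    """Model of stage0: returns (edge ids hit, crashed).

    Edge 0 is main() itself; edge 100+i is the i-th nested comparison
    passing. All five passing is the ((void(*)())0x0)() call, i.e. a crash.
    Without instrumentation the target runs but reports no edges at all."""
    edges = set()
    if instrumented:
        edges.add(0)
    matched = 0
    for i, want in enumerate(MAGIC):
        if i < len(data) and data[i] == want:
            matched += 1
            if instrumented:
                edges.add(100 + i)
        else:
            break
    return edges, matched == len(MAGIC)


def dry_run(seed: bytes, instrumented: bool = True) -> set:
    """Run the seed once and refuse to fuzz if nothing was covered."""
    edges, _ = run_target(seed, instrumented)
    if not edges:
        raise NoCoverageError("test doesn't cover any path in the target, "
                              "make sure the binary is actually instrumented")
    return edges


def mutate(data: bytes, rng: random.Random) -> bytes:
    """One random mutation: 1-bit flip, byte overwrite, or append a byte."""
    buf = bytearray(data) or bytearray(b"\x00")
    i = rng.randrange(len(buf))
    op = rng.randrange(3)
    if op == 0:
        buf[i] ^= 1 << rng.randrange(8)      # bitflip_1bit-style
    elif op == 1:
        buf[i] = rng.randrange(256)
    else:
        buf.append(rng.randrange(256))
    return bytes(buf)


def fuzz(seed: bytes, max_execs: int = 500_000, feedback: bool = True,
         rng_seed: int = 1) -> tuple[bytes | None, int, float]:
    """Coverage-guided loop. Returns (crashing input or None, executions,
    map coverage in percent). With feedback=False inputs that reach new
    edges are discarded, so every mutation starts again from the seed."""
    rng = random.Random(rng_seed)
    queue = [seed]
    seen = set(dry_run(seed))
    execs = 1
    while execs < max_execs:
        child = mutate(rng.choice(queue), rng)
        edges, crashed = run_target(child)
        execs += 1
        if crashed:
            return child, execs, 100.0 * len(seen | edges) / MAP_SIZE
        if feedback and edges - seen:   # new edge: keep child as a parent
            seen |= edges
            queue.append(child)
    return None, execs, 100.0 * len(seen) / MAP_SIZE


if __name__ == "__main__":
    found, n, cov = fuzz(b"hello")
    print(f"guided: crash input {found!r} after {n} execs, map {cov:.4f}%")
    _, n, _ = fuzz(b"hello", max_execs=50_000, feedback=False)
    print(f"unguided: nothing after {n} execs")
    try:
        dry_run(b"hello", instrumented=False)
    except NoCoverageError as e:
        print("[ERROR]", e)
```

The unguided run never succeeds because a single mutation of the seed can change at most one byte, and with no feedback there is no way to keep partial progress; that is the same reason a target that reports an empty map (uninstrumented, or a DBI client that never connected back over the UDS) cannot be fuzzed usefully, which is why the dry run checks the map before any mutation stage starts.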

kotee4ko commented 3 years ago
                          Manul 0.4. All fuzzers summary                     
---------Active threads: 12 ------------------------------------CPU: 98.80%-----
|                                                                              |
|  Mode: DBI             Strategy: afl radamsa               Logging: Enabled  |
|                                                                              |
|  --Timing----------------------------------   --Results--------------------- |
|  | Time: 0d 0h 1m 50s                     |   |  Crashes: 12               | |
|  | Last new crash found: 0d 0h 0m 8s      |   |  Unique crashes: 1         | |
|  | Last new path found: 0d 0h 0m 18s      |   |  Exceptions: 12            | |
|  ------------------------------------------   ------------------------------ |
|  --Coverage statistics---------------------   ---Performance---------------- |
|  | Volatile bytes: 0                      |   |  Exec/sec: 132.58622       | |
|  | Bitmap coverage: 0.09%                 |   |  Executions: 14414         | |
|  | New paths found: 36                    |   |  Files in queue: 48        | |
|  ------------------------------------------   ------------------------------ |
--------------------------------------------------------------------------------

Manul on 12 threads with DynamoRIO 7.9 (Dec 2020) did 14414 executions to find the crash, while AFL + DynamoRIO

                       american fuzzy lop 2.52b (stage0)

┌─ process timing ─────────────────────────────────────┬─ overall results ─────┐
│        run time : 0 days, 0 hrs, 1 min, 25 sec       │  cycles done : 0      │
│   last new path : 0 days, 0 hrs, 0 min, 26 sec       │  total paths : 4      │
│ last uniq crash : 0 days, 0 hrs, 0 min, 1 sec        │ uniq crashes : 1      │
│  last uniq hang : none seen yet                      │   uniq hangs : 0      │
├─ cycle progress ────────────────────┬─ map coverage ─┴───────────────────────┤
│  now processing : 3 (75.00%)        │    map density : 0.10% / 0.10%         │
│ paths timed out : 0 (0.00%)         │ count coverage : 1.02 bits/tuple       │
├─ stage progress ────────────────────┼─ findings in depth ────────────────────┤
│  now trying : bitflip 4/1           │ favored paths : 4 (100.00%)            │
│ stage execs : 16/29 (55.17%)        │  new edges on : 4 (100.00%)            │
│ total execs : 2142                  │ total crashes : 1 (1 unique)           │
│  exec speed : 25.54/sec (slow!)     │  total tmouts : 0 (0 unique)           │
├─ fuzzing strategy yields ───────────┴───────────────┬─ path geometry ────────┤
│   bit flips : 1/128, 0/124, 1/87                    │    levels : 4          │
│  byte flips : 0/12, 0/9, 0/3                        │   pending : 1          │
│ arithmetics : 2/669, 0/0, 0/0                       │  pend fav : 1          │
│  known ints : 0/64, 0/252, 0/132                    │ own finds : 3          │
│  dictionary : 0/0, 0/0, 0/0                         │  imported : n/a        │
│       havoc : 0/612, 0/0                            │ stability : 100.00%    │
│        trim : 42.86%/1, 0.00%                       ├────────────────────────┘
^C────────────────────────────────────────────────────┘          [cpu000: 21%]

on a single thread.

So, Sir, I appreciate both your project and your hard work!