Some questions about the usage of driller

[kennynaoh]

Hello guys, I need some help. I have some question about driller want to ask. First, I followed the example https://github.com/shellphish/driller#example to run the driller. I print the new_inputs, and the result shows below set([((7, 134513087, 134513100), '^\xfe\xfe\xfe\xfe^\xfe'), ((7, 134513409, 134513424), '^\xff\x01\xfe\xf7\xa1\xfe'), ((7, 134513100, 134513087), '^\x01\x01\xfe\xfe^\xfe'), ((7, 134513087, 134513100), '\xfe\x01\x01\xfe\xfe\xfe\xfe'), ((7, 134513100, 134513087), '\xfe\xfe\xfe\xfe\xfe\xfe\xfe'), ((7, 134513100, 134513087), '^\xfe\x01\xfe\xfe^\xfe'), ((7, 134513087, 134513100), '\xfe\x01\xfe\xfe\xfe\xfe\xfe'), ((7, 134513210L, 134513263), '\x00\x00\x00\x00\x00\x00\x00'), ((7, 134513100, 134513087), '^\x01\xfe\xfe\xfe^\xfe'), ((7, 134513087, 134513100), '\xfe\xfe\x01\xfe\xfe\xfe\xfe'), ((7, 134513719L, 167772168), '^\xff\x01\xfe\xf7\xa1\xfe'), ((7, 134513348, 134513388), '\xfe\xfe\xfe\xfe\xfe\xfe\xfe'), ((7, 134513719L, 167772168), '\x00\x00\x00\x00\x00\x00\x00')]) Could someone help me explain the meaning of these messages? Thanks!

Second, I follow the code https://github.com/shellphish/driller/blob/master/driller/driller.py#L30, and I found that the second parameter of running driller.Driller(...) is input string. The input string for ./CADET_00001 is racecar. My question is how do I know what input string should be fed into the binary? Thanks!

[zardus]

Driller works by mutating inputs to divert their control flow over previously-untriggered edges. You can read the full details in the paper (https://www.internetsociety.org/sites/default/files/blogs-media/driller-augmenting-fuzzing-through-selective-symbolic-execution.pdf).

The example that you're talking about is that small-scale step of diverting a single testcase. I don't know/remember what the first two tuple elements of every entry in that set is, but the last element is the mutated testcase.

For the "integrated" system, check out shellphuzz here.

[kennynaoh]

Thank you for your reply. I have read the driller paper. And what I figure out is that the concept of concolic execution and the fuzzer. When the fuzzer get stuck, driller will invoke concolic execution to solve. I can't figure out the result I ask above. Could you help me explain more detail? I want to know how to get the crash input or what crash of some cgc examples. Thank you very much!

[zardus]

In Driller's operation, it'll help AFL achieve higher code coverage, and eventually AFL will find the crash. The crash will show up in AFL's output directory as it normally does.

[kennynaoh]

I have installed driller-afl https://github.com/shellphish/driller-afl and shellphish-afl https://github.com/shellphish/shellphish-afl. What you mean is that the crash result will be generated in those directory. If possible, could you show me the detail step? I appreciate that.

[zardus]

Check out shellphuzz, linked above -- when run on a CGC binary, it should automatically produce the required directory structure (in /dev/shm/work, by default). The -d option to shellphuzz will make it use driller.

[kennynaoh]

Sorry, please forgive my poor comprehension. I can't get it. What do you mean shellphuzz? Is shellphish-afl? If possible, would you mind give some example command? I have tried this. Take CADET_00001 for example, I'm not sure how to run it with shellphish-afl. I have tried ./CADET_00001 -d shellphish-afl. I'm sure this is wrong, but what is the correct command? I have also tried sc1_0b32aa01_01, but it can't work, either. Sorry to bother you again. Thanks so much!

[zardus]

shellphuzz: https://github.com/shellphish/fuzzer/blob/master/shellphuzz

[kennynaoh]

Thank you so much! I got it. There is still a question want to ask about running shellphuzz lol. I ran the command shellphuzz -i -c 4 ~/CADET_00001/CADET_00001 under the directory fuzzer/ and I also tried another binary sc1_0b32aa01_01, and the result shows below: [*] Creating fuzzer... Traceback (most recent call last): File "/usr/local/bin/shellphuzz", line 63, in <module> create_dictionary=not args.no_dictionary, stuck_callback=stuck_callback File "/usr/local/lib/python2.7/dist-packages/fuzzer/fuzzer.py", line 160, in __init__ p = angr.Project(binary_path) File "/usr/local/lib/python2.7/dist-packages/angr/project.py", line 144, in __init__ raise Exception("Not a valid binary file: %s" % repr(thing)) Exception: Not a valid binary file: '-i' Exception AttributeError: "'Fuzzer' object has no attribute '_timer'" in <bound method Fuzzer.__del__ of <fuzzer.fuzzer.Fuzzer object at 0x7faa99f96f90>> ignored I followed the process on https://github.com/shellphish/fuzzer#installation. I'm not sure what's problem here. I have tried many method and installed all dependencies, but maybe I still lack something. Could you give me some tips? I'm very thankful.

[zardus]

Can you check if the binary is executable?

On May 26, 2017 3:45 AM, "naoh" notifications@github.com wrote:

Thank you so much! I got it. There is still a question want to ask about running shellphuzz lol. I ran the command shellphuzz -i -c 4 ~/CADET_00001/CADET_00001 under the directory fuzzer/ and I also tried another binary sc1_0b32aa01_01, and the result shows below: [*] Creating fuzzer... Traceback (most recent call last): File "/usr/local/bin/shellphuzz", line 63, in create_dictionary=not args.no_dictionary, stuck_callback=stuck_callback File "/usr/local/lib/python2.7/dist-packages/fuzzer/fuzzer.py", line 160, in init p = angr.Project(binary_path) File "/usr/local/lib/python2.7/dist-packages/angr/project.py", line 144, in init raise Exception("Not a valid binary file: %s" % repr(thing)) Exception: Not a valid binary file: '-i' Exception AttributeError: "'Fuzzer' object has no attribute '_timer'" in <bound method Fuzzer.del of <fuzzer.fuzzer.Fuzzer object at 0x7faa99f96f90>> ignored I followed the process on https://github.com/shellphish/ fuzzer#installation. I'm not sure what's problem here. I have tried many method and installed all dependencies, but maybe I still lack something. Could you give me some tips? I'm very thankful.

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/shellphish/driller/issues/39#issuecomment-304215640, or mute the thread https://github.com/notifications/unsubscribe-auth/ADSzl8lEwepKYqfrDxxhxMkRmTT-_PH3ks5r9oMtgaJpZM4NiFqA .

[kennynaoh]

No, sorry about that. Actually, I ran ./CADET_00001 and result shows -bash: ./CADET_00001: cannot execute binary file: Exec format error. Then, I changed another executable file -> CSCI-4968-MBE/challenges/crackme0x01/crackme0x01. I tried shellphuzz -i -c 4 ~/CSCI-4968-MBE/challenges/crackme0x01/crackme0x01, and the result is the same as above I show you. I also tried another executable file fauxware/fauxware, and the result is the same.

[zardus]

CADET_00001 is a CGC binary, so you'll need the CGC VM if you want to execute it. shellphuzz will use our CGC qemu port, so it should work. Make sure to use -d 2 (or some other number) to enable several drilling cores.

[kennynaoh]

Thanks! So I think the problem is the environment, right? If I want to use shellphuzz, I think I need the CGC VM. Actually, I'm not sure what is that. Sorry about that. Would you like to give me some tips about the tutorial of CGC VM and CGC qemu port.Or anything related information. I will study that. Thank you!

[pwnslinger]

In completing @zardus comments, I would suggest use vagrant to get the CGC VM. You can find the walk through in the following link: https://github.com/CyberGrandChallenge/cgc-release-documentation/blob/master/walk-throughs/running-the-vm.md

In case you didn't find the vagrant file in that repo (Forbidden!) use this one instead: https://cgcdist.s3.amazonaws.com/release-final/boxes/Vagrantfile

[JsHuang]

@pwnslinger ,I download your vagrant file from https://cgcdist.s3.amazonaws.com/release-final/boxes/Vagrantfile, but it seems the vm.json (http://s3.amazonaws.com/cgcdist/boxes/vm.json) can not be accessed , is there any other choice? thanks

[pwnslinger]

Sorry for being late. In case you didn't fix the problem this one will help you.

you need to replace some stuff in files. in vm.json you need to change url portion to your local server like this:

"url": "http://192.168.236.1:7777/cgc-linux-dev.box"

and for vagrant file configuration just modify this line to your own local server:

config.vm.box_url = 'http://192.168.236.1:7777/vm.json'

Note: don't forget to put these files under your webserver path which in my case is running on port 7777.

also, since the repo is deprecated you need also to have these necessary files ..

[vm.json]

{
    "description": "This box contains a DECREE VM", 
    "name": "cgc-linux-dev", 
    "versions": [
        {
            "providers": [
                {
                    "checksum": "72d5505bbf203beb2ca8edd7aaee260d", 
                    "checksum_type": "md5", 
                    "name": "virtualbox", 
                    "url": "http://192.168.236.1:7777/cgc-linux-dev.box"
                }
            ], 
            "version": "10565"
        }
    ]
}

[JsHuang]

Thanks, but where can I download a cgc-linux-dev box now?

On 3/29/2018 13:36，Mohsen<notifications@github.com> wrote： 

Sorry for being late. In case you didn't fix the problem this one will help you. you need to replace some stuff in files. in vm.json you need to change url portion to your local server like this: "url": "http://192.168.236.1:7777/cgc-linux-dev.box" and for vagrant file configuration just modify this line to your own local server: config.vm.box_url = 'http://192.168.236.1:7777/vm.json' Note: don't forget to put these files under your webserver path which in my case is running on port 7777. also, since the repo is deprecated you need also to have these necessary files .. [vm.json] { "description": "This box contains a DECREE VM", "name": "cgc-linux-dev", "versions": [ { "providers": [ { "checksum": "72d5505bbf203beb2ca8edd7aaee260d", "checksum_type": "md5", "name": "virtualbox", "url": "http://192.168.236.1:7777/cgc-linux-dev.box" } ], "version": "10565" } ] }

—You are receiving this because you commented.Reply to this email directly, view it on GitHub, or mute the thread.

[rhelmot]

bumping this - I would appreciate an answer if anyone knows where that box lives these days.

[Jacopo]

http://archive.darpa.mil/cybergrandchallenge_repo/release-cqe/boxes/cgc-linux-dev.box

I think most stuff is now at http://archive.darpa.mil/cybergrandchallenge_repo/

[Ryan-hub-bit]

The above two links is not accessible now. I would appreciate if anyone can let me know where that box lives now.

[rhelmot]

I have a file named cgc-linux-dev.box with sha256sum f9a302cef019b6a03c1de903df7db1783a90a2a21cee0c5f258b9b60d853dc08 and md5sum 0844d54ecd3b8b6bbbfebfe6def0be14 but I do not have anywhere to host a 600MB file for public internet access. Any suggestions?

[Ryan-hub-bit]

Thanks for your reply. To clarify, do I need to install Shellphuzz on the CGC VM to use Driller? I originally installed Shellphuzz on my Ubuntu system and used it on several CGC binaries compiled by the CGC VM, which I then moved to my Ubuntu via a shared folder. However, I did not find any crashes for over 10 CGC binaries. I also found a download link (https://cgcdist.s3.amazonaws.com/release-cqe/boxes/cgc-linux-dev.box) located in the Vagrantfile on GitHub (https://github.com/funemy/binary-study/blob/master/vm/Vagrantfile). I'm unsure if this version is the same as the one I'm using.

[Ryan-hub-bit]

Also. I am a beginner on fuzzing. I just noticed that it mentions that driller has found crash on over 80 CGC binaries on it's paper. Could you please share some of them?

[Ryan-hub-bit]

I would appreciate if you would provide any insight on my project.