Trying to fuzz 7z using Winnie

[omkarbhat1995]

I'm new to fuzzing and was trying to understand how your fuzzer works. When I try to Fuzz the 7z (trying to recreate on of the applications mentioned in the paper and I'm getting this error. Can you help me with it? Also what did you put in the in folder? I tried using a location and a file I know exists should I be doing something else?

[stong]

Hi, could you please post the command line you used?

[omkarbhat1995]

afl-fuzz -i in -o out -t 1000 -I 1000 -- -bbfile basicblocks.bb -- -harness harness.dll -no_minidumps -- 7z2106-x64.exe @@

[stong]

Please refer to 7z command line manual: https://sevenzip.osdn.jp/chm/cmdline/syntax.htm

I think the command you want is probably afl-fuzz -i in -o out -t 1000 -I 1000 -- -bbfile basicblocks.bb -- -harness harness.dll -no_minidumps -- 7z2106-x64.exe x @@

Since you would normally use 7z like 7z x my_archive.7z or similar.

On Wed, Dec 29, 2021 at 08:27, Omkar Bhat @.***> wrote:

afl-fuzz -i in -o out -t 1000 -I 1000 -- -bbfile basicblocks.bb -- -harness harness.dll -no_minidumps -- 7z2106-x64.exe @@

— Reply to this email directly, view it on GitHub, or unsubscribe. Triage notifications on the go with GitHub Mobile for iOS or Android. You are receiving this because you commented.Message ID: @.***>

[omkarbhat1995]

I figured out the problem was in harness generation, when I try you Tracer.dll to create a harness I'm getting an error: Failure to map DLL ~\pin\source\tools\Tracer\x64\Release\Tracer.dll. I checked and the dll file is there. Do you know why that maybe be the case.

[Vulmatch]

I figured out the problem was in harness generation, when I try you Tracer.dll to create a harness I'm getting an error: Failure to map DLL ~\pin\source\tools\Tracer\x64\Release\Tracer.dll. I checked and the dll file is there. Do you know why that maybe be the case.

It's because you trying to trace 64 bit exe with 32 bit tracer or vice versa. Make sure the .exe and the tracer compiled in the same architecture.

[mineechor]

Can you tell me how to generate the harness(command)? Thank you very much!!!

[Vulmatch]

Can you tell me how to generate the harness(command)? Thank you very much!!!

I can't remember specifically what I did to successfully generate the harness code. I just followed their tutorial both in home directory and harnessgen folder.

[mineechor]

Can you tell me how to generate the harness(command)? Thank you very much!!!

I can't remember specifically what I did to successfully generate the harness code. I just followed their tutorial both in home directory and harnessgen folder.

Thanks

[KB-bit]

Can you tell me how to generate the harness(command)? Thank you very much!!!

Have you successfully generated the harness? I encountered a problem:

File ".../harness/common.py", line 513, int typedef assert mod AssertionError

Have you encountered the similar problem？

[mineechor]

@KB-bit Sorry, I didn't encounter the problem.

[KB-bit]

@KB-bit Sorry, I didn't encounter the problem.

Can you tell me the cmd to generate the harness for toy_example.exe? I followed the tutorial in harnessgen folder , but I failed to generate the harness for toy_example.exe in "../winnie-master/samples/toy_example".

[mineechor]

@KB-bit .\pin.exe -t source/tools/Tracer/Release/Tracer.dll -logdir "cor1_1" -trace_mode "all" -only_to_target "toy_example.exe" -only_to_lib "example_library.dll" -- D:\2022\final\w2\winnie\samples\toy_example\Release\toy_example.exe D:\2022\final\w2\winnie\samples\toy_example\in\input python synthesizer.py harness -t D:\2022\final\w2\winnie\harnessgen\lib\pin\cor1_1\drltrace.23944.log -d D:\2022\final\w2\winnie\harnessgen\lib\pin\cor1_1\memdump -s test -sample input

[KB-bit]

@KB-bit .\pin.exe -t source/tools/Tracer/Release/Tracer.dll -logdir "cor1_1" -trace_mode "all" -only_to_target "toy_example.exe" -only_to_lib "example_library.dll" -- D:\2022\final\w2\winnie\samples\toy_example\Release\toy_example.exe D:\2022\final\w2\winnie\samples\toy_example\in\input python synthesizer.py harness -t D:\2022\final\w2\winnie\harnessgen\lib\pin\cor1_1\drltrace.23944.log -d D:\2022\final\w2\winnie\harnessgen\lib\pin\cor1_1\memdump -s test -sample input

Thank you so much : )

[mineechor]

@KB-bit Hello, have you figured it out? If so, can you share the result with me?

[ElaineYao]

Hello @KB-bit and @mineechor, I am writing to ask for your help with a similar issue that I'm facing. After running the command $ python3 synthesizer.py harness -t drltrace.PID.log -d memdump -s "test", I received the following outputs:

Traceback (most recent call last): File "\path\to\winnie\harnessgen\synthesizer.py", line 147, in main() File "\path\to\winnie\harnessgen\synthesizer.py", line 135, in main syn = SingleSynthesizer(args.trace_file, args.dump_dir, File "\path\to\winnie\harnessgen\common.py", line 485, in init self.defined_types, self.defined_funcs = self.typedef() File "\path\to\winnie\harnessgen\common.py", line 518, in typedef assert mod AssertionError exit status 1 I was wondering if you have some idea of why this is happening and the possible solutions. Any advice would be helpful. Thanks in advance!

[kirito999]

@KB-bit Hello, have you figured it out? If so, can you share the result with me?

hello, I meet this problem when I use the following command python synthesizer.py harness -t lib\pin\cor1_1\drltrace.12064.log -d lib\pin\cor1_1\memdump -s test

And solve this problem when append "-sample path\input" as you say :)

but I don't see the argument of "-sample" in https://github.com/sslab-gatech/winnie/tree/master/harnessgen#one-trace what's usage of this argument？ like AFL's @@?

[kirito999]

Hello @KB-bit and @mineechor, I am writing to ask for your help with a similar issue that I'm facing. After running the command $ python3 synthesizer.py harness -t drltrace.PID.log -d memdump -s "test", I received the following outputs:

Traceback (most recent call last): File "\path\to\winnie\harnessgen\synthesizer.py", line 147, in main() File "\path\to\winnie\harnessgen\synthesizer.py", line 135, in main syn = SingleSynthesizer(args.trace_file, args.dump_dir, File "\path\to\winnie\harnessgen\common.py", line 485, in init self.defined_types, self.defined_funcs = self.typedef() File "\path\to\winnie\harnessgen\common.py", line 518, in typedef assert mod AssertionError exit status 1 I was wondering if you have some idea of why this is happening and the possible solutions. Any advice would be helpful. Thanks in advance!

maybe you can try $ python3 synthesizer.py harness -t drltrace.PID.log -d memdump -s "test" -sample input if you still paying attention to this paper :)

[ElaineYao]

Hello @KB-bit and @mineechor, I am writing to ask for your help with a similar issue that I'm facing. After running the command $ python3 synthesizer.py harness -t drltrace.PID.log -d memdump -s "test", I received the following outputs: Traceback (most recent call last): File "\path\to\winnie\harnessgen\synthesizer.py", line 147, in main() File "\path\to\winnie\harnessgen\synthesizer.py", line 135, in main syn = SingleSynthesizer(args.trace_file, args.dump_dir, File "\path\to\winnie\harnessgen\common.py", line 485, in init self.defined_types, self.defined_funcs = self.typedef() File "\path\to\winnie\harnessgen\common.py", line 518, in typedef assert mod AssertionError exit status 1 I was wondering if you have some idea of why this is happening and the possible solutions. Any advice would be helpful. Thanks in advance!

maybe you can try $ python3 synthesizer.py harness -t drltrace.PID.log -d memdump -s "test" -sample input if you still paying attention to this paper :)

Thank you @kirito999 ! I'll try this out.

[De3mond]

I'm new to fuzzing and was trying to understand how your fuzzer works. When I try to Fuzz the 7z (trying to recreate on of the applications mentioned in the paper and I'm getting this error. Can you help me with it? Also what did you put in the in folder? I tried using a location and a file I know exists should I be doing something else?

Hello, I'd like to know if you have successfully fuzzed 7z. The confusion I'm currently facing is that, when using synthesizer.py to generate a harness, I'm unsure about what the -s parameter represents. Since it's a closed-source software, we have no way of knowing its START_FUNCTION, making it impossible to automatically generate a harness for testing.