stephenfewer / grinder

Grinder is a system to automate the fuzzing of web browsers and the management of a large number of crashes.
BSD 3-Clause "New" or "Revised" License

Log file not created #6

Closed v-p-b closed 10 years ago

v-p-b commented 11 years ago

I'm using a 32-bit Windows 7 VM with IE8. Everything looks OK, but the log file is not created. I used Process Monitor to monitor access to the file, and it seems that no CreateFile is issued from the browser process at all; the first access is done by ruby and results in a "file not found" error. I would really appreciate some pointers on how to debug this problem.

Ruby version: ruby 1.9.3p392 (2013-02-22) [i386-mingw32] (used the Windows installer). Grinder version: 0.5-dev

Thank you!

[+G+] Starting at 2013-04-02 11:13:02
[+G+] Using the config file 'config'...
[+G+] Bringing up Grinder node 'TestingG'...
[+G+] Started the Grinder continue process 2884
[+S+] Starting at 2013-04-02 11:13:04
[+S+] Adding fuzzer 'SimpleExample' to the testcase server
[+S+] Testcase server running on 127.0.0.1:8080
[+G+] Started the Grinder server process 3780
[+G+] Started the Grinder debugger process 196
[+D+] Starting at 2013-04-02 11:13:06
[+D+] Using the symbol path 'SRV*C:\symbols*http://msdl.microsoft.com/download/symbols'
[+D+] Running 'C:\Program Files\Internet Explorer\iexplore.exe'
[+D+] Attached debugger to new process 1708
[+D+] Logger DLL loaded into process 1708 @ 0x6FA80000
[+D+] Logging process 1708 to log file 'C:\Users\b\AppData\Local\Temp\Low\logger_1708.xml'
[+D+] Attached debugger to new process 2528
[+D+] Logger DLL loaded into process 2528 @ 0x6FA80000
[+D+] Logging process 2528 to log file 'C:\Users\b\AppData\Local\Temp\Low\logger_2528.xml'
[+D+] jscript.dll DLL loaded into process 2528 at address 0x67F40000
[+D+] Resolved jscript!StrToDbl @ 0x67F57C37
[+D+] Hooked JavaScript parseFloat() to grinder_logger.dll via proxy @ 0x01EF0000
[-D-] Error, unable to save the log file 'C:\Users\b\AppData\Local\Temp\Low\logger_2528.xml' (File doesnt exist)
[-D-] Failed to save the log file.
[*D*]
[*D*] Caught a Read Access Violation in IE8 process 2528 at 2013-04-02 11:13:24 with a crash hash of 6AD5B069.76FF3FD4
[*D*]
[+D+] Finished at 2013-04-02 11:13:24
v-p-b commented 11 years ago

I did some dumb debugging:

I modified the exception handler to print out the address of the occurring access violation:

[+D+]  [IE8] jscript.dll DLL loaded into process 564 at address 0x6E840000
[+D+] Resolved jscript!StrToDbl @ 0x6E857C37
[+D+] Hooked JavaScript parseFloat() to grinder_logger.dll via proxy @ 0x02600000
[+D+] === Access Violation @ ====
[+D+] 2600006
[-D-] Error, unable to save the log file 'C:\Users\b\AppData\Local\Temp\Low\logger_564.xml' (File doesnt exist)
[-D-] Failed to save the log file.
[*D*]
[*D*] Caught a Read Access Violation in IE8 process 564 at 2013-04-18 15:55:03 with a crash hash of 6AD5B069.76FF3FD4

So it seems that the proxy code tries to access some invalid address at the beginning of the code:

pushfd
pushad
mov eax, [esp+0x04+0x24]
mov ebx, [eax] ; here we crash

Hope this helps a bit.

I would really appreciate some advice about how to set up and handle breakpoints from inside Grinder - the Metasm documentation doesn't help me much :(

stephenfewer commented 10 years ago

closing as #9 seems to be a dupe.

b0nd commented 10 years ago

Hi Stephen, it seems the issue still persists. For testing out something, I run Win7 + IE8 + rubyinstaller-1.9.3-p448 with the default SimpleExample fuzzer. Under the crash folder, only crash files are there but no log files.

Cheers!

stephenfewer commented 10 years ago

Hi, I will try to reproduce with the setup you listed. Is your Win7 and IE8 fully patched or are you fuzzing at a specific patch level?

b0nd commented 10 years ago

Hi, here is the stdout:

[+G+] Starting at 2014-01-22 21:38:09
[+G+] Using the config file 'config'...
[+G+] Bringing up Grinder node 'G1'...
[+G+] Started the Grinder continue process 2228
[+S+] Starting at 2014-01-22 21:38:09
[+S+] Adding fuzzer 'bFuzz' to the testcase server
[+S+] Testcase server running on 127.0.0.1:8080
[+G+] Started the Grinder server process 1864
[+G+] Started the Grinder debugger process 2588
[+D+] Starting at 2014-01-22 21:38:11
[+D+] Using the symbol path 'SRV*C:\symbols*http://msdl.microsoft.com/download/symbols'
[+D+] Running 'C:\Program Files\Internet Explorer\iexplore.exe'
[+D+] Attached debugger to new process 1132
[+D+] Logger DLL loaded into process 1132 @ 0x6D2A0000
[+D+] Logging process 1132 to log file 'C:\Users\Admin\AppData\Local\Temp\Low\logger_1132.xml'
[+D+] Attached debugger to new process 2768
[+D+] Logger DLL loaded into process 2768 @ 0x6D2A0000
[+D+] Logging process 2768 to log file 'C:\Users\Admin\AppData\Local\Temp\Low\logger_2768.xml'
[+D+] jscript.dll DLL loaded into process 2768 at address 0x69D30000
[+D+] Resolved jscript!StrToDbl @ 0x69D47D17
[+D+] Hooked JavaScript parseFloat() to grinder_logger.dll via proxy @ 0x02BA0000
[-D-] Error, unable to save the log file 'C:\Users\Admin\AppData\Local\Temp\Low\logger_2768.xml' (File doesnt exist)
[-D-] Failed to save the log file.
[*D*]
[*D*] Caught a Read Access Violation in IE8 process 2768 at 2014-01-22 21:38:14 with a crash hash of 6AD5B069.76FF3FD4
[*D*] Posted crash to '127.0.0.1/server/status.php'
[*D*]
[+D+] Finished at 2014-01-22 21:38:14
[+G+] Started the Grinder debugger process 880
[+D+] Starting at 2014-01-22 21:38:15
[+D+] Using the symbol path 'SRV*C:\symbols*http://msdl.microsoft.com/download/symbols'
[+D+] Running 'C:\Program Files\Internet Explorer\iexplore.exe'
[+D+] Attached debugger to new process 3688
[+D+] Logger DLL loaded into process 3688 @ 0x6D310000
[+D+] Logging process 3688 to log file 'C:\Users\Admin\AppData\Local\Temp\Low\logger_3688.xml'
[+D+] Attached debugger to new process 2604
[+D+] Logger DLL loaded into process 2604 @ 0x6D310000
[+D+] Logging process 2604 to log file 'C:\Users\Admin\AppData\Local\Temp\Low\logger_2604.xml'
[+D+] jscript.dll DLL loaded into process 2604 at address 0x688C0000
[+D+] Resolved jscript!StrToDbl @ 0x688D7D17
[+D+] Hooked JavaScript parseFloat() to grinder_logger.dll via proxy @ 0x02A30000
[-D-] Error, unable to save the log file 'C:\Users\Admin\AppData\Local\Temp\Low\logger_2604.xml' (File doesnt exist)
[-D-] Failed to save the log file.
[*D*]
[*D*] Caught a Read Access Violation in IE8 process 2604 at 2014-01-22 21:38:19 with a crash hash of 6AD5B069.76FF3FD4
[*D*] Posted crash to '127.0.0.1/server/status.php'
[*D*]
[+D+] Finished at 2014-01-22 21:38:21

[+G+] Started the Grinder debugger process 1676

I don't see any file inside 'C:\Users\Admin\AppData\Local\Temp\Low' or any .log file under 'crashes'. The IE version is 8.0.7601.1754 and Win7 is not fully patched.
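Added here as an example (not Grinder's own code): a Ruby triage script that reads debugger stdout like the logs posted above, ties each crash hash to the logger XML path announced for that process, and flags crashes whose log file failed to save. The sample lines and the regexes are constructed for this example from the message shapes in this thread; a hash that recurs only among log-less crashes points at the harness rather than the browser.

```ruby
# Constructed sample of Grinder debugger stdout, modelled on the lines posted in this issue.
SAMPLE_LOG = <<~'LOG'
  [+D+] Attached debugger to new process 2768
  [+D+] Logging process 2768 to log file 'C:\Users\Admin\AppData\Local\Temp\Low\logger_2768.xml'
  [-D-] Error, unable to save the log file 'C:\Users\Admin\AppData\Local\Temp\Low\logger_2768.xml' (File doesnt exist)
  [-D-] Failed to save the log file.
  [*D*] Caught a Read Access Violation in IE8 process 2768 at 2014-01-22 21:38:14 with a crash hash of 6AD5B069.76FF3FD4
  [+D+] Attached debugger to new process 3100
  [+D+] Logging process 3100 to log file 'C:\Users\Admin\AppData\Local\Temp\Low\logger_3100.xml'
  [*D*] Caught a Write Access Violation in IE8 process 3100 at 2014-01-22 21:40:09 with a crash hash of 1234ABCD.5678EF01
LOG

# The three debugger message shapes the triage needs (regexes written for this example).
LOGFILE_RE   = /\A\[\+D\+\] Logging process (?<pid>\d+) to log file '(?<path>[^']+)'\z/
SAVE_FAIL_RE = /\A\[-D-\] Error, unable to save the log file '(?<path>[^']+)'/
CRASH_RE     = /\A\[\*D\*\] Caught a (?<type>.+?) in (?<target>\S+) process (?<pid>\d+) at (?<time>[\d: -]+) with a crash hash of (?<hash>[0-9A-F]{8}\.[0-9A-F]{8})\z/

# Walk the log once and return one record per crash, noting whether the logger XML
# announced for that process was reported saved (no save error) before the crash.
def triage_grinder_log(text)
  log_paths = {}  # pid  => logger XML path the debugger said it would write
  failed    = {}  # path => true once a save error was reported for it
  crashes   = []
  text.each_line(chomp: true) do |line|
    if (m = LOGFILE_RE.match(line))
      log_paths[m[:pid].to_i] = m[:path]
    elsif (m = SAVE_FAIL_RE.match(line))
      failed[m[:path]] = true
    elsif (m = CRASH_RE.match(line))
      path = log_paths[m[:pid].to_i]  # nil when no log file was ever announced
      crashes << { pid: m[:pid].to_i, target: m[:target], type: m[:type], time: m[:time],
                   hash: m[:hash], log: path, log_saved: !path.nil? && !failed[path] }
    end
  end
  crashes
end

# Crashes with no saved logger XML: there is no testcase to reproduce from, and a hash that
# recurs only in this set points at the harness (like the proxy hook here), not the browser.
def crashes_missing_log(crashes)
  crashes.reject { |c| c[:log_saved] }
end

if __FILE__ == $PROGRAM_NAME
  crashes_missing_log(triage_grinder_log(SAMPLE_LOG)).each do |c|
    puts "#{c[:hash]} pid=#{c[:pid]} (#{c[:type]}) has no saved log: #{c[:log]}"
  end
end
```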

stephenfewer commented 10 years ago

Hi,

Finally got around to reproducing and fixing this. Fixed in commit 91672e6f034e4e8fe59736ba5cd0f8db72617e76

Thanks for the report!

v-p-b commented 10 years ago

Thank you, I will test the fix in a couple of days.

ustayready commented 10 years ago

I have the same issue with FF 26.

stephenfewer commented 10 years ago

@mfelch Thanks, just fixed FireFox logging for latest version 26.0 via commit b5634f0ceb9dec4822584e48ec614060b7dd1685

ustayready commented 10 years ago

Np! Thanks for the quick turn around. I wish I would have had more time to dig in to save you some time.

v-p-b commented 10 years ago

I tested the fix with IE8+Win7, I can confirm it works. Thanks again!