ttdennis / fpicker

fpicker is a Frida-based fuzzing suite supporting various modes (including AFL++ in-process fuzzing)
MIT License

Error: compilation failed: module.c:45: error: field not found: undefined" #13

Closed afterthought325 closed 3 years ago

afterthought325 commented 3 years ago

Hello. I'm having an issue with running fpicker.

Here's my command: fpicker --fuzzer-mode active -e attach -p -D remote -o ./out -i ./in -f harness.js

I'm running on an x86_64 host, but my target application is a 32-bit binary running in a chroot. I also have an x86 frida-server running in that chroot to facilitate the remote connection.

Here's my harness:

const Fuzzer = require("./harness/fuzzer.js");

class TestFuzzer extends Fuzzer.Fuzzer {
    constructor() {
        // Resolve the target export and wrap it so the fuzzer can call it natively.
        const fn_addr = Module.getExportByName("libtarget.so.0.1.0", "target_function");
        const fn = new NativeFunction(fn_addr, "bool", ["pointer", "size_t"]);

        // Base constructor takes the fuzzer name, the target address and the NativeFunction.
        super("target", fn_addr, fn);
    }

    // Called by fpicker with the payload buffer and its length for every test case.
    fuzz(payload, len) {
        this.target_function(payload, parseInt(len));
    }
}

const f = new TestFuzzer();
exports.fuzzer = f;

Here's the output of when I run fpicker:

$ fpicker --fuzzer-mode active -e attach -p target -D remote -o ./out -i ./in -f harness.js
       __       _      _                     
      / _|     (_)    | |                    
     | |_ _ __  _  ___| | _____ _ __         
     |  _| '_ \| |/ __| |/ / _ \ '__|      
     | | | |_) | | (__|   <  __/ |           
     |_| | .__/|_|\___|_|\_\___|_|        
         | |                                 
         |_|        Frida-Based Fuzzing Suite
- - - - - - - - - - - - - - - - - - - - - - -

Running fpicker using the following configuration:
- fuzzer-mode:          FUZZER_MODE_STANDALONE_ACTIVE
- coverage_mode:        COVERAGE_MODE_STALKER_SUMMARY
- standalone_mutator:       STANDALONE_MUTATOR_NULL
- communication_mode:       COMMUNICATION_MODE_SEND
- input_mode:           INPUT_MODE_IN_PROCESS
- exec_mode:            EXEC_MODE_ATTACH
- device_type:          DEVICE_REMOTE
- process_name:         target
- command:          (null)
- fuzzer_timeout:       500
- fuzzer_sleep:         100
- verbose:          false
- agent_script:         harness.js
- corpus_dir:           ./in
- out_dir:          ./out
- metrics: enabled

[*] Found 2 Frida devices.
[*] Found desired Frida device: Local Socket(1)
[*] Trying to attach to process target
[*] Found process target with PID 69823
[*] Attached to process target on frida device Local Socket
[*] Agent script created
[->] error: {"type":"error","description":"Error: compilation failed: module.c:45: error: field not found: undefined","stack":"Error: compilation failed: module.c:45: error: field not found: undefined\n    at <anonymous> (harness/stalker-instrumentation.js:64)\n    at call (native)\n    at o (../../../../../../../usr/local/lib/node_modules/frida-compile/node_modules/browser-pack/_prelude.js:1)\n    at <anonymous> (../../../../../../../usr/local/lib/node_modules/frida-compile/node_modules/browser-pack/_prelude.js:1)\n    at Fuzzer (harness/fuzzer.js:10)\n    at TestFuzzer (target-fuzzer.js:25)\n    at <anonymous> (target-fuzzer.js:46)\n    at call (native)\n    at o (../../../../../../../usr/local/lib/node_modules/frida-compile/node_modules/browser-pack/_prelude.js:1)\n    at r (../../../../../../../usr/local/lib/node_modules/frida-compile/node_modules/browser-pack/_prelude.js:1)\n    at <eval> (/harness.js:527)","fileName":"harness/stalker-instrumentation.js","lineNumber":64,"columnNumber":1}
[*] Agent script loaded
^C

Frida-server is not outputting anything while running in verbose mode.

Any help would be appreciated.

afterthought325 commented 3 years ago

Additionally, I have all the processes mapped to my host system, so if I try to hook into the process locally, this is my output.

$ sudo ../fpicker --fuzzer-mode active -e attach -p target -o ./out -i ./in -f harness.js
       __       _      _                     
      / _|     (_)    | |                    
     | |_ _ __  _  ___| | _____ _ __         
     |  _| '_ \| |/ __| |/ / _ \ '__|      
     | | | |_) | | (__|   <  __/ |           
     |_| | .__/|_|\___|_|\_\___|_|        
         | |                                 
         |_|        Frida-Based Fuzzing Suite
- - - - - - - - - - - - - - - - - - - - - - -

Running fpicker using the following configuration:
- fuzzer-mode:          FUZZER_MODE_STANDALONE_ACTIVE
- coverage_mode:        COVERAGE_MODE_STALKER_SUMMARY
- standalone_mutator:       STANDALONE_MUTATOR_NULL
- communication_mode:       COMMUNICATION_MODE_SEND
- input_mode:           INPUT_MODE_IN_PROCESS
- exec_mode:            EXEC_MODE_ATTACH
- device_type:          DEVICE_LOCAL
- process_name:         target
- command:          (null)
- fuzzer_timeout:       500
- fuzzer_sleep:         100
- verbose:          false
- agent_script:         harness.js
- corpus_dir:           ./in
- out_dir:          ./out
- metrics: enabled

[*] Found 2 Frida devices.
[*] Found desired Frida device: Local System(0)
[*] Trying to attach to process target
[*] Found process target with PID 79992
[!] Failed to attach to process target on frida device Local System (Unable to inject library into process without libc)
[!] Error in spawning or attaching to process

Though I wasn't particularly expecting that to work because of the x86 vs. x86_64 difference.

afterthought325 commented 3 years ago

Okay, so I've figured out the problem. Because the target platform is ia32 and not x64, compilation of the CModule within stalker-instrumentation.js fails due to pc not being set. I'll put up a quick MR for that, as that fixes it for me. I'm still dealing with an issue, but it's related to frida-server and the target platform using a fairly old libc environment.
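The root cause described in the last comment, as an added example that is neither fpicker's own harness code nor the MR mentioned above: a Frida agent fragment that picks the GumCpuContext program-counter field per `Process.arch` before interpolating it into CModule source. Frida names that field `eip` on ia32, `rip` on x64 and `pc` on arm and arm64. One way the exact message `field not found: undefined` arises is a JS template that interpolates an undefined variable into `cpu_context->...`; that reconstruction, the helper names and the callout body are assumptions made for illustration, not code taken from the page or the project.

```javascript
// Added example, not fpicker's code. Demonstrates choosing the GumCpuContext
// program-counter member per architecture before building CModule source, and
// the failure mode when the lookup silently yields undefined.

// Real GumCpuContext member names per Frida's Process.arch value.
const PC_FIELD_BY_ARCH = {
  ia32:  "eip",   // 32-bit x86, the case missing in the reported failure
  x64:   "rip",
  arm:   "pc",
  arm64: "pc",
};

// Assumed shape of the original bug: a table with no ia32 entry.
const LEGACY_PC_FIELD_BY_ARCH = {
  x64:   "rip",
  arm:   "pc",
  arm64: "pc",
};

// Guarded lookup: fail loudly in JS instead of handing "undefined" to the C compiler.
function pcFieldFor(arch) {
  const field = PC_FIELD_BY_ARCH[arch];
  if (field === undefined) {
    throw new Error(`no GumCpuContext PC field known for arch "${arch}"`);
  }
  return field;
}

// Builds C source for a minimal Stalker callout that records the PC of each
// instrumented block into a ring buffer (illustrative body, assumed here).
function buildCalloutSource(arch) {
  const pc = pcFieldFor(arch);
  return `
#include <gum/gumstalker.h>

#define MAX_ENTRIES 4096

/* Ring buffer of block addresses; globals are exposed to JS by CModule. */
gpointer block_log[MAX_ENTRIES];
guint block_log_count = 0;

void
on_block (GumCpuContext * cpu_context, gpointer user_data)
{
  block_log[block_log_count % MAX_ENTRIES] =
      GSIZE_TO_POINTER (cpu_context->${pc});
  block_log_count++;
}
`;
}

// Reconstruction of the unguarded variant: on ia32 the template expands to
// "cpu_context->undefined", which is what the CModule compiler then rejects.
function buildUnguardedSource(arch) {
  const pc = LEGACY_PC_FIELD_BY_ARCH[arch];
  return `GSIZE_TO_POINTER (cpu_context->${pc})`;
}

// Compiles only inside a Frida agent, where Process and CModule exist;
// returns null when run under plain Node so the module loads anywhere.
function compileIfFrida() {
  if (typeof Process === "undefined" || typeof CModule === "undefined") {
    return null;
  }
  return new CModule(buildCalloutSource(Process.arch));
}

compileIfFrida();
```

Inside an agent the returned CModule's `on_block` export is a NativePointer that can be handed to `iterator.putCallout(cm.on_block)` from a `Stalker.follow` transform; the point of the guard is that an unsupported architecture now fails at `pcFieldFor` with a message naming the arch, rather than at C compile time with `field not found: undefined`.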