ttdennis / fpicker

fpicker is a Frida-based fuzzing suite supporting various modes (including AFL++ in-process fuzzing)
MIT License

Fpicker instrumentation hangs in AFL proxy mode #30

Open dillonfranke opened 9 months ago

dillonfranke commented 9 months ago

Hi @ttdennis,

Let me just start by saying thank you for such a cool idea! I'm excited to use this for some fuzzing research I am performing. However, I've been running into an issue when trying to use fpicker to perform instrumentation while fuzzing with AFL++.

I'm trying to fuzz a function within the CoreAudio MacOS library that handles incoming mach messages.

Here's the command I'm running:

sudo afl-fuzz -i in -o out -- ./fpicker -v --fuzzer-mode afl --communication-mode shm -e attach -p coreaudiod -f harness.js

Here's my harness.js file before compiling it with frida-compile:

// Import the fuzzer base class
import { Fuzzer } from "./harness/fuzzer.js";
//const Fuzzer = require("harness/fuzzer.js");

// The custom fuzzer needs to subclass the Fuzzer class to work properly
class TestFuzzer extends Fuzzer {
    constructor() {
        // The constructor needs to specify the address of the targeted function and a NativeFunction
        // object that can later be called by the fuzzer.

        const fuzz_function_addr = Module.enumerateSymbolsSync("CoreAudio")
            .filter(function(o) { return o.name == "HALB_MIGServer_server"; })[0].address;
        const fuzz_function = new NativeFunction(fuzz_function_addr, "int", ["pointer", "pointer"]);

        super("CoreAudio", fuzz_function_addr, fuzz_function);
    }

    prepare() {
    }

    fuzz(payload, length) {

        const outputPointer = Memory.alloc(Process.pointerSize);
        Memory.writePointer(outputPointer, ptr("0x0"));

        this.target_function(payload, outputPointer);
    }
}

const f = new TestFuzzer();
//exports.fuzzer = f;
export const fuzzer = f;

However, fpicker stalls during the first test case, every time. Am I using the tool wrong? Any ideas? Thanks so much:

sudo afl-fuzz -i ../subsystem_messages/CoreAudio/HALB_MIGServer_server -o HALB_MIGServer_server-OUT -- ./fpicker -v --fuzzer-mode afl --communication-mode shm -e attach -p coreaudiod -f harness.js
Password:
afl-fuzz++4.06a based on afl by Michal Zalewski and a large online community
[+] afl++ is maintained by Marc "van Hauser" Heuse, Heiko "hexcoder" Eißfeldt, Andrea Fioraldi and Dominik Maier
[+] afl++ is open source, get it at https://github.com/AFLplusplus/AFLplusplus
[+] NOTE: This is v3.x which changes defaults and behaviours - see README.md
[+] No -M/-S set, autoconfiguring for "-S default"
[*] Getting to work...
[+] Using exponential power schedule (FAST)
[+] Enabled testcache with 50 MB
[+] Generating fuzz data with a length of min=1 max=1048576
[*] Checking CPU scaling governor...
[+] You have 4 CPU cores and 4 runnable tasks (utilization: 100%).
[*] Setting up output directories...
[*] Scanning '../subsystem_messages/CoreAudio/HALB_MIGServer_server'...
[+] Loaded a total of 1235 seeds.
[*] Creating hard links for all input files...
[*] Validating target binary...
[*] Spinning up the fork server...
[+] All right - fork server is up.
[*] No auto-generated dictionary tokens to reuse.
[*] Attempting dry run with 'id:000000,time:0,execs:0,orig:fffd8968a91c12de202b3a81c1b0c0f4'...

[-] Oops, the program crashed with one of the test cases provided. There are
    several possible explanations:

    - The test case causes known crashes under normal working conditions. If
      so, please remove it. The fuzzer should be seeded with interesting
      inputs - but not ones that cause an outright crash.

    - In QEMU persistent mode the selected address(es) for the loop are not
      properly cleaning up variables and memory. Try adding
      AFL_QEMU_PERSISTENT_GPR=1 or select better addresses in the binary.

    - On MacOS X, the semantics of fork() syscalls are non-standard and may
      break afl-fuzz performance optimizations when running platform-specific
      targets. To fix this, set AFL_NO_FORKSRV=1 in the environment.

    - Least likely, there is a horrible bug in the fuzzer. If other options
      fail, poke <afl-users@googlegroups.com> for troubleshooting tips.
[!] WARNING: Test case 'id:000000,time:0,execs:0,orig:fffd8968a91c12de202b3a81c1b0c0f4' results in a crash, skipping
[*] Attempting dry run with 'id:000001,time:0,execs:0,orig:fff272ad2955f2359fd438f00d9de95d'...
^Czsh: killed     sudo afl-fuzz -i ../subsystem_messages/CoreAudio/HALB_MIGServer_server -o  --

I dug into the logs a bit more and saw this output. It seems to be waiting for a semaphore to be released that never is:

log show --predicate 'process == "fpicker"' --last 5m

Filtering the log data using "process == "fpicker""
Skipping info and debug messages, pass --info and/or --debug to include.
Timestamp                       Thread     Type        Activity             PID    TTL  
2023-10-09 12:24:56.550043-0700 0xdcbff    Default     0x0                  35310  0    fpicker:        __       _      _                     
      / _|     (_)    | |                    
     | |_ _ __  _  ___| | _____ _ __         
     |  _| '_ \| |/ __| |/ / _ \ '__|      
     | | | |_) | | (__|   <  __/ |           
     |_| | .__/|_|\___|_|\_\___|_|        
         | |                                 
         |_|        Frida-Based Fuzzing Suite
- - - - - - - - - - - - - - - - - - - - - - -
2023-10-09 12:24:56.552630-0700 0xdcbff    Default     0x0                  35310  0    fpicker: Running fpicker using the following configuration:
2023-10-09 12:24:56.552634-0700 0xdcbff    Default     0x0                  35310  0    fpicker: - fuzzer-mode:             FUZZER_MODE_AFL
2023-10-09 12:24:56.552636-0700 0xdcbff    Default     0x0                  35310  0    fpicker: - coverage_mode:       COVERAGE_MODE_STALKER_SUMMARY
2023-10-09 12:24:56.552638-0700 0xdcbff    Default     0x0                  35310  0    fpicker: - standalone_mutator:      STANDALONE_MUTATOR_NULL
2023-10-09 12:24:56.552639-0700 0xdcbff    Default     0x0                  35310  0    fpicker: - communication_mode:      COMMUNICATION_MODE_SHM
2023-10-09 12:24:56.552640-0700 0xdcbff    Default     0x0                  35310  0    fpicker: - input_mode:          INPUT_MODE_IN_PROCESS
2023-10-09 12:24:56.552641-0700 0xdcbff    Default     0x0                  35310  0    fpicker: - exec_mode:           EXEC_MODE_ATTACH
2023-10-09 12:24:56.552642-0700 0xdcbff    Default     0x0                  35310  0    fpicker: - device_type:             DEVICE_LOCAL
2023-10-09 12:24:56.552647-0700 0xdcbff    Default     0x0                  35310  0    fpicker: - process_name:        coreaudiod
2023-10-09 12:24:56.552648-0700 0xdcbff    Default     0x0                  35310  0    fpicker: - command:             (null)
2023-10-09 12:24:56.552649-0700 0xdcbff    Default     0x0                  35310  0    fpicker: - fuzzer_timeout:      500
2023-10-09 12:24:56.552650-0700 0xdcbff    Default     0x0                  35310  0    fpicker: - fuzzer_sleep:        100
2023-10-09 12:24:56.552652-0700 0xdcbff    Default     0x0                  35310  0    fpicker: - verbose:             true
2023-10-09 12:24:56.552653-0700 0xdcbff    Default     0x0                  35310  0    fpicker: - agent_script:        harness.js
2023-10-09 12:24:56.552655-0700 0xdcbff    Default     0x0                  35310  0    fpicker: - corpus_dir:          (null)
2023-10-09 12:24:56.552656-0700 0xdcbff    Default     0x0                  35310  0    fpicker: - out_dir:             (null)
2023-10-09 12:24:56.552657-0700 0xdcbff    Default     0x0                  35310  0    fpicker: - metrics: disabled
2023-10-09 12:24:56.552663-0700 0xdcbff    Default     0x0                  35310  0    fpicker: 
2023-10-09 12:24:56.552666-0700 0xdcbff    Default     0x0                  35310  0    fpicker: [*] SHM_ENV_VAR = /afl_35296_846930886
2023-10-09 12:24:56.575475-0700 0xdcc01    Activity    0x16cd0              35310  0    fpicker: (CoreFoundation) Loading Preferences From System CFPrefsD
2023-10-09 12:24:56.580202-0700 0xdcc01    Activity    0x16cd1              35310  0    fpicker: (TCC) TCCAccessRequest() IPC
2023-10-09 12:24:56.602599-0700 0xdcc01    Default     0x0                  35310  0    fpicker: (AppKit) [com.apple.AppKit:Appearance] Current system appearance, (HLTB: 2), (SLS: 1)
2023-10-09 12:24:56.604590-0700 0xdcc01    Default     0x0                  35310  0    fpicker: (libMobileGestalt.dylib) No persisted cache on this platform.
2023-10-09 12:24:56.605377-0700 0xdcc01    Default     0x0                  35310  0    fpicker: (libMobileGestalt.dylib) Failed to copy the SysCfgDict MG key with error: 0
2023-10-09 12:24:56.752310-0700 0xdcc01    Default     0x0                  35310  0    fpicker: (AppKit) [com.apple.AppKit:Appearance] Current system appearance, (HLTB: 2), (SLS: 1)
2023-10-09 12:24:56.753025-0700 0xdcc01    Default     0x0                  35310  0    fpicker: (AppKit) [com.apple.AppKit:Appearance] Post-registration system appearance: (HLTB: 2)
2023-10-09 12:24:56.756934-0700 0xdcbff    Default     0x0                  35310  0    fpicker: [*] Found 2 Frida devices.
2023-10-09 12:24:56.756943-0700 0xdcbff    Default     0x0                  35310  0    fpicker: [*] Found desired Frida device: Local System(0)
2023-10-09 12:24:56.756965-0700 0xdcbff    Default     0x0                  35310  0    fpicker: [*] Trying to attach to process with name coreaudiod.
2023-10-09 12:24:56.761833-0700 0xdcc08    Activity    0x16cd2              35310  0    fpicker: (libsystem_info.dylib) Retrieve User by Name
2023-10-09 12:24:56.807690-0700 0xdcbff    Default     0x0                  35310  0    fpicker: [*] Found process coreaudiod with PID 35284
2023-10-09 12:24:56.989409-0700 0xdcbff    Default     0x0                  35310  0    fpicker: [*] Attached to process coreaudiod on frida device Local System
2023-10-09 12:24:56.992157-0700 0xdcbff    Default     0x0                  35310  0    fpicker: [*] Agent script created
2023-10-09 12:24:57.097285-0700 0xdcbff    Default     0x0                  35310  0    fpicker: [*] Agent script loaded
2023-10-09 12:24:58.097628-0700 0xdcbff    Default     0x0                  35310  0    fpicker: [*] Slept a bit to give the agent script some time.
2023-10-09 12:24:58.097642-0700 0xdcbff    Default     0x0                  35310  0    fpicker: [*] SEND: ["frida:rpc", 0, "call", "prepare", ["SHM", "AFL", "IN_PROCESS", "/afl_35296_846930886", "/fp_comm_shm_35310_1804289383", "1"]]
2023-10-09 12:24:58.099173-0700 0xdcc01    Default     0x0                  35310  0    fpicker: [JS]: [*] afl_area_ptr: 0x0
2023-10-09 12:24:58.099431-0700 0xdcc01    Default     0x0                  35310  0    fpicker: [JS]: [*] commap: 0x10a8d6000
2023-10-09 12:24:58.099675-0700 0xdcc01    Default     0x0                  35310  0    fpicker: [JS]: [*] commap_id: /fp_comm_shm_35310_1804289383
2023-10-09 12:24:58.099834-0700 0xdcc01    Default     0x0                  35310  0    fpicker: [JS]: [*] base: 0x7ff805b1f000
2023-10-09 12:24:58.100093-0700 0xdcc01    Default     0x0                  35310  0    fpicker: [JS]: [*] iteration_sem: 0xffffffffffffffff
2023-10-09 12:24:58.100246-0700 0xdcc01    Default     0x0                  35310  0    fpicker: [JS]: [*] exec_sem: 0xffffffffffffffff
2023-10-09 12:24:58.100474-0700 0xdcc01    Default     0x0                  35310  0    fpicker: [JS]: [*] Not excluding CoreAudio from stalker
2023-10-09 12:24:58.100742-0700 0xdcc01    Default     0x0                  35310  0    fpicker: [JS]: [*] Setting up interceptor
2023-10-09 12:24:58.109838-0700 0xdcc01    Default     0x0                  35310  0    fpicker: [JS]: {"type":"send","payload":{"type":"_fpicker_ready","data":[{"name":"coreaudiod","base":"0x1084c9000","size":98304,"path":"/usr/sbin/coreaudiod","id":0,"end":"0x1084e1000"},{"name":"caulk","base":"0x7ff80d25c000","size":155648,"path":"/System/Library/PrivateFrameworks/caulk.framework/Versions/A/caulk","id":1,"end":"0x7ff80d282000"},{"name":"CoreAudio","base":"0x7ff805b1f000","size":7462910,"path":"/System/Library/Frameworks/CoreAudio.framework/Versions/A/CoreAudio","id":2,"end":"0x7ff80623cffe"},{"name":"CoreFoundation","base":"0x7ff803b6a000","size":4825088,"path":"/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation","id":3,"end":"0x7ff804004000"},{"name":"Foundation","base":"0x7ff8049e3000","size":10559479,"path":"/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation","id":4,"end":"0x7ff8053f4ff7"},{"name":"libobjc.A.dylib","base":"0x7ff803799000","size":245721,"path":"/usr/lib/libobjc.A.dylib","id":5,"end":"0x7ff8037d4fd9"},{"name":"libc++.1.dylib","base":"0<…>
2023-10-09 12:24:58.109848-0700 0xdcc01    Default     0x0                  35310  0    fpicker: [*] MODULE=/usr/sbin/coreaudiod, start=0x1084c9000, end=0x1084e1000
2023-10-09 12:24:58.110678-0700 0xdcc01    Default     0x0                  35310  0    fpicker: [JS]: [1] before sem_wait in wait_for_exec (1696879498103)
2023-10-09 12:24:58.110691-0700 0xdcc01    Default     0x0                  35310  0    fpicker: [JS]: [3] after sem_wait in wait_for_exec (1696879498103). This took 0 ms
2023-10-09 12:24:58.110702-0700 0xdcc01    Default     0x0                  35310  0    fpicker: [JS]: [*] Interceptor ENTER (1696879498103)
2023-10-09 12:24:58.110738-0700 0xdcc01    Default     0x0                  35310  0    fpicker: [JS]: {"type":"send","payload":{"type":"crash","msg":{"message":"access violation accessing 0xd8d1","type":"access-violation","address":"0x10873f1b5","memory":{"operation":"read","address":"0xd8d1"},"context":{"pc":"0x10873f1b5","sp":"0x70000f95ef80","rax":"0xd8d1","rcx":"0xd8d1","rdx":"0x0","rbx":"0x10fae3000","rsp":"0x70000f95ef80","rbp":"0x70000f95efb0","rsi":"0x10fea83e0","rdi":"0x70000f95f2e8","r8":"0x70000f95f3c8","r9":"0x10aa09800","r10":"0x0","r11":"0x7ff8060ebd0e","r12":"0x70000f95f580","r13":"0x1","r14":"0x2","r15":"0x0","rip":"0x10873f1b5"},"nativeContext":"0x0","fileName":"mach.js","lineNumber":28}}}
2023-10-09 12:24:58.110770-0700 0xdcc01    Default     0x0                  35310  0    fpicker: [->] CRASH type received
2023-10-09 12:24:58.110774-0700 0xdcc01    Default     0x0                  35310  0    fpicker: [->] message: {"type":"send","payload":{"type":"crash","msg":{"message":"access violation accessing 0xd8d1","type":"access-violation","address":"0x10873f1b5","memory":{"operation":"read","address":"0xd8d1"},"context":{"pc":"0x10873f1b5","sp":"0x70000f95ef80","rax":"0xd8d1","rcx":"0xd8d1","rdx":"0x0","rbx":"0x10fae3000","rsp":"0x70000f95ef80","rbp":"0x70000f95efb0","rsi":"0x10fea83e0","rdi":"0x70000f95f2e8","r8":"0x70000f95f3c8","r9":"0x10aa09800","r10":"0x0","r11":"0x7ff8060ebd0e","r12":"0x70000f95f580","r13":"0x1","r14":"0x2","r15":"0x0","rip":"0x10873f1b5"},"nativeContext":"0x0","fileName":"mach.js","lineNumber":28}}}
2023-10-09 12:24:58.110776-0700 0xdcc01    Default     0x0                  35310  0    fpicker: [*] SEM_POST in _signal_exec_finished_with_ret_status 1696879498110
2023-10-09 12:24:58.110804-0700 0xdcc01    Default     0x0                  35310  0    fpicker: [JS]: [1] before sem_wait in wait_for_exec (1696879498105)
2023-10-09 12:24:58.110815-0700 0xdcc01    Default     0x0                  35310  0    fpicker: [JS]: [3] after sem_wait in wait_for_exec (1696879498105). This took 0 ms
2023-10-09 12:24:58.110825-0700 0xdcc01    Default     0x0                  35310  0    fpicker: [JS]: [*] Interceptor ENTER (1696879498105)
2023-10-09 12:24:58.114698-0700 0xdcbff    Default     0x0                  35310  0    fpicker: [*] Harness preparation done
2023-10-09 12:24:58.114725-0700 0xdcbff    Default     0x0                  35310  0    fpicker: [*] Everything ready, starting to fuzz!
2023-10-09 12:24:58.129164-0700 0xdcbff    Default     0x0                  35310  0    fpicker: [2] PRE SEM_POST in fuzz_iteration_in_process_shm: 1696879498129
2023-10-09 12:24:58.129173-0700 0xdcbff    Default     0x0                  35310  0    fpicker: [*] POST SEM_POST in fuzz_iteration_in_process_shm: 1696879498129
2023-10-09 12:24:58.129175-0700 0xdcbff    Default     0x0                  35310  0    fpicker: [*] PRE SEM_WAIT in fuzz_iteration_in_process_shm: 1696879498129
2023-10-09 12:24:58.129179-0700 0xdcbff    Default     0x0                  35310  0    fpicker: [*] POST SEM_WAIT in fuzz_iteration_in_process_shm: 1696879498129
2023-10-09 12:24:58.129791-0700 0xdcbff    Default     0x0                  35310  0    fpicker: [2] PRE SEM_POST in fuzz_iteration_in_process_shm: 1696879498129
2023-10-09 12:24:58.129797-0700 0xdcbff    Default     0x0                  35310  0    fpicker: [*] POST SEM_POST in fuzz_iteration_in_process_shm: 1696879498129
2023-10-09 12:24:58.129798-0700 0xdcbff    Default     0x0                  35310  0    fpicker: [*] PRE SEM_WAIT in fuzz_iteration_in_process_shm: 1696879498129
2023-10-09 12:25:28.336289-0700 0xdcc01    Default     0x0                  35310  0    fpicker: [JS]: [*] Interceptor ENTER (1696879528335)

Picasso-r commented 9 months ago

It seems that your fpicker doesn't find the shared memory created by AFL++, as the log shows fpicker: [JS]: [*] afl_area_ptr: 0x0. Did you enable the option CFLAGS="-DUSEMMAP=1" when you compiled your AFL++?
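
The check below is an added example (not fpicker's or AFL++'s own code) of how a target resolves the coverage map from the id seen in the log line SHM_ENV_VAR = /afl_35296_846930886: a USEMMAP build publishes a POSIX shm name to shm_open and mmap, a non-USEMMAP build publishes a SysV id for shmat, and a NULL result is the afl_area_ptr: 0x0 case above. __AFL_SHM_ID and the 64 KiB map size are AFL++ defaults; the segment name /fp_example_selfcheck is constructed for the self-check.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/shm.h>

#define AFL_SHM_ENV "__AFL_SHM_ID"  /* env var afl-fuzz sets for its target */
#define MAP_SIZE    (1u << 16)       /* AFL++ default coverage map size */

/* Resolve the coverage map from the id afl-fuzz published: with USEMMAP a POSIX shm
 * name ("/afl_<pid>_<rand>", as in the log above), otherwise a decimal SysV id. */
unsigned char *map_afl_area(const char *id, size_t size, const char **how) {
    if (id == NULL || *id == '\0') { *how = "no id in environment"; return NULL; }
    if (id[0] == '/') {
        int fd = shm_open(id, O_RDWR, 0600);
        if (fd < 0) { *how = "shm_open failed"; return NULL; }
        void *p = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
        close(fd);
        if (p == MAP_FAILED) { *how = "mmap failed"; return NULL; }
        *how = "posix shm (USEMMAP build)";
        return p;
    }
    void *p = shmat(atoi(id), NULL, 0);
    if (p == (void *)-1) { *how = "shmat failed"; return NULL; }
    *how = "sysv shm (non-USEMMAP build)";
    return p;
}

/* Self-check with a constructed name: create the segment as the fuzzer would, map it
 * as the target would, and confirm an edge hit crosses between the two mappings. */
int selfcheck_posix(const char *name) {
    int ok = 0; const char *how;
    int fd = shm_open(name, O_CREAT | O_RDWR, 0600);
    if (fd < 0 || ftruncate(fd, MAP_SIZE) != 0) { if (fd >= 0) close(fd); return 0; }
    unsigned char *fuzzer = mmap(NULL, MAP_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    close(fd);
    unsigned char *target = map_afl_area(name, MAP_SIZE, &how);
    if (fuzzer != MAP_FAILED && target != NULL) {
        target[0x1234] = 1;  /* the instrumented target records an edge hit */
        ok = (fuzzer[0x1234] == 1);
        munmap(target, MAP_SIZE);
    }
    if (fuzzer != MAP_FAILED) munmap(fuzzer, MAP_SIZE);
    shm_unlink(name);
    return ok;
}

int main(void) {
    const char *how;
    unsigned char *area = map_afl_area(getenv(AFL_SHM_ENV), MAP_SIZE, &how);
    printf("afl_area_ptr: %p (%s)\n", (void *)area, how);
    return selfcheck_posix("/fp_example_selfcheck") ? 0 : 1;
}
```

Run it under afl-fuzz (or with __AFL_SHM_ID exported by hand) to see which branch the published id takes and whether the mapping succeeds from the target's side.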

dillonfranke commented 1 month ago

Yes I did indeed compile AFL++ with CFLAGS="-DUSEMMAP=1" :/