Closed marcinguy closed 1 year ago
Actually, installing ssh server in emulator (via termux for example) does not seem to work. I hope I can use adb port forward, right?
In general fpicker should work on Android. I didn't try it yet, but I don't see why it wouldn't.
However, AFL++ mode will only work in local mode, which means fpicker, afl++, and the target need to run on the same system. Fpicker strictly requires shared memory when in AFL++ mode. So it wouldn't work over network or USB.
If your target is running on your Android device and you have both fpicker and AFL++ running on your Android device, you can fuzz it like shown in the readme:
afl-fuzz -i examples/test-network/in -o ./examples/test-network/out -- \
./fpicker --fuzzer-mode afl -e attach -p target -f ./examples/test-network/harness.js
If you would want to fuzz it over USB or network, you could also use fpicker in standalone mode. However, I would then suggest to either use a custom mutator command or implement a better one, as the random mutator that's currently available is really just a proof of concept.
If you wanted to do it via USB it should work by running frida-server on the Android device and running fpicker with something like:
./fpicker --fuzzer-mode active -e attach -p target -D USB -o examples/test/out/ -i examples/test/in/ \
-f fuzzer-agent.js --communication-mode send
Important here are -D USB and --communication-mode send.
I hope that helps!
Actually it should work if you put the afl network proxy in between afl-fuzz and fpicker. Check out util/afl_proxy in afl++
@vanhauser-thc Cool.
@ttdennis Any ideas how to add it? I can try ...
afl-proxy.c
/* here you have to create the magic that feeds the buf/len to the
target and write the coverage to __afl_area_ptr */
// ... the magic ...
Would be cool to be able to use fpicker with AFL++ on remote device.
I am just on the phone, I think my pointer was wrong. Not afl_proxy but util/afl_network_proxy or something like that
Yes, in theory you should be able to use the afl_network_proxy (https://github.com/AFLplusplus/AFLplusplus/tree/stable/utils/afl_network_proxy) to use AFL mode over the network.
I didn't try it (because it's not really something I need right now) but you could possibly do it as follows:
On your target device run something like this:
afl-network-server -i 1111 -m 25M -t 1000 -- ./fpicker --fuzzer-mode afl -e attach \
-p test-service -f test-agent.js
And on the host:
afl-fuzz -i in -o out -t 2000+ -- afl-network-client TARGET-IP 1111
But then you still need to run fpicker on your target device/system. And if that's possible then you could just run AFL++/fpicker entirely on that device. The network proxy will probably cost you a ton of performance.
@vanhauser-thc as I recall in chroot environment with clang12 (not clang11, as I wrote in my previous comment, my mistake) the linker could not find -lc, whatever library this is. Could not figure it out.
ld: cannot find -lc
clang-12: error: linker command failed with exit code 1
Any ideas what it could be looking for and how to fix it?
well -lxx is always libxxx.{so|a}. so it is libc.so (or libc.a if you compile static). Android has a different libc than Linux so you need to install an Android cross compile suite and compile with that.
@vanhauser-thc thank you. Compiled it with NDK toolchain. Seems to work.
Have now fpicker and AFL++ running on the device and/or emulator. Will try to run fpicker in AFL++ proxy mode. Will see if it works with sharedmemory lib preload.
Hmmmm
Tried with 2 different targets, including the test from example.
Looked good until crash :/ Any idea why Frida (Frida Server) gets access violation? What can I try? @ttdennis
In active mode it seems to work. (just fpicker and harness - fuzzer-agent.js)
On physical Android device. Running everything as root. Using latest frida-server (frida-server-14.2.18-android-arm64)
Terminal output:
[+] Loaded environment variable AFL_NO_AFFINITY with value 1
afl-fuzz++3.13a based on afl by Michal Zalewski and a large online community
[+] afl++ is maintained by Marc "van Hauser" Heuse, Heiko "hexcoder" Eißfeldt, Andrea Fioraldi and Dominik Maier
[+] afl++ is open source, get it at https://github.com/AFLplusplus/AFLplusplus
[+] NOTE: This is v3.x which changes defaults and behaviours - see README.md
[+] No -M/-S set, autoconfiguring for "-S default"
[*] Getting to work...
[+] Using exponential power schedule (FAST)
[+] Enabled testcache with 50 MB
[!] WARNING: LD_PRELOAD is set, are you sure that is what to you want to do instead of using AFL_PRELOAD?
[*] Checking core_pattern...
[*] Checking CPU scaling governor...
[+] You have 6 CPU cores and 1 runnable tasks (utilization: 17%).
[+] Try parallel jobs - see docs/parallel_fuzzing.md.
[*] Setting up output directories...
[+] Output directory exists but deemed OK to reuse.
[*] Deleting old session data...
[+] Output dir cleanup successful.
[!] WARNING: Not binding to a CPU core (AFL_NO_AFFINITY set).
[*] Scanning 'in'...
[+] Loaded a total of 1 seeds.
[*] Creating hard links for all input files...
[*] Validating target binary...
[*] Spinning up the fork server...
[+] All right - fork server is up.
[*] No auto-generated dictionary tokens to reuse.
[*] Attempting dry run with 'id:000000,time:0,orig:test'...
[-] Oops, the program crashed with one of the test cases provided. There are
several possible explanations:
- The test case causes known crashes under normal working conditions. If
so, please remove it. The fuzzer should be seeded with interesting
inputs - but not ones that cause an outright crash.
- In QEMU persistent mode the selected address(es) for the loop are not
properly cleaning up variables and memory. Try adding
AFL_QEMU_PERSISTENT_GPR=1 or select better addresses in the binary.
- Least likely, there is a horrible bug in the fuzzer. If other options
fail, poke <afl-users@googlegroups.com> for troubleshooting tips.
[!] WARNING: Test case 'id:000000,time:0,orig:test' results in a crash, skipping
[+] All test cases processed.
[-] PROGRAM ABORT : We need at least one valid input seed that does not crash!
Location : main(), src/afl-fuzz.c:1808
Logs:
05-09 18:24:27.933 9678 9678 I fpicker : __ _ _
05-09 18:24:27.933 9678 9678 I fpicker : / _| (_) | |
05-09 18:24:27.933 9678 9678 I fpicker : | |_ _ __ _ ___| | _____ _ __
05-09 18:24:27.933 9678 9678 I fpicker : | _| '_ \| |/ __| |/ / _ \ '__|
05-09 18:24:27.933 9678 9678 I fpicker : | | | |_) | | (__| < __/ |
05-09 18:24:27.933 9678 9678 I fpicker : |_| | .__/|_|\___|_|\_\___|_|
05-09 18:24:27.933 9678 9678 I fpicker : | |
05-09 18:24:27.933 9678 9678 I fpicker : |_| Frida-Based Fuzzing Suite
05-09 18:24:27.933 9678 9678 I fpicker : - - - - - - - - - - - - - - - - - - - - - - -
05-09 18:24:27.933 9678 9678 I fpicker :
05-09 18:24:27.933 9678 9678 I fpicker : Running fpicker using the following configuration:
05-09 18:24:27.933 9678 9678 I fpicker : - fuzzer-mode: FUZZER_MODE_AFL
05-09 18:24:27.933 9678 9678 I fpicker : - coverage_mode: COVERAGE_MODE_STALKER_SUMMARY
05-09 18:24:27.933 9678 9678 I fpicker : - standalone_mutator: STANDALONE_MUTATOR_NULL
05-09 18:24:27.933 9678 9678 I fpicker : - communication_mode: COMMUNICATION_MODE_SEND
05-09 18:24:27.933 9678 9678 I fpicker : - input_mode: INPUT_MODE_IN_PROCESS
05-09 18:24:27.933 9678 9678 I fpicker : - exec_mode: EXEC_MODE_ATTACH
05-09 18:24:27.933 9678 9678 I fpicker : - device_type: DEVICE_LOCAL
05-09 18:24:27.933 9678 9678 I fpicker : - process_name: test
05-09 18:24:27.933 9678 9678 I fpicker : - command: (null)
05-09 18:24:27.933 9678 9678 I fpicker : - fuzzer_timeout: 1000000
05-09 18:24:27.933 9678 9678 I fpicker : - fuzzer_sleep: 100
05-09 18:24:27.933 9678 9678 I fpicker : - agent_script: /data/local/tmp/fpicker/fuzzer-agent.js
05-09 18:24:27.933 9678 9678 I fpicker : - corpus_dir: (null)
05-09 18:24:27.933 9678 9678 I fpicker : - out_dir: (null)
05-09 18:24:27.933 9678 9678 I fpicker : - metrics: disabled
05-09 18:24:27.933 9678 9678 I fpicker :
05-09 18:24:27.933 9678 9678 I fpicker : [*] SHM_ENV_VAR = 9
05-09 18:24:27.935 9678 9678 I fpicker : [*] Found 2 Frida devices.
05-09 18:24:27.935 9678 9678 I fpicker : [*] Found desired Frida device: Local System(0)
05-09 18:24:27.935 9678 9678 I fpicker : [*] Trying to attach to process test
05-09 18:24:27.945 9678 9678 I fpicker : [*] Found process test with PID 9627
05-09 18:24:27.962 0 0 D [2: logd.reader: 3422] logd: logdr: UID=0 GID=0 PID=9681 b tail=0 logMask=10 pid=0 start=0ns timeout=0ns
05-09 18:24:28.050 9678 9678 I fpicker : [*] Attached to process test on frida device Local System
05-09 18:24:28.056 9678 9678 I fpicker : [*] Agent script created
05-09 18:24:28.061 9678 9678 I fpicker : [*] Agent script loaded
05-09 18:24:29.062 9678 9678 I fpicker : [*] Slept a bit to give the agent script some time.
05-09 18:24:29.067 9678 9679 I fpicker : [*] MODULE=/data/local/tmp/fpicker/test, start=0x5555555000, end=0x5555558000
05-09 18:24:29.068 9678 9678 I fpicker : [*] Harness preparation done
05-09 18:24:29.069 9678 9678 I fpicker : [*] Everything ready, starting to fuzz!
05-09 18:24:29.085 9678 9678 I fpicker : [*] frida post: ["frida:rpc", 1, "call", "fuzz", ["MQo="]]
05-09 18:24:29.095 9678 9679 I fpicker : [->] error_send_message: {"type":"send","payload":["frida:rpc",1,"error","access violation accessing 0xa879","Error","Error: access violation accessing 0xa879\n at fuzz (test-fuzzer.js:38)\n at fuzzInternal (../../harness/fuzzer.js:273)\n at fuzz (../../harness/fuzzer.js:103)\n at apply (native)\n at <anonymous> (frida/runtime/message-dispatcher.js:13)\n at c (frida/runtime/message-dispatcher.js:23)",{"message":"access violation accessing 0xa879","type":"access-violation","address":"0x7d24392220","memory":{"operation":"read","address":"0xa879"},"context":{"pc":"0x7d24392220","sp":"0x7d171c63f0","x0":"0xa879","x1":"0xffffffffffffffff","x2":"0x55555557a8","x3":"0x3efffffff9","x4":"0x7d171c67b0","x5":"0x7d12333438","x6":"0xffffffffffffffff","x7":"0x7d1742b870","x8":"0x7d171c6520","x9":"0x7d24392174","x10":"0x7d171c6760","x11":"0x7d171c67a0","x12":"0xc7ade1b7e176e469","x13":"0x7","x14":"0x7d170781e0","x15":"0x80000000","x16":"0x55555557a8","x17":"0x7d1742b870","x18":"0x0","x19":"0x7d16f21000","
05-09 18:24:29.124 0 0 I [0: init: 1] init: Untracked pid 9678 received signal 15
Weird is that it works in active mode (frida server, agent/harness), but not when in AFL++ mode :/
you can set AFL_DEBUG=1 and see if there is output of the target that crashes. also you can try to generate the core file and see with gdb what makes it crash
Per Frida dev(s):
"you're most likely not keeping a memory allocation alive. E.g. the JS value returned by Memory.alloc() must stay alive for as long as the memory area is needed."
Looking at the fuzzer code: https://github.com/ttdennis/fpicker/blob/20fce17eed18c97b52567a2f8484c1cc1fa5a05e/harness/fuzzer.js I see few Memory.alloc()s
cc @ttdennis Do you think it could be the issue here?
I think this line is causing the violation:
Without it, it goes further but the target segfaults and AFL++ shows no instrumentation????
[*] Spinning up the fork server...
[+] All right - fork server is up.
[*] No auto-generated dictionary tokens to reuse.
[*] Attempting dry run with 'id:000000,time:0,orig:test'...
[-] PROGRAM ABORT : No instrumentation detected
Location : perform_dry_run(), src/afl-fuzz-init.c:1094
Issue is with Shared memory I think:
It finds the shmat function (using preloaded lib)
05-10 09:30:23.724 15654 15655 I fpicker : [JS]: shmat_addr: 0x7fb6ae076c
But then shm add is 0xffffffffffffffff, which I think is wrong
05-10 09:30:24.727 15654 15655 I fpicker : [JS]: shm add: 0xffffffffffffffff
05-10 09:30:24.727 15654 15655 I fpicker : [JS]: [*] afl_area_ptr: 0xffffffffffffffff
Any ideas how to replace shared memory or make it work on android using ashmem?
I think it should be a different pointer than 0xffffffffffffffff, right?
Did some changes
Now it errors here:
05-10 13:13:43.673 20770 20770 I fpicker : - metrics: disabled
05-10 13:13:43.673 20770 20770 I fpicker :
05-10 13:13:43.673 20770 20770 I shmem : int shmget(key_t, size_t, int): bound UNIX socket /dev/shm/00005122 in pid=20770
05-10 13:13:43.673 20770 20770 I fpicker : [*] Created AFLmap = 1361182721
05-10 13:13:43.674 20770 20770 I fpicker : [*] SHM_ENV_VAR = 1361182721
05-10 13:13:43.676 20770 20770 I fpicker : [*] Found 2 Frida devices.
05-10 13:13:43.676 20770 20770 I fpicker : [*] Found desired Frida device: Local System(0)
05-10 13:13:43.676 20770 20770 I fpicker : [*] Trying to attach to process test
05-10 13:13:43.685 20770 20770 I fpicker : [*] Found process test with PID 20767
05-10 13:13:43.702 0 0 D [2: logd.reader: 3422] logd: logdr: UID=0 GID=0 PID=20774 b tail=0 logMask=10 pid=0 start=0ns timeout=0ns
05-10 13:13:43.802 20770 20770 I fpicker : [*] Attached to process test on frida device Local System
05-10 13:13:43.845 20770 20770 I fpicker : [*] Agent script created
05-10 13:13:43.851 20770 20772 I fpicker : [JS]: payload 0x7d25752a00
05-10 13:13:43.851 20770 20772 I fpicker : [JS]: shmat_addr0x7d1fefbce0
05-10 13:13:43.851 20770 20772 I fpicker : [JS]: [*] Fuzzer constructor end.
05-10 13:13:43.852 20770 20770 I fpicker : [*] Agent script loaded
05-10 13:13:44.852 20770 20770 I fpicker : [*] Slept a bit to give the agent script some time.
05-10 13:13:44.852 20770 20770 I fpicker : [*] SEND: ["frida:rpc", 0, "call", "prepare", ["SEND", "AFL", "IN_PROCESS", "", "(null)", "1"]]
Cannot start the server
[+] Loaded a total of 1 seeds.
[*] Creating hard links for all input files...
[*] Validating target binary...
[*] Spinning up the fork server...
[-] PROGRAM ABORT : Timeout while initializing fork server (setting AFL_FORKSRV_INIT_TMOUT may help)
Location : afl_fsrv_start(), src/afl-forkserver.c:826
Above creates the shared memory in fpicker using shmget() and puts the ID in env var SHM_ENV_VAR.
Should this work?
Can somebody actually explain how the shared mem is used in AFL++ and with fpicker? cc @vanhauser-thc @ttdennis
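To make the fuzzer/target handoff through the coverage map concrete, here is an added example (not fpicker or AFL++ code; the per-byte edge hashing is a hypothetical stand-in for real instrumentation): afl-fuzz creates the segment, publishes its id in the __AFL_SHM_ID environment variable, and the target attaches it and bumps map bytes. On Linux this is SysV shmget/shmat; a shmat that returns (void *)-1, the 0xffffffffffffffff seen in the logs above, means this attach step failed, and an all-zero map after the run is what afl-fuzz reports as "No instrumentation detected".

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <sys/types.h>
#include <sys/wait.h>

#define MAP_SIZE 65536                 /* default AFL++ coverage map size */
#define SHM_ENV_VAR "__AFL_SHM_ID"     /* env var afl-fuzz uses to publish the map id */

/* Target side (what instrumentation, or fpicker's agent, does on startup):
 * read the id from the environment and attach the segment. A failed shmat()
 * returns (void *)-1, which prints as 0xffffffffffffffff on 64-bit. */
static unsigned char *target_attach_map(void) {
    const char *id_str = getenv(SHM_ENV_VAR);
    if (id_str == NULL) return NULL;
    void *p = shmat(atoi(id_str), NULL, 0);
    return p == (void *)-1 ? NULL : (unsigned char *)p;
}

/* Hypothetical stand-in for edge instrumentation: derive an edge id per input
 * byte and bump the map slot AFL-style (prev_loc ^ cur_loc). */
static void target_record_edges(unsigned char *map, const unsigned char *in, size_t len) {
    unsigned prev = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned cur = ((unsigned)in[i] * 2654435761u) & (MAP_SIZE - 1);
        map[cur ^ prev]++;
        prev = cur >> 1;
    }
}

/* Fuzzer side: number of nonzero map bytes after a run. Zero is exactly the
 * condition afl-fuzz reports as "No instrumentation detected". */
int count_map_hits(const unsigned char *map) {
    int hits = 0;
    for (size_t i = 0; i < MAP_SIZE; i++) if (map[i]) hits++;
    return hits;
}

/* One fuzzer/target round trip. Returns the hit count, or -1 on setup failure.
 * With publish_id == 0 the target never learns the id, mirroring a broken handoff. */
int run_handoff(const unsigned char *in, size_t len, int publish_id) {
    int shm_id = shmget(IPC_PRIVATE, MAP_SIZE, IPC_CREAT | 0600);
    if (shm_id < 0) return -1;
    unsigned char *fuzzer_map = shmat(shm_id, NULL, 0);
    if (fuzzer_map == (void *)-1) { shmctl(shm_id, IPC_RMID, NULL); return -1; }
    memset(fuzzer_map, 0, MAP_SIZE);

    char id_buf[32];
    snprintf(id_buf, sizeof id_buf, "%d", shm_id);
    if (publish_id) setenv(SHM_ENV_VAR, id_buf, 1); else unsetenv(SHM_ENV_VAR);

    pid_t pid = fork();
    if (pid == 0) {                       /* target process */
        unsigned char *map = target_attach_map();
        if (map) { target_record_edges(map, in, len); shmdt(map); }
        _exit(0);
    }
    if (pid < 0) { shmdt(fuzzer_map); shmctl(shm_id, IPC_RMID, NULL); return -1; }
    waitpid(pid, NULL, 0);

    int hits = count_map_hits(fuzzer_map);
    shmdt(fuzzer_map);
    shmctl(shm_id, IPC_RMID, NULL);       /* the segment dies with this round */
    return hits;
}

int main(void) {
    const unsigned char seed[] = "1\n";   /* constructed: the "MQo=" seed seen in the logs */
    printf("id published:     %d hit bytes\n", run_handoff(seed, 2, 1));
    printf("id not published: %d hit bytes\n", run_handoff(seed, 2, 0));
    return 0;
}
```

On Android, bionic has no SysV shm, so the shmat step is what a preloaded shmem library or an ashmem-based replacement has to provide.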
Actually getting closer ...
05-10 15:46:36.655 23472 23472 I fpicker : - out_dir: (null)
05-10 15:46:36.655 23472 23472 I fpicker : - metrics: disabled
05-10 15:46:36.655 23472 23472 I fpicker :
05-10 15:46:36.655 23472 23472 I shmem : int shmget(key_t, size_t, int): bound UNIX socket /data/local/tmp/mysocket in pid=23472
05-10 15:46:36.656 23472 23472 I fpicker : [*] Created AFLmap = 1538260994
05-10 15:46:36.656 23472 23472 I fpicker : [*] SHM_ENV_VAR = 1538260994
05-10 15:46:37.848 23467 23484 I shmem : shmid: 1538260994
05-10 15:46:37.848 23467 23484 I shmem : shmid 1538260994
05-10 15:46:37.848 23467 23484 I shmem : failed to connect
05-10 15:46:37.848 23467 23484 I shmem : int ashv_read_remote_segment(int): send() failed on socket /data/local/tmp/mysocket: Transport endpoint is not connected
05-10 15:46:37.848 23467 23484 I shmem : void *shmat(int, const void *, int): shmid 5bb00002 does not exist
I hope this would work, but have some issues with Unix Socket connection
@marcinguy I can't really help you there, I don't do anything on Android ...
@vanhauser-thc thanks for your help so far :)
OK, got it to work (the shared memory part), but still there is access violation
05-10 16:22:15.616 24566 24566 I fpicker : __ _ _
05-10 16:22:15.616 24566 24566 I fpicker : / _| (_) | |
05-10 16:22:15.616 24566 24566 I fpicker : | |_ _ __ _ ___| | _____ _ __
05-10 16:22:15.616 24566 24566 I fpicker : | _| '_ \| |/ __| |/ / _ \ '__|
05-10 16:22:15.616 24566 24566 I fpicker : | | | |_) | | (__| < __/ |
05-10 16:22:15.616 24566 24566 I fpicker : |_| | .__/|_|\___|_|\_\___|_|
05-10 16:22:15.616 24566 24566 I fpicker : | |
05-10 16:22:15.616 24566 24566 I fpicker : |_| Frida-Based Fuzzing Suite
05-10 16:22:15.616 24566 24566 I fpicker : - - - - - - - - - - - - - - - - - - - - - - -
05-10 16:22:15.616 24566 24566 I fpicker :
05-10 16:22:15.616 24566 24566 I fpicker : Running fpicker using the following configuration:
05-10 16:22:15.616 24566 24566 I fpicker : - fuzzer-mode: FUZZER_MODE_AFL
05-10 16:22:15.616 24566 24566 I fpicker : - coverage_mode: COVERAGE_MODE_STALKER_SUMMARY
05-10 16:22:15.616 24566 24566 I fpicker : - standalone_mutator: STANDALONE_MUTATOR_NULL
05-10 16:22:15.616 24566 24566 I fpicker : - communication_mode: COMMUNICATION_MODE_SEND
05-10 16:22:15.616 24566 24566 I fpicker : - input_mode: INPUT_MODE_IN_PROCESS
05-10 16:22:15.616 24566 24566 I fpicker : - exec_mode: EXEC_MODE_ATTACH
05-10 16:22:15.616 24566 24566 I fpicker : - device_type: DEVICE_LOCAL
05-10 16:22:15.616 24566 24566 I fpicker : - process_name: test
05-10 16:22:15.616 24566 24566 I fpicker : - command: (null)
05-10 16:22:15.616 24566 24566 I fpicker : - fuzzer_timeout: 500
05-10 16:22:15.616 24566 24566 I fpicker : - fuzzer_sleep: 100
05-10 16:22:15.616 24566 24566 I fpicker : - agent_script: /data/local/tmp/fpicker/fuzzer-agent.js
05-10 16:22:15.616 24566 24566 I fpicker : - corpus_dir: (null)
05-10 16:22:15.616 24566 24566 I fpicker : - out_dir: (null)
05-10 16:22:15.616 24566 24566 I fpicker : - metrics: disabled
05-10 16:22:15.616 24566 24566 I fpicker :
05-10 16:22:15.616 24566 24566 I shmem : int shmget(key_t, size_t, int): bound UNIX socket /data/local/tmp/mysocket in pid=24566
05-10 16:22:15.616 24566 24566 I fpicker : [*] Created AFLmap = 1609957377
05-10 16:22:15.617 24566 24566 I fpicker : [*] SHM_ENV_VAR = 1609957377
05-10 16:22:15.619 24566 24566 I fpicker : [*] Found 2 Frida devices.
05-10 16:22:15.619 24566 24566 I fpicker : [*] Found desired Frida device: Local System(0)
05-10 16:22:15.619 24566 24566 I fpicker : [*] Trying to attach to process test
05-10 16:22:15.631 24566 24566 I fpicker : [*] Found process test with PID 24240
05-10 16:22:15.647 0 0 D [1: logd.reader: 3422] logd: logdr: UID=0 GID=0 PID=24570 b tail=0 logMask=10 pid=0 start=0ns timeout=0ns
05-10 16:22:15.791 24566 24566 I fpicker : [*] Attached to process test on frida device Local System
05-10 16:22:15.816 24566 24566 I fpicker : [*] Agent script created
05-10 16:22:15.822 24566 24568 I fpicker : [JS]: payload 0x7d0511d530
05-10 16:22:15.822 24566 24568 I fpicker : [JS]: shmat func addr 0x7d1fee8d64
05-10 16:22:15.822 24566 24568 I fpicker : [JS]: [*] Fuzzer constructor end.
05-10 16:22:15.822 24566 24566 I fpicker : [*] Agent script loaded
05-10 16:22:16.823 24566 24566 I fpicker : [*] Slept a bit to give the agent script some time.
05-10 16:22:16.823 24566 24566 I fpicker : [*] SHM_ENV_VAR = 1609957377
05-10 16:22:16.823 24566 24566 I fpicker : [*] SEND: ["frida:rpc", 0, "call", "prepare", ["SEND", "AFL", "IN_PROCESS", "1609957377", "(null)", "1"]]
05-10 16:22:16.826 24240 24578 I shmem : void *shmat(int, const void *, int): mapped addr 0x7d050b4000 for FD 21 ID 7
05-10 16:22:16.828 24566 24568 I fpicker : [JS]: id 1609957377
05-10 16:22:16.828 24566 24568 I fpicker : [JS]: shm add 0x7d050b4000
05-10 16:22:16.829 24566 24568 I fpicker : [JS]: [*] afl_area_ptr: 0x7d050b4000
05-10 16:22:16.830 24566 24568 I fpicker : [JS]: [*] commap: no commap because SEND mode is used.
05-10 16:22:16.830 24566 24568 I fpicker : [JS]: [*] commap_id: (null)
05-10 16:22:16.831 24566 24568 I fpicker : [JS]: [*] base: 0x5555555000
05-10 16:22:16.831 24566 24568 I fpicker : [JS]: [*] iteration_sem: undefined
05-10 16:22:16.831 24566 24568 I fpicker : [JS]: [*] exec_sem: undefined
05-10 16:22:16.832 24566 24568 I fpicker : [JS]: modbase0x5555555000
05-10 16:22:16.833 24566 24568 I fpicker : [JS]: this.afl_area_ptr0x7d050b4000
05-10 16:22:16.833 24566 24568 I fpicker : [JS]: [*] Not excluding test from stalker
05-10 16:22:16.834 24566 24568 I fpicker : [JS]: [*] Setting up interceptor
05-10 16:22:16.835 24566 24568 I fpicker : [JS]: {"type":"send","payload":{"type":"_fpicker_ready","data":[{"name":"test","base":"0x5555555000","size":12288,"path":"/data/local/tmp/fpicker/test","id":0,"end":"0x5555558000"},{"name":"linker64","base":"0x7fb7f07000","size":200704,"path":"/system/bin/linker64","id":1,"end":"0x7fb7f38000"},{"name":"libdl.so","base":"0x7fb6b9d000","size":20480,"path":"/apex/com.android.runtime/lib64/bionic/libdl.so","id":2,"end":"0x7fb6ba2000"},{"name":"libc.so","base":"0x7fb6a89000","size":913408,"path":"/apex/com.android.runtime/lib64/bionic/libc.so","id":3,"end":"0x7fb6b68000"},{"name":"libnetd_client.so","base":"0x7da6918000","size":36864,"path":"/system/lib64/libnetd_client.so","id":4,"end":"0x7da6921000"},{"name":"libc++.so","base":"0x7da694d000","size":716800,"path":"/system/lib64/libc++.so","id":5,"end":"0x7da69fc000"},{"name":"libm.so","base":"0x7da6a04000","size":225280,"path":"/apex/com.android.runtime/lib64/bionic/libm.so","id":6,"end":"0x7da6a3b000"},{"name":"frida-agent-64.so","base":"0x7d243dd000","size":20
05-10 16:22:16.835 24566 24568 I fpicker : [*] MODULE=/data/local/tmp/fpicker/test, start=0x5555555000, end=0x5555558000
05-10 16:22:16.836 24566 24568 I fpicker : [JS]: {"type":"send","payload":["frida:rpc",0,"ok",null]}
05-10 16:22:16.838 24566 24566 I fpicker : [*] Harness preparation done
05-10 16:22:16.838 24566 24566 I fpicker : [*] Everything ready, starting to fuzz!
05-10 16:22:16.855 24566 24566 I fpicker : [*] frida post: ["frida:rpc", 1, "call", "fuzz", ["MQo="]]
05-10 16:22:16.865 24566 24568 I fpicker : [JS]: 0x7d0511d530 2
05-10 16:22:16.865 24566 24568 I fpicker : [JS]: [*] Interceptor ENTER (1620656536864)
05-10 16:22:16.866 24566 24568 I fpicker : [JS]: user_data2 0x7d050c7a00
05-10 16:22:16.873 24566 24568 I fpicker : [JS]: {"type":"send","payload":["frida:rpc",1,"error","access violation accessing 0x7d050be87a","Error","Error: access violation accessing 0x7d050be87a\n at fuzz (test-fuzzer.js:38)\n at fuzzInternal (../../harness/fuzzer.js:285)\n at fuzz (../../harness/fuzzer.js:107)\n at apply (native)\n at <anonymous> (frida/runtime/message-dispatcher.js:13)\n at c (frida/runtime/message-dispatcher.js:23)",{"message":"access violation accessing 0x7d050be87a","type":"access-violation","address":"0x7d1109124c","memory":{"operation":"write","address":"0x7d050be87a"},"context":{"pc":"0x7d1109124c","sp":"0x7d052463f0","x0":"0x7d050be87a","x1":"0x1","x2":"0x0","x3":"0x7d050cce40","x4":"0x7d050cce56","x5":"0x7ea6a709e0","x6":"0x6174616472657375","x7":"0x3530643778302032","x8":"0x7d055a6384","x9":"0x7d0511c6a0","x10":"0x10","x11":"0x1","x12":"0x6437783020326174","x13":"0x3030613763303530","x14":"0x2c","x15":"0x16","x16":"0x7fb6b9f170","x17":"0x7fb7f38434","x18":"0x0","x19":"0x7d05086000","x20":"0x7d05246520","x
05-10 16:22:16.873 24566 24568 I fpicker : [->] error_send_message: {"type":"send","payload":["frida:rpc",1,"error","access violation accessing 0x7d050be87a","Error","Error: access violation accessing 0x7d050be87a\n at fuzz (test-fuzzer.js:38)\n at fuzzInternal (../../harness/fuzzer.js:285)\n at fuzz (../../harness/fuzzer.js:107)\n at apply (native)\n at <anonymous> (frida/runtime/message-dispatcher.js:13)\n at c (frida/runtime/message-dispatcher.js:23)",{"message":"access violation accessing 0x7d050be87a","type":"access-violation","address":"0x7d1109124c","memory":{"operation":"write","address":"0x7d050be87a"},"context":{"pc":"0x7d1109124c","sp":"0x7d052463f0","x0":"0x7d050be87a","x1":"0x1","x2":"0x0","x3":"0x7d050cce40","x4":"0x7d050cce56","x5":"0x7ea6a709e0","x6":"0x6174616472657375","x7":"0x3530643778302032","x8":"0x7d055a6384","x9":"0x7d0511c6a0","x10":"0x10","x11":"0x1","x12":"0x6437783020326174","x13":"0x3030613763303530","x14":"0x2c","x15":"0x16","x16":"0x7fb6b9f170","x17":"0x7fb7f38434","x18":"0x0","x19":"0x7d05086000","x20
@ttdennis Any ideas :)? No worries, if not ... :)
Are you aware of how ashmem on Android works? Every process only has locally shared maps, there is no such thing as global shared maps. That means, if you create shared maps, then fork (as you would usually do in afl++), you should be fine. If you try to do it from another process, though, it will not work. If you're running under root, you can probably grab the open file descriptor from the other process somehow. Else, you'll have to share the open file descriptor of the shared map with the new process, see for example the ashmem server in LibAFL: https://github.com/AFLplusplus/LibAFL/blob/main/libafl/src/bolts/os/ashmem_server.rs
Thank you @domenukk
Very insightful.
I think I made it to work!!!!
Looks good to me.
Great stuff all cc @ttdennis @vanhauser-thc @domenukk
Sounds great! Is the screenshot from running against the test binary? Because then I think the output looks fine.
How did you solve the shared mem issue in the end?
@marcinguy Can you please share the full solution (or a PR)? I am interested in running this on Android as well.
Tested again fpicker AFL mode on Android 12 in the emulator in Docker and it works. I am not aware of other setups other than AFL++ + QEMU by @Gr33nh4t (to also have access to processes/services on device). Am I wrong here?
In the past used it to re-find Stagefright bug CVE-2020-0411 within hours (several months after being 0 day)
I plan a private or public release. Stay tuned.
@ttdennis
Here are my notes: https://github.com/marcinguy/fpicker-aflpp-android/
If you want I can put it somewhere in your project.
Thanks,
Awesome :) Sure, feel free to send a PR!
Hi!
Read the doc, but could not figure it out.
Have a binary with a function (that takes buffer and length) on Android device.
Can I fuzz it with fpicker?
Wanted to use afl++ mode on it.
I saw fuzzing on network device, but how to fuzz on an Android mobile?
Or I should somehow install ssh on the mobile?
Maybe I am missing something.
Thanks,