ttdennis / fpicker

fpicker is a Frida-based fuzzing suite supporting various modes (including AFL++ in-process fuzzing)
MIT License

Standalone mode works but AFL++ does not #7

Closed marcinguy closed 3 years ago

marcinguy commented 3 years ago

Using the same harness and process in Standalone mode works, but AFL++ mode does not.

Am I doing something wrong? How can I debug it? Fix it?

[+] Loaded environment variable AFL_DEBUG with value 1
[+] Loaded environment variable AFL_DEBUG with value 1
afl-fuzz++3.13a based on afl by Michal Zalewski and a large online community
[+] afl++ is maintained by Marc "van Hauser" Heuse, Heiko "hexcoder" Eißfeldt, Andrea Fioraldi and Dominik Maier
[+] afl++ is open source, get it at https://github.com/AFLplusplus/AFLplusplus
[+] NOTE: This is v3.x which changes defaults and behaviours - see README.md
[+] No -M/-S set, autoconfiguring for "-S default"
[*] Getting to work...
[+] Using exponential power schedule (FAST)
[+] Enabled testcache with 50 MB
[*] Checking core_pattern...
[*] Checking CPU scaling governor...
[+] You have 4 CPU cores and 11 runnable tasks (utilization: 275%).
[!] WARNING: System under apparent load, performance may be spotty.
[*] Setting up output directories...
[+] Output directory exists but deemed OK to reuse.
[*] Deleting old session data...
[+] Output dir cleanup successful.
[*] Checking CPU core loadout...
[+] Found a free CPU core, try binding to #0.
[*] Scanning 'examples/test-network/in'...
[+] Loaded a total of 2 seeds.
[*] Creating hard links for all input files...
[*] Validating target binary...
[*] Spinning up the fork server...

[-] Hmm, looks like the target binary terminated before we could complete a
handshake with the injected code. You can try the following:

    - The target binary crashes because necessary runtime conditions it needs
      are not met. Try to:
      1. Run again with AFL_DEBUG=1 set and check the output of the target
         binary for clues.
      2. Run again with AFL_DEBUG=1 and 'ulimit -c unlimited' and analyze the
         generated core dump.

    - Possibly the target requires a huge coverage map and has CTORS.
      Retry with setting AFL_MAP_SIZE=10000000.

Otherwise there is a horrible bug in the fuzzer.
Poke <afl-users@googlegroups.com> for troubleshooting tips.

[-] PROGRAM ABORT : Fork server handshake failed
         Location : afl_fsrv_start(), src/afl-forkserver.c:1029

Here it is in standalone mode:

       __       _      _                     
      / _|     (_)    | |                    
     | |_ _ __  _  ___| | _____ _ __         
     |  _| '_ \| |/ __| |/ / _ \ '__|      
     | | | |_) | | (__|   <  __/ |           
     |_| | .__/|_|\___|_|\_\___|_|        
         | |                                 
         |_|        Frida-Based Fuzzing Suite
- - - - - - - - - - - - - - - - - - - - - - -

Running fpicker using the following configuration:
- fuzzer-mode:          FUZZER_MODE_STANDALONE_ACTIVE
- coverage_mode:        COVERAGE_MODE_STALKER_SUMMARY
- standalone_mutator:   STANDALONE_MUTATOR_NULL
- communication_mode:   COMMUNICATION_MODE_SEND
- input_mode:           INPUT_MODE_IN_PROCESS
- exec_mode:            EXEC_MODE_ATTACH
- device_type:          DEVICE_REMOTE
- process_name:         stagefright
- command:              (null)
- fuzzer_timeout:       500
- fuzzer_sleep:         100
- verbose:              false
- agent_script:         fuzzer-agent.js
- corpus_dir:           examples/test/in/
- out_dir:              examples/test/out/
- metrics:              enabled

[*] Found 3 Frida devices.
[*] Found desired Frida device: Local Socket(1)
[*] Trying to attach to process stagefright
[*] Found process stagefright with PID 26487
[*] Attached to process stagefright on frida device Local Socket
[*] Agent script created
[*] Agent script loaded
[*] Slept a bit to give the agent script some time.
[*] MODULE=/data/local/tmp/stagefright, start=0x5b822941a000, end=0x5b822942f000
[*] Harness preparation done
[*] Fuzzer is ready.
[*] Getting corpus coverage (0)
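The "Fork server handshake failed" abort in the AFL++ log above is the fuzzer giving up on a fixed exchange with the target process. The following is an added example, not code from fpicker or AFL++: a minimal model of that exchange in C, with the descriptor numbers (FORKSRV_FD 198 and 199, as defined in AFL's config.h) made parameters so both sides can be run over ordinary pipe() pairs in a single process. The child pid 4242, the SIGSEGV status and the zero hello word are constructed values for the demonstration; a real target encodes AFL++ option bits in the hello and gets pid and status from fork() and waitpid().

```c
// Added example, not fpicker's or AFL++'s own code: a minimal model of the
// AFL++ fork server handshake that the "Fork server handshake failed" abort
// in the log above refers to. afl-fuzz starts the target with two pipes on
// fixed descriptors: control messages go to FORKSRV_FD (198) and the target
// must answer with a 4-byte hello on FORKSRV_FD + 1 (199) before afl-fuzz's
// start-up timeout. When the target exits first, afl-fuzz reads EOF instead
// of those 4 bytes and prints the "terminated before we could complete a
// handshake" message. The descriptor numbers are parameters here so the
// exchange can be exercised over ordinary pipe() pairs in one process.
#include <errno.h>
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>

#define FORKSRV_FD        198               /* afl-fuzz -> target: "run one input" */
#define FORKSRV_STATUS_FD (FORKSRV_FD + 1)  /* target -> afl-fuzz: hello, pid, status */

/* Read exactly len bytes; 0 means the peer closed the pipe (or an error). */
static int read_full(int fd, void *buf, size_t len) {
    uint8_t *p = buf;
    while (len > 0) {
        ssize_t n = read(fd, p, len);
        if (n < 0 && errno == EINTR) continue;
        if (n <= 0) return 0;
        p += n;
        len -= (size_t)n;
    }
    return 1;
}

/* Write exactly len bytes; 0 means the peer is gone (or an error). */
static int write_full(int fd, const void *buf, size_t len) {
    const uint8_t *p = buf;
    while (len > 0) {
        ssize_t n = write(fd, p, len);
        if (n < 0 && errno == EINTR) continue;
        if (n <= 0) return 0;
        p += n;
        len -= (size_t)n;
    }
    return 1;
}

/* Target side, once at start-up: the 4-byte hello. AFL++ 3.x targets may set
   option bits in this word (map size, shared-memory input, ...); a zero word
   is a target that announces no options and is still accepted as alive. */
int target_send_hello(int status_fd, uint32_t hello) {
    return write_full(status_fd, &hello, sizeof hello);
}

/* Fuzzer side: returns 1 when the 4 hello bytes arrive, 0 when the target's
   end of the pipe closes first, which is the failure the issue log shows. */
int fuzzer_wait_hello(int status_fd, uint32_t *hello_out) {
    return read_full(status_fd, hello_out, sizeof *hello_out);
}

/* Target side, one iteration: block until afl-fuzz sends a 4-byte "go",
   report the pid of the child that runs the input, then its wait status.
   A real fork server calls fork() and waitpid() between the two writes;
   this model takes both values as parameters (constructed, not measured). */
int target_serve_one(int ctl_fd, int status_fd, int32_t child_pid, int32_t wait_status) {
    uint32_t go;
    if (!read_full(ctl_fd, &go, sizeof go)) return 0;
    if (!write_full(status_fd, &child_pid, sizeof child_pid)) return 0;
    return write_full(status_fd, &wait_status, sizeof wait_status);
}

/* What afl-fuzz sees when the target dies before saying hello: the write end
   of the status pipe closes with no bytes on it. Returns 0 (handshake failed). */
int simulate_dead_target(void) {
    int st[2];
    uint32_t hello = 0;
    if (pipe(st) != 0) return -1;
    close(st[1]);                      /* target exited, nothing written */
    int ok = fuzzer_wait_hello(st[0], &hello);
    close(st[0]);
    return ok;
}

/* The healthy exchange: hello, then one run whose child was killed by SIGSEGV
   (a raw wait status of SIGSEGV is what waitpid reports for that without a
   core-dump flag). Returns the status afl-fuzz would inspect, or -1 if any
   step failed. Both roles run in this one thread; the pipe buffers hold the
   few bytes exchanged. */
int simulate_live_target(void) {
    int ctl[2], st[2];
    uint32_t hello = 0xFFFFFFFFu, go = 0;
    int32_t pid = 0, status = -1;
    int ok;

    if (pipe(ctl) != 0) return -1;
    if (pipe(st) != 0) { close(ctl[0]); close(ctl[1]); return -1; }

    ok = target_send_hello(st[1], 0)                         /* target: hello      */
      && fuzzer_wait_hello(st[0], &hello) && hello == 0      /* fuzzer: alive      */
      && write_full(ctl[1], &go, sizeof go)                  /* fuzzer: run one    */
      && target_serve_one(ctl[0], st[1], 4242, SIGSEGV)      /* target: pid, crash */
      && read_full(st[0], &pid, sizeof pid) && pid == 4242   /* fuzzer: child pid  */
      && read_full(st[0], &status, sizeof status);           /* fuzzer: status     */

    close(ctl[0]); close(ctl[1]); close(st[0]); close(st[1]);
    return ok ? status : -1;
}
```

The point for this issue: everything afl-fuzz does before the abort happens on the fuzzer side of that first read. Whatever the target (here, fpicker running as the AFL++ target) does before it writes the hello, including failing to reach a remote Frida device, shows up only as EOF on fd 199, which is why the abort message can only suggest AFL_DEBUG=1 and a core dump rather than name the cause.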
ttdennis commented 3 years ago

Hmm, maybe something is wrong with the harness/Frida agent script. It could be buggy on Android. In AFL mode fpicker logs to syslog; maybe you can find something there or post the log here. For more output you should also run it in verbose mode (-v).

marcinguy commented 3 years ago

Thanks. Well, I was trying to run AFL++ mode remotely, but this is not supported, as you described. That explains it.