vanhauser-thc / afl-pin

run AFL with pintool
GNU Affero General Public License v3.0

Fork server handshake failed #4

Open eybee opened 5 years ago

eybee commented 5 years ago

I want to fuzz a 32bit binary with your tool. So I compiled it with -DTARGET_IA32 flag. When I try to run it with any target binary I'm getting this error:

$ ../afl-pin/afl-fuzz-pin.sh -i indir/ -o odir/ -forkserver -- ./a.out @@
sysctl: permission denied on key 'kernel.core_pattern'
sysctl: permission denied on key 'kernel.randomize_va_space'
tee: '/sys/devices/system/cpu/cpu*/cpufreq/scaling_governor': No such file or directory
Running: afl-fuzz -m 700 -i indir/ -o odir/ -- /home/ros/pin-3.6-97554-g31f0a167d-gcc-linux//pin -t /usr/local/lib/pintool/afl-pin.so -forkserver -- ./a.out @@
afl-fuzz 2.52b by <lcamtuf@google.com>
[+] You have 4 CPU cores and 1 runnable tasks (utilization: 25%).
[+] Try parallel jobs - see /usr/local/share/doc/afl/parallel_fuzzing.txt.
[*] Checking CPU core loadout...
[+] Found a free CPU core, binding to #0.
[*] Checking core_pattern...
[*] Setting up output directories...
[+] Output directory exists but deemed OK to reuse.
[*] Deleting old session data...
[+] Output dir cleanup successful.
[*] Scanning 'indir/'...
[+] No auto-generated dictionary tokens to reuse.
[*] Creating hard links for all input files...
[*] Validating target binary...
[*] Attempting dry run with 'id:000000,orig:crash_test.c'...
[*] Spinning up the fork server...

[-] Hmm, looks like the target binary terminated before we could complete a
    handshake with the injected code. There are two probable explanations:

    - The current memory limit (700 MB) is too restrictive, causing an OOM
      fault in the dynamic linker. This can be fixed with the -m option. A
      simple way to confirm the diagnosis may be:

      ( ulimit -Sv $[699 << 10]; /path/to/fuzzed_app )

      Tip: you can use http://jwilk.net/software/recidivm to quickly
      estimate the required amount of virtual memory for the binary.

    - Less likely, there is a horrible bug in the fuzzer. If other options
      fail, poke <lcamtuf@coredump.cx> for troubleshooting tips.

[-] PROGRAM ABORT : Fork server handshake failed
         Location : init_forkserver(), afl-fuzz.c:2253

I'm unsure about the few error messages at the beginning. Are they relevant?

When running

$ /home/ros/pin-3.6-97554-g31f0a167d-gcc-linux//pin -t /usr/local/lib/pintool/afl-pin.so -forkserver -- ./a.out @@

I'm getting this error:

Error: AFL environment variable __AFL_SHM_ID not set

Thanks

vanhauser-thc commented 5 years ago

what happens when you run "./a.out " ? (of course replace with a valid input file for a.out)

eybee commented 5 years ago

The forkserver was still compiled as 64bit application. I recompiled it and am now getting this error:

$ ../afl-pin/afl-fuzz-pin.sh -i indir/ -o odir/ -forkserver -- ./a.out @@
sysctl: permission denied on key 'kernel.core_pattern'
sysctl: permission denied on key 'kernel.randomize_va_space'
tee: '/sys/devices/system/cpu/cpu*/cpufreq/scaling_governor': No such file or directory
Running: afl-fuzz -m 1000 -i indir/ -o odir/ -- /home/ros/pin-3.6-97554-g31f0a167d-gcc-linux//pin -t /usr/local/lib/pintool/afl-pin.so -forkserver -- ./a.out @@
afl-fuzz 2.52b by <lcamtuf@google.com>
[+] You have 4 CPU cores and 1 runnable tasks (utilization: 25%).
[+] Try parallel jobs - see /usr/local/share/doc/afl/parallel_fuzzing.txt.
[*] Checking CPU core loadout...
[+] Found a free CPU core, binding to #0.
[*] Checking core_pattern...
[*] Setting up output directories...
[+] Output directory exists but deemed OK to reuse.
[*] Deleting old session data...
[+] Output dir cleanup successful.
[*] Scanning 'indir/'...
[+] No auto-generated dictionary tokens to reuse.
[*] Creating hard links for all input files...
[*] Validating target binary...
[*] Attempting dry run with 'id:000000,orig:crash_test.c'...
[*] Spinning up the fork server...
[+] All right - fork server is up.

[-] PROGRAM ABORT : Fork server is misbehaving (OOM?)
         Location : run_target(), afl-fuzz.c:2381

Running a.out results in this output

$ ./a.out indir/testfile 
abcde

It just reads the input and prints it out.

vanhauser-thc commented 5 years ago

well this is for sure something about the 32bit. as I have not tried anything 32bit related with this project I can't help, sorry :(

out of curiosity - why are you using afl-pin? blackbox fuzzing would be so much faster with afl-dyninst or afl -Q (qemu mode)

vanhauser-thc commented 5 years ago

while doing something different - I am running into the same problem as you.

but the issue seems to be in afl-fuzz, not pin and not my pintool code.

can you please try (download and compile https://github.com/vanhauser-thc/afl-simulate first):

# afl-simulate /home/ros/pin-3.6-97554-g31f0a167d-gcc-linux//pin -t /usr/local/lib/pintool/afl-pin.so -forkserver -- ./a.out /etc/hosts

if you don't get errors then it's the afl-fuzz issue I am also running into and it has nothing to do with afl-pin or pin-3.x

eybee commented 5 years ago

In the meantime I compiled afl-pin in debug mode to get more information. Unfortunately I still can't get it to run. Running the command you provided doesn't change anything either:

afl-simulate /home/ros/pin-3.6-97554-g31f0a167d-gcc-linux//pin -t /usr/local/lib/pintool/afl-pin.so -forkserver -alternative -- ./a.out /etc/hosts
DEBUG: image load no 0 for /home/ros/crash_test/a.out from 8048000 to 804879b
DEBUG: image load no 1 for /lib/ld-linux.so.2 from f7fda000 to f7ffbfff
DEBUG: image load no 2 for [vdso] from f7fd9000 to f7fd9c2e
DEBUG: image load no 3 for /lib32/libc.so.6 from f557c000 to f572fa1b
BB: 0x8048400 and id 0x4200
BB: 0x80483c0 and id 0x60e0
BB: 0x80483c6 and id 0x6113
BB: 0x8048370 and id 0x6149
BB: 0x80485f0 and id 0x6224
BB: 0x8048430 and id 0x6364
BB: 0x80485f9 and id 0x63f0
BB: 0x8048348 and id 0x60da
BB: 0x8048430 and id 0x62ca
BB: 0x8048351 and id 0x60a4
BB: 0x8048366 and id 0x6167
BB: 0x8048611 and id 0x63d1
BB: 0x8048620 and id 0x6294
BB: 0x80484d0 and id 0x63e0
BB: 0x80484db and id 0x6359
BB: 0x8048470 and id 0x630e
BB: 0x80484a3 and id 0x634d
BB: 0x804863b and id 0x6235
BB: 0x8048645 and id 0x62ac
BB: 0x80484fb and id 0x63ec
BB: 0x80483d0 and id 0x60d6
BB: 0x80483d6 and id 0x611f
BB: 0x8048370 and id 0x614d
BB: 0x804853c and id 0x6242
BB: 0x804855e and id 0x63e0
BB: 0x80483b0 and id 0x608f
BB: 0x80483b6 and id 0x6137
BB: 0x8048370 and id 0x6155
BB: 0x804856d and id 0x626a
BB: 0x804857f and id 0x63e4
BB: 0x8048390 and id 0x6097
BB: 0x8048396 and id 0x612f
BB: 0x8048370 and id 0x615d
error reading fileBB: 0x804858c and id 0x621a
BB: 0x80483a0 and id 0x60b3
BB: 0x80483a6 and id 0x613b
BB: 0x8048370 and id 0x6151
BB: 0x80484b0 and id 0x6284
BB: 0x80484b9 and id 0x6370
BB: 0x8048440 and id 0x630e
BB: 0x8048469 and id 0x6324
BB: 0x80484c4 and id 0x6378
BB: 0x8048654 and id 0x621b
BB: 0x8048430 and id 0x638d
BB: 0x804865d and id 0x6222
DEBUG: END OF PROGRAM
END=client finished
Error: init fork server fail

It's really strange that "error reading file" is displayed. That's the output from a.out if the open() command fails.

I'm using afl-pin because qemu mode and dyninst both fail for my target. Others seem to have had success with this: https://github.com/v-p-b/WindowsDefenderTools/tree/recreate

vanhauser-thc commented 5 years ago

yeah sorry my bad, the afl-simulate was missing (if you did "make install", otherwise put the right path for forkserver.so):

PIN_APP_LD_PRELOAD=/usr/local/lib/pintool/forkserver.so afl-simulate /home/ros/pin-3.6-97554-g31f0a167d-gcc-linux//pin -t /usr/local/lib/pintool/afl-pin.so -forkserver -alternative -- ./a.out /etc/hosts

what you can also try:

AFL_MEM=none afl-fuzz-pin.sh -i in -o out -- /home/ros/pin-3.6-97554-g31f0a167d-gcc-linux//pin -t /usr/local/lib/pintool/afl-pin.so -forkserver -alternative -- ./a.out @@

eybee commented 5 years ago

$ PIN_APP_LD_PRELOAD=/usr/local/lib/pintool/forkserver.so afl-simulate /home/ros/pin-3.6-97554-g31f0a167d-gcc-linux//pin -t /usr/local/lib/pintool/afl-pin.so -forkserver -alternative -- ./a.out /etc/hosts
DEBUG: image load no 0 for /home/ros/crash_test/a.out from 8048000 to 804879b
DEBUG: image load no 1 for /lib/ld-linux.so.2 from f7fda000 to f7ffbfff
DEBUG: image load no 2 for [vdso] from f7fd9000 to f7fd9c2e
DEBUG: image load no 3 for /usr/local/lib/pintool/forkserver.so from f5786000 to f5788033
DEBUG: image load no 4 for /lib32/libc.so.6 from f5542000 to f56f5a1b
BB: 0x8048400 and id 0x4200
BB: 0x80483c0 and id 0x60e0
BB: 0x80483c6 and id 0x6113
BB: 0x8048370 and id 0x6149
BB: 0x80485f0 and id 0x6224
BB: 0x8048430 and id 0x6364
BB: 0x80485f9 and id 0x63f0
BB: 0x8048348 and id 0x60da
BB: 0x8048430 and id 0x62ca
BB: 0x8048351 and id 0x60a4
BB: 0x8048366 and id 0x6167
BB: 0x8048611 and id 0x63d1
BB: 0x8048620 and id 0x6294
BB: 0x80484d0 and id 0x63e0
BB: 0x80484db and id 0x6359
BB: 0x8048470 and id 0x630e
BB: 0x80484a3 and id 0x634d
BB: 0x804863b and id 0x6235
BB: 0x8048645 and id 0x62ac
DEBUG: starting forkserver()
Error: invalid pid received
Error reading fork server
DEBUG: END OF PROGRAM
END=client finished
Error: unable to request new preocess from fork server -- recv child_pid!

$ AFL_MEM=none afl-fuzz-pin.sh -i indir/ -o odir/ -- /home/ros/pin-3.6-97554-g31f0a167d-gcc-linux//pin -t /usr/local/lib/pintool/afl-pin.so -forkserver -alternative -- ./a.out @@
sysctl: permission denied on key 'kernel.core_pattern'
sysctl: permission denied on key 'kernel.randomize_va_space'
tee: '/sys/devices/system/cpu/cpu*/cpufreq/scaling_governor': No such file or directory
Running: afl-fuzz -m none -i indir/ -o odir/ -- /home/ros/pin-3.6-97554-g31f0a167d-gcc-linux/pin -t /usr/local/lib/pintool/afl-pin.so -- /home/ros/pin-3.6-97554-g31f0a167d-gcc-linux//pin -t /usr/local/lib/pintool/afl-pin.so -forkserver -alternative -- ./a.out @@
afl-fuzz 2.52b by <lcamtuf@google.com>
[+] You have 4 CPU cores and 2 runnable tasks (utilization: 50%).
[+] Try parallel jobs - see /usr/local/share/doc/afl/parallel_fuzzing.txt.
[*] Checking CPU core loadout...
[+] Found a free CPU core, binding to #0.
[*] Checking core_pattern...
[*] Setting up output directories...
[+] Output directory exists but deemed OK to reuse.
[*] Deleting old session data...
[+] Output dir cleanup successful.
[*] Scanning 'indir/'...
[+] No auto-generated dictionary tokens to reuse.
[*] Creating hard links for all input files...
[*] Validating target binary...
[*] Attempting dry run with 'id:000000,orig:testfile'...
[*] Spinning up the fork server...

[-] Hmm, looks like the target binary terminated before we could complete a
    handshake with the injected code. Perhaps there is a horrible bug in the
    fuzzer. Poke <lcamtuf@coredump.cx> for troubleshooting tips.

[-] PROGRAM ABORT : Fork server handshake failed
         Location : init_forkserver(), afl-fuzz.c:2253
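
The three errors in this thread ("__AFL_SHM_ID not set", "Fork server handshake failed", and "invalid pid received" / "Fork server is misbehaving") are all stages of one small protocol between afl-fuzz and the fork server injected into the target. The following C program is an added example that reimplements both sides of that protocol so the stages can be seen in order; it is not code from afl-fuzz, afl-simulate or afl-pin. Assumptions: the injected server runs a C function in a forked child instead of execv()ing a real target, the coverage map is an anonymous shared mapping rather than the SysV segment real AFL passes through __AFL_SHM_ID, and the timeout, the "4242" shm id and the bitmap index 0x4200 are constructed values.

```c
#define _GNU_SOURCE
#include <poll.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

#define FORKSRV_FD 198          /* AFL convention: control pipe on fd 198, status pipe on fd 199 */
#define MAP_SIZE (1 << 16)      /* AFL trace bitmap size */
#define REPLY_TIMEOUT_MS 2000   /* constructed; afl-fuzz derives its wait from the -t timeout */

static uint8_t *trace_bits;     /* coverage map; real AFL attaches the SysV segment named by __AFL_SHM_ID */

/* Read exactly 4 bytes or give up after timeout_ms (afl-fuzz does the same around select()). */
static int read4_timeout(int fd, void *out, int timeout_ms) {
    struct pollfd p = { .fd = fd, .events = POLLIN };
    if (poll(&p, 1, timeout_ms) <= 0) return -1;       /* timed out: target hung or never answered */
    return read(fd, out, 4) == 4 ? 0 : -1;              /* short read: peer exited before answering */
}

/* Target side, the role of forkserver.so / afl-pin -forkserver: send a hello, then serve fork requests. */
static int toy_forkserver(int (*target_main)(void)) {
    if (!getenv("__AFL_SHM_ID")) {                      /* the check behind "__AFL_SHM_ID not set" */
        fprintf(stderr, "Error: AFL environment variable __AFL_SHM_ID not set\n");
        return -1;                                      /* no hello is sent, so the fuzzer sees a failed handshake */
    }
    uint32_t hello = 0;
    if (write(FORKSRV_FD + 1, &hello, 4) != 4) return -1;   /* fuzzer prints "fork server is up" on receipt */
    for (;;) {
        uint32_t ctl;
        if (read(FORKSRV_FD, &ctl, 4) != 4) return 0;   /* control pipe closed: fuzzer is done */
        int32_t child = fork();
        if (child < 0) return -1;
        if (child == 0) {
            close(FORKSRV_FD); close(FORKSRV_FD + 1);
            _exit(target_main());                       /* one execution of the program under test */
        }
        int status = 0;
        if (write(FORKSRV_FD + 1, &child, 4) != 4) return -1;   /* report the child pid ... */
        if (waitpid(child, &status, 0) < 0) return -1;
        if (write(FORKSRV_FD + 1, &status, 4) != 4) return -1;  /* ... then its wait status */
    }
}

typedef struct { int ctl_fd, st_fd; int32_t fsrv_pid; } fsrv_t;

/* Fuzzer side (afl-fuzz init_forkserver / afl-simulate): spawn the target on the two pipes, wait for hello.
   shm_id == NULL leaves __AFL_SHM_ID unset so the failure path can be exercised. */
static int fsrv_start(fsrv_t *f, const char *shm_id, int (*target_main)(void)) {
    int ctl_pipe[2], st_pipe[2];
    if (pipe(ctl_pipe) || pipe(st_pipe)) return -1;
    if (trace_bits) munmap(trace_bits, MAP_SIZE);
    trace_bits = mmap(NULL, MAP_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    if (trace_bits == MAP_FAILED) return -1;
    if (shm_id) setenv("__AFL_SHM_ID", shm_id, 1); else unsetenv("__AFL_SHM_ID");
    fflush(NULL);
    int32_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (dup2(ctl_pipe[0], FORKSRV_FD) < 0 || dup2(st_pipe[1], FORKSRV_FD + 1) < 0) _exit(1);
        close(ctl_pipe[0]); close(ctl_pipe[1]); close(st_pipe[0]); close(st_pipe[1]);
        _exit(toy_forkserver(target_main) == 0 ? 0 : 1);   /* real afl-fuzz would execv() the target here */
    }
    close(ctl_pipe[0]); close(st_pipe[1]);
    f->ctl_fd = ctl_pipe[1]; f->st_fd = st_pipe[0]; f->fsrv_pid = pid;
    uint32_t hello;
    if (read4_timeout(f->st_fd, &hello, REPLY_TIMEOUT_MS) != 0) {    /* "Fork server handshake failed" */
        kill(pid, SIGKILL); waitpid(pid, NULL, 0);
        close(f->ctl_fd); close(f->st_fd);
        return -1;
    }
    return 0;
}

/* One fuzz iteration (afl-fuzz run_target): request a fork, then collect pid and wait status. */
static int fsrv_run_once(fsrv_t *f, int32_t *child_pid, int *status) {
    uint32_t ctl = 0;
    memset(trace_bits, 0, MAP_SIZE);
    if (write(f->ctl_fd, &ctl, 4) != 4) return -1;
    if (read4_timeout(f->st_fd, child_pid, REPLY_TIMEOUT_MS) != 0 || *child_pid <= 0)
        return -1;                                      /* "invalid pid received" / "Fork server is misbehaving" */
    return read4_timeout(f->st_fd, status, REPLY_TIMEOUT_MS);
}

static void fsrv_stop(fsrv_t *f) {
    close(f->ctl_fd); close(f->st_fd);                  /* closing the control pipe ends the server loop */
    waitpid(f->fsrv_pid, NULL, 0);
}

/* Constructed stand-in for the program under test: marks one edge in the bitmap and exits cleanly. */
static int good_target(void) { trace_bits[0x4200] = 1; return 0; }

/* Healthy path: handshake, then one run with a valid pid, exit 0 and coverage visible to the fuzzer. */
int demo_handshake_ok(void) {
    fsrv_t f; int32_t pid = 0; int status = 0;
    if (fsrv_start(&f, "4242", good_target) != 0) return 0;
    int ok = fsrv_run_once(&f, &pid, &status) == 0 && WIFEXITED(status) &&
             WEXITSTATUS(status) == 0 && trace_bits[0x4200] == 1;
    fsrv_stop(&f);
    return ok;
}

/* Failure path from the thread: the injected server aborts before its hello, so no handshake completes. */
int demo_handshake_failed(void) {
    fsrv_t f;
    return fsrv_start(&f, NULL, good_target) == -1;
}

int main(void) {
    printf("handshake ok: %d\n", demo_handshake_ok());
    printf("handshake failed as expected: %d\n", demo_handshake_failed());
    return 0;
}
```

The point to take from the failing path is the one the thread circles around: afl-fuzz only ever sees "no 4 bytes arrived on fd 199 in time", and cannot tell a missing forkserver.so, a 64-bit .so refused by a 32-bit loader, or a real crash in the target apart. Whatever the injected side printed (here the "__AFL_SHM_ID not set" line) is the only diagnostic, which is why running the pin command line on its own, or under afl-simulate, is the productive first step.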

vanhauser-thc commented 5 years ago

hmm my last guess is that something is not 32 bit compiled, afl-pin.so or forkserver.so

you have still another chance: https://github.com/vanhauser-thc/afl-dynamorio - this one would also be x10 faster than afl-pin

eybee commented 5 years ago

I double checked that already:

/usr/local/lib/pintool$ file afl-pin.so 
afl-pin.so: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, BuildID[sha1]=00be1eac806025bc7d8013d034a8c5c649c0889f, not stripped
/usr/local/lib/pintool$ file forkserver.so 
forkserver.so: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, BuildID[sha1]=7adf944e4d25fdc5aa7ee1536cdd5021cbc02a22, not stripped

DynamoRIO was my first attempt, of course it failed :(
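
The `file` check above inspects two of the components by hand; the mismatch the maintainer suspects can also hide in the target itself or in whatever else ends up in the Pin process. The following C program is an added example, not part of afl-pin, that reads the ELF class byte (e_ident[EI_CLASS]) of every path given and names any file whose class differs from the first one. The temp-file fixtures in the self-test are constructed minimal headers, not loadable objects. Pin's top-level `pin` launcher selects the matching pinbin for the target's architecture itself, so the files worth comparing are the pintool, forkserver.so and the target binary.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Returns 32 or 64 from the e_ident[EI_CLASS] byte of an ELF header, 0 if the bytes are not ELF. */
int elf_class_of_bytes(const unsigned char *buf, size_t n) {
    if (n < 5 || memcmp(buf, "\x7f" "ELF", 4) != 0) return 0;
    if (buf[4] == 1) return 32;   /* ELFCLASS32 */
    if (buf[4] == 2) return 64;   /* ELFCLASS64 */
    return 0;
}

/* Returns 32/64 for an ELF file, 0 if it is not ELF, -1 if it cannot be opened. */
int elf_class_of_file(const char *path) {
    unsigned char hdr[5];
    FILE *fp = fopen(path, "rb");
    if (!fp) return -1;
    size_t n = fread(hdr, 1, sizeof hdr, fp);
    fclose(fp);
    return elf_class_of_bytes(hdr, n);
}

/* Returns the shared class (32 or 64) when every path agrees, -1 on a mismatch, 0 if any path is not
   a readable ELF. Each odd one out is named on stderr so the wrongly built component is obvious. */
int check_same_elf_class(const char *const *paths, size_t count) {
    int common = 0, mismatch = 0;
    for (size_t i = 0; i < count; i++) {
        int c = elf_class_of_file(paths[i]);
        if (c <= 0) { fprintf(stderr, "%s: not a readable ELF file\n", paths[i]); return 0; }
        if (!common) common = c;
        else if (c != common) {
            fprintf(stderr, "%s is %d-bit but %s is %d-bit\n", paths[i], c, paths[0], common);
            mismatch = 1;
        }
    }
    return mismatch ? -1 : common;
}

/* Constructed fixture: writes a minimal ELF header of the given class to a temp file. */
static int write_fake_elf(char *path, int cls) {
    strcpy(path, "/tmp/elfclass-XXXXXX");
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unsigned char hdr[16] = { 0x7f, 'E', 'L', 'F', (unsigned char)(cls == 64 ? 2 : 1) };
    int ok = write(fd, hdr, sizeof hdr) == (ssize_t)sizeof hdr;
    close(fd);
    return ok ? 0 : -1;
}

/* Self-check on constructed files: two 32-bit headers agree; adding a 64-bit one is flagged. Returns 1 on success. */
int selftest_elf_class(void) {
    char a[32], b[32], c[32];
    if (write_fake_elf(a, 32) || write_fake_elf(b, 32) || write_fake_elf(c, 64)) return 0;
    const char *same[] = { a, b };
    const char *mixed[] = { a, b, c };
    int r_same = check_same_elf_class(same, 2);
    int r_mixed = check_same_elf_class(mixed, 3);
    unlink(a); unlink(b); unlink(c);
    return r_same == 32 && r_mixed == -1;
}

/* Stand-alone use (paths are the ones from this thread, adjust to your install):
   ./elfclass /usr/local/lib/pintool/afl-pin.so /usr/local/lib/pintool/forkserver.so ./a.out */
int main(int argc, char **argv) {
    if (argc < 2) return selftest_elf_class() ? 0 : 1;
    int r = check_same_elf_class((const char *const *)argv + 1, (size_t)argc - 1);
    if (r > 0) printf("all %d files are ELF %d-bit\n", argc - 1, r);
    return r > 0 ? 0 : 1;
}
```

A non-zero exit from this check is worth treating as a hard stop before any fuzzing run: a 64-bit pintool or forkserver.so cannot be loaded into a 32-bit target, and as the log excerpts above show, that failure only surfaces as a generic handshake timeout on the afl-fuzz side.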

eybee commented 5 years ago

@v-p-b: I followed your notes to fuzz mpclient with win-afl just like you did. Maybe you have an idea what's going wrong here? Thanks!

muginekoo commented 3 years ago

I also encountered the same problem. Do you have an idea how to solve it?

vanhauser-thc commented 3 years ago

installing the forkserver is unreliable. but why don't you use afl++ in qemu mode? it is about 200 times faster and has introspection. afl + pin is kinda the worst performance you can get.