-
Notifications
You must be signed in to change notification settings - Fork 6
ztaylor3uncc/automatic-fuzzy-lop
Folders and files
| Name | Name | Last commit message | Last commit date | |
|---|---|---|---|---|
Repository files navigation
# ####### ### # ## ####### ###### # # # ## ####### ####### # # # ## # # # # # ## ## ## # ### # # ## # # # ### ##### # ## ### ### # # # ## # # # # # ## ## ## # # ####### # ###### # ####### ####### ####### ######################################################################## # After what feels like 10,000 years of trying to find an easy # # way to fuzz non-x8 binaries, I decided to make one myself! # ######################################################################## # Here is the extremely short version of how to get started: # ######################################################################## # 1. Make a new directory # # # # 2. Put the three .sh files into the new directory # # # # 3. ./01-run-this-first.sh # # # # 4. Download firmware and unzip it (if necessary) # # # # 5. ./extract.sh <firmware image> # # # # 6. cd firmware-library/<firmware architecture>_<your firmware>/ # # # # 7. ./auto-fuzz /path/to/desired/binary -4G # # # # 8. If you are familiary with the firmware binary and you know # # that it takes input directly from stdin (think of 'echo') # # then run this instead: # # # # ./aut-fuzz /path/to/desirec/binary -4G @@ # # # # 9. Enjoy! # ######################################################################## # Here is a bit more detailed instructions if you would like to # # understand what is going on a bit better: # ######################################################################## # 1. Make a directory named whatever you want # # # # 2. Put '01-run-this-first.sh', 'extract.sh', and 'auto-fuzz.sh' # # in there # # # # 3. Run '01-run-this-first.sh' -- this file installs all of the # # dependencies you need for these files, and it grabs the newest # # availble version of AFL (the fuzzer we will be using for various # # reasons I won't go into here) from the great lcamtuf himself. # # If you already have AFL installed on your machine, it might be # # a good idea to remove it for cleanliness. You can use the # # version we install here exactly as you did with your previous # # install, but we want to play it safe. # # # # 4. Once that's done, download some firmware (x86, ARM, MIPS, # # whatever). Copy the image into your new directory made for the # # three files mentioned above and unzip it (if applicable). If # # it's already in the .bin format (or some other format read by # # binwalk) then run ./extract.sh <your firmware image> # # # # 5. The extract.sh file will extract the firmware using 'binwalk -e' # # but it will also compile AFL's QEMU Mode for the arhcitecture # # of the firmware extracted. This means that every time you extract # # new firmware, AFL is recompiled to run as a black box fuzzer for # # the architecture of the firmware you extracted. It will also move # # the extracted folder to the 'firmware-library' folder under the # # naming convention <architecture>_<old folder name>. The .bin file # # (or whatever extension) will be moved inside of this folder so # # you can extract from it again in case anything goes wrong with # # your experiments. Recompiling AFL's QEMU mode can take some time, # # which means that having it recompile every time you want to # # extract firmware might get annoying. If that's the feedback I get # # then I will retool that part into the '01-run-this-first.sh' # # script. # # # # 6. Go into the new folder in the firmware-library folder and you # # will see that a very convenient auto-fuzz.sh script has been # # placed there for you. All you have to do is run that file with # # two parameters (the third parameter is optional, but we'll get to # # that) -- the first parameter is the path to the binary you # # want to fuzz. This will look something like this: # # # # ./auto-fuzz.sh /squashfs-root/bin/<some_binary> # # # # But, YMMV. # # The second parameter is for a number of bytes to be allocated # # to AFL's child processes. The default for this is 200MB, but # # when black box fuzzing (which is what we are doing here, mind # # you) a significant increase in memory is required. # # 4G is a good start (this has always worked for me, when 3G # # someimtes doesn't). So, the complete call will look like this: # # # # ./auto-fuzz.sh /squashfs-root/bin/<some_binary> 4G # # # # If the amount is too low, AFL will tell you. # # The final (and only optional) parameter is '@@'. This is a # # unique identifier that AFL uses to indicate when a binary # # requires direct input from stdin. When you add '@@' to the end # # of an AFL call, AFL replaced the '@@' with the provided input # # files. So, a complete call for a binary that reads from # # stdin will look like this: # # # # ./auto-fuzz.sh /squashfs-root/bin/<some_binary> 4G @@ # # # # 7. The auto-fuzz command currently provides you with input files. # # The goal is to utilize the features of AFL to minimize the # # seed corpus, though, for now, we are just using AFL's provided # # testcases (which include a testcase from every popular file type) # # and trusting that AFL's genetic algortihm will dispense with the # # useless inputs as quickly as possible (rather, it will 'focus' # # on the more useful input files). # # # # 8. Also, it's a little late to mention this, but it may be helpful # # to run all of the scripts with 'sudo'. Anytime you need 'sudo', # # the terminal will ask you, of course, but it prevents the whole # # 'run-this-and-walk-away' idea I'm going for from working. # # # # 9.That should be it. There are a few to-do's left, and I will updte # # this as I can. # ########################################################################
About
Attempting to automate non-x86 fuzzing with AFL
Resources
Stars
Watchers
Forks
Releases
No releases published
Packages 0
No packages published