Jump to content
em

Fuzzing pentru incepători / linux

Recommended Posts

Posted

Fuzzing or fuzz testing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes, or failing built-in code assertions or for finding potential memory leaks.

 

 - In timpul acestui tutorial mi-am dat seama ca mai am nevoie de pachetele po4a, libtool, texi2html.

sudo apt install po4a libtool texi2html

 

Folosesc American Fuzzy Lop (afl). - http://lcamtuf.coredump.cx/afl/'

$ wget http://lcamtuf.coredump.cx/afl/releases/afl-latest.tgz
$ tar xf afl-latest.tgz
$ cd afl-2.39b/
$ make
$ sudo make install

Ca să vedeți dacă s-a intalat cu succes puteți verifica tastând afl-gcc

$ afl-gcc
afl-cc 2.39b by <lcamtuf@google.com>
This is a helper application for afl-fuzz. It serves as a drop-in replacement
for gcc or clang, letting you recompile third-party code with the required
runtime instrumentation. A common use pattern would be one of the following:
  CC=/usr/local/bin/afl-gcc ./configure
  CXX=/usr/local/bin/afl-g++ ./configure
You can specify custom next-stage toolchain via AFL_CC, AFL_CXX, and AFL_AS.
Setting AFL_HARDEN enables hardening optimizations in the compiled code.

 

În principiu acest program se așteaptă ca ținta testată să citească fișiere. Să zicem că vrem să testăm utilitarul "wc" (utilitar care numără linii în linux).

 

man wc
.. derulăm până jos cu SHIFT-G ..
[..]
GNU coreutils 8.25

 

Bun am aflat că wc face parte din pachetul coreutils. Hai să luam sursa de coreutils și să o compilăm
Din moment ce folosesc ubuntu server o caut direct pe repo-urile canonical. O găsesc aici

$ wget http://archive.ubuntu.com/ubuntu/pool/main/c/coreutils/coreutils_8.25.orig.tar.xz 
$ tar xf coreutils_8.25.orig.tar.xz
$ cd coreutils-8.25/
$ CC=afl-gcc ./configure
$ make


 

Bun. Acum am compilat utilitarul pe care vrem sa il testam cu afl-gcc. Hai să verificăm dacă chiar au fost adăugate simbolurile fuzzerului.

$ cd src/
$ strings ./wc | grep -i afl
[..]
__afl_fork_pid
.AFL_VARS
__afl_global_area_ptr

 

Totul e în regulă deci.

Hai să verificăm că programul nostru chiar merge.

$ ./wc /etc/passwd
  33   48 1740 /etc/passwd

 

Fuzzerul are nevoie de două foldere. Unul pentru input altrul pentru output.

$ mkdir in/
$ mkdir out/
$ echo "test" > in/input
$ echo "test2" >> in/input
# testam
$ ./wc in/input
 2  2 11 in/input

 

Acum hai să pornim o rulare.

$ afl-fuzz -i in/ -o out/ ./wc @@
                         american fuzzy lop 2.39b (wc)
lq process timing qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqwq overall results qqqqqk
x        run time : 0 days, 0 hrs, 0 min, 5 sec        x  cycles done : 0      x
x   last new path : 0 days, 0 hrs, 0 min, 2 sec        x  total paths : 58     x
x last uniq crash : none seen yet                      x uniq crashes : 0      x
x  last uniq hang : none seen yet                      x   uniq hangs : 0      x
tq cycle progress qqqqqqqqqqqqqqqqqqqqwq map coverage qvqqqqqqqqqqqqqqqqqqqqqqqu
x  now processing : 0 (0.00%)         x    map density : 0.23% / 0.25%         x
x paths timed out : 0 (0.00%)         x count coverage : 1.92 bits/tuple       x
tq stage progress qqqqqqqqqqqqqqqqqqqqnq findings in depth qqqqqqqqqqqqqqqqqqqqu
x  now trying : havoc                 x favored paths : 1 (1.72%)              x
x stage execs : 21.6k/32.8k (65.87%)  x  new edges on : 8 (13.79%)             x
x total execs : 23.7k                 x total crashes : 0 (0 unique)           x
x  exec speed : 3591/sec              x   total hangs : 0 (0 unique)           x
tq fuzzing strategy yields qqqqqqqqqqqvqqqqqqqqqqqqqqqwq path geometry qqqqqqqqu
x   bit flips : 8/88, 1/87, 1/85                      x    levels : 2          x
x  byte flips : 0/11, 1/10, 4/8                       x   pending : 58         x
x arithmetics : 1/616, 0/75, 0/0                      x  pend fav : 1          x
x  known ints : 0/62, 3/280, 3/352                    x own finds : 57         x
x  dictionary : 0/0, 0/0, 0/0                         x  imported : n/a        x
x       havoc : 0/0, 0/0                              x stability : 100.00%    x
x        trim : 0.00%/2, 0.00%                        tqqqqqqqqqqqqqqqqqqqqqqqqj
^Cqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqj          [cpu000: 44%]

 

O să găsiți inputurile care crapă programul în ./out/crashes și cele care îl blochează în ./out/hangs.

Have fun :)


 

  • Upvote 8

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...