Hi there
Maybe you want to try to fuzz a "normal" target first without using the
hooks? New paths are very important. This looks wrong:
On 19/05/15 09:55, kittencrap wrote:
> $ LD_PRELOAD=./hook_recvmsg.so /root/fuzz/afl/afl-fuzz -m 1024 -i fuzz/fuzz/ -o ./findings/ ./dhcpcd --static=./fuzz/static/ --fuzz=./fuzz/fuzz/@@ eth0
I would try:
LD_PRELOAD=./hook_recvmsg.so /root/fuzz/afl/afl-fuzz -i fuzz/fuzz/ -o ./findings/ ./dhcpcd --static=./fuzz/static/ --fuzz=@@ eth0
Or try the -f option:
LD_PRELOAD=./hook_recvmsg.so /root/fuzz/afl/afl-fuzz -i fuzz/fuzz/ -o ./findings/ -f ./fuzzfile ./dhcpcd --static=./fuzz/static/ --fuzz=./fuzzfile eth0
Your memory limit (-m) is probably too high, that's why I removed the -m
option. Increase it *slowly* if afl-fuzz complains.
>
> this (seems) to work (unless I'm just not seeing something less obvious).
>
> I have one question, which is that when running, afl-fuzz is telling me
> "last new path : none yet (odd, check syntax)"
> --8<--
> american fuzzy lop 1.76b (dhcpcd)
>
> ┌─ process timing ────────────────────────┬─ overall results ─────┐
> │ run time : 0 days, 0 hrs, 7 min, 11 sec │ cycles done : 89 │
> │ *last new path : none yet (odd, check syntax!) *
> <snip>
>
> --8<--
>
> what does this warning mean, and might it be some indication that things
> are not working as expected?
Absolutely, this is a very important criterion. It means your dhcpcd
binary is behaving exactly the same for every run (with every input
file). In other words: you're not finding new behavior, therefore your
fuzzing is not effective. The usual reason is that your setup is wrong
(see above). You need to fix this, otherwise you won't have crashes.
cheers,
floyd
>
> On Sunday, 17 May 2015 05:58:28 UTC+10, cha...@ceriksen.com wrote:
>
> I don't really have a good answer per se. But are you not sort of
> looking to do something like Preeny does? Maybe you can glean a
> few tricks from it:
>
> https://github.com/zardus/preeny
> afl-fuzz 1.76b by <lca...@google.com>
> [+] You have 1 CPU cores and 3 runnable tasks (utilization: 300%).
> [*] Checking core_pattern...
> [*] Setting up output directories...
> [+] Output directory exists but deemed OK to reuse.
> [*] Deleting old session data...
> [+] Output dir cleanup successful.
> [*] Scanning 'fuzz/fuzz/'...
> [+] No auto-generated dictionary tokens to reuse.
> [*] Creating hard links for all input files...
> [*] Validating target binary...
> [*] Attempting dry run with 'id:000000,orig:wibble.cap'...
> [*] Spinning up the fork server...
> [-] Hmm, looks like the target binary terminated before we could complete a
> handshake with the injected code. There are two probable explanations:
> - The current memory limit (1.00 GB) is too restrictive, causing an OOM
> fault in the dynamic linker. This can be fixed with the -m option. A
> simple way to confirm the diagnosis may be:
> ( ulimit -Sv $[1023 << 10]; /path/to/fuzzed_app )
> fail, poke <lca...@coredump.cx> for troubleshooting tips.
> [-] PROGRAM ABORT : Fork server handshake failed
> Location : init_forkserver(), afl-fuzz.c:1919
> --8<--
>
>
> any thoughts?
>
> cheers!
>
>
--
floyd
@floyd_ch
http://www.floyd.ch
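The thread turns on hook_recvmsg.so: an LD_PRELOAD library that makes a network daemon such as dhcpcd read its "packet" from the file afl-fuzz writes instead of from a socket. As an added example (not the poster's hook, not AFL's or dhcpcd's code), here is a minimal recvmsg() interposer of that kind. The environment variable name AFL_HOOK_INPUT, the helper names and the sample payload are assumptions for this example; with the -f variant above you would set AFL_HOOK_INPUT=./fuzzfile. The first recvmsg() call delivers the whole file as one datagram (with MSG_TRUNC set if the caller's buffers are too small, as a real datagram socket would); the second call ends the process with _exit(0) so each afl-fuzz run terminates instead of blocking on the network until the timeout.

```c
// Added example: minimal LD_PRELOAD recvmsg() hook for file-driven fuzzing.
// Not the thread's hook_recvmsg.so; env var AFL_HOOK_INPUT and all helper
// names are assumptions for this example.
// Build the hook:  gcc -shared -fPIC -o hook_recvmsg.so hook_recvmsg.c
// Run standalone:  gcc -o hookdemo hook_recvmsg.c && ./hookdemo
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>

/* Scatter `len` bytes of `buf` across the iovecs of `msg`, datagram-style:
 * bytes that do not fit are dropped and MSG_TRUNC is reported. Returns the
 * number of bytes delivered. */
ssize_t hook_scatter(struct msghdr *msg, const unsigned char *buf, size_t len) {
    size_t off = 0;
    for (size_t i = 0; i < (size_t)msg->msg_iovlen && off < len; i++) {
        size_t n = msg->msg_iov[i].iov_len;
        if (n > len - off) n = len - off;
        memcpy(msg->msg_iov[i].iov_base, buf + off, n);
        off += n;
    }
    msg->msg_flags = (off < len) ? MSG_TRUNC : 0;
    msg->msg_namelen = 0;      /* no sender address */
    msg->msg_controllen = 0;   /* no ancillary data */
    return (ssize_t)off;
}

/* Read the whole file at `path` into a malloc'd buffer (*out).
 * Returns its length, or -1 on error. The caller frees *out. */
ssize_t hook_read_file(const char *path, unsigned char **out) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    size_t cap = 4096, len = 0;
    unsigned char *buf = malloc(cap);
    if (!buf) { close(fd); return -1; }
    for (;;) {
        if (len == cap) {
            unsigned char *nb = realloc(buf, cap * 2);
            if (!nb) { free(buf); close(fd); return -1; }
            buf = nb; cap *= 2;
        }
        ssize_t r = read(fd, buf + len, cap - len);
        if (r < 0) { free(buf); close(fd); return -1; }
        if (r == 0) break;
        len += (size_t)r;
    }
    close(fd);
    *out = buf;
    return (ssize_t)len;
}

/* Interposed recvmsg(): first call delivers the fuzz file as one datagram,
 * the second call ends the process so the afl-fuzz run terminates. */
ssize_t recvmsg(int sockfd, struct msghdr *msg, int flags) {
    (void)sockfd; (void)flags;
    static int delivered = 0;
    if (delivered) _exit(0);
    delivered = 1;
    const char *path = getenv("AFL_HOOK_INPUT");
    unsigned char *buf = NULL;
    ssize_t len = path ? hook_read_file(path, &buf) : -1;
    if (len < 0) { errno = EIO; return -1; }
    ssize_t n = hook_scatter(msg, buf, (size_t)len);
    free(buf);
    return n;
}

/* Constructed 12-byte sample payload (not a real DHCP packet). */
static const unsigned char SAMPLE[] = "DHCP-SAMPLE!";
#define SAMPLE_LEN 12

/* Demo helpers: scatter SAMPLE into two receive buffers of the given sizes. */
static ssize_t demo_run(size_t a_len, size_t b_len, int *truncated) {
    unsigned char a[16] = {0}, b[16] = {0};
    if (a_len > sizeof a) a_len = sizeof a;
    if (b_len > sizeof b) b_len = sizeof b;
    struct iovec iov[2] = { { a, a_len }, { b, b_len } };
    struct msghdr msg; memset(&msg, 0, sizeof msg);
    msg.msg_iov = iov; msg.msg_iovlen = 2;
    ssize_t n = hook_scatter(&msg, SAMPLE, SAMPLE_LEN);
    *truncated = (msg.msg_flags & MSG_TRUNC) != 0;
    return n;
}
ssize_t demo_scatter(size_t a_len, size_t b_len) { int t; return demo_run(a_len, b_len, &t); }
int demo_truncated(size_t a_len, size_t b_len) { int t; demo_run(a_len, b_len, &t); return t; }

/* Write SAMPLE to a temp file, set AFL_HOOK_INPUT, and take the hook's
 * recvmsg() path once. Returns bytes delivered, or -1 on mismatch. */
ssize_t demo_recvmsg_once(void) {
    char path[] = "/tmp/hookdemoXXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    if (write(fd, SAMPLE, SAMPLE_LEN) != SAMPLE_LEN) { close(fd); unlink(path); return -1; }
    close(fd);
    setenv("AFL_HOOK_INPUT", path, 1);
    unsigned char out[64];
    struct iovec iov = { out, sizeof out };
    struct msghdr msg; memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov; msg.msg_iovlen = 1;
    ssize_t n = recvmsg(-1, &msg, 0);   /* binds to the interposer above; no socket needed */
    unlink(path);
    if (n != SAMPLE_LEN || memcmp(out, SAMPLE, SAMPLE_LEN) != 0) return -1;
    return n;
}

int main(void) {
    printf("scatter into 8+8 bytes: %zd delivered, truncated=%d\n",
           demo_scatter(8, 8), demo_truncated(8, 8));
    printf("scatter into 4+4 bytes: %zd delivered, truncated=%d\n",
           demo_scatter(4, 4), demo_truncated(4, 4));
    printf("recvmsg() via hook: %zd bytes\n", demo_recvmsg_once());
    return 0;
}
```

One practical check this design makes easy: if the daemon never reaches the interposed call (it reads with recvfrom() or a raw socket instead of recvmsg(), or the library was not preloaded into the right process), every run behaves identically, which is exactly the "none yet (odd, check syntax!)" symptom floyd points at. Running the target once by hand with AFL_HOOK_INPUT set and checking that it exits rather than blocking confirms the hook actually fires before you spend CPU on afl-fuzz.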