Fuzzing a customizable shell


Tanvi Allada

Mar 4, 2023, 9:44:28 PM
to afl-users
Hello!

My name is Tanvi Allada, and I am a senior undergraduate student at Virginia Tech. This semester I am participating in a semester-long research-for-credit opportunity where I have to fuzz a shell. I have created my inputs in the form of text files, where I have commands I want to run. However, when I try to run the executable (compiled via afl-gcc), the fuzzer is not able to find any paths (odd, check syntax), and so it is not able to fuzz? Do you know where it would take input from? How would I go about fixing this?

Thank you,
Tanvi Allada

Connor Shugg

Mar 5, 2023, 11:55:31 AM
to afl-...@googlegroups.com
Hi Tavni,

Go Hokies! I just wrapped my studies there (also computer science) in 2022. I hope senior year is treating you well - sounds like you're getting up to some really interesting security projects!

You seem to be taking the correct approach of compiling with afl-gcc and storing shell commands (that should be recognized by your shell) in text files to serve as the input corpus. Here are a few sanity checks to perform to make sure things are set up right.

Check for Instrumentation
Try running strings /path/to/your/shell_executable | grep "afl" to make sure your compiled executable is indeed instrumented with AFL's code. If things are instrumented correctly, you should see a long list of strings beginning with __afl_. For example:

[image: screenshot of the strings | grep output, not reproduced]

Manually running input files
Since a shell accepts input from stdin, you'll want AFL to pipe the commands you placed into the input files into the shell's stdin during fuzzing. It couldn't hurt to do a quick test to make sure the particular shell you're fuzzing doesn't do anything unexpected when doing this. Just a quick example with bash:

[image: screenshot of the bash stdin test, not reproduced]

Try this out with your shell if you haven't already. If all is well, your shell should execute the command, then promptly exit. (The shell should exit when it reaches EOF.)

AFL command-line arguments
I would expect your command-line arguments for afl-fuzz to look something like this: afl-fuzz -i /path/to/your/input_file_directory -o /path/to/your/output_directory ./your_shell. Unless there's a special command-line flag you need AFL to run the shell with, you shouldn't need anything else after ./your_shell. By default, AFL will automatically pipe the input files' contents into the shell's stdin (what we did manually above). Something else to watch out for: some shells, like bash, have a -c option that allows you to specify a command within an argument to be executed:

[image: screenshot of bash -c usage, not reproduced]

You would not want to specify this when running AFL. That would force your shell to run only echo hello there and completely ignore the input file AFL is feeding it. An issue like this might be the cause of AFL not discovering any paths during fuzzing (since your shell would only ever run echo hello there).

Hopefully some of this helps! Of course, feel free to reply back with questions or more information and I'm happy to help out more.
Thanks,
Connor

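The three sanity checks in the reply above, gathered into one small pre-flight script. This is an added example, not code from the thread or from AFL itself; it assumes the shell under test reads commands from stdin and exits at EOF (as bash does), and the paths ./your_shell, ./seeds and ./findings are placeholders. It also adds a seed-corpus check the reply does not spell out: AFL skips empty seed files, and a seed the shell cannot run contributes no coverage.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks before running
# afl-fuzz against a shell. Paths below are placeholders.

# 1. Instrumentation check. afl-gcc leaves symbols such as __afl_area_ptr in
#    the binary; count the distinct __afl_* strings. grep -a reads binaries
#    directly, so binutils' `strings` is not required. Zero means the binary
#    was not built with afl-gcc and afl-fuzz will never see new paths.
afl_marker_count() {
    # $1 = path to the compiled shell
    grep -a -o '__afl_[A-Za-z0-9_]*' "$1" 2>/dev/null | sort -u | wc -l | tr -d ' '
}

# 2. Manual run of one seed exactly as afl-fuzz delivers it by default:
#    the file's contents go to the shell's stdin, no extra arguments.
run_seed_via_stdin() {
    # $1 = shell binary, $2 = seed file
    "$1" < "$2"
}

# The mistake described in the reply: with -c the shell executes the argument
# and ignores stdin, so every fuzz case runs the same fixed command.
run_seed_with_dash_c() {
    # $1 = shell binary, $2 = seed file (ignored by the shell)
    "$1" -c 'echo hello there' < "$2"
}

# 3. Seed corpus sanity (not in the reply): afl-fuzz skips empty files, and a
#    seed the shell rejects outright gives no coverage. Prints "ok" or a reason.
check_seed() {
    # $1 = shell binary, $2 = seed file
    [ -s "$2" ] || { echo "empty seed: $2"; return 1; }
    "$1" < "$2" >/dev/null 2>&1 || { echo "shell exited non-zero on seed: $2"; return 1; }
    echo ok
}

# Compose the afl-fuzz invocation: input dir, output dir, then the target with
# no arguments so AFL feeds each case on stdin. "--" separates AFL's own
# options from the target command line.
afl_cmdline() {
    # $1 = seed dir, $2 = output dir, $3 = target shell
    printf 'afl-fuzz -i %s -o %s -- %s\n' "$1" "$2" "$3"
}

# Usage (placeholders; run from the project directory):
#   afl_marker_count ./your_shell                      # expect > 0 after an afl-gcc build
#   for f in ./seeds/*; do check_seed ./your_shell "$f"; done
#   afl_cmdline ./seeds ./findings ./your_shell
```

The -c demonstration is the quickest way to see the failure mode from the reply: feed the same seed to the shell with and without -c and compare the output. If the output is identical across different seeds, stdin is being ignored and AFL has nothing to mutate against.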

Connor Shugg

Mar 5, 2023, 11:58:29 AM
to afl-...@googlegroups.com
Ah, woops! Just realized I swapped two letters in your name - sorry about that Tanvi!