Fuzzing unrealircd IRC server


pizzaha...@gmail.com

Mar 9, 2016, 7:18:02 PM
to afl-users
Hello :)

=== CONTEXT ===
I am trying to fuzz unrealircd (IRC server) on Linux for my own curiosity.
I modified it so it feeds itself with a file whose path is passed via the -X parameter.

Example :
./src/ircd -F -X input.txt

When launched manually from a shell, this command will start the server, connect to the IRC port 6667, send the contents of "input.txt", handle the message and then exit.

With packet capture I can see that it seems to work very well:
1 - TCP connection on 6667 (loopback interface)
2 - NICK request (=IRC command=contents of input.txt)
3 - NOTICE (IRC server response)
4 - TCP [RST] (connection closed)

=== THE ISSUE ===
When run with afl-fuzz in the following way:
afl-fuzz -d -t 5000 -i client_message_nick/ -o ./afl-findings-$(date +%Y%m%d-%H%M) -- \
./src/ircd -F -X @@

afl-fuzz behaves as if everything were OK: "All set and ready to roll!" + shows exec speed, total paths etc.
BUT I don't see ANY packet captured, as if the program was simply not run.
The port 6667 doesn't seem to be bound at all.

This may just be a basic Linux mistake from me but... seriously, I don't get it.
* Is there any sort of network optimisation that would make AFL hide network packets?
* Is there any way I can see the output of the commands run by afl? (So I can eventually see any abnormal message or premature termination)

Any help would be appreciated :)

Regards

Pizza Hat

=== TECHNICAL INFORMATION ===
* OS: Kali Linux x64
* AFL: afl-cc 2.07b
* Configure options: CC=afl-gcc CFLAGS=-DPIZZAHAT


zv

Mar 10, 2016, 5:17:29 PM
to afl-users, pizzaha...@gmail.com
Your question doesn't make it clear if you have modified the sockopt code in the IRCD or if you are using a linker script / preloading to hijack the socket function calls?

Also, what do you mean you can "see" the packets? Is there debug logging code that is printing this? If you were to swap the socket inet fd with a file fd there would be no packets to sniff.

pizzaha...@gmail.com

Mar 11, 2016, 8:15:47 AM
to afl-users, pizzaha...@gmail.com
Hello,

#1 - I have directly modified the C source code of unrealircd so the executable:
- Reads the content of the file passed via -X parameter
- Opens a connection to local TCP port 6667
- Writes the content of the file
- Closes it

#2 - I am using Wireshark to capture TCP packets on the loopback interface
https://fr.wikipedia.org/wiki/Wireshark

What I don't understand is why when calling my program manually I see packets, and when it is called by afl-fuzz I don't see them. I think the context should be exactly the same. (Same user, same filesystem, same machine, etc.).

Is it clearer?

Michal Zalewski

Mar 11, 2016, 9:57:14 AM
to afl-users, pizzaha...@gmail.com
> #1 - I have directly modified the C sourcecode of unrealircd so the
> executable :
> - Reads the content of the file passed via -X parameter
> - Opens a connection to local TCP port 6667
> - Writes the content of the file
> - Closes it

If unrealircd is writing the data at the time, who is receiving it on
the other end? Are you doing something with multiple threads /
processes? This is likely to be problematic.

Try repeating this experiment under afl-showmap; maybe this will help?

/mz

pizzaha...@gmail.com

Mar 11, 2016, 3:28:16 PM
to afl-users, pizzaha...@gmail.com
Thanks for the tip!

afl-showmap showed me the output of the command... And it seems there is an issue with shared memory:

root/unrealircd/conf/modules.default.conf:34: loadmodule m_mode: failed to load: /root/unrealircd/tmp/4CD46002.m_mode.so: failed to map segment from shared object: Cannot allocate memory
/root/unrealircd/conf/modules.default.conf:36: loadmodule m_names: failed to load: /root/unrealircd/tmp/E210D840.m_names.so: failed to map segment from shared object: Cannot allocate memory
/root/unrealircd/conf/modules.default.conf:37: loadmodule m_nick: failed to load: /root/unrealircd/tmp/ADACEA88.m_nick.so: failed to map segment from shared object: Cannot allocate memory
/root/unrealircd/conf/modules.default.conf:38: loadmodule m_part: failed to load: /root/unrealircd/tmp/9D0C77B2.m_part.so: failed to map segment from shared object: Cannot allocate memory
[...]


I have tried the --disable-shared parameter to ./configure but it didn't work :-/
I'm going to check if I can fix this... But if you have new comments or suggestions I'd also appreciate it :)

Pizza


PS: I also had this reflection about write/read and threads. But unexpectedly, my trivial modification worked well, so the server may already be isolated in a different thread from my code.

Michal Zalewski

Mar 11, 2016, 3:30:32 PM
to afl-users
> root/unrealircd/conf/modules.default.conf:34: loadmodule m_mode: failed to
> load: /root/unrealircd/tmp/4CD46002.m_mode.so: failed to map segment from
> shared object: Cannot allocate memory

Try increasing memory limit when calling afl-fuzz. Maybe -m 200 or so.

/mz

pizzaha...@gmail.com

Mar 11, 2016, 3:43:01 PM
to afl-users
Oh my god... I can't believe that was that simple...
You were right, I just added -m 500 and this seems to work.

(Well, technically I still have much work to do because I currently have 1 execution per second :-/ )

Thanks

PS: By the way, that's an incredibly nice tool you made! :)