
Recommended environment

  • All steps have been tested on 64-bit Ubuntu 16.04.

p2im - git clone

git clone https://github.com/RiS3-Lab/p2im.git
git submodule update --init
git submodule update --remote

GNU Arm Embedded Toolchain

  • x86 → ARM: binaries that run on the ARM target, built on the x86 host
wget -O gcc-arm-none-eabi-10.3-2021.10-x86_64-linux.tar.bz2 'https://developer.arm.com/-/media/Files/downloads/gnu-rm/10.3-2021.10/gcc-arm-none-eabi-10.3-2021.10-x86_64-linux.tar.bz2?rev=78196d3461ba4c9089a67b5f33edf82a&hash=D484B37FF37D6FC3597EBE2877FB666A41D5253B'
tar xjf *.tar.bz2
export PATH=$PATH:/home/parallels/tmp/gcc-arm-none-eabi-10.3-2021.10/bin
echo $PATH

AFL

babyhack@ubuntu:~/tmp/p2im/afl$ make
[*] Checking for the ability to compile x86 code...
[+] Everything seems to be working, ready to compile.
cc -O0 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -DAFL_PATH=\"/usr/local/lib/afl\" -DDOC_PATH=\"/usr/local/share/doc/afl\" -DBIN_PATH=\"/usr/local/bin\" -DVERSION=\"2.06b\" afl-gcc.c -o afl-gcc -ldl
set -e; for i in afl-g++ afl-clang afl-clang++; do ln -sf afl-gcc $i; done
cc -O0 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -DAFL_PATH=\"/usr/local/lib/afl\" -DDOC_PATH=\"/usr/local/share/doc/afl\" -DBIN_PATH=\"/usr/local/bin\" -DVERSION=\"2.06b\" afl-fuzz.c -o afl-fuzz -ldl
cc -O0 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -DAFL_PATH=\"/usr/local/lib/afl\" -DDOC_PATH=\"/usr/local/share/doc/afl\" -DBIN_PATH=\"/usr/local/bin\" -DVERSION=\"2.06b\" afl-showmap.c -o afl-showmap -ldl
cc -O0 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -DAFL_PATH=\"/usr/local/lib/afl\" -DDOC_PATH=\"/usr/local/share/doc/afl\" -DBIN_PATH=\"/usr/local/bin\" -DVERSION=\"2.06b\" afl-tmin.c -o afl-tmin -ldl
cc -O0 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -DAFL_PATH=\"/usr/local/lib/afl\" -DDOC_PATH=\"/usr/local/share/doc/afl\" -DBIN_PATH=\"/usr/local/bin\" -DVERSION=\"2.06b\" afl-gotcpu.c -o afl-gotcpu -ldl
cc -O0 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -DAFL_PATH=\"/usr/local/lib/afl\" -DDOC_PATH=\"/usr/local/share/doc/afl\" -DBIN_PATH=\"/usr/local/bin\" -DVERSION=\"2.06b\" afl-analyze.c -o afl-analyze -ldl
cc -O0 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -DAFL_PATH=\"/usr/local/lib/afl\" -DDOC_PATH=\"/usr/local/share/doc/afl\" -DBIN_PATH=\"/usr/local/bin\" -DVERSION=\"2.06b\" afl-as.c -o afl-as -ldl
ln -sf afl-as as
[*] Testing the CC wrapper and instrumentation output...
unset AFL_USE_ASAN AFL_USE_MSAN; AFL_QUIET=1 AFL_INST_RATIO=100 AFL_PATH=. ./afl-gcc -O0 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -DAFL_PATH=\"/usr/local/lib/afl\" -DDOC_PATH=\"/usr/local/share/doc/afl\" -DBIN_PATH=\"/usr/local/bin\" -DVERSION=\"2.06b\" test-instr.c -o test-instr -ldl
echo 0 | ./afl-showmap -m none -q -o .test-instr0 -- ./test-instr
echo 1 | ./afl-showmap -m none -q -o .test-instr1 -- ./test-instr
[+] All right, the instrumentation seems to be working!
[+] All done! Be sure to review README - it's pretty short and useful.

babyhack@ubuntu:~/tmp/p2im$ make -C afl/
make: Entering directory '/home/babyhack/tmp/p2im/afl'
[*] Checking for the ability to compile x86 code...
[+] Everything seems to be working, ready to compile.
[*] Testing the CC wrapper and instrumentation output...
unset AFL_USE_ASAN AFL_USE_MSAN; AFL_QUIET=1 AFL_INST_RATIO=100 AFL_PATH=. ./afl-gcc -O0 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -DAFL_PATH=\"/usr/local/lib/afl\" -DDOC_PATH=\"/usr/local/share/doc/afl\" -DBIN_PATH=\"/usr/local/bin\" -DVERSION=\"2.06b\" test-instr.c -o test-instr -ldl
echo 0 | ./afl-showmap -m none -q -o .test-instr0 -- ./test-instr
echo 1 | ./afl-showmap -m none -q -o .test-instr1 -- ./test-instr
[+] All right, the instrumentation seems to be working!
[+] All done! Be sure to review README - it's pretty short and useful.
NOTE: If you can read this, your terminal probably uses white background.
This will make the UI hard to read. See docs/status_screen.txt for advice.
make: Leaving directory '/home/babyhack/tmp/p2im/afl'

Docker Install

sudo apt install docker.io
sudo usermod -aG docker $USER
cd ~/tmp/p2im/qemu
WORK_FOLDER_PATH=`pwd`/src ./build_scripts/build-qemu.sh --deb64 --no-strip
babyhack@ubuntu:~/tmp/p2im/qemu$ WORK_FOLDER_PATH=`pwd`/src ./build_scripts/build-qemu.sh --deb64 --no-strip

Using "/home/babyhack/tmp/p2im/qemu/src" as Work folder...
Helper script: "/home/babyhack/tmp/p2im/qemu/src/scripts/build-helper.sh".
Script "./build_scripts/build-qemu.sh" started at Wed Jan 18 06:45:50 PST 2023.

Running on Ubuntu 64-bits.

Checking host curl...
curl 7.47.0 (x86_64-pc-linux-gnu) libcurl/7.47.0 GnuTLS/3.4.10 zlib/1.2.8 libidn/1.32 librtmp/2.3

Checking host git...
git version 2.7.4

Checking Docker...
Docker version 18.09.7, build 2d0083d

Checking host automake...

Firmware preparation

  • p2im-real_firmware
git clone https://github.com/RiS3-Lab/p2im-real_firmware.git

Copy the seed files

WORKING_DIR=~/tmp/p2im/fuzzing/Drone/5/
mkdir -p ${WORKING_DIR}
cd ${WORKING_DIR}
cp -r ~/tmp/p2im/fuzzing/templates/seeds/ ${WORKING_DIR}/inputs

Edit the config

#  P2IM - fuzzing configuration template
#  ------------------------------------------------------

#  Copyright (C) 2018-2020 RiS3 Lab

#  Licensed under the Apache License, Version 2.0 (the "License");
#  you may not use this file except in compliance with the License.
#  You may obtain a copy of the License at:

#    http://www.apache.org/licenses/LICENSE-2.0

# Please change configurations that are enclosed in "< >".
# Please use absolute path in this file.

[DEFAULT] # used only by fuzz.py
#  <base> is the path of root directory of P2IM git repo
base        = /home/babyhack/tmp/p2im  ## must be changed: path of the fuzzer (P2IM) checkout
#  <program> can be arbitrary string you want. It doesn't need to be the firmware binary name
program     = Drone ### target program name and directory name
# Each firmware may be fuzzed multiple times. So it's better to number each fuzzer run
run         = 5
# working directory of fuzzing
working_dir = %(base)s/fuzzing/%(program)s/%(run)s

[afl] # used only by fuzz.py
bin         = %(base)s/afl/afl-fuzz
timeout     = 150+
input       = %(working_dir)s/inputs
output      = %(working_dir)s/outputs

[cov] # used only by cov.py
#count_hang  = False
count_hang  = True
bbl_cov_read_sz = 20000000
# 1 second
timeout     = 1

[qemu]
bin         = %(base)s/qemu/precompiled_bin/qemu-system-gnuarmeclipse
log         = unimp,guest_errors,int
#log         = unimp,guest_errors,exec,int -D qemu.log

[program]
# the board/mcu supported by QEMU is listed as comments below
#board       = 
#mcu         = 

#board       = STM32F429I-Discovery
#mcu         = STM32F429ZI
board       = NUCLEO-F103RB   # select the target board and mcu (uncomment the pair you need)
mcu         = STM32F103RB     #
#board       = Arduino-Due
#mcu         = SAM3X8E
#board       = FRDM-K64F
#mcu         = MK64FN1M0VLL12

#  <img> has to be name of firmware elf file
img         = %(working_dir)s/Drone      # the image path is case-sensitive, so be careful

[model]
retry_num   = 3
peri_addr_range = 512
# arm-none-eabi-objdump is part of GNU Arm Embedded Toolchain you downloaded while setting up P2IM environment.
# For example, <objdump> on my machine is /home/bo/gcc-arm-none-eabi-6-2017-q2-update/bin/arm-none-eabi-objdump

### the full path to objdump must be entered here.
objdump     = /home/babyhack/tmp/gcc-arm-none-eabi-10.3-2021.10/bin/arm-none-eabi-objdump
# config below are only used by fuzz.py
bin         = %(base)s/model_instantiation/me.py
log_file    = %(working_dir)s/me.log

Fuzzing environment setup directory

babyhack@ubuntu:~/tmp/p2im/fuzzing/Drone/5$ cp /home/babyhack/tmp/p2im/externals/p2im-real_firmware/Drone ./
babyhack@ubuntu:~/tmp/p2im/fuzzing/Drone/5$ ls
Drone  fuzz.cfg  inputs

Run the fuzzer

#python3 ~/tmp/p2im/model_instantiation/fuzz.py -c fuzz.cfg

babyhack@ubuntu:~/tmp/p2im/fuzzing/Drone/5$ python3 ~/tmp/p2im/model_instantiation/fuzz.py -c fuzz.cfg
Change working dir to: /home/babyhack/tmp/p2im/fuzzing/Drone/5
CWD: /home/babyhack/tmp/p2im/fuzzing/Drone/5

try our best to extract model w/o input
cmd_me0: /home/babyhack/tmp/p2im/model_instantiation/me.py -c /home/babyhack/tmp/p2im/fuzzing/Drone/5/fuzz.cfg --run-num 0 --print-to-file

Change working dir to: 0/
CWD: /home/babyhack/tmp/p2im/fuzzing/Drone/5/0
Redirect stdout to file named stdout

Test environment

0.random.8
run f/w w/ seed input to check if there is aup
cmd_qemu: /home/babyhack/tmp/p2im/qemu/precompiled_bin/qemu-system-gnuarmeclipse -nographic -aflFile /home/bats/random -board NUCLEO-F103RB -mcu STM32F103RB -image /home/babyhack/tmp/p2im/fuzzing/Drone/5/Drone -pm-stagp2im/fuzzing/Drone/5/0.random.7/peripheral_model.json -me-bin /home/babyhack/tmp/p2im/model_instantiation/me.m/fuzzing/Drone/5/fuzz.cfg

There is aup, run ME
cmd_me: /home/babyhack/tmp/p2im/model_instantiation/me.py -c /home/babyhack/tmp/p2im/fuzzing/Drone/5/fuzz.cfge --run-from-forkserver --afl-file /home/babyhack/tmp/p2im/fuzzing/Drone/5/inputs/random --model-if /home/babdom.7/peripheral_model.json
Change working dir to: 0.random.8/
CWD: /home/babyhack/tmp/p2im/fuzzing/Drone/5/0.random.8
Redirect stdout to file named stdout
Traceback (most recent call last):
  File "/home/babyhack/tmp/p2im/model_instantiation/me.py", line 1166, in <module>
    srr_info = stage1_5()
  File "/home/babyhack/tmp/p2im/model_instantiation/me.py", line 490, in stage1_5
    objdump = subprocess.check_output([cfg.objdump, "-dC", cfg.img])
  File "/usr/lib/python3.5/subprocess.py", line 626, in check_output
    **kwargs).stdout
  File "/usr/lib/python3.5/subprocess.py", line 693, in run
    with Popen(*popenargs, **kwargs) as process:
  File "/usr/lib/python3.5/subprocess.py", line 947, in __init__
    restore_signals, start_new_session)
  File "/usr/lib/python3.5/subprocess.py", line 1551, in _execute_child
    raise child_exception_type(errno_num, err_msg)
OSError: [Errno 8] Exec format error
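The traceback above ends in OSError: [Errno 8] Exec format error, raised while me.py execs cfg.objdump in stage1_5; that is what the kernel returns when a binary named in the config is not built for the host that runs it. As an added example (not part of P2IM and not the author's code), the following Python script checks a fuzz.cfg before fuzz.py is launched: it resolves the %(...)s references with configparser, verifies that the required paths are absolute and exist, and reads the ELF e_machine of each binary the host itself must exec (afl-fuzz, QEMU, objdump) to compare it with platform.machine(). The config text, the /opt/p2im and /opt/toolchain paths, the fake filesystem and the ELF headers are constructed sample data; whether P2IM's own parser strips inline # comments is an assumption noted in the code.

```python
import configparser
import os
import platform
import struct

# ELF e_machine values from the ELF specification.
EM_386, EM_ARM, EM_X86_64, EM_AARCH64 = 3, 40, 62, 183
# platform.machine() strings mapped to the e_machine a natively executable binary must carry.
HOST_EM = {"i686": EM_386, "x86_64": EM_X86_64, "AMD64": EM_X86_64,
           "armv7l": EM_ARM, "aarch64": EM_AARCH64, "arm64": EM_AARCH64}


def _elf_header(e_machine):
    """Constructed 20-byte ELF64 little-endian header: e_ident, e_type=EXEC, e_machine."""
    return b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + struct.pack("<HH", 2, e_machine)


X86_64_ELF = _elf_header(EM_X86_64)
AARCH64_ELF = _elf_header(EM_AARCH64)

# Constructed fuzz.cfg modelled on the template above; /opt/p2im and /opt/toolchain are placeholders.
SAMPLE_CFG = """
[DEFAULT]
base        = /opt/p2im  # root of the P2IM checkout (placeholder)
program     = Drone
run         = 5
working_dir = %(base)s/fuzzing/%(program)s/%(run)s

[afl]
bin         = %(base)s/afl/afl-fuzz
timeout     = 150+
input       = %(working_dir)s/inputs
output      = %(working_dir)s/outputs

[qemu]
bin         = %(base)s/qemu/precompiled_bin/qemu-system-gnuarmeclipse

[program]
board       = NUCLEO-F103RB
mcu         = STM32F103RB
img         = %(working_dir)s/Drone

[model]
objdump     = /opt/toolchain/bin/arm-none-eabi-objdump
bin         = %(base)s/model_instantiation/me.py
"""

# Constructed fake filesystem: path -> first bytes of the file (b"" for a directory).
FAKE_FS = {
    "/opt/p2im/afl/afl-fuzz": X86_64_ELF,
    "/opt/p2im/fuzzing/Drone/5/inputs": b"",
    "/opt/p2im/qemu/precompiled_bin/qemu-system-gnuarmeclipse": X86_64_ELF,
    "/opt/p2im/fuzzing/Drone/5/Drone": _elf_header(EM_ARM),   # firmware image: ARM ELF, run by QEMU
    "/opt/toolchain/bin/arm-none-eabi-objdump": X86_64_ELF,
    "/opt/p2im/model_instantiation/me.py": b"#!/usr/bin/env python3\n",
}

# Paths that must be absolute and present before fuzz.py starts.
REQUIRED_PATHS = [("afl", "bin"), ("afl", "input"), ("qemu", "bin"),
                  ("program", "img"), ("model", "objdump"), ("model", "bin")]
# Binaries the host execs directly; the firmware image is excluded because QEMU runs it.
HOST_EXECUTABLES = [("afl", "bin"), ("qemu", "bin"), ("model", "objdump")]


def elf_machine(header):
    """Return e_machine from the first 20 bytes of a file, or None if it is not an ELF file."""
    if len(header) < 20 or header[:4] != b"\x7fELF":
        return None
    endian = "<" if header[5] == 1 else ">"   # EI_DATA: 1 = little endian, 2 = big endian
    return struct.unpack(endian + "H", header[18:20])[0]


def load_cfg(text):
    # BasicInterpolation resolves %(base)s-style references exactly as the template uses them.
    # Assumption: inline "# ..." comments after a value are stripped; if the project's own parser
    # does not do this, such a comment becomes part of the path value.
    cfg = configparser.ConfigParser(inline_comment_prefixes=("#",))
    cfg.read_string(text)
    return cfg


def preflight(cfg_text, exists, read_header, host):
    """Return a list of problems; an empty list means the config passed every check."""
    cfg = load_cfg(cfg_text)
    problems = []
    for section, key in REQUIRED_PATHS:
        path = cfg.get(section, key)
        if not os.path.isabs(path):
            problems.append(f"{section}.{key}: not an absolute path: {path}")
        elif not exists(path):
            problems.append(f"{section}.{key}: does not exist: {path}")
    for section, key in HOST_EXECUTABLES:
        path = cfg.get(section, key)
        if not exists(path):
            continue                                  # already reported above
        em = elf_machine(read_header(path))
        if em is not None and em != HOST_EM.get(host):
            problems.append(f"{section}.{key}: ELF e_machine {em} cannot run on a {host} host "
                            f"(exec would fail with OSError [Errno 8] Exec format error)")
    return problems


def preflight_file(cfg_path):
    """Run the checks against a real fuzz.cfg on the current host."""
    def read_header(path):
        with open(path, "rb") as f:
            return f.read(20)
    with open(cfg_path) as f:
        return preflight(f.read(), os.path.exists, read_header, platform.machine())


if __name__ == "__main__":
    import sys
    for problem in preflight_file(sys.argv[1]):
        print(problem)
```

Run it as python3 preflight.py /path/to/fuzz.cfg; no output means the checks passed. A toolchain binary built for another architecture shows up as one line naming model.objdump, instead of a traceback from inside stage1_5 after the first model-extraction run has already started.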

0.random.9
run f/w w/ seed input to check if there is aup
cmd_qemu: /home/babyhack/tmp/p2im/qemu/precompiled_bin/qemu-system-gnuarmeclipse -nographic -aflFile /home/bats/random -board NUCLEO-F103RB -mcu STM32F103RB -image /home/babyhack/tmp/p2im/fuzzing/Drone/5/Drone -pm-stagp2im/fuzzing/Drone/5/0.random.8/peripheral_model.json -me-bin /home/babyhack/tmp/p2im/model_instantiation/me.m/fuzzing/Drone/5/fuzz.cfg
.............................
babyhack@ubuntu:~/tmp/p2im/fuzzing/Drone/5$ /home/babyhack/tmp/p2im/qemu/precompiled_bin/qemu-system-gnuarme

(process:17789): GLib-WARNING **: /Host/Work/qemu/glib-2.51.0/glib/gmem.c:483: custom memory allocation vtabl
[0, 0]   1-th(total   1-th)     unassigned mem_r *0x0
[0, 0]   2-th(total   2-th)     unassigned mem_r *0x4
QEMU 2.3.50 monitor - type 'help' for more information
(qemu) QEMU 2.3.50 monitor - type 'help' for more information
(qemu) [8004f10, 8004f4e]   1-th(total   3-th)  pm_r *0x40021000 gets 0x0, remains CR+SR
[8004f10, 8004f4e]   1-th(total   1-th)         pm_w *0x40021000 = 0x1, remains CR+SR
[8004f10, 8004f4e]   2-th(total   4-th)         pm_r *0x40021004 gets 0x0, remains CR
[8004f10, 8004f4e]   2-th(total   2-th)         pm_w *0x40021004 = 0x0, remains CR
[8004f10, 8004f4e]   3-th(total   5-th)         pm_r *0x40021000 gets 0x1, remains CR+SR
[8004f10, 8004f4e]   3-th(total   3-th)         pm_w *0x40021000 = 0x1, remains CR+SR
[8004f10, 8004f4e]   4-th(total   6-th)         pm_r *0x40021000 gets 0x1, remains CR+SR
[8004f10, 8004f4e]   4-th(total   4-th)         pm_w *0x40021000 = 0x1, remains CR+SR
[8004f10, 8004f4e]   5-th(total   7-th)         pm_r *0x40021004 gets 0x0, remains CR
[8004f10, 8004f4e]   5-th(total   5-th)         pm_w *0x40021004 = 0x0, remains CR
[8004f10, 8004f4e]   6-th(total   6-th)         pm_w *0x40021008 = 0x9f0000, remains DR
start up afl forkserver!
[8001128, 800113a]   6-th(total   8-th)         pm_r *0x40022000 gets 0x0, remains CR
[8001128, 800113a]   7-th(total   7-th)         pm_w *0x40022000 = 0x10, remains CR
[8004ccc, 8004ce8]   7-th(total   9-th)         pm_r *0x40021018 gets 0x0, remains CR
[8004ccc, 8004ce8]   8-th(total   8-th)         pm_w *0x40021018 = 0x1, remains CR
[8004ccc, 8004ce8]   8-th(total  10-th)         pm_r *0x40021018 gets 0x1, remains CR
[8001cba, 8001cc4]   9-th(total  11-th)         pm_r *0x40021004 gets 0x0, remains CR
[8001cd4, 8001cf0]  10-th(total  12-th)         pm_r *0x40021000 gets 0x1, remains CR+SR
[8001cf6, 8001d10]  11-th(total  13-th)         pm_r *0x40021000 gets 0x1, remains CR+SR
[8001cf6, 8001d10]   9-th(total   9-th)         pm_w *0x40021000 = 0x81, remains CR+SR
...........................
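The pm_r/pm_w lines above are the peripheral model reporting each MMIO access: the code range that issued it, the register address, the value read or written, and the register categories (CR, SR, DR) that remain possible for that register after the access. As an added example (not part of P2IM), the following Python parser aggregates such lines per register so a trace can be reviewed as a table instead of a scrolling log. The sample lines are copied from the session above; the (qemu) prompt prefix, the unassigned accesses and the forkserver line are included on purpose so the parser has to deal with them.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: access lines copied from the QEMU session above.
SAMPLE_LOG = """\
[0, 0]   1-th(total   1-th)     unassigned mem_r *0x0
[0, 0]   2-th(total   2-th)     unassigned mem_r *0x4
(qemu) [8004f10, 8004f4e]   1-th(total   3-th)  pm_r *0x40021000 gets 0x0, remains CR+SR
[8004f10, 8004f4e]   1-th(total   1-th)         pm_w *0x40021000 = 0x1, remains CR+SR
[8004f10, 8004f4e]   2-th(total   4-th)         pm_r *0x40021004 gets 0x0, remains CR
[8004f10, 8004f4e]   2-th(total   2-th)         pm_w *0x40021004 = 0x0, remains CR
[8004f10, 8004f4e]   3-th(total   5-th)         pm_r *0x40021000 gets 0x1, remains CR+SR
[8004f10, 8004f4e]   6-th(total   6-th)         pm_w *0x40021008 = 0x9f0000, remains DR
start up afl forkserver!
[8001128, 800113a]   6-th(total   8-th)         pm_r *0x40022000 gets 0x0, remains CR
[8001128, 800113a]   7-th(total   7-th)         pm_w *0x40022000 = 0x10, remains CR
[8004ccc, 8004ce8]   7-th(total   9-th)         pm_r *0x40021018 gets 0x0, remains CR
[8004ccc, 8004ce8]   8-th(total   8-th)         pm_w *0x40021018 = 0x1, remains CR
[8001cf6, 8001d10]   9-th(total   9-th)         pm_w *0x40021000 = 0x81, remains CR+SR
"""

# One modelled access: [pc_lo, pc_hi] counters pm_r|pm_w *addr (gets|=) value, remains CATS
ACCESS_RE = re.compile(
    r"\[(?P<lo>[0-9a-f]+), (?P<hi>[0-9a-f]+)\]\s+\d+-th\(total\s+\d+-th\)\s+"
    r"(?P<op>pm_r|pm_w) \*(?P<addr>0x[0-9a-f]+) (?:gets|=) (?P<val>0x[0-9a-f]+), remains (?P<cats>[A-Z+]+)")
# An access to memory QEMU has not mapped at all.
UNASSIGNED_RE = re.compile(r"unassigned mem_[rw] \*(?P<addr>0x[0-9a-f]+)")


@dataclass
class RegisterStats:
    reads: int = 0
    writes: int = 0
    remains: str = ""                            # categories still possible after the last access
    values: list = field(default_factory=list)   # values in access order (reads and writes)
    pcs: set = field(default_factory=set)        # code ranges (lo, hi) that touched the register


def summarize(log_text):
    """Aggregate accesses per register; returns (stats keyed by address, unassigned addresses)."""
    regs, unassigned = {}, []
    for line in log_text.splitlines():
        m = ACCESS_RE.search(line)   # search, not match: the monitor prompt may precede the record
        if m:
            st = regs.setdefault(int(m["addr"], 16), RegisterStats())
            if m["op"] == "pm_r":
                st.reads += 1
            else:
                st.writes += 1
            st.remains = m["cats"]
            st.values.append(int(m["val"], 16))
            st.pcs.add((int(m["lo"], 16), int(m["hi"], 16)))
            continue
        u = UNASSIGNED_RE.search(line)
        if u:
            unassigned.append(int(u["addr"], 16))
    return regs, unassigned


def write_only_registers(regs):
    """Registers the firmware has only written so far in this trace."""
    return sorted(a for a, s in regs.items() if s.reads == 0 and s.writes > 0)


def report(log_text):
    """One summary line per register plus one per unassigned access, as a list of strings."""
    regs, unassigned = summarize(log_text)
    lines = [f"{addr:#010x}  r={s.reads} w={s.writes} remains={s.remains} code_ranges={len(s.pcs)}"
             for addr, s in sorted(regs.items())]
    lines += [f"{addr:#010x}  unassigned access (memory not mapped by QEMU)" for addr in unassigned]
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Feed it the stdout file that fuzz.py redirects into each 0.random.N directory to see which registers the model is still undecided about (remains with more than one category) and which addresses were touched outside any modelled peripheral.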

Once the environment is right, AFL fuzzing starts

babyhack@ubuntu:~/tmp/p2im/fuzzing/Drone/5$ ls
0  0.random.1  0.random.2  0.random.3  Drone  fuzz.cfg  inputs  me.log  outputs  run_fw.py
babyhack@ubuntu:~/tmp/p2im/fuzzing/Drone/5$ cd outputs/
babyhack@ubuntu:~/tmp/p2im/fuzzing/Drone/5/outputs$ ls
crashes  fuzz_bitmap  fuzzer_stats  hangs  plot_data  queue
babyhack@ubuntu:~/tmp/p2im/fuzzing/Drone/5/outputs$ ls -sla
total 2116
   4 drwx------ 5 babyhack babyhack    4096 Jan 24 06:58 .
   4 drwxrwxr-x 8 babyhack babyhack    4096 Jan 24 06:51 ..
   4 drwx------ 2 babyhack babyhack    4096 Jan 24 06:52 crashes
   4 -rw------- 1 babyhack babyhack     164 Jan 24 06:58 .cur_input
2048 -rw------- 1 babyhack babyhack 2097152 Jan 24 06:57 fuzz_bitmap
   4 -rw------- 1 babyhack babyhack    1093 Jan 24 06:57 fuzzer_stats
   4 drwx------ 2 babyhack babyhack    4096 Jan 24 06:54 hangs
   8 -rw------- 1 babyhack babyhack    4454 Jan 24 06:58 plot_data
  36 drwx------ 3 babyhack babyhack   36864 Jan 24 06:58 queue
babyhack@ubuntu:~/tmp/p2im/fuzzing/Drone/5/outputs$ cd crashes/
babyhack@ubuntu:~/tmp/p2im/fuzzing/Drone/5/outputs/crashes$ ls
id:000000,ret_v:0x1,src:000000,op:havoc,rep:8  README.txt
babyhack@ubuntu:~/tmp/p2im/fuzzing/Drone/5/outputs/crashes$ ls -sla
total 16
4 drwx------ 2 babyhack babyhack 4096 Jan 24 06:52 .
4 drwx------ 5 babyhack babyhack 4096 Jan 24 06:58 ..
4 -rw------- 1 babyhack babyhack  148 Jan 24 06:52 id:000000,ret_v:0x1,src:000000,op:havoc,rep:8
4 -rw------- 1 babyhack babyhack 1106 Jan 24 06:52 README.txt
babyhack@ubuntu:~/tmp/p2im/fuzzing/Drone/5/outputs/crashes$ cat README.txt
Command line used to find this crash:

/home/babyhack/tmp/p2im/afl/afl-fuzz -i /home/babyhack/tmp/p2im/fuzzing/Drone/5/inputs -o /home/babyhack/tmp/p2im/fuzzing/Drone/5/outputs -t 150+ -QQ -a /home/babyhack/tmp/p2im/model_instantiation/me.py -b /home/babyhack/tmp/p2im/fuzzing/Drone/5/fuzz.cfg -c /home/babyhack/tmp/p2im/fuzzing/Drone/5/0.random.3/peripheral_model.json -T Drone_5 -d /home/babyhack/tmp/p2im/qemu/precompiled_bin/qemu-system-gnuarmeclipse -nographic -board NUCLEO-F103RB -mcu STM32F103RB -image /home/babyhack/tmp/p2im/fuzzing/Drone/5/Drone -pm-stage 3 -aflFile @@

If you can't reproduce a bug outside of afl-fuzz, be sure to set the same
memory limit. The limit used for this fuzzing session was 2.00 GB.

Need a tool to minimize test cases before investigating the crashes or sending
them to a vendor? Check out the afl-tmin that comes with the fuzzer!

Found any cool bugs in open-source tools using afl-fuzz? If yes, please drop
me a mail at <lcamtuf@coredump.cx> once the issues are fixed - I'd love to
add your finds to the gallery at:

  http://lcamtuf.coredump.cx/afl/

Thanks :-)
babyhack@ubuntu:~/tmp/p2im/fuzzing/Drone/5/outputs/crashes$
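The README.txt next to the crash records the exact afl-fuzz command line, and in it everything after -d is the emulator invocation, with @@ standing for the input file. As an added example (not P2IM's run_fw.py and not code from the page), the following Python helper turns that README into a command for re-running one crash file directly under QEMU and derives a ulimit that matches the recorded memory limit. That -d separates the afl-fuzz options from the emulator command is an assumption read off the README shown above (upstream AFL gives -d a different meaning); the sample text is that README trimmed to the lines the parser uses.

```python
import re
import shlex

# Constructed sample: the README.txt shown above, trimmed to the lines the parser needs.
SAMPLE_README = """\
Command line used to find this crash:

/home/babyhack/tmp/p2im/afl/afl-fuzz -i /home/babyhack/tmp/p2im/fuzzing/Drone/5/inputs -o /home/babyhack/tmp/p2im/fuzzing/Drone/5/outputs -t 150+ -QQ -a /home/babyhack/tmp/p2im/model_instantiation/me.py -b /home/babyhack/tmp/p2im/fuzzing/Drone/5/fuzz.cfg -c /home/babyhack/tmp/p2im/fuzzing/Drone/5/0.random.3/peripheral_model.json -T Drone_5 -d /home/babyhack/tmp/p2im/qemu/precompiled_bin/qemu-system-gnuarmeclipse -nographic -board NUCLEO-F103RB -mcu STM32F103RB -image /home/babyhack/tmp/p2im/fuzzing/Drone/5/Drone -pm-stage 3 -aflFile @@

If you can't reproduce a bug outside of afl-fuzz, be sure to set the same
memory limit. The limit used for this fuzzing session was 2.00 GB.
"""


def parse_crash_readme(text):
    """Split the recorded command into afl-fuzz argv and emulator argv; pick up the memory limit."""
    lines = text.splitlines()
    try:
        start = next(i for i, line in enumerate(lines) if line.startswith("Command line used"))
    except StopIteration:
        raise ValueError("no 'Command line used to find this crash' header in README")
    cmdline = next(line for line in lines[start + 1:] if line.strip())
    argv = shlex.split(cmdline)
    # Assumption: in P2IM's afl-fuzz the tokens after -d are the emulator command line,
    # as in the README above; the first -d is taken as that separator.
    if "-d" not in argv:
        raise ValueError("no -d separator before the emulator command")
    d = argv.index("-d")
    m = re.search(r"was ([0-9.]+) GB", text)
    return {"afl": argv[:d], "emulator": argv[d + 1:],
            "mem_limit_gb": float(m.group(1)) if m else None}


def repro_argv(text, crash_path):
    """Emulator argv for re-running one crash input: @@ is replaced by the crash file path."""
    emulator = parse_crash_readme(text)["emulator"]
    if "@@" not in emulator:
        raise ValueError("no @@ placeholder in the emulator command")
    return [crash_path if tok == "@@" else tok for tok in emulator]


def ulimit_prefix(mem_limit_gb):
    """Shell prefix that caps the address space the way afl-fuzz's -m does (ulimit -v takes KiB)."""
    return f"ulimit -v {int(mem_limit_gb * 1024 * 1024)};"


if __name__ == "__main__":
    import sys
    readme_path, crash_path = sys.argv[1], sys.argv[2]
    with open(readme_path) as f:
        text = f.read()
    info = parse_crash_readme(text)
    print(ulimit_prefix(info["mem_limit_gb"]), shlex.join(repro_argv(text, crash_path)))
```

Usage: python3 repro.py outputs/crashes/README.txt 'outputs/crashes/id:000000,ret_v:0x1,src:000000,op:havoc,rep:8' prints a one-line shell command; paste it into a subshell so the ulimit applies only to that QEMU run. The afl part of the parse is kept so the peripheral_model.json passed with -c can be checked against the one the emulator command references.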
