
Installation

$ sudo apt update
$ sudo apt install -y build-essential python3-dev automake git flex bison libglib2.0-dev libpixman-1-dev python3-setuptools cmake
$ sudo apt install -y lld-11 llvm-11 llvm-11-dev clang-11
$ sudo apt install -y gcc-$(gcc --version|head -n1|sed 's/.* //'|sed 's/\..*//')-plugin-dev libstdc++-$(gcc --version|head -n1|sed 's/.* //'|sed 's/\..*//')-dev
$ cd $HOME
$ git clone https://github.com/AFLplusplus/AFLplusplus && cd AFLplusplus
$ export LLVM_CONFIG="llvm-config-11"
$ make distrib
$ sudo make install

AFL++ test run

  •  The test uses an old release as the target (xpdf 3.02, CVE-2019-13288)

Installing the target

$ cd $HOME
$ mkdir fuzzing_xpdf && cd fuzzing_xpdf/
$ wget https://dl.xpdfreader.com/old/xpdf-3.02.tar.gz
$ tar -zxvf xpdf-3.02.tar.gz
$ cd xpdf-3.02/

Compiling (LLVM 11, afl-clang-lto)

$ export AFL_USE_ASAN=1
$ export LLVM_CONFIG="llvm-config-11"
$ CC=$HOME/AFLplusplus/afl-clang-lto CXX=$HOME/AFLplusplus/afl-clang-lto++ ./configure --prefix="$HOME/fuzzing_xpdf/install/"
$ make
$ make install
# [ASAN option] autotools build of xpdf 3.02 with afl-clang-fast. AFL_USE_ASAN=1 already injects -fsanitize=address;
# the explicit flags additionally turn on UBSAN, make every sanitizer finding fatal (-fno-sanitize-recover=all)
# and keep debug info so the reports are symbolised.
CC=afl-clang-fast CXX=afl-clang-fast++ \
  CFLAGS="-fno-rtti -fsanitize=address,undefined -fno-sanitize-recover=all -g" \
  CXXFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" \
  LDFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" \
  ./configure --prefix="/home/babyhack/ASASN_xpdf/install/"
# [ASAN option] CMake build of xpdf 4.03. The sanitizers come from the *_FLAGS variables, so a plain Debug build type
# is enough; the install prefix is given as an absolute path because the shell does not expand ~ after -D...=.
cmake -DCMAKE_C_COMPILER=afl-clang-fast -DCMAKE_CXX_COMPILER=afl-clang-fast++ \
  -DCMAKE_CXX_FLAGS="-fno-rtti -fsanitize=address,undefined -fno-sanitize-recover=all -g" \
  -DCMAKE_C_FLAGS="-fno-rtti -fsanitize=address,undefined -fno-sanitize-recover=all -g" \
  -DCMAKE_EXE_LINKER_FLAGS="-fno-rtti -fsanitize=address,undefined -fno-sanitize-recover=all" \
  -DCMAKE_MODULE_LINKER_FLAGS="-fno-rtti -fsanitize=address,undefined -fno-sanitize-recover=all" \
  -DCMAKE_INSTALL_PREFIX=/root/fuzz_xpdf-4.03/install/ \
  -DCMAKE_BUILD_TYPE=Debug -DWITH_SSE2=ON -DMONOLITHIC_BUILD=ON -DBUILD_SHARED_LIBS=OFF .

Sample files (seed corpus)

$ cd $HOME/fuzzing_xpdf
$ mkdir pdf_examples && cd pdf_examples
$ wget https://github.com/mozilla/pdf.js-sample-files/raw/master/helloworld.pdf 
$ wget http://www.africau.edu/images/default/sample.pdf 
$ wget https://www.melbpc.org.au/wp-content/uploads/2017/10/small-example-pdf-file.pdf

Smoke test of the instrumented binary

$HOME/fuzzing_xpdf/install/bin/pdfinfo -box -meta $HOME/fuzzing_xpdf/pdf_examples/helloworld.pdf

Fuzzing

  • afl-fuzz refuses to start while the CPU frequency scaling governor is not set to "performance". Changing the governor needs root, which is why the command below is run as root; the alternative is to export AFL_SKIP_CPUFREQ=1 and accept a slower, less stable execution speed.

[-] PROGRAM ABORT : Suboptimal CPU scaling governor Location : check_cpu_governor(), src/afl-fuzz-init.c:2310

  • Command
root@raspberrypi$ afl-fuzz -i ~babyhack/fuzzing_xpdf/pdf_examples/ -o ~babyhack/fuzzing_xpdf/out/ -s 123 -- ~babyhack/fuzzing_xpdf/install/bin/pdftotext @@ ~babyhack/fuzzing_xpdf/output
  • Options
    • -i : directory holding the seed test cases (the sample PDFs downloaded above).
    • -o : directory where AFL++ writes its findings: the queue of interesting mutated inputs plus the crashes/ and hangs/ subdirectories.
    • -s : a fixed random seed. It is set only so that this walkthrough reproduces the same results every time (teaching material); drop it to fuzz with a random seed.
    • @@ : replaced on the target's command line, for every execution, with the path of the mutated file AFL++ generated. The last argument is the text file pdftotext writes its output to.

The crashes folder

$ cd /home/cpuu/fuzzing_xpdf/out/default/crashes 
$ ls -l 
total 8 
-rw------- 1 cpuu cpuu 689 Jan 26 11:31 README.txt 
-rw------- 1 cpuu cpuu 3941 Jan 26 11:31 id:000000,sig:11,src:000963,time:73213,execs:69034,op:havoc,rep:8

Crash analysis

  • Triage using dact (feat. ASAN): rebuild the target with ASAN so that each crash file produces a readable sanitizer report instead of a bare SIGSEGV
$ export AFL_USE_ASAN=1
$ CC=[afl folder]/afl-clang-fast CXX=[afl folder]/afl-clang-fast++ CFLAGS="-fsanitize=address -g" CXXFLAGS="-fsanitize=address -g" LDFLAGS="-fsanitize=address -g" ./configure
$ make
  • Result with ASAN
# [with ASAN]
$ ~babyhack/fuzzing_xpdf/ASASN_xpdf/install/bin/pdftotext /home/babyhack/fuzzing_xpdf/out/xpdf/crashes/id:000000,sig:11,src:000000+000126,time:723512,execs:41054,op:splice,rep:16
Error: PDF file is damaged - attempting to reconstruct xref table...
Error (1499): Illegal character <47> in hex string
Error (1500): Illegal character <6f> in hex string
Error (1501): Illegal character <54> in hex string
Error (1502): Illegal character <6f> in hex string
Error (1503): Illegal character <52> in hex string
Error: Missing 'endstream'
AddressSanitizer:DEADLYSIGNAL
=================================================================
==4021875==ERROR: AddressSanitizer: stack-overflow on address 0x007fc42ccfd0 (pc 0x0000004b1f34 bp 0x007fb7114000 sp 0x007fc42ccfb0 T0)
AddressSanitizer:DEADLYSIGNAL
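Once the ASAN build exists, every file in crashes/ can be replayed through it and grouped by sanitizer error and faulting location, which separates distinct bugs from the many near-duplicates AFL++ saves. The script below is an added example, not part of the original post or of AFL++: it parses the metadata in the AFL++ crash file names (the listing above), re-runs the ASAN-instrumented pdftotext on each crash file with @@ substituted the way afl-fuzz does, parses the first line of the AddressSanitizer report and its innermost stack frame, and buckets the results. The target path under __main__ is an assumption taken from the post's layout, and SAMPLE_REPORT is a constructed input: the stack-overflow line from the output above plus an invented frame line.

```python
"""Crash triage for the AFL++/xpdf exercise.

Added example, not from the original post or from AFL++. Replays each file
from an AFL++ crashes/ directory through an ASAN-instrumented build of the
target, parses the AddressSanitizer report and groups the crashes by
(error kind, top frame or pc) so duplicates can be set aside.
The paths under __main__ are assumptions taken from the post's layout.
"""
import os
import re
import subprocess
import sys
from collections import defaultdict

# AFL++ crash file names encode the signal and the mutation that produced them:
#   id:000000,sig:11,src:000963,time:73213,execs:69034,op:havoc,rep:8
AFL_NAME_RE = re.compile(r"(?:^|,)([a-z]+):([^,]+)")

# First line of an ASAN report. SEGV/stack-overflow reports print "(pc ...",
# buffer overflows and use-after-free print "at pc ...".
ASAN_ERROR_RE = re.compile(
    r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+)"
    r"(?: on (?:unknown )?address (?P<addr>0x[0-9a-f]+))?"
    r"(?:.*?(?:at |\()pc (?P<pc>0x[0-9a-f]+))?"
)
# Innermost frame of the stack trace, e.g. "#0 0x4b1f34 in Parser::getObj(...) Parser.cc:100"
ASAN_FRAME_RE = re.compile(r"^\s*#0 0x[0-9a-f]+ in (?P<func>[^\s(]+)", re.M)

# Constructed sample: the stack-overflow line from the post's ASAN run plus an
# invented frame line, so the parser can be exercised without a target binary.
SAMPLE_REPORT = """Error: Missing 'endstream'
AddressSanitizer:DEADLYSIGNAL
=================================================================
==4021875==ERROR: AddressSanitizer: stack-overflow on address 0x007fc42ccfd0 (pc 0x0000004b1f34 bp 0x007fb7114000 sp 0x007fc42ccfb0 T0)
    #0 0x4b1f34 in Parser::getObj(Object*, unsigned char*, unsigned int, int, int, int, int) Parser.cc:100
"""


def parse_afl_name(name):
    """Split an AFL++ crash file name into its key:value fields."""
    return dict(AFL_NAME_RE.findall(os.path.basename(name)))


def parse_asan_report(stderr):
    """Return {kind, addr, pc, frame} from ASAN stderr, or None if there is no report."""
    m = ASAN_ERROR_RE.search(stderr)
    if not m:
        return None
    frame = ASAN_FRAME_RE.search(stderr)
    return {
        "kind": m.group("kind"),
        "addr": m.group("addr"),
        "pc": m.group("pc"),
        "frame": frame.group("func") if frame else None,
    }


def bucket_key(report):
    """Same sanitizer error at the same top frame (or pc when unsymbolised) is
    almost always the same bug; this is the coarse key used for grouping."""
    return (report["kind"], report["frame"] or report["pc"])


def run_target(cmd, crash_path, timeout=20):
    """Run the ASAN build on one crash file, substituting @@ the way afl-fuzz does."""
    argv = [crash_path if a == "@@" else a for a in cmd]
    env = dict(os.environ, ASAN_OPTIONS="abort_on_error=1:detect_leaks=0")
    try:
        p = subprocess.run(argv, capture_output=True, text=True, errors="replace",
                           timeout=timeout, env=env)
    except subprocess.TimeoutExpired:
        return {"kind": "timeout", "addr": None, "pc": None, "frame": None}
    report = parse_asan_report(p.stderr)
    if report is None and p.returncode < 0:
        # Killed by a signal without an ASAN report (e.g. SIGKILL, or a fault ASAN did not intercept)
        report = {"kind": "signal-%d" % -p.returncode, "addr": None, "pc": None, "frame": None}
    return report


def triage(crashes_dir, cmd):
    """Group every AFL++ crash file in crashes_dir by ASAN error kind and location."""
    buckets = defaultdict(list)
    for name in sorted(os.listdir(crashes_dir)):
        if not name.startswith("id:"):  # skips README.txt
            continue
        report = run_target(cmd, os.path.join(crashes_dir, name))
        key = bucket_key(report) if report else ("no-crash", None)
        buckets[key].append(dict(parse_afl_name(name), file=name))
    return dict(buckets)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        # No crashes directory given: show the parser on the constructed sample.
        print(parse_asan_report(SAMPLE_REPORT))
        sys.exit(0)
    # Assumed layout from the post: argv[1] is out/default/crashes, the target is the ASAN pdftotext.
    target = [os.path.expanduser("~/fuzzing_xpdf/ASASN_xpdf/install/bin/pdftotext"), "@@", "/dev/null"]
    for key, items in sorted(triage(sys.argv[1], target).items(), key=lambda kv: -len(kv[1])):
        print("%s @ %s: %d crash file(s)" % (key[0], key[1], len(items)))
        for it in items:
            print("    %s  (sig %s, op %s)" % (it["file"], it.get("sig"), it.get("op")))
```

Run it as `python3 triage.py ~/fuzzing_xpdf/out/default/crashes`; run it without arguments to see the parsed fields for the sample report. Grouping by the innermost frame is deliberately coarse: a stack overflow from unbounded recursion, as in the report above, lands on whichever frame happened to exhaust the stack, so for that bug class comparing a few frames further up the trace (or the AFL++ src: field, which names the queue entry the crash was mutated from) gives a more stable key.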

 

ref. 

https://cpuu.postype.com/post/11671863
