This article gives some tips on running AFL++ in QEMU mode to do simple fuzzing of an ARM ELF binary.
Environment
Ubuntu 20.04
AFLplusplus (AFL++)
build-essential
arm-linux-gnueabi-gcc
aarch64-linux-gnu-gcc
docker
Sample C code to fuzz
// vuln.c: deliberately vulnerable to a format string attack.
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
int main(int argc, char **argv)
{
        char buf[8];                 /* not NUL-terminated after read() */
        if (read(0, buf, 8) < 1)     /* up to 8 bytes from stdin */
        {
                exit(1);
        }
        printf(buf);                 /* user input used as the format string; fix: printf("%s", buf) */
        exit(0);
}
Cross-compile it with arm-linux-gnueabi-gcc (on Ubuntu the compiler comes from the gcc-arm-linux-gnueabi package: apt install gcc-arm-linux-gnueabi). Link statically, otherwise afl-qemu-trace would also need an ARM sysroot containing the target's shared libraries and dynamic loader.
$ arm-linux-gnueabi-gcc -o vuln_arm vuln.c -static
vuln.c: In function ‘main’:
vuln.c:12:9: warning: format not a string literal and no format arguments [-Wformat-security]
12 | printf(buf);
| ^~~
$ file vuln_arm
vuln_arm: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, BuildID[sha1]=1a36dfdd076c4e2d445d4ae3e89e24641141ddee, for GNU/Linux 3.2.0, not stripped
Pull the AFL++ Docker image and start it. The advantage of using Docker is that you do not need to build AFL++ yourself.
$ sudo docker pull aflplusplus/aflplusplus
Using default tag: latest
latest: Pulling from aflplusplus/aflplusplus
Digest: sha256:bb5b09f7497c71a44a08fba0feb8c72153588dee5c96b7eafc1e57b910e2fdc1
Status: Image is up to date for aflplusplus/aflplusplus:latest
docker.io/aflplusplus/aflplusplus:latest
$ sudo docker run -it --rm -v $HOME:$HOME aflplusplus/aflplusplus
[AFL++ 8cc94948d57b] /AFLplusplus #
...
-rwxr-xr-x 1 root root 216704 Sep 6 10:34 afl-cc
...
lrwxrwxrwx 1 root root 6 Sep 6 10:34 afl-clang -> afl-cc
...
-rwxr-xr-x 1 root root 1818920 Sep 6 10:34 afl-fuzz
...
lrwxrwxrwx 1 root root 6 Sep 6 10:34 afl-gcc -> afl-cc
...
-rwxr-xr-x 1 root root 5109216 Sep 6 10:37 afl-qemu-trace
...
Next, build an ARM-targeted afl-qemu-trace. The afl-qemu-trace shipped in the image targets the host architecture, so it has to be rebuilt with CPU_TARGET=arm. You can copy the resulting ./afl-qemu-trace to /usr/local/bin/ for later use; note that the container was started with --rm, so anything built inside it is gone when it exits unless you copy it under the mounted $HOME.
[AFL++ 1e70a664f43e] /AFLplusplus/qemu_mode # CPU_TARGET=arm ./build_qemu_support.sh
=================================================
QemuAFL build script
=================================================
[*] Performing basic sanity checks...
[+] All checks passed!
[*] Making sure qemuafl is checked out
[*] cloning qemuafl
[+] Got qemuafl.
[*] Checking out 847b43acb1
Already up to date.
HEAD is now at 847b43a AFL_OLD_FORKSERVER
[*] Making sure imported headers matches
[*] Configuring QEMU for arm...
Building for CPU target arm
...
make[1]: Leaving directory '/AFLplusplus/qemu_mode/qemuafl/build'
[+] Build process successful!
[*] Copying binary...
-rwxr-xr-x 1 root root 6316184 Sep 19 02:09 ../afl-qemu-trace
[+] Successfully created '../afl-qemu-trace'.
[!] Note: can't test instrumentation when CPU_TARGET set.
[+] All set, you can now (hopefully) use the -Q mode in afl-fuzz!
[!] Cross compiler arm-pc-linux-gnu-gcc could not be found, cannot compile libcompcov libqasan and unsigaction
[+] All done for qemu_mode, enjoy!
[AFL++ 1e70a664f43e] /AFLplusplus/qemu_mode # cp ../afl-qemu-trace /usr/local/bin/
Now, let's start fuzzing. The warning above about the missing arm-pc-linux-gnu-gcc only means that the optional libcompcov, libqasan and unsigaction helpers were not built; they are not needed for this test.
# Make seeds
# mkdir -p seeds
# echo "sample input" > ./seeds/test.txt
# mkdir -p out
# Run QEMU mode and start fuzz arm ELF vuln
[AFL++ 1e70a664f43e] /home/chen/AFLPlusPlus/test # afl-fuzz -Q -i ./seeds -o ./out ./vuln_arm
Because the command line contains no @@, AFL++ feeds each test case on stdin, which matches the read(0, ...) in vuln.c. Checking out/default/crashes shows that many mutated inputs make the binary die with SIGSEGV (sig:11). Every one of these inputs contains %s-style directives, which make printf consume an argument that was never passed and dereference it as a pointer.
[AFL++ 1e70a664f43e] /home/chen/AFLPlusPlus/test # ls out/default/crashes/
README.txt
id:000000,sig:11,src:000000,time:1824,execs:3273,op:havoc,rep:12
id:000001,sig:11,src:000000,time:5168,execs:8794,op:havoc,rep:3
id:000002,sig:11,src:000000,time:5357,execs:9110,op:havoc,rep:2
id:000003,sig:11,src:000000,time:5387,execs:9154,op:havoc,rep:4
id:000004,sig:11,src:000000,time:6862,execs:11629,op:havoc,rep:10
id:000005,sig:11,src:000044,time:8486,execs:14461,op:havoc,rep:4
id:000006,sig:11,src:000044+000038,time:8544,execs:14564,op:splice,rep:1
id:000007,sig:11,src:000186,time:16004,execs:19354,op:havoc,rep:6
[AFL++ 1e70a664f43e] /home/chen/AFLPlusPlus/test # xxd out/default/crashes/id:000000,sig:11,src:000000,time:1824,execs:3273,op:havoc,rep:12
00000000: 2573 ed6d 6d25 73ed 6d6d 5eb1 2504 2514 %s.mm%s.mm^.%.%.
00000010: 3914 706e 5eb1 2504 7625 1439 1470 6e74 9.pn^.%.v%.9.pnt
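As an added example (not part of the original post or of AFL++), the following POSIX shell script triages a crashes directory like the one above: it parses the fields AFL++ encodes in each crash file name, counts the printf conversion directives in each input to show why the sample segfaults, and replays each input through afl-qemu-trace when that binary and the target are available. The afl_* and fmt_* function names, the temporary directory and the second sample input are my own assumptions; the first sample input reproduces the bytes xxd showed for id:000000.

```shell
#!/bin/sh
# Crash triage for an AFL++ QEMU-mode run (added example, not from the
# original post). Function names, the temp directory and the second sample
# input are assumptions; the first sample input is the byte sequence xxd
# showed for id:000000.

# Print the fields AFL++ encodes in a crash file name, one "key=value" per
# line, e.g. id=000000, sig=11, src=000000, op=havoc, rep=12.
afl_crash_fields() {
    basename "$1" | tr ',' '\n' | tr ':' '='
}

# Value of a single field ("sig", "op", ...) from a crash file name.
afl_crash_field() {
    afl_crash_fields "$1" | sed -n "s/^$2=//p"
}

# Count printf conversion directives (%s, %x, %p, %n, ...) in one input.
# Each of them makes printf consume an argument that was never passed; %s
# dereferences that value as a char *, %n writes through it as an int *.
# The pattern is a heuristic (flags/width + conversion); "%%" is not counted.
fmt_directive_count() {
    LC_ALL=C grep -ao '%[-+ #0-9.]*[diouxXcspn]' "$1" | wc -l | tr -d ' '
}

# One line per crash: id, signal, mutation stage and directive count.
afl_crash_summary() {
    for f in "$1"/id:*; do
        [ -e "$f" ] || continue
        printf '%s sig=%s op=%s directives=%s\n' \
            "$(afl_crash_field "$f" id)" "$(afl_crash_field "$f" sig)" \
            "$(afl_crash_field "$f" op)" "$(fmt_directive_count "$f")"
    done
}

# Replay every crash through afl-qemu-trace on stdin (the sample reads fd 0)
# and report the exit status: 128+signal, so 139 confirms SIGSEGV.
# Skipped when afl-qemu-trace or the target is missing, so the rest of the
# script still runs offline.
afl_crash_replay() {
    dir=$1
    target=$2
    command -v afl-qemu-trace >/dev/null 2>&1 || {
        echo "afl-qemu-trace not on PATH, skipping replay"; return 0; }
    [ -x "$target" ] || { echo "target $target not found, skipping replay"; return 0; }
    for f in "$dir"/id:*; do
        [ -e "$f" ] || continue
        rc=0
        afl-qemu-trace "$target" < "$f" > /dev/null 2>&1 || rc=$?
        echo "$(afl_crash_field "$f" id) exit=$rc"
    done
}

# Constructed sample crashes directory. The first file is the exact byte
# sequence from the xxd dump of id:000000; the second is a made-up
# splice-stage input that also carries a %n.
make_sample_crashes() {
    mkdir -p "$1"
    printf '%%s\355mm%%s\355mm^\261%%\004%%\0249\024pn^\261%%\004v%%\024\0249\024pnt' \
        > "$1/id:000000,sig:11,src:000000,time:1824,execs:3273,op:havoc,rep:12"
    printf 'AAAA%%x%%x%%x%%n' \
        > "$1/id:000006,sig:11,src:000044+000038,time:8544,execs:14564,op:splice,rep:1"
}

# Demo on the constructed samples. Against a real run, point the functions at
# out/default/crashes and the fuzzed binary:
#   afl_crash_summary ./out/default/crashes
#   afl_crash_replay  ./out/default/crashes ./vuln_arm
tmp=$(mktemp -d)
make_sample_crashes "$tmp"
afl_crash_summary "$tmp"
afl_crash_replay "$tmp" ./vuln_arm
rm -rf "$tmp"
```

Run it inside the container after the afl-fuzz session, from the same directory as vuln_arm; the replay step is the quickest way to confirm that a saved crash is reproducible outside afl-fuzz before spending time on it in a debugger.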