Afl - 4fun and pr0fit

AFL - 4Fun & Pr0fit
Muhammad Sahputra - Chief Executive Officer @ Mahapatih.ID
<rasyid /at/ mahapatih.id>
Research Team Sharing Session - PT Mahapatih Sibernusa Teknologi

–Erlend Oftedal
https://www.youtube.com/watch?v=DFQT1Yx
vpDo&t=2109s

Basic Fuzzing
• Throw garbage at an application, and see if you hit
something
• Sample application: PNG parser
$ cat /dev/urandom | convert -in — -out data.png

Mutational Fuzzer
• Mutate valid input
• flip bits
• relocate data
• More effective than random
• May run the same thing over and over again

Grammar Fuzzer
• Define rules for how the input should be changed
• Better control over input - good for structured data
• Time consuming to setup - knowledge

Feedback-based Fuzzer
• Application feedback - instrumentation / coverage data
• Slower, but less repetition
• High effectiveness
• For best result, requires source code (compile time
instrumentation)

AFL
• American Fuzzy Lop
• Developed by Michal Zalewski (@lcamtuf)
• Opensource: http://lcamtuf.coredump.cx/afl/
• Optimized and smart

Installing AFL
$ git clone https://github.com/google/AFL.git
$ cd AFL
$ make
$ cd llvm_mode && make && cd ..
$ cd libdislocator/ && make && sudo cp libdislocator.so /usr/local/lib && cd
..
$ sudo make install

LLVM: Fuzzing non-x86
• Instrumentation is CPU-independent
• Build afl-fuzz with AFL_NO_X86=1

Workflow
1. Compile the target binary with AFL
2. Find a test corpus
3. Run the fuzzer
4. Triage the findings
5. Profit..!

Compile the target binary with AFL
• CC / CXX - standard env variable for configuration with C / C++ compiler to use:
- afl-gcc / afl-g++
- afl-clang / afl-clang++
- afl-clang-fast / afl-clang-fast++
• AFL_INST_RATIO - instrumentation ratio (0-100%)
• AFL_HARDEN=1 - adds code hardening (includes -D_FORTIFY_SOURCE=2 and -fstack-
protector-all
See https://github.com/google/AFL/blob/master/docs/env_variables.txt for more

Find a test corpus
$ afl-cmin -i <in folder> -o <out folder> — <binary to run> <options to binary> @@
$ afl-tmin -i <test case file> -o <minimized file> — <binary to run> <options to binary> @@
• Files from unit / integration tests
- Source code repo / github / sample folders
• Optimization: Minimize the list of the cases
• Optimization: Minimize each test file

Run the Fuzzer
$ screen -S <fuzzing session name> /bin/bash -c "afl-fuzz -i <input> -o <output> -M fuzzer1 -- /path/to/app“ [Master]
ctrl+a-c [to create new window]
$ afl-fuzz -i <input> -o <output> -S fuzzer2 -- /path/to/app [Slave]
ctrl+a-c [to create new window]
$ afl-fuzz -i <input> -o <output> -S fuzzer3 -- /path/to/app [Slave]
…
…
ctrl+a “ [to list all windows of running session]

Triage the Findings
• Runt the crash files through normal binary
- Compile without afl
- Possibly use address sanitizer or memory sanitizer
- GDB exploitable plugin: https://github.com/jfoote/exploitable
- GDB exploit development plugin: https://github.com/longld/peda

Triage the Findings
• Report findings to dev team
• Fix if you are part of dev team
• Responsible disclosure (i.e bug bounty)
• Simply keep the bug for yourself and develop reliable exploit for
more $$$ ;)

rapidjson
1. Compile the target binary without AFL and have an understanding of how it
works
2. Compile the target binary with AFL to insert instrumentation
3. Find a test corpus
4. Run the fuzzer
5. Triage the findings
6. Profit..!

Compile the target binary without AFL
$ git clone https://github.com/Tencent/rapidjson.git
$ cd rapidjson
$ mkdir build && cd build && cmake ..
$ make
We’re going to fuzz one
of these sample tool:
jsonx

What is jsonx about?
- JSON to JSONx conversion example, using SAX API.
- JSONx is an IBM standard format to represent JSON as XML.
- JSONx parses JSON text from stdin with validation, and convert to JSONx format to stdout.
- https://www-01.ibm.com/support/knowledgecenter/SS9H2Y_7.1.0/com.ibm.dp.doc/json_jsonx.html
See https://github.com/Tencent/rapidjson/blob/master/example/jsonx/jsonx.cpp for more

Compile the target binary with AFL
Research Team Sharing Session - PT Mahapatih Sibernusa

Find test corpus
- Find good test data to seed fuzzing.
- Test data usually readily available throughout the internet.
- Even better, some repo in github already included fuzzing data we can use.
- https://github.com/DaveGamble/cJSON/tree/master/tests/inputs for example
- Make sure uninstrumented binary can use the test data

Corpus minimization: afl-cmin
• Minimize the list of the cases
• According to AFL, only 12 of 15 test files are ‘good’ enough to
seed the fuzzing

Corpus minimization: afl-tmin
• Minimize each test case file

Run the Fuzzer
- AFL utilize CPU core. Use dedicated machine (not shared hosting).
- Check CPU core availability before starting
- Use screen to run several fuzzing session against one target (master + slave)

Triage the findings
- We can observe further and analyze the crash without interrupting the running fuzzer.
- All result availabe under “output” folder.
- Folder “crashes” contains all input that causes crash on fuzzed binary app.

Triage the findings
- Use GDB and several plugins to analyse the crashes.
- Exploitable plugin shows if the crash potentially security related.
- PEDA plugin have several features required to help us develop reliable exploit.
- $ gdb ./jsonx
- $ source ~/exploitable/exploitable/exploitable.py
- $ source ~/peda/peda.py
- $ r < ~/mst/instr/rapidjson/build/fuzzing/output/fuzzer7/crashes/<choose one of the input file that
generate crash>
- use “exploitable” or “peda features” to analyse further

Triage the findings
Exploitable!

Profit
• Fuzzing is an art, need lot of practice to sharpen your sense and skill
• Again, practice makes perfect!
• Tons of application in github to start, make your hand ditry right away
• Fuzz your own apps (e-commerce backend system, banking apps, etc)
• I will continue with more advanced topic later such as distributed fuzzing, fuzzing using libFuzzer, etc
• Ping me if you’re really enjoying the art of hardcore hacking, so we can fuzz together, or develop smart
fuzzer for better future ;) [twitter: @cyberheb / linkedin:
https://www.linkedin.com/in/muhammadsahputra/]

Afl - 4fun and pr0fit

More Related Content

What's hot (20)

Similar to Afl - 4fun and pr0fit (20)

Recently uploaded (20)

Afl - 4fun and pr0fit