Programs that can be fuzzed are those that take input files, usually binary files or unusual formats. (Think mp3, multimedia, images, etc.)

We'll be fuzzing [[John the Ripper]] to understand how AFL works.

==Compiling John the Ripper==

We want to download and compile John so that it will be instrumented.

===Dependencies===

Start with the dependencies: the OpenSSL development libraries. The quick way is the distribution package:

<pre>
# apt-get install --fix-missing libssl-dev
</pre>

Alternatively, build LibreSSL with afl-gcc so that the library John links against is instrumented as well (the afl-gcc path below is the one inside your unpacked AFL tree):

<pre>
wget http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.1.6.tar.gz
tar -xvf libressl-2.1.6.tar.gz
cd libressl-2.1.6/
CC=~/afl/afl-1.57b/afl-gcc ./configure
make check
mkdir /root/testing
export DESTDIR=/root/testing/
make install
</pre>

===Get John the Ripper===

<pre>
# git clone git@github.com:magnumripper/JohnTheRipper.git
# cd JohnTheRipper/src
# ./configure --help
</pre>

===Compile John the Ripper===

We will compile John the Ripper using American Fuzzy Lop's own GCC wrapper, afl-gcc, so that every object file gets instrumented:

<pre>
CC=/path/to/afl-gcc ./configure

[...]

config.status: creating Makefile
config.status: creating aes/Makefile
config.status: creating aes/aesni/Makefile
config.status: creating aes/openssl/Makefile
config.status: creating escrypt/Makefile
config.status: creating autoconfig.h
config.status: linking x86-64.h to arch.h
config.status: executing default commands
configure: creating ./fmt_externs.h
afl-cc 2.10b by <lcamtuf@google.com>
configure: creating ./fmt_registers.h
afl-cc 2.10b by <lcamtuf@google.com>
afl-cc 2.10b by <lcamtuf@google.com>
afl-cc 2.10b by <lcamtuf@google.com>

Configured for building John the Ripper jumbo:

Target CPU ................................. x86_64 SSE4.1, 64-bit LE
AES-NI support ............................. depends on OpenSSL
Target OS .................................. linux-gnu
Cross compiling ............................ no
Legacy arch header ......................... x86-64.h

Optional libraries/features found:
Fuzzing test ............................... no
Experimental code .......................... no
OpenMPI support (default disabled) ......... no
Fork support ............................... yes
OpenMP support ............................. yes (not for fast formats)
CUDA support (default disabled by OpenCL) .. no
OpenCL support ............................. no
Generic crypt(3) format .................... yes
Rexgen (extra cracking mode) ............... no
GMP (PRINCE mode and faster SRP formats) ... yes
PCAP (vncpcap2john and SIPdump) ............ no
Z (pkzip format, gpg2john) ................. yes
BZ2 (gpg2john extra decompression logic) ... no
128-bit integer (faster PRINCE mode) ....... yes
Memory map (share/page large files) ........ yes

Development options (these may hurt performance when enabled):
Memdbg memory debugging settings ........... disabled
AddressSanitizer ("ASan") .................. disabled
UndefinedBehaviorSanitizer ("UbSan") ....... disabled

Install missing libraries to get any needed features that were omitted.

Configure finished. Now 'make clean && make -s' to compile.

</pre>

When you run <code>make clean && make -s</code>, you will see lots of output like this; each compiled source file reports how many locations afl-as instrumented:

<pre>
# make clean && make -s

[...]

[+] Instrumented 386 locations (64-bit, non-hardened mode, ratio 100%).
afl-as 2.10b by <lcamtuf@google.com>
</pre>

Now we have compiled binaries in the <code>run</code> directory, one level up:

<pre>
# cd ../run/
# ./john
</pre>

Fuzz time.

==Fuzzing John the Ripper==
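Putting the build and fuzz steps together, as an added example that is not from the original page: a POSIX sh script that builds John with afl-gcc, confirms that the resulting binary really carries AFL instrumentation, and then hands it to afl-fuzz. The afl-gcc, source and seed paths are assumptions, and the instrumentation check relies on the <code>__AFL_SHM_ID</code> marker string that afl-gcc embeds in instrumented binaries and that afl-fuzz itself looks for.

```sh
#!/bin/sh
# Added example, not from the original page: build John with afl-gcc, verify that
# the binary is really instrumented, then hand it to afl-fuzz.  AFL_GCC, JOHN_SRC,
# SEEDS and the findings directory are assumed paths; adjust to your checkout.
set -eu

AFL_GCC="${AFL_GCC:-/usr/local/bin/afl-gcc}"   # where "make install" in the AFL tree put it
JOHN_SRC="${JOHN_SRC:-${HOME:-/root}/JohnTheRipper/src}"
SEEDS="${SEEDS:-${HOME:-/root}/john-seeds}"     # a handful of small, valid hash files

# afl-gcc embeds the name of its shared-memory environment variable in every
# instrumented binary, and afl-fuzz aborts with "No instrumentation detected"
# when it is missing.  Checking for it here catches a build that silently fell
# back to the system compiler (e.g. configure ignored CC) before fuzzing starts.
afl_instrumented() {
    bin="$1"
    [ -f "$bin" ] || return 2
    grep -q '__AFL_SHM_ID' "$bin"
}

# Configure and build exactly as the page does, with CC pointing at afl-gcc.
build_john() {
    src="$1"
    [ -x "$AFL_GCC" ] || { echo "afl-gcc not found at $AFL_GCC" >&2; return 1; }
    ( cd "$src" && CC="$AFL_GCC" ./configure >/dev/null && make clean >/dev/null && make -s )
}

# Start afl-fuzz.  "@@" is replaced by the path of each mutated input, which
# john reads as its password file.  Any extra arguments are passed to john;
# give it options that make it parse the file and exit rather than start
# cracking, otherwise every run hits AFL's timeout and is reported as a hang.
# Crashes and hangs are written under "$out".
fuzz_john() {
    john_bin="$1"; seeds="$2"; out="$3"; shift 3
    afl_instrumented "$john_bin" || { echo "$john_bin is not AFL-instrumented" >&2; return 1; }
    afl-fuzz -i "$seeds" -o "$out" -- "$john_bin" "$@" @@
}

# Only act when invoked with "run"; sourcing the file just defines the helpers.
if [ "${1:-}" = run ]; then
    build_john "$JOHN_SRC"
    fuzz_john "$JOHN_SRC/../run/john" "$SEEDS" "${HOME:-/root}/john-findings"
fi
```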

==Fuzzer==

Source: https://necurity.co.uk/netsec/2015/03/30/Fun-With-AFL.html

===About===

American fuzzy lop is a program for fuzzing inputs. It is very sophisticated: it instruments the target binary at compile time, which makes the fuzzing very targeted.

===Installing===

Get the latest version, and run make to build it:

<pre>
$ wget http://lcamtuf.coredump.cx/afl/releases/afl-latest.tgz
$ tar -xvf afl-latest.tgz
$ cd afl-*
$ make
$ make install
</pre>

Success!

<pre>
root@morpheus:~/codes/afl-2.10b# which afl-fuzz
/usr/local/bin/afl-fuzz
</pre>