#AFL Mothership
Manage and run multiple synchronising AFL fuzzers. The accomponying project report can be found here.
Clone (or download) the repo
git clone https://github.com/afl-mothership/afl-mothership.git
cd afl-mothership
Create a python3 virtualenv and install the requirements
virtualenv -p $(which python3) venv
source venv/bin/activate
pip install -r requirements.txt
Create the database
python manage.py createdb
Run the (development) server
python manage.py runserver
Check the server is running http://localhost:5000/
The page should have two error alerts: "Missing libdislocator.so" and "Missing afl-fuzz" To fix you must provide the afl-fuzz binary and (if desired) the libdislocator shared object.
Download and build afl-fuzz:
pushd /tmp/
wget http://lcamtuf.coredump.cx/afl/releases/afl-latest.tgz
tar xfz afl-latest.tgz
cd afl-2.35b/ # change version number to what was extracted
make
Optionally build libdislocator
cd libdislocator/
make
Copy the files into AFL mothership's data directory
popd
cp -t data/ /tmp/afl-2.35b/afl-fuzz /tmp/afl-2.35b/libdislocator/libdislocator.so
Reload the webpage and the errors should be gone! You can now create campaigns.
Note that manage.py runserver should only be used for development and real use should have uwsgi or similar serving the app.
e.g.
pip install uwsgi
./venv/bin/uwsgi --home venv --wsgi-file manage.py --callable app --master
Use the "new campaign" button to create a campaign. Choose a name and appropriate parameters.
The executable should be built with afl-gcc/g++ or afl-clang then uploaded.
Multiple testcases can be uploaded along with an optional dictionary and libraries required by the executable.
Libraries and testcases also be added to a campaign after creation and a campaign will show libraries that are required by the executable.
Fuzzers are launched using slave/slave.py
.
Ensure that the desired campaigns are activated in the web interface and launch slaves on the desired host(s) with
python slave.py <web address of mothership> <number of fuzzers to run> [temp directory to operate out of]
An example of how launching of slaves can be automated on AWS EC2 using cloud init is provided in cloud-init.sh
. Note that this must be modified to use the correct address of the mothership. This script is designed for running the mothership and slaves inside the same VPC, communicating over the internal network.
ec2-request-spot-instances ami-f5f41398 --price 0.15 -t c3.large \
--valid-until 2016-07-04T23:23:18.000Z -z us-west-1c -k mothership -g mothership \
--user-data-file ./cloud-init.sh \
-n 4 --availability-zone-group "ImageMagick-6.7.0-identify-bmp-8-fuzzers"
ec2-request-spot-instances ami-6e84fa0e --price 0.15 -t c3.large \
--valid-until 2016-07-10T23:23:18.000Z -z us-west-1c -k "mothership keypair (us-west)" \
-g mothership --user-data-file ./cloud-init.sh -n 4 \
-availability-zone-group "libarchive 2.2.1 bstdar | 8 fuzzers"