def choose_afl(self):
"""
Chooses the right AFL and sets up some environment.
"""
# set up the AFL path
p = angr.Project(self.target)
target_os = p.loader.main_object.os
afl_dir = shellphish_afl.afl_dir(target_os)
if target_os == 'cgc':
afl_path_var = shellphish_afl.afl_path_var('cgc')
else:
afl_path_var = shellphish_afl.afl_path_var(p.arch.qemu_name)
directory = None
if p.arch.qemu_name == "aarch64":
directory = "arm64"
if p.arch.qemu_name == "i386":
directory = "i386"
if p.arch.qemu_name == "x86_64":
directory = "x86_64"
if p.arch.qemu_name == "mips":
directory = "mips"
if p.arch.qemu_name == "mipsel":
directory = "mipsel"
if p.arch.qemu_name == "ppc":
directory = "powerpc"
if p.arch.qemu_name == "arm":
# some stuff qira uses to determine the which libs to use for arm
with open(self.target, "rb") as f:
progdata = f.read(0x800)
if "/lib/ld-linux.so.3" in progdata:
directory = "armel"
elif "/lib/ld-linux-armhf.so.3" in progdata:
directory = "armhf"
if directory is None:
l.warning("architecture \"%s\" has no installed libraries",
p.arch.qemu_name)
else:
libpath = os.path.join(afl_dir, "..", "fuzzer-libs", directory)
l.debug("exporting QEMU_LD_PREFIX of '%s'", libpath)
os.environ['QEMU_LD_PREFIX'] = libpath
# set environment variable for the AFL_PATH
os.environ['AFL_PATH'] = afl_path_var
# return the AFL path
return shellphish_afl.afl_bin(target_os)
def _run_multicb_trace(self, stdout_file=None):
args = [self._fakeforksrv_path]
args += self._binaries
stderr_file = tempfile.mktemp(dir="/dev/shm/",
prefix="tracer-multicb-stderr-")
saved_afl_path = os.environ.get('AFL_PATH', None)
with open('/dev/null', 'wb') as devnull:
os.environ['AFL_PATH'] = shellphish_afl.afl_dir('multi-cgc')
stdout_f = devnull
if stdout_file is not None:
stdout_f = open(stdout_file, 'wb')
stderr_f = open(stderr_file, 'wb')
p = None
try:
p = subprocess32.Popen(args,
stdin=subprocess32.PIPE,
stdout=stdout_f,
stderr=stderr_f,
close_fds=True,
preexec_fn=self.__get_rlimit_func())
_, _ = p.communicate(self.input, timeout=self.trace_timeout)
ret = p.wait(timeout=self.trace_timeout)
except subprocess32.TimeoutExpired:
if p != None:
p.terminate()
self.tmout = True
self.returncode = p.returncode
if stdout_file is not None:
stdout_f.close()
stderr_f.close()
if saved_afl_path:
os.environ['AFL_PATH'] = saved_afl_path
with open(stderr_file, 'r') as f:
buf = f.read()
for line in buf.split("\n"):
if "signaled" in line:
self.crash_mode = bool(int(line.split(":")[-1]))
def init_afl_config(binary_path, is_multicb=False):
"""
Returns AFL_PATH and AFL_DIR, if AFL_PATH is set in os.environ it returns that, if not it attempts to auto-detect
:param binary_path:
:return: afl_path_var, afl_dir, qemu_arch_name: afl_path_var is location of qemu_trace to use, afl_dir is the location of the afl binaries, qemu_arch_name is the name of the binary's architecture
"""
if Phuzzer.afl_bin_dir is not None:
return Phuzzer.afl_bin_dir, Phuzzer.qemu_arch_name
if "AFL_PATH" in os.environ:
Phuzzer.afl_bin_dir = os.environ["AFL_PATH"]
else:
if not ANGR_INSTALLED:
raise ModuleNotFoundError(
"AFL_PATH was found in enviornment variables and angr is not installed."
)
if not SHELLPHISH_AFL_INSTALLED:
raise ModuleNotFoundError(
"AFL_PATH was found in enviornment variables and either shellphish_afl is not installed."
)
try:
p = angr.Project(binary_path)
Phuzzer.qemu_arch_name = p.arch.qemu_name
tracer_id = 'cgc' if p.loader.main_object.os == 'cgc' else p.arch.qemu_name
if is_multicb:
tracer_id = 'multi-{}'.format(tracer_id)
afl_path_var = shellphish_afl.afl_path_var(tracer_id)
os.environ['AFL_PATH'] = afl_path_var
Phuzzer.afl_bin_dir = shellphish_afl.afl_dir(tracer_id)
print(f"afl_dir {Phuzzer.afl_bin_dir}")
except Exception:
traceback.format_exc()
raise ModuleNotFoundError(
"AFL_PATH was found in enviornment variables and "
"either angr or shellphish_afl is not installed.")
return Phuzzer.afl_bin_dir, Phuzzer.qemu_arch_name
def __init__(self, binary_path, testcase):
"""
:param binary_path: path to the binary which the testcase applies to
:param testcase: string representing the contents of the testcase
"""
self.binary_path = binary_path
self.testcase = testcase
Fuzzer._perform_env_checks()
self.base = Fuzzer._get_base()
l.debug("got base dir %s", self.base)
# unfortunately here is some code reuse between Fuzzer and Minimizer
p = angr.Project(self.binary_path)
tracer_id = 'cgc' if p.loader.main_object.os == 'cgc' else p.arch.qemu_name
self.tmin_path = os.path.join(shellphish_afl.afl_dir(tracer_id),
"afl-tmin")
self.afl_path_var = shellphish_afl.afl_path_var(tracer_id)
l.debug("tmin_path: %s", self.tmin_path)
l.debug("afl_path_var: %s", self.afl_path_var)
os.environ['AFL_PATH'] = self.afl_path_var
# create temp
self.work_dir = tempfile.mkdtemp(prefix='tmin-', dir='/tmp/')
# flag for work directory removal
self._removed = False
self.input_testcase = os.path.join(self.work_dir, 'testcase')
self.output_testcase = os.path.join(self.work_dir, 'minimized_result')
l.debug("input_testcase: %s", self.input_testcase)
l.debug("output_testcase: %s", self.output_testcase)
# populate contents of input testcase
with open(self.input_testcase, 'wb') as f:
f.write(testcase)
def cmin(self, fuzzer_prefix="fuzzer-"):
afl_dir = shellphish_afl.afl_dir(self.target_os)
afl_path_var = shellphish_afl.afl_path_var(self.target_arch)
os.environ['AFL_PATH'] = afl_path_var
# create queue.all dir
if os.path.exists(self.queue_all_dir):
shutil.rmtree(self.queue_all_dir)
os.makedirs(self.queue_all_dir)
# copy all seeds
for seed in glob(f"{self.work_dir}/{fuzzer_prefix}*/queue/id:*"):
id = seed.split("/")[-1]
fuzzer = seed.split("/queue")[0].split("/")[-1]
shutil.copy(seed, f"{self.queue_all_dir}/{{{fuzzer}}}{id}")
# create queue.cmin
if os.path.exists(self.queue_min_dir):
shutil.rmtree(self.queue_min_dir)
os.makedirs(self.queue_min_dir)
# create cmd args
cmin_path = os.path.join(afl_dir, "afl-cmin")
args = [cmin_path]
args += ["-i", self.queue_all_dir]
args += ["-o", self.queue_min_dir]
args += ["-m", self.memory]
args += ["-Q"]
args += ["--"]
args += [self.target]
args += self.target_opts
#l.debug(f"execing: AFL_PATH={afl_path_var} {' '.join(args)}")
return subprocess.Popen(args,
env=os.environ,
stdout=subprocess.DEVNULL,
stderr=subprocess.DEVNULL,
close_fds=True)
def _check_environment():
err = ""
# check for afl sensitive settings
with open("/proc/sys/kernel/core_pattern") as f:
if not "core" in f.read():
err += "!!!! AFL ERROR: Pipe at the beginning of core_pattern\n"
err += "++++ TO FIX THIS, LITERALLY JUST EXECUTE THIS COMMAND:\n"
err += " echo core | sudo tee /proc/sys/kernel/core_pattern\n"
# This file is based on a driver not all systems use
# http://unix.stackexchange.com/questions/153693/cant-use-userspace-cpufreq-governor-and-set-cpu-frequency
# TODO: Perform similar performance check for other default drivers.
if os.path.exists(
"/sys/devices/system/cpu/cpu0/cpufreq/scaling_governor"):
with open("/sys/devices/system/cpu/cpu0/cpufreq/scaling_governor"
) as f:
if not "performance" in f.read():
err += "!!!! AFL ERROR: Suboptimal CPU scaling governor\n"
err += "++++ TO FIX THIS, LITERALLY JUST EXECUTE THIS COMMAND:\n"
err += " echo performance | sudo tee /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor\n"
# TODO: test, to be sure it doesn't mess things up
with open("/proc/sys/kernel/sched_child_runs_first") as f:
if not "1" in f.read():
err += "!!!! AFL WARNING: We probably want the fork() children to run first\n"
err += "++++ TO FIX THIS, LITERALLY JUST EXECUTE THIS COMMAND:\n"
err += " echo 1 | sudo tee /proc/sys/kernel/sched_child_runs_first\n"
if err:
afl_dir = shellphish_afl.afl_dir('linux')
configpath = os.path.join(afl_dir, "afl-system-config")
err += "!!!! AFL WARNING: The environment was not properly configured\n"
err += "++++ TO FIX THIS, LITERALLY JUST EXECUTE THIS COMMAND:\n"
err += " sudo sh " + configpath + "\n"
err += "++++ YOU MAY ALSO ADD TO /etc/default/grub:\n"
err += " GRUB_CMDLINE_LINUX_DEFAULT='ibpb=off ibrs=off kpti=off l1tf=off mds=off mitigations=off no_stf_barrier noibpb noibrs nopcid nopti nospec_store_bypass_disable nospectre_v1 nospectre_v2 pcid=off pti=off spec_store_bypass_disable=off spectre_v2=off stf_barrier=off'"
raise InstallError(err)
def __init__(self, binary_path, work_dir, afl_count=1, library_path=None, time_limit=None,
target_opts=None, extra_opts=None, create_dictionary=False,
seeds=None, crash_mode=False, never_resume=False):
'''
:param binary_path: path to the binary to fuzz. List or tuple for multi-CB.
:param work_dir: the work directory which contains fuzzing jobs, our job directory will go here
:param afl_count: number of AFL jobs total to spin up for the binary
:param library_path: library path to use, if none is specified a default is chosen
:param timelimit: amount of time to fuzz for, has no effect besides returning True when calling timed_out
:param seeds: list of inputs to seed fuzzing with
:param target_opts: extra options to pass to the target
:param extra_opts: extra options to pass to AFL when starting up
:param crash_mode: if set to True AFL is set to crash explorer mode, and seed will be expected to be a crashing input
:param never_resume: never resume an old fuzzing run, even if it's possible
'''
self.binary_path = binary_path
self.work_dir = work_dir
self.afl_count = afl_count
self.time_limit = time_limit
self.library_path = library_path
self.target_opts = [ ] if target_opts is None else target_opts
self.crash_mode = crash_mode
Fuzzer._perform_env_checks()
if isinstance(binary_path,basestring):
self.is_multicb = False
self.binary_id = os.path.basename(binary_path)
elif isinstance(binary_path,(list,tuple)):
self.is_multicb = True
self.binary_id = os.path.basename(binary_path[0])
else:
raise ValueError("Was expecting either a string or a list/tuple for binary_path! It's {} instead.".format(type(binary_path)))
# sanity check crash mode
if self.crash_mode:
if seeds is None:
raise ValueError("Seeds must be specified if using the fuzzer in crash mode")
l.info("AFL will be started in crash mode")
self.seeds = ["fuzz"] if seeds is None or len(seeds) == 0 else seeds
self.job_dir = os.path.join(self.work_dir, self.binary_id)
self.in_dir = os.path.join(self.job_dir, "input")
self.out_dir = os.path.join(self.job_dir, "sync")
# sanity check extra opts
self.extra_opts = extra_opts
if self.extra_opts is not None:
if not isinstance(self.extra_opts, list):
raise ValueError("extra_opts must be a list of command line arguments")
# base of the fuzzer package
self.base = Fuzzer._get_base()
self.start_time = int(time.time())
# create_dict script
self.create_dict_path = os.path.join(self.base, "bin", "create_dict.py")
# afl dictionary
self.dictionary = None
# processes spun up
self.procs = [ ]
# start the fuzzer ids at 0
self.fuzz_id = 0
# test if we're resuming an old run
self.resuming = bool(os.listdir(self.out_dir)) if os.path.isdir(self.out_dir) else False
# has the fuzzer been turned on?
self._on = False
if never_resume and self.resuming:
l.info("could resume, but starting over upon request")
shutil.rmtree(self.job_dir)
self.resuming = False
if self.is_multicb:
# Where cgc/setup's Dockerfile checks it out
# NOTE: 'afl/fakeforksrv' serves as 'qemu', as far as AFL is concerned
# Will actually invoke 'fakeforksrv/multicb-qemu'
# This QEMU cannot run standalone (always speaks the forkserver "protocol"),
# but 'fakeforksrv/run_via_fakeforksrv' allows it.
# XXX: There is no driller/angr support, and probably will never be.
self.afl_path = shellphish_afl.afl_bin('multi-cgc')
self.afl_path_var = shellphish_afl.afl_path_var('multi-cgc')
else:
p = angr.Project(binary_path)
self.os = p.loader.main_bin.os
afl_dir = shellphish_afl.afl_dir(self.os)
# the path to AFL capable of calling driller
self.afl_path = shellphish_afl.afl_bin(self.os)
self.afl_path_var = shellphish_afl.afl_path_var(p.arch.qemu_name)
# set up libraries
self._export_library_path(p)
self.qemu_dir = self.afl_path_var
l.debug("self.start_time: %r", self.start_time)
l.debug("self.afl_path: %s", self.afl_path)
l.debug("self.afl_path_var: %s", self.afl_path_var)
l.debug("self.qemu_dir: %s", self.qemu_dir)
l.debug("self.binary_id: %s", self.binary_id)
l.debug("self.work_dir: %s", self.work_dir)
l.debug("self.resuming: %s", self.resuming)
# if we're resuming an old run set the input_directory to a '-'
if self.resuming:
l.info("[%s] resuming old fuzzing run", self.binary_id)
self.in_dir = "-"
else:
# create the work directory and input directory
try:
os.makedirs(self.in_dir)
except OSError:
l.warning("unable to create in_dir \"%s\"", self.in_dir)
# populate the input directory
self._initialize_seeds()
# look for a dictionary
dictionary_file = os.path.join(self.job_dir, "%s.dict" % self.binary_id)
if os.path.isfile(dictionary_file):
self.dictionary = dictionary_file
# if a dictionary doesn't exist and we aren't resuming a run, create a dict
elif not self.resuming:
# call out to another process to create the dictionary so we can
# limit it's memory
if create_dictionary:
if self._create_dict(dictionary_file):
self.dictionary = dictionary_file
else:
# no luck creating a dictionary
l.warning("[%s] unable to create dictionary", self.binary_id)
# set environment variable for the AFL_PATH
os.environ['AFL_PATH'] = self.afl_path_var
def __init__(self,
binary,
input=None,
pov_file=None,
record_trace=False,
record_stdout=False,
record_magic=False,
seed=None,
memory_limit="8G",
bitflip=False,
report_bad_args=False,
use_tiny_core=False,
qemu=None):
"""
:param binary: path to the binary to be traced
:param input: concrete input string to feed to binary
:param pov_file: CGC PoV describing the input to trace
:param record_trace: whether or not to record the basic block trace
:param report_bad_arg: enable CGC QEMU's report bad args option
:param use_tiny_core: Use minimal core loading
"""
if isinstance(binary, basestring):
self.is_multicb = False
self.binaries = [binary]
elif isinstance(binary, (list, tuple)):
if not multicb_available:
raise ValueError("Multicb tracing is disabled")
self.is_multicb = True
self.binaries = binary
else:
raise ValueError(
"Expected list or string for binary, got {} instead".format(
type(binary)))
self.input = input
self.pov_file = pov_file
self._record_magic = record_magic
self._record_trace = record_trace
if record_trace and self.is_multicb:
l.warning(
"record_trace specified with multicb, no trace will be recorded"
)
self.trace = []
self.crashed_binary = 0
self.reg_vals = None
self._state = None
self.memory = None
self.seed = seed
self.memory_limit = memory_limit
self.bitflip = bitflip
if self.bitflip and self.is_multicb:
raise ValueError("Cannot perform bitflip with MultiCB")
self.report_bad_args = report_bad_args
self.use_tiny_core = use_tiny_core
if self.pov_file is None and self.input is None:
raise ValueError("must specify input or pov_file")
if self.pov_file is not None and self.input is not None:
raise ValueError("cannot specify both a pov_file and an input")
# a PoV was provided
if self.pov_file is not None:
self.pov_file = TracerPoV(self.pov_file)
self.pov = True
else:
self.pov = False
self.base = os.path.join(os.path.dirname(__file__), "..", "..")
self.tracer_qemu = None
self.tracer_qemu_path = None
self.forced_qemu = qemu
self.fakeforksrv_path = os.path.join(
shellphish_afl.afl_dir('multi-cgc'), "run_via_fakeforksrv")
self._setup()
l.debug("accumulating basic block trace...")
l.debug("self.tracer_qemu_path: %s", self.tracer_qemu_path)
# does the input cause a crash?
self.crash_mode = False
# if the input causes a crash, what address does it crash at?
self.crash_addr = None
self.stdout = None
self.magic = None
if record_stdout:
tmp = tempfile.mktemp(prefix="stdout_" + os.path.basename(binary))
# will set crash_mode correctly
self.dynamic_trace(stdout_file=tmp)
with open(tmp, "rb") as f:
self.stdout = f.read()
os.remove(tmp)
else:
# will set crash_mode correctly
self.dynamic_trace()
def __init__(self, binary_path, testcase, timeout=None):
"""
:param binary_path: path to the binary which the testcase applies to
:param testcase: string representing the contents of the testcase
:param timeout: millisecond timeout
"""
self.binary_path = binary_path
self.testcase = testcase
self.timeout = None
if isinstance(binary_path, str):
self.is_multicb = False
self.binaries = [binary_path]
elif isinstance(binary_path, (list, tuple)):
self.is_multicb = True
self.binaries = binary_path
else:
raise ValueError(
"Was expecting either a string or a list/tuple for binary_path! "
"It's {} instead.".format(type(binary_path)))
if timeout is not None:
if isinstance(timeout, int):
self.timeout = str(timeout)
elif isinstance(timeout, (str)):
self.timeout = timeout
elif isinstance(timeout, (bytes)):
self.timeout = timeout.decode('utf-8')
else:
raise ValueError("timeout param must be of type int or str")
# will be set by showmap's return code
self.causes_crash = False
AFL.check_environment()
# unfortunately here is some code reuse between Phuzzer and Minimizer (and Showmap!)
p = angr.Project(self.binaries[0])
tracer_id = 'cgc' if p.loader.main_object.os == 'cgc' else p.arch.qemu_name
if self.is_multicb:
tracer_id = 'multi-{}'.format(tracer_id)
self.showmap_path = os.path.join(shellphish_afl.afl_dir(tracer_id),
"afl-showmap")
self.afl_path_var = shellphish_afl.afl_path_var(tracer_id)
l.debug("showmap_path: %s", self.showmap_path)
l.debug("afl_path_var: %s", self.afl_path_var)
os.environ['AFL_PATH'] = self.afl_path_var
# create temp
self.work_dir = tempfile.mkdtemp(prefix='showmap-', dir='/tmp/')
# flag for work directory removal
self._removed = False
self.input_testcase = os.path.join(self.work_dir, 'testcase')
self.output = os.path.join(self.work_dir, 'out')
l.debug("input_testcase: %s", self.input_testcase)
l.debug("output: %s", self.output)
# populate contents of input testcase
with open(self.input_testcase, 'wb') as f:
f.write(testcase)
def __init__(self, binary=None, input=None, project=None, record_trace=True, record_stdout=False,
record_magic=True, record_core=False, seed=None, memory_limit="8G", bitflip=False, report_bad_args=False,
use_tiny_core=False, max_size=None, qemu=None, argv=None,
trace_log_limit=2**30, trace_timeout=10):
"""
:param binary : Path to the binary to be traced.
:param input : Concrete input to feed to binary (string or CGC TracerPoV).
:param project : The original project.
:param record_trace : Whether or not to record the basic block trace.
:param record_stdout : Whether ot not to record the output of tracing process.
:param record_magic : Whether ot not to record the magic flag page as reported by QEMU.
:param record_core : Whether or not to record the core file in case of crash.
:param report_bad_arg: Enable CGC QEMU's report bad args option.
:param use_tiny_core : Use minimal core loading.
:param max_size : Optionally set max size of input. Defaults to size
of preconstrained input.
:param qemu : Path to QEMU to be forced used.
:param argv : Optionally specify argv params (i,e,: ['./calc', 'parm1']).
Defaults to binary name with no params.
:param trace_log_limit: Optionally specify the dynamic trace log file
size limit in bytes, defaults to 1G.
:param trace_timeout : Optionally specify the dymamic time limit in seconds
defaults to 10 seconds.
"""
if type(input) not in (str, TracerPoV):
raise RunnerEnvironmentError("Input for tracing should be either a string or a TracerPoV for CGC PoV file.")
Runner.__init__(self, binary=binary, input=input, project=project, record_trace=record_trace,
record_core=record_core, use_tiny_core=use_tiny_core, trace_source_path=qemu, argv=argv)
self.tmout = False
self._record_magic = record_magic and self.os == 'cgc'
if record_trace and self.is_multicb:
l.warning("record_trace specified with multicb, no trace will be recorded")
if isinstance(seed, (int, long)):
seed = str(seed)
self._seed = seed
self._memory_limit = memory_limit
self._bitflip = bitflip
if self._bitflip and self.is_multicb:
raise ValueError("Cannot perform bitflip with MultiCB")
self._report_bad_args = report_bad_args
if self.input is None:
raise ValueError("Must specify input.")
# validate seed
if self._seed is not None:
try:
iseed = int(self._seed)
if iseed > 4294967295 or iseed < 0:
raise ValueError
except ValueError:
raise ValueError("The passed seed is either not an integer or is not between 0 and UINT_MAX")
self.input_max_size = max_size or len(input) if input is not None else None
self.trace_log_limit = trace_log_limit
self.trace_timeout = trace_timeout
if self.is_multicb:
self._fakeforksrv_path = os.path.join(shellphish_afl.afl_dir('multi-cgc'), "run_via_fakeforksrv")
self._setup()
l.debug("Accumulating basic block trace...")
l.debug("tracer qemu path: %s", self._trace_source_path)
self.stdout = None
# We need this to keep symbolic traces following the same path
# as their dynamic counterpart
self.magic = None
if record_stdout:
tmp = tempfile.mktemp(prefix="stdout_" + os.path.basename(binary))
# will set crash_mode correctly
self._run(stdout_file=tmp)
with open(tmp, "rb") as f:
self.stdout = f.read()
os.remove(tmp)
else:
# will set crash_mode correctly
self._run()
def choose_afl(self):
"""
Chooses the right AFL and sets up some environment.
"""
# set up the AFL path
self.proj = self.proj or angr.Project(self.target,
auto_load_libs=False)
self.target_os = self.proj.loader.main_object.os
self.target_arch = self.proj.arch.qemu_name
afl_dir = shellphish_afl.afl_dir(self.target_os)
afl_path_var = shellphish_afl.afl_path_var(self.target_arch)
directory = None
if self.target_arch == "i386":
directory = "i386"
qemu_base = 0x40000000
if self.target_arch == "x86_64":
directory = "x86_64"
qemu_base = 0x4000000000
if directory is None:
l.warning("architecture \"%s\" has no installed libraries",
self.target_arch)
elif False: # for now, avoid mixing up libs
libpath = os.path.join(afl_dir, "..", "fuzzer-libs", directory)
l.debug("exporting QEMU_LD_PREFIX=%s", libpath)
os.environ['QEMU_LD_PREFIX'] = libpath
l.debug("exporting AFL_PATH=%s", afl_path_var)
os.environ['AFL_PATH'] = afl_path_var
libcompcovpath = os.path.join(afl_dir, "libcompcov.so")
libdislocatorpath = os.path.join(afl_dir, "libdislocator.so")
afl_preload = " ".join([libcompcovpath, libdislocatorpath])
afl_preload = f"'{afl_preload}'"
l.debug("exporting AFL_PRELOAD=%s", afl_preload)
os.environ['AFL_PRELOAD'] = afl_preload
l.debug("exporting AFL_COMPCOV_LEVEL=2")
os.environ[
'AFL_COMPCOV_LEVEL'] = "2" # CompareCoverage instrumentation
# set entrypoint
main = self.proj.loader.find_symbol('main')
entrypoint = main.rebased_addr if main else self.proj.entry
if self.proj.loader.main_object.pic:
entrypoint = self.proj.loader.main_object.addr_to_offset(
entrypoint)
entrypoint += qemu_base
#l.debug("exporting QEMU_SET_ENV=%s", f"QEMU_GUEST_BASE={hex(qemu_base)}")
os.environ['QEMU_SET_ENV'] = f"QEMU_GUEST_BASE={hex(qemu_base)}"
l.debug("exporting AFL_ENTRYPOINT=%s", hex(entrypoint))
os.environ['AFL_ENTRYPOINT'] = hex(entrypoint)
#if not self.proj.loader.main_object.pic:
#l.debug("exporting AFL_QEMU_PERSISTENT_ADDR=%s", hex(entrypoint))
#os.environ['AFL_QEMU_PERSISTENT_ADDR'] = hex(entrypoint)
#os.environ['AFL_QEMU_PERSISTENT_GPR'] = "1"
# return the AFL path
return shellphish_afl.afl_bin(self.target_os)
try:
import tracer, angr, fuzzer, shellphish_afl
except:
logger.error(
"Unable to find required angr/mechaphish libraries. Make sure mechaphish is installed."
)
exit(1)
# Just to be sure...
try:
input = raw_input
except:
pass
AFL_ROOT = shellphish_afl.afl_dir('unix')
class AFL(Fuzzer):
def __init__(self, bininfo):
self.fuzzer = None
self.target = GlobalConfig.target
self.target_args = GlobalConfig.arguments
self.work_dir = GlobalConfig.work_dir
self.threads = GlobalConfig.threads
self.seeds = GlobalConfig.seeds
# Use QEMU or not?
self.qemu = not bininfo.afl
self.dictionary = None
from . import *
from ..Config import global_config as GlobalConfig
try:
import tracer, angr, fuzzer, shellphish_afl
except:
logger.error("Unable to find required angr/mechaphish libraries. Make sure mechaphish is installed.")
exit(1)
# Just to be sure...
try:
input = raw_input
except:
pass
AFL_ROOT = shellphish_afl.afl_dir('unix')
class AFL(Fuzzer):
def __init__(self, bininfo):
self.fuzzer = None
self.target = GlobalConfig.target
self.target_args = GlobalConfig.arguments
self.work_dir = GlobalConfig.work_dir
self.threads = GlobalConfig.threads
self.seeds = GlobalConfig.seeds
# Use QEMU or not?
self.qemu = not bininfo.afl
self.dictionary = None
