
afl's Issues

Fuzzing a network program which creates more than one socket

Hi,

I want to fuzz a network program which:

  1. Binds to a socket.
  2. Listens on the socket.
  3. Accepts a request on the socket.
  4. When it receives a request, reads the data and does something with it.
  5. Closes the socket.

The program performs steps 1 to 5 three times sequentially.

When I try to fuzz this program using afl-net, it generates the following output:

american fuzzy lop 1.95b (listen_socket)

┌─ process timing ─────────────────────────────────────┬─ overall results ─────┐
│        run time : 0 days, 0 hrs, 0 min, 49 sec       │  cycles done : 0      │
│   last new path : none seen yet                      │  total paths : 1      │
│ last uniq crash : none seen yet                      │ uniq crashes : 0      │
│  last uniq hang : 0 days, 0 hrs, 0 min, 0 sec        │   uniq hangs : 1      │
├─ cycle progress ────────────────────┬─ map coverage ─┴───────────────────────┤
│  now processing : 0 (0.00%)         │    map density : 13 (0.02%)            │
│ paths timed out : 0 (0.00%)         │ count coverage : 1.00 bits/tuple       │
├─ stage progress ────────────────────┼─ findings in depth ────────────────────┤
│  now trying : havoc                 │ favored paths : 1 (100.00%)            │
│ stage execs : 2144/2500 (85.76%)    │  new edges on : 1 (100.00%)            │
│ total execs : 2353                  │ total crashes : 0 (0 unique)           │
│  exec speed : 0.05/sec (zzzz...)    │   total hangs : 1 (1 unique)           │
├─ fuzzing strategy yields ───────────┴───────────────┬─ path geometry ────────┤
│   bit flips : 0/16, 0/15, 0/13                      │    levels : 1          │
│  byte flips : 0/2, 0/1, 0/0                         │   pending : 1          │
│ arithmetics : 0/112, 0/0, 0/0                       │  pend fav : 1          │
│  known ints : 0/11, 0/28, 0/0                       │ own finds : 0          │
│  dictionary : 0/0, 0/0, 0/0                         │  imported : n/a        │
│       havoc : 0/0, 0/0                              │  variable : 0          │
│        trim : n/a, 0.00%                            ├────────────────────────┘
└─────────────────────────────────────────────────────┘             [cpu: 39%]
[-]  SYSTEM ERROR : Attempt to bind socket to source address & port failed (TCP case)
    Stop location : network_send(), afl-fuzz.c:2188
       OS message : Address already in use

I think that afl-fuzzer sends a request to the first socket created and, after receiving the request, the program proceeds forward. It creates the second socket and waits for a request, but the fuzzer doesn't send one. After some time it kills the process and marks it as a "hang". In the next round, as the socket was not closed, I get the "Address already in use" error.

Is there a way to fuzz this code using afl-net given that it creates and closes three sockets?

Upgrade to 1.96b please

Import the 1.96b changes please.

Do you know if Michael will add your changes into AFL? Or is he working on his own? Does he have no interest in network support?

TLS transition from R_X86_64_TLSGD to R_X86_64_GOTTPOFF

Hi,

I'm trying to compile a Kafka library (librdkafka, the Apache Kafka C/C++ client library) with afl-gcc (network) and the following messages appear:

./src/librdkafka.a(rdkafka.o): TLS transition from R_X86_64_TLSGD to R_X86_64_GOTTPOFF against `rd_kafka_last_error_code' at 0x2737 in section `.text' failed
../src/librdkafka.a: error adding symbols: Bad value
collect2: error: ld returned 1 exit status
make[1]: *** [rdkafka_example] Error 1
make[1]: Leaving directory `/pe/lib-pe/librdkafka/examples'
make: *** [examples] Error 2

Have you ever experienced this issue?

Thank you.

Memory limit causing hang?

I was hoping to try https://www.fastly.com/blog/how-fuzz-server-american-fuzzy-lop without having to modify the code.

With the following memory setting (512 MB):

/home/user/afl/afl-fuzz -m 512 -i /home/user/testcases -o /home/user/outputs -D 1 -t 200+ -N udp://localhost:53 /home/user/knot-2.1.1/src/knotd -c /home/user/knot.conf

But on inspection with strace, it seems there isn't enough memory:

3398  mmap(NULL, 524288000, PROT_READ, MAP_SHARED, 5, 0) = -1 ENOMEM (Cannot allocate memory)
...
3398  write(2, "2016-04-14T08:35:43 critical: failed to open configuration database '' (not enough memory)\n", 91) = 91
...
3398  exit_group(1)                     = ?
3398  +++ exited with 1 +++

Running it with more memory (1024 MB) results in:

$ /home/user/afl/afl-fuzz -m 1024 -i /home/user/testcases -o /home/user/outputs -D 1 -t 200+ -N udp://localhost:53 /home/user/knot-2.1.1/src/knotd -c /home/user/knot.conf
afl-fuzz 1.95b by <[email protected]>
[+] You have 1 CPU cores and 2 runnable tasks (utilization: 200%).
[*] Checking core_pattern...
[*] Setting up output directories...
[+] Output directory exists but deemed OK to reuse.
[*] Deleting old session data...
[+] Output dir cleanup successful.
[*] Scanning '/home/user/testcases'...
[+] No auto-generated dictionary tokens to reuse.
[*] Creating hard links for all input files...
[*] Validating target binary...
[*] Attempting dry run with 'id:000000,orig:dns-query-sample'...
[*] Spinning up the fork server...
[+] All right - fork server is up.
[!] WARNING: Test case results in a hang (skipping)

[-] PROGRAM ABORT : All test cases time out, giving up!
         Location : perform_dry_run(), afl-fuzz.c:3240

Any ideas?

SYSTEM ERROR : partial or failed UDP write (IPv4). Size of buffer was: 69757

Heya Birdwell!

Having a lot of fun with your project. I updated it to the latest 2.50b and am working on tuning a project. I seem to be running into an issue where, I believe, a fuzzing iteration is trying to send a buffer exceeding 64k.

Eventually, all of my fuzzing instances stop with the error "Message too long." After modifying the code, I was able to validate that it is indeed trying to send too much data for one packet.

My thoughts were to look at implementing a UDP flag and then, if it is set, check the buffer to make sure it is not greater than 65535 - 20 (IP header) - 8 (UDP header) - 1 = 65506.

Thoughts on this approach, friend?

EDIT:
Alright, now I'm conflicted. If I truncate, I realize we're gonna miss a lot of good test cases. I guess the proper thing to do would be to loop sendto until all of the payload is sent over?
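Added example (not afl's code) for the size limit behind the error above: the largest IPv4 UDP payload is 65535 - 20 - 8 = 65507 bytes, a larger sendto() fails with EMSGSIZE ("Message too long"), and "looping sendto" amounts to splitting the test case into several datagrams, so the target sees several requests rather than one. It assumes Linux with loopback access and uses a constructed payload of the 69757 bytes named in the issue title.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* Largest IPv4 UDP payload: 65535 max IP length - 20 IPv4 header - 8 UDP header. */
#define UDP_MAX_PAYLOAD (65535 - 20 - 8)   /* 65507 bytes */

/* Send buf as consecutive datagrams of at most UDP_MAX_PAYLOAD bytes and return
 * how many were sent (-1, errno set, on failure): the target sees several requests. */
static int udp_send_split(int fd, const struct sockaddr_in *to,
                          const unsigned char *buf, size_t len) {
    int n = 0;
    do {
        size_t chunk = len < UDP_MAX_PAYLOAD ? len : UDP_MAX_PAYLOAD;
        if (sendto(fd, buf, chunk, 0, (const struct sockaddr *)to, sizeof *to) < 0)
            return -1;
        buf += chunk; len -= chunk; n++;
    } while (len > 0);
    return n;
}

/* Loopback drive for total > UDP_MAX_PAYLOAD: the naive single sendto() must fail
 * with EMSGSIZE ("Message too long"); the split send is then read back datagram by
 * datagram. Returns the datagram count received (2 for 69757 bytes), else -1. */
static int demo_oversized_udp(size_t total) {
    struct sockaddr_in lo = {0}; socklen_t alen = sizeof lo;
    lo.sin_family = AF_INET; lo.sin_addr.s_addr = htonl(INADDR_LOOPBACK); /* port 0 */
    int rx = socket(AF_INET, SOCK_DGRAM, 0), tx = socket(AF_INET, SOCK_DGRAM, 0);
    if (rx < 0 || tx < 0 || bind(rx, (struct sockaddr *)&lo, alen) < 0) return -1;
    getsockname(rx, (struct sockaddr *)&lo, &alen);   /* learn the chosen port */
    struct timeval tv = {1, 0};                        /* recv() safety timeout */
    setsockopt(rx, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
    int got = -1, big = 1 << 20;                       /* room for several 64K datagrams */
    setsockopt(rx, SOL_SOCKET, SO_RCVBUF, &big, sizeof big);
    unsigned char *buf = malloc(total), *rbuf = malloc(UDP_MAX_PAYLOAD);
    memset(buf, 'A', total);                           /* constructed payload */
    if (sendto(tx, buf, total, 0, (struct sockaddr *)&lo, alen) < 0 && errno == EMSGSIZE) {
        int sent = udp_send_split(tx, &lo, buf, total);
        size_t seen = 0; ssize_t r;
        for (got = 0; got < sent && (r = recv(rx, rbuf, UDP_MAX_PAYLOAD, 0)) >= 0; got++)
            seen += (size_t)r;
        if (seen != total) got = -1;
    }
    free(buf); free(rbuf); close(rx); close(tx);
    return got;
}
```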

Network fuzzing functionality Issues - bind socket failure (addr in use), test cases time out (during dry_run)

Summary
I am a student currently trying to create a base test case for the network fuzzer with a simple TCP server that merely creates, binds, listens, accepts, receives a string, and closes a socket. However, I'm stuck on two errors I'm receiving when attempting to fuzz the application. When running the application by itself or under strace, it functions properly and exits appropriately.

Do you mind helping me with these errors? I feel I don't quite understand how the network fuzzer functionality works.

Error 1
Possible bad values for the -t flag and the -D flag?

When attempting to run the fuzzer:

afl-fuzz -i testcases/ -o findings/ -t 5000+ -D 1000 -N tcp://127.0.0.1:8080 -- ./netprog/tcpserver 8080

I receive the following error:

[-] SYSTEM ERROR : Attempt to bind socket to source address & port failed (TCP case)
    Stop location : network_send(), afl-fuzz.c:2188
       OS message : Address already in use

After running netstat -an | grep 8080 I found this:

tcp    0    0 0.0.0.0:8080             0.0.0.0:*              LISTEN
tcp    0    0 127.0.0.1:32800       127.0.0.1:8080            TIME_WAIT

Error 2
The test case is simply a file containing the string "test string".
How does the fuzzer send this data to the application?

Is the file parsed and the string data sent in an afl-formed TCP packet?
OR
Is the file itself sent?

When attempting to run the fuzzer:

afl-fuzz -i testcases/ -o findings/ -t 10000+ -D 5000 -N tcp://127.0.0.1:8080 -- ./netprog/tcpserver 8080

I receive the following error:

[-] PROGRAM ABORT : All test cases time out, giving up!
         Location : perform_dry_run(), afl-fuzz.c:3240

I'm trying to determine whether I need to tweak the application itself to be compatible with the fuzzer, or whether I don't quite understand how the network fuzzer works.

Thank you for your consideration.
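Added example (not afl's code, and not the project's network_send implementation) reproducing the bind failure that this issue and the first issue on this page, "Fuzzing a network program which creates more than one socket", both report: a client harness that closes a connection and then binds a fresh socket to the same loopback source port gets EADDRINUSE while the old port sits in TIME_WAIT, unless SO_REUSEADDR was set on both the old and the new socket. It assumes Linux semantics and loopback access; all port numbers are chosen by the kernel.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>

/* Set SO_REUSEADDR on fd; returns 0 on success. */
static int set_reuse(int fd) {
    int one = 1;
    return setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
}

/* One short-lived loopback connection from a bound source port, closed on the
 * client side first (so the client port, not the server, is the one left in
 * TIME_WAIT), then an attempt to bind a fresh socket to that same source
 * port, which is what a harness that reuses a fixed source port does.
 * Returns 0 if the rebind succeeds, otherwise the errno of the failing call
 * (EADDRINUSE is the "Address already in use" both issues report). */
static int rebind_after_close(int use_reuseaddr) {
    struct sockaddr_in lo = {0}, srv_addr, cli_addr;
    socklen_t len = sizeof lo;
    lo.sin_family = AF_INET;
    lo.sin_addr.s_addr = htonl(INADDR_LOOPBACK);   /* port 0: kernel picks one */

    int srv = socket(AF_INET, SOCK_STREAM, 0);
    set_reuse(srv);
    if (bind(srv, (struct sockaddr *)&lo, len) < 0 || listen(srv, 1) < 0) return errno;
    getsockname(srv, (struct sockaddr *)&srv_addr, &len);

    int cli = socket(AF_INET, SOCK_STREAM, 0);
    if (use_reuseaddr) set_reuse(cli);   /* Linux: needed on the old socket too */
    if (bind(cli, (struct sockaddr *)&lo, len) < 0) return errno;
    getsockname(cli, (struct sockaddr *)&cli_addr, &len);
    if (connect(cli, (struct sockaddr *)&srv_addr, len) < 0) return errno;
    int conn = accept(srv, NULL, NULL);
    close(cli);                          /* active close: cli port -> TIME_WAIT */
    close(conn);
    close(srv);

    int again = socket(AF_INET, SOCK_STREAM, 0);
    if (use_reuseaddr) set_reuse(again);
    int rc = bind(again, (struct sockaddr *)&cli_addr, len) < 0 ? errno : 0;
    close(again);
    return rc;
}
```

The netstat output in this issue shows exactly that state: the server still listening on 8080 and the previous client port 32800 in TIME_WAIT.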

Disable ignore on timeout for all test cases

I just need to figure out if what I'm looking for is already in AFL or not. It might be a feature request if not...

So, I am trying to fuzz a PDF viewer with a few PDF files as the initial seed for the mutation engine. But my problem is that the PDF viewer is expected to open the PDF file and stay open, waiting for the user to quit. Thus, AFL runs the test cases, hits the timeout for all of them, and then decides to stop there.

Would it be possible to have an option telling AFL that we would like to consider killing the application once the timeout is reached as "okay behavior"? I know that hangs won't be detectable then, but I am more interested in crashes, so I do not care about that for this application.

Well, this option might already exist; I might have missed it in the documentation! So, feel free to RTFM me, I probably deserve it! :)
