mykter / afl-training Goto Github PK

Feedback from BSides London:

Potentially explain a little more about the purpose of fuzzing and its role in exploit dev, stability, etc. Maybe a case study or two?

https://rust-fuzz.github.io/book/afl.html
challenges from https://github.com/rust-fuzz/trophy-case

https://trustfoundry.net/introduction-to-triaging-fuzzer-generated-crashes/ looks like a good resource

Hi. The SSH listen port of docker env has been set to port 2222 by default in entrypoint.sh. So the env setup instruction should change from 22000:22 to 22000:2222 accordingly, or else error "Connection closed by remote host" will pop up.
https://github.com/mykter/afl-training/tree/main/environment#running-locally

install the C extension

Add a picture showing relationship between afl-fuzz, clang, afl-clang-fast, harness, target, folders

Due for release March 3.

when compile target in heartbleed by

AFL_USE_ASAN=1 afl-clang-fast++ -g handshake.cc openssl/libssl.a openssl/libcrypto.a -o handshake -I openssl/include -ldl

I got

I looked at the source code of handshake.cc, there does not exist identifier data or size.
How can I do to fix this?

I'm trying to complete the heartbleed challenge and the limit_memory.sh script doesn't work as the ASNWERS.md file suggests.

First of all, the script is located in the ~/AFLplusplus/utils/asan_cgroups/ directory, and not ~/AFLplusplus/examples/asan_cgroups/, like the answers file suggests.

Second of all, when you do try to run the script, then it fails:

sudo ~/AFLplusplus/utils/asan_cgroups/limit_memory.sh -u fuzzer afl-fuzz -i in -o out ./handshake

cgcreate: libcgroup initialization failed: Cgroup is not mounted

I also tried running it in the official AFL++ docker image, but ran into the same problem.

I don't know too much about cgroups, so I'm not sure what's going wrong. I'm running AFL++ from a privileged docker container, from inside a Virtualbox VM, if it makes any difference.

Hello @mykter! Really amazing collection in this repo!

I was wondering if you also have any examples and (most importantly) programs that have some kind of file IO, or they change their environment, that prohibits AFL of finding bugs?

I'm working on an isolation framework around AFL to checkpoint application files in case they have changed. So when the AFL forkserver spawns a new process, all files are reverted to their initial condition.

Fuzzing with AFL - GrayHat 2020.pdf

Hi,
I have done the experiment as the tutorial, but only about 78 paths detected after 24 hours fuzzing, neither does the heartbleed vulnerability.
The process is as follow:

1. git clone https://github.com/openssl/openssl.git
2. git checkout Checkout at tag OpenSSL_1_0_1f
3. export CC=/afl/afl-clang-fast export CXX=afl/afl-clang-fast++
4. in openssl dir, ./config && AFL_USE_ASAN=1 make
5. build the handshake binary
   AFL_USE_ASAN=1 /afl/afl-clang-fast++ -g handshake.cc openssl/libssl.a openssl/libcrypto.a -o handshake -I openssl/include -ldl
6. set "AAAAAAAAAA" as the seed
7. run the AFL
   /afl/afl-fuzz -i /seed -o /out -m none -- //handshake

Regards,
xiaosatianyu

There isn't time to cover it in the typical 4hr format, but people might find it valuable to have in the materials to work on after or if they're doing it offline.

Fuzzing.with.AFL.pptx

In readme there is a line "There is extra information in the speaker notes". But actually it has only slides. And there is no option to open speaker notes.

https://www.fuzzingbook.org/

If write harness as example https://github.com/mykter/afl-training/tree/main/harness#arbitrary-input-formats
the harness can tell which case to run based on the 1st parameter.
In this circumstances, how to make the harness read from input file? if we write the "echo" and "mul" in seed file, the AFL will mutate the "echo" and "mul" as well. if we just write the parameters in seed file, how the harness know whether lib_echo or mul be called?