This project aims to guide security researchers along the journey of squeezing as much capability out of AFL++ as possible for any engagement where fuzzing is desired.
To paraphrase what a wise meme on the Internet once said...
This project accomplishes this goal by:
- Leveraging a good balance of AFL++'s advanced capabilities, including those that further advance AFL++'s advanced capabilities :) Examples include:
  - Preeny
  - LibFuzzer
  - HonggFuzz
  - Radamsa
  - AddressSanitizer
  - And much more... Check out instrumentation_globals.sh and init_aflplusplus_container.sh for more details.
- Providing guidance around instrumenting binaries with AFL++ "Persistence Mode" using functions such as `__AFL_FUZZ_INIT()`, `__AFL_INIT()`, and `__AFL_LOOP()`
- Supporting the ability to spin up a "main" fuzzer with multiple "secondaries"
- Enabling the creation of test cases for a given target
- Cranking out as many mutations / second as possible
- Aiding researchers in discovering .so files loaded via dlopen (which can be appended to AFL_PRELOAD at runtime)
- Clone the repo:

```shell
$ cd /opt
$ sudo git clone https://github.com/0dayInc/container.aflplusplus.template
$ sudo chown -R $USER:$USER container.aflplusplus.template
```

- Review Usage:

```shell
$ cd container.aflplusplus.template
$ ./AFLplusplus_template.sh -h
USAGE:
./AFLplusplus_template.sh
  -h                      # Display USAGE
  -T <TARGET CMD/FLAGS>   # REQUIRED
                          # TARGET CMD / FLAGS of the target binary
                          # to be fuzzed. It must reside in the
                          # TARGET prefix (i.e. /fuzz_session/TARGET)
  -m <main || secondary>  # REQUIRED
                          # afl++ Mode
  -r <src dir name>       # REQUIRED
                          # Name of the source code folder
                          # residing in ./TARGET_SRC to build
  -P                      # OPTIONAL / main MODE ONLY
                          # Preload target specific, colon delimited
                          # list of .so files to append to AFL_PRELOAD
  -c                      # OPTIONAL / main MODE ONLY
                          # Nuke contents of TARGET prefix
                          # (i.e. /fuzz_session/TARGET)
                          # which is tmpfs and LOST AFTER REBOOT
                          # OF HOST OS
  -n                      # OPTIONAL / main MODE ONLY
                          # Nuke contents of multi-sync (New afl++ Session)
                          # (i.e. /fuzz_session/AFLplusplus/multi_sync)
                          # which is tmpfs and LOST AFTER REBOOT
                          # OF HOST OS
  -t                      # OPTIONAL / main MODE ONLY
                          # Nuke contents of input (afl++ Test Cases)
                          # (i.e. /fuzz_session/AFLplusplus/input)
                          # which is tmpfs and LOST AFTER REBOOT
                          # OF HOST OS
  -D                      # OPTIONAL
                          # Enable Debugging
```

- Clone the Target Source Code Repo:

```shell
$ cd TARGET_SRC
$ git clone <TARGET_GIT_REPO>
```
- Instrument your target function(s) with `__AFL_INIT` and `__AFL_LOOP`:

```shell
$ vi <TARGET_GIT_REPO>/<TARGET_SRC_FILE_TO_INSTRUMENT_W __AFL_INIT && __AFL_LOOP>
```
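The following is an added example of what such an instrumented harness looks like; it is not code from this repository or from AFL++ itself. It wraps a hypothetical `parse_record()` target in the persistent-mode pattern referenced above (`__AFL_FUZZ_INIT()`, `__AFL_INIT()`, `__AFL_LOOP()`, and the shared test-case buffer). The `#ifndef` fallback block lets the same file compile with a plain C compiler (reading one input from stdin) so the harness can be sanity-checked before it is built with `afl-clang-fast`; the record format and the `parse_record()` function are constructed for illustration.

```c
/* Added example harness (not part of this repository or of AFL++).
 * Build with afl-clang-fast (or afl-clang-lto) for fuzzing; the fallback
 * macros below make it also build with plain gcc/clang for a dry run. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Fallback definitions used only when not compiled by afl-clang-fast:
 * one test case is read from stdin and the loop runs a single time. */
#ifndef __AFL_FUZZ_TESTCASE_LEN
static ssize_t fuzz_len;
static unsigned char fuzz_buf[1024 * 1024];
#define __AFL_FUZZ_TESTCASE_LEN fuzz_len
#define __AFL_FUZZ_TESTCASE_BUF fuzz_buf
#define __AFL_FUZZ_INIT() void sync(void);
#define __AFL_LOOP(x) ((fuzz_len = read(0, fuzz_buf, sizeof(fuzz_buf))) > 0 ? 1 : 0)
#define __AFL_INIT() sync()
#endif

/* Must appear at file scope, before main(). */
__AFL_FUZZ_INIT();

/* Hypothetical target function (constructed for this example).
 * Record format: <1-byte tag><1-byte len><len bytes of payload>.
 * Returns the sum of the payload bytes, or -1 for a malformed record.
 * Every access is bounds-checked against `len`, the length actually
 * passed in, so a correct harness must pass the exact test-case length. */
int parse_record(const unsigned char *buf, size_t len) {
    if (len < 2) return -1;                 /* header incomplete */
    unsigned char tag = buf[0];
    size_t payload_len = buf[1];
    if (tag != 0x01 && tag != 0x02) return -1;  /* unknown tag */
    if (payload_len + 2 > len) return -1;   /* truncated payload */
    int sum = 0;
    for (size_t i = 0; i < payload_len; i++) sum += buf[2 + i];
    return sum;
}

int main(void) {
    /* Expensive one-time setup (config parsing, allocations) goes here,
     * before __AFL_INIT(): it runs once per forked process, not per case. */
    __AFL_INIT();
    unsigned char *buf = __AFL_FUZZ_TESTCASE_BUF;  /* read after __AFL_INIT() */

    /* Run up to 10000 test cases in this process; AFL++ then respawns it,
     * which bounds the effect of any slow leak inside the target. */
    while (__AFL_LOOP(10000)) {
        size_t len = (size_t)__AFL_FUZZ_TESTCASE_LEN;

        /* Copy the case into an exact-size heap allocation: the shared
         * buffer is much larger than the test case, so an over-read in the
         * target would go unnoticed there, whereas AddressSanitizer will
         * flag any byte read past `len` from this copy. */
        unsigned char *copy = malloc(len ? len : 1);
        if (!copy) return 1;
        memcpy(copy, buf, len);

        int r = parse_record(copy, len);
        (void)r;

        /* Release everything: no state may survive into the next iteration,
         * otherwise crashes become non-reproducible from the saved input. */
        free(copy);
    }
    return 0;
}
```

When reproducing a crash found this way, run the same binary outside AFL++ with the saved input on stdin; the fallback macros make that a single pass through the loop, so the case is replayed exactly once.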
- Sanity check the instrumentation_globals.sh and build_target.sh scripts:

```shell
$ cd ..
$ vi TARGET/instrumentation_globals.sh
$ vi TARGET/build_target.sh
```
- Add your own test cases as single files in the `./TARGET/test_cases` directory. From there, they'll be copied into /fuzz_session/AFLplusplus/input once fuzzing begins.
- Begin Fuzzing (Example Usage):

```shell
$ tmux new -s afl_main
$ ./AFLplusplus_template.sh \
  -m main \
  -r <src_folder_name> \
  -T "target_bin --flags"
```
- Add another CPU core into the fuzzing mix (one secondary per additional core, each in its own tmux session):

```shell
$ tmux new -s afl_sec1
$ ./AFLplusplus_template.sh \
  -m secondary \
  -r <src_folder_name> \
  -T "target_bin --flags"
```
Happy Fuzzing!
If you've found this project useful and you're interested in supporting our efforts, we invite you to take a brief moment to keep us caffeinated: