
I'm trying to fuzz a binary app that keeps waiting for data using AFL (QEMU mode). Because I don't have the source code to modify the binary so that it calls exit(0) after parsing the data, I'm faced with a problem in AFL (timeout), so I decided to write a wrapper around the binary so that I can make it exit after a certain time passes. With that in mind:

  1. AFL fuzzer: it can pass test inputs through STDIN or as a file argument
  2. the binary app that I'm fuzzing expects the input on STDIN and just keeps waiting for input

My strategy is based on a parent/child style (forking), such that the child will be the binary app and the parent will monitor it.

  • the parent makes the child (binary app) exit with status 0 if nothing happens for 5 seconds (no crash happens in the child process).
  • the parent is also responsible for sending the input it receives from stdin to the child

  • if the child crashes, I want the parent to crash as well so that AFL will notice and save the test file that is responsible for the crash

My questions are:

  • How can you make a child exit with a status of 0 from the parent?
  • How do you send the data to the child process from the parent process after the child runs the binary app using exec()?
  • Is it a good idea to tell whether the child crashed based on the exit status of the child?
zerocool
  • "how can you make a child exit with a status of 0 from the parent". You can only do it if the child is coded to exit 0 under some condition and you can trigger one of those conditions. – kaylum Mar 27 '20 at 00:50
  • "how to send the data to the child process from the parent process". This one is doable. And is covered in many posts on Stackoverflow and the web in general. For example: https://stackoverflow.com/questions/9405985/linux-3-0-executing-child-process-with-piped-stdin-stdout – kaylum Mar 27 '20 at 00:52
  • @kaylum I'm not the original coder of the binary app, so I have no idea what condition triggers the exit(0), and the binary is statically linked with no symbols, so reversing is hard even with signature-based tools like IDA Pro (it didn't recognize anything). – zerocool Mar 27 '20 at 00:54
  • Well then you can't do what you want. That was my point. – kaylum Mar 27 '20 at 00:54
  • But I don't really see that you need to do that. Just have the parent kill the child and exit with 0 if the child hasn't crashed. If it has crashed then exit with the child's non-zero exit status which can be obtained via `wait`. – kaylum Mar 27 '20 at 01:01
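The wrapper sketched in the question and in kaylum's last comment, written out as an added example (this is not the original poster's code). It assumes Linux/POSIX, that the target's path and arguments follow the wrapper's own name on the command line, and that the test case arrives on the wrapper's stdin, which is how afl-fuzz delivers it when no @@ file argument is used. The three points the question asks about are handled as follows: the parent cannot make an unknown binary "exit 0", so after the deadline it kills the child and exits 0 itself; the input is forwarded through a pipe that becomes the child's stdin before exec(); and a crash is recognised by the child dying from a signal (WIFSIGNALED), not by its exit status, because afl-fuzz itself only records a crash when the process it launched is killed by a signal, so the wrapper re-raises that same signal rather than returning a non-zero code.

```c
/* afl_wrap.c: run a stdin-driven target with a deadline and report what happened.
 * Added example for this thread; not the original poster's code. Assumptions:
 * Linux/POSIX, target path + args on the wrapper's command line, test case on stdin. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

#define INPUT_MAX (1 << 20)          /* largest test case we forward */
#define DEFAULT_TIMEOUT_MS 5000      /* the 5 s budget from the question */

enum outcome { TARGET_EXITED = 0, TARGET_TIMED_OUT = 1, TARGET_CRASHED = 2 };

struct run_result {
    enum outcome outcome;
    int code;   /* exit status for TARGET_EXITED, signal number for TARGET_CRASHED */
};

/* Reap `pid` within `timeout_ms`; returns 1 if reaped, 0 on timeout, -1 on error. */
static int wait_with_timeout(pid_t pid, unsigned timeout_ms, int *status) {
    struct timespec tick = { 0, 10 * 1000 * 1000 };  /* 10 ms polling interval */
    for (unsigned elapsed = 0; elapsed < timeout_ms; elapsed += 10) {
        pid_t r = waitpid(pid, status, WNOHANG);
        if (r == pid) return 1;
        if (r < 0 && errno != EINTR) return -1;
        nanosleep(&tick, NULL);
    }
    return 0;
}

/* Fork/exec argv[0] with its stdin connected to a pipe, write `input` into it, and
 * decide between "exited", "still running after the deadline" and "crashed". */
struct run_result run_target(char *const argv[], const unsigned char *input,
                             size_t len, unsigned timeout_ms) {
    struct run_result res = { TARGET_EXITED, 0 };
    int fds[2];
    if (pipe(fds) < 0) { perror("pipe"); exit(2); }

    pid_t pid = fork();
    if (pid < 0) { perror("fork"); exit(2); }
    if (pid == 0) {
        setpgid(0, 0);                  /* own process group, so grandchildren die with it */
        close(fds[1]);
        dup2(fds[0], STDIN_FILENO);     /* the target reads the test case from stdin */
        close(fds[0]);
        execvp(argv[0], argv);
        _exit(127);                     /* exec failed: distinguishable from a target exit */
    }
    setpgid(pid, pid);                  /* closes the race; harmless if the child did it */
    close(fds[0]);

    /* A target that dies before reading everything would otherwise SIGPIPE us. */
    signal(SIGPIPE, SIG_IGN);
    for (size_t off = 0; off < len; ) {
        ssize_t n = write(fds[1], input + off, len - off);
        if (n < 0) { if (errno == EINTR) continue; break; }
        off += (size_t)n;
    }
    close(fds[1]);  /* EOF gives a well-behaved target the chance to exit on its own */

    int status = 0;
    int r = wait_with_timeout(pid, timeout_ms, &status);
    if (r == 0) {
        /* Nothing happened within the deadline: no crash, so the wrapper will exit 0. */
        if (kill(-pid, SIGKILL) < 0) kill(pid, SIGKILL);
        waitpid(pid, &status, 0);
        res.outcome = TARGET_TIMED_OUT;
        return res;
    }
    if (r > 0 && WIFSIGNALED(status)) { /* died from a signal: SIGSEGV, SIGABRT, ... */
        res.outcome = TARGET_CRASHED;
        res.code = WTERMSIG(status);
    } else if (r > 0 && WIFEXITED(status)) {
        res.code = WEXITSTATUS(status);
    }
    return res;
}

int main(int argc, char **argv) {
    if (argc < 2) {
        fprintf(stderr, "usage: %s /path/to/target [args...] < testcase\n", argv[0]);
        return 2;
    }
    static unsigned char buf[INPUT_MAX];
    size_t len = fread(buf, 1, sizeof buf, stdin);
    struct run_result r = run_target(argv + 1, buf, len, DEFAULT_TIMEOUT_MS);
    if (r.outcome == TARGET_CRASHED) {
        /* Re-raise the child's fatal signal so afl-fuzz sees the wrapper die the same
         * way and saves the test case. A non-zero exit code would not count as a crash. */
        signal(r.code, SIG_DFL);
        raise(r.code);
    }
    return 0;   /* clean exit or timeout: "nothing happened", as the question wants */
}
```

An assumed invocation is `afl-fuzz -Q -i testcases -o findings -- ./afl_wrap ./target`. Two things to check before trusting a run: with -Q it is the wrapper that afl-fuzz loads into afl-qemu-trace, not the binary it execs, so confirm that the coverage bitmap actually grows for inputs that reach different code in the target; and the 5 s deadline is paid on every input that does not crash, which is the cost the answer below objects to.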

1 Answer


Not exactly the answer to the question you are asking, but ...

because I don't have the source code to modify the binary so that it exit(0) after parsing the data,

The premise above is false.

I decided to write a wrapper around the binary so that I can make it exit after a certain time passes,

That approach, while workable, will waste a lot of time: you don't know how long the parsing takes, so you'll have to wait some maximum time. If you don't wait long enough, you miss test coverage. And you also miss coverage of the parser going into an infinite loop.


So how can you make the program exit(0) after parsing? By binary patching. Here is an example.

You'll need to find a place in the binary where the ParseInput() (or whatever it's called) routine returns, and patch a few instructions to execute the equivalent of syscall(SYS_exit, 0).

After that, your fuzzing will go much faster (no wasting time waiting when parsing is already done) and you'll be able to detect when the parser goes into an infinite loop.

Employed Russian
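The patching step the answer describes, as an added example that is not the answerer's code. It assumes an x86-64, little-endian, 64-bit ELF, and that you have already located in a disassembler the address where the parsing routine returns; that address is the one input this thread cannot supply, so the tool takes it on the command line. The translation from virtual address to file offset goes through the PT_LOAD program headers, which is what a stripped, statically linked binary still has. The stub written there is `xor edi,edi; mov eax,60; syscall`, i.e. syscall(SYS_exit, 0) as the answer puts it (use 231, exit_group, if the target is multithreaded). It is 9 bytes, so the site you pick must have at least 9 bytes you can clobber, typically the return sequence plus the padding or code after it; verify in the disassembler that nothing jumps into the middle of the overwritten range.

```c
/* patch_exit.c: write an exit(0) stub at a virtual address in an x86-64 ELF.
 * Added example for this thread; not the answerer's code. Assumes ELF64/x86-64 and a
 * caller-supplied address of the parser's return site (found by reversing, not here). */
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* x86-64: xor edi,edi ; mov eax,60 (SYS_exit) ; syscall */
static const uint8_t EXIT0_STUB[] = { 0x31, 0xff, 0xb8, 0x3c, 0x00, 0x00, 0x00, 0x0f, 0x05 };
#define EXIT0_STUB_LEN sizeof(EXIT0_STUB)

/* Map a virtual address to a file offset via the PT_LOAD segments.
 * Returns -1 for a non-x86-64 ELF or an address not backed by file bytes. */
long vaddr_to_offset(const uint8_t *img, size_t img_len, uint64_t vaddr) {
    if (img_len < sizeof(Elf64_Ehdr)) return -1;
    const Elf64_Ehdr *eh = (const Elf64_Ehdr *)img;
    if (memcmp(eh->e_ident, ELFMAG, SELFMAG) != 0 ||
        eh->e_ident[EI_CLASS] != ELFCLASS64 || eh->e_machine != EM_X86_64) return -1;
    for (unsigned i = 0; i < eh->e_phnum; i++) {
        size_t off = (size_t)eh->e_phoff + (size_t)i * eh->e_phentsize;
        if (off + sizeof(Elf64_Phdr) > img_len) return -1;
        const Elf64_Phdr *ph = (const Elf64_Phdr *)(img + off);
        if (ph->p_type != PT_LOAD) continue;
        if (vaddr >= ph->p_vaddr && vaddr < ph->p_vaddr + ph->p_filesz)
            return (long)(ph->p_offset + (vaddr - ph->p_vaddr));   /* bytes live in the file */
    }
    return -1;   /* e.g. .bss, or an unmapped address */
}

/* Overwrite the bytes at `vaddr` with the stub. Returns the patched file offset or -1. */
long patch_exit0(uint8_t *img, size_t img_len, uint64_t vaddr) {
    long off = vaddr_to_offset(img, img_len, vaddr);
    if (off < 0 || (size_t)off + EXIT0_STUB_LEN > img_len) return -1;
    memcpy(img + off, EXIT0_STUB, EXIT0_STUB_LEN);
    return off;
}

/* Constructed fixture (not a real binary): a minimal ELF64 image whose single PT_LOAD
 * segment maps file offset 0 at vaddr 0x400000. Only exercises the address translation.
 * Needs img_len >= 120 (Ehdr + one Phdr). Caller frees the result. */
uint8_t *build_minimal_elf(size_t img_len) {
    uint8_t *img = calloc(1, img_len);
    if (!img || img_len < sizeof(Elf64_Ehdr) + sizeof(Elf64_Phdr)) { free(img); return NULL; }
    Elf64_Ehdr *eh = (Elf64_Ehdr *)img;
    memcpy(eh->e_ident, ELFMAG, SELFMAG);
    eh->e_ident[EI_CLASS] = ELFCLASS64;
    eh->e_ident[EI_DATA] = ELFDATA2LSB;
    eh->e_type = ET_EXEC;
    eh->e_machine = EM_X86_64;
    eh->e_phoff = sizeof(Elf64_Ehdr);
    eh->e_phentsize = sizeof(Elf64_Phdr);
    eh->e_phnum = 1;
    Elf64_Phdr *ph = (Elf64_Phdr *)(img + sizeof(Elf64_Ehdr));
    ph->p_type = PT_LOAD;
    ph->p_flags = PF_R | PF_X;
    ph->p_offset = 0;
    ph->p_vaddr = 0x400000;
    ph->p_filesz = ph->p_memsz = img_len;
    return img;
}

int main(int argc, char **argv) {
    if (argc != 4) {
        fprintf(stderr, "usage: %s in.elf out.elf 0xADDR_OF_PARSER_RETURN\n", argv[0]);
        return 2;
    }
    FILE *in = fopen(argv[1], "rb");
    if (!in) { perror(argv[1]); return 1; }
    fseek(in, 0, SEEK_END);
    long n = ftell(in);
    rewind(in);
    uint8_t *img = malloc((size_t)n);
    if (!img || fread(img, 1, (size_t)n, in) != (size_t)n) { perror("read"); return 1; }
    fclose(in);
    long off = patch_exit0(img, (size_t)n, strtoull(argv[3], NULL, 0));
    if (off < 0) { fprintf(stderr, "address not backed by a PT_LOAD segment\n"); return 1; }
    FILE *out = fopen(argv[2], "wb");
    if (!out || fwrite(img, 1, (size_t)n, out) != (size_t)n) { perror(argv[2]); return 1; }
    fclose(out);
    printf("patched %zu bytes at file offset 0x%lx\n", EXIT0_STUB_LEN, off);
    free(img);
    return 0;
}
```

Run the patched binary once by hand with a known-good input and confirm it exits 0 promptly; then confirm with a malformed input that the crash still happens before the stub is reached, since a patch placed too early would turn every run into a clean exit and hide the bugs you are fuzzing for.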