Drafl - Afl + Dynamorio = Fuzzing Binaries Amongst No Rootage Code On Linux
Original AFL supports black-box coverage-guided fuzzing using QEMU mode. I highly recommend to endeavor it offset as well as if it doesn't live you lot tin plough over the axe endeavor this tool.
Usage
You postulate to specify
DRRUN_PATH to betoken to drrun launcher as well as LIBCOV_PATH to betoken to libbinafl.so coverage library. You also postulate to switch off AFL's fork server (AFL_NO_FORKSRV=1) as well as likely AFL_SKIP_BIN_CHECK=1. See pace v inwards the construct department below for to a greater extent than details.NOTE: Don't forget that you lot should role 64-bit DynamoRIO for 64-bit binaries as well as 32-bit DynamoRIO for 32-bit binaries, otherwise it volition non work. To brand certain that your target is running nether DynamoRIO, you lot tin plough over the axe run it using the next command:
drrun -- Instrumentation DLL
Instrumentation library is a modified version of winAFL's coverage library created past times Ivan Fratric.
Build
Step 1. Clone drAFL repo
git clone https://github.com/mxmssh/drAFL.git /home/max/drAFL cd /home/max/drAFLStep 2. Clone as well as construct DynamoRIO
git clone https://github.com/DynamoRIO/dynamorio mkdir build_dr cd build_dr/ cmake ../dynamorio/ brand -j cd ..Step 3. Build coverage tool
mkdir construct cd construct cmake ../bin_cov/ -DDynamoRIO_DIR=../build_dr/cmake brand -j cd ..Step 4. Build patched AFL
cd afl/ brand cd ..Step 5. Configure surroundings variables as well as run the target
cd construct mkdir inwards mkdir out echo "AAAA" > in/seed export DRRUN_PATH=/home/max/drAFL/build_dr/bin64/drrun export LIBCOV_PATH=/home/max/drAFL/build/libbinafl.so export AFL_NO_FORKSRV=1 export AFL_SKIP_BIN_CHECK=1 ../afl/afl-fuzz -m 500 -i inwards -o out -- ./afl_test @@afl_test you lot should await 25-30 exec/sec as well as 1 unique crash inwards 2-3 minutes.