drAFL - AFL + DynamoRIO = Fuzzing Binaries With No Source Code On Linux
Original AFL supports black-box coverage-guided fuzzing using QEMU mode. I highly recommend trying it first, and if it doesn't work you can try this tool.
Usage
You need to specify DRRUN_PATH to point to the drrun launcher and LIBCOV_PATH to point to the libbinafl.so coverage library. You also need to switch off AFL's fork server (AFL_NO_FORKSRV=1) and probably set AFL_SKIP_BIN_CHECK=1. See step 5 in the build section below for more details.

NOTE: Don't forget that you should use 64-bit DynamoRIO for 64-bit binaries and 32-bit DynamoRIO for 32-bit binaries, otherwise it will not work. To make sure that your target is running under DynamoRIO, you can run it using the following command:
drrun --
Instrumentation DLL
The instrumentation library is a modified version of winAFL's coverage library created by Ivan Fratric.
Build
Step 1. Clone the drAFL repo
git clone https://github.com/mxmssh/drAFL.git /home/max/drAFL
cd /home/max/drAFL

Step 2. Clone and build DynamoRIO
git clone https://github.com/DynamoRIO/dynamorio
mkdir build_dr
cd build_dr/
cmake ../dynamorio/
make -j
cd ..

If you have any problems with DynamoRIO compilation, check this page.

Step 3. Build the coverage tool
mkdir build
cd build
cmake ../bin_cov/ -DDynamoRIO_DIR=../build_dr/cmake
make -j
cd ..

Step 4. Build the patched AFL
cd afl/
make
cd ..

Step 5. Configure environment variables and run the target
cd build
mkdir in
mkdir out
echo "AAAA" > in/seed
export DRRUN_PATH=/home/max/drAFL/build_dr/bin64/drrun
export LIBCOV_PATH=/home/max/drAFL/build/libbinafl.so
export AFL_NO_FORKSRV=1
export AFL_SKIP_BIN_CHECK=1
../afl/afl-fuzz -m 500 -i in -o out -- ./afl_test @@

In the case of afl_test you should expect 25-30 exec/sec and 1 unique crash in 2-3 minutes.
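A pre-flight wrapper for step 5, added here as an example and not part of the drAFL repository: it enforces the bitness rule from the usage note by comparing the target's ELF class with the bin32/bin64 directory that drrun lives in, checks that the two paths exist, then launches afl-fuzz with the variables from step 5. The /home/max/drAFL paths are the ones used in the steps above; DRAFL_ROOT is an assumed override variable.

```shell
#!/bin/sh
# Pre-flight wrapper for drAFL step 5 (added example; paths are assumptions
# taken from the build steps above, override them through the environment).
set -u
DRAFL_ROOT="${DRAFL_ROOT:-/home/max/drAFL}"
export DRRUN_PATH="${DRRUN_PATH:-$DRAFL_ROOT/build_dr/bin64/drrun}"
export LIBCOV_PATH="${LIBCOV_PATH:-$DRAFL_ROOT/build/libbinafl.so}"
export AFL_NO_FORKSRV=1        # drAFL cannot use AFL's fork server
export AFL_SKIP_BIN_CHECK=1    # target is not AFL-instrumented
# Bitness of an ELF file, read from EI_CLASS (byte 4): 1 = 32-bit, 2 = 64-bit.
# Prints 32 or 64; prints "unknown" and fails for anything that is not ELF.
elf_bits() {
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || { echo unknown; return 1; }
    case "$(od -An -tx1 -j4 -N1 "$1" | tr -d ' \n')" in
        01) echo 32 ;;
        02) echo 64 ;;
        *)  echo unknown; return 1 ;;
    esac
}

# Bitness of a DynamoRIO build, from the bin32/bin64 directory drrun lives in.
drrun_bits() {
    case "$1" in
        */bin64/drrun) echo 64 ;;
        */bin32/drrun) echo 32 ;;
        *)             echo unknown; return 1 ;;
    esac
}

# Succeeds only when the target and drrun are both 32-bit or both 64-bit.
check_bitness() {
    t=$(elf_bits "$1") || return 1
    d=$(drrun_bits "$2") || return 1
    [ "$t" = "$d" ]
}

run_fuzz() {
    for f in "$DRRUN_PATH" "$LIBCOV_PATH" "$1"; do
        [ -e "$f" ] || { echo "missing: $f" >&2; return 1; }
    done
    check_bitness "$1" "$DRRUN_PATH" || {
        echo "bitness mismatch: $1 vs $DRRUN_PATH" >&2; return 1; }
    mkdir -p in out
    [ -e in/seed ] || echo "AAAA" > in/seed
    exec "$DRAFL_ROOT/afl/afl-fuzz" -m 500 -i in -o out -- "$1" @@
}
# Usage: ./drafl_run.sh ./afl_test  (run from the build directory)
if [ $# -ge 1 ]; then run_fuzz "$1"; fi
```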