
tfg's People

Contributors

olasergiolas avatar


Forkers

gavz ins426

tfg's Issues

[BUG] Qiling PoC fuzzing doesn't crash on Qiling dev

Discovered issue

Previously, when fuzzing was performed using the "fuzz.py" script with Qiling stable, AFL++ was able to properly identify and record when the binary crashed, but now on Qiling dev, crashes do not seem to be getting caught by AFL++ anymore. It was also observed that when running "fuzz.py" without AFL++, two different behaviors are exhibited depending on the version of Qiling that is being used. This issue will be discussed with the authors of the Qiling project at qilingframework/qiling#1163.

Versions used

Qiling stable: [screenshot]

Qiling dev: [screenshot]

Fuzzing results

Qiling stable

The crash is found instantly. [screenshot]

Qiling dev

No crashes found after fuzzing for 20 minutes. [screenshot]

Crash behavior

This is the code snippet that is used to force an artificial crash. [screenshot]

Qiling stable: [screenshot]

Qiling dev: [screenshot] [screenshot]

[BUG] Issues with libs for Qiling PoC on Docker

Until now, the Docker image was based on AFL++'s official image, which is itself based on Ubuntu 22.04. Qiling does not seem to support the arm-linux-gnueabi libs that are included in this Ubuntu version's libc6-armel-cross package, namely libc.so and ld-2.31.so.
[screenshot]

A dirty workaround would be to replace those libs when building the image with the ones included in the 2.31-0ubuntu9.2cross1 version of the package, but given that this could lead to future dependency issues, the proper solution would be to directly use Ubuntu focal as the base instead. In this Ubuntu version the aforementioned libs are supported by Qiling.

[DEV] Get fuzzing on Qiling AFL working

Create the needed scripts to emulate and fuzz binaries on Qiling and create their respective fuzzing setups.

The following binaries will be tested:

  • Netgear R7000: upnpd
  • Wyzecam v3: cJSON library

[DEV] Docker container

Let's create a Docker container to use as the working environment of this project. This container should mainly include the following tools plus all the needed dependencies to get every sample working:

  • Qiling
  • AFL++ (with support for ARM and MIPS)
  • Unicorn Engine
  • gdb-multiarch
  • Binwalk

[DOC] Write thesis document

Every section of the current LaTeX template being used needs to be filled. This document will be written following the directions provided by ETSIIT and the structure provided by the following template.

The following sections need to be discussed in the document:

  • Introduction: The state of IoT device security in recent years.
  • State of the art: Latest techniques and tools for fuzzing IoT.
  • Planning and methodology: How this project will be planned.
  • Experiments: Practical use-cases of what was learned during the research phase.
  • Complementary tools: Tools developed to facilitate the development of the experiments.
  • Final thoughts and future work: Lessons learned and what was left out of the project.

fuzzer is not running

root@cdacc56dce42:~/examples/Fuzzing Netgear R7000# AFL_DEBUG=1 AFL_PATH="$(realpath ./AFLplusplus)" PATH="$AFL_PATH:$PATH" /qiling/AFLplusplus/afl-fuzz -i afl_inputs -o afl_outputs -U -- python3 ./netgearR7000_fuzzer.py @@
[+] Loaded environment variable AFL_DEBUG with value 1
[+] Loaded environment variable AFL_DEBUG with value 1
[+] Loaded environment variable AFL_PATH with value /qiling/examples/Fuzzing Netgear R7000/AFLplusplus
afl-fuzz++4.01a based on afl by Michal Zalewski and a large online community
[+] afl++ is maintained by Marc "van Hauser" Heuse, Heiko "hexcoder" Eißfeldt, Andrea Fioraldi and Dominik Maier
[+] afl++ is open source, get it at https://github.com/AFLplusplus/AFLplusplus
[+] NOTE: This is v3.x which changes defaults and behaviours - see README.md
[+] No -M/-S set, autoconfiguring for "-S default"
[*] Getting to work...
[+] Using exponential power schedule (FAST)
[+] Enabled testcache with 50 MB
[+] Generating fuzz data with a length of min=1 max=1048576
[*] Checking core_pattern...
[*] Checking CPU scaling governor...
[+] You have 48 CPU cores and 4 runnable tasks (utilization: 8%).
[+] Try parallel jobs - see docs/parallel_fuzzing.md.
[*] Setting up output directories...
[+] Output directory exists but deemed OK to reuse.
[*] Deleting old session data...
[+] Output dir cleanup successful.
[*] Checking CPU core loadout...
[+] Found a free CPU core, try binding to #0.
[*] Scanning 'afl_inputs'...
[+] Loaded a total of 1 seeds.
[*] Creating hard links for all input files...
[*] Validating target binary...
[*] No auto-generated dictionary tokens to reuse.
[*] Attempting dry run with 'id:000000,time:0,execs:0,orig:a'...
[*] Spinning up the fork server...
[=] mmap2(addr = 0x0, length = 0x1000, prot = 0x3, flags = 0x4000022, fd = 0xffffffff, pgoffset = 0x0) = 0x90000000
[=] open(filename = 0x7ff3c308, flags = 0x0, mode = 0x0) = -0x2 (ENOENT)
[=] open(filename = 0x7ff3c2f0, flags = 0x0, mode = 0x0) = -0x2 (ENOENT)
[=] open(filename = 0x7ff3c2f0, flags = 0x0, mode = 0x0) = 0x3
[=] fstat(fd = 0x3, buf_ptr = 0x7ff3c288) = 0x0
[=] mmap2(addr = 0x0, length = 0x1000, prot = 0x3, flags = 0x4000022, fd = 0xffffffff, pgoffset = 0x0) = 0x90001000
[=] read(fd = 0x3, buf = 0x90001000, length = 0x1000) = 0x1000
[=] mmap2(addr = 0x0, length = 0x25000, prot = 0x0, flags = 0x22, fd = 0xffffffff, pgoffset = 0x0) = 0x90002000
[=] mmap2(addr = 0x90002000, length = 0xdf1c, prot = 0x5, flags = 0x12, fd = 0x3, pgoffset = 0x0) = 0x90002000
[=] mmap2(addr = 0x90018000, length = 0x4d40, prot = 0x3, flags = 0x12, fd = 0x3, pgoffset = 0xe) = 0x90018000
[=] mmap2(addr = 0x9001d000, length = 0x9d48, prot = 0x3, flags = 0x32, fd = 0xffffffff, pgoffset = 0x0) = 0x9001d000
[=] close(fd = 0x3) = 0x0
[=] munmap(addr = 0x90001000, length = 0x1000) = 0x0
[=] open(filename = 0x7ff3c2f8, flags = 0x0, mode = 0x0) = -0x2 (ENOENT)
[=] open(filename = 0x7ff3c2e0, flags = 0x0, mode = 0x0) = -0x2 (ENOENT)
[=] open(filename = 0x7ff3c2e0, flags = 0x0, mode = 0x0) = 0x3
[=] fstat(fd = 0x3, buf_ptr = 0x7ff3c278) = 0x0
[=] mmap2(addr = 0x0, length = 0x1000, prot = 0x3, flags = 0x4000022, fd = 0xffffffff, pgoffset = 0x0) = 0x90001000
[=] read(fd = 0x3, buf = 0x90001000, length = 0x1000) = 0x1000
[=] mmap2(addr = 0x0, length = 0x64000, prot = 0x0, flags = 0x22, fd = 0xffffffff, pgoffset = 0x0) = 0x90027000
[=] mmap2(addr = 0x90027000, length = 0x448a0, prot = 0x5, flags = 0x12, fd = 0x3, pgoffset = 0x0) = 0x90027000
[=] mmap2(addr = 0x90074000, length = 0x48d4, prot = 0x3, flags = 0x12, fd = 0x3, pgoffset = 0x45) = 0x90074000
[=] mmap2(addr = 0x90079000, length = 0x11ae4, prot = 0x3, flags = 0x32, fd = 0xffffffff, pgoffset = 0x0) = 0x90079000
[=] close(fd = 0x3) = 0x0
[=] munmap(addr = 0x90001000, length = 0x1000) = 0x0
[=] open(filename = 0x7ff3c2e8, flags = 0x0, mode = 0x0) = -0x2 (ENOENT)
[=] open(filename = 0x7ff3c2d0, flags = 0x0, mode = 0x0) = -0x2 (ENOENT)
[=] open(filename = 0x7ff3c2d0, flags = 0x0, mode = 0x0) = 0x3
[=] fstat(fd = 0x3, buf_ptr = 0x7ff3c268) = 0x0
[=] mmap2(addr = 0x0, length = 0x1000, prot = 0x3, flags = 0x4000022, fd = 0xffffffff, pgoffset = 0x0) = 0x90001000
[=] read(fd = 0x3, buf = 0x90001000, length = 0x1000) = 0x1000
[=] mmap2(addr = 0x0, length = 0x19000, prot = 0x0, flags = 0x22, fd = 0xffffffff, pgoffset = 0x0) = 0x9008b000
[=] mmap2(addr = 0x9008b000, length = 0x10844, prot = 0x5, flags = 0x12, fd = 0x3, pgoffset = 0x0) = 0x9008b000
[=] mmap2(addr = 0x900a3000, length = 0xb88, prot = 0x3, flags = 0x12, fd = 0x3, pgoffset = 0x10) = 0x900a3000
[=] close(fd = 0x3) = 0x0
[=] munmap(addr = 0x90001000, length = 0x1000) = 0x0
[=] open(filename = 0x7ff3c2d8, flags = 0x0, mode = 0x0) = 0x3
[=] fstat(fd = 0x3, buf_ptr = 0x7ff3c270) = 0x0
[=] mmap2(addr = 0x0, length = 0x1000, prot = 0x3, flags = 0x4000022, fd = 0xffffffff, pgoffset = 0x0) = 0x90001000
[=] read(fd = 0x3, buf = 0x90001000, length = 0x1000) = 0x1000
[=] mmap2(addr = 0x0, length = 0x1d000, prot = 0x0, flags = 0x22, fd = 0xffffffff, pgoffset = 0x0) = 0x900a4000
[=] mmap2(addr = 0x900a4000, length = 0x22f4, prot = 0x5, flags = 0x12, fd = 0x3, pgoffset = 0x0) = 0x900a4000
[=] mmap2(addr = 0x900ae000, length = 0x1000, prot = 0x3, flags = 0x12, fd = 0x3, pgoffset = 0x2) = 0x900ae000
[=] mmap2(addr = 0x900af000, length = 0x11268, prot = 0x3, flags = 0x32, fd = 0xffffffff, pgoffset = 0x0) = 0x900af000
[=] close(fd = 0x3) = 0x0
[=] munmap(addr = 0x90001000, length = 0x1000) = 0x0
[=] open(filename = 0x7ff3c2c8, flags = 0x0, mode = 0x0) = 0x3
[=] fstat(fd = 0x3, buf_ptr = 0x7ff3c260) = 0x0
[=] mmap2(addr = 0x0, length = 0x1000, prot = 0x3, flags = 0x4000022, fd = 0xffffffff, pgoffset = 0x0) = 0x90001000
[=] read(fd = 0x3, buf = 0x90001000, length = 0x1000) = 0x1000
[=] mmap2(addr = 0x0, length = 0x181000, prot = 0x0, flags = 0x22, fd = 0xffffffff, pgoffset = 0x0) = 0x900c1000
[=] mmap2(addr = 0x900c1000, length = 0x162bbc, prot = 0x5, flags = 0x12, fd = 0x3, pgoffset = 0x0) = 0x900c1000
[=] mmap2(addr = 0x9022b000, length = 0x1499c, prot = 0x3, flags = 0x12, fd = 0x3, pgoffset = 0x162) = 0x9022b000
[=] mmap2(addr = 0x90240000, length = 0x1bd4, prot = 0x3, flags = 0x32, fd = 0xffffffff, pgoffset = 0x0) = 0x90240000
[=] close(fd = 0x3) = 0x0
[=] munmap(addr = 0x90001000, length = 0x1000) = 0x0
[=] open(filename = 0x7ff3c2b8, flags = 0x0, mode = 0x0) = 0x3
[=] fstat(fd = 0x3, buf_ptr = 0x7ff3c250) = 0x0
[=] mmap2(addr = 0x0, length = 0x1000, prot = 0x3, flags = 0x4000022, fd = 0xffffffff, pgoffset = 0x0) = 0x90001000
[=] read(fd = 0x3, buf = 0x90001000, length = 0x1000) = 0x1000
[=] mmap2(addr = 0x0, length = 0x5b000, prot = 0x0, flags = 0x22, fd = 0xffffffff, pgoffset = 0x0) = 0x90242000
[=] mmap2(addr = 0x90242000, length = 0x4d264, prot = 0x5, flags = 0x12, fd = 0x3, pgoffset = 0x0) = 0x90242000
[=] mmap2(addr = 0x90297000, length = 0x5334, prot = 0x3, flags = 0x12, fd = 0x3, pgoffset = 0x4d) = 0x90297000
[=] close(fd = 0x3) = 0x0
[=] munmap(addr = 0x90001000, length = 0x1000) = 0x0
[=] open(filename = 0x7ff3c2a8, flags = 0x0, mode = 0x0) = 0x3
[=] fstat(fd = 0x3, buf_ptr = 0x7ff3c240) = 0x0
[=] mmap2(addr = 0x0, length = 0x1000, prot = 0x3, flags = 0x4000022, fd = 0xffffffff, pgoffset = 0x0) = 0x90001000
[=] read(fd = 0x3, buf = 0x90001000, length = 0x1000) = 0x1000
[=] mmap2(addr = 0x0, length = 0x12000, prot = 0x0, flags = 0x22, fd = 0xffffffff, pgoffset = 0x0) = 0x9029d000
[=] mmap2(addr = 0x9029d000, length = 0x98d8, prot = 0x5, flags = 0x12, fd = 0x3, pgoffset = 0x0) = 0x9029d000
[=] mmap2(addr = 0x902ae000, length = 0xaf0, prot = 0x3, flags = 0x12, fd = 0x3, pgoffset = 0x9) = 0x902ae000
[=] close(fd = 0x3) = 0x0
[=] munmap(addr = 0x90001000, length = 0x1000) = 0x0
[=] open(filename = 0x7ff3c298, flags = 0x0, mode = 0x0) = 0x3
[=] fstat(fd = 0x3, buf_ptr = 0x7ff3c230) = 0x0
[=] mmap2(addr = 0x0, length = 0x1000, prot = 0x3, flags = 0x4000022, fd = 0xffffffff, pgoffset = 0x0) = 0x90001000
[=] read(fd = 0x3, buf = 0x90001000, length = 0x1000) = 0x1000
[=] mmap2(addr = 0x0, length = 0x19000, prot = 0x0, flags = 0x22, fd = 0xffffffff, pgoffset = 0x0) = 0x902af000
[=] mmap2(addr = 0x902af000, length = 0xefcc, prot = 0x5, flags = 0x12, fd = 0x3, pgoffset = 0x0) = 0x902af000
[=] mmap2(addr = 0x902c6000, length = 0x1004, prot = 0x3, flags = 0x12, fd = 0x3, pgoffset = 0xf) = 0x902c6000
[=] close(fd = 0x3) = 0x0
[=] munmap(addr = 0x90001000, length = 0x1000) = 0x0
[=] open(filename = 0x7ff3c288, flags = 0x0, mode = 0x0) = 0x3
[=] fstat(fd = 0x3, buf_ptr = 0x7ff3c220) = 0x0
[=] mmap2(addr = 0x0, length = 0x1000, prot = 0x3, flags = 0x4000022, fd = 0xffffffff, pgoffset = 0x0) = 0x90001000
[=] read(fd = 0x3, buf = 0x90001000, length = 0x1000) = 0x1000
[=] mmap2(addr = 0x0, length = 0x18000, prot = 0x0, flags = 0x22, fd = 0xffffffff, pgoffset = 0x0) = 0x902c8000
[=] mmap2(addr = 0x902c8000, length = 0xe478, prot = 0x5, flags = 0x12, fd = 0x3, pgoffset = 0x0) = 0x902c8000
[=] mmap2(addr = 0x902de000, length = 0x6bc, prot = 0x3, flags = 0x12, fd = 0x3, pgoffset = 0xe) = 0x902de000
[=] mmap2(addr = 0x902df000, length = 0xcfc, prot = 0x3, flags = 0x32, fd = 0xffffffff, pgoffset = 0x0) = 0x902df000
[=] close(fd = 0x3) = 0x0
[=] munmap(addr = 0x90001000, length = 0x1000) = 0x0
[=] open(filename = 0x7ff3c278, flags = 0x0, mode = 0x0) = 0x3
[=] fstat(fd = 0x3, buf_ptr = 0x7ff3c210) = 0x0
[=] mmap2(addr = 0x0, length = 0x1000, prot = 0x3, flags = 0x4000022, fd = 0xffffffff, pgoffset = 0x0) = 0x90001000
[=] read(fd = 0x3, buf = 0x90001000, length = 0x1000) = 0x1000
[=] mmap2(addr = 0x0, length = 0x1a000, prot = 0x0, flags = 0x22, fd = 0xffffffff, pgoffset = 0x0) = 0x902e0000
[=] mmap2(addr = 0x902e0000, length = 0xa564, prot = 0x5, flags = 0x12, fd = 0x3, pgoffset = 0x0) = 0x902e0000
[=] mmap2(addr = 0x902f2000, length = 0x53c0, prot = 0x3, flags = 0x12, fd = 0x3, pgoffset = 0xa) = 0x902f2000
[=] mmap2(addr = 0x902f8000, length = 0x1590, prot = 0x3, flags = 0x32, fd = 0xffffffff, pgoffset = 0x0) = 0x902f8000
[=] close(fd = 0x3) = 0x0
[=] munmap(addr = 0x90001000, length = 0x1000) = 0x0
[=] open(filename = 0x7ff3c268, flags = 0x0, mode = 0x0) = -0x2 (ENOENT)
[=] open(filename = 0x7ff3c250, flags = 0x0, mode = 0x0) = -0x2 (ENOENT)
[=] open(filename = 0x7ff3c250, flags = 0x0, mode = 0x0) = 0x3
[=] fstat(fd = 0x3, buf_ptr = 0x7ff3c1e8) = 0x0
[=] mmap2(addr = 0x0, length = 0x1000, prot = 0x3, flags = 0x4000022, fd = 0xffffffff, pgoffset = 0x0) = 0x90001000
[=] read(fd = 0x3, buf = 0x90001000, length = 0x1000) = 0x1000
[=] mmap2(addr = 0x0, length = 0xb000, prot = 0x0, flags = 0x22, fd = 0xffffffff, pgoffset = 0x0) = 0x902fa000
[=] mmap2(addr = 0x902fa000, length = 0x2200, prot = 0x5, flags = 0x12, fd = 0x3, pgoffset = 0x0) = 0x902fa000
[=] mmap2(addr = 0x90304000, length = 0x388, prot = 0x3, flags = 0x12, fd = 0x3, pgoffset = 0x2) = 0x90304000
[=] mprotect(start = 0x902fa000, mlen = 0x2200, prot = 0x7) = 0x0
[=] close(fd = 0x3) = 0x0
[=] munmap(addr = 0x90001000, length = 0x1000) = 0x0
[=] open(filename = 0x7ff3c258, flags = 0x0, mode = 0x0) = 0x3
[=] fstat(fd = 0x3, buf_ptr = 0x7ff3c1f0) = 0x0
[=] mmap2(addr = 0x0, length = 0x1000, prot = 0x3, flags = 0x4000022, fd = 0xffffffff, pgoffset = 0x0) = 0x90001000
[=] read(fd = 0x3, buf = 0x90001000, length = 0x1000) = 0x1000
[=] mmap2(addr = 0x0, length = 0x74000, prot = 0x0, flags = 0x22, fd = 0xffffffff, pgoffset = 0x0) = 0x90305000
[=] mmap2(addr = 0x90305000, length = 0x64ec0, prot = 0x5, flags = 0x12, fd = 0x3, pgoffset = 0x0) = 0x90305000
[=] mmap2(addr = 0x90372000, length = 0x1374, prot = 0x3, flags = 0x12, fd = 0x3, pgoffset = 0x65) = 0x90372000
[=] mmap2(addr = 0x90374000, length = 0x45d0, prot = 0x3, flags = 0x32, fd = 0xffffffff, pgoffset = 0x0) = 0x90374000
[=] close(fd = 0x3) = 0x0
[=] munmap(addr = 0x90001000, length = 0x1000) = 0x0
[=] open(filename = 0x7ff3c248, flags = 0x0, mode = 0x0) = -0x2 (ENOENT)
[=] open(filename = 0x7ff3c230, flags = 0x0, mode = 0x0) = -0x2 (ENOENT)
[=] open(filename = 0x7ff3c230, flags = 0x0, mode = 0x0) = 0x3
[=] fstat(fd = 0x3, buf_ptr = 0x7ff3c1c8) = 0x0
[=] close(fd = 0x3) = 0x0
[=] open(filename = 0x7ff3c238, flags = 0x0, mode = 0x0) = -0x2 (ENOENT)
[=] open(filename = 0x7ff3c220, flags = 0x0, mode = 0x0) = -0x2 (ENOENT)
[=] open(filename = 0x7ff3c220, flags = 0x0, mode = 0x0) = 0x3
[=] fstat(fd = 0x3, buf_ptr = 0x7ff3c1b8) = 0x0
[=] close(fd = 0x3) = 0x0
[=] open(filename = 0x7ff3c228, flags = 0x0, mode = 0x0) = 0x3
[=] fstat(fd = 0x3, buf_ptr = 0x7ff3c1c0) = 0x0
[=] close(fd = 0x3) = 0x0
[=] open(filename = 0x7ff3c218, flags = 0x0, mode = 0x0) = 0x3
[=] fstat(fd = 0x3, buf_ptr = 0x7ff3c1b0) = 0x0
[=] close(fd = 0x3) = 0x0
[=] open(filename = 0x7ff3c208, flags = 0x0, mode = 0x0) = 0x3
[=] fstat(fd = 0x3, buf_ptr = 0x7ff3c1a0) = 0x0
[=] mmap2(addr = 0x0, length = 0x1000, prot = 0x3, flags = 0x4000022, fd = 0xffffffff, pgoffset = 0x0) = 0x90001000
[=] read(fd = 0x3, buf = 0x90001000, length = 0x1000) = 0x1000
[=] mmap2(addr = 0x0, length = 0xb000, prot = 0x0, flags = 0x22, fd = 0xffffffff, pgoffset = 0x0) = 0x90379000
[=] mmap2(addr = 0x90379000, length = 0x16f4, prot = 0x5, flags = 0x12, fd = 0x3, pgoffset = 0x0) = 0x90379000
[=] mmap2(addr = 0x90382000, length = 0x1000, prot = 0x3, flags = 0x12, fd = 0x3, pgoffset = 0x1) = 0x90382000
[=] mmap2(addr = 0x90383000, length = 0x4, prot = 0x3, flags = 0x32, fd = 0xffffffff, pgoffset = 0x0) = 0x90383000
[=] close(fd = 0x3) = 0x0
[=] mmap2(addr = 0x0, length = 0x1000, prot = 0x3, flags = 0x4000022, fd = 0xffffffff, pgoffset = 0x0) = 0x90384000
[=] munmap(addr = 0x90001000, length = 0x1000) = 0x0
[=] open(filename = 0x7ff3c1f8, flags = 0x0, mode = 0x0) = 0x3
[=] fstat(fd = 0x3, buf_ptr = 0x7ff3c190) = 0x0
[=] close(fd = 0x3) = 0x0
[=] open(filename = 0x7ff3c1e8, flags = 0x0, mode = 0x0) = 0x3
[=] fstat(fd = 0x3, buf_ptr = 0x7ff3c180) = 0x0
[=] close(fd = 0x3) = 0x0
[=] open(filename = 0x7ff3c1d8, flags = 0x0, mode = 0x0) = 0x3
[=] fstat(fd = 0x3, buf_ptr = 0x7ff3c170) = 0x0
[=] close(fd = 0x3) = 0x0
[=] open(filename = 0x7ff3c1c8, flags = 0x0, mode = 0x0) = 0x3
[=] fstat(fd = 0x3, buf_ptr = 0x7ff3c160) = 0x0
[=] close(fd = 0x3) = 0x0
[=] open(filename = 0x7ff3c1b8, flags = 0x0, mode = 0x0) = 0x3
[=] fstat(fd = 0x3, buf_ptr = 0x7ff3c150) = 0x0
[=] close(fd = 0x3) = 0x0
[=] open(filename = 0x7ff3c1a8, flags = 0x0, mode = 0x0) = 0x3
[=] fstat(fd = 0x3, buf_ptr = 0x7ff3c140) = 0x0
[=] close(fd = 0x3) = 0x0
[=] open(filename = 0x7ff3c198, flags = 0x0, mode = 0x0) = 0x3
[=] fstat(fd = 0x3, buf_ptr = 0x7ff3c130) = 0x0
[=] close(fd = 0x3) = 0x0
[=] open(filename = 0x7ff3c188, flags = 0x0, mode = 0x0) = 0x3
[=] fstat(fd = 0x3, buf_ptr = 0x7ff3c120) = 0x0
[=] close(fd = 0x3) = 0x0
[=] open(filename = 0x7ff3c178, flags = 0x0, mode = 0x0) = 0x3
[=] fstat(fd = 0x3, buf_ptr = 0x7ff3c110) = 0x0
[=] close(fd = 0x3) = 0x0
[=] open(filename = 0x7ff3c168, flags = 0x0, mode = 0x0) = 0x3
[=] fstat(fd = 0x3, buf_ptr = 0x7ff3c100) = 0x0
[=] close(fd = 0x3) = 0x0
[=] open(filename = 0x7ff3c158, flags = 0x0, mode = 0x0) = 0x3
[=] fstat(fd = 0x3, buf_ptr = 0x7ff3c0f0) = 0x0
[=] close(fd = 0x3) = 0x0
[=] open(filename = 0x7ff3c148, flags = 0x0, mode = 0x0) = -0x2 (ENOENT)
[=] open(filename = 0x7ff3c130, flags = 0x0, mode = 0x0) = -0x2 (ENOENT)
[=] open(filename = 0x7ff3c130, flags = 0x0, mode = 0x0) = 0x3
[=] fstat(fd = 0x3, buf_ptr = 0x7ff3c0c8) = 0x0
[=] close(fd = 0x3) = 0x0
[=] open(filename = 0x7ff3c138, flags = 0x0, mode = 0x0) = -0x2 (ENOENT)
[=] open(filename = 0x7ff3c120, flags = 0x0, mode = 0x0) = -0x2 (ENOENT)
[=] open(filename = 0x7ff3c120, flags = 0x0, mode = 0x0) = 0x3
[=] fstat(fd = 0x3, buf_ptr = 0x7ff3c0b8) = 0x0
[=] close(fd = 0x3) = 0x0
[=] open(filename = 0x7ff3c128, flags = 0x0, mode = 0x0) = -0x2 (ENOENT)
[=] open(filename = 0x7ff3c110, flags = 0x0, mode = 0x0) = -0x2 (ENOENT)
[=] open(filename = 0x7ff3c110, flags = 0x0, mode = 0x0) = 0x3
[=] fstat(fd = 0x3, buf_ptr = 0x7ff3c0a8) = 0x0
[=] close(fd = 0x3) = 0x0
[=] open(filename = 0x7ff3c118, flags = 0x0, mode = 0x0) = 0x3
[=] fstat(fd = 0x3, buf_ptr = 0x7ff3c0b0) = 0x0
[=] close(fd = 0x3) = 0x0
[=] stat(path = 0x90384140, buf_ptr = 0x7ff3ccc0) = 0x0
[=] open(filename = 0x47be1c7, flags = 0x0, mode = 0x0) = -0x2 (ENOENT)
[=] gettimeofday(tv = 0x7ff3cd00, tz = 0x0) = 0x0
[=] mprotect(start = 0x900ae000, mlen = 0x1000, prot = 0x1) = 0x0
[=] mprotect(start = 0x902c6000, mlen = 0x1000, prot = 0x1) = 0x0
[=] mprotect(start = 0x902f2000, mlen = 0x1000, prot = 0x1) = 0x0
[=] mprotect(start = 0x90372000, mlen = 0x1000, prot = 0x1) = 0x0
[=] mprotect(start = 0x90382000, mlen = 0x1000, prot = 0x1) = 0x0
[=] mprotect(start = 0x47c6000, mlen = 0x1000, prot = 0x1) = 0x0
[=] mprotect(start = 0x902fa000, mlen = 0x2200, prot = 0x5) = 0x0
[=] ioctl(fd = 0x0, cmd = 0x5401, arg = 0x7ff3c8f4) = 0x0
[=] ioctl(fd = 0x1, cmd = 0x5401, arg = 0x7ff3c8f4) = 0x0
[=] getpid() = 0x512
[=] ugetrlimit(res = 0x3, rlim = 0x7ff3c940) = 0x0
[=] rt_sigaction(signum = 0x20, act = 0x7ff3c904, oldact = 0x0) = 0x0
[=] rt_sigaction(signum = 0x21, act = 0x7ff3c904, oldact = 0x0) = 0x0
[=] rt_sigaction(signum = 0x22, act = 0x7ff3c904, oldact = 0x0) = 0x0
[=] rt_sigprocmask(how = 0x0, nset = 0x7ff3c948, oset = 0x0, sigsetsize = 0x8) = 0x0
[=] rt_sigprocmask(how = 0x1, nset = 0x7ff3c948, oset = 0x0, sigsetsize = 0x8) = 0x0
[=] brk(inp = 0x0) = 0xef000
[=] brk(inp = 0xf0000) = 0xf0000

[-] Hmm, looks like the target binary terminated before we could complete a
handshake with the injected code. You can try the following:

- The target binary crashes because necessary runtime conditions it needs
  are not met. Try to:
  1. Run again with AFL_DEBUG=1 set and check the output of the target
     binary for clues.
  2. Run again with AFL_DEBUG=1 and 'ulimit -c unlimited' and analyze the
     generated core dump.

- Possibly the target requires a huge coverage map and has CTORS.
  Retry with setting AFL_MAP_SIZE=10000000.

Otherwise there is a horrible bug in the fuzzer.
Poke [email protected] for troubleshooting tips.

[-] PROGRAM ABORT : Fork server handshake failed
Location : afl_fsrv_start(), src/afl-forkserver.c:1237
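A trace like the one above is long, and the useful part when the fork server handshake fails is small: which syscalls returned errors, which code segments the loader actually mapped, and what the last calls before the target went away were. The following is an added Python example, not part of the tfg project and not Qiling's or AFL++'s own code, that parses the `[=] name(args) = ret` lines of a Qiling debug trace into that summary. The sample trace embedded in it is constructed for the example in the same shape as the lines above; the addresses in it are made up.

```python
import re
from collections import Counter

# Constructed sample in the shape of the Qiling "[=] name(args) = ret" lines printed
# under AFL_DEBUG=1; values are invented for the example and are not from a real run.
SAMPLE_TRACE = """\
[+] Loaded environment variable AFL_DEBUG with value 1
[=] open(filename = 0x7ff3c308, flags = 0x0, mode = 0x0) = -0x2 (ENOENT)
[=] open(filename = 0x7ff3c2f0, flags = 0x0, mode = 0x0) = 0x3
[=] fstat(fd = 0x3, buf_ptr = 0x7ff3c288) = 0x0
[=] mmap2(addr = 0x90002000, length = 0xdf1c, prot = 0x5, flags = 0x12, fd = 0x3, pgoffset = 0x0) = 0x90002000
[=] mmap2(addr = 0x90018000, length = 0x4d40, prot = 0x3, flags = 0x12, fd = 0x3, pgoffset = 0xe) = 0x90018000
[=] close(fd = 0x3) = 0x0
[=] getpid() = 0x512
[=] brk(inp = 0x0) = 0xef000
[=] brk(inp = 0xf0000) = 0xf0000
[-] PROGRAM ABORT : Fork server handshake failed
"""

# One syscall line: "[=] name(arg = 0x.., ...) = 0x.. (ERRNO)"; the errno part is optional.
SYSCALL_RE = re.compile(
    r"^\[=\]\s+(?P<name>\w+)\((?P<args>.*)\)\s+=\s+(?P<ret>-?0x[0-9a-fA-F]+)"
    r"(?:\s+\((?P<errno>\w+)\))?\s*$"
)
ARG_RE = re.compile(r"(\w+)\s*=\s*(-?0x[0-9a-fA-F]+)")

PROT_EXEC = 0x4        # PROT_EXEC bit of the mmap2 prot argument
FD_NONE = 0xffffffff   # fd = -1 as printed by the trace (anonymous mapping)


def parse_trace(text):
    """Turn the [=] lines into dicts; AFL banner lines and the abort message are skipped."""
    calls = []
    for line in text.splitlines():
        m = SYSCALL_RE.match(line)
        if not m:
            continue
        args = {k: int(v, 16) for k, v in ARG_RE.findall(m.group("args"))}
        calls.append({
            "name": m.group("name"),
            "args": args,
            "ret": int(m.group("ret"), 16),
            "errno": m.group("errno"),
        })
    return calls


def failed_calls(calls):
    """Syscalls that returned an error (negative return, usually with an errno name)."""
    return [c for c in calls if c["ret"] < 0]


def exec_mappings(calls):
    """(base, length) of every file-backed mmap2 with PROT_EXEC, i.e. the code segments loaded."""
    return [
        (c["ret"], c["args"]["length"])
        for c in calls
        if c["name"] == "mmap2"
        and c["args"].get("prot", 0) & PROT_EXEC
        and c["args"].get("fd", FD_NONE) != FD_NONE
    ]


def last_calls(calls, n=5):
    """Names of the last n syscalls before the trace stopped: where to start reading a handshake failure."""
    return [c["name"] for c in calls[-n:]]


def triage(text):
    """Summary a practitioner wants first when the fork server never completes its handshake."""
    calls = parse_trace(text)
    return {
        "total": len(calls),
        "counts": dict(Counter(c["name"] for c in calls)),
        "failed": [(c["name"], c["errno"]) for c in failed_calls(calls)],
        "exec_mappings": exec_mappings(calls),
        "last": last_calls(calls),
    }


if __name__ == "__main__":
    import sys
    # Pass the saved AFL_DEBUG output as the first argument; otherwise the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TRACE
    for key, value in triage(text).items():
        print(f"{key}: {value}")
```

The ENOENT opens are normally just the dynamic loader probing library search paths before it finds the file, so a failed open only matters when no later open of the same library succeeds. The more telling part is the tail of the trace: if the last calls are the target's own setup (sigaction, brk) and no further activity follows, the target reached its entry point and the problem is on the harness/fork server side rather than in loading.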

[DEV] Netgear UPNPd fuzzing sample

As a real-world example of fuzzing with Qiling, let's fuzz the UPnP daemon extracted from the R7000's firmware, specifically a function that performs some verifications during the firmware upgrade process. The inspiration behind this comes from an article where the author leaves it up to the reader to reproduce the vulnerability with Unicorn (Qiling in our case). Besides that, as a way of comparing different fuzzing approaches, let's also perform fuzzing using the Radamsa mutator, both in Qiling and on HTTP requests.

This is related to #1.

[BUG] UPNPd fuzzing harness does not handle input properly

The function "place_input_callback" is being called with an "input" parameter that has not been properly parsed. As a result, every byte after the first \x00 that delimits the magic string "*#$^" is being read as a null byte. This means that no firmware data is being fuzzed other than the first magic string.

This is the output when using 2A 23 24 5E 00 08 08 08 08 as input. [screenshot]

This is the output when using 2A 23 24 5E 08 08 08 08 08 as input. [screenshot]

This has been reported to the authors of the unicornafl project by creating an issue in their GitHub repository, AFLplusplus/unicornafl#13.

Related to #6
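The truncation described in this issue can be shown without an emulator. The following added Python model is not the project's harness and does not use Qiling's or unicornafl's API: emulated memory is a flat bytearray, the same two inputs from the issue are placed once with a NUL-terminated string copy and once with a raw, length-based copy, and the payload the checked function would see after the magic string is read back. The buffer address, buffer size and the shape of the header check are assumptions made for the model.

```python
# Constructed model of the input-placement bug; not Qiling code and not the project's harness.
MAGIC = b"*#$^"       # magic string checked by the target, taken from the issue
BUF_ADDR = 0x10000    # assumed address of the input buffer in emulated memory
BUF_SIZE = 0x100      # assumed size of that buffer


class FakeMemory:
    """Flat stand-in for emulator memory (constructed for this example, not ql.mem)."""

    def __init__(self, size):
        self.data = bytearray(size)

    def write(self, addr, data):
        self.data[addr:addr + len(data)] = data

    def read(self, addr, n):
        return bytes(self.data[addr:addr + n])


def place_input_cstring(mem, input_bytes):
    """Faulty placement: the input is treated as a C string, so the copy stops at the
    first 0x00 while the reported length still covers the whole input. This is the
    behaviour the issue describes: everything after the NUL reads back as zeros."""
    if len(input_bytes) > BUF_SIZE:
        return None
    mem.write(BUF_ADDR, b"\x00" * BUF_SIZE)        # buffer starts zeroed
    mem.write(BUF_ADDR, input_bytes.split(b"\x00", 1)[0])
    return len(input_bytes)


def place_input_raw(mem, input_bytes):
    """Correct placement: copy exactly len(input_bytes) raw bytes, NULs included, and
    refuse inputs that do not fit so the fuzzer skips them instead of overflowing."""
    if len(input_bytes) > BUF_SIZE:
        return None
    mem.write(BUF_ADDR, b"\x00" * BUF_SIZE)        # clear stale data from the previous run
    mem.write(BUF_ADDR, input_bytes)
    return len(input_bytes)


def check_header(mem, length):
    """Model of the checked function: require the magic string, then return the payload after it."""
    if length < len(MAGIC) or mem.read(BUF_ADDR, len(MAGIC)) != MAGIC:
        return None
    return mem.read(BUF_ADDR + len(MAGIC), length - len(MAGIC))


def run_case(place_input, input_bytes):
    """One fuzz iteration: fresh memory, place the input, run the check, return what it saw."""
    mem = FakeMemory(0x20000)
    length = place_input(mem, input_bytes)
    if length is None:
        return None
    return check_header(mem, length)


# The two inputs from the issue.
INPUT_WITH_NUL = bytes.fromhex("2A23245E0008080808")
INPUT_NO_NUL = bytes.fromhex("2A23245E0808080808")

if __name__ == "__main__":
    for label, data in (("with NUL", INPUT_WITH_NUL), ("without NUL", INPUT_NO_NUL)):
        print(label,
              "cstring:", run_case(place_input_cstring, data).hex(),
              "raw:", run_case(place_input_raw, data).hex())
```

With a real harness the same check is worth doing once before any long campaign: read the buffer back with the emulator's memory API right after the input has been placed and compare it byte for byte with the file AFL++ handed over. If they differ after the first 0x00, the firmware data never reaches the parser and no amount of fuzzing time will find crashes in it.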

[ENH] Ensure every example of the thesis works inside Docker

At the moment, there are some examples that have not been thoroughly tested on the proposed Docker container, such as the Netgear one. There are missing dependencies and hardcoded paths that do not correspond to what is needed inside the container.
