ttdennis / fpicker
fpicker is a Frida-based fuzzing suite supporting various modes (including AFL++ in-process fuzzing)
License: MIT License
I'm getting this error while cross compiling fpicker for Android (x86_64 CPU architecture):
ld: error: unable to find library -lresolv
ld: error: unable to find library -lrt
clang-12: error: linker command failed with exit code 1 (use -v to see invocation)
make: *** [Makefile:11: fpicker-linux] Error 1
I tested with NDK r22 and r23 but I get the same error.
Ensure that you reset prev_loc to zero for every fuzz attempt, as otherwise the first edge ID calculated is always different, resulting in "new paths" being found that are not.
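As an added illustration of the comment above (example code, not fpicker's or AFL++'s own), here is a small model of the AFL-style edge-coverage update a Frida harness performs per basic block, run twice over the same constructed trace with and without resetting prev_loc between runs. The class name, MAP_SIZE and the block IDs are assumptions.

```javascript
// Added example, not fpicker's own code: a model of the AFL-style edge
// coverage update an in-process harness performs for each basic block it
// observes. The shared coverage map (__afl_area_ptr in the real setup) is a
// plain Uint8Array here; MAP_SIZE is an assumed value for illustration.
const MAP_SIZE = 1 << 16;

// Coverage recorder: one instance per fuzz target, holding the prev_loc
// state that AFL keeps in __afl_prev_loc.
class EdgeCoverage {
  constructor() {
    this.map = new Uint8Array(MAP_SIZE);
    this.prevLoc = 0;
  }

  // Must be called at the start of every fuzz attempt. Forgetting this is the
  // bug the comment above describes: prev_loc then carries the last block of
  // the previous run into the first edge of this one.
  resetPrevLoc() {
    this.prevLoc = 0;
  }

  // AFL's classic edge hit: index = cur_loc ^ prev_loc, then prev_loc = cur_loc >> 1.
  hitBlock(curLoc) {
    const idx = (curLoc ^ this.prevLoc) & (MAP_SIZE - 1);
    this.map[idx]++; // Uint8Array wraps at 256, like AFL's byte map
    this.prevLoc = curLoc >>> 1;
    return idx;
  }

  // Record a whole execution trace (a list of block IDs) for one input and
  // return the map indices that were hit, in order.
  runTrace(trace) {
    return trace.map((loc) => this.hitBlock(loc));
  }

  // Set of map indices touched so far: the "virgin bits" view AFL uses to
  // decide whether an input found something new.
  touchedEdges() {
    const edges = new Set();
    for (let i = 0; i < MAP_SIZE; i++) {
      if (this.map[i] !== 0) edges.add(i);
    }
    return edges;
  }
}

// Execute the same trace twice and count edge indices the second run produced
// that the first did not. For a deterministic target this is 0 with a correct
// harness; without the reset, the first edge of run 2 is
// trace[0] ^ (lastBlock >> 1) instead of trace[0] ^ 0, a phantom "new path".
function spuriousEdgesForRepeatedTrace(trace, resetBetweenRuns) {
  const cov = new EdgeCoverage();
  cov.resetPrevLoc();
  const first = new Set(cov.runTrace(trace));
  if (resetBetweenRuns) cov.resetPrevLoc();
  const second = cov.runTrace(trace);
  return second.filter((idx) => !first.has(idx)).length;
}

// Constructed trace: block IDs as a stalker-style instrumentation might
// assign them (random-looking constants, as afl-cc does at compile time).
const SAMPLE_TRACE = [0x4a3f, 0x1b77, 0x7c20, 0x2e91, 0x1b77, 0x5d02];

console.log("with reset, phantom edges:", spuriousEdgesForRepeatedTrace(SAMPLE_TRACE, true));
console.log("without reset, phantom edges:", spuriousEdgesForRepeatedTrace(SAMPLE_TRACE, false));
```

The second run without the reset reports one edge that never exists in the target, which is exactly what AFL++ would count as a new path.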
returnzero@returnzero-virtual-machine:~/Fuzz/fpicker-aflpp-android/fpicker$ make fpicker-linux
cc -fPIC -m64 -ffunction-sections -fdata-sections -Wall -Wno-format -Os -pipe -g3 fpicker.c fp_communication.c fp_standalone_mode.c fp_afl_mode.c -o fpicker -L. -lfrida-core-linux -ldl -lm -lresolv -lrt -Wl,--export-dynamic -Wl,--gc-sections,-z,noexecstack -pthread
In file included from /usr/include/string.h:535,
from frida-core-linux.h:9315,
from fpicker.h:2,
from fp_communication.c:1:
In function ‘strncpy’,
inlined from ‘create_communication_map’ at fp_communication.c:257:5:
/usr/include/x86_64-linux-gnu/bits/string_fortified.h:95:10: warning: ‘__builtin_strncpy’ output truncated before terminating nul copying 12 bytes from a string of the same length [-Wstringop-truncation]
95 | return __builtin___strncpy_chk (__dest, __src, __len,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
96 | __glibc_objsize (__dest));
| ~~~~~~~~~~~~~~~~~~~~~~~~~
/usr/bin/ld: /tmp/cc49uJGR.o:/home/returnzero/Fuzz/fpicker-aflpp-android/fpicker/fpicker.h:245: multiple definition of `verbose'; /tmp/ccBjYP55.o:/home/returnzero/Fuzz/fpicker-aflpp-android/fpicker/fpicker.h:245: first defined here
/usr/bin/ld: /tmp/ccfmi0ID.o:/home/returnzero/Fuzz/fpicker-aflpp-android/fpicker/fpicker.h:245: multiple definition of `verbose'; /tmp/ccBjYP55.o:/home/returnzero/Fuzz/fpicker-aflpp-android/fpicker/fpicker.h:245: first defined here
/usr/bin/ld: /tmp/cc4RMsRp.o:/home/returnzero/Fuzz/fpicker-aflpp-android/fpicker/fpicker.h:245: multiple definition of `verbose'; /tmp/ccBjYP55.o:/home/returnzero/Fuzz/fpicker-aflpp-android/fpicker/fpicker.h:245: first defined here
collect2: error: ld returned 1 exit status
make: *** [Makefile:11: fpicker-linux] Error 1
Hello,
I have built Frida, AFL++ and FPicker on a custom Linux target.
Frida JS injection/tracing seems to work, FPicker in standalone mode works (attach/in-process, shm or send).
I am trying AFL FPicker mode and it appears to fail
[*] Spinning up the fork server...
[!] WARNING: Old fork server model is used by the target, this still works though.
[+] All right - old fork server is up.
[*] Extended forkserver functions received (00000000).
[*] No auto-generated dictionary tokens to reuse.
[*] Attempting dry run with 'id:000000,time:0,execs:0,orig:001.bin'...
[D] DEBUG: calibration stage 1/7
[-] PROGRAM ABORT : No instrumentation detected
Location : perform_dry_run(), src/afl-fuzz-init.c:1238
Quick question; would you know if the AFL++ vs FPicker combo I am running is compatible?
Looking through the AFL++ afl-proxy.c example, it looks like that (assuming NOT USEMMAP) AFL++ expects the proxy to
__afl_area_ptr = shmat(shm_id, 0, 0);
and write the coverage to __afl_area_ptr, and I understand that in FPicker this is done in harness/fuzzer.js. But it doesn't seem to work.
I don't mind trying to figure out how to get it to work, but I figure I ask first what you think about this.
Thanks!
Using the same harness and process in Standalone mode works but AFL++ mode does not.
Do I do something wrong? How can I debug it? Fix it?
[+] Loaded environment variable AFL_DEBUG with value 1
[+] Loaded environment variable AFL_DEBUG with value 1
afl-fuzz++3.13a based on afl by Michal Zalewski and a large online community
[+] afl++ is maintained by Marc "van Hauser" Heuse, Heiko "hexcoder" Eißfeldt, Andrea Fioraldi and Dominik Maier
[+] afl++ is open source, get it at https://github.com/AFLplusplus/AFLplusplus
[+] NOTE: This is v3.x which changes defaults and behaviours - see README.md
[+] No -M/-S set, autoconfiguring for "-S default"
[*] Getting to work...
[+] Using exponential power schedule (FAST)
[+] Enabled testcache with 50 MB
[*] Checking core_pattern...
[*] Checking CPU scaling governor...
[+] You have 4 CPU cores and 11 runnable tasks (utilization: 275%).
[!] WARNING: System under apparent load, performance may be spotty.
[*] Setting up output directories...
[+] Output directory exists but deemed OK to reuse.
[*] Deleting old session data...
[+] Output dir cleanup successful.
[*] Checking CPU core loadout...
[+] Found a free CPU core, try binding to #0.
[*] Scanning 'examples/test-network/in'...
[+] Loaded a total of 2 seeds.
[*] Creating hard links for all input files...
[*] Validating target binary...
[*] Spinning up the fork server...
[-] Hmm, looks like the target binary terminated before we could complete a
handshake with the injected code. You can try the following:
- The target binary crashes because necessary runtime conditions it needs
are not met. Try to:
1. Run again with AFL_DEBUG=1 set and check the output of the target
binary for clues.
2. Run again with AFL_DEBUG=1 and 'ulimit -c unlimited' and analyze the
generated core dump.
- Possibly the target requires a huge coverage map and has CTORS.
Retry with setting AFL_MAP_SIZE=10000000.
Otherwise there is a horrible bug in the fuzzer.
Poke <[email protected]> for troubleshooting tips.
[-] PROGRAM ABORT : Fork server handshake failed
Location : afl_fsrv_start(), src/afl-forkserver.c:1029
Here in standalone mode
__ _ _
/ _| (_) | |
| |_ _ __ _ ___| | _____ _ __
| _| '_ \| |/ __| |/ / _ \ '__|
| | | |_) | | (__| < __/ |
|_| | .__/|_|\___|_|\_\___|_|
| |
|_| Frida-Based Fuzzing Suite
- - - - - - - - - - - - - - - - - - - - - - -
Running fpicker using the following configuration:
- fuzzer-mode: FUZZER_MODE_STANDALONE_ACTIVE
- coverage_mode: COVERAGE_MODE_STALKER_SUMMARY
- standalone_mutator: STANDALONE_MUTATOR_NULL
- communication_mode: COMMUNICATION_MODE_SEND
- input_mode: INPUT_MODE_IN_PROCESS
- exec_mode: EXEC_MODE_ATTACH
- device_type: DEVICE_REMOTE
- process_name: stagefright
- command: (null)
- fuzzer_timeout: 500
- fuzzer_sleep: 100
- verbose: false
- agent_script: fuzzer-agent.js
- corpus_dir: examples/test/in/
- out_dir: examples/test/out/
- metrics: enabled
[*] Found 3 Frida devices.
[*] Found desired Frida device: Local Socket(1)
[*] Trying to attach to process stagefright
[*] Found process stagefright with PID 26487
[*] Attached to process stagefright on frida device Local Socket
[*] Agent script created
[*] Agent script loaded
[*] Slept a bit to give the agent script some time.
[*] MODULE=/data/local/tmp/stagefright, start=0x5b822941a000, end=0x5b822942f000
[*] Harness preparation done
[*] Fuzzer is ready.
[*] Getting corpus coverage (0)
What could be the problem with a segmentation fault at the target process search stage? Frida can attach to this process in the emulator without faults (frida_device_enumerate_processes_sync() returns NULL).
Hi, I tested this on Ubuntu 18.04, but got the following error message:
$ afl-fuzz -i examples/test/in -o ./examples/test/out -- ./fpicker --fuzzer-mode afl -e attach -p test -f ./examples/test/harness.js
afl-fuzz++3.12a based on afl by Michal Zalewski and a large online community
[+] afl++ is maintained by Marc "van Hauser" Heuse, Heiko "hexcoder" Eißfeldt, Andrea Fioraldi and Dominik Maier
[+] afl++ is open source, get it at https://github.com/AFLplusplus/AFLplusplus
[+] NOTE: This is v3.x which changes defaults and behaviours - see README.md
[+] No -M/-S set, autoconfiguring for "-S default"
[*] Getting to work...
[+] Using exponential power schedule (FAST)
[+] Enabled testcache with 50 MB
[*] Checking core_pattern...
[!] WARNING: Could not check CPU scaling governor
[+] You have 4 CPU cores and 3 runnable tasks (utilization: 75%).
[+] Try parallel jobs - see /usr/local/share/doc/afl/parallel_fuzzing.md.
[*] Setting up output directories...
[+] Output directory exists but deemed OK to reuse.
[*] Deleting old session data...
[+] Output dir cleanup successful.
[*] Checking CPU core loadout...
[+] Found a free CPU core, try binding to #0.
[*] Scanning 'examples/test/in'...
[+] Loaded a total of 2 seeds.
[*] Creating hard links for all input files...
[*] Validating target binary...
[*] Spinning up the fork server...
[-] Hmm, looks like the target binary terminated before we could complete a
handshake with the injected code.
Most likely the target has a huge coverage map, retry with setting the
environment variable AFL_MAP_SIZE=8000000
Otherwise there is a horrible bug in the fuzzer.
Poke <[email protected]> for troubleshooting tips.
[-] PROGRAM ABORT : Fork server handshake failed
Location : afl_fsrv_start(), src/afl-forkserver.c:972
These are my commands:
➜ test git:(main) ✗ AFL_DEBUG=1 afl-fuzz -i ./in -o ./out -m none -- ../../fpicker -m afl -u shm -e attach -p test -f harness.js -v
[+] Enabled environment variable AFL_DEBUG with value 1
[+] Enabled environment variable AFL_DEBUG with value 1
afl-fuzz++4.09a based on afl by Michal Zalewski and a large online community
[+] AFL++ is maintained by Marc "van Hauser" Heuse, Dominik Maier, Andrea Fioraldi and Heiko "hexcoder" Eißfeldt
[+] AFL++ is open source, get it at https://github.com/AFLplusplus/AFLplusplus
[+] NOTE: AFL++ >= v3 has changed defaults and behaviours - see README.md
[+] No -M/-S set, autoconfiguring for "-S default"
[*] Getting to work...
[+] Using exponential power schedule (FAST)
[+] Enabled testcache with 50 MB
[+] Generating fuzz data with a length of min=1 max=1048576
[*] Checking CPU scaling governor...
[+] You have 12 CPU cores and 3 runnable tasks (utilization: 25%).
[+] Try parallel jobs - see /usr/local/share/doc/afl/fuzzing_in_depth.md#c-using-multiple-cores
[*] Setting up output directories...
[+] Output directory exists but deemed OK to reuse.
[*] Deleting old session data...
[+] Output dir cleanup successful.
[*] Scanning './in'...
[+] Loaded a total of 6 seeds.
[*] Creating hard links for all input files...
[*] Validating target binary...
[*] Spinning up the fork server...
[+] All right - fork server is up.
[*] Extended forkserver functions received (00000000).
[*] No auto-generated dictionary tokens to reuse.
[*] Attempting dry run with 'id:000000,time:0,execs:0,orig:0'...
1
4
[D] DEBUG: calibration stage 1/7
5
6
7
8
7
AAAAA
../../fpicker
[-] Oops, the program crashed with one of the test cases provided. There are
several possible explanations:
- The test case causes known crashes under normal working conditions. If
so, please remove it. The fuzzer should be seeded with interesting
inputs - but not ones that cause an outright crash.
- In QEMU persistent mode the selected address(es) for the loop are not
properly cleaning up variables and memory. Try adding
AFL_QEMU_PERSISTENT_GPR=1 or select better addresses in the binary.
- On MacOS X, the semantics of fork() syscalls are non-standard and may
break afl-fuzz performance optimizations when running platform-specific
targets. To fix this, set AFL_NO_FORKSRV=1 in the environment.
- Least likely, there is a horrible bug in the fuzzer. If other options
fail, poke the Awesome Fuzzing Discord for troubleshooting tips.
[!] WARNING: Test case 'id:000000,time:0,execs:0,orig:0' results in a crash, skipping
and the syslogs are:
17:19:15.804460+0800 fpicker [JS]: [*] afl_area_ptr: 0x0
17:19:15.804554+0800 fpicker [JS]: [*] commap: 0x103f79000
17:19:15.804807+0800 fpicker [JS]: [*] commap_id: /fp_comm_shm_10492_1804289383
17:19:15.805056+0800 fpicker [JS]: [*] base: 0x1027ab000
17:19:15.805157+0800 fpicker [JS]: [*] iteration_sem: 0x4
17:19:15.805352+0800 fpicker [JS]: [*] exec_sem: 0x4
17:19:15.805589+0800 fpicker [JS]: [*] Not excluding test from stalker
17:19:15.805721+0800 fpicker [JS]: [*] Setting up interceptor
17:19:15.806433+0800 fpicker [JS]: {"type":"send","payload":{"type":"_fpicker_ready","data":[{"name":"test","base":"0x1027ab000","size":16384,"path":"/Users/wujiesong3/Desktop/fpicker_test/fpicker/examples/test/test","id":0,"end":"0x1027af000"},{"name":"libSystem.B.dylib","base":"0x7ff811cf7000","size":8192,"path":"/usr/lib/libSystem.B.dylib","id":1,"end":"0x7ff811cf9000"},{"name":"libcache.dylib","base":"0x7ff811cf1000","size":24568,"path":"/usr/lib/system/libcache.dylib","id":2,"end":"0x7ff811cf6ff8"},{"name":"libcommonCrypto.dylib","base":"0x7ff811ca8000","size":49144,"path":"/usr/lib/system/libcommonCrypto.dylib","id":3,"end":"0x7ff811cb3ff8"},{"name":"libcompiler_rt.dylib","base":"0x7ff811cd5000","size":32768,"path":"/usr/lib/system/libcompiler_rt.dylib","id":4,"end":"0x7ff811cdd000"},{"name":"libcopyfile.dylib","base":"0x7ff811cc7000","size":57344,"path":"/usr/lib/system/libcopyfile.dylib","id":5,"end":"0x7ff811cd5000"},{"name":"libcorecrypto.dylib","base":"0x7ff805c26000","size":618448,"path":"/usr/lib/system/libcorecrypto.dyli<…>
17:19:15.806474+0800 fpicker [*] MODULE=/Users/wujiesong3/Desktop/fpicker_test/fpicker/examples/test/test, start=0x1027ab000, end=0x1027af000
17:19:15.806587+0800 fpicker [JS]: [1] before sem_wait in wait_for_exec (1694078355805)
17:19:15.809526+0800 fpicker [*] Harness preparation done
17:19:15.809650+0800 fpicker [*] Everything ready, starting to fuzz!
17:19:15.827044+0800 fpicker [2] PRE SEM_POST in fuzz_iteration_in_process_shm: 1694078355827
17:19:15.827088+0800 fpicker [*] POST SEM_POST in fuzz_iteration_in_process_shm: 1694078355827
17:19:15.827105+0800 fpicker [*] PRE SEM_WAIT in fuzz_iteration_in_process_shm: 1694078355827
17:19:15.827117+0800 fpicker [*] 1
17:19:15.827572+0800 fpicker [JS]: [3] after sem_wait in wait_for_exec (1694078355827). This took 22 ms
17:19:15.827688+0800 fpicker [JS]: 0x103f79020 5
17:19:15.827816+0800 fpicker [JS]: [*] Interceptor ENTER (1694078355827)
17:19:15.829277+0800 fpicker [JS]: {"type":"send","payload":{"type":"crash","msg":{"message":"access violation accessing 0xd8cd","type":"access-violation","address":"0x103f721b5","memory":{"operation":"read","address":"0xd8cd"},"context":{"pc":"0x103f721b5","sp":"0x700009691ef0","rax":"0xd8cd","rcx":"0xd8cd","rdx":"0x0","rbx":"0x10407c000","rsp":"0x700009691ef0","rbp":"0x700009691f20","rsi":"0x103f101f0","rdi":"0x700009692258","r8":"0x0","r9":"0x103eb66e0","r10":"0x0","r11":"0x1027aecd0","r12":"0x7000096925a0","r13":"0x1","r14":"0x2","r15":"0x0","rip":"0x103f721b5"},"nativeContext":"0x0","fileName":"test-fuzzer.js","lineNumber":38}}}
17:19:15.829315+0800 fpicker [->] CRASH type received
17:19:15.829338+0800 fpicker [->] message: {"type":"send","payload":{"type":"crash","msg":{"message":"access violation accessing 0xd8cd","type":"access-violation","address":"0x103f721b5","memory":{"operation":"read","address":"0xd8cd"},"context":{"pc":"0x103f721b5","sp":"0x700009691ef0","rax":"0xd8cd","rcx":"0xd8cd","rdx":"0x0","rbx":"0x10407c000","rsp":"0x700009691ef0","rbp":"0x700009691f20","rsi":"0x103f101f0","rdi":"0x700009692258","r8":"0x0","r9":"0x103eb66e0","r10":"0x0","r11":"0x1027aecd0","r12":"0x7000096925a0","r13":"0x1","r14":"0x2","r15":"0x0","rip":"0x103f721b5"},"nativeContext":"0x0","fileName":"test-fuzzer.js","lineNumber":38}}}
17:19:15.829353+0800 fpicker [*] SEM_POST in _signal_exec_finished_with_ret_status 1694078355829
17:19:15.829380+0800 fpicker [*] 2
I can't figure out where the mistakes lie. I just use the example in the repo and do as the README teaches.
This has confused me for three days at work.
I have succeeded on macOS; what should I do to fuzz on an iOS device?
Should I rewrite the test-fuzzer.js?
Where should I put fpicker, afl-fuzz and harness.js?
Somehow when I run the fuzzer with one file in seed (input directory) with this size
-rw-r--r-- 1 root root 1267 Apr 28 13:42 small_movie.mp4
It works rather smoothly:
__ _ _
/ _| (_) | |
| |_ _ __ _ ___| | _____ _ __
| _| '_ \| |/ __| |/ / _ \ '__|
| | | |_) | | (__| < __/ |
|_| | .__/|_|\___|_|\_\___|_|
| |
|_| Frida-Based Fuzzing Suite
- - - - - - - - - - - - - - - - - - - - - - -
Running fpicker using the following configuration:
- fuzzer-mode: FUZZER_MODE_STANDALONE_ACTIVE
- coverage_mode: COVERAGE_MODE_STALKER_SUMMARY
- standalone_mutator: STANDALONE_MUTATOR_NULL
- communication_mode: COMMUNICATION_MODE_SEND
- input_mode: INPUT_MODE_IN_PROCESS
- exec_mode: EXEC_MODE_ATTACH
- device_type: DEVICE_REMOTE
- process_name: stagefright
- command: (null)
- fuzzer_timeout: 500
- fuzzer_sleep: 100
- verbose: false
- agent_script: fuzzer-agent.js
- corpus_dir: examples/test/in/
- out_dir: examples/test/out/
- metrics: enabled
[*] Found 3 Frida devices.
[*] Found desired Frida device: Local Socket(1)
[*] Trying to attach to process stagefright
[!] Unable to find stagefright PID, retrying.
[!] Unable to find stagefright PID, retrying.
[*] Found process stagefright with PID 6721
[*] Attached to process stagefright on frida device Local Socket
[*] Agent script created
[*] Agent script loaded
[*] Slept a bit to give the agent script some time.
[*] MODULE=/data/local/tmp/stagefright, start=0x5dd6381f8000, end=0x5dd638228000
[*] Harness preparation done
[*] Fuzzer is ready.
[*] Getting corpus coverage (small_movie.mp4)
[!] fuzz_iteration_in_process_send exec_finished timeout
[!] Error getting coverage for payload small_movie.mp4 (probably due to crash)
[*] Using 1 input files covering a total of 0 basic blocks
[!] fuzz_iteration_in_process_send exec_finished timeout
[!] Error getting coverage for mutated corpus small_movie.mp4
[t=1619610172] [BBs=0] [seed=0] [fc=1] [fcps=1] [cur_loop=81031] [mut_avg=2] [cov_avg=158824] [corpus=1]
[!] New coverage found, nice!
[*] Added new file small_movie.mp4 to corpus
[t=1619610172] [BBs=1567] [seed=1] [fc=3] [fcps=3] [cur_loop=108254] [mut_avg=2] [cov_avg=86993] [corpus=2]
[t=1619610172] [BBs=1567] [seed=2] [fc=5] [fcps=5] [cur_loop=143084] [mut_avg=2] [cov_avg=79711] [corpus=2]
[t=1619610173] [BBs=1567] [seed=3] [fc=7] [fcps=7] [cur_loop=133520] [mut_avg=2] [cov_avg=68858] [corpus=2]
[t=1619610173] [BBs=1567] [seed=4] [fc=9] [fcps=9] [cur_loop=140593] [mut_avg=2] [cov_avg=68610] [corpus=2]
[t=1619610173] [BBs=1567] [seed=5] [fc=11] [fcps=11] [cur_loop=122006] [mut_avg=2] [cov_avg=59444] [corpus=2]
[t=1619610173] [BBs=1567] [seed=6] [fc=13] [fcps=13] [cur_loop=134830] [mut_avg=3] [cov_avg=60178] [corpus=2]
[t=1619610173] [BBs=1567] [seed=7] [fc=15] [fcps=15] [cur_loop=134421] [mut_avg=2] [cov_avg=60759] [corpus=2]
[t=1619610173] [BBs=1567] [seed=8] [fc=17] [fcps=17] [cur_loop=121575] [mut_avg=2] [cov_avg=57927] [corpus=2]
[t=1619610173] [BBs=1567] [seed=9] [fc=19] [fcps=19] [cur_loop=127596] [mut_avg=2] [cov_avg=58070] [corpus=2]
[t=1619610173] [BBs=1567] [seed=10] [fc=21] [fcps=21] [cur_loop=137293] [mut_avg=2] [cov_avg=58728] [corpus=2]
[t=1619610174] [BBs=1567] [seed=11] [fc=23] [fcps=23] [cur_loop=134883] [mut_avg=2] [cov_avg=57410] [corpus=2]
[t=1619610174] [BBs=1567] [seed=12] [fc=25] [fcps=25] [cur_loop=142315] [mut_avg=2] [cov_avg=58299] [corpus=2]
[t=1619610174] [BBs=1567] [seed=13] [fc=27] [fcps=27] [cur_loop=121059] [mut_avg=2] [cov_avg=58060] [corpus=2]
[t=1619610174] [BBs=1567] [seed=14] [fc=29] [fcps=29] [cur_loop=130966] [mut_avg=2] [cov_avg=58199] [corpus=2]
[t=1619610174] [BBs=1567] [seed=15] [fc=31] [fcps=15] [cur_loop=109512] [mut_avg=2] [cov_avg=57834] [corpus=2]
[t=1619610174] [BBs=1567] [seed=16] [fc=33] [fcps=16] [cur_loop=136583] [mut_avg=2] [cov_avg=58313] [corpus=2]
[t=1619610174] [BBs=1567] [seed=17] [fc=35] [fcps=17] [cur_loop=125231] [mut_avg=2] [cov_avg=58416] [corpus=2]
[t=1619610174] [BBs=1567] [seed=18] [fc=37] [fcps=18] [cur_loop=121583] [mut_avg=2] [cov_avg=58386] [corpus=2]
[t=1619610175] [BBs=1567] [seed=19] [fc=39] [fcps=19] [cur_loop=131471] [mut_avg=3] [cov_avg=57334] [corpus=2]
[t=1619610175] [BBs=1567] [seed=20] [fc=41] [fcps=20] [cur_loop=125470] [mut_avg=3] [cov_avg=57349] [corpus=2]
[t=1619610175] [BBs=1567] [seed=21] [fc=43] [fcps=21] [cur_loop=133559] [mut_avg=3] [cov_avg=57482] [corpus=2]
[t=1619610175] [BBs=1567] [seed=22] [fc=45] [fcps=22] [cur_loop=116070] [mut_avg=2] [cov_avg=57400] [corpus=2]
[t=1619610175] [BBs=1567] [seed=23] [fc=47] [fcps=15] [cur_loop=134269] [mut_avg=2] [cov_avg=57699] [corpus=2]
[t=1619610175] [BBs=1567] [seed=24] [fc=49] [fcps=16] [cur_loop=140688] [mut_avg=2] [cov_avg=57972] [corpus=2]
[t=1619610175] [BBs=1567] [seed=25] [fc=51] [fcps=17] [cur_loop=125048] [mut_avg=2] [cov_avg=57277] [corpus=2]
[t=1619610175] [BBs=1567] [seed=26] [fc=53] [fcps=17] [cur_loop=107827] [mut_avg=2] [cov_avg=57008] [corpus=2]
[t=1619610176] [BBs=1567] [seed=27] [fc=55] [fcps=18] [cur_loop=129959] [mut_avg=2] [cov_avg=57212] [corpus=2]
With more files or a bigger file, it fuzzes (I see it in the process output) but I get these:
__ _ _
/ _| (_) | |
| |_ _ __ _ ___| | _____ _ __
| _| '_ \| |/ __| |/ / _ \ '__|
| | | |_) | | (__| < __/ |
|_| | .__/|_|\___|_|\_\___|_|
| |
|_| Frida-Based Fuzzing Suite
- - - - - - - - - - - - - - - - - - - - - - -
Running fpicker using the following configuration:
- fuzzer-mode: FUZZER_MODE_STANDALONE_ACTIVE
- coverage_mode: COVERAGE_MODE_STALKER_SUMMARY
- standalone_mutator: STANDALONE_MUTATOR_NULL
- communication_mode: COMMUNICATION_MODE_SEND
- input_mode: INPUT_MODE_IN_PROCESS
- exec_mode: EXEC_MODE_ATTACH
- device_type: DEVICE_REMOTE
- process_name: stagefright
- command: (null)
- fuzzer_timeout: 500
- fuzzer_sleep: 100
- verbose: false
- agent_script: fuzzer-agent.js
- corpus_dir: examples/test/in/
- out_dir: examples/test/out/
- metrics: enabled
[*] Found 3 Frida devices.
[*] Found desired Frida device: Local Socket(1)
[*] Trying to attach to process stagefright
[*] Found process stagefright with PID 6721
[*] Attached to process stagefright on frida device Local Socket
[*] Agent script created
[*] Agent script loaded
[*] Slept a bit to give the agent script some time.
[*] MODULE=/data/local/tmp/stagefright, start=0x5dd6381f8000, end=0x5dd638228000
[*] Harness preparation done
[*] Fuzzer is ready.
[*] Getting corpus coverage (hevc-crash-poc.mp4)
[->] error: {"type":"error","description":"SyntaxError: unexpected end of string","stack":"SyntaxError: unexpected end of string\n at <input>:1\n at parse (native)\n at c (frida/runtime/message-dispatcher.js:6)","fileName":"frida/runtime/message-dispatcher.js","lineNumber":6,"columnNumber":1}
[!] Error getting coverage for payload hevc-crash-poc.mp4 (probably due to crash)
[*] Getting corpus coverage (small_movie.mp4)
[->] error_send_message: {"type":"send","payload":["frida:rpc",2,"error","access violation accessing 0x0","Error","Error: access violation accessing 0x0\n at fuzz (test-fuzzer.js:38)\n at fuzzInternal (../../harness/fuzzer.js:273)\n at fuzz (../../harness/fuzzer.js:103)\n at apply (native)\n at <anonymous> (frida/runtime/message-dispatcher.js:13)\n at c (frida/runtime/message-dispatcher.js:23)",{"message":"access violation accessing 0x0","type":"access-violation","address":"0x0","memory":{"operation":"execute","address":"0x0"},"context":{"pc":"0x0","sp":"0x7baf5aafc780","rax":"0x7baf4514b4de","rcx":"0x0","rdx":"0x2","rbx":"0x7bafdf5c12c8","rsp":"0x7baf5aafc780","rbp":"0x0","rsi":"0x1","rdi":"0x0","r8":"0x7baf1a067a10","r9":"0x0","r10":"0x18b813780000000","r11":"0x246","r12":"0x7bafdf7253a0","r13":"0x1","r14":"0x7baf5aafca90","r15":"0x2","rip":"0x0"},"nativeContext":"0x0","fileName":"test-fuzzer.js","lineNumber":38}]}
[!] Error getting coverage for payload small_movie.mp4 (probably due to crash)
[*] Using 2 input files covering a total of 0 basic blocks
[->] error: {"type":"error","description":"SyntaxError: unexpected end of string","stack":"SyntaxError: unexpected end of string\n at <input>:1\n at parse (native)\n at c (frida/runtime/message-dispatcher.js:6)","fileName":"frida/runtime/message-dispatcher.js","lineNumber":6,"columnNumber":1}
[!] Error getting coverage for mutated corpus hevc-crash-poc.mp4
[!] fuzz_iteration_in_process_send exec_finished timeout
[!] Error getting coverage for mutated corpus small_movie.mp4
[t=1619610851] [BBs=0] [seed=0] [fc=2] [fcps=2] [cur_loop=125670] [mut_avg=5] [cov_avg=103289] [corpus=2]
[->] error: {"type":"error","description":"SyntaxError: unexpected end of string","stack":"SyntaxError: unexpected end of string\n at <input>:1\n at parse (native)\n at c (frida/runtime/message-dispatcher.js:6)","fileName":"frida/runtime/message-dispatcher.js","lineNumber":6,"columnNumber":1}
[!] Error getting coverage for mutated corpus hevc-crash-poc.mp4
[!] fuzz_iteration_in_process_send exec_finished timeout
[!] Error getting coverage for mutated corpus small_movie.mp4
[t=1619610851] [BBs=0] [seed=1] [fc=4] [fcps=4] [cur_loop=129653] [mut_avg=4] [cov_avg=82736] [corpus=2]
[->] error: {"type":"error","description":"SyntaxError: unexpected end of string","stack":"SyntaxError: unexpected end of string\n at <input>:1\n at parse (native)\n at c (frida/runtime/message-dispatcher.js:6)","fileName":"frida/runtime/message-dispatcher.js","lineNumber":6,"columnNumber":1}
[!] Error getting coverage for mutated corpus hevc-crash-poc.mp4
[!] fuzz_iteration_in_process_send exec_finished timeout
[!] Error getting coverage for mutated corpus small_movie.mp4
[t=1619610851] [BBs=0] [seed=2] [fc=6] [fcps=6] [cur_loop=135099] [mut_avg=3] [cov_avg=75664] [corpus=2]
[->] error: {"type":"error","description":"SyntaxError: unexpected end of string","stack":"SyntaxError: unexpected end of string\n at <input>:1\n at parse (native)\n at c (frida/runtime/message-dispatcher.js:6)","fileName":"frida/runtime/message-dispatcher.js","lineNumber":6,"columnNumber":1}
[!] Error getting coverage for mutated corpus hevc-crash-poc.mp4
[!] fuzz_iteration_in_process_send exec_finished timeout
[!] Error getting coverage for mutated corpus small_movie.mp4
[t=1619610851] [BBs=0] [seed=3] [fc=8] [fcps=8] [cur_loop=135543] [mut_avg=3] [cov_avg=72405] [corpus=2]
[->] error: {"type":"error","description":"SyntaxError: unexpected end of string","stack":"SyntaxError: unexpected end of string\n at <input>:1\n at parse (native)\n at c (frida/runtime/message-dispatcher.js:6)","fileName":"frida/runtime/message-dispatcher.js","lineNumber":6,"columnNumber":1}
[!] Error getting coverage for mutated corpus hevc-crash-poc.mp4
[!] fuzz_iteration_in_process_send exec_finished timeout
[!] Error getting coverage for mutated corpus small_movie.mp4
[t=1619610851] [BBs=0] [seed=4] [fc=10] [fcps=10] [cur_loop=136007] [mut_avg=4] [cov_avg=70405] [corpus=2]
[->] error: {"type":"error","description":"SyntaxError: unexpected end of string","stack":"SyntaxError: unexpected end of string\n at <input>:1\n at parse (native)\n at c (frida/runtime/message-dispatcher.js:6)","fileName":"frida/runtime/message-dispatcher.js","lineNumber":6,"columnNumber":1}
[!] Error getting coverage for mutated corpus hevc-crash-poc.mp4
[!] fuzz_iteration_in_process_send exec_finished timeout
[!] Error getting coverage for mutated corpus small_movie.mp4
[t=1619610852] [BBs=0] [seed=5] [fc=12] [fcps=12] [cur_loop=131615] [mut_avg=4] [cov_avg=68903] [corpus=2]
[->] error: {"type":"error","description":"SyntaxError: unexpected end of string","stack":"SyntaxError: unexpected end of string\n at <input>:1\n at parse (native)\n at c (frida/runtime/message-dispatcher.js:6)","fileName":"frida/runtime/message-dispatcher.js","lineNumber":6,"columnNumber":1}
[!] Error getting coverage for mutated corpus hevc-crash-poc.mp4
[!] fuzz_iteration_in_process_send exec_finished timeout
[!] Error getting coverage for mutated corpus small_movie.mp4
[t=1619610852] [BBs=0] [seed=6] [fc=14] [fcps=14] [cur_loop=135562] [mut_avg=3] [cov_avg=68022] [corpus=2]
Any ideas how to debug/fix it?
Thanks,
What is the best practice to resume fuzzing?
Thanks,
✘ u@MBP ~/Code/fpicker <main ±> $ ./fpicker --fuzzer-mode active -e attach -p test -o examples/test/out/ -i examples/test/in/ -f examples/test/test-fuzzer.js
__ _ _
/ _| (_) | |
| |_ _ __ _ ___| | _____ _ __
| _| '_ \| |/ __| |/ / _ \ '__|
| | | |_) | | (__| < __/ |
|_| | .__/|_|\___|_|\_\___|_|
| |
|_| Frida-Based Fuzzing Suite
- - - - - - - - - - - - - - - - - - - - - - -
Running fpicker using the following configuration:
- fuzzer-mode: FUZZER_MODE_STANDALONE_ACTIVE
- coverage_mode: COVERAGE_MODE_STALKER_SUMMARY
- standalone_mutator: STANDALONE_MUTATOR_NULL
- communication_mode: COMMUNICATION_MODE_SEND
- input_mode: INPUT_MODE_IN_PROCESS
- exec_mode: EXEC_MODE_ATTACH
- device_type: DEVICE_LOCAL
- process_name: test
- command: (null)
- fuzzer_timeout: 500
- fuzzer_sleep: 100
- verbose: false
- agent_script: examples/test/test-fuzzer.js
- corpus_dir: examples/test/in/
- out_dir: examples/test/out/
- metrics: enabled
[*] Found 2 Frida devices.
[*] Found desired Frida device: Local System(0)
[*] Trying to attach to process test
[*] Found process test with PID 33317
[*] Attached to process test on frida device Local System
[!] Unable to create agent script: Script(line 1): SyntaxError: expecting '('
[!] Error injecting Frida agent script
The code seems to be a bit old and there are issues with the JavaScript engine.
Also, in order to be able to execute that script I added
import { createRequire } from 'module';
const require = createRequire(import.meta.url);
before
// Import the fuzzer base class
const Fuzzer = require("../../harness/fuzzer.js");
My current directory structure is:
syc@ubuntu:~/Downloads/fpicker-main$ tree ./
./
├── aflpp-ios.patch
├── assets
│ └── fpicker_logo.png
├── examples
│ ├── protocol_example
│ │ ├── in
│ │ │ └── 1
│ │ ├── protocol_example.c
│ │ ├── README.md
│ │ ├── test-fuzzer.js
│ │ └── wisec21_tutorial_frida_fuzzing.pdf
│ ├── test
│ │ ├── in
│ │ │ ├── 0
│ │ │ └── 1
│ │ ├── Makefile
│ │ ├── test.c
│ │ └── test-fuzzer.js
│ └── test-network
│ ├── in
│ │ ├── 0
│ │ └── 1
│ ├── Makefile
│ ├── test-network.c
│ └── test-network-fuzzer.js
├── fp_afl_mode.c
├── fp_communication.c
├── fpicker.c
├── fpicker.h
├── fp_standalone_mode.c
├── frida-core-linux.h
├── harness
│ ├── darwin-shm.js
│ ├── fuzzer.js
│ └── stalker-instrumentation.js
├── libfrida-core-linux.a
├── LICENSE
├── Makefile
└── README.md
A compile error occurs, indicating that there is no frida-core.h
syc@ubuntu:~/Downloads/fpicker-main$ make fpicker-linux
cc -fPIC -m64 -ffunction-sections -fdata-sections -Wall -Wno-format -Os -pipe -g3 fpicker.c fp_communication.c fp_standalone_mode.c fp_afl_mode.c -o fpicker -L. -lfrida-core-linux -ldl -lm -lresolv -lrt -Wl,--export-dynamic -Wl,--gc-sections,-z,noexecstack -pthread
fpicker.c:2:10: fatal error: frida-core.h: No such file or directory
2 | #include "frida-core.h"
| ^~~~~~~~~~~~~~
compilation terminated.
In file included from /usr/include/string.h:495,
from frida-core-linux.h:22131,
from fpicker.h:2,
from fp_communication.c:1:
In function ‘strncpy’,
inlined from ‘create_communication_map’ at fp_communication.c:257:5:
/usr/include/x86_64-linux-gnu/bits/string_fortified.h:106:10: warning: ‘__builtin_strncpy’ output truncated before terminating nul copying 12 bytes from a string of the same length [-Wstringop-truncation]
106 | return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
make: *** [Makefile:11: fpicker-linux] Error 1
I can compile it successfully if I re-patch it (frida-core-devkit-15.2.2-linux-x86_64)
./
├── aflpp-ios.patch
├── assets
│ └── fpicker_logo.png
├── examples
│ ├── protocol_example
│ │ ├── in
│ │ │ └── 1
│ │ ├── protocol_example.c
│ │ ├── README.md
│ │ ├── test-fuzzer.js
│ │ └── wisec21_tutorial_frida_fuzzing.pdf
│ ├── test
│ │ ├── in
│ │ │ ├── 0
│ │ │ └── 1
│ │ ├── Makefile
│ │ ├── test.c
│ │ └── test-fuzzer.js
│ └── test-network
│ ├── in
│ │ ├── 0
│ │ └── 1
│ ├── Makefile
│ ├── test-network.c
│ └── test-network-fuzzer.js
├── fp_afl_mode.c
├── fp_communication.c
├── fpicker.c
├── fpicker.h
├── fp_standalone_mode.c
├── frida-core.h
├── frida-core-linux.h
├── harness
│ ├── darwin-shm.js
│ ├── fuzzer.js
│ └── stalker-instrumentation.js
├── libfrida-core-linux.a
├── LICENSE
├── Makefile
└── README.md
syc@ubuntu:~/Downloads/fpicker-main$ make fpicker-linux
cc -fPIC -m64 -ffunction-sections -fdata-sections -Wall -Wno-format -Os -pipe -g3 fpicker.c fp_communication.c fp_standalone_mode.c fp_afl_mode.c -o fpicker -L. -lfrida-core-linux -ldl -lm -lresolv -lrt -Wl,--export-dynamic -Wl,--gc-sections,-z,noexecstack -pthread
In file included from /usr/include/string.h:495,
from frida-core-linux.h:22131,
from fpicker.h:2,
from fp_communication.c:1:
In function ‘strncpy’,
inlined from ‘create_communication_map’ at fp_communication.c:257:5:
/usr/include/x86_64-linux-gnu/bits/string_fortified.h:106:10: warning: ‘__builtin_strncpy’ output truncated before terminating nul copying 12 bytes from a string of the same length [-Wstringop-truncation]
106 | return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Is this right?
Kindly provide clear instructions and commands always.
┌──(kali㉿kali)-[~/AFL++/AFLplusplus/fpicker-main]
└─$ make fpicker-linux
cc -fPIC -m64 -ffunction-sections -fdata-sections -Wall -Wno-format -Os -pipe -g3 fpicker.c fp_communication.c fp_standalone_mode.c fp_afl_mode.c -o fpicker -L. -lfrida-core-linux -ldl -lm -lresolv -lrt -Wl,--export-dynamic -Wl,--gc-sections,-z,noexecstack -pthread
In file included from fpicker.c:1:
fpicker.h:2:14: fatal error: frida-core-linux.h: No such file or directory
2 | #include "frida-core-linux.h"
| ^~~~~~~~~~~~~~~~~~~~
compilation terminated.
In file included from fp_communication.c:1:
fpicker.h:2:14: fatal error: frida-core-linux.h: No such file or directory
2 | #include "frida-core-linux.h"
| ^~~~~~~~~~~~~~~~~~~~
compilation terminated.
In file included from fp_standalone_mode.c:1:
fpicker.h:2:14: fatal error: frida-core-linux.h: No such file or directory
2 | #include "frida-core-linux.h"
| ^~~~~~~~~~~~~~~~~~~~
compilation terminated.
In file included from fp_afl_mode.c:1:
fpicker.h:2:14: fatal error: frida-core-linux.h: No such file or directory
2 | #include "frida-core-linux.h"
| ^~~~~~~~~~~~~~~~~~~~
Hi @ttdennis,
Let me just start by saying thank you for such a cool idea! I'm excited to use this for some fuzzing research I am performing. However, I've been running into an issue when trying to use fpicker to perform instrumentation while fuzzing with AFL++.
I'm trying to fuzz a function within the CoreAudio MacOS library that handles incoming mach messages.
Here's the command I'm running:
sudo afl-fuzz -i in -o out -- ./fpicker -v --fuzzer-mode afl --communication-mode shm -e attach -p coreaudiod -f harness.js
Here's my harness.js file before compiling it with frida-compile:
// Import the fuzzer base class
import { Fuzzer } from "./harness/fuzzer.js";
//const Fuzzer = require("harness/fuzzer.js");

// The custom fuzzer needs to subclass the Fuzzer class to work properly
class TestFuzzer extends Fuzzer {
    constructor() {
        // The constructor needs to specify the address of the targeted function and a NativeFunction
        // object that can later be called by the fuzzer.
        const fuzz_function_addr = Module.enumerateSymbolsSync("CoreAudio").filter(function(o) {return o.name == "HALB_MIGServer_server";})[0].address;
        const fuzz_function = new NativeFunction(
            fuzz_function_addr,
            "int", ["pointer", "pointer"], {
        });
        super("CoreAudio", fuzz_function_addr, fuzz_function);
    }

    prepare() {
    }

    fuzz(payload, length) {
        const outputPointer = Memory.alloc(Process.pointerSize);
        Memory.writePointer(outputPointer, ptr("0x0"));
        this.target_function(payload, outputPointer);
    }
}

const f = new TestFuzzer();
//exports.fuzzer = f;
export const fuzzer = f;
However, fpicker stalls during the first test case, every time. Am I using the tool wrong? Any ideas? Thanks so much:
sudo afl-fuzz -i ../subsystem_messages/CoreAudio/HALB_MIGServer_server -o HALB_MIGServer_server-OUT -- ./fpicker -v --fuzzer-mode afl --communication-mode shm -e attach -p coreaudiod -f harness.js
Password:
afl-fuzz++4.06a based on afl by Michal Zalewski and a large online community
[+] afl++ is maintained by Marc "van Hauser" Heuse, Heiko "hexcoder" Eißfeldt, Andrea Fioraldi and Dominik Maier
[+] afl++ is open source, get it at https://github.com/AFLplusplus/AFLplusplus
[+] NOTE: This is v3.x which changes defaults and behaviours - see README.md
[+] No -M/-S set, autoconfiguring for "-S default"
[*] Getting to work...
[+] Using exponential power schedule (FAST)
[+] Enabled testcache with 50 MB
[+] Generating fuzz data with a length of min=1 max=1048576
[*] Checking CPU scaling governor...
[+] You have 4 CPU cores and 4 runnable tasks (utilization: 100%).
[*] Setting up output directories...
[*] Scanning '../subsystem_messages/CoreAudio/HALB_MIGServer_server'...
[+] Loaded a total of 1235 seeds.
[*] Creating hard links for all input files...
[*] Validating target binary...
[*] Spinning up the fork server...
[+] All right - fork server is up.
[*] No auto-generated dictionary tokens to reuse.
[*] Attempting dry run with 'id:000000,time:0,execs:0,orig:fffd8968a91c12de202b3a81c1b0c0f4'...
[-] Oops, the program crashed with one of the test cases provided. There are
several possible explanations:
- The test case causes known crashes under normal working conditions. If
so, please remove it. The fuzzer should be seeded with interesting
inputs - but not ones that cause an outright crash.
- In QEMU persistent mode the selected address(es) for the loop are not
properly cleaning up variables and memory. Try adding
AFL_QEMU_PERSISTENT_GPR=1 or select better addresses in the binary.
- On MacOS X, the semantics of fork() syscalls are non-standard and may
break afl-fuzz performance optimizations when running platform-specific
targets. To fix this, set AFL_NO_FORKSRV=1 in the environment.
- Least likely, there is a horrible bug in the fuzzer. If other options
fail, poke <[email protected]> for troubleshooting tips.
[!] WARNING: Test case 'id:000000,time:0,execs:0,orig:fffd8968a91c12de202b3a81c1b0c0f4' results in a crash, skipping
[*] Attempting dry run with 'id:000001,time:0,execs:0,orig:fff272ad2955f2359fd438f00d9de95d'...
^Czsh: killed sudo afl-fuzz -i ../subsystem_messages/CoreAudio/HALB_MIGServer_server -o --
I dug into the logs a bit more and saw this output. It seems to be waiting for a semaphore to be released that never is:
log show --predicate 'process == "fpicker"' --last 5m
Filtering the log data using "process == "fpicker""
Skipping info and debug messages, pass --info and/or --debug to include.
Timestamp Thread Type Activity PID TTL
2023-10-09 12:24:56.550043-0700 0xdcbff Default 0x0 35310 0 fpicker: __ _ _
/ _| (_) | |
| |_ _ __ _ ___| | _____ _ __
| _| '_ \| |/ __| |/ / _ \ '__|
| | | |_) | | (__| < __/ |
|_| | .__/|_|\___|_|\_\___|_|
| |
|_| Frida-Based Fuzzing Suite
- - - - - - - - - - - - - - - - - - - - - - -
2023-10-09 12:24:56.552630-0700 0xdcbff Default 0x0 35310 0 fpicker: Running fpicker using the following configuration:
2023-10-09 12:24:56.552634-0700 0xdcbff Default 0x0 35310 0 fpicker: - fuzzer-mode: FUZZER_MODE_AFL
2023-10-09 12:24:56.552636-0700 0xdcbff Default 0x0 35310 0 fpicker: - coverage_mode: COVERAGE_MODE_STALKER_SUMMARY
2023-10-09 12:24:56.552638-0700 0xdcbff Default 0x0 35310 0 fpicker: - standalone_mutator: STANDALONE_MUTATOR_NULL
2023-10-09 12:24:56.552639-0700 0xdcbff Default 0x0 35310 0 fpicker: - communication_mode: COMMUNICATION_MODE_SHM
2023-10-09 12:24:56.552640-0700 0xdcbff Default 0x0 35310 0 fpicker: - input_mode: INPUT_MODE_IN_PROCESS
2023-10-09 12:24:56.552641-0700 0xdcbff Default 0x0 35310 0 fpicker: - exec_mode: EXEC_MODE_ATTACH
2023-10-09 12:24:56.552642-0700 0xdcbff Default 0x0 35310 0 fpicker: - device_type: DEVICE_LOCAL
2023-10-09 12:24:56.552647-0700 0xdcbff Default 0x0 35310 0 fpicker: - process_name: coreaudiod
2023-10-09 12:24:56.552648-0700 0xdcbff Default 0x0 35310 0 fpicker: - command: (null)
2023-10-09 12:24:56.552649-0700 0xdcbff Default 0x0 35310 0 fpicker: - fuzzer_timeout: 500
2023-10-09 12:24:56.552650-0700 0xdcbff Default 0x0 35310 0 fpicker: - fuzzer_sleep: 100
2023-10-09 12:24:56.552652-0700 0xdcbff Default 0x0 35310 0 fpicker: - verbose: true
2023-10-09 12:24:56.552653-0700 0xdcbff Default 0x0 35310 0 fpicker: - agent_script: harness.js
2023-10-09 12:24:56.552655-0700 0xdcbff Default 0x0 35310 0 fpicker: - corpus_dir: (null)
2023-10-09 12:24:56.552656-0700 0xdcbff Default 0x0 35310 0 fpicker: - out_dir: (null)
2023-10-09 12:24:56.552657-0700 0xdcbff Default 0x0 35310 0 fpicker: - metrics: disabled
2023-10-09 12:24:56.552663-0700 0xdcbff Default 0x0 35310 0 fpicker:
2023-10-09 12:24:56.552666-0700 0xdcbff Default 0x0 35310 0 fpicker: [*] SHM_ENV_VAR = /afl_35296_846930886
2023-10-09 12:24:56.575475-0700 0xdcc01 Activity 0x16cd0 35310 0 fpicker: (CoreFoundation) Loading Preferences From System CFPrefsD
2023-10-09 12:24:56.580202-0700 0xdcc01 Activity 0x16cd1 35310 0 fpicker: (TCC) TCCAccessRequest() IPC
2023-10-09 12:24:56.602599-0700 0xdcc01 Default 0x0 35310 0 fpicker: (AppKit) [com.apple.AppKit:Appearance] Current system appearance, (HLTB: 2), (SLS: 1)
2023-10-09 12:24:56.604590-0700 0xdcc01 Default 0x0 35310 0 fpicker: (libMobileGestalt.dylib) No persisted cache on this platform.
2023-10-09 12:24:56.605377-0700 0xdcc01 Default 0x0 35310 0 fpicker: (libMobileGestalt.dylib) Failed to copy the SysCfgDict MG key with error: 0
2023-10-09 12:24:56.752310-0700 0xdcc01 Default 0x0 35310 0 fpicker: (AppKit) [com.apple.AppKit:Appearance] Current system appearance, (HLTB: 2), (SLS: 1)
2023-10-09 12:24:56.753025-0700 0xdcc01 Default 0x0 35310 0 fpicker: (AppKit) [com.apple.AppKit:Appearance] Post-registration system appearance: (HLTB: 2)
2023-10-09 12:24:56.756934-0700 0xdcbff Default 0x0 35310 0 fpicker: [*] Found 2 Frida devices.
2023-10-09 12:24:56.756943-0700 0xdcbff Default 0x0 35310 0 fpicker: [*] Found desired Frida device: Local System(0)
2023-10-09 12:24:56.756965-0700 0xdcbff Default 0x0 35310 0 fpicker: [*] Trying to attach to process with name coreaudiod.
2023-10-09 12:24:56.761833-0700 0xdcc08 Activity 0x16cd2 35310 0 fpicker: (libsystem_info.dylib) Retrieve User by Name
2023-10-09 12:24:56.807690-0700 0xdcbff Default 0x0 35310 0 fpicker: [*] Found process coreaudiod with PID 35284
2023-10-09 12:24:56.989409-0700 0xdcbff Default 0x0 35310 0 fpicker: [*] Attached to process coreaudiod on frida device Local System
2023-10-09 12:24:56.992157-0700 0xdcbff Default 0x0 35310 0 fpicker: [*] Agent script created
2023-10-09 12:24:57.097285-0700 0xdcbff Default 0x0 35310 0 fpicker: [*] Agent script loaded
2023-10-09 12:24:58.097628-0700 0xdcbff Default 0x0 35310 0 fpicker: [*] Slept a bit to give the agent script some time.
2023-10-09 12:24:58.097642-0700 0xdcbff Default 0x0 35310 0 fpicker: [*] SEND: ["frida:rpc", 0, "call", "prepare", ["SHM", "AFL", "IN_PROCESS", "/afl_35296_846930886", "/fp_comm_shm_35310_1804289383", "1"]]
2023-10-09 12:24:58.099173-0700 0xdcc01 Default 0x0 35310 0 fpicker: [JS]: [*] afl_area_ptr: 0x0
2023-10-09 12:24:58.099431-0700 0xdcc01 Default 0x0 35310 0 fpicker: [JS]: [*] commap: 0x10a8d6000
2023-10-09 12:24:58.099675-0700 0xdcc01 Default 0x0 35310 0 fpicker: [JS]: [*] commap_id: /fp_comm_shm_35310_1804289383
2023-10-09 12:24:58.099834-0700 0xdcc01 Default 0x0 35310 0 fpicker: [JS]: [*] base: 0x7ff805b1f000
2023-10-09 12:24:58.100093-0700 0xdcc01 Default 0x0 35310 0 fpicker: [JS]: [*] iteration_sem: 0xffffffffffffffff
2023-10-09 12:24:58.100246-0700 0xdcc01 Default 0x0 35310 0 fpicker: [JS]: [*] exec_sem: 0xffffffffffffffff
2023-10-09 12:24:58.100474-0700 0xdcc01 Default 0x0 35310 0 fpicker: [JS]: [*] Not excluding CoreAudio from stalker
2023-10-09 12:24:58.100742-0700 0xdcc01 Default 0x0 35310 0 fpicker: [JS]: [*] Setting up interceptor
2023-10-09 12:24:58.109838-0700 0xdcc01 Default 0x0 35310 0 fpicker: [JS]: {"type":"send","payload":{"type":"_fpicker_ready","data":[{"name":"coreaudiod","base":"0x1084c9000","size":98304,"path":"/usr/sbin/coreaudiod","id":0,"end":"0x1084e1000"},{"name":"caulk","base":"0x7ff80d25c000","size":155648,"path":"/System/Library/PrivateFrameworks/caulk.framework/Versions/A/caulk","id":1,"end":"0x7ff80d282000"},{"name":"CoreAudio","base":"0x7ff805b1f000","size":7462910,"path":"/System/Library/Frameworks/CoreAudio.framework/Versions/A/CoreAudio","id":2,"end":"0x7ff80623cffe"},{"name":"CoreFoundation","base":"0x7ff803b6a000","size":4825088,"path":"/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation","id":3,"end":"0x7ff804004000"},{"name":"Foundation","base":"0x7ff8049e3000","size":10559479,"path":"/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation","id":4,"end":"0x7ff8053f4ff7"},{"name":"libobjc.A.dylib","base":"0x7ff803799000","size":245721,"path":"/usr/lib/libobjc.A.dylib","id":5,"end":"0x7ff8037d4fd9"},{"name":"libc++.1.dylib","base":"0<…>
2023-10-09 12:24:58.109848-0700 0xdcc01 Default 0x0 35310 0 fpicker: [*] MODULE=/usr/sbin/coreaudiod, start=0x1084c9000, end=0x1084e1000
2023-10-09 12:24:58.110678-0700 0xdcc01 Default 0x0 35310 0 fpicker: [JS]: [1] before sem_wait in wait_for_exec (1696879498103)
2023-10-09 12:24:58.110691-0700 0xdcc01 Default 0x0 35310 0 fpicker: [JS]: [3] after sem_wait in wait_for_exec (1696879498103). This took 0 ms
2023-10-09 12:24:58.110702-0700 0xdcc01 Default 0x0 35310 0 fpicker: [JS]: [*] Interceptor ENTER (1696879498103)
2023-10-09 12:24:58.110738-0700 0xdcc01 Default 0x0 35310 0 fpicker: [JS]: {"type":"send","payload":{"type":"crash","msg":{"message":"access violation accessing 0xd8d1","type":"access-violation","address":"0x10873f1b5","memory":{"operation":"read","address":"0xd8d1"},"context":{"pc":"0x10873f1b5","sp":"0x70000f95ef80","rax":"0xd8d1","rcx":"0xd8d1","rdx":"0x0","rbx":"0x10fae3000","rsp":"0x70000f95ef80","rbp":"0x70000f95efb0","rsi":"0x10fea83e0","rdi":"0x70000f95f2e8","r8":"0x70000f95f3c8","r9":"0x10aa09800","r10":"0x0","r11":"0x7ff8060ebd0e","r12":"0x70000f95f580","r13":"0x1","r14":"0x2","r15":"0x0","rip":"0x10873f1b5"},"nativeContext":"0x0","fileName":"mach.js","lineNumber":28}}}
2023-10-09 12:24:58.110770-0700 0xdcc01 Default 0x0 35310 0 fpicker: [->] CRASH type received
2023-10-09 12:24:58.110774-0700 0xdcc01 Default 0x0 35310 0 fpicker: [->] message: {"type":"send","payload":{"type":"crash","msg":{"message":"access violation accessing 0xd8d1","type":"access-violation","address":"0x10873f1b5","memory":{"operation":"read","address":"0xd8d1"},"context":{"pc":"0x10873f1b5","sp":"0x70000f95ef80","rax":"0xd8d1","rcx":"0xd8d1","rdx":"0x0","rbx":"0x10fae3000","rsp":"0x70000f95ef80","rbp":"0x70000f95efb0","rsi":"0x10fea83e0","rdi":"0x70000f95f2e8","r8":"0x70000f95f3c8","r9":"0x10aa09800","r10":"0x0","r11":"0x7ff8060ebd0e","r12":"0x70000f95f580","r13":"0x1","r14":"0x2","r15":"0x0","rip":"0x10873f1b5"},"nativeContext":"0x0","fileName":"mach.js","lineNumber":28}}}
2023-10-09 12:24:58.110776-0700 0xdcc01 Default 0x0 35310 0 fpicker: [*] SEM_POST in _signal_exec_finished_with_ret_status 1696879498110
2023-10-09 12:24:58.110804-0700 0xdcc01 Default 0x0 35310 0 fpicker: [JS]: [1] before sem_wait in wait_for_exec (1696879498105)
2023-10-09 12:24:58.110815-0700 0xdcc01 Default 0x0 35310 0 fpicker: [JS]: [3] after sem_wait in wait_for_exec (1696879498105). This took 0 ms
2023-10-09 12:24:58.110825-0700 0xdcc01 Default 0x0 35310 0 fpicker: [JS]: [*] Interceptor ENTER (1696879498105)
2023-10-09 12:24:58.114698-0700 0xdcbff Default 0x0 35310 0 fpicker: [*] Harness preparation done
2023-10-09 12:24:58.114725-0700 0xdcbff Default 0x0 35310 0 fpicker: [*] Everything ready, starting to fuzz!
2023-10-09 12:24:58.129164-0700 0xdcbff Default 0x0 35310 0 fpicker: [2] PRE SEM_POST in fuzz_iteration_in_process_shm: 1696879498129
2023-10-09 12:24:58.129173-0700 0xdcbff Default 0x0 35310 0 fpicker: [*] POST SEM_POST in fuzz_iteration_in_process_shm: 1696879498129
2023-10-09 12:24:58.129175-0700 0xdcbff Default 0x0 35310 0 fpicker: [*] PRE SEM_WAIT in fuzz_iteration_in_process_shm: 1696879498129
2023-10-09 12:24:58.129179-0700 0xdcbff Default 0x0 35310 0 fpicker: [*] POST SEM_WAIT in fuzz_iteration_in_process_shm: 1696879498129
2023-10-09 12:24:58.129791-0700 0xdcbff Default 0x0 35310 0 fpicker: [2] PRE SEM_POST in fuzz_iteration_in_process_shm: 1696879498129
2023-10-09 12:24:58.129797-0700 0xdcbff Default 0x0 35310 0 fpicker: [*] POST SEM_POST in fuzz_iteration_in_process_shm: 1696879498129
2023-10-09 12:24:58.129798-0700 0xdcbff Default 0x0 35310 0 fpicker: [*] PRE SEM_WAIT in fuzz_iteration_in_process_shm: 1696879498129
2023-10-09 12:25:28.336289-0700 0xdcc01 Default 0x0 35310 0 fpicker: [JS]: [*] Interceptor ENTER (1696879528335)
I'm exploring the use of fpicker for a specific application and wonder if anyone else has tried something similar. Initially, I intended to use an AFL-proxy I developed for fuzzing embedded systems. However, my focus shifted after discovering fpicker. I'm working with a Linux licensing server program that communicates over a network socket. My goal is to fuzz this server binary using AFL++/fpicker, specifically targeting the network handling function (like the recv() function from a client) and leveraging FRIDA or another Dynamic Binary Instrumentation (DBI) for coverage analysis. This coverage data would then feed back into AFL++'s loop, updating the coverage map as expected.
My key question is: does fpicker support a mode where I can send test cases to the target through a socket connection, as opposed to using Shared Memory (SHM) or other Inter-Process Communication (IPC) mechanisms? This approach seems theoretically feasible, but I'm curious if there are any known limitations or reasons it might not work. I'm eager to test this out and would appreciate any insights or experiences anyone might have in this area.
I tried the example in Readme and executed the following command:
afl-fuzz -i examples/test-network/in -o ./examples/test-network/out -- ./fpicker --fuzzer-mode afl -e attach -p test-network -f ./examples/test-network/harness.js
[-] Hmm, looks like the target binary terminated before we could complete a
handshake with the injected code. You can try the following:
- The target binary crashes because necessary runtime conditions it needs
are not met. Try to:
1. Run again with AFL_DEBUG=1 set and check the output of the target
binary for clues.
2. Run again with AFL_DEBUG=1 and 'ulimit -c unlimited' and analyze the
generated core dump.
- Possibly the target requires a huge coverage map and has CTORS.
Retry with setting AFL_MAP_SIZE=10000000.
Otherwise there is a horrible bug in the fuzzer.
Poke <[email protected]> for troubleshooting tips.
[-] PROGRAM ABORT : Fork server handshake failed
Location : afl_fsrv_start(), src/afl-forkserver.c:1175
What would writing custom mutator involve? How can I write it? Anything I can base off?
A very simple example would be great.
Thanks,
Can you briefly explain the fields meaning?
[t=1619610289] [BBs=1567] [seed=795] [fc=1591] [fcps=13] [cur_loop=105957] [mut_avg=2] [cov_avg=59723] [corpus=2]
Also how a "healthy" fuzzing output should look like?
I assume corpus increasing etc?
Thanks,
Hello,
currently I am trying to get fpicker to run on Android devices.
I already tried to do it like in the issues #19 and #5, but did not succeed.
As this is not featured in the docs yet, I wanted to (1) ask about some help on building and running it and (2) use this issue as a base to update the docs for running fpicker on Android devices.
First, I wanted to ask, which frida-core-devkit to download. Is frida-core-devkit-16.0.2-android-arm64.tar.xz the right one? Or can I use
frida-core-devkit-16.0.2-linux-arm64.tar.xz as well?
I tried both of them and added the header file and the library as frida-core-linux.h and libfrida-core-linux.a to the fpicker root.
After that, I simply tried to run make fpicker-linux.
Unfortunately, with both of them I ran into the following error:
cannot find -lfrida-core-linux: No such file or directory
As I am not really fluent with C, I am not sure, if this error is trivial or I am missing something.
I would be really thankful for any input and would like to update the README with detailed instructions for running on Android, as this seems to be an often asked request. (At least as seen in #5)
Hi!
Read the doc, but could not figure it out.
Have a binary with a function (that takes buffer and length) on Android device.
Can I fuzz it with fpicker?
Wanted to use afl++ mode on it.
I saw fuzzing on network device, but how to fuzz on an Android mobile?
Or I should somehow install ssh on the mobile?
Maybe I am missing something.
Thanks,
What does it mean by "Compile with CFLAGS="-DUSEMMAP=1""?
May I just type :
AFLplusplus $ export CFLAGS="-DUSEMMAP=1"
AFLplusplus $ gmake
...
or any other commands.
Sorry I am not familiar with AFL++ that much.
Hi,
I'm trying to build fpicker for linux x64. I've downloaded frida-core-devkit-15.1.28-linux-x86_64 and renamed the library and the header file to frida-core-linux.a and frida-core-linux.h.
When I'm running make fpicker-linux I'm getting an error:
➜ make fpicker-linux
cc -fPIC -m64 -ffunction-sections -fdata-sections -Wall -Wno-format -Os -pipe -g3 fpicker.c fp_communication.c fp_standalone_mode.c fp_afl_mode.c -o fpicker -L. -lfrida-core-linux.a -ldl -lm -lresolv -lrt -Wl,--export-dynamic -Wl,--gc-sections,-z,noexecstack -pthread
In file included from /usr/include/string.h:495,
from frida-core-linux.h:22131,
from fpicker.h:2,
from fp_communication.c:1:
In function ‘strncpy’,
inlined from ‘create_communication_map’ at fp_communication.c:248:5:
/usr/include/x86_64-linux-gnu/bits/string_fortified.h:106:10: warning: ‘__builtin_strncpy’ output truncated before terminating nul copying 12 bytes from a string of the same length [-Wstringop-truncation]
106 | return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/usr/bin/ld: cannot find -lfrida-core-linux.a
collect2: error: ld returned 1 exit status
make: *** [Makefile:11: fpicker-linux] Error 1
Hello. I'm having an issue with running fpicker.
Here's my command: fpicker --fuzzer-mode active -e attach -p <target_process> -D remote -o ./out -i ./in -f harness.js
I'm running on a X86_64 Host but my target application is a 32bit binary running in a chroot. I also have Frida-Server-x86 running in that chroot to facilitate the remote connection.
Here's my harness:
const Fuzzer = require("./harness/fuzzer.js");

class TestFuzzer extends Fuzzer.Fuzzer {
    constructor() {
        const fn_addr = Module.getExportByName("libtarget.so.0.1.0","target_function");
        const fn = new NativeFunction(
            fn_addr,
            "bool", ["pointer", "size_t"], {
        });
        super("target", fn_addr, fn);
    }

    fuzz(payload, len) {
        this.target_function(payload, parseInt(len));
    }
}

const f = new TestFuzzer();
exports.fuzzer = f;
Here's the output of when I run fpicker:
$ fpicker --fuzzer-mode active -e attach -p target -D remote -o ./out -i ./in -f harness.js
__ _ _
/ _| (_) | |
| |_ _ __ _ ___| | _____ _ __
| _| '_ \| |/ __| |/ / _ \ '__|
| | | |_) | | (__| < __/ |
|_| | .__/|_|\___|_|\_\___|_|
| |
|_| Frida-Based Fuzzing Suite
- - - - - - - - - - - - - - - - - - - - - - -
Running fpicker using the following configuration:
- fuzzer-mode: FUZZER_MODE_STANDALONE_ACTIVE
- coverage_mode: COVERAGE_MODE_STALKER_SUMMARY
- standalone_mutator: STANDALONE_MUTATOR_NULL
- communication_mode: COMMUNICATION_MODE_SEND
- input_mode: INPUT_MODE_IN_PROCESS
- exec_mode: EXEC_MODE_ATTACH
- device_type: DEVICE_REMOTE
- process_name: target
- command: (null)
- fuzzer_timeout: 500
- fuzzer_sleep: 100
- verbose: false
- agent_script: harness.js
- corpus_dir: ./in
- out_dir: ./out
- metrics: enabled
[*] Found 2 Frida devices.
[*] Found desired Frida device: Local Socket(1)
[*] Trying to attach to process target
[*] Found process targetwith PID 69823
[*] Attached to process target on frida device Local Socket
[*] Agent script created
[->] error: {"type":"error","description":"Error: compilation failed: module.c:45: error: field not found: undefined","stack":"Error: compilation failed: module.c:45: error: field not found: undefined\n at <anonymous> (harness/stalker-instrumentation.js:64)\n at call (native)\n at o (../../../../../../../usr/local/lib/node_modules/frida-compile/node_modules/browser-pack/_prelude.js:1)\n at <anonymous> (../../../../../../../usr/local/lib/node_modules/frida-compile/node_modules/browser-pack/_prelude.js:1)\n at Fuzzer (harness/fuzzer.js:10)\n at TestFuzzer (target-fuzzer.js:25)\n at <anonymous> (target-fuzzer.js:46)\n at call (native)\n at o (../../../../../../../usr/local/lib/node_modules/frida-compile/node_modules/browser-pack/_prelude.js:1)\n at r (../../../../../../../usr/local/lib/node_modules/frida-compile/node_modules/browser-pack/_prelude.js:1)\n at <eval> (/harness.js:527)","fileName":"harness/stalker-instrumentation.js","lineNumber":64,"columnNumber":1}
[*] Agent script loaded
^C
Frida-server is not outputting anything while running in verbose mode.
Any Help would be appreciated.
Hi,
So I have to put the Frida Server on the mobile, do port forwarding and then run fpicker
Assuming I have test-network binary on the phone
This is what I should run:
afl-fuzz -i examples/test-network/in -o ./examples/test-network/out -- \\
./fpicker --fuzzer-mode afl -e attach -p test-network -D remote -f ./examples/test-network/harness.js
Thanks,
This line does not update prev_cov in the user_data struct, so prev_cov is always 0 and AFL bits are computed only on the target address:
https://github.com/ttdennis/fpicker/blob/main/harness/stalker-instrumentation.js#L62
It probably should be ud->prev_loc = cur_loc >> 1;
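The edge bookkeeping the report above is about, as an added example that is not fpicker's code: a stand-in for the instrumentation's per-thread user_data, with the prev_loc update switchable so the reported behaviour and the proposed fix can be compared on a constructed block trace. Block ids are taken from the low bits of constructed addresses (a real tracer hashes them), and the function names, the per-iteration reset and the addresses are assumptions made here.

```javascript
// Added example (not fpicker's code): AFL-style edge coverage bookkeeping in a
// Stalker-like transform, showing the effect of never updating prev_loc.
const MAP_SIZE = 1 << 16;

// Stand-in for the per-thread user_data struct of the instrumentation.
function newUserData() {
  return { prev_loc: 0, map: new Uint8Array(MAP_SIZE) };
}

// Called at the start of each in-process iteration (assumption: a persistent
// harness reuses user_data), so the first edge of a run does not depend on
// where the previous run stopped.
function beginIteration(ud) {
  ud.prev_loc = 0;
}

// Constructed block id: low bits of the block address. A real tracer hashes
// the address; the low bits are enough to show the edge arithmetic here.
function blockId(addr) {
  return addr & (MAP_SIZE - 1);
}

// AFL edge id: cur_loc ^ prev_loc, after which prev_loc becomes cur_loc >> 1
// so that A->B and B->A land on different cells. updatePrev = false
// reproduces the behaviour the issue reports: prev_loc stays 0 and the cell
// index is just the current block's id.
function recordEdge(ud, addr, updatePrev) {
  const cur_loc = blockId(addr);
  const idx = cur_loc ^ ud.prev_loc;
  ud.map[idx] = (ud.map[idx] + 1) & 0xff;
  if (updatePrev) {
    ud.prev_loc = cur_loc >> 1;
  }
  return idx;
}

// Run one iteration over a trace of block addresses; returns the map indices
// hit, in order, so individual edges can be compared.
function coverTrace(ud, trace, updatePrev) {
  beginIteration(ud);
  return trace.map((addr) => recordEdge(ud, addr, updatePrev));
}

// Number of distinct map cells touched. Without the prev_loc update every
// block maps to the same cell regardless of its predecessor, so AFL sees
// block coverage rather than edge coverage.
function distinctCells(indices) {
  return new Set(indices).size;
}

// Constructed trace: A -> B -> C -> A -> C, i.e. two different edges into C.
const A = 0x401000, B = 0x402000, C = 0x403000;
const TRACE = [A, B, C, A, C];
```

With the update in place the two edges into C (from B and from A) get different cells, 0x2000 and 0x3800, and the five-step trace touches five cells; with prev_loc stuck at 0 both edges into C collapse onto 0x3000 and only three cells are ever touched, which is the loss of edge sensitivity the report describes.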
I tried all the examples in the example folder as-is to practice using fpicker, but they do not work and produce the following error.
root@u20:/data/research/fpicker# AFL_DEBUG=1 afl-fuzz -i ./examples/protocol_example/in -o ./examples/protocol_example/out/ -- ./fpicker --fuzzer-mode afl -e attach -p protocol_example -f ./examples/protocol_example/harness.js
[+] Enabled environment variable AFL_DEBUG with value 1
[+] Enabled environment variable AFL_DEBUG with value 1
afl-fuzz++4.05a based on afl by Michal Zalewski and a large online community
[+] afl++ is maintained by Marc "van Hauser" Heuse, Heiko "hexcoder" Eißfeldt, Andrea Fioraldi and Dominik Maier
[+] afl++ is open source, get it at https://github.com/AFLplusplus/AFLplusplus
[+] NOTE: This is v3.x which changes defaults and behaviours - see README.md
[+] No -M/-S set, autoconfiguring for "-S default"
[*] Getting to work...
[+] Using exponential power schedule (FAST)
[+] Enabled testcache with 50 MB
[+] Generating fuzz data with a length of min=1 max=1048576
[*] Checking core_pattern...
[!] WARNING: Could not check CPU scaling governor
[+] You have 2 CPU cores and 4 runnable tasks (utilization: 200%).
[!] WARNING: System under apparent load, performance may be spotty.
[*] Setting up output directories...
[+] Output directory exists but deemed OK to reuse.
[*] Deleting old session data...
[+] Output dir cleanup successful.
[*] Checking CPU core loadout...
[+] Found a free CPU core, try binding to #0.
[*] Scanning './examples/protocol_example/in'...
[+] Loaded a total of 1 seeds.
[*] Creating hard links for all input files...
[*] Validating target binary...
[*] Spinning up the fork server...
[-] PROGRAM ABORT : Timeout while initializing fork server (setting AFL_FORKSRV_INIT_TMOUT may help)
Location : afl_fsrv_start(), src/afl-forkserver.c:1036
The AFL_DEBUG and ulimit options did not help with debugging, and the syslog is as follows.
Mar 28 14:22:09 u20 fpicker: __ _ _ #012 / _| (_) | | #012 | |_ _ __ _ ___| | _____ _ __ #012 | _| '_ \| |/ __| |/ / _ \ '__| #012 | | | |_) | | (__| < __/ | #012 |_| | .__/|_|\___|_|\_\___|_| #012 | | #012 |_| Frida-Based Fuzzing Suite#012- - - - - - - - - - - - - - - - - - - - - - -#012
Mar 28 14:22:09 u20 fpicker: Running fpicker using the following configuration:
Mar 28 14:22:09 u20 fpicker: - fuzzer-mode: #011#011#011FUZZER_MODE_AFL
Mar 28 14:22:09 u20 fpicker: - coverage_mode: #011#011COVERAGE_MODE_STALKER_SUMMARY
Mar 28 14:22:09 u20 fpicker: - standalone_mutator: #011#011STANDALONE_MUTATOR_NULL
Mar 28 14:22:09 u20 fpicker: - communication_mode: #011#011COMMUNICATION_MODE_SEND
Mar 28 14:22:09 u20 fpicker: - input_mode: #011#011#011INPUT_MODE_IN_PROCESS
Mar 28 14:22:09 u20 fpicker: - exec_mode: #011#011#011EXEC_MODE_ATTACH
Mar 28 14:22:09 u20 fpicker: - device_type: #011#011#011DEVICE_LOCAL
Mar 28 14:22:09 u20 fpicker: - process_name: #011#011protocol_example
Mar 28 14:22:09 u20 fpicker: - command: #011#011#011(null)
Mar 28 14:22:09 u20 fpicker: - fuzzer_timeout: #011#011500
Mar 28 14:22:09 u20 fpicker: - fuzzer_sleep: #011#011100
Mar 28 14:22:09 u20 fpicker: - verbose: #011#011#011false
Mar 28 14:22:09 u20 fpicker: - agent_script: #011#011./examples/protocol_example/harness.js
Mar 28 14:22:09 u20 fpicker: - corpus_dir: #011#011#011(null)
Mar 28 14:22:09 u20 fpicker: - out_dir: #011#011#011(null)
Mar 28 14:22:09 u20 fpicker: - metrics: disabled
Mar 28 14:22:09 u20 fpicker:
Mar 28 14:22:09 u20 fpicker: [*] SHM_ENV_VAR = 32823
Mar 28 14:22:09 u20 fpicker: [*] Found 2 Frida devices.
Mar 28 14:22:09 u20 fpicker: [*] Found desired Frida device: Local System(0)
Mar 28 14:22:09 u20 fpicker: [*] Trying to attach to process with name protocol_example.
Mar 28 14:22:09 u20 fpicker: [*] Found process protocol_example with PID 3987034
Mar 28 14:22:09 u20 fpicker: [*] Attached to process protocol_example on frida device Local System
Mar 28 14:22:09 u20 fpicker: [*] Agent script created
Mar 28 14:22:09 u20 fpicker: [->] error: {"type":"error","description":"TypeError: parent class must be constructor","stack":"TypeError: parent class must be constructor\n at <anonymous> (test-fuzzer.js:5)","fileName":"test-fuzzer.js","lineNumber":5,"columnNumber":1}
Mar 28 14:22:09 u20 fpicker: [*] Agent script loaded
Mar 28 14:22:10 u20 fpicker: [*] Slept a bit to give the agent script some time.
Mar 28 14:22:10 u20 fpicker: [->] error_send_message: {"type":"send","payload":["frida:rpc",0,"error","unable to find method 'prepare'"]}
The test environment is as follows:
host info
root@u20:/data/research/fpicker# cat /etc/issue
Ubuntu 20.04.3 LTS \n \l
frida-core-devkit version
root@u20:/data/research/fpicker# ls -al frida-core-devkit*
-rw-r--r-- 1 root root 220743680 2월 11 21:09 frida-core-devkit-16.0.9-linux-x86_64.tar
frida-compile version
root@u20:/data/research/fpicker# npm list frida-compile
[email protected] /data/research/fpicker
└── [email protected]
Do I need to add or modify the prepare statement in the provided fuzzer.js file?
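One way the error at the `class ... extends` line in the log above can arise, as an added example that is not fpicker's code and an assumption about this particular report rather than a diagnosis of it: the harness extends the object that `require()` returns instead of the `Fuzzer` class exported on it. The two import shapes seen in harnesses on this page are `import { Fuzzer } from "./harness/fuzzer.js"` (the class itself) and `require("./harness/fuzzer.js").Fuzzer` (the class as a property of the module object). `resolveFuzzerBase`, `defineHarness` and `tryDefineHarness` are names invented here; the base class is a minimal stand-in for harness/fuzzer.js.

```javascript
// Added example (not fpicker's code): reproduces the failure class behind
// "parent class must be constructor" (QuickJS wording, which is what the
// report shows; V8 reports "Class extends value ... is not a constructor or
// null") and a check that accepts both import shapes.

// Minimal stand-in for the base class in harness/fuzzer.js.
class Fuzzer {
  constructor(moduleName, targetAddr, targetFunction) {
    this.module_name = moduleName;
    this.target_addr = targetAddr;
    this.target_function = targetFunction;
  }
}

// What a CommonJS require("./harness/fuzzer.js") hands back when the file
// does `exports.Fuzzer = Fuzzer`: the module object, not the class.
const fuzzerModule = { Fuzzer };

// Accept either the class itself (import { Fuzzer } from ...) or the module
// object (require(...), where the class lives at .Fuzzer); fail early with a
// clear message instead of at the `extends` line.
function resolveFuzzerBase(imported) {
  if (typeof imported === "function") return imported;
  if (imported !== null && typeof imported === "object" && typeof imported.Fuzzer === "function") {
    return imported.Fuzzer;
  }
  throw new TypeError("fuzzer import is not a class (got " + typeof imported + "); use .Fuzzer");
}

// Mirrors the `class TestFuzzer extends ...` line of a harness. The extends
// clause is evaluated when the class is defined, which is where the report's
// error is raised (test-fuzzer.js:5).
function defineHarness(base) {
  return class TestFuzzer extends base {
    constructor() {
      // Constructed placeholder target; a real harness passes a NativeFunction.
      super("target", 0x1000, null);
    }
    fuzz(payload, len) {
      return [payload, len];
    }
  };
}

// Attempt the definition and report the outcome instead of throwing, so the
// two import shapes can be compared side by side.
function tryDefineHarness(imported) {
  try {
    const Harness = defineHarness(imported);
    const h = new Harness();
    return { ok: true, module_name: h.module_name };
  } catch (e) {
    return { ok: false, error: e.constructor.name, message: e.message };
  }
}
```

`tryDefineHarness(fuzzerModule)` fails with a TypeError because the module object is not a constructor, while `tryDefineHarness(resolveFuzzerBase(fuzzerModule))` succeeds; the same `resolveFuzzerBase` call is a no-op for the ES-module shape, so a harness can use it regardless of how it was compiled.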
Hello, I encountered a link error with 3.14a on MacOS.
Compiler Environment:
Environment variable:
export LDFLAGS="-L/usr/local/opt/llvm/lib -Wl,-rpath,/usr/local/opt/llvm/lib"
export PATH="/usr/local/opt/llvm/bin:$PATH"
export CPPFLAGS="-I/usr/local/opt/llvm/include"
If I execute the make distrib command, it can compile normally.
If I execute the CFLAGS="-DUSEMMAP=1" make distrib command when compiling afl++, the compilation will pass, but the link will report an error:
[*] Testing the CC wrapper and instrumentation output...
unset AFL_USE_ASAN AFL_USE_MSAN AFL_INST_RATIO; ASAN_OPTIONS=detect_leaks=0 AFL_QUIET=1 AFL_PATH=. AFL_LLVM_LAF_ALL=1 ./afl-cc -DUSEMMAP=1 -g -Wno-pointer-sign -Wno-variadic-macros -Wall -Wextra -Wpointer-arith -I include/ -DAFL_PATH=\"/usr/local/lib/afl\" -DBIN_PATH=\"/usr/local/bin\" -DDOC_PATH=\"/usr/local/share/doc/afl\" -Wall -g -Wno-cast-qual -Wno-variadic-macros -Wno-pointer-sign -I ./include/ -I ./instrumentation/ -DAFL_PATH=\"/usr/local/lib/afl\" -DBIN_PATH=\"/usr/local/bin\" -DLLVM_BINDIR=\"/usr/local/Cellar/llvm/12.0.0_1/bin\" -DVERSION=\"++3.14a\" -DLLVM_LIBDIR=\"/usr/local/Cellar/llvm/12.0.0_1/lib\" -DLLVM_VERSION=\"12.0.0\" -Wno-deprecated -DAFL_CLANG_FLTO=\"-flto=full\" -DAFL_REAL_LD=\"/usr/local/Cellar/llvm/12.0.0_1/bin/ld.lld\" -DAFL_CLANG_LDPATH=\"\" -DAFL_CLANG_FUSELD=\"1\" -DCLANG_BIN=\"/usr/local/Cellar/llvm/12.0.0_1/bin/clang\" -DCLANGPP_BIN=\"/usr/local/Cellar/llvm/12.0.0_1/bin/clang++\" -DUSE_BINDIR=1 -Wno-unused-function -fdebug-prefix-map="/Users/cqy/AFLplusplus=llvm_mode" -I/usr/local/opt/llvm/include ./test-instr.c -o test-instr -L/usr/local/opt/llvm/lib -Wl,-rpath,/usr/local/opt/llvm/lib
ld: library not found for -lrt
clang-12: error: linker command failed with exit code 1 (use -v to see invocation)
make[1]: *** [test_build] Error 1
make: [llvm] Error 2 (ignored)
/Library/Developer/CommandLineTools/usr/bin/make -f GNUmakefile.gcc_plugin
[+] shmat seems to be working.
[*] Checking for working 'gcc'...
[*] Checking for gcc plugin development header files...
[-] Oops, can't find gcc header files. Be sure to install 'gcc-X-plugin-dev'.
make[1]: *** [test_deps] Error 1
make: [gcc_plugin] Error 2 (ignored)
[*] Testing the CC wrapper afl-cc and its instrumentation output...
afl-cc ++3.14a by Michal Zalewski, Laszlo Szekeres, Marc Heuse - mode: LLVM-PCGUARD
SanitizerCoveragePCGUARD++3.14a
[+] Instrumented 11 locations with no collisions (non-hardened mode).
ld: library not found for -lrt
clang-12: error: linker command failed with exit code 1 (use -v to see invocation)
Oops, afl-cc failed
make: *** [test_build] Error 1
I want to ask, have you encountered this situation?