adjust qbdi mode

2025-06-12 10:08:07 +00:00 · 2019-11-17 11:39:21 +01:00
parent 0071e537f3
commit 7e022a09cc
6 changed files with 130 additions and 92 deletions
--- a/include/config.h
+++ b/include/config.h
@ -41,7 +41,9 @@
 /* Comment out to disable fancy ANSI boxes and use poor man's 7-bit UI: */
 #ifndef ANDROID_DISABLE_FANCY // Fancy boxes are ugly from adb
 #define FANCY_BOXES
 #endif
 /* Default timeout for fuzzed code (milliseconds). This is the upper bound,
   also used for detecting hangs; the actual value is auto-scaled: */
--- a/qbdi_mode/README.md
+++ b/qbdi_mode/README.md
@ -30,6 +30,16 @@ For x86 standalone-toolchain
 ./build/tools/make_standalone_toolchain.py --arch x86 --api 21 --install-dir ../android-standalone-toolchain-x86
 ```
 In alternative you can also use the prebuilt toolchain, in that case make sure to set the proper CC and CXX env variables because there are many different compilers for each API version in the prebuilt toolchain.
 For example:
 ```
 export STANDALONE_TOOLCHAIN_PATH=~/Android/Sdk/ndk/20.1.5948944/toolchains/llvm/prebuilt/linux-x86_64/
 export CC=x86_64-linux-android21-clang
 export CXX=x86_64-linux-android21-clang++
 ```
 Then download the QBDI SDK from website
 ```
@ -76,35 +86,40 @@ this could build the afl-fuzz and also the qbdi template for android x86_64
 The demo-so.c is an vulnerable library, it has a function for test
 ```
-int target_func(char *buf, int size)
+int target_func(char *buf, int size) {
-{
+
-    printf("buffer:%p, size:%p\n", buf, size);
+  printf("buffer:%p, size:%p\n", buf, size);
-    switch (buf[0])
+  switch (buf[0]) {
-    {
+
-    case 1:
+    case 1:
-        puts("222");
+      puts("222");
-        if (buf[1] == '\x44')
+      if (buf[1] == '\x44') {
-        {
+
-            puts("null ptr deference");
+        puts("null ptr deference");
-            *(char *)(0) = 1;
+        *(char *)(0) = 1;
-        }
+
-        break;
+      }
-    case 0xff:
+
-        if (buf[2] == '\xff')
+      break;
-        {
+    case 0xff:
-            if (buf[1] == '\x44')
+      if (buf[2] == '\xff') {
-            {
+
-                puts("crash....");
+        if (buf[1] == '\x44') {
-                *(char *)(0xdeadbeef) = 1;
+
-            }
+          puts("crash....");
-        }
+          *(char *)(0xdeadbeef) = 1;
-        break;
+
-    default:
+        }
-        puts("default action");
+
-        break;
+      }
-    }
+
      break;
    default: puts("default action"); break;
  }
  return 1;
    return 1;
 }
 ```
@ -122,24 +137,18 @@ Then we should load the library in template.cpp and find the `target` function a
 then we read the data from file and call the function in `fuzz_func`
 ```
-QBDI_NOINLINE int fuzz_func()
+QBDI_NOINLINE int fuzz_func() {
 {
 	// afl forkserver stuff
    if (afl_setup())
    {
        afl_forkserver();
    }
-	// read the data from file(argv[2])
+  if (afl_setup()) { afl_forkserver(); }
    unsigned long len = 0;
    char *data = read_file(FPATH, &len);
  /* Read the input from file */
  unsigned long len = 0;
  char *        data = read_file(input_pathname, &len);
-    printf("In fuzz_func\n");
+  /* Call the target function with the input data */
  p_target_func(data, len);
  return 1;
 	// call the target function with input data.
    p_target_func(data, len);
    return 1;
 }
 ```
@ -159,39 +168,32 @@ adb push ../../android-standalone-toolchain-x86_64/sysroot/usr/lib/x86_64-linux-
 /data/local/tmp
 ```
-In android adb shell, we could try to run the loader
+In android adb shell, run the loader to test if it runs
 ```
 cd /data/local/tmp
 export LD_LIBRARY_PATH=/data/local/tmp
 ./loader /data/local/tmp/libdemo.so init
 ```
 the normal output like
 ```
 # ./loader /data/local/tmp/libdemo.so init                                        p_target_func:0x7b41ac26e600
 In fuzz_func
        offset:0x600
        offset:0x580
 buffer:0x7b41abe2b050, size:0x4
        offset:0x628
        offset:0x646
        offset:0x64b
        offset:0x65c
        offset:0x6df
        offset:0x590
 default action
        offset:0x6eb
 ```
 now run `afl-fuzz` to fuzz the library
 ```
 mkdir in
-echo xxxx > in/1
+echo 0000 > in/1
 ./loader libdemo.so in/1
 p_target_func:0x716d96a98600
 	offset:0x600
 	offset:0x580
 buffer:0x716d96609050, size:0x5
 	offset:0x628
 	offset:0x646
 	offset:0x64b
 	offset:0x65c
 	offset:0x6df
 	offset:0x590
 default action
 	offset:0x6eb
 ```
 Now run `afl-fuzz` to fuzz the demo library
 ```
 ./afl-fuzz -i in -o out -- ./loader /data/local/tmp/libdemo.so @@
 ```
-the snapshot
+![screen1](assets/screen1.png)
 ![image-20191114222336674](assets/image-20191114222336674.png)
 good job.
--- a/qbdi_mode/assets/image-20191114222336674.png
+++ b/qbdi_mode/assets/image-20191114222336674.png
--- a/qbdi_mode/assets/screen1.png
+++ b/qbdi_mode/assets/screen1.png
--- a/qbdi_mode/build.sh
+++ b/qbdi_mode/build.sh
@ -1,3 +1,4 @@
 if [ -z ${STANDALONE_TOOLCHAIN_PATH} ]; then
    echo "please set the android-standalone-toolchain path in STANDALONE_TOOLCHAIN_PATH environmental variable" 
    echo "for example: "
@ -16,10 +17,22 @@ fi
 if [ "$1" = "x86" ]; then
  echo "build x86 qbdi"
-  compiler_prefix="${STANDALONE_TOOLCHAIN_PATH}/bin/i686-linux-android-"
+  compiler_prefix="${STANDALONE_TOOLCHAIN_PATH}/bin/"
  if [ -z ${CC} ]; then
      export CC=i686-linux-android-gcc
  fi
  if [ -z ${CXX} ]; then
      export CXX=i686-linux-android-g++
  fi
 elif [ "$1" = "x86_64" ]; then
    echo "build x86_64 qbdi"
-    compiler_prefix="${STANDALONE_TOOLCHAIN_PATH}/bin/x86_64-linux-android-"
+    compiler_prefix="${STANDALONE_TOOLCHAIN_PATH}/bin/"
    if [ -z ${CC} ]; then
        export CC=x86_64-linux-android-gcc
    fi
    if [ -z ${CXX} ]; then
        export CXX=x86_64-linux-android-g++
    fi
 else
    echo "usage: ./build.sh arch[x86, x86_64]"
    exit
@ -28,12 +41,17 @@ fi
 CFLAGS="-I${QBDI_SDK_PATH}/usr/local/include/ -L${QBDI_SDK_PATH}/usr/local/lib/"
 echo "[+] Building the QBDI template"
 # build the qbdi template 
-${compiler_prefix}g++ -o loader template.cpp -lQBDI -ldl -w  -g ${CFLAGS}
+${compiler_prefix}${CXX} -o loader template.cpp -lQBDI -ldl -w  -g ${CFLAGS}
 echo "[+] Building the demo library"
 # build the demo share library
-${compiler_prefix}gcc -shared -o libdemo.so demo-so.c -w -g
+${compiler_prefix}${CC} -shared -o libdemo.so demo-so.c -w -g
 echo "[+] Building afl-fuzz for Android"
 # build afl-fuzz
 cd ..
-${compiler_prefix}gcc -O3 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -I include/ -DAFL_PATH=\"/usr/local/lib/afl\" -DBIN_PATH=\"/usr/local/bin\" -DDOC_PATH=\"/usr/local/share/doc/afl\" -Wno-unused-function src/afl-fuzz-misc.c src/afl-fuzz-extras.c src/afl-fuzz-queue.c src/afl-fuzz-one.c src/afl-fuzz-python.c src/afl-fuzz-stats.c src/afl-fuzz-init.c src/afl-fuzz.c src/afl-fuzz-bitmap.c src/afl-fuzz-run.c src/afl-fuzz-globals.c src/afl-common.c src/afl-sharedmem.c src/afl-forkserver.c -o qbdi_mode/afl-fuzz  -ldl -w
+${compiler_prefix}${CC} -DANDROID_DISABLE_FANCY=1 -O3 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -I include/ -DAFL_PATH=\"/usr/local/lib/afl\" -DBIN_PATH=\"/usr/local/bin\" -DDOC_PATH=\"/usr/local/share/doc/afl\" -Wno-unused-function src/afl-fuzz-misc.c src/afl-fuzz-extras.c src/afl-fuzz-queue.c src/afl-fuzz-one.c src/afl-fuzz-python.c src/afl-fuzz-stats.c src/afl-fuzz-init.c src/afl-fuzz.c src/afl-fuzz-bitmap.c src/afl-fuzz-run.c src/afl-fuzz-globals.c src/afl-common.c src/afl-sharedmem.c src/afl-forkserver.c -o qbdi_mode/afl-fuzz  -ldl -w
 echo "[+] All done. Enjoy!"
--- a/qbdi_mode/template.cpp
+++ b/qbdi_mode/template.cpp
@ -20,6 +20,20 @@
 #include <QBDI.h>
 /* NeverZero */
 #if (defined(__x86_64__) || defined(__i386__)) && defined(AFL_QEMU_NOT_ZERO)
 #define INC_AFL_AREA(loc)           \
  asm volatile(                     \
      "incb (%0, %1, 1)\n"          \
      "adcb $0, (%0, %1, 1)\n"      \
      : /* no out */                \
      : "r"(afl_area_ptr), "r"(loc) \
      : "memory", "eax")
 #else
 #define INC_AFL_AREA(loc) afl_area_ptr[loc]++
 #endif
 using namespace QBDI;
 typedef int (*target_func)(char *buf, int size);
@ -35,6 +49,8 @@ unsigned char *afl_area_ptr = NULL;           /* Exported for afl_gen_trace */
 unsigned long afl_prev_loc = 0;
 char input_pathname[PATH_MAX];
 /* Set up SHM region and initialize other stuff. */
 int afl_setup(void) {
@ -98,36 +114,37 @@ void afl_maybe_log(unsigned long cur_loc) {
  if (afl_area_ptr == NULL) { return; }
  unsigned long afl_idx = cur_loc ^ afl_prev_loc;
-  afl_area_ptr[afl_idx % MAP_SIZE]++;
+  afl_idx &= MAP_SIZE -1;
  INC_AFL_AREA(afl_idx);
  afl_prev_loc = cur_loc >> 1;
 }
 char *read_file(char *path, unsigned long *length) {
-  FILE *pFile = fopen(path, "rb");
+  unsigned long len;
-  char *pBuf;
+  char * buf;
-  fseek(pFile, 0, SEEK_END);
+
-  unsigned long len = ftell(pFile);
+  FILE *fp = fopen(path, "rb");
-  pBuf = (char *)malloc(len);
+  fseek(fp, 0, SEEK_END);
-  rewind(pFile);
+  len = ftell(fp);
-  fread(pBuf, 1, len, pFile);
+  buf = (char *)malloc(len);
-  fclose(pFile);
+  rewind(fp);
  fread(buf, 1, len, fp);
  fclose(fp);
  *length = len;
-  return pBuf;
+  return buf;
 }
 char FPATH[200];
 QBDI_NOINLINE int fuzz_func() {
  if (afl_setup()) { afl_forkserver(); }
  unsigned long len = 0;
-  char *        data = read_file(FPATH, &len);
+  char *        data = read_file(input_pathname, &len);
-  printf("In fuzz_func\n");
+  // printf("In fuzz_func\n");
  p_target_func(data, len);
  return 1;
@ -172,8 +189,7 @@ int main(int argc, char **argv) {
  const char *lib_path;
  lib_path = argv[1];
-  // FPATH = argv[2];
+  strcpy(input_pathname, argv[2]);
  strcpy(FPATH, argv[2]);
  void *handle = dlopen(lib_path, RTLD_LAZY);
  if (handle == nullptr) {