Merge pull request #1044 from WorksButNotTested/osx-lib

Osx lib

frida_mode/README.md

@@ -300,6 +300,18 @@ to validate memory accesses against the shadow memory.
 FRIDA mode has also introduced some improvements to reduce collisions in the map.
 See [here](MapDensity.md) for details.
 
+# OSX Library Fuzzing
+An example of how to fuzz a dynamic library on OSX is included [here](test/osx-lib).
+This requires the use of a simple test harness executable which will load the
+library and call a target function within it. The dependent library can either
+be loaded in using `dlopen` and `dlsym` in a function marked
+`__attribute__((constructor()))` or the test harness can simply be linked
+against it. It is important that the target library is loaded before execution
+of `main`, since this is the point that FRIDA mode is initialized. Otherwise, it
+will not be possible to configure coverage for the test library using
+`AFL_FRIDA_INST_RANGES` or similar.
+
+
 ## TODO
 
 The next features to be added are Aarch32 support as well as looking at

frida_mode/test/osx-lib/GNUmakefile

@@ -0,0 +1,109 @@
+PWD:=$(shell pwd)/
+ROOT:=$(PWD)../../../
+BUILD_DIR:=$(PWD)build/
+TESTINSTR_DATA_DIR:=$(BUILD_DIR)in/
+TESTINSTR_DATA_FILE:=$(TESTINSTR_DATA_DIR)in
+AFLPP_DRIVER_DUMMY_INPUT:=$(BUILD_DIR)dummy.dat
+
+HARNESS_BIN:=$(BUILD_DIR)harness
+HARNESS_SRC:=$(PWD)harness.c
+
+HARNESS2_BIN:=$(BUILD_DIR)harness2
+HARNESS2_SRC:=$(PWD)harness2.c
+
+LIB_BIN:=$(BUILD_DIR)libcrashme.dylib
+LIB_SRC:=$(PWD)lib.c
+
+QEMU_OUT:=$(BUILD_DIR)qemu-out
+FRIDA_OUT:=$(BUILD_DIR)frida-out
+
+HARNESS_LDFLAGS:=-Wl,-no_pie
+LIB_CFLAGS:=-dynamiclib
+
+GET_SYMBOL_ADDR:=$(ROOT)frida_mode/util/get_symbol_addr.sh
+AFL_FRIDA_MAIN_ADDR=$(shell $(GET_SYMBOL_ADDR) $(HARNESS_BIN) main 0x0)
+AFL_FRIDA_FUZZ_ADDR=$(shell $(GET_SYMBOL_ADDR) $(HARNESS_BIN) LLVMFuzzerTestOneInput 0x0)
+AFL_FRIDA_FUZZ_ADDR2=$(shell $(GET_SYMBOL_ADDR) $(HARNESS2_BIN) LLVMFuzzerTestOneInput 0x0)
+
+AFLPP_FRIDA_DRIVER_HOOK_OBJ=$(ROOT)frida_mode/build/frida_hook.so
+
+TEST_FILE:=$(BUILD_DIR)test.dat
+
+.PHONY: all clean qemu frida
+
+all: $(HARNESS_BIN) $(LIB_BIN)
+	make -C $(ROOT)frida_mode/
+
+$(BUILD_DIR):
+	mkdir -p $@
+
+$(TESTINSTR_DATA_DIR): | $(BUILD_DIR)
+	mkdir -p $@
+
+$(TESTINSTR_DATA_FILE): | $(TESTINSTR_DATA_DIR)
+	echo -n "$$FA$$" > $@
+
+$(AFLPP_DRIVER_DUMMY_INPUT): | $(BUILD_DIR)
+	truncate -s 1M $@
+
+$(HARNESS_BIN): $(HARNESS_SRC) | $(BUILD_DIR)
+	$(CC) $(CFLAGS) $(LDFLAGS) $(HARNESS_LDFLAGS) -o $@ $<
+
+$(LIB_BIN): $(LIB_SRC) | $(BUILD_DIR)
+	$(CC) $(CFLAGS) $(LDFLAGS) $(LIB_CFLAGS) -o $@ $<
+
+$(HARNESS2_BIN): $(HARNESS2_SRC) $(LIB_BIN) | $(BUILD_DIR)
+	$(CC) $(CFLAGS) $(LDFLAGS) $(HARNESS_LDFLAGS) -L$(BUILD_DIR) -lcrashme -o $@ $<
+
+clean:
+	rm -rf $(BUILD_DIR)
+
+.ONESHELL:
+frida_persistent: $(HARNESS_BIN) $(LIB_BIN) $(TESTINSTR_DATA_FILE)
+	cd $(BUILD_DIR) && \
+	AFL_INST_LIBS=1 \
+	AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_MAIN_ADDR) \
+	AFL_FRIDA_PERSISTENT_CNT=1000000 \
+	AFL_ENTRYPOINT=$(AFL_FRIDA_MAIN_ADDR) \
+	$(ROOT)afl-fuzz \
+		-D \
+		-O \
+		-i $(TESTINSTR_DATA_DIR) \
+		-o $(FRIDA_OUT) \
+		-f $(TEST_FILE) \
+		-- \
+			$(HARNESS_BIN) $(TEST_FILE)
+
+.ONESHELL:
+frida_persistent_hook: $(HARNESS_BIN) $(LIB_BIN) $(AFLPP_DRIVER_DUMMY_INPUT) $(TESTINSTR_DATA_FILE)
+	cd $(BUILD_DIR) && \
+	AFL_INST_LIBS=1 \
+	AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_FUZZ_ADDR) \
+	AFL_FRIDA_PERSISTENT_CNT=1000000 \
+	AFL_ENTRYPOINT=$(AFL_FRIDA_FUZZ_ADDR) \
+	AFL_FRIDA_PERSISTENT_HOOK=$(AFLPP_FRIDA_DRIVER_HOOK_OBJ) \
+	AFL_FRIDA_INST_RANGES=libcrashme.dylib,harness \
+	$(ROOT)afl-fuzz \
+		-D \
+		-O \
+		-i $(TESTINSTR_DATA_DIR) \
+		-o $(FRIDA_OUT) \
+		-- \
+			$(HARNESS_BIN) $(AFLPP_DRIVER_DUMMY_INPUT)
+
+.ONESHELL:
+frida_persistent_hook2: $(HARNESS2_BIN) $(LIB_BIN) $(AFLPP_DRIVER_DUMMY_INPUT) $(TESTINSTR_DATA_FILE)
+	cd $(BUILD_DIR) && \
+	AFL_INST_LIBS=1 \
+	AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_FUZZ_ADDR2) \
+	AFL_FRIDA_PERSISTENT_CNT=1000000 \
+	AFL_ENTRYPOINT=$(AFL_FRIDA_FUZZ_ADDR2) \
+	AFL_FRIDA_PERSISTENT_HOOK=$(AFLPP_FRIDA_DRIVER_HOOK_OBJ) \
+	AFL_FRIDA_INST_RANGES=libcrashme.dylib,harness2 \
+	$(ROOT)afl-fuzz \
+		-D \
+		-O \
+		-i $(TESTINSTR_DATA_DIR) \
+		-o $(FRIDA_OUT) \
+		-- \
+			$(HARNESS2_BIN) $(AFLPP_DRIVER_DUMMY_INPUT)

frida_mode/test/osx-lib/Makefile

@@ -0,0 +1,12 @@
+all:
+	@echo trying to use GNU make...
+	@gmake all || echo please install GNUmake
+
+clean:
+	@gmake clean
+
+frida_persistent:
+    @gmake frida_persistent
+
+frida_persistent_hook:
+    @gmake frida_persistent_hook

frida_mode/test/osx-lib/harness.c

@@ -0,0 +1,69 @@
+#include <string.h>
+#include <assert.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <dlfcn.h>
+
+
+//typedef for our exported target function.
+typedef void (*CRASHME)(const uint8_t *Data, size_t Size);
+
+//globals
+CRASHME fpn_crashme = NULL;
+
+
+int LLVMFuzzerTestOneInput(const unsigned char* data, size_t size){
+    fpn_crashme(data, size);
+    return 0;
+}
+
+int main(int argc, const char * argv[])
+{
+
+    for (int i = 1; i < argc; i++) {
+        fprintf(stderr, "Running: %s\n", argv[i]);
+        FILE *f = fopen(argv[i], "r");
+        assert(f);
+        fseek(f, 0, SEEK_END);
+        size_t len = ftell(f);
+        fseek(f, 0, SEEK_SET);
+        unsigned char *buf = (unsigned char*)malloc(len);
+        size_t n_read = fread(buf, 1, len, f);
+        fclose(f);
+        assert(n_read == len);
+        LLVMFuzzerTestOneInput(buf, len);
+        free(buf);
+        fprintf(stderr, "Done:    %s: (%zd bytes)\n", argv[i], n_read);
+    }
+
+    return 0;
+}
+
+__attribute__((constructor()))
+void constructor(void) {
+    // handles to required libs
+    void *dylib = NULL;
+
+    dylib = dlopen("./libcrashme.dylib", RTLD_NOW);
+    if (dylib == NULL)
+    {
+
+        printf("[-] Failed to load lib\n");
+        printf("[-] Dlerror: %s\n", dlerror());
+        exit(1);
+
+    }
+
+    printf("[+] Resolve function\n");
+
+    fpn_crashme = (CRASHME)dlsym(dylib, "crashme");
+    if (!fpn_crashme)
+    {
+
+        printf("[-] Failed to find function\n");
+        exit(1);
+
+    }
+
+    printf("[+] Found function.\n");
+}

frida_mode/test/osx-lib/harness2.c

@@ -0,0 +1,40 @@
+#include <string.h>
+#include <assert.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <dlfcn.h>
+
+
+extern void crashme(const uint8_t *Data, size_t Size);
+
+int LLVMFuzzerTestOneInput(const unsigned char* data, size_t size){
+    crashme(data, size);
+    return 0;
+}
+
+void run (int argc, const char * argv[])
+{
+    for (int i = 1; i < argc; i++) {
+        fprintf(stderr, "Running: %s\n", argv[i]);
+        FILE *f = fopen(argv[i], "r");
+        assert(f);
+        fseek(f, 0, SEEK_END);
+        size_t len = ftell(f);
+        fseek(f, 0, SEEK_SET);
+        unsigned char *buf = (unsigned char*)malloc(len);
+        size_t n_read = fread(buf, 1, len, f);
+        fclose(f);
+        assert(n_read == len);
+        LLVMFuzzerTestOneInput(buf, len);
+        free(buf);
+        fprintf(stderr, "Done:    %s: (%zd bytes)\n", argv[i], n_read);
+    }
+}
+
+int main(int argc, const char * argv[])
+{
+
+    run(argc, argv);
+
+    return 0;
+}

frida_mode/test/osx-lib/lib.c

@@ -0,0 +1,17 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+
+
+void __attribute__((noinline)) crashme(const uint8_t *Data, size_t Size) {
+
+  if (Size < 5) return;
+
+  if (Data[0] == 'F')
+    if (Data[1] == 'A')
+      if (Data[2] == '$')
+        if (Data[3] == '$')
+          if (Data[4] == '$') abort();
+
+
+}