commands.ref
AFL++: https://github.com/AFLplusplus/AFLplusplus
# Compile
Edit figlet's Makefile so that the C compiler, C++ compiler and linker (CC, CXX, LD) point at the AFL++ compiler wrappers instead of gcc/g++; that is what adds the coverage instrumentation afl-fuzz needs:
```
CC=$(AFL_BIN_PATH)/afl-cc
CXX=$(AFL_BIN_PATH)/afl-c++
LD=$(AFL_BIN_PATH)/afl-cc
CFLAGS = -g -O2 -Wall -Wno-unused-value
```
(`AFL_BIN_PATH` is the directory where AFL++ was built or installed. The wrappers are called `afl-cc` and `afl-c++`, not `afl-cc++`; `afl-cc` picks the best backend available on the machine, e.g. afl-clang-fast or afl-gcc-fast.)
Compile with `make`
Clean with `make clean`
---
ssh_kali_fcup
cd tpas-project
./AFLplusplus/afl-fuzz -M m1 -i figlet-in/ -o figlet-out/ -- figlet/figlet -d -
Quit: CTRL + C (the queue, crashes and stats of this instance stay in figlet-out/m1)
Resume: pass `-i -` instead of the input dir, so afl-fuzz continues from the existing output dir instead of starting a new campaign
screen -dmS afl-m1 -- ./AFLplusplus/afl-fuzz -M m1 -i - -o figlet-out/ -- figlet/figlet -d -
---
cd tpas-project
sudo -s
./AFLplusplus/afl-fuzz -S s1 -i figlet-in/ -o figlet-out/ -- figlet/figlet -d -
Quit: CTRL + C
Resume: `-i -` (same as for the main instance; the secondary continues from figlet-out/s1)
screen -dmS afl-s1 -- ./AFLplusplus/afl-fuzz -S s1 -i - -o figlet-out/ -- figlet/figlet -d -
---
Reattach a fuzzer's screen session (detach again with CTRL+A, D so the fuzzer keeps running):
screen -r afl-m1
screen -r afl-s1
screen -r afl-s2
screen -r afl-s3
screen -r afl-s4
screen -r afl-s5
---
Run all and wait for results (take 2: note that every instance here, m1 included, is started with -S, so this batch has no -M main instance)
screen -dmS afl-m1 ./AFLplusplus/afl-fuzz -S m1-take-2 -i figlet-in/ -o figlet-out/ -- figlet/figlet -d -
screen -dmS afl-s1 ./AFLplusplus/afl-fuzz -S s1-take-2 -i figlet-in/ -o figlet-out/ -- figlet/figlet -d -
screen -dmS afl-s2 ./AFLplusplus/afl-fuzz -S s2-take-2 -i figlet-in/ -o figlet-out/ -- figlet/figlet -d -
screen -dmS afl-s3 ./AFLplusplus/afl-fuzz -S s3-take-2 -i figlet-in/ -o figlet-out/ -- figlet/figlet -d -
screen -dmS afl-s4 ./AFLplusplus/afl-fuzz -S s4-take-2 -i figlet-in/ -o figlet-out/ -- figlet/figlet -d -
screen -dmS afl-s5 ./AFLplusplus/afl-fuzz -S s5-take-2 -i figlet-in/ -o figlet-out/ -- figlet/figlet -d -
---
Iteration #1:
Used a "basic" input (the string abc) with the following command:
./AFLplusplus/afl-fuzz -S m1 -i figlet-in/ -o figlet-out/ -- figlet/figlet -d -
The program ran for 20h non stop and made more than 1B figlet executions. Pretty cool, huh? Even cooler when we noticed that it wasn't assigning any generated string
to figlet's parameters at all: the fuzz input only ever reached stdin, while the command line stayed `-d -`. To fix this we had to include the `AFL_INIT_ARGV()` macro (from AFL++'s utils/argv_fuzzing/argv-fuzz-inl.h) in the instrumented figlet main function, so that argv is rebuilt from the fuzz input.
Iteration #2:
Used the "basic" input again (string abc), with the same command as iteration #1, but now with the AFL_INIT_ARGV macro added.
CPUs were starved so we only got around 12M figlet executions. However, we got over 30k crashes!! Let's use a crash input on figlet!!
`cat <crash_input> | ./figlet` -> Segmentation fault (crash), as expected.
but...
`cat <crash_input> | figlet` -> No crash, it prettifies the crash input (NOOOOO!!!).
Why didn't it crash on the original figlet binary? If it is not crashing, it must be something we introduced... But we only introduced the AFL_INIT_ARGV macro...
Upon further inspection, with some traces on the instrumented code, we noticed that inside the `getparams` function of figlet the following line was crashing the program:
`if ((myname = strrchr(Myargv[0],DIRSEP))!=NULL) {`
After printing `Myargv[0]` we noticed it was `(null)`, which crashes strrchr. AFL_INIT_ARGV splits the fuzz input on NUL bytes to build argv, so an input whose first byte is NUL gives argc == 0 and a NULL argv[0]; the stock binary never crashes because it only ever sees those bytes as stdin text, never as argv. To stop this, a check that exits when the first argument is null was added at the top of main:
```
if(argv[0] == NULL){
return -1;
}
```
(AFL++ ships an alternative for exactly this case, `AFL_INIT_SET0("figlet")`, which rebuilds argv from the input but pins argv[0] to a fixed name.)
We ran the crash input again and no crash this time! But also no figlet prettified output... Strange at first sight, but expected: with an empty argv the guarded binary returns before it ever reads a message.
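The NULL argv[0] case above, as an added example that is not figlet's or AFL++'s code: a minimal re-implementation of the NUL-separated argv split that AFL++'s `AFL_INIT_ARGV()` performs (reading from a caller-supplied buffer instead of fd 0, so the case is reproducible), the `AFL_INIT_SET0`-style variant that pins argv[0], and the argv[0] guard placed in front of a stand-in for figlet's `strrchr(Myargv[0], DIRSEP)` line. The function names, the size limits and the sample inputs are this example's own assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size limits are this example's own; AFL++ uses much larger ones. */
#define MAX_LEN 4096
#define MAX_PAR 64

static char  in_buf[MAX_LEN + 2];
static char *argv_out[MAX_PAR + 1];

/* Rebuild argv from a NUL-separated buffer, the way AFL++'s AFL_INIT_ARGV()
 * rebuilds it from whatever afl-fuzz writes to stdin: every NUL ends one
 * argument and the scan stops at the first empty argument. Consequently an
 * input whose first byte is NUL yields *argc == 0 and a NULL argv[0], which is
 * the state that made figlet's getparams() crash inside strrchr(). */
char **argv_from_buf(const unsigned char *buf, size_t len, int *argc) {
    int   rc = 0;
    char *p  = in_buf;

    if (len > MAX_LEN) len = MAX_LEN;
    memcpy(in_buf, buf, len);
    in_buf[len]     = '\0';
    in_buf[len + 1] = '\0';            /* double terminator ends the scan */
    memset(argv_out, 0, sizeof argv_out);

    while (*p && rc < MAX_PAR) {
        argv_out[rc++] = p;
        while (*p) p++;                /* to the NUL that ends this argument */
        p++;                           /* and past it */
    }
    *argc = rc;
    return argv_out;                   /* argv_out[rc] is NULL, as C requires */
}

/* Same split, but with the behaviour of AFL++'s AFL_INIT_SET0(name): argv[0]
 * is pinned to a fixed program name, so the target never sees a NULL argv[0]
 * and the fuzzer only controls argv[1..]. */
char **argv_from_buf_set0(const unsigned char *buf, size_t len, int *argc,
                          char *name) {
    char **av = argv_from_buf(buf, len, argc);
    av[0] = name;
    if (*argc == 0) *argc = 1;
    return av;
}

/* Stand-in for figlet's  myname = strrchr(Myargv[0], DIRSEP)  line with the
 * guard from iteration #2 in front of it: returns the program's basename, or
 * NULL instead of dereferencing a NULL argv[0]. */
const char *prog_basename(int argc, char **argv) {
    const char *slash;
    if (argc < 1 || argv[0] == NULL) return NULL;   /* the added argv[0] check */
    slash = strrchr(argv[0], '/');
    return slash ? slash + 1 : argv[0];
}

int main(void) {
    /* Constructed inputs: a normal command line, and one that starts with NUL
     * (the shape of the "crashes" found in iteration #2). */
    static const unsigned char ok[]  = "figlet/figlet\0-d\0-\0";
    static const unsigned char bad[] = "\0abc";
    int    n;
    char **av;

    av = argv_from_buf(ok, sizeof ok - 1, &n);
    printf("argc=%d basename=%s argv[1]=%s\n", n, prog_basename(n, av), av[1]);

    av = argv_from_buf(bad, sizeof bad - 1, &n);
    printf("argc=%d argv[0]=%p guard=%s\n", n, (void *)av[0],
           prog_basename(n, av) ? "not needed" : "returned NULL");

    av = argv_from_buf_set0(bad, sizeof bad - 1, &n, "figlet");
    printf("SET0: argc=%d basename=%s\n", n, prog_basename(n, av));
    return 0;
}
```

The guard only hides the NULL argv[0]; every "crash" of that shape is a harness artefact, so crashes found with `AFL_INIT_ARGV` should be replayed through the same argv split (or with `AFL_INIT_SET0`) before being counted as figlet bugs.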
Iteration #3:
First, let's reboot our machine so we can get some new fresh cores from le cloud :D
Todo
-d/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaVaaaaaaaaaaaaaaaaaa-om420/faaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaa@a aaaaaaaaaaaaaaaaaa?d ?r_edo?\)??-Rw?-F?hbOd /aqe/fDr_\`do?do?-owe/f 2 . Bre?ble.???t\`b?b?e?flf\`-w 20/f lut/b?ibl?. let/b?ibl?.\lf -wd%Ce/_edo?-om420/faaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaKaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaro/fi-fbubble
sig:11 - segfault
1 - Try fuzzing the original binary ("blind", no instrumentation) - Freitas
2 - Fuzzing with fonts
3 - Try with the original AFL - Rui
4 - Introduce newlines in the inputs
Static analysis of the splitlines function - Rui
In the report, compare black box vs white box according to the three cases:
blind fuzzing with the original binary
guided fuzzing, improving the inputs based on the outputs
human fuzzing, analysing the code and preparing inputs for the possible vulnerabilities found
---
AFL_INIT_ARGV IS NEEDED WHEN WE WANT AFL TO FEED THE GENERATED INPUT AS THE COMMAND LINE; IT REPLACES THE WHOLE ARGV, SO ANY OPTIONS PASSED ON THE afl-fuzz COMMAND LINE ARE DISCARDED
TO PASS FIXED OPTIONS (E.G. A FONT FILE) AFL_INIT_ARGV CANNOT BE USED; FUZZ A FILE ARGUMENT WITH @@ INSTEAD (afl-fuzz substitutes the path of the current test case for @@):
./AFLplusplus/afl-fuzz -M m1-fonts -i test/ -o figlet-out/ -- figlet/figlet -f @@
---
Write in the report that, before anything else, the tool has to be analysed for the protections added by the compiler. Note that the output below is for the distro's /usr/bin/figlet; our own instrumented figlet/figlet only has the same protections if the compiler defaults or CFLAGS enable them, so run checksec on both.
ctw00745-admin@instance-1:~/tpas-binary-exploitation$ pwn checksec /usr/bin/figlet
[*] '/usr/bin/figlet'
Arch: amd64-64-little
RELRO: Full RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
FORTIFY: Enabled
https://medium.com/@n80fr1n60/linux-binary-security-hardening-1434e89a2525
Explain what each security property means and what it implies in the context of figlet
---
Whitebox Analysis
Show the commands and scripts used to automate the initial search for vulnerable functions
Show the line of thought followed when analysing the code manually
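One way to automate that initial search, as an added example that is not the project's own script: a POSIX shell function that lists every call site of the classic memory-unsafe libc functions in a C source tree as file:line:function, so the manual review can start from the strcpy/sprintf/gets lines. The function list, the helper name and the sample file in the usage comment are this example's assumptions.

```sh
#!/bin/sh
# Added example (not the project's script): first-pass triage of a C source
# tree for calls to libc functions that are classic sources of memory-safety
# bugs. Usage:  find_risky_calls <dir-or-file>...    e.g.  find_risky_calls figlet/
# Output: file:line:function, one entry per call site, sorted by function name.
# The list below is an assumption; extend it with project-specific wrappers.

RISKY='gets|strcpy|strcat|sprintf|vsprintf|scanf|sscanf|fscanf|strncpy|strncat|memcpy|alloca|getwd'

find_risky_calls() {
    for fn in $(printf '%s' "$RISKY" | tr '|' ' '); do
        # Only match a real call: the name must not be preceded by an identifier
        # character (so my_strcpy() is skipped), must not be followed by one
        # (so strcpy_wrapper() is skipped) and must be followed by "(" (so a
        # comment that merely mentions strcpy is skipped). /dev/null is passed as
        # a second file so grep always prefixes the file name, even for one file.
        find "$@" -type f \( -name '*.c' -o -name '*.h' \) -exec \
            grep -En "(^|[^A-Za-z0-9_])$fn[[:space:]]*\(" {} /dev/null \; \
        | sed -E "s/^([^:]+:[0-9]+):.*/\1:$fn/"
    done | sort -t: -k3,3 -k1,1 -k2,2n
}

# Run directly:  sh find_risky_calls.sh figlet/
if [ "$#" -gt 0 ]; then
    find_risky_calls "$@"
fi
```

The grep is deliberately crude (no preprocessing, no macro expansion); it is a starting list for the manual pass, not a verdict, and a hit on strncpy or memcpy still has to be checked by hand for the length argument.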
-----
screen -dmS afl-m1 afl-fuzz -M m1-take-lol -i figlet-in/messages/ -o figlet-out/ -- figlet/figlet -f /usr/share/figlet/mini.flf -w 20
screen -dmS afl-s1 afl-fuzz -S s1-take-lol -i figlet-in/messages/ -o figlet-out/ -- figlet/figlet -f /usr/share/figlet/mini.flf -w 20
screen -dmS afl-s2 afl-fuzz -S s2-take-lol -i figlet-in/messages/ -o figlet-out/ -- figlet/figlet -f /usr/share/figlet/mini.flf -w 20
screen -dmS afl-s3 afl-fuzz -S s3-take-lol -i figlet-in/messages/ -o figlet-out/ -- figlet/figlet -f /usr/share/figlet/mini.flf -w 20
screen -dmS afl-s4 afl-fuzz -S s4-take-lol -i figlet-in/messages/ -o figlet-out/ -- figlet/figlet -f /usr/share/figlet/mini.flf -w 20
screen -dmS afl-s5 afl-fuzz -S s5-take-lol -i figlet-in/messages/ -o figlet-out/ -- figlet/figlet -f /usr/share/figlet/mini.flf -w 20
screen -dmS afl-s6 afl-fuzz -S s6-take-lol -i figlet-in/messages/ -o figlet-out/ -- figlet/figlet -f /usr/share/figlet/mini.flf -w 20
screen -dmS afl-s7 afl-fuzz -S s7-take-lol -i figlet-in/messages/ -o figlet-out/ -- figlet/figlet -f /usr/share/figlet/mini.flf -w 20
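The two batches of screen lines above (the take-2 batch and this take-lol batch) are the same command repeated with a different instance name each time. The following launcher, added here as an example and not part of the original notes, generates that set from one command: one -M main instance plus N -S secondaries, each in its own detached screen session. It assumes afl-fuzz is on PATH (override with AFL_FUZZ=/path/to/afl-fuzz) and that GNU screen is installed; the function and variable names are this example's own.

```sh
#!/bin/sh
# Added example, not part of the original notes: start one AFL++ main instance
# (-M) plus N secondaries (-S) in detached screen sessions from a single command.
# Usage:   start_campaign <tag> <n_secondaries> <in_dir> <out_dir> -- <target> [args...]
#          start_campaign take-3 5 figlet-in/messages/ figlet-out/ -- figlet/figlet -f /usr/share/figlet/mini.flf -w 20
# Resume:  give '-' as <in_dir>, exactly like afl-fuzz's own  -i -
# Dry run: DRY_RUN=1 prints the screen commands instead of executing them.
# Status:  afl-whatsup figlet-out/   (summarises every instance in the sync dir)

AFL_FUZZ="${AFL_FUZZ:-afl-fuzz}"

# launch <screen-session> <cmd> [args...]
launch() {
    session=$1; shift
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'screen -dmS %s' "$session"
        printf ' %s' "$@"
        printf '\n'
    else
        # Hand the argv through unchanged (no sh -c), so arguments with spaces survive.
        screen -dmS "$session" "$@"
    fi
}

start_campaign() {
    tag=$1; n=$2; indir=$3; outdir=$4; shift 4
    if [ "$1" = "--" ]; then shift; fi

    # Exactly one main instance per sync dir. Its session is afl-m1 and the
    # secondaries are afl-s1..afl-sN, so `screen -r afl-m1` works as above.
    launch afl-m1 "$AFL_FUZZ" -M "m1-$tag" -i "$indir" -o "$outdir" -- "$@"

    i=1
    while [ "$i" -le "$n" ]; do
        launch "afl-s$i" "$AFL_FUZZ" -S "s$i-$tag" -i "$indir" -o "$outdir" -- "$@"
        i=$((i + 1))
    done
}

# Run directly:  sh start_campaign.sh take-3 5 figlet-in/ figlet-out/ -- figlet/figlet -d -
if [ "$#" -ge 4 ]; then
    start_campaign "$@"
fi
```

Keep N below the number of cores (nproc), since each instance pins a full core and over-subscription was what starved iteration #2; and keep the -M instance, which the take-2 batch above was missing.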