unable to find method 'prepare' #23

Open
analyst-cooper opened this issue Mar 28, 2023 · 4 comments

Comments

@analyst-cooper

I tried all the examples in the example folder as-is to practice using fpicker, but they do not work and produce the following error.

root@u20:/data/research/fpicker# AFL_DEBUG=1 afl-fuzz -i ./examples/protocol_example/in -o ./examples/protocol_example/out/ -- ./fpicker --fuzzer-mode afl -e attach -p protocol_example -f ./examples/protocol_example/harness.js 
[+] Enabled environment variable AFL_DEBUG with value 1
[+] Enabled environment variable AFL_DEBUG with value 1
afl-fuzz++4.05a based on afl by Michal Zalewski and a large online community
[+] afl++ is maintained by Marc "van Hauser" Heuse, Heiko "hexcoder" Eißfeldt, Andrea Fioraldi and Dominik Maier
[+] afl++ is open source, get it at https://github.com/AFLplusplus/AFLplusplus
[+] NOTE: This is v3.x which changes defaults and behaviours - see README.md
[+] No -M/-S set, autoconfiguring for "-S default"
[*] Getting to work...
[+] Using exponential power schedule (FAST)
[+] Enabled testcache with 50 MB
[+] Generating fuzz data with a length of min=1 max=1048576
[*] Checking core_pattern...
[!] WARNING: Could not check CPU scaling governor
[+] You have 2 CPU cores and 4 runnable tasks (utilization: 200%).
[!] WARNING: System under apparent load, performance may be spotty.
[*] Setting up output directories...
[+] Output directory exists but deemed OK to reuse.
[*] Deleting old session data...
[+] Output dir cleanup successful.
[*] Checking CPU core loadout...
[+] Found a free CPU core, try binding to #0.
[*] Scanning './examples/protocol_example/in'...
[+] Loaded a total of 1 seeds.
[*] Creating hard links for all input files...
[*] Validating target binary...
[*] Spinning up the fork server...

[-] PROGRAM ABORT : Timeout while initializing fork server (setting AFL_FORKSRV_INIT_TMOUT may help)
         Location : afl_fsrv_start(), src/afl-forkserver.c:1036

The AFL_DEBUG and ulimit options did not help with debugging, and the syslog is as follows.

Mar 28 14:22:09 u20 fpicker:        __       _      _                     #012      / _|     (_)    | |                    #012     | |_ _ __  _  ___| | _____ _ __         #012     |  _| '_ \| |/ __| |/ / _ \ '__|      #012     | | | |_) | | (__|   <  __/ |           #012     |_| | .__/|_|\___|_|\_\___|_|        #012         | |                                 #012         |_|        Frida-Based Fuzzing Suite#012- - - - - - - - - - - - - - - - - - - - - - -#012
Mar 28 14:22:09 u20 fpicker: Running fpicker using the following configuration:
Mar 28 14:22:09 u20 fpicker: - fuzzer-mode: #011#011#011FUZZER_MODE_AFL
Mar 28 14:22:09 u20 fpicker: - coverage_mode: #011#011COVERAGE_MODE_STALKER_SUMMARY
Mar 28 14:22:09 u20 fpicker: - standalone_mutator: #011#011STANDALONE_MUTATOR_NULL
Mar 28 14:22:09 u20 fpicker: - communication_mode: #011#011COMMUNICATION_MODE_SEND
Mar 28 14:22:09 u20 fpicker: - input_mode: #011#011#011INPUT_MODE_IN_PROCESS
Mar 28 14:22:09 u20 fpicker: - exec_mode: #011#011#011EXEC_MODE_ATTACH
Mar 28 14:22:09 u20 fpicker: - device_type: #011#011#011DEVICE_LOCAL
Mar 28 14:22:09 u20 fpicker: - process_name: #011#011protocol_example
Mar 28 14:22:09 u20 fpicker: - command: #011#011#011(null)
Mar 28 14:22:09 u20 fpicker: - fuzzer_timeout: #011#011500
Mar 28 14:22:09 u20 fpicker: - fuzzer_sleep: #011#011100
Mar 28 14:22:09 u20 fpicker: - verbose: #011#011#011false
Mar 28 14:22:09 u20 fpicker: - agent_script: #011#011./examples/protocol_example/harness.js
Mar 28 14:22:09 u20 fpicker: - corpus_dir: #011#011#011(null)
Mar 28 14:22:09 u20 fpicker: - out_dir: #011#011#011(null)
Mar 28 14:22:09 u20 fpicker: - metrics: disabled
Mar 28 14:22:09 u20 fpicker: 
Mar 28 14:22:09 u20 fpicker: [*] SHM_ENV_VAR = 32823
Mar 28 14:22:09 u20 fpicker: [*] Found 2 Frida devices.
Mar 28 14:22:09 u20 fpicker: [*] Found desired Frida device: Local System(0)
Mar 28 14:22:09 u20 fpicker: [*] Trying to attach to process with name protocol_example.
Mar 28 14:22:09 u20 fpicker: [*] Found process protocol_example with PID 3987034
Mar 28 14:22:09 u20 fpicker: [*] Attached to process protocol_example on frida device Local System
Mar 28 14:22:09 u20 fpicker: [*] Agent script created
Mar 28 14:22:09 u20 fpicker: [->] error: {"type":"error","description":"TypeError: parent class must be constructor","stack":"TypeError: parent class must be constructor\n    at <anonymous> (test-fuzzer.js:5)","fileName":"test-fuzzer.js","lineNumber":5,"columnNumber":1}
Mar 28 14:22:09 u20 fpicker: [*] Agent script loaded
Mar 28 14:22:10 u20 fpicker: [*] Slept a bit to give the agent script some time.
Mar 28 14:22:10 u20 fpicker: [->] error_send_message: {"type":"send","payload":["frida:rpc",0,"error","unable to find method 'prepare'"]}

The test environment is as follows:

host info

root@u20:/data/research/fpicker# cat /etc/issue
Ubuntu 20.04.3 LTS \n \l

frida-core-devkit version

root@u20:/data/research/fpicker# ls -al frida-core-devkit*
-rw-r--r-- 1 root root 220743680  2월 11 21:09 frida-core-devkit-16.0.9-linux-x86_64.tar

frida-compile version

root@u20:/data/research/fpicker# npm list frida-compile
[email protected] /data/research/fpicker
└── [email protected]

Do I need to add or modify the prepare statement in the provided fuzzer.js file?

@jiska2342
Collaborator

Sorry, my bad, I think in my last changes I forgot to rename Fuzzer.Fuzzer to Fuzzer in the examples. Will fix it in a moment.

Other than this, I've recently been using this for a training and it worked flawlessly :)

Please don't modify the main fuzzer.js file but create a new example in the examples folder. Also, fpicker is somewhat sensitive to which folder you run the frida-compile command in, so you should strictly follow the instructions.

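The failure chain from the first report, as an added example that is not code from fpicker or Frida: a stand-in `Fuzzer` base class plus simulated `loadScript`/`callExport` helpers (both assumptions) show why a harness that extends `Fuzzer.Fuzzer` instead of `Fuzzer` throws while the script is evaluated, never populates `rpc.exports`, and so makes the later RPC call fail with the same "unable to find method 'prepare'" reply seen in the syslog.

```javascript
// Added example, not fpicker's or Frida's code. Models the agent-script
// load and RPC dispatch just closely enough to show the two-stage failure.

// Stand-in for the base class exported by fpicker's fuzzer.js (assumed shape).
class Fuzzer {
  constructor(name) { this.name = name; }
  prepare() { return `prepared ${this.name}`; }
}

// Stand-in for Frida loading an agent script: the script body runs once, an
// exception thrown during evaluation is reported as a {type:"error"} message,
// and nothing after the throw runs, so rpc.exports stays empty.
function loadScript(scriptBody) {
  const rpc = { exports: {} };
  const messages = [];
  try {
    scriptBody(rpc);
  } catch (e) {
    messages.push({ type: "error", description: `${e.name}: ${e.message}` });
  }
  return { rpc, messages };
}

// Stand-in for the host-side RPC call fpicker makes after the script loaded.
// A call to a missing export is answered with the "unable to find method"
// error that appears in the issue's syslog.
function callExport(rpc, method, ...args) {
  const fn = rpc.exports[method];
  if (typeof fn !== "function") {
    return ["frida:rpc", 0, "error", `unable to find method '${method}'`];
  }
  return ["frida:rpc", 0, "ok", fn.apply(rpc.exports, args)];
}

// Broken harness: the import binding is already the class, so Fuzzer.Fuzzer
// is undefined and `extends undefined` throws a TypeError while the class
// declaration is evaluated (QuickJS words it "parent class must be
// constructor"; V8's wording differs). The rpc.exports line is never reached.
function brokenHarness(rpc) {
  class TestFuzzer extends Fuzzer.Fuzzer {}
  const f = new TestFuzzer("protocol_example");
  rpc.exports = { prepare: () => f.prepare() };
}

// Fixed harness, matching the Fuzzer.Fuzzer -> Fuzzer rename from the reply.
function fixedHarness(rpc) {
  class TestFuzzer extends Fuzzer {}
  const f = new TestFuzzer("protocol_example");
  rpc.exports = { prepare: () => f.prepare() };
}

// Load a harness and then issue the "prepare" RPC, as fpicker does.
function runHarness(harness) {
  const { rpc, messages } = loadScript(harness);
  return { messages, reply: callExport(rpc, "prepare") };
}

function runBroken() { return runHarness(brokenHarness); }
function runFixed() { return runHarness(fixedHarness); }

console.log("broken:", JSON.stringify(runBroken()));
console.log("fixed: ", JSON.stringify(runFixed()));
```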
@jiska2342
Collaborator

Fixed in my latest commit, please let me know if the examples work for you now.

0307db4

@analyst-cooper
Author

analyst-cooper commented Mar 29, 2023

Here are the steps I attempted:

  1. git pull
  2. Copied files under the harness folder to example/protocol_example and example/test-network respectively
  3. Modified import statements in test-network-fuzzer.js and test-fuzzer.js
import { Fuzzer } from "./fuzzer.js";
  4. Recompiled the harness using frida-compile in each directory
cd test-network
npx frida-compile test-fuzzer.js -o haraness.js
cd protocol_example
npx frida-compile test-network-fuzzer.js -o harness.js
  • /examples/test-network
$ AFL_DEBUG=1 afl-fuzz -i ./in -o ./out -- ../../fpicker --fuzzer-mode afl -e attach -p test-network -f ./harness.js
[+] Enabled environment variable AFL_DEBUG with value 1
[+] Enabled environment variable AFL_DEBUG with value 1
afl-fuzz++4.05a based on afl by Michal Zalewski and a large online community
[+] afl++ is maintained by Marc "van Hauser" Heuse, Heiko "hexcoder" Eißfeldt, Andrea Fioraldi and Dominik Maier
[+] afl++ is open source, get it at https://github.com/AFLplusplus/AFLplusplus
[+] NOTE: This is v3.x which changes defaults and behaviours - see README.md
[+] No -M/-S set, autoconfiguring for "-S default"
[*] Getting to work...
[+] Using exponential power schedule (FAST)
[+] Enabled testcache with 50 MB
[+] Generating fuzz data with a length of min=1 max=1048576
[*] Checking core_pattern...
[!] WARNING: Could not check CPU scaling governor
[+] You have 2 CPU cores and 3 runnable tasks (utilization: 150%).
[*] Setting up output directories...
[+] Output directory exists but deemed OK to reuse.
[*] Deleting old session data...
[+] Output dir cleanup successful.
[*] Checking CPU core loadout...
[+] Found a free CPU core, try binding to #0.
[*] Scanning './in'...
[+] Loaded a total of 2 seeds.
[*] Creating hard links for all input files...
[*] Validating target binary...
[*] Spinning up the fork server...
[+] All right - fork server is up.
[*] Extended forkserver functions received (00000000).
[*] No auto-generated dictionary tokens to reuse.
[*] Attempting dry run with 'id:000000,time:0,execs:0,orig:1'...
[D] DEBUG: calibration stage 1/7

[-] Oops, the program crashed with one of the test cases provided. There are
    several possible explanations:

    - The test case causes known crashes under normal working conditions. If
      so, please remove it. The fuzzer should be seeded with interesting
      inputs - but not ones that cause an outright crash.

    - In QEMU persistent mode the selected address(es) for the loop are not
      properly cleaning up variables and memory. Try adding
      AFL_QEMU_PERSISTENT_GPR=1 or select better addresses in the binary.

    - Least likely, there is a horrible bug in the fuzzer. If other options
      fail, poke <[email protected]> for troubleshooting tips.
[!] WARNING: Test case 'id:000000,time:0,execs:0,orig:1' results in a crash, skipping
[*] Attempting dry run with 'id:000001,time:0,execs:0,orig:0'...
[D] DEBUG: calibration stage 1/7

[-] PROGRAM ABORT : No instrumentation detected
         Location : perform_dry_run(), src/afl-fuzz-init.c:1107
Mar 29 12:40:29 u20 fpicker:        __       _      _                     #012      / _|     (_)    | |                    #012     | |_ _ __  _  ___| | _____ _ __         #012     |  _| '_ \| |/ __| |/ / _ \ '__|      #012     | | | |_) | | (__|   <  __/ |           #012     |_| | .__/|_|\___|_|\_\___|_|        #012         | |                                 #012         |_|        Frida-Based Fuzzing Suite#012- - - - - - - - - - - - - - - - - - - - - - -#012
Mar 29 12:40:29 u20 fpicker: Running fpicker using the following configuration:
Mar 29 12:40:29 u20 fpicker: - fuzzer-mode: #011#011#011FUZZER_MODE_AFL
Mar 29 12:40:29 u20 fpicker: - coverage_mode: #011#011COVERAGE_MODE_STALKER_SUMMARY
Mar 29 12:40:29 u20 fpicker: - standalone_mutator: #011#011STANDALONE_MUTATOR_NULL
Mar 29 12:40:29 u20 fpicker: - communication_mode: #011#011COMMUNICATION_MODE_SEND
Mar 29 12:40:29 u20 fpicker: - input_mode: #011#011#011INPUT_MODE_IN_PROCESS
Mar 29 12:40:29 u20 fpicker: - exec_mode: #011#011#011EXEC_MODE_ATTACH
Mar 29 12:40:29 u20 fpicker: - device_type: #011#011#011DEVICE_LOCAL
Mar 29 12:40:29 u20 fpicker: - process_name: #011#011test-network
Mar 29 12:40:29 u20 fpicker: - command: #011#011#011(null)
Mar 29 12:40:29 u20 fpicker: - fuzzer_timeout: #011#011500
Mar 29 12:40:29 u20 fpicker: - fuzzer_sleep: #011#011100
Mar 29 12:40:29 u20 fpicker: - verbose: #011#011#011false
Mar 29 12:40:29 u20 fpicker: - agent_script: #011#011./harness.js
Mar 29 12:40:29 u20 fpicker: - corpus_dir: #011#011#011(null)
Mar 29 12:40:29 u20 fpicker: - out_dir: #011#011#011(null)
Mar 29 12:40:29 u20 fpicker: - metrics: disabled
Mar 29 12:40:29 u20 fpicker: 
Mar 29 12:40:29 u20 fpicker: [*] SHM_ENV_VAR = 65547
Mar 29 12:40:29 u20 fpicker: [*] Found 2 Frida devices.
Mar 29 12:40:29 u20 fpicker: [*] Found desired Frida device: Local System(0)
Mar 29 12:40:29 u20 fpicker: [*] Trying to attach to process with name test-network.
Mar 29 12:40:29 u20 fpicker: [*] Found process test-network with PID 967755
Mar 29 12:40:30 u20 fpicker: [*] Attached to process test-network on frida device Local System
Mar 29 12:40:30 u20 fpicker: [*] Agent script created
Mar 29 12:40:30 u20 fpicker: [*] Agent script loaded
Mar 29 12:40:31 u20 fpicker: [*] Slept a bit to give the agent script some time.
Mar 29 12:40:31 u20 fpicker: [*] MODULE=/data/research/fpicker/examples/test-network/test-network, start=0x5574e3183000, end=0x5574e3188000
Mar 29 12:40:31 u20 fpicker: [*] Harness preparation done
Mar 29 12:40:31 u20 fpicker: [*] Everything ready, starting to fuzz!
Mar 29 12:40:31 u20 fpicker: [->] error_send_message: {"type":"send","payload":["frida:rpc",1,"error","illegal instruction","Error","Error: illegal instruction\n    at fuzz (test-network-fuzzer.js:46)\n    at fuzzInternal (fuzzer.js:280)\n    at fuzz (fuzzer.js:110)\n    at apply (native)\n    at <anonymous> (frida/runtime/message-dispatcher.js:13)\n    at c (frida/runtime/message-dispatcher.js:23)",{"message":"illegal instruction","type":"illegal-instruction","address":"0x7fd4d560b03b","context":{"pc":"0x7fd4d560b03b","sp":"0x7fd4d5ff8800","rax":"0x7fd4d5ff8be0","rcx":"0x2","rdx":"0x3","rbx":"0x7fd4d5ff8b00","rsp":"0x7fd4d5ff8800","rbp":"0x7fd4dc0c0b20","rsi":"0x3","rdi":"0x7fd4dc0eab10","r8":"0x0","r9":"0x0","r10":"0x7ffcda95e090","r11":"0x864fc12","r12":"0x7fd4dc082630","r13":"0x7fd4dc0010c8","r14":"0x7fd4d5ff8c18","r15":"0x0","rip":"0x7fd4d560b03b"},"nativeContext":"0x0","fileName":"test-network-fuzzer.js","lineNumber":46}]}
Mar 29 12:40:31 u20 fpicker: [!] fuzz_iteration_in_process_send exec_finished timeout
  • /example/protocol_example
$ afl-fuzz -i ./in -o ./out -- ../../fpicker --fuzzer-mode afl --communication-mode shm -e attach -p protocol_example -f ./harness.js
afl-fuzz++4.05a based on afl by Michal Zalewski and a large online community
[+] afl++ is maintained by Marc "van Hauser" Heuse, Heiko "hexcoder" Eißfeldt, Andrea Fioraldi and Dominik Maier
[+] afl++ is open source, get it at https://github.com/AFLplusplus/AFLplusplus
[+] NOTE: This is v3.x which changes defaults and behaviours - see README.md
[+] No -M/-S set, autoconfiguring for "-S default"
[*] Getting to work...
[+] Using exponential power schedule (FAST)
[+] Enabled testcache with 50 MB
[+] Generating fuzz data with a length of min=1 max=1048576
[*] Checking core_pattern...
[!] WARNING: Could not check CPU scaling governor
[+] You have 2 CPU cores and 4 runnable tasks (utilization: 200%).
[!] WARNING: System under apparent load, performance may be spotty.
[*] Setting up output directories...
[+] Output directory exists but deemed OK to reuse.
[*] Deleting old session data...
[+] Output dir cleanup successful.
[*] Checking CPU core loadout...
[+] Found a free CPU core, try binding to #0.
[*] Scanning './in'...
[+] Loaded a total of 1 seeds.
[*] Creating hard links for all input files...
[*] Validating target binary...
[*] Spinning up the fork server...

[-] PROGRAM ABORT : Timeout while initializing fork server (setting AFL_FORKSRV_INIT_TMOUT may help)
         Location : afl_fsrv_start(), src/afl-forkserver.c:1036
Mar 29 12:50:01 u20 CRON[981948]: (root) CMD (/etc/plura/plura.sh watchdog)
Mar 29 12:50:02 u20 kernel: [426659.099816] Unsafe core_pattern used with fs.suid_dumpable=2.
Mar 29 12:50:02 u20 kernel: [426659.099816] Pipe handler or fully qualified core dump path required.
Mar 29 12:50:02 u20 kernel: [426659.099816] Set kernel.core_pattern before fs.suid_dumpable.
Mar 29 12:50:02 u20 fpicker:        __       _      _                     #012      / _|     (_)    | |                    #012     | |_ _ __  _  ___| | _____ _ __         #012     |  _| '_ \| |/ __| |/ / _ \ '__|      #012     | | | |_) | | (__|   <  __/ |           #012     |_| | .__/|_|\___|_|\_\___|_|        #012         | |                                 #012         |_|        Frida-Based Fuzzing Suite#012- - - - - - - - - - - - - - - - - - - - - - -#012
Mar 29 12:50:02 u20 fpicker: Running fpicker using the following configuration:
Mar 29 12:50:02 u20 fpicker: - fuzzer-mode: #011#011#011FUZZER_MODE_AFL
Mar 29 12:50:02 u20 fpicker: - coverage_mode: #011#011COVERAGE_MODE_STALKER_SUMMARY
Mar 29 12:50:02 u20 fpicker: - standalone_mutator: #011#011STANDALONE_MUTATOR_NULL
Mar 29 12:50:02 u20 fpicker: - communication_mode: #011#011COMMUNICATION_MODE_SHM
Mar 29 12:50:02 u20 fpicker: - input_mode: #011#011#011INPUT_MODE_IN_PROCESS
Mar 29 12:50:02 u20 fpicker: - exec_mode: #011#011#011EXEC_MODE_ATTACH
Mar 29 12:50:02 u20 fpicker: - device_type: #011#011#011DEVICE_LOCAL
Mar 29 12:50:02 u20 fpicker: - process_name: #011#011protocol_example
Mar 29 12:50:02 u20 fpicker: - command: #011#011#011(null)
Mar 29 12:50:02 u20 fpicker: - fuzzer_timeout: #011#011500
Mar 29 12:50:02 u20 fpicker: - fuzzer_sleep: #011#011100
Mar 29 12:50:02 u20 fpicker: - verbose: #011#011#011false
Mar 29 12:50:02 u20 fpicker: - agent_script: #011#011./harness.js
Mar 29 12:50:02 u20 fpicker: - corpus_dir: #011#011#011(null)
Mar 29 12:50:02 u20 fpicker: - out_dir: #011#011#011(null)
Mar 29 12:50:02 u20 fpicker: - metrics: disabled
Mar 29 12:50:02 u20 fpicker: 
Mar 29 12:50:02 u20 fpicker: [*] SHM_ENV_VAR = 65549
Mar 29 12:50:02 u20 fpicker: [*] Created commap = 65550
Mar 29 12:50:02 u20 fpicker: [*] Found 2 Frida devices.
Mar 29 12:50:02 u20 fpicker: [*] Found desired Frida device: Local System(0)
Mar 29 12:50:02 u20 fpicker: [*] Trying to attach to process with name protocol_example.
Mar 29 12:50:02 u20 fpicker: [*] Found process protocol_example with PID 981106
Mar 29 12:50:02 u20 fpicker: [*] Attached to process protocol_example on frida device Local System
Mar 29 12:50:02 u20 fpicker: [*] Agent script created
Mar 29 12:50:02 u20 fpicker: [->] error: {"type":"error","description":"Error: unable to find export 'protocol_handler'","stack":"Error: unable to find export 'protocol_handler'\n    at value (frida/runtime/core.js:245)\n    at TestFuzzer (test-fuzzer.js:10)\n    at <anonymous> (test-fuzzer.js:54)","fileName":"frida/runtime/core.js","lineNumber":245,"columnNumber":1}
Mar 29 12:50:02 u20 fpicker: [*] SEM_POST in _signal_exec_finished_with_ret_status 1680061802301
Mar 29 12:50:02 u20 fpicker: [*] Agent script loaded
Mar 29 12:50:03 u20 fpicker: [*] Slept a bit to give the agent script some time.
Mar 29 12:50:03 u20 fpicker: [->] error_send_message: {"type":"send","payload":["frida:rpc",0,"error","unable to find method 'prepare'"]}
Mar 29 12:50:03 u20 fpicker: [*] SEM_POST in _signal_exec_finished_with_ret_status 1680061803303

I did not modify fuzzer.js.

In the case of protocol_example, it seems to be a problem with Frida rather than fpicker.
As in the published YouTube video, when I attached to protocol_example in Frida without using fpicker and requested getExportByName(null, 'protocol_handler'), it said it couldn't find the address of protocol_handler.
