Fpicker instrumentation hangs in AFL proxy mode #30

Open
dillonfranke opened this issue Oct 9, 2023 · 2 comments
Comments

@dillonfranke

Hi @ttdennis,

Let me just start by saying thank you for such a cool idea! I'm excited to use this for some fuzzing research I am performing. However, I've been running into an issue when trying to use fpicker to perform instrumentation while fuzzing with AFL++.

I'm trying to fuzz a function within the CoreAudio macOS library that handles incoming mach messages.

Here's the command I'm running:

```sh
sudo afl-fuzz -i in -o out -- ./fpicker -v --fuzzer-mode afl --communication-mode shm -e attach -p coreaudiod -f harness.js
```

Here's my harness.js file before compiling it with frida-compile:

```javascript
// Import the fuzzer base class
import { Fuzzer } from "./harness/fuzzer.js";
//const Fuzzer = require("harness/fuzzer.js");

// The custom fuzzer needs to subclass the Fuzzer class to work properly
class TestFuzzer extends Fuzzer {
    constructor() {
        // The constructor needs to specify the address of the targeted function and a NativeFunction
        // object that can later be called by the fuzzer.
        // Look the target up in CoreAudio's symbol table. Process.getModuleByName(...).enumerateSymbols()
        // is the current Frida API; the *Sync variants are no longer present in recent releases.
        const symbol = Process.getModuleByName("CoreAudio")
            .enumerateSymbols()
            .find((s) => s.name === "HALB_MIGServer_server");
        if (symbol === undefined) {
            throw new Error("HALB_MIGServer_server not found in CoreAudio");
        }
        const fuzz_function_addr = symbol.address;

        // MIG server routines have the signature
        // boolean_t server(mach_msg_header_t *InHeadP, mach_msg_header_t *OutHeadP)
        const fuzz_function = new NativeFunction(
            fuzz_function_addr,
            "int", ["pointer", "pointer"]);

        super("CoreAudio", fuzz_function_addr, fuzz_function);
    }

    prepare() {
    }

    fuzz(payload, length) {
        // The server routine writes the reply message into OutHeadP, so it needs a real
        // reply buffer rather than a single pointer-sized slot. 0x1000 bytes is an assumption;
        // the subsystem's maxsize is the authoritative upper bound.
        const reply = Memory.alloc(0x1000);
        reply.writePointer(NULL);

        this.target_function(payload, reply);
    }
}

const f = new TestFuzzer();
//exports.fuzzer = f;
export const fuzzer = f;
```

However, fpicker stalls during the first test case, every time. Am I using the tool wrong? Any ideas? Thanks so much:

sudo afl-fuzz -i ../subsystem_messages/CoreAudio/HALB_MIGServer_server -o HALB_MIGServer_server-OUT -- ./fpicker -v --fuzzer-mode afl --communication-mode shm -e attach -p coreaudiod -f harness.js
Password:
afl-fuzz++4.06a based on afl by Michal Zalewski and a large online community
[+] afl++ is maintained by Marc "van Hauser" Heuse, Heiko "hexcoder" Eißfeldt, Andrea Fioraldi and Dominik Maier
[+] afl++ is open source, get it at https://github.com/AFLplusplus/AFLplusplus
[+] NOTE: This is v3.x which changes defaults and behaviours - see README.md
[+] No -M/-S set, autoconfiguring for "-S default"
[*] Getting to work...
[+] Using exponential power schedule (FAST)
[+] Enabled testcache with 50 MB
[+] Generating fuzz data with a length of min=1 max=1048576
[*] Checking CPU scaling governor...
[+] You have 4 CPU cores and 4 runnable tasks (utilization: 100%).
[*] Setting up output directories...
[*] Scanning '../subsystem_messages/CoreAudio/HALB_MIGServer_server'...
[+] Loaded a total of 1235 seeds.
[*] Creating hard links for all input files...
[*] Validating target binary...
[*] Spinning up the fork server...
[+] All right - fork server is up.
[*] No auto-generated dictionary tokens to reuse.
[*] Attempting dry run with 'id:000000,time:0,execs:0,orig:fffd8968a91c12de202b3a81c1b0c0f4'...

[-] Oops, the program crashed with one of the test cases provided. There are
    several possible explanations:

    - The test case causes known crashes under normal working conditions. If
      so, please remove it. The fuzzer should be seeded with interesting
      inputs - but not ones that cause an outright crash.

    - In QEMU persistent mode the selected address(es) for the loop are not
      properly cleaning up variables and memory. Try adding
      AFL_QEMU_PERSISTENT_GPR=1 or select better addresses in the binary.

    - On MacOS X, the semantics of fork() syscalls are non-standard and may
      break afl-fuzz performance optimizations when running platform-specific
      targets. To fix this, set AFL_NO_FORKSRV=1 in the environment.

    - Least likely, there is a horrible bug in the fuzzer. If other options
      fail, poke <[email protected]> for troubleshooting tips.
[!] WARNING: Test case 'id:000000,time:0,execs:0,orig:fffd8968a91c12de202b3a81c1b0c0f4' results in a crash, skipping
[*] Attempting dry run with 'id:000001,time:0,execs:0,orig:fff272ad2955f2359fd438f00d9de95d'...
^Czsh: killed     sudo afl-fuzz -i ../subsystem_messages/CoreAudio/HALB_MIGServer_server -o  --

I dug into the logs a bit more and saw this output. It seems to be waiting for a semaphore to be released that never is:

log show --predicate 'process == "fpicker"' --last 5m

Filtering the log data using "process == "fpicker""
Skipping info and debug messages, pass --info and/or --debug to include.
Timestamp                       Thread     Type        Activity             PID    TTL  
2023-10-09 12:24:56.550043-0700 0xdcbff    Default     0x0                  35310  0    fpicker:        __       _      _                     
      / _|     (_)    | |                    
     | |_ _ __  _  ___| | _____ _ __         
     |  _| '_ \| |/ __| |/ / _ \ '__|      
     | | | |_) | | (__|   <  __/ |           
     |_| | .__/|_|\___|_|\_\___|_|        
         | |                                 
         |_|        Frida-Based Fuzzing Suite
- - - - - - - - - - - - - - - - - - - - - - -
2023-10-09 12:24:56.552630-0700 0xdcbff    Default     0x0                  35310  0    fpicker: Running fpicker using the following configuration:
2023-10-09 12:24:56.552634-0700 0xdcbff    Default     0x0                  35310  0    fpicker: - fuzzer-mode: 			FUZZER_MODE_AFL
2023-10-09 12:24:56.552636-0700 0xdcbff    Default     0x0                  35310  0    fpicker: - coverage_mode: 		COVERAGE_MODE_STALKER_SUMMARY
2023-10-09 12:24:56.552638-0700 0xdcbff    Default     0x0                  35310  0    fpicker: - standalone_mutator: 		STANDALONE_MUTATOR_NULL
2023-10-09 12:24:56.552639-0700 0xdcbff    Default     0x0                  35310  0    fpicker: - communication_mode: 		COMMUNICATION_MODE_SHM
2023-10-09 12:24:56.552640-0700 0xdcbff    Default     0x0                  35310  0    fpicker: - input_mode: 			INPUT_MODE_IN_PROCESS
2023-10-09 12:24:56.552641-0700 0xdcbff    Default     0x0                  35310  0    fpicker: - exec_mode: 			EXEC_MODE_ATTACH
2023-10-09 12:24:56.552642-0700 0xdcbff    Default     0x0                  35310  0    fpicker: - device_type: 			DEVICE_LOCAL
2023-10-09 12:24:56.552647-0700 0xdcbff    Default     0x0                  35310  0    fpicker: - process_name: 		coreaudiod
2023-10-09 12:24:56.552648-0700 0xdcbff    Default     0x0                  35310  0    fpicker: - command: 			(null)
2023-10-09 12:24:56.552649-0700 0xdcbff    Default     0x0                  35310  0    fpicker: - fuzzer_timeout: 		500
2023-10-09 12:24:56.552650-0700 0xdcbff    Default     0x0                  35310  0    fpicker: - fuzzer_sleep: 		100
2023-10-09 12:24:56.552652-0700 0xdcbff    Default     0x0                  35310  0    fpicker: - verbose: 			true
2023-10-09 12:24:56.552653-0700 0xdcbff    Default     0x0                  35310  0    fpicker: - agent_script: 		harness.js
2023-10-09 12:24:56.552655-0700 0xdcbff    Default     0x0                  35310  0    fpicker: - corpus_dir: 			(null)
2023-10-09 12:24:56.552656-0700 0xdcbff    Default     0x0                  35310  0    fpicker: - out_dir: 			(null)
2023-10-09 12:24:56.552657-0700 0xdcbff    Default     0x0                  35310  0    fpicker: - metrics: disabled
2023-10-09 12:24:56.552663-0700 0xdcbff    Default     0x0                  35310  0    fpicker: 
2023-10-09 12:24:56.552666-0700 0xdcbff    Default     0x0                  35310  0    fpicker: [*] SHM_ENV_VAR = /afl_35296_846930886
2023-10-09 12:24:56.575475-0700 0xdcc01    Activity    0x16cd0              35310  0    fpicker: (CoreFoundation) Loading Preferences From System CFPrefsD
2023-10-09 12:24:56.580202-0700 0xdcc01    Activity    0x16cd1              35310  0    fpicker: (TCC) TCCAccessRequest() IPC
2023-10-09 12:24:56.602599-0700 0xdcc01    Default     0x0                  35310  0    fpicker: (AppKit) [com.apple.AppKit:Appearance] Current system appearance, (HLTB: 2), (SLS: 1)
2023-10-09 12:24:56.604590-0700 0xdcc01    Default     0x0                  35310  0    fpicker: (libMobileGestalt.dylib) No persisted cache on this platform.
2023-10-09 12:24:56.605377-0700 0xdcc01    Default     0x0                  35310  0    fpicker: (libMobileGestalt.dylib) Failed to copy the SysCfgDict MG key with error: 0
2023-10-09 12:24:56.752310-0700 0xdcc01    Default     0x0                  35310  0    fpicker: (AppKit) [com.apple.AppKit:Appearance] Current system appearance, (HLTB: 2), (SLS: 1)
2023-10-09 12:24:56.753025-0700 0xdcc01    Default     0x0                  35310  0    fpicker: (AppKit) [com.apple.AppKit:Appearance] Post-registration system appearance: (HLTB: 2)
2023-10-09 12:24:56.756934-0700 0xdcbff    Default     0x0                  35310  0    fpicker: [*] Found 2 Frida devices.
2023-10-09 12:24:56.756943-0700 0xdcbff    Default     0x0                  35310  0    fpicker: [*] Found desired Frida device: Local System(0)
2023-10-09 12:24:56.756965-0700 0xdcbff    Default     0x0                  35310  0    fpicker: [*] Trying to attach to process with name coreaudiod.
2023-10-09 12:24:56.761833-0700 0xdcc08    Activity    0x16cd2              35310  0    fpicker: (libsystem_info.dylib) Retrieve User by Name
2023-10-09 12:24:56.807690-0700 0xdcbff    Default     0x0                  35310  0    fpicker: [*] Found process coreaudiod with PID 35284
2023-10-09 12:24:56.989409-0700 0xdcbff    Default     0x0                  35310  0    fpicker: [*] Attached to process coreaudiod on frida device Local System
2023-10-09 12:24:56.992157-0700 0xdcbff    Default     0x0                  35310  0    fpicker: [*] Agent script created
2023-10-09 12:24:57.097285-0700 0xdcbff    Default     0x0                  35310  0    fpicker: [*] Agent script loaded
2023-10-09 12:24:58.097628-0700 0xdcbff    Default     0x0                  35310  0    fpicker: [*] Slept a bit to give the agent script some time.
2023-10-09 12:24:58.097642-0700 0xdcbff    Default     0x0                  35310  0    fpicker: [*] SEND: ["frida:rpc", 0, "call", "prepare", ["SHM", "AFL", "IN_PROCESS", "/afl_35296_846930886", "/fp_comm_shm_35310_1804289383", "1"]]
2023-10-09 12:24:58.099173-0700 0xdcc01    Default     0x0                  35310  0    fpicker: [JS]: [*] afl_area_ptr: 0x0
2023-10-09 12:24:58.099431-0700 0xdcc01    Default     0x0                  35310  0    fpicker: [JS]: [*] commap: 0x10a8d6000
2023-10-09 12:24:58.099675-0700 0xdcc01    Default     0x0                  35310  0    fpicker: [JS]: [*] commap_id: /fp_comm_shm_35310_1804289383
2023-10-09 12:24:58.099834-0700 0xdcc01    Default     0x0                  35310  0    fpicker: [JS]: [*] base: 0x7ff805b1f000
2023-10-09 12:24:58.100093-0700 0xdcc01    Default     0x0                  35310  0    fpicker: [JS]: [*] iteration_sem: 0xffffffffffffffff
2023-10-09 12:24:58.100246-0700 0xdcc01    Default     0x0                  35310  0    fpicker: [JS]: [*] exec_sem: 0xffffffffffffffff
2023-10-09 12:24:58.100474-0700 0xdcc01    Default     0x0                  35310  0    fpicker: [JS]: [*] Not excluding CoreAudio from stalker
2023-10-09 12:24:58.100742-0700 0xdcc01    Default     0x0                  35310  0    fpicker: [JS]: [*] Setting up interceptor
2023-10-09 12:24:58.109838-0700 0xdcc01    Default     0x0                  35310  0    fpicker: [JS]: {"type":"send","payload":{"type":"_fpicker_ready","data":[{"name":"coreaudiod","base":"0x1084c9000","size":98304,"path":"/usr/sbin/coreaudiod","id":0,"end":"0x1084e1000"},{"name":"caulk","base":"0x7ff80d25c000","size":155648,"path":"/System/Library/PrivateFrameworks/caulk.framework/Versions/A/caulk","id":1,"end":"0x7ff80d282000"},{"name":"CoreAudio","base":"0x7ff805b1f000","size":7462910,"path":"/System/Library/Frameworks/CoreAudio.framework/Versions/A/CoreAudio","id":2,"end":"0x7ff80623cffe"},{"name":"CoreFoundation","base":"0x7ff803b6a000","size":4825088,"path":"/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation","id":3,"end":"0x7ff804004000"},{"name":"Foundation","base":"0x7ff8049e3000","size":10559479,"path":"/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation","id":4,"end":"0x7ff8053f4ff7"},{"name":"libobjc.A.dylib","base":"0x7ff803799000","size":245721,"path":"/usr/lib/libobjc.A.dylib","id":5,"end":"0x7ff8037d4fd9"},{"name":"libc++.1.dylib","base":"0<…>
2023-10-09 12:24:58.109848-0700 0xdcc01    Default     0x0                  35310  0    fpicker: [*] MODULE=/usr/sbin/coreaudiod, start=0x1084c9000, end=0x1084e1000
2023-10-09 12:24:58.110678-0700 0xdcc01    Default     0x0                  35310  0    fpicker: [JS]: [1] before sem_wait in wait_for_exec (1696879498103)
2023-10-09 12:24:58.110691-0700 0xdcc01    Default     0x0                  35310  0    fpicker: [JS]: [3] after sem_wait in wait_for_exec (1696879498103). This took 0 ms
2023-10-09 12:24:58.110702-0700 0xdcc01    Default     0x0                  35310  0    fpicker: [JS]: [*] Interceptor ENTER (1696879498103)
2023-10-09 12:24:58.110738-0700 0xdcc01    Default     0x0                  35310  0    fpicker: [JS]: {"type":"send","payload":{"type":"crash","msg":{"message":"access violation accessing 0xd8d1","type":"access-violation","address":"0x10873f1b5","memory":{"operation":"read","address":"0xd8d1"},"context":{"pc":"0x10873f1b5","sp":"0x70000f95ef80","rax":"0xd8d1","rcx":"0xd8d1","rdx":"0x0","rbx":"0x10fae3000","rsp":"0x70000f95ef80","rbp":"0x70000f95efb0","rsi":"0x10fea83e0","rdi":"0x70000f95f2e8","r8":"0x70000f95f3c8","r9":"0x10aa09800","r10":"0x0","r11":"0x7ff8060ebd0e","r12":"0x70000f95f580","r13":"0x1","r14":"0x2","r15":"0x0","rip":"0x10873f1b5"},"nativeContext":"0x0","fileName":"mach.js","lineNumber":28}}}
2023-10-09 12:24:58.110770-0700 0xdcc01    Default     0x0                  35310  0    fpicker: [->] CRASH type received
2023-10-09 12:24:58.110774-0700 0xdcc01    Default     0x0                  35310  0    fpicker: [->] message: {"type":"send","payload":{"type":"crash","msg":{"message":"access violation accessing 0xd8d1","type":"access-violation","address":"0x10873f1b5","memory":{"operation":"read","address":"0xd8d1"},"context":{"pc":"0x10873f1b5","sp":"0x70000f95ef80","rax":"0xd8d1","rcx":"0xd8d1","rdx":"0x0","rbx":"0x10fae3000","rsp":"0x70000f95ef80","rbp":"0x70000f95efb0","rsi":"0x10fea83e0","rdi":"0x70000f95f2e8","r8":"0x70000f95f3c8","r9":"0x10aa09800","r10":"0x0","r11":"0x7ff8060ebd0e","r12":"0x70000f95f580","r13":"0x1","r14":"0x2","r15":"0x0","rip":"0x10873f1b5"},"nativeContext":"0x0","fileName":"mach.js","lineNumber":28}}}
2023-10-09 12:24:58.110776-0700 0xdcc01    Default     0x0                  35310  0    fpicker: [*] SEM_POST in _signal_exec_finished_with_ret_status 1696879498110
2023-10-09 12:24:58.110804-0700 0xdcc01    Default     0x0                  35310  0    fpicker: [JS]: [1] before sem_wait in wait_for_exec (1696879498105)
2023-10-09 12:24:58.110815-0700 0xdcc01    Default     0x0                  35310  0    fpicker: [JS]: [3] after sem_wait in wait_for_exec (1696879498105). This took 0 ms
2023-10-09 12:24:58.110825-0700 0xdcc01    Default     0x0                  35310  0    fpicker: [JS]: [*] Interceptor ENTER (1696879498105)
2023-10-09 12:24:58.114698-0700 0xdcbff    Default     0x0                  35310  0    fpicker: [*] Harness preparation done
2023-10-09 12:24:58.114725-0700 0xdcbff    Default     0x0                  35310  0    fpicker: [*] Everything ready, starting to fuzz!
2023-10-09 12:24:58.129164-0700 0xdcbff    Default     0x0                  35310  0    fpicker: [2] PRE SEM_POST in fuzz_iteration_in_process_shm: 1696879498129
2023-10-09 12:24:58.129173-0700 0xdcbff    Default     0x0                  35310  0    fpicker: [*] POST SEM_POST in fuzz_iteration_in_process_shm: 1696879498129
2023-10-09 12:24:58.129175-0700 0xdcbff    Default     0x0                  35310  0    fpicker: [*] PRE SEM_WAIT in fuzz_iteration_in_process_shm: 1696879498129
2023-10-09 12:24:58.129179-0700 0xdcbff    Default     0x0                  35310  0    fpicker: [*] POST SEM_WAIT in fuzz_iteration_in_process_shm: 1696879498129
2023-10-09 12:24:58.129791-0700 0xdcbff    Default     0x0                  35310  0    fpicker: [2] PRE SEM_POST in fuzz_iteration_in_process_shm: 1696879498129
2023-10-09 12:24:58.129797-0700 0xdcbff    Default     0x0                  35310  0    fpicker: [*] POST SEM_POST in fuzz_iteration_in_process_shm: 1696879498129
2023-10-09 12:24:58.129798-0700 0xdcbff    Default     0x0                  35310  0    fpicker: [*] PRE SEM_WAIT in fuzz_iteration_in_process_shm: 1696879498129
2023-10-09 12:25:28.336289-0700 0xdcc01    Default     0x0                  35310  0    fpicker: [JS]: [*] Interceptor ENTER (1696879528335)
@Picasso-r

It seems that your fpicker doesn't find the shared memory created by AFL++, as the log shows `fpicker: [JS]: [*] afl_area_ptr: 0x0`.
Did you enable the option `CFLAGS="-DUSEMMAP=1"` when you compiled your AFL++?

@dillonfranke

Yes, I did indeed compile AFL++ with `CFLAGS="-DUSEMMAP=1"` :/
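The next thing to check, as an added example rather than fpicker's or AFL++'s own code: in the log above the agent reports `afl_area_ptr: 0x0` and both `iteration_sem` and `exec_sem` as `0xffffffffffffffff`, which is `SEM_FAILED` (`(sem_t *)-1`) on macOS. That is consistent with the agent's `sem_wait` returning at once ("This took 0 ms") while fpicker's side blocks in `SEM_WAIT` forever, i.e. the target process failing to open the fuzzer's shared memory and semaphores regardless of how AFL++ was built. The program below reproduces the `shm_open`/`mmap`/`sem_open` steps in a stand-alone process and reports which one fails and why. The semaphore names, the 65536-byte map size and the `/afl_...` name passed through `__AFL_SHM_ID` are assumptions.

```c
/* Added example, not fpicker's or AFL++'s own code: a preflight for the handshake
 * behind the log above. With AFL++ built -DUSEMMAP=1, __AFL_SHM_ID holds a POSIX
 * shared-memory name ("/afl_35296_846930886" in the log) that the agent must
 * shm_open()+mmap() for the coverage map; the two semaphores are sem_open()ed by
 * name. Semaphore names and the map size used here are assumptions. */
#include <errno.h>
#include <fcntl.h>
#include <semaphore.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

#define AFL_DEFAULT_MAP_SIZE 65536u /* AFL++ default MAP_SIZE (1 << 16) */
/* Failure bits returned by preflight(). */
enum { PF_SHM_OPEN = 1, PF_SHM_MMAP = 2, PF_ITER_SEM = 4, PF_EXEC_SEM = 8 };

/* Attach to an existing AFL coverage map. NULL (the afl_area_ptr: 0x0 case)
 * means shm_open or mmap failed; errno is preserved and *stage says which. */
uint8_t *afl_map_shm(const char *name, size_t size, int *stage) {
    int fd = shm_open(name, O_RDWR, 0);
    if (fd < 0) { *stage = PF_SHM_OPEN; return NULL; }
    void *p = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    int saved = errno;
    close(fd);
    if (p == MAP_FAILED) { errno = saved; *stage = PF_SHM_MMAP; return NULL; }
    *stage = 0;
    return (uint8_t *)p;
}

/* Open an existing named semaphore. SEM_FAILED is (sem_t *)-1 on macOS, i.e. the
 * 0xffffffffffffffff logged for iteration_sem/exec_sem; fold it to NULL. */
sem_t *open_existing_sem(const char *name) {
    sem_t *s = sem_open(name, 0);
    return s == SEM_FAILED ? NULL : s;
}

static void report(const char *what) { fprintf(stderr, "[-] %s: %s\n", what, strerror(errno)); }

/* The checks the agent's prepare() depends on; returns a mask of what failed. */
int preflight(const char *shm_name, size_t map_size, const char *iter_sem, const char *exec_sem) {
    int failed = 0, stage = 0;
    uint8_t *map = afl_map_shm(shm_name, map_size, &stage);
    if (map == NULL) { failed |= stage; report(shm_name); } else munmap(map, map_size);
    sem_t *a = open_existing_sem(iter_sem);
    if (a == NULL) { failed |= PF_ITER_SEM; report(iter_sem); } else sem_close(a);
    sem_t *b = open_existing_sem(exec_sem);
    if (b == NULL) { failed |= PF_EXEC_SEM; report(exec_sem); } else sem_close(b);
    return failed;
}

/* Prove the coverage channel works: an edge hit recorded through one mapping
 * (map[i]++, as instrumentation does) is visible through a second mapping. */
int shm_roundtrip(const char *name, size_t size) {
    int stage, ok = 0;
    uint8_t *a = afl_map_shm(name, size, &stage);
    uint8_t *b = afl_map_shm(name, size, &stage);
    if (a && b) { a[7] = 0; a[7]++; ok = (b[7] == 1); }
    if (a) munmap(a, size);
    if (b) munmap(b, size);
    return ok;
}

/* Fuzzer-side setup so the checks run without afl-fuzz or fpicker. 0 on success. */
int create_fuzzer_side(const char *shm_name, size_t size, const char *iter_sem, const char *exec_sem) {
    int fd = shm_open(shm_name, O_CREAT | O_RDWR, 0600);
    if (fd < 0) return -1;
    int rc = ftruncate(fd, (off_t)size);
    close(fd);
    if (rc < 0) return -1;
    sem_t *a = sem_open(iter_sem, O_CREAT, 0600, 0);
    sem_t *b = sem_open(exec_sem, O_CREAT, 0600, 0);
    if (a == SEM_FAILED || b == SEM_FAILED) return -1;
    sem_close(a);
    sem_close(b);
    return 0;
}

int destroy_fuzzer_side(const char *shm_name, const char *iter_sem, const char *exec_sem) {
    /* '|' rather than '||' so every name is unlinked even if one fails */
    return (shm_unlink(shm_name) | sem_unlink(iter_sem) | sem_unlink(exec_sem)) < 0 ? -1 : 0;
}

/* Stand-alone use: __AFL_SHM_ID=/afl_... ./preflight /iteration_sem /exec_sem */
int main(int argc, char **argv) {
    const char *shm = getenv("__AFL_SHM_ID");
    if (shm == NULL || argc != 3) {
        fprintf(stderr, "usage: __AFL_SHM_ID=/afl_... %s <iteration_sem> <exec_sem>\n", argv[0]);
        return 2;
    }
    int failed = preflight(shm, AFL_DEFAULT_MAP_SIZE, argv[1], argv[2]);
    if (failed == 0) puts("[+] coverage map and both semaphores reachable");
    else printf("[-] preflight failed, mask 0x%x\n", failed);
    return failed ? 1 : 0;
}
```

Run as a separate process, this only tells you whether the names exist and whether the invoking user may open them. The agent runs inside coreaudiod, so the authoritative version of the check is the same three calls made from the harness through `NativeFunction` on `shm_open`, `mmap` and `sem_open`, logging `errno` on failure the way the agent already logs the resulting handles; a daemon that is denied those opens will show exactly the `0x0` and `SEM_FAILED` values above even when AFL++ was built with `USEMMAP`.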
