Setting up an AFL++ environment and fuzzing mcrypt

My computer security courseware design: configuring the AFL++ environment and getting started with a simple fuzzing task.

This material was prepared for the fuzzing part of my computer security course. Because I am still a beginner and needed a real crash (one with no answer available online), the CVE used here is quite old QAQ.
Other materials I prepared for the computer security course include:

Fuzzing task instruction

mcrypt is a small tool, but it supports many encryption algorithms and is widely used by web applications such as PHP. In this lab, we will use AFL++ to find a real crash in mcrypt-2.6.5 (CVE-2012-4409).
CVE-2012-4409 is triggered when mcrypt decrypts a file.

If you find any new crash not on record, please report it to the maintainer.

Setup AFL++ environment

Note: the steps below install shared libraries on your virtual machine; be careful if you are using your own machine and do not want shared libraries installed there.

1 Compile AFL++:

sudo apt update 
sudo apt install -y automake cmake ninja-build clang-12 lld-12 llvm-12 llvm-12-dev
sudo apt install -y gcc-$(gcc --version|head -n1|sed 's/.* //'|sed 's/\..*//')-plugin-dev libstdc++-$(gcc --version|head -n1|sed 's/.* //'|sed 's/\..*//')-dev
git clone https://github.com/AFLplusplus/AFLplusplus
export LLVM_CONFIG="llvm-config-12"
cd AFLplusplus
make distrib
sudo make install
cd qemu_mode
CPU_TARGET=i386 ./build_qemu_support.sh
cd ../
sudo make install

2 Fuzz the binary from the previous lab

First create a directory for input and output files:

sudo su
echo core >/proc/sys/kernel/core_pattern
exit

cd ~/Desktop/lab5
chmod +x ./ret2libc_static
mkdir inputs
mkdir outputs
echo "random input" > inputs/1
afl-fuzz -i inputs/ -o outputs/ -Q ./ret2libc_static

AFL may find a crash quickly.

The crash can be found in outputs/default/crashes/

3 Compile mcrypt

tar -zxvf mhash-0.9.9.9.tar.gz
tar -zxvf libmcrypt-2.5.8.tar.gz
tar -zxvf mcrypt-2.6.5.tar.gz
# z: uncompress with gzip
# x: extract files from archive
# v: verbose
# f: use archive file

# compile mhash first
cd mhash-0.9.9.9/
./configure
make -j
sudo make install # remember to type your password
cd -
sudo ln -s /usr/local/lib/libmhash.so /lib/libmhash.so
sudo ln -s /usr/local/lib/libmhash.so.2 /lib/libmhash.so.2

# then compile libmcrypt
cd libmcrypt-2.5.8/
./configure
make -j
sudo make install
cd - # back to the directory that holds the three source trees
sudo ln -s /usr/local/lib/libmcrypt.so /lib/libmcrypt.so
sudo ln -s /usr/local/lib/libmcrypt.so.4 /lib/libmcrypt.so.4

# at last compile mcrypt with the AFL++ compiler wrapper
# (replace ~/Desktop/AFLplusplus with the absolute path of your AFLplusplus checkout)
cd mcrypt-2.6.5/
CC=~/Desktop/AFLplusplus/afl-clang-fast ./configure --disable-shared
export AFL_USE_CFISAN=1
export LLVM_CONFIG="llvm-config-12"
make CC=~/Desktop/AFLplusplus/afl-clang-fast CXX=~/Desktop/AFLplusplus/afl-clang-fast++ LD=~/Desktop/AFLplusplus/afl-clang-fast

./src/mcrypt --version
cp ./src/mcrypt ..

Now you should have mcrypt in src/ directory (in mcrypt-2.6.5/src/).

First, open a new terminal and run:
while true; do rm outputs/default/.cur_input.dc; done;

Then run afl-fuzz -i inputs/ -o outputs/ -- ./mcrypt arg1 arg2 (replace arg1 and arg2 with the real arguments!) to fuzz the mcrypt program; if an argument stands for a file, use @@ as its placeholder and AFL++ will substitute the path of the current test case.

If you need to stop and restart the fuzzing, use the same command line options and replace the input directory with a dash (-):
afl-fuzz -i - -o outputs/ -- ./mcrypt arg1 arg2

This time, AFL may not find a crash quickly; we can create a more valid input for mcrypt to help AFL reach more code and find the crash.

echo "random input" > raw_text
./mcrypt raw_text # type some password
cp raw_text.nc inputs/2
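Whether the target is the ret2libc binary or mcrypt, the files AFL++ saves under outputs/default/crashes/ are only candidates: the fuzzer stores whatever made the process die, so the first triage step is to replay each one outside the fuzzer and confirm it still terminates the target with a signal. The script below is an added example for that step; it is not part of the lab material or of the AFL++ project. It assumes a POSIX sh, takes the crashes directory followed by the same target command line you gave afl-fuzz (with @@ for the file argument, which the script substitutes itself), and prints the signal for each reproducing input. The function names run_target, replay_crashes and count_crashes are my own.

```shell
#!/bin/sh
# replay_crashes.sh (added example): replay every file AFL++ saved under
# outputs/default/crashes/ against the target and report which ones still kill it.
#
# Usage: replay_crashes <crashes_dir> <target> [args...]
#        (write @@ where the input file goes, exactly as on the afl-fuzz command line)

# run_target FILE CMD [ARGS...]: run CMD with every "@@" replaced by FILE and
# print the exit status. A status above 128 means the process died from
# signal (status - 128), e.g. 139 = SIGSEGV, 134 = SIGABRT.
run_target() {
  _file="$1"; shift
  _n=$#
  while [ "$_n" -gt 0 ]; do
    _arg="$1"; shift
    [ "$_arg" = "@@" ] && _arg="$_file"
    set -- "$@" "$_arg"          # rotate the rebuilt argument to the end
    _n=$((_n - 1))
  done
  # stdin closed and output discarded, as afl-fuzz would run it
  "$@" </dev/null >/dev/null 2>&1 && _status=0 || _status=$?
  echo "$_status"
}

# replay_crashes DIR CMD [ARGS...]: replay each saved crash file, print one
# line per file, and print the number of still-crashing inputs as the last line.
replay_crashes() {
  _dir="$1"; shift
  _crashing=0
  for _f in "$_dir"/*; do
    [ -f "$_f" ] || continue
    case "$_f" in */README.txt) continue ;; esac   # AFL++ drops a README into crashes/
    _st=$(run_target "$_f" "$@")
    if [ "$_st" -gt 128 ]; then
      _sig=$((_st - 128))
      echo "CRASH  sig=$_sig ($(kill -l "$_sig" 2>/dev/null))  $_f"
      _crashing=$((_crashing + 1))
    else
      echo "ok     exit=$_st  $_f"
    fi
  done
  echo "$_crashing"
}

# count_crashes DIR CMD [ARGS...]: only the number of reproducing crashes.
count_crashes() {
  replay_crashes "$@" | tail -n 1
}

# Stand-alone use from the lab directory, e.g.
#   sh replay_crashes.sh outputs/default/crashes ./mcrypt arg1 arg2
if [ "$#" -ge 2 ]; then
  replay_crashes "$@"
fi
```

Inputs that report "ok" on replay are usually timeouts or crashes that depend on fuzzer state (for mcrypt, for example, a leftover .dc file next to the input); the ones that still report a signal are the candidates worth minimising with afl-tmin and inspecting under a debugger.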
Author: Frank Wu

Published: 2023-09-01

Updated: 2024-10-21