Qiling fuzzer is not working

[Bariskizilkaya]

I pulled clear docker Ubuntu image and followed the instruction and the example for x86_64 fuzzing is not working. The Binary crashes immediately.

Sample Code

#!/usr/bin/env python3

"""Simple example of how to use Qiling together with AFLplusplus.

Steps:
  o Clone and build AFL++
    $ git clone https://github.com/AFLplusplus/AFLplusplus.git
    $ make -C AFLplusplus

  o Build Unicorn support
    $ ( cd AFLplusplus/unicorn_mode ; ./build_unicorn_support.sh )

  o Start fuzzing
    $ AFL_AUTORESUME=1 AFL_PATH="$(realpath ./AFLplusplus)" PATH="$AFL_PATH:$PATH" afl-fuzz -i afl_inputs -o afl_outputs -U -- python3 ./fuzz_x8664_linux.py @@

  o Cleanup results
    $ rm -fr afl_outputs/default/
"""

# No more need for importing unicornafl, try afl.ql_afl_fuzz instead!

import os
import sys

from typing import Optional

sys.path.append("../../..")
from qiling import Qiling
from qiling.const import QL_VERBOSE
from qiling.extensions import pipe
from qiling.extensions import afl

def main(input_file: str):
    ql = Qiling(["./x8664_fuzz"], "../../rootfs/x8664_linux",
        verbose=QL_VERBOSE.OFF, # keep qiling logging off
        console=False)          # thwart program output

    # redirect stdin to our mock to feed it with incoming fuzzed keystrokes
    ql.os.stdin = pipe.SimpleInStream(sys.stdin.fileno())

    def place_input_callback(ql: Qiling, input: bytes, persistent_round: int) -> Optional[bool]:
        """Feed generated stimuli to the fuzzed target.

        This method is called with every fuzzing iteration.
        """

        # feed fuzzed input to our mock stdin
        ql.os.stdin.write(input)

        # signal afl to proceed with this input
        return True

    def start_afl(ql: Qiling):
        """Have Unicorn fork and start instrumentation.
        """

        afl.ql_afl_fuzz(ql, input_file=input_file, place_input_callback=place_input_callback, exits=[ql.os.exit_point])

    # get image base address
    ba = ql.loader.images[0].base

    # make the process crash whenever __stack_chk_fail@plt is about to be called.
    # this way afl will count stack protection violations as crashes
    ql.hook_address(callback=lambda x: os.abort(), address=ba + 0x126e)

    # set afl instrumentation [re]starting point. we set it to 'main'
    ql.hook_address(callback=start_afl, address=ba + 0x1275)

    # okay, ready to roll
    ql.run()

if __name__ == "__main__":
    if len(sys.argv) == 1:
        raise ValueError("No input file provided.")

    main(sys.argv[1])

[elicn]

The sample input file provided in the command line should be of a valid input (that is, not crashing the program). What was the command line, and what is the content of the sample file?

[Bariskizilkaya]

This is the sample program of the qiling's example folder.
https://github.com/qilingframework/qiling/tree/master/examples/fuzzing/linux_x8664

[wtdcode]

The current unicornafl might break. Will have a look.

[elicn]

From what I see the crash happens within: _uc2afl.uc_afl_fuzz_custom, on unicornafl.py.
The statement does not return, so there is no value returned or exception raised.

[rliebig]

@wtdcode @elicn I'm observing similiar behaviour - any ideas for fixes? Would like to help on this issue

[wtdcode]

We will release next unicornafl shortly: AFLplusplus/unicornafl#43

[daniel-rome]

I’m still running into the same problem with both the latest release and the Git version. Do you have any suggestions on how to fix it? Thanks!

[daniel-rome]

Found a temporal "fix" by overwriting the "unicornafl.so" library (from a stable AFL version e.g. AFLplusplus-4.33c) into the pip directory used by qiling.

[wtdcode]

Thanks for updates. For anyone having issue with this, please try new AFL++ release 4.34a which brings fixes and new features.

[daniel-rome]

Problem comes with the pip unicornafl installation, so probably should be updated as well. This is why overwriting the library with both 4.34a or 4.33c started working..

Anyway, looks like it continues failing since it does not crash but I am getting the "[-] Hmm, looks like the target binary terminated before we could complete a handshake with the injected code. You can try the following:" error message.

Traced the instructions executed (UC_HOOK_CODE) and the last one is the "ql_afl_fuzz(_ql, input_file=input_file, place_input_callback=place_input_callback, exits=[0x00957810])" I have configured in "exits". Is there anything I am overlooking? Arch:MIPS32 BE