通常来讲,afl-fuzz需要对待fuzz程序重编译,重而对其进行插桩,这就要求拥有待fuzz程序的完整源代码。而afl-dyninst提供了一种静态无源码插桩的手段使得可以对无源码二进制程序插桩。

本文的测试系统为:ubuntu14.04。

下载&&编译

首先需要安装以下软件:

1
sudo apt-get install libelf-dev libelf1 libiberty-dev libboost-all-dev

afl-dyninst是基于dyninst的,所以需要下载&&编译&&安装dyninst:

1
2
3
4
5
6
7
git clone https://github.com/dyninst/dyninst.git
cd dyninst
mkdir build
cd build
cmake -DBOOST_LIBRARYDIR=/usr/lib/x86_64-linux-gnu
make
sudo make install

下载&&编译afl-dyninst

1
2
3
4
5
6
7
git clone https://github.com/talos-vulndev/afl-dyninst.git
cd afl-dyninst
make
sudo cp afl-dyninst /usr/bin/
sudo cp libAflDyninst.so /usr/local/lib/
echo "/usr/local/lib" > /etc/ld.so.conf.d/dyninst.conf && ldconfig
echo "export DYNINSTAPI_RT_LIB=/usr/local/lib/libdyninstAPI_RT.so" >> ~/.bashrc

使用

1
2
3
4
5
6
7
8
9
10
11
12
13
Usage: ./afl-dyninst -i <binary> -o <binary> -l <library> -e <address> -s <number>
-i: Input binary
-o: Output binary
-l: Library to instrument (repeat for more than one)
-e: Entry point address to patch (required for stripped binaries)
-r: Runtime library to instrument (path to, repeat for more than one)
-s: Number of basic blocks to skip
-v: Verbose output
example:
afl-dyninst -i testbin -o testbin_ins
to fuzz:
export AFL_SKIP_BIN_CHECK=1
afl-fuzz -i in -o out testbin_ins

碎碎念

dyninst目前支持POWER/Linux, x86/Linux, x86_64/Linux,x86/Windows XP/2000/2003/Windows 7多个平台以及aarch64,不过可惜的是不支持arm/thumb。afl-dyninst于15年3月公布,不过到目前为止还未添加到afl-fuzz的发行版本中,推测其应该存在较多的bug。不过dyninst项目目前仍然活跃,相信以后会更加成熟。持续关注中!