연습 또 연습. https://training-1.tistory.com/ ko Thu, 16 Apr 2026 10:12:04 +0900 TISTORY 100 범고래_1 쉘코딩 (shellcoding) - (3) https://training-1.tistory.com/265 <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">쉘코딩 하는 여러 방법<span>&nbsp;</span>소개 시리즈 (3)</p> <p data-ke-size="size16">쉘코드 작성 후 바이너리로 만들고 실행할 때</p> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">/flag 읽는 쉘코드</p> <pre id="code_1654690197087" class="bash" data-ke-language="bash" data-ke-type="codeblock"><code>// shellcode.S #include &lt;sys/syscall.h&gt; .intel_syntax noprefix .global _start .text _start: /* open(file='/flag', oflag=0, mode=0) */ /* push '/flag\x00' */ push 0x67 push 0x616c662f mov ebx, esp xor ecx, ecx xor edx, edx /* call open() */ push SYS_open /* 5 */ pop eax int 0x80 /* read(fd='eax', buf='esp', nbytes=32) */ mov ebx, eax mov ecx, esp push 0x30 pop edx /* call read() */ push 3 /* 3 */ pop eax int 0x80 /* write(fd=1, buf='esp', n=32) */ push 1 pop ebx mov ecx, esp push 0x30 pop edx /* call write() */ push SYS_write /* 4 */ pop eax int 0x80</code></pre> <p data-ke-size="size16">빌드 (x86)</p> <pre id="code_1654690256723" class="bash" data-ke-language="bash" data-ke-type="codeblock"><code>gcc -c -o shellcode.o shellcode.S -m32 ld -m elf_i386 -o shellcode shellcode.o</code></pre> <p data-ke-size="size16">실행</p> <pre id="code_1654690267606" class="bash" data-ke-language="bash" data-ke-type="codeblock"><code>./shellcode</code></pre> pwnable/Shellcoding 범고래_1 https://training-1.tistory.com/265 https://training-1.tistory.com/265#entry265comment Wed, 8 Jun 2022 21:11:10 +0900 libssl install (libcrypto) https://training-1.tistory.com/264 <p data-ke-size="size16">x86</p> <pre id="code_1653374797547" class="bash" data-ke-language="bash" data-ke-type="codeblock"><code>sudo dpkg --add-architecture i386 sudo apt update sudo apt install libssl-dev:i386</code></pre> <p data-ke-size="size16">x86-64</p> <pre id="code_1653374812690" class="bash" data-ke-language="bash" data-ke-type="codeblock"><code>sudo apt update sudo apt install libssl-dev</code></pre> Linux 범고래_1 https://training-1.tistory.com/264 https://training-1.tistory.com/264#entry264comment Tue, 24 May 2022 15:46:54 +0900 CLI에서 chrome driver 사용하기 https://training-1.tistory.com/263 <p data-ke-size="size16"><b>Ubuntu</b></p> <pre id="code_1652780130554" class="bash" data-ke-language="bash" data-ke-type="codeblock"><code>sudo apt install chromium-chromedriver</code></pre> <p data-ke-size="size16"><b>Mac</b></p> <pre id="code_1652780155190" class="bash" data-ke-language="bash" data-ke-type="codeblock"><code>brew tap homebrew/cask &amp;&amp; brew cask install chromedriver</code></pre> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">Reference</p> <p data-ke-size="size16"><a href="https://stackoverflow.com/questions/53330322/is-chrome-installation-needed-or-only-chromedriver-when-using-selenium/62449076#62449076" target="_blank" rel="noopener">https://stackoverflow.com/questions/53330322/is-chrome-installation-needed-or-only-chromedriver-when-using-selenium/62449076#62449076</a></p> 기타 범고래_1 https://training-1.tistory.com/263 https://training-1.tistory.com/263#entry263comment Tue, 17 May 2022 18:36:08 +0900 쉘코딩 (shellcoding) - (2) https://training-1.tistory.com/262 <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">쉘코딩 하는 여러 방법 소개 시리즈 (2)</p> <p data-ke-size="size16">어셈 코딩하고 opcode만 뽑내는 법</p> <p data-ke-size="size16">아래 예시는 execve("/bin/sh", ["/bin/sh", 0], 0)</p> <p data-ke-size="size16">일단 쉘코딩</p> <pre id="code_1648205293988" class="bash" data-ke-language="bash" data-ke-type="codeblock"><code>// gcc -m32 -c -o shellcode.o shellcode.S #include &lt;sys/syscall.h&gt; #define STRING "/bin/sh" #define STRLEN 7 #define ARGV0 (STRLEN+1) #define ENVP (ARGV0+4) .intel_syntax noprefix .text .globl main .type main, @function main: jmp calladdr popladdr: pop esi /* esi points to STRING */ mov [ARGV0+esi],esi /* set up argv[0] pointer to pathname */ xor eax,eax /* get a 32-bit zero value */ mov [STRLEN + esi],al /* null-terminate our string */ mov [ENVP + esi], eax /* set up null envp */ mov al,SYS_execve /* syscall number */ mov ebx,esi /* arg 1: string pathname */ lea ecx,[ARGV0 + esi] /* arg 2: argv */ lea edx,[ENVP + esi] /* arg 3: envp */ int 0x80 /* execve("/bin/sh", ["/bin/sh", NULL], [NULL]) */ xor ebx,ebx /* arg 1: 0 */ mov eax,ebx inc eax /* exit(0) */ /* mov+inc to avoid null byte */ int 0x80 /* invoke syscall */ calladdr: call popladdr .string STRING</code></pre> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">objcopy 사용해서 shellcode.bin으로 opcode 뽑기</p> <pre id="code_1648205408727" class="bash" data-ke-language="bash" data-ke-type="codeblock"><code>#!/bin/bash gcc -m32 -c -o shellcode.o shellcode.S objcopy -S -O binary -j .text shellcode.o shellcode.bin rm -rf shellcode.o</code></pre> pwnable/Shellcoding 범고래_1 https://training-1.tistory.com/262 https://training-1.tistory.com/262#entry262comment Fri, 25 Mar 2022 19:52:48 +0900 쉘코딩 (shellcoding) - (1) https://training-1.tistory.com/261 <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">쉘코딩 하는 여러 방법 소개 시리즈 (1)</p> <p data-ke-size="size16">어셈 코딩하고 해당 코드를 실행하는 방법 소개</p> <p data-ke-size="size16">아래 예시는 argv[1] 문자열을 뒤집는 쉘코드</p> <pre id="code_1648204230753" class="c++ arduino" data-ke-language="c++" data-ke-type="codeblock"><code># main.s # gcc -nostdlib main.s -m32 .intel_syntax noprefix .global _start .text _start: push ebp mov ebp, esp # if (argc &lt; 2) exit; cmp DWORD PTR [ebp+4], 2 jl exit # length of argv[1] : esi mov esi, 0x0 # i = 0 loop: mov eax, DWORD PTR [ebp+0xc] add eax, esi add esi, 1 cmp BYTE PTR[eax], 0 jne loop sub esi, 1 # while (true) i--; if(i &lt;= -1) break; write(1, &amp;argv[1][i], 1) write_one_char: mov eax, DWORD PTR [ebp+0xc] sub esi, 1 cmp esi, -1 jle exit add eax, esi # write(1, eax, 1) mov edx, 1 mov ecx, eax mov ebx, 1 mov eax, 4 int 0x80 # write jmp write_one_char # exit(0) exit: mov ebx, 0x0 mov eax, 0x1 int 0x80 # exit</code></pre> <p data-ke-size="size16">실행</p> <pre id="code_1648205196729" class="c++ arduino" data-ke-language="c++" data-ke-type="codeblock"><code>$ ./a.out</code></pre> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">&nbsp;</p> pwnable/Shellcoding 범고래_1 https://training-1.tistory.com/261 https://training-1.tistory.com/261#entry261comment Fri, 25 Mar 2022 19:47:08 +0900 AFL++ LTO mode https://training-1.tistory.com/260 <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16"><span style="color: #666666; font-family: AppleSDGothicNeo-Regular, 'Malgun Gothic', '맑은 고딕', dotum, 돋움, sans-serif;">AFL++에서 고오급 기능인 LTO 모드를 지원한다.</span></p> <p data-ke-size="size16"><span style="color: #666666; font-family: AppleSDGothicNeo-Regular, 'Malgun Gothic', '맑은 고딕', dotum, 돋움, sans-serif;"><a style="color: #666666;" href="https://github.com/AFLplusplus/AFLplusplus/blob/stable/instrumentation/README.lto.md" target="_blank" rel="noopener">공식 문서</a>에 따르면 LTO 모드를 사용하면 더 빠른 속도와 높은 커버리지를 가진다고 한다.</span></p> <p data-ke-size="size16"><span style="color: #666666; font-family: AppleSDGothicNeo-Regular, 'Malgun Gothic', '맑은 고딕', dotum, 돋움, sans-serif;">LTO 모드를 사용하기 위해서는 llvm 11 버전 이상을 사용해야 한다.</span></p> <p data-ke-size="size16"><span style="color: #666666; font-family: AppleSDGothicNeo-Regular, 'Malgun Gothic', '맑은 고딕', dotum, 돋움, sans-serif;">LTO 모드를 사용할 수 없으면 LLVM 모드를 사용하고, 이것도 불가능하면 GCC_PLUGIN 모드를 사용하고...</span></p> <p data-ke-size="size16"><span style="color: #666666; font-family: AppleSDGothicNeo-Regular, 'Malgun Gothic', '맑은 고딕', dotum, 돋움, sans-serif;">이런 식으로 점차 내려가게 된다. (<u><a style="color: #666666;" href="https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/fuzzing_in_depth.md" target="_blank" rel="noopener">https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/fuzzing_in_depth.md</a></u>)</span></p> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16"><span style="color: #666666;">stable 버전인 13버전을 설치하고 LTO 모드를 사용해보자.</span></p> <h2 data-ke-size="size26">LLVM Install</h2> <p data-ke-size="size16"><span style="color: #666666;">다음 내용을 /etc/apt/sources.list.d에 적당히 추가해준다.</span></p> <p data-ke-size="size16"><span style="color: #666666;">20.04(focal), 21.04(hirsute) 적당히 알맞게...</span></p> <pre id="code_1648885184253" class="bash" data-ke-language="bash" data-ke-type="codeblock"><code>Focal (20.04) LTS - Last update : Fri, 28 Jan 2022 19:42:23 UTC / Revision: 20220128052849+ea05ee90596c deb http://apt.llvm.org/focal/ llvm-toolchain-focal main deb-src http://apt.llvm.org/focal/ llvm-toolchain-focal main # 12 deb http://apt.llvm.org/focal/ llvm-toolchain-focal-12 main deb-src http://apt.llvm.org/focal/ llvm-toolchain-focal-12 main # 13 deb http://apt.llvm.org/focal/ llvm-toolchain-focal-13 main deb-src http://apt.llvm.org/focal/ llvm-toolchain-focal-13 main ------------------------------------------------- Hirsute (21.04) - Last update : Fri, 28 Jan 2022 22:19:17 UTC / Revision: 20220128083604+c2a961e414e0 deb http://apt.llvm.org/hirsute/ llvm-toolchain-hirsute main deb-src http://apt.llvm.org/hirsute/ llvm-toolchain-hirsute main # 12 deb http://apt.llvm.org/hirsute/ llvm-toolchain-hirsute-12 main deb-src http://apt.llvm.org/hirsute/ llvm-toolchain-hirsute-12 main # 13 deb http://apt.llvm.org/hirsute/ llvm-toolchain-hirsute-13 main deb-src http://apt.llvm.org/hirsute/ llvm-toolchain-hirsute-13 main</code></pre> <p data-ke-size="size16">Archive Signature</p> <pre id="code_1644380020654" class="html xml" data-ke-language="html" data-ke-type="codeblock"><code>wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key|sudo apt-key add -</code></pre> <pre id="code_1643459777764" class="bash" data-ke-language="bash" data-ke-type="codeblock"><code>sudo apt update # LLVM apt install libllvm-13-ocaml-dev libllvm13 llvm-13 llvm-13-dev llvm-13-doc llvm-13-examples llvm-13-runtime # Clang and co apt install clang-13 clang-tools-13 clang-13-doc libclang-common-13-dev libclang-13-dev libclang1-13 clang-format-13 python3-clang-13 clangd-13 clang-tidy-13 # libfuzzer apt install libfuzzer-13-dev # lldb apt install lldb-13 # lld (linker) apt install lld-13</code></pre> <pre id="code_1643459852025" class="bash" data-ke-language="bash" data-ke-type="codeblock"><code>apt install -y clang-13 clang-tools-13 libc++1-13 libc++-13-dev \ libc++abi1-13 libc++abi-13-dev libclang1-13 libclang-13-dev \ libclang-common-13-dev libclang-cpp13 libclang-cpp13-dev liblld-13 \ liblld-13-dev liblldb-13 liblldb-13-dev libllvm13 libomp-13-dev \ libomp5-13 lld-13 lldb-13 llvm-13 llvm-13-dev llvm-13-runtime llvm-13-tools</code></pre> <p data-ke-size="size16">설치 확인</p> <pre id="code_1643460065012" class="bash" data-ke-language="bash" data-ke-type="codeblock"><code>which llvm-config llvm-config --version</code></pre> <p data-ke-size="size16">PATH 설정</p> <pre id="code_1643459895467" class="bash" data-ke-language="bash" data-ke-type="codeblock"><code>export PATH=/usr/lib/llvm-13/bin:$PATH</code></pre> <p data-ke-size="size16">gcc plugin 설치</p> <pre id="code_1643460910256" class="shell" data-ke-language="shell" data-ke-type="codeblock"><code>sudo apt install -y gcc-$(gcc --version|head -n1|sed 's/.* //'|sed 's/\..*//')-plugin-dev libstdc++-$(gcc --version|head -n1|sed 's/.* //'|sed 's/\..*//')-dev</code></pre> <h2 data-ke-size="size26">AFL Build</h2> <pre id="code_1643460123043" class="bash" data-ke-language="bash" data-ke-type="codeblock"><code>apt install rustc cargo</code></pre> <pre id="code_1643460011887" class="bash" data-ke-language="bash" data-ke-type="codeblock"><code>git clone https://github.com/AFLplusplus/AFLplusplus cd AFLplusplus make source-only -j$(nproc)</code></pre> <p data-ke-size="size16"><span style="color: #666666;">make 옵션에 관한 상세한 사항은 <u><a style="color: #666666;" href="https://aflplus.plus/building/" target="_blank" rel="noopener">여기</a></u>서 참고.</span></p> <p data-ke-size="size16"><span style="color: #666666;">qemu 모드를 쓰는게 아니면 source-only로 make해도 충분한 듯 하다.</span></p> <p data-ke-size="size16"><span style="background-color: #ffffff; color: #666666;">make distrib은 모든 기능 빌드.</span></p> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16"><span style="background-color: #ffffff; color: #666666;">afl 관련 명령어를 편하게 쓰기 위해 path 추가. (굳이 make install 안 하고 이렇게 쓴다.)</span></p> <pre id="code_1643460304088" class="bash" data-ke-language="bash" data-ke-type="codeblock"><code>export PATH=$PATH:/home/alkyne/AFLplusplus</code></pre> <h2 data-ke-size="size26">Build Target Binary</h2> <p data-ke-size="size16">이제 타겟 바이너리를 빌드할 때 afl-clang-lto, afl-clang-lto++로 빌드 하면 된다.</p> <pre id="code_1643458641248" class="bash" data-ke-language="bash" data-ke-type="codeblock"><code>CC=afl-clang-lto CXX=afl-clang-lto++ LD=afl-ld-lto RANLIB=llvm-ranlib AR=llvm-ar ./configure --disable-shared --enable-lto make -j$(nproc)</code></pre> <p data-ke-size="size16">(만약 오류가 나면 AFL_LLVM_MAP_ADDR 값을 바꿔주거나 unset하자.)</p> <p data-ke-size="size16">빌드하면 이런식으로 mode : LLVM-LTO-PCGUARD가 찍히게 된다.</p> <p><figure class="imageblock alignCenter" data-ke-mobileStyle="widthOrigin" data-origin-width="2880" data-origin-height="1640"><span data-url="https://blog.kakaocdn.net/dn/LuDcW/btrr5VxjEwO/XjTaE29lQcgkgwzrfnQlgK/img.png" data-phocus="https://blog.kakaocdn.net/dn/LuDcW/btrr5VxjEwO/XjTaE29lQcgkgwzrfnQlgK/img.png"><img src="https://blog.kakaocdn.net/dn/LuDcW/btrr5VxjEwO/XjTaE29lQcgkgwzrfnQlgK/img.png" srcset="https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FLuDcW%2Fbtrr5VxjEwO%2FXjTaE29lQcgkgwzrfnQlgK%2Fimg.png" onerror="this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';" loading="lazy" width="2880" height="1640" data-origin-width="2880" data-origin-height="1640"/></span></figure> </p> <h2 data-ke-size="size26">Fuzzing</h2> <p data-ke-size="size16">Fuzzing 하는 방법은 똑같다.</p> <pre id="code_1643460363862" class="bash" data-ke-language="bash" data-ke-type="codeblock"><code>afl-fuzz -m none -t 200 -i ../input -o ../output -M Main_vim -- ../../src/vim -u NONE -i NONE -n -X -Z -e -s -S @@ -c ":qa!"</code></pre> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">References :&nbsp;</p> <p data-ke-size="size16">- <a href="https://github.com/AFLplusplus/AFLplusplus/blob/stable/instrumentation/README.lto.md" target="_blank" rel="noopener">https://github.com/AFLplusplus/AFLplusplus/blob/stable/instrumentation/README.lto.md</a></p> <p data-ke-size="size16">- <a href="https://cpuu.postype.com/post/11671863" target="_blank" rel="noopener">https://cpuu.postype.com/post/11671863</a></p> <p data-ke-size="size16">- <a href="https://apt.llvm.org/" target="_blank" rel="noopener">https://apt.llvm.org/</a></p> <p data-ke-size="size16">-&nbsp;<a href="https://aflplus.plus/building/">https://aflplus.plus/building/</a></p> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">Acknowledgement</p> <p data-ke-size="size16">Special thanks to pwnstar.</p> pwnable/Fuzzing 범고래_1 https://training-1.tistory.com/260 https://training-1.tistory.com/260#entry260comment Sat, 29 Jan 2022 21:46:10 +0900 Valgrind https://training-1.tistory.com/259 <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">ASAN과 더불어 메모리 릭이나 access violation 확인할 때 유용하다.</p> <h2 data-ke-size="size26">Install</h2> <pre id="code_1643254389164" class="html xml" data-ke-language="html" data-ke-type="codeblock"><code>git clone git://sourceware.org/git/valgrind.git cd valgrind ./autogen.sh ./configure make</code></pre> <h2 data-ke-size="size26">Binary build</h2> <pre id="code_1643255879218" class="html xml" data-ke-language="html" data-ke-type="codeblock"><code>CFLAGS="-g" CXXFLAGS="-g" LDFLAGS="-g" ./configure make</code></pre> <h2 data-ke-size="size26">Run</h2> <pre id="code_1643255947918" class="html xml" data-ke-language="html" data-ke-type="codeblock"><code>./vg-in-place -s ./executable</code></pre> <p data-ke-size="size16">&nbsp;</p> pwnable 범고래_1 https://training-1.tistory.com/259 https://training-1.tistory.com/259#entry259comment Thu, 27 Jan 2022 12:59:32 +0900 AFL++ https://training-1.tistory.com/258 <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16"><a href="https://twitter.com/aflplusplus/status/1486278871318159364">https://twitter.com/aflplusplus/status/1486278871318159364</a></p> <p data-ke-size="size16">AFL++ 4.00c 버전이 나왔다.</p> <p data-ke-size="size16">기존 AFL 2.52b, 2.57b 버전보다 훨훨훨씬 좋다.</p> <p data-ke-size="size16">무엇보다도 속도가 매우 빠르다.</p> <h2 data-ke-size="size26">Install</h2> <pre id="code_1643250056733" class="html xml" data-ke-language="html" data-ke-type="codeblock"><code>git clone https://github.com/AFLplusplus/AFLplusplus cd AFLplusplus make</code></pre> <p data-ke-size="size16">afl-gcc,afl-g++, afl-clang, afl-clang-fast, afl-clang-fast++ 등등....</p> <p data-ke-size="size16">전부 afl-cc를 가리키고 있다.</p> <p><figure class="imageblock alignCenter" data-ke-mobileStyle="widthOrigin" data-origin-width="1356" data-origin-height="772"><span data-url="https://blog.kakaocdn.net/dn/cVdsg7/btrrKxZqBQ3/Vk8ZYBesLiPjs4BSATyuB0/img.png" data-phocus="https://blog.kakaocdn.net/dn/cVdsg7/btrrKxZqBQ3/Vk8ZYBesLiPjs4BSATyuB0/img.png"><img src="https://blog.kakaocdn.net/dn/cVdsg7/btrrKxZqBQ3/Vk8ZYBesLiPjs4BSATyuB0/img.png" srcset="https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FcVdsg7%2FbtrrKxZqBQ3%2FVk8ZYBesLiPjs4BSATyuB0%2Fimg.png" onerror="this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';" loading="lazy" width="623" height="355" data-origin-width="1356" data-origin-height="772"/></span></figure> </p> <p data-ke-size="size16">CC랑 CXX 설정시 전부 이걸로 하면 된다.</p> <h2 data-ke-size="size26">Build</h2> <pre id="code_1643250603531" class="html xml" data-ke-language="html" data-ke-type="codeblock"><code>CC=[AFLplusplus_DIR]/afl-cc CXX=[AFLplusplus_DIR]/afl-cc ./configure make</code></pre> <h2 data-ke-size="size26">ASAN</h2> <pre id="code_1643250632592" class="html xml" data-ke-language="html" data-ke-type="codeblock"><code>export AFL_USE_ASAN=1 CC=[AFLplusplus_DIR]/afl-cc CXX=[AFLplusplus_DIR]/afl-cc CFLAGS="-fsanitize=address -g" CXXFLAGS="-fsanitize=address -g" LDFLAGS="-fsanitize=address -g" ./configure make</code></pre> <p data-ke-size="size16">환경변수 PATH 설정해놓으면 afl-whatsup, afl-cmin, afl-fuzz 등 툴 쓰기 편하다.</p> <pre id="code_1643250804242" class="html xml" data-ke-language="html" data-ke-type="codeblock"><code>export PATH=$PATH:/home/alkyne/AFLplusplus</code></pre> pwnable 범고래_1 https://training-1.tistory.com/258 https://training-1.tistory.com/258#entry258comment Thu, 27 Jan 2022 11:33:42 +0900 AFL Parallel fuzzing https://training-1.tistory.com/257 <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">AFL은 단일 코어로 돌기 때문에, 멀티 코어로 퍼징하려면 각 코어마다 노드를 실행시켜야 한다.</p> <p data-ke-size="size16">한 개의 main 노드와 여러 개의 secondary 노드로 구성하면 된다.</p> <p data-ke-size="size16">각 노드는 주기적으로 싱크 디렉토리를 스캔하며, 재밌어 보이는 테스트 케이스를 자기 퍼저로 가져와 퍼징한다.</p> <p data-ke-size="size16">퍼포먼스 이유로 main 노드만이 큐를 싱크 시키며, secondary 노드들은 main 노드로 부터 싱크를 받아온다.</p> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">한번의 main 노드가 도는 동안 secondary 노드는&nbsp;여려번의 cycle을 수행한다.</p> <p data-ke-size="size16">* 큐에 있는 모든 input이 퍼징될 때까지 반복하는 것이 하나의 cycle이다.</p> <h2 data-ke-size="size26">Main node</h2> <p data-ke-size="size16">-M 옵션으로 main 노드 실행</p> <pre id="code_1642995374388" class="shell" data-ke-language="shell" data-ke-type="codeblock"><code>afl-fuzz -i input -o output -M Main_fuzzer -- ./src/vim -u NONE -i NONE -n -X -Z -e -m -s -S @@ -c ":qa!"</code></pre> <h2 data-ke-size="size26">Secondary Node</h2> <p data-ke-size="size16">-S 옵션으로 secondary 노드 여러개 실행</p> <pre id="code_1642995405065" class="shell" data-ke-language="shell" data-ke-type="codeblock"><code>afl-fuzz -i input -o output -S fuzzer01 -- ./src/vim -u NONE -i NONE -n -X -Z -e -m -s -S @@ -c ":qa!" afl-fuzz -i input -o output -S fuzzer02 -- ./src/vim -u NONE -i NONE -n -X -Z -e -m -s -S @@ -c ":qa!" afl-fuzz -i input -o output -S fuzzer03 -- ./src/vim -u NONE -i NONE -n -X -Z -e -m -s -S @@ -c ":qa!"</code></pre> <p data-ke-size="size16">이렇게 하면 총 4개 코어로 퍼징을 하게 된다.</p> <h2 data-ke-size="size26">Monitor</h2> <p data-ke-size="size16">퍼저들이 잘 돌아가고 있는지 afl-whatsup으로 확인</p> <p data-ke-size="size16">새 path를 찾지 못 하면 퍼징을 멈추면 된다.</p> <pre id="code_1642995864004" class="shell" data-ke-language="shell" data-ke-type="codeblock"><code>afl-whatsup [-s] output</code></pre> <p data-ke-size="size16">크래시 몽땅 확인</p> <pre id="code_1643349510626" class="html xml" data-ke-language="html" data-ke-type="codeblock"><code>#!/bin/sh for file in ~/fuzzing/fuzzing/output/Main_vim/crashes/*; do echo $file &gt;&gt; resMain timeout 4 ~/fuzzing/vim-asan/src -u NONE -i NONE -n -X -Z -e -m -s -S $file -c ":qa!" 2&gt;&gt; resMain done for file in ~/fuzzing/fuzzing/output/fuzzer01/crashes/*; do echo $file &gt;&gt; res1 timeout 4 ~/fuzzing/vim-asan/src -u NONE -i NONE -n -X -Z -e -m -s -S $file -c ":qa!" 2&gt;&gt; res1 done for file in ~/fuzzing/fuzzing/output/fuzzer02/crashes/*; do echo $file &gt;&gt; res2 timeout 4 ~/fuzzing/vim-asan/src -u NONE -i NONE -n -X -Z -e -m -s -S $file -c ":qa!" 2&gt;&gt; res2 done for file in ~/fuzzing/fuzzing/output/fuzzer03/crashes/*; do echo $file &gt;&gt; res3 timeout 4 ~/fuzzing/vim-asan/src -u NONE -i NONE -n -X -Z -e -m -s -S $file -c ":qa!" 2&gt;&gt; res3 done for file in ~/fuzzing/fuzzing/output/fuzzer04/crashes/*; do echo $file &gt;&gt; res4 timeout 4 ~/fuzzing/vim-asan/src -u NONE -i NONE -n -X -Z -e -m -s -S $file -c ":qa!" 2&gt;&gt; res4 done for file in ~/fuzzing/fuzzing/output/fuzzer05/crashes/*; do echo $file &gt;&gt; res5 timeout 4 ~/fuzzing/vim-asan/src -u NONE -i NONE -n -X -Z -e -m -s -S $file -c ":qa!" 2&gt;&gt; res5 done for file in ~/fuzzing/fuzzing/output/fuzzer06/crashes/*; do echo $file &gt;&gt; res6 timeout 4 ~/fuzzing/vim-asan/src -u NONE -i NONE -n -X -Z -e -m -s -S $file -c ":qa!" 2&gt;&gt; res6 done for file in ~/fuzzing/fuzzing/output/fuzzer07/crashes/*; do echo $file &gt;&gt; res7 timeout 4 ~/fuzzing/vim-asan/src -u NONE -i NONE -n -X -Z -e -m -s -S $file -c ":qa!" 2&gt;&gt; res7 done</code></pre> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">References :&nbsp;</p> <p data-ke-size="size16"><a href="https://d0ngr0thy.tistory.com/127" target="_blank" rel="noopener">https://d0ngr0thy.tistory.com/127</a></p> <p data-ke-size="size16"><a href="https://aflplus.plus/docs/parallel_fuzzing/" target="_blank" rel="noopener">https://aflplus.plus/docs/parallel_fuzzing/</a></p> <p data-ke-size="size16"><a href="https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/fuzzing_in_depth.md" target="_blank" rel="noopener">https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/fuzzing_in_depth.md</a></p> pwnable/Fuzzing 범고래_1 https://training-1.tistory.com/257 https://training-1.tistory.com/257#entry257comment Mon, 24 Jan 2022 12:44:36 +0900 AFL Fuzzing https://training-1.tistory.com/256 <h2 data-ke-size="size26">Install AFL</h2> <pre id="code_1642959739783" class="html xml" data-ke-language="html" data-ke-type="codeblock"><code>wget http://lcamtuf.coredump.cx/afl/releases/afl-latest.tgz tar -xvf afl-latest.tgz cd afl-2.52b make # for afl-clang-fast and afl-clang-fast++ cd llvm_mode make # or sudo apt install afl++</code></pre> <h2 data-ke-size="size26">From git</h2> <pre id="code_1643193988936" class="html xml" data-ke-language="html" data-ke-type="codeblock"><code>git clone https://github.com/google/AFL cd AFL make cd llvm_mode make</code></pre> <h2 data-ke-size="size26">Build target binary with afl-gcc</h2> <pre id="code_1642959730889" class="shell" data-ke-language="shell" data-ke-type="codeblock"><code>CC=[AFL_DIR]/afl-2.52b/afl-gcc CXX=[AFL_DIR]/afl-2.52b/afl-g++ ./configure</code></pre> <h2 data-ke-size="size26">ASAN</h2> <pre id="code_1642959724179" class="shell" data-ke-language="shell" data-ke-type="codeblock"><code>export AFL_USE_ASAN=1 CC=[AFL_DIR]/afl-2.52b/afl-clang-fast CXX=[AFL_DIR]/afl-2.52b/afl-clang-fast++ CFLAGS="-fsanitize=address -g" CXXFLAGS="-fsanitize=address -g" LDFLAGS="-fsanitize=address -g" ./configure export PATH=/usr/lib/llvm-10/bin:$PATH</code></pre> <h2 data-ke-size="size26">Fuzzing</h2> <pre id="code_1643093586148" class="sas" data-ke-language="shell" data-ke-type="codeblock"><code>afl-fuzz -i input -o output -- ./src/vim -u NONE -i NONE -n -X -Z -e -m -s -S @@ -c ":qa!"</code></pre> <p data-ke-size="size18">stdin fuzzing은 -f 옵션으로 파일 지정하면 된다.</p> <p data-ke-size="size18">-m none 옵션을 주면 메모리 제한 해제</p> <h2 data-ke-size="size26">Reproduce and check crashes</h2> <pre id="code_1642959710798" class="bash" data-ke-language="bash" data-ke-type="codeblock"><code>for file in output/crashes/*;do echo Input: $file &gt;&gt; crash.log ./vim -u NONE -i NONE -S $file -c :qa! 2&gt;&gt; crash.log done</code></pre> <h2 data-ke-size="size26">&nbsp;</h2> pwnable/Fuzzing 범고래_1 https://training-1.tistory.com/256 https://training-1.tistory.com/256#entry256comment Mon, 24 Jan 2022 02:42:42 +0900