AFL++

Reference:
https://www.cnblogs.com/unr4v31/p/15237728.html

CC=/home/AFLplusplus/afl-gcc-fast \
CXX=/home/AFLplusplus/afl-g++-fast \
CFLAGS="-O1 -fno-omit-frame-pointer -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=array-bounds,bool,builtin,enum,function,integer-divide-by-zero,null,object-size,return,returns-nonnull-attribute,shift,signed-integer-overflow,unsigned-integer-overflow,unreachable,vla-bound,vptr -fno-sanitize-recover=array-bounds,bool,builtin,enum,function,integer-divide-by-zero,null,object-size,return,returns-nonnull-attribute,shift,signed-integer-overflow,unreachable,vla-bound,vptr" \
CXXFLAGS="-O1 -fno-omit-frame-pointer -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=array-bounds,bool,builtin,enum,function,integer-divide-by-zero,null,object-size,return,returns-nonnull-attribute,shift,signed-integer-overflow,unsigned-integer-overflow,unreachable,vla-bound,vptr -fno-sanitize-recover=array-bounds,bool,builtin,enum,function,integer-divide-by-zero,null,object-size,return,returns-nonnull-attribute,shift,signed-integer-overflow,unreachable,vla-bound,vptr -stdlib=libc++" \
./configure && make
# the "super build", lol :) ----------------------------------
# note: -gline-tables-only, -stdlib=libc++ and some of the UBSan checks listed
# (e.g. unsigned-integer-overflow) are clang-only options, so this flag set
# matches afl-clang-fast rather than the GCC-based afl-gcc-fast
CC=/src/aflplusplus/afl-clang-fast \
CXX=/src/aflplusplus/afl-clang-fast++ \
CFLAGS="-O1 -fno-omit-frame-pointer -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -static -fsanitize=address" \
CXXFLAGS="-O1 -fno-omit-frame-pointer -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -static -fsanitize=address" \
./configure --disable-shared
make
# beginner version 😀
LDFLAGS="-static" \
CC=/home/AFLplusplus/afl-gcc \
CXX=/home/AFLplusplus/afl-g++ \
CFLAGS="-O1 -fno-omit-frame-pointer -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=address" \
CXXFLAGS="-O1 -fno-omit-frame-pointer -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=address" \
./configure --disable-shared
make
# it seems --disable-shared and -static conflict a bit?

LibFuzz

References:
https://hollk.blog.csdn.net/article/details/123225999
https://github.com/libbpf/libbpf/issues/804

ossFuzz

References:
https://n0va-scy.github.io/2022/02/14/oss-fuzz%E5%88%9D%E6%8E%A2/
https://github.com/google/oss-fuzz

https://hub.docker.com/r/zhouting27/oss-fuzz-base/tags

winafl

It didn't feel very usable to me; I'll try the others.
Reference:
https://bushido-sec.com/index.php/2023/06/25/the-art-of-fuzzing-windows-binaries/

Jackalope

References:
https://xz.aliyun.com/t/13659?time__1311=GqmxuD9Q0%3Di%3D%3DGNDQiiQd%2BC6mKbci42bD#toc-3
https://paper.seebug.org/2070/
https://signal-labs.com/fuzzing-wechats-wxam-parser/
https://medium.com/s2wblog/fuzzing-the-shield-cve-2022-24548-96f568980c0
https://www.youtube.com/watch?v=aE7Erfsfj5U

Honggfuzz

Reference:
https://www.cnblogs.com/hac425/p/9416915.html

WinDBG

Reference:
https://www.cnblogs.com/xl2432/p/13356596.html

Docker

Usable registry mirrors (daemon.json)

{
  "registry-mirrors": [
    "https://dockerhub.icu",
    "https://docker.chenby.cn",
    "https://docker.1panel.live",
    "https://docker.awsl9527.cn",
    "https://docker.anyhub.us.kg",
    "https://dhub.kubesre.xyz"
  ]
}

Target Proj

https://github.com/libsndfile/libsndfile/issues/1012
https://github.com/WAVM/WAVM

AFL source-code reading articles

https://www.anquanke.com/post/id/246080

Misc

Compiling C++ (include path): export CPLUS_INCLUDE_PATH=/usr/include/c++/9:/usr/include/x86_64-linux-gnu/c++/9
Using git: https://blog.csdn.net/qq_34082113/article/details/102998115

ASAN output analysis

=================================================================
==3116373==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdd404f9b4 at pc 0x55d2ab84708d bp 0x7ffdd404f7f0 sp 0x7ffdd404f7e8
# ASAN pinpoints the stack overflow at address 0x7ffdd404f9b4 and also gives the bp and sp values
READ of size 4 at 0x7ffdd404f9b4 thread T0
#0 0x55d2ab84708c in main /home/osaa/桌面/fuzz/asan_lab/stackover.cpp:4:10
#1 0x7f2f7af6f189 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#2 0x7f2f7af6f244 in __libc_start_main csu/../csu/libc-start.c:381:3
#3 0x55d2ab789300 in _start (/home/osaa/桌面/fuzz/asan_lab/stackover+0x20300) (BuildId: 70598e6f1fc76855f20289da2c89caf8155ace14)
# it also shows that the access was a READ and prints the call stack
Address 0x7ffdd404f9b4 is located in stack of thread T0 at offset 436 in frame
#0 0x55d2ab846eaf in main /home/osaa/桌面/fuzz/asan_lab/stackover.cpp:1
# the faulting address (0x7ffdd404f9b4) is marked as offset 436 within the frame
This frame has 1 object(s):
[32, 432) 'osaa' (line 2) <== Memory access at offset 436 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/osaa/桌面/fuzz/asan_lab/stackover.cpp:4:10 in main
Shadow bytes around the buggy address:
0x10003a801ee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10003a801ef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10003a801f00: f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 00
0x10003a801f10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10003a801f20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10003a801f30: 00 00 00 00 00 00[f3]f3 f3 f3 f3 f3 f3 f3 f3 f3
0x10003a801f40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10003a801f50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10003a801f60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10003a801f70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10003a801f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==3116373==ABORTING
# this part is a map of the shadow memory around the faulting address

Next is the global-variable case; by the same reasoning we can see that a global buffer overflow happened at 0x55d8fd970cf4.

==3118611==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55d8fd970cf4 at pc 0x55d8fd93bedc bp 0x7fff2488bba0 sp 0x7fff2488bb98                                                                                                     
READ of size 4 at 0x55d8fd970cf4 thread T0
#0 0x55d8fd93bedb in main /home/osaa/桌面/fuzz/asan_lab/global_buf_ex.cpp:4:10
#1 0x7fcefdc2d189 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#2 0x7fcefdc2d244 in __libc_start_main csu/../csu/libc-start.c:381:3
#3 0x55d8fd87e300 in _start (/home/osaa/桌面/fuzz/asan_lab/global_buf_ex+0x20300) (BuildId: e514f816b4c9a8607c4d2cac83c6aa6c8e736afc)

0x55d8fd970cf4 is located 4 bytes to the right of global variable 'osaa' defined in 'global_buf_ex.cpp:2:5' (0x55d8fd970b60) of size 400
SUMMARY: AddressSanitizer: global-buffer-overflow /home/osaa/桌面/fuzz/asan_lab/global_buf_ex.cpp:4:10 in main
Shadow bytes around the buggy address:
0x0abb9fb26140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0abb9fb26150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0abb9fb26160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0abb9fb26170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0abb9fb26180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0abb9fb26190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[f9]f9
0x0abb9fb261a0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0abb9fb261b0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
0x0abb9fb261c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0abb9fb261d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0abb9fb261e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==3118611==ABORTING

In the same way, let me record the other bug classes. The next one is a temporary variable that is used again after leaving the scope it was declared in (stack-use-after-scope).

==3121967==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7ffc8dec3ee0 at pc 0x5601e8037fbe bp 0x7ffc8dec3eb0 sp 0x7ffc8dec3ea8                                                                                                      
WRITE of size 4 at 0x7ffc8dec3ee0 thread T0
#0 0x5601e8037fbd in main /home/osaa/桌面/fuzz/asan_lab/stack_use_after_sc.cpp:9:6
#1 0x7f56074d9189 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#2 0x7f56074d9244 in __libc_start_main csu/../csu/libc-start.c:381:3
#3 0x5601e7f7a300 in _start (/home/osaa/桌面/fuzz/asan_lab/stack_use_after_sc+0x20300) (BuildId: ddeb341fa724c7fc4aaf3a36d7181f1af9aaeabc)

Address 0x7ffc8dec3ee0 is located in stack of thread T0 at offset 32 in frame
#0 0x5601e8037eaf in main /home/osaa/桌面/fuzz/asan_lab/stack_use_after_sc.cpp:4

This frame has 1 object(s):
[32, 36) 'osaa' (line 6) <== Memory access at offset 32 is inside this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-use-after-scope /home/osaa/桌面/fuzz/asan_lab/stack_use_after_sc.cpp:9:6 in main
Shadow bytes around the buggy address:
0x100011bd0780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100011bd0790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100011bd07a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100011bd07b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100011bd07c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100011bd07d0: 00 00 00 00 00 00 00 00 f1 f1 f1 f1[f8]f3 f3 f3
0x100011bd07e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100011bd07f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100011bd0800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100011bd0810: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100011bd0820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==3121967==ABORTING

When an inline function is marked as non-inline, a bug similar to stack-use-after-scope appears (reported as stack-use-after-return).

=================================================================
==3128767==ERROR: AddressSanitizer: stack-use-after-return on address 0x7f5e6c000024 at pc 0x55b0a492f06c bp 0x7fffa9f65d40 sp 0x7fffa9f65d38
READ of size 4 at 0x7f5e6c000024 thread T0
#0 0x55b0a492f06b in main /home/osaa/桌面/fuzz/asan_lab/stack_after_return.cpp:12:10
#1 0x7f5e6db2b189 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#2 0x7f5e6db2b244 in __libc_start_main csu/../csu/libc-start.c:381:3
#3 0x55b0a4871300 in _start (/home/osaa/桌面/fuzz/asan_lab/stack_use_after_return+0x20300) (BuildId: 17029a1a9d90225c3fcd1f3ca22844d46ab77b87)

Address 0x7f5e6c000024 is located in stack of thread T0 at offset 36 in frame
#0 0x55b0a492eeaf in FunctionA() /home/osaa/桌面/fuzz/asan_lab/stack_after_return.cpp:5

This frame has 1 object(s):
[32, 432) 'osaa' (line 6) <== Memory access at offset 36 is inside this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-use-after-return /home/osaa/桌面/fuzz/asan_lab/stack_after_return.cpp:12:10 in main
Shadow bytes around the buggy address:
0x0fec4d7f7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fec4d7f7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fec4d7f7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fec4d7f7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fec4d7f7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fec4d7f8000: f5 f5 f5 f5[f5]f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
0x0fec4d7f8010: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
0x0fec4d7f8020: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
0x0fec4d7f8030: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
0x0fec4d7f8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fec4d7f8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==3128767==ABORTING

Next is an out-of-bounds access on the heap.

=================================================================
==3132691==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6140000001d4 at pc 0x5608f3bcf1fd bp 0x7ffda8f2f3b0 sp 0x7ffda8f2f3a8
READ of size 4 at 0x6140000001d4 thread T0
#0 0x5608f3bcf1fc in main /home/osaa/桌面/fuzz/asan_lab/uaf.cpp:5
#1 0x7f9a24c46189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#2 0x7f9a24c46244 in __libc_start_main_impl ../csu/libc-start.c:381
#3 0x5608f3bcf0c0 in _start (/home/osaa/桌面/fuzz/asan_lab/uaf+0x10c0)

0x6140000001d4 is located 4 bytes to the right of 400-byte region [0x614000000040,0x6140000001d0)
allocated by thread T0 here:
#0 0x7f9a24eb00c7 in operator new[](unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:102
#1 0x5608f3bcf195 in main /home/osaa/桌面/fuzz/asan_lab/uaf.cpp:3

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/osaa/桌面/fuzz/asan_lab/uaf.cpp:5 in main
Shadow bytes around the buggy address:
0x0c287fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c287fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c287fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c287fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c287fff8020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c287fff8030: 00 00 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa
0x0c287fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c287fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c287fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c287fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c287fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3132691==ABORTING

Next is the UAF bug that pwn players know best.

==3133335==ERROR: AddressSanitizer: heap-use-after-free on address 0x614000000044 at pc 0x55f3fd3f41cb bp 0x7fff942f74c0 sp 0x7fff942f74b8                                                                                                        
READ of size 4 at 0x614000000044 thread T0
#0 0x55f3fd3f41ca in main /home/osaa/桌面/fuzz/asan_lab/uaf.cpp:5
#1 0x7fecac046189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#2 0x7fecac046244 in __libc_start_main_impl ../csu/libc-start.c:381
#3 0x55f3fd3f40b0 in _start (/home/osaa/桌面/fuzz/asan_lab/uaf+0x10b0)

0x614000000044 is located 4 bytes inside of 400-byte region [0x614000000040,0x6140000001d0)
freed by thread T0 here:
#0 0x7fecac2b0a87 in operator delete[](void*) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:163
#1 0x55f3fd3f4195 in main /home/osaa/桌面/fuzz/asan_lab/uaf.cpp:4

previously allocated by thread T0 here:
#0 0x7fecac2b00c7 in operator new[](unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:102
#1 0x55f3fd3f418a in main /home/osaa/桌面/fuzz/asan_lab/uaf.cpp:3

SUMMARY: AddressSanitizer: heap-use-after-free /home/osaa/桌面/fuzz/asan_lab/uaf.cpp:5 in main
Shadow bytes around the buggy address:
0x0c287fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c287fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c287fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c287fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c287fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c287fff8000: fa fa fa fa fa fa fa fa[fd]fd fd fd fd fd fd fd
0x0c287fff8010: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c287fff8020: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c287fff8030: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
0x0c287fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c287fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3133335==ABORTING

The last kind is a memory leak: a pointer points to a block, the pointer is never used again, and the block stays on the heap where it can no longer be touched.

==3134055==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 8 byte(s) in 1 object(s) allocated from:
#0 0x55571255914e in __interceptor_malloc (/home/osaa/桌面/fuzz/asan_lab/mem_leak+0xa314e) (BuildId: 2acd876452190a500971caf36fe487f749e427eb)
#1 0x555712593eb8 in main /home/osaa/桌面/fuzz/asan_lab/mem_leak.cpp:8:10
#2 0x7f9182d8c189 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: 8 byte(s) leaked in 1 allocation(s).
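As an added example (not code from this post and not from the AFL++ or LLVM projects), here is a small Python parser for reports like the ones above, including the tiffinfo report in the LibTIFF section later: it extracts the error kind, address, access kind and size, the faulting stack and the "is located" note, then builds a dedup key from the error kind plus the first frame that resolved to a source line, which is what you need once a campaign produces dozens of sanitizer crashes. The SAMPLE_* strings are constructed by trimming reports shown on this page.

```python
"""Parse AddressSanitizer / LeakSanitizer reports into triage records.

Added example for this post, not code from the blog or from the AFL++ or LLVM
projects. It pulls out the error kind, faulting address, access kind and size,
the faulting stack and the "is located ..." note, then builds a dedup key from
the error kind plus the first frame that resolved to a source line. The
SAMPLE_* texts are constructed by trimming the reports shown on the page.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

HEADER_RE = re.compile(r"==(\d+)==ERROR: (AddressSanitizer|LeakSanitizer): (.+?)"
                       r"(?: on address (0x[0-9a-f]+).*)?$")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+ thread T\d+")
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-f]+\s+in\s+(.*)$")
SRC_LOC_RE = re.compile(r"^(.*?)\s+(\S+:\d+(?::\d+)?)$")      # func path:line[:col]
MOD_LOC_RE = re.compile(r"^(.*?)\s+\((\S+\+0x[0-9a-f]+)\)")   # func (module+offset)
LOCATED_RE = re.compile(r"^(?:Address )?0x[0-9a-f]+ is located (.*)$")


@dataclass
class Frame:
    index: int
    function: str
    location: str
    has_source: bool   # file:line[:col] rather than module+offset


@dataclass
class Report:
    pid: int
    tool: str
    kind: str
    address: Optional[str] = None
    access: Optional[str] = None     # READ or WRITE
    size: Optional[int] = None
    frames: List[Frame] = field(default_factory=list)
    located: Optional[str] = None    # text after "... is located"

    def top_source_frame(self) -> Optional[Frame]:
        """First frame of the faulting stack with a source line; skips
        interceptors such as fputs or malloc that only resolve to an offset."""
        for fr in self.frames:
            if fr.has_source:
                return fr
        return self.frames[0] if self.frames else None

    def dedup_key(self) -> str:
        fr = self.top_source_frame()
        where = f"{fr.function}@{fr.location}" if fr else "unknown"
        return f"{self.kind}|{where}"


def _parse_frame(index: int, rest: str) -> Frame:
    m = SRC_LOC_RE.match(rest)
    if m:
        return Frame(index, m.group(1), m.group(2), True)
    m = MOD_LOC_RE.match(rest)
    if m:
        return Frame(index, m.group(1), m.group(2), False)
    return Frame(index, rest.strip(), "", False)


def parse_report(text: str) -> Optional[Report]:
    """Parse one report; None when no ==PID==ERROR header is present."""
    report, stack_done = None, False
    for raw in text.splitlines():
        line = raw.rstrip()
        if report is None:
            m = HEADER_RE.search(line)
            if m:
                report = Report(int(m.group(1)), m.group(2), m.group(3), m.group(4))
            continue
        m = ACCESS_RE.match(line)
        if m:
            report.access, report.size = m.group(1), int(m.group(2))
            continue
        m = FRAME_RE.match(line)
        if m and not stack_done:
            report.frames.append(_parse_frame(int(m.group(1)), m.group(2)))
            continue
        if report.frames:
            stack_done = True    # first non-frame line ends the faulting stack
        m = LOCATED_RE.match(line)
        if m:
            report.located = m.group(1)
    return report


def bucket(reports: List[Report]) -> Dict[str, List[Report]]:
    """One bucket per distinct crash site, keyed by dedup_key()."""
    out: Dict[str, List[Report]] = {}
    for r in reports:
        out.setdefault(r.dedup_key(), []).append(r)
    return out


SAMPLE_STACK = """\
==3116373==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdd404f9b4 at pc 0x55d2ab84708d bp 0x7ffdd404f7f0 sp 0x7ffdd404f7e8
READ of size 4 at 0x7ffdd404f9b4 thread T0
    #0 0x55d2ab84708c in main /home/osaa/桌面/fuzz/asan_lab/stackover.cpp:4:10
    #1 0x7f2f7af6f189 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #2 0x55d2ab789300 in _start (/home/osaa/桌面/fuzz/asan_lab/stackover+0x20300) (BuildId: 70598e6f1fc76855f20289da2c89caf8155ace14)
Address 0x7ffdd404f9b4 is located in stack of thread T0 at offset 436 in frame
    #0 0x55d2ab846eaf in main /home/osaa/桌面/fuzz/asan_lab/stackover.cpp:1
"""
SAMPLE_TIFF = """\
==2688234==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000071 at pc 0x55ec6f1d24e1 bp 0x7ffceb971fb0 sp 0x7ffceb971778
READ of size 2 at 0x602000000071 thread T0
    #0 0x55ec6f1d24e0 in fputs (/home/osaa/桌面/fuzz/fuzzing_tiff/install/bin/tiffinfo+0x614e0) (BuildId: 09ddfdfe67d478d303d725e7968d407c632d1072)
    #1 0x55ec6f2c5051 in _TIFFPrintField /home/osaa/桌面/fuzz/fuzzing_tiff/tiff-4.0.4/libtiff/tif_print.c:127:4

0x602000000071 is located 0 bytes to the right of 1-byte region [0x602000000070,0x602000000071)
"""
SAMPLE_LEAK = """\
==3134055==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 8 byte(s) in 1 object(s) allocated from:
    #0 0x55571255914e in __interceptor_malloc (/home/osaa/桌面/fuzz/asan_lab/mem_leak+0xa314e) (BuildId: 2acd876452190a500971caf36fe487f749e427eb)
    #1 0x555712593eb8 in main /home/osaa/桌面/fuzz/asan_lab/mem_leak.cpp:8:10
"""

if __name__ == "__main__":
    for key, group in bucket([parse_report(s) for s in (SAMPLE_STACK, SAMPLE_TIFF, SAMPLE_LEAK)]).items():
        print(len(group), key)
```

The dedup key deliberately skips frames that only resolve to module+offset, so the tiffinfo crash is keyed on _TIFFPrintField at tif_print.c:127:4 rather than on the fputs interceptor, and the leak is keyed on the allocation site in main.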

Fuzzing101

Project: https://github.com/antonio-morales/Fuzzing101

Detailed setup tutorials are everywhere online, so I'll just record the pitfalls I hit. When fuzzing, try to pick Kali as the platform; Ubuntu, especially version 22, has an unusual number of pitfalls (why? because I spent a whole day being tortured by it, and after switching to Kali everything went through as smoothly as a good dump (: and it just worked). It is easy to fail while configuring AFL and the CC and CXX environment variables, which leaves the instrumentation broken; maddening. Also, when setting the LLVM_CONFIG environment variable, be absolutely sure there are no extra spaces; this mistake is very hard to spot: export LLVM_CONFIG="llvm-config-11"

Fuzzing101 Libexif

Main points on the afl-fuzz parameters:
-i: input directory
-o: output directory
-s: fixes the seed of the mutation RNG (so a run can be repeated)
--: separator between the afl-fuzz options and the target command line
@@: placeholder for the input file; without it the target reads the input from stdin

ex:
/home/osaa/桌面/fuzz/AFLplusplus/afl-fuzz -i /home/osaa/桌面/fuzz/fuzzing_libexif/exif-samples-master/jpg -o /home/osaa/桌面/fuzz/fuzzing_libexif/out -s 123 /home/osaa/桌面/fuzz/fuzzing_libexif/install/bin/exif @@

result:
american fuzzy lop ++4.06a {default} (...ng_libexif/install/bin/exif) [fast]
┌─ process timing ────────────────────────────────────┬─ overall results ────┐
│ run time : 0 days, 0 hrs, 10 min, 40 sec │ cycles done : 0
│ last new find : 0 days, 0 hrs, 0 min, 24 sec │ corpus count : 621
│last saved crash : 0 days, 0 hrs, 0 min, 59 sec │saved crashes : 12
│ last saved hang : 0 days, 0 hrs, 3 min, 18 sec │ saved hangs : 1
├─ cycle progress ─────────────────────┬─ map coverage┴──────────────────────┤
│ now processing : 593*1 (95.5%) │ map density : 0.44% / 1.14% │
│ runs timed out : 0 (0.00%) │ count coverage : 3.12 bits/tuple │
├─ stage progress ─────────────────────┼─ findings in depth ─────────────────┤
│ now trying : splice 4 │ favored items : 121 (19.48%) │
│ stage execs : 4/50 (8.00%) │ new edges on : 170 (27.38%) │
│ total execs : 591k │ total crashes : 55 (12 saved) │
│ exec speed : 1188/sec │ total tmouts : 13 (0 saved) │
├─ fuzzing strategy yields ────────────┴─────────────┬─ item geometry ───────┤
│ bit flips : disabled (default, enable with -D) │ levels : 10
│ byte flips : disabled (default, enable with -D) │ pending : 434
│ arithmetics : disabled (default, enable with -D) │ pend fav : 3
│ known ints : disabled (default, enable with -D) │ own finds : 527
│ dictionary : n/a │ imported : 0
│havoc/splice : 452/334k, 87/118k │ stability : 100.00% │
│py/custom/rq : unused, unused, unused, unused ├───────────────────────┘
│ trim/eff : 74.94%/134k, disabled │ [cpu000: 50%]
└────────────────────────────────────────────────────┘^C

+++ Testing aborted by user +++
[+] We're done here. Have a nice day!

We can also take a file from crashes/ straight into gdb and trace it to the overflow point.

ex:
gdb --args ./exif /home/osaa/桌面/fuzz/fuzzing_libexif/out/default/crashes/id:000000,sig:11,src:000181+000232,time:33959,execs:34578,op:splice,rep:8


result:
87 exif_get_sshort (const unsigned char *buf, ExifByteOrder order)
88 {
89 if (!buf) return 0;
90 switch (order) {
91 case EXIF_BYTE_ORDER_MOTOROLA:
92 return ((buf[0] << 8) | buf[1]);
93 case EXIF_BYTE_ORDER_INTEL:
94 return ((buf[1] << 8) | buf[0]);
95 }
96
97 /* Won't be reached */
────────────────────────────────────────────[ STACK ]────────────────────────────────────────────
00:0000│ rsp 0x7fffffffd5d8 —▸ 0x555555566e15 (exif_data_load_data+1349) ◂— movzx eax, ax
01:0008│     0x7fffffffd5e0 —▸ 0x5555557a01e8 —▸ 0x5555557a0200 ◂— 0x0
02:0010│     0x7fffffffd5e8 ◂— 0x47e555652ea
03:0018│     0x7fffffffd5f0 —▸ 0x55555579fd26 ◂— 0xfbffffff2a004d4d /* 'MM' */
04:0020│     0x7fffffffd5f8 —▸ 0x55555579fcd0 ◂— 0x100000006
05:0028│     0x7fffffffd600 —▸ 0x55555559a250 (__afl_area_ptr) —▸ 0x55555559d3c0 (__afl_area_initial) ◂— 0x0
06:0030│     0x7fffffffd608 —▸ 0x55555579f7a0 —▸ 0x55555579fbb0 ◂— 0x736f2f656d6f682f ('/home/os')
07:0038│     0x7fffffffd610 —▸ 0x5555557a01b0 —▸ 0x5555557a0240 ◂— 0x0
──────────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────────
► f 0 0x5555555735fb exif_get_short+107
f 1 0x5555555735fb exif_get_short+107
f 2 0x555555566e15 exif_data_load_data+1349
f 3 0x5555555700a4 exif_loader_get_data+100
f 4 0x555555561337 main+2279
f 5 0x7ffff7d0818a __libc_start_call_main+122
f 6 0x7ffff7d08245 __libc_start_main+133
f 7 0x55555555f5a1 _start+33
─────────────────────────────────────────────────────────────────────────────────
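The crash file name used above encodes how the input was produced. As an added example (not code from this post and not from AFL++), the Python below parses those names, tallies crashes by signal, mutation operator and fuzzer instance across the out/<instance>/crashes/ layout (the single "default" instance here, or -M/-S instances), and rebuilds the target command line by substituting the crash path for @@ the way afl-fuzz does, which is exactly what "gdb --args ..." needs. SAMPLE_FILES is a constructed directory listing; its first name is the one from this post.

```python
"""Triage helpers for an AFL++ output directory.

Added example for this post, not code from the blog or from AFL++. It parses
the crash file names AFL++ writes (id:NNNNNN,sig:NN,src:...,time:...,execs:...,
op:...,rep:N), groups them by signal, mutation operator and fuzzer instance,
and builds the reproduction command by substituting the crash path for the
'@@' placeholder as afl-fuzz does for the target. SAMPLE_FILES is a
constructed listing (its first name is the one shown in the post); the
out/<instance>/crashes/ layout is the one AFL++ uses both for the single
'default' instance and for -M/-S instances.
"""
import glob
import os
import signal
from collections import Counter
from typing import Iterable, List, Optional, Tuple

INT_FIELDS = ("id", "sig", "time", "execs", "rep")


def parse_crash_name(name: str) -> Optional[dict]:
    """Turn 'id:000000,sig:11,src:000181+000232,...' into a dict, or None for
    anything that is not a crash entry (such as the README.txt that AFL++
    drops into every crashes/ directory)."""
    fields = {}
    for part in name.split(","):
        key, sep, value = part.partition(":")
        if not sep:
            return None
        if key == "src":                       # one parent, or two for splice
            fields[key] = [int(s) for s in value.split("+")]
        elif key in INT_FIELDS:
            if not value.isdigit():
                return None
            fields[key] = int(value)
        else:
            fields[key] = value
    return fields if "id" in fields else None


def signal_name(num: int) -> str:
    try:
        return signal.Signals(num).name
    except ValueError:
        return f"SIG{num}"


def collect(paths: Iterable[str]) -> List[dict]:
    """Keep only entries under a crashes/ directory and tag each with its
    fuzzer instance (the directory above crashes/) and its full path."""
    crashes = []
    for path in paths:
        parts = path.replace(os.sep, "/").split("/")
        if len(parts) < 3 or parts[-2] != "crashes":
            continue
        fields = parse_crash_name(parts[-1])
        if fields is None:
            continue
        fields["instance"] = parts[-3]
        fields["path"] = path
        crashes.append(fields)
    return crashes


def find_crashes(out_dir: str) -> List[dict]:
    """Walk a real output directory: out/<instance>/crashes/*."""
    return collect(glob.glob(os.path.join(out_dir, "*", "crashes", "*")))


def summarize(crashes: List[dict]) -> dict:
    return {
        "by_signal": dict(Counter(signal_name(c["sig"]) for c in crashes)),
        "by_op": dict(Counter(c["op"] for c in crashes)),
        "by_instance": dict(Counter(c["instance"] for c in crashes)),
    }


def repro_argv(target_cmd: List[str], crash_path: str) -> Tuple[List[str], bool]:
    """Rebuild the target invocation for one crash. Every '@@' token becomes
    the crash file path; with no '@@' the target takes the input on stdin
    (second element True), so a shell repro needs '< path'."""
    if "@@" not in target_cmd:
        return list(target_cmd), True
    return [crash_path if tok == "@@" else tok for tok in target_cmd], False


def gdb_argv(target_cmd: List[str], crash_path: str) -> List[str]:
    """'gdb --args <target> <crash>' as used in the post; a stdin-fed target
    would instead need 'run < crash' inside gdb."""
    argv, _ = repro_argv(target_cmd, crash_path)
    return ["gdb", "--args", *argv]


SAMPLE_FILES = [   # constructed listing of an AFL++ output directory
    "out/default/crashes/id:000000,sig:11,src:000181+000232,time:33959,execs:34578,op:splice,rep:8",
    "out/default/crashes/id:000001,sig:06,src:000042,time:40111,execs:51200,op:havoc,rep:2",
    "out/default/crashes/README.txt",
    "out/default/hangs/id:000000,src:000010,time:200000,execs:300,op:havoc,rep:1",
    "out/osaa_fuzzer2/crashes/id:000000,sig:11,src:000017,time:9001,execs:12000,op:havoc,rep:4",
]
TARGET_CMD = ["/home/osaa/桌面/fuzz/fuzzing_libexif/install/bin/exif", "@@"]

if __name__ == "__main__":
    found = collect(SAMPLE_FILES)
    print(summarize(found))
    for c in found:
        print(" ".join(gdb_argv(TARGET_CMD, c["path"])))
```

Point find_crashes at a real -o directory and the same summary works across every -M/-S instance, which is a quick way to see whether secondary fuzzers are finding anything the main one is not.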


Also noting a Linux proxy client: git clone https://github.com/wanhebin/clash-for-linux.git works well 0.o (note that running the start script with sh may fail; use /bin/bash start.sh instead, see the GitHub issue for the reason)

Fuzzing101-TCPdump

The procedure is the same as the earlier Fuzzing101 exercises, but this one teaches the AFL_USE_ASAN setting; quoting an explanation of AFL_USE_ASAN:

It reads the values of the environment variables `AFL_USE_ASAN` and `AFL_USE_MSAN`; if either is 1, it sets `sanitizer` to 1 and divides `inst_ratio` by 3. This is because when compiling with ASAN, AFL cannot tell ASAN's own branches apart, so a lot of meaningless instrumentation would be inserted; the instrumentation probability is therefore crudely divided by 3.

Also note that when running the fuzzer you add -m none: ASAN mode consumes a lot of memory, so the memory limit has to be disabled.

Fuzzing101 - LibTIFF

result:

american fuzzy lop ++4.06a {default} (...g_tiff/install/bin/tiffinfo) [fast]
┌─ process timing ────────────────────────────────────┬─ overall results ────┐
│ run time : 0 days, 0 hrs, 9 min, 25 sec │ cycles done : 0
│ last new find : 0 days, 0 hrs, 0 min, 3 sec │ corpus count : 555
│last saved crash : 0 days, 0 hrs, 0 min, 0 sec │saved crashes : 30
│ last saved hang : 0 days, 0 hrs, 7 min, 4 sec │ saved hangs : 2
├─ cycle progress ─────────────────────┬─ map coverage┴──────────────────────┤
│ now processing : 340.2 (61.3%) │ map density : 0.35% / 1.89% │
│ runs timed out : 0 (0.00%) │ count coverage : 2.14 bits/tuple │
├─ stage progress ─────────────────────┼─ findings in depth ─────────────────┤
│ now trying : havoc │ favored items : 180 (32.43%) │
│ stage execs : 117/228 (51.32%) │ new edges on : 273 (49.19%) │
│ total execs : 667k │ total crashes : 56 (30 saved) │
│ exec speed : 1069/sec │ total tmouts : 1881 (0 saved) │
├─ fuzzing strategy yields ────────────┴─────────────┬─ item geometry ───────┤
│ bit flips : disabled (default, enable with -D) │ levels : 7
│ byte flips : disabled (default, enable with -D) │ pending : 380
│ arithmetics : disabled (default, enable with -D) │ pend fav : 92
│ known ints : disabled (default, enable with -D) │ own finds : 538
│ dictionary : n/a │ imported : 0
│havoc/splice : 514/375k, 54/97.8k │ stability : 100.00% │
│py/custom/rq : unused, unused, unused, unused ├───────────────────────┘
│ trim/eff : 1.88%/190k, disabled │ [cpu000: 50%]
└────────────────────────────────────────────────────┘^C

ASAN_result:

=================================================================
==2688234==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000071 at pc 0x55ec6f1d24e1 bp 0x7ffceb971fb0 sp 0x7ffceb971778
READ of size 2 at 0x602000000071 thread T0
#0 0x55ec6f1d24e0 in fputs (/home/osaa/桌面/fuzz/fuzzing_tiff/install/bin/tiffinfo+0x614e0) (BuildId: 09ddfdfe67d478d303d725e7968d407c632d1072)
#1 0x55ec6f2c5051 in _TIFFPrintField /home/osaa/桌面/fuzz/fuzzing_tiff/tiff-4.0.4/libtiff/tif_print.c:127:4
#2 0x55ec6f2c5051 in TIFFPrintDirectory /home/osaa/桌面/fuzz/fuzzing_tiff/tiff-4.0.4/libtiff/tif_print.c:641:5
#3 0x55ec6f273e38 in tiffinfo /home/osaa/桌面/fuzz/fuzzing_tiff/tiff-4.0.4/tools/tiffinfo.c:449:2
#4 0x55ec6f2737e6 in main /home/osaa/桌面/fuzz/fuzzing_tiff/tiff-4.0.4/tools/tiffinfo.c:152:6
#5 0x7f41f3241189 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#6 0x7f41f3241244 in __libc_start_main csu/../csu/libc-start.c:381:3
#7 0x55ec6f1b5570 in _start (/home/osaa/桌面/fuzz/fuzzing_tiff/install/bin/tiffinfo+0x44570) (BuildId: 09ddfdfe67d478d303d725e7968d407c632d1072)

0x602000000071 is located 0 bytes to the right of 1-byte region [0x602000000070,0x602000000071)
allocated by thread T0 here:
#0 0x55ec6f2383be in __interceptor_malloc (/home/osaa/桌面/fuzz/fuzzing_tiff/install/bin/tiffinfo+0xc73be) (BuildId: 09ddfdfe67d478d303d725e7968d407c632d1072)
#1 0x55ec6f27b674 in setByteArray /home/osaa/桌面/fuzz/fuzzing_tiff/tiff-4.0.4/libtiff/tif_dir.c:51:19

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/osaa/桌面/fuzz/fuzzing_tiff/install/bin/tiffinfo+0x614e0) (BuildId: 09ddfdfe67d478d303d725e7968d407c632d1072) in fputs
Shadow bytes around the buggy address:
0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c047fff8000: fa fa 00 00 fa fa fd fa fa fa fd fa fa fa[01]fa
0x0c047fff8010: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==2688234==ABORTING


Fuzzing101 - tiff

Building on the previous exercises, this one teaches using lcov to inspect code coverage and to adjust the fuzzer's coverage and seed corpus. Remember that before using lcov you must set the environment variables export LDFLAGS="--coverage" export CFLAGS="--coverage", then make clean and make again.

sudo su
echo core >/proc/sys/kernel/core_pattern
exit

After adjusting the crash handling, run the fuzzer; afterwards you can see that, because I stopped fuzzing after only 3 minutes, the coverage is very low.

Current view: top level                          Hit     Total   Coverage
Test:         app2.info             Lines:      1229    11796   10.4 %
Date:         2023-02-27 16:09:56   Functions:  91      560     16.2 %
Legend:       Rating: low: < 75 %   medium: >= 75 %   high: >= 90 %

Directory   Line Coverage             Functions
libtiff     10.0 %   1159 / 11545     15.9 %   87 / 546
tools       27.9 %   70 / 251         28.6 %   4 / 14

Generated by: LCOV version 1.16

Fuzzing101 - libxml

This exercise covers fuzzing with a dictionary and parallel testing on multiple cores.

Options to remember: -M names a main fuzzer instance; -D enables deterministic mutations (only applies to the main instance); -S names a secondary fuzzer; -x gives the dictionary path; the --valid argument (to xmllint) makes it catch validation errors.

+++++fuzz1++++
/home/osaa/桌面/fuzz/AFLplusplus/afl-fuzz -m none -i /home/osaa/桌面/fuzz/fuzzing_libXML2/afl_in -o /home/osaa/桌面/fuzz/fuzzing_libXML2/afl_out -s 123 -x /home/osaa/桌面/fuzz/fuzzing_libXML2/dictionaries/xml.dict -D -M osaa_fuzzer1 -- /home/osaa/桌面/fuzz/fuzzing_libXML2/install/bin/xmllint --memory --noenc --nocdata --dtdattr --loaddtd --valid --xinclude @@
+++++fuzz2+++++
/home/osaa/桌面/fuzz/AFLplusplus/afl-fuzz -m none -i /home/osaa/桌面/fuzz/fuzzing_libXML2/afl_in -o /home/osaa/桌面/fuzz/fuzzing_libXML2/afl_out -s 234 -S osaa_fuzzer2 -- /home/osaa/桌面/fuzz/fuzzing_libXML2/install/bin/xmllint --memory --noenc --nocdata --dtdattr --loaddtd --valid --xinclude @@

#########################FUZZ1####################################
american fuzzy lop ++4.06a {osaa_fuzzer1} (...L2/install/bin/xmllint) [fast]
┌─ process timing ────────────────────────────────────┬─ overall results ────┐
│ run time : 0 days, 0 hrs, 3 min, 2 sec │ cycles done : 0
│ last new find : 0 days, 0 hrs, 0 min, 17 sec │ corpus count : 88
│last saved crash : none seen yet │saved crashes : 0
│ last saved hang : none seen yet │ saved hangs : 0
├─ cycle progress ─────────────────────┬─ map coverage┴──────────────────────┤
│ now processing : 2.0 (2.3%) │ map density : 0.88% / 1.16% │
│ runs timed out : 0 (0.00%) │ count coverage : 1.16 bits/tuple │
├─ stage progress ─────────────────────┼─ findings in depth ─────────────────┤
│ now trying : arith 8/8 │ favored items : 11 (12.50%) │
│ stage execs : 13.4k/283k (4.71%) │ new edges on : 19 (21.59%) │
│ total execs : 149k │ total crashes : 0 (0 saved) │
│ exec speed : 753.0/sec │ total tmouts : 0 (0 saved) │
├─ fuzzing strategy yields ────────────┴─────────────┬─ item geometry ───────┤
│ bit flips : 0/40.9k, 3/40.9k, 1/40.9k │ levels : 2
│ byte flips : 0/5107, 0/4099, 0/4099 │ pending : 33
│ arithmetics : 0/0, 0/0, 0/0 │ pend fav : 11
│ known ints : 0/0, 0/0, 0/0 │ own finds : 9
│ dictionary : 0/0, 0/0, 0/0, 0/0 │ imported : 0
│havoc/splice : 0/0, 0/0 │ stability : 100.00% │
│py/custom/rq : unused, unused, unused, unused ├───────────────────────┘
│ trim/eff : disabled, 99.53% │ [cpu000:100%]
└────────────────────────────────────────────────────┘^C

+++ Testing aborted by user +++
[+] We're done here. Have a nice day!

++++++++++++++++++FUZZ2++++++++++++++++++++++++++++++++++++++
american fuzzy lop ++4.06a {osaa_fuzzer2} (...L2/install/bin/xmllint) [fast]
┌─ process timing ────────────────────────────────────┬─ overall results ────┐
│ run time : 0 days, 0 hrs, 2 min, 32 sec │ cycles done : 0
│ last new find : 0 days, 0 hrs, 0 min, 2 sec │ corpus count : 651
│last saved crash : none seen yet │saved crashes : 0
│ last saved hang : none seen yet │ saved hangs : 0
├─ cycle progress ─────────────────────┬─ map coverage┴──────────────────────┤
│ now processing : 441.1 (67.7%) │ map density : 1.14% / 2.53% │
│ runs timed out : 0 (0.00%) │ count coverage : 2.44 bits/tuple │
├─ stage progress ─────────────────────┼─ findings in depth ─────────────────┤
│ now trying : havoc │ favored items : 157 (24.12%) │
│ stage execs : 14.7k/25.6k (57.51%) │ new edges on : 234 (35.94%) │
│ total execs : 120k │ total crashes : 0 (0 saved) │
│ exec speed : 893.0/sec │ total tmouts : 0 (0 saved) │
├─ fuzzing strategy yields ────────────┴─────────────┬─ item geometry ───────┤
│ bit flips : disabled (default, enable with -D) │ levels : 4
│ byte flips : disabled (default, enable with -D) │ pending : 588
│ arithmetics : disabled (default, enable with -D) │ pend fav : 153
│ known ints : disabled (default, enable with -D) │ own finds : 569
│ dictionary : n/a │ imported : 3
│havoc/splice : 324/78.4k, 231/21.5k │ stability : 100.00% │
│py/custom/rq : unused, unused, unused, unused ├───────────────────────┘
│ trim/eff : 21.20%/1035, disabled │ [cpu001: 75%]
└────────────────────────────────────────────────────┘^C

+++ Testing aborted by user +++
[+] We're done here. Have a nice day!