American Fuzzy Lop
From charlesreid1
Fuzzer
https://necurity.co.uk/netsec/2015/03/30/Fun-With-AFL.html
About
American fuzzy lop (AFL) is a program for fuzzing program inputs. It is very sophisticated: it instruments a binary at compile time so that the fuzzing is guided by which code paths each input reaches, which makes it very targeted.
Installing
Get the latest version, and run make to build it:
$ wget http://lcamtuf.coredump.cx/afl/releases/afl-latest.tgz
$ tar -xvf afl-latest.tgz
$ cd afl-*
$ make
$ make install
Success!
root@morpheus:~/codes/afl-2.10b# which afl-fuzz
/usr/local/bin/afl-fuzz
Fuzzing a Program
Programs that can be fuzzed are those that take input files, usually binary files or unusual formats. (Think mp3, multimedia, images, etc.)
We'll be fuzzing John the Ripper to understand how AFL works.
Compiling John the Ripper
We want to download and compile John so that it will be instrumented.
Dependencies
Start with dependencies - OpenSSL development libs:
# apt-get install --fix-missing libssl-dev
Get John the Ripper
# git clone git@github.com:magnumripper/JohnTheRipper.git
# cd JohnTheRipper/src
# ./configure --help
Compile John the Ripper
We will compile John the Ripper with AFL's compiler wrapper, afl-gcc, which inserts the instrumentation as the code is compiled:
CC=/path/to/afl-gcc ./configure
[...]
config.status: creating Makefile
config.status: creating aes/Makefile
config.status: creating aes/aesni/Makefile
config.status: creating aes/openssl/Makefile
config.status: creating escrypt/Makefile
config.status: creating autoconfig.h
config.status: linking x86-64.h to arch.h
config.status: executing default commands
configure: creating ./fmt_externs.h
afl-cc 2.10b by <lcamtuf@google.com>
configure: creating ./fmt_registers.h
afl-cc 2.10b by <lcamtuf@google.com>
afl-cc 2.10b by <lcamtuf@google.com>
afl-cc 2.10b by <lcamtuf@google.com>
Configured for building John the Ripper jumbo:
Target CPU ................................. x86_64 SSE4.1, 64-bit LE
AES-NI support ............................. depends on OpenSSL
Target OS .................................. linux-gnu
Cross compiling ............................ no
Legacy arch header ......................... x86-64.h
Optional libraries/features found:
Fuzzing test ............................... no
Experimental code .......................... no
OpenMPI support (default disabled) ......... no
Fork support ............................... yes
OpenMP support ............................. yes (not for fast formats)
CUDA support (default disabled by OpenCL) .. no
OpenCL support ............................. no
Generic crypt(3) format .................... yes
Rexgen (extra cracking mode) ............... no
GMP (PRINCE mode and faster SRP formats) ... yes
PCAP (vncpcap2john and SIPdump) ............ no
Z (pkzip format, gpg2john) ................. yes
BZ2 (gpg2john extra decompression logic) ... no
128-bit integer (faster PRINCE mode) ....... yes
Memory map (share/page large files) ........ yes
Development options (these may hurt performance when enabled):
Memdbg memory debugging settings ........... disabled
AddressSanitizer ("ASan") .................. disabled
UndefinedBehaviorSanitizer ("UbSan") ....... disabled
Install missing libraries to get any needed features that were omitted.
Configure finished. Now 'make clean && make -s' to compile.
When you run make clean && make -s, you will see lots of output like this, one "Instrumented N locations" line per compiled source file:
# make clean && make -s
[...]
[+] Instrumented 386 locations (64-bit, non-hardened mode, ratio 100%).
afl-as 2.10b by <lcamtuf@google.com>
Now we have compiled binaries in the run/ directory, one level up:
# cd ../run/
# ./john
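The page stops at the freshly built binary. As an added example (not part of the original page, and not John the Ripper's or AFL's own tooling), the following POSIX shell script covers what a practitioner does next: it checks that the binary really carries AFL instrumentation, builds a small seed corpus of the kind of password-file input john reads, and assembles the afl-fuzz command line. The path ../run/john, the afl_in/afl_out directory names and the choice of the raw-md5 format are assumptions; the seed hashes are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the wiki page: sanity-check the afl-gcc build of
# john and prepare an afl-fuzz run against it.
set -eu

# afl-gcc's instrumentation embeds the name of the shared-memory environment
# variable, __AFL_SHM_ID, in the binary; afl-fuzz itself looks for that string
# and refuses to start on an uninstrumented target. Prints "yes" or "no".
check_instrumented() {
    if grep -q -a '__AFL_SHM_ID' "$1" 2>/dev/null; then
        echo yes
    else
        echo no
    fi
}

# Create a small seed corpus, one password-file-style input per file. AFL works
# best with tiny, valid seeds; one malformed seed is included so the fuzzer
# starts from the error path as well. The hashes are constructed sample values
# (5f4dcc3b... is the MD5 of "password"). Prints the number of seed files.
make_seed_corpus() {
    dir="$1"
    mkdir -p "$dir"
    printf 'user1:5f4dcc3b5aa765d61d8327deb882cf99\n' > "$dir/raw-md5-1.txt"
    printf 'user2:5f4dcc3b5aa765d61d8327deb882cf99\nuser3:5f4dcc3b5aa765d61d8327deb882cf99\n' > "$dir/raw-md5-2.txt"
    printf 'nohash\n' > "$dir/malformed.txt"
    ls "$dir" | wc -l | tr -d ' '
}

# Compose the afl-fuzz command line. afl-fuzz substitutes "@@" with the path of
# the current test case, which john then reads as a password file. Pinning the
# format (assumed here: raw-md5) keeps the run on one parser instead of letting
# john autodetect. Nothing is executed here; the caller runs the command.
afl_command() {
    target="$1"; indir="$2"; outdir="$3"
    echo "afl-fuzz -i $indir -o $outdir -- $target --format=raw-md5 @@"
}

main() {
    john="${1:-../run/john}"   # assumed location of the instrumented binary
    n=$(make_seed_corpus afl_in)
    echo "wrote $n seed files to afl_in/"
    if [ "$(check_instrumented "$john")" = yes ]; then
        echo "$john carries AFL instrumentation; start fuzzing with:"
        afl_command "$john" afl_in afl_out
    else
        echo "$john is missing or not instrumented: rebuild with CC=/path/to/afl-gcc ./configure" >&2
    fi
}

main "${1:-}"
```

Run it from the src/ directory after the build above; if the instrumentation check fails, the usual cause is that configure picked up the system gcc rather than afl-gcc, which the "afl-cc 2.10b" lines in the configure output let you confirm.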