I needed driller while studying, but its installation kept running into odd problems, especially after angr 8 dropped Python 2 entirely, which made compatibility poor. I am recording the procedure that finally worked, for reference only. Note: the date is 2018-11-27, every repository is at its latest source as of that date, and the environment is Ubuntu 16.
Also, I recommend driving driller through shellphish's fuzzer script: it is more complete and performs better, and a hand-written script may break when the components are updated.
1. Install the Linux packages
sudo apt-get install build-essential gcc-multilib libtool automake autoconf bison debootstrap debian-archive-keyring libtool-bin python3-dev libffi-dev virtualenvwrapper
sudo apt-get build-dep qemu (may not be required)
2. Install angr
Install from source and create a Python virtual environment named angr; every Python package installed from here on goes into this environment.
git clone https://github.com/angr/angr-dev
cd angr-dev/
./setup.sh -i -e angr
Configure the virtual environment:
export WORKON_HOME=~/Envs
source /usr/local/bin/virtualenvwrapper.sh
You can add these two lines to .bashrc. The path may differ on your system; locate it with whereis. Enter the virtual environment:
workon angr
3. Install afl
Install the shellphish build of afl with pip.
pip3 install git+https://github.com/shellphish/shellphish-afl
Installation takes a while because several qemu versions are downloaded and built.
Also check where afl ends up after installation: the fuzzer script expects afl under ~/Envs/angr/bin/ and errors out if it is not there.
I hit this problem, so I copied the installed afl into that directory.
cd ~
cp -r ./.local/bin/afl-unix/ Envs/angr/bin/
cp -r ./.local/bin/afl-cgc/ Envs/angr/bin/
cp -r ./.local/bin/afl-multi-cgc/ Envs/angr/bin/
4. Install the remaining dependencies
These install quickly; all are built from source for compatibility.
git clone git@github.com:shellphish/driller.git
cd driller/
python3 setup.py install
cd ..
git clone git@github.com:angr/tracer.git
cd tracer/
python3 setup.py install
cd ..
git clone git@github.com:angr/cle.git
cd cle/
python3 setup.py install
cd ..
5. Test
The test uses an example from a post by a blogger abroad:
Guided Fuzzing with Driller
Test case buggy.c:
#include <stdio.h>
#include <unistd.h>

int main(int argc, char *argv[]) {
    char buffer[6] = {0};
    int i;
    int *null = 0;

    read(0, buffer, 6);
    /* only the exact 6-byte input 7/42a8 reaches the NULL dereference */
    if (buffer[0] == '7' && buffer[1] == '/' && buffer[2] == '4'
        && buffer[3] == '2' && buffer[4] == 'a' && buffer[5] == '8') {
        i = *null;
    }
    puts("No problem");
    return 0;
}
Compile with:
gcc -o buggy buggy.c
When the input is 7/42a8, the program crashes.
For running afl on its own, refer to the post linked above; the result is as follows:
Test with Driller, using the script from shellphish:
mkdir workdir2/
echo core | sudo tee /proc/sys/kernel/core_pattern
echo 1 | sudo tee /proc/sys/kernel/sched_child_runs_first
./fuzzer/shellphuzz -c 4 -d 1 -C -w workdir2 ./buggy
The fuzzing run emits many warnings and exceptions that I have not had time to analyse yet.
The final stretch of the output:
WARNING | 2018-11-27 23:19:52,465 | local_callback | Driller stuck callback triggered!
WARNING | 2018-11-27 23:19:52,468 | local_callback | starting drilling of buggy, id:000000,orig:seed-0
WARNING | 2018-11-27 23:19:55,127 | angr.state_plugins.symbolic_memory | Register r13 has an unspecified value; Generating an unconstrained value of 8 bytes.
WARNING | 2018-11-27 23:19:55,129 | angr.state_plugins.symbolic_memory | Register r12 has an unspecified value; Generating an unconstrained value of 8 bytes.
WARNING | 2018-11-27 23:19:55,132 | angr.state_plugins.symbolic_memory | Register rbx has an unspecified value; Generating an unconstrained value of 8 bytes.
WARNING | 2018-11-27 23:19:55,228 | angr.state_plugins.symbolic_memory | Register cc_ndep has an unspecified value; Generating an unconstrained value of 8 bytes.
WARNING | 2018-11-27 23:19:55,405 | angr.state_plugins.symbolic_memory | Register r14 has an unspecified value; Generating an unconstrained value of 8 bytes.
WARNING | 2018-11-27 23:19:55,607 | angr.state_plugins.symbolic_memory | Register r15 has an unspecified value; Generating an unconstrained value of 8 bytes.
Traceback (most recent call last):
File "/home/chen/Envs/angr/lib/python3.5/site-packages/driller/local_callback.py", line 122, in <module>
for new_input in d.drill_generator():
File "/home/chen/Envs/angr/lib/python3.5/site-packages/driller/driller_main.py", line 101, in drill_generator
for i in self._drill_input():
File "/home/chen/Envs/angr/lib/python3.5/site-packages/driller/driller_main.py", line 141, in _drill_input
simgr.step()
File "/home/chen/Desktop/angr-dev/angr/angr/misc/hookset.py", line 75, in __call__
result = current_hook(self.func.__self__, *args, **kwargs)
File "/home/chen/Desktop/angr-dev/angr/angr/exploration_techniques/driller_core.py", line 39, in step
simgr.step(stash=stash, **kwargs)
File "/home/chen/Desktop/angr-dev/angr/angr/misc/hookset.py", line 75, in __call__
result = current_hook(self.func.__self__, *args, **kwargs)
File "/home/chen/Desktop/angr-dev/angr/angr/exploration_techniques/tracer.py", line 115, in step
return simgr.step(stash=stash, **kwargs)
File "/home/chen/Desktop/angr-dev/angr/angr/misc/hookset.py", line 80, in __call__
return self.func(*args, **kwargs)
File "/home/chen/Desktop/angr-dev/angr/angr/sim_manager.py", line 344, in step
successors = self.step_state(state, successor_func=successor_func, **run_args)
File "/home/chen/Desktop/angr-dev/angr/angr/misc/hookset.py", line 75, in __call__
result = current_hook(self.func.__self__, *args, **kwargs)
File "/home/chen/Desktop/angr-dev/angr/angr/exploration_techniques/tracer.py", line 135, in step_state
raise Exception("All states disappeared!")
Exception: All states disappeared!
(b'', None)
[*] Crash found!
[*] Terminating fuzzer.
After roughly 5 minutes the crashing input is found; this is considerably more efficient than afl alone.
The mutated files appear under the workdir2 set up earlier:
(angr) [chen:workdir2]$ cd buggy/
buggy.dict fuzzer-1.log fuzzer-2.log fuzzer-3.log fuzzer-master.log input sync
(angr) [chen:buggy]$ pwd
/home/chen/Desktop/workdir2/buggy
The crashing file is found under /home/chen/Desktop/workdir2/buggy/sync/fuzzer-2/crashes.
(angr) [chen:fuzzer-2]$ cd crashes/
id:000000,sig:11,src:000005,op:havoc,rep:8 README.txt
(angr) [chen:crashes]$ cat id\:000000\,sig\:11\,src\:000005\,op\:havoc\,rep\:8
7/42a888�88-888888888
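Once shellphuzz reports a crash, the crashes directory listed above is what gets triaged. The script below is an added example, not part of the original post nor of driller/shellphuzz: it parses AFL's crash file names (id/sig/src/op/rep), maps sig:11 to SIGSEGV, and checks the first six bytes of each file against the compare chain in buggy.c, since read(0, buffer, 6) ignores everything after them. The directory layout and the crash file content are constructed from the listing above, with the undisplayable byte replaced by 0xff.

```python
import os
import signal
import tempfile

READ_LEN = 6              # buggy.c does read(0, buffer, 6): bytes past the 6th are never used
CRASH_PREFIX = b"7/42a8"  # the six-way compare chain that leads to i = *null

def parse_crash_name(name):
    """Split id:000000,sig:11,src:000005,op:havoc,rep:8 into a dict; None if not AFL-shaped."""
    fields = {}
    for part in name.split(","):
        key, sep, value = part.partition(":")
        if not sep:
            return None  # README.txt and other non-crash entries
        fields[key] = value
    return fields if "id" in fields and "sig" in fields else None

def signal_name(sig):
    """Map AFL's sig:NN field to a name; sig:11 is SIGSEGV, the NULL dereference."""
    try:
        return signal.Signals(int(sig)).name
    except ValueError:
        return "SIG" + str(sig)

def would_crash(data):
    """Model of buggy.c: only the consumed bytes decide whether *null is reached."""
    return data[:READ_LEN] == CRASH_PREFIX

def triage_dir(crashes_dir):
    """Per crash file: signal, mutation op, bytes the target consumed, model verdict."""
    reports = []
    for name in sorted(os.listdir(crashes_dir)):
        fields = parse_crash_name(name)
        if fields is None:
            continue
        with open(os.path.join(crashes_dir, name), "rb") as f:
            data = f.read()
        reports.append({"id": fields["id"], "signal": signal_name(fields["sig"]),
                        "op": fields.get("op", "?"), "consumed": data[:READ_LEN],
                        "reproduces": would_crash(data)})
    return reports

def triage_sample():
    """Constructed copy of the post's crash file (undisplayable byte stood in for by \\xff)."""
    with tempfile.TemporaryDirectory() as tmp:
        d = os.path.join(tmp, "buggy", "sync", "fuzzer-2", "crashes")
        os.makedirs(d)
        with open(os.path.join(d, "id:000000,sig:11,src:000005,op:havoc,rep:8"), "wb") as f:
            f.write(b"7/42a888\xff88-888888888")
        return triage_dir(d)
```

Point triage_dir at a real workdir2/buggy/sync/fuzzer-N/crashes directory to get the same report for an actual run.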
Original article: driller/shellphish installation and a simple example. Please credit the source when reposting.