uniFuzzer is a
- little or no and simple to construct
- can goal any specified serve as or code snippet
- coverage-guided fuzzing with really extensive velocity
- dependence resolved and loaded mechanically
- library serve as override through PRELOAD
and in finding fascinating purposes for fuzzing.
.crecord within the listing
callback, which will have to comprise the next callbacks:
void onLibLoad(const char *libName, void *baseAddr, void *ucBaseAddr): It is invoked every time an dependent library is loaded in Unicorn.
int uniFuzzerInit(uc_engine *uc): It is invoked simply in the end the binaries been loaded in Unicorn. Stack/heap/registers will also be setup up right here.
int uniFuzzerBeforeExec(uc_engine *uc, const uint8_t *information, size_t len): It is invoked earlier than every spherical of fuzzing execution.
int uniFuzzerAfterExec(uc_engine *uc): It is invoked after every spherical of fuzzing execution.
makeand get the fuzzing instrument named
uniFuzzer makes use of the next atmosphere variables as parameters:
UF_TARGET: Trail of the objective ELF record
UF_PRELOAD: Trail of the preload library. Please ensure that the library has the similar structure as the objective.
UF_LIBPATH: Paths wherein the dependent libraries live. Use
:to split a couple of paths.
And the fuzzing will also be began the usage of the next command:
[UF_PRELOAD= ] UF_LIBPATH= ./uf
There comes a demo for fundamental utilization. The demo comprises the next recordsdata:
- demo-vuln.c: That is the objective for fuzzing. It comprises a easy serve as named
vuln()which is to stack/heap overflow.
- demo-libcpreload.c: That is for PRELOAD hooking. It defines an empty
- callback/demo-callback.c: This defines the vital callbacks for fuzzing the demo
First, please set up gcc for mipsel (package deal
gcc-mipsel-linux-gnu on Debian) to construct the demo:
# the objective binary
# '-Xlinker --hash-style=sysv' tells gcc to make use of 'DT_HASH' as an alternative of 'DT_GNU_HASH' for image search for
# since recently uniFuzzer does now not enhance 'DT_GNU_HASH'
mipsel-linux-gnu-gcc demo-vuln.c -Xlinker --hash-style=sysv -no-pie -o demo-vuln
# the preload library
mipsel-linux-gnu-gcc -shared -fPIC -nostdlib -Xlinker --hash-style=sysv demo-libcpreload.c -o demo-libcpreload.so
Or you’ll be able to simply use the record
demo-libcpreload.so, that are compiled the usage of the instructions above.
make to construct uniFuzzer. Please notice that for those who compiled the demo on your own, then some addresses could be other from the prebuilt one and
demo-callback.c will have to be up to date accordingly.
In spite of everything, ensure that the libc library of MIPS is able. On it is in
/usr/mipsel-linux-gnu/lib/ after putting in the package deal
libc6-mipsel-cross, and that is the reason what
UF_LIBPATH will have to be:
UF_PRELOAD= UF_LIBPATH= ./uf
Hack on Unicorn
Unicorn clears the JIT cache of QEMU because of this , which slows down the velocity of fuzzing for the reason that goal binary would should be JIT re-compiled all over every spherical of execution.
We will remark out
tb_flush(env); as said in that factor for efficiency.