Tag Archives: closed

uniFuzzer – A Fuzzing Device For Closed-Supply Binaries Primarily based On Unicorn And LibFuzzer

uniFuzzer is a fuzzing instrument for closed-source binaries in accordance with Unicorn and LibFuzzer. Recently it helps fuzzing 32-bits LSB ELF recordsdata on ARM/MIPS, that are in most cases noticed in IoT gadgets.


  • little or no hack and simple to construct
  • can goal any specified serve as or code snippet
  • coverage-guided fuzzing with really extensive velocity
  • dependence resolved and loaded mechanically
  • library serve as override through PRELOAD

binary and in finding fascinating purposes for fuzzing.

  • Create a .c record within the listing callback, which will have to comprise the next callbacks:
    • void onLibLoad(const char *libName, void *baseAddr, void *ucBaseAddr): It is invoked every time an dependent library is loaded in Unicorn.
    • int uniFuzzerInit(uc_engine *uc): It is invoked simply in the end the binaries been loaded in Unicorn. Stack/heap/registers will also be setup up right here.
    • int uniFuzzerBeforeExec(uc_engine *uc, const uint8_t *information, size_t len): It is invoked earlier than every spherical of fuzzing execution.
    • int uniFuzzerAfterExec(uc_engine *uc): It is invoked after every spherical of fuzzing execution.
    1. Run make and get the fuzzing instrument named uf.

    uniFuzzer makes use of the next atmosphere variables as parameters:

    • UF_TARGET: Trail of the objective ELF record
    • UF_PRELOAD: Trail of the preload library. Please ensure that the library has the similar structure as the objective.
    • UF_LIBPATH: Paths wherein the dependent libraries live. Use : to split a couple of paths.

    And the fuzzing will also be began the usage of the next command:


    There comes a demo for fundamental utilization. The demo comprises the next recordsdata:

    • demo-vuln.c: That is the objective for fuzzing. It comprises a easy serve as named vuln() which is inclined to stack/heap overflow.
    • demo-libcpreload.c: That is for PRELOAD hooking. It defines an empty printf() and simplified malloc()/unfastened().
    • callback/demo-callback.c: This defines the vital callbacks for fuzzing the demo vuln() serve as.

    First, please set up gcc for mipsel (package deal gcc-mipsel-linux-gnu on Debian) to construct the demo:

    # the objective binary
    # '-Xlinker --hash-style=sysv' tells gcc to make use of 'DT_HASH' as an alternative of 'DT_GNU_HASH' for image search for
    # since recently uniFuzzer does now not enhance 'DT_GNU_HASH'
    mipsel-linux-gnu-gcc demo-vuln.c -Xlinker --hash-style=sysv -no-pie -o demo-vuln

    # the preload library
    mipsel-linux-gnu-gcc -shared -fPIC -nostdlib -Xlinker --hash-style=sysv demo-libcpreload.c -o demo-libcpreload.so

    Or you’ll be able to simply use the record demo-vuln and demo-libcpreload.so, that are compiled the usage of the instructions above.
    Subsequent, run make to construct uniFuzzer. Please notice that for those who compiled the MIPS demo on your own, then some addresses could be other from the prebuilt one and demo-callback.c will have to be up to date accordingly.
    In spite of everything, ensure that the libc library of MIPS is able. On Debian it is in /usr/mipsel-linux-gnu/lib/ after putting in the package deal libc6-mipsel-cross, and that is the reason what UF_LIBPATH will have to be:


    Hack on Unicorn
    Unicorn clears the JIT cache of QEMU because of this factor, which slows down the velocity of fuzzing for the reason that goal binary would should be JIT re-compiled all over every spherical of execution.
    We will remark out tb_flush(env); as said in that factor for efficiency.

    Obtain uniFuzzer