
I've been trying to use American Fuzzy Lop but I can't make it work with a simple example like this:

#include <stdio.h>
#include <string.h>

int main(int argc, char * argv[]){
    char name[10];

    if ( argc > 1 ){
        strcpy(name, argv[1]);   /* no bound: argv[1] longer than 9 bytes overflows name */

        printf("HELLO %s\n", name);
    }

    return 0;
}

I compile one version of this code using regular gcc and another one using afl-clang. The gcc version is then placed inside the input folder and I call the fuzzer this way:

afl-fuzz -i input/ -o output/ -m 2G ./a.out @@

But it doesn't work.

[*] Attempting dry run with 'id:000000,orig:a.out'...
[*] Spinning up the fork server...

[-] Whoops, the target binary crashed suddenly, before receiving any input
    from the fuzzer! There are several probable explanations:

    - The current memory limit (2.00 GB) is too restrictive, causing the
      target to hit an OOM condition in the dynamic linker. Try bumping up
      the limit with the -m setting in the command line. A simple way confirm
      this diagnosis would be:

      ( ulimit -Sv $[2047 << 10]; /path/to/fuzzed_app )

      Tip: you can use http://jwilk.net/software/recidivm to quickly
      estimate the required amount of virtual memory for the binary.

    - The binary is just buggy and explodes entirely on its own. If so, you
      need to fix the underlying problem or find a better replacement.

    - Less likely, there is a horrible bug in the fuzzer. If other options
      fail, poke <lcamtuf@coredump.cx> for troubleshooting tips.

[-] PROGRAM ABORT : Fork server crashed with signal 6
         Location : init_forkserver(), afl-fuzz.c:2056

What am I doing wrong?

Davidoff

2 Answers


The first problem is that you are passing the input to afl-fuzz as a file with the '@@' argument, while the program takes a command-line argument. AFL accepts input from stdin or from files. http://lcamtuf.coredump.cx/afl/README.txt

The second issue, which causes the crash on start, is the automatic name AFL gives to the test case file:

[*] Attempting dry run with 'id:000000,orig:a.out'...

This is enough to overflow your buffer and cause a segfault.

wintermute
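The fix wintermute describes, as an added example (not code from the question or from either answer): the harness below reads its input from the file AFL substitutes for @@, or from stdin when no @@ is given, instead of from argv[1]. It keeps the original strcpy() into a 10-byte stack buffer so that an afl-clang build crashes on a long input, and shows a bounded copy_name() beside it. The function names, the 4096-byte input cap and the build/run lines in the header comment are my assumptions.

```c
/* harness.c: added example, not from the question or either answer.
 * afl-fuzz delivers each test case as a file (substituted for @@) or on
 * stdin, never as argv[1], so the target has to read its input from there.
 * Assumed build:  afl-clang harness.c -o harness
 * Assumed run:    afl-fuzz -i input/ -o output/ ./harness @@
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_LEN 10

/* Read up to cap-1 bytes from f into out, NUL-terminate, return the count.
 * This read is bounded; the bug under test lives in greet_vulnerable(). */
size_t read_all(FILE *f, char *out, size_t cap)
{
    size_t n = 0;
    if (cap == 0)
        return 0;
    while (n < cap - 1) {
        size_t got = fread(out + n, 1, cap - 1 - n, f);
        if (got == 0)
            break;
        n += got;
    }
    out[n] = '\0';
    return n;
}

/* The original bug: strcpy() into a 10-byte stack buffer. */
void greet_vulnerable(const char *input)
{
    char name[NAME_LEN];
    strcpy(name, input);              /* overflows once strlen(input) >= 10 */
    printf("HELLO %s\n", name);
}

/* Hardened form: copy at most name_cap-1 bytes and NUL-terminate.
 * Returns 1 if the input had to be truncated, 0 otherwise. */
int copy_name(char *name, size_t name_cap, const char *input)
{
    size_t len = strlen(input);
    size_t keep = len < name_cap ? len : name_cap - 1;
    memcpy(name, input, keep);
    name[keep] = '\0';
    return len >= name_cap;
}

void greet_safe(const char *input)
{
    char name[NAME_LEN];
    if (copy_name(name, sizeof name, input))
        fprintf(stderr, "name truncated to %zu bytes\n", sizeof name - 1);
    printf("HELLO %s\n", name);
}

int main(int argc, char *argv[])
{
    static char input[4096];          /* assumed cap for one test case */
    FILE *f = stdin;                  /* afl-fuzz without @@ feeds stdin */

    if (argc > 1 && (f = fopen(argv[1], "rb")) == NULL) {
        perror(argv[1]);
        return 1;
    }
    read_all(f, input, sizeof input);
    if (f != stdin)
        fclose(f);

    /* Drop a trailing newline so a seed written with an editor still works. */
    input[strcspn(input, "\n")] = '\0';

    greet_vulnerable(input);          /* swap for greet_safe(input) to fix */
    return 0;
}
```

Seed the input directory with a short file (a few bytes such as "hi"), not with a binary: the dry run then passes, and the fuzzer only has to grow the input past nine bytes to trip the strcpy() overflow in the instrumented build.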

To complete wintermute's response: if you want to try AFL or demonstrate that it works, you can do something like this.

The path variable is the path from your @@ argument:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[])
{
  char *buff;
  FILE *fd;
  const char *path;

  if (argc < 2)
    abort();
  path = argv[1]; /* the file AFL substitutes for @@ */

  if ((buff = malloc(10)) == NULL)
    abort();
  memset(buff, 0, 10); /* short inputs must not leave uninitialised bytes */

  if ((fd = fopen(path, "r")) == NULL)
    abort();
  fread(buff, 1, 10, fd); /* read at most 10 bytes; shorter files stay zero-padded */

  if (strncmp(buff, "h", 1) == 0)
  {
    if (strncmp(buff, "he", 2) == 0)
    {
      if (strncmp(buff, "hel", 3) == 0)
      {
        if (strncmp(buff, "hell", 4) == 0)
        {
          if (strncmp(buff, "hello", 5) == 0)
          {
            buff[9] = 0; //just to be sure...
            fprintf(stderr, "Nailed it ! input file is %s\n", buff);
            abort();
          }
        }
      }
      else
      {
        abort(); // it should be found quick
      }
    }
  }
  free(buff);
  fclose(fd);
  return 0;
}

Using abort() will result in an illegal instruction, which is considered a crash by AFL. So with this example, you'll get multiple different crashes.

Naphtaline