【发布时间】:2016-03-12 19:03:08
【问题描述】:
我一直在尝试使用 American Fuzzy Lop,但我无法通过这样的简单示例使其工作:
#include <stdio.h>
#include <string.h>
int main(int argc, char * argv[]){
char name[10];
if ( argc > 1 ){
strcpy(name, argv[1]);
printf("HELLO %s\n", name);
}
return 0;
}
我使用常规 gcc 编译此代码的一个版本,使用 afl-clang 编译另一个版本。然后将 gcc 版本放在输入文件夹中,我这样调用 fuzzer:
afl-fuzz -i input/ -o output/ -m 2G ./a.out @@
但它不起作用。
[*] Attempting dry run with 'id:000000,orig:a.out'...
[*] Spinning up the fork server...
[-] Whoops, the target binary crashed suddenly, before receiving any input
from the fuzzer! There are several probable explanations:
- The current memory limit (2.00 GB) is too restrictive, causing the
target to hit an OOM condition in the dynamic linker. Try bumping up
the limit with the -m setting in the command line. A simple way confirm
this diagnosis would be:
( ulimit -Sv $[2047 << 10]; /path/to/fuzzed_app )
Tip: you can use http://jwilk.net/software/recidivm to quickly
estimate the required amount of virtual memory for the binary.
- The binary is just buggy and explodes entirely on its own. If so, you
need to fix the underlying problem or find a better replacement.
- Less likely, there is a horrible bug in the fuzzer. If other options
fail, poke <lcamtuf@coredump.cx> for troubleshooting tips.
[-] PROGRAM ABORT : Fork server crashed with signal 6
Location : init_forkserver(), afl-fuzz.c:2056
我做错了什么?
【问题讨论】:
-
我不太明白实际传递给程序的参数是什么。
-
AFL 必须有一个规范的代码示例,你可以试试。
-
char name[10];可能太短,无法容纳传入的实际参数。使用strncpy(..,..,10)而不是strcpy -
这个想法是在那里有一个溢出。很容易抓到的。我尝试增加数组大小,但结果相同。
-
不要使用
strncpy,因为它不会在溢出情况下终止缓冲区
标签: c gcc american-fuzzy-lop