
Qiling fuzzer is not working

Open Bariskizilkaya opened this issue 8 months ago • 6 comments

I pulled a clean Docker Ubuntu image and followed the instructions, and the example for x86_64 fuzzing is not working. The binary crashes immediately.

Sample Code

#!/usr/bin/env python3

"""Simple example of how to use Qiling together with AFLplusplus.

Steps:
  o Clone and build AFL++
    $ git clone https://github.com/AFLplusplus/AFLplusplus.git
    $ make -C AFLplusplus

  o Build Unicorn support
    $ ( cd AFLplusplus/unicorn_mode ; ./build_unicorn_support.sh )

  o Start fuzzing
    $ AFL_AUTORESUME=1 AFL_PATH="$(realpath ./AFLplusplus)" PATH="$AFL_PATH:$PATH" afl-fuzz -i afl_inputs -o afl_outputs -U -- python3 ./fuzz_x8664_linux.py @@

  o Cleanup results
    $ rm -fr afl_outputs/default/
"""

# No more need for importing unicornafl, try afl.ql_afl_fuzz instead!

import os
import sys

from typing import Optional

sys.path.append("../../..")
from qiling import Qiling
from qiling.const import QL_VERBOSE
from qiling.extensions import pipe
from qiling.extensions import afl

def main(input_file: str):
    ql = Qiling(["./x8664_fuzz"], "../../rootfs/x8664_linux",
        verbose=QL_VERBOSE.OFF, # keep qiling logging off
        console=False)          # thwart program output

    # redirect stdin to our mock to feed it with incoming fuzzed keystrokes
    ql.os.stdin = pipe.SimpleInStream(sys.stdin.fileno())

    def place_input_callback(ql: Qiling, input: bytes, persistent_round: int) -> Optional[bool]:
        """Feed generated stimuli to the fuzzed target.

        This method is called with every fuzzing iteration.
        """

        # feed fuzzed input to our mock stdin
        ql.os.stdin.write(input)

        # signal afl to proceed with this input
        return True

    def start_afl(ql: Qiling):
        """Have Unicorn fork and start instrumentation.
        """

        afl.ql_afl_fuzz(ql, input_file=input_file, place_input_callback=place_input_callback, exits=[ql.os.exit_point])

    # get image base address
    ba = ql.loader.images[0].base

    # make the process crash whenever __stack_chk_fail@plt is about to be called.
    # this way afl will count stack protection violations as crashes
    ql.hook_address(callback=lambda x: os.abort(), address=ba + 0x126e)

    # set afl instrumentation [re]starting point. we set it to 'main'
    ql.hook_address(callback=start_afl, address=ba + 0x1275)

    # okay, ready to roll
    ql.run()

if __name__ == "__main__":
    if len(sys.argv) == 1:
        raise ValueError("No input file provided.")

    main(sys.argv[1])

Image

Bariskizilkaya avatar Feb 19 '25 20:02 Bariskizilkaya

The sample input file provided on the command line should be a valid input (that is, one that does not crash the program). What was the command line, and what is the content of the sample file?

elicn avatar Feb 20 '25 15:02 elicn
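A pre-flight check for the point raised above, added here as example code (not part of the qiling project or this thread): run the harness once per seed, outside afl-fuzz, and classify how each run ended. It assumes that invoking the harness directly with a seed path (the way afl-fuzz substitutes @@) performs a single pass; the example harness above calls os.abort() when __stack_chk_fail@plt is reached, so a stack-protector hit shows up as SIGABRT, and a fuzz entry point that never returns shows up as a timeout.

```python
#!/usr/bin/env python3
"""Run a Qiling/AFL++ harness over a seed corpus and report, per seed,
whether it exited cleanly, crashed (signal), errored, or hung.
Example code; assumes the harness does one pass when run without afl-fuzz."""
import signal
import subprocess
import sys
from pathlib import Path
from typing import Dict, List

PYTHON = sys.executable  # interpreter used to launch a Python harness


def classify(returncode: int, timed_out: bool) -> str:
    """Map a finished (or timed-out) harness run to a verdict string."""
    if timed_out:
        return "hang"                      # fuzz entry never returned
    if returncode == 0:
        return "ok"                        # a usable seed
    if returncode < 0:                     # killed by a signal, e.g. os.abort() -> SIGABRT
        try:
            return f"crash ({signal.Signals(-returncode).name})"
        except ValueError:
            return f"crash (signal {-returncode})"
    return f"error (exit {returncode})"    # harness raised / exited non-zero


def run_seed(harness_cmd: List[str], seed: str, timeout: float = 30.0) -> str:
    """Run harness_cmd with the seed path appended, like afl-fuzz's @@."""
    try:
        proc = subprocess.run(harness_cmd + [str(seed)],
                              capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return classify(0, timed_out=True)
    return classify(proc.returncode, timed_out=False)


def check_corpus(harness_cmd: List[str], input_dir: str,
                 timeout: float = 30.0) -> Dict[str, str]:
    """Verdict for every regular file in input_dir (e.g. afl_inputs/)."""
    seeds = sorted(p for p in Path(input_dir).iterdir() if p.is_file())
    return {p.name: run_seed(harness_cmd, str(p), timeout) for p in seeds}


if __name__ == "__main__":
    # usage: seed_check.py afl_inputs python3 ./fuzz_x8664_linux.py
    if len(sys.argv) < 3:
        raise SystemExit("usage: seed_check.py <input_dir> <harness cmd...>")
    for name, verdict in check_corpus(sys.argv[2:], sys.argv[1]).items():
        print(f"{name}: {verdict}")
```

Any seed reported as anything other than "ok" should be removed from the input directory before starting afl-fuzz.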

This is the sample program from qiling's examples folder: https://github.com/qilingframework/qiling/tree/master/examples/fuzzing/linux_x8664

Image

Bariskizilkaya avatar Feb 20 '25 16:02 Bariskizilkaya

The current unicornafl might break. Will have a look.

wtdcode avatar Feb 21 '25 02:02 wtdcode

From what I see, the crash happens within _uc2afl.uc_afl_fuzz_custom in unicornafl.py. The statement does not return, so there is no value returned or exception raised.

elicn avatar Feb 21 '25 13:02 elicn

@wtdcode @elicn I'm observing similar behaviour. Any ideas for fixes? I would like to help on this issue.

rliebig avatar May 27 '25 07:05 rliebig

We will release next unicornafl shortly: https://github.com/AFLplusplus/unicornafl/pull/43

wtdcode avatar May 27 '25 07:05 wtdcode

I’m still running into the same problem with both the latest release and the Git version. Do you have any suggestions on how to fix it? Thanks!

daniel-rome avatar Sep 27 '25 22:09 daniel-rome

Found a temporary "fix" by overwriting the "unicornafl.so" library (with one from a stable AFL version, e.g. AFLplusplus-4.33c) in the pip directory used by qiling.

daniel-rome avatar Sep 28 '25 16:09 daniel-rome

Thanks for the updates. For anyone having an issue with this, please try the new AFL++ release 4.34a, which brings fixes and new features.

wtdcode avatar Sep 28 '25 17:09 wtdcode

The problem comes with the pip unicornafl installation, so that should probably be updated as well. This is why overwriting the library with either 4.34a or 4.33c started working.

Anyway, it looks like it continues failing: it does not crash, but I am getting the "[-] Hmm, looks like the target binary terminated before we could complete a handshake with the injected code. You can try the following:" error message.

I traced the instructions executed (UC_HOOK_CODE), and the last one is the one I have configured in "exits" of "ql_afl_fuzz(_ql, input_file=input_file, place_input_callback=place_input_callback, exits=[0x00957810])". Is there anything I am overlooking? Arch: MIPS32 BE

daniel-rome avatar Sep 28 '25 22:09 daniel-rome