alwin.berger/FRET-LibAFL
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
FRET-LibAFL/fuzzers/frida_executable_libpng/README.md
Vincent 38ea17b426
libafl_frida for Linux executables (#1117) 
* add frida_executable_libpng

* fix makefile

* fix README.md

* remove author from Cargo.toml

* fix fuzzer

* fix fuzzer

* fix Makefile

* fix linter

* fix clang-format-13

* unsupport mac os

* fix build_and_test_fuzzers

* fix cargo fmt

* cargo fmt

* add safer libc_start_main

* fix call rax addr

* fix frida

* fix cargo fmt

* fix metadata() to metadata_map()

* fix toml

* fix maxmapfeedback
2023-03-22 15:18:21 +01:00

36 lines
2.0 KiB
Markdown
Raw Permalink Blame History

# Fuzzing libpng with frida as executale
This folder contains an example fuzzer for libpng, using LLMP for fast multi-process fuzzing and crash detection.
To show off crash detection, we added a ud2 instruction to the harness, edit harness.cc if you want a non-crashing example.
It has been tested on Linux.
## Build
To build this example, run `cargo build --release` in this folder.
This will call (the build.rs)[./build.rs], which in turn downloads a libpng archive from the web.
Then, it will build (the C++ harness)[./harness.cc] and the instrumented `libpng`.
Then, it will create frida fuzzer shared library in `./target/release/libfrida_fuzzer.so`.
On unix platforms, you'll need [libc++](https://libcxx.llvm.org/) to build it.
Alternatively you can run `cargo make run` and this command will automatically build and run the fuzzer
### Build For Android
When building for android using a cross-compiler, make sure you have a [_standalone toolchain_](https://developer.android.com/ndk/guides/standalone_toolchain), and then add the following:
1. In the ~/.cargo/config file add a target with the correct cross-compiler toolchain name (in this case aarch64-linux-android, but names may vary)
`[target.aarch64-linux-android]`
`linker="aarch64-linux-android-clang"`
2. add path to installed toolchain to PATH env variable.
3. define CLANG_PATH and add target to the build command line:
`CLANG_PATH=<path to installed toolchain>/bin/aarch64-linux-android-clang cargo -v build --release --target=aarch64-linux-android`
## Run
This example uses in-process-fuzzing, using the `launcher` feature, in combination with a Restarting Event Manager.
This means running --cores each client will start itself again to listen for crashes and timeouts.
By restarting the actual fuzzer, it can recover from these exit conditions.
After building the libpng-harness, you can run `find . -name libpng-harness` to find the location of your harness, then run
```
LD_PRELOAD=./target/release/libfrida_fuzzer.so ./libpng-harness -i corpus -o out -l ./libpng-harness.so
```
Reference in New Issue View Git Blame Copy Permalink