On 19.11.2015 at 11:25, Sandro Santilli wrote:
> gnash -r2 -

Thanks! I managed to use it with AFL really quickly and already found one crash:

root@35efc6731a98:~/fuzz-results/gnash# ~/bin/cwdump crashwalk.db
(1 of 9) - Hash: 42cf699aa3c84af55b5fa038a3b84dce.42cf699aa3c84af55b5fa038a3b84dce
---CRASH SUMMARY---
Filename: o/master/crashes/id:000006,sig:06,src:000009,op:havoc,rep:8
SHA1: 8d91c84e3729bbf2df58f8ea426e78a6f7247804
Classification: EXPLOITABLE
Hash: 42cf699aa3c84af55b5fa038a3b84dce.42cf699aa3c84af55b5fa038a3b84dce
Command: gtk-gnash -r 2 -
Faulting Frame:
   gnash::SWFMovieDefinition::read_all_swf @ 0x00007ffff7a4c4b7: in /usr/lib/gnash/libgnashcore-0.8.11.so
Disassembly:
Stack Head (8 entries):
   raise @ 0x00007ffff3bcf107: in /lib/x86_64-linux-gnu/libc-2.19.so (BL)
   abort @ 0x00007ffff3bd04e8: in /lib/x86_64-linux-gnu/libc-2.19.so (BL)
   None @ 0x00007ffff3bc8226: in /lib/x86_64-linux-gnu/libc-2.19.so (BL)
   __assert_fail @ 0x00007ffff3bc82d2: in /lib/x86_64-linux-gnu/libc-2.19.so (BL)
   gnash::SWFMovieDefinition @ 0x00007ffff7a4c4b7: in /usr/lib/gnash/libgnashcore-0.8.11.so
   None @ 0x00007ffff442d5c0: in /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21
   start_thread @ 0x00007ffff3f4b0a4: in /lib/x86_64-linux-gnu/libpthread-2.19.so
   clone @ 0x00007ffff3c8006d: in /lib/x86_64-linux-gnu/libc-2.19.so (BL)
Registers:
rax=0x0000000000000000 rbx=0x00007ffff7fec000 rcx=0x00007ffff3bcf107 rdx=0x0000000000000006
rsi=0x000000000000510c rdi=0x000000000000431f rbp=0x00007ffff3cfed08 rsp=0x00007fffdcbfe6b8
r8=0x00007fffd80008b0 r9=0xfefefeff092d6364 r10=0x0000000000000008 r11=0x0000000000000202
r12=0x00007ffff7b5baf9 r13=0x00007ffff7b5bca0 r14=0x00005555559424d0 r15=0x00007fffdcbff700
rip=0x00007ffff3bcf107 efl=0x0000000000000202 cs=0x0000000000000033 ss=0x000000000000002b
ds=0x0000000000000000 es=0x0000000000000000 fs=0x0000000000000000 gs=0x0000000000000000
Extra Data:
   Description: Possible stack corruption
   Short description: PossibleStackCorruption (7/22)
   Explanation: GDB generated an error while unwinding the stack and/or the stack contained return addresses that were not mapped in the inferior's process address space and/or the stack pointer is pointing to a location outside the default stack region. These conditions likely indicate stack corruption, which is generally considered exploitable.
---END SUMMARY---

root@35efc6731a98:~/fuzz-results/gnash# gtk-gnash -r 2 - < ./o/master/crashes/id:000004*
ALSA lib confmisc.c:768:(parse_card) cannot find card '0'
ALSA lib conf.c:4260:(_snd_config_evaluate) function snd_func_card_driver returned error: No such file or directory
ALSA lib confmisc.c:392:(snd_func_concat) error evaluating strings
ALSA lib conf.c:4260:(_snd_config_evaluate) function snd_func_concat returned error: No such file or directory
ALSA lib confmisc.c:1251:(snd_func_refer) error evaluating name
ALSA lib conf.c:4260:(_snd_config_evaluate) function snd_func_refer returned error: No such file or directory
ALSA lib conf.c:4739:(snd_config_expand) Evaluate error: No such file or directory
ALSA lib pcm.c:2267:(snd_pcm_open_noupdate) Unknown PCM default
gtk-gnash: ../../../libcore/parser/SWFMovieDefinition.cpp:450: void gnash::SWFMovieDefinition::read_all_swf(): Assertion `startPos <= _swf_end_pos' failed.
Aborted (core dumped)

root@35efc6731a98:~/fuzz-results/gnash# base64 ./o/master/crashes/id:000004*
RldTCAAAAAAg2t3y+3t5WHVnd+8=

Here's a Docker file that you can use to reproduce the fuzzing:

FROM d33tah/afl-sid
RUN aflize gnash
RUN dpkg -i ~/pkgs/*
RUN apt-get -f install -y
RUN mkdir i
# Note to mailing list: below has to be in one line
RUN echo 'Q1dTCOgwAAB42t06+3tcxXVnd+/ujiTLNopBGK9dUVywKXHMIyU4tixZz41Xd927Akwdul2t7kqLV7vK7l1bDuEZCI+kxkmL8CMGGtq0CSmEQto0bdP3OymtbQxtSELIA1L6F/SHquecmbk7V9qV7H5fv69f9X2enTlz5pwz5zU=' | base64 -d > i/1
# The line above ended before # ENTRYPOINT
ENTRYPOINT afl-fuzz-parallel -i i -o o -m none -- gtk-gnash -r 2 -

To use it, save it as Dockerfile and run:

sudo docker build --no-cache=true -t afl-gnash .
sudo docker run -ti afl-gnash

Let me know if you're having any problems - I'm still working on afl-sid, so there might be some recent bugs.

Cheers,
d3tah
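The crash file posted above is only 20 bytes, and its SWF header claims a file length of 0, while the seed from the Dockerfile is a CWS file claiming 12520 bytes. The assertion text (`startPos <= _swf_end_pos`) suggests the end offset is derived from that header field, so a parser that trusts it ends up with an end position before the header it has already consumed; that gnash computes `_swf_end_pos` this way is an assumption here, not something the e-mail states. The script below is an added example (not from the e-mail and not gnash code) that decodes both inputs from the base64 in the message and performs the header sanity check a reader of an untrusted SWF should do before deriving any offset from the declared length:

```python
import base64
import struct

# Test vectors copied from the e-mail: the AFL crash file (id:000004) and the
# seed written to i/1 by the Dockerfile. Used here only as sample inputs.
CRASH_INPUT = base64.b64decode("RldTCAAAAAAg2t3y+3t5WHVnd+8=")
SEED_INPUT = base64.b64decode(
    "Q1dTCOgwAAB42t06+3tcxXVnd+/ujiTLNopBGK9dUVywKXHMIyU4tixZz41Xd927Akwdul2t7kqLV7vK7l1bDuEZCI+kxkmL8CMGGtq0CSmEQto0bdP3OymtbQxtSELIA1L6F/SHquecmbk7V9qV7H5fv69f9X2enTlz5pwz5zU="
)

HEADER_LEN = 8  # signature (3) + version (1) + uint32 LE file length (4)
SIGNATURES = {b"FWS": "uncompressed", b"CWS": "zlib", b"ZWS": "lzma"}


def parse_swf_header(data):
    """Parse the fixed 8-byte SWF header without trusting any of its values.

    Returns signature, compression scheme, version and the file length the
    header *claims*; raises ValueError if the bytes do not even form a header.
    """
    if len(data) < HEADER_LEN:
        raise ValueError("input shorter than an SWF header (%d bytes)" % len(data))
    sig = data[:3]
    if sig not in SIGNATURES:
        raise ValueError("not an SWF signature: %r" % sig)
    version = data[3]
    declared_len = struct.unpack_from("<I", data, 4)[0]
    return {
        "signature": sig.decode("ascii"),
        "compression": SIGNATURES[sig],
        "version": version,
        "declared_length": declared_len,
        "actual_length": len(data),
    }


def check_swf_length(data):
    """Sanity-check the declared length before deriving an end offset from it.

    Returns (header, problems); an empty problems list means the header is
    internally consistent. For FWS the declared length is the on-disk size;
    for CWS/ZWS it is the size after decompression, so only the lower bound
    (it must at least cover the header itself) can be checked up front.
    """
    header = parse_swf_header(data)
    declared = header["declared_length"]
    problems = []
    if declared < HEADER_LEN:
        problems.append(
            "declared length %d is smaller than the %d-byte header; an end "
            "offset computed from it lies before data already consumed"
            % (declared, HEADER_LEN)
        )
    if header["signature"] == "FWS" and declared != header["actual_length"]:
        problems.append(
            "declared length %d does not match actual file size %d"
            % (declared, header["actual_length"])
        )
    return header, problems


if __name__ == "__main__":
    for name, blob in (("crash id:000004", CRASH_INPUT), ("seed i/1", SEED_INPUT)):
        header, problems = check_swf_length(blob)
        print(name, header)
        for problem in problems:
            print("   !", problem)
```

Run it as-is to see the crash input rejected on both counts (length 0 is below the header size and does not match the 20 bytes on disk) while the seed passes. In a real parser the same check belongs right after the header is read, so that a hostile length field produces a clean parse error instead of an assertion failure or an out-of-bounds read further down.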
_______________________________________________ Gnash-dev mailing list Gnash-dev@gnu.org https://lists.gnu.org/mailman/listinfo/gnash-dev